If you want to change things on the root drive of a Mac you will need to take some steps to disable the built in security of the system. Most of these steps are the same regardless if you are on Intel or Apple Silicon. If there is a difference it is noted.
Note that all of these things put a Mac into an unsupported and less secure state.
Make sure you either perform these steps in a VM or that you reset the protections after you are done poking around
(This list is not exahustive on the details of each. Check the links at the end for more info.)
- SIP (System Integrety Protection)
- Protects agains a wide range of things from changing system
launchd
jobs to denying debugger attaching.
- Protects agains a wide range of things from changing system
- Hardened Runtime
- A runtime flag that enforces additional security measures on macOS apps. By default blocks things like JIT-code, unsigned executable memory, loading of unsigned libraries, microphone and camera access, contacts and photos.
- SSV (Signed System Volume)
- Prevents changes from being made to the contents of the boot volume. This is implimented by restricting boot to a known good APFS snapshot.
- AMFI (Apple Mobile File Integrity)
- On macOS this checks the code signatures of binaries before allowing code to execute. Also enforces entitlements.
- Library Validation
- Ensure that code loaded into other processes is signed by the expected owner.
- Platform Binary
- Code supplied by Apple as part of the system. On Apple Silicon this is arm64e ABI code to enable pointer authentication (PAC).
Disabling SIP is the first step in most of these processes. This step will essentially give the root user the power to do things like debug arbitrary executables that don't contain additional hardening in code or to break things by deleting otherwise protected directories.
- Boot into Recovery OS and open the Terminal.
- Disable SIP with:
csrutil disable
- Reboot.
To unlock the boot volume you need to disable SIP and SSV then make a new snapshot to boot from that contains your changes. Since the system boots from a snapshot now you can't just enable write access to the system volume. Once you make changes to the boot disk you will need to keep SSV disabled in order to boot. Updates will turn this back on if the installer will even run against the modified disk. Luckily you can revert to the previous boot snapshot without any real headache.
If you change the boot volume you will need to keep SSV disabled in order to boot.
- Boot into Recovery OS and open the Terminal.
- Disable SIP with:
csrutil disable
- Disable SSV with:
csrutil authenticated-root disable
- Reboot from the regular boot drive.
- Take a look at the volume list with
mount
and find the sealed volume. In my case it shows as:
~ % mount
/dev/disk3s1s1 on / (apfs, sealed, local, read-only, journaled)
- Make a directory to use as a mount point somewhere:
mkdir /tmp/mount
- Mount the snapshot there with r/w access with:
sudo mount -o nobrowse -t apfs /dev/disk3s1 /tmp/mount
- Make the changes you want to test to the volume at that mount point.
- Generate a new snapshot to boot from with:
sudo bless --mount /tmp/mount --bootefi --create-snapshot
- Reboot and you will be running from your modified root volume.
If you want to go back to the Apple sealed snapshot, it is easy to revert your changes.
- Revert the boot snapshot with:
sudo bless --mount / --last-sealed-snapshot
- Reboot.
If you want to run code that you've resigned, fiddled with, or just generally messed with you will need to get around AMFI. Otherwise it is going to deny your code the ability to run as it won't be signed by the expected identity for a platform binary or to have the enitlements that it needs to run.
We do this with a boot argument set in NVRAM.
- Make sure SIP is disabled with:
sudo csrutil status
. If it's not then follow the steps above to disable it. - Set the required boot arg with:
sudo nvram boot-args="amfi_get_out_of_my_way=1"
- Reboot.
We can disable library validation for the cases in which just disabling SIP and AMFI is not enough.
- Make sure SIP is disabled.
- Adjust this setting with
/Library/Preferences/com.apple.security.libraryvalidation.plist DisableLibraryValidation -bool true
- Reboot.
If you are experimenting with your own arm64e code, or patching Apple's, you need an additional boot-arg on Apple Silicon.
- Make sure SIP is disabled.
- Set the boot-arg to disable AMFI and enabled non-Apple arm64e code:
sudo nvram boot-args="amfi_get_out_of_my_way=1 -arm64e_preview_abi"
- Reboot.
To put everything back into a factory state:
- Revert boot snapshot changes with:
sudo bless --mount / --last-sealed-snapshot
- Clear boot-args with:
sudo nvram -d boot-args
- Boot into Recovery OS and open the Terminal.
- Re-enable SIP with:
csrutil enable
- Re-enable SSV with:
csrutil authenticated-root enable
- Reboot.