
AirpodsNow

macrumors regular
Original poster
Aug 15, 2017
231
153
Hi there,

I have lurked around looking to install PlayCover for Genshin Impact on my M1 Mac. It requires one to temporarily disable SIP to get it going, so to speak (https://docs.playcover.io/getting_s...in.html?csrutil#troubleshoot-app-login-issues).

It seems that for 'some' it is like opening a backdoor, and that you are forever at risk if you have 'ever dared' to turn it off, even temporarily. This thread most visibly shows people arguing for and against: https://forums.macrumors.com/threads/enabling-sip-while-disabling-specific-parts-is-it-safe.2365063/.

But I was hoping to understand what it actually 'does' for this app to be able to do what it needs to do. I have no problem temporarily disabling it, but I wouldn't mind actually understanding what it means.

Thanks.
 
But I was hoping to understand what it actually 'does' for this app to be able to do what it needs to do.
Disabling and Enabling System Integrity Protection

System Integrity Protection (SIP) in macOS protects the entire system by preventing the execution of unauthorized code. The system automatically authorizes apps that the user downloads from the App Store.

I believe this is caused by apps that are not in the Mac App Store and not signed to the degree that Apple wants, so it represents a risk, since Apple cannot guarantee the code is free of malware.
 
The weird thing is, we can download apps elsewhere and it requires one to go to Security in the Settings app to say “Open Anyway”. I was just wondering what it needs to execute to need this to be turned off….
 
Yeah, but Apple has taken steps to protect the Mac, but those steps could inconvenience the user.
 
It maybe wants SIP disabled in order for an app to exploit that it needs root permissions.

SIP is more there to reduce the severity of malware and limit what it can do, and will not prevent malware from getting onto your system. Disabling SIP also has some other side effects. It disables the folder permission system. So apps do not have to ask for permission to access certain folders like Desktop, Documents and so on.

Also: syspolicyd will not scan every app constantly on startup. This significantly reduces CPU load on startup and the startup time of applications. If your system is clean and no malicious code is running on your Mac, no downside. But if an app modified some application to do weird things, it might now be able to do that. Might, because if the application already had that permission, then it also would not prevent much, but if the signature is now invalid, macOS will still complain that the app is not signed correctly.

Also, I believe that Apple Pay will not work as long as SIP is disabled. Some other apps also might refuse to work as Apple is tightening things up all the time. Any app can check whether SIP is enabled.

In short - if you do some surfing, while some will disagree, many believe that an app that requires SIP to be disabled to run is not to be trusted.
 
Your app might need SIP disabled in order to install a third-party kernel extension (kext).
To enable system extensions, you need to modify your security settings, SIP, in the Recovery environment.

Here's a good overview showing how it's done: https://iboysoft.com/howto/enable-s...system-extensions-on-m1m2-mac---text-tutorial

Is the reduction in your computer's security worth the gain you'll receive from getting your app to run?
Only if no other options are available and your livelihood depends on it is my take.
 
The weird thing is, we can download apps elsewhere and it requires one to go to Security in the Settings app to say “Open Anyway”.
This is because you’re using an .ipa file that has had its signature completely stripped. All this is doing is bypassing this check.

When you are able to click “open” it’s because the binary has been self-signed.
 
But I was hoping to understand what it actually 'does' for this app to be able to do what it needs to do. I have no problem temporarily disabling it, but I wouldn't mind actually understanding what it means.
Nothing suspicious, just complicated way of enabling a test mode :)
Disabling SIP (csrutil disable) is only required in order to be able to write the NVRAM values.
“amfi_get_out_of_my_way - disable amfi”
https://www.theiphonewiki.com/wiki/AppleMobileFileIntegrity
ipc_control_port_options=0
/* These boot-args decide if the pinned and immovable ports can be copied out to IPC space */
https://github.com/apple/darwin-xnu...90a1990af3c5c5393479/osfmk/kern/ipc_kobject.h
* used for testing by exception_tests */
https://github.com/apple/darwin-xnu...2590a1990af3c5c5393479/bsd/kern/sys_generic.c

I don’t want to enable SIP on my M1 just for this, but you can test if you can write into NVRAM with SIP enabled from Terminal in Recovery: nvram boot-args="amfi_get_out_of_my_way=0x1 ipc_control_port_options=0"
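
A read-only audit of the two settings discussed in this thread, the SIP state and the boot-args named above, added here as an example and not part of any post. The function names and the output formats of `csrutil status` and `nvram boot-args` described in the comments are this example's assumptions.

```shell
#!/bin/sh
# Added example. On a Mac the input text comes from `csrutil status` and
# `nvram boot-args`; the functions take it as arguments so they work offline.

# sip_state TEXT -> enabled | disabled | custom | unknown
# Assumed format: "System Integrity Protection status: enabled."
sip_state() {
    case "$1" in
        *"Custom Configuration"*) echo custom ;;   # partially disabled SIP
        *"status: enabled"*)      echo enabled ;;
        *"status: disabled"*)     echo disabled ;;
        *)                        echo unknown ;;
    esac
}

# risky_boot_args TEXT -> the boot-args from this thread that are present
# Assumed format: "boot-args<TAB>arg1 arg2 ..."
risky_boot_args() {
    args=$(printf '%s\n' "$1" | sed 's/^boot-args[[:space:]]*//')
    found=""
    for a in $args; do
        case "$a" in
            amfi_get_out_of_my_way*|ipc_control_port_options=*)
                found="$found $a" ;;
        esac
    done
    echo "${found# }"
}

# audit SIP_TEXT NVRAM_TEXT -> one-line verdict
audit() {
    s=$(sip_state "$1")
    b=$(risky_boot_args "$2")
    if [ "$s" = enabled ] && [ -z "$b" ]; then
        echo "OK: SIP enabled, no test boot-args"
    else
        echo "REVIEW: SIP=$s boot-args=${b:-none}"
    fi
}

if command -v csrutil >/dev/null 2>&1; then
    # Live system (macOS): both commands only read state.
    audit "$(csrutil status)" "$(nvram boot-args 2>/dev/null)"
else
    # Constructed sample text, used when not running on macOS.
    audit 'System Integrity Protection status: disabled.' \
        "$(printf 'boot-args\tamfi_get_out_of_my_way=0x1 ipc_control_port_options=0')"
fi
```

Running it again after re-enabling SIP shows whether the boot-args were left behind in NVRAM.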
 