Re: macOS SIP, next try

On 05.03.21 01:36, Tom Lane wrote:
> Hmm. So I tried this, ie "csrutil enable --without debug" in the
> recovery system, and after rebooting what I see is
>
> $ csrutil status
> System Integrity Protection status: unknown (Custom Configuration).
>
> Configuration:
> Apple Internal: disabled
> Kext Signing: enabled
> Filesystem Protections: disabled
> Debugging Restrictions: enabled
> DTrace Restrictions: enabled
> NVRAM Protections: enabled
> BaseSystem Verification: enabled
>
> This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.
> $
>
> which is, shall we say, not the set of options the command appeared
> to select. It does work, in the sense that "make check" is able
> to complete without having an installation tree. But really, Apple
> is doing their level best to hang a "here be dragons" sign on this.

Yeah, you'd think --without-debug would make "Debugging Restrictions"
disabled. And it used to do that in older macOS versions. My
assessment is that it actually does work, as you also observed, but that
the status display is somehow displaying things incorrectly.

> I'm not comfortable with recommending it, and I'm about to go
> turn it off again, because I have no damn idea what it really does.

Okay. Interested users can find it at their own risk in this thread or
similar ones elsewhere.

I'm going to close this CF entry now. This is apparently as far as we
can take it for now.