
I was looking to lock down the configuration on some macs, and wanted to know if there is any way to change the files and folders that SIP protects. I know it can be disabled, and its current rules viewed, but is there any way to add your own protected directories?

Thanks

2 Answers


It is possible to add your own protected directory to SIP:

  • Boot to Recovery Mode and disable SIP
  • Reboot and create a directory structure.
  • Flag the whole folder or single files or folders:

    sudo chflags restricted /example
    sudo chflags restricted /example/example.app
    sudo chflags restricted /example/subdir/file

    or a folder hierarchy:

    sudo chflags -R restricted /example 

    If you want to exclude a subdir after using the -R option you have to remove the restricted flag there:

    sudo chflags norestricted /example/subdir 
  • Boot to Recovery Mode and enable SIP

Now the folders example, example.app and the file /example/subdir/file are protected. You still can add or remove files to/from /example/subdir.


The restricted flag has no effect if SIP is disabled - the usual POSIX/ACLs permissions apply. With SIP enabled the files/folders are protected.


It is also possible to add, remove or change SIP-protected files and directories via an installer package which is signed by Apple's own certificate authority. Since a normal user/customer usually doesn't have access to this certificate authority, this possibility is eliminated.


An earlier version of this answer asserted that it is required to modify the file /System/Library/Sandbox/rootless.conf and add something like:

    /example
    /example/example.app
    *  /example/subdir
    /example/subdir/file

This is wrong! Simply flagging a file or folder as restricted is sufficient to protect it.

    Please clarify: Why is it "wrong", is it unnecessary, doesn't work, overreaching, bad practice… Commented Mar 2, 2019 at 11:14
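An added audit script (not part of the answer above) for checking the layout it describes: on macOS `ls -lO` prints BSD file flags in the fifth column ("-" when none), and `csrutil status` tells whether SIP is actually enforcing them. It assumes macOS with BSD `ls` and `csrutil`; the paths are the answer's own examples.

```shell
#!/bin/sh
# Added example: audit which paths carry the `restricted` flag and whether
# SIP is enabled, so the flag is actually enforced. Assumes macOS (BSD ls, csrutil).

# has_restricted_flag LINE: succeed if an `ls -ldO` line carries `restricted`.
# Flags are comma-separated in field 5, e.g. "uchg,restricted" or "-".
has_restricted_flag() {
    flags=$(printf '%s\n' "$1" | awk '{print $5}')
    case ",$flags," in
        *,restricted,*) return 0 ;;
        *) return 1 ;;
    esac
}

# sip_enabled: succeed when `csrutil status` reports SIP enabled.
sip_enabled() {
    csrutil status 2>/dev/null | grep -q 'status: enabled'
}

# audit_paths "expected restricted" "expected unrestricted": print drift from
# the expected layout; the return code is the number of mismatches found.
audit_paths() {
    mismatches=0
    for p in $1; do
        line=$(ls -ldO "$p" 2>/dev/null) || { echo "MISSING      $p"; mismatches=$((mismatches + 1)); continue; }
        has_restricted_flag "$line" || { echo "UNPROTECTED  $p"; mismatches=$((mismatches + 1)); }
    done
    for p in $2; do
        line=$(ls -ldO "$p" 2>/dev/null) || continue
        if has_restricted_flag "$line"; then
            echo "UNEXPECTEDLY RESTRICTED $p"; mismatches=$((mismatches + 1))
        fi
    done
    return "$mismatches"
}

# Only meaningful on macOS; the layout is the one described in the answer.
if [ "$(uname)" = Darwin ]; then
    sip_enabled || echo "WARNING: SIP is disabled; restricted flags are not enforced"
    audit_paths "/example /example/example.app /example/subdir/file" "/example/subdir" \
        || echo "drift detected: see lines above"
fi
```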

As far as I know, there is no way to modify which directories SIP protects; SIP is either on or off. Apple appears to make no mention of such an ability in their developer documents either.

Disregard this, @kanomath has a better answer. The latter part of my answer still stands to a limited degree.

If you want to lock down configuration files, modify the filesystem permissions either through the Finder GUI or the command line utility chown.

  • Fair enough, edited to refer to your answer. Commented Feb 7, 2017 at 16:05
