Glossary
SIP
System Integrity Protection — the kernel-enforced lockdown on macOS that, since El Capitan, prevents even root from modifying core system files, debugging Apple binaries, or loading unsigned kexts.
SIP ("System Integrity Protection", internally called "rootless") is the kernel-enforced policy that makes root not an unlimited account on macOS. Introduced in macOS 10.11 El Capitan, it now covers several distinct restrictions:
- Filesystem write protection. /System, /usr (except /usr/local), /bin, /sbin, and most of /Library are mounted read-only and protected against modification — even by root. Since macOS 11 Big Sur, the system volume is sealed (SSV) and verified at boot.
- Process protection. Apple-signed binaries with restricted entitlements (Safari, WindowServer, most launchd-managed daemons) cannot be attached to by debuggers, even as root. This is what blocks DTrace, lldb, and DYLD_INSERT_LIBRARIES against them.
- Kext loading restrictions. Only Apple-signed kernel extensions (or developer-signed kexts with explicit user approval) can load.
- NVRAM and boot-args protection. Most NVRAM variables and boot-args cannot be modified without disabling SIP.
SIP can only be modified from Recovery via csrutil. The granular flags (--without dtrace, --without debug, --without fs, etc.) let you relax individual restrictions without disabling the whole policy — useful for research without losing the rest of the protections.
For syscall work, the relevant flag is usually csrutil enable --without dtrace, which keeps everything else locked down while letting DTrace probe Apple-signed binaries.
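Because the granular flags leave SIP reporting as enabled while one protection is off, a host audit has to read the per-protection lines, not just the status line. The script below is an added example, not part of the original page: it parses `csrutil status` text and lists which protections are relaxed. The function names and the sample output are constructed for illustration, and the sample's layout is an assumption modelled on a custom configuration.

```shell
#!/bin/sh
# Audit which SIP protections a host has relaxed, from `csrutil status` text.

# Overall state: enabled, custom, disabled, or unknown.
sip_state() {
    awk '
        /^System Integrity Protection status:/ {
            if ($0 ~ /Custom Configuration/) s = "custom"
            else if ($0 ~ /status: enabled/) s = "enabled"
            else if ($0 ~ /status: disabled/) s = "disabled"
        }
        END { print (s == "" ? "unknown" : s) }'
}

# One line per protection reported as disabled.
# "Apple Internal" is skipped: disabled is its expected value outside Apple.
sip_relaxed() {
    awk -F': *' '
        /^[ \t]+[^:]+: *(enabled|disabled)/ {
            name = $1; sub(/^[ \t]+/, "", name)
            if (name != "Apple Internal" && $2 ~ /^disabled/) print name
        }'
}

# Constructed sample (assumed layout) for `csrutil enable --without dtrace`.
sample_custom() {
cat <<'EOF'
System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: enabled
    Filesystem Protections: enabled
    Debugging Restrictions: enabled
    DTrace Restrictions: disabled
    NVRAM Protections: enabled
    BaseSystem Verification: enabled
EOF
}

# Summarise csrutil status text read from stdin.
report() {
    text=$(cat)
    echo "state: $(printf '%s\n' "$text" | sip_state)"
    printf '%s\n' "$text" | sip_relaxed | sed 's/^/relaxed: /'
}

# Use the real tool on macOS, the constructed sample elsewhere.
if command -v csrutil >/dev/null 2>&1; then csrutil status | report
else sample_custom | report; fi
```

A state of `custom` with only `DTrace Restrictions` listed matches the research configuration described above; any other relaxed protection on a managed machine is worth a follow-up.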
Together with AMFI and TCC, SIP forms the kernel-enforced layer of macOS's defence-in-depth model.