Skip to content

Glossary

SIP (System Integrity Protection)

A kernel-enforced runtime restriction that forbids even root from modifying system files, loading unsigned kexts, or attaching debuggers to Apple-signed processes.

SIP — System Integrity Protection — is the kernel policy that says: even when running as root, you cannot:

  • Write to anything under /System, /usr (except /usr/local), /bin, /sbin.
  • Load kexts that aren't signed by Apple.
  • Attach a debugger to Apple-signed processes.
  • Modify boot-arg nvram values that control kernel security.
  • Set process flags that would let you bypass other policies.
apple-oss-distributions/xnubsd/sys/csr.hcsrutil's kernel interface — flags that say which SIP protections are active.View on GitHub(line )

SIP is configured via the csrutil command in recoveryOS — you can't disable it from the running system. Disabling requires booting into recoveryOS and explicit user action.

On macOS 11+, SIP is reinforced by the Sealed System Volume — even if SIP were bypassed at runtime, the cryptographic seal over /System would prevent a modified system from booting.

See also: Sealed System Volume, code signing, TCC.