Can't change security policy or disable SIP with macOS 15 Sequoia

43 pointsposted 10 months ago
by transpute
(lapcatsoftware.com)

55 Comments

burke

10 months ago

As someone working in developer tools for a company with thousands of people developing software on MacBooks, MAN do I resent SIP. I've recently started calling it "Systems Implementation Prevention".

It's incredible that it's 2024 and I can't cobble together anything vaguely container-like on macOS because:

* bind mounts don't exist (?!)

* clonefile() could maaaybe do the job but doesn't work cross-volume and a lot of the stuff outside of /Users is a different volume

* there's no filesystem namespace.

* chroot doesn't work either because /usr/lib/libsystem.B.dylib is required, but also pretend.

* And it sounds like chroot runs afoul of some SIP rule nowadays even if you can get past the above.

* A lot of this could be worked around with FUSE, but in order to turn that on, we'd have to turn off a lot of SIP.

The closest we can get without virtualization is sandbox-exec, which just allows allowing/denying file reads by path, with no path translation. And also is deprecated.

Nevermind that dtrace exists but you're not allowed to use it either.

Truly, the worst UNIX.

ChocolateGod

10 months ago

> * A lot of this could be worked around with FUSE, but in order to turn that on, we'd have to turn off a lot of SIP.

Didn't the latest MacOS update add something similar with userspace filesystems

mbirth

10 months ago

Not macOS directly, but there’s fuse-t which works in userspace and just creates an NFS server which it automatically mounts via macOS-own capabilities.

The library is a drop-in replacement for libfuse and works great for me.

https://www.fuse-t.org

viraptor

10 months ago

> Nevermind that dtrace exists but you're not allowed to use it either.

You're not losing anything, dtrace even without SIP has been broken and unusable for at least 2 major versions now.

pxc

10 months ago

What's broken in dtrace even with SIP disabled?

jsolson

10 months ago

Why do you want to avoid virtualization?

burke

10 months ago

It's very heavyweight, and there's no good shared filesystem option.

We did use virtualization for a bunch of stuff before the move to Apple Silicon, back when Hypervisor.framework and xhyve actually existed and were plausibly useful.

Those also fell by the wayside in the architecture migration and now virtualization has a massive performance cost.

Apparently the M4 chips are on ARMv9 which is apparently much better at virtualization, but it remains to be seen whether apple provides anything lightweight again.

plorkyeran

10 months ago

Filesystem perf is definitely an issue, but cpu wise virtualization perf is basically free on Apple Silicon. I don’t know why you think Hypervisor.framework went away or became useless in the architecture migration. Obviously x86 VMs are slow, but we’ve been using arm64 VMs for years now with great results.

burke

10 months ago

Ok, probably I'm over-interpreting some first-year pain with the new chips.

Anyway, even at that, virtualization isn't really my preferred way to solve any of the problems I have.

darklion

10 months ago

Uh, Hypervisor still exists, and is still supported: https://developer.apple.com/documentation/hypervisor

burke

10 months ago

Yep. However, before the Apple Silicon migration, VT-x gave us extremely low-overhead virtualization. We built a tiny linux kernel that booted in a second or two and were able to run whatever we wanted with minimal perf overhead.

In the Apple Silicon migration, obviously emulating x86_64 got slow, but even when we built ARM64 VMs, performance was still miserable: there was (is?) no way -- at least no way we ever figured out -- to get reasonable perf out of virtualization on a macbook.

It's possible that this changed post-M1 and it sounds likely it's set to change with M4.

EDIT: ok, I'm probably hallucinating more problem than there actually turned out to be based on the pain in the first year of the M1 chips.

inkyoto

10 months ago

If you are referring to the nested virtualisation support in ARM v8, it was added in the ARM v8.3-A revision of the architecture, and M1 uses ARM v8.5-A as the baseline.

But yes, virtualisaiton support for ARM (in general) was abysmal and Apple Silicon was the catalyst that pushed people over the edge towards improving it across aarch64 (also in general).

hi-v-rocknroll

10 months ago

> It's very heavyweight

I guess your dainty, utopian senses are irrationally offended by something that works. Some types of virtualization offer hard isolation guarantees while cgroups, chroot, jails and the like provide pretend isolation lacking hard guarantees about either security or resource limits. KVM is tiny and so is Virtualization.framework. If you want perfect "containers", you're not going to find them anywhere because they try solve a problem (convenience, speed, and isolation) at the wrong level, in the wrong way. Type 1 Xen and VMware are the gold standards supporting all sorts of deduplication, replication, and migration options that containers can't touch. Type 2 Kata Containers is another option out there with stronger guarantees with the same interface as CRI. If these don't work for you, write a better solution that can divvy disk IOPS and latency, process manipulation, memory shares and bandwidth, network bandwidth and priority, and VFS fairly while sandboxing misbehaving processes from taking down other containers on the same host. I submit that these are essentially impossible goals with the architecture of Linux, which is why variants of virtualization providing paravirtualized guests is generally superior in providing service guarantees because there is out-of-band management exterior to fallible, DoSable containers.

burke

10 months ago

> I guess your dainty, utopian senses are irrationally offended by something that works

1) What

talldayo

10 months ago

> If these don't work for you, write a better solution

It's MacOS, you fucking can't.

Vilian

10 months ago

Bro read one line and went crazy

m463

10 months ago

> Truly, the worst UNIX.

You're not the target market.

:(

Vilian

10 months ago

It's still the worse unix, if the target market don't care don't change that fact

talldayo

10 months ago

If the Xserve's legacy is anything to go by, neither are UNIX customers.

DidYaWipe

10 months ago

After upgrading, I was prompted to allow the AltTab utility to control something "for one month," or to open Settings. So I opened Settings and everything was already enabled.

The question is who is clamoring for all this BS? The cynic would say that Apple is prepping us all for the eventual iOSification of Macs, where you can't do squat. Which will leave only Linux as a viable (AKA tolerable) computing platform.

ocodo

10 months ago

To be fair, I switched away from Windows back in ~2004 and used Macos pretty much exclusively since then, with the exception of Linux, which wasn't feeling as good for desktop.

I switched again, in Dec 2023 to Linux as desktop, due to the kind of issues we're discussing ITT, and also due to Apple's "buy new, you can't repair" effective hardware policy.

I setup a couple of Windows 11 machines with WSL too, and tend to use them a lot more than I expected. There's issues, and I'm still figuring some things out wrt to doing things in Windows (not WSL) but the experience is significantly better than expected.

I'm not a fan of M$ but Apple are really taking the cake for anti-user hostility these days.

linuxguy2

10 months ago

and iTerm, Zoom, WebEx, Teams, talosctl... All kinds of prompts like that only to find everything enabled.

ocodo

10 months ago

It was when Apple started to imply that Chromium, LibreOffice etc was Malware...

Yeah, sure Apple.... sure.

daft_pink

10 months ago

it’s pretty obnoxious especially when it’s something vital that I use my mac for everyday like displaylink or google chrome audio sharing or microsoft teams

mbirth

10 months ago

I've got the same on a stock M1 MBP. At some point in the past I've disabled SIP - probably when I was playing around with FUSE.

Did all the Betas - never had any problem. However, after installing the RC/final version of Sequoia, I suddenly had a popup after bootup about an updated extension from "Apple Inc." and to please allow the updated version.

In Settings --> Privacy I was able to "Allow" the extension, however, this also requires a reboot. And after the reboot, the same popup appeared again.

I've put in a ticket - FB15087179.

Apple replied and said to first, toggle Activation Lock/Find My and wait 5+ minutes in-between. (Either off - wait 5mins - on, or on - wait 5mins - off.) Then boot into the bootloader and turn SIP on, then back off again.

However, when trying to turn SIP on, I get the same error as OP:

SDErrorDomain error 104.

I've found another user on Twitter with the same issue: https://x.com/davidhsherman13/status/1833264669793923151

After reporting my findings in the Apple Feedback thing, I've yet to get further instructions to try.

mbirth

10 months ago

A Reddit user found a solution: https://old.reddit.com/r/MacOSBeta/comments/1fhl39c/system_e...

I've noticed he disabled "Find My Mac" in the first step and only enabled it again after everything was done.

This seems to be the key. I suspect the "SDErrorDomain error 104" is related to the "Activation Lock" aka. "Find My Mac".

I've disabled Find My Mac, booted into recovery and was finally able to set it to "Full Security" and back to "Reduced Security" again without problems. After that and a fresh boot, the popup message about the updated extension was gone.

Enabled "Find My Mac" again (after setting the system to "Full Security" first - as that's the setting I intended to use) and all is well.

nb. SIP was enabled for me the whole time. It was the security mode running on "Reduced Security" (both checkboxes checked) which was probably the cause for the "updated extension" issue.

nativeit

10 months ago

For everyone who reads the title and instantly assumes this is something Apple has done—this is a tech support request for an error this person has encountered.

eksu

10 months ago

I did a .ipsw restore of my M1 Mac mini to 15 Sequoia RC last week and have since gone in and lowered the Security Policy to install ZFS kexts. I wonder if your issue is a bug relating to your multi MacOS boot setup? Have you posted this on MacRumors or elsewhere?

habitue

10 months ago

The ideal state for Apple and their target audience is to make your computer an appliance. They really don't want a wide set of configuration options, that makes it harder to service and harder to test.

People are kind of anchored to how Mac is / used to be etc, thinking of it as basically another unix. That's a historical blip in retrospect. Long term, their market really isn't developers & technical users, there are not enough of those to make concessions to.

In order to really help Aunt Sally keep her computer running and functional, they need to make sure that her nephew Billy can't make any complicated or potentially dangerous changes to the lower levels of the OS based on some internet forum post. If you need that kind of configurability, you really want a different OS. (Alternately, consider whether you really do need that configurability. Maybe you just think you do, and you'd much rather have a stable operating system that just works)

Brian_K_White

10 months ago

My definition of a tool that just works is not a hammer that will only hit some kinds of nails and refuses to break rocks.

Even an appliance is a tool. A bicycle, as in "bicycle for the mind" does not become more useful and valid when it gains the ability to decide if it agrees with how and where it's being operated.

There are people who think that's a good thing, who think the ultimate form of life would be the wonderful order if all the bicycles kept anyone from going too fast, removing their hands from the handle bars, riding on sidewalks, ignoring traffic lights, etc...

But those bicycles are no longer human amplifiers. They are no longer tools, or they are tools but the user is not the person on the bike.

The order argument ignores the ultimate purpose of any tool, and ultimately the point of human existence itself. It's flatly invalid to forget that the person wields the tool, not the other way around. Sanity checks and guard rails and sane defaults etc are one thing, those are themselves tools that ultimately empower the wielder, as long as the user is the one who ultimately controls them.

altairprime

10 months ago

> How do I fix it?

Image the partitions to a backup location. Zero the entire drive. Clear nvram. Reinstall macOS 15. See if it’s resolved.

mbirth

10 months ago

You must have missed the part where it says that it's an M1 Mac. They don't have NVRAM you could clear. And zeroing the entire drive is also a bad idea as it also houses the "One True Recovery" - the only allowed pre-boot system. Once deleted, good luck getting your system working again. See: https://eclecticlight.co/2021/01/14/m1-macs-radically-change...

altairprime

10 months ago

> You must have missed the part where it says that it's an M1 Mac.

That's certainly one possibility.

> They don't have NVRAM you could clear.

`nvram -p` still works fine on Apple Silicon — though I'm pretty sure it's only modifiable by the kernel these days — but, I haven't had a Mac that needed that wiped for years and years, so I missed that this is all the system image's problem on Apple Silicon now — thanks!

> Once deleted, good luck getting your system working again.

Per the 2021 post linked:

> the only way to recover it is to restore the whole firmware and software image in DFU mode

That's not "good luck" — that is, literally, the documented and expected next step, same as all the other Apple CPU devices, whether they're handheld or laptop or desktop: boot into DFU mode and factory reset it using another device.

https://support.apple.com/en-us/108900

I know the author of the original post is aware of how to do that, and I recognize that they have chosen not to do so. I'm really glad that they explore all this stuff in depth; I don't have a development device to muck around with like they do!

user

10 months ago

[deleted]

talldayo

10 months ago

[flagged]

adamtaylor_13

10 months ago

I don’t understand. Can you explain?

dijit

10 months ago

He’s suggesting that people shouldn’t buy apple products.

Given that the only viable commercial alternative is Windows, with arguably much more egregious user-hostile behaviour (especially towards power users) I find his comment disingenuous.

Edit: Downvoted for answering? Shame on you HN.

talldayo

10 months ago

Hey, if you don't want to admit that both OSes are metastasizing the same tumor it's not my problem. I don't use either MacOS or Windows nowadays, but my experience developing with WSL was ~10x more stable than any Mac environment I've made for the same purpose. For Docker, the performance differential is so wide it's embarrassing.

dijit

10 months ago

The alternatives are not commercially viable. (even though I am a Linux/OpenBSD user- and a loud one).

MacOS is perfectly serviceable with things like colima.

Calling MacOS user-hostile (due to SIP being enforced?!) is quite a bit different than the actual major usability issues that Windows has been pushing on users, it’s not fair to compare them like this.

Commercially viable Linux desktops can’t come soon enough; though desktop computing is dying.

dialup_sounds

10 months ago

"I don't know the answer, but I have strong opinions about the question."

talldayo

10 months ago

[flagged]

gjsman-1000

10 months ago

> Stop using Apple products

Remember that all of the above applies to any device with Secure Boot; including but not limited to all Android devices. Additionally, let's not pretend Windows is the paragon of user freedom.

fsflover

10 months ago

All true, which is why I daily drive Qubes OS with coreboot and TPM with my own keys.

talldayo

10 months ago

Wherever the bootloader is open, none of that really tends to matter.

> Additionally, let's not pretend Windows is the paragon of user freedom.

False dichotomy

gjsman-1000

10 months ago

Fair dichotomy when modern computers have very hit-and-miss Linux compatibility. Who cares if the bootloader's unlocked when sleep doesn't work?

zdragnar

10 months ago

I've been using Linux on laptops almost exclusively for years. I made two exceptions:

1) one job required mac laptops. The user experience was, for my tastes, subpar, and the performance was the same or worse.

2) I keep a windows install around for the rare case of playing a game.

It really isn't that hard to look up hardware compatibility online, and of the three OSs, windows is easily the worst. Booting occasionally fails, sometimes reboot will shut down, or the shut down option will reboot instead.

I've had less problems running Linux (currently fedora) than anything else in the last, I dunno, 8 years?

gjsman-1000

10 months ago

> It really isn't that hard to look up hardware compatibility online

Code for, “buy a new computer.” In which case my point stands even stronger: who cares if the boot loader is locked, if I can just buy a different computer with it unlocked?

Also, good for you that Linux works. That’s not anywhere close to universal.

zdragnar

10 months ago

It may, however, be far more common than you expect.

mistrial9

10 months ago

> To Apple, it doesn't matter if your livelihood or carefully-written software relies on a depreciated feature. They never have.

not entirely true, but especially true of Steve Jobs, who seemed to make some special personal effort to crush people and their products. The current CEO was hand-picked by Jobs for his ability to dominate contract negotiations IIR.