Re: macOS SIP, next try

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com>
Cc: Mark Dilger <mark(dot)dilger(at)enterprisedb(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: macOS SIP, next try
Date: 2021-03-05 00:36:18
Message-ID: 1428909.1614904578@sss.pgh.pa.us
Lists: pgsql-hackers

Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com> writes:
> On 01.03.21 15:44, Tom Lane wrote:
>> Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com> writes:
>>> I have since learned that there is a way to disable only the part of SIP
>>> that is relevant for us. This seems like a useful compromise, and it
>>> appears that a number of other open-source projects are following the
>>> same route. I suggest the attached documentation patch and then close
>>> this issue.

>> Hmm, interesting. Where is it documented what this does?

> Not really documented AFAICT, but here is a source:
> https://developer.apple.com/forums/thread/17452

Hmm. So I tried this, i.e. "csrutil enable --without debug" in the
recovery system, and after rebooting what I see is

$ csrutil status
System Integrity Protection status: unknown (Custom Configuration).

Configuration:
Apple Internal: disabled
Kext Signing: enabled
Filesystem Protections: disabled
Debugging Restrictions: enabled
DTrace Restrictions: enabled
NVRAM Protections: enabled
BaseSystem Verification: enabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.
$

which is, shall we say, not the set of options the command appeared
to select. It does work, in the sense that "make check" is able
to complete without having an installation tree. But really, Apple
is doing their level best to hang a "here be dragons" sign on this.
I'm not comfortable with recommending it, and I'm about to go
turn it off again, because I have no damn idea what it really does.

regards, tom lane
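The "csrutil status" output Tom pasted is exactly what a fleet or compliance check has to parse: the one-line "enabled." form and the "unknown (Custom Configuration)" form with a Configuration block, where the flag that was typed ("--without debug") does not match the protection that actually ended up disabled ("Filesystem Protections"). The script below is an added example for readers of this thread, not code from the message or from the PostgreSQL project. It embeds Tom's quoted output verbatim as one sample; the one-line "enabled." and "disabled." forms are assumed from memory of csrutil on a stock machine and are not shown on this page. It reads the status text on stdin, reports which named protections are disabled, and exits non-zero unless SIP is fully enabled, so it can gate a provisioning or CI step.

```shell
#!/bin/sh
# Added example (not from the thread): classify `csrutil status` output.
# The point of parsing the Configuration block instead of trusting the
# "--without" flag you typed is visible in the quoted output above:
# "--without debug" left Debugging Restrictions enabled and Filesystem
# Protections disabled.

# Quoted verbatim from Tom Lane's message above.
CSRUTIL_CUSTOM='System Integrity Protection status: unknown (Custom Configuration).

Configuration:
Apple Internal: disabled
Kext Signing: enabled
Filesystem Protections: disabled
Debugging Restrictions: enabled
DTrace Restrictions: enabled
NVRAM Protections: enabled
BaseSystem Verification: enabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.'

# Assumed (not shown on the page): the one-line forms csrutil prints when
# SIP is fully enabled or fully disabled.
CSRUTIL_ENABLED='System Integrity Protection status: enabled.'
CSRUTIL_DISABLED='System Integrity Protection status: disabled.'

# sip_posture: read csrutil status text on stdin and print one line:
#   enabled | disabled | custom (<comma-separated disabled protections>)
# Exit status is 0 only when SIP is fully enabled. "Apple Internal" is
# skipped: it shows as disabled in the quoted output even though nothing
# asked for it, so it carries no information about --without flags.
sip_posture() {
    overall=""
    disabled=""
    while IFS= read -r line; do
        case "$line" in
            "System Integrity Protection status: enabled."*)  overall=enabled ;;
            "System Integrity Protection status: disabled."*) overall=disabled ;;
            "System Integrity Protection status: unknown"*)   overall=custom ;;
            "Apple Internal:"*) ;;
            *": disabled")
                name=${line%: disabled}
                disabled="${disabled:+$disabled, }$name" ;;
        esac
    done
    case "$overall" in
        enabled)  echo "enabled";            return 0 ;;
        disabled) echo "disabled";           return 1 ;;
        custom)   echo "custom ($disabled)"; return 1 ;;
        *)        echo "unparseable";        return 2 ;;
    esac
}

# Demonstration on the quoted sample. On a live Mac replace the printf
# with:  csrutil status | sip_posture
if printf '%s\n' "$CSRUTIL_CUSTOM" | sip_posture; then
    echo "SIP is fully enabled"
else
    echo "SIP is not fully enabled; refusing to treat this host as protected"
fi
```

The classification keys only on the overall status line plus any "Name: disabled" entries, so a future csrutil that adds or renames protections still gets reported rather than silently passing; anything that matches none of the known status lines is flagged as unparseable with its own exit code.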
