John Naylor <john.naylor@enterprisedb.com> writes:
>> System Information says it's disabled. Running "csrutil status" complains
>> of an unsupported configuration, which doesn't sound good, so I should
>> probably go fix that independent of anything else. :-/
> Looking online, I wonder if the "unsupported" message might be overly
> cautious. In any case, I do remember turning something off to allow a
> debugger to run. Here are all the settings, in case it matters:
> Apple Internal: disabled
> Kext Signing: enabled
> Filesystem Protections: enabled
> Debugging Restrictions: disabled
> DTrace Restrictions: enabled
> NVRAM Protections: enabled
> BaseSystem Verification: enabled
I remember having seen that report too, after some previous software
upgrade that had started from a "SIP disabled" status. I'm mostly
guessing here, but my guess is that
(a) csrutil only considers the all-enabled and all-disabled states
of these individual flags to be "supported" cases.
(b) some one or more of these flags came along in a macOS update,
and if you did the update starting from a "disabled" state, you
nonetheless ended up with the new flags enabled, leading to the
mixed state that csrutil complains about.
I've lost count of the number of times I've seen macOS updates
be sloppy about preserving non-default settings, so I don't find
theory (b) to be even slightly surprising.
Whether the mixed state is actually problematic in any way,
I dunno. I don't recall having had any problems before noticing
that that was what I had.
regards, tom lane
