1. csrutil command
In a nutshell, Apple is adding a security mechanism to the new system.
The premise of the rootless discussion is the assumption that, in OS X (or other UNIX systems), the root account is the last line of defense protecting the operating system against malicious programs. This means that once an application has access to the root account, it gains unlimited access to the system: it can make real-time modifications, modify the disk, replace any system files, and so on.
Usage: csrutil enable [--without kext|fs|debug|dtrace|nvram] [--no-internal]
Disabling is equivalent to turning every protection switch off:
csrutil disable
(equivalent to csrutil enable --without kext --without fs --without debug --without dtrace --without nvram)
Each of these switches corresponds to one bit, with the following meanings:
B0: [kext] allows untrusted kexts to be loaded (equivalent to kext-dev-mode=1, which has been revoked)
B1: [fs] unlocks the file system restrictions
B2: [debug] allows task_for_pid() to be called
B3: [n/a] allows kernel debugging (the official csrutil tool cannot set this bit)
B4: [internal] Apple-internal reserved bit (csrutil sets this bit by default; it has no actual effect and can be set or not)
B5: [dtrace] unlocks the DTrace restrictions
B6: [nvram] unlocks the NVRAM restrictions
B7: [n/a] allows device configuration (new; its specific effect is not determined at the moment)
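The sketch below is an added example, not part of the original page or Apple's code: it computes the bitmask implied by a csrutil command line from the B0-B7 list above and decodes a mask back into the protections it turns off, which is useful when auditing a machine's configuration. The names mask_for, unlocked and parse_nvram are hypothetical, and two things are assumptions: that B4 is set unless --no-internal is given, and that the stored value is printed as percent-escaped little-endian bytes.

```python
import shlex
from urllib.parse import unquote_to_bytes

# Bit positions B0..B7 exactly as listed on this page.
BITS = ["kext", "fs", "debug", "kernel-debug", "internal",
        "dtrace", "nvram", "device-config"]
# Switches the page shows after --without.
SWITCHES = {"kext", "fs", "debug", "dtrace", "nvram"}


def mask_for(cmdline):
    """Return the bitmask a csrutil enable/disable command line implies."""
    args = shlex.split(cmdline)
    if len(args) < 2 or args[0] != "csrutil" or args[1] not in ("enable", "disable"):
        raise ValueError("expected 'csrutil enable ...' or 'csrutil disable'")
    rest = args[2:]
    if args[1] == "disable" and rest:
        raise ValueError("this sketch accepts no options after 'disable'")
    # 'disable' switches everything off; 'enable' starts with nothing off.
    off = set(SWITCHES) if args[1] == "disable" else set()
    internal = True  # assumption from the page: csrutil sets B4 by default
    while rest:
        opt = rest.pop(0)
        if opt == "--no-internal":
            internal = False
        elif opt == "--without" and rest and rest[0] in SWITCHES:
            off.add(rest.pop(0))
        else:
            raise ValueError(f"unrecognised option: {opt}")
    mask = sum(1 << BITS.index(name) for name in off)
    return mask | (1 << BITS.index("internal")) if internal else mask


def unlocked(mask):
    """Names of the bits set in a mask, lowest bit first."""
    return [name for bit, name in enumerate(BITS) if mask >> bit & 1]


def parse_nvram(value):
    """Decode a percent-escaped little-endian value (assumed format)."""
    return int.from_bytes(unquote_to_bytes(value), "little")


if __name__ == "__main__":
    for cmd in ("csrutil enable", "csrutil enable --without kext --without fs",
                "csrutil disable"):
        m = mask_for(cmd)
        print(f"{cmd:45} -> 0x{m:02x} {unlocked(m)}")
    print(unlocked(parse_nvram("w%00%00%00")))  # constructed sample value
```

Any bit other than B4 showing up in the decoded list means the corresponding protection is switched off on that machine.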
Command-line help output:
    clear
        Clear the existing configuration. Only available in Recovery OS.
    disable
        Disable the protection on the machine. Only available in Recovery OS.
    enable
        Enable the protection on the machine. Only available in Recovery OS.
    status
        Display the current configuration.
    netboot
        add <address>
            Insert a new IPv4 address in the list of allowed NetBoot sources.
        list
            Print the list of allowed NetBoot sources.
        remove <address>
            Remove an IPv4 address from the list of allowed NetBoot sources.
2.
Mac Usage Guide