Services loading back when SIP is restored #334

Closed
dkadev opened this issue Mar 29, 2019 · 4 comments

dkadev commented Mar 29, 2019

Whenever I unload any service through $ sudo launchctl unload -w or $ launchctl unload -w after disabling SIP, it works if I don't enable it again.
But when I enable SIP again and restart, every single service comes back.
Also, the karek314/macOS-home-call-drop audit returns that services are running again.

I'm running the latest update of Mojave btw: 10.14.4 (18E226)

Author

dkadev commented Mar 29, 2019

This seems to have been happening since Mac OS 10.12.4, and Apple will not fix it (see SIP in 10.12.4 prevents unloading system daemons).

"Since posting this I have learned about the whitelist at /System/Library/Sandbox/com.apple.xpc.launchd.rootless.plist."

So a workaround would be to add each service desired to that whitelist. Steps:

  1. Disable SIP in recovery mode with $ csrutil disable and reboot.

  2. Add services to /System/Library/Sandbox/com.apple.xpc.launchd.rootless.plist.
    e.g. 'apsd' (same example in the guide)
    $ sudo nano /System/Library/Sandbox/com.apple.xpc.launchd.rootless.plist
    Add key(s) at bottom:
    <key>com.apple.apsd</key> <true/>

  3. Unload agents and daemons previously added to the whitelist
    $ launchctl unload -w or $ sudo launchctl unload -w
    e.g.
    $ sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist

  4. Reboot into recovery mode and enable SIP again with $ csrutil enable.

  5. Reboot again and agents and daemons will be unloaded with SIP enabled.

Works for me in Mojave 10.14.4 (29/03/2019)

(Anyway, you can disable some services from Recovery mode at once without needing the whitelist.)

Author

dkadev commented Oct 19, 2019

This won't work exactly as I described since macOS Catalina, as /System is now a read-only volume and Apple has restricted writing permissions on every file hanging from there.

However, it's not impossible to edit this Sandbox .plist (/System/Library/Sandbox/com.apple.xpc.launchd.rootless.plist).
You will have to boot into recovery mode and modify it from there, but first you need to mount the Data volume from Disk Utility to have access later via Terminal.

I will open an issue at call-drop too as @hazcod said. Sorry for not answering your comment before.

Owner

drduh commented Feb 6, 2020

I've referenced this issue in the Services section. Feel free to PR integrating instructions into the guide, but I think the writing is on the wall for the ability to disable system services.

@drduh drduh closed this as completed Feb 6, 2020

roblav96 commented May 26, 2020

@dkadev @drduh

Tested on Catalina 10.15.4

The way around this while retaining SIP after disabling agents and/or daemons:

  1. Reboot to recovery, hold ⌘ + R
  2. Open Utilities ↳ Terminal from the top menu bar
  3. Temporarily disable SIP: csrutil disable
  4. Rename the *.plist files located in /System/Library/LaunchAgents and/or /System/Library/LaunchDaemons, for example: https://github.com/roblav96/dotfiles/blob/a519745618eeb7cd7d014f364920d570263d2dea/macosx/launchctl.catalina.sh#L384
  5. Enable SIP: csrutil enable
  6. Reboot 👍
  6. Reboot 👍
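
One way to confirm, after the final reboot with SIP enabled, that the services unloaded by either workaround above have stayed unloaded. This is an added example, not code from any commenter or from the guide; the names check_services and sample_list and the com.example.* labels are hypothetical, and it assumes the three-column PID/Status/Label output of launchctl list.

```shell
#!/bin/sh
# Added example (not from the thread): compare a list of labels you unloaded
# against saved `launchctl list` output (columns: PID, Status, Label).
# System daemons show up in `sudo launchctl list`, user agents in `launchctl list`.

# check_services LIST_FILE LABEL...
# Prints one line per label, then a summary line.
check_services() {
    list_file=$1
    shift
    total=$#
    loaded=0
    for label in "$@"; do
        # Exact match on column 3, so com.apple.aps never matches com.apple.apsd.
        pid=$(awk -v want="$label" '$3 == want { print $1; exit }' "$list_file")
        if [ -z "$pid" ]; then
            echo "ok       $label (not loaded)"
        elif [ "$pid" = "-" ]; then
            # A "-" PID means launchd has the job loaded but no process is running.
            echo "LOADED   $label (no running process)"
            loaded=$((loaded + 1))
        else
            echo "RUNNING  $label (pid $pid)"
            loaded=$((loaded + 1))
        fi
    done
    echo "$loaded of $total label(s) loaded"
}

# Constructed sample of `launchctl list` output; com.example.* labels are made up.
sample_list() {
    printf '%s\t%s\t%s\n' PID Status Label
    printf '%s\t%s\t%s\n' 312 0 com.apple.apsd
    printf '%s\t%s\t%s\n' - 0 com.example.idle
    printf '%s\t%s\t%s\n' 97 -9 com.example.other
}

tmp=$(mktemp)
sample_list > "$tmp"
check_services "$tmp" com.apple.apsd com.example.idle com.example.gone
rm -f "$tmp"
```

On a real system, redirect the output of sudo launchctl list (and of launchctl list for user agents) to a file and pass that file with the labels you unloaded; any RUNNING or LOADED line means the service came back.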
