How to Install a Binary in SIP-Protected Locations in macOS without Recovery Mode

I'm looking for a solution to install a binary on a macOS system where System Integrity Protection (SIP) is enabled, and the target installation location is protected by SIP. I need to achieve this without booting into recovery mode to disable SIP.

Is there any method to achieve this, such as by creating separate packages that can handle SIP-protected locations, developing or using installer applications capable of navigating SIP constraints, leveraging specific entitlements or permissions to facilitate the installation, or utilising Mobile Device Management (MDM) solutions for deployment?

If anyone has experience or insights on any reliable ways to accomplish this, please share any detailed steps, tools, or best practices that could be useful.

Answered by ForumsContributor

Generally speaking, if an app could modify locations protected by SIP, it would constitute a SIP bypass, which is a vulnerability. Locations protected by SIP aren't meant to be modified by apps.

Could you provide more details on what you are trying to achieve? What is the SIP-protected path you're referring to?

I am looking to provide additional security for my binary

Who do you want to protect the binary from: any administrator user, root included (with Full Disk Access), or non-system apps (sandboxed or not) in general?

And what is the reason: protecting the binary from being modified, preventing the app's files from being read, or even preventing the binary itself from being read?

by utilizing a SIP-enabled location. Any SIP-protected directory would be suitable, with a preference for /usr/sbin.

The main purpose of SIP is ensuring the operating system's integrity. Your app is not part of the OS, so the OS is designed to prevent modifying SIP-protected locations.

If you were able to bypass these protections and place your own binaries at protected paths, again, it would represent a vulnerability that needs to be reported and fixed, since it defeats SIP's purpose.

So, I believe you cannot / should not be able to place your app in a SIP-protected directory without disabling SIP.

Alternatives to placing your binary in a SIP-protected location

There is a way to protect your app's files from being accessed and modified by other apps using SIP. Check out the App Sandbox part of the WWDC23 "What's new in privacy" session.

macOS Sequoia also has a new SIP feature for Group Containers.

Your app can also be protected by the hardened runtime, which is required by default for your app to be notarized.
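A practical pre-flight check that follows from the answer above: before an installer or post-install script tries to write under a path like /usr/sbin, confirm whether that path actually carries SIP's `restricted` file flag and whether SIP is on, so the failure is reported up front instead of surfacing as a cryptic "Operation not permitted" (or "Read-only file system" on a sealed system volume). This is an added example, not code from the thread or from Apple; it assumes the field layout of `ls -ldO` and `csrutil status` output on a stock Mac, and the sample strings below are constructed so the parsers can be exercised on any platform.

```python
"""Check whether an install target is covered by SIP before writing to it.

Added example, not code from the original thread.  Shells out to the macOS
tools (csrutil, ls -lO) when run on a Mac; the parsers are pure functions so
they can be exercised with the constructed sample output below.
"""
import subprocess
import sys
from pathlib import Path

# Constructed sample output in the shape the real tools print on macOS
# (assumption: `ls -lO` prints mode, links, owner, group, flags, size, ...).
SAMPLE_CSRUTIL = "System Integrity Protection status: enabled.\n"
SAMPLE_LS_RESTRICTED = "drwxr-xr-x  146 root  wheel  restricted 4672 Jan  1  2024 /usr/sbin\n"
SAMPLE_LS_PLAIN = "drwxr-xr-x    5 root  wheel  - 160 Jan  1  2024 /usr/local/bin\n"


def sip_enabled(csrutil_output: str) -> bool:
    """True only when csrutil reports SIP fully enabled.  A custom
    configuration prints 'unknown (Custom Configuration)' plus detail lines
    and is treated here as not fully enabled."""
    first = csrutil_output.strip().splitlines()[0].lower() if csrutil_output.strip() else ""
    return first.startswith("system integrity protection status: enabled")


def flags_from_ls_o(ls_output: str) -> set:
    """Extract the BSD file-flag column from one line of `ls -ldO`.
    Flags are comma-separated; a lone '-' means no flags are set."""
    fields = ls_output.split()
    if len(fields) < 5:
        raise ValueError("unexpected ls -lO output: %r" % ls_output)
    flags = fields[4]
    return set() if flags == "-" else set(flags.split(","))


def is_sip_restricted(ls_output: str) -> bool:
    """SIP marks protected paths with the 'restricted' flag."""
    return "restricted" in flags_from_ls_o(ls_output)


def nearest_existing(path: Path) -> Path:
    """Walk up until a component exists: a new file inherits protection from
    the directory it would be created in."""
    while not path.exists() and path != path.parent:
        path = path.parent
    return path


def check_install_target(target: str) -> str:
    """Run the real tools (macOS only) and return a one-line verdict."""
    csr = subprocess.run(["csrutil", "status"], capture_output=True, text=True).stdout
    parent = nearest_existing(Path(target))
    ls = subprocess.run(["ls", "-ldO", str(parent)], capture_output=True, text=True).stdout
    if is_sip_restricted(ls):
        if sip_enabled(csr):
            return f"{target}: {parent} is SIP-restricted and SIP is enabled; the write will fail"
        return f"{target}: {parent} is SIP-restricted but SIP is not fully enabled; writable by root"
    return f"{target}: {parent} is not SIP-restricted; root or an installer package can write here"


if __name__ == "__main__":
    for t in sys.argv[1:] or ["/usr/sbin/mytool", "/usr/local/bin/mytool"]:
        print(check_install_target(t))
```

Run it as `python3 sipcheck.py /usr/sbin/mytool` on the Mac you intend to install on; the verdict for /usr/sbin with SIP enabled is that the write will fail, which is the behaviour the answer above describes. Note that the check is about the install location, not the binary: /usr/local/bin is the conventional unprotected place for third-party tools.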

AFAIK this is impossible, at some point your binary needs to be loaded into memory. Unless it is being loaded into a secure region of memory, it isn't safe. May I suggest a more open and honest approach with a custom integrity protection system, like storing file hashes. Nothing is going to stop a dedicated reverse engineer, and everything is vulnerable whether you like it or not. Have you thought of solutions that don't involve actively hiding the binary from users and instead take reasonable steps to protect stored information?

Maybe rethink your trust model to put the user at the center of it.
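The "store file hashes" approach from the reply above, worked through as an added example that is not code from the thread: a manifest of SHA-256 digests for every file in the app's own directory, authenticated with an HMAC so that an attacker who edits a file cannot simply update the hash next to it. The key name `MANIFEST_KEY` and the tiny bundle built in `demo()` are constructed for illustration; in a real deployment the key would be held outside the bundle (for example by a verifying daemon), and, as the reply says, none of this stops someone who controls the verifier itself.

```python
"""Integrity manifest for an app's own files (added example, not from the thread).

Hashes every file under a root, signs the list with an HMAC, and reports
modified, missing or added files.  The HMAC means an attacker must also forge
the tag, not just rewrite one hash; it assumes the key is kept out of reach of
whoever can write the bundle, which is the hypothetical MANIFEST_KEY below.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

MANIFEST_KEY = b"example-key-replace-me"  # assumption: real key provisioned out of band


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(entries: dict) -> bytes:
    """Stable encoding so the HMAC covers exactly what verify() reads back."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root: Path, key: bytes = MANIFEST_KEY) -> dict:
    """Hash every regular file under root and tag the list."""
    entries = {str(p.relative_to(root)): sha256_file(p)
               for p in sorted(root.rglob("*")) if p.is_file()}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"files": entries, "hmac": tag}


def verify_manifest(root: Path, manifest: dict, key: bytes = MANIFEST_KEY) -> list:
    """Return a list of problems; an empty list means the tree matches the manifest."""
    expected_tag = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["hmac"]):
        # Stop here: the file list itself cannot be trusted.
        return ["manifest tag mismatch: manifest altered or wrong key"]
    problems = []
    present = {str(p.relative_to(root)) for p in root.rglob("*") if p.is_file()}
    for rel, digest in manifest["files"].items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif sha256_file(root / rel) != digest:
            problems.append(f"modified: {rel}")
    for rel in sorted(present - set(manifest["files"])):
        problems.append(f"unexpected: {rel}")
    return problems


def demo() -> tuple:
    """Constructed scenario: clean bundle, then a tampered binary, then an
    attacker who patches the hash in the manifest without knowing the key."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"#!/bin/sh\necho hello\n")
        (root / "Info.plist").write_text("<plist/>")
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)

        (root / "bin" / "tool").write_bytes(b"#!/bin/sh\necho pwned\n")
        tampered = verify_manifest(root, manifest)

        patched = {"files": {**manifest["files"],
                             "bin/tool": sha256_file(root / "bin" / "tool")},
                   "hmac": manifest["hmac"]}
        forged = verify_manifest(root, patched)
        return clean, tampered, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(f"{label}: {result or 'OK'}")
```

The verifier must live somewhere the attacker cannot trivially rewrite (and should itself be code-signed under the hardened runtime mentioned earlier); keep the manifest outside the hashed tree or it will appear as an unexpected file.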
