So, we haven't gotten anywhere satisfying with these proposed technical solutions.

I have since learned that there is a way to disable only the part of SIP that is relevant for us. This seems like a useful compromise, and it appears that a number of other open-source projects are following the same route. I suggest the attached documentation patch and then closing this issue.

From 7efb0ec3e15f37f9c5e12845aeccd9cd8693c01d Mon Sep 17 00:00:00 2001
From: Peter Eisentraut <pe...@eisentraut.org>
Date: Mon, 1 Mar 2021 07:58:17 +0100
Subject: [PATCH] doc: Update information on macOS SIP

On more recent versions of macOS, it is sufficient to disable only a
part of SIP in order to get make check to run before make install.
Document how.
---
 doc/src/sgml/installation.sgml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml
index 66ad4ba938..39adf1f5d9 100644
--- a/doc/src/sgml/installation.sgml
+++ b/doc/src/sgml/installation.sgml
@@ -2375,6 +2375,9 @@ <title>macOS</title>
     You may or may not wish to also install Xcode.
    </para>
 
+   <sect3 id="installation-notes-macos-sysroot">
+    <title>Sysroot</title>
+    
    <para>
     On recent <productname>macOS</productname> releases, it's necessary to
     embed the <quote>sysroot</quote> path in the include switches used to
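Review bot: the added line directly after <title>Sysroot</title> consists only of spaces, which git will flag as trailing whitespace; make it a truly empty line or drop it. The paragraphs that the new sect3 now wraps keep their old indentation, so <para> sits at the same depth as <sect3>. That keeps the diff small, but it is worth saying in the commit message that it is deliberate.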
@@ -2419,6 +2422,10 @@ <title>macOS</title>
     to build with a non-Apple compiler, but beware that that case is not
     tested or supported by the PostgreSQL developers.
    </para>
+   </sect3>
+
+   <sect3 id="installation-notes-macos-sip">
+    <title>System Integrity Protection</title>
 
    <para>
     <productname>macOS</productname>'s <quote>System Integrity
@@ -2429,6 +2436,25 @@ <title>macOS</title>
     install</literal> before <literal>make check</literal>.
     Most PostgreSQL developers just turn off SIP, though.
    </para>
+
+   <para>
+    To disable SIP, boot into recovery mode, open a terminal, and run
+<programlisting>
+csrutil disable
+</programlisting>
+   and reboot.  In macOS version 10.14 and later, it is sufficient to disable
+   the <quote>Debugging</quote> part of SIP, by running
+<programlisting>
+csrutil enable --without debug
+</programlisting>
+    instead.  The status of SIP can be shown using
+<programlisting>
+csrutil status
+</programlisting>
+    Note that that status display does not reflect changes until after a
+    reboot.
+   </para>
+   </sect3>
   </sect2>
 
   <sect2 id="installation-notes-mingw">
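Review bot: the new paragraph leads with "csrutil disable" and offers "csrutil enable --without debug" only as an alternative, although the text itself says the narrower form is sufficient on macOS 10.14 and later. I would put the partial form first and give the full disable as the fallback for older releases, so readers do not switch off more protection than make check needs. The wording should also state explicitly that the partial form is run from recovery mode and followed by a reboot ("instead" only implies it), and say how to restore full protection afterwards. The unchanged sentence "Most PostgreSQL developers just turn off SIP, though" now sits right before this advice and may need rewording to match. Nit: the lines starting "and reboot." and "the <quote>Debugging</quote>" are indented three spaces while the rest of the paragraph uses four.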
-- 
2.30.1
