Peter Eisentraut <peter.eisentr...@enterprisedb.com> writes:
> On 01.03.21 15:44, Tom Lane wrote:
>> Peter Eisentraut <peter.eisentr...@enterprisedb.com> writes:
>>> I have since learned that there is a way to disable only the part of SIP
>>> that is relevant for us. This seems like a useful compromise, and it
>>> appears that a number of other open-source projects are following the
>>> same route. I suggest the attached documentation patch and then close
>>> this issue.

>> Hmm, interesting. Where is it documented what this does?

> Not really documented AFAICT, but here is a source:
> https://developer.apple.com/forums/thread/17452

Hmm. So I tried this, ie "csrutil enable --without debug" in the
recovery system, and after rebooting what I see is

$ csrutil status
System Integrity Protection status: unknown (Custom Configuration).

Configuration:
        Apple Internal: disabled
        Kext Signing: enabled
        Filesystem Protections: disabled
        Debugging Restrictions: enabled
        DTrace Restrictions: enabled
        NVRAM Protections: enabled
        BaseSystem Verification: enabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.
$

which is, shall we say, not the set of options the command appeared
to select. It does work, in the sense that "make check" is able
to complete without having an installation tree. But really, Apple
is doing their level best to hang a "here be dragons" sign on this.
I'm not comfortable with recommending it, and I'm about to go turn
it off again, because I have no damn idea what it really does.

                        regards, tom lane