drduh/macOS-Security-and-Privacy-Guide

Services loading back when SIP is restored

dkadev opened this issue · 4 comments

Whenever I unload any service through $ sudo launchctl unload -w or $ launchctl unload -w after disabling SIP, it works if I don't enable it again.
But when I enable SIP again and restart, every single service comes back.
Also, the karek314/macOS-home-call-drop audit returns that services are running again.

I'm running the latest update of Mojave btw, 10.14.4 (18E226)

This seems to be happening since Mac OS 10.12.4, and Apple will not fix it (see SIP in 10.12.4 prevents unloading system daemons)

"Since posting this I have learned about the whitelist at /System/Library/Sandbox/com.apple.xpc.launchd.rootless.plist."

So a workaround would be to add each service desired to that whitelist. Steps:

  1. Disable SIP in recovery mode $ csrutil disable and reboot.

  2. Add services to /System/Library/Sandbox/com.apple.xpc.launchd.rootless.plist.
    e.g. 'apsd' (same example as in the guide)
    $ sudo nano /System/Library/Sandbox/com.apple.xpc.launchd.rootless.plist
    Add key(s) at bottom:
    <key>com.apple.apsd</key> <true/>

  3. Unload agents and daemons previously added to the whitelist
    $ launchctl unload -w or $ sudo launchctl unload -w
    e.g.
    $ sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist

  4. Reboot into recovery mode and enable SIP again with $ csrutil enable.

  5. Reboot again, and the agents and daemons will be unloaded with SIP enabled.

Works for me in Mojave 10.14.4 (29/03/2019)

(Anyway, you can disable some services from Recovery mode at once, without needing the whitelist.)
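An added example for the steps above (not code from the guide, from Apple, or from this thread): it audits a copy of the whitelist plist against the labels you want disabled, produces the edited plist for step 2, and prints the launchctl lines for step 3. The sample plist content and the com.example label are constructed, and the script assumes a daemon's plist filename matches its label, as with com.apple.apsd.

```python
"""Audit and extend the launchd rootless whitelist discussed in this issue.

Runs offline on plist bytes. On a real machine you would read the file at
ROOTLESS_PLIST while SIP is disabled (step 1) and write the result back.
"""
import plistlib

# Path named in the thread; this script never touches it directly.
ROOTLESS_PLIST = "/System/Library/Sandbox/com.apple.xpc.launchd.rootless.plist"

# Constructed sample in the file's format: a dict of label -> <true/>.
# The real file contains many more Apple service labels.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.example.existing</key>
    <true/>
</dict>
</plist>
"""


def whitelisted_labels(plist_bytes):
    """Return the set of labels the whitelist marks as <true/>."""
    data = plistlib.loads(plist_bytes)
    return {label for label, allowed in data.items() if allowed is True}


def audit(plist_bytes, wanted):
    """Split the desired labels into (already whitelisted, still missing)."""
    allowed = whitelisted_labels(plist_bytes)
    wanted = set(wanted)
    return sorted(wanted & allowed), sorted(wanted - allowed)


def add_to_whitelist(plist_bytes, labels):
    """Return new plist bytes with each label added as <true/> (step 2)."""
    data = plistlib.loads(plist_bytes)
    for label in labels:
        data[label] = True
    return plistlib.dumps(data, sort_keys=False)


def unload_commands(labels, plist_dir="/System/Library/LaunchDaemons"):
    """Build the launchctl lines for step 3; assumes <label>.plist naming."""
    return [f"sudo launchctl unload -w {plist_dir}/{label}.plist" for label in labels]


if __name__ == "__main__":
    present, missing = audit(SAMPLE_PLIST, ["com.apple.apsd"])
    print("already whitelisted:", present, "missing:", missing)
    print(add_to_whitelist(SAMPLE_PLIST, missing).decode())
    print("\n".join(unload_commands(missing)))
```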

This won't work exactly as I described since macOS Catalina, as /System is now a read-only volume and Apple has restricted write permissions on every file under it.

However, it's not impossible to edit this Sandbox .plist (/System/Library/Sandbox/com.apple.xpc.launchd.rootless.plist).
You will have to boot into recovery mode and modify it from there, but first you need to mount the Data volume from Disk Utility to have access to it later via Terminal.

I will open an issue at call-drop too as @hazcod said. Sorry for not answering your comment before.

drduh commented

I've referenced this issue in the Services section. Feel free to PR integrating instructions into the guide, but I think the writing is on the wall for the ability to disable system services.

@dkadev @drduh

Tested on Catalina 10.15.4

The way around this while retaining SIP after disabling agents and/or daemons:

  1. Reboot to recovery, hold ⌘ + R
  2. Open Utilities ↳ Terminal from the top menu bar
  3. Temporarily disable SIP: csrutil disable
  4. Rename the *.plist files located in /System/Library/LaunchAgents and/or /System/Library/LaunchDaemons for example: https://github.com/roblav96/dotfiles/blob/a519745618eeb7cd7d014f364920d570263d2dea/macosx/launchctl.catalina.sh#L384
  5. Enable SIP: csrutil enable
  6. Reboot 👍