Apple - macOS System Integrity Protection Configuration

It is possible to add your own protected directory to SIP:

  • Boot to Recovery Mode and disable SIP
  • Reboot and create a directory structure.
  • Flag the whole folder or single files or folders:

    sudo chflags restricted /example
    sudo chflags restricted /example/example.app
    sudo chflags restricted /example/subdir/file

    or a folder hierarchy:

    sudo chflags -R restricted /example

    If you want to exclude a subdir after using the -R option, you have to remove the restricted flag there:

    sudo chflags norestricted /example/subdir

  • Boot to Recovery Mode and enable SIP

Now the folders /example and /example/example.app and the file /example/subdir/file are protected. You can still add or remove files in /example/subdir.

The restricted flag has no effect if SIP is disabled - the usual POSIX/ACL permissions apply. With SIP enabled the files/folders are protected.
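As an added check that is not part of the original answer: a small shell script that confirms the restricted flag actually landed on each path before you reboot to re-enable SIP. It assumes the macOS `ls -lO` column layout (flags in the fifth field) and the example paths from the steps above.

```shell
#!/bin/sh
# Audit helper (added example, not from the original answer).
# Assumes BSD/macOS `ls -lO`, whose columns are:
#   mode links owner group flags size month day time name
# and that flags are comma-separated (e.g. "restricted,compressed"),
# with "-" when no flag is set.

# Return 0 when an `ls -lO` line carries the restricted flag, 1 otherwise.
is_restricted_line() {
    # Word-split the line into positional parameters; $5 is the flags field.
    set -- $1
    case ",$5," in
        *,restricted,*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Report the flag state of each path given on the command line.
# Uses `ls -ldO` so a directory is listed itself, not its contents.
audit_restricted() {
    for p in "$@"; do
        line=$(ls -ldO "$p" 2>/dev/null) || { echo "MISSING     $p"; continue; }
        if is_restricted_line "$line"; then
            echo "RESTRICTED  $p"
        else
            echo "unflagged   $p"
        fi
    done
}

# Only run the live audit on macOS; `ls -O` and csrutil do not exist elsewhere.
if [ "$(uname)" = "Darwin" ]; then
    # Shows whether SIP is currently enabled (the flag only bites when it is).
    csrutil status
    audit_restricted /example /example/example.app /example/subdir /example/subdir/file
fi
```

Run it once before re-enabling SIP so a typo in a chflags path shows up as "unflagged" rather than as a silently unprotected file later.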

It is also possible to add, remove or change SIP-protected files and directories via an installer package which is signed by Apple's own certificate authority. Since a normal user/customer usually doesn't have access to this certificate authority, this possibility is eliminated.

An earlier version of this answer asserted that it is required to modify the file /System/Library/Sandbox/rootless.conf and add something like:

                    /example
                    /example/example.app
    *               /example/subdir
                    /example/subdir/file

This is wrong! Simply flagging a file or folder as restricted is sufficient to protect it.