Mac OS X 10.11 (15A263e): SIP has undocumented exception for creating, modifying and deleting /usr/sbin/jamf

Originator: rtrouton
Number: rdar://22395084    Date Originated: 23-Aug-2015 05:01 PM
Status: Closed    Resolved:
Product: OS X    Product Version: Mac OS X 10.11 (15A263e)
Classification: Security    Reproducible: Always

Summary:

The /usr directory is listed as a protected directory in /System/Library/Sandbox/rootless.conf as of OS X 10.11 (15A263e). 

It appears that there is an undocumented exception in SIP for "/usr/sbin/jamf". This exception does not appear in /System/Library/Sandbox/rootless.conf as of OS X 10.11 (15A263e). 

Steps to Reproduce:

Run the following command with root privileges:

touch /usr/sbin/jamf

Expected Results:

Receive the following error message:

touch: /usr/sbin/jamf: Operation not permitted

Actual Results:

/usr/sbin/jamf file created

Regression:

Ran the following commands and received the expected results:

touch /usr/sbin/jamff
touch /usr/sbin/jam
touch /usr/sbin/munki
touch /usr/sbin/puppet

In all cases, I received error messages similar to those shown below:

touch: /usr/sbin/jamff: Operation not permitted
touch: /usr/sbin/jam: Operation not permitted
touch: /usr/sbin/munki: Operation not permitted
touch: /usr/sbin/puppet: Operation not permitted

Notes:

I've attached a screenshot showing that SIP is enabled, via running the following command:

csrutil status

The screenshot also shows the output of running the various touch commands listed above.
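The reproduction above can be turned into a repeatable check. The script below is an added example, not part of the radar and not an Apple or Jamf tool: it classifies a path against a rootless.conf-style list and against the Compatibility.bundle path list the comments point at, and can repeat the touch probe on a Mac. Assumptions, labelled in the code: rootless.conf lines are "<flag><TAB...><path>", with an empty flag meaning protected and "*" meaning an exception (any other flag is treated as protected here); the Compatibility paths file holds one absolute path per line and is matched exactly; the sample file contents written by write_samples are constructed stand-ins so the classifier can be exercised off a Mac.

```shell
#!/bin/sh
# Added example, not part of the radar: classify paths against a rootless.conf-style
# list and the Compatibility.bundle path list, then (optionally) repeat the touch probe.
# Assumptions: rootless.conf lines are "<flag><TAB...><path>", an empty flag meaning
# protected and "*" meaning an exception (other flags treated as protected); the
# Compatibility paths file holds one absolute path per line, matched exactly.
# The sample files written by write_samples are constructed, not copies of the real ones.
TAB=$(printf '\t')

# rootless_rule PATH CONF -> prints protected | unrestricted | unlisted, using the
# longest entry that covers PATH (an entry covers itself and everything beneath it).
rootless_rule() {
    path=$1; conf=$2; best=""; bestflag=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        entry=${line##*"$TAB"}            # text after the last tab is the path
        flag=${line%%"$TAB"*}             # text before the first tab is the flag
        if [ "$flag" = "$line" ]; then flag=""; fi   # no tab: whole line is a path
        case $path in
            "$entry"|"$entry"/*)
                if [ ${#entry} -gt ${#best} ]; then best=$entry; bestflag=$flag; fi ;;
        esac
    done < "$conf"
    if [ -z "$best" ]; then echo unlisted
    elif [ "$bestflag" = "*" ]; then echo unrestricted
    else echo protected
    fi
}

# compat_exception PATH LIST -> exit 0 if PATH appears verbatim in LIST, 1 otherwise.
compat_exception() {
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$line" = "$1" ]; then return 0; fi
    done < "$2"
    return 1
}

# sip_verdict PATH CONF LIST -> what the two files together say about PATH.
sip_verdict() {
    rule=$(rootless_rule "$1" "$2")
    if [ "$rule" = protected ] && compat_exception "$1" "$3"; then
        echo compat-exception
    else
        echo "$rule"
    fi
}

# write_samples DIR -> constructed stand-ins for the two real files, for offline runs.
write_samples() {
    printf '\t\t/bin\n\t\t/sbin\n\t\t/usr\n*\t\t/usr/local\n\t\t/System\n*\t\t/System/Library/Caches\n' > "$1/rootless.conf"
    printf '/usr/sbin/jamf\n' > "$1/paths"
}

# live_probe PATH... -> the radar's touch test, run as root on a Mac; removes anything it creates.
live_probe() {
    if [ "$(uname -s)" != Darwin ] || ! command -v csrutil >/dev/null 2>&1; then
        echo "live probe skipped: not running on OS X"; return 0
    fi
    csrutil status
    for p in "$@"; do
        ls -ldO "$(dirname "$p")"             # BSD ls -O shows the "restricted" flag
        if [ -e "$p" ]; then echo "$p: already exists, not touching it"; continue; fi
        if touch "$p" 2>/dev/null; then
            echo "$p: CREATED, SIP did not block it"; rm -f "$p"
        else
            echo "$p: blocked (Operation not permitted)"
        fi
    done
}

# Classify a few paths: against the system's own lists when present, else the samples.
tmp=$(mktemp -d); write_samples "$tmp"
CONF=/System/Library/Sandbox/rootless.conf
LIST=/System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths
if [ ! -r "$CONF" ] || [ ! -r "$LIST" ]; then CONF=$tmp/rootless.conf; LIST=$tmp/paths; fi
for p in /usr/sbin/jamf /usr/sbin/jamff /usr/sbin/munki /usr/local/bin/jamf /Users/me/jamf; do
    printf '%-22s %s\n' "$p" "$(sip_verdict "$p" "$CONF" "$LIST")"
done
rm -rf "$tmp"
if [ "${1:-}" = --probe ]; then live_probe /usr/sbin/jamf /usr/sbin/jamff /usr/sbin/munki; fi
```

On a 10.11 Mac the classification step reads the real rootless.conf and Compatibility paths file; running the script as root with --probe repeats the touch test from the report, so a path the lists call "compat-exception" should be the one that gets created while its siblings return "Operation not permitted". With the constructed samples, /usr/sbin/jamf comes out as compat-exception, /usr/sbin/jamff and /usr/sbin/munki as protected, /usr/local/bin/jamf as unrestricted and /Users/me/jamf as unlisted.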

Comments

Exception file located in /System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths

Never mind, I found where /usr/sbin/jamf is getting its exception from: /System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths

Forum post with additional information:

https://forums.developer.apple.com/message/7098#47433

