SIP in 10.12.4 prevents unloading system daemons

Originator: kuehn.karl
Number: rdar://32281471    Date Originated: 5/18/2017
Status: Closed    Resolved: 11/14/2017
Product: macOS + SDK    Product Version: 10.12.4
Classification:    Reproducible: Always

Area:
Something not on this list

Summary:
Starting with 10.12.4, SIP in macOS prevents unloading of any launchd item from `/System`. While this is generally a good idea, for testing systems there are a number of items there that either pop up unexpectedly (sometimes breaking GUI scripting) or cause jitters that mess with performance numbers. A couple of examples would be `com.apple.notificationcenterui` and `com.apple.apsd`.

Additionally the `launchctl unload` command has been updated, and gives a descriptive error message, but the `launchctl disable` command does not seem to work for these and does not give any error message.

Steps to Reproduce:
`sudo launchctl unload -w /System/Library/LaunchAgents/com.apple.notificationcenterui.plist`
or
`sudo launchctl disable system/com.apple.notificationcenterui`

Expected Results:
That the process goes away, and does not come back on a reboot (the latter is not strictly required for my purposes).

Observed Results:
The first version has a descriptive error message, the latter does not. Neither shuts down the service.

Version:
Starting in 10.12.4. I have confirmed that 10.12.3 does not have this.

Notes:
I could switch off SIP, but that would make my testing less valid.

Configuration:
n/a
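The report's observation that `launchctl unload` fails loudly while `launchctl disable` fails silently means a tester cannot rely on exit status alone. The script below is an added example, not part of the radar or of Apple's tooling: it checks whether a label appears in a copy of the launchd SIP exemption list the comments mention, gives the verdict the report observed on 10.12.4 for items that are absent from it, and (on macOS only) confirms the real service state with `launchctl print` after a `disable` attempt. The report does not describe the plist's schema, so reading it as XML with exempt labels in `<string>` elements is an assumption, and the two `com.example.*` labels in the constructed sample are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the radar or of Apple's tooling.
# Two checks a tester wants before trusting `launchctl` under SIP:
#  1. is this label in the launchd SIP exemption list at all?
#  2. did `launchctl disable` (which prints no error) actually change anything?
#
# ASSUMPTION: the exemption plist is read as XML whose exempt labels appear as
# <string>label</string> elements. The report does not describe the file's
# schema, so inspect the real file first and adjust extract_labels():
#   plutil -p /System/Library/Sandbox/com.apple.xpc.launchd.rootless.plist

ROOTLESS_PLIST=/System/Library/Sandbox/com.apple.xpc.launchd.rootless.plist

# Print every <string> value in a plist XML file, one per line.
extract_labels() {
    sed -n 's/.*<string>\([^<]*\)<\/string>.*/\1/p' "$1"
}

# Exit 0 if LABEL ($1) is listed in PLIST ($2), 1 otherwise.
rootless_whitelisted() {
    extract_labels "$2" | grep -qx "$1"
}

# One-line verdict for LABEL against PLIST, matching the behaviour the report
# observed on 10.12.4 for items that are not on the list.
unload_verdict() {
    if rootless_whitelisted "$1" "$2"; then
        echo "exempt: unload/disable is allowed with SIP enabled"
    else
        echo "protected: unload fails with an error, disable fails silently"
    fi
}

# macOS only: exit 0 if the service target (e.g. system/com.apple.apsd or
# gui/501/com.apple.notificationcenterui) is still loaded. Run this after
# `launchctl disable`, since that command's exit status proves nothing here.
still_loaded() {
    if ! command -v launchctl >/dev/null 2>&1; then
        echo "launchctl not available on this host" >&2
        return 2
    fi
    launchctl print "$1" >/dev/null 2>&1
}

# Constructed sample standing in for the real, SIP-protected plist. The two
# labels are hypothetical; com.apple.apsd and com.apple.notificationcenterui
# are deliberately absent, as the report found them to be.
write_sample_plist() {
    cat >"$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
    <string>com.example.exempt.one</string>
    <string>com.example.exempt.two</string>
</array>
</plist>
EOF
}

if [ -r "$ROOTLESS_PLIST" ]; then
    plist=$ROOTLESS_PLIST
else
    plist=$(mktemp) && write_sample_plist "$plist"
    echo "(using constructed sample: $plist)"
fi
for label in com.apple.apsd com.apple.notificationcenterui com.example.exempt.one; do
    printf '%-36s %s\n' "$label" "$(unload_verdict "$label" "$plist")"
done
[ "$plist" = "$ROOTLESS_PLIST" ] || rm -f "$plist"
```

On a real 10.12.4 machine, the pattern is: record `still_loaded system/com.apple.apsd` before, run `sudo launchctl disable system/com.apple.apsd`, then call `still_loaded` again; if the service is still present, the silent `disable` did nothing, which is exactly the gap the report describes.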

Comments

Apple closed this one as 'Will not fix'

By kuehn.karl at Nov. 17, 2017, 11:22 p.m.

A message I sent later:

Since posting this I have learned about the whitelist at /System/Library/Sandbox/com.apple.xpc.launchd.rootless.plist. So here are my nominations to add back onto that list:

- apsd: I have found that this takes up a lot of resources at times (up to 20% or more CPU) when testing in VMs. I don't need that functionality, and the performance jitter is hard to pull out of test results.
- notificationcenterui: again, for testing it is not only distracting, but can take focus from what is being tested.

There are going to be a lot more from other places that need to turn various things off to better handle their environments. Perhaps engaging with the sysadmin community to help build a list before changing this would be a better idea.

By kuehn.karl at Nov. 17, 2017, 11:21 p.m.