lionheart / openradar-mirror

A mirror of radars pulled from http://openradar.me/.

22395084: Mac OS X 10.11 (15A263e): SIP has undocumented exception for creating, modifying and deleting /usr/sbin/jamf #5840

Open openradar-mirror opened 9 years ago

openradar-mirror commented 9 years ago

Description

Summary:

The /usr directory is listed as a protected directory in /System/Library/Sandbox/rootless.conf as of OS X 10.11 (15A263e).

It appears that there is an undocumented exception in SIP for "/usr/sbin/jamf". This exception does not appear in /System/Library/Sandbox/rootless.conf as of OS X 10.11 (15A263e).

Steps to Reproduce:

Run the following command with root privileges:

touch /usr/sbin/jamf

Expected Results:

Receive the following error message:

touch: /usr/sbin/jamf: Operation not permitted

Actual Results:

/usr/sbin/jamf file created

Regression:

Ran the following commands and received the expected results:

touch /usr/sbin/jamff
touch /usr/sbin/jam
touch /usr/sbin/munki
touch /usr/sbin/puppet

In all cases, I receive error messages similar to those shown below:

touch: /usr/sbin/jamff: Operation not permitted
touch: /usr/sbin/jam: Operation not permitted
touch: /usr/sbin/munki: Operation not permitted
touch: /usr/sbin/puppet: Operation not permitted

Notes:

I've attached a screenshot showing that SIP is enabled, via running the following command:

csrutil status

The screenshot also shows the output of running the various touch commands listed above.

Product Version: Mac OS X 10.11 (15A263e)
Created: 2015-08-23T21:02:27.849850
Originated: 2015-08-23T17:01:00
Open Radar Link: http://www.openradar.me/22395084

openradar-mirror commented 9 years ago

Modified: 2015-09-01T15:22:50.761210