Hi! I've got several small questions, and I believe that they should be answered on the project main github page / wiki / faq:
This entry in the wiki pretty much answers most of your questions. https://github.com/koekeishiya/yabai/wiki/Disabling-System-Integrity-Protection
Additionally, take a look at the pinned issue #13.
1. What is the responsibility of the code that you inject in Dock.app (scripting-addition)? What high-level functionality do we gain by adding it there?
2. Would it be possible to run yabai with smaller functionality without installing scripting additions?
The above features simply won't work and yabai will issue a system notification telling you that the scripting addition is not installed. You can silence these notifications in the system preferences.
3. Would it be possible to somehow re-enable SIP after installing yabai? So, are we able to just inject the code once and re-enable SIP to prevent us from malicious software? If no, why not?
Ever since 10.14 you need SIP to be disabled to load scripting additions for system applications. On 10.13 it can be re-enabled after installing, but needs to then be disabled for every scripting addition update.
Note that you do not need to disable SIP completely, as there are some (undocumented?) flags to disable it partially.
- On 10.14+: csrutil enable --without debug --without fs (disable SIP for debug and filesystem)
- On 10.13: csrutil enable --without debug (disable SIP for debug)
Can you please explain these partial disables more? I really want to use yabai but would pick security over convenience. As far as I understand SIP is quite useful for security. Is this a halfway sort of disable?
Can you please explain these partial disables more? [...] Is this a halfway sort of disable?
SIP is basically locking down parts of your system by making them inaccessible even to the root user (e.g. through sudo). This protection makes it so software that is run with elevated privileges cannot modify the system.
SIP is split into multiple parts. debug for example needs to be disabled to install scripting additions into system applications on 10.13 and also needs to be disabled to load scripting additions into system applications on 10.14+. On 10.14+ there's an additional part named fs—short for filesystem—which makes it so you cannot modify or install into some system owned directories. This includes the directory the scripting addition needs to be installed into.
Edit: Just found a full list of all parts.
# without internal protection (implied by all other flags)
csrutil enable --no-internal
# without kext signing protection
csrutil enable --without kext
# without file system protection
csrutil enable --without fs
# without debugging protection
csrutil enable --without debug
# without DTrace protection
csrutil enable --without dtrace
# without NVRAM protection.
csrutil enable --without nvram
# disable completely
csrutil disable
I really want to use yabai but would pick security over convenience. As far as I understand SIP is quite useful for security.
Here's my two cents on this: SIP is a useful security feature, but its importance is also way overblown. If a malicious actor has root user privileges on your computer, they can already do pretty bad things without needing to modify the system.
You should always think about why software asks for elevated privileges when it does and question that.
Also, you can still use yabai without disabling SIP—you just don't get to use the features that require controlling the window server.
@koekeishiya So then can the fs protection be turned back on after installing, if it's only needed to install code in the right place, or will that cause the installed code to be uninstalled again by the system?
For those of you who find this issue through search, here's the situation with macOS Catalina 10.15.6:
Just with the debug turned off, the scripting addon will fail; this does not work.
This is the case where you turned fs and debug off (csrutil enable --without fs --without debug), installed skhd and yabai and then turned fs back on (csrutil enable --without debug).
System Integrity Protection status: unknown (Custom Configuration).
Configuration:
Apple Internal: disabled
Kext Signing: enabled
Filesystem Protections: enabled
Debugging Restrictions: disabled
DTrace Restrictions: enabled
NVRAM Protections: enabled
BaseSystem Verification: enabled
This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.
The situation remains the same if you enable SIP back (csrutil enable).
The only way for the scripting addon to work (move windows to other workspaces, move windows to other screens, create new workspaces) all the good isht, is to have both fs and debug turned off.
csrutil enable --without fs --without debug.
aka
$ csrutil status
System Integrity Protection status: unknown (Custom Configuration).
Configuration:
Apple Internal: disabled
Kext Signing: enabled
Filesystem Protections: disabled
Debugging Restrictions: disabled
DTrace Restrictions: enabled
NVRAM Protections: enabled
BaseSystem Verification: enabled
This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.
@PI-Victor So if I understood that correctly, the short version is: fs protection cannot be enabled again, it has to stay disabled for the plugin to be usable.
@mentalisttraceur yup, that's correct!
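An added example, not part of the thread or of yabai: a POSIX shell check that parses the csrutil status format quoted above and flags any protection disabled beyond the two (Filesystem Protections, Debugging Restrictions) the thread reports as required. The function names and the embedded sample are constructed for illustration, and skipping the Apple Internal line is an assumption based on it reading "disabled" in both outputs above.

```shell
# Constructed sample: the working configuration quoted in the thread.
sample_status() {
  cat <<'EOF'
System Integrity Protection status: unknown (Custom Configuration).
Configuration:
Apple Internal: disabled
Kext Signing: enabled
Filesystem Protections: disabled
Debugging Restrictions: disabled
DTrace Restrictions: enabled
NVRAM Protections: enabled
BaseSystem Verification: enabled
EOF
}

# Print each protection reported as disabled, one per line; "ALL" when SIP
# is fully off. Assumption: "Apple Internal" is skipped because it reads
# "disabled" in every status output shown in the thread.
sip_disabled_parts() {
  awk -F': *' '
    /^System Integrity Protection status: disabled/ { print "ALL"; exit }
    /^[ \t]*Apple Internal:/ { next }
    /^[ \t]*[A-Za-z ]+: *(enabled|disabled)[ \t]*$/ {
      name = $1; sub(/^[ \t]+/, "", name)
      if ($2 ~ /^disabled/) print name
    }'
}

# Usage: sip_audit "Allowed Part" ... < status-text
# Prints "ok", or "excess: <part>; <part>" with exit status 1.
sip_audit() {
  disabled=$(sip_disabled_parts)   # consumes the status text on stdin
  excess=""
  while IFS= read -r part; do
    [ -n "$part" ] || continue
    allowed=no
    for ok in "$@"; do
      if [ "$part" = "$ok" ]; then allowed=yes; fi
    done
    [ "$allowed" = yes ] || excess="${excess:+$excess; }$part"
  done <<EOF
$disabled
EOF
  if [ -n "$excess" ]; then echo "excess: $excess"; return 1; fi
  echo "ok"
}

# On a Mac: csrutil status | sip_audit "Filesystem Protections" "Debugging Restrictions"
sample_status | sip_audit "Filesystem Protections" "Debugging Restrictions"
```

A result of "excess: ..." means more of SIP is switched off than the thread says the scripting addition needs, for example after a full csrutil disable.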