Why Catalina has got a read-only system volume

Ever since Apple introduced System Integrity Protection (SIP) in El Capitan, as an additional layer over the regular file-system permissions which protect macOS system files, there has been a succession of vulnerabilities reported in it.

In March 2016, Pedro Vilaca revealed a local attack which allowed escalation of privileges and bypass of SIP; it was patched in OS X 10.11.4. Immediately after that, Stefan Esser revealed a group of SIP-related vulnerabilities, some of which had already been fixed in 10.11.3, while others remained unpatched in 10.11.4.

In December 2016, Patrick Wardle explained how to bypass SIP in a local attack using an upgrade Installer app, which affected versions of macOS up to and including 10.12.1.

In August 2018, Adam Chester revealed full details of an exploit which used a kernel extension for VirtualBox to disable SIP.

Most recently, at the second Objective by the Sea conference earlier this month, Jaron Bradley detailed how a crafted Installer package can partially bypass SIP, a vulnerability which was fixed in macOS 10.14.4.

This is a small selection of those reports which have been published to date. They demonstrate that SIP has had quite a few vulnerabilities during its relatively brief existence, and almost certainly still has some. This sustained interest in SIP among security experts confirms how important they consider it to be to your Mac: it’s not ‘security theatre’, but a primary defence.

Apple’s solution in Catalina, a separate read-only system volume, has involved considerable engineering investment, including the development of a new kind of bi-directional symbolic link, the firmlink, which lets the read-only system volume and the writable Data volume be presented to apps and users as a single file system. Apple clearly considers that protecting system integrity is an essential function in macOS 10.15, not an optional extra to be enabled only so long as it doesn’t trip your apps up.
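As an added example, not part of the original article, here is a short POSIX shell script for checking the two things this design gives you on a Catalina Mac: that the volume mounted at / is read-only, and that SIP is enabled. The mount(8) output embedded in it is constructed, modelled on what Catalina and Mojave print; the function names are chosen here, and `csrutil status` (Apple’s own tool) is only run when it is present, so the script also runs on a non-Mac.

```sh
#!/bin/sh
# Added example (not from the original article): confirm that the system
# volume is mounted read-only, as Catalina does, and report SIP status.

# root_is_readonly MOUNT_OUTPUT
# Returns 0 when the mount(8) line for "/" carries the read-only flag.
root_is_readonly() {
    printf '%s\n' "$1" | awk '
        $2 == "on" && $3 == "/" {
            # mount options follow the mount point, in parentheses
            if (index($0, "read-only") > 0) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# data_volume_mounted MOUNT_OUTPUT
# Returns 0 when a volume is mounted at /System/Volumes/Data, the mount point
# Catalina uses for the writable Data volume.
data_volume_mounted() {
    printf '%s\n' "$1" | awk '
        $2 == "on" && $3 == "/System/Volumes/Data" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample, modelled on mount(8) output from a Catalina Mac.
CATALINA_MOUNT='/dev/disk1s5 on / (apfs, local, read-only, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk1s1 on /System/Volumes/Data (apfs, local, journaled, nobrowse)
/dev/disk1s4 on /private/var/vm (apfs, local, noexec, journaled, noatime, nobrowse)'

# Constructed sample, modelled on a Mojave Mac, where / is writable.
MOJAVE_MOUNT='/dev/disk1s1 on / (apfs, local, journaled)
devfs on /dev (devfs, local, nobrowse)'

# Live check, meaningful only on macOS: csrutil reports SIP status and mount
# lists the volumes. Skipped elsewhere so the script stays runnable.
if command -v csrutil >/dev/null 2>&1; then
    csrutil status
    if root_is_readonly "$(mount)"; then
        echo "system volume is mounted read-only"
    else
        echo "WARNING: system volume is writable"
    fi
    if data_volume_mounted "$(mount)"; then
        echo "Data volume is mounted at /System/Volumes/Data"
    fi
fi
```

Both checks report configuration, not integrity: the partial bypass described above works while SIP remains enabled, so a clean `csrutil status` and a read-only root are necessary but not sufficient evidence that nothing has tampered with the system.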