Slashdot Mirror


The 'App' You Can't Trash: How SIP is Broken in Apple's High Sierra OS (eclecticlight.co)

A reader shares a blog post that talks about why Macs running High Sierra 10.13.2 (and other versions near it) refuse to let users uninstall some third-party applications easily. For instance, when users attempt to uninstall BlueStacks, an Android emulator, the Finder shows this warning: "The operation can't be completed because you don't have the necessary permission." The blog post looks into the subject: The moment that we see the word permission, all becomes clear: it's a permissions problem. So the next step is to select the offending item in the Finder, press Command-I to bring up the Get Info dialog, and change the permissions. It does, though, leave the slight puzzle as to why the Finder didn't simply prompt for authentication instead of cussedly refusing. Sure enough, after trying that, the app still won't go and the error message is unchanged. Another strange thing about this 'app' is that it's not an app at all. Tucked away in a mysterious folder, new to High Sierra, in /Library/StagedExtensions/Applications, its icon is defaced to indicate that the user can't even run it. Neither did the user install it there. Trying to remove it using a conventional Terminal command, sudo rm -rf /Library/StagedExtensions/Applications/BlueStacks.app, also fails, with the report "Operation not permitted".


High Sierra leaves the user wondering what has happened. There's nothing in Apple's scant documentation to explain how this strange situation has arisen, and seemingly nothing more that the user can do to discover what is wrong, or to do anything about it. The clue comes from probing around in Terminal, specifically using a command like

> ls -lO /Library

Try that in High Sierra, and you'll see

drwxr-xr-x@ 4 root wheel restricted 128 2 Jan 13:03 StagedExtensions

There are two relevant pieces of information revealed: the @ sign shows that directory has extended attributes (xattrs), and the word restricted that it is protected by System Integrity Protection (SIP). A quick peek inside /Library/StagedExtensions/Applications/BlueStacks.app shows that it is a stub of an app, lacking any main code, but it does contain a kernel extension (KEXT) which is also protected by SIP, by virtue of being inside a SIP-protected folder.

> ls -lO /Library/StagedExtensions/Applications
drwxr-xr-x 3 root wheel restricted 96 2 Jan 13:03 BlueStacks.app

So how did this third-party kernel extension end up in this mysterious folder, complete with SIP protection?
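
Added example (not from the blog post or from Slashdot): a shell function that filters `ls -lO` output for entries carrying the restricted flag and reports whether each also has extended attributes. The column layout is assumed from the two listings quoted above; the function names and the last two sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the entries in `ls -lO` output that carry the
# "restricted" file flag (SIP) and say whether they also have xattrs.

# Reads `ls -lO` output on stdin. Assumed column layout, taken from the
# listings quoted above: mode links owner group flags size day month time name
sip_restricted() {
    awk '
    NF < 10 { next }                      # skips "total N" and blank lines
    {
        # The flags column is "-" when unset, otherwise comma-separated.
        n = split($5, flags, ",")
        hit = 0
        for (i = 1; i <= n; i++) if (flags[i] == "restricted") hit = 1
        if (!hit) next

        # A trailing "@" on the mode string marks extended attributes.
        xattr = (substr($1, length($1)) == "@") ? "yes" : "no"

        # Rebuild the name from field 10 onward so names with spaces survive
        # (runs of several spaces inside a name collapse to one).
        name = $10
        for (i = 11; i <= NF; i++) name = name " " $i
        printf "%s\txattrs=%s\n", name, xattr
    }'
}

# Constructed sample: the two listing lines from the post plus two made-up
# entries (an unflagged folder and one with two flags and a space in its name).
sample_listing() {
    cat <<'EOF'
total 0
drwxr-xr-x@ 4 root wheel restricted 128 2 Jan 13:03 StagedExtensions
drwxr-xr-x  3 root wheel restricted 96 2 Jan 13:03 BlueStacks.app
drwxr-xr-x  5 root wheel - 160 2 Jan 13:03 Example Folder
drwxr-xr-x  2 root wheel restricted,hidden 64 2 Jan 13:03 Two Words
EOF
}

sample_listing | sip_restricted
```

On a Mac, the same function can be fed live output, for example `ls -lO /Library | sip_restricted`.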

2 of 164 comments

  1. SIP? by Anonymous Coward · Score: 5, Insightful

    Please STOP using existing acronyms. SIP has already been in use by something else:

    https://en.wikipedia.org/wiki/Session_Initiation_Protocol

    By the headline, I was expecting an article to be about how SIP softphones were broke in MAC OS.

  2. Re:It's not your computer. It's Apple's by TheRaven64 · Score: 4, Insightful

    SIP can be disabled. Generally, you don't want to, because it does what it says: protects the integrity of the system, by preventing the user from modifying system files. If you really want to, then reboot into recovery mode, disable SIP, and then reboot into normal mode. This is no different from the procedure for lowering the default securelevel on a BSD system (reboot to single-user mode, tweak the config file, boot to multiuser). Does that mean that when you use FreeBSD then the FreeBSD project owns your computer?

    --
    I am TheRaven on Soylent News