[macOS] CSR get active config programatically

csr.c

#include <stdio.h>
#include <stdint.h>
#include <errno.h>
#include <string.h>

typedef uint32_t csr_config_t;

/* Those two functions are syscall */

/**
 * Get active CSR config mask
 * @return      zero if success
 *              -1 if failed to get(errno will be set)
 * @errno       EINVAL, EFAULT if `csr_config_t *` is invalid
 * @see         xnu/bsd/kern/kern_csr.c
 */
extern int csr_get_active_config(csr_config_t *);

/**
 * Check if given CSR mask is allowed
 * @return      0 if given mask is allowed
 *              -1 if inactive(errno will be set)
 * @errno       EPERM if given mask is either invalid or disallowed
 * @see         xnu/bsd/kern/kern_csr.c
 */
extern int csr_check(csr_config_t);

/* CSR configuration flags */
#define CSR_ALLOW_UNTRUSTED_KEXTS               (1 << 0)
#define CSR_ALLOW_UNRESTRICTED_FS               (1 << 1)
#define CSR_ALLOW_TASK_FOR_PID                  (1 << 2)
#define CSR_ALLOW_KERNEL_DEBUGGER               (1 << 3)
#define CSR_ALLOW_APPLE_INTERNAL                (1 << 4)
#define CSR_ALLOW_DESTRUCTIVE_DTRACE            (1 << 5) /* name deprecated */
#define CSR_ALLOW_UNRESTRICTED_DTRACE           (1 << 5)
#define CSR_ALLOW_UNRESTRICTED_NVRAM            (1 << 6)
#define CSR_ALLOW_DEVICE_CONFIGURATION          (1 << 7)
#define CSR_ALLOW_ANY_RECOVERY_OS               (1 << 8)
#define CSR_ALLOW_UNAPPROVED_KEXTS              (1 << 9)
#define CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE    (1 << 10)
#define CSR_ALLOW_UNAUTHENTICATED_ROOT          (1 << 11) // macOS 11+

#define CSR_VALID_FLAGS (CSR_ALLOW_UNTRUSTED_KEXTS | \
                         CSR_ALLOW_UNRESTRICTED_FS | \
                         CSR_ALLOW_TASK_FOR_PID | \
                         CSR_ALLOW_KERNEL_DEBUGGER | \
                         CSR_ALLOW_APPLE_INTERNAL | \
                         CSR_ALLOW_UNRESTRICTED_DTRACE | \
                         CSR_ALLOW_UNRESTRICTED_NVRAM | \
                         CSR_ALLOW_DEVICE_CONFIGURATION | \
                         CSR_ALLOW_ANY_RECOVERY_OS | \
                         CSR_ALLOW_UNAPPROVED_KEXTS | \
                         CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE | \
                         CSR_ALLOW_UNAUTHENTICATED_ROOT)

static const char *mask_str[] = {
    "CSR_ALLOW_UNTRUSTED_KEXTS",
    "CSR_ALLOW_UNRESTRICTED_FS",
    "CSR_ALLOW_TASK_FOR_PID",
    "CSR_ALLOW_KERNEL_DEBUGGER",
    "CSR_ALLOW_APPLE_INTERNAL",
    "CSR_ALLOW_UNRESTRICTED_DTRACE",
    "CSR_ALLOW_UNRESTRICTED_NVRAM",
    "CSR_ALLOW_DEVICE_CONFIGURATION",
    "CSR_ALLOW_ANY_RECOVERY_OS",
    "CSR_ALLOW_UNAPPROVED_KEXTS",
    "CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE",
    "CSR_ALLOW_UNAUTHENTICATED_ROOT",
};

int main(void)
{
    csr_config_t csr;

    (void) csr_get_active_config(&csr);
    printf("csr config: %#x\n\n", csr);

    size_t i, n = sizeof(mask_str) / sizeof(*mask_str);
    for (i = 0; i < n; i++) {
        if (csr_check(1 << i) == 0) {
            printf("%36s: yes\n", mask_str[i]);
        } else {
            printf("%36s: (%d %s)\n", mask_str[i], errno, strerror(errno));
        }
    }

    return 0;
}

# In recovery mode
$ csrutil disable

$ nvram -x csr-active-config | grep -E '\s<data>$' -A1 | tail -1 | base64 -d | hexdump
0000000 77 00 00 00
0000004

$ csrutil status
System Integrity Protection status: disabled.

$ ./csr
csr config: 0x67

           CSR_ALLOW_UNTRUSTED_KEXTS: yes
           CSR_ALLOW_UNRESTRICTED_FS: yes
              CSR_ALLOW_TASK_FOR_PID: yes
           CSR_ALLOW_KERNEL_DEBUGGER: yes
            CSR_ALLOW_APPLE_INTERNAL: (1 Operation not permitted)
       CSR_ALLOW_UNRESTRICTED_DTRACE: yes
        CSR_ALLOW_UNRESTRICTED_NVRAM: yes
      CSR_ALLOW_DEVICE_CONFIGURATION: (1 Operation not permitted)
           CSR_ALLOW_ANY_RECOVERY_OS: (1 Operation not permitted)
          CSR_ALLOW_UNAPPROVED_KEXTS: (1 Operation not permitted)
CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE: (1 Operation not permitted)
      CSR_ALLOW_UNAUTHENTICATED_ROOT: (1 Operation not permitted)

# In recovery mode
$ csrutil enable

$ nvram -x csr-active-config | grep -E '\s<data>$' -A1 | tail -1 | base64 -d | hexdump
0000000 10 00 00 00
0000004

$ csrutil status
System Integrity Protection status: enabled.

$ ./csr
csr config: 0

           CSR_ALLOW_UNTRUSTED_KEXTS: (1 Operation not permitted)
           CSR_ALLOW_UNRESTRICTED_FS: (1 Operation not permitted)
              CSR_ALLOW_TASK_FOR_PID: (1 Operation not permitted)
           CSR_ALLOW_KERNEL_DEBUGGER: (1 Operation not permitted)
            CSR_ALLOW_APPLE_INTERNAL: (1 Operation not permitted)
       CSR_ALLOW_UNRESTRICTED_DTRACE: (1 Operation not permitted)
        CSR_ALLOW_UNRESTRICTED_NVRAM: (1 Operation not permitted)
      CSR_ALLOW_DEVICE_CONFIGURATION: (1 Operation not permitted)
           CSR_ALLOW_ANY_RECOVERY_OS: (1 Operation not permitted)
          CSR_ALLOW_UNAPPROVED_KEXTS: (1 Operation not permitted)
CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE: (1 Operation not permitted)
      CSR_ALLOW_UNAUTHENTICATED_ROOT: (1 Operation not permitted)

macOS syscall
https://gist.github.com/nikolay-n/5ad64ae82ae91c21d2d2a5be5d49b3b3