From: srs5694 <srs5694@users.sourceforge.net>
Date: Sat, 31 Oct 2015 14:40:49 +0000 (-0400)
Subject: Added detection of SIP on Macs to installation script. Also began
X-Git-Url: https://code.delx.au/refind/commitdiff_plain/f71354b4045b0ca79f108c01fdde9afa020a500f

Added detection of SIP on Macs to installation script. Also began
swapping out tool icons.
---

diff --git a/NEWS.txt b/NEWS.txt
index 186ec3a..870a886 100644
--- a/NEWS.txt
+++ b/NEWS.txt
@@ -1,6 +1,16 @@
 0.9.3 (??/??/2015):
 -------------------
 
+- Added detection of System Integrity Protection (SIP; aka "rootless") mode
+  to OS X portion of install.sh script. When detected, and if no existing
+  rEFInd installation is found, the script now prints a warning and brief
+  instructions of how to enter the Recovery mode to install rEFInd and
+  suggests aborting the installation. (The user can override and attempt
+  installation anyhow.) If SIP is detected along with an existing rEFInd
+  installation, the script moderates the warning and explains that an
+  update of a working rEFInd will probably succeed, but that re-installing
+  to fix a broken rEFInd will probably fail.
+
 - Added new "spoof_osx_version" token, which takes an OS X version number
   (such as "10.9") as an option. This feature, when enabled, causes rEFInd
   to tell a Mac's firmware that the specified version of OS X is being
diff --git a/icons/tool_apple_rescue.png b/icons/tool_apple_rescue.png
index 301b7d6..931c2b4 100644
Binary files a/icons/tool_apple_rescue.png and b/icons/tool_apple_rescue.png differ
diff --git a/icons/tool_memtest.png b/icons/tool_memtest.png
index d1f80ea..7892c55 100644
Binary files a/icons/tool_memtest.png and b/icons/tool_memtest.png differ
diff --git a/icons/tool_mok_tool.png b/icons/tool_mok_tool.png
index fbb1dfc..42bc488 100644
Binary files a/icons/tool_mok_tool.png and b/icons/tool_mok_tool.png differ
diff --git a/icons/tool_netboot.png b/icons/tool_netboot.png
index 3df117a..09d2294 100644
Binary files a/icons/tool_netboot.png and b/icons/tool_netboot.png differ
diff --git a/icons/tool_part.png b/icons/tool_part.png
index 71ec791..4b7a07b 100644
Binary files a/icons/tool_part.png and b/icons/tool_part.png differ
diff --git a/icons/tool_shell.png b/icons/tool_shell.png
index 06110d2..b7fa2a7 100644
Binary files a/icons/tool_shell.png and b/icons/tool_shell.png differ
diff --git a/icons/tool_windows_rescue.png b/icons/tool_windows_rescue.png
index 08156cf..41e0f35 100644
Binary files a/icons/tool_windows_rescue.png and b/icons/tool_windows_rescue.png differ
diff --git a/install.sh b/install.sh
index 99896f2..a503820 100755
--- a/install.sh
+++ b/install.sh
@@ -36,7 +36,9 @@
 #
 # Revision history:
 #
-# 0.9.3   -- Enable running under OS X's recovery system.
+# 0.9.3   -- Enable running under OS X's recovery system & add warning about
+#            SIP & brief instructions on how to deal with it if SIP is
+#            detected to be enabled.
 # 0.9.2   -- Added --keepname option.
 # 0.8.7   -- Better detection of Secure Boot mode & fixed errors when copying
 #            Shim & MokManager files over themselves; fixed bug that caused
@@ -695,6 +697,55 @@ SetupMacHfs() {
 ENDOFHERE
 } # SetupMacHfs()
 
+CheckForSIP() {
+   if [[ -x "/usr/bin/csrutil" ]] ; then
+      local OKToInstall=`/usr/bin/csrutil status | grep "Protection status: enabled (Custom Configuration\|Apple Internal)"`
+      if [[ -z "$OKToInstall" ]] ; then
+         echo
+         echo "**** ALERT: SIP ENABLED! ****"
+         echo
+         if [[ "$Upgrade" == "1" ]] ; then
+            echo "You are attempting to upgrade an existing installation, but it appears that"
+            echo "System Integrity Protection (SIP) is enabled. If rEFInd is working now, then"
+            echo "this is fine; you can upgrade your existing rEFInd. If rEFInd is not working,"
+            echo "though, re-installing from this boot will not help. To re-enable rEFInd, you"
+            echo "must re-install it from a Recovery system or from another OS. To enter the"
+            echo "Recovery system and re-install rEFInd:"
+         else
+            echo "rEFInd cannot be installed because System Integrity Protection (SIP) seems"
+            echo "to be enabled! You must install rEFInd from your Recovery installation or"
+            echo "from another OS. To install from the Recovery system:"
+         fi
+         echo
+         echo "  1. Reboot"
+         echo "  2. Hold down Command+R as the chime sounds"
+         echo "  3. When the OS has booted, select Utilities->Terminal"
+         echo "  4. Change to this directory with the 'cd' command; it will probably be under"
+         if [[ "`pwd | cut -b 1-8`" == "/Volumes" ]] ; then
+            echo "     `pwd`"
+         else
+            local RootName=`diskutil info -plist / | grep -A 1 VolumeName | grep string | cut -d \> -f 2 | cut -d \< -f 1`
+            echo "     /Volumes/$RootName`pwd`"
+         fi
+         echo "  5. Re-run this script."
+         echo
+         if [[ "$Upgrade" != "1" ]] ; then
+            echo "If you believe SIP is NOT enabled, you may attempt an installation anyhow,"
+            echo "but it may fail."
+            echo
+         fi
+         echo "For more on this subject, see http://www.rodsbooks.com/refind/sip.html"
+         echo
+         echo -n "Do you want to attempt installation (Y/N)? "
+         ReadYesNo
+         if [[ $YesNo == "N" || $YesNo == "n" ]] ; then
+            echo "Exiting!"
+            exit
+         fi
+      fi # csrutil status suggests OK to install
+   fi # csrutil exists
+} # CheckForSIP()
+
 # Control the OS X installation.
 # Sets Problems=1 if problems found during the installation.
 InstallOnOSX() {
@@ -708,6 +759,7 @@ InstallOnOSX() {
    fi
    echo "Installing rEFInd to the partition mounted at $InstallDir"
    DetermineTargetDir
+   CheckForSIP
    Platform=`ioreg -l -p IODeviceTree | grep firmware-abi | cut -d "\"" -f 4`
    CopyRefindFiles
    if [[ $InstallToEspOnMac == "1" ]] ; then