Disabled SIP, but still can't make changes:
sh-3.2# id
uid=0(root) gid=0(wheel) groups=0(wheel),1(dae……
sh-3.2# mkdir PAH-en
mkdir: PAH-en: Read-only file system
sh-3.2# csrutil status
System Integrity Protection status: disabled.
sh-3.2# pwd
/System/Library/Input Methods/PressAndHold.app/Contents/PlugIns/PAH_Extension.appex/Contents/Resources
Go up several levels (no ACLs or xattrs on intermediates):
sh-3.2# pwd
/System/Library
sh-3.2# cd ..;ls -lae@ | head
total 0
drwxr-xr-x@ 8 root wheel 256 Oct 12 16:17 .
com.apple.rootless 0
0: group:everyone deny delete
drwxr-xr-x 22 root admin 704 Jan 30 11:54 ..
-rw-r--r-- 1 root wheel 0 Aug 25 17:26 .localized
drwxr-xr-x 39 root wheel 1248 Oct 12 16:16 Applications
drwxr-xr-x 5 root wheel 160 Oct 12 16:11 DriverKit
drwxr-xr-x 116 root wheel 3712 Oct 18 00:55 Library
drwxr-xr-x 3 root wheel 96 Aug 24 15:20 Volumes
sh-3.2# pwd
/System
So the xattr says I cannot delete anything, but why can't I create something?
For that matter, if SIP only prevents delete when enabled, why is sudo mkdir rejected here when SIP is on?