• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: Regd. "restricted" flag value in Kext
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Regd. "restricted" flag value in Kext

  • Subject: Re: Regd. "restricted" flag value in Kext
  • From: Richard Hamilton <email@hidden>
  • Date: Mon, 07 Sep 2015 12:18:49 -0400
Looking through the XNU (kernel) code for 10.10.3 (latest on opensource.apple.com), it appears that the only thing that happens with the SF_RESTRICTED flag in Yosemite, is that if it is set on a directory, files created in that directory or renamed into that directory (or within that directory) will also have it set (automatically).  Renaming a file from a directory with SF_RESTRICTED to one without SF_RESTRICTED does _not_ clear the flag.  Hard-linking a file that does not have the flag set into a directory with it set does _not_ set the flag.  If the flag is set automatically, it may still be cleared by root.  If a file is in such a directory without the flag set (such as if hard-linked into there, or the flag cleared manually), hard-linking it to another name within that directory will _not_ set the flag.

That was determined partly by looking at the code, and partly by trying some scenarios to show that the effect was as limited as it appeared it would be.

I would suppose that in El Capitan, either the behavior is somewhat different, or additional limitations are enforced.  Maybe what's in Yosemite is for backward compatibility (e.g. if files are moved +/- one version, that the flag will be preserved and minimal honoring of when it's set automatically will still apply).  But that last is just a guess.

One other possibility: Macs have some not entirely kernel based security mechanisms; sandboxes, and entitlements are those I've heard of.  They might also be involved, in the full implementation in El Capitan; so once El Capitan source is available, one might have to look further than the XNU source tarfile alone, to determine all of what's happening.  Features may also be used in code that is not publicly released...so don't assume you can get the full picture by digging through all the released code.

In Yosemite, the chflags command and system call, stat(2) and variants, strtofflags(3) and its inverse (and therefore programs that call strtofflags(3), like ls(1) and chflags(1)) may be aware of the ST_RESTRICTED flag. copyfile(3) also seems to make some effort to preserve it if already set on the destination file, but I haven't looked at that enough to tell how or why that is done.

On Mon, Sep 7, 2015 at 10:38 AM, Charu Tiwari <email@hidden> wrote:
Hi Richard,
    Thanks a lot for the information. It will surely help me in digging a little deeper and figure out how to use it in kernel/userland. 

Regards,
~Charu


Regards,
~Charu

On Mon, Sep 7, 2015 at 7:51 PM, Richard Hamilton <email@hidden> wrote:
Pretty sure if you look at /usr/include/sys/stat.h, what "ls" is showing above corresponds to the line
#define SF_RESTRICTED   0x00080000      /* restricted access */

which is one of the bits that can be in the st_flags member of the stat structure (a field that's not common to all Unix flavors!).

I don't have El Capitan beta installed, but that's in the include file on Yosemite, too.

On Yosemite, I can set and clear the flag as root (using chflags(1), or from C, chflags(2)).  I haven't yet grabbed the latest Yosemite source, untarred it all, and grepped for SF_RESTRICTED, so I don't know what if anything it does prior to El Capitan.

sh-3.2# touch /tmp/testfile1
sh-3.2# ls -lO /tmp/testfile1
-rw-r--r--  1 root  wheel  - 0 Sep  7 10:14 /tmp/testfile1
sh-3.2# chflags restricted /tmp/testfile1
sh-3.2# ls -lO /tmp/testfile1
-rw-r--r--  1 root  wheel  restricted 0 Sep  7 10:14 /tmp/testfile1
sh-3.2# chflags 0 /tmp/testfile1
sh-3.2# ls -lO /tmp/testfile1
-rw-r--r--  1 root  wheel  - 0 Sep  7 10:14 /tmp/testfile1



On Mon, Sep 7, 2015 at 8:21 AM, Charu Tiwari <email@hidden> wrote:
Hi Everyone,
    in MAC OS X 10.11 Apple has introduced "System Integrity Protection" feature which makes some of the system folder and applications 'rootless".

if we run "ls -lO" command on file/folder we can see 'restricted' flag set for file/folder.

ls -lO /sbin/mount_nfs 

-r-xr-xr-x  1 root  wheel  restricted,compressed 46880 Aug 28 12:32 /sbin/mount_nfs

Is there any API provided in kernel extension to find out if the "restricted" bit is set on a particular file/folder.


Thanks and Regards,
~Charu

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden



 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
References: 
 >Regd. "restricted" flag value in Kext (From: Charu Tiwari <email@hidden>)
 >Re: Regd. "restricted" flag value in Kext (From: Richard Hamilton <email@hidden>)
 >Re: Regd. "restricted" flag value in Kext (From: Charu Tiwari <email@hidden>)

  • Prev by Date: Re: Regd. "restricted" flag value in Kext
  • Next by Date: preallocating memory from Mac Kernel mode driver
  • Previous by thread: Re: Regd. "restricted" flag value in Kext
  • Next by thread: preallocating memory from Mac Kernel mode driver
  • Index(es):
    • Date
    • Thread