• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: The mystery of mac_vnode_check_getattrlist()
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The mystery of mac_vnode_check_getattrlist()

  • Subject: Re: The mystery of mac_vnode_check_getattrlist()
  • From: "Quinn \"The Eskimo!\"" <email@hidden>
  • Date: Thu, 15 Dec 2016 08:44:17 +0000
On 15 Dec 2016, at 02:49, Jorgen Lundman <email@hidden> wrote:

> I'm not entirely sure what vnode "labels" are for …

Yeah, you and me both (-:  However, in this case I think it’s a red herring; AFAICT the Sandbox kext ignores the last two parameters (`vp->v_label` and `alist`) passed to it by `mac_vnode_check_getattrlist`.

The fun thing about the Sandbox kext is that it actually runs a small Scheme interpreter to decide whether to allow something.  So you can’t just dig into the Sandbox kext itself, you have to look at its inputs (the sandbox profiles), and there’s a /lot/ of complexity there.  If you want to get some understanding of the scope of this stuff, run the following command (-:

$ find /System -name "*.sb”

IMPORTANT: The presence and format of these files is not considered API.

So the Sandbox kext is just an engine, and the actual work being done is determined by the sandbox profiles.  In terms of where the engine touches the file system, however, there’s a relatively small list of contact points.  The ones that spring to mind are:

* The item’s path, using `vn_getpath` or `vn_getpath_fsenter`

* The name of the file system on which the item resides, using `vnode_mount ` and `vfs_name`

* The mount point of that file system, using `vnode_mount` and `vfs_statfs`

* The item’s mode, using `vnode_getattr` with `va_mode`

* The item’s type, using `vnode_getattr` with `va_type`

* The item’s rdev, using `vnode_getattr` with `va_type` and `va_rdev`

* Whether the item is considered to be SIP protected; the details of this is beyond me, but the basic inputs are the `SF_RESTRICTED` and `SF_NOUNLINK` flags and `com.apple.rootless` xattr of all the items on the path

You may be able to trace these callbacks from the Sandbox kext to the kernel to see where things have gone wrong, perhaps comparing the HFS and ZFS cases side by side.

Share and Enjoy
--
Quinn "The Eskimo!"                    <http://www.apple.com/developer/>
Apple Developer Relations, Developer Technical Support, Core OS/Hardware



 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Filesystem-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
  • Follow-Ups:
    • Re: The mystery of mac_vnode_check_getattrlist()
      • From: Jorgen Lundman <email@hidden>
References: 
 >The mystery of mac_vnode_check_getattrlist() (From: Jorgen Lundman <email@hidden>)

  • Prev by Date: Re: The mystery of mac_vnode_check_getattrlist()
  • Next by Date: Re: The mystery of mac_vnode_check_getattrlist()
  • Previous by thread: Re: The mystery of mac_vnode_check_getattrlist()
  • Next by thread: Re: The mystery of mac_vnode_check_getattrlist()
  • Index(es):
    • Date
    • Thread