I've done some hunting around on the internet and have not found a good way of programmatically determining if a given file has integrity detection turned on.
I noticed that, unlike most Linux headers I have run across, Darwin doesn't define their st_mode bits in the stat struct defined in /sys/stat.h. It seems like the best way to implement this would be to work off the existing sys/stat.h header; however, it's obvious why they would not want to be open about it. Has anyone looked into this more?
Based on Ken Thomases' suggestion, my if check looks like this. Looking at the comments in the source it appears as though this should work; however, it is still attempting to enter directories such as "/Users/<USER>/Library/IdentityServices", causing a segmentation fault. FYI, I have tested it with and without preprocessor IFDEF statements.
if ((entry->d_type == DT_DIR)
    && ((fileStat.st_flags & SF_RESTRICTED) == 0)                                  // not SIP-restricted
    && (((fileStat.st_mode & (S_IROTH | S_IXOTH)) == (S_IROTH | S_IXOTH))          // 5   == r-x for others
        || (((fileStat.st_mode & (S_IRGRP | S_IXGRP)) == (S_IRGRP | S_IXGRP))      // 40  == r-x for group
            && (fileStat.st_gid == userHomeStat.st_gid))                           // was compared to st_uid
        || (((fileStat.st_mode & (S_IRUSR | S_IXUSR)) == (S_IRUSR | S_IXUSR))      // 320 == r-x for owner
            && (fileStat.st_uid == userHomeStat.st_uid))))
{
    std::cout << "Descending into --> " << fullPath.c_str() << std::endl;
    // packIndexFrom() must check opendir() for NULL: a directory that passes every
    // test above can still refuse to open (errno EPERM), as ~/Library/IdentityServices does.
    packIndexFrom(fullPath.c_str());
}
https://developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/FileSystemProtections/FileSystemProtections.html#//apple_ref/doc/uid/TP40016462-CH2-SW1
I found this on Apple's website. It seems to indicate that the $HOME/Library area, which is where I am getting hung up, falls under some type of restriction, with exclusive r/w access for developers. Doesn't solve my problem, unfortunately.
Dans-MBP:tmp mreff555$ cd ~/Library/IdentityServices/
Dans-MBP:IdentityServices mreff555$ pwd
/Users/mreff555/Library/IdentityServices
Dans-MBP:IdentityServices mreff555$ ls
ls: .: Operation not permitted
Dans-MBP:IdentityServices mreff555$
Dans-MBP:IdentityServices mreff555$ ls -ldO ~/Library/IdentityServices
drwxr-xr-x 9 mreff555 staff - 288 Apr 14 10:04 /Users/mreff555/Library/IdentityServices
There are flags that are separate from the mode flags. You're looking for the SF_RESTRICTED flag in the st_flags field of struct stat. That flag is, in fact, defined in sys/stat.h.
The mode flags (e.g. S_IRUSR) are defined in sys/_types/_s_ifmt.h, which is indirectly included by sys/stat.h.