
Is Mac System Integrity Protection defined within sys/stat.h?

I've done some hunting around on the internet and have not found a good way of programmatically determining if a given file has integrity detection turned on.

I noticed that, unlike most Linux headers I have run across, Darwin doesn't define its st_mode bits in the stat struct defined in sys/stat.h. It seems like the best way to implement this would be to work off the existing sys/stat.h header; however, it's obvious why they would not want to be open about it. Has anyone looked into this more?

Edit

Based on Ken Thomases' suggestion, my if check looks like this. Looking at the comments in the source, it appears as though this should work; however, it is still attempting to enter directories such as "/Users/<USER>/Library/IdentityServices", causing a segmentation fault. FYI, I have tested it with and without preprocessor IFDEF statements.

if (
  (entry->d_type == DT_DIR)
    // SIP protection lives in st_flags, not in st_mode
    && ((fileStat.st_flags & SF_RESTRICTED) == 0)
    // read + search permission as other (05), group (050) or owner (0500)
    && (((fileStat.st_mode & (S_IROTH | S_IXOTH)) == (S_IROTH | S_IXOTH))
      || (((fileStat.st_mode & (S_IRGRP | S_IXGRP)) == (S_IRGRP | S_IXGRP))
        && (fileStat.st_gid == userHomeStat.st_gid))   // compare group id with group id
      || (((fileStat.st_mode & (S_IRUSR | S_IXUSR)) == (S_IRUSR | S_IXUSR))
        && (fileStat.st_uid == userHomeStat.st_uid))))
 {
   std::cout << "Descending into --> " << fullPath << std::endl;
   packIndexFrom(fullPath.c_str());
 }

EDIT

https://developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/FileSystemProtections/FileSystemProtections.html#//apple_ref/doc/uid/TP40016462-CH2-SW1

I found this on Apple's website. It seems to indicate that the $HOME/Library area, which is where I am getting hung up, falls under some type of restriction, with exclusive r/w access for developers. Doesn't solve my problem, unfortunately.

Edit

Dans-MBP:tmp mreff555$ cd ~/Library/IdentityServices/
Dans-MBP:IdentityServices mreff555$ pwd
/Users/mreff555/Library/IdentityServices
Dans-MBP:IdentityServices mreff555$ ls
ls: .: Operation not permitted
Dans-MBP:IdentityServices mreff555$ 

Dans-MBP:IdentityServices mreff555$ ls -ldO ~/Library/IdentityServices
drwxr-xr-x  9 mreff555  staff  - 288 Apr 14 10:04 /Users/mreff555/Library/IdentityServices

There are flags that are separate from the mode flags. You're looking for the SF_RESTRICTED flag in the st_flags field of struct stat. That flag is, in fact, defined in sys/stat.h.

The mode flags (e.g. S_IRUSR) are defined in sys/_types/_s_ifmt.h, which is indirectly included by sys/stat.h.
