Tuesday, January 2, 2018

The “app” You Can’t Trash: How SIP Is Broken in High Sierra

Howard Oakley:

So how did this third-party kernel extension end up in this mysterious folder, complete with SIP protection? Surely SIP is there to protect macOS, not third-party app components installed later by the user? Who or what enabled SIP on that extension, and how can it be removed?

[…]

High Sierra has a new mechanism for handling third-party kernel extensions (User-Approved Kernel Extension Loading, or UAKL), which requires the user to authorise them. When a third-party installer tries to install a kernel extension, you see the warning[…] High Sierra then packages the extension in the form of a non-executable stub app, which it installs in /Library/StagedExtensions/Applications.

[…]

Thus SIP prevents the user from uninstalling a third-party app which the user installed, even though the kernel extension might be rendering macOS unstable, or have other significant side-effects.

Previously: Kernel Extensions in High Sierra.

Update (2018-01-03): See also: Hacker News.
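To see which staged items carry the SIP file flag Oakley describes, the following added example (not from Oakley's article) classifies the flags column of `ls -lO` output for /Library/StagedExtensions/Applications. The function names and the sample listing are constructed for illustration; on a non-macOS system or when the folder is absent, it runs on the constructed sample instead.

```shell
#!/bin/sh
# Added example: report which entries in the kext staging folder carry the
# "restricted" (SIP) file flag, read from the flags column of `ls -lO`.

STAGED_DIR="/Library/StagedExtensions/Applications"  # path named in the article

# Read `ls -lO` lines on stdin and print "restricted <name>" or
# "unrestricted <name>". Columns: mode, links, owner, group, flags, size,
# month, day, time-or-year, name. Flags are "-" or a comma-separated list.
classify_flags() {
    awk 'NF >= 10 && $1 !~ /^total/ {
        n = split($5, flags, ",")
        state = "unrestricted"
        for (i = 1; i <= n; i++) if (flags[i] == "restricted") state = "restricted"
        name = $10
        for (i = 11; i <= NF; i++) name = name " " $i   # names may contain spaces
        print state, name
    }'
}

# Constructed sample listing (hypothetical app names), used when not on macOS.
sample_listing() {
cat <<'EOF'
total 0
drwxr-xr-x  3 root  wheel  restricted 96 Dec 30 10:12 ExampleVendor Helper.app
drwxr-xr-x  3 root  wheel  - 96 Dec 30 10:14 Unstaged.app
EOF
}

if [ "$(uname)" = "Darwin" ] && [ -d "$STAGED_DIR" ]; then
    ls -lO "$STAGED_DIR" | classify_flags
else
    sample_listing | classify_flags
fi
```

Entries reported as restricted are the ones the Finder and `rm` will refuse to delete while SIP is enabled.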
