
1183 points robenkleene | 8 comments
1. Wowfunhappy No.24839553
I wonder if it would make sense for Little Snitch to continue supporting their kext-based solution in parallel to the new one, possibly only for users who are willing to disable SIP.

You might argue that disabling SIP for a security product defeats the point, but I'm not sure if that's necessarily true. SIP effectively delegates trust away from the user and towards Apple, which is fine as a default—but the calculus may be different for experienced users, like the ones who use Little Snitch.

replies(1): >>24841142 #
2. novok No.24841142
Eventually I don't think Little Snitch will even have APIs to access stuff like that in the kernel as a kext as macOS updates continue on.
replies(1): >>24841283 #
3. Wowfunhappy No.24841283
Kexts are used by Apple internally, so I'd be shocked if they were removed from the OS completely. Third-party kexts may be deprecated, but as long as SIP can be disabled, it will always be possible to load your own.
replies(2): >>24843118 #>>24845946 #
4. dwaite No.24843118{3}
The networking subsystem that the kernel exposes could be removed however, replaced with one which is neither stable nor publicly documented.
5. saagarjha No.24845946{3}
Apple could stop allowing you to load kexts they don’t sign, like they do on iOS.
replies(1): >>24847261 #
6. sneak No.24847261{4}
It’s my understanding (and I imagine yours is better than mine) that at least at present, the macOS kernel is open source, which would mean that unless they forked it, disabling firmware security and SIP would mean that you could replace it with a compatible one compiled from open sources that skips such a check.

They can, of course, remove that option a number of ways: closed source kernel, disable the disablement of boot security (such as on iOS), etc.

replies(2): >>24848014 #>>24852281 #
7. Wowfunhappy No.24848014{5}
XNU is open source and I have personally used custom kernels, but if it got to that point I definitely don't think it would be worthwhile for Little Snitch to maintain their kernel extension.

I truly don't think it would get to that point though. And even if it does, that day could be years away. We're talking about maintaining an existing product, not starting a new one from scratch.

IMO, the more pertinent question is whether it's worth asking customers to disable SIP. Up until now, commercial Mac software—even software targeting advanced users—has seemingly wanted to avoid that at all costs, whether it's Flavours discontinuing their theming software or nVidia discontinuing their web drivers†.

---

† Note that I'm continually suspicious we don't have the whole story here, but the commonly-cited narrative is that Apple won't sign nVidia's drivers.

8. saagarjha No.24852281{5}
The kernel is open source, but compiling it is non-trivial (over the years there have been a couple of hardcore people from the Hackintosh or jailbreaking community who do it, and sometimes Apple engineers write guides from time to time). But if they really wanted to stop this kind of thing, they could go the iOS route and make it impossible to load that kernel.