1183 points robenkleene | 1 comments
rootusrootus ◴[] No.24839054[source]
Hasn't this always been a bit of an issue? Apps with root privileges have been able to get around Little Snitch for as long as I can recall. Some software relies specifically on that ability.
replies(1): >>24839142 #
Wowfunhappy ◴[] No.24839142[source]
...no, I don't think they could. Is there an example you're thinking of?

Up until recently, Little Snitch monitored network traffic in kernel space.

replies(2): >>24839691 #>>24840817 #
1. frankjr ◴[] No.24839691[source]
Not OP but one example is bridged networking. I discovered this while trying Parallels Lite from the App Store. I was used to being prompted for every connection attempt VirtualBox was making but I was not getting any when using Parallels. I contacted Little Snitch's support and they acknowledged the issue but said that there's not much they can do because Little Snitch works on "application level" and Parallels uses bridged mode of networking that Little Snitch is unable to intercept. Note that the Lite version of Parallels doesn't require any kernel extensions (even on older macOS releases).

If an application is running as root, you are similarly able to use the lower level APIs and completely "bypass" Little Snitch. I cannot find a good alternative source for this other than the Security and Privacy Guide [0]:

> It is worth noting that these firewalls can be bypassed by programs running as root or through OS vulnerabilities (pdf), but they are still worth having - just don't expect absolute protection.

[0] https://github.com/drduh/macOS-Security-and-Privacy-Guide#th...