1183 points robenkleene | 1 comments
jjoonathan No.24838965
"You don't need kernel extensions, we'll provide APIs for you! We won't abuse the power that gives us, promise!"

...and now Apple has altered the deal and we must pray they do not alter it further. Disgusting. Predictable, expected, unsurprising -- but still disgusting.

replies(6): >>24839165 #>>24839174 #>>24839249 #>>24839470 #>>24839566 #>>24840061 #
Skunkleton No.24839165
You understand that Apple could bypass kexts too? This is an issue of trust, not a technical issue.
replies(2): >>24839232 #>>24839336 #
CountSessine No.24839232
Try to bypass kexts and you’re just asking for kernel stability issues and Mac customer crashes. Pushing these guys out of the kernel lets Apple cheat them and Mac users clean and easy.
replies(1): >>24839452 #
gruez No.24839452
>Try to bypass kexts and you’re just asking for kernel stability issues and Mac customer crashes

Why would that be the case? All you'd need to do is provide some sort of private network API, and only allow Apple-signed code to use it.

replies(1): >>24839467 #
throwaway2048 No.24839467
That is not how kexts work(ed); they can do completely arbitrary things to the kernel, including removing any theoretical code-signing requirement.
replies(1): >>24839599 #
gruez No.24839599
Any access? On Windows, you can write a driver that would run in kernel mode, but critical sections can't be modified[1]. I'd imagine there's something similar for Mac.

[1] https://en.wikipedia.org/wiki/Kernel_Patch_Protection

replies(2): >>24839831 #>>24839933 #
comex No.24839933
There hasn't been anything like that on macOS. macOS on Apple Silicon will have a form of kernel patch protection, like on iOS, but it's designed to guard against exploits from userland, not approved kexts. It's definitely possible for third-party kexts to bypass that somehow, but possibly only by disabling Secure Boot; I haven't looked into it.