How can I protect my macOS system extension endpoint security from:

A. kill by the user (root user)

B. unloading by the root user?

Vadim Kotov
park joh

1 Answer

  1. I would say you could subscribe to the ES_EVENT_TYPE_AUTH_SIGNAL event to filter out all kill-like signals to your process (if you run it inside your daemon; in case you are loading it into a system process, the user just can't kill it).

  2. Well, I would not recommend doing this. The main question you should ask yourself: how will one unload your system extension to uninstall the software or to update it, if it cannot be unloaded?

    The root user is the one that should be able to do any sane operation on the system by design.

    You could still do some tricks here, like subscribe to the ES_EVENT_TYPE_AUTH_EXEC event and cancel all launchctl unload attempts, or systemextensionsctl with your system extension's parameters in case you are doing this via a separate extension.

Arthur Bulakaiev
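The first point of the answer, written out as an added Swift example (this is not the answerer's code). It assumes the Endpoint Security client runs inside the daemon it protects; the class name `SelfProtection` and the error enum are hypothetical.

```swift
import EndpointSecurity
import Foundation

// Added example, not from the answer above. Assumes the ES client runs inside
// the daemon it protects. SelfProtection and SelfProtectionError are hypothetical names.
enum SelfProtectionError: Error {
    case clientCreation(es_new_client_result_t)
    case subscribe
}

final class SelfProtection {
    private var client: OpaquePointer?
    private let selfPID = getpid()

    func start() throws {
        var newClient: OpaquePointer?
        let result = es_new_client(&newClient) { [weak self] client, message in
            self?.handle(client: client, message: message)
        }
        guard result == ES_NEW_CLIENT_RESULT_SUCCESS, let c = newClient else {
            throw SelfProtectionError.clientCreation(result)
        }
        client = c
        // Only the AUTH_SIGNAL event is needed for this check.
        var events: [es_event_type_t] = [ES_EVENT_TYPE_AUTH_SIGNAL]
        guard es_subscribe(c, &events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
            throw SelfProtectionError.subscribe
        }
    }

    private func handle(client: OpaquePointer, message: UnsafePointer<es_message_t>) {
        guard message.pointee.event_type == ES_EVENT_TYPE_AUTH_SIGNAL else { return }
        let event = message.pointee.event.signal
        let targetPID = audit_token_to_pid(event.target.pointee.audit_token)
        // Deny only signals aimed at this process; signal 0 is a liveness probe and
        // is let through. Every other target is allowed, so the client never
        // interferes with ordinary process management. Respond promptly: an AUTH
        // event left unanswered past its deadline gets the client itself killed.
        let verdict: es_auth_result_t =
            (targetPID == selfPID && event.sig != 0) ? ES_AUTH_RESULT_DENY : ES_AUTH_RESULT_ALLOW
        es_respond_auth_result(client, message, verdict, false)
    }
}
```

Call `try SelfProtection().start()` during daemon startup; the binary needs the com.apple.developer.endpoint-security.client entitlement and must run as root. Nothing here blocks launchctl or systemextensionsctl, in line with the answer's second point.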