On 15 Dec 2016, at 02:49, Jorgen Lundman <lund...@lundman.net> wrote:

> I'm not entirely sure what vnode "labels" are for …

Yeah, you and me both (-:  However, in this case I think it’s a red herring; 
AFAICT the Sandbox kext ignores the last two parameters (`vp->v_label` and 
`alist`) passed to it by `mac_vnode_check_getattrlist`.

The fun thing about the Sandbox kext is that it actually runs a small Scheme 
interpreter to decide whether to allow something.  So you can’t just dig into 
the Sandbox kext itself, you have to look at its inputs (the sandbox profiles), 
and there’s a /lot/ of complexity there.  If you want to get some understanding 
of the scope of this stuff, run the following command (-:

$ find /System -name "*.sb"

IMPORTANT: The presence and format of these files is not considered API.

So the Sandbox kext is just an engine, and the actual work being done is 
determined by the sandbox profiles.  In terms of where the engine touches the 
file system, however, there’s a relatively small list of contact points.  The 
ones that spring to mind are:

* The item’s path, using `vn_getpath` or `vn_getpath_fsenter`

* The name of the file system on which the item resides, using `vnode_mount` 
and `vfs_name`

* The mount point of that file system, using `vnode_mount` and `vfs_statfs`

* The item’s mode, using `vnode_getattr` with `va_mode`

* The item’s type, using `vnode_getattr` with `va_type`

* The item’s rdev, using `vnode_getattr` with `va_type` and `va_rdev`

* Whether the item is considered to be SIP protected; the details of this are 
beyond me, but the basic inputs are the `SF_RESTRICTED` and `SF_NOUNLINK` flags 
and `com.apple.rootless` xattr of all the items on the path

You may be able to trace these callbacks from the Sandbox kext to the kernel to 
see where things have gone wrong, perhaps comparing the HFS and ZFS cases side 
by side.

Share and Enjoy
--
Quinn "The Eskimo!"                    <http://www.apple.com/developer/>
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
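
An added example, not part of the message above and not Apple or Sandbox kext code: a user-space Python script that collects, for every item on a path, several of the inputs listed above (type, mode, rdev, whether it is a mount point, and the `SF_RESTRICTED`/`SF_NOUNLINK` flags), so the same path on an HFS volume and a ZFS volume can be compared side by side. The function names are hypothetical, the flag values are those in macOS `<sys/stat.h>`, and the script does not read the `com.apple.rootless` xattr or the file system name.

```python
import os
import stat
import sys

# Flag values as defined in macOS <sys/stat.h>.
SF_RESTRICTED = 0x00080000
SF_NOUNLINK = 0x00100000

_TYPES = ((stat.S_ISDIR, "dir"), (stat.S_ISREG, "reg"), (stat.S_ISLNK, "lnk"),
          (stat.S_ISCHR, "chr"), (stat.S_ISBLK, "blk"),
          (stat.S_ISFIFO, "fifo"), (stat.S_ISSOCK, "sock"))

def decode_sip_flags(st_flags):
    """Return the names of the SIP-related flags set in st_flags."""
    pairs = (("SF_RESTRICTED", SF_RESTRICTED), ("SF_NOUNLINK", SF_NOUNLINK))
    return [name for name, bit in pairs if st_flags & bit]

def file_type(mode):
    """Map st_mode to a short type name (the user-space view of va_type)."""
    return next((name for check, name in _TYPES if check(mode)), "unknown")

def path_components(path):
    """Yield '/', '/a', '/a/b', ... for every item on an absolute path."""
    current = os.sep
    yield current
    for part in os.path.abspath(path).split(os.sep):
        if part:
            current = os.path.join(current, part)
            yield current

def collect(path):
    """Gather the per-item attributes for each component of path."""
    rows = []
    for item in path_components(path):
        st = os.lstat(item)
        is_dev = stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode)
        rows.append({
            "path": item,
            "type": file_type(st.st_mode),
            "mode": oct(stat.S_IMODE(st.st_mode)),
            "rdev": st.st_rdev if is_dev else None,  # only meaningful for devices
            "mount_point": os.path.ismount(item),
            # st_flags is absent on platforms without BSD file flags.
            "flags": decode_sip_flags(getattr(st, "st_flags", 0)),
        })
    return rows

if __name__ == "__main__":
    for row in collect(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(row)
```

Run it once with a path on each volume and diff the two outputs; a difference in any column is a place to start tracing.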


