commit 2f3656f8a12b866933397e4aa6ee1b31f661255c
Author: Alexander Færøy <a...@0x90.dk>
Date:   Sun Oct 16 20:48:21 2016 +0200

    Add check for Apple's System Integrity Protection.
---
 src/bin/torsocks.in | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/src/bin/torsocks.in b/src/bin/torsocks.in
index 7288337..d8522e2 100644
--- a/src/bin/torsocks.in
+++ b/src/bin/torsocks.in
@@ -85,6 +85,41 @@ set_ld_preload ()
        esac
 }
 
+# Report error due to Apple's System Integrity Protection.
+macos_sip_error ()
+{
+       echo "ERROR: $1 is located in a directory protected by Apple's System 
Integrity Protection." >&2
+       exit 1
+}
+
+# Check if SIP is enabled and if the user is about to violate the blacklist.
+macos_sip_check ()
+{
+       local app_path="$1"
+
+       case "$OSTYPE" in
+               darwin*)
+                       # We need to figure out if Apple's System Integrity 
Protection is
+                       # enabled on the users' system.
+                       if /usr/bin/csrutil status | grep -q enabled; then
+                               local abs_app_dir=`cd "$(dirname "$app_path")" 
&& pwd -P`
+
+                               # It seems like /usr/** (with an exception of 
/usr/local/**),
+                               # /System/**, /sbin/**, and /bin/** are 
currently protected
+                               # using SIP.
+                               case "$abs_app_dir/`basename $app_path`" in
+                                       /usr/local/*)
+                                               # Must be listed before the 
match on /usr/*
+                                               ;;
+                                       /usr/*|/System/*|/sbin/*|/bin/*)
+                                               macos_sip_error $app_path
+                                               ;;
+                               esac
+                       fi
+                       ;;
+       esac
+}
+
 # Spawn a torified shell.
 tor_shell ()
 {
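Review bot: macos_sip_check fails open when the application's directory cannot be resolved, because `local abs_app_dir=...` discards the exit status of the substitution. A failed `cd` leaves the variable empty, the inner `case` matches nothing, and the program is launched as if it were outside the protected paths. Declaring and assigning separately and stopping on failure closes that gap: `local abs_app_dir` followed by `abs_app_dir=$(cd "$(dirname "$app_path")" && pwd -P) || exit 1`. The expansions in `basename $app_path` and `macos_sip_error $app_path`, and in the `macos_sip_check $app_path` call added to torify_app in the next hunk, are unquoted, so a path containing spaces is word-split before it is matched; `case "$abs_app_dir/$(basename "$app_path")" in` and `macos_sip_error "$app_path"` avoid that. Only the directory is canonicalised by `pwd -P`, so a symlink in an unlisted directory that points at a binary under a listed prefix would presumably pass, and tor_shell (body outside this hunk) does not visibly get the check, so both are worth confirming.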
@@ -112,6 +147,10 @@ torify_app ()
                caps=`$getcap $app_path`
        fi
 
+       # Check if Apple's System Integrity Protection is enabled if the user is
+       # running on macOS.
+       macos_sip_check $app_path
+
        # NEVER remove that line or else nothing it torified.
        set_ld_preload
 


