The 'App' You Can't Trash: How SIP is Broken in Apple's High Sierra OS (eclecticlight.co)
A reader shares a blog post that talks about why a Mac running High Sierra 10.13.2 (and other versions near it) refuses to let users uninstall some third-party applications easily. For instance, when users attempt to uninstall BlueStacks, an Android emulator, the Finder shows this warning: "The operation can't be completed because you don't have the necessary permission." The blog post looks into the subject:
The moment that we see the word permission, all becomes clear: it's a permissions problem. So the next step is to select the offending item in the Finder, press Command-I to bring up the Get Info dialog, and change the permissions. It does, though, leave the slight puzzle as to why the Finder didn't simply prompt for authentication instead of cussedly refusing. Sure enough, after trying that, the app still won't go and the error message is unchanged. Another strange thing about this 'app' is that it's not an app at all. Tucked away in a mysterious folder, new to High Sierra, in /Library/StagedExtensions/Applications, its icon is defaced to indicate that the user can't even run it. Neither did the user install it there. Trying to remove it using a conventional Terminal command
sudo rm -rf /Library/StagedExtensions/Applications/BlueStacks.app
also fails, with the report Operation not permitted.
High Sierra leaves the user wondering what has happened. There's nothing in Apple's scant documentation to explain how this strange situation has arisen, and seemingly nothing more that the user can do to discover what is wrong, or to do anything about it. The clue comes from probing around in Terminal, specifically using a command like
ls -lO /Library
Try that in High Sierra, and you'll see
drwxr-xr-x@ 4 root wheel restricted 128 2 Jan 13:03 StagedExtensions
There are two relevant pieces of information revealed: the @ sign shows that directory has extended attributes (xattrs), and the word restricted that it is protected by System Integrity Protection (SIP). A quick peek inside /Library/StagedExtensions/Applications/BlueStacks.app shows that it is a stub of an app, lacking any main code, but it does contain a kernel extension (KEXT) which is also protected by SIP, by virtue of being inside a SIP-protected folder.
> ls -lO /Library/StagedExtensions/Applications
drwxr-xr-x 3 root wheel restricted 96 2 Jan 13:03 BlueStacks.app
So how did this third-party kernel extension end up in this mysterious folder, complete with SIP protection?
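The two signals the quoted post reads off the ls -lO listing (the @ after the mode string and the word restricted in the flags column) can be pulled out mechanically. The following is an added example, not code from the blog post or from Apple; the function name classify_lso is hypothetical, the field layout is assumed from the listings quoted above, and the third sample line is constructed.

```shell
#!/bin/sh
# Classify lines of macOS `ls -lO` output (long listing with file flags).
# Assumed field layout, as in the listings quoted in the post:
#   mode links owner group flags size <3 date/time fields> name

# Sample input: the first two lines are the listings quoted above;
# the third is constructed to show an unflagged entry with a space in its name.
SAMPLE='drwxr-xr-x@ 4 root wheel restricted 128 2 Jan 13:03 StagedExtensions
drwxr-xr-x 3 root wheel restricted 96 2 Jan 13:03 BlueStacks.app
drwxr-xr-x 5 root wheel - 160 2 Jan 13:03 Example Folder'

# Reads `ls -lO` lines on stdin, prints "<sip>\t<xattr>\t<name>" per entry.
classify_lso() {
    awk '
    # Skip "total N" and anything that is not a full listing line.
    NF >= 10 && $1 ~ /^[-dlbcps]/ {
        # The 11th character of the mode string is "@" when the item
        # carries extended attributes (empty if there is no marker).
        marker = substr($1, 11, 1)
        xattr = (marker == "@") ? "xattr" : "no-xattr"

        # The flags column is comma-separated, e.g. "restricted,hidden";
        # "-" means no flags are set.
        sip = "unrestricted"
        n = split($5, flags, ",")
        for (i = 1; i <= n; i++)
            if (flags[i] == "restricted") sip = "restricted"

        # The name is everything from field 10 on. Runs of spaces inside
        # a name are collapsed to one by awk field splitting.
        name = $10
        for (i = 11; i <= NF; i++) name = name " " $i

        printf "%s\t%s\t%s\n", sip, xattr, name
    }'
}

# Run against the embedded sample so the script works off a Mac as well.
printf '%s\n' "$SAMPLE" | classify_lso
```

On a Mac the same function can be fed live output, for example `ls -lO /Library | classify_lso`.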
Use kextunload to unload a kernel extension. It can then be deleted.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
I use the SIP to do research for the package I'm writing to automate my SIP which I'm writing using SIP. Thanks to the SIP my phone service is good and I don't need to use SIP to phone people.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
I've stayed on El Capitan (tried Sierra - twice - and eventually rolled back to El Capitan - twice). Unfortunately it will stop getting security updates sometime this summer, though... at which point I'll have to pick my poison and "upgrade".
#DeleteChrome
Turn what off? SIP? You can't, there is no option to disable it. It's always on as part of Apple's continued effort to boil the frog until no one notices OS X is now iOS X.
You can, but I wouldn't recommend it. Just use the kextunload command to turn off a kernel extension, it can then be deleted.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
The reason SIP was protecting the kext is because it was loaded into the actively running kernel. Unload the kext with "kextunload kextfile" and it is no longer protected by SIP and can be removed.
Yes, Apple could make this easier to do without using a shell. Ex: By putting a button in Preferences>Security that pops up a window displaying loaded kexts in a list & a button to unload them.
Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
SIP is basically the flags part of BSD securelevel 1. At securelevel 1 you can set the user and system immutable flags, but you can't remove them. If you want to, you need to reboot at securelevel 0 (or -1), use chflags to remove the relevant flags, and then delete the files (you can always increase the securelevel, you can't lower it without a reboot). On most BSD systems, securelevel 1 comes with some other restrictions related to opening certain devices, which are not enforced by XNU for SIP. This functionality dates back to 4.4BSD.
I am TheRaven on Soylent News
Aside: When did links stop working?
Based on the curly quotes and en.m.wikipedia.org hostname I see on that link's href attribute value in View Source, links in your comments stopped working roughly when you enabled automatic curly quotes on your iPhone or iPad or upgraded your iPhone or iPad to a version of iOS that enabled automatic curly quotes by default. Quoted attribute values in HTML5 must use Basic Latin quotation marks, be they single or double.
Last update: Nov. 10, 2016
There have been 2 major Windows 10 updates since that thing was last updated. There's no way it still manages to block all of the shit, if it ever did.