MACF on macOS

Introduction to Mandatory Access Control Framework on macOS

Karol Mazurek
11 min read · Nov 28, 2024

INTRO

On macOS, two access-control models operate side by side: Discretionary Access Control (DAC) and Mandatory Access Control (MAC).

DAC governs things like file permissions, which the owner of an object may change at will. MAC enforces policies that users cannot alter or relax, such as the App Sandbox or code-signing enforcement. On macOS, MAC policies are implemented through the MAC Framework (MACF), the TrustedBSD-derived framework built into the XNU kernel.

This article examines how MACF is implemented in macOS and looks at its core components, including policy modules and the hooks through which the kernel consults them.

Enjoy!

DAC vs MAC

To understand Mandatory Access Control (MAC), it helps to first understand Discretionary Access Control (DAC), so that the two are not confused.

DAC on macOS

The fundamental difference is that DAC permissions are set at the discretion of the object's owner, who can change them at any time, while MAC policies are enforced by the kernel and cannot be turned off by the user. The following examples illustrate how DAC works:

  • File and Directory Permissions — traditional UNIX (r)ead, (w)rite, and e(x)ecute permissions for owner, group, and others (chmod).
  • Ownership — files and directories have an owner (user ID) and a group (group ID). Owners can use chown to change ownership.
  • Access Control Lists (ACLs) — extended permission entries that allow finer-grained access control, configured via chmod with its ACL-specific options (+a, -a, =a) and listed with ls -le.
  • umask — controls default permissions for new files and directories by removing bits from the defaults. For example, umask 022 strips write permission from group and others, so new files are created as rw-r--r-- and new directories as rwxr-xr-x.
  • Setuid and Setgid Bits — make an executable run with the privileges of its file owner (Setuid) or group (Setgid) for the lifetime of the process, rather than those of the user who launched it.
  • Sticky Bit — applied to directories so that files can be deleted or renamed only by their owner (or the directory's owner), even when everyone has write access, as in /tmp.

On macOS, we also have the Finder Permissions Interface (Get Info), a graphical front end for the same UNIX permissions.
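As an added example (not from the original article), the following POSIX shell script exercises the DAC controls listed above on scratch files and reads the resulting mode bits back with ls(1). Every function returns a mode string so the effect of each control is visible. The ACL step uses the macOS-only chmod +a syntax and is skipped on other systems; the group name everyone, the scratch paths and the function names are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the original article): exercise the DAC controls
# discussed above on scratch files and read the resulting mode bits back with
# ls(1). Only POSIX tools are used, so it runs on macOS and Linux; the ACL
# step is macOS-only and is skipped elsewhere.

# Print the 10-character mode string of PATH, e.g. "-rw-r--r--".
# cut(1) drops the trailing "@"/"+" (macOS) or "." (SELinux) markers.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# umask is subtractive: a new file gets 0666 & ~umask.
# file_mode_under_umask 022 -> -rw-r--r--   file_mode_under_umask 077 -> -rw-------
file_mode_under_umask() {
    scratch=$(mktemp -d)
    # Run in a subshell so the caller's umask is left untouched.
    ( umask "$1" && : > "$scratch/f" )
    mode_of "$scratch/f"
    rm -rf "$scratch"
}

# DAC is discretionary: the owner hands out or revokes access at will.
# Prints the mode before and after granting group write.
owner_grants_group_write() {
    scratch=$(mktemp -d)
    : > "$scratch/f"
    chmod 640 "$scratch/f"
    before=$(mode_of "$scratch/f")
    chmod g+w "$scratch/f"
    after=$(mode_of "$scratch/f")
    rm -rf "$scratch"
    printf '%s %s\n' "$before" "$after"
}

# Setuid on an executable: "s" replaces the owner's "x" -> -rwsr-xr-x
setuid_file_mode() {
    scratch=$(mktemp -d)
    : > "$scratch/prog"
    chmod 4755 "$scratch/prog"
    mode_of "$scratch/prog"
    rm -rf "$scratch"
}

# Sticky bit on a world-writable directory, as on /tmp: "t" in the last slot -> drwxrwxrwt
sticky_dir_mode() {
    scratch=$(mktemp -d)
    chmod 1777 "$scratch"
    mode_of "$scratch"
    rmdir "$scratch"
}

# macOS ACLs: chmod +a adds an entry, ls -l then flags the file with "+" in
# the 11th column, and ls -le lists the entries. Prints "skipped" off macOS.
acl_marker() {
    [ "$(uname)" = Darwin ] || { echo skipped; return 0; }
    scratch=$(mktemp -d)
    : > "$scratch/f"
    chmod +a "group:everyone allow read" "$scratch/f"   # group name chosen for the example
    ls -ld "$scratch/f" | cut -c11
    chmod -N "$scratch/f"                               # drop the ACL before cleanup
    rm -rf "$scratch"
}

# Stand-alone run: print each result.
file_mode_under_umask 022
file_mode_under_umask 077
owner_grants_group_write
setuid_file_mode
sticky_dir_mode
acl_marker
```

Compare the "before" and "after" strings from owner_grants_group_write with what MACF does next in this article: no chmod invocation by the owner can loosen a policy a MAC module enforces, which is precisely the distinction the section above draws.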
