Member-only story

MACF on macOS

Introduction to Mandatory Access Control Framework on macOS

Karol Mazurek
11 min readNov 28, 2024

INTRO

On macOS, both Discretionary Access Control (DAC) and Mandatory Access Control (MAC) are integral to managing system security.

DAC, for instance, governs file permissions, while MAC enforces policies that users cannot alter, such as Sandbox or Code Sign. The enforcement is managed through the MAC Framework (MACF), an integral part of the XNU kernel.

This article examines the implementation of the MACF in macOS and delves into its core components, including Policy Modules and hooks.

Enjoy!

DAC vs MAC

To understand Mandatory Access Control (MAC), it is essential first to grasp Discretionary Access Control (DAC) to avoid confusion between the two.

DAC on macOS

The fundamental difference is DAC can be modified as a user, while MAC is mandatory and cannot. The following examples illustrate how DAC works:

  • File and Directory Permissions — traditional UNIX (r)ead, (w)rite, and e(x)ecute permissions for owner…

--

--

No responses yet