Member-only story
MACF on macOS
Introduction to Mandatory Access Control Framework on macOS
INTRO
On macOS, both Discretionary Access Control (DAC) and Mandatory Access Control (MAC) are integral to managing system security.
DAC, for instance, governs file permissions, while MAC enforces policies that users cannot alter, such as Sandbox or Code Sign. The enforcement is managed through the MAC Framework (MACF), an integral part of the XNU kernel.
This article examines the implementation of the MACF in macOS and delves into its core components, including Policy Modules and hooks.
Enjoy!
DAC vs MAC
To understand Mandatory Access Control (MAC), it is essential first to grasp Discretionary Access Control (DAC) to avoid confusion between the two.
DAC on macOS
The fundamental difference is DAC can be modified as a user, while MAC is mandatory and cannot. The following examples illustrate how DAC works:
- File and Directory Permissions — traditional UNIX
(r)ead
,(w)rite
, ande(x)ecute
permissions for owner…