[tor-commits] [torsocks/master] Add check for Apple's System Integrity Protection.

dgoulet at torproject.org dgoulet at torproject.org
Mon Oct 17 14:07:13 UTC 2016


commit 2f3656f8a12b866933397e4aa6ee1b31f661255c
Author: Alexander Færøy <ahf at 0x90.dk>
Date:   Sun Oct 16 20:48:21 2016 +0200

    Add check for Apple's System Integrity Protection.
---
 src/bin/torsocks.in | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/src/bin/torsocks.in b/src/bin/torsocks.in
index 7288337..d8522e2 100644
--- a/src/bin/torsocks.in
+++ b/src/bin/torsocks.in
@@ -85,6 +85,41 @@ set_ld_preload ()
 	esac
 }
 
+# Report error due to Apple's System Integrity Protection.
+macos_sip_error ()
+{
+	echo "ERROR: $1 is located in a directory protected by Apple's System Integrity Protection." >&2
+	exit 1
+}
+
+# Check if SIP is enabled and if the user is about to violate the blacklist.
+macos_sip_check ()
+{
+	local app_path="$1"
+
+	case "$OSTYPE" in
+		darwin*)
+			# We need to figure out if Apple's System Integrity Protection is
+			# enabled on the users' system.
+			if /usr/bin/csrutil status | grep -q enabled; then
+				local abs_app_dir=`cd "$(dirname "$app_path")" && pwd -P`
+
+				# It seems like /usr/** (with an exception of /usr/local/**),
+				# /System/**, /sbin/**, and /bin/** are currently protected
+				# using SIP.
+				case "$abs_app_dir/`basename $app_path`" in
+					/usr/local/*)
+						# Must be listed before the match on /usr/*
+						;;
+					/usr/*|/System/*|/sbin/*|/bin/*)
+						macos_sip_error $app_path
+						;;
+				esac
+			fi
+			;;
+	esac
+}
+
 # Spawn a torified shell.
 tor_shell ()
 {
@@ -112,6 +147,10 @@ torify_app ()
 		caps=`$getcap $app_path`
 	fi
 
+	# Check if Apple's System Integrity Protection is enabled if the user is
+	# running on macOS.
+	macos_sip_check $app_path
+
 	# NEVER remove that line or else nothing it torified.
 	set_ld_preload
 





More information about the tor-commits mailing list