 

MacOS High Sierra KEXT Loading - Are there any ways to cancel user approval?

As some kinds of MacOS developers know, Apple implemented Secure Kernel Extension Loading.

Users can approve third party KEXT by clicking Approve button in Security and Privacy. However, once the KEXT is approved, are there any methods for cancelling the approval?

Imagine the case of testing the app with KEXT loading, etc.

If there is no way but a clean install, it's very difficult to test apps.

HirofumiTamori asked Dec 14 '17 09:12




2 Answers

The information about approvals is stored in a sqlite3 database:

/var/db/SystemPolicyConfiguration/KextPolicy

The tables you're interested in are: kext_policy and kext_load_history_v3. E.g. here is how you can view the data and the table schema:

sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy

sqlite> select * from kext_policy;
54GTJ2AU36|com.joshuawise.kexts.HoRNDIS|1|Joshua Wise|1

sqlite> .schema kext_policy
CREATE TABLE kext_policy ( team_id TEXT, bundle_id TEXT, allowed BOOLEAN, developer_name TEXT, flags INTEGER, PRIMARY KEY (team_id, bundle_id) );

Removing the approval is trickier, since System Integrity Protection does not allow you to modify the database. So, you'd need to reboot into a recovery partition, or a different MacOS installation, then cd into the root of your volume, and run commands like these (replace with your team_id, or use other criteria):

usr/bin/sqlite3 var/db/SystemPolicyConfiguration/KextPolicy
delete from kext_load_history_v3 where team_id='54GTJ2AU36';
delete from kext_policy where team_id='54GTJ2AU36';
.quit 
Mikhail Iakhiaev answered Sep 29 '22 11:09
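A read-only audit of the kext_policy table described in the answer above, as an added example that is not part of the original answer: it lists approved entries and flags team IDs outside an expected set, which is also a way to confirm that a revocation took effect. The schema and the HoRNDIS row come from the answer; the EXAMPLE rows, the function names and the expected-set check are assumptions made for illustration, and Python is used so the sample runs against a constructed database.

```python
import sqlite3
from urllib.parse import quote

# Schema copied from the answer's `.schema kext_policy` output.
SCHEMA = (
    "CREATE TABLE kext_policy ( team_id TEXT, bundle_id TEXT, allowed BOOLEAN, "
    "developer_name TEXT, flags INTEGER, PRIMARY KEY (team_id, bundle_id) );"
)


def open_readonly(path="/var/db/SystemPolicyConfiguration/KextPolicy"):
    """Open the policy database (default: path from the answer) read-only."""
    return sqlite3.connect(f"file:{quote(path)}?mode=ro", uri=True)


def audit_approvals(conn, expected_team_ids):
    """Return (approved, unexpected): every allowed row, and the subset whose
    team_id is not in the expected set."""
    rows = conn.execute(
        "SELECT team_id, bundle_id, developer_name FROM kext_policy "
        "WHERE allowed = 1 ORDER BY team_id, bundle_id"
    ).fetchall()
    expected = set(expected_team_ids)
    unexpected = [row for row in rows if row[0] not in expected]
    return rows, unexpected


def build_sample_db():
    """Constructed in-memory database: the row shown in the answer plus two
    made-up rows (EXAMPLE0001 and EXAMPLE0002 are placeholders)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO kext_policy VALUES (?, ?, ?, ?, ?)",
        [
            ("54GTJ2AU36", "com.joshuawise.kexts.HoRNDIS", 1, "Joshua Wise", 1),
            ("EXAMPLE0001", "com.example.driver", 1, "Example Vendor", 1),
            ("EXAMPLE0002", "com.example.denied", 0, "Other Vendor", 0),
        ],
    )
    return conn


if __name__ == "__main__":
    conn = build_sample_db()  # on a Mac, use open_readonly() instead
    approved, unexpected = audit_approvals(conn, {"54GTJ2AU36"})
    for row in approved:
        mark = "UNEXPECTED" if row in unexpected else "ok"
        print(f"{mark:10} {row[0]} {row[1]} ({row[2]})")
```
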


To echo what people are saying in the comments, I found that the accepted solution did not work. I also had to reset the PRAM.

Working steps:

  1. Create the following script somewhere on your filesystem (you will be running this from recovery mode, so you won't be able to copy and paste in that mode). You will need to replace TEAMID1234 with the team ID of the kext(s) you want to revoke consent for. Note that the full paths to /Volumes/Macintosh\ HD are required in recovery mode.

    I called my script /Users/me/revoke_kext_consent.sh, and ran chmod +x /Users/me/revoke_kext_consent.sh.

#!/bin/sh -e
/Volumes/Macintosh\ HD/usr/bin/sqlite3 /Volumes/Macintosh\ HD/var/db/SystemPolicyConfiguration/KextPolicy 'delete from kext_policy where team_id="TEAMID1234";'
/Volumes/Macintosh\ HD/usr/bin/sqlite3 /Volumes/Macintosh\ HD/var/db/SystemPolicyConfiguration/KextPolicy 'delete from kext_load_history_v3 where team_id="TEAMID1234";'
  2. Reboot into recovery mode (boot with Cmd-R)

  3. Open Terminal, and run the above script (/Volumes/Macintosh\ HD/Users/me/revoke_kext_consent.sh).

  4. Reboot and reset the PRAM (boot with Cmd-Opt-P-R)

craig65535 answered Sep 29 '22 09:09