Test User Approval Kernel Extension Loading on mac (TN2459)

Question

TN2459: https://developer.apple.com/library/content/technotes/tn2459/_index.html introduces that under macOS High Sierra user approval is required for loading new third-party kernel extensions.

The kext that I would like to test has been loaded before upgraded to High Sierra, so loading the same kext after upgrade does not trigger the user approval flow which I would like to test against.

The kernel extension user consent is enabled:

$ spctl kext-consent status
Kernel Extension User Consent: ENABLED

I deleted the entry that corresponds to the kext in the kext_policy table in /private/var/db/SystemPolicyConfiguration/KextPolicy under recovery mode and restart several times. But the user approval flow is still not triggered when I load the kext.

I wonder if the policy info is cached somewhere else and if I need to clear NVRAM for my machine or tell syspolicyd to clear its cache? Or there is other things that I need to do?

This is possibly duplicated to https://stackoverflow.com/questions/47810161/macos-high-sierra-kext-loading-are-there-any-ways-to-cancel-user-approval?rq=1 — yijiem, Apr 25 '18 at 20:00

Liviu · Accepted Answer · 2018-10-19T08:29:45.190

In short, you have to boot in recovery mode (Mac+R) and edit the sqlite table /private/var/db/SystemPolicyConfiguration/KextPolicy.

This table is accessible in read-only mode in normal boot:

sqlite3 /private/var/db/SystemPolicyConfiguration/KextPolicy
sqlite> SELECT * FROM kext_policy;
sqlite> SELECT * FROM kext_load_history_v3;

You have to remove your entries (recovery mode) and reboot, like this (Replace 'G43BCU2T37' with your team_id):

sqlite> DELETE FROM kext_policy WHERE team_id = 'G43BCU2T37';
sqlite> DELETE FROM kext_load_history_v3 WHERE team_id = 'G43BCU2T37';
sqlite> .exit

To avoid the reboot every time, you could alter the "System Integrity Protection" configuration (in recovery mode): csrutil enable --without fs --no-internal. Now kext_policy is changeable from normal boot.

The whole procedure is described here: https://forums.developer.apple.com/thread/79172#248518.

Now I see the answer is also here: https://stackoverflow.com/questions/47810161/macos-high-sierra-kext-loading-are-there-any-ways-to-cancel-user-approval — Liviu, Oct 19 '18 at 08:25

score 0 · Answer 2 · answered Apr 30 '18 at 18:55

0

Was able to test it using a high sierra vm. The full step of installing the vm is: https://www.howtogeek.com/289594/how-to-install-macos-sierra-in-virtualbox-on-windows-10/

answered Apr 30 '18 at 18:55

yijiem

359
2
17

Test User Approval Kernel Extension Loading on mac (TN2459)

2 Answers2