xattr: com.apple.rootless, protects with SIP

Type: com.apple.rootless
Subtypes: none
Serialisation: none
Data type: often empty; sometimes contains UTF-8 text
Example: <4d6f6269 6c654173 736574> «MobileAsset»
macOS: Sierra, High Sierra
System use: extensively, mainly to mark KEXTs in /System/Library/Extensions
App use: SIP-protected Apple apps only
Document use: none
Other usage: none

Purpose: marks folder/file as being protected by macOS SIP
Almost all are empty, with no data. Where they contain data, this appears to be the name of the system or process which controls access to that protected file/folder. For example, in High Sierra the /Library/StagedExtensions has a xattr which identifies Apple’s KernelExtensionManagement service as controlling what can be changed within it.

Data seen include «MobileAsset», «SystemPolicyConfiguration», and «KernelExtensionManagement»

Protected by SIP, and cannot be removed by the user, even as root, or on a non-boot disk. However, users can add this xattr to their own files and folders if those are on a volume other than the boot disk, and modify and remove the xattr from those items.

Tools: xattred, xattr


Original page: 2017-12-10
Last modified: 2018-01-04