It’s estimated that there are over 170,000 words in current use in the English language, yet we repeatedly cause confusion by reusing the same words to mean different things. Today’s example is extension, which now extends from the kernel and innermost parts of macOS right up to minor enhancements to the Finder. This article tries to draw distinctions between them.
The most fundamental type of extension is found in the Extensions folders in /System/Library and /Library, and extends the features and abilities of the macOS kernel. These are bundles with the extension kext, as a result of which they’re also commonly known as kexts to distinguish them from lesser types of extension.
Although once popular for a wide range of purposes, including the support of third-party peripherals, Apple has been encouraging developers away from them. Nevertheless, macOS Ventura itself comes with nearly 600 of them, ranging from one for the APFS file system, to web content filtering. These are necessary because the design concept behind macOS is that its kernel is relatively small, and almost everything that it needs to do requires an extension.
The macOS kernel runs at the highest level of privilege, commonly referred to as Ring 0, and kexts run in Ring 1, while other less privileged processes run in Ring 3. A rogue kext can thus cause havoc, and is a sure way to a kernel panic. Apple is therefore encouraging developers away from kexts towards system extensions. Because of their security implications, if you want to use third-party kexts on an Apple silicon Mac, its boot security has to be reduced, a good deterrent from using them on Apple’s new Macs.
Instead of using kernel extensions, modern apps are supposed to use one of their replacements running with Ring 3 privileges rather than Ring 1. That should isolate them from the kernel, making it impossible for them to cause kernel panics, and strictly limit the power of any malicious extensions. These come in several varieties, including System, Driver, Endpoint Security and Network Extensions, depending on their purpose and the framework they use. However tempting it might be to refer to them as sexts, Apple has carefully avoided using that nickname.
Although some user-level extensions do have folders, such as /Library/DriverExtensions, in which the extension may be stored, and some may also be staged (at /Library/StagedDriverExtensions, for example), user-level extensions are managed by the app responsible for installing them, and are found in Contents/Library/SystemExtensions in the app bundle. Most importantly for Apple silicon Macs, they don’t need macOS to be run at reduced security, nor approval in the Privacy & Security pane.
These extensions should be completely managed by the apps which rely on them. Early in its launch process, the app should check whether its required extensions are installed. If they aren’t, the app should then guide you through that process, which usually involves authentication but shouldn’t require consent in Privacy & Security settings or restarting the Mac. One of the system requirements for the activation of user-level extensions is that the app is installed in one of the Applications folders. Activation may therefore fail if the app hasn’t yet been properly installed or moved into /Applications or ~/Applications.
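The locations given above can be turned into a small inventory of kexts and app-embedded system extensions, flagging apps whose extensions sit outside an Applications folder and so may fail to activate. This is an added example, not code from the article; the function names and the `.systemextension` and `.dext` bundle suffixes are assumptions not stated in the text.

```shell
#!/usr/bin/env bash
# Added example (not from the article): inventory kexts and app-embedded
# system extensions under ROOT, using the folder locations the article gives.
# Assumptions: bundle suffixes .systemextension and .dext; ROOT is "/" on a
# real Mac, or a constructed directory tree when testing.

# classify ROOT PATH -> prints "<kind> <note>" for one bundle path
classify() {
  local root="${1%/}" rel
  rel="${2#"$root"}"
  case "$rel" in
    /System/Library/Extensions/*.kext) echo "kext system" ;;
    /Library/Extensions/*.kext)        echo "kext local" ;;
    /Applications/*.app/Contents/Library/SystemExtensions/*|\
    /Users/*/Applications/*.app/Contents/Library/SystemExtensions/*)
      echo "sysext app-in-Applications" ;;
    *.app/Contents/Library/SystemExtensions/*)
      # Activation requires the app to be in an Applications folder
      echo "sysext app-outside-Applications" ;;
    *) echo "other unclassified" ;;
  esac
}

# inventory [ROOT] -> one "<kind> <note> <path>" line per bundle found
inventory() {
  local root="${1:-/}" p
  root="${root%/}"
  {
    # Top-level kernel extensions in both Extensions folders
    find "$root/System/Library/Extensions" "$root/Library/Extensions" \
         -maxdepth 1 -name '*.kext' 2>/dev/null || true
    # System extensions shipped inside app bundles, wherever the app lives
    find "$root/Applications" "$root/Users" \
         -path '*.app/Contents/Library/SystemExtensions/*' \
         \( -name '*.systemextension' -o -name '*.dext' \) \
         -prune -print 2>/dev/null || true
  } | sort | while IFS= read -r p; do
    echo "$(classify "$root" "$p") $p"
  done
}
```

On a Mac, `inventory /` prints one line per bundle; lines marked `app-outside-Applications` are the ones to move into /Applications or ~/Applications before activation.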
Finder, app and other extensions
Many apps support plugins to extend their capabilities, and those are also termed extensions. An even more diverse group, many of these are now collected in System Settings > Privacy & Security > Extensions, right at the foot of the list of privacy settings. Those listed there include Actions, Photos editing, Quick Look, Finder, and a whole ragbag that appear in Sharing. One significant type of app extension omitted from there is Safari Extensions, which are still managed in Safari’s Settings. Plugins for third-party apps are the responsibility of those apps to manage, which is perhaps just as well.
Their settings are generally managed in two parts. The Added extensions section at the top lists those apps recognised as providing extensions, and extensions they offer can be enabled by app. Sections below that list extensions by functional group, and provide a different set of controls. Both parts suffer from poor interfaces, with fixed-size windows and unhelpful information, making decisions difficult. Thankfully the consequences of enabling or disabling these app extensions are less than those of kexts and system extensions, so trial and error shouldn’t cause problems for your Mac.
- Kernel extensions, kexts, go in Library/Extensions folders, extend the kernel, and need to be taken seriously.
- System extensions come inside apps, and are intended to replace kexts, as they’re less likely to cause mayhem.
- App and other extensions are plugins managed mostly in System Settings, and are relatively lightweight.
- Safari extensions are managed separately, in Safari’s Settings.