hoakley February 18, 2023 Macs, Technology

What are all those extensions?

It’s estimated that there are over 170,000 words in current use in the English language, yet we repeatedly cause confusion by reusing the same words to mean different things. Today’s example is extension, which now extends from the kernel and innermost parts of macOS right up to minor enhancements to the Finder. This article tries to draw distinction between them.

Kernel extensions

The most fundamental type of extension are those found in the Extensions folders in /System/Library and /Library that extend the features and abilities of the macOS kernel. These are bundles with the extension kext, as a result of which they’re also commonly known as kexts to distinguish them from lesser types of extension.

Although once popular for a wide range of purposes, including the support of third-part peripherals, Apple has been encouraging developers away from them. Nevertheless, macOS Ventura itself comes with nearly 600 of them, ranging from one for the APFS file system, to web content filtering. These are necessary because the design concept behind macOS is that its kernel is relatively small, and almost everything that it needs to do requires an extension.

The macOS kernel runs at the highest level of privilege, commonly referred to as Ring 0, and kexts run in Ring 1, while other less privileged processes run in Ring 3. A rogue kext can thus cause havoc, and is a sure way to a kernel panic. Apple is therefore encouraging developers away from kexts towards system extensions. Because of their security implications, if you want to use third-party kexts on an Apple silicon Mac, its boot security has to be reduced, a good deterrent from using them on Apple’s new Macs.

System extensions

Instead of using kernel extensions, modern apps are supposed to use one of their replacements running with Ring 3 privileges rather than Ring 1. That should isolate them from the kernel, making it impossible for them to cause kernel panics, and strictly limit the power of any malicious extensions. These come in several varieties, including System, Driver, Endpoint Security and Network Extensions, depending on their purpose and the framework they use. However tempting it might be to refer to them as sexts, Apple has carefully avoided using that nickname.

Although some user-level extensions do have folders, such as /Library/DriverExtensions, in which the extension may be stored, and some may also be staged (at /Library/StagedDriverExtensions, for example), user-level extensions are managed by the app responsible for installing them, and are found in Contents/Library/SystemExtensions in the app bundle. Most importantly for Apple silicon Macs, they don’t need macOS to be run at reduced security, nor approval in the Privacy & Security pane.

These extensions should be completely managed by the apps which rely on them. Early in its launch process, the app should check whether its required extensions are installed. If they aren’t, the app should then guide you through that process, which usually involves authentication but shouldn’t require consent in Privacy & Security settings or restarting the Mac. One of the system requirements for the activation of user-level extensions is that the app is installed in one of the Applications folders. Activation may therefore fail if the app hasn’t yet been properly installed or moved into /Applications or ~/Applications.

Finder, app and other extensions

Many apps support plugins to extend their capabilities, and those are also termed extensions. An even more diverse group, many of these are now collected in System Settings > Privacy & Security > Extensions, right at the foot of the list of privacy settings. Those listed there include Actions, Photos editing, Quick Look, Finder, and a whole ragbag that appear in Sharing. One significant type of app extension omitted from there are Safari Extensions, which are still managed in Safari’s Settings. Plugins for third-party apps are the responsibility of those apps to manage, which is perhaps just as well.

Their settings are generally managed in two parts. The Added extensions section at the top lists those apps recognised as providing extensions, and extensions they offer can be enabled by app. Sections below that list extensions by functional group, and provide a different set of controls. Both parts suffer from poor interfaces, with fixed-size windows and unhelpful information, making decisions difficult. Thankfully the consequences of enabling or disabling these app extensions are less than those of kexts and system extensions, so trial and error shouldn’t cause problems for your Mac.

Summary

Kernel extensions, kexts, go in Library/Extensions folders, extend the kernel, and need to be taken seriously.
System extensions come inside apps, and are intended to replace kexts, as they’re less likely to cause mayhem.
App and other extensions are plugins managed mostly in System Settings, and are relatively lightweight.
Safari extensions are managed separately, in Safari’s Settings.

15Comments

Add yours

1

EcleX on February 18, 2023 at 8:29 am
Reply

Many thanks for the useful reference article. Twice for the summary.

LikeLiked by 1 person
- 2
  
  hoakley on February 18, 2023 at 10:28 am
  Reply
  
  Thank you. It’s good to see you back – we missed you.
  Howard.
  
  LikeLike
3

alberic on February 18, 2023 at 11:09 am
Reply

I’d be interested if there is a penalty in using System Extensions for very high bandwidth transfers. IOW incurring context switches between the execution rings may possibly slow the entire I/O operations.

LikeLiked by 1 person
- 4
  
  hoakley on February 18, 2023 at 2:37 pm
  Reply
  
  Thank you – a good question, but I’m not sure there’s an answer, because currently System Extensions frameworks only support a limited range of functions that were covered in kernel extensions. For example, there’s none to support third-party file systems, nor for the kext currently required for SoftRAID, AFAIK.
  That said, as kexts aren’t Ring 0, they can still suffer context switching for the kernel too.
  Howard.
  
  LikeLike
5

BenSar on February 18, 2023 at 3:29 pm
Reply

OWC claims that the newest version of SoftRAID (V7.1) is now compatible with Ventura. Does this mean that it now has a system extension rather than a kext? Their documentation is not … the clearest and retrieving full use of SoftRAID without reducing security would be a blessing.

LikeLiked by 1 person
- 6
  
  hoakley on February 18, 2023 at 3:45 pm
  Reply
  
  Yes, the latest version of SoftRAID is compatible with Ventura. However, it still relies on a kernel extension. AFAIK there currently isn’t a type of system extension that could be used as a replacement, yet.
  Howard.
  
  LikeLike
7

BenSar on February 18, 2023 at 3:47 pm
Reply

Thank you.

LikeLiked by 1 person
8

Jack on February 19, 2023 at 1:58 am
Reply

Driver Extensions (DEXTs) do require user approval – in Ventura the approval request appears in the main Privacy & Security Pane of System Settings, and only appears when a DEXT activation is pending. As a developer, it is a problem when a user has not yet approved the driver since we cannot move forward with using the device that requires it. Monterey provided us with the necessary APIs to detect User approval – see OSSystemExtensionProperties, the isAwaitingUserApproval property.
The requirements for implementing DEXTs are rather rigorous, and require Apple approval for the necessary entitlements. In general device manufacturers have moved on to device interfaces that do not require KEXTs or DEXTs, but some older devices still need them.
Having gone through the development process, I understand their power, but recommend their use only when absolutely necessary.

LikeLiked by 1 person
- 9
  
  hoakley on February 19, 2023 at 9:44 am
  Reply
  
  Thank you. That’s interesting, and shows the diverse nature of system extensions. If I recall correctly, that’s not the case with some other types, such as Endpoint Security. It’s also strange, in that one of Apple’s claimed advantages to system extensions was that they wouldn’t require such authorisation.
  All types of system extension require Apple-controlled entitlements, which again appears to go against their design objectives.
  Congratulations on negotiating all these barriers – it must have been frustrating at times.
  Howard.
  
  LikeLike
10

Nils on February 19, 2023 at 9:18 am
Reply

Mail extensions (not plugins) seem also be managed in the Application only, like Safari.

LikeLiked by 1 person
- 11
  
  hoakley on February 19, 2023 at 9:48 am
  Reply
  
  Thank you. That only confirms that the real consistency is inconsistency.
  Howard.
  
  LikeLike
12

Michael Roitzsch on February 19, 2023 at 10:37 am
Reply

Looking at the published XNU source, I would say ring 1 is not used on x86-64 systems. References to the call gates only appear in the 32-bit-Intel specific parts.

LikeLiked by 1 person
- 13
  
  hoakley on February 19, 2023 at 8:14 pm
  Reply
  
  Thank you – that’s fascinating. So kexts are now in Ring 0? No wonder Apple wants to get rid of third-party kexts as quickly as possible.
  Howard.
  
  LikeLike
  - 14
    
    Michael Roitzsch on February 22, 2023 at 7:13 am
    Reply
    
    Exactly. Since the hardware page tables on x86 only distinguish between two protection levels (kernel/user), the protection for rings 1 and 2 uses these arcane segmentation and call gate features. I remember that these features became slow with later 32-bit processors, because they were not widely used and with 64 bit, they got removed. On their Arm CPUs, Apple invented GXF (https://blog.svenpeter.dev/posts/m1_sprr_gxf/), which serves a similar purpose – isolation between parts of the kernel.
    
    LikeLiked by 1 person
    - 15
      
      hoakley on February 22, 2023 at 9:24 pm
      
      Thank you – of course, the problem with ARM’s two available ELs. I must admit that hadn’t occurred to me at all, although it’s obvious really.
      Howard.
      
      LikeLike