hoakley March 13, 2023 Macs, Technology

Ventura has changed app quarantine with a new xattr

Now that we’re approaching half time in Ventura’s cycle, it’s good that we’re still discovering new features that Apple forgot to mention at WWDC last June. This article outlines how macOS 13 has changed the process of app quarantine, with the addition of a new extended attribute to track the origin of quarantined apps in their provenance.

Clearing quarantine

What used to happen when a file was downloaded using Safari or another app that supports quarantine, was that an extended attribute of type com.apple.quarantine was added to the downloaded file. This contains the quarantine flag itself, indicating whether it’s set or has been cleared, the time of its attachment, the app or agent that attached the flag, and a UUID reference to an entry in the QuarantineEvents database at ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2.

When that app was run for the first time and underwent Gatekeeper’s full checks, if it was accepted, the quarantine flag was changed to indicate the app was no longer quarantined, and future launches of that app didn’t undergo full first run checks. For instance, the normal quarantine flag attached when a file transits AirDrop is 0081, and when that’s cleared it becomes 00c1. Other than that changed extended attribute, there seems to be no record kept of the clearance of that flag.

Provenance

What happens in macOS Ventura is essentially the same until the moment that quarantine is cleared, when macOS now attaches a new extended attribute (xattr) of type com.apple.provenance to the file. This contains an 11-byte binary reference unique to that quarantine event, and may be protected by SIP to make it persist and prevent it from being stripped.

xattr01

For example, when an app is transferred between Macs using AirDrop, any existing com.apple.quarantine xattr is replaced with a new one with its flag is set to 0081. When that app is successfully opened on the recipient Mac, and its quarantine flag is changed to 00c1, an 11-byte com.apple.provenance xattr is added and SIP may be applied to it to prevent its removal.

Some early releases of Ventura appear to have been more thorough in applying the com.apple.provenance xattr, and have added it to every folder and file within an app when it was taken out of quarantine; in that situation, the 11-byte identifier is identical across all files and folders taken out of quarantine in that app. Behaviour in macOS 13.2.1 currently appears limited to attaching just a single com.apple.provenance xattr to the .app folder. You may also come across apps in which the original com.apple.quarantine xattrs have been stripped, leaving just the protected com.apple.provenance xattrs behind.

xattr02

Removal

Defeating any SIP protection is simple for the user: when an app with a protected com.apple.provenance xattr is copied to another volume, the SIP protection breaks, and the xattr can be deleted in the normal way. However, code that tries to remove that xattr while it’s still protected may fail, and that has resulted in problems reported in Ventura by some users.

Unlike the other com.apple.macl xattr that can be attached to any file as part of TCC’s privacy protections, and is also protected by SIP, com.apple.provenance should only ever be attached to apps and their contents. It always seems to be just 11 bytes in size, although in one case rose to 4096 bytes through trailing padding with zeros, presumably as the result of an error on the part of macOS.

xattr03

The purpose and use of the com.apple.provenance xattr is currently unknown, and appears to be still evolving. I’d be very interested to hear of other evidence of its behaviour and use in quarantine.

Summary

Ventura introduces a new extended attribute com.apple.provenance, attached to apps when they clear quarantine.
The xattr contains binary data of 11 bytes that is unique to that quarantine event.
The xattr is protected by SIP, so can’t be removed unless the app is copied to another volume.
It’s otherwise undocumented, and its purpose and use are unknown.

GUI access to xattrs and the crawler used above are features of my free utility xattred.

Postscript

I’m very grateful to Randy Saldinger of Mothers Ruin for pointing out that SIP isn’t always applied to the com.apple.provenance xattr. I’m not sure whether this only occurs in certain circumstances, or in earlier versions of Ventura, but has been a previous cause of complaint about this xattr.

Randy has also identified the binary content of this new xattr as containing an 8-byte integer that is that app’s primary key in the provenance_tracking table in /var/db/SystemPolicyConfiguration/ExecPolicy. This would enable macOS to check the previous cdhash and other information about the app, perhaps to determine whether fuller checks are required by Gatekeeper, when the app is launched on subsequent occasions. That would make it a key part of Ventura’s new extended Gatekeeper checks.

Please read Randy’s comments below for further information.

27Comments

Add yours

1

Randy Saldinger on March 13, 2023 at 5:09 pm

Oh, that’s an interesting find! It looks like the last 8 bytes of this xattr value is a (Little Endian) integer value that connects to the “pk” (primary key) column of the “provenance_tracking” table in /var/db/SystemPolicyConfiguration/ExecPolicy. This table contains the cdhash, bundle identifier, team ID and some other bits about the app.

I’d suspect this is used somehow to decide when an app has been modified and thus requires a full code signature validation of all resources (which can’t possibly be happening on every app launch, since it would never be performant enough). But how exactly, I don’t know…

LikeLiked by 1 person
- 2
  
  hoakley on March 13, 2023 at 5:12 pm
  
  Thank you – an excellent catch there too. The pieces are starting to fit together.
  Howard
  
  LikeLike
  - 3
    
    Randy Saldinger on March 13, 2023 at 5:29 pm
    
    By the way, I’m not seeing the com.apple.provenance xattr as protected on macOS 13.2.1 (22D68). I can delete it readily with “xattr -d” — the command succeeds and ls -l@ shows it as gone. It doesn’t seem to come back, even after a reboot (as com.apple.macl wants to do?). I absolutely have SIP enabled, so that’s a bit baffling.
    
    LikeLiked by 2 people
    - 4
      
      hoakley on March 13, 2023 at 6:07 pm
      
      Thank you. I haven’t tried every instance of the xattr, but those that I tried to delete wouldn’t, and it has been complained about by other users. I’ll try taking a look to see when SIP is being applied, and when it isn’t.
      I think what you’re seeing with com.apple.macl is that the initial delete worked for a second or two, but the xattr is rapidly restored and SIP reapplied. It looks weird in xattred: you can cut the macl xattr, but it bounces back every time, unless the file has been transited through another volume, when it loses SIP of course.
      Howard.
      
      LikeLike
5

dominikushoffmann on March 13, 2023 at 7:58 pm

I found that I was able to use xattr -d com.apple.quarantine on a Mac mini (Intel) running Ventura to stop the OS from asking me about whether I wanted to really open the app every single time I launched it. Was that, because it was a Mac without a T1 or T2 chip?

LikeLiked by 1 person
- 6
  
  hoakley on March 13, 2023 at 10:24 pm
  
  No. The com.apple.quarantine flag has never been protected. Indeed, some very respectable (cough, cough) software strips it. However, what should happen is that, once that app has been run first time, the flag should be set as being cleared, but not removed from the app. I’m not sure why yours isn’t – that’s the abnormal behaviour here.
  Howard.
  
  LikeLike
7

Jeff on March 13, 2023 at 9:54 pm

I saw this attribute after I created a signed installer package. I haven’t seen any developer documentation for it so I was wondering what it was for as well. Thank you for peeling off the first layer of the mystery.

LikeLiked by 1 person
- 8
  
  hoakley on March 13, 2023 at 10:24 pm
  
  Thank you.
  Howard.
  
  LikeLike
9

Pico on March 13, 2023 at 9:59 pm

Very interesting find, thanks for sharing this info!

One small but important distinction though is that it appears “com.apple.macl” and “com.apple.provenance” are protected by TCC rather than SIP.

Things that are protected by SIP cannot be altered even by processes that have been granted Full Disk Access TCC permissions, but these extended attributes can be deleted by processed that have been granted FDA.

While I believe technically TCC is part of the whole SIP umbrella, things directly protected by SIP are much more locked down by the system vs TCC protected things that just need explicit user permissions.

LikeLiked by 1 person
- 10
  
  hoakley on March 13, 2023 at 10:33 pm
  
  Thank you, Pico. You’ve just opened another can of worms!
  When com.apple.macl was first discovered by Jeff Johnson back in Catalina, he discovered it was protected by SIP, and all my prior experience with it is that it has been since then. I normally give my app xattred FDA, but it can’t strip macl xattrs until they’ve been passed through another volume to disable the SIP. And my Mac Studio running 13.2.1 behaves like that too.
  However, I’ve now noticed that my iMac Pro, also running 13.2.1, can strip macl xattrs with only FDA enabled. I cannot explain the difference, but the Studio definitely has given xattred FDA.
  I’m not so convinced now that the provenance xattr is currently protected by either TCC or SIP. However, I have some apps that gained it earlier in Ventura, and the xattr is still sticky on them. I also have a couple of apps where, instead of just attaching to the .app folder, every single file in the bundle has got a provenance xattr attached.
  So I suspect that its behaviour has changed since the first beta of Ventura, and may continue to change.
  The good thing is that I have now tracked this behaviour down in the log, so it’s going to be much easier to keep track of its behaviour, so long as the log entries continue.
  Howard.
  
  LikeLike
  - 11
    
    Pico on March 13, 2023 at 10:47 pm
    
    There may be more pieces to the puzzle, but it looks like maybe what is protecting the extended attributes on apps in Ventura is the new “App Management” TCC permission. I only did one quick test with only granting Terminal “App Management” instead of FDA but was then able to remove all xattrs using “xattr -c” including “com.apple.macl” and “com.apple.provenance” on a newly downloaded app that had been opened once.
    
    So, some kinds of TCC protection seems at play here, but it could either have to do with general app protections, or maybes with the specific xattrs but it’s hard to say without more investigation and also knowing exactly what these TCC permissions are programmed to allow.
    
    LikeLiked by 1 person
    - 12
      
      hoakley on March 13, 2023 at 11:33 pm
      
      I’ll have to look in the log, I think.
      Howard.
      
      LikeLike
    - 13
      
      Pico on March 13, 2023 at 11:34 pm
      
      Looking forward to hearing about anything you find!
      
      LikeLiked by 1 person
14

Michael Tsai - Blog - Ventura Adds com.apple.provenance on March 16, 2023 at 7:38 pm

[…] Howard Oakley (Hacker News): […]

LikeLike
15

fitzlcsaba on March 20, 2023 at 11:07 am

It seems that this xattr is only used for some tracking purposes. The only two binaries that reference it are the Quarantine.kext (qtn_track_vnode_if_needed) and syspolicyd, which makes sense considering that it seems to be related to the quarantine xattr. In syspolicyd it’s part of its ExecManager functionality and not GK. It doesn’t seem to play any role in GK checks related to app modifications.

LikeLiked by 1 person
- 16
  
  hoakley on March 20, 2023 at 11:10 am
  
  Thank you. That’s very useful, but suggests this is work in progress, and far from complete.
  Howard
  
  LikeLiked by 1 person
17

Tye McQueen on March 28, 2023 at 10:25 pm

I installed iTerm2 and noticed that provenance being added to every directory I create from it and not being able to remove even after I gave iTerm2 FDA. But if I launch Terminal (which I had given FDA), I can delete the attribute.

So it seem iTerm2 has been removed from quarantine but Apple wants to track everything that gets created using it. That is going to be a lot of noise in my filesystem.

LikeLiked by 1 person
- 18
  
  hoakley on March 29, 2023 at 7:31 am
  
  That’s a very interesting observation, thank you. It still isn’t clear what this tracking does, or how it works. I wonder if it has changed in 13.3?
  Howard.
  
  LikeLike
19

angelikamkeller on April 7, 2023 at 9:42 am

i have trouble in ventura since some days with simple files like png, jpgs or pdfs donwloaded from web or draged from mail or safari app to the desktop.
they get all the qurantine attribute and the mac doesn’t allow to open this files and says, i should delete them. i have to correct this via terminal for each file to get them opened.
i can’t find any reason about this and no solution to get this strange behaviour corrected.
i tried a new user, safe mode, changing network … nothing helped.
i updated from last to newest version of ventura. no changes.
i didn’t want to restore the complete mac before understanding the problem, but i’m far away from this.

LikeLiked by 1 person
- 20
  
  hoakley on April 7, 2023 at 3:19 pm
  
  I’m sorry to hear that.
  Does this happen to all downloaded files, or is there a pattern to it? Is there anything unusual about your Mac’s setup? Which model is it? Do you have any kernel extensions installed, or any user customisations?
  Howard.
  
  LikeLiked by 1 person
  - 21
    
    angelikamkeller on April 7, 2023 at 4:17 pm
    
    its strange.
    its a m1 macbook air, with some apps – not an exotic setup. i have a second m1 air and an intel macbook in the same network without any issues.
    the problem occured with end of march without any special action before.
    with all downloaded files: jpg, zip, png, docx, pages, …
    i posted in a german forum mactechnews and event there nobody has a solution yet.
    theres a design collection from adobe and the setapp-tool installed. but as i said, the other two with the same had no problems.
    i wish to understand the problem before i would completely erase the mac … so i made researches and various checks now, nothing helped yet.
    
    LikeLiked by 2 people
    - 22
      
      hoakley on April 7, 2023 at 7:56 pm
      
      One problem that does occur sometimes is when a document is recorded by macOS as being edited by one app, and you then try to edit it using a different app. This can also involve changes to default editors: for example, if you normally double-click on a JPEG image, Preview will open it. If you change that to a different app, that can cause confusion with LaunchServices databases and security, and that can result in the effects you describe. But that shouldn’t affect more than one type of document, and certainly not all downloads.
      I’m concerned that if you do wipe and reinstall your Mac, you could end up with it doing the same thing, after all your work.
      Have you contacted Apple Support?
      Howard.
      
      LikeLiked by 1 person
23

angelikamkeller on April 7, 2023 at 8:39 pm

thanks for your interest howard,
and sorry that i couldn’t reply to your latest post in the thread (the button won’t appear), so i made a new post.

the update 13.3.1 from today was also no solution.

i could test a full install. (no other possible workaround till now.)
other people also say, perhaps the problem will still exist even after a new installation … that wouldn’t be nice.

no, i didn’t contact official support yet, perhaps i should do.

LikeLiked by 1 person
- 24
  
  angelikamkeller on May 2, 2023 at 3:31 pm
  
  i would now like to report the latest status:
  
  a pure reinstallation of the system as recommended by the apple-hotline did not help.
  the problem persisted.
  
  i then completely flattened the mac and used the holiday to manually rebuild it.
  no timemachine rollback or anything like that.
  all programs reinstalled and data copied.
  since then it’s working again.
  
  unfortunately, i don’t know what caused it.
  and hopefully it doesn’t happen out of the blue again.
  
  LikeLiked by 1 person
  - 25
    
    hoakley on May 2, 2023 at 4:52 pm
    
    Thank you. I’m delighted for you – let’s hope it remains that way now.
    Howard.
    
    LikeLike
26

Dan on April 19, 2023 at 10:02 am

Thanks for sharing your knowledge about the topic.

LikeLiked by 1 person
- 27
  
  hoakley on April 19, 2023 at 12:04 pm
  
  Thank you. I aim to revisit this more thoroughly in the next week or two.
  Howard.
  
  LikeLike