Add sandbox patch to remove SIP 0x2 requirement

plooshi · Dec 5, 2024 · 429d2de · 429d2de
1 parent 4a9e3ab
commit 429d2de
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -1,4 +1,3 @@
 # RealRoot
 ### Kext using Lilu to allow using the underlying FS of the root snapshot in macOS Big Sur and up.
-#### SIP 0x2 is needed to be able to access all files
 > SIP flag 0x800 replacement (allows easy snapshot reverting by removing the kext, and fixes FileVault), x64 only (for arm64, use the plooshfinder-based static patcher)
diff --git a/RealRoot.xcodeproj/project.pbxproj b/RealRoot.xcodeproj/project.pbxproj
@@ -3,7 +3,7 @@
 	archiveVersion = 1;
 	classes = {
 	};
-	objectVersion = 46;
+	objectVersion = 54;
 	objects = {
 
 /* Begin PBXBuildFile section */
@@ -176,15 +176,15 @@
 			isa = PBXProject;
 			attributes = {
 				LastUpgradeCheck = 1200;
-				ORGANIZATIONNAME = vit9696;
+				ORGANIZATIONNAME = Ploosh;
 				TargetAttributes = {
 					1C748C261C21952C0024EED2 = {
 						CreatedOnToolsVersion = 7.2;
 					};
 				};
 			};
 			buildConfigurationList = 1C748C211C21952C0024EED2 /* Build configuration list for PBXProject "RealRoot" */;
-			compatibilityVersion = "Xcode 3.2";
+			compatibilityVersion = "Xcode 12.0";
 			developmentRegion = English;
 			hasScannedForEncodings = 0;
 			knownRegions = (
@@ -223,8 +223,8 @@
 			outputPaths = (
 			);
 			runOnlyForDeploymentPostprocessing = 0;
-			shellPath = /bin/sh;
-			shellScript = "cd \"${TARGET_BUILD_DIR}\"\n\ndist=(\"$FULL_PRODUCT_NAME\")\nif [ -d \"$DWARF_DSYM_FILE_NAME\" ]; then dist+=(\"$DWARF_DSYM_FILE_NAME\"); fi\n\narchive=\"${PRODUCT_NAME}-${MODULE_VERSION}-$(echo $CONFIGURATION | tr /a-z/ /A-Z/).zip\"\nrm -rf *.zip\nif [ \"$CONFIGURATION\" == \"Release\" ]; then\n  strip -x -T \"${EXECUTABLE_PATH}\" &>/dev/null || strip -x \"${EXECUTABLE_PATH}\"\nfi\nzip -qry -FS \"${archive}\" \"${dist[@]}\"\n";
+			shellPath = /bin/bash;
+			shellScript = "cd \"${TARGET_BUILD_DIR}\"\n\ndist=(\"$FULL_PRODUCT_NAME\")\n\narchive=\"${PRODUCT_NAME}-${MODULE_VERSION}-$(echo $CONFIGURATION | tr /a-z/ /A-Z/).zip\"\nrm -rf *.zip\nif [ \"$CONFIGURATION\" == \"Release\" ]; then\n  strip -x -T \"${EXECUTABLE_PATH}\" &>/dev/null || strip -x \"${EXECUTABLE_PATH}\"\nfi\nzip -qry -FS \"${archive}\" \"${dist[@]}\"\n";
 		};
 /* End PBXShellScriptBuildPhase section */
 
@@ -362,7 +362,7 @@
 				MODULE_NAME = dev.ploosh.RealRoot;
 				MODULE_START = "$(PRODUCT_NAME)_kern_start";
 				MODULE_STOP = "$(PRODUCT_NAME)_kern_stop";
-				MODULE_VERSION = 1.0.4;
+				MODULE_VERSION = 1.0.5;
 				OTHER_CFLAGS = (
 					"-mmmx",
 					"-msse",
@@ -411,7 +411,7 @@
 				MODULE_NAME = dev.ploosh.RealRoot;
 				MODULE_START = "$(PRODUCT_NAME)_kern_start";
 				MODULE_STOP = "$(PRODUCT_NAME)_kern_stop";
-				MODULE_VERSION = 1.0.4;
+				MODULE_VERSION = 1.0.5;
 				OTHER_CFLAGS = (
 					"-mmmx",
 					"-msse",

diff --git a/RealRoot/kern_realroot.cpp b/RealRoot/kern_realroot.cpp
@@ -43,6 +43,11 @@ static const char *kextAPFSPath[] { "/System/Library/Extensions/apfs.kext/Conten
 
 static KernelPatcher::KextInfo kextAPFS { "com.apple.filesystems.apfs", kextAPFSPath, 1, {true, true}, {}, KernelPatcher::KextInfo::Unloaded };
 
+
+static const char *kextSandboxPath[] { "/System/Library/Extensions/Sandbox.kext/Contents/MacOS/Sandbox" };
+
+static KernelPatcher::KextInfo kextSandbox { "com.apple.security.sandbox", kextSandboxPath, 1, {true, true}, {}, KernelPatcher::KextInfo::Unloaded };
+
 uint64_t selectSnapshotPatch(void *_Arg1, void *_Arg2, void **Arg3) {
 	*Arg3 = nullptr;
 	return 0;
@@ -134,6 +139,15 @@ void PatchAPFS(void *_user, KernelPatcher &patcher, size_t index, mach_vm_addres
 	}
 }
 
+void PatchSandbox(void *_user, KernelPatcher &patcher, size_t index, mach_vm_address_t address, size_t size) {
+	if (kextSandbox.loadIndex == index) {
+		auto apply_rootless_modifier = patcher.solveSymbol(index, "_apply_rootless_modifier");
+		if (!KernelPatcher::findAndReplaceWithMask((void *) apply_rootless_modifier, 32768, RootlessOrig, arrsize(RootlessOrig), RootlessMask, arrsize(RootlessMask), RootlessReplace, arrsize(RootlessReplace), RootlessReplaceMask, arrsize(RootlessReplaceMask))) {
+			panic("Failed to patch apply_rootless_modifier!");
+		}
+	}
+}
+
 mach_vm_address_t getKernelBase() {
 #ifdef LILU_COMPRESSION_SUPPORT
 	static constexpr const char *prelinkKernelPaths[7] {
@@ -193,4 +207,5 @@ void PatchKernel(void *_user, KernelPatcher &patcher) {
 void InitRealRoot() {
 	lilu.onPatcherLoadForce(PatchKernel);
 	lilu.onKextLoadForce(&kextAPFS, 1, PatchAPFS);
+	if (getKernelVersion() >= KernelVersion::Ventura) lilu.onKextLoadForce(&kextSandbox, 1, PatchSandbox);
 }
diff --git a/RealRoot/kern_realroot.hpp b/RealRoot/kern_realroot.hpp
@@ -233,5 +233,33 @@ const uint8_t SnapshotReplaceMaskBigSur[] = {
     0xff, 0x00
 };
 
+const uint8_t RootlessOrig[] = {
+    0xbf, 0x02, 0x00, 0x00, 0x00, // mov edi, 0x2
+    0xe8, 0x00, 0x00, 0x00, 0x00, // call _csr_check
+    0x85, 0xc0, // test eax, eax
+    0x75, 0x00 // jne
+};
+
+const uint8_t RootlessMask[] = {
+    0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0x00, 0x00, 0x00, 0x00,
+    0xff, 0xff,
+    0xff, 0x00
+};
+
+const uint8_t RootlessReplace[] = {
+    0xbf, 0x02, 0x00, 0x00, 0x00, // mov edi, 0x2
+    0xe8, 0x00, 0x00, 0x00, 0x00, // call _csr_check
+    0x85, 0xc0, // test eax, eax
+    0x90, 0x90 // nop
+};
+
+const uint8_t RootlessReplaceMask[] = {
+    0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0x00, 0x00, 0x00, 0x00,
+    0xff, 0xff,
+    0xff, 0xff
+};
+
 
 #endif /* kern_realroot_hpp */