MacOS
XNU (an acronym for "X is Not Unix") - a hybrid kernel based on Mach and BSD. Used in OS X. It was developed to replace the obsolete classic Mac OS (Mac OS 9 and older) kernel, which had poor memory protection and cooperative multitasking.
(Mac) OS X - Apple's half-proprietary operating system for Macintosh computers, which can, in fact, run on any modern x86_64 computer.
iOS - the mobile version of OS X.
Darwin - the core open source components of OS X and iOS.
Features
XNU inherits some BSD features:
- POSIX system calls
- some BSD extensions
- Mandatory Access Control (MAC)
But it is wrong to classify XNU as a BSD flavor like FreeBSD. XNU and OS X introduce a lot of specific features, including:
- its own sandboxing system
- its own file system hierarchy (with FHS preserved)
- Apple Events and FSEvents
- OpenDirectory - authentication system
- SystemConfiguration - modular configuration mechanism
- Apple System Log (ASL)
- AppleScript
- notifyd and distnoted - notification (IPC) mechanisms
- launchd - initialization system, network manager and other things all-in-one
- Mach APIs
- IOKit framework - allows interfacing with kernel mode drivers for user space programs
- and more...
OS X is a certified UNIX system.
Security
Code signing
OS X and iOS support code signing. In OS X it can be disabled, but in iOS it is a heavy protection mechanism that allows only reviewed apps to run. However, Apple sells developer and enterprise certificates, which can be used to distribute malware; a user only needs to install a profile. There was also a vulnerability that allowed outdated profiles to be installed by resetting the date. Apple can easily block certificates.
Entitlements
An entitlement is simply a permission written for the binary. Even with root access it is not possible to override entitlements. For example, running a program that uses the task_for_pid Mach call as root without the required entitlements will result in an error. Entitlements are, of course, signed.
Sandboxing
This feature is present in both OS X and iOS, but in iOS it is much stricter. In fact, it is a jail that places each application inside its own environment, from which it can only access its own root. More about the app sandbox: [[1]].
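As an added example (not part of the original page), the following Python sketch audits a binary's entitlements, as discussed in the Entitlements and Sandboxing sections, by parsing the XML plist that `codesign -d --entitlements` can dump from a signature. The entitlement key names and the sample plist are assumptions of this example and do not come from the page.

```python
import plistlib

# Entitlement keys used by this example (assumed here, not listed on the page).
SANDBOX_KEY = "com.apple.security.app-sandbox"
TASK_PORT_KEYS = {
    "com.apple.security.cs.debugger": "may obtain task ports of other processes",
    "task_for_pid-allow": "may call task_for_pid (private entitlement)",
    "com.apple.security.get-task-allow": "other processes may obtain its task port",
}

# Constructed sample: entitlements plist of a hypothetical debugging tool.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <false/>
    <key>com.apple.security.cs.debugger</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
    <key>task_for_pid-allow</key>
    <false/>
</dict>
</plist>
"""

def audit_entitlements(plist_bytes):
    """Return sandbox status and the task-port entitlements a plist grants."""
    if not plist_bytes.strip():
        ents = {}  # signed without entitlements: nothing is granted
    else:
        ents = plistlib.loads(plist_bytes)
        if not isinstance(ents, dict):
            raise ValueError("entitlements plist root must be a dictionary")
    # Only a boolean true grants an entitlement; a key set to false does not.
    granted = sorted(k for k in TASK_PORT_KEYS if ents.get(k) is True)
    return {"sandboxed": ents.get(SANDBOX_KEY) is True, "task_port": granted}

if __name__ == "__main__":
    report = audit_entitlements(SAMPLE_ENTITLEMENTS)
    print("sandboxed:", report["sandboxed"])
    for key in report["task_port"]:
        print(f"{key}: {TASK_PORT_KEYS[key]}")
```
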
Hybrid Kernel Design
TODO
See Also
- http://opensource.apple.com - here you can obtain sources of all open source components.
- Microkernel
- Hybrid Kernel