Understanding output of xattr -p com.apple.quarantine

给你一囗甜甜゛ submitted on 2020-02-20 10:54:39

Question


The other day I was messing with some files that had the extended attribute com.apple.quarantine on them. I am aware of its purpose, but I have always been curious what the properties below meant when you output its values.

E.g. when I typed in

xattr -p com.apple.quarantine xmlrpc.php

for a file that has the said xattr, I get output like this:

0083;59b926ad;Safari.app;55847AA4-5562-42A2-89A7-8FAD394B455C

What do the first 4 digits (i.e. 0083) represent? Google hasn't brought up anything good, and there are a few guides I found from users also trying to figure out what these numbers precisely represent.


Answer 1:


As you're probably already aware, the quarantine flags are set when an agent (browser, mail client, etc.) saves a file to your machine. This is responsible for the warning that appears when you first try to open an application that was downloaded from the internet.

All this information is stored and there's a complete history for every user.

The first 4 digits are a set of flags that I expect are defined in quarantine.h, which appears to be a private header included in copyfile.c, within Apple's open source code.

These flags represent states, such as whether the file is quarantined or not.

On closer analysis, the kernel extension quarantine.kext is responsible for handling this and upon disassembly, we can see the function quarantine_get_flags.

Here's just a snippet of the disassembled kext

Note the formatting of the xattr output's first 4 flags with _sscanf(rbx, "%04x;") == 0x1)

This calls quarantine_get_info.

We can see here that the flags denote various states of the file on the system, with vfs being the Virtual File System and vnode being the basic representation structure of a file.

As for the rest of the xattr output, each user has a local sqlite3 database that keeps a record of every item downloaded. Its location is

~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

The database has just one table LSQuarantineEvent. You can read all the data by using the sqlite3 command in the terminal

sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "select * from LSQuarantineEvent;" 

If you filter the results (grep or alternative) you'll be able to match up the GUID that makes up the latter part of the xattr output and you'll see all the information about that particular download, including which agent was responsible for downloading the file and even the URL from where it was retrieved.
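The following is an added example, not part of the original question or answer, showing how the four `;`-separated fields of the attribute value above can be parsed and then matched against the `LSQuarantineEvent` table the answer describes. It decodes the second field as a hexadecimal Unix timestamp, reports the set bit positions of the first field without naming them (the names live in Apple's private quarantine.h, which the page does not reproduce), and looks the GUID up in a constructed in-memory SQLite table. The table uses a small subset of the real column names; the row contents and the URL are constructed placeholders, and to run it against a real machine you would open the database path from the answer instead of `:memory:`.

```python
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class QuarantineAttr:
    flags: int       # first field: hex bit flags (defined in Apple's private quarantine.h)
    timestamp: int   # second field: hex seconds since the Unix epoch (download time)
    agent: str       # third field: name of the agent that saved the file
    event_id: str    # fourth field: GUID keying the LSQuarantineEvent row


def parse_quarantine(value: str) -> QuarantineAttr:
    """Split 'flags;timestamp;agent;guid' into typed fields.

    Extra trailing ';'-separated fields, if present, are ignored so the
    parser tolerates variations beyond the four fields shown on the page.
    """
    parts = value.strip().split(";")
    if len(parts) < 4:
        raise ValueError(f"unexpected quarantine format: {value!r}")
    flags_hex, ts_hex, agent, event_id = parts[:4]
    return QuarantineAttr(
        flags=int(flags_hex, 16),
        timestamp=int(ts_hex, 16),
        agent=agent,
        event_id=event_id.upper(),
    )


def flag_bits(flags: int) -> list[int]:
    """Return the set bit positions of the 16-bit flags word (names not assumed)."""
    return [bit for bit in range(16) if flags & (1 << bit)]


def download_time(attr: QuarantineAttr) -> str:
    """Render the timestamp field as an ISO-8601 UTC string."""
    return datetime.fromtimestamp(attr.timestamp, tz=timezone.utc).isoformat()


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the user's QuarantineEventsV2 database.

    Only a subset of the real table's columns is modelled; the row and URL
    below are constructed placeholders, not data from any real system.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE LSQuarantineEvent (
               LSQuarantineEventIdentifier TEXT PRIMARY KEY,
               LSQuarantineAgentName       TEXT,
               LSQuarantineDataURLString   TEXT)"""
    )
    conn.execute(
        "INSERT INTO LSQuarantineEvent VALUES (?, ?, ?)",
        (
            "55847AA4-5562-42A2-89A7-8FAD394B455C",
            "Safari",
            "https://example.invalid/placeholder/xmlrpc.php",  # constructed placeholder URL
        ),
    )
    conn.commit()
    return conn


def lookup_event(conn: sqlite3.Connection, attr: QuarantineAttr):
    """Join the xattr GUID to its LSQuarantineEvent row; None if no record exists."""
    row = conn.execute(
        "SELECT LSQuarantineAgentName, LSQuarantineDataURLString "
        "FROM LSQuarantineEvent WHERE LSQuarantineEventIdentifier = ?",
        (attr.event_id,),
    ).fetchone()
    if row is None:
        return None
    return {"agent": row[0], "url": row[1]}


if __name__ == "__main__":
    # The value from the question, used as sample input.
    attr = parse_quarantine("0083;59b926ad;Safari.app;55847AA4-5562-42A2-89A7-8FAD394B455C")
    print("flags 0x%04x -> bits set: %s" % (attr.flags, flag_bits(attr.flags)))
    print("downloaded at:", download_time(attr), "by", attr.agent)
    conn = build_sample_db()
    print("event record:", lookup_event(conn, attr))
```

A GUID that has no matching row (for example after the user has cleared the quarantine history) returns `None`, so a forensic script should treat the xattr and the database as two independent sources rather than assuming one always explains the other.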



Source: https://stackoverflow.com/questions/46198557/understanding-output-of-xattr-p-com-apple-quarantine
