Whitelisting of Kext's #24

Closed
egandro opened this issue Feb 8, 2019 · 6 comments
Labels
enhancement New feature or request fixed Issue has been fixed in master

@egandro
Contributor

egandro commented Feb 8, 2019

Hello,

can we make a nice --whitelist-known-kext flag?

I'd like to whitelist all "well-known" kexts, e.g. vbox, virtualbox, docker, ..., in the way you use for vmware.

This will reduce the number of clicks we have to do in postsetup.

(I will create a patch request within a few days).

@bacongravy
Owner

Sure, @egandro, I'd be happy to consider a PR that adds such a feature, though it does seem like it may contradict the macinbox design philosophy:

[T]his tool is also intended to do the least amount of configuration possible. Nothing is done that could instead be deferred to a provisioning step in a Vagrantfile or packer template.

I think I'm willing to make an exception here, since macinbox already knows how to update the kext whitelist, and there's a clear benefit to getting the kext whitelisted before the first boot.

On the other hand, I wonder if it would be better to make this mechanism more generic; basically, a way for the user to specify a custom script that is run after the macOS installer finishes, and is provided with the path to the newly-installed OS so that it can make any modifications it wants.

@bacongravy bacongravy added the enhancement New feature or request label Feb 8, 2019
@bacongravy
Owner

@egandro please take a look at the --user-script feature I added in PR #27 and let me know if that would address your request.

@egandro
Contributor Author

egandro commented Feb 10, 2019

I think yes - if we provide some cool examples.

@bacongravy
Owner

The user script you want would look something like:

#!/bin/bash

# "$1" is the path to the newly-installed OS that macinbox passes to the user script.
cat << EOF | /usr/bin/sqlite3 "${1}/private/var/db/SystemPolicyConfiguration/KextPolicy"

PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
INSERT INTO kext_policy VALUES('xxxxxxxxxx','com.xxx.yyy.zzz',1,'Example, Inc.',1);
COMMIT;

EOF

To determine what values you need to insert into the KextPolicy database, first install the kexts on a running system and permit them to be loaded, and then run this command:

echo ".dump kext_policy" | sqlite3 /private/var/db/SystemPolicyConfiguration/KextPolicy
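
The following is an added example, not part of the comment above or of the macinbox project: a filter that turns the `.dump kext_policy` output into SQL for a user script while keeping only rows you have reviewed and approved, so the image does not inherit every kext approval from the reference machine. The `TEAMID:bundle.id` allow-list format, the function names, and all sample ids, names and the column layout are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the macinbox project). Reads `.dump kext_policy`
# output on stdin and prints SQL containing only the approved rows.
# Arguments: approved entries as TEAMID:bundle.id (hypothetical format).
filter_kext_policy() {
  approved=" $* "
  q="'"
  # Exact shape of one row: two quoted ids, 0/1, quoted name, integer.
  shape="^INSERT INTO \"?kext_policy\"? VALUES\\(${q}[A-Z0-9]+${q},${q}[A-Za-z0-9._-]+${q},[01],${q}([^${q}]|${q}${q})*${q},[0-9]+\\);\$"
  echo 'PRAGMA foreign_keys=OFF;'
  echo 'BEGIN TRANSACTION;'
  # Anything that is not a single well-formed INSERT (CREATE TABLE, rows with
  # trailing statements) is dropped before the allow-list is consulted.
  grep -E "$shape" | while IFS= read -r row; do
    key=$(printf '%s\n' "$row" |
      sed -E "s/^[^(]*\\(${q}([^${q}]+)${q},${q}([^${q}]+)${q},.*/\\1:\\2/")
    case "$approved" in
      *" $key "*) printf '%s\n' "$row" ;;
    esac
  done
  echo 'COMMIT;'
}

# Constructed sample dump; ids, names and column layout are placeholders.
sample_dump() {
  cat <<'EOF'
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE kext_policy (team_id TEXT, bundle_id TEXT, allowed BOOLEAN, developer_name TEXT, flags INTEGER);
INSERT INTO kext_policy VALUES('AAAAAAAAAA','com.example.vm.net',1,'Example, Inc.',1);
INSERT INTO kext_policy VALUES('AAAAAAAAAA','com.example.vm.usb',1,'Example, Inc.',1);
INSERT INTO kext_policy VALUES('BBBBBBBBBB','org.sample.fs',1,'Sample O''Brien LLC',4);
INSERT INTO kext_policy VALUES('AAAAAAAAAA','com.example.vm.net',1,'x',1); DELETE FROM kext_policy;
COMMIT;
EOF
}

# In a macinbox user script ("$1" is the installed OS path) the output would
# be piped to: /usr/bin/sqlite3 "$1/private/var/db/SystemPolicyConfiguration/KextPolicy"
sample_dump | filter_kext_policy AAAAAAAAAA:com.example.vm.net BBBBBBBBBB:org.sample.fs
```

Keeping the approved list in version control next to the Vagrantfile or packer template gives a reviewable record of which kernel extensions each box pre-approves.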

@bacongravy
Owner

I've merged the PR to master: bcc8f9f

@bacongravy bacongravy added this to the v3.3.0 milestone Feb 21, 2019
@bacongravy bacongravy added the fixed Issue has been fixed in master label Feb 27, 2019
@bacongravy
Owner

Tagged and released: https://github.com/bacongravy/macinbox/tree/v3.3.0
