
v5.0.6-d6a765c


@github-actions github-actions released this 12 Apr 21:51

Security

Fixes GHSA-5r9w-9fg6-266q (High — CVSS 4.0: 8.2)

A root process could suspend opfilter with SIGSTOP or kill it with SIGKILL/SIGTERM. While opfilter was suspended, every Endpoint Security AUTH event it had subscribed to timed out and fell through to the default of allow, silently disabling file-access policy enforcement for as long as the suspension lasted.

Tamper resistance for the opfilter process

opfilter now subscribes to the Endpoint Security auth events for signal delivery (ES_EVENT_TYPE_AUTH_SIGNAL) and process suspension (ES_EVENT_TYPE_AUTH_PROC_SUSPEND_RESUME) and inspects every one that targets its own process. Unauthorised attempts of either kind are denied before the kernel acts on them:

  • Signals sent by any process other than opfilter itself or its launchd parent are blocked
  • Process suspension (PROC_SUSPEND) from any unauthorised source is blocked
  • Allowed sources (launchd and the opfilter process itself) are verified by code-signing identity, not by PID alone: launchd must be com.apple.xpc.launchd running as a platform binary, and a self-signal must carry the clearancekit team ID and signing identifier. A source that presents the right PID but the wrong signature is treated as a spoofed process and denied

Note: ES_EVENT_TYPE_AUTH_SIGNAL intercepts signals in the kernel before delivery, so SIGKILL is blocked in the same way as any other signal. Kernel-initiated teardown (jetsam, System Extension uninstall) is not routed through ES AUTH_SIGNAL and is unaffected.
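The check described above, written out as an added example that is not opfilter's own code. The policy decision is portable C so it can be unit-tested anywhere; the Endpoint Security wiring compiles only on macOS. The signing identifier com.example.opfilter, the team ID ABCDE12345 and the sample PIDs are hypothetical, since the page does not give the real values. Only the SUSPEND variant of the suspend/resume event is policed, which is a choice made here, not one the release notes state.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The instigating process, filled in from es_message_t.process by the handler below. */
typedef struct {
    pid_t pid;
    const char *signing_id;   /* es_process_t.signing_id, "" if unsigned */
    const char *team_id;      /* es_process_t.team_id, "" for Apple or unsigned code */
    bool is_platform_binary;  /* es_process_t.is_platform_binary */
} tamper_source_t;

/* The protected process and the only two sources allowed to signal or suspend it. */
typedef struct {
    pid_t self_pid;
    pid_t launchd_pid;            /* getppid() of a launchd-spawned daemon */
    const char *self_signing_id;  /* hypothetical value: the real one is not on the page */
    const char *self_team_id;     /* hypothetical value */
} tamper_policy_t;

typedef enum {
    TAMPER_ALLOW,
    TAMPER_DENY_FOREIGN,  /* any other process, e.g. root running kill -STOP */
    TAMPER_DENY_SPOOFED   /* a trusted PID presenting the wrong code signature */
} tamper_verdict_t;

static bool streq(const char *a, const char *b) { return a && b && strcmp(a, b) == 0; }

/* The PID only selects which identity to check; the code signature decides. */
tamper_verdict_t tamper_check(const tamper_policy_t *p, const tamper_source_t *src)
{
    if (src->pid == p->self_pid)
        return streq(src->signing_id, p->self_signing_id) && streq(src->team_id, p->self_team_id)
               ? TAMPER_ALLOW : TAMPER_DENY_SPOOFED;
    if (src->pid == p->launchd_pid)
        return src->is_platform_binary && streq(src->signing_id, "com.apple.xpc.launchd")
               ? TAMPER_ALLOW : TAMPER_DENY_SPOOFED;
    return TAMPER_DENY_FOREIGN;
}

#ifdef __APPLE__
#include <EndpointSecurity/EndpointSecurity.h>
#include <bsm/libbsm.h>

static const char *tok(es_string_token_t t) { return t.length ? t.data : ""; }

/* AUTH handler: events not aimed at us are allowed; the rest go through tamper_check. */
static void handle(es_client_t *c, const es_message_t *m, const tamper_policy_t *p)
{
    const es_process_t *target = NULL;
    if (m->event_type == ES_EVENT_TYPE_AUTH_SIGNAL)
        target = m->event.signal.target;
    else if (m->event_type == ES_EVENT_TYPE_AUTH_PROC_SUSPEND_RESUME &&
             m->event.proc_suspend_resume.type == ES_PROC_SUSPEND_RESUME_TYPE_SUSPEND)
        target = m->event.proc_suspend_resume.target;  /* only suspension is policed here */
    if (target == NULL || audit_token_to_pid(target->audit_token) != p->self_pid) {
        es_respond_auth_result(c, m, ES_AUTH_RESULT_ALLOW, false);
        return;
    }
    tamper_source_t src = {
        .pid = audit_token_to_pid(m->process->audit_token),
        .signing_id = tok(m->process->signing_id),
        .team_id = tok(m->process->team_id),
        .is_platform_binary = m->process->is_platform_binary,
    };
    bool allow = tamper_check(p, &src) == TAMPER_ALLOW;
    if (!allow)  /* a real daemon would forward the denied attempt to its GUI from here */
        fprintf(stderr, "tamper attempt denied: pid %d (%s)\n", (int)src.pid, src.signing_id);
    es_respond_auth_result(c, m, allow ? ES_AUTH_RESULT_ALLOW : ES_AUTH_RESULT_DENY, false);
}

int main(void)
{
    static tamper_policy_t policy;  /* static: the handler block refers to it by address */
    policy.self_pid = getpid();
    policy.launchd_pid = getppid();
    policy.self_signing_id = "com.example.opfilter";  /* hypothetical */
    policy.self_team_id = "ABCDE12345";               /* hypothetical */
    es_client_t *client = NULL;  /* needs the endpoint-security.client entitlement */
    if (es_new_client(&client, ^(es_client_t *c, const es_message_t *m) {
            handle(c, m, &policy);
        }) != ES_NEW_CLIENT_RESULT_SUCCESS)
        return 1;
    es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_SIGNAL, ES_EVENT_TYPE_AUTH_PROC_SUSPEND_RESUME };
    if (es_subscribe(client, events, 2) != ES_RETURN_SUCCESS)
        return 1;
    pause();  /* keep servicing events until the extension is torn down */
    return 0;
}
#else
int main(void)  /* off macOS only the policy runs; exercise it on a constructed source */
{
    tamper_policy_t p = { 4242, 1, "com.example.opfilter", "ABCDE12345" };  /* hypothetical */
    tamper_source_t root_kill = { 777, "com.apple.kill", "", true };
    printf("root kill -STOP -> verdict %d\n", tamper_check(&p, &root_kill));
    return 0;
}
#endif
```

On macOS this builds with `clang -fblocks tamper.c -lEndpointSecurity -lbsm`, but the binary only receives events once it is signed with the com.apple.developer.endpoint-security.client entitlement and granted Full Disk Access. Two details matter in practice: every AUTH message must be answered with es_respond_auth_result before its deadline, which is why the handler allows anything not aimed at the protected PID without further work, and the allow path is keyed on the signature rather than the PID so that a process that merely occupies a trusted PID is still denied.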

Monitor

Tamper Events view

Denied tamper attempts are now streamed to the GUI over XPC and displayed in a new Tamper Events section in the Monitor sidebar. Each entry shows the source process (signing ID, team ID, PID and version) and the type of attempt (signal or process suspension). Historic events are fetched on view load, consistent with the existing Events view.

Full Changelog: v5.0.5-beta-caaf673...v5.0.6-d6a765c