Is the FreeBSD kernel "locked down"?

I happened to be talking with a Mac Genius about viruses.

He mentioned that the FreeBSD kernel that the Mac OS is based on is "locked down", so no virus can harm my Mac.

I didn't quite understand what he meant.

Can someone explain?

Answer 1

He doesn't know what he's talking about. I think he is referring to a few things:

  1. The user is logged in as a non-superuser, so user processes cannot simply load modules or otherwise make changes to the kernel. (Of course, any macOS virus would exploit a flaw in the kernel to bypass that, or just use social engineering to get the user to type in their password.)
  2. Mac OS X has better memory protection than the versions before 10.0. Perhaps the "Genius" still remembers the days of Mac OS 9 and earlier? Almost every modern operating system has this now, and it hasn't stopped virus writers.

I think this Mac Genius is probably just misremembering some marketing campaign. Mac OS X can get viruses. Using a Unix-like system certainly has some advantages, and maybe the BSD userland plus the Mach microkernel provides some extra protection, but saying the Mac OS X kernel is somehow immune to viruses is plainly wrong.

Answer 2

He might be referring to FreeBSD's kern.securelevel variable, which seems to exist in OS X 10.8 and presumably has the same meaning. From FreeBSD's man 7 security:

 The security level can be set with a
 sysctl(8) on the kern.securelevel variable.  Once you have set the secu-
 rity level to 1, write access to raw devices will be denied and special
 chflags(1) flags, such as schg, will be enforced.  You must also ensure
 that the schg flag is set on critical startup binaries, directories, and
 script files -- everything that gets run up to the point where the secu-
 rity level is set.  This might be overdoing it, and upgrading the system
 is much more difficult when you operate at a higher security level.  You
 may compromise and run the system at a higher security level but not set
 the schg flag for every system file and directory under the sun.  Another
 possibility is to simply mount / and /usr read-only.  It should be noted
 that being too draconian in what you attempt to protect may prevent the
 all-important detection of an intrusion.

 The kernel runs with five different security levels.  Any super-user
 process can raise the level, but no process can lower it.  The security
 levels are:

 -1    Permanently insecure mode - always run the system in insecure mode.
       This is the default initial value.

 0     Insecure mode - immutable and append-only flags may be turned off.
       All devices may be read or written subject to their permissions.

 1     Secure mode - the system immutable and system append-only flags may
       not be turned off; disks for mounted file systems, /dev/mem and
       /dev/kmem may not be opened for writing; /dev/io (if your platform
       has it) may not be opened at all; kernel modules (see kld(4)) may
       not be loaded or unloaded.

 2     Highly secure mode - same as secure mode, plus disks may not be
       opened for writing (except by mount(2)) whether mounted or not.
       This level precludes tampering with file systems by unmounting
       them, but also inhibits running newfs(8) while the system is multi-
       user.

       In addition, kernel time changes are restricted to less than or
       equal to one second.  Attempts to change the time by more than this
       will log the message ``Time adjustment clamped to +1 second''.

 3     Network secure mode - same as highly secure mode, plus IP packet
       filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
       changed and dummynet(4) or pf(4) configuration cannot be adjusted.

 The security level can be configured with variables documented in
 rc.conf(8).

The immutable and append-only flags can be set on a directory or file with the chflags command. To lower or turn off the kernel security level, you need to boot single-user. Caveat: I don't know whether OS X makes full use of this feature; I only know that it is available.

Caveat 2: OS X is actually based on the Mach kernel. The userland stuff comes from FreeBSD. Still, I see that the kernel defines this variable, so I think it probably means the same thing.
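As an added example (not part of either answer above), here is a small POSIX sh audit of the posture security(7) recommends: check that kern.securelevel is at least 1, and list critical startup files whose chflags column lacks schg. Both inputs are constructed sample strings so the script runs on any system; on a FreeBSD host you would substitute the real output of `sysctl -n kern.securelevel` and `ls -lo <file>...` (on OS X the flag column comes from `ls -lO`, capital O). The function names and the list of "critical" paths are this example's own choices.

```shell
#!/bin/sh
# Added example: audit the securelevel/schg posture described in security(7).
# Inputs are constructed samples so this runs offline; replace them with
# real `sysctl -n kern.securelevel` and `ls -lo` output on a FreeBSD host
# (`ls -lO` on OS X).

# Constructed sample: what `sysctl -n kern.securelevel` might print.
SAMPLE_SECURELEVEL="1"

# Constructed sample: `ls -lo` lines for a hypothetical set of startup files.
# Field 5 is the chflags column; "-" means no flags are set.
SAMPLE_LS_LO='-r-xr-xr-x  1 root  wheel  schg          123456 Jan  1 00:00 /sbin/init
-r-xr-xr-x  1 root  wheel  -             234567 Jan  1 00:00 /bin/sh
-rw-r--r--  1 root  wheel  schg,sunlnk     3456 Jan  1 00:00 /etc/rc.conf
-rw-r--r--  1 root  wheel  -               7890 Jan  1 00:00 /etc/rc'

# Succeeds (exit 0) when the level is >= 1, i.e. when the kernel refuses to
# clear system immutable/append-only flags and to load kernel modules.
securelevel_enforces_schg() {
    level="$1"
    [ "$level" -ge 1 ] 2>/dev/null
}

# Prints the path of every listing line whose flag column does not contain
# "schg" (flags are comma-separated, so split before comparing).
files_missing_schg() {
    printf '%s\n' "$1" | awk '
        {
            flags = $5; path = $NF; has = 0
            n = split(flags, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "schg") has = 1
            if (!has) print path
        }'
}

# Combined verdict. Exit status: 0 = level >= 1 and all files carry schg,
# 1 = level too low (schg can still be cleared by root),
# 2 = level is fine but some startup files are not immutable.
audit_securelevel() {
    level="$1"; listing="$2"
    if ! securelevel_enforces_schg "$level"; then
        echo "securelevel=$level: immutable flags can still be cleared by root"
        return 1
    fi
    missing=$(files_missing_schg "$listing")
    if [ -n "$missing" ]; then
        echo "securelevel=$level, but these startup files lack schg:"
        echo "$missing"
        return 2
    fi
    echo "securelevel=$level and every listed startup file carries schg"
    return 0
}

# Run against the constructed sample; the exit status is the finding.
audit_securelevel "$SAMPLE_SECURELEVEL" "$SAMPLE_LS_LO" || echo "audit exit status: $?"
```

With the sample data the audit reports that /bin/sh and /etc/rc are not immutable even though the level is 1, which is exactly the gap the man page warns about: a level of 1 only enforces schg on files that already carry it, so the flag has to be set on everything that runs before the level is raised.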
