Time Machine utilizes Leopard’s new MAC framework, providing a “safety net” to ensure the integrity of your backups. Access control provisions are applied via a kernel extension located at /System/Library/Extensions/TMSafetyNet.kext, which makes calls to _mac_policy_register and _mac_policy_unregister. All of this results in a backup set which contains data which is immutable via standard means. For instance, attempting to delete a Time Machine backup via the cli utility ‘rm’ will result in failure, as well as any other cli file operation utility which attempts to alter Time Machine backups.
It seems that the system enforces the restrictions based upon all of the
following conditions being met:
following conditions being met:
- Has ACE ‘group:everyone deny full control’
- Resides in a directory “Backups.backupdb” located at volume root with the same deny ACE
Steps to create the safety net:
$mkdir -p /Backups.backupdb/test/test1
$chmod -R +a# 0 "group:everyone deny add_file,delete,add_subdirectory, delete_child,writeattr,writeextattr,chown" /Backups.backupdb/
$rm -rf /Backups.backupdb/test
rm: /Backups.backupdb/test/test1: Operation not permitted
rm: /Backups.backupdb/test: Operation not permitted
Attempts to alter this data is then unsuccessful. However, there are a few back doors here. There exists a cli binary at /System/Library/Extensions/TMSafetyNet.kext/Contents/MacOS/bypass
which allows you to supply a command + args as an argument and completely bypass the access restrictions. Likewise, GUI level apps can delete these items by escalating via the authorization trampoline.