Block an application's read/write access to a specific file in OS X?

The premise is this:

I have an app which has been set in its code to only run on OS X versions 10.4 to 10.9.2. (When I try to install it, it gives a message "This version of ____ is for Mac OS X 10.4 to 10.9.2."). I have updated to 10.9.3, and the developer just needs to update the app to fix this restriction in his tool.

I'm actually in contact with the developer, who says he is 'too busy' to work on the app or issue an update right now.

I worked out that the app is just reading /System/Library/CoreServices/SystemVersion.plist to determine the OS version, and I managed to bypass its installer restriction by temporarily editing the file using this guide. But after reverting the plist values to 10.9.3 and restarting the system to start (hopefully) using the app, I saw that it checks SystemVersion.plist to run as well - not just during installation.

I'm worried that if I keep SystemVersion.plist at 10.9.2 indefinitely it would ruin other parts of the system such as App Store updates and the like.

So my idea now is to try to find some method or tool to block the app from being able to even read SystemVersion.plist entirely - think of it as a 'file system' version of Little Snitch if you will - just some way to create custom rules, for specific processes, that disallow read and/or write access to specific files/folders in the system.

Maybe it would just cause the app to throw an error and not run at all (I could probably test this by temporarily moving the plist file to Trash for just 30 seconds while trying to install/run it) - but in either case, I think it's a really useful thing to be able to have, for powerful security purposes - just like the custom-blocking network access for apps in Little Snitch.

So is there some awesome third party tool, or even a native OS X / Xcode tool, that can do this? Any insights as to what would even need to happen anyway, system/programming-wise? Tweaking 'Sharing & Permissions' for a file in Finder lets me control user access, but not process access.


You could just use the built-in sandboxing features of Mac OS X.

Create a custom profile that limits access to the SystemVersion.plist file, using syntax like this:

(version 1)
(deny file* (literal "/System/Library/CoreServices/SystemVersion.plist"))
(allow default)

Save that as for example ~/myprofile.sb and then run your program like this:

sandbox-exec -f ~/myprofile.sb "/Applications/My Program.app/Contents/MacOS/My Program"
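Putting that profile to work, as an added example that is not the answerer's code: a small shell script that writes the profile (with the permissive default first and the single deny after it), checks that a sandboxed reader really is refused the plist while the same sandbox still allows an ordinary read, and only then prints the launch command. The profile path under $TMPDIR, the APP path, and /etc/hosts as the "must still be readable" control file are placeholders chosen for this example.

```sh
#!/bin/sh
# Added example, not part of the original answer: build the profile, prove it
# blocks reads of SystemVersion.plist for a sandboxed process tree (and nothing
# else), then print the launch command. Placeholder names: PROFILE, APP, and
# /etc/hosts as the "should still be readable" control file.

PLIST=/System/Library/CoreServices/SystemVersion.plist
PROFILE="${TMPDIR:-/tmp}/block-sysversion.sb"
APP="/Applications/My Program.app/Contents/MacOS/My Program"   # placeholder

# write_profile PATH FILE: emit a profile that keeps the default policy
# permissive and denies every file operation (read, write, metadata/stat) on
# exactly one path. The rules apply to the launched process and to anything
# it spawns, since the sandbox is inherited across fork/exec.
write_profile() {
  cat > "$1" <<EOF
(version 1)
(allow default)
(deny file* (literal "$2"))
EOF
}

# check_block FILE: returns 0 when a sandboxed reader is denied FILE while the
# same sandbox still allows ordinary reads; 1 when the profile is ineffective
# or broken (a profile that fails to parse makes sandbox-exec refuse to run
# anything at all, which the control read below catches); 2 when there is
# nothing to test here (no sandbox-exec, or FILE unreadable even unsandboxed).
check_block() {
  command -v sandbox-exec >/dev/null 2>&1 || return 2
  [ -r "$1" ] || return 2
  # A sandbox denial surfaces as EPERM ("Operation not permitted"), not as a
  # missing file, so cat exits 1 here when the profile works.
  if sandbox-exec -f "$PROFILE" cat "$1" >/dev/null 2>&1; then
    return 1
  fi
  # Control: the profile must not be denying more than the one file.
  sandbox-exec -f "$PROFILE" cat /etc/hosts >/dev/null 2>&1 || return 1
  return 0
}

write_profile "$PROFILE" "$PLIST"
rc=0; check_block "$PLIST" || rc=$?
case $rc in
  0) echo "OK: $PLIST is unreadable under $PROFILE; launch the app with:"
     echo "    sandbox-exec -f \"$PROFILE\" \"$APP\"" ;;
  1) echo "FAIL: profile did not block the read, or blocked too much"; exit 1 ;;
  2) echo "SKIP: sandbox-exec or $PLIST not available (not macOS?)" ;;
esac
```

Two things worth knowing before relying on this. The sandbox only applies to the process tree started by sandbox-exec, so launch the binary inside Contents/MacOS directly as above, not via Finder or `open`. And because the file is denied rather than missing, an app that needs SystemVersion.plist for anything beyond the version check may refuse to start or crash; each denial is reported in Console.app with the operation the app attempted, which tells you whether that is happening. The asker's own experiment of moving the plist aside for a few seconds is the closest test of the "file absent" case, and this profile is the test of the "file unreadable" case.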

Hands Off app has this feature:

Monitoring disk access

Applications present on your computer can freely read, store or erase information on your computer without your knowledge. Using Hands Off!, you can monitor and control disk access from all applications so as to prevent them from obtaining confidential information, erasing your data or storing cookies.

And it happens to include the network firewall feature of Little Snitch.

https://www.macworld.com/article/3190149/little-flocker-reincarnates-at-f-secure-in-free-beta.html:

Little Flocker, a tool that restricts apps' and system processes' access to files without permission. He was unable to talk details, but recently F-Secure, a leading security developer and analysis company, announced its purchase of Little Flocker, which it's rebranded as Xfence.

macOS Catalina now has a similar feature:

Data protections

macOS Catalina checks with you before allowing an app to access your data in your Documents, Desktop, and Downloads folders; iCloud Drive; the folders of third-party cloud storage providers; removable media; and external volumes. In addition, you’re asked before an app can perform key logging or capture a still or video recording of your screen.