Is /dev protected by SIP?

high-sierra

So I know /dev contains all the drivers required for mouse , keyboard etc but can some dangerous malware delete the folder? Or can someone manually delete the folder with sudo?


Solution 1:

The directory that SIP (About System Integrity Protection) covers are

  • /System
  • /usr
  • /bin
  • /sbin
  • Apps that are pre-installed with OS X


/dev contains all the drivers required for mouse , keyboard etc

No. These are device nodes or special files that access the hardware directly.

Device drivers are usually located in the System Library as kexts (Kernel Extensions). See this answer for more further details.

can someone manually delete the folder with sudo?

Yes, you can delete this folder however, it should be restored upon reboot because these nodes are dynamically generated as hardware is detected. Under Linux and BSD, the command makedev will regenerate your devices. mknod will do the same for macOS.

From the man page (man mknod)

The mknod command creates device special files.

So, can malware delete or affect these files? Possibly, but it would be counterproductive because it would need root access to begin with and whatever changes would be temporary at best.

Related

Is possible modify the App Store purchased listing (delete or hide some/unhide other hidden apps)?
Where do files go when you AirDrop them on iOS?
How can we unlock an iPhone backup file if we don't know the password?
Not seeing my HD in the disk utility
Cleaning ‘staining’ off bottom of MacBook screen
iPhone data connection types
"cron" processes spawning and piling up, but no crontab
Why can't I update iMovie?
Is it possible to activate an iPhone 4 without a SIM?
Is it possible to disable CPU throttling on a MacBook Pro with a completely dead (not recognized) battery?
pfctl - howto add an anchor and make it active / load it
When did the colon character : become an allowed character in the filesystem?