Is /dev protected by SIP?

So I know /dev contains all the drivers required for mouse, keyboard, etc., but can some dangerous malware delete the folder? Or can someone manually delete the folder with sudo?


Solution 1:

The directories that SIP (About System Integrity Protection) covers are:

  • /System
  • /usr
  • /bin
  • /sbin
  • Apps that are pre-installed with OS X


> /dev contains all the drivers required for mouse, keyboard etc

No. These are device nodes or special files that access the hardware directly.

Device drivers are usually located in the System Library as kexts (Kernel Extensions). See this answer for further details.

> can someone manually delete the folder with sudo?

Yes, you can delete this folder; however, it should be restored upon reboot because these nodes are dynamically generated as hardware is detected. Under Linux and BSD, the command makedev will regenerate your devices. mknod will do the same for macOS.

From the man page (man mknod):

> The mknod command creates device special files.

So, can malware delete or affect these files? Possibly, but it would be counterproductive because it would need root access to begin with and whatever changes would be temporary at best.
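To check these points on a given machine, the following added example (not part of the answer above) reports whether a path is a device special file, with its major and minor numbers, and whether it carries the `restricted` file flag that SIP sets on protected paths. The function names `describe` and `survey` are hypothetical; the `SF_RESTRICTED` value is taken from macOS `<sys/stat.h>`, and on systems without `st_flags` (such as Linux) the SIP column is reported as `None`.

```python
import os
import stat

# SF_RESTRICTED from macOS <sys/stat.h>: the file flag SIP sets on protected
# paths (shown as "restricted" by `ls -lO`).
SF_RESTRICTED = 0x00080000


def describe(path):
    """Return type, device numbers and SIP flag for one path (symlinks not followed)."""
    st = os.lstat(path)
    mode = st.st_mode
    if stat.S_ISCHR(mode):
        kind = "char-device"
    elif stat.S_ISBLK(mode):
        kind = "block-device"
    elif stat.S_ISDIR(mode):
        kind = "directory"
    elif stat.S_ISLNK(mode):
        kind = "symlink"
    else:
        kind = "other"
    is_dev = kind in ("char-device", "block-device")
    flags = getattr(st, "st_flags", None)  # only present on macOS/BSD
    return {
        "path": path,
        "kind": kind,
        # Device nodes carry a (major, minor) pair that selects a kernel driver;
        # the node itself contains no driver code.
        "major": os.major(st.st_rdev) if is_dev else None,
        "minor": os.minor(st.st_rdev) if is_dev else None,
        "sip_restricted": None if flags is None else bool(flags & SF_RESTRICTED),
    }


def survey(paths):
    """Describe each path; paths that cannot be stat'ed are marked 'unreadable'."""
    rows = []
    for p in paths:
        try:
            rows.append(describe(p))
        except OSError:
            rows.append({"path": p, "kind": "unreadable", "major": None,
                         "minor": None, "sip_restricted": None})
    return rows


if __name__ == "__main__":
    # The SIP-covered directories listed in the answer, plus /dev for comparison.
    for row in survey(["/System", "/usr", "/bin", "/sbin", "/dev", "/dev/null"]):
        print(row)
```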