Understanding output of xattr -p com.apple.quarantine

13k views Asked by At

The other day I was messing with some files that had the extended attribute com.apple.quarantine on them. I am aware of its purpose, but I have always been curious what the properties below meant when you output its values.

E.g. when I typed in

xattr -p com.apple.quarantine xmlrpc.php

for a file that has the said xattr, I get output like this:

0083;59b926ad;Safari.app;55847AA4-5562-42A2-89A7-8FAD394B455C

What do the first 4 digits represent? i.e. 0083 Google hasn't brought up anything good and there are a few guides I found from users also trying to figure out what these numbers precisely represent.

1

There are 1 answers

2
TheDarkKnight On BEST ANSWER

As you're probably already aware, the quarantine flags are set when an agent (browser, mail client etc) saves a file to your machine. This is responsible for the warning that appears when you first try to open an application that was downloaded from the internet.

All this information is stored and there's a complete history for every user.

The first 4 digits are a set of flags that I expect are defined in quarantine.h, which appears to be a private header included in copyfile.c, within Apple's open source code.

These flags represent states, such as whether the file is quarantined or not.

On closer analysis, the kernel extension quarantine.kext is responsible for handling this and upon disassembly, we can see the function quarantine_get_flags.

Here's just a snippet of the disassembled kext enter image description here

Note the formatting of the xattr output's first 4 flags with _sscanf(rbx, "%04x;") == 0x1)

This calls quarantine_get_info.

enter image description here

We can see here that the flags denote various states of the file on the system, with vfs being the Virtual File System and vnode is the basic representation structure of a file.

As for the rest of the xattr output, each user has a local sqlite3database that keeps a record of every item downloaded. Its location is

~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

The database has just one table LSQuarantineEvent. You can read all the data by using the sqlite3 command in the terminal

sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "select * from LSQuarantineEvent;" 

If you filter the results (grep or alternative) you'll be able to match up the GUID that makes up the latter part of the xattr output and you'll see all the information about that particular download, including which agent was responsible for downloading the file and even the URL from where it was retrieved.