AssertionError("Joe Groff")
(replying to Jeff Johnson)
@lapcatsoftware @saagar I didn't have an exploit per se in mind, but one thing I was recently playing with in a side project was creating virtual network interfaces with vmnet.framework. Creating an interface typically requires root, but if Apple grants your executable the `com.apple.vm.networking` entitlement, then that executable can do so as a regular user, or even in the sandbox. But the mechanisms that ensure #OnlyApple can grant that entitlement rely on SIP, AIUI
AssertionError("Joe Groff")
(replying to AssertionError("Joe Groff"))
@lapcatsoftware @saagar I suppose that isn't so different from setuid binaries though
Saagar Jha
(replying to AssertionError("Joe Groff"))
@joe @lapcatsoftware Yeah I mean vaguely you would have the same issue if there was a configuration that convinced ld to let you preload into a setuid binary or that you could mess with their procfs or something