_opName`**.
+
+The object is one of the following: `bpfdesc`, `cred`, `file`, `proc`, `vnode`, `mount`, `devfs`, `ifnet`, `inpcb`, `mbuf`, `ipq`, `pipe`, `sysv[msg/msq/shm/sem]`, `posix[shm/sem]`, `socket`, `kext`.\
+The `opType` is usually check which will be used to allow or deny the action. However, it's also possible to find `notify`, which will allow the kext to react to the given action.
+
+You can find an example in [https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/bsd/kern/kern\_mman.c#L621](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/bsd/kern/kern\_mman.c#L621):
+
+int
+mmap(proc_t p, struct mmap_args *uap, user_addr_t *retval)
+{
+[...]
+#if CONFIG_MACF
+ error = mac_file_check_mmap(vfs_context_ucred(ctx),
+ fp->fp_glob, prot, flags, file_pos + pageoff,
+ &maxprot);
+ if (error) {
+ (void)vnode_put(vp);
+ goto bad;
+ }
+#endif /* MAC */
+[...]
+
+
+Then, it's possible to find the code of `mac_file_check_mmap` in [https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/security/mac\_file.c#L174](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/security/mac\_file.c#L174)
+
+```c
+mac_file_check_mmap(struct ucred *cred, struct fileglob *fg, int prot,
+ int flags, uint64_t offset, int *maxprot)
+{
+ int error;
+ int maxp;
+
+ maxp = *maxprot;
+ MAC_CHECK(file_check_mmap, cred, fg, NULL, prot, flags, offset, &maxp);
+ if ((maxp | *maxprot) != *maxprot) {
+ panic("file_check_mmap increased max protections");
+ }
+ *maxprot = maxp;
+ return error;
+}
+```
+
+Which is calling the `MAC_CHECK` macro, whose code can be found in [https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/security/mac\_internal.h#L261](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/security/mac\_internal.h#L261)
+
+```c
+/*
+ * MAC_CHECK performs the designated check by walking the policy
+ * module list and checking with each as to how it feels about the
+ * request. Note that it returns its value via 'error' in the scope
+ * of the caller.
+ */
+#define MAC_CHECK(check, args...) do { \
+ error = 0; \
+ MAC_POLICY_ITERATE({ \
+ if (mpc->mpc_ops->mpo_ ## check != NULL) { \
+ DTRACE_MACF3(mac__call__ ## check, void *, mpc, int, error, int, MAC_ITERATE_CHECK); \
+ int __step_err = mpc->mpc_ops->mpo_ ## check (args); \
+ DTRACE_MACF2(mac__rslt__ ## check, void *, mpc, int, __step_err); \
+ error = mac_error_select(__step_err, error); \
+ } \
+ }); \
+} while (0)
+```
+
+Which will go over all the registered mac policies calling their functions and storing the output inside the error variable, which will only be overridable by `mac_error_select` by success codes so if any check fails the complete check will fail and the action won't be allowed.
+
+{% hint style="success" %}
+However, remember that not all MACF callouts are used only to deny actions. For example, `mac_priv_grant` calls the macro [**MAC\_GRANT**](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/security/mac\_internal.h#L274), which will grant the requested privilege if any policy answers with a 0:
+
+```c
+/*
+ * MAC_GRANT performs the designated check by walking the policy
+ * module list and checking with each as to how it feels about the
+ * request. Unlike MAC_CHECK, it grants if any policies return '0',
+ * and otherwise returns EPERM. Note that it returns its value via
+ * 'error' in the scope of the caller.
+ */
+#define MAC_GRANT(check, args...) do { \
+ error = EPERM; \
+ MAC_POLICY_ITERATE({ \
+ if (mpc->mpc_ops->mpo_ ## check != NULL) { \
+ DTRACE_MACF3(mac__call__ ## check, void *, mpc, int, error, int, MAC_ITERATE_GRANT); \
+ int __step_res = mpc->mpc_ops->mpo_ ## check (args); \
+ if (__step_res == 0) { \
+ error = 0; \
+ } \
+ DTRACE_MACF2(mac__rslt__ ## check, void *, mpc, int, __step_res); \
+ } \
+ }); \
+} while (0)
+```
+{% endhint %}
+
+### priv\_check & priv\_grant
+
+These callas are meant to check and provide (tens of) **privileges** defined in [**bsd/sys/priv.h**](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/bsd/sys/priv.h).\
+Some kernel code would call `priv_check_cred()` from [**bsd/kern/kern\_priv.c**](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/bsd/kern/kern\_priv.c) with the KAuth credentials of the process and one of the privileges code which will call `mac_priv_check` to see if any policy **denies** giving the privilege and then it calls `mac_priv_grant` to see if any policy grants the `privilege`.
+
+### proc\_check\_syscall\_unix
+
+This hook allows to intercept all system calls. In `bsd/dev/[i386|arm]/systemcalls.c` it's possible to see the declared function [`unix_syscall`](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/bsd/dev/arm/systemcalls.c#L160C1-L167C25), which contains this code:
+
+```c
+#if CONFIG_MACF
+ if (__improbable(proc_syscall_filter_mask(proc) != NULL && !bitstr_test(proc_syscall_filter_mask(proc), syscode))) {
+ error = mac_proc_check_syscall_unix(proc, syscode);
+ if (error) {
+ goto skip_syscall;
+ }
+ }
+#endif /* CONFIG_MACF */
+```
+
+Which will check in the calling process **bitmask** if the current syscall should call `mac_proc_check_syscall_unix`. This is because syscalls are called so frequently that it's interesting to avoid calling `mac_proc_check_syscall_unix` every time.
+
+Note that the function `proc_set_syscall_filter_mask()`, which set the bitmask syscalls in a process is called by Sandbox to set masks on sandboxed processes.
+
+## Exposed MACF syscalls
+
+It's possible to interact with MACF through some syscalls defined in [security/mac.h](https://github.com/apple-oss-distributions/xnu/blob/94d3b452840153a99b38a3a9659680b2a006908e/security/mac.h#L151):
+
+```c
+/*
+ * Extended non-POSIX.1e interfaces that offer additional services
+ * available from the userland and kernel MAC frameworks.
+ */
+#ifdef __APPLE_API_PRIVATE
+__BEGIN_DECLS
+int __mac_execve(char *fname, char **argv, char **envv, mac_t _label);
+int __mac_get_fd(int _fd, mac_t _label);
+int __mac_get_file(const char *_path, mac_t _label);
+int __mac_get_link(const char *_path, mac_t _label);
+int __mac_get_pid(pid_t _pid, mac_t _label);
+int __mac_get_proc(mac_t _label);
+int __mac_set_fd(int _fildes, const mac_t _label);
+int __mac_set_file(const char *_path, mac_t _label);
+int __mac_set_link(const char *_path, mac_t _label);
+int __mac_mount(const char *type, const char *path, int flags, void *data,
+ struct mac *label);
+int __mac_get_mount(const char *path, struct mac *label);
+int __mac_set_proc(const mac_t _label);
+int __mac_syscall(const char *_policyname, int _call, void *_arg);
+__END_DECLS
+#endif /*__APPLE_API_PRIVATE*/
+```
+
+## References
+
+* [**\*OS Internals Volume III**](https://newosxbook.com/home.html)
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+
+
+
+Support HackTricks
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
+{% endhint %}
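Review bot: the `mmap` excerpt (from `+int` / `+mmap(proc_t p, struct mmap_args *uap, user_addr_t *retval)` down to the closing `+[...]`) is the only snippet in this hunk not wrapped in a ```c fence, so it will render as broken prose; fence it like the `mac_file_check_mmap` and `MAC_CHECK` blocks. In the `mac_file_check_mmap` block the excerpt starts at the function name and drops the `int` return-type line that precedes it in the linked source, which makes the snippet look like an implicit-int definition. The prose also needs a copy pass: "These callas are meant to check" should be "These calls are meant to check"; "This hook allows to intercept all system calls" reads better as "This hook allows intercepting all system calls"; and "the function `proc_set_syscall_filter_mask()`, which set the bitmask syscalls in a process is called by Sandbox" needs "which sets the syscall bitmask of a process, is called by Sandbox". Finally, the sentence after the `MAC_CHECK` block ("Which will go over all the registered mac policies ... the action won't be allowed.") is one long run-on; splitting it into two sentences (what the macro iterates, then why a single non-zero result makes the whole check fail via `mac_error_select`) would make the point about deny-wins semantics much easier to follow, especially since the hint right after contrasts it with `MAC_GRANT`.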
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-users.md b/macos-hardening/macos-security-and-privilege-escalation/macos-users.md
index d1bc4f7c8..cd63037cf 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-users.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-users.md
@@ -1,8 +1,8 @@
-# macOS Users
+# macOS Users & External Accounts
{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
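Review bot: the two "Learn & practice AWS Hacking" / "Learn & practice GCP Hacking" lines are removed and re-added with text that reads identically here, so unless the difference is trailing whitespace or line endings this part of the hunk is a no-op; if it is whitespace-only, consider dropping it so the diff only shows the real change, the heading rename to `# macOS Users & External Accounts`.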
@@ -15,8 +15,7 @@ Learn & practice GCP Hacking:
{% endhint %}
-
-### Common Users
+## Common Users
* **Daemon**: User reserved for system daemons. The default daemon account names usually start with a "\_":
@@ -35,16 +34,21 @@ for i in "${state[@]}"; do sysadminctl -"${i}" status; done;
* **Nobody**: Processes are executed with this user when minimal permissions are required
* **Root**
-### User Privileges
+## User Privileges
* **Standard User:** The most basic of users. This user needs permissions granted from an admin user when attempting to install software or perform other advanced tasks. They are not able to do it on their own.
* **Admin User**: A user who operates most of the time as a standard user but is also allowed to perform root actions such as install software and other administrative tasks. All users belonging to the admin group are **given access to root via the sudoers file**.
* **Root**: Root is a user allowed to perform almost any action (there are limitations imposed by protections like System Integrity Protection).
* For example root won't be able to place a file inside `/System`
+## External Accounts
+
+MacOS also support to login via external identity providers such as FaceBook, Google... The main daemon performing this job is `accountsd` (`/System/Library/Frameworks/Accounts.framework//Versions/A/Support/accountsd`) and it's possible to find plugins used for external authentication inside the folder `/System/Library/Accounts/Authentication/`.\
+Moreover, `accountsd` gets the list of account types from `/Library/Preferences/SystemConfiguration/com.apple.accounts.exists.plist`.
+
{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
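Review bot: the new "External Accounts" paragraph needs grammar and path fixes before merge. "MacOS also support to login via external identity providers such as FaceBook, Google..." should read "macOS also supports logging in via external identity providers such as Facebook, Google..."; the path `/System/Library/Frameworks/Accounts.framework//Versions/A/Support/accountsd` contains a doubled slash after `Accounts.framework`; and "it's possible to find plugins used for external authentication inside the folder" is clearer as "the plugins used for external authentication live in". As in the first hunk of this file, the closing hint lines are removed and re-added with identical text, which looks like a whitespace-only change that could be dropped.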