#!/bin/bash

# ==============================
# Combined RecoveryOS Kext Hardening Script
# Purpose:
# - Audit the kexts installed on, and loaded by, the booted RecoveryOS
#   against a fixed name allowlist (WHITELIST)
# - Report any kext that is not on the allowlist
# - Ask for confirmation before changing anything
# - Lock down the other mounted volumes (/Volumes/*) to hinder external
#   kext injection
#
# Intended to run as root from RecoveryOS (the lockdown modifies other
# volumes). The audit is name-based only: no signature or content checks.
# ==============================

# -- CONFIG: Approved Recovery kexts only
#
# Entries are compared exactly (case-sensitive) against *.kext directory names
# by is_whitelisted. This is an allowlist of *names*, not of contents: a bundle
# that has merely been renamed to one of these entries passes the check.
WHITELIST=()
WHITELIST+=("AppleAPFS.kext" "IOStorageFamily.kext" "IOHDIXController.kext")
WHITELIST+=("AppleSMC.kext" "IOKit.kext" "IOHIDFamily.kext")
WHITELIST+=("IOGraphicsFamily.kext" "AppleTopCase.kext" "AppleBacklight.kext")
WHITELIST+=("AppleCLCD.kext" "AppleDisplay.kext" "AppleM1Framebuffer.kext")
WHITELIST+=("IOAcceleratorFamily2.kext")

# Directories on the booted Recovery volume that are scanned for *.kext bundles.
KEXT_DIRS=(/System/Library/Extensions /Library/Extensions)

# -- Check if a kext is whitelisted
# Usage: is_whitelisted NAME
# Returns 0 when NAME is exactly (case-sensitive, no globbing) one of the
# WHITELIST entries, 1 otherwise. Only the name is compared; nothing about the
# bundle itself (signature, contents, location) is inspected.
is_whitelisted() {
  local candidate="$1"
  local approved
  for approved in "${WHITELIST[@]}"; do
    if [[ "$candidate" == "$approved" ]]; then
      return 0
    fi
  done
  return 1
}

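# -- Audit kexts on disk
# Compares the name of every *.kext bundle under KEXT_DIRS against WHITELIST
# and sets FOUND_EXTRA=1 on the first mismatch. Name check only: it does not
# verify signatures or contents, so a bundle renamed to an approved name passes.
printf '\n%s\n' "๐Ÿ“ฆ Checking installed kexts in Recovery disk..."
FOUND_EXTRA=0
for dir in "${KEXT_DIRS[@]}"; do
  [[ -d "$dir" ]] || continue
  for kext in "$dir"/*.kext; do
    # An unmatched glob is left as the literal "*.kext"; skip it instead of
    # reporting a non-existent "extra" kext.
    [[ -e "$kext" ]] || continue
    base=${kext##*/}
    if is_whitelisted "$base"; then
      printf '%s\n' "โœ… Approved: $base"
    else
      printf '%s\n' "โŒ Extra kext on disk: $base"
      FOUND_EXTRA=1
    fi
  done
done
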
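# -- Audit loaded kexts in memory
# Enumerates what the RecoveryOS kernel currently has loaded and compares each
# entry against WHITELIST. Any failure to enumerate counts as a finding
# (FOUND_EXTRA=1), consistent with the "kmutil not found" branch: an audit that
# saw nothing must not report "clean".
#
# NOTE(review): kmutil showloaded appears to report bundle identifiers
# (com.apple.…) while WHITELIST holds *.kext file names, so as written every
# loaded entry is likely to be flagged until WHITELIST is extended with bundle
# identifiers — confirm on a RecoveryOS host before relying on this section.
printf '\n%s\n' "๐Ÿ“ก Checking loaded kexts (RecoveryOS kernelcache)..."
if command -v kmutil &>/dev/null; then
  # Select the "Name" column by its header rather than by position: the
  # original hard-coded field 2, which on current kmutil output appears to be
  # the reference count, not the name. Falls back to field 2 if no header row
  # is seen, preserving the previous behaviour in that case.
  LOADED=$(kmutil showloaded | awk '
    /^Index/ { for (i = 1; i <= NF; i++) if ($i == "Name") col = i; next }
    NF == 0  { next }
    { print (col ? $col : $2) }
  ' | sort -u)
  if [[ -z "$LOADED" ]]; then
    printf '%s\n' "โŒ kmutil showloaded returned nothing; loaded kexts could not be audited"
    FOUND_EXTRA=1
  fi
  while IFS= read -r entry; do
    [[ -n "$entry" ]] || continue
    name=${entry##*/}
    if is_whitelisted "$name"; then
      printf '%s\n' "โœ… Loaded & approved: $name"
    else
      printf '%s\n' "โŒ Loaded unapproved: $name"
      FOUND_EXTRA=1
    fi
  done <<<"$LOADED"
else
  printf '%s\n' "โŒ kmutil not found (unexpected in RecoveryOS)"
  FOUND_EXTRA=1
fi
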
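# -- Summarise the audit before offering the lockdown
# FOUND_EXTRA is 1 if either audit above reported something or could not run.
# NOTE: findings on the Recovery volume itself are only reported here; the
# lockdown that follows touches /Volumes/* only and does not remediate them.
if [[ "${FOUND_EXTRA:-0}" -eq 0 ]]; then
  printf '\n%s\n' "โœ… System clean. Only whitelisted kexts found."
else
  printf '\n%s\n' "โš ๏ธ  WARNING: Non-whitelisted kexts found in RecoveryOS."
fi
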
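read -r -p "โ“ Proceed to LOCK DOWN all other volumes to block external kext injection? (y/N): " RESP

# lock_tree PATH
# Best-effort: clear all permission bits on PATH and everything under it, then
# set the user-immutable flag (uchg) on the whole tree. Diagnostics stay
# suppressed as before, but the exit status now reflects whether both steps
# succeeded, so callers no longer print "Locked" for paths that were not.
lock_tree() {
  local target="$1" rc=0
  chmod -R 000 "$target" 2>/dev/null || rc=1
  chflags -R uchg "$target" 2>/dev/null || rc=1
  return "$rc"
}

# NOTE(review): what follows is a speed bump, not a security boundary. uchg is
# cleared by the owner with `chflags nouchg`, mode bits do not bind root on the
# booted OS, and on a sealed (SSV) system volume the chmod/rm presumably just
# fail. It is also destructive for the target OS: its own Extensions trees and
# kmutil are modified/removed, and every disk, image or share mounted under
# /Volumes is touched. Confirm on a test machine before relying on it.
if [[ "$RESP" =~ ^[Yy]$ ]]; then
  printf '\n%s\n' "๐Ÿšซ Locking down /Volumes/* ..."
  LOCK_FAILED=0

  # Every step below needs root; say so once instead of failing quietly per path.
  if [[ "$(id -u)" -ne 0 ]]; then
    printf '%s\n' "โŒ Not running as root; the lockdown steps below will most likely fail."
  fi

  # Step 1: Lock each volume's /Library/Extensions tree
  for vol in /Volumes/*; do
    [[ -d "$vol/Library/Extensions" ]] || continue
    if lock_tree "$vol/Library/Extensions"; then
      printf '%s\n' "๐Ÿ”’ Locked: $vol/Library/Extensions"
    else
      printf '%s\n' "โŒ Could not fully lock: $vol/Library/Extensions"
      LOCK_FAILED=1
    fi
  done

  # Step 2: Remove known kext staging/loading tools from each mounted OS volume.
  # A tool that is not present is not an error; one that cannot be removed is
  # reported instead of being hidden behind an unconditional success message.
  for vol in /Volumes/*; do
    [[ -d "$vol" ]] || continue
    for tool in sbin/kextload sbin/kextunload usr/bin/kmutil usr/sbin/kextcache; do
      [[ -e "$vol/$tool" || -L "$vol/$tool" ]] || continue
      if rm -f "$vol/$tool" 2>/dev/null; then
        printf '%s\n' "๐Ÿงน Removed: $vol/$tool"
      else
        printf '%s\n' "โŒ Could not remove: $vol/$tool"
        LOCK_FAILED=1
      fi
    done
  done

  # Step 3: Lock every remaining .kext bundle on any mounted volume.
  # NUL-delimited so paths containing newlines or other odd characters survive.
  printf '\n%s\n' "๐Ÿ”Ž Searching for foreign .kext files..."
  while IFS= read -r -d '' k; do
    # Bundles under <vol>/Library/Extensions were already locked, recursively,
    # in step 1; running chmod again against the immutable flag would most
    # likely just fail and show up here as a spurious error.
    vol=${k#/Volumes/}
    vol=${vol%%/*}
    [[ "$k" == "/Volumes/$vol/Library/Extensions/"* ]] && continue
    if lock_tree "$k"; then
      printf '%s\n' "๐Ÿ” Locked kext: $k"
    else
      printf '%s\n' "โŒ Could not fully lock: $k"
      LOCK_FAILED=1
    fi
  done < <(find /Volumes/* -name '*.kext' -type d -print0 2>/dev/null)

  # Only claim success when every step actually succeeded.
  if [[ "$LOCK_FAILED" -eq 0 ]]; then
    printf '\n%s\n' "โœ… External kext injection prevention complete. Recovery is now airgap-hardened."
  else
    printf '\n%s\n' "โš ๏ธ  Lockdown finished with errors; review the messages above before trusting it."
  fi
else
  printf '\n%s\n' "๐Ÿ›‘ Skipped lockdown. No changes made."
fi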