Can you elaborate on what a "Data Vault" is and where a developer would be likely to encounter one?
A Data Vault is a directory that’s only readable by a process that has a specific entitlement. So, for example, being root won’t give you access, nor will enabling FDA.
Data Vaults were introduced in the late 10.13.x releases [1].
Currently Data Vaults are completely private to Apple, meaning that there’s:
- No way to create one for yourself
- No way to access the content of an Apple one
- No documentation about the structure of a Data Vault
- No way to reliably identify a directory as a Data Vault [2]
- No official list of existing Data Vaults
One consequence of this is that a third-party backup product will not be able to back up a Data Vault [3]. In most cases this isn’t a problem because the contents will be transitory (caches, and other stuff that can be rebuilt if needed), and hence the Data Vault will be located in a directory that isn’t backed up anyway.
IMPORTANT The following is meant as an example only. As I mentioned above, the structure of a Data Vault is not publicly documented.
For example, consider this:
$ ls $TMPDIR../0/ | cat
…
com.apple.nsurlsessiond
…
So the temporary directory has an item called com.apple.nsurlsessiond. But if you try to get any information about it, things fail:
$ stat $TMPDIR../0/com.apple.nsurlsessiond
stat: /var/folders/7j/6bzgmchs7z11xphl4c1nwfph0001yh/T/../0/com.apple.nsurlsessiond: stat: Operation not permitted
If you disable SIP you can poke around inside this Data Vault to learn more about how it’s structured but, as I mentioned above, this is not publicly documented and thus subject to change.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
[1] I never managed to work out exactly which release, but if you need to know for sure you can open a DTS tech support incident and I’ll research that.
[2] Some Data Vaults have the UF_DATAVAULT flag set, but I was told by the team that this is not always the case, and thus this is not a reliable way to check to see if a directory is a Data Vault.
[3] While booted from the disk containing that Data Vault.
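The stat failure shown in the post is what a third-party backup tool actually runs into, so here is an added example (not from the post or from Apple) of a pre-scan that records which entries it will not be able to read. It distinguishes the EPERM a Data Vault returns from an ordinary EACCES, treats UF_DATAVAULT only as a positive hint (per footnote [2]), and takes an injectable stat function so the behaviour can be reproduced on a machine without a Data Vault; the flag value 0x80 is assumed from the macOS sys/stat.h header.

```python
import errno
import os
import stat
import tempfile

# macOS declares UF_DATAVAULT in <sys/stat.h>; Python's stat module has no
# name for it, so the value is taken from that header (assumed: 0x00000080).
UF_DATAVAULT = getattr(stat, "UF_DATAVAULT", 0x00000080)


def scan_for_vault_candidates(dirpath, stat_fn=os.stat):
    """Pre-scan one directory the way a backup tool might, returning
    (path, reason) for every entry it will not be able to read.

    stat_fn is injectable so the EPERM behaviour can be exercised on a
    machine that has no Data Vault."""
    findings = []
    for entry in sorted(os.scandir(dirpath), key=lambda e: e.name):
        try:
            st = stat_fn(entry.path, follow_symlinks=False)
        except PermissionError as exc:
            # A Data Vault rejects stat() with EPERM even for root; an
            # ordinary mode-bit failure surfaces as EACCES instead.
            reason = "eperm" if exc.errno == errno.EPERM else "denied"
            findings.append((entry.path, reason))
            continue
        # st_flags exists only on BSD-derived platforms (macOS included).
        # A set flag is a positive signal; a clear flag proves nothing.
        if getattr(st, "st_flags", 0) & UF_DATAVAULT:
            findings.append((entry.path, "flag"))
    return findings


def demo():
    """Constructed scenario: a scratch directory holding one ordinary file
    and one directory named like the vault in the post, with a fake stat_fn
    that reproduces the 'Operation not permitted' (EPERM) result."""
    root = tempfile.mkdtemp()
    open(os.path.join(root, "normal.txt"), "w").close()
    os.mkdir(os.path.join(root, "com.apple.nsurlsessiond"))

    def fake_stat(path, follow_symlinks=True):
        if os.path.basename(path) == "com.apple.nsurlsessiond":
            raise PermissionError(errno.EPERM, "Operation not permitted", path)
        return os.stat(path, follow_symlinks=follow_symlinks)

    clean = scan_for_vault_candidates(root)  # real stat: nothing to report
    simulated = scan_for_vault_candidates(root, stat_fn=fake_stat)
    return clean, [reason for _, reason in simulated]


if __name__ == "__main__":
    print(demo())  # ([], ['eperm'])
```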