This article explains how to understand the output of xattr -p com.apple.quarantine. It should be a useful reference for anyone working through the same problem.

Problem description

The other day I was messing with some files that had the extended attribute com.apple.quarantine on them. I am aware of its purpose, but I have always been curious what the properties below meant when you output its values.

For example, when I type

xattr -p com.apple.quarantine xmlrpc.php

for a file that has the said xattr, I get output like this:

0083;59b926ad;Safari.app;55847AA4-5562-42A2-89A7-8FAD394B455C

What do the first 4 digits represent? i.e. 0083. Google hasn't brought up anything good and there are a few guides I found from users also trying to figure out what these numbers precisely represent.

Recommended answer

As you're probably already aware, the quarantine flags are set when an agent (browser, mail client etc) saves a file to your machine. This is responsible for the warning that appears when you first try to open an application that was downloaded from the internet.

All this information is stored and there's a complete history for every user.

The first 4 digits are a set of flags that I expect are defined in quarantine.h, which appears to be a private header included in copyfile.c, within Apple's open source code.

These flags represent states, such as whether the file is quarantined or not.

On closer analysis, the kernel extension quarantine.kext is responsible for handling this and upon disassembly, we can see the function quarantine_get_flags.

Here's just a snippet of the disassembled kext

Note the use of _sscanf(rbx, "%04x;") == 0x1 to format the first 4 flags of the xattr output.

This calls quarantine_get_info.

We can see here that the flags denote various states of the file on the system, with vfs being the Virtual File System and vnode being the basic representation structure of a file.

As for the rest of the xattr output, each user has a local sqlite3 database that keeps a record of every item downloaded. Its location is

The database has just one table LSQuarantineEvent. You can read all the data by using the sqlite3 command in the terminal

sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "select * from LSQuarantineEvent;" 

If you filter the results (grep or alternative) you'll be able to match up the GUID that makes up the latter part of the xattr output and you'll see all the information about that particular download, including which agent was responsible for downloading the file and even the URL from where it was retrieved.
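
The parsing and GUID lookup described in the answer above, as an added Python example that is not part of the original post: it splits the xattr value from the question into its fields and matches the GUID against LSQuarantineEvent. The column names, the reading of the second field as a hex Unix timestamp, and the 2001-based timestamp stored in the database are not stated on the page; the database row and URL are constructed sample data.

```python
import sqlite3
from datetime import datetime, timezone

MAC_EPOCH_OFFSET = 978307200  # seconds between 1970-01-01 and 2001-01-01 (UTC)

def parse_quarantine(value):
    """Split 'flags;timestamp;agent;uuid' into typed fields."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)  # the "%04x;" field read by the kext
    return {
        "flags": flags,
        # Individual bits that are set; their names are not given on the page.
        "set_bits": [f"0x{1 << b:04x}" for b in range(16) if flags >> b & 1],
        # Assumption: the second field is a Unix timestamp written in hex.
        "time": datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc),
        "agent": parts[2],
        # Tolerate a missing or empty GUID field.
        "event_id": parts[3] if len(parts) > 3 and parts[3] else None,
    }

def lookup_event(conn, event_id):
    """Return the download record whose identifier matches the xattr GUID."""
    row = conn.execute(
        "SELECT LSQuarantineAgentName, LSQuarantineDataURLString, "
        "LSQuarantineTimeStamp FROM LSQuarantineEvent "
        "WHERE LSQuarantineEventIdentifier = ?", (event_id,)).fetchone()
    if row is None:
        return None
    agent, url, ts = row
    when = datetime.fromtimestamp(ts + MAC_EPOCH_OFFSET, tz=timezone.utc)
    return {"agent": agent, "url": url, "time": when}

def make_sample_db():
    """Constructed in-memory stand-in for QuarantineEventsV2 (subset of columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE LSQuarantineEvent (LSQuarantineEventIdentifier TEXT, "
                 "LSQuarantineTimeStamp REAL, LSQuarantineAgentName TEXT, "
                 "LSQuarantineDataURLString TEXT)")
    conn.execute("INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?)",
                 ("55847AA4-5562-42A2-89A7-8FAD394B455C", 526999085.0,
                  "Safari", "https://example.com/xmlrpc.php"))  # constructed row
    return conn

if __name__ == "__main__":
    info = parse_quarantine("0083;59b926ad;Safari.app;55847AA4-5562-42A2-89A7-8FAD394B455C")
    print(info)
    print(lookup_event(make_sample_db(), info["event_id"]))
```

To run it against a real history, pass `lookup_event` a connection opened on the QuarantineEventsV2 file used in the sqlite3 command above instead of the sample database.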
