macOS: run APFS formatter elevated

APFS volume creation can still fail with Permission denied after preparing the raw and block device aliases because newfs_apfs performs privileged APFS container and volume operations beyond opening the device nodes. Route APFS formatting through the elevated CoreService path for non-root macOS runs. Keep the elevated interface narrow by sending only the target device and invoking user UID/GID, validate the device path on the privileged side, rebuild the formatter arguments there, and execute /sbin/newfs_apfs by absolute path to avoid PATH shadowing. Pass -U/-G so the created filesystem preserves the invoking user ownership. Apply the same path to GUI and text-mode creation.
2026-05-17 18:11:30 +00:00 · 2026-05-15 10:51:27 +09:00
parent 213dd2e74a
commit 77e4830c99
9 changed files with 224 additions and 2 deletions
--- a/src/Core/Unix/CoreServiceResponse.cpp
+++ b/src/Core/Unix/CoreServiceResponse.cpp
@@ -88,6 +88,18 @@ namespace VeraCrypt
 		Serializable::SerializeList (stream, HostDevices);
 	}

+#ifdef TC_MACOSX
+	// ExecuteMacOSXAPFSFormatterResponse
+	void ExecuteMacOSXAPFSFormatterResponse::Deserialize (shared_ptr <Stream> stream)
+	{
+	}
+
+	void ExecuteMacOSXAPFSFormatterResponse::Serialize (shared_ptr <Stream> stream) const
+	{
+		Serializable::Serialize (stream);
+	}
+#endif
+
 	// MountVolumeResponse
 	void MountVolumeResponse::Deserialize (shared_ptr <Stream> stream)
 	{
@@ -118,6 +130,9 @@ namespace VeraCrypt
 	TC_SERIALIZER_FACTORY_ADD_CLASS (GetDeviceSectorSizeResponse);
 	TC_SERIALIZER_FACTORY_ADD_CLASS (GetDeviceSizeResponse);
 	TC_SERIALIZER_FACTORY_ADD_CLASS (GetHostDevicesResponse);
+#ifdef TC_MACOSX
+	TC_SERIALIZER_FACTORY_ADD_CLASS (ExecuteMacOSXAPFSFormatterResponse);
+#endif
 	TC_SERIALIZER_FACTORY_ADD_CLASS (MountVolumeResponse);
 	TC_SERIALIZER_FACTORY_ADD_CLASS (SetFileOwnerResponse);
 }