by jprx 1470 days ago
Additionally, if you can find a way to trick a user into installing a malicious kext, why even bother with PACMAN? You already have arbitrary kernel code execution!

Perhaps the kext with the overflow may not necessarily look malicious? It can serve as an actually useful kext and pass review.
These days all kexts look malicious.
Yeah. The bundled ones in the main OS image are the worst. Who the hell knows what nefarious acts lie behind IOPCIFamily.kext?!

/s, though not entirely, moving more stuff to unprivileged contexts would be nice

Yeah, but if you can trick the user into doing that, you can already trick him into doing more.
First you need to trick Apple into signing that kext (which is getting more difficult by the day even for legitimate uses), or get the user to disable SIP first.
Didn't many tools require disabling SIP, like Homebrew? Is this no longer true?
This hasn't been true for at least 2 major macOS releases.

But yes, there was a time when editing even /etc/sudoers required disabling SIP. That time is long gone.
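The thread turns on two defender-side facts: a third-party kext only loads if it is signed and SIP permits it, and the quickest way to notice either condition has changed is to look at what is actually loaded and what `csrutil status` reports. The script below is an added example, not code from any commenter; it parses a constructed `kextstat`-style listing (the sample lines and bundle identifier `com.example.usefulfilter` are made up) and a `csrutil status` line, and flags kexts whose bundle identifier is not under `com.apple.`, since those are the ones that needed the user's intervention to get there.

```python
"""Audit a kextstat-style listing for non-Apple kernel extensions and read a
csrutil status line. All sample input here is constructed for the example."""
import re

# Constructed sample imitating the `kextstat` column layout (not real output).
SAMPLE_KEXTSTAT = """\
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  155 0xffffff7f80a00000 0x9000     0x9000     com.apple.kpi.bsd (20.6.0) 5C9A1A1D-0000-0000-0000-000000000001
   24    0 0xffffff7f82000000 0x3d000    0x3d000    com.apple.iokit.IOPCIFamily (2.9) 5C9A1A1D-0000-0000-0000-000000000002 <1>
  140    0 0xffffff7f83000000 0x1e000    0x1e000    com.example.usefulfilter (1.0.3) 5C9A1A1D-0000-0000-0000-000000000003 <24 1>
"""

# Constructed `csrutil status` line (the real tool prints this same sentence).
SAMPLE_CSRUTIL = "System Integrity Protection status: enabled."

# index, refs, three hex columns, bundle id, version in parentheses
_KEXT_LINE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+(\S+)\s+\(([^)]+)\)"
)


def parse_kextstat(text):
    """Return one dict per loaded kext: index, refs, bundle id and version.
    The header line and anything that does not match the layout is skipped."""
    kexts = []
    for line in text.splitlines():
        m = _KEXT_LINE.match(line)
        if not m:
            continue
        kexts.append({
            "index": int(m.group(1)),
            "refs": int(m.group(2)),
            "bundle_id": m.group(3),
            "version": m.group(4),
        })
    return kexts


def third_party_kexts(text):
    """Bundle ids of loaded kexts that are not shipped by Apple."""
    return [k["bundle_id"] for k in parse_kextstat(text)
            if not k["bundle_id"].startswith("com.apple.")]


def sip_enabled(csrutil_output):
    """True when `csrutil status` reports SIP as enabled (custom configurations
    also start with 'enabled', so only the leading word is checked)."""
    m = re.search(r"status:\s*(\w+)", csrutil_output)
    return bool(m) and m.group(1).lower() == "enabled"


def audit(kextstat_text, csrutil_output):
    """Summarise the two checks a reviewer would run on a host."""
    extra = third_party_kexts(kextstat_text)
    return {
        "sip_enabled": sip_enabled(csrutil_output),
        "third_party_kexts": extra,
        "needs_review": (not sip_enabled(csrutil_output)) or bool(extra),
    }


if __name__ == "__main__":
    # On a real Mac, feed in the output of `kextstat` and `csrutil status`
    # instead of the constructed samples above.
    print(audit(SAMPLE_KEXTSTAT, SAMPLE_CSRUTIL))
```

The audit is deliberately conservative: a host with SIP disabled is flagged even when nothing non-Apple is loaded, because, as the thread notes, that is the state in which an unsigned kext could be loaded at all.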