I'm a big fan of Patrick Wardle's free mac utilities but I noticed something odd
about LuLu recently. It seems that it only filters egress traffic when LuLu.app
is running. Since it normally runs as the local user rather than root, this
makes it somewhat trivial for malware to defeat as it can simply kill the
process and then connect to whatever it wants.
This can be mitigated by running the app as root, but since it's not installed
root-owned the first thing to do is change that:
$ sudo chown -R root:wheel /Applications/LuLu.app/
Then we need to create an suid loader binary to load it with. This needs to
execute via the LaunchAgents mechanism in order for the application to work
properly. So something like:
$ cat >lulu-as-root.c <<EOF
> #include <unistd.h>
>
> int main() {
> if (getuid() != 501) { # replace this with your user's uid
> return 0;
> }
> setuid(0);
> seteuid(0);
> execl("/Applications/LuLu.app/Contents/MacOS/LuLu", "/Applications/LuLu.app/Contents/MacOS/LuLu", NULL);
> return 0;
> }
> EOF
$ sudo gcc -o /usr/local/bin/lulu-as-root lulu-as-root.c
$ sudo chmod 4755 /usr/local/bin/lulu-as-root
Then we need a LaunchAgent script to load it:
$ cat >~/Library/LaunchAgents/com.m4rkw.lulu.plist <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.m4rkw.lulu</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/bin/lulu-as-root</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>KeepAlive</key>
<true/>
</dict>
</plist>
EOF
Then kill the non-root process and re-launch LuLu as root:
$ killall LuLu
$ launchctl load -w ~/Library/LaunchAgents/com.m4rkw.lulu.plist
