Load System Extension Error on Mac

Ever run into a situation where an application wants to load a system extension and asks you to allow it in System Preferences > Security & Privacy, but the window shows no prompt to do so?

Checks

  • Check /private/var/db/KernelExtensionManagement for the following:

    1. Permissions should be 0755 with the restricted flag set.
      $ ls -ldO /private/var/db/KernelExtensionManagement
      drwxr-xr-x@ 4 root  wheel  restricted 128 Sep 30 10:52 /private/var/db/KernelExtensionManagement
      
    2. The com.apple.rootless attribute should be set to KernelExtensionManagement.
      $ xattr -l /private/var/db/KernelExtensionManagement
      com.apple.macl:
      00000000  03 00 9A 5A D4 7E 96 5A 42 62 AB 95 F0 FE 77 5D  |...Z.~.ZBb....w]|
      00000010  B3 00 03 00 98 D0 E8 EA 04 50 4D 30 BE 6E 07 3D  |.........PM0.n.=|
      00000020  87 A8 B8 46 00 00 00 00 00 00 00 00 00 00 00 00  |...F............|
      00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
      00000040  00 00 00 00 00 00 00 00                          |........|
      00000048
      com.apple.rootless: KernelExtensionManagement
      
  • Check /private/var/db/KernelExtensionManagement/Staging for the following:

    1. Permissions should be 0755 with the restricted flag set
      $ ls -ldO /private/var/db/KernelExtensionManagement/Staging
      drwxr-xr-x  2 root  wheel  restricted 64 Oct  2 12:40 /private/var/db/KernelExtensionManagement/Staging
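
The checks above can be scripted. The following is an added example, not part of the original post: it parses `ls -ldO` and `xattr -l` output and reports which of the three conditions fail. The function names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original page); function names are hypothetical.

# check_ls_line LINE: LINE is one line of `ls -ldO` output.
# Succeeds only if the mode is drwxr-xr-x (0755) and the flags column
# (5th field, comma-separated, "-" when empty) contains "restricted".
check_ls_line() {
    printf '%s\n' "$1" | awk '
        {
            mode = $1
            sub(/[@+]$/, "", mode)   # drop the xattr (@) or ACL (+) marker
            n = split($5, flags, ",")
            restricted = 0
            for (i = 1; i <= n; i++) if (flags[i] == "restricted") restricted = 1
            ok = (mode == "drwxr-xr-x" && restricted)
        }
        END { exit (ok ? 0 : 1) }'
}

# check_rootless TEXT: TEXT is the output of `xattr -l`.
# Succeeds only if com.apple.rootless is exactly KernelExtensionManagement.
check_rootless() {
    printf '%s\n' "$1" | grep -qx 'com\.apple\.rootless: KernelExtensionManagement'
}

# Run all three checks from the page against the live system (macOS only).
audit_kext_dirs() {
    base=/private/var/db/KernelExtensionManagement
    rc=0
    for dir in "$base" "$base/Staging"; do
        if check_ls_line "$(ls -ldO "$dir" 2>/dev/null)"; then
            echo "OK   $dir: 0755 with restricted flag"
        else
            echo "FAIL $dir: wrong mode or restricted flag missing"; rc=1
        fi
    done
    if check_rootless "$(xattr -l "$base" 2>/dev/null)"; then
        echo "OK   $base: com.apple.rootless is KernelExtensionManagement"
    else
        echo "FAIL $base: com.apple.rootless missing or different"; rc=1
    fi
    return "$rc"
}

if [ "$(uname -s)" = "Darwin" ]; then
    audit_kext_dirs || echo "At least one check failed" >&2
fi
```

A FAIL line for the restricted flag or the com.apple.rootless attribute corresponds to the condition described under "Reason for the issue".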
      

Reason for the issue

If the restricted flag or the com.apple.rootless attribute is not set on KernelExtensionManagement, it appears to affect how SIP treats the directory.

Solutions

To fix the problem, you can try either of the following in the macOS recovery console:

  1. Delete /private/var/db/KernelExtensionManagement. Deleting the directory fixes the problem, as it is recreated when needed.
    # rm -rf /private/var/db/KernelExtensionManagement
    
  2. Set restricted flag on /private/var/db/KernelExtensionManagement
    # chflags restricted /Volumes/Macintosh\ HD/private/var/db/KernelExtensionManagement
    

Note: In case the path /private/var/db/KernelExtensionManagement does not work, you could try /Volumes/Macintosh\ HD/private/var/db/KernelExtensionManagement instead. Replace Macintosh\ HD with the name of your root volume if needed.
