At WWDC 2019, Apple announced that macOS Catalina would reside in its own read-only volume. Security is greatly enhanced.
Over the last few years, there have been several reported vulnerabilities in macOS, despite the introduction of System Integrity Protection (SIP) as well as the usual file system protections. From Apple:
System Integrity Protection is a security technology in OS X El Capitan and later that’s designed to help prevent potentially malicious software from modifying protected files and folders on your Mac. System Integrity Protection restricts the root user account and limits the actions that the root user can perform on protected parts of the Mac operating system.
Before System Integrity Protection, the root user had no permission restrictions, so it could access any system folder or app on your Mac. Software obtained root-level access when you entered your administrator name and password to install the software. That allowed the software to modify or overwrite any system file or app.
In spite of these security improvements, ways have been found to bypass SIP. The next step Apple is taking involves putting macOS in its own volume, making it read-only, and according to the article above, required “the development of a new type of bi-directional symbolic link named a firmlink, which enables the two boot volumes to integrate and function as one.
As long as Linux has existed, as I recall, it has done something similar with the /root partition for the OS and the /home partition for user files. But there was no effort to make these two look as one, so Apple’s treatment in Catalina makes things look simpler to the user.
As an aside, macOS users have been able, all along, to put the /Users volume in a different place than the System files, but it required some mild wizardry and could cause minor problems.
From the moment that Apple announced APFS, I anticipated exactly this sort of setup – user data on one volume, macOS on another – complete separation, absolute protection for the system. Apple has implemented this in a manner that will be (almost) completely transparent to the end user ….
But there are implications. Developer Bombich continues:
HFS simply won’t work for making a backup of a Catalina system volume, so in the near future, we’re going to drop support [in CCC] for backing up macOS (Catalina and later) to HFS+ formatted volumes. We plan to make this as easy as possible for you ….
Apple is Speaking Volumes
Users won’t be very much aware of this change except in certain cases, especially with backup software that clones the startup disk. But the result is that macOS system files will be virtually impervious to modification by malware. This is just about all we know at this time. Stay tuned.