Skip to content

Open source. Linked to the real code.

How macOS really works.

A guided tour of the open-source kernel that runs every Mac — every concept linked back to the actual file on GitHub.

Start hereExplore the subsystems

The five subsystems.

macOS is not one thing. It's a Mach kernel core wrapped in a BSD personality, fronted by a C++ driver framework, sitting on a copy-on-write filesystem, all managed by a virtual memory layer that spans every running process.

XNU / Darwin architectureThe four canonical layers Apple defines for the XNU kernel environment: application environments at the top, system libraries and daemons, the kernel itself (Mach + BSD + I/O Kit + libkern), and hardware at the bottom. A security stack on the right intersects every layer.APPLICATION ENVIRONMENTSAppsApp Store · CLI · GUIApp frameworksCocoa · UIKit · SwiftUIMetal · CoreImagegraphics + MLFoundation · CombineObj-C / Swift runtimeSYSTEM LIBRARIES & DAEMONSlibSystemlibc · libpthread · libmlibdispatchGCD queuesdylddynamic loaderlaunchd · mDNSResponderPID 1 + system servicesUSER / KERNEL BOUNDARY — THREE API TIERSsysent[+n] · BSD syscallmach_trap_table[−n]IOUserClient · mach_msgKERNEL ENVIRONMENT (XNU)Machtasks · threads · ports · IPCscheduler · exception deliveryBSDproc · syscalls · signals · ucredthe POSIX personalityI/O KitIOService · IORegistryC++ driver frameworkvm_*, thread_*mach_msgVirtual memoryvm_map · vm_object · pmapVFS + APFSvnode · vnop_* · apfs.kextlibkern · DriverKitOSObject · userland driversVM compressor · jetsamreclaim under pressureNetwork stack4.4 BSD · TCP/IP · Skywalkkextslegacy in-kernel modulesHARDWARECPU / MMUSSD · APFS HWGPU / NPUSecure EnclavePCIe · USBDRAMSEP storageSensors · Display · Wi-Fi · Bluetooth · PowerSECURITYCode signingevery binarySandboxSBPL profilesEntitlementscapability grantsSIPcsrutilSealed System VolumeMerkle rootTCCuser consentSEP-backed keysFileVaultAPRR · KPPhardware-enforced
Userspace at the top, kernel below. Each block is a subsystem you can open.
Explore the subsystems

Grounded in the source.

Apple publishes the XNU kernel and most of Darwin as open source. Every claim on this site cites a file you can open in your browser.

Browse apple-oss-distributions on GitHub

Latest articles

Articles
APFS clones and snapshots: the kernel calls that make them work
clonefile, fclonefileat, fs_snapshot — three syscalls that let you copy 50 GB in 50 milliseconds. Here's what happens under each one, and what doesn't get copied.
apfsfilesystemclonefilesnapshots
Apple Silicon and XNU: APRR, unified memory, AMX, Rosetta 2
What changed in XNU when Apple shipped its own ARM silicon — P/E cores, APRR page-permission switching, the AMX matrix coprocessor, and Rosetta 2.
apple-siliconarm64rosettaamx
DriverKit: how Apple is moving every driver out of the kernel
Same IOKit object model, userland process. Why kexts are dying, what DriverKit gives you, and how a USB driver actually crosses the boundary.
iokitdriverkitdriverskernel