Subsystems

The five subsystems

macOS is not one thing. It's a Mach kernel core wrapped in a BSD personality, fronted by a C++ driver framework, sitting on a copy-on-write filesystem, all managed by a virtual memory layer that spans every running process. Each card below opens into a deep dive of one piece.

[Figure: XNU / Darwin architecture. The four canonical layers Apple defines for the XNU kernel environment: application environments at the top, system libraries and daemons, the kernel itself (Mach + BSD + I/O Kit + libkern), and hardware at the bottom. A security stack on the right intersects every layer. Panels: Application environments; System libraries & daemons; User / kernel boundary with three API tiers (sysent[+n] · BSD syscall, mach_trap_table[−n], IOUserClient · mach_msg); Kernel environment (XNU); Hardware; Security.]
Userspace at the top; kernel below. The three entry points (BSD syscalls, Mach traps, IOUserClient) reach different parts of the kernel.
The microkernel core

Mach

Tasks, threads, ports, messages, and the virtual-memory primitives every other layer is built on top of.

The POSIX personality

BSD

Processes, files, signals, sockets, system calls — the FreeBSD-derived layer that makes XNU look like a Unix.

The driver framework

IOKit

A C++ object model that turns hardware into a tree of nodes, matched at boot and unloaded on demand.

The on-disk format

APFS

Apple File System: copy-on-write, snapshots, cloning, sealed system volumes — the format under every modern Mac.

Pages, maps, and compression

Virtual Memory

Pmap, VM map, the compressor, jetsam — how XNU gives every process a private address space without ever running out of RAM.

Signing, sandbox, SIP, SEP

Security

Code signing, sandbox profiles, System Integrity Protection, TCC, the Sealed System Volume, and the Secure Enclave — the layered policies that keep an Apple device trustworthy.

The hardware tier

Apple Silicon

How XNU adapts to Apple-designed chips: APRR/SPRR for fast W↔X switching, unified memory, the AMX matrix coprocessor, and Rosetta 2's x86_64 translation.
