https://github.com/osquery/osquery logo
Join Slack
Powered by
<@U7DT2E8B0> curious about your thoughts pertainin...
# macos
f
@Mike Myers curious about your thoughts pertaining to a comment i posted on the Safari Extensions issue: https://github.com/osquery/osquery/issues/6498 I found what I believe to be a better datasource.
m
hmm on my system it seems like my current user can't read it?
Copy code
mmyers@MMyers-MBP13 ~/P/E/o/o/build> cat ~/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist
cat: /Users/mmyers/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist: Operation not permitted
mmyers@MMyers-MBP13 ~/P/E/o/o/build [1]> ls -la ~/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist
-rw-r--r--@ 1 mmyers  staff  463 Nov 18 08:39 /Users/mmyers/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist
I'll test your query in a VM
f
Interesting, are you running as root or regular user?
m
on my host macOS I run as a standard user
f
whoops just reread your pasted block of text, what happens when you try to read with sudo?
m
I'll know in a minute (VM starting)
f
I am now wondering how many other tables cannot be queried outside of standard user context.
I can't think of one off-hand...
m
I see that the file doesn't exist if you don't have any extensions yet
one moment
oh yea there are several tables that don't return full or any results, when run as standard user
ok, on the 10.15 VM, that file is readable no problem (admin user)
although, the query you mentioned doesn't seem to parse it
Copy code
mmyers@mmyerss-Mac ~ % sudo osqueryi
Password:
Using a virtual database. Need help, type '.help'
osquery> WITH 
    ...> app_extensions_flat AS (
    ...>   SELECT * FROM plist 
    ...>   WHERE path LIKE '/Applications/%.app/Contents/PlugIns/%Extension.appex/Contents/Info.plist'),
    ...> app_extension_pivot AS (
    ...>   SELECT 
    ...>     SPLIT(path, '/', 1) AS extension_parent_app,
    ...>     MAX(CASE WHEN key = 'CFBundleIdentifier' THEN value END) AS bundle_identifier,
    ...>     MAX(CASE WHEN key = 'CFBundleDisplayName' THEN value END) AS display_name,
    ...>     MAX(CASE WHEN key = 'NSHumanReadableDescription' THEN value END) AS description,
    ...>     MAX(CASE WHEN key = 'CFBundleShortVersionString' THEN value END) AS bundle_short_version,
    ...>     MAX(CASE WHEN key = 'CFBundleVersion' THEN value END) AS bundle_version,
    ...>     MAX(CASE WHEN key = 'NSHumanReadableCopyright' THEN value END) AS copyright
    ...>   FROM app_extensions_flat
    ...>   GROUP BY path),
    ...> human_accounts AS (
    ...>   SELECT username, uid, directory FROM users WHERE SUBSTR(uuid,0,8) != 'FFFFEEE'),
    ...> safari_raw AS (
    ...>   SELECT 
    ...>     username, uid,
    ...>     MAX(CASE WHEN subkey = 'Enabled' THEN value END) AS enabled,
    ...>     MAX(CASE WHEN subkey LIKE '%Level' THEN value END) AS level,
    ...>     MAX(CASE WHEN subkey LIKE '%Has Injected Content' THEN value END) AS has_injected_content,
    ...>     REGEX_SPLIT(key,' \(', 0) AS bundle_identifier, 
    ...>     REGEX_MATCH(key,'\((.*?)\)', 1) AS extension_id
    ...>   FROM plist JOIN human_accounts ha ON directory = '/Users/' || SPLIT(path,'/',1) 
    ...>   WHERE path LIKE '/Users/%/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist'
    ...>   GROUP BY key, path),
    ...> -- Remove nulls
    ...> safari_extensions_plist AS (
    ...>   SELECT * FROM safari_raw WHERE enabled NOT NULL)
    ...> SELECT * FROM safari_extensions_plist LEFT JOIN app_extension_pivot USING(bundle_identifier);
osquery>
Copy code
mmyers@mmyerss-Mac ~ % cat ~/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "<http://www.apple.com/DTDs/PropertyList-1.0.dtd>">
<plist version="1.0">
<dict>
	<key>com.adguard.safari.AdGuard.AdvancedBlocking (TC3Q7MAJXF)</key>
	<dict>
		<key>WebsiteAccess</key>
		<dict>
			<key>Allowed Domains</key>
			<array/>
			<key>Has Injected Content</key>
			<true/>
			<key>Level</key>
			<string>All</string>
		</dict>
	</dict>
	<key>com.adguard.safari.AdGuard.Extension (TC3Q7MAJXF)</key>
	<dict>
		<key>WebsiteAccess</key>
		<dict>
			<key>Allowed Domains</key>
			<array/>
			<key>Has Injected Content</key>
			<true/>
			<key>Level</key>
			<string>All</string>
		</dict>
	</dict>
</dict>
</plist>
f
ahhhh
I bet it is TCC related
m
maybe a Big Sur change. I'll try the macOS 11 VM
f
This was on catalina
But i have Full Disk Access for terminal
image.png
I wonder if that is the blocker
m
like if I gave 
Terminal
the Full Disk Access? I can try that now in my host
yep that was it, I can view that file now from CLI tools
f
yeah, so this file must be in one of the tcc protected directories
Which isn't terrifically surprising.
This is going to increasingly become the case I suspect for some of these buried plists.
m
if it's common to add that permission to 
osqueryd
then it wouldn't be a problem?
f
We typically recommend customers grant osqueryd FDA perms since without them the agent is prevented from accessing various directories. I am unsure what other vendors and osquery admins are doing with regards to recommendations.
m
I had planned to add a section to the official docs, under macOS and Deployment
1
f
That's a great idea
m
still, I don't seem to get results with this query. Perhaps I am doing something wrong? Trying it in osqueryi, but it's a big multi-line query and I wonder if it worked.
f
That is weird....
Untitled.txt
Untitled.txt
What's mostly weird to me about that is you have the plist on disk and verified it has data inside
m
I'll re-run with 
--verbose
f
I gotta go start dinner, but I will be back around later.
🆗 1
m
Yea, no results. Whether or not I am running 
osqueryi
as sudo. Terminal has FDA permission, and I can 
cat
the contents of the plist.
Maybe compare the contents of my plist file to what yours has
Specifically you mentioned that there was an 
enabled
key, and I don't have that
yea that was it — I left feedback in the issue on GitHub
f
I wonder if the enabled key is not created until you have disabled an extension for the first time...
that sounds like some standard stupid apple behavior
apple rainbow 1
Open in Slack
PreviousNext
Powered by