fritz

03/01/2021, 10:00 PM
@Mike Myers curious about your thoughts pertaining to a comment I posted on the Safari Extensions issue: https://github.com/osquery/osquery/issues/6498 I found what I believe to be a better data source.

Mike Myers

03/01/2021, 10:08 PM
hmm on my system it seems like my current user can't read it?
mmyers@MMyers-MBP13 ~/P/E/o/o/build> cat ~/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist
cat: /Users/mmyers/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist: Operation not permitted
mmyers@MMyers-MBP13 ~/P/E/o/o/build [1]> ls -la ~/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist
-rw-r--r--@ 1 mmyers  staff  463 Nov 18 08:39 /Users/mmyers/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist
I'll test your query in a VM

fritz

03/01/2021, 10:10 PM
Interesting, are you running as root or regular user?

Mike Myers

03/01/2021, 10:11 PM
on my host macOS I run as a standard user

fritz

03/01/2021, 10:11 PM
Whoops, just reread your pasted block of text. What happens when you try to read it with sudo?

Mike Myers

03/01/2021, 10:12 PM
I'll know in a minute (VM starting)

fritz

03/01/2021, 10:13 PM
I am now wondering how many other tables cannot be queried outside of standard user context.
I can't think of one off-hand...

Mike Myers

03/01/2021, 10:13 PM
I see that the file doesn't exist if you don't have any extensions yet
one moment
oh yea, there are several tables that don't return full or any results when run as a standard user
ok, on the 10.15 VM, that file is readable no problem (admin user)
although, the query you mentioned doesn't seem to parse it
mmyers@mmyerss-Mac ~ % sudo osqueryi
Password:
Using a virtual database. Need help, type '.help'
osquery> WITH 
    ...> app_extensions_flat AS (
    ...>   SELECT * FROM plist 
    ...>   WHERE path LIKE '/Applications/%.app/Contents/PlugIns/%Extension.appex/Contents/Info.plist'),
    ...> app_extension_pivot AS (
    ...>   SELECT 
    ...>     SPLIT(path, '/', 1) AS extension_parent_app,
    ...>     MAX(CASE WHEN key = 'CFBundleIdentifier' THEN value END) AS bundle_identifier,
    ...>     MAX(CASE WHEN key = 'CFBundleDisplayName' THEN value END) AS display_name,
    ...>     MAX(CASE WHEN key = 'NSHumanReadableDescription' THEN value END) AS description,
    ...>     MAX(CASE WHEN key = 'CFBundleShortVersionString' THEN value END) AS bundle_short_version,
    ...>     MAX(CASE WHEN key = 'CFBundleVersion' THEN value END) AS bundle_version,
    ...>     MAX(CASE WHEN key = 'NSHumanReadableCopyright' THEN value END) AS copyright
    ...>   FROM app_extensions_flat
    ...>   GROUP BY path),
    ...> human_accounts AS (
    ...>   SELECT username, uid, directory FROM users WHERE SUBSTR(uuid,0,8) != 'FFFFEEE'),
    ...> safari_raw AS (
    ...>   SELECT 
    ...>     username, uid,
    ...>     MAX(CASE WHEN subkey = 'Enabled' THEN value END) AS enabled,
    ...>     MAX(CASE WHEN subkey LIKE '%Level' THEN value END) AS level,
    ...>     MAX(CASE WHEN subkey LIKE '%Has Injected Content' THEN value END) AS has_injected_content,
    ...>     REGEX_SPLIT(key,' \(', 0) AS bundle_identifier, 
    ...>     REGEX_MATCH(key,'\((.*?)\)', 1) AS extension_id
    ...>   FROM plist JOIN human_accounts ha ON directory = '/Users/' || SPLIT(path,'/',1) 
    ...>   WHERE path LIKE '/Users/%/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist'
    ...>   GROUP BY key, path),
    ...> -- Remove nulls
    ...> safari_extensions_plist AS (
    ...>   SELECT * FROM safari_raw WHERE enabled NOT NULL)
    ...> SELECT * FROM safari_extensions_plist LEFT JOIN app_extension_pivot USING(bundle_identifier);
osquery>
mmyers@mmyerss-Mac ~ % cat ~/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.adguard.safari.AdGuard.AdvancedBlocking (TC3Q7MAJXF)</key>
	<dict>
		<key>WebsiteAccess</key>
		<dict>
			<key>Allowed Domains</key>
			<array/>
			<key>Has Injected Content</key>
			<true/>
			<key>Level</key>
			<string>All</string>
		</dict>
	</dict>
	<key>com.adguard.safari.AdGuard.Extension (TC3Q7MAJXF)</key>
	<dict>
		<key>WebsiteAccess</key>
		<dict>
			<key>Allowed Domains</key>
			<array/>
			<key>Has Injected Content</key>
			<true/>
			<key>Level</key>
			<string>All</string>
		</dict>
	</dict>
</dict>
</plist>

fritz

03/01/2021, 10:18 PM
ahhhh
I bet it is TCC related

Mike Myers

03/01/2021, 10:19 PM
maybe a Big Sur change. I'll try the macOS 11 VM

fritz

03/01/2021, 10:19 PM
This was on Catalina
But I have Full Disk Access for Terminal
I wonder if that is the blocker

Mike Myers

03/01/2021, 10:21 PM
like if I gave Terminal the Full Disk Access? I can try that now in my host
yep that was it, I can view that file now from CLI tools

fritz

03/01/2021, 10:23 PM
yeah, so this file must be in one of the TCC protected directories
Which isn't terrifically surprising.
This is going to increasingly become the case I suspect for some of these buried plists.

Mike Myers

03/01/2021, 10:24 PM
if it's common to add that permission to osqueryd then it wouldn't be a problem?

fritz

03/01/2021, 10:27 PM
We typically recommend customers grant osqueryd FDA perms since without them the agent is prevented from accessing various directories. I am unsure what other vendors and osquery admins are doing with regards to recommendations.

Mike Myers

03/01/2021, 10:28 PM
I had planned to add a section to the official docs, under macOS and Deployment

fritz

03/01/2021, 10:29 PM
That's a great idea

Mike Myers

03/01/2021, 10:29 PM
still, I don't seem to get results with this query. Perhaps I am doing something wrong? Trying it in osqueryi, but it's a big multi-line query and I wonder if it worked.

fritz

03/01/2021, 10:32 PM
That is weird....
What's mostly weird to me about that is you have the plist on disk and verified it has data inside

Mike Myers

03/01/2021, 10:39 PM
I'll re-run with --verbose

fritz

03/01/2021, 10:39 PM
I gotta go start dinner, but I will be back around later.

Mike Myers

03/01/2021, 10:42 PM
Yea, no results, whether or not I am running osqueryi as sudo. Terminal has FDA permission, and I can cat the contents of the plist.
Maybe compare the contents of my plist file to what yours has
Specifically you mentioned that there was an enabled key, and I don't have that
yea that was it — I left feedback in the issue on GitHub

fritz

03/02/2021, 1:37 AM
I wonder if the enabled key is not created until you have disabled an extension for the first time...
that sounds like some standard stupid Apple behavior