fritz
03/01/2021, 10:00 PMMike Myers
03/01/2021, 10:08 PM
mmyers@MMyers-MBP13 ~/P/E/o/o/build> cat ~/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist
cat: /Users/mmyers/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist: Operation not permitted
mmyers@MMyers-MBP13 ~/P/E/o/o/build [1]> ls -la ~/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist
-rw-r--r--@ 1 mmyers staff 463 Nov 18 08:39 /Users/mmyers/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist
fritz
03/01/2021, 10:10 PMMike Myers
03/01/2021, 10:11 PMfritz
03/01/2021, 10:11 PMMike Myers
03/01/2021, 10:12 PMfritz
03/01/2021, 10:13 PMMike Myers
03/01/2021, 10:13 PM
mmyers@mmyerss-Mac ~ % sudo osqueryi
Password:
Using a virtual database. Need help, type '.help'
osquery> WITH -- Lists each user's Safari app-extension entries (Extensions.plist) alongside bundle metadata read from the containing app's Info.plist
...> app_extensions_flat AS ( -- raw key/value rows from extension bundles' Info.plist files
...> SELECT * FROM plist
...> WHERE path LIKE '/Applications/%.app/Contents/PlugIns/%Extension.appex/Contents/Info.plist'), -- only apps under /Applications and bundles named *Extension.appex match; other extensions get no metadata columns
...> app_extension_pivot AS ( -- one row per Info.plist (GROUP BY path); MAX(CASE ...) turns the selected keys into columns
...> SELECT
...> SPLIT(path, '/', 1) AS extension_parent_app, -- path component at index 1; presumably the '<Name>.app' directory, confirm against osquery's SPLIT
...> MAX(CASE WHEN key = 'CFBundleIdentifier' THEN value END) AS bundle_identifier,
...> MAX(CASE WHEN key = 'CFBundleDisplayName' THEN value END) AS display_name,
...> MAX(CASE WHEN key = 'NSHumanReadableDescription' THEN value END) AS description,
...> MAX(CASE WHEN key = 'CFBundleShortVersionString' THEN value END) AS bundle_short_version,
...> MAX(CASE WHEN key = 'CFBundleVersion' THEN value END) AS bundle_version,
...> MAX(CASE WHEN key = 'NSHumanReadableCopyright' THEN value END) AS copyright
...> FROM app_extensions_flat
...> GROUP BY path),
...> human_accounts AS ( -- accounts whose uuid does not begin with 'FFFFEEE'; presumably this excludes macOS system/service accounts, confirm
...> SELECT username, uid, directory FROM users WHERE SUBSTR(uuid,0,8) != 'FFFFEEE'), -- SQLite SUBSTR from position 0 with length 8 yields the first 7 characters, matching the 7-character literal
...> safari_raw AS ( -- one row per top-level plist key per file (GROUP BY key, path), i.e. per extension entry per user
...> SELECT
...> username, uid,
...> MAX(CASE WHEN subkey = 'Enabled' THEN value END) AS enabled, -- NULL when the entry has no 'Enabled' subkey
...> MAX(CASE WHEN subkey LIKE '%Level' THEN value END) AS level, -- leading % lets the subkey be nested, e.g. under WebsiteAccess
...> MAX(CASE WHEN subkey LIKE '%Has Injected Content' THEN value END) AS has_injected_content,
...> REGEX_SPLIT(key,' \(', 0) AS bundle_identifier, -- text before ' (' in keys shaped like 'bundle.id (TOKEN)'
...> REGEX_MATCH(key,'\((.*?)\)', 1) AS extension_id -- the parenthesised token from the same key
...> FROM plist JOIN human_accounts ha ON directory = '/Users/' || SPLIT(path,'/',1) -- ties each file to an account by home directory; assumes homes of the form /Users/<name>
...> WHERE path LIKE '/Users/%/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist' -- NOTE(review): this file is inside Safari's data container, which macOS may refuse to read ("Operation not permitted") unless the calling process has a privacy grant such as Full Disk Access; treat an empty result as possibly unreadable, not as "no extensions" (confirm)
...> GROUP BY key, path),
...> -- Keep only entries that have an 'Enabled' subkey. NOTE(review): entries without one are dropped even when Level / Has Injected Content are set; confirm this is intended for an inventory query
...> safari_extensions_plist AS (
...> SELECT * FROM safari_raw WHERE enabled NOT NULL) -- 'NOT NULL' is SQLite shorthand for IS NOT NULL
...> SELECT * FROM safari_extensions_plist LEFT JOIN app_extension_pivot USING(bundle_identifier); -- LEFT JOIN keeps Safari entries that have no matching Info.plist row
osquery>
mmyers@mmyerss-Mac ~ % cat ~/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.adguard.safari.AdGuard.AdvancedBlocking (TC3Q7MAJXF)</key>
<dict>
<key>WebsiteAccess</key>
<dict>
<key>Allowed Domains</key>
<array/>
<key>Has Injected Content</key>
<true/>
<key>Level</key>
<string>All</string>
</dict>
</dict>
<key>com.adguard.safari.AdGuard.Extension (TC3Q7MAJXF)</key>
<dict>
<key>WebsiteAccess</key>
<dict>
<key>Allowed Domains</key>
<array/>
<key>Has Injected Content</key>
<true/>
<key>Level</key>
<string>All</string>
</dict>
</dict>
</dict>
</plist>
fritz
03/01/2021, 10:18 PMMike Myers
03/01/2021, 10:19 PMfritz
03/01/2021, 10:19 PMMike Myers
03/01/2021, 10:21 PM
Terminal the Full Disk Access? I can try that now in my host
fritz
03/01/2021, 10:23 PMMike Myers
03/01/2021, 10:24 PM
osqueryd then it wouldn't be a problem?
fritz
03/01/2021, 10:27 PMMike Myers
03/01/2021, 10:28 PMfritz
03/01/2021, 10:29 PMMike Myers
03/01/2021, 10:29 PMfritz
03/01/2021, 10:32 PMMike Myers
03/01/2021, 10:39 PM
--verbose
fritz
03/01/2021, 10:39 PMMike Myers
03/01/2021, 10:42 PM
osqueryi as sudo. Terminal has FDA (Full Disk Access) permission, and I can cat the contents of the plist.
enabled key, and I don't have that
fritz
03/02/2021, 1:37 AM