#macos
fritz

03/01/2021, 10:00 PM
@Mike Myers curious about your thoughts pertaining to a comment I posted on the Safari Extensions issue: https://github.com/osquery/osquery/issues/6498 I found what I believe to be a better datasource.
Mike Myers

03/01/2021, 10:08 PM
hmm on my system it seems like my current user can't read it?
mmyers@MMyers-MBP13 ~/P/E/o/o/build> cat ~/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist
cat: /Users/mmyers/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist: Operation not permitted
mmyers@MMyers-MBP13 ~/P/E/o/o/build [1]> ls -la ~/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist
-rw-r--r--@ 1 mmyers  staff  463 Nov 18 08:39 /Users/mmyers/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist
10:08 PM
I'll test your query in a VM
fritz

03/01/2021, 10:10 PM
Interesting, are you running as root or regular user?
Mike Myers

03/01/2021, 10:11 PM
on my host macOS I run as a standard user
fritz

03/01/2021, 10:11 PM
whoops just reread your pasted block of text, what happens when you try to read with sudo?
Mike Myers

03/01/2021, 10:12 PM
I'll know in a minute (VM starting)
fritz

03/01/2021, 10:13 PM
I am now wondering how many other tables cannot be queried outside of standard user context.
10:13 PM
I can't think of one off-hand...
Mike Myers

03/01/2021, 10:13 PM
I see that the file doesn't exist if you don't have any extensions yet
10:14 PM
one moment
10:14 PM
oh yea there are several tables that don't return full or any results, when run as standard user
10:16 PM
ok, on the 10.15 VM, that file is readable no problem (admin user)
10:17 PM
although, the query you mentioned doesn't seem to parse it
10:17 PM
mmyers@mmyerss-Mac ~ % sudo osqueryi
Password:
Using a virtual database. Need help, type '.help'
osquery> WITH 
    ...> app_extensions_flat AS (
    ...>   SELECT * FROM plist 
    ...>   WHERE path LIKE '/Applications/%.app/Contents/PlugIns/%Extension.appex/Contents/Info.plist'),
    ...> app_extension_pivot AS (
    ...>   SELECT 
    ...>     SPLIT(path, '/', 1) AS extension_parent_app,
    ...>     MAX(CASE WHEN key = 'CFBundleIdentifier' THEN value END) AS bundle_identifier,
    ...>     MAX(CASE WHEN key = 'CFBundleDisplayName' THEN value END) AS display_name,
    ...>     MAX(CASE WHEN key = 'NSHumanReadableDescription' THEN value END) AS description,
    ...>     MAX(CASE WHEN key = 'CFBundleShortVersionString' THEN value END) AS bundle_short_version,
    ...>     MAX(CASE WHEN key = 'CFBundleVersion' THEN value END) AS bundle_version,
    ...>     MAX(CASE WHEN key = 'NSHumanReadableCopyright' THEN value END) AS copyright
    ...>   FROM app_extensions_flat
    ...>   GROUP BY path),
    ...> human_accounts AS (
    ...>   SELECT username, uid, directory FROM users WHERE SUBSTR(uuid,0,8) != 'FFFFEEE'),
    ...> safari_raw AS (
    ...>   SELECT 
    ...>     username, uid,
    ...>     MAX(CASE WHEN subkey = 'Enabled' THEN value END) AS enabled,
    ...>     MAX(CASE WHEN subkey LIKE '%Level' THEN value END) AS level,
    ...>     MAX(CASE WHEN subkey LIKE '%Has Injected Content' THEN value END) AS has_injected_content,
    ...>     REGEX_SPLIT(key,' \(', 0) AS bundle_identifier, 
    ...>     REGEX_MATCH(key,'\((.*?)\)', 1) AS extension_id
    ...>   FROM plist JOIN human_accounts ha ON directory = '/Users/' || SPLIT(path,'/',1) 
    ...>   WHERE path LIKE '/Users/%/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist'
    ...>   GROUP BY key, path),
    ...> -- Remove nulls
    ...> safari_extensions_plist AS (
    ...>   SELECT * FROM safari_raw WHERE enabled NOT NULL)
    ...> SELECT * FROM safari_extensions_plist LEFT JOIN app_extension_pivot USING(bundle_identifier);
osquery>
10:18 PM
mmyers@mmyerss-Mac ~ % cat ~/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.adguard.safari.AdGuard.AdvancedBlocking (TC3Q7MAJXF)</key>
	<dict>
		<key>WebsiteAccess</key>
		<dict>
			<key>Allowed Domains</key>
			<array/>
			<key>Has Injected Content</key>
			<true/>
			<key>Level</key>
			<string>All</string>
		</dict>
	</dict>
	<key>com.adguard.safari.AdGuard.Extension (TC3Q7MAJXF)</key>
	<dict>
		<key>WebsiteAccess</key>
		<dict>
			<key>Allowed Domains</key>
			<array/>
			<key>Has Injected Content</key>
			<true/>
			<key>Level</key>
			<string>All</string>
		</dict>
	</dict>
</dict>
</plist>
fritz

03/01/2021, 10:18 PM
ahhhh
10:19 PM
I bet it is TCC related
Mike Myers

03/01/2021, 10:19 PM
maybe a Big Sur change. I'll try the macOS 11 VM
fritz

03/01/2021, 10:19 PM
This was on catalina
10:19 PM
But i have Full Disk Access for terminal
10:20 PM
I wonder if that is the blocker
Mike Myers

03/01/2021, 10:21 PM
like if I gave Terminal the Full Disk Access? I can try that now in my host
10:22 PM
yep that was it, I can view that file now from CLI tools
fritz

03/01/2021, 10:23 PM
yeah, so this file must be in one of the tcc protected directories
10:23 PM
Which isn't terrifically surprising.
10:24 PM
This is going to increasingly become the case I suspect for some of these buried plists.
Mike Myers

03/01/2021, 10:24 PM
if it's common to add that permission to osqueryd then it wouldn't be a problem?
fritz

03/01/2021, 10:27 PM
We typically recommend customers grant osqueryd FDA perms since without them the agent is prevented from accessing various directories. I am unsure what other vendors and osquery admins are doing with regards to recommendations.
Mike Myers

03/01/2021, 10:28 PM
I had planned to add a section to the official docs, under macOS and Deployment
fritz

03/01/2021, 10:29 PM
That's a great idea
Mike Myers

03/01/2021, 10:29 PM
still, I don't seem to get results with this query. Perhaps I am doing something wrong? Trying it in osqueryi, but it's a big multi-line query and I wonder if it worked.
fritz

03/01/2021, 10:32 PM
That is weird....
10:34 PM
What's mostly weird to me about that is you have the plist on disk and verified it has data inside
Mike Myers

03/01/2021, 10:39 PM
I'll re-run with --verbose
fritz

03/01/2021, 10:39 PM
I gotta go start dinner, but I will be back around later.
Mike Myers

03/01/2021, 10:42 PM
Yea, no results. Whether or not I am running osqueryi as sudo. Terminal has FDA permission, and I can cat the contents of the plist.
10:45 PM
Maybe compare the contents of my plist file to what yours has
10:49 PM
Specifically you mentioned that there was an enabled key, and I don't have that
10:52 PM
yea that was it — I left feedback in the issue on GitHub
fritz

03/02/2021, 1:37 AM
I wonder if the enabled key is not created until you have disabled an extension for the first time...
1:37 AM
that sounds like some standard stupid apple behavior