fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

MacOS `safari_extensions` table returned nothing #6950

Open zhumo opened 2 years ago

zhumo commented 2 years ago

Problem

I installed DDG and 1Password extensions on my Mac's Safari.


I then ran the following query: `SELECT * FROM users JOIN safari_extensions USING(uid)`. It returned blank.

When I ran that same query again for both chrome_extensions and firefox_addons, it returned results as expected.

Requirements

Parent Epic

GuillaumeRoss commented 2 years ago

Wondering if this is due to changes to Safari extensions in the last couple macOS releases...

zwass commented 2 years ago

I manually installed an extension just to be sure, and it's definitely not working on macOS 12.5. Tested with osquery running as both user and root (with join to users table).

@sharvilshah any ideas about what changed?

sharvilshah commented 2 years ago

Looks like what we know as Safari Extensions is deprecated, and there is now "Safari App Extension"

https://developer.apple.com/documentation/safariservices/safari_app_extensions/converting_a_legacy_safari_extension_to_a_safari_app_extension?language=objc

These seem to live within the .app bundle itself: for me the 1Password one is located at /Applications/1Password 7.app/Contents/PlugIns/1PasswordSafariAppExtension.appex and the format is different from the previous .safariextz

These are "sandboxed" now; there is at least some metadata about them here:

AppExtensions $ pwd
/Users/sharvil/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions

AppExtensions $ cat Extensions.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.agilebits.onepassword7.1PasswordSafariAppExtension (2BUA8C4S2C)</key>
    <dict>
        <key>AddedDate</key>
        <date>2022-02-14T13:58:27Z</date>
        <key>Enabled</key>
        <true/>
        <key>LastSeenBaseURI</key>
        <string>safari-extension://FA1EF6BD-48C7-4135-94CC-B20CF4D94DD7/</string>
        <key>WebsiteAccess</key>
        <dict>
            <key>Allowed Domains</key>
            <array/>
            <key>Has Injected Content</key>
            <true/>
            <key>Level</key>
            <string>All</string>
        </dict>
    </dict>
    <key>com.parallels.desktop.console.OpenInIE (4C6364ACXT)</key>
    <dict>
        <key>AddedDate</key>
        <date>2022-06-06T16:49:07Z</date>
        <key>WebsiteAccess</key>
        <dict>
            <key>Allowed Domains</key>
            <array/>
            <key>Has Injected Content</key>
            <false/>
            <key>Level</key>
            <string>All</string>
        </dict>
    </dict>
</dict>
</plist>
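
As an added example (not Fleet's or osquery's code), a small Python script that reads the Extensions.plist shown above and reports each Safari App Extension's enabled state and website-access scope, so a defender can see which enabled extensions inject content into every site. The plist path is the one quoted in the comment; the embedded sample, with made-up bundle and team ids, is constructed so the script runs offline.

```python
import plistlib
from pathlib import Path

# Per-user state file quoted in the thread; ~ expands to the user being inspected.
EXT_PLIST = Path("~/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist")


def parse_extensions(data: bytes) -> list[dict]:
    """One record per extension: ids, enabled flag, date added and website-access scope."""
    records = []
    for key, info in plistlib.loads(data).items():
        # Dict keys look like "<bundle id> (<team id>)"; tolerate a missing team id.
        bundle_id, sep, team = key.rpartition(" (")
        if not sep:
            bundle_id, team = key, ""
        access = info.get("WebsiteAccess", {})
        records.append({
            "bundle_id": bundle_id,
            "team_id": team.rstrip(")"),
            "enabled": bool(info.get("Enabled", False)),  # key absent => not enabled
            "added": info.get("AddedDate"),
            "level": access.get("Level", "None"),
            "injects_content": bool(access.get("Has Injected Content", False)),
            "allowed_domains": list(access.get("Allowed Domains", [])),
        })
    return records


def high_exposure(records: list[dict]) -> list[str]:
    """Enabled extensions that inject content into every site: review these first."""
    return [r["bundle_id"] for r in records
            if r["enabled"] and r["injects_content"] and r["level"] == "All"]


# Constructed sample modelled on the plist quoted in the thread (fake ids).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>com.example.pwmgr.SafariAppExtension (ABCDE12345)</key>
<dict><key>AddedDate</key><date>2022-02-14T13:58:27Z</date><key>Enabled</key><true/>
<key>WebsiteAccess</key><dict><key>Allowed Domains</key><array/>
<key>Has Injected Content</key><true/><key>Level</key><string>All</string></dict></dict>
<key>com.example.opener.OpenInIE (FGHIJ67890)</key>
<dict><key>AddedDate</key><date>2022-06-06T16:49:07Z</date>
<key>WebsiteAccess</key><dict><key>Allowed Domains</key><array/>
<key>Has Injected Content</key><false/><key>Level</key><string>All</string></dict></dict>
</dict></plist>"""

if __name__ == "__main__":
    p = EXT_PLIST.expanduser()
    recs = parse_extensions(p.read_bytes() if p.exists() else SAMPLE)  # real file if present
    print(*recs, sep="\n")
    print("high exposure:", high_exposure(recs))
```

Run it as the user whose Safari you are inspecting; the Containers path is per-user, which is also why the thread joins against the users table.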
zhumo commented 2 years ago

Reed, when testing MacOS 13, ran into Safari returning inaccurate information. Slack thread here: https://fleetdm.slack.com/archives/C02MP2CTQUE/p1663957171288589?thread_ts=1663768800.320469&cid=C02MP2CTQUE

zayhanlon commented 1 year ago

@marcosd4h Marcos to take a look and determine the estimate

zayhanlon commented 1 year ago

Marcos to review and provide an estimate by Friday.

zayhanlon commented 1 year ago

1 pt to investigate the technical scope

marcosd4h commented 1 year ago

Safari extensions are now treated as sandboxed applications. New extensions are installed as applications that create extension information metadata in the /Applications directory.

As an example, this is the location of the metadata for MKPlayer extension:

/Applications/MKPlayer.app/Contents/PlugIns/MKPlayer Extension.appex/Contents/Info.plist

Accessing /Applications requires the calling application to have Full Disk Access (FDA) rights. This is currently a limitation of osquery/orbit, which should be manually configured on the device to have FDA rights (see here). If a macOS host is enrolled in MDM, the FDA permissions can be granted silently by pushing a "PPPC payload" configuration profile (Privacy Preferences Policy Control) that sets the SystemPolicyAllFiles (i.e., the FDA) key. A PPPC payload silently sets permissions, provided with an executable identifier called the CodeRequirement.

@zhumo @zayhanlon: The recommendation is to pair the development of the feature with the ability to deploy FDA rights to osquery/orbit through MDM

zwass commented 1 year ago

We have the PPPC config documented here.

zhumo commented 1 year ago

Hey @xpkoala It looks like this issue wasn't QA'd before going live. Could you test and verify?

zhumo commented 1 year ago

I don't think this has been fixed. I tried it again and got the same error.

lukeheath commented 1 year ago

@zhumo I removed the bug label from this ticket because it is a bug in osquery core, so we don't want to count it against the Fleet product KPIs. I've moved it to the release board and brought it to "Awaiting QA" to make sure it still gets validated by QA.

xpkoala commented 1 year ago

@sharon-fdm Using osquery locally it does look like the extension is still broken for me. This probably needs dev time to investigate the issue at this point.


sharon-fdm commented 1 year ago

@zhumo @lukeheath we will need to prioritize this issue for some engineering work. It's an osquery core bug so it's not on our Bugs board. Need to make sure this does not 'fall between the cracks'.

lukeheath commented 1 year ago

@sharon-fdm Thanks for following up on this. I'm not sure why I added it to the release board, I'm removing it now.

But good point, this is at risk of slipping between the cracks. I think the right next step is to assign to @zhumo since he created it, and he can bring it to feature fest if he wants to get it prioritized.