
MacOS `safari_extensions` table returned nothing

Open zhumo opened this issue 2 years ago • 4 comments

Problem

I installed DDG and 1Password extensions on my Mac's Safari.


I then ran the following query: `SELECT * FROM users JOIN safari_extensions USING(uid)`. It returned blank.

When I ran that same query again for both chrome_extensions and firefox_addons, it returned results as expected.

Requirements

  • Investigate why safari_extensions is not returning anything

Parent Epic

  • https://github.com/fleetdm/fleet/issues/4973

zhumo avatar Jul 28 '22 17:07 zhumo

Wondering if this is due to changes to Safari extensions in the last couple macOS releases...

GuillaumeRoss avatar Jul 28 '22 19:07 GuillaumeRoss

I manually installed an extension just to be sure, and it's definitely not working on macOS 12.5. Tested with osquery running as both user and root (with join to users table).

@sharvilshah any ideas about what changed?

zwass avatar Aug 11 '22 16:08 zwass

Looks like what we know as Safari Extensions are deprecated, and there is now "Safari App Extension"

https://developer.apple.com/documentation/safariservices/safari_app_extensions/converting_a_legacy_safari_extension_to_a_safari_app_extension?language=objc

These seem to live within the .app bundle itself: for me the 1Password one is located at /Applications/1Password 7.app/Contents/PlugIns/1PasswordSafariAppExtension.appex and the format is different from the previous .safariextz

These are "sandboxed" now, there is at least some metadata about them here:

```
  AppExtensions pwd
/Users/sharvil/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions

cat Extensions.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.agilebits.onepassword7.1PasswordSafariAppExtension (2BUA8C4S2C)</key>
	<dict>
		<key>AddedDate</key>
		<date>2022-02-14T13:58:27Z</date>
		<key>Enabled</key>
		<true/>
		<key>LastSeenBaseURI</key>
		<string>safari-extension://FA1EF6BD-48C7-4135-94CC-B20CF4D94DD7/</string>
		<key>WebsiteAccess</key>
		<dict>
			<key>Allowed Domains</key>
			<array/>
			<key>Has Injected Content</key>
			<true/>
			<key>Level</key>
			<string>All</string>
		</dict>
	</dict>
	<key>com.parallels.desktop.console.OpenInIE (4C6364ACXT)</key>
	<dict>
		<key>AddedDate</key>
		<date>2022-06-06T16:49:07Z</date>
		<key>WebsiteAccess</key>
		<dict>
			<key>Allowed Domains</key>
			<array/>
			<key>Has Injected Content</key>
			<false/>
			<key>Level</key>
			<string>All</string>
		</dict>
	</dict>
</dict>
</plist>
```

sharvilshah avatar Aug 15 '22 15:08 sharvilshah
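
Added example, not part of the original thread or of osquery: one way to turn the `Extensions.plist` shown in the comment above into inventory rows (bundle identifier, team ID, enabled state, website access). The embedded sample is a trimmed copy of that plist; the function name is hypothetical, and treating a missing `Enabled` key as "not enabled" is an assumption.

```python
import plistlib
import re

# Trimmed copy of the Extensions.plist from the comment above (some keys omitted).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.agilebits.onepassword7.1PasswordSafariAppExtension (2BUA8C4S2C)</key>
  <dict>
    <key>AddedDate</key><date>2022-02-14T13:58:27Z</date>
    <key>Enabled</key><true/>
    <key>WebsiteAccess</key>
    <dict>
      <key>Has Injected Content</key><true/>
      <key>Level</key><string>All</string>
    </dict>
  </dict>
  <key>com.parallels.desktop.console.OpenInIE (4C6364ACXT)</key>
  <dict>
    <key>AddedDate</key><date>2022-06-06T16:49:07Z</date>
    <key>WebsiteAccess</key>
    <dict>
      <key>Has Injected Content</key><false/>
      <key>Level</key><string>All</string>
    </dict>
  </dict>
</dict>
</plist>"""

# Top-level keys look like "<bundle identifier> (<team ID>)".
KEY_RE = re.compile(r"^(?P<bundle_id>\S+)\s+\((?P<team_id>[A-Z0-9]+)\)$")

def parse_app_extensions(data: bytes) -> list[dict]:
    """Return one row per Safari App Extension, sorted by bundle identifier."""
    rows = []
    for key, entry in plistlib.loads(data).items():
        m = KEY_RE.match(key)
        access = entry.get("WebsiteAccess", {})
        rows.append({
            "bundle_id": m["bundle_id"] if m else key,
            "team_id": m["team_id"] if m else None,
            # Assumption: an entry without "Enabled" is treated as not enabled.
            "enabled": bool(entry.get("Enabled", False)),
            "added": entry["AddedDate"].isoformat() if "AddedDate" in entry else None,
            "access_level": access.get("Level"),
            "injects_content": access.get("Has Injected Content"),
        })
    return sorted(rows, key=lambda r: r["bundle_id"])
```

On a real host the input would be the bytes of the `Extensions.plist` at the path shown above, read by a process that is permitted to open it.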

Reed, when testing MacOS 13, ran into Safari returning inaccurate information. Slack thread here: https://fleetdm.slack.com/archives/C02MP2CTQUE/p1663957171288589?thread_ts=1663768800.320469&cid=C02MP2CTQUE

zhumo avatar Sep 23 '22 18:09 zhumo

@marcosd4h Marcos to take a look and determine the estimate

zayhanlon avatar Jan 24 '23 18:01 zayhanlon

Marcos to review and provide an estimate by Friday.

zayhanlon avatar Feb 01 '23 19:02 zayhanlon

1 pt to investigate the technical scope

zayhanlon avatar Feb 15 '23 15:02 zayhanlon

Safari extensions are now treated as sandboxed applications. New extensions are installed as applications that create extension information metadata on the /Applications directory.

As an example, this is the location of the metadata for MKPlayer extension:

/Applications/MKPlayer.app/Contents/PlugIns/MKPlayer Extension.appex/Contents/Info.plist

Accessing /Applications requires the calling application to have Full Disk Access (FDA) rights. This is currently a limitation of osquery/orbit, which should be manually configured on the device to have FDA rights (see here). If a macOS host is enrolled in MDM, the FDA permissions can be granted silently by pushing a "PPPC payload" configuration profile (Privacy Preferences Policy Control) that sets the SystemPolicyAllFiles (i.e., the FDA) key. A PPPC payload silently sets permissions, provided with an executable identifier called the CodeRequirement.

@zhumo @zayhanlon: The recommendation is to pair the development of the feature with the ability to deploy FDA rights to osquery/orbit through MDM

marcosd4h avatar Apr 03 '23 14:04 marcosd4h
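
Added example, not Fleet's documented PPPC config and not code from this thread: one way to check that a configuration profile grants Full Disk Access through `SystemPolicyAllFiles` and that each entry carries a `CodeRequirement`, as the comment above describes. The sample profile is constructed, its identifier and code requirement are placeholders, and the function names are hypothetical.

```python
import plistlib

PPPC_TYPE = "com.apple.TCC.configuration-profile-policy"

# Constructed sample profile. The identifier and code requirement are
# placeholders, not the real values for osquery/orbit.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.pppc",  # placeholder
    "PayloadContent": [{
        "PayloadType": PPPC_TYPE,
        "Services": {
            "SystemPolicyAllFiles": [{
                "Identifier": "/path/to/agent",  # placeholder
                "IdentifierType": "path",
                "CodeRequirement": "<CODE-REQUIREMENT-PLACEHOLDER>",
                "Allowed": True,
            }],
        },
    }],
})

def fda_grants(profile: bytes) -> list[dict]:
    """List every SystemPolicyAllFiles entry in a profile, with any problems found."""
    grants = []
    for payload in plistlib.loads(profile).get("PayloadContent", []):
        if payload.get("PayloadType") != PPPC_TYPE:
            continue
        for entry in payload.get("Services", {}).get("SystemPolicyAllFiles", []):
            problems = []
            if not entry.get("CodeRequirement", "").strip():
                problems.append("missing CodeRequirement")
            if entry.get("IdentifierType") not in ("bundleID", "path"):
                problems.append("bad IdentifierType")
            # Older profiles use the boolean "Allowed"; newer ones use "Authorization".
            allowed = entry.get("Allowed") is True or entry.get("Authorization") == "Allow"
            if not allowed:
                problems.append("entry does not allow access")
            grants.append({"identifier": entry.get("Identifier"),
                           "allowed": allowed, "problems": problems})
    return grants

def grants_fda_to(profile: bytes, identifier: str) -> bool:
    """True only if a well-formed entry allows FDA for exactly this identifier."""
    return any(g["identifier"] == identifier and g["allowed"] and not g["problems"]
               for g in fda_grants(profile))
```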

We have the PPPC config documented here.

zwass avatar Apr 03 '23 16:04 zwass

Hey @xpkoala It looks like this issue wasn't QA'd before going live. Could you test and verify?

zhumo avatar Jul 14 '23 18:07 zhumo

I don't think this has been fixed. I tried it again and got the same error.

zhumo avatar Aug 02 '23 17:08 zhumo

@zhumo I removed the bug label from this ticket because it is a bug in osquery core, so we don't want to count it against the Fleet product KPIs. I've moved it to the release board and brought it to "Awaiting QA" to make sure it still gets validated by QA.

lukeheath avatar Aug 04 '23 18:08 lukeheath

@sharon-fdm Using osquery locally it does look like the extension is still broken for me. This probably needs dev time to investigate the issue at this point.


xpkoala avatar Sep 02 '23 14:09 xpkoala

@zhumo @lukeheath we will need to prioritize this issue for some engineering work. It's an osquery core bug so it's not on our Bugs board. Need to make sure this does not 'fall between the cracks'.

sharon-fdm avatar Sep 05 '23 14:09 sharon-fdm

@sharon-fdm Thanks for following up on this. I'm not sure why I added it to the release board, I'm removing it now.

But good point, this is at risk of slipping between the cracks. I think the right next step is to assign to @zhumo since he created it, and he can bring it to feature fest if he wants to get it prioritized.

lukeheath avatar Sep 05 '23 14:09 lukeheath