Add column for system extensions managed by configuration policy (system_extensions table) #6915
Conversation
dc36b87
to
5a3de30
Compare
bd9223e
to
71af424
Compare
| getExtensionRow(extension_value, r); | ||
| getPolicyFlag(ptree, r); |
There was a problem hiding this comment.
I think this code is extra recursive? If I read it correctly, you generate the ExtensionRow, which includes the team id that signed it. Then, for each one, you iterate to find the extension policies, and compare to set is_managed. Is that correct?
Naively, it feels simpler to generate the underlying policy outside the forloop, and then pass allowed_extensions and allowed_team_opt to getExtensionRow. Am I mis understanding?
There was a problem hiding this comment.
@directionless, getExtensionRow and getPolicyFlag operate on two different nodes of the property tree. The one node has the list of system extension installed and the other have the policy related to the system extension.
The function getExtensionRow only gets the list of the system extension installed and for each extension, it looks into the extension policy node based on team id. The two-level of indirection makes it look extra recursive.
There was a problem hiding this comment.
I see that getExtensionRow and getPolicyFlag work in different places. But looks like for each row, this calls getPolicyFlag, which mostly does the same parsing, to see if teamid is allowed. So I wonder if parsing for all allowed team IDs, then checking membership would be faster than the repeated parsing. I'm not very confident in my read here.
There was a problem hiding this comment.
I don't know that you can call it "recursive." genExtensionsFromPtree has a single loop that calls getExtensionRow then (conditionally) getPolicyFlag
You're right that getPolicyFlag() does not cache its lookups, meaning it will do a small amount of work to walk the ptree again each time even if multiple rows all had the same Team ID and it was determined in the first call to getPolicyFlag() that the Team ID was allowed by MDM policy. But this is a very small amount of unnecessary work, and done only a few times per table query.
|
Ping! |
|
@theopolis, Sorry for the delay. I got busy with other stuff and didn't get time to finish the PR. I will try to address it this weekend. |
|
Seems the commit history went wrong due to rebasing. I will try fixing it. |
4a441a1
to
b89f086
Compare
update table column name
2472ebf
to
0a322dc
Compare
System extensions deployed on a managed environment can be configured through a device management profile. The changes add a new column (
is_managed) having information if the extension is managed by a payload policy. It scans through the extension payload policies and checks the allowed team identifiers & allowed extensions dictionary.It will be great to get feedback from the community both on the changes and uses of having the information in the table.
Refs: com.apple.system-extension-policy