-
-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
darwin/firewall: Fixes for alf_exceptions, make alf_services an alias for sharing_preferences #5378
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for your contribution, @woodruffw !
Traditional question about table integration tests, may I ask you to update it?
Alright, I've added integration tests for |
Anything else I can do to help get this merged, @akindyakov? |
Polite ping on this. Is there anything blocking another review/merge? |
|
||
/// Parse a nested (base-64 encoded) plist's alias data for its path | ||
/// Observed experimentally with /Library/Preferences/com.apple.alf.plist | ||
Status pathFromNestedPlistAliasData(const std::string& data, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you mind uploading test data into ./tests
and making a unit test for this new parsing.
I can +1 to the observation, it's the same format on a 10.14.6 test device.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, let me see if I can whip up a sanitized version of a local sample.
Looking good! Last thing needed is the unit test. |
Looks like the CI is failing on Linux due to disk exhaustion?
|
@mike-myers-tob or @Smjert, see above about disk exhaustion. Is this something we have control over within Azure? |
Some plists (like com.apple.alf) contain a weird nested (base64-encoded) plist, which in turn contains a single NSData value. This commit updates `filterPlist` to handle this NSData case, and adds a new convenience method for extracting the POSIX path from the alias data of these weird nested plists.
Should make it a bit easier to debug these in the future, if Apple decides to change the format up.
The alf_services row was generated from an apparently unused/meaningless array in the ALF plist. sharing_preferences represents the same services and has accurate status information, so just substitute it instead.
The `alf_services` table is now an alias for `sharing_preferences`, so the functionality test should just go there.
… for sharing_preferences (osquery#5378)
This adds the
pathFromNestedPlistAliasData
function to handle an edge case in parsing some of thealias
fields in the ALF plist, and turnsalf_services
into an alias forsharing_preferences
(the original backing plist was vestigial and didn't accurately represent the state of the application firewall).