Uploading Privileges 2.5 source code

Author: sdicosta

source/Icon Dummy/AppDelegate.h

@@ -19,6 +19,5 @@
 
 @interface AppDelegate : NSObject <NSApplicationDelegate>
 
-
 @end
 

source/Privileges.xcodeproj/project.pbxproj

@@ -268,7 +268,7 @@ - (void)showMainWindow
         }
 
         if (![_privilegesApp hideSettingsButton]) { [_alert addButtonWithTitle:NSLocalizedString(@"settingsButton", nil)]; }
-        [_alert addButtonWithTitle:NSLocalizedString(@"cancelButton", nil)];
+        NSButton *cancelButton = [_alert addButtonWithTitle:NSLocalizedString(@"cancelButton", nil)];
         [_alert setAlertStyle:NSAlertStyleInformational];
         if (![[NSWorkspace sharedWorkspace] isVoiceOverEnabled] && ![_privilegesApp hideHelpButton]) { [_alert setShowsHelp:YES]; }
         [_alert setDelegate:self];
@@ -286,6 +286,9 @@ - (void)showMainWindow
                                                             NSHeight([[_alert accessoryView] frame])
                                                             )
             ];
+            
+            // make sure the text field is selected
+            [cancelButton setRefusesFirstResponder:YES];
         }
     }
 

source/Privileges/AppDelegate.m

@@ -536,6 +536,22 @@
                                     you are doing so.
                                 -->
                                 <key>ForceUpdatePrebootVolume</key>
+                                <true/>
+                                
+                                <!--
+                                    key:    EnableSystemExtension
+                                    value:  a boolean
+                                  
+                                    When set to true, the Privileges system extension is enabled. The system
+									extension protects the Privileges application and its components against
+									unauthorized modifications, deactivation, or uninstallation. Once this
+									key has been set, it is no longer possible to enable or disable the
+									extension using PrivilegesCLI.
+                                
+                                    Please make sure you grant the Privileges system extension full disk
+                                    access, otherwise it will not work.
+                                -->
+                                <key>EnableSystemExtension</key>
                                 <true/>
 
 								<!--
@@ -698,9 +714,9 @@
 									<key>SyslogOptions</key>
 									<dict>
                                         <key>ServerPort</key>
-                                        <integer>514</integer>
+                                        <integer>6514</integer>
                                         <key>UseTLS</key>
-                                        <false/>
+                                        <true/>
 										<key>LogFacility</key>
 										<integer>4</integer>
 										<key>LogSeverity</key>

source/Privileges/Base.lproj/Main.storyboard

@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>MachServices</key>
+	<dict>
+		<key>corp.sap.privileges.helper.xpc</key>
+		<true/>
+	</dict>
+	<key>Label</key>
+	<string>corp.sap.privileges.helper</string>
+	<key>Program</key>
+	<string>/Applications/Privileges.app/Contents/MacOS/PrivilegesHelper.app/Contents/MacOS/PrivilegesHelper</string>
+	<key>AssociatedBundleIdentifiers</key>
+	<string>corp.sap.privileges</string>
+	<key>SpawnConstraint</key>
+	<dict>
+		<key>team-identifier</key>
+		<string>7R5ZEU67FQ</string>
+		<key>signing-identifier</key>
+		<string>corp.sap.privileges.helper</string>
+	</dict>
+</dict>
+</plist>

source/Privileges/Privileges.mobileconfig

@@ -19,6 +19,7 @@
 #import "MTPrivileges.h"
 #import "MTCodeSigning.h"
 #import "MTDaemonConnection.h"
+#import "MTSystemExtension.h"
 #import "MTSystemInfo.h"
 #import "Constants.h"
 #import "MTIdentity.h"
@@ -36,11 +37,13 @@ @interface AppDelegate ()
 @property (nonatomic, strong, readwrite) NSTimer *expirationTimer;
 @property (nonatomic, strong, readwrite) NSTimer *statusItemTimer;
 @property (nonatomic, strong, readwrite) NSTimer *animationTimer;
+@property (nonatomic, strong, readwrite) NSTimer *fixTimeoutObserverTimer;
 @property (nonatomic, strong, readwrite) NSDate *timerExpirationDate;
 @property (nonatomic, strong, readwrite) NSUserDefaults *userDefaults;
 @property (nonatomic, strong, readwrite) NSUserDefaults *appGroupDefaults;
 @property (nonatomic, strong, readwrite) MTLocalNotification *userNotification;
 @property (nonatomic, strong, readwrite) MTDaemonConnection *daemonConnection;
+@property (nonatomic, strong, readwrite) MTSystemExtension *systemExtension;
 @property (nonatomic, strong, readwrite) NSStatusItem *statusItem;
 @property (nonatomic, strong, readwrite) MTStatusItemMenu *statusMenu;
 @property (nonatomic, strong, readwrite) MTRemoteLoggingManager *logManager;
@@ -76,6 +79,7 @@ - (void)applicationDidFinishLaunching:(NSNotification *)aNotification
         [_listener resume];
 
         _daemonConnection = [[MTDaemonConnection alloc] init];
+        _systemExtension = [[MTSystemExtension alloc] init];
         _userDefaults = [NSUserDefaults standardUserDefaults];
         _appGroupDefaults = [[NSUserDefaults alloc] initWithSuiteName:kMTAppGroupIdentifier];
 
@@ -153,6 +157,7 @@ - (void)applicationDidFinishLaunching:(NSNotification *)aNotification
                               kMTDefaultsShowInMenuBarKey,
                               kMTDefaultsShowRemainingTimeInMenuBarKey,
                               kMTDefaultsRemoteLoggingKey,
+                              kMTDefaultsEnableSystemExtensionKey,
                               nil
         ];
 
@@ -236,6 +241,9 @@ - (void)applicationDidFinishLaunching:(NSNotification *)aNotification
 
         // initialize the logging manager
         [self initializeLogManager];
+        
+        // force system extension state if configured
+        [self handleSystemExtensionConfigChange];
     }
 }
 
@@ -260,12 +268,14 @@ - (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConne
 
         if (taskRef) {
 
-            if (SecTaskValidateForRequirement(taskRef, (__bridge CFStringRef)(reqString)) == errSecSuccess) {
+            OSStatus result = SecTaskValidateForRequirement(taskRef, (__bridge CFStringRef)(reqString));
+            
+            if (result == errSecSuccess) {
 
                 acceptConnection = YES;
 
-                newConnection.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(PrivilegesAgentProtocol)];
-                newConnection.exportedObject = self;
+                [newConnection setExportedInterface:[NSXPCInterface interfaceWithProtocol:@protocol(PrivilegesAgentProtocol)]];
+                [newConnection setExportedObject:self];
 
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Warc-retain-cycles"
@@ -282,7 +292,7 @@ - (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConne
 
             } else {
 
-                os_log_with_type(OS_LOG_DEFAULT, OS_LOG_TYPE_ERROR, "SAPCorp: Code signature verification failed");
+                os_log_with_type(OS_LOG_DEFAULT, OS_LOG_TYPE_ERROR, "SAPCorp: Code signature verification failed (error %d)", result);
             }
 
             CFRelease(taskRef);
@@ -612,7 +622,7 @@ - (void)displayNotificationOfType:(MTLocalNotificationType)type
             notificationMessage = NSLocalizedString(@"notificationMessage_RenewSuccess", nil);
             break;
 
-        default:
+        case MTLocalNotificationTypeNoChange:
             break;
     }
 
@@ -628,40 +638,92 @@ - (void)displayNotificationOfType:(MTLocalNotificationType)type
     }
 }
 
+- (void)handleSystemExtensionConfigChange
+{
+    if (@available(macOS 13.0, *)) {
+
+        if ([_privilegesApp systemExtensionIsForced]) {
+            
+            BOOL enableExtension = [_privilegesApp enableSystemExtension];
+            [_systemExtension statusWithReply:^(NSString *status) {
+                
+                dispatch_async(dispatch_get_main_queue(), ^{
+                    
+                    if ([status isEqualToString:kMTExtensionStatusEnabled] && !enableExtension) {
+                        
+                        [self->_systemExtension disableWithCompletionHandler:^(BOOL success, NSError *error) {
+                            
+                            return;
+                        }];
+                        
+                    } else if ([status isEqualToString:kMTExtensionStatusDisabled] && enableExtension) {
+                        
+                        [self->_systemExtension enableWithCompletionHandler:^(BOOL success, NSError *error) {
+                            
+                            [self->_systemExtension statusWithReply:^(NSString *status) {
+                                
+                                if ([status rangeOfString:@"waiting"].location != NSNotFound) {
+                                    
+                                    os_log_with_type(OS_LOG_DEFAULT, OS_LOG_TYPE_ERROR, "SAPCorp: System extension is waiting for full disk access");
+                                }
+                            }];
+                        }];
+                    }
+                });
+            }];
+        }
+    }
+}
+
 - (void)observeValueForKeyPath:(NSString *)keyPath ofObject:(id)object change:(NSDictionary<NSKeyValueChangeKey,id> *)change context:(void *)context
 {
     if (object == [_privilegesApp userDefaults] && [_keysToObserve containsObject:keyPath]) {
 
-        if ([keyPath isEqualToString:kMTDefaultsEnforcePrivilegesKey] ||
-            [keyPath isEqualToString:kMTDefaultsLimitToUserKey] ||
-            [keyPath isEqualToString:kMTDefaultsLimitToGroupKey]) {
+        if ([keyPath isEqualToString:kMTDefaultsEnableSystemExtensionKey]) {
 
-            [self enforceFixedPrivileges];
+            // workaround for bug that is causing observeValueForKeyPath to be called multiple times.
+            // so every notification resets the timer and if we got no new notifications for 5 seconds,
+            // we evaluate the changes.
+            if (_fixTimeoutObserverTimer) { [_fixTimeoutObserverTimer invalidate]; };
+            _fixTimeoutObserverTimer = [NSTimer scheduledTimerWithTimeInterval:5.0
+                                                                       repeats:NO
+                                                                         block:^(NSTimer *timer) {
+                [self handleSystemExtensionConfigChange];
+             }];
 
-        } else if ([keyPath isEqualToString:kMTDefaultsExpirationIntervalKey] ||
-                   [keyPath isEqualToString:kMTDefaultsExpirationIntervalMaxKey]) {
+        } else {
 
-            // invalidate or (re)schedule our timer if needed
-            if ([_privilegesApp expirationInterval] == 0) {
+            if ([keyPath isEqualToString:kMTDefaultsEnforcePrivilegesKey] ||
+                [keyPath isEqualToString:kMTDefaultsLimitToUserKey] ||
+                [keyPath isEqualToString:kMTDefaultsLimitToGroupKey]) {
 
-                [self invalidateExpirationTimer];
-                                
-            } else if ([self privilegesTimeLeft] > [_privilegesApp expirationInterval] ||
-                       ([self userHasAdminPrivileges] && [self privilegesTimeLeft] == 0)) {
-             
-                [self scheduleExpirationTimerWithInterval:[_privilegesApp expirationInterval] isSavedTimer:NO];
+                [self enforceFixedPrivileges];
+                
+            } else if ([keyPath isEqualToString:kMTDefaultsExpirationIntervalKey] ||
+                       [keyPath isEqualToString:kMTDefaultsExpirationIntervalMaxKey]) {
+                
+                // invalidate or (re)schedule our timer if needed
+                if ([_privilegesApp expirationInterval] == 0) {
+                    
+                    [self invalidateExpirationTimer];
+                    
+                } else if ([self privilegesTimeLeft] > [_privilegesApp expirationInterval] ||
+                           ([self userHasAdminPrivileges] && [self privilegesTimeLeft] == 0)) {
+                    
+                    [self scheduleExpirationTimerWithInterval:[_privilegesApp expirationInterval] isSavedTimer:NO];
+                }
+                
+            } else if ([keyPath isEqualToString:kMTDefaultsRemoteLoggingKey]) {
+                
+                [self initializeLogManager];
             }
 
-        } else if ([keyPath isEqualToString:kMTDefaultsRemoteLoggingKey]) {
-
-            [self initializeLogManager];
+            // update the status item if needed
+            [self showStatusItem:[self->_privilegesApp showInMenuBar]];
+            
+            [self postConfigurationChangeNotificationForKeyPath:keyPath];
         }
 
-        // update the status item if needed
-        [self showStatusItem:[self->_privilegesApp showInMenuBar]];
-
-        [self postConfigurationChangeNotificationForKeyPath:keyPath];
-        
     } else if ((object == _appGroupDefaults && [_appGroupToObserve containsObject:keyPath]) ||
                (object == _statusItem && [keyPath isEqualToString:@"visible"])) {
 

source/Privileges/corp.sap.privileges.helper.plist

@@ -17,7 +17,6 @@
 
 #import <Foundation/Foundation.h>
 #import "PrivilegesDaemonProtocol.h"
-#import <OSLog/OSLog.h>
 #import <os/log.h>
 
 /*!
@@ -35,7 +34,7 @@
 @property (atomic, strong, readonly) NSXPCConnection *connection;
 
 /*!
- @method        connectToDaemonWithExportedObject:andExecuteCommandBlock:
+ @method        connectToDaemonAndExecuteCommandBlock:
  @abstract      Connects to the daemon and executes the given command block.
  @param         commandBlock The command block that should be executed after the connection has been established.
 */

source/PrivilegesAgent/AppDelegate.m

@@ -65,6 +65,11 @@ - (instancetype)initWithRetryIntervals:(NSArray<NSNumber*>*)intervals
 
                 _loggingObject = syslogObject;
                 _serverType = kMTRemoteLoggingServerTypeSyslog;
+                
+                if (![syslogOptions useTLS]) {
+
+                    os_log_with_type(OS_LOG_DEFAULT, OS_LOG_TYPE_ERROR, "SAPCorp: Remote syslog is configured without TLS. Events will be sent as clear text until TLS is enabled.");
+                }
 
             } else if ([[remoteLoggingConfiguration serverType] isEqualToString:kMTRemoteLoggingServerTypeWebhook]) {
 

source/PrivilegesAgent/Classes/MTDaemonConnection.h

@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<document type="com.apple.InterfaceBuilder3.Cocoa.Storyboard.XIB" version="3.0" toolsVersion="23727" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES">
+<document type="com.apple.InterfaceBuilder3.Cocoa.Storyboard.XIB" version="3.0" toolsVersion="24128" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES">
     <dependencies>
         <deployment identifier="macosx"/>
-        <plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="23727"/>
+        <plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="24128"/>
         <capability name="documents saved in the Xcode 8 format" minToolsVersion="8.0"/>
     </dependencies>
     <scenes>