Add column for system extensions managed by configuration policy (system_extensi...
source link: https://github.com/osquery/osquery/pull/6915
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
System extensions deployed on a managed environment can be configured through a device management profile. The changes add a new column (is_managed) having information if the extension is managed by a payload policy. It scans through the extension payload policies and checks the allowed team identifiers & allowed extensions dictionary.
It will be great to get feedback from the community both on the changes and uses of having the information in the table.
changed the title Add column for system extensions managed by configuration policy
Add column for system extensions managed by configuration policy (system_extensions table)
force-pushed the kumarak/systemextension_table_update
branch
from
dc36b87
to
5a3de30
11 months ago
The committers are authorized under a signed CLA.
force-pushed the kumarak/systemextension_table_update
branch
2 times, most recently
from
bd9223e
to
71af424
11 months ago
osquery/tables/system/darwin/system_extensions.mm
Outdated Show resolved
getExtensionRow(extension_value, r);
getPolicyFlag(ptree, r);
I think this code is extra recursive? If I read it correctly, you generate the ExtensionRow, which includes the team id that signed it. Then, for each one, you iterate to find the extension policies, and compare to set is_managed. Is that correct?
Naively, it feels simpler to generate the underlying policy outside the forloop, and then pass allowed_extensions and allowed_team_opt to getExtensionRow. Am I mis understanding?
@directionless, getExtensionRow and getPolicyFlag operate on two different nodes of the property tree. The one node has the list of system extension installed and the other have the policy related to the system extension.
The function getExtensionRow only gets the list of the system extension installed and for each extension, it looks into the extension policy node based on team id. The two-level of indirection makes it look extra recursive.
I see that getExtensionRow and getPolicyFlag work in different places. But looks like for each row, this calls getPolicyFlag, which mostly does the same parsing, to see if teamid is allowed. So I wonder if parsing for all allowed team IDs, then checking membership would be faster than the repeated parsing. I'm not very confident in my read here.
I don't know that you can call it "recursive." genExtensionsFromPtree has a single loop that calls getExtensionRow then (conditionally) getPolicyFlag
You're right that getPolicyFlag() does not cache its lookups, meaning it will do a small amount of work to walk the ptree again each time even if multiple rows all had the same Team ID and it was determined in the first call to getPolicyFlag() that the Team ID was allowed by MDM policy. But this is a very small amount of unnecessary work, and done only a few times per table query.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK