diff --git a/code/apps/munkishim/.gitignore b/code/apps/munkishim/.gitignore
deleted file mode 100644
index 56d3ccbf..00000000
--- a/code/apps/munkishim/.gitignore
+++ /dev/null
@@ -1,12 +0,0 @@
-# .DS_Store files!
-.DS_Store
-
-# Xcode user data
-*.xcodeproj/project.xcworkspace/
-*.xcodeproj/xcuserdata/
-
-# ignore the MainMenu.xib for most localizations; it is generated at build time
-**/*.lproj/MainMenu.xib
-# but not the Base one!
-!**/Base.lproj/MainMenu.xib
-
diff --git a/code/apps/munkishim/munkishim.xcodeproj/project.pbxproj b/code/apps/munkishim/munkishim.xcodeproj/project.pbxproj
deleted file mode 100644
index 408ccdce..00000000
--- a/code/apps/munkishim/munkishim.xcodeproj/project.pbxproj
+++ /dev/null
@@ -1,290 +0,0 @@ -// !$*UTF8*$! -{ - archiveVersion = 1; - classes = { - }; - objectVersion = 53; - objects = { - -/* Begin PBXBuildFile section */ - C0EEC6562996D41800CA3A24 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = C0EEC6552996D41800CA3A24 /* main.m */; }; -/* End PBXBuildFile section */ - -/* Begin PBXCopyFilesBuildPhase section */ - C0EEC6502996D41800CA3A24 /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = /usr/share/man/man1/; - dstSubfolderSpec = 0; - files = ( - ); - runOnlyForDeploymentPostprocessing = 1; - }; -/* End PBXCopyFilesBuildPhase section */ - -/* Begin PBXFileReference section */ - C0EEC6522996D41800CA3A24 /* munkishim */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = munkishim; sourceTree = BUILT_PRODUCTS_DIR; }; - C0EEC6552996D41800CA3A24 /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = ""; }; -/* End PBXFileReference section */ - -/* Begin PBXFrameworksBuildPhase section */ - C0EEC64F2996D41800CA3A24 /* Frameworks */ = { - isa = PBXFrameworksBuildPhase; - buildActionMask = 2147483647; - files = ( - ); - runOnlyForDeploymentPostprocessing = 0; - }; -/* End PBXFrameworksBuildPhase section */ - -/* Begin PBXGroup section */ - C0EEC6492996D41800CA3A24 = { - isa = PBXGroup; - children = ( - C0EEC6542996D41800CA3A24 /* munkishim */, - C0EEC6532996D41800CA3A24 /* Products */, - ); - sourceTree = ""; - }; - C0EEC6532996D41800CA3A24 /* Products */ = { - isa = PBXGroup; - children = ( - C0EEC6522996D41800CA3A24 /* munkishim */, - ); - name = Products; - sourceTree = ""; - }; - C0EEC6542996D41800CA3A24 /* munkishim */ = { - isa = PBXGroup; - children = ( - C0EEC6552996D41800CA3A24 /* main.m */, - ); - path = munkishim; - sourceTree = ""; - }; -/* End PBXGroup section */ - -/* Begin PBXNativeTarget section */ - C0EEC6512996D41800CA3A24 /* munkishim */ = { - isa = PBXNativeTarget; - 
buildConfigurationList = C0EEC6592996D41800CA3A24 /* Build configuration list for PBXNativeTarget "munkishim" */; - buildPhases = ( - C0EEC64E2996D41800CA3A24 /* Sources */, - C0EEC64F2996D41800CA3A24 /* Frameworks */, - C0EEC6502996D41800CA3A24 /* CopyFiles */, - ); - buildRules = ( - ); - dependencies = ( - ); - name = munkishim; - productName = munkishim; - productReference = C0EEC6522996D41800CA3A24 /* munkishim */; - productType = "com.apple.product-type.tool"; - }; -/* End PBXNativeTarget section */ - -/* Begin PBXProject section */ - C0EEC64A2996D41800CA3A24 /* Project object */ = { - isa = PBXProject; - attributes = { - BuildIndependentTargetsInParallel = 1; - LastUpgradeCheck = 1420; - TargetAttributes = { - C0EEC6512996D41800CA3A24 = { - CreatedOnToolsVersion = 14.2; - }; - }; - }; - buildConfigurationList = C0EEC64D2996D41800CA3A24 /* Build configuration list for PBXProject "munkishim" */; - compatibilityVersion = "Xcode 8.0"; - developmentRegion = en; - hasScannedForEncodings = 0; - knownRegions = ( - en, - Base, - ); - mainGroup = C0EEC6492996D41800CA3A24; - productRefGroup = C0EEC6532996D41800CA3A24 /* Products */; - projectDirPath = ""; - projectRoot = ""; - targets = ( - C0EEC6512996D41800CA3A24 /* munkishim */, - ); - }; -/* End PBXProject section */ - -/* Begin PBXSourcesBuildPhase section */ - C0EEC64E2996D41800CA3A24 /* Sources */ = { - isa = PBXSourcesBuildPhase; - buildActionMask = 2147483647; - files = ( - C0EEC6562996D41800CA3A24 /* main.m in Sources */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; -/* End PBXSourcesBuildPhase section */ - -/* Begin XCBuildConfiguration section */ - C0EEC6572996D41800CA3A24 /* Debug */ = { - isa = XCBuildConfiguration; - buildSettings = { - ALWAYS_SEARCH_USER_PATHS = NO; - CLANG_ANALYZER_NONNULL = YES; - CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; - CLANG_CXX_LANGUAGE_STANDARD = "gnu++20"; - CLANG_ENABLE_MODULES = YES; - CLANG_ENABLE_OBJC_ARC = YES; - CLANG_ENABLE_OBJC_WEAK = YES; - 
CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; - CLANG_WARN_BOOL_CONVERSION = YES; - CLANG_WARN_COMMA = YES; - CLANG_WARN_CONSTANT_CONVERSION = YES; - CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES; - CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; - CLANG_WARN_DOCUMENTATION_COMMENTS = YES; - CLANG_WARN_EMPTY_BODY = YES; - CLANG_WARN_ENUM_CONVERSION = YES; - CLANG_WARN_INFINITE_RECURSION = YES; - CLANG_WARN_INT_CONVERSION = YES; - CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; - CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES; - CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; - CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; - CLANG_WARN_QUOTED_INCLUDE_IN_FRAMEWORK_HEADER = YES; - CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; - CLANG_WARN_STRICT_PROTOTYPES = YES; - CLANG_WARN_SUSPICIOUS_MOVE = YES; - CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; - CLANG_WARN_UNREACHABLE_CODE = YES; - CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; - COPY_PHASE_STRIP = NO; - DEBUG_INFORMATION_FORMAT = dwarf; - ENABLE_STRICT_OBJC_MSGSEND = YES; - ENABLE_TESTABILITY = YES; - GCC_C_LANGUAGE_STANDARD = gnu11; - GCC_DYNAMIC_NO_PIC = NO; - GCC_NO_COMMON_BLOCKS = YES; - GCC_OPTIMIZATION_LEVEL = 0; - GCC_PREPROCESSOR_DEFINITIONS = ( - "DEBUG=1", - "$(inherited)", - ); - GCC_WARN_64_TO_32_BIT_CONVERSION = YES; - GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; - GCC_WARN_UNDECLARED_SELECTOR = YES; - GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; - GCC_WARN_UNUSED_FUNCTION = YES; - GCC_WARN_UNUSED_VARIABLE = YES; - MACOSX_DEPLOYMENT_TARGET = 10.13; - MTL_ENABLE_DEBUG_INFO = INCLUDE_SOURCE; - MTL_FAST_MATH = YES; - ONLY_ACTIVE_ARCH = YES; - SDKROOT = macosx; - }; - name = Debug; - }; - C0EEC6582996D41800CA3A24 /* Release */ = { - isa = XCBuildConfiguration; - buildSettings = { - ALWAYS_SEARCH_USER_PATHS = NO; - CLANG_ANALYZER_NONNULL = YES; - CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; - CLANG_CXX_LANGUAGE_STANDARD = "gnu++20"; - CLANG_ENABLE_MODULES = YES; - CLANG_ENABLE_OBJC_ARC = YES; - CLANG_ENABLE_OBJC_WEAK = 
YES; - CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; - CLANG_WARN_BOOL_CONVERSION = YES; - CLANG_WARN_COMMA = YES; - CLANG_WARN_CONSTANT_CONVERSION = YES; - CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES; - CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; - CLANG_WARN_DOCUMENTATION_COMMENTS = YES; - CLANG_WARN_EMPTY_BODY = YES; - CLANG_WARN_ENUM_CONVERSION = YES; - CLANG_WARN_INFINITE_RECURSION = YES; - CLANG_WARN_INT_CONVERSION = YES; - CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; - CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES; - CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; - CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; - CLANG_WARN_QUOTED_INCLUDE_IN_FRAMEWORK_HEADER = YES; - CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; - CLANG_WARN_STRICT_PROTOTYPES = YES; - CLANG_WARN_SUSPICIOUS_MOVE = YES; - CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; - CLANG_WARN_UNREACHABLE_CODE = YES; - CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; - COPY_PHASE_STRIP = NO; - DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; - ENABLE_NS_ASSERTIONS = NO; - ENABLE_STRICT_OBJC_MSGSEND = YES; - GCC_C_LANGUAGE_STANDARD = gnu11; - GCC_NO_COMMON_BLOCKS = YES; - GCC_WARN_64_TO_32_BIT_CONVERSION = YES; - GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; - GCC_WARN_UNDECLARED_SELECTOR = YES; - GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; - GCC_WARN_UNUSED_FUNCTION = YES; - GCC_WARN_UNUSED_VARIABLE = YES; - MACOSX_DEPLOYMENT_TARGET = 10.13; - MTL_ENABLE_DEBUG_INFO = NO; - MTL_FAST_MATH = YES; - SDKROOT = macosx; - }; - name = Release; - }; - C0EEC65A2996D41800CA3A24 /* Debug */ = { - isa = XCBuildConfiguration; - buildSettings = { - "CODE_SIGN_IDENTITY[sdk=macosx*]" = "-"; - CODE_SIGN_STYLE = Manual; - DEVELOPMENT_TEAM = ""; - ENABLE_HARDENED_RUNTIME = YES; - MACOSX_DEPLOYMENT_TARGET = 10.13; - PRODUCT_BUNDLE_IDENTIFIER = com.googlecode.munki.munkishim; - PRODUCT_NAME = "$(TARGET_NAME)"; - PROVISIONING_PROFILE_SPECIFIER = ""; - }; - name = Debug; - }; - C0EEC65B2996D41800CA3A24 /* Release */ = { - isa = XCBuildConfiguration; - 
buildSettings = { - "CODE_SIGN_IDENTITY[sdk=macosx*]" = "-"; - CODE_SIGN_STYLE = Manual; - DEVELOPMENT_TEAM = ""; - ENABLE_HARDENED_RUNTIME = YES; - MACOSX_DEPLOYMENT_TARGET = 10.13; - PRODUCT_BUNDLE_IDENTIFIER = com.googlecode.munki.munkishim; - PRODUCT_NAME = "$(TARGET_NAME)"; - PROVISIONING_PROFILE_SPECIFIER = ""; - }; - name = Release; - }; -/* End XCBuildConfiguration section */ - -/* Begin XCConfigurationList section */ - C0EEC64D2996D41800CA3A24 /* Build configuration list for PBXProject "munkishim" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - C0EEC6572996D41800CA3A24 /* Debug */, - C0EEC6582996D41800CA3A24 /* Release */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Release; - }; - C0EEC6592996D41800CA3A24 /* Build configuration list for PBXNativeTarget "munkishim" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - C0EEC65A2996D41800CA3A24 /* Debug */, - C0EEC65B2996D41800CA3A24 /* Release */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Release; - }; -/* End XCConfigurationList section */ - }; - rootObject = C0EEC64A2996D41800CA3A24 /* Project object */; -} diff --git a/code/apps/munkishim/munkishim/main.m b/code/apps/munkishim/munkishim/main.m deleted file mode 100644 index 99c1b239..00000000 --- a/code/apps/munkishim/munkishim/main.m +++ /dev/null 
@@ -1,151 +0,0 @@
-//
-// main.m
-// munkishim
-//
-// A wrapper tool for Munki's managedsoftwareupdate and supervisor tools.
-// This wrapper can be code-signed, and causes the responsible process for TCC/PPPC to
-// be /usr/local/munki/managedsoftwareupdate, enabling TCC/PPPC approvals for App Management
-// and/or Full Disk Access for managedsoftwareupdate.
-//
-// Heavily indebted to work by Tor Arne Vestbø
-// (see https://www.qt.io/blog/the-curious-case-of-the-responsible-process
-// and https://github.com/qt-creator/qt-creator/blob/master/src/tools/disclaim/disclaim.mm)
-// Additional work by Kory L Prince
-// (see https://github.com/korylprince/munki-disclaim/)
-// and an Objective-C port by Per Olofsson (see https://github.com/magervalp/munki-disclaim/)
-//
-
-#include
-#include
-#include
-#include
-#import
-
-
-int responsibility_spawnattrs_setdisclaim(posix_spawnattr_t attrs, int disclaim)
- __attribute__((availability(macos,introduced=10.14), weak_import));
-
-// Category for NSArray that returns a plain C array of char * from an
-// NSArray with NSStrings
-@interface NSArray (CArrayCategory)
-
-- (char **)getCArray;
-
-@end
-
-@implementation NSArray (CArrayCategory)
-
-- (char **)getCArray
-{
- NSUInteger count = [self count];
- char **array = (char **)malloc((count + 1) * sizeof(char *));
-
- for (unsigned i = 0; i < count; i++) {
- array[i] = strdup([[self objectAtIndex:i] UTF8String]);
- }
- array[count] = NULL;
- return array;
-}
-
-@end
-
-
-// some constants
-NSString *shimmedFlg = @"--shimmed";
-NSString *munkiBinDir = @"/usr/local/munki";
-NSString *munkiPythonPath = @"/usr/local/munki/munki-python";
-
-
-// runs a Python script implementing our command
-int execPython(NSArray *args) {
- NSArray *allowedCmds = @[
- @"managedsoftwareupdate"
- ];
-
- NSString *cmd = [args[0] lastPathComponent];
- if (! [allowedCmds containsObject:cmd]) {
- printf("Unsupported cmd: %s\n", args[0].UTF8String);
- exit(EPERM);
- }
-
- // copy args and replace ".../{cmd} --shimmed" with ".../munki-python .../{cmd}.py"
- NSMutableArray *newArgs = [args mutableCopy];
- [newArgs replaceObjectAtIndex:0 withObject: munkiPythonPath];
- [newArgs replaceObjectAtIndex:1 withObject:[
- NSString stringWithFormat:@"%@/.%@.py", munkiBinDir, cmd]];
-
- char **new_argv = [newArgs getCArray];
- if (execvp(new_argv[0], &new_argv[0]) == -1) {
- return errno;
- }
- return 0;
-}
-
-#define POSIX_CHECK(expr) \
- if ((err = (expr))) { \
- exit(err); \
- }
-
-// re-launches this binary, disclaiming TCC responsiblity for it
-// (so it becomes the responsible process and we can pre-approve it
-// for App Management and/or Full Disk Access)
-int execShimmed(NSArray *args, char *const *envp) {
- int err;
- NSString *cmd = [args[0] lastPathComponent];
-
- // set argv to "--shimmed" + argv
- NSMutableArray *newArgs = [args mutableCopy];
- [newArgs replaceObjectAtIndex:0 withObject:[
- NSString stringWithFormat:@"%@/%@", munkiBinDir, cmd]];
- [newArgs insertObject:shimmedFlg atIndex:1];
- char **new_argv = [newArgs getCArray];
-
- // init posix attr
- posix_spawnattr_t attr;
- POSIX_CHECK(posix_spawnattr_init(&attr));
-
- // act like execve(2)
- short flags = POSIX_SPAWN_SETEXEC;
-
- // reset signal mask
- sigset_t sig_mask;
- sigemptyset(&sig_mask);
- POSIX_CHECK(posix_spawnattr_setsigmask(&attr, &sig_mask));
- flags |= POSIX_SPAWN_SETSIGMASK;
-
- // reset signals to default behavior
- sigset_t sig_default;
- sigfillset(&sig_default);
- POSIX_CHECK(posix_spawnattr_setsigdefault(&attr, &sig_default));
- flags |= POSIX_SPAWN_SETSIGDEF;
-
- // set flags
- POSIX_CHECK(posix_spawnattr_setflags(&attr, flags));
-
- // force TCC responsibility on child
- if (@available(macOS 10.14, *)) {
- POSIX_CHECK(responsibility_spawnattrs_setdisclaim(&attr, 1));
- }
-
- // exec shimmed process
- err = posix_spawn(NULL, new_argv[0], NULL, &attr, new_argv, envp);
-
- // clean up attr
- posix_spawnattr_destroy(&attr);
-
- return err;
-}
-
-
-int main(int argc, char * const argv[], char *const *envp) {
- NSArray *args = [[NSProcessInfo processInfo] arguments];
-
- // If we're called with --shimmed the child has been disclaimed and we
- // execute python with the original command, dropping --shimmed.
- if (args.count > 1 && [args[1] isEqualToString:shimmedFlg]) {
- return execPython(args);
- } else {
- // Otherwise we call the disclaim logic and add a --shimmed argument.
- return execShimmed(args, envp);
- }
-}