Removing munkishim

This commit is contained in:
Greg Neagle
2025-06-30 08:21:40 -07:00
parent e727aa6aa2
commit cd3f18897e
3 changed files with 0 additions and 453 deletions
-12
@@ -1,12 +0,0 @@
# .DS_Store files!
.DS_Store
# Xcode user data
*.xcodeproj/project.xcworkspace/
*.xcodeproj/xcuserdata/
# ignore the MainMenu.xib for most localizations; it is generated at build time
**/*.lproj/MainMenu.xib
# but not the Base one!
!**/Base.lproj/MainMenu.xib
@@ -1,290 +0,0 @@
// !$*UTF8*$!
{
archiveVersion = 1;
classes = {
};
objectVersion = 53;
objects = {
/* Begin PBXBuildFile section */
C0EEC6562996D41800CA3A24 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = C0EEC6552996D41800CA3A24 /* main.m */; };
/* End PBXBuildFile section */
/* Begin PBXCopyFilesBuildPhase section */
C0EEC6502996D41800CA3A24 /* CopyFiles */ = {
isa = PBXCopyFilesBuildPhase;
buildActionMask = 2147483647;
dstPath = /usr/share/man/man1/;
dstSubfolderSpec = 0;
files = (
);
runOnlyForDeploymentPostprocessing = 1;
};
/* End PBXCopyFilesBuildPhase section */
/* Begin PBXFileReference section */
C0EEC6522996D41800CA3A24 /* munkishim */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = munkishim; sourceTree = BUILT_PRODUCTS_DIR; };
C0EEC6552996D41800CA3A24 /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = "<group>"; };
/* End PBXFileReference section */
/* Begin PBXFrameworksBuildPhase section */
C0EEC64F2996D41800CA3A24 /* Frameworks */ = {
isa = PBXFrameworksBuildPhase;
buildActionMask = 2147483647;
files = (
);
runOnlyForDeploymentPostprocessing = 0;
};
/* End PBXFrameworksBuildPhase section */
/* Begin PBXGroup section */
C0EEC6492996D41800CA3A24 = {
isa = PBXGroup;
children = (
C0EEC6542996D41800CA3A24 /* munkishim */,
C0EEC6532996D41800CA3A24 /* Products */,
);
sourceTree = "<group>";
};
C0EEC6532996D41800CA3A24 /* Products */ = {
isa = PBXGroup;
children = (
C0EEC6522996D41800CA3A24 /* munkishim */,
);
name = Products;
sourceTree = "<group>";
};
C0EEC6542996D41800CA3A24 /* munkishim */ = {
isa = PBXGroup;
children = (
C0EEC6552996D41800CA3A24 /* main.m */,
);
path = munkishim;
sourceTree = "<group>";
};
/* End PBXGroup section */
/* Begin PBXNativeTarget section */
C0EEC6512996D41800CA3A24 /* munkishim */ = {
isa = PBXNativeTarget;
buildConfigurationList = C0EEC6592996D41800CA3A24 /* Build configuration list for PBXNativeTarget "munkishim" */;
buildPhases = (
C0EEC64E2996D41800CA3A24 /* Sources */,
C0EEC64F2996D41800CA3A24 /* Frameworks */,
C0EEC6502996D41800CA3A24 /* CopyFiles */,
);
buildRules = (
);
dependencies = (
);
name = munkishim;
productName = munkishim;
productReference = C0EEC6522996D41800CA3A24 /* munkishim */;
productType = "com.apple.product-type.tool";
};
/* End PBXNativeTarget section */
/* Begin PBXProject section */
C0EEC64A2996D41800CA3A24 /* Project object */ = {
isa = PBXProject;
attributes = {
BuildIndependentTargetsInParallel = 1;
LastUpgradeCheck = 1420;
TargetAttributes = {
C0EEC6512996D41800CA3A24 = {
CreatedOnToolsVersion = 14.2;
};
};
};
buildConfigurationList = C0EEC64D2996D41800CA3A24 /* Build configuration list for PBXProject "munkishim" */;
compatibilityVersion = "Xcode 8.0";
developmentRegion = en;
hasScannedForEncodings = 0;
knownRegions = (
en,
Base,
);
mainGroup = C0EEC6492996D41800CA3A24;
productRefGroup = C0EEC6532996D41800CA3A24 /* Products */;
projectDirPath = "";
projectRoot = "";
targets = (
C0EEC6512996D41800CA3A24 /* munkishim */,
);
};
/* End PBXProject section */
/* Begin PBXSourcesBuildPhase section */
C0EEC64E2996D41800CA3A24 /* Sources */ = {
isa = PBXSourcesBuildPhase;
buildActionMask = 2147483647;
files = (
C0EEC6562996D41800CA3A24 /* main.m in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
/* End PBXSourcesBuildPhase section */
/* Begin XCBuildConfiguration section */
C0EEC6572996D41800CA3A24 /* Debug */ = {
isa = XCBuildConfiguration;
buildSettings = {
ALWAYS_SEARCH_USER_PATHS = NO;
CLANG_ANALYZER_NONNULL = YES;
CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE;
CLANG_CXX_LANGUAGE_STANDARD = "gnu++20";
CLANG_ENABLE_MODULES = YES;
CLANG_ENABLE_OBJC_ARC = YES;
CLANG_ENABLE_OBJC_WEAK = YES;
CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES;
CLANG_WARN_BOOL_CONVERSION = YES;
CLANG_WARN_COMMA = YES;
CLANG_WARN_CONSTANT_CONVERSION = YES;
CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES;
CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;
CLANG_WARN_DOCUMENTATION_COMMENTS = YES;
CLANG_WARN_EMPTY_BODY = YES;
CLANG_WARN_ENUM_CONVERSION = YES;
CLANG_WARN_INFINITE_RECURSION = YES;
CLANG_WARN_INT_CONVERSION = YES;
CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES;
CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES;
CLANG_WARN_OBJC_LITERAL_CONVERSION = YES;
CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;
CLANG_WARN_QUOTED_INCLUDE_IN_FRAMEWORK_HEADER = YES;
CLANG_WARN_RANGE_LOOP_ANALYSIS = YES;
CLANG_WARN_STRICT_PROTOTYPES = YES;
CLANG_WARN_SUSPICIOUS_MOVE = YES;
CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE;
CLANG_WARN_UNREACHABLE_CODE = YES;
CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
COPY_PHASE_STRIP = NO;
DEBUG_INFORMATION_FORMAT = dwarf;
ENABLE_STRICT_OBJC_MSGSEND = YES;
ENABLE_TESTABILITY = YES;
GCC_C_LANGUAGE_STANDARD = gnu11;
GCC_DYNAMIC_NO_PIC = NO;
GCC_NO_COMMON_BLOCKS = YES;
GCC_OPTIMIZATION_LEVEL = 0;
GCC_PREPROCESSOR_DEFINITIONS = (
"DEBUG=1",
"$(inherited)",
);
GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR;
GCC_WARN_UNDECLARED_SELECTOR = YES;
GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE;
GCC_WARN_UNUSED_FUNCTION = YES;
GCC_WARN_UNUSED_VARIABLE = YES;
MACOSX_DEPLOYMENT_TARGET = 10.13;
MTL_ENABLE_DEBUG_INFO = INCLUDE_SOURCE;
MTL_FAST_MATH = YES;
ONLY_ACTIVE_ARCH = YES;
SDKROOT = macosx;
};
name = Debug;
};
C0EEC6582996D41800CA3A24 /* Release */ = {
isa = XCBuildConfiguration;
buildSettings = {
ALWAYS_SEARCH_USER_PATHS = NO;
CLANG_ANALYZER_NONNULL = YES;
CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE;
CLANG_CXX_LANGUAGE_STANDARD = "gnu++20";
CLANG_ENABLE_MODULES = YES;
CLANG_ENABLE_OBJC_ARC = YES;
CLANG_ENABLE_OBJC_WEAK = YES;
CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES;
CLANG_WARN_BOOL_CONVERSION = YES;
CLANG_WARN_COMMA = YES;
CLANG_WARN_CONSTANT_CONVERSION = YES;
CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES;
CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;
CLANG_WARN_DOCUMENTATION_COMMENTS = YES;
CLANG_WARN_EMPTY_BODY = YES;
CLANG_WARN_ENUM_CONVERSION = YES;
CLANG_WARN_INFINITE_RECURSION = YES;
CLANG_WARN_INT_CONVERSION = YES;
CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES;
CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES;
CLANG_WARN_OBJC_LITERAL_CONVERSION = YES;
CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;
CLANG_WARN_QUOTED_INCLUDE_IN_FRAMEWORK_HEADER = YES;
CLANG_WARN_RANGE_LOOP_ANALYSIS = YES;
CLANG_WARN_STRICT_PROTOTYPES = YES;
CLANG_WARN_SUSPICIOUS_MOVE = YES;
CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE;
CLANG_WARN_UNREACHABLE_CODE = YES;
CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
COPY_PHASE_STRIP = NO;
DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
ENABLE_NS_ASSERTIONS = NO;
ENABLE_STRICT_OBJC_MSGSEND = YES;
GCC_C_LANGUAGE_STANDARD = gnu11;
GCC_NO_COMMON_BLOCKS = YES;
GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR;
GCC_WARN_UNDECLARED_SELECTOR = YES;
GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE;
GCC_WARN_UNUSED_FUNCTION = YES;
GCC_WARN_UNUSED_VARIABLE = YES;
MACOSX_DEPLOYMENT_TARGET = 10.13;
MTL_ENABLE_DEBUG_INFO = NO;
MTL_FAST_MATH = YES;
SDKROOT = macosx;
};
name = Release;
};
C0EEC65A2996D41800CA3A24 /* Debug */ = {
isa = XCBuildConfiguration;
buildSettings = {
"CODE_SIGN_IDENTITY[sdk=macosx*]" = "-";
CODE_SIGN_STYLE = Manual;
DEVELOPMENT_TEAM = "";
ENABLE_HARDENED_RUNTIME = YES;
MACOSX_DEPLOYMENT_TARGET = 10.13;
PRODUCT_BUNDLE_IDENTIFIER = com.googlecode.munki.munkishim;
PRODUCT_NAME = "$(TARGET_NAME)";
PROVISIONING_PROFILE_SPECIFIER = "";
};
name = Debug;
};
C0EEC65B2996D41800CA3A24 /* Release */ = {
isa = XCBuildConfiguration;
buildSettings = {
"CODE_SIGN_IDENTITY[sdk=macosx*]" = "-";
CODE_SIGN_STYLE = Manual;
DEVELOPMENT_TEAM = "";
ENABLE_HARDENED_RUNTIME = YES;
MACOSX_DEPLOYMENT_TARGET = 10.13;
PRODUCT_BUNDLE_IDENTIFIER = com.googlecode.munki.munkishim;
PRODUCT_NAME = "$(TARGET_NAME)";
PROVISIONING_PROFILE_SPECIFIER = "";
};
name = Release;
};
/* End XCBuildConfiguration section */
/* Begin XCConfigurationList section */
C0EEC64D2996D41800CA3A24 /* Build configuration list for PBXProject "munkishim" */ = {
isa = XCConfigurationList;
buildConfigurations = (
C0EEC6572996D41800CA3A24 /* Debug */,
C0EEC6582996D41800CA3A24 /* Release */,
);
defaultConfigurationIsVisible = 0;
defaultConfigurationName = Release;
};
C0EEC6592996D41800CA3A24 /* Build configuration list for PBXNativeTarget "munkishim" */ = {
isa = XCConfigurationList;
buildConfigurations = (
C0EEC65A2996D41800CA3A24 /* Debug */,
C0EEC65B2996D41800CA3A24 /* Release */,
);
defaultConfigurationIsVisible = 0;
defaultConfigurationName = Release;
};
/* End XCConfigurationList section */
};
rootObject = C0EEC64A2996D41800CA3A24 /* Project object */;
}
-151
@@ -1,151 +0,0 @@
//
// main.m
// munkishim
//
// A wrapper tool for Munki's managedsoftwareupdate and supervisor tools.
// This wrapper can be code-signed, and causes the responsible process for TCC/PPPC to
// be /usr/local/munki/managedsoftwareupdate, enabling TCC/PPPC approvals for App Management
// and/or Full Disk Access for managedsoftwareupdate.
//
// Heavily indebted to work by Tor Arne Vestbø
// (see https://www.qt.io/blog/the-curious-case-of-the-responsible-process
// and https://github.com/qt-creator/qt-creator/blob/master/src/tools/disclaim/disclaim.mm)
// Additional work by Kory L Prince
// (see https://github.com/korylprince/munki-disclaim/)
// and an Objective-C port by Per Olofsson (see https://github.com/magervalp/munki-disclaim/)
//
#include <signal.h>
#include <spawn.h>
#include <unistd.h>
#include <sysexits.h>
#import <Foundation/Foundation.h>
int responsibility_spawnattrs_setdisclaim(posix_spawnattr_t attrs, int disclaim)
__attribute__((availability(macos,introduced=10.14), weak_import));
// Category for NSArray that returns a plain C array of char * from an
// NSArray with NSStrings
@interface NSArray (CArrayCategory)
- (char **)getCArray;
@end
@implementation NSArray (CArrayCategory)
- (char **)getCArray
{
NSUInteger count = [self count];
char **array = (char **)malloc((count + 1) * sizeof(char *));
for (unsigned i = 0; i < count; i++) {
array[i] = strdup([[self objectAtIndex:i] UTF8String]);
}
array[count] = NULL;
return array;
}
@end
// some constants
NSString *shimmedFlg = @"--shimmed";
NSString *munkiBinDir = @"/usr/local/munki";
NSString *munkiPythonPath = @"/usr/local/munki/munki-python";
// runs a Python script implementing our command
int execPython(NSArray<NSString *> *args) {
NSArray *allowedCmds = @[
@"managedsoftwareupdate"
];
NSString *cmd = [args[0] lastPathComponent];
if (! [allowedCmds containsObject:cmd]) {
printf("Unsupported cmd: %s\n", args[0].UTF8String);
exit(EPERM);
}
// copy args and replace ".../{cmd} --shimmed" with ".../munki-python .../{cmd}.py"
NSMutableArray *newArgs = [args mutableCopy];
[newArgs replaceObjectAtIndex:0 withObject: munkiPythonPath];
[newArgs replaceObjectAtIndex:1 withObject:[
NSString stringWithFormat:@"%@/.%@.py", munkiBinDir, cmd]];
char **new_argv = [newArgs getCArray];
if (execvp(new_argv[0], &new_argv[0]) == -1) {
return errno;
}
return 0;
}
#define POSIX_CHECK(expr) \
if ((err = (expr))) { \
exit(err); \
}
// re-launches this binary, disclaiming TCC responsiblity for it
// (so it becomes the responsible process and we can pre-approve it
// for App Management and/or Full Disk Access)
int execShimmed(NSArray<NSString *> *args, char *const *envp) {
int err;
NSString *cmd = [args[0] lastPathComponent];
// set argv to "--shimmed" + argv
NSMutableArray *newArgs = [args mutableCopy];
[newArgs replaceObjectAtIndex:0 withObject:[
NSString stringWithFormat:@"%@/%@", munkiBinDir, cmd]];
[newArgs insertObject:shimmedFlg atIndex:1];
char **new_argv = [newArgs getCArray];
// init posix attr
posix_spawnattr_t attr;
POSIX_CHECK(posix_spawnattr_init(&attr));
// act like execve(2)
short flags = POSIX_SPAWN_SETEXEC;
// reset signal mask
sigset_t sig_mask;
sigemptyset(&sig_mask);
POSIX_CHECK(posix_spawnattr_setsigmask(&attr, &sig_mask));
flags |= POSIX_SPAWN_SETSIGMASK;
// reset signals to default behavior
sigset_t sig_default;
sigfillset(&sig_default);
POSIX_CHECK(posix_spawnattr_setsigdefault(&attr, &sig_default));
flags |= POSIX_SPAWN_SETSIGDEF;
// set flags
POSIX_CHECK(posix_spawnattr_setflags(&attr, flags));
// force TCC responsibility on child
if (@available(macOS 10.14, *)) {
POSIX_CHECK(responsibility_spawnattrs_setdisclaim(&attr, 1));
}
// exec shimmed process
err = posix_spawn(NULL, new_argv[0], NULL, &attr, new_argv, envp);
// clean up attr
posix_spawnattr_destroy(&attr);
return err;
}
int main(int argc, char * const argv[], char *const *envp) {
NSArray<NSString *> *args = [[NSProcessInfo processInfo] arguments];
// If we're called with --shimmed the child has been disclaimed and we
// execute python with the original command, dropping --shimmed.
if (args.count > 1 && [args[1] isEqualToString:shimmedFlg]) {
return execPython(args);
} else {
// Otherwise we call the disclaim logic and add a --shimmed argument.
return execShimmed(args, envp);
}
}