fix: #22297 re-enable Escrow Buddy in the auth-db (#22298)

fix: #22297 re-enable Escrow Buddy in the auth-db
fleetdm · Sep 24, 2024 · aa38b10 · aa38b10
1 parent 111b243
commit aa38b10
Showing 1 changed file with 19 additions and 1 deletion.
diff --git a/orbit/pkg/update/escrow_buddy.go b/orbit/pkg/update/escrow_buddy.go
@@ -5,8 +5,9 @@ import (
 	"sync"
 	"time"
 
-	"github.com/fleetdm/fleet/v4/server/fleet"
 	"github.com/rs/zerolog/log"
+
+	"github.com/fleetdm/fleet/v4/server/fleet"
 )
 
 // EscrowBuddyRunner sets up [Escrow Buddy][1] to rotate FileVault keys on
@@ -86,6 +87,13 @@ func (e *EscrowBuddyRunner) Run(cfg *fleet.OrbitConfig) error {
 		}
 	}
 
+	// Some macOS updates and upgrades reset the authorization database to its default state
+	// which will deactivate Escrow Buddy and prevent FileVault key generation upon next login.
+	log.Debug().Msg("EscrowBuddyRunner: re-enable Escrow Buddy in the authorization database")
+	if err := e.setAuthDBSetup(); err != nil {
+		return fmt.Errorf("failed to re-enable Escrow Buddy in the authorization database, err: %w", err)
+	}
+
 	log.Debug().Msg("EscrowBuddyRunner: enabling disk encryption rotation")
 	if err := e.setGenerateNewKeyTo(true); err != nil {
 		return fmt.Errorf("enabling disk encryption rotation: %w", err)
@@ -118,3 +126,13 @@ func (e *EscrowBuddyRunner) setGenerateNewKeyTo(enabled bool) error {
 	}
 	return fn("sh", "-c", cmd)
 }
+
+func (e *EscrowBuddyRunner) setAuthDBSetup() error {
+	log.Debug().Msg("ready to re-enable Escrow Buddy in the authorization database")
+	cmd := "/Library/Security/SecurityAgentPlugins/Escrow\\ Buddy.bundle/Contents/Resources/AuthDBSetup.sh"
+	fn := e.runCmdFunc
+	if fn == nil {
+		fn = runCmdCollectErr
+	}
+	return fn("sh", "-c", cmd)
+}