cleanup 10.14 -> 10.15 upgrade artifacts (#427)

* cleanup 10.14 -> 10.15 upgrade artifacts

* exit exit

* exit exit

Conf/Package/postinstall

@@ -27,7 +27,10 @@ fi
 /bin/launchctl load -w /Library/LaunchDaemons/com.google.santa.bundleservice.plist
 
 user=$(/usr/bin/stat -f '%u' /dev/console)
-[[ -z "$user" ]] && exit 0
+if [[ -z "$user" ]]; then
+  /Applications/Santa.app/Contents/MacOS/Santa --load-system-extension
+  exit 0
+fi
 /bin/launchctl asuser ${user} /bin/launchctl load /Library/LaunchAgents/com.google.santa.plist
 
 exit 0

Conf/install.sh

@@ -45,9 +45,7 @@ GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
 /bin/rm -rf /Library/Extensions/santa-driver.kext 2>&1
 
 # Copy new files.
-if [ ! -d /var/db/santa ] ; then
-  /bin/mkdir /var/db/santa
-fi
+/bin/mkdir -p /var/db/santa
 
 /bin/cp -r ${BINARIES}/Santa.app /Applications
 
@@ -67,14 +65,17 @@ if [ $(uname -r | cut -d'.' -f1) -lt 19 ]; then
   /bin/cp -r ${BINARIES}/santa-driver.kext /Library/Extensions
   /bin/cp ${CONF}/com.google.santad.plist /Library/LaunchDaemons
   /bin/launchctl load /Library/LaunchDaemons/com.google.santad.plist
+else
+  /Applications/Santa.app/Contents/MacOS/Santa --load-system-extension
 fi
 
 # Load the bundle service
 /bin/launchctl load /Library/LaunchDaemons/com.google.santa.bundleservice.plist
 
 # Load GUI agent if someone is logged in.
-[[ -n "$GUI_USER" ]] && \
+if [[ -n "$GUI_USER" ]]; then
   /bin/launchctl asuser ${GUI_USER} \
   /bin/launchctl load -w /Library/LaunchAgents/com.google.santa.plist
+fi
 
 exit 0

Conf/uninstall.sh

@@ -6,11 +6,15 @@
 
 [ "$EUID" != 0 ] && printf "%s\n" "This requires running as root/sudo." && exit 1
 
+# For macOS 10.15+ this will block up to 60 seconds
+/Applications/Santa.app/Contents/MacOS/Santa --unload-system-extension
+
 /bin/launchctl remove com.google.santad
 sleep 1
 /sbin/kextunload -b com.google.santa-driver >/dev/null 2>&1
 user=$(/usr/bin/stat -f '%u' /dev/console)
 [[ -n "$user" ]] && /bin/launchctl asuser ${user} /bin/launchctl remove com.google.santagui
+[[ -n "$user" ]] && /bin/launchctl asuser ${user} /bin/launchctl remove com.google.santa
 # and to clean out the log config, although it won't write after wiping the binary
 /usr/bin/killall -HUP syslogd
 # delete artifacts on-disk

Source/santa/main.m

@@ -13,11 +13,79 @@
 ///    limitations under the License.
 
 #import <Cocoa/Cocoa.h>
+#import <SystemExtensions/SystemExtensions.h>
 
+#import "Source/common/SNTXPCControlInterface.h"
 #import "Source/santa/SNTAppDelegate.h"
 
+@interface SNTSystemExtensionDelegate : NSObject<OSSystemExtensionRequestDelegate>
+@end
+
+@implementation SNTSystemExtensionDelegate
+
+#pragma mark OSSystemExtensionRequestDelegate
+
+- (OSSystemExtensionReplacementAction)request:(OSSystemExtensionRequest *)request
+                  actionForReplacingExtension:(OSSystemExtensionProperties *)old
+                                withExtension:(OSSystemExtensionProperties *)new
+    API_AVAILABLE(macos(10.15)) {
+  NSLog(@"SystemExtension \"%@\" request for replacement", request.identifier);
+  return OSSystemExtensionReplacementActionReplace;
+}
+
+- (void)requestNeedsUserApproval:(OSSystemExtensionRequest *)request API_AVAILABLE(macos(10.15)) {
+  NSLog(@"SystemExtension \"%@\" request needs user approval", request.identifier);
+}
+
+- (void)request:(OSSystemExtensionRequest *)request
+    didFailWithError:(NSError *)error API_AVAILABLE(macos(10.15)) {
+  NSLog(@"SystemExtension \"%@\" request did fail: %@", request.identifier, error);
+  exit((int)error.code);
+}
+
+- (void)request:(OSSystemExtensionRequest *)request
+    didFinishWithResult:(OSSystemExtensionRequestResult)result API_AVAILABLE(macos(10.15)) {
+  NSLog(@"SystemExtension \"%@\" request did finish: %ld", request.identifier, (long)result);
+  exit(0);
+}
+
+@end
+
 int main(int argc, const char *argv[]) {
   @autoreleasepool {
+    NSNumber *sysxOperation;
+    NSArray *args = [NSProcessInfo processInfo].arguments;
+    if ([args containsObject:@"--load-system-extension"]) {
+      sysxOperation = @(1);
+    } else if ([args containsObject:@"--unload-system-extension"]) {
+      sysxOperation = @(2);
+    }
+    if (sysxOperation) {
+      if (@available(macOS 10.15, *)) {
+        NSString *e = [SNTXPCControlInterface systemExtensionID];
+        dispatch_queue_t q = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0);
+        OSSystemExtensionRequest *req;
+        if (sysxOperation.intValue == 1) {
+          NSLog(@"Requesting SystemExtension activation");
+          req = [OSSystemExtensionRequest activationRequestForExtension:e queue:q];
+        } else if (sysxOperation.intValue == 2) {
+          NSLog(@"Requesting SystemExtension deactivation");
+          req = [OSSystemExtensionRequest deactivationRequestForExtension:e queue:q];
+        }
+        if (req) {
+          SNTSystemExtensionDelegate *ed = [[SNTSystemExtensionDelegate alloc] init];
+          req.delegate = ed;
+          [[OSSystemExtensionManager sharedManager] submitRequest:req];
+          dispatch_after(dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 60), q, ^{
+            exit(1);
+          });
+          [[NSRunLoop mainRunLoop] run];
+        }
+      } else {
+        exit(1);
+      }
+    }
+
     NSApplication *app = [NSApplication sharedApplication];
     SNTAppDelegate *delegate = [[SNTAppDelegate alloc] init];
     [app setDelegate:delegate];

Source/santad/EventProviders/SNTDriverManager.h

@@ -31,6 +31,11 @@
 ///
 - (instancetype)init;
 
+///
+///  Unloads the driver.
+///
++ (void)unloadDriver;
+
 ///
 ///  Handles requests from the kernel using the given block.
 ///  @note Loops indefinitely unless there is an error trying to read data from the data queue.

Source/santad/EventProviders/SNTDriverManager.m

@@ -62,6 +62,10 @@ - (void)dealloc {
   IOServiceClose(_connection);
 }
 
++ (void)unloadDriver {
+  KextManagerUnloadKextWithIdentifier(CFSTR(USERCLIENT_ID));
+}
+
 #pragma mark Driver Waiting
 
 // Helper function used with IOServiceAddMatchingNotification which expects

Source/santad/main.m

@@ -14,14 +14,15 @@
 
 #import <Foundation/Foundation.h>
 
-#include "Source/common/SNTLogging.h"
+#import "Source/common/SNTCommonEnums.h"
+#import "Source/common/SNTLogging.h"
+#import "Source/santad/EventProviders/SNTDriverManager.h"
+#import "Source/santad/SNTApplication.h"
 
 #include <mach/task.h>
 #include <pthread/pthread.h>
 #include <sys/resource.h>
 
-#import "Source/santad/SNTApplication.h"
-
 extern uint64_t watchdogCPUEvents;
 extern uint64_t watchdogRAMEvents;
 extern double watchdogCPUPeak;
@@ -88,20 +89,40 @@ static inline double timeval_to_double(time_value_t tv) {
   return NULL;
 }
 
+void cleanup() {
+  LOGI(@"com.google.santa.daemon is running from an unexpected path: cleaning up");
+  NSFileManager *fm = [NSFileManager defaultManager];
+  [fm removeItemAtPath:@"/Library/LaunchDaemons/com.google.santad.plist" error:NULL];
+  [SNTDriverManager unloadDriver];
+  [fm removeItemAtPath:@"/Library/Extensions/santa-driver.kext" error:NULL];
+  NSTask *t = [[NSTask alloc] init];
+  t.launchPath = @"/bin/launchctl";
+  t.arguments = @[ @"remove", @"com.google.santad" ];
+  [t launch];
+  [t waitUntilExit];
+  exit(0);
+}
+
 int main(int argc, const char *argv[]) {
   @autoreleasepool {
     // Do not wait on child processes
     signal(SIGCHLD, SIG_IGN);
 
     NSDictionary *infoDict = [[NSBundle mainBundle] infoDictionary];
+    NSProcessInfo *pi = [NSProcessInfo processInfo];
 
-    if ([[[NSProcessInfo processInfo] arguments] containsObject:@"-v"]) {
+    if ([pi.arguments containsObject:@"-v"]) {
       printf("%s\n", [infoDict[@"CFBundleVersion"] UTF8String]);
       return 0;
     }
 
     LOGI(@"Started, version %@", infoDict[@"CFBundleVersion"]);
 
+    // Handle the case of macOS < 10.15 updating to >= 10.15.
+    if (@available(macOS 10.15, *)) {
+      if ([pi.arguments.firstObject isEqualToString:@(kSantaDPath)]) cleanup();
+    }
+
     SNTApplication *s = [[SNTApplication alloc] init];
     [s start];
 

version.bzl

@@ -1,3 +1,3 @@
 """The version for all Santa components."""
 
-SANTA_VERSION = "1.0.0"
+SANTA_VERSION = "1.0.2"