sync: Fix USB blocking config sync (#890)

Source/common/SNTConfigurator.m

@@ -468,15 +468,15 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
 }
 
 + (NSSet *)keyPathsForValuesAffectingRemountUSBMode {
-  return [self configStateSet];
+  return [self syncAndConfigStateSet];
 }
 
 + (NSSet *)keyPathsForValuesAffectingRemountUSBBlockMessage {
-  return [self syncAndConfigStateSet];
+  return [self configStateSet];
 }
 
 + (NSSet *)keyPathsForValuesAffectingUsbBlockMessage {
-  return [self syncAndConfigStateSet];
+  return [self configStateSet];
 }
 
 #pragma mark Public Interface
@@ -577,7 +577,10 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
 }
 
 - (NSArray<NSString *> *)remountUSBMode {
-  NSArray<NSString *> *args = self.configState[kRemountUSBModeKey];
+  NSArray<NSString *> *args = self.syncState[kRemountUSBModeKey];
+  if (!args) {
+    args = (NSArray<NSString *> *)self.configState[kRemountUSBModeKey];
+  }
   for (id arg in args) {
     if (![arg isKindOfClass:[NSString class]]) {
       return nil;
@@ -855,8 +858,10 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
 }
 
 - (BOOL)blockUSBMount {
-  NSNumber *number = self.configState[kBlockUSBMountKey];
-  return number ? [number boolValue] : NO;
+  NSNumber *n = self.syncState[kBlockUSBMountKey];
+  if (n) return [n boolValue];
+
+  return [self.configState[kBlockUSBMountKey] boolValue];
 }
 
 ///

Source/santasyncservice/SNTSyncPostflight.m

@@ -59,9 +59,9 @@
                                                        reply:replyBlock];
   }
 
-  if (self.syncState.blockUSBMount) {
+  if (self.syncState.blockUSBMount != nil) {
     dispatch_group_enter(group);
-    [[self.daemonConn remoteObjectProxy] setBlockUSBMount:self.syncState.blockUSBMount
+    [[self.daemonConn remoteObjectProxy] setBlockUSBMount:[self.syncState.blockUSBMount boolValue]
                                                     reply:replyBlock];
   }
   if (self.syncState.remountUSBMode) {

Source/santasyncservice/SNTSyncPreflight.m

@@ -158,8 +158,8 @@
     self.syncState.blocklistRegex = resp[kBlockedPathRegexDeprecated];
   }
 
-  if ([resp[kBlockUSBMount] boolValue]) {
-    self.syncState.blockUSBMount = YES;
+  if ([resp[kBlockUSBMount] isKindOfClass:[NSNumber class]]) {
+    self.syncState.blockUSBMount = resp[kBlockUSBMount];
   }
 
   if ([resp[kRemountUSBMode] isKindOfClass:[NSArray class]]) {

Source/santasyncservice/SNTSyncState.h

@@ -58,7 +58,7 @@
 @property SNTClientMode clientMode;
 @property NSString *allowlistRegex;
 @property NSString *blocklistRegex;
-@property BOOL blockUSBMount;
+@property NSNumber *blockUSBMount;
 // Array of mount args for the forced remounting feature.
 @property NSArray *remountUSBMode;
 

Source/santasyncservice/SNTSyncTest.m

@@ -212,19 +212,41 @@
   XCTAssertNil(self.syncState.blocklistRegex);
 }
 
-- (void)testPreflightBlockUSBMount {
+- (void)testPreflightTurnOnBlockUSBMount {
   [self setupDefaultDaemonConnResponses];
   SNTSyncPreflight *sut = [[SNTSyncPreflight alloc] initWithState:self.syncState];
 
-  NSData *respData = [self dataFromFixture:@"sync_preflight_toggle_blockusb.json"];
+  NSData *respData = [self dataFromFixture:@"sync_preflight_turn_on_blockusb.json"];
   [self stubRequestBody:respData response:nil error:nil validateBlock:nil];
 
   XCTAssertTrue([sut sync]);
-  XCTAssertEqual(self.syncState.blockUSBMount, true);
+  XCTAssertEqualObjects(self.syncState.blockUSBMount, @1);
   NSArray<NSString *> *wantRemountUSBMode = @[ @"rdonly", @"noexec" ];
   XCTAssertEqualObjects(self.syncState.remountUSBMode, wantRemountUSBMode);
 }
 
+- (void)testPreflightTurnOffBlockUSBMount {
+  [self setupDefaultDaemonConnResponses];
+  SNTSyncPreflight *sut = [[SNTSyncPreflight alloc] initWithState:self.syncState];
+
+  NSData *respData = [self dataFromFixture:@"sync_preflight_turn_off_blockusb.json"];
+  [self stubRequestBody:respData response:nil error:nil validateBlock:nil];
+
+  XCTAssertTrue([sut sync]);
+  XCTAssertEqualObjects(self.syncState.blockUSBMount, @0);
+}
+
+- (void)testPreflightBlockUSBMountAbsent {
+  [self setupDefaultDaemonConnResponses];
+  SNTSyncPreflight *sut = [[SNTSyncPreflight alloc] initWithState:self.syncState];
+
+  NSData *respData = [self dataFromFixture:@"sync_preflight_blockusb_absent.json"];
+  [self stubRequestBody:respData response:nil error:nil validateBlock:nil];
+
+  XCTAssertTrue([sut sync]);
+  XCTAssertNil(self.syncState.blockUSBMount);
+}
+
 - (void)testPreflightDatabaseCounts {
   SNTSyncPreflight *sut = [[SNTSyncPreflight alloc] initWithState:self.syncState];
 
@@ -493,11 +515,15 @@
   OCMVerify([self.daemonConnRop setAllowedPathRegex:@"^horse$" reply:OCMOCK_ANY]);
   OCMVerify([self.daemonConnRop setBlockedPathRegex:@"^donkey$" reply:OCMOCK_ANY]);
 
-  self.syncState.blockUSBMount = YES;
+  self.syncState.blockUSBMount = @1;
   self.syncState.remountUSBMode = @[ @"readonly" ];
   XCTAssertTrue([sut sync]);
   OCMVerify([self.daemonConnRop setBlockUSBMount:YES reply:OCMOCK_ANY]);
   OCMVerify([self.daemonConnRop setRemountUSBMode:@[ @"readonly" ] reply:OCMOCK_ANY]);
+
+  self.syncState.blockUSBMount = @0;
+  XCTAssertTrue([sut sync]);
+  OCMVerify([self.daemonConnRop setBlockUSBMount:NO reply:OCMOCK_ANY]);
 }
 
 @end

Source/santasyncservice/testdata/sync_preflight_blockusb_absent.json

@@ -0,0 +1 @@
+{"allowed_path_regex": null, "client_mode": "LOCKDOWN", "blocked_path_regex": null, "batch_size": 100}

Source/santasyncservice/testdata/sync_preflight_turn_off_blockusb.json

@@ -0,0 +1 @@
+{"allowed_path_regex": null, "client_mode": "LOCKDOWN", "blocked_path_regex": null, "batch_size": 100, "block_usb_mount":false}

docs/deployment/configuration.md

@@ -67,6 +67,8 @@ also known as mobileconfig files, which are in an Apple-specific XML format.
 | MetricExtraLabels                 | Dictionary | A map of key value pairs to add to all metric root labels. (e.g. a=b,c=d) defaults to @{}). If a previously set key (e.g. host_name is set to "" then the key is remove from the metric root labels. Alternatively if a value is set for an existing key then the new value will override the old. |
 | EnableAllEventUpload              | Bool       | If YES, the client will upload all execution events to the sync server, including those that were explicitly allowed. |
 | DisableUnknownEventUpload         | Bool       | If YES, the client will *not* upload events for executions of unknown binaries allowed in monitor mode |
+| BlockUSBMount                     | Bool       | If set to 'True' blocking USB Mass storage feature is enabled. Defaults to `False`. |
+| RemountUSBMode                    | Array      | Array of strings for arguments to pass to mount -o (any of "rdonly", "noexec", "nosuid", "nobrowse", "noowners", "nodev", "async", "-j"). when forcibly remounting devices. No default. |
 
 
 \*overridable by the sync server: run `santactl status` to check the current
@@ -215,7 +217,7 @@ ways to install configuration profiles:
 | enable\_bundles\*                   | Bool       | If set to `True` the bundle scanning feature is enabled. Defaults to `False`. |
 | enable\_transitive\_rules           | Bool       | If set to `True` the transitive rule feature is enabled. Defaults to `False`. |
 | enable\_all\_event\_upload          | Bool       | If set to `True` the client will upload events for all executions, including those that are explicitly allowed. |
-| block\_usb\_mass\_storage           | Bool       | If set to 'True' blocking USB Mass storage feature is enabled. Defaults to `False`. |
+| block\_usb\_mount                   | Bool       | If set to 'True' blocking USB Mass storage feature is enabled. Defaults to `False`. |
 | remount\_usb\_mode                  | Array      | Array of strings for arguments to pass to mount -o (any of "rdonly", "noexec", "nosuid", "nobrowse", "noowners", "nodev", "async", "-j"). when forcibly remounting devices. No default. |