Error on SUIS (#941)

* Rename macos planner to macos/mod

* Clean up some clippy notes about specifying truncate

* Add types for parsing macOS system profiles

* Error on SUIS

* Dump all profiles

* Clean up errors

* fixup: emit multiple errors on suis blocks

* Clean up the error after user input

* Nit on phrasing in warn

* tpot -> blocking_policy

* slice

* Add a description to the fail pilst

* Move around deck chairs

* Disable GHA cache

* clean up the query

* profile sample: fail -> block

* less technical

* Link to a det.sys page that talks more about internal disks (tbd)

* Update src/planner/macos/profiles.rs

Co-authored-by: Cole Helbling <[email protected]>

* Expand the errorr message again

* Test unknown does not error

---------

Co-authored-by: Cole Helbling <[email protected]>

.github/workflows/build-aarch64-darwin.yml

@@ -1,6 +1,6 @@
 name: Build aarch64 Darwin
 
-on: 
+on:
   workflow_call:
     inputs:
       cache-key:
@@ -23,6 +23,8 @@ jobs:
         with:
           flakehub: true
       - uses: DeterminateSystems/magic-nix-cache-action@main
+        with:
+          use-gha-cache: false
       - name: Build the installer
         run: |
           nix build .#packages.aarch64-darwin.nix-installer -L

.github/workflows/build-aarch64-linux.yml

@@ -1,6 +1,6 @@
 name: Build aarch64 Linux (static)
 
-on: 
+on:
   workflow_call:
     inputs:
       cache-key:
@@ -23,6 +23,8 @@ jobs:
         with:
           flakehub: true
       - uses: DeterminateSystems/magic-nix-cache-action@main
+        with:
+          use-gha-cache: false
       - name: Build the installer
         run: |
           nix build .#packages.aarch64-linux.nix-installer-static -L

.github/workflows/build-i686-linux.yml

@@ -1,6 +1,6 @@
 name: Build i686 Linux (static)
 
-on: 
+on:
   workflow_call:
     inputs:
       cache-key:
@@ -23,6 +23,8 @@ jobs:
         with:
           flakehub: true
       - uses: DeterminateSystems/magic-nix-cache-action@main
+        with:
+          use-gha-cache: false
       - name: Build the installer
         run: |
           nix build .#packages.i686-linux.nix-installer-static -L

.github/workflows/build-x86_64-darwin.yml

@@ -23,6 +23,8 @@ jobs:
         with:
           flakehub: true
       - uses: DeterminateSystems/magic-nix-cache-action@main
+        with:
+          use-gha-cache: false
       - name: Build the installer
         run: |
           nix build .#packages.x86_64-darwin.nix-installer -L

.github/workflows/build-x86_64-linux.yml

@@ -1,6 +1,6 @@
 name: Build x86_64 Linux (static)
 
-on: 
+on:
   workflow_call:
     inputs:
       cache-key:
@@ -23,6 +23,8 @@ jobs:
         with:
           flakehub: true
       - uses: DeterminateSystems/magic-nix-cache-action@main
+        with:
+          use-gha-cache: false
       - name: Build the installer
         run: |
           nix build .#packages.x86_64-linux.nix-installer-static -L

.github/workflows/ci.yml

@@ -34,6 +34,8 @@ jobs:
         with:
           flakehub: true
       - uses: DeterminateSystems/magic-nix-cache-action@main
+        with:
+          use-gha-cache: false
       - name: Check rustfmt
         run: nix develop --command check-rustfmt
       - name: Check Clippy

.github/workflows/update.yml

@@ -2,7 +2,7 @@ name: update-flake-lock
 on:
   workflow_dispatch:
   schedule:
-    - cron: '0 0 * * 0'
+    - cron: "0 0 * * 0"
 
 jobs:
   lockfile:
@@ -17,8 +17,10 @@ jobs:
         uses: DeterminateSystems/nix-installer-action@main
         with:
           flakehub: true
-      - name: Enable magic Nix cache
+      - name: Enable Magic Nix Cache
         uses: DeterminateSystems/magic-nix-cache-action@main
+        with:
+          use-gha-cache: false
       - name: Check flake
         uses: DeterminateSystems/flake-checker-action@main
       - name: Update flake.lock

src/action/base/create_or_insert_into_file.rs

@@ -208,6 +208,7 @@ impl Action for CreateOrInsertIntoFile {
         }
         let mut temp_file = OpenOptions::new()
             .create(true)
+            .truncate(true)
             .write(true)
             // If the file is created, ensure that it has harmless
             // permissions regardless of whether the mode will be

src/action/base/create_or_merge_nix_config.rs

@@ -258,6 +258,7 @@ impl Action for CreateOrMergeNixConfig {
         }
         let mut temp_file = OpenOptions::new()
             .create(true)
+            .truncate(true)
             .write(true)
             // If the file is created, ensure that it has harmless
             // permissions regardless of whether the mode will be

src/action/macos/create_fstab_entry.rs

@@ -136,6 +136,7 @@ impl Action for CreateFstabEntry {
 
         let mut fstab = tokio::fs::OpenOptions::new()
             .create(true)
+            .truncate(false)
             .write(true)
             .read(true)
             .open(fstab_path)

src/planner/macos.rs → src/planner/macos/mod.rs

@@ -8,6 +8,9 @@ use which::which;
 use super::ShellProfileLocations;
 use crate::planner::HasExpectedErrors;
 
+mod profile_queries;
+mod profiles;
+
 use crate::{
     action::{
         base::RemoveDirectory,
@@ -306,6 +309,7 @@ impl Planner for Macos {
     }
 
     async fn pre_install_check(&self) -> Result<(), PlannerError> {
+        check_suis().await?;
         check_not_running_in_rosetta()?;
         if self.enterprise_edition {
             check_enterprise_edition_available().await?;
@@ -364,6 +368,43 @@ fn check_not_running_in_rosetta() -> Result<(), PlannerError> {
     Ok(())
 }
 
+async fn check_suis() -> Result<(), PlannerError> {
+    let policies: profiles::Policies = match profiles::load().await {
+        Ok(pol) => pol,
+        Err(e) => {
+            tracing::warn!(
+                "Skipping SystemUIServer checks: failed to load profile data: {:?}",
+                e
+            );
+            return Ok(());
+        },
+    };
+
+    let blocks: Vec<_> = profile_queries::blocks_internal_mounting(&policies)
+        .into_iter()
+        .map(|blocking_policy| blocking_policy.display())
+        .collect();
+
+    let error: String = match &blocks[..] {
+        [] => {
+            return Ok(());
+        },
+        [block] => format!(
+            "The following macOS configuration profile includes a 'Restrictions - Media' policy, which interferes with the Nix Store volume:\n\n{}\n\nSee https://determinate.systems/solutions/macos-internal-disk-policy",
+            block
+        ),
+        blocks => {
+            format!(
+                "The following macOS configuration profiles include a 'Restrictions - Media' policy, which interferes with the Nix Store volume:\n\n{}\n\nSee https://determinate.systems/solutions/macos-internal-disk-policy",
+                blocks.join("\n\n")
+            )
+        },
+    };
+
+    Err(MacosError::BlockedBySystemUIServerPolicy(error))
+        .map_err(|e| PlannerError::Custom(Box::new(e)))
+}
+
 async fn check_enterprise_edition_available() -> Result<(), PlannerError> {
     tokio::fs::metadata("/usr/local/bin/determinate-nix-ee")
         .await
@@ -377,12 +418,16 @@ async fn check_enterprise_edition_available() -> Result<(), PlannerError> {
 pub enum MacosError {
     #[error("`nix-darwin` installation detected, it must be removed before uninstalling Nix. Please refer to https://github.com/LnL7/nix-darwin#uninstalling for instructions how to uninstall `nix-darwin`.")]
     UninstallNixDarwin,
+
+    #[error("{0}")]
+    BlockedBySystemUIServerPolicy(String),
 }
 
 impl HasExpectedErrors for MacosError {
     fn expected<'a>(&'a self) -> Option<Box<dyn std::error::Error + 'a>> {
         match self {
             this @ MacosError::UninstallNixDarwin => Some(Box::new(this)),
+            this @ MacosError::BlockedBySystemUIServerPolicy(_) => Some(Box::new(this)),
         }
     }
 }

src/planner/macos/profile.sample.block.plist

@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<!-- The user's username OR the string literal _computerlevel -->
+	<key>foo</key>
+	<array>
+		<dict>
+			<!-- Show the following data (if set, they're not required) to contextualize the issue: -->
+			<key>ProfileDescription</key>
+			<string>The description</string>
+			<key>ProfileDisplayName</key>
+			<string>Don't allow mounting internal devices</string>
+			<key>ProfileIdentifier</key>
+			<string>MyProfile.6F6670A3-65AC-4EA4-8665-91F8FCE289AB</string>
+			<key>ProfileInstallDate</key>
+			<string>2024-04-22 14:12:42 +0000</string>
+			<key>ProfileType</key>
+			<string>Configuration</string>
+			<key>ProfileUUID</key>
+			<string>6F6670A3-65AC-4EA4-8665-91F8FCE289AB</string>
+			<key>ProfileVersion</key>
+			<integer>1</integer>
+
+
+			<key>ProfileItems</key>
+			<array>
+				<dict>
+					<!-- Look for an entry which has PayloadType as follows ... -->
+					<key>PayloadType</key>
+					<string>com.apple.systemuiserver</string>
+
+					<key>PayloadContent</key>
+					<dict>
+						<key>mount-controls</key>
+						<dict>
+							<key>harddisk-internal</key>
+							<array>
+							 	<!--
+									This could be one of the following:
+
+									authenticate: The user is authenticated before the media is mounted.
+									read-only: The media is mounted as read-only; this action cannot be combined with unmount controls.
+									deny: The media isn't mounted.
+									eject: The media isn't mounted and is ejected, if possible. Note that some volumes aren't defined as ejectable, so using the deny key may be the best solution. This action cannot be combined with unmount controls.
+
+									We should fail ahead of time if this list contains read-only, deny, or eject.
+								 -->
+								<string>deny</string>
+							</array>
+						</dict>
+					</dict>
+				</dict>
+			</array>
+		</dict>
+	</array>
+</dict>
+</plist>

src/planner/macos/profile.sample.unknown.plist

@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>_computerlevel</key>
+	<array>
+		<dict>
+			<key>ProfileDescription</key>
+			<string></string>
+			<key>ProfileDisplayName</key>
+			<string>macOS Software Update Policy: Mandatory Minor Upgrades</string>
+			<key>ProfileIdentifier</key>
+			<string>com.example</string>
+			<key>ProfileInstallDate</key>
+			<string>2024-04-22 00:00:00 +0000</string>
+			<key>ProfileItems</key>
+			<array>
+				<dict>
+					<key>PayloadContent</key>
+					<dict>
+						<key>AllowPreReleaseInstallation</key>
+						<false/>
+						<key>AutomaticCheckEnabled</key>
+						<true/>
+					</dict>
+					<key>PayloadIdentifier</key>
+					<string>abc123</string>
+					<key>PayloadType</key>
+					<string>com.apple.SoftwareUpdate</string>
+					<key>PayloadUUID</key>
+					<string>def456</string>
+					<key>PayloadVersion</key>
+					<integer>1</integer>
+				</dict>
+			</array>
+			<key>ProfileRemovalDisallowed</key>
+			<string>true</string>
+			<key>ProfileType</key>
+			<string>Configuration</string>
+			<key>ProfileUUID</key>
+			<string>F7972F85-2A4D-4609-A4BB-02CB0C34A3F8</string>
+			<key>ProfileVerificationState</key>
+			<string>verified</string>
+			<key>ProfileVersion</key>
+			<integer>1</integer>			
+		</dict>
+	</array>
+</dict>
+</plist>