Fetching RSR info

mac_apt.py

@@ -290,6 +290,12 @@ def FindMacOsPartitionInApfsContainer(img, vol_info, container_size, container_s
         elif vol.role == vol.container.apfs.VolumeRoleType.data.value:
             log.debug("{} is DATA volume type".format(vol.volume_name))
             mac_info.apfs_data_volume = vol
+        elif vol.role == vol.container.apfs.VolumeRoleType.preboot.value:
+            log.debug("{} is PREBOOT volume type".format(vol.volume_name))
+            mac_info.apfs_preboot_volume = vol
+        elif vol.role == vol.container.apfs.VolumeRoleType.update.value:
+            log.debug("{} is UPDATE volume type".format(vol.volume_name))
+            mac_info.apfs_update_volume = vol
     try:
         # start db
         use_existing_db = False
@@ -305,6 +311,8 @@ def FindMacOsPartitionInApfsContainer(img, vol_info, container_size, container_s
                 if mac_info.apfs_sys_volume:
                     mac_info.apfs_data_volume.dbo = mac_info.apfs_db
                     mac_info.apfs_sys_volume.dbo = mac_info.apfs_db
+                    mac_info.apfs_preboot_volume.dbo = mac_info.apfs_db
+                    mac_info.apfs_update_volume.dbo = mac_info.apfs_db
                     mac_info.UseCombinedVolume()
                 log.info('Found an existing APFS_Volumes.db in the output folder, looks good, will not create a new one!')
             else:

plugins/basicinfo.py

@@ -241,7 +241,10 @@ def GetModelAndHostNameFromPreference(mac_info, preference_plist_path):
 
 def GetMacOSVersion(mac_info):
     sys_ver_plist_path = '/System/Library/CoreServices/SystemVersion.plist'
-    basic_data.append(['SYSTEM', 'macOS Version', mac_info.os_version, mac_info.os_friendly_name, sys_ver_plist_path])
+    version = mac_info.os_version
+    if mac_info.os_version_extra:
+        version += ' ' + mac_info.os_version_extra
+    basic_data.append(['SYSTEM', 'macOS Version', version, mac_info.os_friendly_name, sys_ver_plist_path])
     basic_data.append(['SYSTEM', 'macOS Build Version', mac_info.os_build, mac_info.os_friendly_name, sys_ver_plist_path])
     mac_info.ExportFile(sys_ver_plist_path, __Plugin_Name, "", False)
 

plugins/helpers/macinfo.py

@@ -18,7 +18,6 @@
 import sys
 import tempfile
 import time
-import traceback
 import zipfile
 from io import BytesIO
 from uuid import UUID
@@ -318,6 +317,7 @@ def __init__(self, output_params, password='', dont_decrypt=False):
         self.vol_info = None # disk_volumes
         self.output_params = output_params
         self.os_version = '0.0.0'
+        self.os_version_extra = '' # Since macOS 13, for Rapid Security Response patches
         self.os_build = ''
         self.os_friendly_name = 'No name yet!'
         self.users = []
@@ -600,7 +600,7 @@ def ListItemsInFolder(self, path='/', types_to_fetch=EntryType.FILES_AND_FOLDERS
             if str(ex).find('tsk_fs_dir_open: path not found'):
                 log.debug("Path not found : " + path)
             else:
-                log.debug("Exception details:\n", exc_info=True) #traceback.print_exc()
+                log.debug("Exception details:\n", exc_info=True)
                 log.error("Failed to get dir info!")
         return items
 
@@ -705,20 +705,20 @@ def GetArrayFirstElement(self, array, error=''):
         return error
 
     def GetVersionDictionary(self):
-        '''Returns macOS version as dictionary {major:10, minor:5 , micro:0}'''
-        version_dict = { 'major':0, 'minor':0, 'micro':0 }
+        '''Returns macOS version as dictionary {major:10, minor:5 , micro:0, extra:'(a)'}'''
+        version_dict = { 'major':0, 'minor':0, 'micro':0, 'extra':self.os_version_extra }
         info = self.os_version.split(".")
         try:
             version_dict['major'] = int(info[0])
             try:
                 version_dict['minor'] = int(info[1])
                 try:
                     version_dict['micro'] = int(info[2])
-                except Exception:
+                except (IndexError,ValueError):
                     pass
-            except Exception:
+            except (IndexError,ValueError):
                 pass
-        except Exception:
+        except (IndexError,ValueError):
             pass
         return version_dict
 
@@ -1012,6 +1012,8 @@ def __init__(self, output_params, password, dont_decrypt):
         self.apfs_db_path = ''
         self.apfs_sys_volume = None  # New in 10.15, a System read-only partition
         self.apfs_data_volume = None # New in 10.15, a separate Data partition
+        self.apfs_preboot_volume = None # In macOS 13, it's loaded while running
+        self.apfs_update_volume = None  # In macOS 13, it's loaded while running
 
     def UseCombinedVolume(self):
         self.macos_FS = ApfsSysDataLinkedVolume(self.apfs_sys_volume, self.apfs_data_volume)
@@ -1027,6 +1029,51 @@ def CreateCombinedVolume(self):
         log.error('Failed to create combined System + Data volume')
         return False
 
+    def _GetSystemInfo(self):
+        info = MacInfo._GetSystemInfo(self)
+        if self.GetVersionDictionary()['major'] >= 13:
+            # Get Rapid Security Response patch info, new in macOS 13 (Ventura)
+            uuid = ''
+            update_plist_path = '/nvram.plist'
+            log.debug(f"Trying to read RSR related UUID from {update_plist_path}")
+            f = self.apfs_update_volume.open(update_plist_path)
+            if f != None:
+                success, plist, error = CommonFunctions.ReadPlist(f)
+                if success:
+                    efi_boot_device = plist.get('efi-boot-device', '')
+                    #if efi_boot_device:
+                    #    plistlib.loads()
+                    matches = re.search(r"\<key\>Path\<\/key\>\<string\>\\([^\\]+)\\", efi_boot_device)
+                    if matches:
+                        uuid = matches.group(1)
+                    else:
+                        log.warning(f"No UUID found for RSR, efi_boot_device info = {efi_boot_device}")
+                    f.close()
+                else:
+                    log.error("Could not read plist. Error=" + error)
+                f.close()
+            else:
+                log.error("Could not open plist to get system version info!")
+                return info
+
+            preboot_plist_path = f'/{uuid}/cryptex1/current/SystemVersion.plist'
+            log.debug(f"Trying to get RSR patch version from {preboot_plist_path}")
+            f = self.apfs_preboot_volume.open(preboot_plist_path)
+            if f != None:
+                success, plist, error = CommonFunctions.ReadPlist(f)
+                if success:
+                    self.os_version_extra = plist.get('ProductVersionExtra', '')
+                    self.os_version = plist.get('ProductVersion', self.os_version)
+                    self.os_build = plist.get('ProductBuildVersion', self.os_build)
+                    log.info (f'macOS RSR patch version detected is: {self.os_version} {self.os_version_extra}')
+                    f.close()
+                else:
+                    log.error("Could not read plist. Error=" + error)
+                f.close()
+            else:
+                log.error("Could not open plist to get system version info!")
+        return info
+
     def ReadApfsVolumes(self):
         '''Read volume information into an sqlite db'''
         decryption_key = None
@@ -1426,7 +1473,7 @@ def ListItemsInFolder(self, path='/', types_to_fetch=EntryType.FILES_AND_FOLDERS
                 log.debug("Path not found : " + mounted_path)
             else:
                 log.debug("Problem accessing path : " + mounted_path)
-                log.debug("Exception details:\n", exc_info=True) #traceback.print_exc()
+                log.debug("Exception details:\n", exc_info=True)
                 log.error("Failed to get dir info!")
         return items
 

version.py

@@ -1 +1 @@
-__VERSION = "1.5.5.dev (20230430)"
+__VERSION = "1.5.6.dev (20230430)"