Unloading Santa’s system extension when uninstalling using Munki

What the problem is

System extensions in place of kernel extensions

For macOS 10.15+, Apple has deprecated kernel extensions in favor of system extensions, but system extensions can’t be unloaded silently by script.

If you try to unload Santa’s system extension using the command:

systemextensionsctl uninstall EQHXZ8M8AV com.google.santa.daemon

you’ll get this:

At this time, this tool cannot be used if System Integrity Protection is enabled.
This limitation will be removed in the near future.
Please remember to re-enable System Integrity Protection!

Most orgs (I hope) will not want their users disabling System Integrity Protection.

Limitations of Santa uninstall script, especially in a Munki context

Santa has an uninstall.sh available on its GitHub project that prompts the user (with a GUI dialogue) to authenticate to unload the system extension. But what if the user dismisses that GUI dialogue? Munki, running that script, will mostly uninstall Santa, but the Santa system extension will still be loaded. Worse yet, whether you have an installcheck_script (to make sure Santa is both installed and running) or an installs array, Munki won’t consider Santa installed any more unless all the install criteria are met. If, for example, your installcheck_script says that Santa has to be installed, Santa’s launch daemon has to be loaded, and the system extension has to be loaded, then Munki will see that the launch daemon isn’t loaded and Santa isn’t installed, and will consider Santa not installed, even though the system extension is still loaded.

How to address the issue

So there are a few things you can do (super hacky, but better than nothing?) to address these issues:

  • Add an uninstallcheck_script that will say Santa isn’t fully uninstalled if the system extension is still loaded
  • Since Santa uses the Santa binary to pop up the GUI dialogue to unload the system extension, check to make sure the Santa binary is there, and download it again if needed.
  • Require a restart. For a background run, the dialogue should pop up, but if you manually run Managed Software Center without requiring a restart, the dialogue may not pop up. Requiring a restart will pop up the GUI dialogue box (at the login screen). Unfortunately, the dialogue box (because no one is logged in) will require both a username and a password.
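
An added example of the check in the first bullet (not the script from the sample pkginfo, and not Santa's or Munki's own code). It assumes Munki's convention that an uninstallcheck_script exiting 0 means the item still needs removal, treats "[uninstalling]" as already unloaded, and runs on constructed sample lines; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: decision logic for a Munki uninstallcheck_script.
# Munki convention: exit 0 = still installed, schedule removal; non-zero = nothing to remove.
TEAM_ID="EQHXZ8M8AV"                 # Santa's team ID, as shown on the page
BUNDLE_ID="com.google.santa.daemon"  # Santa's system extension, as shown on the page

# Print the bracketed state of every Santa line in `systemextensionsctl list` output ($1).
santa_sysext_states() {
  printf '%s\n' "$1" | grep -F "$TEAM_ID" | grep -F "$BUNDLE_ID" |
    sed -n 's/.*\[\([^]]*\)\].*/\1/p'
}

# True only while a Santa extension is activated and enabled.
# Assumption: "[uninstalling]" counts as already unloaded.
santa_sysext_loaded() {
  santa_sysext_states "$1" | grep -q '^activated enabled$'
}

# The check depends only on the extension, never on Santa.app or the launch
# daemon, because a dismissed prompt leaves the extension behind without them.
uninstallcheck() {
  if santa_sysext_loaded "$1"; then
    echo "Santa system extension still loaded. Santa still needs to be uninstalled."
    return 0
  fi
  echo "Santa system extension unloaded."
  return 1
}

# Constructed samples based on the output lines quoted on the page.
BEFORE='* * EQHXZ8M8AV com.google.santa.daemon (2021.2/2021.2) santad [activated enabled]'
PENDING='EQHXZ8M8AV com.google.santa.daemon (2021.2/2021.2) santad [uninstalling]'
OTHER='* * ABCDE12345 com.example.filter (1.0/1) filter [activated enabled]'  # hypothetical vendor

for sample in "$BEFORE" "$PENDING" "$OTHER" ""; do
  if uninstallcheck "$sample"; then echo "-> exit 0"; else echo "-> exit 1"; fi
done

# On a managed Mac the script would end with:
#   uninstallcheck "$(systemextensionsctl list)"; exit $?
```

Because the result depends only on the extension's state, Munki keeps scheduling the removal after a dismissed prompt even though the app and launch daemon are already gone.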

Example pkginfo

I’ve posted up a sample pkginfo for Santa. Don’t use this exact one, but you may want to use the uninstall_script and uninstallcheck_script in your own pkginfo for Santa.

What the uninstall process looks like

Before uninstalling, the system extension will be running:

systemextensionsctl list | grep santa
* * EQHXZ8M8AV com.google.santa.daemon (2021.2/2021.2) santad [activated enabled]

The uninstallcheck_script notes that Santa needs to be removed (if it’s a managed uninstall, which it is, in this example).

Running uninstallcheck_script for santa
Santa system extension still loaded. Santa still needs to be uninstalled.
Removal of santa added to ManagedInstaller tasks.

Managed Software Center prompts the user to log out.

If the user doesn’t authenticate…

This is what it looks like if the user cancels the GUI dialogue instead of authenticating:

Removing Santa (1 of 1)...
Running uninstall_script for santa
Trying to unload system extension...
Santa[1362:14150] Requesting SystemExtension deactivation
Santa[1362:14153] SystemExtension "com.google.santa.daemon" request did fail: Error Domain=OSSystemExtensionErrorDomain Code=13 "(null)"
Removing /Applications/Santa.app
Removing /Library/LaunchAgents/com.google.santa.plist
Removing /Library/LaunchDaemons/com.google.santa.bundleservice.plist
Removing /private/etc/asl/com.google.santa.asl.conf
Removing /private/etc/newsyslog.d/com.google.santa.newsyslog.conf
Running uninstall_script for santa was successful.

And, since the GUI dialogue was dismissed, the system extension wasn’t unloaded, which means Munki still wants to uninstall it:

Running uninstallcheck_script for santa
Santa system extension still loaded. Santa still needs to be uninstalled.
Removal of santa added to ManagedInstaller tasks.

If the user does authenticate…

This is what it looks like if the user does authenticate to unload the system extension:


Removing Santa (1 of 1)...
Running uninstall_script for santa
Downloading Santa so we can unload the system extension
Verifying integrity of Santa download.
Extracting compressed /tmp/santa.tar.gz
x santa-2021.2/
x santa-2021.2/binaries/
x santa-2021.2/conf/
x santa-2021.2/dsym/
x santa-2021.2/dsym/com.google.santa.daemon.systemextension.dSYM/
x santa-2021.2/dsym/santa-driver.kext.dSYM/
x santa-2021.2/dsym/Santa.app.dSYM/
x santa-2021.2/dsym/santabundleservice.dSYM/
x santa-2021.2/dsym/santactl.dSYM/
x santa-2021.2/dsym/santactl.dSYM/Contents/
x santa-2021.2/dsym/santactl.dSYM/Contents/Info.plist
x santa-2021.2/dsym/santactl.dSYM/Contents/Resources/
x santa-2021.2/dsym/santactl.dSYM/Contents/Resources/DWARF/
x santa-2021.2/dsym/santactl.dSYM/Contents/Resources/DWARF/santactl_arm64
x santa-2021.2/dsym/santactl.dSYM/Contents/Resources/DWARF/santactl_x86_64
x santa-2021.2/dsym/santabundleservice.dSYM/Contents/
x santa-2021.2/dsym/santabundleservice.dSYM/Contents/Info.plist
x santa-2021.2/dsym/santabundleservice.dSYM/Contents/Resources/
x santa-2021.2/dsym/santabundleservice.dSYM/Contents/Resources/DWARF/
x santa-2021.2/dsym/santabundleservice.dSYM/Contents/Resources/DWARF/santabundleservice_arm64
x santa-2021.2/dsym/santabundleservice.dSYM/Contents/Resources/DWARF/santabundleservice_x86_64
x santa-2021.2/dsym/Santa.app.dSYM/Contents/
x santa-2021.2/dsym/Santa.app.dSYM/Contents/Info.plist
x santa-2021.2/dsym/Santa.app.dSYM/Contents/Resources/
x santa-2021.2/dsym/Santa.app.dSYM/Contents/Resources/DWARF/
x santa-2021.2/dsym/Santa.app.dSYM/Contents/Resources/DWARF/Santa_arm64
x santa-2021.2/dsym/Santa.app.dSYM/Contents/Resources/DWARF/Santa_x86_64
x santa-2021.2/dsym/santa-driver.kext.dSYM/Contents/
x santa-2021.2/dsym/santa-driver.kext.dSYM/Contents/Info.plist
x santa-2021.2/dsym/santa-driver.kext.dSYM/Contents/Resources/
x santa-2021.2/dsym/santa-driver.kext.dSYM/Contents/Resources/DWARF/
x santa-2021.2/dsym/santa-driver.kext.dSYM/Contents/Resources/DWARF/santa-driver_x86_64
x santa-2021.2/dsym/com.google.santa.daemon.systemextension.dSYM/Contents/
x santa-2021.2/dsym/com.google.santa.daemon.systemextension.dSYM/Contents/Info.plist
x santa-2021.2/dsym/com.google.santa.daemon.systemextension.dSYM/Contents/Resources/
x santa-2021.2/dsym/com.google.santa.daemon.systemextension.dSYM/Contents/Resources/DWARF/
x santa-2021.2/dsym/com.google.santa.daemon.systemextension.dSYM/Contents/Resources/DWARF/com.google.santa.daemon_arm64
x santa-2021.2/dsym/com.google.santa.daemon.systemextension.dSYM/Contents/Resources/DWARF/com.google.santa.daemon_x86_64
x santa-2021.2/conf/com.google.santa.asl.conf
x santa-2021.2/conf/com.google.santa.bundleservice.plist
x santa-2021.2/conf/com.google.santa.newsyslog.conf
x santa-2021.2/conf/com.google.santa.plist
x santa-2021.2/conf/com.google.santad.plist
x santa-2021.2/conf/install.sh
x santa-2021.2/conf/uninstall.sh
x santa-2021.2/binaries/santa-driver.kext/
x santa-2021.2/binaries/Santa.app/
x santa-2021.2/binaries/Santa.app/Contents/
x santa-2021.2/binaries/Santa.app/Contents/_CodeSignature/
x santa-2021.2/binaries/Santa.app/Contents/CodeResources
x santa-2021.2/binaries/Santa.app/Contents/embedded.provisionprofile
x santa-2021.2/binaries/Santa.app/Contents/Info.plist
x santa-2021.2/binaries/Santa.app/Contents/Library/
x santa-2021.2/binaries/Santa.app/Contents/MacOS/
x santa-2021.2/binaries/Santa.app/Contents/PkgInfo
x santa-2021.2/binaries/Santa.app/Contents/Resources/
x santa-2021.2/binaries/Santa.app/Contents/Resources/AboutWindow.nib
x santa-2021.2/binaries/Santa.app/Contents/Resources/AppIcon.icns
x santa-2021.2/binaries/Santa.app/Contents/Resources/Assets.car
x santa-2021.2/binaries/Santa.app/Contents/Resources/MessageWindow.nib
x santa-2021.2/binaries/Santa.app/Contents/MacOS/Santa
x santa-2021.2/binaries/Santa.app/Contents/MacOS/santabundleservice
x santa-2021.2/binaries/Santa.app/Contents/MacOS/santactl
x santa-2021.2/binaries/Santa.app/Contents/Library/SystemExtensions/
x santa-2021.2/binaries/Santa.app/Contents/Library/SystemExtensions/com.google.santa.daemon.systemextension/
x santa-2021.2/binaries/Santa.app/Contents/Library/SystemExtensions/com.google.santa.daemon.systemextension/Contents/
x santa-2021.2/binaries/Santa.app/Contents/Library/SystemExtensions/com.google.santa.daemon.systemextension/Contents/_CodeSignature/
x santa-2021.2/binaries/Santa.app/Contents/Library/SystemExtensions/com.google.santa.daemon.systemextension/Contents/embedded.provisionprofile
x santa-2021.2/binaries/Santa.app/Contents/Library/SystemExtensions/com.google.santa.daemon.systemextension/Contents/Info.plist
x santa-2021.2/binaries/Santa.app/Contents/Library/SystemExtensions/com.google.santa.daemon.systemextension/Contents/MacOS/
x santa-2021.2/binaries/Santa.app/Contents/Library/SystemExtensions/com.google.santa.daemon.systemextension/Contents/MacOS/com.google.santa.daemon
x santa-2021.2/binaries/Santa.app/Contents/Library/SystemExtensions/com.google.santa.daemon.systemextension/Contents/_CodeSignature/CodeResources
x santa-2021.2/binaries/Santa.app/Contents/_CodeSignature/CodeResources
x santa-2021.2/binaries/santa-driver.kext/Contents/
x santa-2021.2/binaries/santa-driver.kext/Contents/_CodeSignature/
x santa-2021.2/binaries/santa-driver.kext/Contents/CodeResources
x santa-2021.2/binaries/santa-driver.kext/Contents/Info.plist
x santa-2021.2/binaries/santa-driver.kext/Contents/MacOS/
x santa-2021.2/binaries/santa-driver.kext/Contents/MacOS/santa-driver
x santa-2021.2/binaries/santa-driver.kext/Contents/_CodeSignature/CodeResources
Copying /tmp/santa-2021.2/binaries/Santa.app to the /Applications folder.
Trying to unload system extension...
Santa[772:8054] Requesting SystemExtension deactivation
Santa[772:8075] SystemExtension "com.google.santa.daemon" request did finish: 0
Removing /Applications/Santa.app
Running uninstall_script for santa was successful.

After uninstalling, the system extension will be removed:

systemextensionsctl list | grep santa
EQHXZ8M8AV com.google.santa.daemon (2021.2/2021.2) santad [uninstalling]
systemextensionsctl list | grep santa

And then Munki sees the system extension is unloaded and no longer wants to remove Santa:

Running uninstallcheck_script for santa
Santa system extension unloaded.
santa doesn't appear to be installed.
**Checking for managed updates**
