kolide · James-Pickett · Aug 7, 2024 · Jul 24, 2024 · Jul 24, 2024 · Jul 25, 2024
diff --git a/cmd/launcher/svc_config_windows.go b/cmd/launcher/svc_config_windows.go
@@ -6,6 +6,7 @@ package main
 import (
 	"context"
 	"log/slog"
+	"time"
 
 	"github.com/kolide/launcher/pkg/launcher"
 
@@ -64,6 +65,8 @@ func checkServiceConfiguration(logger *slog.Logger, opts *launcher.Options) {
 	checkDependOnService(launcherServiceKey, logger)
 
 	checkRestartActions(logger)
+
+	setRecoveryActions(logger)
 }
 
 // checkDelayedAutostart checks the current value of `DelayedAutostart` (whether to wait ~2 minutes
@@ -184,3 +187,56 @@ func checkRestartActions(logger *slog.Logger) {
 
 	logger.Log(context.TODO(), slog.LevelInfo, "successfully set RecoveryActionsOnNonCrashFailures flag")
 }
+
+// setRecoveryActions sets the recovery actions for the launcher service.
+// previously defined via wix ServicConfig Element (Util Extension) https://wixtoolset.org/docs/v3/xsd/util/serviceconfig/
+func setRecoveryActions(logger *slog.Logger) {
+	sman, err := mgr.Connect()
+	if err != nil {
+		logger.Log(context.TODO(), slog.LevelError,
+			"connecting to service control manager",
+			"err", err,
+		)
+
+		return
+	}
+
+	defer sman.Disconnect()
+
+	launcherService, err := sman.OpenService(launcherServiceName)
+	if err != nil {
+		logger.Log(context.TODO(), slog.LevelError,
+			"opening the launcher service from control manager",
+			"err", err,
+		)
+
+		return
+	}
+
+	defer launcherService.Close()
+
+	recoveryActions := []mgr.RecoveryAction{
+		{
+			// first failure
+			Type:  mgr.ServiceRestart,
+			Delay: 5 * time.Second,
+		},
+		{
+			// second failure
+			Type:  mgr.ServiceRestart,
+			Delay: 5 * time.Second,
+		},
+		{
+			// subsequent failures
+			Type:  mgr.ServiceRestart,
+			Delay: 5 * time.Second,
+		},
+	}
+
+	if err := launcherService.SetRecoveryActions(recoveryActions, 24*60*60); err != nil { // 24 hours
+		logger.Log(context.TODO(), slog.LevelError,
+			"setting RecoveryActions",
+			"err", err,
+		)
+	}
+}
diff --git a/cmd/package-builder/package-builder.go b/cmd/package-builder/package-builder.go
@@ -79,6 +79,11 @@ func runMake(args []string) error {
 			env.String("LAUNCHER_VERSION", "stable"),
 			"What TUF channel to download launcher from. Supports filesystem paths",
 		)
+		flLauncherArmVersion = flagset.String(
+			"launcher_arm_version",
+			env.String("LAUNCHER_ARM_VERSION", "stable"),
+			"What TUF channel to download launcher from for ARM. Supports filesystem paths",
+		)
 		flExtensionVersion = flagset.String(
 			"extension_version",
 			env.String("EXTENSION_VERSION", "stable"),
@@ -230,30 +235,31 @@ func runMake(args []string) error {
 	}
 
 	packageOptions := packaging.PackageOptions{
-		PackageVersion:    *flPackageVersion,
-		OsqueryVersion:    *flOsqueryVersion,
-		OsqueryFlags:      flOsqueryFlags,
-		LauncherVersion:   *flLauncherVersion,
-		ExtensionVersion:  *flExtensionVersion,
-		Hostname:          *flHostname,
-		Secret:            *flEnrollSecret,
-		AppleSigningKey:   *flSigningKey,
-		Transport:         *flTransport,
-		Insecure:          *flInsecure,
-		InsecureTransport: *flInsecureTransport,
-		UpdateChannel:     *flUpdateChannel,
-		InitialRunner:     *flInitialRunner,
-		Identifier:        *flIdentifier,
-		OmitSecret:        *flOmitSecret,
-		CertPins:          *flCertPins,
-		RootPEM:           *flRootPEM,
-		BinRootDir:        *flBinRootDir,
-		CacheDir:          cacheDir,
-		TufServerURL:      *flTufURL,
-		MirrorURL:         *flMirrorURL,
-		WixPath:           *flWixPath,
-		WixSkipCleanup:    *flWixSkipCleanup,
-		DisableService:    *flDisableService,
+		PackageVersion:     *flPackageVersion,
+		OsqueryVersion:     *flOsqueryVersion,
+		OsqueryFlags:       flOsqueryFlags,
+		LauncherVersion:    *flLauncherVersion,
+		LauncherArmVersion: *flLauncherArmVersion,
+		ExtensionVersion:   *flExtensionVersion,
+		Hostname:           *flHostname,
+		Secret:             *flEnrollSecret,
+		AppleSigningKey:    *flSigningKey,
+		Transport:          *flTransport,
+		Insecure:           *flInsecure,
+		InsecureTransport:  *flInsecureTransport,
+		UpdateChannel:      *flUpdateChannel,
+		InitialRunner:      *flInitialRunner,
+		Identifier:         *flIdentifier,
+		OmitSecret:         *flOmitSecret,
+		CertPins:           *flCertPins,
+		RootPEM:            *flRootPEM,
+		BinRootDir:         *flBinRootDir,
+		CacheDir:           cacheDir,
+		TufServerURL:       *flTufURL,
+		MirrorURL:          *flMirrorURL,
+		WixPath:            *flWixPath,
+		WixSkipCleanup:     *flWixSkipCleanup,
+		DisableService:     *flDisableService,
 	}
 
 	outputDir := *flOutputDir

diff --git a/pkg/packagekit/wix/service.go b/pkg/packagekit/wix/service.go
@@ -62,7 +62,6 @@ type ServiceInstall struct {
 	Start             StartType          `xml:",attr,omitempty"`
 	Type              string             `xml:",attr,omitempty"`
 	Vital             YesNoType          `xml:",attr,omitempty"` // The overall install should fail if this service fails to install
-	UtilServiceConfig *UtilServiceConfig `xml:",omitempty"`
 	ServiceConfig     *ServiceConfig     `xml:",omitempty"`
 	ServiceDependency *ServiceDependency `xml:",omitempty"`
 }
@@ -90,32 +89,14 @@ type ServiceControl struct {
 // This is used needed to set DelayedAutoStart
 type ServiceConfig struct {
 	// TODO: this should need a namespace, and yet. See https://github.com/golang/go/issues/36813
+	Id               string    `xml:",attr,omitempty"`
 	XMLName          xml.Name  `xml:"http://schemas.microsoft.com/wix/2006/wi ServiceConfig"`
 	DelayedAutoStart YesNoType `xml:",attr,omitempty"`
 	OnInstall        YesNoType `xml:",attr,omitempty"`
 	OnReinstall      YesNoType `xml:",attr,omitempty"`
 	OnUninstall      YesNoType `xml:",attr,omitempty"`
 }
 
-// UtilServiceConfig implements
-// http://wixtoolset.org/documentation/manual/v3/xsd/util/serviceconfig.html
-// This is used to set FailureActions. There are some
-// limitations. Notably, reset period is in days here, though the
-// underlying `sc.exe` command supports seconds. (See
-// https://github.com/wixtoolset/issues/issues/5963)
-//
-// Docs are a bit confusing. This schema is supported, and should
-// work. The non-util ServiceConfig generates unsupported CNDL1150
-// errors.
-type UtilServiceConfig struct {
-	XMLName                      xml.Name `xml:"http://schemas.microsoft.com/wix/UtilExtension ServiceConfig"`
-	FirstFailureActionType       string   `xml:",attr,omitempty"`
-	SecondFailureActionType      string   `xml:",attr,omitempty"`
-	ThirdFailureActionType       string   `xml:",attr,omitempty"`
-	RestartServiceDelayInSeconds int      `xml:",attr,omitempty"`
-	ResetPeriodInDays            int      `xml:",attr,omitempty"`
-}
-
 // Service represents a wix service. It provides an interface to both
 // ServiceInstall and ServiceControl.
 type Service struct {
@@ -194,16 +175,6 @@ func ServiceArgs(args []string) ServiceOpt {
 
 // New returns a service
 func NewService(matchString string, opts ...ServiceOpt) *Service {
-	// Set some defaults. It's not clear we can reset in under a
-	// day. See https://github.com/wixtoolset/issues/issues/5963
-	utilServiceConfig := &UtilServiceConfig{
-		FirstFailureActionType:       "restart",
-		SecondFailureActionType:      "restart",
-		ThirdFailureActionType:       "restart",
-		ResetPeriodInDays:            1,
-		RestartServiceDelayInSeconds: 5,
-	}
-
 	serviceConfig := &ServiceConfig{
 		OnInstall:        Yes,
 		OnReinstall:      Yes,
@@ -215,16 +186,16 @@ func NewService(matchString string, opts ...ServiceOpt) *Service {
 	// probably better to specific a ServiceName, but this might be an
 	// okay default.
 	defaultName := cleanServiceName(strings.TrimSuffix(matchString, ".exe") + ".svc")
+
 	si := &ServiceInstall{
-		Name:              defaultName,
-		Id:                defaultName,
-		Account:           `[SERVICEACCOUNT]`, // Wix resolves this to `LocalSystem`
-		Start:             StartAuto,
-		Type:              "ownProcess",
-		ErrorControl:      ErrorControlNormal,
-		Vital:             Yes,
-		UtilServiceConfig: utilServiceConfig,
-		ServiceConfig:     serviceConfig,
+		Name:          defaultName,
+		Id:            defaultName,
+		Account:       `[SERVICEACCOUNT]`, // Wix resolves this to `LocalSystem`
+		Start:         StartAuto,
+		Type:          "ownProcess",
+		ErrorControl:  ErrorControlNormal,
+		Vital:         Yes,
+		ServiceConfig: serviceConfig,
 	}
 
 	sc := &ServiceControl{
@@ -237,8 +208,9 @@ func NewService(matchString string, opts ...ServiceOpt) *Service {
 	}
 
 	s := &Service{
-		matchString:    matchString,
-		expectedCount:  1,
+		matchString: matchString,
+		// one count for arm64 and ond for amd64
+		expectedCount:  2,
 		count:          0,
 		serviceInstall: si,
 		serviceControl: sc,

diff --git a/pkg/packagekit/wix/service_test.go b/pkg/packagekit/wix/service_test.go
@@ -17,17 +17,22 @@ func TestService(t *testing.T) {
 	require.NoError(t, err)
 	require.False(t, expectFalse)
 
+	// first match
 	expectTrue, err := service.Match("daemon.exe")
 	require.NoError(t, err)
 	require.True(t, expectTrue)
 
-	// Should error. count now exceeds expectedCount.
+	// second match
 	expectTrue2, err := service.Match("daemon.exe")
-	require.Error(t, err)
+	require.NoError(t, err)
 	require.True(t, expectTrue2)
 
+	// third match, should error
+	expectTrue3, err := service.Match("daemon.exe")
+	require.Error(t, err)
+	require.True(t, expectTrue3)
+
 	expectedXml := `<ServiceInstall Account="[SERVICEACCOUNT]" ErrorControl="normal" Id="DaemonSvc" Name="DaemonSvc" Start="auto" Type="ownProcess" Vital="yes">
-                        <ServiceConfig xmlns="http://schemas.microsoft.com/wix/UtilExtension" FirstFailureActionType="restart" SecondFailureActionType="restart" ThirdFailureActionType="restart" RestartServiceDelayInSeconds="5" ResetPeriodInDays="1"></ServiceConfig>
                         <ServiceConfig xmlns="http://schemas.microsoft.com/wix/2006/wi" DelayedAutoStart="no" OnInstall="yes" OnReinstall="yes"></ServiceConfig>
                     </ServiceInstall>
                     <ServiceControl Name="DaemonSvc" Id="DaemonSvc" Remove="uninstall" Start="install" Stop="both" Wait="no"></ServiceControl>`

diff --git a/pkg/packagekit/wix/wix.go b/pkg/packagekit/wix/wix.go
@@ -12,6 +12,7 @@ import (
 
 	"github.com/go-kit/kit/log/level"
 	"github.com/kolide/kit/fsutil"
+	"github.com/kolide/kit/ulid"
 	"github.com/kolide/launcher/pkg/contexts/ctxlog"
 )
 
@@ -223,19 +224,81 @@ func (wo *wixTool) addServices(ctx context.Context) error {
 	}
 	defer heatWrite.Close()
 
+	type archSpecificBinDir string
+
+	const (
+		none  archSpecificBinDir = ""
+		amd64 archSpecificBinDir = "amd64"
+		arm64 archSpecificBinDir = "arm64"
+	)
+	currentArchSpecificBinDir := none
+
+	baseSvcName := wo.services[0].serviceInstall.Id
+
 	lines := strings.Split(string(heatContent), "\n")
 	for _, line := range lines {
+
+		if currentArchSpecificBinDir != none && strings.Contains(line, "</Directory>") {
+			// were in a arch specific bin dir that we want to remove, don't write closing tag
+			currentArchSpecificBinDir = none
+			continue
+		}
+
+		if strings.Contains(line, "Directory") {
+			if strings.Contains(line, string(amd64)) {
+				// were in a arch specific bin dir that we want to remove so when we hit closing tag, we'll skip it
+				currentArchSpecificBinDir = amd64
+				continue
+			}
+
+			if strings.Contains(line, string(arm64)) {
+				// were in a arch specific bin dir that we want to remove so when we hit closing tag, we'll skip it
+				currentArchSpecificBinDir = arm64
+				continue
+			}
+		}
+
 		heatWrite.WriteString(line)
 		heatWrite.WriteString("\n")
+
 		for _, service := range wo.services {
+
 			isMatch, err := service.Match(line)
 			if err != nil {
 				return fmt.Errorf("match error: %w", err)
 			}
+
 			if isMatch {
+				if currentArchSpecificBinDir == none {
+					return fmt.Errorf("service found, but not in a bin directory")
+				}
+
+				// make sure elements are not duplicated in any service
+				serviceId := fmt.Sprintf("%s%s", baseSvcName, ulid.New())
+				service.serviceControl.Id = serviceId
+				service.serviceInstall.Id = serviceId
+				service.serviceInstall.ServiceConfig.Id = serviceId
+
+				// create a condition based on architecture
+				// have to format in the "%P" in "%PROCESSOR_ARCHITECTURE"
+				heatWrite.WriteString(fmt.Sprintf(`<Condition> %sROCESSOR_ARCHITECTURE="%s" </Condition>`, "%P", strings.ToUpper(string(currentArchSpecificBinDir))))
+				heatWrite.WriteString("\n")
+
 				if err := service.Xml(heatWrite); err != nil {
 					return fmt.Errorf("adding service: %w", err)
 				}
+
+				continue
+			}
+
+			if strings.Contains(line, "osqueryd.exe") {
+				if currentArchSpecificBinDir == none {
+					return fmt.Errorf("osqueryd.exe found, but not in a bin directory")
+				}
+
+				// create a condition based on architecture
+				heatWrite.WriteString(fmt.Sprintf(`<Condition> %sROCESSOR_ARCHITECTURE="%s" </Condition>`, "%P", currentArchSpecificBinDir))
+				heatWrite.WriteString("\n")
 			}
 		}
 	}

diff --git a/pkg/packaging/detectLauncherVersion.go b/pkg/packaging/detectLauncherVersion.go
@@ -19,7 +19,13 @@ func (p *PackageOptions) detectLauncherVersion(ctx context.Context) error {
 	logger := log.With(ctxlog.FromContext(ctx), "library", "detectLauncherVersion")
 	level.Debug(logger).Log("msg", "Attempting launcher autodetection")
 
-	launcherPath := p.launcherLocation(filepath.Join(p.packageRoot, p.binDir))
+	binDir := filepath.Join(p.packageRoot, p.binDir)
+	if p.target.Platform != Darwin {
+		binDir = filepath.Join(binDir, string(p.target.Arch))
+	}
+
+	launcherPath := p.launcherLocation(binDir)
+
 	stdout, err := p.execOut(ctx, launcherPath, "-version")
 	if err != nil {
 		return fmt.Errorf("failed to exec -- possibly can't autodetect while cross compiling: out `%s`: %w", stdout, err)

diff --git a/pkg/packaging/fetch.go b/pkg/packaging/fetch.go
@@ -38,6 +38,14 @@ func FetchBinary(ctx context.Context, localCacheDir, name, binaryName, channelOr
 		return "", errors.New("empty cache dir argument")
 	}
 
+	// put binaries in arch specific directory to avoid naming collisions in wix msi building
+	// where a single destination will have multiple, mutally exclusive sources
+	localCacheDir = filepath.Join(localCacheDir, string(target.Arch))
+
+	if err := os.MkdirAll(localCacheDir, fsutil.DirMode); err != nil {
+		return "", fmt.Errorf("could not create cache directory: %w", err)
+	}
+
 	localBinaryPath := filepath.Join(localCacheDir, fmt.Sprintf("%s-%s-%s", name, target.Platform, channelOrVersion), binaryName)
 	localPackagePath := filepath.Join(localCacheDir, fmt.Sprintf("%s-%s-%s.tar.gz", name, target.Platform, channelOrVersion))