device: support distinct remount args for encrypted and unencrypted policies (#896)

SNT-359

Support new RemovableMediaAction and EncryptedRemovableMediaAction
along with RemovableMediaRemountFlags and EncryptedRemovableMediaRemountFlags

Deprecate BlockUSBMount and USBRemountMode

Author: sharvilshah

MODULE.bazel

@@ -17,7 +17,7 @@ bazel_dep(name = "boringssl", version = "0.20260211.0")
 bazel_dep(name = "protos", version = "1.0.1", repo_name = "northpolesec_protos")
 git_override(
     module_name = "protos",
-    commit = "96ef1e30fd33c455b90ca40815fcda789a2ee609",
+    commit = "82ff2bad461c860ee9c48c342e51d1a59bd40065",
     remote = "https://github.com/northpolesec/protos",
 )
 

Source/common/SNTBlockMessage.mm

@@ -111,7 +111,7 @@ + (NSAttributedString*)attributedBlockMessageForDeviceEvent:(SNTDeviceEvent*)eve
                         @"(e.g. USB device) is blocked from mounting");
 
   // Use the actual event.remountArgs rather than global config,
-  // since RemountUSBMode can be both for BlockUnencryptedRemovableMediaMount and BlockUSBMount
+  // since we have distinct RemovableMediaRemountFlags and EncryptedRemovableMediaRemountFlags
   if (event.remountArgs.count > 0) {
     return [SNTBlockMessage formatMessage:[[SNTConfigurator configurator] remountUSBBlockMessage]
                              withFallback:defaultRemountMessage];

Source/common/SNTCommonEnums.h

@@ -189,6 +189,12 @@ typedef NS_ENUM(NSInteger, SNTDeviceManagerStartupPreferences) {
   SNTDeviceManagerStartupPreferencesForceRemount,
 };
 
+typedef NS_ENUM(NSInteger, SNTRemovableMediaAction) {
+  SNTRemovableMediaActionAllow,
+  SNTRemovableMediaActionBlock,
+  SNTRemovableMediaActionRemount,
+};
+
 typedef NS_ENUM(NSInteger, SNTSyncType) {
   SNTSyncTypeNormal,
   SNTSyncTypeClean,

Source/common/SNTConfigBundle.h

@@ -28,9 +28,10 @@
 - (void)syncType:(void (^)(SNTSyncType))block;
 - (void)allowlistRegex:(void (^)(NSString*))block;
 - (void)blocklistRegex:(void (^)(NSString*))block;
-- (void)blockUSBMount:(void (^)(BOOL))block;
-- (void)blockUnencryptedRemovableMediaMount:(void (^)(BOOL))block;
-- (void)remountUSBMode:(void (^)(NSArray*))block;
+- (void)removableMediaAction:(void (^)(NSString*))block;
+- (void)removableMediaRemountFlags:(void (^)(NSArray<NSString*>*))block;
+- (void)encryptedRemovableMediaAction:(void (^)(NSString*))block;
+- (void)encryptedRemovableMediaRemountFlags:(void (^)(NSArray<NSString*>*))block;
 - (void)blockNetworkMount:(void (^)(BOOL))block;
 - (void)bannedNetworkMountBlockMessage:(void (^)(NSString*))block;
 - (void)allowedNetworkMountHosts:(void (^)(NSArray<NSString*>*))block;

Source/common/SNTConfigBundle.mm

@@ -25,9 +25,10 @@ @interface SNTConfigBundle ()
 @property NSNumber* syncType;
 @property NSString* allowlistRegex;
 @property NSString* blocklistRegex;
-@property NSNumber* blockUSBMount;
-@property NSNumber* blockUnencryptedRemovableMediaMount;
-@property NSArray* remountUSBMode;
+@property NSString* removableMediaAction;
+@property NSArray<NSString*>* removableMediaRemountFlags;
+@property NSString* encryptedRemovableMediaAction;
+@property NSArray<NSString*>* encryptedRemovableMediaRemountFlags;
 @property NSNumber* blockNetworkMount;
 @property NSString* bannedNetworkMountBlockMessage;
 @property NSArray<NSString*>* allowedNetworkMountHosts;
@@ -64,9 +65,10 @@ - (void)encodeWithCoder:(NSCoder*)coder {
   ENCODE(coder, syncType);
   ENCODE(coder, allowlistRegex);
   ENCODE(coder, blocklistRegex);
-  ENCODE(coder, blockUSBMount);
-  ENCODE(coder, blockUnencryptedRemovableMediaMount);
-  ENCODE(coder, remountUSBMode);
+  ENCODE(coder, removableMediaAction);
+  ENCODE(coder, removableMediaRemountFlags);
+  ENCODE(coder, encryptedRemovableMediaAction);
+  ENCODE(coder, encryptedRemovableMediaRemountFlags);
   ENCODE(coder, blockNetworkMount);
   ENCODE(coder, bannedNetworkMountBlockMessage);
   ENCODE(coder, allowedNetworkMountHosts);
@@ -99,9 +101,10 @@ - (instancetype)initWithCoder:(NSCoder*)decoder {
     DECODE(decoder, syncType, NSNumber);
     DECODE(decoder, allowlistRegex, NSString);
     DECODE(decoder, blocklistRegex, NSString);
-    DECODE(decoder, blockUSBMount, NSNumber);
-    DECODE(decoder, blockUnencryptedRemovableMediaMount, NSNumber);
-    DECODE_ARRAY(decoder, remountUSBMode, NSString);
+    DECODE(decoder, removableMediaAction, NSString);
+    DECODE_ARRAY(decoder, removableMediaRemountFlags, NSString);
+    DECODE(decoder, encryptedRemovableMediaAction, NSString);
+    DECODE_ARRAY(decoder, encryptedRemovableMediaRemountFlags, NSString);
     DECODE(decoder, blockNetworkMount, NSNumber);
     DECODE(decoder, bannedNetworkMountBlockMessage, NSString);
     DECODE_ARRAY(decoder, allowedNetworkMountHosts, NSString);
@@ -153,21 +156,27 @@ - (void)blocklistRegex:(void (^)(NSString*))block {
   }
 }
 
-- (void)blockUSBMount:(void (^)(BOOL))block {
-  if (self.blockUSBMount) {
-    block([self.blockUSBMount boolValue]);
+- (void)removableMediaAction:(void (^)(NSString*))block {
+  if (self.removableMediaAction) {
+    block(self.removableMediaAction);
   }
 }
 
-- (void)blockUnencryptedRemovableMediaMount:(void (^)(BOOL))block {
-  if (self.blockUnencryptedRemovableMediaMount) {
-    block([self.blockUnencryptedRemovableMediaMount boolValue]);
+- (void)encryptedRemovableMediaAction:(void (^)(NSString*))block {
+  if (self.encryptedRemovableMediaAction) {
+    block(self.encryptedRemovableMediaAction);
   }
 }
 
-- (void)remountUSBMode:(void (^)(NSArray*))block {
-  if (self.remountUSBMode) {
-    block(self.remountUSBMode);
+- (void)encryptedRemovableMediaRemountFlags:(void (^)(NSArray<NSString*>*))block {
+  if (self.encryptedRemovableMediaRemountFlags) {
+    block(self.encryptedRemovableMediaRemountFlags);
+  }
+}
+
+- (void)removableMediaRemountFlags:(void (^)(NSArray<NSString*>*))block {
+  if (self.removableMediaRemountFlags) {
+    block(self.removableMediaRemountFlags);
   }
 }
 

Source/common/SNTConfigBundleTest.mm

@@ -27,9 +27,10 @@ @interface SNTConfigBundle (Testing)
 @property NSNumber* syncType;
 @property NSString* allowlistRegex;
 @property NSString* blocklistRegex;
-@property NSNumber* blockUSBMount;
-@property NSNumber* blockUnencryptedRemovableMediaMount;
-@property NSArray* remountUSBMode;
+@property NSString* removableMediaAction;
+@property NSArray<NSString*>* removableMediaRemountFlags;
+@property NSString* encryptedRemovableMediaAction;
+@property NSArray<NSString*>* encryptedRemovableMediaRemountFlags;
 @property NSNumber* blockNetworkMount;
 @property NSString* bannedNetworkMountBlockMessage;
 @property NSArray<NSString*>* allowedNetworkMountHosts;
@@ -61,17 +62,18 @@ @implementation SNTConfigBundleTest
 
 - (void)testGettersWithValues {
   __block XCTestExpectation* exp = [self expectationWithDescription:@"Result Blocks"];
-  exp.expectedFulfillmentCount = 28;
+  exp.expectedFulfillmentCount = 29;
   NSDate* nowDate = [NSDate now];
 
   SNTConfigBundle* bundle = [[SNTConfigBundle alloc] init];
   bundle.clientMode = @(SNTClientModeLockdown);
   bundle.syncType = @(SNTSyncTypeNormal);
   bundle.allowlistRegex = @"allow";
   bundle.blocklistRegex = @"block";
-  bundle.blockUSBMount = @(YES);
-  bundle.blockUnencryptedRemovableMediaMount = @(YES);
-  bundle.remountUSBMode = @[ @"foo" ];
+  bundle.removableMediaAction = @"Block";
+  bundle.removableMediaRemountFlags = @[ @"foo" ];
+  bundle.encryptedRemovableMediaAction = @"Remount";
+  bundle.encryptedRemovableMediaRemountFlags = @[ @"rdonly" ];
   bundle.blockNetworkMount = @(YES);
   bundle.bannedNetworkMountBlockMessage = @"Network mount blocked";
   bundle.allowedNetworkMountHosts = @[ @"example.com", @"localhost" ];
@@ -116,18 +118,23 @@ - (void)testGettersWithValues {
     [exp fulfill];
   }];
 
-  [bundle blockUSBMount:^(BOOL val) {
-    XCTAssertNotEqual(val, NO);
+  [bundle removableMediaAction:^(NSString* val) {
+    XCTAssertEqualObjects(val, @"Block");
     [exp fulfill];
   }];
 
-  [bundle blockUnencryptedRemovableMediaMount:^(BOOL val) {
-    XCTAssertNotEqual(val, NO);
+  [bundle removableMediaRemountFlags:^(NSArray<NSString*>* val) {
+    XCTAssertEqualObjects(val, @[ @"foo" ]);
     [exp fulfill];
   }];
 
-  [bundle remountUSBMode:^(NSArray* val) {
-    XCTAssertEqualObjects(val, @[ @"foo" ]);
+  [bundle encryptedRemovableMediaAction:^(NSString* val) {
+    XCTAssertEqualObjects(val, @"Remount");
+    [exp fulfill];
+  }];
+
+  [bundle encryptedRemovableMediaRemountFlags:^(NSArray<NSString*>* val) {
+    XCTAssertEqualObjects(val, @[ @"rdonly" ]);
     [exp fulfill];
   }];
 
@@ -264,15 +271,19 @@ - (void)testGettersWithoutValues {
     XCTFail(@"This shouldn't be called");
   }];
 
-  [bundle blockUSBMount:^(BOOL val) {
+  [bundle removableMediaAction:^(NSString* val) {
+    XCTFail(@"This shouldn't be called");
+  }];
+
+  [bundle removableMediaRemountFlags:^(NSArray<NSString*>* val) {
     XCTFail(@"This shouldn't be called");
   }];
 
-  [bundle blockUnencryptedRemovableMediaMount:^(BOOL val) {
+  [bundle encryptedRemovableMediaAction:^(NSString* val) {
     XCTFail(@"This shouldn't be called");
   }];
 
-  [bundle remountUSBMode:^(NSArray* val) {
+  [bundle encryptedRemovableMediaRemountFlags:^(NSArray<NSString*>* val) {
     XCTFail(@"This shouldn't be called");
   }];
 

Source/common/SNTConfigurator.h

@@ -847,32 +847,47 @@ extern NSString* _Nonnull const kEnableMenuItemUserOverride;
 #pragma mark - USB Settings
 
 ///
-/// USB Mount Blocking. Defaults to false.
+/// The action to apply to all removable media. Defaults to Allow.
+/// If unset, falls back to deprecated BlockUSBMount + RemountUSBMode.
 ///
-@property(nonatomic, readonly) BOOL blockUSBMount;
+@property(nonatomic, readonly) SNTRemovableMediaAction removableMediaAction;
 
 ///
-///  Set the block USB mount state as received from a sync server.
+///  Set the removable media action as received from a sync server.
 ///
-- (void)setSyncServerBlockUSBMount:(BOOL)enabled;
+- (void)setSyncServerRemovableMediaAction:(nullable NSString*)action;
 
 ///
-/// If YES, unencrypted external USB storage devices will be blocked from mounting.
-/// Encrypted devices will be allowed (or remounted per RemountUSBMode).
-/// This setting is independent of BlockUSBMount. Defaults to NO.
+/// Mount flags for removable media when action is "Remount".
+/// If unset, falls back to deprecated RemountUSBMode.
 ///
-@property(nonatomic, readonly) BOOL blockUnencryptedRemovableMediaMount;
+@property(nullable, nonatomic, readonly) NSArray<NSString*>* removableMediaRemountFlags;
 
 ///
-///  Set the block unencrypted USB mount state as received from a sync server.
+///  Set the removable media remount flags as received from a sync server.
 ///
-- (void)setSyncServerBlockUnencryptedRemovableMediaMount:(BOOL)enabled;
+- (void)setSyncServerRemovableMediaRemountFlags:(nullable NSArray<NSString*>*)flags;
 
 ///
-/// Comma-separated `$ mount -o` arguments used for forced remounting of USB devices. Default
-/// to fully allow/deny without remounting if unset.
+/// The action to apply to encrypted removable media.
+/// If unset, encrypted volumes use removableMediaAction.
 ///
-@property(nullable, nonatomic) NSArray<NSString*>* remountUSBMode;
+@property(nonatomic, readonly) SNTRemovableMediaAction encryptedRemovableMediaAction;
+
+///
+///  Set the encrypted removable media action as received from a sync server.
+///
+- (void)setSyncServerEncryptedRemovableMediaAction:(nullable NSString*)action;
+
+///
+/// Mount flags for encrypted removable media when action is "Remount".
+///
+@property(nullable, nonatomic, readonly) NSArray<NSString*>* encryptedRemovableMediaRemountFlags;
+
+///
+///  Set the encrypted removable media remount flags as received from a sync server.
+///
+- (void)setSyncServerEncryptedRemovableMediaRemountFlags:(nullable NSArray<NSString*>*)flags;
 
 ///
 /// Network Mount Blocking. Defaults to false.