macOS 15 alf support

[lucasmrod]

Fixes #8395, with three columns marked as not supported (details documented in genALFFromSystemProfiler):

// Currently on macOS 15+ osquery supports the following 'alf' columns:
//
// 'global_state', 'stealth_enabled', 'logging_enabled', and 'version'.
// These columns are populated from information gathered from system_profiler's
// "SPFirewallDataType".
//
// 'alf' columns that are not supported (returned empty) on macOS 15+:
//
//  - 'allow_signed_enabled': (As of September 24th, 2024) This setting is only
//  exposed through
//    executing '/usr/libexec/ApplicationFirewall/socketfilterfw
//    --getallowsigned'.
//  - 'logging_option': Quote from https://support.apple.com/en-jo/121011: "The
//  EnableLogging and
//    LoggingOption keys in the Firewall payload are deprecated and no longer
//    necessary. Application Firewall logging is increased by default for the
//    socketfilterfw process."
//  - 'firewall_unload': This does not seem available on system_profiler's
//  "SPFirewallDataType"
//    or the socketfilterfw command.

Tables alf_exceptions and alf_explicit_auths are also not returning results on macOS 15+ (because they read from the same plist that doesn't exist anymore). I wanted to keep this PR as small as possible because the main alf table is probably the most important setting to support. Issues:

• Table alf_exceptions returns no results on macOS 15 #8432
• Table alf_explicit_auths returns no results on macOS 15 #8433

[zwass]

The approach lgtm. Let's add a test and merge it!

[lucasmrod]

@zwass Sanity test added.

[directionless]

My memory is that there's some effort to avoid calling SQL select from within tables -- it's part of some long range issue around test size, and include files. But since I know we do it a bunch, and I don't offhand know the alternative, I'm not blocking over it

[Smjert]

The better alternative is to export the common logic needed from the tables in utility functions, instead of using SQL and the tables.
In some cases it's a matter of performance, in other it's a matter of unnecessary (or even problematic) dependencies among tables or other parts of codes.

The worse offender is the core depending on tables. It's a dependency loop and affects that necessity we have to include all symbols from archive files when linking, even if actually unused, which in turn causes test binaries to be unnecessarily big, slowing down compilation and hitting disk limits.

[lucasmrod]

Sounds like some overall effort is needed to refactor all of them. Otherwise people like me will keep mimicking existing code :)

[Smjert]

Yeah it's a process that I started multiple times, arriving also at seeing the improvements in size (3x reduction was the minimum), but time is an issue when doing it all together.

That being said, converting tables one by one can still be done, and then a policy to avoid getting more.
It's mostly a matter on the reviewers being on the same page on what's the direction.