enhancement(santactl): can add and remove rule(s) now.

2026-04-24 03:00:12 -04:00 · 2014-12-29 17:20:56 +01:00
parent 2d1941dcff
commit 86cd6aa133
2 changed files with 179 additions and 0 deletions
--- a/Santa.xcodeproj/project.pbxproj
+++ b/Santa.xcodeproj/project.pbxproj
@@ -144,6 +144,7 @@
 		0DE50F6D191303E3007B2B0C /* SNTNotificationMessage.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DBE65F018BEA3CC00AC994C /* SNTNotificationMessage.m */; };
 		0DE50F6E191304E0007B2B0C /* SNTRule.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DE50F671912716A007B2B0C /* SNTRule.m */; };
 		0DE6788D1784A8C2007A9E52 /* SNTExecutionController.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DE6788C1784A8C2007A9E52 /* SNTExecutionController.m */; };
+		4092327A1A51B66400A04527 /* SNTCommandRule.m in Sources */ = {isa = PBXBuildFile; fileRef = 409232791A51B65D00A04527 /* SNTCommandRule.m */; };
 		8BFD9B39112F4D16B3D0EFFB /* libPods-LogicTests.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 752301D17AA44BDE8B6D0541 /* libPods-LogicTests.a */; };
 		E86AE075D7F24FB88FB627C5 /* libPods-santad.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 0A84545E322F475FA0B505D5 /* libPods-santad.a */; };
 /* End PBXBuildFile section */
@@ -333,6 +334,7 @@
 		0DE6788B1784A8C2007A9E52 /* SNTExecutionController.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SNTExecutionController.h; sourceTree = "<group>"; };
 		0DE6788C1784A8C2007A9E52 /* SNTExecutionController.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; lineEnding = 0; path = SNTExecutionController.m; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objc; };
 		13A4FE400F3857C0F5831498 /* Pods-LogicTests.debug.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-LogicTests.debug.xcconfig"; path = "Pods/Target Support Files/Pods-LogicTests/Pods-LogicTests.debug.xcconfig"; sourceTree = "<group>"; };
+		409232791A51B65D00A04527 /* SNTCommandRule.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = SNTCommandRule.m; path = rule/SNTCommandRule.m; sourceTree = "<group>"; };
 		627BB4EC9917DC20E89D718C /* Pods-santad.debug.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-santad.debug.xcconfig"; path = "Pods/Target Support Files/Pods-santad/Pods-santad.debug.xcconfig"; sourceTree = "<group>"; };
 		752301D17AA44BDE8B6D0541 /* libPods-LogicTests.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = "libPods-LogicTests.a"; sourceTree = BUILT_PRODUCTS_DIR; };
 		8003CA1D3E46447BCEA56440 /* Pods-santad.release.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-santad.release.xcconfig"; path = "Pods/Target Support Files/Pods-santad/Pods-santad.release.xcconfig"; sourceTree = "<group>"; };
@@ -433,6 +435,7 @@
 		0D35BDA018FD71CE00921A21 /* santactl */ = {
 			isa = PBXGroup;
 			children = (
+				409232751A51914400A04527 /* rule */,
 				0D35BDA118FD71CE00921A21 /* main.m */,
 				0D35BDAA18FD7CFD00921A21 /* SNTCommandController.h */,
 				0D35BDAB18FD7CFD00921A21 /* SNTCommandController.m */,
@@ -705,6 +708,14 @@
 			name = Pods;
 			sourceTree = "<group>";
 		};
+		409232751A51914400A04527 /* rule */ = {
+			isa = PBXGroup;
+			children = (
+				409232791A51B65D00A04527 /* SNTCommandRule.m */,
+			);
+			name = rule;
+			sourceTree = "<group>";
+		};
 /* End PBXGroup section */

 /* Begin PBXHeadersBuildPhase section */
@@ -1025,6 +1036,7 @@
 				0D42D2B919D2042900955F08 /* SNTConfigurator.m in Sources */,
 				0D10BE871A0AABD600C0C944 /* SNTDropRootPrivs.m in Sources */,
 				0DE4C8A618FF3B1700466D04 /* SNTCommandFlushCache.m in Sources */,
+				4092327A1A51B66400A04527 /* SNTCommandRule.m in Sources */,
 				0D416401191974F1006A356A /* SNTCommandSyncStatus.m in Sources */,
 				0DC5D871192160180078A5C0 /* SNTCommandSyncLogUpload.m in Sources */,
 				0D35BDA218FD71CE00921A21 /* main.m in Sources */,
--- a/Source/santactl/rule/SNTCommandRule.m
+++ b/Source/santactl/rule/SNTCommandRule.m
@@ -0,0 +1,167 @@
+/// Copyright 2014 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTCommandController.h"
+
+#include "SNTLogging.h"
+
+#import "SNTBinaryInfo.h"
+#import "SNTCertificate.h"
+#import "SNTCodesignChecker.h"
+
+#import "SNTRule.h"
+#import "SNTXPCConnection.h"
+#import "SNTXPCControlInterface.h"
+#import "SNTConfigurator.h"
+#import "SNTDropRootPrivs.h"
+
+
+@interface SNTCommandRule : NSObject<SNTCommand>
+@property SNTXPCConnection *daemonConn;
+@end
+
+@implementation SNTCommandRule
+
+REGISTER_COMMAND_NAME(@"rule");
+
+ (BOOL)requiresRoot {
+  return TRUE;
+}
+
+ (NSString *)shortHelpText {
+  return @"Adds a rule for the given binary or hash.";
+}
+
+ (NSString *)longHelpText {
+  return (@"santactl rules {add|remove}\n"
+          @"--whitelist: add to whitelist\n"
+          @"--blacklist: add to blacklist\n"
+          @"--silent-blacklist: add to silent blacklist\n"
+          @"--message {message}: custom message\n"
+          @"--path {path}: path of binary to add\n"
+          @"--sha1 {sha1}: hash to add\n"
+          );
+}
+
+ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
+  SNTConfigurator *config = [SNTConfigurator configurator];
+  
+  // Ensure we have no privileges
+  if (!DropRootPrivileges()) {
+    LOGE(@"Failed to drop root privileges. Exiting.");
+    exit(1);
+  }
+
+  NSString *action = [arguments firstObject];
+  
+  // add or remove
+  if (!action) {
+    LOGI(@"Missing action");
+    exit(1);
+  }
+
+  int state = RULESTATE_UNKNOWN;
+  
+  if ([action compare:@"add" options:NSCaseInsensitiveSearch] == NSOrderedSame) {
+  } else if ([action compare:@"remove" options:NSCaseInsensitiveSearch] == NSOrderedSame) {
+    state = RULESTATE_REMOVE;
+  } else {
+    LOGI(@"Unknown action, expected add or remove");
+    exit(1);
+  }
+  
+  NSString *customMsg = @"";
+  NSString *SHA1 = nil;
+  NSString *filePath = nil;
+  
+  // parse arguments
+  for (int i=1; i < [arguments count] ; i++ ) {
+    NSString* argument = [arguments objectAtIndex:i];
+    
+    if ([argument compare:@"--whitelist" options:NSCaseInsensitiveSearch] == NSOrderedSame) {
+      state = RULESTATE_WHITELIST;
+    } else if ([argument compare:@"--blacklist" options:NSCaseInsensitiveSearch] == NSOrderedSame) {
+      state = RULESTATE_BLACKLIST;
+    } else if ([argument compare:@"--silent-blacklist" options:NSCaseInsensitiveSearch] == NSOrderedSame) {
+      state = RULESTATE_SILENT_BLACKLIST;
+    } else if ([argument compare:@"--message" options:NSCaseInsensitiveSearch] == NSOrderedSame) {
+      if (++i > ([arguments count])) {
+        LOGI(@"No message specified");
+      }
+      
+      customMsg = [arguments objectAtIndex:i];
+    } else if ([argument compare:@"--path" options:NSCaseInsensitiveSearch] == NSOrderedSame) {
+      if (++i > ([arguments count])) {
+        LOGI(@"No path specified");
+      }
+      
+      filePath = [arguments objectAtIndex:i];
+    } else if ([argument compare:@"--sha1" options:NSCaseInsensitiveSearch] == NSOrderedSame) {
+      if (++i > ([arguments count])) {
+        LOGI(@"No sha1 specified");
+      }
+      
+      SHA1 = [arguments objectAtIndex:i];
+    } else {
+      LOGI(@"Unknown argument %@", argument);
+      exit(1);
+    }
+  }
+  
+  if (state == RULESTATE_UNKNOWN) {
+    LOGI(@"No state specified");
+    exit(1);
+  }
+  
+  if (filePath) {
+    BOOL directory;
+    if (![[NSFileManager defaultManager] fileExistsAtPath:filePath isDirectory:&directory]) {
+      LOGI(@"File does not exist");
+      exit(1);
+    }
+    
+    if (directory) {
+      LOGI(@"Not a regular file");
+      exit(1);
+    }
+    
+    // Convert to absolute, standardized path
+    filePath = [filePath stringByStandardizingPath];
+    if (![filePath isAbsolutePath]) {
+      NSString *cwd = [[NSFileManager defaultManager] currentDirectoryPath];
+      filePath = [cwd stringByAppendingPathComponent:filePath];
+    }
+    
+    SNTBinaryInfo *ftd = [[SNTBinaryInfo alloc] initWithPath:filePath];
+    SHA1 = [ftd.SHA1 copy];
+  } else if (SHA1) {
+  } else {
+    LOGI(@"No SHA1 or binary specified");
+    exit(1);
+  }
+  
+  SNTRule *newRule = [[SNTRule alloc] init];
+  newRule.SHA1 = SHA1;
+  newRule.state = state;
+  newRule.type = RULETYPE_BINARY;
+  newRule.customMsg = @"";
+  
+  [[daemonConn remoteObjectProxy] databaseRuleAddRule:newRule withReply:^{
+    LOGI(@"Added rule for SHA1: %@", [newRule SHA1]);
+  }];
+
+  exit(0);
+}
+
+@end