From ac7b95ceb650397cf4dfac57db5fee2d01adeecf Mon Sep 17 00:00:00 2001
From: Tom Burgin
Date: Fri, 25 May 2018 10:47:48 -0400
Subject: [PATCH] santa-driver: do not invalidate cached decisions on KAUTH_VNODE_ACCESS (#266)
* santa-driver: do not invalidate cached decisions on KAUTH_VNODE_ACCESS
* downtown
---
 Source/santa-driver/SantaDecisionManager.cc | 10 ++++---
 Source/santa-driver/SantaDecisionManager.h | 33 ++++++++++-----------
 2 files changed, 22 insertions(+), 21 deletions(-)
diff --git a/Source/santa-driver/SantaDecisionManager.cc b/Source/santa-driver/SantaDecisionManager.cc
index e7e92885..8a7ffe15 100644
--- a/Source/santa-driver/SantaDecisionManager.cc
+++ b/Source/santa-driver/SantaDecisionManager.cc
@@ -497,9 +497,7 @@ void SantaDecisionManager::FileOpCallback(
 auto vnode_id = GetVnodeIDForVnode(context, vp);
 vfs_context_rele(context);
- if (action == KAUTH_FILEOP_CLOSE) {
- RemoveFromCache(vnode_id);
- } else if (action == KAUTH_FILEOP_EXEC) {
+ if (action == KAUTH_FILEOP_EXEC) {
 auto message = NewMessage(nullptr);
 message->vnode_id = vnode_id;
 message->action = ACTION_NOTIFY_EXEC;
@@ -615,8 +613,12 @@ extern "C" int vnode_scope_callback(
 reinterpret_cast(arg3));
 sdm->DecrementListenerInvocations();
 return result;
- } else if (action & KAUTH_VNODE_WRITE_DATA) {
+ } else if (action & KAUTH_VNODE_WRITE_DATA || action & KAUTH_VNODE_APPEND_DATA) {
 sdm->IncrementListenerInvocations();
+ if (!(action & KAUTH_VNODE_ACCESS)) {
+ auto vnode_id = sdm->GetVnodeIDForVnode(reinterpret_cast(arg0), vp);
+ sdm->RemoveFromCache(vnode_id);
+ }
 char path[MAXPATHLEN];
 int pathlen = MAXPATHLEN;
 vn_getpath(vp, path, &pathlen);
diff --git a/Source/santa-driver/SantaDecisionManager.h b/Source/santa-driver/SantaDecisionManager.h
index 4914d4a1..7a3c8f7e 100644
--- a/Source/santa-driver/SantaDecisionManager.h
+++ b/Source/santa-driver/SantaDecisionManager.h
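Review bot: Dropping the `KAUTH_FILEOP_CLOSE` branch leaves no invalidation after a write has actually finished; the only `RemoveFromCache` call left in this patch is the one added in `vnode_scope_callback`, which runs when the write is authorized rather than when it completes. If a decision for the same vnode is cached between that authorization and the writer closing the file, it would stay valid for content that has since changed. Consider keeping a close-time invalidation restricted to modified files, calling `RemoveFromCache(vnode_id)` on `KAUTH_FILEOP_CLOSE` only when the close flags include `KAUTH_FILEOP_CLOSE_MODIFIED`. `FileOpCallback` starts and ends outside this hunk, so the name of the flag argument is not visible here.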
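Review bot: The new `KAUTH_VNODE_ACCESS` test needs a comment explaining why those requests keep the cached decision, for example `// KAUTH_VNODE_ACCESS is an advisory check; no write follows, so the cached decision stays valid`. The branch condition would also read more clearly as a single mask test, `} else if (action & (KAUTH_VNODE_WRITE_DATA | KAUTH_VNODE_APPEND_DATA)) {`. The lines after the new block (`vn_getpath` onward) still run for advisory requests; whether that is intended cannot be judged from this hunk, because the branch continues past it.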
@@ -115,6 +115,22 @@ class SantaDecisionManager : public OSObject {
 /// Decrements the count of active callbacks pending.
 void DecrementListenerInvocations();
+ /**
+ Fetches the vnode_id for a given vnode.
+
+ @param ctx The VFS context to use.
+ @param vp The Vnode to get the ID for
+ @return uint64_t The Vnode ID as a 64-bit unsigned int.
+ */
+ static inline uint64_t GetVnodeIDForVnode(const vfs_context_t ctx, const vnode_t vp) {
+ struct vnode_attr vap;
+ VATTR_INIT(&vap);
+ VATTR_WANTED(&vap, va_fsid);
+ VATTR_WANTED(&vap, va_fileid);
+ vnode_getattr(vp, &vap, ctx);
+ return (((uint64_t)vap.va_fsid << 32) | vap.va_fileid);
+ }
+
 /**
 Vnode Callback
@@ -214,23 +230,6 @@ class SantaDecisionManager : public OSObject {
 */
 bool PostToLogQueue(santa_message_t *message);
- /**
- Fetches the vnode_id for a given vnode.
-
- @param ctx The VFS context to use.
- @param vp The Vnode to get the ID for
- @return uint64_t The Vnode ID as a 64-bit unsigned int.
- */
- static inline uint64_t GetVnodeIDForVnode(
- const vfs_context_t ctx, const vnode_t vp) {
- struct vnode_attr vap;
- VATTR_INIT(&vap);
- VATTR_WANTED(&vap, va_fsid);
- VATTR_WANTED(&vap, va_fileid);
- vnode_getattr(vp, &vap, ctx);
- return (((uint64_t)vap.va_fsid << 32) | vap.va_fileid);
- }
-
 /**
 Creates a new santa_message_t with some fields pre-filled.
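Review bot: `GetVnodeIDForVnode` ignores the result of `vnode_getattr`, so when the call fails `va_fsid` and `va_fileid` may be read without having been filled in and the returned ID is arbitrary. With this patch the ID also selects which entry `RemoveFromCache` drops on the write path, so a failed lookup would leave the stale decision cached. Check the return value (and `VATTR_IS_SUPPORTED` for both fields) before building the ID, e.g. `if (vnode_getattr(vp, &vap, ctx) != 0) return 0;`, with callers treating 0 as "no ID" if that value is otherwise unused. Separately, `va_fileid` is OR-ed in unmasked, so a file ID wider than 32 bits would overlap the `va_fsid` half of the key; that deserves at least a comment on the `return` line.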