Add the option to ignore actions from other ES clients (#498)

* [com.google.santa.daemon]: add the option to ignore actions from other ES clients * review updates * review updates
2026-04-24 03:00:12 -04:00 · 2020-10-21 13:20:13 -04:00
parent db1d65f944
commit d2bbdff373
4 changed files with 28 additions and 2 deletions
--- a/Source/common/SNTConfigurator.h
+++ b/Source/common/SNTConfigurator.h
@@ -320,6 +320,11 @@
 ///
@property(readonly, nonatomic) BOOL enableForkAndExitLogging;

+///
+///  If true, ignore actions from other endpoint security clients. Defaults to false. This only applies when running as a sysx.
+///
+@property(readonly, nonatomic) BOOL ignoreOtherEndpointSecurityClients;
+
 ///
 ///  Retrieve an initialized singleton configurator object using the default file path.
 ///
--- a/Source/common/SNTConfigurator.m
+++ b/Source/common/SNTConfigurator.m
@@ -79,6 +79,7 @@ static NSString *const kEnableMachineIDDecoration = @"EnableMachineIDDecoration"
 static NSString *const kEnableSystemExtension = @"EnableSystemExtension";

 static NSString *const kEnableForkAndExitLogging = @"EnableForkAndExitLogging";
+static NSString *const kIgnoreOtherEndpointSecurityClients = @"IgnoreOtherEndpointSecurityClients";

 // The keys managed by a sync server or mobileconfig.
 static NSString *const kClientModeKey = @"ClientMode";
@@ -152,6 +153,7 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
      kEnableMachineIDDecoration : number,
      kEnableSystemExtension : number,
      kEnableForkAndExitLogging : number,
+      kIgnoreOtherEndpointSecurityClients : number,
    };
    _defaults = [NSUserDefaults standardUserDefaults];
    [_defaults addSuiteNamed:@"com.google.santa"];
@@ -326,6 +328,10 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
  return [self configStateSet];
 }

+ (NSSet *)keyPathsForValuesAffectingIgnoreOtherEndpointSecurityClients {
+  return [self configStateSet];
+}
+
 #pragma mark Public Interface

 - (SNTClientMode)clientMode {
@@ -570,6 +576,11 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
  return number ? [number boolValue] : NO;
 }

+- (BOOL)ignoreOtherEndpointSecurityClients {
+  NSNumber *number = self.configState[kIgnoreOtherEndpointSecurityClients];
+  return number ? [number boolValue] : NO;
+}
+
 #pragma mark Private

 ///
--- a/Source/santad/EventProviders/SNTEndpointSecurityManager.mm
+++ b/Source/santad/EventProviders/SNTEndpointSecurityManager.mm
@@ -77,10 +77,20 @@

    es_client_t *client = NULL;
    es_new_client_result_t ret = es_new_client(&client, ^(es_client_t *c, const es_message_t *m) {
+      pid_t pid = audit_token_to_pid(m->process->audit_token);
+
+      // If enabled, skip any action generated from another endpoint security client.
+      if (m->process->is_es_client && config.ignoreOtherEndpointSecurityClients) {
+        if (m->action_type == ES_ACTION_TYPE_AUTH) {
+          es_respond_auth_result(self.client, m, ES_AUTH_RESULT_ALLOW, true);
+        }
+        LOGD(@"Skipping action from es_client pid: %d", pid);
+        return;
+      }
+
      // Perform the following checks on this serial queue.
      // Some checks are simple filters that avoid copying m.
      // However, the bulk of the work done here is to support transitive whitelisting.
-      pid_t pid = audit_token_to_pid(m->process->audit_token);
      switch (m->event_type) {
        case ES_EVENT_TYPE_NOTIFY_EXEC: {
          // Deny results are currently logged when ES_EVENT_TYPE_AUTH_EXEC posts a deny.
--- a/version.bzl
+++ b/version.bzl
@@ -1,3 +1,3 @@
 """The version for all Santa components."""

-SANTA_VERSION = "1.14"
+SANTA_VERSION = "1.15"