Disable the preserve_proto_field_names option when marshalling JSON requests, as this prevents the json_name attribute on fields from working properly. Add that attribute to all fields so that they marshal as expected. Stop setting the always_print_enums_as_ints field, as the value we're setting it to is the default anyway.
Also add a test that preflight request data looks as expected.
* Convert santa::santad::logs::endpoint_security::serializers::Utilities
* Convert santa::santad::logs::endpoint_security::writers
* Convert santa::santad::logs::endpoint_security::serializers
* Convert santa::santad::logs::endpoint_security and santatest
* Lint
* Change type alias names to not conflict with sysinfo.h
* WIP Basic new enriched types, hooked up serializers
* WIP Expanded enriched types, finished basic string logging
* WIP Standardize instigator and event user strings.
* WIP Remove sudo event for now. Fix proto types.
* Update proto field names. Fix builds on older SDKs.
* Fix more issues with builds on older SDKs.
* Even more build fixes for older SDKs
* Fix basic string test build on older SDKs
* More fixes for older SDKs
* WIP Started on proto encoding and tests
* WIP expanded proto support for new events
* Lint. Fix recorder tests for missing event types
* WIP continued expanding proto support for new events
* WIP finished proto support for all new event types
* WIP Comment all new messages and fields in santa.proto
* WIP Use different impl to set strings to sidestep internal absl issues
* Temporarily removing serializer impls and tests to reduce PR size
* Lint fixes
* PR feedback
Prior to this change, root users could kill the com.google.santa.daemon process.
It would be immediately restarted by sysextd but this opens a very brief
window where protection is lost. Hooking AUTH_SIGNAL and blocking all
signals to the santad process except those sent by launchd lets us block
this without breaking upgrades, reboots, etc.
This leaves `launchctl kill` and friends as an avenue, so we're also
hooking for exec and blocking executions of launchctl that reference
com.google.santa.daemon except in known safe cases.
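The two authorization decisions described above, written out as a small self-contained model (this is an added example, not Santa's own code; the constructed events, the `/bin/launchctl` path check, the `santad_pid` parameter and the caller-supplied `safe_argvs` allowlist are assumptions, since the page does not spell out the "known safe cases"):

```cpp
// Added example (not Santa's code): model of the AUTH_SIGNAL and exec
// decisions described in the commit message. Everything here is a
// constructed stand-in for what an Endpoint Security client would see.
#include <iostream>
#include <string>
#include <sys/types.h>
#include <vector>

namespace santad_guard_example {

constexpr pid_t kLaunchdPid = 1;  // launchd is always pid 1 on macOS
const std::string kDaemonLabel = "com.google.santa.daemon";

enum class Decision { kAllow, kDeny };

struct SignalEvent {
  pid_t target_pid;  // process receiving the signal
  pid_t source_pid;  // process sending the signal
  int signo;
};

struct ExecEvent {
  std::string path;               // executable being launched
  std::vector<std::string> argv;  // full argument vector
};

// AUTH_SIGNAL policy: any signal aimed at santad is denied unless it comes
// from launchd, so upgrades/reboots (driven by launchd) keep working while
// a root shell's `kill -9` does not.
Decision AuthorizeSignal(const SignalEvent& ev, pid_t santad_pid) {
  if (ev.target_pid != santad_pid) return Decision::kAllow;
  return ev.source_pid == kLaunchdPid ? Decision::kAllow : Decision::kDeny;
}

// Assumed path check; a real client would compare against the resolved
// executable rather than a fixed string.
bool IsLaunchctl(const std::string& path) { return path == "/bin/launchctl"; }

bool ReferencesDaemon(const std::vector<std::string>& argv) {
  for (const auto& arg : argv) {
    if (arg.find(kDaemonLabel) != std::string::npos) return true;
  }
  return false;
}

// AUTH_EXEC policy: launchctl invocations that mention the santad label are
// denied unless the argv exactly matches one of the caller's safe cases.
// `safe_argvs` is an assumed parameter standing in for Santa's own list.
Decision AuthorizeExec(const ExecEvent& ev,
                       const std::vector<std::vector<std::string>>& safe_argvs) {
  if (!IsLaunchctl(ev.path)) return Decision::kAllow;
  if (!ReferencesDaemon(ev.argv)) return Decision::kAllow;
  for (const auto& safe : safe_argvs) {
    if (safe == ev.argv) return Decision::kAllow;
  }
  return Decision::kDeny;
}

}  // namespace santad_guard_example

int main() {
  using namespace santad_guard_example;
  const pid_t santad_pid = 500;  // constructed pid for santad

  SignalEvent from_root{santad_pid, 4242, 9};
  SignalEvent from_launchd{santad_pid, kLaunchdPid, 15};
  std::cout << "kill -9 from pid 4242: "
            << (AuthorizeSignal(from_root, santad_pid) == Decision::kDeny ? "deny" : "allow")
            << "\n";
  std::cout << "SIGTERM from launchd: "
            << (AuthorizeSignal(from_launchd, santad_pid) == Decision::kDeny ? "deny" : "allow")
            << "\n";

  ExecEvent kill_via_launchctl{
      "/bin/launchctl", {"launchctl", "kill", "SIGKILL", "system/" + kDaemonLabel}};
  std::cout << "launchctl kill of santad: "
            << (AuthorizeExec(kill_via_launchctl, {}) == Decision::kDeny ? "deny" : "allow")
            << "\n";
  return 0;
}
```

The signal check keys purely on the sender's pid; the exec check scans every argument for the label so that `launchctl kill`, `launchctl unload` and similar spellings are all caught by the same rule, with the safe-case allowlist as the only escape hatch.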
* Add metrics for stat change detection
* Fix test related issues due to partially constructed messages
* lint
* Convert errno to enum class StatResult
* Cleanup from PR feedback
Bumping from BACKGROUND to DEFAULT had the desired impact of processing events faster and reducing memory usage but had a larger-than-expected increase in CPU usage. UTILITY is in the middle of these two and better fits the desired priority.
The use of the background queue is a historical artifact from when Santa had its own kernel extension with separate in-kernel queues for processing AUTH & NOTIFY type events. With the move to ES and the larger number of event types that we now notify on, running at the background QoS carries a small risk that the thread processing these events is not given a chance to run often enough, so that the queue grows and increases memory usage.
* Update SNTPolicyProcessor to use a map instead of a giant switch statement
Update SNTPolicyProcessor to use a map instead of a giant switch statement.
Add unit tests for the method that sets SNTCachedDecision values.
* Remove unnecessary OCMock dep in BUILD file.
* Fix typo in method signature.
* Incorporate review feedback.
* Upper case UpdateCachedDecisionSigningInfo
* Update SNTPolicyProcessor.h
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
* Update SNTPolicyProcessor.mm
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
* Fix typo
* Fix linter issues.
* Fixed up more linter issues.
---------
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
This includes updating to rules_apple 3.5.1 and protobuf 26.1, as well as updating several tests to no longer use the data attribute to pass in testdata.
* Change the behavior of addedRulesShouldFlushDecisionCache to flush when 1000 non-allowlist rules are added or a remove rule is encountered or any new non-allowlist rules are added
* Add tests for cache flushing behavior.
* process annotations: thread the tree through santa
* Update enricher to read annotations from the ProcessTree
* rebase changes
* add configuration for annotations, disabling the tree entirely if none are enabled
* lingering build dep
* use tree factory constructor
* fix configurator
* build fixes
* rebase fixes
* fix tests
* review comments
* lint
* English hard
* record metrics even when event only used for process tree
* ProcessTree: add macos-specific loader and event adapter
* lingering darwin->macos
* lint
* remove defunct client id
* struct rename
* and one last header update
* use EndpointSecurityAPI in adapter
* expose esapi in message
* Responses to events about to exceed deadline should respect FailClosed
* Only respect FailClosed when in Lockdown mode. Update docs.
* FailClosed in Configurator now wraps checking client mode
* PR feedback
* Fix execution controller tests with new FailClosed logic
* ProcessTree: add core process tree logic
* make Step implicitly called by Handle* methods
* lint
* naming convention
* widen pidversion to be generic
* move os specific backfill to os specific impl
* simplify ts checking
* retain/release a whole vec of pids
* document processtoken
* lint
* namespace
* add process tree to project-wide unit test target
* case change annotations
* case change annotations
* remove stray comment
* default initialize seen_timestamps
* fix missing initialization of refcnt and tombstoned
* reshuffle pb namespace
* pr review
* move annotation registration to tree construction
* use factory function for tree construction