Fields like pid, ppid, execution_time, current_sessions, etc. are not supplied in Event uploads when the decision is BUNDLE_BINARY (i.e. Events generated by the bundle scanning service, rather than actual executions), so I have marked these as not required in the API definition.
A few other small formatting tidy-ups while I was there.
* Allow per-policy and per-rule FAA URL and button text
* Add format string support to the custom URL. Added SNTBlockMessageTest.
* Add event URL to TTY message.
* Allow rule specific policy to "clear" global to remove buttons for the rule
* Remove extra beta label for FAA
* Support new config (and sync config) option to override file access action.
* Adopt override action config in file access client
* Add sync service and file access client tests
* Require override action to be specific values. Add new sync setting to docs.
* WIP: UI: open cert modal, hookup silence checkbox. Add cert helper funcs.
* Popup dialog on file access violation. Support config-based and custom messages.
* Send message to TTY on file access rule violation
* TTYWriter Write now takes an es_process_t. Fix async data lifespan issue.
* Dedupe TTY message printing per process per rule
* Some minor swift beautification
* Remove main app from dock when showing file access dialog
* Update header docs
* Remove define guards for ObjC header file
* Update Source/common/CertificateHelpers.h
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
* Fix comment typo
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
* Use #import for ObjC headers
* Use #import for ObjC header
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
* lint
* Comment use of escape sequences
---------
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
* Bump bazel and build_bazel_rules_apple versions
* Minor change in Source dir to trigger github build actions
* Declare some archives higher up due to deps changes
The logupload stage was referred to in this document but was removed in #331.
FYI this document also refers to santactl performing syncs, which I believe is now handled by santasyncservice, but I am not familiar enough with it to document it, sorry.
Removes file_bundle_binary_count and file_bundle_hash from the Rule definition and examples
These were accidentally added to the Rule definition and examples, rather than to the Event section in #1130.
Co-authored-by: Pete Markowsky <pmarkowsky@users.noreply.github.com>
Added SigningID/TeamID to Event definition
Added SigningID and TeamID to the definition of Events in the EventUpload stage
Documented SigningID and TeamID in the definition of Events in the EventUpload stage
Add support for was_mapped_writable to file write monitoring when using macOS 13
In macOS 13 close events now have a new field was_mapped_writable that lets us
track if the file was mmaped writable. Often developer tools use mmap to
avoid large numbers of write syscalls (e.g. the go toolchain) and this improves
transitive allow listing with those tools.
Allows the string displaying the enum to format it using %d.
Fixes the error: `error: format specifies type 'int' but the argument has type 'T' [-Werror,-Wformat]`
* Add hot cache for file reads
* Clear cache on policy change
* Prevent unbounded cache growth
* Move cache impl to its own class
* Add some additional tests
* Cleanup
* Comment cleanup
* Switch to absl containers
* Use default absl::Hash instead of custom hasher
* Removing another reference to PairHash
* Remove unused imports
This allows a sync server to send a `custom_url` field along with a rule blocking execution, and this will be used as the URL for the "open" button in place of the normally generated URL.
* Change backoff in SNTSyncStage.m to be exponential instead of linear
* Improves the log message to indicate that the job will ALWAYS abort after N retries. Previously, it was not clear why it would try 5 times and then give up.
* Bump DB version. Ensure proper casing for rule identifiers on insert.
* Minor comment fixes, more test cases
* Handle SigningIDs using the delimiter character
* lint
* PR feedback