Add support for logging when codesigning has become invalidated for a process.
This adds support to the Recorder to log when codesigning is invalidated as reported by the Endpoint Security Framework's
ES_EVENT_TYPE_NOTIFY_CS_INVALIDATED event.
* Fix issue preventing rule import / export from working.
* Removed unused --json option from help string.
* Document that import and export as taking a path argument.
Previously the sync command required root in order to establish a connection to santad with enough privilege to use the XPC methods for adding rules. Now that santasyncservice exists this requirement is no longer necessary and there is no risk in allowing unprivileged users to initiate a sync.
We still ensure that privileges are dropped, just in case someone does execute as root.
* Allow per-policy and per-rule FAA URL and button text
* Add format string support to the custom URL. Added SNTBlockMessageTest.
* Add event URL to TTY message.
* Allow rule specific policy to "clear" global to remove buttons for the rule
* Remove extra beta label for FAA
* Support new config (and sync config) option to override file access action.
* Adopt override action config in file access client
* Add sync service and file access client tests
* Require override action to be specific values. Add new sync setting to docs.
* WIP: UI: open cert modal, hookup silence checkbox. Add cert helper funcs.
* Popup dialog on file access violation. Support config-based and custom messages.
* Send message to TTY on file access rule violation
* TTYWriter Write now takes an es_process_t. Fix async data lifespan issue.
* Dedupe TTY message printing per process per rule
* Some minor swift beautification
* Remove main app from dock when showing file access dialog
* Update header docs
* Remove define guards for ObjC header file
* Update Source/common/CertificateHelpers.h
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
* Fix comment typo
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
* Use #import for ObjC headers
* Use #import for ObjC header
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
* lint
* Comment use of escape sequences
---------
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
* Bump bazel and build_bazel_rules_apple versions
* Minor change in Source dir to trigger github build actions
* Declare some archives higher up due to deps changes
Add support for was_mmaped_writeable to file write monitoring when using macOS 13
In macOS 13 close events now have a new field was_mapped_writable that lets us
track if the file was mmaped writable. Often developer tools use mmap to
avoid large numbers of write syscalls (e.g. the go toolchain) and this improves
transitive allow listing with those tools.
Allows the string displaying the enum to format it using %d.
Fixes the error: `error: format specifies type 'int' but the argument has type 'T' [-Werror,-Wformat]`
* Add hot cache for file reads
* Clear cache on policy change
* Prevent unbounded cache growth
* Move cache impl to its own class
* Add some additional tests
* Cleanup
* Comment cleanup
* Switch to absl containers
* Use default absl::Hash instead of custom hasher
* Removing another reference to PairHash
* Remove unused imports
This allows a sync server to send a `custom_url` field along with a rule blocking execution and this will be used as the URL for the "open" button in place of the normally generated URL.
* Change backoff in SNTSyncStage.m to be exponential instead of linear
* Improves the log message to indicate that the job will ALWAYS abort after N retries. Previously, it was not clear why it would try 5 times and then give up.
* Bump DB version. Ensure proper casing for rule identifiers on insert.
* Minor comment fixes, more test cases
* Handle SigningIDs using the delimiter character
* lint
* PR feedback
