SantaGUI: Fix message text. Add support for Dark Mode. (#354)

* starlark format

* Source/santa-driver -> Source/santa_driver

* buildifier

* kernel_tests unloads the driver

* review updates

* review updates

.bazelrc

@@ -0,0 +1 @@
+build --apple_generate_dsym --define=apple.propagate_embedded_extra_outputs=yes

.clang-format

@@ -0,0 +1,22 @@
+BasedOnStyle: Google
+Language: Cpp
+Standard: Cpp11
+
+# Disable ColumnLimit because it causes some very weird line breaks.
+# For ObjC the limit is 100
+# For Cpp  the limit is 80
+ColumnLimit: 0
+
+# Allow short case statements to be on a single line
+AllowShortCaseLabelsOnASingleLine: true
+
+# Ban short loops and functions on a single line
+AllowShortLoopsOnASingleLine: false
+AllowShortFunctionsOnASingleLine: false
+
+# Allow spaces in NSArray/NSDictionary literals @[ and @{
+SpacesInContainerLiterals: true
+
+# For pointers, always put the * next to the variable name.
+DerivePointerAlignment: false
+PointerAlignment: Right

.gitignore

@@ -1,8 +1,3 @@
 .DS_Store
-Build
-Dist
-Pods
-Santa.xcodeproj/xcuserdata
-Santa.xcodeproj/project.xcworkspace
-Santa.xcworkspace/xcuserdata
-Santa.xcworkspace/xcshareddata
+default.profraw
+bazel-*

.travis.yml

@@ -0,0 +1,12 @@
+---
+language: objective-c
+sudo: false
+
+addons:
+  homebrew:
+    taps: bazelbuild/tap
+    packages: bazelbuild/tap/bazel
+
+script:
+ - bazel build :release --show_progress_rate_limit=30.0 -c opt --apple_generate_dsym --color=no --verbose_failures --sandbox_debug
+ - bazel test :unit_tests --show_progress_rate_limit=30.0 --test_output=errors --color=no --verbose_failures --sandbox_debug

BUILD

@@ -0,0 +1,158 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])  # Apache 2.0
+
+exports_files(["LICENSE"])
+
+load("@build_bazel_rules_apple//apple:versioning.bzl", "apple_bundle_version")
+load("//:helper.bzl", "run_command")
+load("//:version.bzl", "SANTA_VERSION")
+
+# The version label for mac_* rules.
+apple_bundle_version(
+    name = "version",
+    build_version = SANTA_VERSION,
+    short_version_string = SANTA_VERSION,
+)
+
+# Used to detect optimized builds
+config_setting(
+    name = "opt_build",
+    values = {"compilation_mode": "opt"},
+)
+
+################################################################################
+# Loading/Unloading/Reloading
+################################################################################
+run_command(
+    name = "unload",
+    cmd = """
+sudo launchctl unload /Library/LaunchDaemons/com.google.santad.plist 2>/dev/null
+sudo kextunload -b com.google.santa-driver 2>/dev/null
+launchctl unload /Library/LaunchAgents/com.google.santagui.plist 2>/dev/null
+""",
+)
+
+run_command(
+    name = "load",
+    cmd = """
+sudo launchctl load /Library/LaunchDaemons/com.google.santad.plist
+launchctl load /Library/LaunchAgents/com.google.santagui.plist
+""",
+)
+
+run_command(
+    name = "reload",
+    srcs = ["//Source/santa_driver"],
+    cmd = """
+set -e
+
+rm -rf /tmp/bazel_santa_reload
+unzip -d /tmp/bazel_santa_reload \
+    $${BUILD_WORKSPACE_DIRECTORY}/bazel-bin/Source/santa_driver/santa_driver.zip >/dev/null
+echo "You may be asked for your password for sudo"
+sudo BINARIES=/tmp/bazel_santa_reload CONF=$${BUILD_WORKSPACE_DIRECTORY}/Conf \
+    $${BUILD_WORKSPACE_DIRECTORY}/Conf/install.sh
+rm -rf /tmp/bazel_santa_reload
+echo "Time to stop being naughty"
+""",
+)
+
+################################################################################
+# Release rules - used to create a release tarball
+################################################################################
+genrule(
+    name = "release",
+    srcs = [
+        "//Source/santa_driver",
+        "Conf/install.sh",
+        "Conf/uninstall.sh",
+        "Conf/com.google.santad.plist",
+        "Conf/com.google.santagui.plist",
+        "Conf/com.google.santa.asl.conf",
+        "Conf/com.google.santa.newsyslog.conf",
+        "Conf/Package/Makefile",
+        "Conf/Package/postinstall",
+        "Conf/Package/preinstall",
+    ],
+    outs = ["santa-" + SANTA_VERSION + ".tar.gz"],
+    cmd = select({
+        "//conditions:default": """
+        echo "ERROR: Trying to create a release tarball without optimization."
+        echo "Please add '-c opt' flag to bazel invocation"
+        """,
+        ":opt_build": """
+      # Extract santa_driver.zip
+      for SRC in $(SRCS); do
+        if [[ $$(basename $${SRC}) == "santa_driver.zip" ]]; then
+          mkdir -p $(@D)/binaries
+          unzip -q $${SRC} -d $(@D)/binaries >/dev/null
+        fi
+      done
+
+      # Copy config files
+      for SRC in $(SRCS); do
+        if [[ "$$(dirname $${SRC})" == *"Conf" ]]; then
+          mkdir -p $(@D)/conf
+          cp $${SRC} $(@D)/conf/
+        fi
+      done
+
+      # Gather together the dSYMs. Throw an error if no dSYMs were found
+      for SRC in $(SRCS); do
+        case $${SRC} in
+          *santa-driver.kext.dSYM*Info.plist)
+            mkdir -p $(@D)/dsym
+            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santa-driver.kext.dSYM
+            ;;
+          *santad.dSYM*Info.plist)
+            mkdir -p $(@D)/dsym
+            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santad.dSYM
+            ;;
+          *santactl.dSYM*Info.plist)
+            mkdir -p $(@D)/dsym
+            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santactl.dSYM
+            ;;
+          *santabs.xpc.dSYM*Info.plist)
+            mkdir -p $(@D)/dsym
+            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santabs.xpc.dSYM
+            ;;
+          *Santa.app.dSYM*Info.plist)
+            mkdir -p $(@D)/dsym
+            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/Santa.app.dSYM
+            ;;
+        esac
+      done
+
+      # Cause a build failure if the dSYMs are missing.
+      if [[ ! -d "$(@D)/dsym" ]]; then
+        echo "dsym dir missing: Did you forget to use --apple_generate_dsym?"
+        echo "This flag is required for the 'release' target."
+        exit 1
+      fi
+
+      # Update all the timestamps to now. Bazel avoids timestamps to allow
+      # builds to be hermetic and cacheable but for releases we want the
+      # timestamps to be more-or-less correct.
+      find $(@D)/{binaries,conf,dsym} -exec touch {} \;
+
+      # Create final output tar
+      tar -C $(@D) -czpf $(@) binaries dsym conf
+    """,
+    }),
+    heuristic_label_expansion = 0,
+)
+
+test_suite(
+    name = "unit_tests",
+    tests = [
+        "//Source/common:SNTFileInfoTest",
+        "//Source/santa_driver:SantaCacheTest",
+        "//Source/santa_driver:SantaPrefixTreeTest",
+        "//Source/santactl:SNTCommandFileInfoTest",
+        "//Source/santactl:SNTCommandSyncTest",
+        "//Source/santad:SNTEventTableTest",
+        "//Source/santad:SNTExecutionControllerTest",
+        "//Source/santad:SNTRuleTableTest",
+    ],
+)

CONTRIBUTING.md

@@ -25,6 +25,12 @@ tests beforehand, which you can do with the following commands:
 rake tests:logic
 rake tests:kernel  # only necessary if you're changing the kext code
 ```
+### Code Style
+
+All code submissions should try to match the surrounding code.  Wherever possible,
+code should adhere to either the
+[Google Objective-C Style Guide](https://google.github.io/styleguide/objcguide.xml)
+or the [Google C++ Style Guide](https://google.github.io/styleguide/cppguide.html).
 
 ### The small print
 Contributions made by corporations are covered by a different agreement than

Conf/Package/Makefile

@@ -0,0 +1,95 @@
+#
+#  Package Makefile for Santa
+#  Requires TheLuggage (github.com/unixorn/luggage) to be installed
+#
+#  Will generate a package based on the latest release. You can replace
+#  the PACKAGE_VERSION variable with a specific variable instead if you wish.
+#
+
+LUGGAGE:=/usr/local/share/luggage/luggage.make
+include ${LUGGAGE}
+
+TITLE:=santa
+REVERSE_DOMAIN:=com.google
+
+# Get latest Release version using the GitHub API. Each release is bound to a
+# git tag, which should always be a semantic version number. The most recent
+# release is always first in the API result.
+PACKAGE_VERSION:=$(shell curl -fs https://api.github.com/repos/google/santa/releases |\
+	python -c 'import json, sys; print json.load(sys.stdin)[0]["tag_name"]' 2>/dev/null)
+
+# Get the download URL for the latest Release. Each release should have a
+# tarball named santa-$version.tar.bz2 containing all of the files associated
+# with that release. The tarball layout is:
+#
+#   santa-$version.tar.bz2
+#   +--santa-$version
+#         |-- binaries
+#         |    |-- santa-driver.kext
+#         |    |-- Santa.app
+#         |-- conf
+#         |    |-- install.sh
+#         |    |-- com.google.santad.plist
+#         |    |-- com.google.santagui.plist
+#         |    +-- com.google.santa.asl.conf
+#         |    +-- com.google.santa.newsyslog.conf
+#         +--dsym
+#              |-- santa-driver.kext.dSYM
+#              |-- Santa.app.dSYM
+#              |-- santad.dSYM
+#              +-- santactl.dSYM
+PACKAGE_DOWNLOAD_URL:="https://github.com/google/santa/releases/download/${PACKAGE_VERSION}/santa-${PACKAGE_VERSION}.tar.bz2"
+
+PAYLOAD:=pack-Library-Extensions-santa-driver.kext \
+	pack-applications-Santa.app \
+	pack-Library-LaunchDaemons-com.google.santad.plist \
+	pack-Library-LaunchAgents-com.google.santagui.plist \
+	pack-etc-asl-com.google.santa.asl.conf \
+	pack-etc-newsyslog.d-com.google.santa.newsyslog.conf \
+	pack-script-preinstall \
+	pack-script-postinstall
+
+santa-driver.kext: download
+Santa.app: download
+com.google.santad.plist: download
+com.google.santagui.plist: download
+com.google.santa.asl.conf: download
+com.google.santa.newsyslog.conf: download
+
+download:
+	$(if $(PACKAGE_VERSION),, $(error GitHub API returned unexpected result. Wait a while and try again))
+
+	@curl -fL ${PACKAGE_DOWNLOAD_URL} | tar xvj --strip=2
+	@rm -rf *.dSYM
+
+pack-etc-asl-com.google.santa.asl.conf: com.google.santa.asl.conf l_private_etc
+	@sudo mkdir -p ${WORK_D}/private/etc/asl
+	@sudo chown root:wheel ${WORK_D}/private/etc/asl
+	@sudo chmod 755 ${WORK_D}/private/etc/asl
+	@sudo install -m 644 -o root -g wheel com.google.santa.asl.conf ${WORK_D}/private/etc/asl
+
+pack-etc-newsyslog.d-com.google.santa.newsyslog.conf: com.google.santa.newsyslog.conf l_private_etc
+	@sudo mkdir -p ${WORK_D}/private/etc/newsyslog.d
+	@sudo chown root:wheel ${WORK_D}/private/etc/newsyslog.d
+	@sudo chmod 755 ${WORK_D}/private/etc/newsyslog.d
+	@sudo install -m 644 -o root -g wheel com.google.santa.newsyslog.conf ${WORK_D}/private/etc/newsyslog.d
+
+pack-Library-Extensions-santa-driver.kext: santa-driver.kext l_Library
+	@sudo mkdir -p ${WORK_D}/Library/Extensions
+	@sudo ${DITTO} --noqtn santa-driver.kext ${WORK_D}/Library/Extensions/santa-driver.kext
+	@sudo chown -R root:wheel ${WORK_D}/Library/Extensions/santa-driver.kext
+	@sudo chmod -R 755 ${WORK_D}/Library/Extensions/santa-driver.kext
+
+clean: myclean
+
+myclean:
+	@rm -rf *.dSYM
+	@rm -rf Santa.app
+	@rm -rf santa-driver.kext
+	@rm -f config.plist
+	@rm -f com.google.santa.asl.conf
+	@rm -f com.google.santa.newsyslog.conf
+	@rm -f com.google.santad.plist
+	@rm -f com.google.santagui.plist
+	@rm -f install.sh
+	@rm -f uninstall.sh

Conf/Package/postinstall

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Load the kernel extension, santad, sync client
+# If a user is logged in, also load the GUI agent.
+# If the target volume is not /, do nothing
+
+[[ $3 != "/" ]] && exit 0
+
+# Restart syslogd to pick up ASL configuration change
+/usr/bin/killall -HUP syslogd
+
+/sbin/kextload /Library/Extensions/santa-driver.kext
+
+sleep 1
+
+/bin/launchctl load -w /Library/LaunchDaemons/com.google.santad.plist
+
+sleep 1
+
+# Create hopefully useful symlink for santactl
+mkdir -p /usr/local/bin
+/bin/ln -sf /Library/Extensions/santa-driver.kext/Contents/MacOS/santactl /usr/local/bin/santactl
+
+user=$(/usr/bin/stat -f '%u' /dev/console)
+[[ -z "$user" ]] && exit 0
+/bin/launchctl asuser ${user} /bin/launchctl load /Library/LaunchAgents/com.google.santagui.plist
+
+exit 0

Conf/Package/preinstall

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Unload the kernel extension, santad, sync client
+# If a user is logged in, also unload the GUI agent.
+# If the target volume is not /, do nothing
+
+[[ $3 != "/" ]] && exit 0
+
+/bin/launchctl remove com.google.santad
+
+sleep 1
+
+/sbin/kextunload -b com.google.santa-driver >/dev/null 2>&1
+
+# Remove cruft from old Santa versions
+/bin/rm /usr/libexec/santad
+/bin/rm /usr/sbin/santactl
+/bin/launchctl remove com.google.santasync
+/bin/rm /Library/LaunchDaemons/com.google.santasync.plist
+/bin/rm -rf /Applications/Santa.app
+
+sleep 1
+
+user=$(/usr/bin/stat -f '%u' /dev/console)
+[[ -n "$user" ]] && /bin/launchctl asuser ${user} /bin/launchctl remove com.google.santagui
+
+exit 0

Conf/com.google.santa.asl.conf

@@ -1,4 +1,6 @@
 # Copy this file to /etc/asl to log all messages from santa-driver to the log file
-? [S= Message santa-driver:] claim only
-? [S= Message santa-driver:] file /var/log/santa.log format="[$((Time)(utc.3))] $Message"
-> /var/log/santa.log mode=0644 rotate=seq compress file_max=5M all_max=100M
+> /var/db/santa/santa.log format="[$((Time)(ISO8601Z.3))] $Message" mode=0644 rotate=seq compress file_max=25M all_max=100M uid=0 gid=0
+? [= Sender kernel] [S= Message santa-driver:] claim
+? [= Sender kernel] [S= Message santa-driver:] file /var/db/santa/santa.log
+? [= Facility com.google.santa] claim
+? [= Facility com.google.santa] file /var/db/santa/santa.log

Conf/com.google.santa.newsyslog.conf

@@ -0,0 +1,2 @@
+# logfilename             [owner:group]       mode   count size(KiB) when   flags [/pid_file] # [sig_num]
+/var/db/santa/santa.log   root:wheel          644    10    25000     *      NZ

Conf/com.google.santad.plist

@@ -6,19 +6,14 @@
 				<string>com.google.santad</string>
 				<key>ProgramArguments</key>
 				<array>
-								<string>/usr/libexec/santad</string>
+					<string>/Library/Extensions/santa-driver.kext/Contents/MacOS/santad</string>
+					<string>--syslog</string>
 				</array>
 				<key>MachServices</key>
 				<dict>
-								<key>SantaXPCNotifications</key>
-								<true/>
-								<key>SantaXPCControl</key>
-								<true/>
+					<key>SantaXPCControl</key>
+					<true/>
 				</dict>
-				<key>StandardOutPath</key>
-				<string>/var/log/santa.log</string>
-				<key>StandardErrorPath</key>
-				<string>/var/log/santa.log</string>
 				<key>RunAtLoad</key>
 				<true/>
 				<key>KeepAlive</key>

Conf/com.google.santagui.plist

@@ -6,9 +6,12 @@
 				<string>com.google.santagui</string>
 				<key>ProgramArguments</key>
 				<array>
-					<string>/Applications/Santa.app/Contents/MacOS/Santa</string>
+					<string>/Library/Extensions/santa-driver.kext/Contents/Resources/Santa.app/Contents/MacOS/Santa</string>
+					<string>--syslog</string>
 				</array>
 				<key>RunAtLoad</key>
 				<true/>
+				<key>KeepAlive</key>
+				<true/>
 </dict>
 </plist>

Conf/com.google.santasync.plist

@@ -1,19 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-				<key>Label</key>
-				<string>com.google.santasync</string>
-				<key>ProgramArguments</key>
-				<array>
-								<string>/usr/sbin/santactl</string>
-								<string>sync</string>
-				</array>
-				<key>StandardErrorPath</key>
-				<string>/var/log/santa.log</string>
-				<key>ProcessType</key>
-				<string>Background</string>
-				<key>StartInterval</key>
-				<integer>600</integer>
-</dict>
-</plist>

Conf/config.plist

@@ -1,12 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-	<!-- Minimal Configuration -->
-	<key>ClientMode</key>
-	<integer>1</integer>
-
-	<!--  For documentation of other keys, see the following URL:
-  			https://github.com/google/santa/wiki/Configuration-Keys  -->
-</dict>
-</plist>

Conf/install.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+
+if [[ $EUID -ne 0 ]]; then
+  echo "This script must be run as root" 1>&2
+  exit 1
+fi
+
+if [[ -z "${BINARIES}" || -z "${CONF}" ]]; then
+  if [[ -d "binaries" ]]; then
+    BINARIES="${PWD}/binaries"
+    CONF="${PWD}/conf"
+  elif [[ -d "../binaries" ]]; then
+    BINARIES="${PWD}/../binaries"
+    CONF="${PWD}/../conf"
+  else
+    echo "Can't find binaries, run install.sh from inside the conf directory" 1>&2
+    exit 1
+  fi
+fi
+
+# Unload santad and scheduled sync job.
+/bin/launchctl remove com.google.santad >/dev/null 2>&1
+
+# Unload kext.
+/sbin/kextunload -b com.google.santa-driver >/dev/null 2>&1
+
+# Determine if anyone is logged into the GUI
+GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
+
+# Unload GUI agent if someone is logged in.
+[[ -n "$GUI_USER" ]] && \
+  /bin/launchctl asuser ${GUI_USER} /bin/launchctl remove com.google.santagui
+
+# Cleanup cruft from old versions
+/bin/launchctl remove com.google.santasync >/dev/null 2>&1
+/bin/rm /Library/LaunchDaemons/com.google.santasync.plist >/dev/null 2>&1
+/bin/rm /usr/libexec/santad >/dev/null 2>&1
+/bin/rm /usr/sbin/santactl >/dev/null 2>&1
+/bin/rm -rf /Applications/Santa.app 2>&1
+/bin/rm -rf /Library/Extensions/santa-driver.kext 2>&1
+
+# Copy new files.
+/bin/cp -r ${BINARIES}/santa-driver.kext /Library/Extensions
+/bin/mkdir -p /usr/local/bin
+/bin/ln -s /Library/Extensions/santa-driver.kext/Contents/MacOS/santactl /usr/local/bin 2>/dev/null
+
+if [ ! -d /var/db/santa ] ; then
+  /bin/mkdir /var/db/santa
+fi
+
+/bin/cp ${CONF}/com.google.santad.plist /Library/LaunchDaemons
+/bin/cp ${CONF}/com.google.santagui.plist /Library/LaunchAgents
+/bin/cp ${CONF}/com.google.santa.asl.conf /etc/asl/
+/bin/cp ${CONF}/com.google.santa.newsyslog.conf /etc/newsyslog.d/
+
+# Reload syslogd to pick up ASL configuration change.
+/usr/bin/killall -HUP syslogd
+
+# Load kext.
+/sbin/kextload /Library/Extensions/santa-driver.kext
+
+# Load santad and scheduled sync jobs.
+/bin/launchctl load /Library/LaunchDaemons/com.google.santad.plist
+
+# Load GUI agent if someone is logged in.
+[[ -n "$GUI_USER" ]] && \
+  /bin/launchctl asuser ${GUI_USER} \
+  /bin/launchctl load /Library/LaunchAgents/com.google.santagui.plist
+
+exit 0

Conf/uninstall.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Uninstalls Santa from the boot volume, clearing up everything but logs/configs.
+# Unloads the kernel extension, services, and deletes component files.
+# If a user is logged in, also unloads the GUI agent.
+
+[ "$EUID" != 0 ] && printf "%s\n" "This requires running as root/sudo." && exit 1
+
+/bin/launchctl remove com.google.santad
+sleep 1
+/sbin/kextunload -b com.google.santa-driver >/dev/null 2>&1
+user=$(/usr/bin/stat -f '%u' /dev/console)
+[[ -n "$user" ]] && /bin/launchctl asuser ${user} /bin/launchctl remove com.google.santagui
+# and to clean out the log config, although it won't write after wiping the binary
+/usr/bin/killall -HUP syslogd
+# delete artifacts on-disk
+/bin/rm -rf /Applications/Santa.app
+/bin/rm -rf /Library/Extensions/santa-driver.kext
+/bin/rm -f /Library/LaunchAgents/com.google.santagui.plist
+/bin/rm -f /Library/LaunchDaemons/com.google.santad.plist
+/bin/rm -f /private/etc/asl/com.google.santa.asl.conf
+/bin/rm -f /private/etc/newsyslog.d/com.google.santa.newsyslog.conf
+/bin/rm -f /usr/local/bin/santactl # just a symlink
+
+#uncomment to remove the config file and all databases, log files
+#/bin/rm -rf /var/db/santa
+#/bin/rm -f /var/log/santa*
+exit 0

Docs/deployment/com.google.santa.example.mobileconfig

@@ -0,0 +1,83 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>PayloadContent</key>
+	<array>
+		<dict>
+			<key>PayloadContent</key>
+			<dict>
+				<key>com.google.santa</key>
+				<dict>
+					<key>Forced</key>
+					<array>
+						<dict>
+							<key>mcx_preference_settings</key>
+							<dict>
+								<key>BannedBlockMessage</key>
+								<string>This application has been banned</string>
+								<key>ClientMode</key>
+								<integer>1</integer>
+								<key>EnablePageZeroProtection</key>
+								<false/>
+								<key>EventDetailText</key>
+								<string>Open sync server</string>
+								<key>EventDetailURL</key>
+								<string>https://sync-server-hostname/blockables/%file_sha%</string>
+								<key>FileChangesRegex</key>
+								<string>^/(?!(?:private/tmp|Library/(?:Caches|Managed Installs/Logs|(?:Managed )?Preferences))/)</string>
+								<key>MachineIDKey</key>
+								<string>MachineUUID</string>
+								<key>MachineIDPlist</key>
+								<string>/Library/Preferences/com.company.machine-mapping.plist</string>
+								<key>MachineOwnerKey</key>
+								<string>Owner</string>
+								<key>MachineOwnerPlist</key>
+								<string>/Library/Preferences/com.company.machine-mapping.plist</string>
+								<key>ModeNotificationLockdown</key>
+								<string>Entering Lockdown mode</string>
+								<key>ModeNotificationMonitor</key>
+								<string>Entering Monitor mode&lt;br/&gt;Please be careful!</string>
+								<key>MoreInfoURL</key>
+								<string>https://sync-server-hostname/moreinfo</string>
+								<key>SyncBaseURL</key>
+								<string>https://sync-server-hostname/api/santa/</string>
+								<key>UnknownBlockMessage</key>
+								<string>This application has been blocked from executing.</string>
+							</dict>
+						</dict>
+					</array>
+				</dict>
+			</dict>
+			<key>PayloadEnabled</key>
+			<true/>
+			<key>PayloadIdentifier</key>
+			<string>0342c558-a101-4a08-a0b9-40cc00039ea5</string>
+			<key>PayloadType</key>
+			<string>com.apple.ManagedClient.preferences</string>
+			<key>PayloadUUID</key>
+			<string>0342c558-a101-4a08-a0b9-40cc00039ea5</string>
+			<key>PayloadVersion</key>
+			<integer>1</integer>
+		</dict>
+	</array>
+	<key>PayloadDescription</key>
+	<string>com.google.santa</string>
+	<key>PayloadDisplayName</key>
+	<string>com.google.santa</string>
+	<key>PayloadIdentifier</key>
+	<string>com.google.santa</string>
+	<key>PayloadOrganization</key>
+	<string></string>
+	<key>PayloadRemovalDisallowed</key>
+	<true/>
+	<key>PayloadScope</key>
+	<string>System</string>
+	<key>PayloadType</key>
+	<string>Configuration</string>
+	<key>PayloadUUID</key>
+	<string>9020fb2d-cab3-420f-9268-acca4868bdd0</string>
+	<key>PayloadVersion</key>
+	<integer>1</integer>
+</dict>
+</plist>

Docs/deployment/configuration.md

@@ -0,0 +1,180 @@
+# Important
+
+Santa v0.9.21 has moved to using an Apple [Configuration Profile](https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html) to manage the local configuration. The old config file (`/var/db/santa/config.plist`) is no longer used.
+
+# Configuration
+
+Two configuration methods can be used to control Santa: a local configuration profile and a sync server controlled configuration. There are certain options that can only be controlled with a local configuration profile and others that can only be controlled with a sync server controlled configuration. Additionally, there are options that can be controlled by both.
+
+## Local Configuration Profile
+
+| Key                           | Value Type | Description                              |
+| ----------------------------- | ---------- | ---------------------------------------- |
+| ClientMode*                   | Integer    | 1 = MONITOR, 2 = LOCKDOWN, defaults to MONITOR |
+| FileChangesRegex*             | String     | The regex of paths to log file changes. Regexes are specified in ICU format. |
+| WhitelistRegex*               | String     | A regex to whitelist if the binary or certificate scopes did not allow execution.  Regexes are specified in ICU format. |
+| BlacklistRegex*               | String     | A regex to blacklist if the binary or certificate scopes did not block an execution.  Regexes are specified in ICU format. |
+| EnablePageZeroProtection      | Bool       | Enable `__PAGEZERO` protection, defaults to YES. If this flag is set to YES, 32-bit binaries that are missing the `__PAGEZERO` segment will be blocked even in MONITOR mode, **unless** the binary is whitelisted by an explicit rule. |
+| MoreInfoURL                   | String     | The URL to open when the user clicks "More Info..." when opening Santa.app.  If unset, the button will not be displayed. |
+| EventDetailURL                | String     | See the [EventDetailURL](#eventdetailurl) section below. |
+| EventDetailText               | String     | Related to the above property, this string represents the text to show on the button. |
+| UnknownBlockMessage           | String     | In Lockdown mode this is the message shown to the user when an unknown binary is blocked. If this message is not configured a reasonable default is provided. |
+| BannedBlockMessage            | String     | This is the message shown to the user when a binary is blocked because of a rule if that rule doesn't provide a custom message. If this is not configured a reasonable  default is provided. |
+| ModeNotificationMonitor       | String     | The notification text to display when the client goes into Monitor mode. Defaults to "Switching into Monitor mode". |
+| ModeNotificationLockdown      | String     | The notification text to display when the client goes into Lockdown mode. Defaults to "Switching into Lockdown mode". |
+| SyncBaseURL                   | String     | The base URL of the sync server.         |
+| ClientAuthCertificateFile     | String     | If set, this contains the location of a PKCS#12 certificate to be used for sync authentication. |
+| ClientAuthCertificatePassword | String     | Contains the password for the PKCS#12 certificate. |
+| ClientAuthCertificateCN       | String     | If set, this is the Common Name of a certificate in the System keychain to be used for sync authentication. The corresponding private key must also be in the keychain. |
+| ClientAuthCertificateIssuerCN | String     | If set, this is the Issuer Name of a certificate in the System keychain to be used for sync authentication. The corresponding private key must also be in the keychain. |
+| ServerAuthRootsData           | Data       | If set, this is valid PEM containing one or more certificates to be used for certificate pinning. To comply with [ATS](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW57) the certificate chain must also be trusted in the keychain. |
+| ServerAuthRootsFile           | String     | The same as the above but is a path to a file on disk containing the PEM data. |
+| MachineOwner                  | String     | The machine owner.                       |
+| MachineID                     | String     | The machine ID.                          |
+| MachineOwnerPlist             | String     | The path to a plist that contains the MachineOwnerKey / value pair. |
+| MachineOwnerKey               | String     | The key to use on MachineOwnerPlist.     |
+| MachineIDPlist                | String     | The path to a plist that contains the MachineOwnerKey / value pair. |
+| MachineIDKey                  | String     | The key to use on MachineIDPlist.        |
+| EventLogType                  | String     | Defines how event logs are stored. Options are 1) syslog: Sent to ASL or ULS (if built with the 10.12 SDK or later). 2) filelog: Sent to a file on disk. Use EventLogPath to specify a path. Defaults to filelog      |
+| EventLogPath                  | String     | If EventLogType is set to filelog, EventLogPath will provide the path to save logs. Defaults to /var/db/santa/santa.log. If you change this value ensure you also update com.google.santa.newsyslog.conf with the new path.        |
+| EnableMachineIDDecoration     | Bool       | If YES, this appends the MachineID to the end of each log line. Defaults to NO.       |
+
+*overridable by the sync server: run `santactl status` to check the current running config
+
+##### EventDetailURL
+
+When the user gets a block notification, a button can be displayed which will take them to a web page with more information about that event.
+
+This property contains a kind of format string to be turned into the URL to send them to. The following sequences will be replaced in the final URL:
+
+| Key          | Description                              |
+| ------------ | ---------------------------------------- |
+| %file_sha%   | SHA-256 of the file that was blocked     |
+| %machine_id% | ID of the machine                        |
+| %username%   | The executing user                       |
+| %bundle_id%  | Bundle ID of the binary, if applicable   |
+| %bundle_ver% | Bundle version of the binary, if applicable |
+
+For example: `https://sync-server-hostname/%machine_id%/%file_sha%`
+
+##### Example Configuration Profile
+
+Here is an example of a configuration profile that could be set. It was generated with Tim Sutton's great [mcxToProfile](https://github.com/timsutton/mcxToProfile) tool. A copy is also available [here](com.google.santa.example.mobileconfig).
+
+A few key points to when creating your configuration profile:
+
+* `com.google.santa` needs to be the key inside `PayloadContent`
+* The `PayloadScope` needs to be `System`
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>PayloadContent</key>
+	<array>
+		<dict>
+			<key>PayloadContent</key>
+			<dict>
+				<key>com.google.santa</key>
+				<dict>
+					<key>Forced</key>
+					<array>
+						<dict>
+							<key>mcx_preference_settings</key>
+							<dict>
+								<key>BannedBlockMessage</key>
+								<string>This application has been banned</string>
+								<key>ClientMode</key>
+								<integer>1</integer>
+								<key>EnablePageZeroProtection</key>
+								<false/>
+								<key>EventDetailText</key>
+								<string>Open sync server</string>
+								<key>EventDetailURL</key>
+								<string>https://sync-server-hostname/blockables/%file_sha%</string>
+								<key>FileChangesRegex</key>
+								<string>^/(?!(?:private/tmp|Library/(?:Caches|Managed Installs/Logs|(?:Managed )?Preferences))/)</string>
+								<key>MachineIDKey</key>
+								<string>MachineUUID</string>
+								<key>MachineIDPlist</key>
+								<string>/Library/Preferences/com.company.machine-mapping.plist</string>
+								<key>MachineOwnerKey</key>
+								<string>Owner</string>
+								<key>MachineOwnerPlist</key>
+								<string>/Library/Preferences/com.company.machine-mapping.plist</string>
+								<key>ModeNotificationLockdown</key>
+								<string>Entering Lockdown mode</string>
+								<key>ModeNotificationMonitor</key>
+								<string>Entering Monitor mode&lt;br/&gt;Please be careful!</string>
+								<key>MoreInfoURL</key>
+								<string>https://sync-server-hostname/moreinfo</string>
+								<key>SyncBaseURL</key>
+								<string>https://sync-server-hostname/api/santa/</string>
+								<key>UnknownBlockMessage</key>
+								<string>This application has been blocked from executing.</string>
+							</dict>
+						</dict>
+					</array>
+				</dict>
+			</dict>
+			<key>PayloadEnabled</key>
+			<true/>
+			<key>PayloadIdentifier</key>
+			<string>0342c558-a101-4a08-a0b9-40cc00039ea5</string>
+			<key>PayloadType</key>
+			<string>com.apple.ManagedClient.preferences</string>
+			<key>PayloadUUID</key>
+			<string>0342c558-a101-4a08-a0b9-40cc00039ea5</string>
+			<key>PayloadVersion</key>
+			<integer>1</integer>
+		</dict>
+	</array>
+	<key>PayloadDescription</key>
+	<string>com.google.santa</string>
+	<key>PayloadDisplayName</key>
+	<string>com.google.santa</string>
+	<key>PayloadIdentifier</key>
+	<string>com.google.santa</string>
+	<key>PayloadOrganization</key>
+	<string></string>
+	<key>PayloadRemovalDisallowed</key>
+	<true/>
+	<key>PayloadScope</key>
+	<string>System</string>
+	<key>PayloadType</key>
+	<string>Configuration</string>
+	<key>PayloadUUID</key>
+	<string>9020fb2d-cab3-420f-9268-acca4868bdd0</string>
+	<key>PayloadVersion</key>
+	<integer>1</integer>
+</dict>
+</plist>
+
+```
+
+Configuration profiles have a `.mobileconfig` file extension. There are many ways to install configuration profiles:
+
+* Double click them in Finder
+* Use the `/usr/bin/profiles` tool
+* Use an MDM
+
+## Sync server Provided Configuration
+
+| Key                            | Value Type | Description                              |
+| ------------------------------ | ---------- | ---------------------------------------- |
+| client_mode                    | String     | MONITOR or LOCKDOWN, defaults to MONITOR. |
+| clean_sync**                   | Bool       | If set to `True` Santa will clear all local rules and download a fresh copy from the sync-server. Defaults to `False`. |
+| batch_size                     | Integer    | The number of rules to download or events to upload per request. Multiple requests will be made if there is more work than can fit in single request. Defaults to 50. |
+| upload_logs_url**              | String     | If set, the endpoint to send Santa's current logs. No default. |
+| whitelist_regex                | String     | Same as the "Local Configuration" WhitelistRegex. No default. |
+| blacklist_regex                | String     | Same as the "Local Configuration" BlacklistRegex. No default. |
+| fcm_token*                     | String     | The FCM token used by Santa to listen for FCM messages. Unique for every machine. No default. |
+| fcm_full_sync_interval*        | Integer    | The full sync interval if a fcm_token is set. Defaults to  14400 secs (4 hours). |
+| fcm_global_rule_sync_deadline* | Integer    | The max time to wait before performing a rule sync when a global rule sync FCM message is received. This allows syncing to be staggered for global events to avoid spikes in server load. Defaults to 600 secs (10 min). |
+| enable_bundles*                | Bool       | If set to `True` the bundle scanning feature is enabled. Defaults to `False`. |
+| enabled_transitive_whitelisting | Bool       | If set to `True` the transitive whitelisting feature is enabled. Defaults to `False`. |
+
+*Held only in memory. Not persistent upon process restart.
+
+**Performed once per preflight run (if set).

Docs/details/events.md

@@ -0,0 +1,141 @@
+# Events
+
+Events are a defined set of data, core to how Santa interacts with a sync server. Events are generated when there is a blocked `execve()` while in Lockdown or Monitor mode. Events are also generated in Monitor mode for an `execve()` that was allowed to run, but would have been blocked in Lockdown mode. This allows an admin to roll out Santa to their macOS fleet in Monitor mode but still collect meaningful data. The events collected while in Monitor mode can be used to build a reasonably comprehensive whitelist of signing certificates and binaries before switching the fleet to Lockdown mode.
+
+##### Event Data
+
+Events begin their life as an [SNTStoredEvent](https://github.com/google/santa/blob/master/Source/common/SNTStoredEvent.h) object. The SNTStoredEvent class is just a simple storage class that has properties for all the relevant bits of information. More importantly the class implements the [NSSecureCoding](https://developer.apple.com/documentation/foundation/nssecurecoding?language=objc) protocol. This allows the objects to be encoded and decoded for storage in the events sqlite3 database on disk and sent over XPC to another process.
+
+Events are temporarily stored in a database until they are uploaded. The format is subject the change; accessing the events database directly will most likely break in future releases. If direct access to the events database is required, raise a [issue on the Santa GitHub](https://github.com/google/santa/issues).
+
+###### JSON
+
+Before an event is uploaded to a sync server, the event data is copied into a JSON blob. Here is an example of Firefox being blocked and sent for upload:
+
+```json
+{
+  "events": [
+    {
+      "file_path": "/var/folders/l5/pd9rhsp54s79_9_qcy746_tw00b_4p/T/AppTranslocation/254C1357-7461-457B-B734-A0FDAF0F26D9/d/Firefox.app/Contents/MacOS",
+      "file_bundle_version": "5417.6.28",
+      "parent_name": "launchd",
+      "logged_in_users": [
+        "bur"
+      ],
+      "quarantine_timestamp": 0,
+      "signing_chain": [
+        {
+          "cn": "Developer ID Application: Mozilla Corporation (43AQ936H96)",
+          "valid_until": 1652123338,
+          "org": "Mozilla Corporation",
+          "valid_from": 1494270538,
+          "ou": "43AQ936H96",
+          "sha256": "96f18e09d65445985c7df5df74ef152a0bc42e8934175a626180d9700c343e7b"
+        },
+        {
+          "cn": "Developer ID Certification Authority",
+          "valid_until": 1801519935,
+          "org": "Apple Inc.",
+          "valid_from": 1328134335,
+          "ou": "Apple Certification Authority",
+          "sha256": "7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f"
+        },
+        {
+          "cn": "Apple Root CA",
+          "valid_until": 2054670036,
+          "org": "Apple Inc.",
+          "valid_from": 1146001236,
+          "ou": "Apple Certification Authority",
+          "sha256": "b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024"
+        }
+      ],
+      "file_bundle_name": "Firefox",
+      "executing_user": "bur",
+      "ppid": 1,
+      "file_bundle_path": "/var/folders/l5/pd9rhsp54s79_9_qcy746_tw00b_4p/T/AppTranslocation/254C1357-7461-457B-B734-A0FDAF0F26D9/d/Firefox.app",
+      "file_name": "firefox",
+      "execution_time": 1501691337.059514,
+      "file_sha256": "dd78f456a0929faf5dcbb6d952992d900bfdf025e1e77af60f0b029f0b85bf09",
+      "decision": "BLOCK_BINARY",
+      "file_bundle_id": "org.mozilla.firefox",
+      "file_bundle_version_string": "54.0.1",
+      "pid": 49368,
+      "current_sessions": [
+        "bur@console",
+        "bur@ttys000",
+        "bur@ttys001",
+        "bur@ttys002",
+        "bur@ttys003",
+        "bur@ttys004"
+      ]
+    }
+  ]
+}
+```
+
+
+
+##### Event Lifecycle
+
+1. santad generates a new event
+2. santad compares, or adds if not present, the event's SHA-256 file hash to an in-memory cache with a timeout of 10 min. If an event with an matching hash is present in cache, the event is dropped.
+3. santad saves the event to `/var/db/santa/events.db` with a unique ID assigned as the key.
+4. santad sends an XPC message to the santactl daemon. The message contains the event with instructions to upload the event immediately. This is non-blocking and is performed on a background thread.
+
+##### Bundle Events
+
+Bundle events are a special type of event that are generated when a sync server supports receiving the associated bundle events, instead of just the original event. For example: `/Applications/Keynote.app/Contents/MacOS/Keynote` is blocked and an event representing the binary is uploaded. A whitelist rule is created for that one binary. Great, you can now run `/Applications/Keynote.app/Contents/MacOS/Keynote`, but what about all the other supporting binaries contained in the bundle? You would have to wait until they are executed until an event would be generated. It is very common for a bundle to contain multiple binaries, as shown here with Keynote.app. Waiting to get a block is not a very good user experience.
+
+```sh
+⇒  santactl bundleinfo /Applications/Keynote.app
+Hashing time: 1047 ms
+9 events found
+BundleHash: b475667ab1ab6eddea48bfc2bed76fcef89b8f85ed456c8068351292f7cb4806
+BundleID: com.apple.iWork.Keynote
+	SHA-256: be3aa404ee79c2af863132b93b0eedfdbc34c6e35d4fda2ade6dd637692ead84
+	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.MovieCompatibilityConverter.xpc/Contents/MacOS/com.apple.iWork.MovieCompatibilityConverter
+BundleID: com.apple.iWork.Keynote
+	SHA-256: 3b2582fd5e7652b653276b3980c248dc973e8082e9d0678c96a08d7d1a8366ba
+	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.PICTConverter.xpc/Contents/MacOS/com.apple.iWork.PICTConverter
+BundleID: com.apple.iWork.Keynote
+	SHA-256: f1bf3be05d511d7c7f651cf7b130d4977f8d28d0bfcd7c5de4144b95eaab7ad7
+	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.ExternalResourceAccessor.xpc/Contents/XPCServices/com.apple.iWork.TCMovieExtractor.xpc/Contents/MacOS/com.apple.iWork.TCMovieExtractor
+BundleID: com.apple.iWork.Keynote
+	SHA-256: b59bc8548c91088a40d9023abb5d22fa8731b4aa17693fcb5b98c795607d219a
+	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.BitmapTracer.xpc/Contents/MacOS/com.apple.iWork.BitmapTracer
+BundleID: com.apple.iWork.Keynote
+	SHA-256: 08cb407f541d867f1a63dc3ae44eeedd5181ca06c61df6ef62b5dc7192951a4b
+	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.TCUtilities32.xpc/Contents/MacOS/com.apple.iWork.TCUtilities32
+BundleID: com.apple.iWork.Keynote
+	SHA-256: b965ae7be992d1ce818262752d0cf44297a88324a593c67278d78ca4d16fcc39
+	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.ExternalResourceAccessor.xpc/Contents/XPCServices/com.apple.iWork.TCMovieExtractor.xpc/Contents/XPCServices/com.apple.iWork.TCMovieExtractor.TCUtilities32.xpc/Contents/MacOS/com.apple.iWork.TCMovieExtractor.TCUtilities32
+BundleID: com.apple.iWork.Keynote
+	SHA-256: 59668dc27314f0f6f5daa5f02b564c176f64836c88e2dfe166e90548f47336f1
+	Path: /Applications/Keynote.app/Contents/MacOS/Keynote
+BundleID: com.apple.iWork.Keynote
+	SHA-256: 7ce324f919b14e14d327004b09f83ca81345fd4438c87ead4b699f89e9485595
+	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.ExternalResourceAccessor.xpc/Contents/XPCServices/com.apple.iWork.ExternalResourceValidator.xpc/Contents/MacOS/com.apple.iWork.ExternalResourceValidator
+BundleID: com.apple.iWork.Keynote
+	SHA-256: 6b47f551565d886388eeec5e876b6de9cdd71ef36d43b0762e6ebf02bdd8515d
+	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.ExternalResourceAccessor.xpc/Contents/MacOS/com.apple.iWork.ExternalResourceAccessor
+```
+
+Bundle events provide a mechanism to generate and upload events for all the executable Mach-O binaries within a bundle. To enable bundle event generation a configuration must be set in the preflight sync stage on the sync server. Once set the sync server can use bundle events to drive a better user experience.
+
+Bundle events can be differentiated by the existence of these fields:
+
+| Field                    | Value                                    |
+| ------------------------ | ---------------------------------------- |
+| decision                 | BUNDLE_BINARY                            |
+| file_bundle_hash         | Super Hash of all binary hashes          |
+| file_bundle_hash_millis  | The time in milliseconds it took to find all of the binaries, hash and produce a super hash |
+| file_bundle_binary_count | Number of binaries within the bundle     |
+
+To avoid redundant uploads of a bundle event Santa will wait for the sync server to ask for them. The server will respond to event uploads with a request like this:
+
+| Field                        | Value                                    |
+| ---------------------------- | ---------------------------------------- |
+| event_upload_bundle_binaries | An array of bundle hashes that the sync server needs to be uploaded |
+
+When santactl receives this type of request, it sends an XPC reply to santad to save all the bundle events to the events.db. It then attempts to upload all the bundle events, purging the successes from the events.db. Any failures will be uploaded during the next full sync.
+

Docs/details/ipc.md

@@ -0,0 +1,43 @@
+# Interprocess Communication (IPC)
+
+Most IPC within Santa is done by way of Apple's [XPC](https://developer.apple.com/documentation/xpc?language=objc). Santa wraps [NSXPCConnection](https://developer.apple.com/documentation/foundation/nsxpcconnection?language=objc) to provide client multiplexing, signature validation of connecting clients and forced connection establishment. This is called SNTXPCConnection.
+
+Communication between santad and santa-driver (KEXT) is done with a [IOUserClient](https://developer.apple.com/documentation/kernel/iouserclient?language=objc) subclass and IOKit/IOKitLib.h functions.
+
+##### Who starts who?
+
+The santad and Santa (GUI) processes are both started and kept alive by launchd as a LaunchDaemon and a LaunchAgent, respectively. This means santad runs as root and Santa (GUI) runs as the console user. 
+
+There can be multiple Santa (GUI) processes running, one per user logged into the GUI (assuming fast-user switching is enabled). While multiple processes might be running, only the one for the user currently logged-in will be connected to santad and receiving notifications.
+
+When using a sync server, the santactl process is started by santad. Before the new process starts, all privileges are dropped. santactl runs as _nobody_.
+
+The santabs process is started by launchd via an XPC service connection from santad. XPC services inherit their initiator's privileges meaning santabs runs as root, which is necessary to ensure it has permission to read all files.
+
+| Process  | Parent Process | Running User |
+| -------- | -------------- | ------------ |
+| santad   | launchd        | root         |
+| Santa    | launchd        | user         |
+| santactl | santad         | nobody       |
+| santabs  | launchd        | root         |
+
+
+
+##### Who communicates with who?
+
+In short, santad has two-way communication with every other process. In addition, Santa and santabs have two-way communication between each other. For other combinations, there is no direct communication.
+
+![Santa IPC](santa_ipc.png)
+
+##### SNTXPCConnection and two way communication
+
+`SNTXPCConnection` enforces a server / client model for XPC connections. This allows for strong signature validation and forced connection establishment. The only problem with this model is the lack of two-way communication. For example, process A can call methods on process B and retrieve a response, but process B cannot call methods on process A.
+
+To accomplish two-way communication, the following approach can be used:
+
+1. Process A creates a server with an anonymous `NSXPCListener`.
+2. Process A sends the anonymous `NSXPCListenerEndpoint` to process B over an already established `SNTXPCConnection`.
+3. Process B can now communicate directly with process A.
+
+This is a powerful notion. It enables forced connection establishment between both processes, which is critical when reliability is a concern.
+

Docs/details/logs.md

@@ -0,0 +1,30 @@
+# Logs
+
+Santa currently logs to `/var/db/santa/santa.log` by default. All executions and disk mounts are logged here. File operations can also be configured to be logged. See the `FileChangesRegex` key in the [configuration.md](../deployment/configuration.md) document.
+
+To view the logs:
+
+```sh
+tail -F /var/db/santa/santa.log
+```
+
+The `-F` will continue watching the path even when the current file fills up and rolls over.
+
+##### macOS Unified Logging System (ULS)
+
+Currently all of the most recent releases of Santa are built with the macOS 10.11 SDK. This allows Santa to continue to log to Apple System Logger (ASL) instead of ULS. However, on macOS 10.12+ all of the Kernel logs are sent to ULS. See the KEXT Logging section below for more details.
+
+If you are building Santa yourself and using the macOS 10.12+ SDKs, Santa's logs will be sent to ULS.
+
+Work is currently underway to bypass ASL and ULS altogether, allowing Santa to continue logging to `/var/db/santa/santa.log`. This change will also allow us to add alternative logging formats, like Protocol Buffer or JSON.
+
+##### KEXT Logging
+
+Streaming logs from the santa-driver KEXT does not work properly. Logs are generated but they will likely be garbled or show inaccurate data.
+
+Instead, `show` can be used to view the santa-driver KEXT logs:
+
+```sh
+/usr/bin/log show --info --debug --predicate 'senderImagePath == "/Library/Extensions/santa-driver.kext/Contents/MacOS/santa-driver"'
+```
+

Docs/details/mode.md

@@ -0,0 +1,53 @@
+# Mode
+
+Santa can run in one of two modes, Lockdown or Monitor. To check the current status run the following command:
+
+```sh
+⇒  santactl status
+>>> Daemon Info
+  Mode                      | Monitor
+  File Logging              | Yes
+  Watchdog CPU Events       | 0  (Peak: 13.59%)
+  Watchdog RAM Events       | 0  (Peak: 31.49MB)
+>>> Kernel Info
+  Root cache count          | 107
+  Non-root cache count      | 0
+>>> Database Info
+  Binary Rules              | 5
+  Certificate Rules         | 2
+  Events Pending Upload     | 0
+>>> Sync Info
+  Sync Server               | https://sync-server-hostname.com
+  Clean Sync Required       | No
+  Last Successful Full Sync | 2017/08/02 21:44:17 -0400
+  Last Successful Rule Sync | 2017/08/02 21:44:17 -0400
+  Push Notifications        | Connected
+  Bundle Scanning           | Yes
+```
+
+##### Monitor mode
+
+The default mode. Running Santa in Monitor Mode will stop any binaries matching blacklist rules, but will not stop unknown binaries from running. This is a flexible state, allowing virtually zero user interruption but still gives protection against known blacklisted binaries. In addition execution events that would have been blocked in Lockdown mode are generated and can be collected and analyzed by a sync server.
+
+##### Lockdown mode
+
+Running Santa in Lockdown Mode will stop all blacklisted binaries and additionally will prevent all unknown binaries from running. This means that if the binary has no rules or scopes that apply, then it will be blocked.
+
+##### Changing Modes
+
+There are two ways to change the running mode: changing the configuration profile and with a sync server configuration.
+
+###### Change modes with the configuration profile
+
+Set the `ClientMode` in your configuration profile to the integer value `1` for MONITOR or `2` for LOCKDOWN.
+
+```xml
+<key>ClientMode</key>
+<integer>1</integer>
+```
+
+Install your new configuration profile, it will overwrite any old `com.google.santa` profiles you may have already install. See the [configuration](../deployment/configuration.md) document for more details.
+
+###### Change modes with a sync server
+
+The mode is set in the preflight sync stage. Use the key `client_mode` and a value of `MONITOR` or `LOCKDOWN`.

Docs/details/rules.md

@@ -0,0 +1,104 @@
+# Rules
+
+Rules provide the primary evaluation mechanism for whitelisting and blacklisting binaries with Santa on macOS. There are two types of rules: binary and certificate.
+
+##### Binary Rules
+
+Binary rules use the SHA-256 hash of the entire binary as an identifier. This is the most specific rule in Santa. Even a small change in the binary will alter the SHA-256 hash, invalidating the rule.
+
+##### Certificate Rules
+
+Certificate rules are formed from the SHA-256 fingerprint of an X.509 leaf signing certificate. This is a powerful rule type that has a much broader reach than an individual binary rule. A signing certificate can sign any number of binaries. Whitelisting or blacklisting just a few key signing certificates can cover the bulk of an average user's binaries. The leaf signing certificate is the only part of the chain that is evaluated. Though the whole chain is available for viewing.
+
+```sh
+⇒  santactl fileinfo /Applications/Dropbox.app --key "Signing Chain"
+Signing Chain:
+     1. SHA-256             : 2a0417257348a20f96c9de0486b44fcc7eaeaeb7625b207591b8109698c02dd2
+        SHA-1               : 86ec91f726ba9caa09665b2109c49117f0b93134
+        Common Name         : Developer ID Application: Dropbox, Inc.
+        Organization        : Dropbox, Inc.
+        Organizational Unit : G7HH3F8CAK
+        Valid From          : 2012/06/19 16:10:30 -0400
+        Valid Until         : 2017/06/20 16:10:30 -0400
+
+     2. SHA-256             : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f
+        SHA-1               : 3b166c3b7dc4b751c9fe2afab9135641e388e186
+        Common Name         : Developer ID Certification Authority
+        Organization        : Apple Inc.
+        Organizational Unit : Apple Certification Authority
+        Valid From          : 2012/02/01 17:12:15 -0500
+        Valid Until         : 2027/02/01 17:12:15 -0500
+
+     3. SHA-256             : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
+        SHA-1               : 611e5b662c593a08ff58d14ae22452d198df6c60
+        Common Name         : Apple Root CA
+        Organization        : Apple Inc.
+        Organizational Unit : Apple Certification Authority
+        Valid From          : 2006/04/25 17:40:36 -0400
+        Valid Until         : 2035/02/09 16:40:36 -0500
+```
+
+If you wanted to whitelist or blacklist all software signed with this perticular Dropbox signing certificate you would use the leaf SHA-256 fingerprint.
+
+`2a0417257348a20f96c9de0486b44fcc7eaeaeb7625b207591b8109698c02dd2`
+
+Santa does not evaluate the `Valid From` or `Valid Until` fields, nor does it check the Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP) for revoked certificates. Adding rules for the certificate chain's intermediates or roots has no effect on binaries signing by a leaf. Santa ignores the chain and is only concerned with the leaf certificate's SHA-256 hash.
+
+##### Rule Evaluation
+
+When a process is trying to `execve()` santad retrieves information on the binary,  including a hash of the entire file and the signing chain (if any). The hash and signing leaf certificate are then passed through the [SNTPolicyProcessor](https://github.com/google/santa/blob/master/Source/santad/SNTPolicyProcessor.h). Rules are evaluated from most specific to least specific. First binary (either whitelist or blacklist), then certificate (either whitelist or blacklist). If no rules are found that apply, scopes are then searched. See the [scopes.md](scopes.md) document for more information on scopes.
+
+You can use the `santactl fileinfo` command to check the status of any given binary on the filesystem.
+
+###### Whitelisted with a Binary Rule 
+
+```sh
+⇒  santactl fileinfo /Applications/Hex\ Fiend.app --key Rule
+Whitelisted (Binary)
+```
+
+###### Whitelisted with a Certificate Rule
+
+```sh
+⇒  santactl fileinfo /Applications/Safari.app --key Rule
+Whitelisted (Certificate)
+```
+
+###### Blacklisted with a Binary Rule
+
+```sh
+⇒  santactl fileinfo /usr/bin/yes --key Rule
+Blacklisted (Binary)
+```
+
+###### Blacklisted with a Certificate Rule
+
+```sh
+⇒  santactl fileinfo /Applications/Malware.app --key Rule
+Blacklisted (Certificate)
+```
+
+You can also check arbitrary SHA-256 binary and certificate hashes for rules. The rule verb needs to be run with root privileges.
+
+For checking the SHA-256 hash of `/usr/bin/yes`:
+
+```sh
+sudo santactl rule --check --sha256 $(santactl fileinfo --key SHA-256 /usr/bin/yes)
+Blacklisted (Binary)
+```
+
+For checking the SHA-256 hash of `/usr/bin/yes ` signing certificate:
+
+```sh
+⇒  sudo santactl rule --check --certificate --sha256 $(santactl fileinfo --cert-index 1 --key SHA-256 /usr/bin/yes)
+Whitelisted (Certificate)
+```
+
+##### Built-in rules
+
+To avoid blocking any Apple system binaries or Santa binaries, santad will create 2 immutable certificate rules at startup:
+
+* The signing certificate santad is signed with
+* The signing certificate launchd is signed with
+
+By creating these two rules at startup, Santa should never block critical Apple system binaries or other Santa components.

Docs/details/santa-driver.md

@@ -0,0 +1,94 @@
+# santa-driver
+
+santa-driver is a macOS [kernel extension](https://developer.apple.com/library/content/documentation/Darwin/Conceptual/KEXTConcept/KEXTConceptIntro/introduction.html) (KEXT) that makes use of the [Kernel Authorization](https://developer.apple.com/library/content/technotes/tn2127/_index.html) (Kauth) KPI. This allows santa-driver to listen for events and either deny or defer the decision of those events. The santa-driver acts as an intermediary layer between Kauth and santad, with some caching to lower the overhead of decision making.
+
+##### Kauth
+
+santa-driver utilizes two Kauth scopes `KAUTH_SCOPE_VNODE` and `KAUTH_SCOPE_FILEOP `. It registers itself with the Kauth API by calling `kauth_listen_scope()` for each scope. This function takes three arguments:
+
+* `const char *scope`
+* `kauth_scope_callback_t _callback`_
+* `void *contex`
+
+It returns a `kauth_listener_t` that is stored for later use, in Santa's case to stop listening.
+
+###### KAUTH_SCOPE_VNODE
+
+Here is how santa-driver starts listening for `KAUTH_SCOPE_VNODE` events.
+
+```c++
+vnode_listener_ = kauth_listen_scope(
+    KAUTH_SCOPE_VNODE, vnode_scope_callback, reinterpret_cast<void *>(this));
+```
+
+The function `vnode_scope_callback` is called for every vnode event. There are many types of vnode events, they complete list can be viewed in the kauth.h. There are many types of vnode events, the complete list can be viewed in kauth.h. Santa is only concerned with regular files generating `KAUTH_VNODE_EXECUTE` [1] and `KAUTH_VNODE_WRITE_DATA` events. All non-regular files and unnecessary vnode events are filtered out.
+
+Here is how santa-driver stops listening for `KAUTH_SCOPE_VNODE` events:
+
+```c++
+kauth_unlisten_scope(vnode_listener_);
+```
+
+[1] `KAUTH_VNODE_EXECUTE` events that do not have the `KAUTH_VNODE_ACCESS` advisory bit set.
+
+###### KAUTH_SCOPE_FILEOP
+
+Santa also listens for file operations, this is mainly used for logging [1] and cache invalidation. 
+
+* `KAUTH_FILEOP_DELETE`, `KAUTH_FILEOP_RENAME`, `KAUTH_FILEOP_EXCHANGE` and `KAUTH_FILEOP_LINK` are logged
+* `KAUTH_FILEOP_EXEC` is used to log `execve()`s. Since the `KAUTH_VNODE_EXECUTE` is used to allow or deny an `execve()` the process arguments have not been setup yet. Since `KAUTH_FILEOP_EXEC` is triggered after an `execve()` it is used to log the `execve()`.
+
+[1] `KAUTH_FILEOP_CLOSE` is used to invalidate that file's representation in the cache. If a file has changed it needs to be re-evalauted. This is particularly necessary for files that were added to the cache with an action of allow.
+
+##### Driver Interface
+
+santa-driver implements an [IOUserClient](https://developer.apple.com/documentation/kernel/iouserclient?language=objc) subclass and santad interacts with it through IOKit/IOKitLib.h functions.
+
+[//]: # "TODO(bur, rah) Flesh out the details"
+
+##### Cache
+
+To aid in performance, santa-driver utilizes a caching system to hold the state of all observed `execve()` events.
+
+###### Key
+
+The key is a `uint64_t`. The top 32 bits hold the filesystem ID, while the bottom 32 bits hold the file unique ID. Together we call this the vnode_id.
+
+```c++
+uint64_t vnode_id = (((uint64_t)fsid << 32) | fileid);
+```
+
+###### Value
+
+The value is a `uint64_t` containing the action necessary, along with the decision timestamp. The action is stored in the top 8 bits. The decision timestamp is stored in the remaining 56 bits.
+
+```c++
+santa_action_t action = (santa_action_t)(cache_val >> 56);
+uint64_t decision_time = (cache_val & ~(0xFF00000000000000));
+```
+
+The possible actions are:
+
+| Actions                 | Expiry Time      | Description                              |
+| ----------------------- | ---------------- | ---------------------------------------- |
+| `ACTION_REQUEST_BINARY` | None             | Awaiting an allow or deny decision from santad. |
+| `ACTION_RESPOND_ALLOW`  | None             | Allow the `execve()`                     |
+| `ACTION_RESPOND_DENY`   | 500 milliseconds | Deny the `execve()`, but re-evalaute after 500 milliseconds. If someone is trying to run a banned binary continually every millisecond for example, only 2 evaluation requests to santad for would occur per second. This mitigates a denial of service type attack on santad. |
+
+###### Invalidation
+
+Besides the expiry time for individual entries, the entire cache will be cleared if any of the following events takes place:
+
+* Addition of a blacklist rule
+* Addition of a blacklist regex scope
+* Cache fills up. This defaults to `5000` entries for the root volume and `500` for all other mounted volumes.
+
+To view the current kernel cache count see the "Kernel info" section of `santactl status`:
+
+```sh
+⇒  santactl status
+>>> Kernel Info
+    Root cache count          | 107
+    Non-root cache count      | 0
+```
+

Docs/details/santa-gui.md

@@ -0,0 +1,11 @@
+# Santa GUI
+
+The Santa GUI process is pretty simple. It's only job is the display user GUI notifications. There are two types of notifications it can display:
+
+A notification when an `execve()` is blocked.
+
+![Block](block.png)
+
+Notifications when specific rules arrive (when using FCM for push notifications).
+
+![Notification](push.png)

Docs/details/santabs.md

@@ -0,0 +1,44 @@
+# santabs
+
+The santabs process is an XPC service for the santa-driver.kext bundle, meaning only binaries within that bundle can launch santabs. It will be launched with the same privileges as its calling process. Currently, santad is the only caller of santabs, so santabs runs as root.
+
+##### Events
+
+The santabs process is quite simple and only does one thing: it generates non-execution events for the contents of a bundle.
+
+When there is an `execve()` that is blocked within a bundle, a few actions take place:
+
+1. The highest ancestor bundle in the tree is found
+
+   * So `/Applications/DVD Player.app/Contents/MacOS/DVD Player` would be `/Applications/DVD Player.app`
+   * Or `/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension` would be `/Applications/Safari.app`
+
+2. The ancestor bundle is then searched for Mach-O executables
+
+   * For Safari that would currently be 4 binaries
+
+   * ```sh
+     Hashing time: 53 ms
+     4 events found
+     BundleHash: 718773556ca5ea798f984fde2fe1a5994f175900b26d2964c9358a0f469a4ac6
+     BundleID: com.apple.Safari
+     	SHA-256: ea872e83a518ce442ed050c4408a448d915e2bae90ef8455ce7805448d864a3e
+     	Path: /Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
+     BundleID: com.apple.Safari
+     	SHA-256: 1a43283857b1822164f82af274c476204748c0a2894dbcaa11ed17f78e0273cc
+     	Path: /Applications/Safari.app/Contents/MacOS/Safari
+     BundleID: com.apple.Safari
+     	SHA-256: ab0ac54dd90144931b681d1e84e198c6510be44ac5339437bc004e60777af7ba
+     	Path: /Applications/Safari.app/Contents/Resources/appdiagnose
+     BundleID: com.apple.Safari
+     	SHA-256: f49c5aa3a7373127d0b4945782b1fa375dd3707d66808fd66b7c0756430defa8
+     	Path: /Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService
+     ```
+
+3. Events are created for each binary and the bundle hash is calculated
+
+4. These events are sent to the sync server for processing
+
+##### Bundle Hash
+
+The found events are sorted by their file SHA-256 hash. The hashes are concatenated and then SHA-256 hashed. This is now a strong indicator on what Mach-O executables were within the bundle at the time of scan. This can then be verified by the sync server when deciding to generate rules.

Docs/details/santactl.md

@@ -0,0 +1,425 @@
+# santactl
+
+This may be the most complex part of Santa. It does two types of work:
+
+1. It contains all of the code and functionality for syncing with a sync-server.
+2. It can be used to view the state and configuration of Santa as a whole. It can also inspect individual files. When running without a sync server it also a supported method of managing the rules database.
+
+The details of santactl's syncing functionality are covered in the syncing.md document. This document will cover the status work that santactl performs.
+
+##### status
+
+To view the status of Santa run `santactl status`
+
+```sh
+⇒  santactl status
+>>> Daemon Info
+  Mode                      | Monitor
+  File Logging              | Yes
+  Watchdog CPU Events       | 0  (Peak: 2.19%)
+  Watchdog RAM Events       | 0  (Peak: 29.45MB)
+>>> Kernel Info
+  Kernel cache count        | 123
+>>> Database Info
+  Binary Rules              | 321
+  Certificate Rules         | 123
+  Events Pending Upload     | 0
+>>> Sync Info
+  Sync Server               | https://sync-server.com/santa/
+  Clean Sync Required       | No
+  Last Successful Full Sync | 2017/08/10 15:05:32 -0400
+  Last Successful Rule Sync | 2017/08/10 15:29:21 -0400
+  Push Notifications        | Connected
+  Bundle Scanning           | Yes
+```
+
+The status command also has the ability to print JSON output `santactl status --json`
+
+```sh
+⇒  santactl status --json
+{
+  "kernel" : {
+    "cache_count" : 123
+  },
+  "daemon" : {
+    "watchdog_ram_events" : 0,
+    "watchdog_ram_peak" : 29.44921875,
+    "watchdog_cpu_events" : 0,
+    "file_logging" : true,
+    "mode" : "Monitor",
+    "watchdog_cpu_peak" : 2.188006666666666
+  },
+  "database" : {
+    "events_pending_upload" : 0,
+    "certificate_rules" : 123,
+    "binary_rules" : 321
+  },
+  "sync" : {
+    "last_successful_rule" : "2017\/08\/10 15:29:21 -0400",
+    "push_notifications" : "Connected",
+    "bundle_scanning" : true,
+    "clean_required" : false,
+    "server" : "https:\/\//sync-server.com\/santa\/",
+    "last_successful_full" : "2017\/08\/10 15:05:32 -0400"
+  }
+}
+```
+
+##### version
+
+To view all of the component versions `santactl version`
+
+```sh
+⇒  santactl version
+santa-driver    | 0.9.19
+santad          | 0.9.19
+santactl        | 0.9.19
+SantaGUI        | 0.9.19
+```
+
+Again, a JSON version is available `santactl version --json`
+
+```sh
+⇒  santactl version --json
+{
+  "santa-driver" : "0.9.19",
+  "santad" : "0.9.19",
+  "SantaGUI" : "0.9.19",
+  "santactl" : "0.9.19"
+}
+```
+
+##### fileinfo
+
+The fileinfo verb is very powerful and can be used to tease out just about anything you wish to know about a file, with respect to the domain of Santa.
+
+Here is an example of using `santactl fileinfo ` to inspect the main executable within `/Applications/Hex Fiend.app`. 
+
+```sh
+⇒  santactl fileinfo /Applications/Hex\ Fiend.app
+Path                 : /Applications/Hex Fiend.app/Contents/MacOS/Hex Fiend
+SHA-256              : efaf88db065beae61615f6f176c11c751555d2bad3c5da6cdad71635896014f1
+SHA-1                : 5585e6fb94eace1bd37da9a0a2f928e992d7c60c
+Bundle Name          : Hex Fiend
+Bundle Version       : 170205
+Bundle Version Str   : 2.5
+Download Referrer URL: http://ridiculousfish.com/hexfiend/
+Download URL         : http://ridiculousfish.com/hexfiend/files/Hex_Fiend_2.5.dmg
+Download Timestamp   : 2017/06/29 12:52:16 -0400
+Download Agent       : com.google.Chrome
+Type                 : Executable (x86-64)
+Code-signed          : Yes
+Rule                 : Whitelisted (Unknown)
+Signing Chain:
+     1. SHA-256             : ba1be5d2d60a43658a0c6ebf61b577e428439b53ef2e0b96ba90285e2c82a1b2
+        SHA-1               : 8fdbf6d6c22a97c472fb4961b7733ab0d8830ff7
+        Common Name         : Developer ID Application: Kevin Wojniak
+        Organization        : Kevin Wojniak
+        Organizational Unit : QK92QP33YN
+        Valid From          : 2012/10/30 01:07:40 -0400
+        Valid Until         : 2017/10/31 01:07:40 -0400
+
+     2. SHA-256             : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f
+        SHA-1               : 3b166c3b7dc4b751c9fe2afab9135641e388e186
+        Common Name         : Developer ID Certification Authority
+        Organization        : Apple Inc.
+        Organizational Unit : Apple Certification Authority
+        Valid From          : 2012/02/01 17:12:15 -0500
+        Valid Until         : 2027/02/01 17:12:15 -0500
+
+     3. SHA-256             : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
+        SHA-1               : 611e5b662c593a08ff58d14ae22452d198df6c60
+        Common Name         : Apple Root CA
+        Organization        : Apple Inc.
+        Organizational Unit : Apple Certification Authority
+        Valid From          : 2006/04/25 17:40:36 -0400
+        Valid Until         : 2035/02/09 16:40:36 -0500
+```
+
+Any of the desired information can be targeted with the `--key` flag
+
+```sh
+⇒  santactl fileinfo /Applications/Hex\ Fiend.app --key SHA-256
+efaf88db065beae61615f6f176c11c751555d2bad3c5da6cdad71635896014f1
+```
+
+Multiple `--key` flags are allowed
+
+```sh
+⇒  santactl fileinfo /Applications/Hex\ Fiend.app --key SHA-256 --key Rule
+efaf88db065beae61615f6f176c11c751555d2bad3c5da6cdad71635896014f1
+Whitelisted (Unknown)
+```
+
+The `--json` flag can also be used at any point
+
+```sh
+⇒  santactl fileinfo /Applications/Hex\ Fiend.app --key SHA-256 --key Rule --json
+{
+  "SHA-256" : "efaf88db065beae61615f6f176c11c751555d2bad3c5da6cdad71635896014f1",
+  "Rule" : "Whitelisted (Unknown)"
+}
+```
+
+Multiple files are also supported as input
+
+```sh
+⇒  santactl fileinfo /bin/* --key SHA-256 --key Rule --json
+[
+{
+  "SHA-256" : "5d8e161c21fc1a43374c4cf21be05360dbe2ecea0165fd4725ae7a958f2a0b02",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "295fbc2356e8605e804f95cb6d6f992335e247dbf11767fe8781e2a7f889978a",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "9f9b36ec79b9fcaf649e17f2f94c544dd408c2ab630e73d7c62a7a43f1bc7b1d",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "08a09d2d9bade16872acdf5da1c4e9d29582ed985480a9e73fd389e98293c40d",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "48e4b938b363201ec11d06a13d8080c1bd77187d286780259b9304c96edc5324",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "7dff6291a29fdaf97dad64c0671dc5d1ecc42189bc5daf8ca08e2a3ae06aff95",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "7cbba457df4c02d6a7fb93046fea0e869732c65a2225bee6f2e8ec290d38c57b",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "39e894d1705656451f592884a56bcc76e7ffbb9ed2a8b81d5f2878e1c0e68dbe",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "8555ed4622410aa7b4379041acabf80fe452a90efe3be2697406935ff0d6822e",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "cee3e29089f8919ee904328904a7492995cfa398b027857fbf8b3e601397b308",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "da2cfa9fc2cabd41907f9d0931cea79000a19520fe0b3d73fc40537408730e40",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "73aee02c4761e5501b1fdfa51ccd316bf735017a5cc0a09d5bcc46f4e7112be9",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "3a1c4ca5a038b42b1fbfca6f9bec25d307a8af40afbe9c48b307372fe8167a2f",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "9dc8e1c5b6ec49602dd968eb88286e330220233f7cfa6e73fd37fc983a365084",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "78fd9b8749c2a216ca76ff4541754d4cf5a5e2e8c00710a85c3fdab171486f92",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "c4daaf12bd42adee60549872126e15186c75d89e760f078bfa6a45a861f6400f",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "9dba1cbb01bce47a9610a40cbcbc27704a754e31a889503eb0670c3a25f7ad72",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "a5ae86cd413589d9661fc604349fb153c0d6f5dfa3d9e95e01b8bc5e09bc1da1",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "a5ae86cd413589d9661fc604349fb153c0d6f5dfa3d9e95e01b8bc5e09bc1da1",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "c4c5517ff40a33006028853a19734d8cda8e2942cb9ba27b8310e07f18677487",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "a944b104742db59204b45f1dae657bd6a845ff2374e1ade3cf9f09cc428154cf",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "09e143cf3b6c4dcc98676cc45543613b83b6527b502d4dacb42b3f6c7036ef5a",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "47cea771e93aff464f1060a6a1a2c3855401e6cd22c3971b2b76fae92e8c33b4",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "5682f15628ae15e5c29aa37f19ec421bbe4aca47734864b6363b73a16f891888",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "83c29a2445d84daf51eebd51668753fb39600a136efc20aba7298a812b44974c",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "83929910d3cd2c401636337fadc747a9a8ea6c174bfd80f1e96b99d877ddfa6e",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "cccd818698aa802b116586a773643d0b951067dea8284304acaae62ac97b362b",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "2bf2d10a7529a88d340ce0255da52dbef9873ccb44e46d23af03abf70b8e54ca",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "956f2dc7ba31663dd3a9b70e84e6a2491980165426b90cacd10db4bd010c3353",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "da1a3ae959751b211928f175f6c8987408a976be44690022c92d45ef5a8cb6e5",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "1e51209ae4549a72432ad504341c0731a282b33ba99c5f7f4e2abc9993e09b0a",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "7dff6291a29fdaf97dad64c0671dc5d1ecc42189bc5daf8ca08e2a3ae06aff95",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "5d8e161c21fc1a43374c4cf21be05360dbe2ecea0165fd4725ae7a958f2a0b02",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "83929910d3cd2c401636337fadc747a9a8ea6c174bfd80f1e96b99d877ddfa6e",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "17372eafbe9e920d5715a9cffa59f881ef4ed949785c1e2adf9c067d550dbde6",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "b1834d55b76c65d57cef1219a30331452301e84b6e315f2a17e5b5b295ce1648",
+  "Rule" : "Whitelisted (Certificate)"
+}
+]
+```
+
+Recursive lookups of an application or directory is a soon to be added feature
+
+```sh
+⇒  santactl fileinfo --recursive /Applications/Santa.app --key SHA-256 --key Rule --key Type --json
+[
+{
+  "SHA-256" : "c149c10c83abaf6b602401106f098b68d47a1a433ab02455cef2ca8057cf4a82",
+  "Type" : "Unknown",
+  "Rule" : "Whitelisted (Scope)"
+},
+{
+  "SHA-256" : "c339c3e5e04c732ae493dbc4a26d18fccc8bb48cea0cc0762ccd8754ef318a0b",
+  "Type" : "Unknown",
+  "Rule" : "Whitelisted (Scope)"
+},
+{
+  "SHA-256" : "6ee757ab65d7c93e8b6a467b44cd2f0d10b6db7da8b6200e778c3ca279ea5619",
+  "Type" : "Executable (x86-64)",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "82502191c9484b04d685374f9879a0066069c49b8acae7a04b01d38d07e8eca0",
+  "Type" : "Unknown",
+  "Rule" : "Whitelisted (Scope)"
+},
+{
+  "SHA-256" : "9814019f865a540d3635012a75db932eaefc9a62468750f2294350690430aadf",
+  "Type" : "Unknown",
+  "Rule" : "Whitelisted (Scope)"
+},
+{
+  "SHA-256" : "05a9c9dbbf0a7a30f083e3dccd8db3d96845e0644930977b4e284c65083b89ac",
+  "Type" : "Unknown",
+  "Rule" : "Whitelisted (Scope)"
+},
+{
+  "SHA-256" : "e1db8fdffc5017684f962c51fad059dcaa06ab5d551186aa85711f80b727d23d",
+  "Type" : "Unknown",
+  "Rule" : "Whitelisted (Scope)"
+}
+]
+```
+
+##### rule
+
+The rule command is covered in the [rules.md](rules.md) document.
+
+##### sync
+
+The sync command is covered in the [syncing.md](syncing.md) document.
+
+##### Debug Commands
+
+There are a few commands that are not included in the release versions of Santa. They are mainly used during development and only accessible with a debug build of Santa.
+
+##### bundleinfo
+
+This prints info about all of the executable Mach-O files within a bundle. It also prints the calculated bundle hash for that particular bundle. A bundle hash is a notion used by Santa to represent a set of binaries.
+
+```sh
+⇒  santactl bundleinfo /Applications/Hex\ Fiend.app
+Hashing time: 12 ms
+4 events found
+BundleHash: 33da3e2d5e2ccbdb9d34fb9753c2c18805e6325853d2fb4eb947915c90113efc
+BundleID: com.ridiculousfish.HexFiend
+	SHA-256: e592a7c65f803675c0b7d55ab7d2a1a2696c9f097a99dc28a4083d7387e53d95
+	Path: /Applications/Hex Fiend.app/Contents/Library/LaunchServices/com.ridiculousfish.HexFiend.PrivilegedHelper
+BundleID: com.ridiculousfish.HexFiend
+	SHA-256: ce23d39a1a8ff2b42baad5a0204b24b57590bb7ff74c9552b3ba10d9c1517279
+	Path: /Applications/Hex Fiend.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate
+BundleID: com.ridiculousfish.HexFiend
+	SHA-256: efaf88db065beae61615f6f176c11c751555d2bad3c5da6cdad71635896014f1
+	Path: /Applications/Hex Fiend.app/Contents/MacOS/Hex Fiend
+BundleID: com.ridiculousfish.HexFiend
+	SHA-256: 148d6ae55176b619e5eb9f5000922b3ca4c126206fc5782f925d112027f9db3c
+	Path: /Applications/Hex Fiend.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop
+```
+
+See the [santabs.md](santabs.md) document for more information on bundles and bundle hashes.
+
+##### checkcache
+
+This is used to check if a particular file is apart of santa-driver's kernel cache. Mainly for debugging purposes.
+
+```sh
+⇒  santactl checkcache /usr/bin/yes
+File does not exist in cache
+⇒  /usr/bin/yes
+y
+y
+y
+y
+y
+^C
+⇒  santactl checkcache /usr/bin/yes
+File exists in [whitelist] kernel cache
+```
+
+##### flushcache
+
+This can be used to flush santa-driver's kernel cache, as shown here.
+
+```sh
+⇒  santactl checkcache /usr/bin/yes
+File exists in [whitelist] kernel cache
+⇒  sudo santactl flushcache
+Cache flush requested
+⇒  santactl checkcache /usr/bin/yes
+File does not exist in cache
+```

Docs/details/santad.md

@@ -0,0 +1,23 @@
+# santad
+
+The santad process does the heavy lifting when it comes to making decisions about binary executions. It also handles brokering all of the XPC connections between the various components of Santa. It does all of this with performance being at the forefront. 
+
+##### A note on performance
+
+On an idling machine, santad and the other components of Santa consume virtually no CPU and a minimal amount of memory (5-50MB). When lots of processes `execve()` at the same time, the CPU and memory usage can spike. All of the `execve()` decisions are made on high priority threads to ensure decisions are posted back to the kernel as soon as possible. A watchdog thread will log warnings when sustained high CPU (>20%) and memory (>250MB) usage by santad is detected.
+
+##### On Launch
+
+The very first thing santad does once it has been launched is to load and connect to santa-driver. Only one connection may be active at any given time.
+
+At this point, santa-driver is loaded and running in the kernel, but is allowing all executions and not sending any messages to santad. Before santad tells santa-driver it is ready to receive messages, it needs to setup a few more things:
+
+* The rule and event databases are initialized
+* Connections to Santa (GUI) and santactl sync daemon are established. 
+* The config file is processed.
+
+santad is now ready to start processing decision and logging messages from santa-driver. The listeners are started and santad sits in a run loop awaiting messages from santa-driver. 
+
+##### Running
+
+Messages are read from a shared memory queue (`IODataQueueMemory` ) on a single thread. A callback is invoked for each message. The callback then dispatches all the work of processing a decision message to a concurrent high priority queue. The log messages are dispatched to a low priority queue for processing.

Docs/details/scopes.md

@@ -0,0 +1,27 @@
+# Scopes
+
+In addition to rules, Santa can whitelist or blacklist based on scopes. Currently, only a few scopes are implemented. They fall into one of two categories: a whitelist scope or blacklist scope. Scopes are evaluated after rules, with blacklist evaluation preceding whitelist.
+
+Scopes are a broader way of whitelisting or blacklisting `execve()`s.
+
+For configuration of scopes see [configuration.md](../deployment/configuration.md).
+
+##### Blacklist Scopes
+
+| Scope                | Configurable |
+| -------------------- | ------------ |
+| Blacklist Path Regex | Yes          |
+| Missing __PAGEZERO   | Yes          |
+
+##### Whitelist Scopes
+
+| Scope                | Configurable |
+| -------------------- | ------------ |
+| Whitelist Path Regex | Yes          |
+| Not a Mach-O         | No           |
+
+As seen above, Santa will whitelist any non Mach-O binary under a whitelist scope. However, a blacklist regex or binary SHA-256 rule can be used to block non Mach-O `execve()`s since they are evaluated before the whitelist scopes.
+
+##### Regex Caveats
+
+The paths covered by the whitelist and blacklist regex patterns are not tracked. If an `execve()` is allowed initially, then moved into a blacklist directory, Santa has no knowledge of that move. Since santa-driver caches decisions, the recently moved file will continue to be allowed to `execve()` even though it is now within a blacklisted regex path. The cache holds "allow" decisions until invalidated and "deny" decisions for 500 milliseconds. Going from a blacklist path to a whitelist path is not largely affected.

Docs/development/building.md

@@ -0,0 +1,150 @@
+# Building
+
+Santa uses [Bazel](https://bazel.build) for building, testing and releases.
+The `master` branch on GitHub is the source-of-truth with features developed
+in personal forks.
+
+#### Cloning
+
+Clone the source and change into the directory.
+
+```sh
+git clone https://github.com/google/santa
+cd santa
+```
+
+The above command will default to using the `master` branch. All releases are
+built from tagged commits, so if you wanted to build, run or test a specific
+release you can checkout that tag:
+
+```sh
+git checkout 0.9.30
+```
+
+If you want to list all the tags in reverse order:
+
+```sh
+git tag --sort=-creatordate
+```
+
+#### Building
+
+Build a debug version of Santa:
+
+```sh
+bazel build :santa-driver
+```
+
+Build a release (optimized) version of Santa:
+
+```sh
+bazel build :santa-driver -c opt
+```
+
+The output for these commands will be a `santa-driver.zip` file under
+`bazel-bin` which, when extracted, will contain all of Santa and should be
+installed under `/Library/Extensions`. However, if you're working on Santa
+and want a quick way to reload everything, see the next section.
+
+#### Running
+
+When working on Santa, it's useful to have a way to quickly reload all of the
+Santa components. For this reason, there's a special rule in the Santa BUILD
+file that will compile a new santa-driver, unload Santa if it's running,
+install the new Santa in the right place and attempt to load it.
+
+On macOS 10.11+ System Integrity Protection (SIP) prevents loading of kernel
+extensions that are not signed by an Apple KEXT signing certificate. To be able
+to load and test a non-release version of Santa, SIP will have to be configured
+to allow non-Apple KEXT signing certificates.
+
+__This is only to be done a machine that is actively developing, unloading and
+loading kernel extensions.__
+
+1. Boot into Recovery Mode: Reboot and hold down `command+r`
+2. From the utilities menu select `Terminal`
+3. Disable the KEXT feature of SIP: `csrutil enable --without kext`
+4. Reboot
+
+You should now be able to load and run a non-release version of Santa.
+
+Build and run a debug version of Santa.
+
+```sh
+bazel run :reload
+```
+
+Build and run a release version of Santa.
+
+```sh
+bazel run :reload -c opt
+```
+
+#### Using Xcode
+
+While Bazel is a very convenient and powerful build system, it can still be
+useful to use Xcode for actually working on the code. If you'd like to use
+Xcode you can use [Tulsi](https://tulsi.bazel.build) to generate an `.xcodeproj`
+from the BUILD file which will use Bazel for actually doing the builds.
+
+#### Debugging
+
+Xcode and lldb can be used to debug Santa, similarly to any other project, with
+some exceptions. Instead of clicking the play button to launch and attach to a
+process, you can attach to an already running, or soon to by running, component
+of Santa. To do this select the Debug menu and choose `Attach to Process by PID
+or Name… `. Below are the four components of Santa and who to debug the process
+as.
+
+Note: santa-driver (the kernel extension) cannot be debugged by attaching with
+Xcode.
+
+Note: Xcode can attach to santad without interruption, however any breakpoints
+in the decision making codepath can deadlock the machine. Using lldb directly
+to attach to santad will deadlock the machine.
+
+| process  | user |
+| -------- | ---- |
+| santad   | root |
+| Santa*   | me   |
+| santactl | me   |
+| santabs  | root |
+
+Xcode will then wait for the process to start. Issue this command to restart
+all the Santa processes in debug mode.
+
+*The Santa (GUI) process is the only component of Santa that can be launched
+and debugged from Xcode directly. All the other components are launched with
+privileges and/or are scoped to an XPC service that launchd scopes to a hosting
+bundle. Thus the need for the `Attach to Process by PID or Name…` technique.
+See the [ipc](../details/ipc.md) document for for details.
+
+```sh
+bazel run :reload
+```
+
+Now the process is attached in Xcode and you can debug your day away.
+
+#### Tests
+
+Run all the logic / unit tests
+
+```sh
+bazel test :logic_tests
+```
+
+Run all of santa-driver kernel extension tests
+
+```sh
+bazel run :kernel_tests
+```
+
+#### Releases
+
+Creates a release build of Santa with a version based of the newest tag. Also
+saves the dsym files for each component of Santa. This makes debugging and
+interpreting future crashes or kernel panics much easier.
+
+```sh
+bazel run :release
+```

Docs/index.md

@@ -0,0 +1,46 @@
+# Welcome to the Santa Docs
+
+Santa is a binary whitelisting / blacklisting system for macOS. Here you will find the documentation for understanding how Santa works, how to deploy it and how to contribute.
+
+#### Introduction
+
+The following documents give an overview of how Santa accomplishes binary whitelisting / blacklisting at the enterprise scale.
+
+- [Binary Whitelisting](introduction/binary-whitelisting-overview.md): How Santa makes allow or deny decisions for any `execve()` taking place.
+- [Syncing](introduction/syncing-overview.md): How configuration and whitelist / blacklist rules are applied from a sync server.
+
+#### Deployment
+
+* [Configuration](deployment/configuration.md): The local and sync server configuration options.
+
+#### Development
+
+* [Building Santa](development/building.md): How to build and load Santa for testing on a development machine.
+* [Contributing](../CONTRIBUTING.md): How to contribute a bug fix or new feature to Santa.
+
+#### Details
+
+For those who want even more details on how Santa works under the hood, this section is for you.
+
+###### Binaries
+
+There are five main components that make up Santa whose core functionality is described in snippets below. For additional detail on each component, visit their respective pages. These quick descriptions do not encompass all the jobs performed by each component, but do provide a quick look at the basic functionality utilized to achieve the goal of binary whitelisting / blacklisting.
+
+* [santa-driver](details/santa-driver.md): A macOS kernel extension that participates in `execve()` decisions.
+* [santad](details/santad.md): A user-land root daemon that makes decisions on behalf of santa-driver requests.
+* [santactl](details/santactl.md): A user-land anonymous daemon that communicates with a sync server for configurations and policies. santactl can also be used by a user to manually configure Santa when using the local configuration.
+* [santa-gui](details/santa-gui.md): A user-land GUI daemon that displays notifications when an `execve()` is blocked.
+* [santabs](details/santabs.md): A user-land root daemon that finds Mach-O binaries within a bundle and creates events for them. 
+
+###### Concepts
+
+Additional documentation on the concepts that support the operation of the main components:
+
+* [mode](details/mode.md): An operating mode, either Monitor or Lockdown.
+* [events](details/events.md): Represents an `execve()` that was blocked, or would have been blocked, depending on the mode.
+* [rules](details/rules.md): Represents allow or deny decisions for a given `execve()`. Can either be a binary's SHA-256 hash or a leaf code-signing certificate's SHA-256 hash.
+* [scopes](details/scopes.md): The level at which an `execve()` was allowed or denied from taking place.
+* [syncing](introduction/syncing-overview.md): How Santa communicates with a TLS server for configuration, rules and event uploading.
+* [ipc](details/ipc.md): How all the components of Santa communicate.
+  duction/syncing-overview.
+* [logs](details/logs.md): What and where Santa logs.

Docs/introduction/binary-whitelisting-overview.md

@@ -0,0 +1,31 @@
+# Binary Whitelisting Overview
+
+#### Background
+
+The decision flow starts in the kernel. The macOS kernel is extensible by way of a kernel extension (KEXT). macOS makes available kernel programming interfaces (KPIs) to be used by a KEXT. Santa utilizes the Kernel Authorization (Kauth) KPI. This is a very powerful and verbose interface that gives Santa the ability to listen in on most vnode and file systems operations and to take actions, directly or indirectly, on the operations being performed. Still, there are some limitations to Kauth which are pointed out in the santa-driver document. For more information on the santa-driver KEXT see the [santa-driver.md](../details/santa-driver.md) document.
+
+#### Flow of an execve()
+
+This is a high level overview of the binary whitelisting / blacklisting decision process. For a more detailed account of each part, see the respective documentation. This flow does not cover the logging component of Santa, see the [logs.md](../details/logs.md) documentation for more info.
+
+###### Kernel Space
+
+0. santa-driver registers itself as a `KAUTH_SCOPE_VNODE` listener. This flow follows how santa-driver handles `KAUTH_VNODE_EXECUTE` events.
+1. A santa-driver Kauth callback function is executed by the kernel when a process is trying to `execve()`. In most cases, the `execve()` takes place right after a process calls `fork()` to start a new process. This function is running on a kernel thread representing the new process. Information on where to find the executable is provided. This information is known as the `vnode_id`.
+2. santa-driver then checks if its cache has an allow or deny entry for the `vnode_id`. If so it returns that decision to the Kauth KPI. 
+   * If Kauth receives a deny, it will stop the `execve()` from taking place. 
+   * If Kauth receives an allow, it will defer the decision. If there are other Kauth listeners, they also have a chance deny or defer.
+3. If there is no entry for the `vnode_id` in the cache a few actions occur:
+   * santa-driver hands off the decision making to santad.
+   * A new entry is created in the cache for the `vnode_id` with a special value of `ACTION_REQUEST_BINARY`.  This is used as a placeholder until the decision from santad comes back. If another process tries to `execve()` the same `vnode_id`, santa-driver will have that thread wait for the in-flight decision from santad. All subsequent `execve()`s for the same `vnode_id` will use the decision in the cache as explained in #2, until the cache is invalidated. See the [santa-driver.md](../details/santa-driver.md) document for more details on the cache invalidation.
+   * If the executing file is written to while any of the threads are waiting for a response the `ACTION_REQUEST_BINARY` entry is removed, forcing the decision-making process to be restarted.
+
+###### User Space
+
+1. santad is listening for decision requests from santa-driver.
+   * More information is collected about the executable that lives at the `vnode_id`. Since this codepath has a sleeping kernel thread waiting for a decision, extra care is taken to be as performant as possible.
+2. santad uses the information it has gathered to make a decision to allow or deny the `execve()`. There are more details on how these decisions are made in the [rules.md](../details/rules.md) and [scopes.md](../details/scopes.md) documents.
+3. The decision is posted back to santa-driver.
+4. If there was a deny decision, a message is sent to Santa GUI to display a user popup notification.
+
+

Docs/introduction/syncing-overview.md

@@ -0,0 +1,27 @@
+# Syncing Overview
+
+#### Background
+
+Santa can be run and configured without a sync server. Doing so will enable an admin to configure rules with the `santactl rule` command. Using a sync server will enable an admin to configures rules and multiple other settings from the sync server itself. Santa was designed from the start with a sync server in mind. This allows an admin to easily configure and sync rules across a fleet of macOS systems. This document explains the syncing process.
+
+#### Flow of a full sync
+
+This is a high level overview of the syncing process. For a more a more detailed account of each part, see the respective documentation. The santaclt binary can be run in one of two modes, daemon and non-daemon. The non-daemon mode does one full sync and exits. This is the typical way a user will interact with Santa, mainly to force a full sync. The daemon mode is used by santad to schedule full syncs, listen for push notifications and upload events.
+
+0. When the santad process starts up, it looks for a `SyncBaseURL` key/value in the config. If one exists it will `fork()` and `execve()` `santactl sync —-daemon`. Before the new process calls `execve()`, all privileges are dropped. All privileged actions are then restricted to the XPC interface made available to santactl by santad. Since this santactl process is running as a daemon it too exports an XPC interface so santad can interact with the process efficiently and securely. To ensure syncing reliability santad will restart the santactl daemon if it is killed or crashes.
+1. The santactl daemon process now schedules a full sync for 15 sec in the future. The 15 sec is used to let santad settle before santactl starts sending rules from the sync server to process.
+2. The full sync starts. There are a number of stages to a full sync:
+   1. preflight: The sync server can set various settings for Santa.
+   2. logupload (optional): The sync server can request that the Santa logs be uploaded to an endpoint.
+   3. eventupload (optional): If Santa has generated events, it will upload them to the sync-server.
+   4. ruledownload: Download rules from the sync server.
+   5. postflight: Updates timestamps for successful syncs.
+3. After the full sync completes a new full sync will be scheduled, by default this will be 10min. However there are a few ways to manipulate this:
+   1. The sync server can send down a configuration in the preflight to override the 10min interval. It can be anything greater than 10min.
+   2. Firebase Cloud Messaging (FCM) can be used. The sync server can send down a configuration in the preflight to have the santactl daemon to start listening for FCM messages. If a connection to FCM is made, the full sync interval drops to a default of 4 hours. This can be further configured by a preflight configuration. The FCM connection allows the sync-sever to talk directly with Santa. This way we can reduce polling the sync server dramatically.
+4. Full syncs will continue to take place at their configured interval. If configured FCM messages will continue to be digested and acted upon.
+
+#### santactl XPC interface
+
+When running as a daemon, the santactl process makes available an XPC interface for use by santad. This allows santad to send blocked binary or bundle events directly to santactl for immediate upload to the sync-server, enabling a smoother user experience. The binary that was blocked on macOS is immediately available for viewing or handling on the sync-server.
+

Docs/theme/Santa.css

@@ -0,0 +1,3 @@
+.wy-side-nav-search {
+  background-color: rgb(253, 67, 69);
+}

Fuzzing/libFuzzer/.gitignore

@@ -0,0 +1,4 @@
+bin
+llvm-*.src
+llvm-*.src.tar.xz
+

Fuzzing/libFuzzer/build.sh

@@ -0,0 +1,109 @@
+#!/usr/bin/env bash
+
+LLVM_VERSION='5.0.1'
+LLVM_COMPILERRT_TARBALL_NAME="llvm-${LLVM_VERSION}.src.tar.xz"
+LLVM_COMPILERRT_SRC_FOLDER_NAME=`echo "${LLVM_COMPILERRT_TARBALL_NAME}" | cut -d '.' -f 1-4`
+LLVM_COMPILERRT_TARBALL_URL="http://releases.llvm.org/${LLVM_VERSION}/${LLVM_COMPILERRT_TARBALL_NAME}"
+
+LIBFUZZER_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+LOG_FILE=`mktemp`
+
+main() {
+  echo "libFuzzer build script"
+
+  echo " > Checking dependencies..."
+  checkDependencies || return 1
+
+  echo " > Entering libFuzzer folder..."
+  cd "${LIBFUZZER_FOLDER}" > /dev/null 2>&1
+  if [ $? -ne 0 ] ; then
+    echo "Failed to enter the libFuzzer folder: ${LIBFUZZER_FOLDER}"
+    return 1
+  fi
+
+  if [ ! -f "${LLVM_COMPILERRT_TARBALL_NAME}" ] ; then
+    echo " > Downloading the LLVM tarball..."
+    curl "${LLVM_COMPILERRT_TARBALL_URL}" -o "${LLVM_COMPILERRT_TARBALL_NAME}" > "${LOG_FILE}" 2>&1
+    if [ $? -ne 0 ] ; then
+      dumpLogFile "Failed to download the LLVM tarball"
+      return 1
+    fi
+  else
+    echo " > An existing LLVM tarball was found"
+  fi
+
+  if [ -d "${LLVM_COMPILERRT_SRC_FOLDER_NAME}" ] ; then
+    echo " > Deleting existing LLVM folder..."
+    rm -rf "${LLVM_COMPILERRT_SRC_FOLDER_NAME}" > "${LOG_FILE}" 2>&1
+    if [ $? -ne 0 ] ; then
+      dumpLogFile "Failed to delete the existing source folder"
+      return 1
+    fi
+  fi
+
+  echo " > Extracting the LLVM tarball..."
+  tar xf "${LLVM_COMPILERRT_TARBALL_NAME}" > "${LOG_FILE}" 2>&1
+  if [ $? -ne 0 ] ; then
+    rm "${LLVM_COMPILERRT_TARBALL_NAME}" "${LLVM_COMPILERRT_SRC_FOLDER_NAME}"
+    dumpLogFile "Failed to extract the LLVM tarball"
+    return 1
+  fi
+
+  if [ -d "bin" ] ; then
+    echo " > Deleting existing bin folder..."
+    rm -rf "bin" > "${LOG_FILE}" 2>&1
+    if [ $? -ne 0 ] ; then
+      dumpLogFile "Failed to delete the existing bin folder"
+      return 1
+    fi
+  fi
+
+  mkdir "bin" > "${LOG_FILE}" 2>&1
+  if [ $? -ne 0 ] ; then
+    dumpLogFile "Failed to create the bin folder"
+    return 1
+  fi
+
+  echo " > Building libFuzzer..."
+  ( cd "bin" && "../${LLVM_COMPILERRT_SRC_FOLDER_NAME}/lib/Fuzzer/build.sh" ) > "${LOG_FILE}" 2>&1
+  if [ $? -ne 0 ] ; then
+    dumpLogFile "Failed to build the library"
+    return 1
+  fi
+
+  printf "\nFinished building libFuzzer\n"
+  rm "${LOG_FILE}"
+
+  return 0
+}
+
+checkDependencies() {
+  executable_list=( "clang++" "curl" "tar" )
+
+  for executable in "${executable_list[@]}" ; do
+    which "${executable}" > /dev/null 2>&1
+    if [ $? -ne 0 ] ; then
+      echo "The following program was not found: ${executable}"
+      return 1
+    fi
+  done
+
+  return 0
+}
+
+dumpLogFile() {
+  if [ $# -eq 1 ] ; then
+    local message="$1"
+  else
+    local message="An error has occurred"
+  fi
+
+  printf "${message}\n"
+  printf "Log file follows\n===\n"
+  cat "${LOG_FILE}"
+  printf "\n===\n"
+  rm "${LOG_FILE}"
+}
+
+main $@
+exit $?

Fuzzing/santacache/.gitignore

@@ -0,0 +1,3 @@
+santacache.dSYM
+santacache
+

Fuzzing/santacache/src/main.cpp

@@ -0,0 +1,41 @@
+/// Copyright 2018 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#include <SantaCache.h>
+
+#include <iostream>
+#include <cstdint>
+
+extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size) {
+  static SantaCache<uint64_t, uint64_t> decision_cache(5000, 2);
+
+  std::uint64_t fields[2] = {};
+
+  if (size > 16) {
+    std::cout << "Invalid size! Start with -max_len=16\n";
+    return 1;
+  }
+
+  std::memcpy(fields, data, size);
+
+  decision_cache.set(fields[0], fields[1]);
+  auto returned_value = decision_cache.get(fields[0]);
+
+  if (returned_value != fields[1]) {
+    std::cout << fields[0] << ", " << fields[1] << " -> " << returned_value << "\n";
+    return 1;
+  }
+
+  return 0;
+}

Fuzzing/santactl/santactl_fuzzer_seed_corpus/example01

@@ -0,0 +1,16 @@
+{
+  "rules": [
+    {
+      "rule_type": "BINARY",
+      "policy": "BLACKLIST",
+      "sha256": "2dc104631939b4bdf5d6bccab76e166e37fe5e1605340cf68dab919df58b8eda",
+      "custom_msg": "blacklist firefox"
+    },
+    {
+      "rule_type": "CERTIFICATE",
+      "policy": "BLACKLIST",
+      "sha256": "e7726cf87cba9e25139465df5bd1557c8a8feed5c7dd338342d8da0959b63c8d",
+      "custom_msg": "blacklist dash app certificate"
+    }
+  ]
+}

Fuzzing/santactl/src/main.mm

@@ -0,0 +1,62 @@
+/// Copyright 2018 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#include <iostream>
+#include <cstdint>
+#include <vector>
+
+#include <SNTCommandSyncRuleDownload.h>
+#include <SNTCommandSyncState.h>
+#include <SNTCommandSyncConstants.h>
+#include <SNTRule.h>
+
+extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size) {
+  NSData *buffer = [NSData dataWithBytes:static_cast<const void *>(data) length:size];
+  if (!buffer) {
+    return 0;
+  }
+
+  NSError *error;
+  NSDictionary *response = [NSJSONSerialization JSONObjectWithData:buffer options:0 error:&error];
+  if (!response) {
+    return 0;
+  }
+
+  if (![response isKindOfClass:[NSDictionary class]]) {
+    return 0;
+  }
+
+  if (![response objectForKey:kRules]) {
+    return 0;
+  }
+
+  SNTCommandSyncState *state = [[SNTCommandSyncState alloc] init];
+  if (!state) {
+    return 0;
+  }
+
+  SNTCommandSyncRuleDownload *obj = [[SNTCommandSyncRuleDownload alloc] initWithState:state];
+  if (!obj) {
+    return 0;
+  }
+
+  for (NSDictionary *ruleDict in response[kRules]) {
+    SNTRule *rule = [obj ruleFromDictionary:ruleDict];
+    if (rule) {
+      std::cerr << "Rule: " << [[rule description] UTF8String] << "\n";
+    }
+  }
+ 
+  return 0;
+}

Fuzzing/santad/santad_databaseRemoveEventsWithIDs_fuzzer_seed_corpus/example01

@@ -0,0 +1 @@
+К'.p▒└G╗М┐║ЙSЮ╝и▌РУерЭxt1iАЫШ9ы*H╩4R"═©$-├Уww╙+Р╝╘[┼иу╧oС┬ОwRpЗя≤х°е

Fuzzing/santad/src/checkCacheForVnodeID.mm

@@ -0,0 +1,55 @@
+/// Copyright 2018 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#include <iostream>
+#include <cstdint>
+
+#import <MOLXPCConnection/MOLXPCConnection.h>
+
+#import "SNTCommandController.h"
+#import "SNTRule.h"
+#import "SNTXPCControlInterface.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size) {
+  if (size > 16) {
+    std::cerr << "Invalid buffer size of " << size
+              <<  " (should be <= 16)" << std::endl;
+
+    return 1;
+  }
+
+  santa_vnode_id_t vnodeID = {};
+  std::memcpy(&vnodeID, data, size);
+  
+  MOLXPCConnection *daemonConn = [SNTXPCControlInterface configuredConnection];
+  daemonConn.invalidationHandler = ^{
+    printf("An error occurred communicating with the daemon, is it running?\n");
+    exit(1);
+  };
+
+  [daemonConn resume];
+
+  [[daemonConn remoteObjectProxy] checkCacheForVnodeID:vnodeID
+                                                  withReply:^(santa_action_t action) {
+    if (action == ACTION_RESPOND_ALLOW) {
+      std::cerr << "File exists in [whitelist] kernel cache" << std::endl;;
+    } else if (action == ACTION_RESPOND_DENY) {
+      std::cerr << "File exists in [blacklist] kernel cache" << std::endl;;
+    } else if (action == ACTION_UNSET) {
+      std::cerr << "File does not exist in cache" << std::endl;;
+    }
+  }];
+  
+  return 0;
+}

Fuzzing/santad/src/databaseRemoveEventsWithIDs.mm

@@ -0,0 +1,51 @@
+/// Copyright 2018 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#include <iostream>
+#include <cstdint>
+
+#import <MOLXPCConnection/MOLXPCConnection.h>
+
+#import "SNTCommandController.h"
+#import "SNTRule.h"
+#import "SNTXPCControlInterface.h"
+
+#pragma pack(push, 1)
+
+#pragma pack(pop)
+
+extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size) {
+  auto *eventId = reinterpret_cast<const std::uint64_t *>(data);
+  std::size_t eventIdCount = size / sizeof(std::uint64_t);
+  if (eventIdCount == 0) {
+    return 0;
+  }
+
+  MOLXPCConnection *daemonConn = [SNTXPCControlInterface configuredConnection];
+  daemonConn.invalidationHandler = ^{
+    printf("An error occurred communicating with the daemon, is it running?\n");
+    exit(1);
+  };
+
+  [daemonConn resume];
+
+  NSMutableSet *eventIds = [NSMutableSet setWithCapacity:eventIdCount];
+  for (std::size_t i = 0; i < eventIdCount; i++) {
+    auto id = [NSNumber numberWithInteger:eventId[i]];
+    [eventIds addObject:id];
+  }
+
+  [[daemonConn remoteObjectProxy] databaseRemoveEventsWithIDs:[eventIds allObjects]];
+  return 0;
+}

Fuzzing/santad/src/databaseRuleAddRules.mm

@@ -0,0 +1,73 @@
+/// Copyright 2018 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#include <iostream>
+#include <cstdint>
+
+#import <MOLXPCConnection/MOLXPCConnection.h>
+
+#import "SNTCommandController.h"
+#import "SNTRule.h"
+#import "SNTXPCControlInterface.h"
+
+#pragma pack(push, 1)
+
+struct InputData {
+  std::uint32_t cleanSlate;
+  std::uint32_t state;
+  std::uint32_t type;
+  char hash[33];
+};
+
+#pragma pack(pop)
+
+extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size) {
+  if (size > sizeof(InputData)) {
+    std::cerr << "Invalid buffer size of " << size
+              <<  " (should be <= " << sizeof(InputData)
+              << ")" << std::endl;
+
+    return 1;
+  }
+
+  InputData input_data = {};
+  std::memcpy(&input_data, data, size);
+
+  SNTRule *newRule = [[SNTRule alloc] init];
+  newRule.state = (SNTRuleState) input_data.state;
+  newRule.type = (SNTRuleType) input_data.type;
+  newRule.shasum = @(input_data.hash);
+  newRule.customMsg = @"";
+  
+  MOLXPCConnection *daemonConn = [SNTXPCControlInterface configuredConnection];
+  daemonConn.invalidationHandler = ^{
+    printf("An error occurred communicating with the daemon, is it running?\n");
+    exit(1);
+  };
+
+  [daemonConn resume];
+  [[daemonConn remoteObjectProxy] databaseRuleAddRules:@[newRule]
+                                                 cleanSlate:NO
+                                                      reply:^(NSError *error) {
+    if (!error) {
+      if (newRule.state == SNTRuleStateRemove) {
+        printf("Removed rule for SHA-256: %s.\n", [newRule.shasum UTF8String]);
+      } else {
+        printf("Added rule for SHA-256: %s.\n", [newRule.shasum UTF8String]);
+      }
+    }
+  }];
+  
+  return 0;
+}

Podfile

@@ -1,12 +0,0 @@
-platform :osx, "10.8"
-
-inhibit_all_warnings!
-
-target :santad do
-  pod 'FMDB'
-end
-
-target :LogicTests do
-  pod 'OCMock'
-  pod 'FMDB'
-end

Podfile.lock

@@ -1,17 +0,0 @@
-PODS:
-  - FMDB (2.4):
-    - FMDB/standard (= 2.4)
-  - FMDB/common (2.4)
-  - FMDB/standard (2.4):
-    - FMDB/common
-  - OCMock (3.1.1)
-
-DEPENDENCIES:
-  - FMDB
-  - OCMock
-
-SPEC CHECKSUMS:
-  FMDB: 0b2fa25e5264ef177973c0cb8c02c711107979aa
-  OCMock: f6cb8c162ab9d5620dddf411282c7b2c0ee78854
-
-COCOAPODS: 0.35.0

README.md

@@ -1,141 +1,183 @@
-Santa
-=====
+# Santa [![Build Status][build-status-img]][build-status-link] [![Documentation Status][doc-status-img]][doc-status-link]
 
-Santa is a binary whitelisting/blacklisting system for Mac OS X. It consists of
-a kernel extension that monitors for executions, a userland daemon that makes
-execution decisions based on the contents of a SQLite database, a GUI agent that
-notifies the user in case of a block decision and a command-line utility for
-managing the system and synchronizing the database with a server.
+[build-status-img]: https://travis-ci.org/google/santa.png?branch=master
+[build-status-link]: https://travis-ci.org/google/santa
+[doc-status-img]: https://readthedocs.org/projects/santa/badge/?version=latest
+[doc-status-link]: https://santa.readthedocs.io/en/latest/?badge=latest
 
-Santa is not yet a 1.0. We're writing more tests, fixing bugs, working on TODOs
-and finishing up a security audit.
+<p align="center">
+    <img src="./Source/SantaGUI/Resources/Images.xcassets/AppIcon.appiconset/santa-hat-icon-128.png" alt="Santa Icon" />
+</p>
 
-Santa is named because it keeps track of binaries that are naughty and nice.
+Santa is a binary whitelisting/blacklisting system for macOS. It consists of a
+kernel extension that monitors for executions, a userland daemon that makes
+execution decisions based on the contents of a SQLite database, a GUI agent
+that notifies the user in case of a block decision and a command-line utility
+for managing the system and synchronizing the database with a server.
+
+It is named Santa because it keeps track of binaries that are naughty or nice.
 
 Santa is a project of Google's Macintosh Operations Team.
 
-Features
-========
+# Docs
 
-* Multiple modes: MONITOR and LOCKDOWN. In MONITOR mode all binaries except
-those marked as blacklisted will be allowed to run, whilst being logged and
-recorded in the database. In LOCKDOWN mode, only whitelisted binaries are
-allowed to run.
+The Santa docs are stored in the
+[Docs](https://github.com/google/santa/blob/master/Docs) directory. A Read the
+Docs instance is available here: https://santa.readthedocs.io.
 
-* Codesign listing: Binaries can be whitelisted/blacklisted by their signing
-certificate, so you can trust/block all binaries by a given publisher. The
-binary will only be whitelisted by certificate if its signature validates
-correctly. However, a decision for a binary will override a decision for a
-certificate; i.e. you can whitelist a certificate while blacklisting a binary
-signed by that certificate or vice-versa.
+The docs include deployment options, details on how parts of Santa work and
+instructions for developing Santa itself.
+
+# Get Help
+
+If you have questions or otherwise need help getting started,
+the [santa-dev](https://groups.google.com/forum/#!forum/santa-dev) group is a
+great place.
+
+If you believe you have a bug, feel free to report [an
+issue](https://github.com/google/santa/isues) and we'll respond as soon as we
+can.
+
+
+# Admin-Related Features
+
+* Multiple modes: In the default MONITOR mode, all binaries except those marked
+  as blacklisted will be allowed to run, whilst being logged and recorded in
+  the events database. In LOCKDOWN mode, only whitelisted binaries are allowed
+  to run.
+
+* Event logging: When the kext is loaded, all binary launches are logged.  When
+  in either mode, all unknown or denied binaries are stored in the database to
+  enable later aggregation.
+
+* Certificate-based rules, with override levels: Instead of relying on a
+  binary's hash (or 'fingerprint'), executables can be whitelisted/blacklisted
+  by their signing certificate. You can therefore trust/block all binaries by a
+  given publisher that were signed with that cert across version updates. A
+  binary can only be whitelisted by its certificate if its signature validates
+  correctly, but a rule for a binary's fingerprint will override a decision for
+  a certificate; i.e. you can whitelist a certificate while blacklisting a
+  binary signed with that certificate, or vice-versa.
+
+* Path-based rules (via NSRegularExpression/ICU): This allows a similar feature
+  to that found in Managed Client (the precursor to configuration profiles,
+  which used the same implementation mechanism), Application Launch
+  Restrictions via the mcxalr binary. This implementation carries the added
+  benefit of being configurable via regex, and not relying on LaunchServices.
+  As detailed in the wiki, when evaluating rules this holds the lowest
+  precedence.
+
+* Failsafe cert rules: You cannot put in a deny rule that would block the
+  certificate used to sign launchd, a.k.a. pid 1, and therefore all components
+  used in macOS. The binaries in every OS update (and in some cases entire new
+  versions) are therefore auto-whitelisted. This does not affect binaries from
+  Apple's App Store, which use various certs that change regularly for common
+  apps. Likewise, you cannot blacklist Santa itself, and Santa uses a distinct
+  separate cert than other Google apps.
+
+# Intentions and Expectations
+
+No single system or process will stop *all* attacks, or provide 100% security.
+Santa is written with the intention of helping protect users from themselves.
+People often download malware and trust it, giving the malware credentials, or
+allowing unknown software to exfiltrate more data about your system. As a
+centrally managed component, Santa can help stop the spread of malware among a
+large fleet of machines. Independently, Santa can aid in analyzing what is
+running on your computer.
+
+Santa is part of a defense-in-depth strategy, and you should continue to
+protect hosts in whatever other ways you see fit.
+
+# Security and Performance-Related Features
 
 * In-kernel caching: whitelisted binaries are cached in the kernel so the
-processing required to make a request is only done if the binary
-isn't already cached.
+  processing required to make a request is only done if the binary isn't
+  already cached.
 
 * Userland components validate each other: each of the userland components (the
-daemon, the GUI agent and the command-line utility) communicate with each other
-using XPC and check that their signing certificates are identical before any
-communication is accepted.
-
-* Event logging: all executions processed by the userland agent are logged and
-all unknown or denied binaries are also stored in the database for upload to a
-server.
+  daemon, the GUI agent and the command-line utility) communicate with each
+  other using XPC and check that their signing certificates are identical
+  before any communication is accepted.
 
 * Kext uses only KPIs: the kernel extension only uses provided kernel
-programming interfaces to do its job. This means that the kext code should
-continue to work across OS versions.
+  programming interfaces to do its job. This means that the kext code should
+  continue to work across OS versions.
 
-Known Issues
-============
+# Known Issues
 
-Santa is not yet a 1.0 and we have some known issues to be aware of:
-
-* Potential race-condition: we currently have a single TODO in the kext code to
-investigate a potential race condition where a binary is executed and then very
-quickly modified between the kext getting the SHA-1 and the decision being made.
+* Santa only blocks execution (execve and variants), it doesn't protect against
+  dynamic libraries loaded with dlopen, libraries on disk that have been
+  replaced, or libraries loaded using `DYLD_INSERT_LIBRARIES`. As of version
+  0.9.1 we *do* address [__PAGEZERO missing issues](b87482e) that were
+  exploited in some versions of macOS. We are working on also protecting
+  against similar avenues of attack.
 
 * Kext communication security: the kext will only accept a connection from a
-single client at a time and said client must be running as root. We haven't yet
-found a good way to ensure the kext only accepts connections from a valid client,
-short of hardcoding the SHA-1 in the kext. This shouldn't present a huge problem
-as the daemon is loaded on boot-up by launchd, so any later attempts to connect
-will be blocked.
+  single client at a time and said client must be running as root. We haven't
+  yet found a good way to ensure the kext only accepts connections from a valid
+  client.
 
-* Database protection: the SQLite database is installed with permissions so that
-only the root user can read/write it. We're considering approaches to secure
-this further.
-
-* Sync client: the command-line client includes a command to synchronize with a
-management server, including the uploading of events that have occurred on the
-machine and to download new rules. We're still very heavily working on this
-server (which is AppEngine-based and will be open-sourced in the future), so the
-sync client code is unfinished. It does show the 'API' that we're expecting to
-use so if you'd like to write your own management server, feel free to look at
-how the client currently works (and suggest changes!)
+* Database protection: the SQLite database is installed with permissions so
+  that only the root user can read/write it. We're considering approaches to
+  secure this further.
 
 * Scripts: Santa is currently written to ignore any execution that isn't a
-binary. This is because after weighing the administration cost vs the benefit,
-we found it wasn't worthwhile. Additionally, a number of applications make use
-of temporary generated scripts, which we can't possibly whitelist and not doing
-so would cause problems. We're happy to revisit this (or at least make it an
-option) if it would be useful to others.
+  binary. This is because after weighing the administration cost vs the
+  benefit, we found it wasn't worthwhile. Additionally, a number of
+  applications make use of temporary generated scripts, which we can't possibly
+  whitelist and not doing so would cause problems. We're happy to revisit this
+  (or at least make it an option) if it would be useful to others.
 
-* Documentation: There currently isn't any.
+# Sync Servers
 
-* Tests: There aren't enough of them.
+* The `santactl` command-line client includes a flag to synchronize with a
+  management server, which uploads events that have occurred on the machine and
+  downloads new rules. There are several open-source servers you can sync with:
 
-Building
-========
+    * [Upvote](https://github.com/google/upvote) - An AppEngine-based server
+      that implements social voting to make managing a large fleet easier.
+    * [Moroz](https://github.com/groob/moroz) - A simple golang server that
+      serves hardcoded rules from simple configuration files.
+    * [Zentral](https://github.com/zentralopensource/zentral/wiki) - A
+      centralized service that pulls data from multiple sources and deploy
+      configurations to multiple services.
 
-```sh
-git clone https://github.com/google/santa
-cd santa
+* Alternatively, `santactl` can configure rules locally (without a sync
+  server).
 
-# Build a debug build. This will install any necessary CocoaPods, create the
-# workspace and build, outputting the full log only if an error occurred.
-# If CocoaPods is not installed, you'll be prompted to install it.
-#
-# For other build/install/run options, run rake without any arguments
-rake build:debug
-```
+# Screenshots
 
-Note: the Xcode project is setup to use any installed "Mac Developer" certificate
-and for security-reasons parts of Santa will not operate properly if not signed.
+A tool like Santa doesn't really lend itself to screenshots, so here's a video
+instead.
 
-Kext Signing
-============
+<p align="center"> <img src="https://zippy.gfycat.com/MadFatalAmphiuma.gif"
+alt="Santa Block Video" /> </p>
 
-10.9 requires a special Developer ID certificate to sign kernel extensions and
-if the kext is not signed with one of these special certificates a warning will
-be shown when loading the kext for the first time. In 10.10 this is a hard error
-and the kext will not load at all unless the machine is booted with a debug
-boot-arg.
+# Kext Signing
+Kernel extensions on macOS 10.9 and later must be signed using an Apple-provided
+Developer ID certificate with a kernel extension flag. Without it, the only way
+to load an extension is to enable kext-dev-mode or disable SIP, depending on
+the OS version.
 
 There are two possible solutions for this, for distribution purposes:
 
-1) Use a [pre-built, pre-signed version](https://github.com/google/santa/releases)
-of the kext that we supply. Each time changes are made to the kext code we will
-update the pre-built version that you can make use of. This doesn't prevent you
-from making changes to the non-kext parts of Santa and distributing those.
-If you make changes to the kext and make a pull request, we can merge them in
-and distribute a new version of the pre-signed kext.
+1) Use a [pre-built, pre-signed
+version](https://github.com/google/santa/releases) of the kext that we supply.
+Each time changes are made to the kext code we will update the pre-built
+version that you can make use of. This doesn't prevent you from making changes
+to the non-kext parts of Santa and distributing those.  If you make changes to
+the kext and make a pull request, we can merge them in and distribute a new
+version of the pre-signed kext.
 
-2) Apply for your own [kext signing certificate](https://developer.apple.com/contact/kext/).
-Apple will only grant this for broad distribution within an organization, they
-won't issue them just for testing purposes.
+2) Apply for your own [kext signing
+certificate](https://developer.apple.com/contact/kext/).  Apple will only grant
+this for broad distribution within an organization, they won't issue them just
+for testing purposes.
 
-If you just want to locally test changes to the kext code, you should enable
-kext-dev mode, instructions for which can be found on the Apple developer site.
-
-
-Contributing
-============
-
-Patches to this project are very much welcome. Please see the [CONTRIBUTING](https://github.com/google/santa/blob/master/CONTRIBUTING.md)
+# Contributing
+Patches to this project are very much welcome. Please see the
+[CONTRIBUTING](https://github.com/google/santa/blob/master/CONTRIBUTING.md)
 file.
 
-Disclaimer
-==========
-
+# Disclaimer
 This is **not** an official Google product.

Rakefile

@@ -1,235 +0,0 @@
-require 'timeout'
-
-WORKSPACE       = 'Santa.xcworkspace'
-DEFAULT_SCHEME  = 'All'
-OUTPUT_PATH     = 'Build'
-DIST_PATH       = 'Dist'
-BINARIES        = ['Santa.app', 'santa-driver.kext', 'santad', 'santactl']
-PLISTS          = ['Source/SantaGUI/Resources/Santa-Info.plist',
-                   'Source/santad/Resources/santad-Info.plist',
-                   'Source/santa-driver/Resources/santa-driver-Info.plist',
-                   'Source/santactl/Resources/santactl-Info.plist']
-XCODE_DEFAULTS  = "-workspace #{WORKSPACE} -scheme #{DEFAULT_SCHEME} -derivedDataPath #{OUTPUT_PATH} -parallelizeTargets"
-
-task :default do
-  system("rake -sT")
-end
-
-def run_and_output_on_fail(cmd)
-  output=`#{cmd} 2>&1`
-  if not $?.success?
-    raise output
-  end
-end
-
-def run_and_output_with_color(cmd)
-  output=`#{cmd} 2>&1`
-
-  has_output = false
-  output.scan(/((Test Suite|Test Case|Executed).*)$/) do |match|
-    has_output = true
-    out = match[0]
-    if out.include?("passed")
-      puts "\e[32m#{out}\e[0m"
-    elsif out.include?("failed")
-      puts "\e[31m#{out}\e[0m"
-    else
-      puts out
-    end
-  end
-
-  if not has_output
-    raise output
-  end
-end
-
-task :init do
-  unless File.exists?(WORKSPACE) and File.exists?('Pods')
-    puts "Workspace is missing, running 'pod install'"
-    system "pod install" or raise "CocoaPods is not installed. Install with 'sudo gem install cocoapods'"
-  end
-end
-
-task :remove_existing do
-  system 'sudo rm -rf /santa-driver.kext'
-  system 'sudo rm -rf /Applications/Santa.app'
-  system 'sudo rm /usr/libexec/santad'
-  system 'sudo rm /usr/sbin/santactl'
-end
-
-desc "Clean"
-task :clean => :init do
-  puts "Cleaning"
-  run_and_output_on_fail("xcodebuild #{XCODE_DEFAULTS} clean")
-  FileUtils.rm_rf(OUTPUT_PATH)
-  FileUtils.rm_rf(DIST_PATH)
-end
-
-# Build
-namespace :build do
-  desc "Build: Debug"
-  task :debug do
-    Rake::Task['build:build'].invoke("Debug")
-  end
-
-  desc "Build: Release"
-  task :release do
-    Rake::Task['build:build'].invoke("Release")
-  end
-
-  task :build, [:configuration] => :init do |t, args|
-    config = args[:configuration]
-    puts "Building with configuration: #{config}"
-    run_and_output_on_fail("xcodebuild #{XCODE_DEFAULTS} -configuration #{config} build")
-  end
-end
-
-
-# Install
-namespace :install do
-  desc "Install: Debug"
-  task :debug do
-    Rake::Task['install:install'].invoke("Debug")
-  end
-
-  desc "Install: Release"
-  task :release do
-    Rake::Task['install:install'].invoke("Release")
-  end
-
-  task :install, [:configuration] do |t, args|
-    config = args[:configuration]
-    system 'sudo cp conf/com.google.santad.plist /Library/LaunchDaemons'
-    system 'sudo cp conf/com.google.santasync.plist /Library/LaunchDaemons'
-    system 'sudo cp conf/com.google.santagui.plist /Library/LaunchAgents'
-    system 'sudo cp conf/com.google.santa.asl.conf /etc/asl'
-    Rake::Task['build:build'].invoke(config)
-    puts "Installing with configuration: #{config}"
-    Rake::Task['remove_existing'].invoke()
-    system "sudo cp -r #{OUTPUT_PATH}/Products/#{config}/santa-driver.kext /"
-    system "sudo cp -r #{OUTPUT_PATH}/Products/#{config}/Santa.app /Applications"
-    system "sudo cp #{OUTPUT_PATH}/Products/#{config}/santad /usr/libexec"
-    system "sudo cp #{OUTPUT_PATH}/Products/#{config}/santactl /usr/sbin"
-  end
-end
-
-# Dist
-task :dist do
-  desc "Create distribution folder"
-
-  Rake::Task['build:build'].invoke("Release")
-
-  FileUtils.rm_rf(DIST_PATH)
-
-  FileUtils.mkdir_p("#{DIST_PATH}/binaries")
-  FileUtils.mkdir_p("#{DIST_PATH}/conf")
-  FileUtils.mkdir_p("#{DIST_PATH}/dsym")
-
-  BINARIES.each do |x|
-    FileUtils.cp_r("#{OUTPUT_PATH}/Products/Release/#{x}", "#{DIST_PATH}/binaries")
-    FileUtils.cp_r("#{OUTPUT_PATH}/Products/Release/#{x}.dSYM", "#{DIST_PATH}/dsym")
-  end
-
-  Dir.glob("Conf/*") {|x| FileUtils.cp(x, "#{DIST_PATH}/conf")}
-
-  puts "Distribution folder created"
-end
-
-# Tests
-namespace :tests do
-  desc "Tests: Logic"
-  task :logic => [:init] do
-    puts "Running logic tests"
-    run_and_output_with_color("xcodebuild #{XCODE_DEFAULTS} test")
-  end
-
-  desc "Tests: Kernel"
-  task :kernel do
-    Rake::Task['unload'].invoke()
-    Rake::Task['install:debug'].invoke()
-    Rake::Task['load_kext'].invoke
-    timeout = 30
-    puts "Running kernel tests with a #{timeout} second timeout"
-    begin
-      Timeout::timeout(timeout) {
-        system "sudo #{OUTPUT_PATH}/Products/Debug/KernelTests"
-      }
-    rescue Timeout::Error
-      puts "ERROR: tests ran for longer than #{timeout} seconds and were killed."
-    end
-    Rake::Task['unload_kext'].execute
-  end
-end
-
-# Load/Unload
-task :unload_daemon do
-  puts "Unloading daemon"
-  system "sudo launchctl unload /Library/LaunchDaemons/com.google.santad.plist 2>/dev/null"
-end
-
-task :unload_kext do
-  puts "Unloading kernel extension"
-  system "sudo kextunload /santa-driver.kext 2>/dev/null"
-end
-
-task :unload_gui do
-  puts "Unloading GUI agent"
-  system "sudo killall Santa 2>/dev/null"
-end
-
-desc "Unload"
-task :unload => [:unload_daemon, :unload_kext, :unload_gui]
-
-task :load_daemon do
-  puts "Loading daemon"
-  system "sudo launchctl load /Library/LaunchDaemons/com.google.santad.plist"
-end
-
-task :load_kext do
-  puts "Loading kernel extension"
-  system "sudo kextload /santa-driver.kext"
-end
-
-task :load_gui do
-  puts "Loading GUI agent"
-  system "open /Applications/Santa.app"
-end
-
-desc "Load"
-task :load => [:load_kext, :load_daemon, :load_gui]
-
-namespace :reload do
-  desc "Reload: Debug"
-  task :debug do
-    Rake::Task['unload'].invoke()
-    Rake::Task['install:debug'].invoke()
-    Rake::Task['load'].invoke()
-  end
-
-  desc "Reload: Release"
-  task :release do
-    Rake::Task['unload'].invoke()
-    Rake::Task['install:release'].invoke()
-    Rake::Task['load'].invoke()
-  end
-end
-
-# Versioning
-desc "Update version, version should be of the form rake version[\\d{1,4}.\\d{1,2}(?:.\\d{1,2})?]"
-task :version, :version do |t, args|
-  response = args[:version]
-
-  unless response =~ /^\d{1,4}\.\d{1,2}(?:\.\d{1,2})?$/
-    raise "Version number must be of form: xxxx.xx[.xx]. E.g: rake version[1.0.2], rake version[1.7]"
-  end
-
-  system "sed -i -e 's/MODULE_VERSION = .*;/MODULE_VERSION = #{response};/g' Santa.xcodeproj/project.pbxproj"
-
-  PLISTS.each do |plist|
-    system "defaults write $PWD/#{plist} CFBundleVersion #{response}"
-    system "defaults write $PWD/#{plist} CFBundleShortVersionString #{response}"
-    system "plutil -convert xml1 $PWD/#{plist}"
-  end
-
-  puts "Updated version to #{response}"
-end

Santa.xcodeproj/xcshareddata/xcschemes/All.xcscheme

@@ -1,69 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Scheme
-   LastUpgradeVersion = "0510"
-   version = "1.3">
-   <BuildAction
-      parallelizeBuildables = "YES"
-      buildImplicitDependencies = "YES">
-      <BuildActionEntries>
-         <BuildActionEntry
-            buildForTesting = "YES"
-            buildForRunning = "YES"
-            buildForProfiling = "YES"
-            buildForArchiving = "YES"
-            buildForAnalyzing = "YES">
-            <BuildableReference
-               BuildableIdentifier = "primary"
-               BlueprintIdentifier = "0D91BCDC174E8AE600131A7D"
-               BuildableName = "All"
-               BlueprintName = "All"
-               ReferencedContainer = "container:Santa.xcodeproj">
-            </BuildableReference>
-         </BuildActionEntry>
-      </BuildActionEntries>
-   </BuildAction>
-   <TestAction
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      shouldUseLaunchSchemeArgsEnv = "YES"
-      buildConfiguration = "Debug">
-      <Testables>
-         <TestableReference
-            skipped = "NO">
-            <BuildableReference
-               BuildableIdentifier = "primary"
-               BlueprintIdentifier = "0D260DAB18B68E12002A0B55"
-               BuildableName = "LogicTests.xctest"
-               BlueprintName = "LogicTests"
-               ReferencedContainer = "container:Santa.xcodeproj">
-            </BuildableReference>
-         </TestableReference>
-      </Testables>
-   </TestAction>
-   <LaunchAction
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      launchStyle = "0"
-      useCustomWorkingDirectory = "NO"
-      buildConfiguration = "Debug"
-      ignoresPersistentStateOnLaunch = "NO"
-      debugDocumentVersioning = "YES"
-      allowLocationSimulation = "YES">
-      <AdditionalOptions>
-      </AdditionalOptions>
-   </LaunchAction>
-   <ProfileAction
-      shouldUseLaunchSchemeArgsEnv = "YES"
-      savedToolIdentifier = ""
-      useCustomWorkingDirectory = "NO"
-      buildConfiguration = "Release"
-      debugDocumentVersioning = "YES">
-   </ProfileAction>
-   <AnalyzeAction
-      buildConfiguration = "Debug">
-   </AnalyzeAction>
-   <ArchiveAction
-      buildConfiguration = "Release"
-      revealArchiveInOrganizer = "YES">
-   </ArchiveAction>
-</Scheme>

Santa.xcodeproj/xcshareddata/xcschemes/KernelTests.xcscheme

@@ -1,86 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Scheme
-   LastUpgradeVersion = "0600"
-   version = "1.3">
-   <BuildAction
-      parallelizeBuildables = "YES"
-      buildImplicitDependencies = "YES">
-      <BuildActionEntries>
-         <BuildActionEntry
-            buildForTesting = "YES"
-            buildForRunning = "YES"
-            buildForProfiling = "YES"
-            buildForArchiving = "YES"
-            buildForAnalyzing = "YES">
-            <BuildableReference
-               BuildableIdentifier = "primary"
-               BlueprintIdentifier = "0D0016A1192BCD3C005E7FCD"
-               BuildableName = "KernelTests"
-               BlueprintName = "KernelTests"
-               ReferencedContainer = "container:Santa.xcodeproj">
-            </BuildableReference>
-         </BuildActionEntry>
-      </BuildActionEntries>
-   </BuildAction>
-   <TestAction
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      shouldUseLaunchSchemeArgsEnv = "YES"
-      buildConfiguration = "Debug">
-      <Testables>
-      </Testables>
-      <MacroExpansion>
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D0016A1192BCD3C005E7FCD"
-            BuildableName = "KernelTests"
-            BlueprintName = "KernelTests"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </MacroExpansion>
-   </TestAction>
-   <LaunchAction
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      launchStyle = "0"
-      useCustomWorkingDirectory = "NO"
-      buildConfiguration = "Debug"
-      ignoresPersistentStateOnLaunch = "NO"
-      debugDocumentVersioning = "YES"
-      allowLocationSimulation = "YES">
-      <BuildableProductRunnable>
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D0016A1192BCD3C005E7FCD"
-            BuildableName = "KernelTests"
-            BlueprintName = "KernelTests"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </BuildableProductRunnable>
-      <AdditionalOptions>
-      </AdditionalOptions>
-   </LaunchAction>
-   <ProfileAction
-      shouldUseLaunchSchemeArgsEnv = "YES"
-      savedToolIdentifier = ""
-      useCustomWorkingDirectory = "NO"
-      buildConfiguration = "Release"
-      debugDocumentVersioning = "YES">
-      <BuildableProductRunnable>
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D0016A1192BCD3C005E7FCD"
-            BuildableName = "KernelTests"
-            BlueprintName = "KernelTests"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </BuildableProductRunnable>
-   </ProfileAction>
-   <AnalyzeAction
-      buildConfiguration = "Debug">
-   </AnalyzeAction>
-   <ArchiveAction
-      buildConfiguration = "Release"
-      revealArchiveInOrganizer = "YES">
-   </ArchiveAction>
-</Scheme>

Santa.xcodeproj/xcshareddata/xcschemes/Santa.xcscheme

@@ -1,86 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Scheme
-   LastUpgradeVersion = "0510"
-   version = "1.3">
-   <BuildAction
-      parallelizeBuildables = "YES"
-      buildImplicitDependencies = "YES">
-      <BuildActionEntries>
-         <BuildActionEntry
-            buildForTesting = "YES"
-            buildForRunning = "YES"
-            buildForProfiling = "YES"
-            buildForArchiving = "YES"
-            buildForAnalyzing = "YES">
-            <BuildableReference
-               BuildableIdentifier = "primary"
-               BlueprintIdentifier = "0D385DB5180DE4A900418BC6"
-               BuildableName = "Santa.app"
-               BlueprintName = "Santa"
-               ReferencedContainer = "container:Santa.xcodeproj">
-            </BuildableReference>
-         </BuildActionEntry>
-      </BuildActionEntries>
-   </BuildAction>
-   <TestAction
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      shouldUseLaunchSchemeArgsEnv = "YES"
-      buildConfiguration = "Debug">
-      <Testables>
-      </Testables>
-      <MacroExpansion>
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D385DB5180DE4A900418BC6"
-            BuildableName = "Santa.app"
-            BlueprintName = "Santa"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </MacroExpansion>
-   </TestAction>
-   <LaunchAction
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      launchStyle = "0"
-      useCustomWorkingDirectory = "NO"
-      buildConfiguration = "Debug"
-      ignoresPersistentStateOnLaunch = "NO"
-      debugDocumentVersioning = "YES"
-      allowLocationSimulation = "YES">
-      <BuildableProductRunnable>
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D385DB5180DE4A900418BC6"
-            BuildableName = "Santa.app"
-            BlueprintName = "Santa"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </BuildableProductRunnable>
-      <AdditionalOptions>
-      </AdditionalOptions>
-   </LaunchAction>
-   <ProfileAction
-      shouldUseLaunchSchemeArgsEnv = "YES"
-      savedToolIdentifier = ""
-      useCustomWorkingDirectory = "NO"
-      buildConfiguration = "Release"
-      debugDocumentVersioning = "YES">
-      <BuildableProductRunnable>
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D385DB5180DE4A900418BC6"
-            BuildableName = "Santa.app"
-            BlueprintName = "Santa"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </BuildableProductRunnable>
-   </ProfileAction>
-   <AnalyzeAction
-      buildConfiguration = "Debug">
-   </AnalyzeAction>
-   <ArchiveAction
-      buildConfiguration = "Release"
-      revealArchiveInOrganizer = "YES">
-   </ArchiveAction>
-</Scheme>

Santa.xcodeproj/xcshareddata/xcschemes/santa-driver.xcscheme

@@ -1,59 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Scheme
-   LastUpgradeVersion = "0510"
-   version = "1.3">
-   <BuildAction
-      parallelizeBuildables = "YES"
-      buildImplicitDependencies = "YES">
-      <BuildActionEntries>
-         <BuildActionEntry
-            buildForTesting = "YES"
-            buildForRunning = "YES"
-            buildForProfiling = "YES"
-            buildForArchiving = "YES"
-            buildForAnalyzing = "YES">
-            <BuildableReference
-               BuildableIdentifier = "primary"
-               BlueprintIdentifier = "0D91BCB3174E8A7E00131A7D"
-               BuildableName = "santa-driver.kext"
-               BlueprintName = "santa-driver"
-               ReferencedContainer = "container:Santa.xcodeproj">
-            </BuildableReference>
-         </BuildActionEntry>
-      </BuildActionEntries>
-   </BuildAction>
-   <TestAction
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      shouldUseLaunchSchemeArgsEnv = "YES"
-      buildConfiguration = "Debug">
-      <Testables>
-      </Testables>
-   </TestAction>
-   <LaunchAction
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      launchStyle = "0"
-      useCustomWorkingDirectory = "NO"
-      buildConfiguration = "Debug"
-      ignoresPersistentStateOnLaunch = "NO"
-      debugDocumentVersioning = "YES"
-      allowLocationSimulation = "YES">
-      <AdditionalOptions>
-      </AdditionalOptions>
-   </LaunchAction>
-   <ProfileAction
-      shouldUseLaunchSchemeArgsEnv = "YES"
-      savedToolIdentifier = ""
-      useCustomWorkingDirectory = "NO"
-      buildConfiguration = "Release"
-      debugDocumentVersioning = "YES">
-   </ProfileAction>
-   <AnalyzeAction
-      buildConfiguration = "Debug">
-   </AnalyzeAction>
-   <ArchiveAction
-      buildConfiguration = "Release"
-      revealArchiveInOrganizer = "YES">
-   </ArchiveAction>
-</Scheme>

Santa.xcodeproj/xcshareddata/xcschemes/santactl.xcscheme

@@ -1,86 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Scheme
-   LastUpgradeVersion = "0510"
-   version = "1.3">
-   <BuildAction
-      parallelizeBuildables = "YES"
-      buildImplicitDependencies = "YES">
-      <BuildActionEntries>
-         <BuildActionEntry
-            buildForTesting = "YES"
-            buildForRunning = "YES"
-            buildForProfiling = "YES"
-            buildForArchiving = "YES"
-            buildForAnalyzing = "YES">
-            <BuildableReference
-               BuildableIdentifier = "primary"
-               BlueprintIdentifier = "0D35BD9D18FD71CE00921A21"
-               BuildableName = "santactl"
-               BlueprintName = "santactl"
-               ReferencedContainer = "container:Santa.xcodeproj">
-            </BuildableReference>
-         </BuildActionEntry>
-      </BuildActionEntries>
-   </BuildAction>
-   <TestAction
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      shouldUseLaunchSchemeArgsEnv = "YES"
-      buildConfiguration = "Debug">
-      <Testables>
-      </Testables>
-      <MacroExpansion>
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D35BD9D18FD71CE00921A21"
-            BuildableName = "santactl"
-            BlueprintName = "santactl"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </MacroExpansion>
-   </TestAction>
-   <LaunchAction
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      launchStyle = "0"
-      useCustomWorkingDirectory = "NO"
-      buildConfiguration = "Debug"
-      ignoresPersistentStateOnLaunch = "NO"
-      debugDocumentVersioning = "YES"
-      allowLocationSimulation = "YES">
-      <BuildableProductRunnable>
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D35BD9D18FD71CE00921A21"
-            BuildableName = "santactl"
-            BlueprintName = "santactl"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </BuildableProductRunnable>
-      <AdditionalOptions>
-      </AdditionalOptions>
-   </LaunchAction>
-   <ProfileAction
-      shouldUseLaunchSchemeArgsEnv = "YES"
-      savedToolIdentifier = ""
-      useCustomWorkingDirectory = "NO"
-      buildConfiguration = "Release"
-      debugDocumentVersioning = "YES">
-      <BuildableProductRunnable>
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D35BD9D18FD71CE00921A21"
-            BuildableName = "santactl"
-            BlueprintName = "santactl"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </BuildableProductRunnable>
-   </ProfileAction>
-   <AnalyzeAction
-      buildConfiguration = "Debug">
-   </AnalyzeAction>
-   <ArchiveAction
-      buildConfiguration = "Release"
-      revealArchiveInOrganizer = "YES">
-   </ArchiveAction>
-</Scheme>

Santa.xcodeproj/xcshareddata/xcschemes/santad.xcscheme

@@ -1,86 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Scheme
-   LastUpgradeVersion = "0510"
-   version = "1.3">
-   <BuildAction
-      parallelizeBuildables = "YES"
-      buildImplicitDependencies = "YES">
-      <BuildActionEntries>
-         <BuildActionEntry
-            buildForTesting = "YES"
-            buildForRunning = "YES"
-            buildForProfiling = "YES"
-            buildForArchiving = "YES"
-            buildForAnalyzing = "YES">
-            <BuildableReference
-               BuildableIdentifier = "primary"
-               BlueprintIdentifier = "0D9A7F3C1759330400035EB5"
-               BuildableName = "santad"
-               BlueprintName = "santad"
-               ReferencedContainer = "container:Santa.xcodeproj">
-            </BuildableReference>
-         </BuildActionEntry>
-      </BuildActionEntries>
-   </BuildAction>
-   <TestAction
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      shouldUseLaunchSchemeArgsEnv = "YES"
-      buildConfiguration = "Debug">
-      <Testables>
-      </Testables>
-      <MacroExpansion>
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D9A7F3C1759330400035EB5"
-            BuildableName = "santad"
-            BlueprintName = "santad"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </MacroExpansion>
-   </TestAction>
-   <LaunchAction
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      launchStyle = "0"
-      useCustomWorkingDirectory = "NO"
-      buildConfiguration = "Debug"
-      ignoresPersistentStateOnLaunch = "NO"
-      debugDocumentVersioning = "YES"
-      allowLocationSimulation = "YES">
-      <BuildableProductRunnable>
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D9A7F3C1759330400035EB5"
-            BuildableName = "santad"
-            BlueprintName = "santad"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </BuildableProductRunnable>
-      <AdditionalOptions>
-      </AdditionalOptions>
-   </LaunchAction>
-   <ProfileAction
-      shouldUseLaunchSchemeArgsEnv = "YES"
-      savedToolIdentifier = ""
-      useCustomWorkingDirectory = "NO"
-      buildConfiguration = "Release"
-      debugDocumentVersioning = "YES">
-      <BuildableProductRunnable>
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D9A7F3C1759330400035EB5"
-            BuildableName = "santad"
-            BlueprintName = "santad"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </BuildableProductRunnable>
-   </ProfileAction>
-   <AnalyzeAction
-      buildConfiguration = "Debug">
-   </AnalyzeAction>
-   <ArchiveAction
-      buildConfiguration = "Release"
-      revealArchiveInOrganizer = "YES">
-   </ArchiveAction>
-</Scheme>

Santa.xcworkspace/contents.xcworkspacedata

@@ -1 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?><Workspace version='1.0'><FileRef location='group:Santa.xcodeproj'/><FileRef location='group:Pods/Pods.xcodeproj'/></Workspace>

Source/SantaGUI/BUILD

@@ -0,0 +1,54 @@
+licenses(["notice"])  # Apache 2.0
+
+exports_files([
+    "Resources/Images.xcassets/AppIcon.appiconset/santa-hat-icon-256.png",
+])
+
+load("@build_bazel_rules_apple//apple:macos.bzl", "macos_application")
+
+objc_library(
+    name = "SantaGUI_lib",
+    srcs = [
+        "SNTAboutWindowController.h",
+        "SNTAboutWindowController.m",
+        "SNTAccessibleTextField.h",
+        "SNTAccessibleTextField.m",
+        "SNTAppDelegate.h",
+        "SNTAppDelegate.m",
+        "SNTMessageWindow.h",
+        "SNTMessageWindow.m",
+        "SNTMessageWindowController.h",
+        "SNTMessageWindowController.m",
+        "SNTNotificationManager.h",
+        "SNTNotificationManager.m",
+        "main.m",
+    ],
+    data = [
+        "Resources/AboutWindow.xib",
+        "Resources/MessageWindow.xib",
+    ],
+    sdk_frameworks = [
+        "IOKit",
+        "SecurityInterface",
+    ],
+    deps = [
+        "//Source/common:SNTBlockMessage_SantaGUI",
+        "//Source/common:SNTConfigurator",
+        "//Source/common:SNTXPCControlInterface",
+        "//Source/common:SNTXPCNotifierInterface",
+        "@MOLCodesignChecker",
+        "@MOLXPCConnection",
+    ],
+)
+
+macos_application(
+    name = "SantaGUI",
+    app_icons = glob(["Resources/Images.xcassets/**"]),
+    bundle_id = "com.google.SantaGUI",
+    bundle_name = "Santa",
+    infoplists = ["Resources/SantaGUI-Info.plist"],
+    minimum_os_version = "10.9",
+    version = "//:version",
+    visibility = ["//visibility:public"],
+    deps = [":SantaGUI_lib"],
+)

Source/SantaGUI/Resources/AboutWindow.xib

@@ -1,21 +1,22 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="6250" systemVersion="13F34" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES">
+<?xml version="1.0" encoding="UTF-8"?>
+<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="14460.31" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES">
     <dependencies>
-        <deployment identifier="macosx"/>
-        <plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="6250"/>
+        <plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="14460.31"/>
+        <capability name="documents saved in the Xcode 8 format" minToolsVersion="8.0"/>
     </dependencies>
     <objects>
         <customObject id="-2" userLabel="File's Owner" customClass="SNTAboutWindowController">
             <connections>
+                <outlet property="moreInfoButton" destination="SRu-Kf-vu5" id="Vj2-9Q-05d"/>
                 <outlet property="window" destination="F0z-JX-Cv5" id="gIp-Ho-8D9"/>
             </connections>
         </customObject>
         <customObject id="-1" userLabel="First Responder" customClass="FirstResponder"/>
         <customObject id="-3" userLabel="Application" customClass="NSObject"/>
-        <window title="Santa" allowsToolTipsWhenApplicationIsInactive="NO" autorecalculatesKeyViewLoop="NO" oneShot="NO" releasedWhenClosed="NO" visibleAtLaunch="NO" animationBehavior="default" id="F0z-JX-Cv5">
-            <windowStyleMask key="styleMask" titled="YES"/>
+        <window title="Santa" allowsToolTipsWhenApplicationIsInactive="NO" autorecalculatesKeyViewLoop="NO" releasedWhenClosed="NO" visibleAtLaunch="NO" animationBehavior="default" id="F0z-JX-Cv5">
+            <windowStyleMask key="styleMask" titled="YES" closable="YES"/>
             <rect key="contentRect" x="196" y="240" width="480" height="200"/>
-            <rect key="screenRect" x="0.0" y="0.0" width="2560" height="1578"/>
+            <rect key="screenRect" x="0.0" y="0.0" width="3840" height="1577"/>
             <view key="contentView" id="se5-gp-TjO">
                 <rect key="frame" x="0.0" y="0.0" width="480" height="200"/>
                 <autoresizingMask key="autoresizingMask"/>
@@ -28,40 +29,60 @@
                         </constraints>
                         <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" title="Santa" id="VVj-gU-bzy">
                             <font key="font" size="34" name="HelveticaNeue-UltraLight"/>
-                            <color key="textColor" red="0.1869618941" green="0.1869618941" blue="0.1869618941" alpha="1" colorSpace="calibratedRGB"/>
-                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
+                            <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
+                            <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
                         </textFieldCell>
                     </textField>
                     <textField verticalHuggingPriority="750" horizontalCompressionResistancePriority="250" fixedFrame="YES" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="uh6-q0-RzL">
                         <rect key="frame" x="18" y="65" width="444" height="60"/>
+                        <autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMinY="YES"/>
                         <textFieldCell key="cell" sendsActionOnEndEditing="YES" alignment="center" id="CcT-ul-1eA">
                             <font key="font" metaFont="system"/>
-                            <string key="title">Santa is a binary whitelisting system for Mac OS X.
+                            <string key="title">Santa is an application whitelisting system for macOS.
 
 There are no user-configurable settings.</string>
                             <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
                             <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
                         </textFieldCell>
                     </textField>
-                    <button verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="Udo-BY-n7e">
-                        <rect key="frame" x="196" y="21" width="88" height="32"/>
+                    <button verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="SRu-Kf-vu5">
+                        <rect key="frame" x="130" y="21" width="111" height="32"/>
                         <constraints>
-                            <constraint firstAttribute="width" constant="76" id="2Xc-ax-2bV"/>
+                            <constraint firstAttribute="width" constant="99" id="JHv-2J-QSe"/>
                         </constraints>
-                        <buttonCell key="cell" type="push" title="OK" bezelStyle="rounded" alignment="center" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="uSw-o1-lWW">
+                        <buttonCell key="cell" type="push" title="More Info..." bezelStyle="rounded" alignment="center" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="6fe-ju-aET">
                             <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                             <font key="font" metaFont="system"/>
                         </buttonCell>
+                        <connections>
+                            <action selector="openMoreInfoURL:" target="-2" id="dps-TN-rkS"/>
+                        </connections>
+                    </button>
+                    <button verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="Udo-BY-n7e">
+                        <rect key="frame" x="240" y="21" width="111" height="32"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="99" id="2Xc-ax-2bV"/>
+                        </constraints>
+                        <buttonCell key="cell" type="push" title="Dismiss" bezelStyle="rounded" alignment="center" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="uSw-o1-lWW">
+                            <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
+                            <font key="font" metaFont="system"/>
+                            <string key="keyEquivalent" base64-UTF8="YES">
+DQ
+</string>
+                        </buttonCell>
                         <connections>
                             <action selector="orderOut:" target="-1" id="6oW-zI-zn5"/>
                         </connections>
                     </button>
                 </subviews>
                 <constraints>
+                    <constraint firstItem="Udo-BY-n7e" firstAttribute="leading" secondItem="se5-gp-TjO" secondAttribute="leading" priority="900" constant="191" id="1T4-DB-Dz8"/>
+                    <constraint firstItem="SRu-Kf-vu5" firstAttribute="leading" secondItem="se5-gp-TjO" secondAttribute="leading" constant="136" id="Ake-nU-qhW"/>
                     <constraint firstItem="BnL-ZS-kXw" firstAttribute="top" secondItem="se5-gp-TjO" secondAttribute="top" constant="20" symbolic="YES" id="Fj1-SG-mzF"/>
                     <constraint firstAttribute="bottom" secondItem="Udo-BY-n7e" secondAttribute="bottom" constant="28" id="bpF-hC-haN"/>
-                    <constraint firstItem="BnL-ZS-kXw" firstAttribute="centerX" secondItem="Udo-BY-n7e" secondAttribute="centerX" constant="0.5" id="csK-2p-W94"/>
+                    <constraint firstAttribute="bottom" secondItem="SRu-Kf-vu5" secondAttribute="bottom" constant="28" id="fCB-02-SEt"/>
                     <constraint firstItem="BnL-ZS-kXw" firstAttribute="centerX" secondItem="se5-gp-TjO" secondAttribute="centerX" id="kez-S0-6Gg"/>
+                    <constraint firstItem="Udo-BY-n7e" firstAttribute="leading" secondItem="SRu-Kf-vu5" secondAttribute="trailing" constant="11" id="sYO-yY-w9w"/>
                 </constraints>
             </view>
             <connections>

Source/SantaGUI/Resources/Images.xcassets/AppIcon.appiconset/Contents.json

@@ -31,25 +31,25 @@
       "scale" : "1x"
     },
     {
-      "idiom" : "mac",
       "size" : "128x128",
+      "idiom" : "mac",
+      "filename" : "santa-hat-icon-256.png",
       "scale" : "2x"
     },
     {
-      "idiom" : "mac",
       "size" : "256x256",
+      "idiom" : "mac",
+      "filename" : "santa-hat-icon-256.png",
       "scale" : "1x"
     },
     {
-      "size" : "256x256",
       "idiom" : "mac",
-      "filename" : "santa-hat-icon-512.png",
+      "size" : "256x256",
       "scale" : "2x"
     },
     {
-      "size" : "512x512",
       "idiom" : "mac",
-      "filename" : "santa-hat-icon-512.png",
+      "size" : "512x512",
       "scale" : "1x"
     },
     {
@@ -62,4 +62,4 @@
     "version" : 1,
     "author" : "xcode"
   }
-}
+}

Source/SantaGUI/Resources/Images.xcassets/Contents.json

@@ -0,0 +1,6 @@
+{
+  "info" : {
+    "version" : 1,
+    "author" : "xcode"
+  }
+}

Source/SantaGUI/Resources/MessageWindow.xib

@@ -1,141 +1,296 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="6250" systemVersion="14B25" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES">
+<?xml version="1.0" encoding="UTF-8"?>
+<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="14460.31" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES">
     <dependencies>
-        <deployment identifier="macosx"/>
-        <plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="6250"/>
+        <plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="14460.31"/>
+        <capability name="documents saved in the Xcode 8 format" minToolsVersion="8.0"/>
     </dependencies>
     <objects>
         <customObject id="-2" userLabel="File's Owner" customClass="SNTMessageWindowController">
             <connections>
+                <outlet property="applicationNameLabel" destination="qgf-Jf-cJr" id="1JX-X8-03v"/>
+                <outlet property="bundleHashLabel" destination="xP7-jE-NF8" id="i8B-Gs-2E3"/>
+                <outlet property="bundleHashTitle" destination="MhO-U0-MLR" id="KT0-bK-fpV"/>
+                <outlet property="foundFileCountLabel" destination="LHV-gV-vyf" id="Sr0-T2-xGx"/>
+                <outlet property="hashingIndicator" destination="VyY-Yg-JOe" id="Yq4-tZ-9ep"/>
+                <outlet property="openEventButton" destination="7ua-5a-uSd" id="9s4-ZA-Vlo"/>
                 <outlet property="window" destination="9Bq-yh-54f" id="Uhs-WF-TV9"/>
             </connections>
         </customObject>
         <customObject id="-1" userLabel="First Responder" customClass="FirstResponder"/>
         <customObject id="-3" userLabel="Application" customClass="NSObject"/>
-        <window allowsToolTipsWhenApplicationIsInactive="NO" autorecalculatesKeyViewLoop="NO" oneShot="NO" showsToolbarButton="NO" visibleAtLaunch="NO" animationBehavior="none" id="9Bq-yh-54f" customClass="SNTMessageWindow">
+        <window title="Santa Blocked Execution" allowsToolTipsWhenApplicationIsInactive="NO" autorecalculatesKeyViewLoop="NO" visibleAtLaunch="NO" animationBehavior="none" id="9Bq-yh-54f" customClass="SNTMessageWindow">
             <windowStyleMask key="styleMask" utility="YES"/>
-            <rect key="contentRect" x="167" y="107" width="550" height="275"/>
-            <rect key="screenRect" x="0.0" y="0.0" width="2560" height="1577"/>
+            <rect key="contentRect" x="167" y="107" width="540" height="479"/>
+            <rect key="screenRect" x="0.0" y="0.0" width="3840" height="1577"/>
             <view key="contentView" id="Iwq-Lx-rLv">
-                <rect key="frame" x="0.0" y="0.0" width="550" height="275"/>
+                <rect key="frame" x="0.0" y="0.0" width="540" height="479"/>
                 <autoresizingMask key="autoresizingMask" widthSizable="YES" heightSizable="YES"/>
                 <subviews>
-                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="t8c-Fx-e5h">
-                        <rect key="frame" x="234" y="210" width="83" height="40"/>
-                        <constraints>
-                            <constraint firstAttribute="height" constant="40" id="KoG-v6-GfK"/>
-                            <constraint firstAttribute="width" constant="79" id="oS3-CE-1vv"/>
-                        </constraints>
-                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" title="Santa" id="7YA-iB-Zma">
-                            <font key="font" size="34" name="HelveticaNeue-UltraLight"/>
-                            <color key="textColor" red="0.18696189413265307" green="0.18696189413265307" blue="0.18696189413265307" alpha="1" colorSpace="calibratedRGB"/>
-                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
-                        </textFieldCell>
-                    </textField>
-                    <textField verticalHuggingPriority="750" horizontalCompressionResistancePriority="250" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="cD5-Su-lXR">
-                        <rect key="frame" x="23" y="168" width="504" height="17"/>
-                        <constraints>
-                            <constraint firstAttribute="width" constant="500" id="q9O-xW-hnS"/>
-                        </constraints>
-                        <textFieldCell key="cell" allowsUndo="NO" sendsActionOnEndEditing="YES" alignment="center" title="A message to the user goes here..." allowsEditingTextAttributes="YES" id="5tH-bG-UJA">
-                            <font key="font" metaFont="system"/>
-                            <color key="textColor" red="0.40000000000000002" green="0.40000000000000002" blue="0.40000000000000002" alpha="1" colorSpace="calibratedRGB"/>
-                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
-                        </textFieldCell>
-                        <connections>
-                            <binding destination="-2" name="value" keyPath="self.attributedCustomMessage" id="NH1-gV-Cor">
-                                <dictionary key="options">
-                                    <string key="NSNullPlaceholder">The following application has been blocked from executing because its trustworthiness cannot be determined.</string>
-                                </dictionary>
-                            </binding>
-                        </connections>
-                    </textField>
-                    <imageView horizontalHuggingPriority="1000" verticalHuggingPriority="1000" horizontalCompressionResistancePriority="1000" verticalCompressionResistancePriority="1000" translatesAutoresizingMaskIntoConstraints="NO" id="GYD-v8-fqH">
-                        <rect key="frame" x="31" y="91" width="32" height="32"/>
-                        <imageCell key="cell" refusesFirstResponder="YES" alignment="left" imageScaling="proportionallyDown" image="NSBonjour" id="jKM-qY-7mp"/>
-                        <connections>
-                            <binding destination="-2" name="value" keyPath="self.bundleIcon" id="X4L-aD-P21">
-                                <dictionary key="options">
-                                    <bool key="NSConditionallySetsEnabled" value="NO"/>
-                                </dictionary>
-                            </binding>
-                        </connections>
-                    </imageView>
-                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="d9e-Wv-Y5H">
-                        <rect key="frame" x="111" y="126" width="34" height="17"/>
-                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" title="Path" id="KgY-X1-ESG">
-                            <font key="font" metaFont="systemBold"/>
-                            <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
-                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
-                        </textFieldCell>
-                    </textField>
-                    <textField horizontalHuggingPriority="1000" verticalHuggingPriority="1000" horizontalCompressionResistancePriority="1000" verticalCompressionResistancePriority="1000" translatesAutoresizingMaskIntoConstraints="NO" id="pc8-G9-4pJ">
-                        <rect key="frame" x="154" y="126" width="350" height="17"/>
-                        <constraints>
-                            <constraint firstAttribute="width" constant="346" id="BYY-2q-Lmb"/>
-                        </constraints>
-                        <textFieldCell key="cell" selectable="YES" sendsActionOnEndEditing="YES" alignment="left" title="Binary Path" id="E7T-9h-ofr">
-                            <font key="font" metaFont="system"/>
-                            <color key="textColor" white="0.0" alpha="0.5" colorSpace="deviceWhite"/>
-                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
-                        </textFieldCell>
-                        <connections>
-                            <binding destination="-2" name="value" keyPath="self.event.path" id="4Nh-Ue-aCb"/>
-                        </connections>
-                    </textField>
-                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="KEB-eH-x2Y">
-                        <rect key="frame" x="96" y="99" width="46" height="17"/>
-                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" title="SHA-1" id="eKN-Ic-5zy">
-                            <font key="font" metaFont="systemBold"/>
-                            <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
-                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
-                        </textFieldCell>
-                    </textField>
-                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="PXc-xv-A28">
-                        <rect key="frame" x="155" y="99" width="88" height="17"/>
-                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" selectable="YES" sendsActionOnEndEditing="YES" title="Binary SHA-1" id="X4W-9e-eIu">
-                            <font key="font" metaFont="system"/>
-                            <color key="textColor" white="0.0" alpha="0.5" colorSpace="deviceWhite"/>
-                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
-                        </textFieldCell>
-                        <connections>
-                            <binding destination="-2" name="value" keyPath="self.event.SHA1" id="KuE-WW-9av"/>
-                        </connections>
-                    </textField>
-                    <textField verticalHuggingPriority="750" verticalCompressionResistancePriority="499" translatesAutoresizingMaskIntoConstraints="NO" id="lvJ-Rk-UT5">
-                        <rect key="frame" x="78" y="72" width="66" height="17"/>
-                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" title="Publisher" id="yL9-yD-JXX">
-                            <font key="font" metaFont="systemBold"/>
-                            <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
-                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
-                        </textFieldCell>
-                    </textField>
-                    <button toolTip="Show code signing certificate chain" translatesAutoresizingMaskIntoConstraints="NO" id="cJf-k6-OxS">
-                        <rect key="frame" x="322" y="75" width="10" height="10"/>
-                        <constraints>
-                            <constraint firstAttribute="height" constant="10" id="c3b-iv-bWa"/>
-                            <constraint firstAttribute="width" constant="10" id="fXl-na-Lwx"/>
-                        </constraints>
-                        <buttonCell key="cell" type="bevel" bezelStyle="regularSquare" image="NSFollowLinkFreestandingTemplate" imagePosition="overlaps" alignment="center" refusesFirstResponder="YES" imageScaling="proportionallyDown" inset="2" id="R72-Qy-Xbb">
+                    <button focusRingType="none" verticalHuggingPriority="750" fixedFrame="YES" translatesAutoresizingMaskIntoConstraints="NO" id="kiB-jZ-69S">
+                        <rect key="frame" x="16" y="451" width="37" height="32"/>
+                        <autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMinY="YES"/>
+                        <buttonCell key="cell" type="push" title="Hidden Button" alternateTitle="This button exists so neither of the other two buttons is pre-selected when the dialog opens." bezelStyle="rounded" alignment="center" borderStyle="border" focusRingType="none" transparent="YES" imageScaling="proportionallyDown" inset="2" id="XGa-Sl-F4t">
                             <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                             <font key="font" metaFont="system"/>
+                            <userDefinedRuntimeAttributes>
+                                <userDefinedRuntimeAttribute type="boolean" keyPath="accessibilityElement" value="NO"/>
+                            </userDefinedRuntimeAttributes>
+                        </buttonCell>
+                        <connections>
+                            <outlet property="nextKeyView" destination="7ua-5a-uSd" id="vl5-A8-O0H"/>
+                        </connections>
+                    </button>
+                    <textField verticalHuggingPriority="750" horizontalCompressionResistancePriority="250" setsMaxLayoutWidthAtFirstLayout="YES" textCompletion="NO" translatesAutoresizingMaskIntoConstraints="NO" id="cD5-Su-lXR" customClass="SNTAccessibleTextField">
+                        <rect key="frame" x="43" y="369" width="454" height="17"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="450" id="XgJ-EV-tBa"/>
+                        </constraints>
+                        <textFieldCell key="cell" selectable="YES" refusesFirstResponder="YES" allowsUndo="NO" sendsActionOnEndEditing="YES" alignment="center" title="A message to the user goes here..." allowsEditingTextAttributes="YES" id="5tH-bG-UJA">
+                            <font key="font" metaFont="system"/>
+                            <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
+                            <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
+                        </textFieldCell>
+                        <connections>
+                            <binding destination="-2" name="value" keyPath="self.attributedCustomMessage" id="376-sj-4Q1"/>
+                            <outlet property="nextKeyView" destination="7ua-5a-uSd" id="VC7-bE-uHc"/>
+                        </connections>
+                    </textField>
+                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="d9e-Wv-Y5H" userLabel="Label: Path">
+                        <rect key="frame" x="8" y="297" width="142" height="17"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="138" id="Kqd-nX-7df"/>
+                        </constraints>
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Filename" id="KgY-X1-ESG">
+                            <font key="font" metaFont="systemBold"/>
+                            <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
+                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
+                            <userDefinedRuntimeAttributes>
+                                <userDefinedRuntimeAttribute type="boolean" keyPath="accessibilityElement" value="NO"/>
+                            </userDefinedRuntimeAttributes>
+                        </textFieldCell>
+                    </textField>
+                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="YNz-ka-cBi" userLabel="Label: Path">
+                        <rect key="frame" x="8" y="272" width="142" height="17"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="138" id="3wU-P0-gAC"/>
+                        </constraints>
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Path" id="adC-be-Beh">
+                            <font key="font" metaFont="systemBold"/>
+                            <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
+                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
+                            <userDefinedRuntimeAttributes>
+                                <userDefinedRuntimeAttribute type="boolean" keyPath="accessibilityElement" value="NO"/>
+                            </userDefinedRuntimeAttributes>
+                        </textFieldCell>
+                    </textField>
+                    <textField toolTip="Binary Name" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="pc8-G9-4pJ" customClass="SNTAccessibleTextField">
+                        <rect key="frame" x="187" y="297" width="315" height="17"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="311" id="xVR-j3-dLw"/>
+                        </constraints>
+                        <textFieldCell key="cell" selectable="YES" sendsActionOnEndEditing="YES" alignment="left" title="Binary Name" id="E7T-9h-ofr">
+                            <font key="font" metaFont="system"/>
+                            <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
+                            <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
+                        </textFieldCell>
+                        <connections>
+                            <binding destination="-2" name="value" keyPath="self.event.filePath.lastPathComponent" id="bOu-gv-1Vh"/>
+                        </connections>
+                    </textField>
+                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="lvJ-Rk-UT5" userLabel="Label: Publisher">
+                        <rect key="frame" x="8" y="247" width="142" height="17"/>
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Publisher" id="yL9-yD-JXX">
+                            <font key="font" metaFont="systemBold"/>
+                            <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
+                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
+                            <userDefinedRuntimeAttributes>
+                                <userDefinedRuntimeAttribute type="boolean" keyPath="accessibilityElement" value="NO"/>
+                            </userDefinedRuntimeAttributes>
+                        </textFieldCell>
+                    </textField>
+                    <textField toolTip="Publisher" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="C3G-wL-u7w" userLabel="Publisher" customClass="SNTAccessibleTextField">
+                        <rect key="frame" x="187" y="247" width="315" height="17"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="311" id="Dem-wH-KHm"/>
+                        </constraints>
+                        <textFieldCell key="cell" selectable="YES" allowsUndo="NO" sendsActionOnEndEditing="YES" title="Code signing information" placeholderString="" id="ztA-La-XgT">
+                            <font key="font" metaFont="system"/>
+                            <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
+                            <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
+                        </textFieldCell>
+                        <connections>
+                            <binding destination="-2" name="value" keyPath="self.publisherInfo" id="CEI-Cu-7pC">
+                                <dictionary key="options">
+                                    <string key="NSNullPlaceholder">Not code-signed</string>
+                                </dictionary>
+                            </binding>
+                        </connections>
+                    </textField>
+                    <button toolTip="Show code signing certificate chain" translatesAutoresizingMaskIntoConstraints="NO" id="cJf-k6-OxS" userLabel="Publisher Certs Button">
+                        <rect key="frame" x="62" y="248" width="15" height="15"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="15" id="QTm-Iv-m5p"/>
+                            <constraint firstAttribute="height" constant="15" id="YwG-0s-jop"/>
+                        </constraints>
+                        <buttonCell key="cell" type="bevel" bezelStyle="regularSquare" image="NSInfo" imagePosition="overlaps" alignment="center" refusesFirstResponder="YES" imageScaling="proportionallyDown" inset="2" id="R72-Qy-Xbb">
+                            <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
+                            <font key="font" metaFont="system"/>
+                            <userDefinedRuntimeAttributes>
+                                <userDefinedRuntimeAttribute type="boolean" keyPath="accessibilityElement" value="NO"/>
+                            </userDefinedRuntimeAttributes>
                         </buttonCell>
                         <connections>
                             <action selector="showCertInfo:" target="-2" id="dB0-a3-X31"/>
-                            <binding destination="-2" name="hidden" keyPath="self.binaryCert" id="xpJ-jl-aUN">
+                            <binding destination="-2" name="hidden" keyPath="self.publisherInfo" id="fFR-f3-Oiw">
                                 <dictionary key="options">
                                     <string key="NSValueTransformerName">NSIsNil</string>
                                 </dictionary>
                             </binding>
                         </connections>
                     </button>
-                    <button verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="BbV-3h-mmL">
-                        <rect key="frame" x="220" y="23" width="110" height="25"/>
+                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="KEB-eH-x2Y" userLabel="Label: Identifier">
+                        <rect key="frame" x="8" y="222" width="142" height="17"/>
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Identifier" id="eKN-Ic-5zy">
+                            <font key="font" metaFont="systemBold"/>
+                            <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
+                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
+                            <userDefinedRuntimeAttributes>
+                                <userDefinedRuntimeAttribute type="boolean" keyPath="accessibilityElement" value="NO"/>
+                            </userDefinedRuntimeAttributes>
+                        </textFieldCell>
+                    </textField>
+                    <textField toolTip="SHA-256" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="PXc-xv-A28">
+                        <rect key="frame" x="187" y="222" width="219" height="17"/>
                         <constraints>
-                            <constraint firstAttribute="width" constant="110" id="HdL-6x-X4f"/>
-                            <constraint firstAttribute="height" constant="22" id="YYm-GI-ojT"/>
+                            <constraint firstAttribute="width" constant="215" id="4hh-R2-86s"/>
                         </constraints>
-                        <buttonCell key="cell" type="roundTextured" title="OK" bezelStyle="texturedRounded" alignment="center" refusesFirstResponder="YES" state="on" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="XR6-Xa-gP4">
+                        <textFieldCell key="cell" lineBreakMode="charWrapping" selectable="YES" sendsActionOnEndEditing="YES" title="SHA-256" id="X4W-9e-eIu">
+                            <font key="font" metaFont="fixedUser" size="11"/>
+                            <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
+                            <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
+                            <userDefinedRuntimeAttributes>
+                                <userDefinedRuntimeAttribute type="boolean" keyPath="accessibilityElement" value="NO"/>
+                            </userDefinedRuntimeAttributes>
+                        </textFieldCell>
+                        <connections>
+                            <binding destination="-2" name="value" keyPath="self.event.fileSHA256" id="9KB-0b-qLV"/>
+                        </connections>
+                    </textField>
+                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="MhO-U0-MLR" userLabel="Label: Bundle Identifier">
+                        <rect key="frame" x="8" y="197" width="142" height="17"/>
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Bundle Identifier" id="LEe-u0-52o">
+                            <font key="font" metaFont="systemBold"/>
+                            <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
+                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
+                            <userDefinedRuntimeAttributes>
+                                <userDefinedRuntimeAttribute type="boolean" keyPath="accessibilityElement" value="NO"/>
+                            </userDefinedRuntimeAttributes>
+                        </textFieldCell>
+                        <connections>
+                            <binding destination="-2" name="hidden" keyPath="self.event.needsBundleHash" id="2kb-3z-Kyn">
+                                <dictionary key="options">
+                                    <string key="NSValueTransformerName">NSNegateBoolean</string>
+                                </dictionary>
+                            </binding>
+                        </connections>
+                    </textField>
+                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="eQb-0a-76J" userLabel="Label: Parent">
+                        <rect key="frame" x="8" y="157" width="142" height="17"/>
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Parent" id="gze-4A-1w5">
+                            <font key="font" metaFont="systemBold"/>
+                            <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
+                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
+                            <userDefinedRuntimeAttributes>
+                                <userDefinedRuntimeAttribute type="boolean" keyPath="accessibilityElement" value="NO"/>
+                            </userDefinedRuntimeAttributes>
+                        </textFieldCell>
+                    </textField>
+                    <textField toolTip="Parent Process" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" translatesAutoresizingMaskIntoConstraints="NO" id="f1p-GL-O3o" userLabel="Parent" customClass="SNTAccessibleTextField">
+                        <rect key="frame" x="187" y="157" width="294" height="17"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="290" id="h3Y-mO-38F"/>
+                        </constraints>
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" selectable="YES" sendsActionOnEndEditing="YES" title="Parent Name" id="ieo-WK-aDD">
+                            <font key="font" metaFont="system"/>
+                            <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
+                            <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
+                        </textFieldCell>
+                        <connections>
+                            <binding destination="-2" name="displayPatternValue1" keyPath="self.event.parentName" id="Lce-TO-q9V">
+                                <dictionary key="options">
+                                    <string key="NSDisplayPattern">%{value1}@ (%{value2}@)</string>
+                                </dictionary>
+                            </binding>
+                            <binding destination="-2" name="displayPatternValue2" keyPath="self.event.ppid" previousBinding="Lce-TO-q9V" id="ofI-kH-F2d">
+                                <dictionary key="options">
+                                    <string key="NSDisplayPattern">%{value1}@ (%{value2}@)</string>
+                                </dictionary>
+                            </binding>
+                        </connections>
+                    </textField>
+                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="oFj-ol-xpL" userLabel="Label: User">
+                        <rect key="frame" x="8" y="132" width="142" height="17"/>
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="User" id="1ut-uT-hQD">
+                            <font key="font" metaFont="systemBold"/>
+                            <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
+                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
+                            <userDefinedRuntimeAttributes>
+                                <userDefinedRuntimeAttribute type="boolean" keyPath="accessibilityElement" value="NO"/>
+                            </userDefinedRuntimeAttributes>
+                        </textFieldCell>
+                    </textField>
+                    <button verticalHuggingPriority="750" horizontalCompressionResistancePriority="1000" translatesAutoresizingMaskIntoConstraints="NO" id="7ua-5a-uSd">
+                        <rect key="frame" x="154" y="34" width="112" height="23"/>
+                        <constraints>
+                            <constraint firstAttribute="width" priority="900" constant="112" id="Pec-Pa-4aZ"/>
+                        </constraints>
+                        <buttonCell key="cell" type="roundTextured" title="Open Event..." bezelStyle="texturedRounded" alignment="center" state="on" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="X1b-TF-1TL">
+                            <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
+                            <font key="font" metaFont="system"/>
+                            <string key="keyEquivalent" base64-UTF8="YES">
+DQ
+</string>
+                            <modifierMask key="keyEquivalentModifierMask" command="YES"/>
+                        </buttonCell>
+                        <connections>
+                            <action selector="openEventDetails:" target="-2" id="VhL-ql-rCV"/>
+                            <outlet property="nextKeyView" destination="BbV-3h-mmL" id="Xkz-va-iGc"/>
+                        </connections>
+                    </button>
+                    <textField toolTip="Binary Path" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="bDE-Tl-UHg" customClass="SNTAccessibleTextField">
+                        <rect key="frame" x="187" y="272" width="315" height="17"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="311" id="p1W-f9-KBX"/>
+                        </constraints>
+                        <textFieldCell key="cell" selectable="YES" sendsActionOnEndEditing="YES" alignment="left" title="Binary Path" id="H1b-Ui-CYo">
+                            <font key="font" metaFont="system"/>
+                            <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
+                            <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
+                        </textFieldCell>
+                        <connections>
+                            <binding destination="-2" name="value" keyPath="self.event.filePath" id="Sry-KY-HDb"/>
+                        </connections>
+                    </textField>
+                    <button translatesAutoresizingMaskIntoConstraints="NO" id="5D8-GP-a4l">
+                        <rect key="frame" x="113" y="80" width="315" height="29"/>
+                        <constraints>
+                            <constraint firstAttribute="height" constant="25" id="KvD-X6-CsO"/>
+                        </constraints>
+                        <buttonCell key="cell" type="check" title="Prevent future notifications for this application for a day" bezelStyle="regularSquare" imagePosition="left" alignment="center" inset="2" id="R5Y-Uc-rEP">
+                            <behavior key="behavior" changeContents="YES" doesNotDimImage="YES" lightByContents="YES"/>
+                            <font key="font" metaFont="smallSystem"/>
+                        </buttonCell>
+                        <connections>
+                            <binding destination="-2" name="value" keyPath="self.silenceFutureNotifications" id="tEb-2A-sht"/>
+                        </connections>
+                    </button>
+                    <button verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="BbV-3h-mmL" userLabel="Dismiss Button">
+                        <rect key="frame" x="278" y="34" width="110" height="23"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="110" id="6Uh-Bd-N64"/>
+                            <constraint firstAttribute="height" constant="22" id="GH6-nw-6rD"/>
+                        </constraints>
+                        <buttonCell key="cell" type="roundTextured" title="Ignore" bezelStyle="texturedRounded" alignment="center" state="on" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="XR6-Xa-gP4">
                             <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                             <font key="font" metaFont="system"/>
                             <string key="keyEquivalent" base64-UTF8="YES">
@@ -143,60 +298,203 @@ DQ
 </string>
                             <modifierMask key="keyEquivalentModifierMask" shift="YES"/>
                         </buttonCell>
+                        <accessibility description="Dismiss Dialog"/>
                         <connections>
                             <action selector="closeWindow:" target="-2" id="qQq-gh-8lw"/>
+                            <outlet property="nextKeyView" destination="7ua-5a-uSd" id="4KL-Z2-1op"/>
                         </connections>
                     </button>
-                    <textField horizontalHuggingPriority="750" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="C3G-wL-u7w">
-                        <rect key="frame" x="154" y="72" width="159" height="17"/>
+                    <textField toolTip="Executing User" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" translatesAutoresizingMaskIntoConstraints="NO" id="h6f-PY-cc0" customClass="SNTAccessibleTextField">
+                        <rect key="frame" x="187" y="132" width="294" height="17"/>
                         <constraints>
-                            <constraint firstAttribute="height" constant="17" id="re0-7U-qcL"/>
+                            <constraint firstAttribute="width" constant="290" id="on6-pj-m2k"/>
                         </constraints>
-                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" selectable="YES" allowsUndo="NO" sendsActionOnEndEditing="YES" title="Code signing information" placeholderString="" id="ztA-La-XgT">
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" selectable="YES" sendsActionOnEndEditing="YES" title="Executing User" id="HRT-Be-ePf">
                             <font key="font" metaFont="system"/>
-                            <color key="textColor" white="0.0" alpha="0.5" colorSpace="deviceWhite"/>
-                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
+                            <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
+                            <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
                         </textFieldCell>
                         <connections>
-                            <binding destination="-2" name="value" keyPath="self.binaryCert" id="eFt-oy-SXL">
+                            <binding destination="-2" name="value" keyPath="self.event.executingUser" id="IcM-Lt-xTT">
                                 <dictionary key="options">
-                                    <string key="NSNullPlaceholder">Not code-signed</string>
+                                    <string key="NSNullPlaceholder">Unknown</string>
                                 </dictionary>
                             </binding>
                         </connections>
                     </textField>
+                    <progressIndicator wantsLayer="YES" canDrawConcurrently="YES" horizontalHuggingPriority="750" verticalHuggingPriority="750" maxValue="1" bezeled="NO" controlSize="small" style="bar" translatesAutoresizingMaskIntoConstraints="NO" id="VyY-Yg-JOe">
+                        <rect key="frame" x="187" y="199" width="217" height="12"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="217" id="M22-Dv-KIP"/>
+                        </constraints>
+                    </progressIndicator>
+                    <textField toolTip="Bundle SHA-256" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="xP7-jE-NF8">
+                        <rect key="frame" x="187" y="197" width="219" height="17"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="215" id="s7W-o9-2nN"/>
+                        </constraints>
+                        <textFieldCell key="cell" lineBreakMode="charWrapping" selectable="YES" sendsActionOnEndEditing="YES" title="Calculating..." id="yJa-yL-X9a">
+                            <font key="font" metaFont="fixedUser" size="11"/>
+                            <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
+                            <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
+                            <userDefinedRuntimeAttributes>
+                                <userDefinedRuntimeAttribute type="boolean" keyPath="accessibilityElement" value="NO"/>
+                            </userDefinedRuntimeAttributes>
+                        </textFieldCell>
+                        <connections>
+                            <binding destination="-2" name="value" keyPath="self.event.fileBundleHash" id="CnT-q6-bot"/>
+                        </connections>
+                    </textField>
+                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="LHV-gV-vyf">
+                        <rect key="frame" x="187" y="182" width="219" height="17"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="215" id="LUu-Vd-peN"/>
+                        </constraints>
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" title="1000 related binaries" id="AVM-vB-hB8">
+                            <font key="font" metaFont="fixedUser" size="11"/>
+                            <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
+                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
+                        </textFieldCell>
+                    </textField>
+                    <box horizontalHuggingPriority="750" boxType="custom" borderType="line" title="Line" titlePosition="noTitle" translatesAutoresizingMaskIntoConstraints="NO" id="4Li-ul-zIi">
+                        <rect key="frame" x="168" y="132" width="1" height="207"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="1" id="0o1-Jh-epf"/>
+                        </constraints>
+                        <color key="borderColor" white="0.0" alpha="0.17999999999999999" colorSpace="calibratedWhite"/>
+                        <color key="fillColor" white="0.0" alpha="0.0" colorSpace="calibratedWhite"/>
+                        <font key="titleFont" metaFont="system"/>
+                    </box>
+                    <textField toolTip="Application Name" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="qgf-Jf-cJr" customClass="SNTAccessibleTextField">
+                        <rect key="frame" x="187" y="322" width="315" height="17"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="311" id="Pav-ZA-iAu"/>
+                        </constraints>
+                        <textFieldCell key="cell" selectable="YES" sendsActionOnEndEditing="YES" alignment="left" title="Application Name" id="3UG-ca-d1k">
+                            <font key="font" metaFont="systemBold"/>
+                            <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
+                            <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
+                        </textFieldCell>
+                        <connections>
+                            <binding destination="-2" name="value" keyPath="self.event.fileBundleName" id="enC-Cl-UWt">
+                                <dictionary key="options">
+                                    <string key="NSNullPlaceholder">Unknown</string>
+                                </dictionary>
+                            </binding>
+                        </connections>
+                    </textField>
+                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="pDa-fA-vnC" userLabel="Label: Application">
+                        <rect key="frame" x="8" y="322" width="142" height="17"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="138" id="8mA-zi-Ev7"/>
+                        </constraints>
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Application" id="Hy7-WF-6xW">
+                            <font key="font" metaFont="systemBold"/>
+                            <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
+                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
+                            <userDefinedRuntimeAttributes>
+                                <userDefinedRuntimeAttribute type="boolean" keyPath="accessibilityElement" value="NO"/>
+                            </userDefinedRuntimeAttributes>
+                        </textFieldCell>
+                        <connections>
+                            <binding destination="-2" name="hidden" keyPath="self.event.fileBundleName" id="r2Q-hh-Uy5">
+                                <dictionary key="options">
+                                    <string key="NSValueTransformerName">NSIsNil</string>
+                                </dictionary>
+                            </binding>
+                        </connections>
+                    </textField>
+                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="t8c-Fx-e5h">
+                        <rect key="frame" x="229" y="408" width="82" height="41"/>
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" refusesFirstResponder="YES" sendsActionOnEndEditing="YES" title="Santa" id="7YA-iB-Zma">
+                            <font key="font" metaFont="systemUltraLight" size="34"/>
+                            <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
+                            <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
+                            <userDefinedRuntimeAttributes>
+                                <userDefinedRuntimeAttribute type="boolean" keyPath="accessibilityElement" value="NO"/>
+                            </userDefinedRuntimeAttributes>
+                        </textFieldCell>
+                        <connections>
+                            <outlet property="nextKeyView" destination="7ua-5a-uSd" id="z5y-RR-IEH"/>
+                        </connections>
+                    </textField>
                 </subviews>
                 <constraints>
-                    <constraint firstItem="d9e-Wv-Y5H" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="113" id="3oY-g4-wHW"/>
-                    <constraint firstItem="BbV-3h-mmL" firstAttribute="top" secondItem="PXc-xv-A28" secondAttribute="bottom" priority="800" constant="52" id="42Z-62-hKo"/>
-                    <constraint firstItem="cD5-Su-lXR" firstAttribute="top" secondItem="t8c-Fx-e5h" secondAttribute="bottom" constant="25" id="4Hn-vu-fva"/>
-                    <constraint firstItem="C3G-wL-u7w" firstAttribute="top" secondItem="PXc-xv-A28" secondAttribute="bottom" constant="10" id="7Pr-bA-HgG"/>
-                    <constraint firstItem="PXc-xv-A28" firstAttribute="top" secondItem="pc8-G9-4pJ" secondAttribute="bottom" constant="10" id="8LX-e8-bKv"/>
-                    <constraint firstItem="pc8-G9-4pJ" firstAttribute="top" secondItem="d9e-Wv-Y5H" secondAttribute="top" id="94E-d6-Jrg"/>
-                    <constraint firstItem="pc8-G9-4pJ" firstAttribute="leading" secondItem="d9e-Wv-Y5H" secondAttribute="trailing" constant="13" id="A6N-gA-dt5"/>
-                    <constraint firstItem="KEB-eH-x2Y" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="98" id="CYj-Gm-XZp"/>
-                    <constraint firstItem="PXc-xv-A28" firstAttribute="leading" secondItem="KEB-eH-x2Y" secondAttribute="trailing" constant="17" id="IGi-bx-nBP"/>
-                    <constraint firstItem="lvJ-Rk-UT5" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="80" id="O3p-RO-0ZJ"/>
-                    <constraint firstItem="C3G-wL-u7w" firstAttribute="centerY" secondItem="cJf-k6-OxS" secondAttribute="centerY" constant="-1" id="R0U-iV-5Fx"/>
-                    <constraint firstAttribute="centerX" secondItem="t8c-Fx-e5h" secondAttribute="centerX" id="SHu-BF-01V"/>
-                    <constraint firstAttribute="centerX" secondItem="BbV-3h-mmL" secondAttribute="centerX" id="UAx-Xk-9DE"/>
-                    <constraint firstItem="KEB-eH-x2Y" firstAttribute="top" secondItem="PXc-xv-A28" secondAttribute="top" id="YiW-o8-HZ2"/>
-                    <constraint firstItem="BbV-3h-mmL" firstAttribute="top" secondItem="C3G-wL-u7w" secondAttribute="bottom" constant="25" id="Zxm-Pa-Ryj"/>
-                    <constraint firstItem="lvJ-Rk-UT5" firstAttribute="top" secondItem="C3G-wL-u7w" secondAttribute="top" id="adm-oT-FAf"/>
-                    <constraint firstAttribute="bottom" secondItem="BbV-3h-mmL" secondAttribute="bottom" constant="25" id="awW-Dh-Xl4"/>
-                    <constraint firstItem="GYD-v8-fqH" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="31" id="btT-jY-NXw"/>
-                    <constraint firstItem="GYD-v8-fqH" firstAttribute="centerY" secondItem="KEB-eH-x2Y" secondAttribute="centerY" id="cOS-EE-Mw8"/>
-                    <constraint firstItem="C3G-wL-u7w" firstAttribute="leading" secondItem="lvJ-Rk-UT5" secondAttribute="trailing" constant="14" id="ewf-Pg-nRK"/>
-                    <constraint firstAttribute="centerX" secondItem="cD5-Su-lXR" secondAttribute="centerX" id="goV-ub-zwi"/>
-                    <constraint firstItem="t8c-Fx-e5h" firstAttribute="top" secondItem="Iwq-Lx-rLv" secondAttribute="top" constant="25" id="mY6-FP-uEK"/>
-                    <constraint firstItem="pc8-G9-4pJ" firstAttribute="top" secondItem="cD5-Su-lXR" secondAttribute="bottom" constant="25" id="pfg-1u-Yfj"/>
-                    <constraint firstItem="cJf-k6-OxS" firstAttribute="leading" secondItem="C3G-wL-u7w" secondAttribute="trailing" constant="11" id="sMW-KK-A28"/>
+                    <constraint firstItem="oFj-ol-xpL" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="0AD-PS-5V1"/>
+                    <constraint firstItem="f1p-GL-O3o" firstAttribute="centerY" secondItem="eQb-0a-76J" secondAttribute="centerY" id="2Aq-1E-Ybz"/>
+                    <constraint firstItem="BbV-3h-mmL" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" priority="500" constant="193" id="2uo-Cm-Tfp"/>
+                    <constraint firstItem="h6f-PY-cc0" firstAttribute="top" secondItem="f1p-GL-O3o" secondAttribute="bottom" constant="8" id="496-VQ-Fx5"/>
+                    <constraint firstItem="xP7-jE-NF8" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="5Mr-By-PAU"/>
+                    <constraint firstItem="pDa-fA-vnC" firstAttribute="centerY" secondItem="qgf-Jf-cJr" secondAttribute="centerY" id="AKX-pe-hEX"/>
+                    <constraint firstItem="C3G-wL-u7w" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="ALv-0v-szi"/>
+                    <constraint firstItem="d9e-Wv-Y5H" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="FPe-Rd-G4n"/>
+                    <constraint firstItem="cJf-k6-OxS" firstAttribute="centerY" secondItem="C3G-wL-u7w" secondAttribute="centerY" id="FdL-ZZ-Vbe"/>
+                    <constraint firstItem="t8c-Fx-e5h" firstAttribute="top" secondItem="Iwq-Lx-rLv" secondAttribute="top" constant="30" id="FuB-GX-0jg"/>
+                    <constraint firstItem="oFj-ol-xpL" firstAttribute="bottom" secondItem="4Li-ul-zIi" secondAttribute="bottom" id="G0I-O2-S91"/>
+                    <constraint firstItem="lvJ-Rk-UT5" firstAttribute="leading" secondItem="cJf-k6-OxS" secondAttribute="trailing" constant="-67" id="GD2-Ka-deo"/>
+                    <constraint firstItem="BbV-3h-mmL" firstAttribute="top" secondItem="5D8-GP-a4l" secondAttribute="bottom" priority="900" constant="25" id="GT2-tO-2td"/>
+                    <constraint firstItem="h6f-PY-cc0" firstAttribute="centerY" secondItem="oFj-ol-xpL" secondAttribute="centerY" id="GXI-pT-FM1"/>
+                    <constraint firstItem="4Li-ul-zIi" firstAttribute="top" secondItem="pDa-fA-vnC" secondAttribute="top" id="Gd4-Nr-n5G"/>
+                    <constraint firstItem="xP7-jE-NF8" firstAttribute="top" secondItem="PXc-xv-A28" secondAttribute="bottom" constant="8" id="HUT-MI-jsR"/>
+                    <constraint firstItem="qgf-Jf-cJr" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="Ht4-Lg-U5N"/>
+                    <constraint firstItem="LHV-gV-vyf" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="IA0-dy-2be"/>
+                    <constraint firstItem="oFj-ol-xpL" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="IwX-ja-ZIs"/>
+                    <constraint firstItem="d9e-Wv-Y5H" firstAttribute="top" secondItem="4Li-ul-zIi" secondAttribute="top" priority="500" id="JY4-N1-j8e"/>
+                    <constraint firstItem="YNz-ka-cBi" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="KmX-kX-VCN"/>
+                    <constraint firstItem="5D8-GP-a4l" firstAttribute="centerX" secondItem="Iwq-Lx-rLv" secondAttribute="centerX" id="LkH-F4-Ncm"/>
+                    <constraint firstItem="pc8-G9-4pJ" firstAttribute="top" secondItem="cD5-Su-lXR" secondAttribute="bottom" priority="950" constant="55" id="Nsl-zf-poH"/>
+                    <constraint firstItem="YNz-ka-cBi" firstAttribute="centerY" secondItem="bDE-Tl-UHg" secondAttribute="centerY" id="ObQ-RA-S5V"/>
+                    <constraint firstItem="pc8-G9-4pJ" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="SCl-Ky-VmT"/>
+                    <constraint firstItem="d9e-Wv-Y5H" firstAttribute="centerY" secondItem="pc8-G9-4pJ" secondAttribute="centerY" id="SLv-F7-w5k"/>
+                    <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="KEB-eH-x2Y" secondAttribute="trailing" constant="20" id="Seb-c0-MUL"/>
+                    <constraint firstAttribute="centerX" secondItem="cD5-Su-lXR" secondAttribute="centerX" id="V0a-Py-iEc"/>
+                    <constraint firstItem="LHV-gV-vyf" firstAttribute="top" secondItem="VyY-Yg-JOe" secondAttribute="bottom" id="Vjr-NX-j8V"/>
+                    <constraint firstItem="MhO-U0-MLR" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="Vly-VE-BwU"/>
+                    <constraint firstItem="oFj-ol-xpL" firstAttribute="leading" secondItem="lvJ-Rk-UT5" secondAttribute="leading" priority="999" id="Z6G-l9-G4a"/>
+                    <constraint firstItem="C3G-wL-u7w" firstAttribute="top" secondItem="bDE-Tl-UHg" secondAttribute="bottom" constant="8" id="ZoS-xV-2WA"/>
+                    <constraint firstItem="lvJ-Rk-UT5" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="aMJ-Wb-vRS"/>
+                    <constraint firstItem="KEB-eH-x2Y" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="aOk-S0-0n2"/>
+                    <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="eQb-0a-76J" secondAttribute="trailing" constant="20" id="b0B-3w-grH"/>
+                    <constraint firstItem="KEB-eH-x2Y" firstAttribute="centerY" secondItem="PXc-xv-A28" secondAttribute="centerY" id="cHe-pZ-0Oq"/>
+                    <constraint firstItem="cD5-Su-lXR" firstAttribute="top" secondItem="t8c-Fx-e5h" secondAttribute="bottom" constant="22" id="dYg-zP-wh2"/>
+                    <constraint firstItem="h6f-PY-cc0" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="eSz-lz-Fdh"/>
+                    <constraint firstItem="qgf-Jf-cJr" firstAttribute="top" secondItem="cD5-Su-lXR" secondAttribute="bottom" constant="30" id="esg-lX-BAT"/>
+                    <constraint firstItem="f1p-GL-O3o" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="fGd-YS-phP"/>
+                    <constraint firstAttribute="centerX" secondItem="t8c-Fx-e5h" secondAttribute="centerX" id="h3d-Kc-q88"/>
+                    <constraint firstItem="f1p-GL-O3o" firstAttribute="top" secondItem="LHV-gV-vyf" secondAttribute="bottom" constant="8" id="h4h-K3-BTd"/>
+                    <constraint firstItem="f1p-GL-O3o" firstAttribute="top" secondItem="PXc-xv-A28" secondAttribute="bottom" priority="700" constant="8" id="hXw-6Z-lb2"/>
+                    <constraint firstItem="BbV-3h-mmL" firstAttribute="leading" secondItem="7ua-5a-uSd" secondAttribute="trailing" constant="12" id="ioO-NJ-Jqo"/>
+                    <constraint firstItem="bDE-Tl-UHg" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="jdk-ak-soQ"/>
+                    <constraint firstItem="C3G-wL-u7w" firstAttribute="centerY" secondItem="lvJ-Rk-UT5" secondAttribute="centerY" id="jfs-YI-7Ae"/>
+                    <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="oFj-ol-xpL" secondAttribute="trailing" constant="20" id="kOG-Cj-hFG"/>
+                    <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="MhO-U0-MLR" secondAttribute="trailing" constant="20" id="ke9-wW-5fr"/>
+                    <constraint firstItem="pc8-G9-4pJ" firstAttribute="top" secondItem="qgf-Jf-cJr" secondAttribute="bottom" constant="8" id="lWU-tC-vWg"/>
+                    <constraint firstItem="5D8-GP-a4l" firstAttribute="top" secondItem="h6f-PY-cc0" secondAttribute="bottom" constant="25" id="lYd-VZ-lBs"/>
+                    <constraint firstItem="VyY-Yg-JOe" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="18" id="lei-uP-T8m"/>
+                    <constraint firstItem="f1p-GL-O3o" firstAttribute="top" secondItem="xP7-jE-NF8" secondAttribute="bottom" priority="701" constant="8" id="oY4-e7-lsz"/>
+                    <constraint firstItem="7ua-5a-uSd" firstAttribute="top" secondItem="5D8-GP-a4l" secondAttribute="bottom" priority="900" constant="25" id="pCX-eX-erN"/>
+                    <constraint firstItem="xP7-jE-NF8" firstAttribute="centerY" secondItem="MhO-U0-MLR" secondAttribute="centerY" id="pdC-x8-Nao"/>
+                    <constraint firstAttribute="centerX" secondItem="7ua-5a-uSd" secondAttribute="centerX" constant="60" id="phL-j9-rPq"/>
+                    <constraint firstItem="bDE-Tl-UHg" firstAttribute="top" secondItem="pc8-G9-4pJ" secondAttribute="bottom" constant="8" id="pis-of-f93"/>
+                    <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="lvJ-Rk-UT5" secondAttribute="trailing" constant="20" id="qKi-KT-jzJ"/>
+                    <constraint firstItem="C3G-wL-u7w" firstAttribute="bottom" secondItem="PXc-xv-A28" secondAttribute="top" constant="-8" id="snd-8T-LjC"/>
+                    <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="d9e-Wv-Y5H" secondAttribute="trailing" constant="20" id="stz-Vm-Kxo"/>
+                    <constraint firstItem="PXc-xv-A28" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="tAa-1s-xVZ"/>
+                    <constraint firstItem="eQb-0a-76J" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="u1y-6V-moc"/>
+                    <constraint firstAttribute="bottom" secondItem="BbV-3h-mmL" secondAttribute="bottom" constant="35" id="ukF-FH-DE8"/>
+                    <constraint firstItem="VyY-Yg-JOe" firstAttribute="centerY" secondItem="MhO-U0-MLR" secondAttribute="centerY" id="vB8-c5-pfO"/>
+                    <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="YNz-ka-cBi" secondAttribute="trailing" constant="20" id="vfq-83-tKI"/>
+                    <constraint firstItem="pDa-fA-vnC" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="z6s-ga-iAk"/>
                 </constraints>
             </view>
+            <connections>
+                <outlet property="initialFirstResponder" destination="kiB-jZ-69S" id="I96-dS-lq5"/>
+            </connections>
+            <point key="canvasLocation" x="274" y="326.5"/>
         </window>
+        <userDefaultsController representsSharedInstance="YES" id="iXx-cu-WYe"/>
     </objects>
     <resources>
-        <image name="NSBonjour" width="32" height="32"/>
-        <image name="NSFollowLinkFreestandingTemplate" width="14" height="14"/>
+        <image name="NSInfo" width="32" height="32"/>
     </resources>
 </document>

Source/SantaGUI/Resources/Santa-Prefix.pch

@@ -1,3 +0,0 @@
-#ifdef __OBJC__
-  #import <Cocoa/Cocoa.h>
-#endif

Source/SantaGUI/Resources/SantaGUI-Info.plist

@@ -2,31 +2,31 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-	<key>CFBundleDevelopmentRegion</key>
-	<string>en</string>
-	<key>CFBundleExecutable</key>
-	<string>${EXECUTABLE_NAME}</string>
-	<key>CFBundleIconFile</key>
-	<string></string>
-	<key>CFBundleIdentifier</key>
-	<string>com.google.${PRODUCT_NAME:rfc1034identifier}GUI</string>
 	<key>CFBundleInfoDictionaryVersion</key>
 	<string>6.0</string>
-	<key>CFBundleName</key>
-	<string>${PRODUCT_NAME}</string>
 	<key>CFBundlePackageType</key>
 	<string>APPL</string>
-	<key>CFBundleShortVersionString</key>
-	<string>0.7.1</string>
-	<key>CFBundleVersion</key>
-	<string>0.7.1</string>
-	<key>LSMinimumSystemVersion</key>
-	<string>${MACOSX_DEPLOYMENT_TARGET}</string>
-	<key>LSUIElement</key>
-	<true/>
 	<key>NSHumanReadableCopyright</key>
 	<string>Google, Inc.</string>
+	<key>CFBundleIdentifier</key>
+	<string>com.google.SantaGUI</string>
+	<key>CFBundleName</key>
+	<string>Santa</string>
+	<key>CFBundleExecutable</key>
+	<string>Santa</string>
+	<key>CFBundleVersion</key>
+	<string>${SANTA_VERSION}</string>
+	<key>CFBundleShortVersionString</key>
+	<string>${SANTA_VERSION}</string>
+	<key>LSMinimumSystemVersion</key>
+	<string>${MACOSX_VERSION_MIN}</string>
+	<key>LSUIElement</key>
+	<true/>
 	<key>NSPrincipalClass</key>
 	<string>NSApplication</string>
+	<key>CFBundleIconFile</key>
+	<string>AppIcon</string>
+	<key>CFBundleIconName</key>
+	<string>AppIcon</string>
 </dict>
 </plist>

Source/SantaGUI/SNTAboutWindowController.h

@@ -1,4 +1,4 @@
-/// Copyright 2014 Google Inc. All rights reserved.
+/// Copyright 2015 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -12,6 +12,12 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Cocoa/Cocoa.h>
+
 @interface SNTAboutWindowController : NSWindowController
 
+@property IBOutlet NSButton *moreInfoButton;
+
+- (IBAction)openMoreInfoURL:(id)sender;
+
 @end

Source/SantaGUI/SNTAboutWindowController.m

@@ -1,4 +1,4 @@
-/// Copyright 2014 Google Inc. All rights reserved.
+/// Copyright 2015 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -12,7 +12,9 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTAboutWindowController.h"
+#import "Source/SantaGUI/SNTAboutWindowController.h"
+
+#import "Source/common/SNTConfigurator.h"
 
 @implementation SNTAboutWindowController
 
@@ -20,4 +22,16 @@
   return [super initWithWindowNibName:@"AboutWindow"];
 }
 
+- (void)loadWindow {
+  [super loadWindow];
+  if (![[SNTConfigurator configurator] moreInfoURL]) {
+    [self.moreInfoButton removeFromSuperview];
+  }
+}
+
+- (IBAction)openMoreInfoURL:(id)sender {
+  [[NSWorkspace sharedWorkspace] openURL:[[SNTConfigurator configurator] moreInfoURL]];
+  [self close];
+}
+
 @end

Source/SantaGUI/SNTAccessibleTextField.h

@@ -0,0 +1,23 @@
+/// Copyright 2016 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import <Cocoa/Cocoa.h>
+
+/**
+   An NSTextField subclass that provides an accessiblity label equal to:
+   (self.toolTip + self.stringValue) where available. It also sets the
+   accessibilityRoleDescription to "label".
+*/
+@interface SNTAccessibleTextField : NSTextField
+@end

Source/SantaGUI/SNTAccessibleTextField.m

@@ -1,4 +1,4 @@
-/// Copyright 2014 Google Inc. All rights reserved.
+/// Copyright 2016 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -12,21 +12,28 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-/// An instance of this class is passed to each stage of the sync process for storing data
-/// that might be needed in later stages.
-@interface SNTCommandSyncStatus : NSObject
+#import "Source/SantaGUI/SNTAccessibleTextField.h"
 
-/// The base API URL
-@property NSURL *syncBaseURL;
+@implementation SNTAccessibleTextField
 
-/// Machine identifier and owner
-@property NSString *machineID;
-@property NSString *machineOwner;
+- (BOOL)accessibilityIsIgnored {
+  return NO;
+}
 
-/// Batch size for uploading events, sent from server
-@property int32_t eventBatchSize;
+- (NSString *)accessibilityLabel {
+  if (self.toolTip && self.stringValue) {
+    return [NSString stringWithFormat:@"%@: %@", self.toolTip, self.stringValue];
+  } else if (self.stringValue) {
+    return self.stringValue;
+  } else if (self.toolTip) {
+    return self.toolTip;
+  } else {
+    return nil;
+  }
+}
 
-/// Log upload URL sent from server
-@property NSURL *uploadLogURL;
+- (NSString *)accessibilityRoleDescription {
+  return @"label";
+}
 
 @end

Source/SantaGUI/SNTAppDelegate.h

@@ -1,4 +1,4 @@
-/// Copyright 2014 Google Inc. All rights reserved.
+/// Copyright 2015 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -12,6 +12,10 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Cocoa/Cocoa.h>
+
+///
 /// Initiates and manages the connection to santad
+///
 @interface SNTAppDelegate : NSObject<NSApplicationDelegate>
 @end

Source/SantaGUI/SNTAppDelegate.m

@@ -1,4 +1,4 @@
-/// Copyright 2014 Google Inc. All rights reserved.
+/// Copyright 2015 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -12,16 +12,21 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTAppDelegate.h"
+#import "Source/SantaGUI/SNTAppDelegate.h"
 
-#import "SNTAboutWindowController.h"
-#import "SNTNotificationManager.h"
-#import "SNTXPCConnection.h"
+#import <MOLXPCConnection/MOLXPCConnection.h>
+
+#import "Source/common/SNTConfigurator.h"
+#import "Source/common/SNTStrengthify.h"
+#import "Source/common/SNTXPCControlInterface.h"
+#import "Source/SantaGUI/SNTAboutWindowController.h"
+#import "Source/SantaGUI/SNTNotificationManager.h"
 
 @interface SNTAppDelegate ()
 @property SNTAboutWindowController *aboutWindowController;
 @property SNTNotificationManager *notificationManager;
-@property SNTXPCConnection *listener;
+@property MOLXPCConnection *daemonListener;
+@property MOLXPCConnection *bundleListener;
 @end
 
 @implementation SNTAppDelegate
@@ -30,40 +35,114 @@
 
 - (void)applicationDidFinishLaunching:(NSNotification *)aNotification {
   [self setupMenu];
-  self.aboutWindowController = [[SNTAboutWindowController alloc] init];
   self.notificationManager = [[SNTNotificationManager alloc] init];
-  [self createConnection];
+
+  NSNotificationCenter *workspaceNotifications = [[NSWorkspace sharedWorkspace] notificationCenter];
+
+  [workspaceNotifications addObserverForName:NSWorkspaceSessionDidResignActiveNotification
+                                      object:nil
+                                       queue:[NSOperationQueue currentQueue]
+                                  usingBlock:^(NSNotification *note) {
+    self.daemonListener.invalidationHandler = nil;
+    [self.daemonListener invalidate];
+    self.daemonListener = nil;
+
+    self.bundleListener.invalidationHandler = nil;
+    [self.bundleListener invalidate];
+    self.bundleListener = nil;
+  }];
+  [workspaceNotifications addObserverForName:NSWorkspaceSessionDidBecomeActiveNotification
+                                      object:nil
+                                       queue:[NSOperationQueue currentQueue]
+                                  usingBlock:^(NSNotification *note) {
+    [self attemptDaemonReconnection];
+    [self attemptBundleReconnection];
+  }];
+
+  [self createDaemonConnection];
+  [self createBundleConnection];
 }
 
 - (BOOL)applicationShouldHandleReopen:(NSApplication *)sender hasVisibleWindows:(BOOL)flag {
+  self.aboutWindowController = [[SNTAboutWindowController alloc] init];
   [self.aboutWindowController showWindow:self];
   return NO;
 }
 
 #pragma mark Connection handling
 
-- (void)createConnection {
-  __weak __typeof(self) weakSelf = self;
+- (void)createDaemonConnection {
+  dispatch_semaphore_t sema = dispatch_semaphore_create(0);
 
-  self.listener =
-      [[SNTXPCConnection alloc] initClientWithName:[SNTXPCNotifierInterface serviceId]
-                                           options:NSXPCConnectionPrivileged];
-  self.listener.exportedInterface = [SNTXPCNotifierInterface notifierInterface];
-  self.listener.exportedObject = self.notificationManager;
-  self.listener.rejectedHandler = ^{
-      [weakSelf performSelectorInBackground:@selector(attemptReconnection)
-                                 withObject:nil];
+  WEAKIFY(self);
+
+  // Create listener for return connection from daemon.
+  NSXPCListener *listener = [NSXPCListener anonymousListener];
+  self.daemonListener = [[MOLXPCConnection alloc] initServerWithListener:listener];
+  self.daemonListener.privilegedInterface = [SNTXPCNotifierInterface notifierInterface];
+  self.daemonListener.exportedObject = self.notificationManager;
+  self.daemonListener.acceptedHandler = ^{
+    dispatch_semaphore_signal(sema);
   };
-  self.listener.invalidationHandler = self.listener.rejectedHandler;
-  [self.listener resume];
+  self.daemonListener.invalidationHandler = ^{
+    STRONGIFY(self);
+    [self attemptDaemonReconnection];
+  };
+  [self.daemonListener resume];
+
+  // Tell daemon to connect back to the above listener.
+  MOLXPCConnection *daemonConn = [SNTXPCControlInterface configuredConnection];
+  [daemonConn resume];
+  [[daemonConn remoteObjectProxy] setNotificationListener:listener.endpoint];
+  [daemonConn invalidate];
+
+  // Now wait for the connection to come in.
+  if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC))) {
+    [self attemptDaemonReconnection];
+  }
 }
 
-- (void)attemptReconnection {
-  // TODO(rah): Make this smarter.
-  sleep(10);
-  [self performSelectorOnMainThread:@selector(createConnection)
-                         withObject:nil
-                      waitUntilDone:NO];
+- (void)attemptDaemonReconnection {
+  self.daemonListener.invalidationHandler = nil;
+  [self.daemonListener invalidate];
+  [self performSelectorInBackground:@selector(createDaemonConnection) withObject:nil];
+}
+
+- (void)createBundleConnection {
+  dispatch_semaphore_t sema = dispatch_semaphore_create(0);
+
+  WEAKIFY(self);
+
+  // Create listener for return connection from the bundle service.
+  NSXPCListener *listener = [NSXPCListener anonymousListener];
+  self.bundleListener = [[MOLXPCConnection alloc] initServerWithListener:listener];
+  self.bundleListener.privilegedInterface = [SNTXPCNotifierInterface bundleNotifierInterface];
+  self.bundleListener.exportedObject = self.notificationManager;
+  self.bundleListener.acceptedHandler = ^{
+    dispatch_semaphore_signal(sema);
+  };
+  self.bundleListener.invalidationHandler = ^{
+    STRONGIFY(self);
+    [self attemptBundleReconnection];
+  };
+  [self.bundleListener resume];
+
+  // Tell santabs to connect back to the above listener.
+  MOLXPCConnection *daemonConn = [SNTXPCControlInterface configuredConnection];
+  [daemonConn resume];
+  [[daemonConn remoteObjectProxy] setBundleNotificationListener:listener.endpoint];
+  [daemonConn invalidate];
+
+  // Now wait for the connection to come in.
+  if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC))) {
+    [self attemptBundleReconnection];
+  }
+}
+
+- (void)attemptBundleReconnection {
+  self.bundleListener.invalidationHandler = nil;
+  [self.bundleListener invalidate];
+  [self performSelectorInBackground:@selector(createBundleConnection) withObject:nil];
 }
 
 #pragma mark Menu Management

Source/SantaGUI/SNTMessageWindow.h

@@ -1,4 +1,4 @@
-/// Copyright 2014 Google Inc. All rights reserved.
+/// Copyright 2015 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -12,13 +12,21 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-/// An NSPanel that can become key/main and can fade in/out.
+#import <Cocoa/Cocoa.h>
+
+///
+///  An NSPanel that can become key/main and can fade in/out.
+///
 @interface SNTMessageWindow : NSPanel
 
-/// Fade the window in
+///
+///  Fade the window in
+///
 - (IBAction)fadeIn:(id)sender;
 
-/// Fade the window out
+///
+///  Fade the window out
+///
 - (IBAction)fadeOut:(id)sender;
 
 @end

Source/SantaGUI/SNTMessageWindow.m

@@ -1,4 +1,4 @@
-/// Copyright 2014 Google Inc. All rights reserved.
+/// Copyright 2015 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -12,7 +12,7 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTMessageWindow.h"
+#import "Source/SantaGUI/SNTMessageWindow.h"
 
 @implementation SNTMessageWindow
 
@@ -26,11 +26,12 @@
 
 - (IBAction)fadeIn:(id)sender {
   [self setAlphaValue:0.f];
+  [self center];
   [self makeKeyAndOrderFront:sender];
   [NSAnimationContext beginGrouping];
   [[NSAnimationContext currentContext] setDuration:0.15f];
   [[NSAnimationContext currentContext] setCompletionHandler:^{
-      [NSApp activateIgnoringOtherApps:YES];
+    [NSApp activateIgnoringOtherApps:YES];
   }];
   [[self animator] setAlphaValue:1.f];
   [NSAnimationContext endGrouping];
@@ -42,9 +43,9 @@
   [NSAnimationContext beginGrouping];
   [[NSAnimationContext currentContext] setDuration:0.15f];
   [[NSAnimationContext currentContext] setCompletionHandler:^{
-      [weakSelf.windowController windowWillClose:nil];
-      [weakSelf orderOut:nil];
-      [weakSelf setAlphaValue:1.f];
+    [weakSelf.windowController windowWillClose:sender];
+    [weakSelf orderOut:sender];
+    [weakSelf setAlphaValue:1.f];
   }];
   [[self animator] setAlphaValue:0.f];
   [NSAnimationContext endGrouping];

Source/SantaGUI/SNTMessageWindowController.h

@@ -1,4 +1,4 @@
-/// Copyright 2014 Google Inc. All rights reserved.
+/// Copyright 2015 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -12,34 +12,62 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-@class SNTNotificationMessage;
+#import <Cocoa/Cocoa.h>
+
+@class SNTStoredEvent;
 
 @protocol SNTMessageWindowControllerDelegate
-- (void)windowDidClose;
+- (void)windowDidCloseSilenceHash:(NSString *)hash;
 @end
 
-/// Controller for a single message window.
+///
+///  Controller for a single message window.
+///
 @interface SNTMessageWindowController : NSWindowController
 
-- (instancetype)initWithEvent:(SNTNotificationMessage *)event;
+- (instancetype)initWithEvent:(SNTStoredEvent *)event andMessage:(NSString *)message;
 
 - (IBAction)showWindow:(id)sender;
 - (IBAction)closeWindow:(id)sender;
 - (IBAction)showCertInfo:(id)sender;
 
-/// The execution event that this window is for
-@property SNTNotificationMessage *event;
+///  Reference to the "Bundle Hash" label in the XIB. Used to remove if application
+///  doesn't have a bundle hash.
+@property(weak) IBOutlet NSTextField *bundleHashLabel;
 
-/// The delegate to inform when the notification is dismissed
+///  Reference to the "Bundle Identifier" label in the XIB. Used to remove if application
+///  doesn't have a bundle hash.
+@property(weak) IBOutlet NSTextField *bundleHashTitle;
+
+///
+/// Is displayed if calculating the bundle hash is taking a bit.
+///
+@property(weak) IBOutlet NSProgressIndicator *hashingIndicator;
+
+///
+/// Is displayed if calculating the bundle hash is taking a bit.
+///
+@property(weak) IBOutlet NSTextField *foundFileCountLabel;
+
+///
+///  Reference to the "Open Event" button in the XIB. Used to either remove the button
+///  if it isn't needed or set its title if it is.
+///
+@property(weak) IBOutlet NSButton *openEventButton;
+
+///
+///  The execution event that this window is for
+///
+@property(readonly) SNTStoredEvent *event;
+
+///
+///  The root progress object. Child nodes are vended to santad to report on work being done.
+///
+@property NSProgress *progress;
+
+///
+///  The delegate to inform when the notification is dismissed
+///
 @property(weak) id<SNTMessageWindowControllerDelegate> delegate;
 
-/// A 'friendly' string representing the certificate information
-@property(readonly) IBOutlet NSString *binaryCert;
-
-/// An optional message to display with this block.
-@property(readonly) IBOutlet NSAttributedString *attributedCustomMessage;
-
-/// If the binary is part of a bundle, this is the icon for that bundle
-@property(readonly) IBOutlet NSImage *bundleIcon;
-
 @end

Source/SantaGUI/SNTMessageWindowController.m

@@ -1,4 +1,4 @@
-/// Copyright 2014 Google Inc. All rights reserved.
+/// Copyright 2015 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -12,44 +12,123 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTMessageWindowController.h"
+#import "Source/SantaGUI/SNTMessageWindowController.h"
 
+#import <MOLCertificate/MOLCertificate.h>
 #import <SecurityInterface/SFCertificatePanel.h>
 
-#import "SNTBinaryInfo.h"
-#import "SNTCertificate.h"
-#import "SNTMessageWindow.h"
-#import "SNTNotificationMessage.h"
+#import "Source/common/SNTBlockMessage.h"
+#import "Source/common/SNTConfigurator.h"
+#import "Source/common/SNTStoredEvent.h"
+#import "Source/SantaGUI/SNTMessageWindow.h"
+
+@interface SNTMessageWindowController ()
+///  The custom message to display for this event
+@property(copy) NSString *customMessage;
+
+///  A 'friendly' string representing the certificate information
+@property(readonly, nonatomic) NSString *publisherInfo;
+
+///  An optional message to display with this block.
+@property(readonly, nonatomic) NSAttributedString *attributedCustomMessage;
+
+///  Reference to the "Application Name" label in the XIB. Used to remove if application
+///  doesn't have a CFBundleName.
+@property(weak) IBOutlet NSTextField *applicationNameLabel;
+
+///  Linked to checkbox in UI to prevent future notifications for this binary.
+@property BOOL silenceFutureNotifications;
+@end
 
 @implementation SNTMessageWindowController
 
-- (instancetype)initWithEvent:(SNTNotificationMessage *)event {
+- (instancetype)initWithEvent:(SNTStoredEvent *)event andMessage:(NSString *)message {
   self = [super initWithWindowNibName:@"MessageWindow"];
   if (self) {
     _event = event;
-    [self.window setMovableByWindowBackground:NO];
-    [self.window setLevel:NSPopUpMenuWindowLevel];
-    [self.window center];
+    _customMessage = message;
+    _progress = [NSProgress discreteProgressWithTotalUnitCount:1];
+    [_progress addObserver:self
+                forKeyPath:@"fractionCompleted"
+                   options:NSKeyValueObservingOptionNew
+                   context:NULL];
   }
   return self;
 }
 
+- (void)dealloc {
+  [_progress removeObserver:self forKeyPath:@"fractionCompleted"];
+}
+
+- (void)observeValueForKeyPath:(NSString *)keyPath
+                      ofObject:(id)object
+                        change:(NSDictionary *)change
+                       context:(void *)context {
+  if ([keyPath isEqualToString:@"fractionCompleted"]) {
+    dispatch_async(dispatch_get_main_queue(), ^{
+      NSProgress *progress = object;
+      if (progress.fractionCompleted != 0.0) {
+        self.hashingIndicator.indeterminate = NO;
+      }
+      self.hashingIndicator.doubleValue = progress.fractionCompleted;
+    });
+  }
+}
+
+- (void)loadWindow {
+  [super loadWindow];
+  [self.window setLevel:NSPopUpMenuWindowLevel];
+  [self.window setMovableByWindowBackground:YES];
+
+  if (![[SNTConfigurator configurator] eventDetailURL]) {
+    [self.openEventButton removeFromSuperview];
+  } else {
+    NSString *eventDetailText = [[SNTConfigurator configurator] eventDetailText];
+    if (eventDetailText) {
+      [self.openEventButton setTitle:eventDetailText];
+    }
+  }
+
+  if (!self.event.needsBundleHash) {
+    [self.bundleHashLabel removeFromSuperview];
+    [self.hashingIndicator removeFromSuperview];
+    [self.foundFileCountLabel removeFromSuperview];
+  } else {
+    self.openEventButton.enabled = NO;
+    self.hashingIndicator.indeterminate = YES;
+    [self.hashingIndicator startAnimation:self];
+    self.bundleHashLabel.hidden = YES;
+    self.foundFileCountLabel.stringValue = @"";
+  }
+
+  if (!self.event.fileBundleName) {
+    [self.applicationNameLabel removeFromSuperview];
+  }
+}
+
 - (IBAction)showWindow:(id)sender {
   [(SNTMessageWindow *)self.window fadeIn:sender];
 }
 
 - (IBAction)closeWindow:(id)sender {
+  [self.progress cancel];
   [(SNTMessageWindow *)self.window fadeOut:sender];
 }
 
 - (void)windowWillClose:(NSNotification *)notification {
-  if (self.delegate) [self.delegate windowDidClose];
+  if (!self.delegate) return;
+
+  if (self.silenceFutureNotifications) {
+    [self.delegate windowDidCloseSilenceHash:self.event.fileSHA256];
+  } else {
+    [self.delegate windowDidCloseSilenceHash:nil];
+  }
 }
 
 - (IBAction)showCertInfo:(id)sender {
   // SFCertificatePanel expects an NSArray of SecCertificateRef's
-  NSMutableArray *certArray = [NSMutableArray arrayWithCapacity:[self.event.certificates count]];
-  for (SNTCertificate *cert in self.event.certificates) {
+  NSMutableArray *certArray = [NSMutableArray arrayWithCapacity:[self.event.signingChain count]];
+  for (MOLCertificate *cert in self.event.signingChain) {
     [certArray addObject:(id)cert.certRef];
   }
 
@@ -61,21 +140,27 @@
                                                showGroup:YES];
 }
 
+- (IBAction)openEventDetails:(id)sender {
+  NSURL *url = [SNTBlockMessage eventDetailURLForEvent:self.event];
+  [self closeWindow:sender];
+  [[NSWorkspace sharedWorkspace] openURL:url];
+}
+
 #pragma mark Generated properties
 
 + (NSSet *)keyPathsForValuesAffectingValueForKey:(NSString *)key {
-  if (! [key isEqualToString:@"event"]) {
+  if (![key isEqualToString:@"event"]) {
     return [NSSet setWithObject:@"event"];
   } else {
-    return nil;
+    return [NSSet set];
   }
 }
 
-- (NSString *)binaryCert {
-  SNTCertificate *leafCert = self.event.leafCertificate;
+- (NSString *)publisherInfo {
+  MOLCertificate *leafCert = [self.event.signingChain firstObject];
 
   if (leafCert.commonName && leafCert.orgName) {
-    return [NSString stringWithFormat:@"%@ - %@", leafCert.commonName, leafCert.orgName];
+    return [NSString stringWithFormat:@"%@ - %@", leafCert.orgName, leafCert.commonName];
   } else if (leafCert.commonName) {
     return leafCert.commonName;
   } else if (leafCert.orgName) {
@@ -86,33 +171,8 @@
 }
 
 - (NSAttributedString *)attributedCustomMessage {
-  if (self.event.customMessage) {
-    NSString *htmlHeader = @"<html><head><style>"
-                           @"body {"
-                           @"  font-family: 'Lucida Grande', 'Helvetica', sans-serif;"
-                           @"  font-size: 13px;"
-                           @"  color: #666;"
-                           @"  text-align: center;"
-                           @"}"
-                           @"</style></head><body>";
-    NSString *htmlFooter = @"</body></html>";
-    NSString *fullHtml = [NSString stringWithFormat:@"%@%@%@", htmlHeader,
-                          self.event.customMessage, htmlFooter];
-    NSData *htmlData = [fullHtml dataUsingEncoding:NSUTF8StringEncoding];
-    NSAttributedString *returnStr = [[NSAttributedString alloc] initWithHTML:htmlData
-                                                          documentAttributes:NULL];
-    return returnStr;
-  } else {
-    return nil;
-  }
-}
-
-- (NSImage *)bundleIcon {
-  SNTBinaryInfo *bi = [[SNTBinaryInfo alloc] initWithPath:self.event.path];
-
-  if (!bi || !bi.bundle) return nil;
-
-  return [[NSWorkspace sharedWorkspace] iconForFile:bi.bundlePath];
+  return [SNTBlockMessage attributedBlockMessageForEvent:self.event
+                                           customMessage:self.customMessage];
 }
 
 @end

Source/SantaGUI/SNTNotificationManager.h

@@ -1,4 +1,4 @@
-/// Copyright 2014 Google Inc. All rights reserved.
+/// Copyright 2015 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -12,11 +12,15 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTMessageWindowController.h"
-#import "SNTXPCNotifierInterface.h"
+#import <Cocoa/Cocoa.h>
 
-/// Keeps track of pending notifications and ensures only one is presented to the user at a time.
-@interface SNTNotificationManager : NSObject<SNTMessageWindowControllerDelegate, SNTNotifierXPC>
+#import "Source/common/SNTXPCNotifierInterface.h"
+#import "Source/SantaGUI/SNTMessageWindowController.h"
 
+///
+///  Keeps track of pending notifications and ensures only one is presented to the user at a time.
+///
+@interface SNTNotificationManager : NSObject<SNTMessageWindowControllerDelegate,
+                                             SNTNotifierXPC, SNTBundleNotifierXPC>
 
 @end

Source/SantaGUI/SNTNotificationManager.m

@@ -1,4 +1,4 @@
-/// Copyright 2014 Google Inc. All rights reserved.
+/// Copyright 2015 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -12,70 +12,268 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTNotificationManager.h"
+#import "Source/SantaGUI/SNTNotificationManager.h"
 
-#import "SNTNotificationMessage.h"
+#import <MOLXPCConnection/MOLXPCConnection.h>
+
+#import "Source/common/SNTBlockMessage.h"
+#import "Source/common/SNTConfigurator.h"
+#import "Source/common/SNTLogging.h"
+#import "Source/common/SNTStoredEvent.h"
+#import "Source/common/SNTStrengthify.h"
+#import "Source/common/SNTXPCControlInterface.h"
 
 @interface SNTNotificationManager ()
-/// The currently displayed notification
+
+///  The currently displayed notification
 @property SNTMessageWindowController *currentWindowController;
 
-/// The queue of pending notifications
+///  The queue of pending notifications
 @property(readonly) NSMutableArray *pendingNotifications;
+
+///  The connection to the bundle service
+@property MOLXPCConnection *bundleServiceConnection;
+
+///  A semaphore to block bundle hashing until a connection is established
+@property dispatch_semaphore_t bundleServiceSema;
+
+// A serial queue for holding hashBundleBinaries requests
+@property dispatch_queue_t hashBundleBinariesQueue;
+
 @end
 
 @implementation SNTNotificationManager
 
+static NSString * const silencedNotificationsKey = @"SilencedNotifications";
+
 - (instancetype)init {
   self = [super init];
   if (self) {
     _pendingNotifications = [[NSMutableArray alloc] init];
+    _bundleServiceSema = dispatch_semaphore_create(0);
+    _hashBundleBinariesQueue = dispatch_queue_create("com.google.santagui.hashbundlebinaries",
+                                                     DISPATCH_QUEUE_SERIAL);
   }
   return self;
 }
 
-- (void)windowDidClose {
+- (void)windowDidCloseSilenceHash:(NSString *)hash {
+  if (hash) [self updateSilenceDate:[NSDate date] forHash:hash];
+
   [self.pendingNotifications removeObject:self.currentWindowController];
   self.currentWindowController = nil;
 
   if ([self.pendingNotifications count]) {
     self.currentWindowController = [self.pendingNotifications firstObject];
     [self.currentWindowController showWindow:self];
+    if (self.currentWindowController.event.needsBundleHash) {
+      dispatch_async(self.hashBundleBinariesQueue, ^{
+        [self hashBundleBinariesForEvent:self.currentWindowController.event];
+      });
+    }
   } else {
+    // Tear down the bundle service
+    self.bundleServiceSema = dispatch_semaphore_create(0);
+    [self.bundleServiceConnection invalidate];
+    self.bundleServiceConnection = nil;
     [NSApp hide:self];
   }
 }
 
+- (void)updateSilenceDate:(NSDate *)date forHash:(NSString *)hash {
+  NSUserDefaults *ud = [NSUserDefaults standardUserDefaults];
+  NSMutableDictionary *d = [[ud objectForKey:silencedNotificationsKey] mutableCopy];
+  if (!d) d = [NSMutableDictionary dictionary];
+  if (date) {
+    d[hash] = date;
+  } else {
+    [d removeObjectForKey:hash];
+  }
+  [ud setObject:d forKey:silencedNotificationsKey];
+}
+
 #pragma mark SNTNotifierXPC protocol methods
 
-- (void)postBlockNotification:(SNTNotificationMessage *)event {
+- (void)postClientModeNotification:(SNTClientMode)clientmode {
+  NSUserNotification *un = [[NSUserNotification alloc] init];
+  un.title = @"Santa";
+  un.hasActionButton = NO;
+  NSString *customMsg;
+  switch (clientmode) {
+    case SNTClientModeMonitor:
+      un.informativeText = @"Switching into Monitor mode";
+      customMsg = [[SNTConfigurator configurator] modeNotificationMonitor];
+      if (!customMsg) break;
+      if (!customMsg.length) return;
+      un.informativeText = [SNTBlockMessage stringFromHTML:customMsg];
+      break;
+    case SNTClientModeLockdown:
+      un.informativeText = @"Switching into Lockdown mode";
+      customMsg = [[SNTConfigurator configurator] modeNotificationLockdown];
+      if (!customMsg) break;
+      if (!customMsg.length) return;
+      un.informativeText = [SNTBlockMessage stringFromHTML:customMsg];
+      break;
+    default:
+      return;
+  }
+  [[NSUserNotificationCenter defaultUserNotificationCenter] deliverNotification:un];
+}
+
+- (void)postBlockNotification:(SNTStoredEvent *)event withCustomMessage:(NSString *)message {
   // See if this binary is already in the list of pending notifications.
-  NSPredicate *predicate = [NSPredicate predicateWithFormat:@"event.SHA1==%@", event.SHA1];
+  NSPredicate *predicate =
+      [NSPredicate predicateWithFormat:@"event.fileSHA256==%@", event.fileSHA256];
   if ([[self.pendingNotifications filteredArrayUsingPredicate:predicate] count]) return;
 
+  // See if this binary is silenced.
+  NSUserDefaults *ud = [NSUserDefaults standardUserDefaults];
+  NSDate *silenceDate = [ud objectForKey:silencedNotificationsKey][event.fileSHA256];
+  if ([silenceDate isKindOfClass:[NSDate class]]) {
+    NSDate *oneDayAgo = [NSDate dateWithTimeIntervalSinceNow:-86400];
+    if ([silenceDate compare:[NSDate date]] == NSOrderedDescending) {
+      LOGI(@"Notification silence: date is in the future, ignoring");
+      [self updateSilenceDate:nil forHash:event.fileSHA256];
+    } else if ([silenceDate compare:oneDayAgo] == NSOrderedAscending) {
+      LOGI(@"Notification silence: date is more than one day ago, ignoring");
+      [self updateSilenceDate:nil forHash:event.fileSHA256];
+    } else {
+      LOGI(@"Notification silence: dropping notification for %@", event.fileSHA256);
+      return;
+    }
+  }
+
+  if (!event) {
+    LOGI(@"Error: Missing event object in message received from daemon!");
+    return;
+  }
+
   // Notifications arrive on a background thread but UI updates must happen on the main thread.
   // This includes making windows.
-  [self performSelectorOnMainThread:@selector(postBlockNotificationMainThread:)
-                         withObject:event
-                      waitUntilDone:NO];
+  dispatch_async(dispatch_get_main_queue(), ^{
+    SNTMessageWindowController *pendingMsg =
+        [[SNTMessageWindowController alloc] initWithEvent:event andMessage:message];
+    pendingMsg.delegate = self;
+    [self.pendingNotifications addObject:pendingMsg];
+
+    // If a notification isn't currently being displayed, display the incoming one.
+    if (!self.currentWindowController) {
+      self.currentWindowController = pendingMsg;
+      [pendingMsg showWindow:nil];
+      if (self.currentWindowController.event.needsBundleHash) {
+        dispatch_async(self.hashBundleBinariesQueue, ^{
+          [self hashBundleBinariesForEvent:self.currentWindowController.event];
+        });
+      }
+    }
+  });
 }
 
-- (void)postBlockNotificationMainThread:(SNTNotificationMessage *)event {
-  // Create message window
-  SNTMessageWindowController *pendingMsg = [[SNTMessageWindowController alloc] initWithEvent:event];
-  pendingMsg.delegate = self;
-  [self.pendingNotifications addObject:pendingMsg];
+- (void)postRuleSyncNotificationWithCustomMessage:(NSString *)message {
+  NSUserNotification *un = [[NSUserNotification alloc] init];
+  un.title = @"Santa";
+  un.hasActionButton = NO;
+  un.informativeText = message ?: @"Requested application can now be run";
+  [[NSUserNotificationCenter defaultUserNotificationCenter] deliverNotification:un];
+}
 
-  // If a notification isn't currently being displayed, display the incoming one.
-  if (!self.currentWindowController) {
-    self.currentWindowController = pendingMsg;
+#pragma mark SNTBundleNotifierXPC protocol methods
 
-    [NSApp activateIgnoringOtherApps:YES];
-
-    // It's quite likely that we're currently on a background thread, and GUI code should always be
-    // on main thread. Open the window on the main thread so any code it runs is also.
-    [pendingMsg showWindow:nil];
+- (void)updateCountsForEvent:(SNTStoredEvent *)event
+                 binaryCount:(uint64_t)binaryCount
+                   fileCount:(uint64_t)fileCount
+                 hashedCount:(uint64_t)hashedCount {
+  if ([self.currentWindowController.event.idx isEqual:event.idx]) {
+    dispatch_async(dispatch_get_main_queue(), ^{
+      self.currentWindowController.foundFileCountLabel.stringValue =
+          [NSString stringWithFormat:@"%llu binaries / %llu %@",
+               binaryCount, hashedCount ?: fileCount, hashedCount ? @"hashed" : @"files"];
+    });
   }
 }
 
+- (void)setBundleServiceListener:(NSXPCListenerEndpoint *)listener {
+  MOLXPCConnection *c = [[MOLXPCConnection alloc] initClientWithListener:listener];
+  c.remoteInterface = [SNTXPCBundleServiceInterface bundleServiceInterface];
+  [c resume];
+  self.bundleServiceConnection = c;
+
+  WEAKIFY(self);
+  self.bundleServiceConnection.invalidationHandler = ^{
+    STRONGIFY(self);
+    if (self.currentWindowController) {
+      [self updateBlockNotification:self.currentWindowController.event withBundleHash:nil];
+    }
+    self.bundleServiceConnection.invalidationHandler = nil;
+    [self.bundleServiceConnection invalidate];
+  };
+
+  dispatch_semaphore_signal(self.bundleServiceSema);
+}
+
+#pragma mark SNTBundleNotifierXPC helper methods
+
+- (void)hashBundleBinariesForEvent:(SNTStoredEvent *)event {
+  self.currentWindowController.foundFileCountLabel.stringValue = @"Searching for files...";
+
+  // Wait a max of 6 secs for the bundle service. Should the bundle service fall over, it will
+  // reconnect within 5 secs. Otherwise abandon bundle hashing and display the blockable event.
+  if (dispatch_semaphore_wait(self.bundleServiceSema,
+                              dispatch_time(DISPATCH_TIME_NOW, 6 * NSEC_PER_SEC))) {
+    [self updateBlockNotification:event withBundleHash:nil];
+    return;
+  }
+
+  // Let all future requests flow, until the connection is terminated and we go back to waiting.
+  dispatch_semaphore_signal(self.bundleServiceSema);
+
+  // NSProgress becomes current for this thread. XPC messages vend a child node to the receiver.
+  [self.currentWindowController.progress becomeCurrentWithPendingUnitCount:100];
+
+  // Start hashing. Progress is reported to the root NSProgress (currentWindowController.progress).
+  [[self.bundleServiceConnection remoteObjectProxy]
+      hashBundleBinariesForEvent:event
+                           reply:^(NSString *bh, NSArray<SNTStoredEvent *> *events, NSNumber *ms) {
+    // Revert to displaying the blockable event if we fail to calculate the bundle hash
+    if (!bh) return [self updateBlockNotification:event withBundleHash:nil];
+
+    event.fileBundleHash = bh;
+    event.fileBundleBinaryCount = @(events.count);
+    event.fileBundleHashMilliseconds = ms;
+    event.fileBundleExecutableRelPath = [events.firstObject fileBundleExecutableRelPath];
+    for (SNTStoredEvent *se in events) {
+      se.fileBundleHash = bh;
+      se.fileBundleBinaryCount = @(events.count);
+      se.fileBundleHashMilliseconds = ms;
+    }
+
+    // Send the results to santad. It will decide if they need to be synced.
+    MOLXPCConnection *daemonConn = [SNTXPCControlInterface configuredConnection];
+    [daemonConn resume];
+    [[daemonConn remoteObjectProxy] syncBundleEvent:event relatedEvents:events];
+    [daemonConn invalidate];
+
+    // Update the UI with the bundle hash. Also make the openEventButton available.
+    [self updateBlockNotification:event withBundleHash:bh];
+  }];
+  [self.currentWindowController.progress resignCurrent];
+}
+
+- (void)updateBlockNotification:(SNTStoredEvent *)event withBundleHash:(NSString *)bundleHash {
+  dispatch_async(dispatch_get_main_queue(), ^{
+    if ([self.currentWindowController.event.idx isEqual:event.idx]) {
+      if (bundleHash) {
+        [self.currentWindowController.bundleHashLabel setHidden:NO];
+      } else {
+        [self.currentWindowController.bundleHashLabel removeFromSuperview];
+        [self.currentWindowController.bundleHashTitle removeFromSuperview];
+      }
+      self.currentWindowController.event.fileBundleHash = bundleHash;
+      [self.currentWindowController.foundFileCountLabel removeFromSuperview];
+      [self.currentWindowController.hashingIndicator setHidden:YES];
+      [self.currentWindowController.openEventButton setEnabled:YES];
+    }
+  });
+}
+
 @end

Source/SantaGUI/main.m

@@ -1,4 +1,4 @@
-/// Copyright 2014 Google Inc. All rights reserved.
+/// Copyright 2015 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -12,7 +12,9 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTAppDelegate.h"
+#import <Cocoa/Cocoa.h>
+
+#import "Source/SantaGUI/SNTAppDelegate.h"
 
 int main(int argc, const char *argv[]) {
   @autoreleasepool {

Source/common/BUILD

@@ -0,0 +1,181 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])  # Apache 2.0
+
+load("//:helper.bzl", "santa_unit_test")
+
+objc_library(
+    name = "SNTBlockMessage",
+    srcs = ["SNTBlockMessage.m"],
+    hdrs = ["SNTBlockMessage.h"],
+    deps = [
+        ":SNTConfigurator",
+        ":SNTStoredEvent",
+    ],
+)
+
+objc_library(
+    name = "SNTBlockMessage_SantaGUI",
+    srcs = ["SNTBlockMessage.m"],
+    hdrs = ["SNTBlockMessage.h"],
+    deps = [
+        ":SNTConfigurator",
+        ":SNTStoredEvent",
+    ],
+    defines = ["SANTAGUI"],
+)
+
+objc_library(
+    name = "SNTCachedDecision",
+    srcs = ["SNTCachedDecision.m"],
+    hdrs = ["SNTCachedDecision.h"],
+    deps = [
+        ":SNTCommonEnums",
+        ":SNTKernelCommon",
+    ],
+)
+
+cc_library(
+    name = "SNTCommonEnums",
+    hdrs = ["SNTCommonEnums.h"],
+)
+
+objc_library(
+    name = "SNTConfigurator",
+    srcs = ["SNTConfigurator.m"],
+    hdrs = ["SNTConfigurator.h"],
+    deps = [
+        ":SNTCommonEnums",
+        ":SNTLogging",
+        ":SNTStrengthify",
+        ":SNTSystemInfo",
+    ],
+)
+
+objc_library(
+    name = "SNTDropRootPrivs",
+    srcs = ["SNTDropRootPrivs.m"],
+    hdrs = ["SNTDropRootPrivs.h"],
+)
+
+objc_library(
+    name = "SNTFileInfo",
+    srcs = ["SNTFileInfo.m"],
+    hdrs = ["SNTFileInfo.h"],
+    deps = [
+        "@FMDB",
+        "@MOLCodesignChecker",
+    ],
+)
+
+cc_library(
+    name = "SNTKernelCommon",
+    hdrs = ["SNTKernelCommon.h"],
+)
+
+cc_library(
+    name = "SNTLoggingKernel",
+    hdrs = ["SNTLogging.h"],
+)
+
+objc_library(
+    name = "SNTLogging",
+    srcs = ["SNTLogging.m"],
+    hdrs = ["SNTLogging.h"],
+)
+
+objc_library(
+    name = "SNTRule",
+    srcs = ["SNTRule.m"],
+    hdrs = ["SNTRule.h"],
+    deps = [":SNTCommonEnums"],
+)
+
+objc_library(
+    name = "SNTStoredEvent",
+    srcs = ["SNTStoredEvent.m"],
+    hdrs = ["SNTStoredEvent.h"],
+    deps = [
+        ":SNTCommonEnums",
+        "@MOLCertificate",
+    ],
+)
+
+cc_library(
+    name = "SNTStrengthify",
+    hdrs = ["SNTStrengthify.h"],
+)
+
+objc_library(
+    name = "SNTSystemInfo",
+    srcs = ["SNTSystemInfo.m"],
+    hdrs = ["SNTSystemInfo.h"],
+    sdk_frameworks = ["IOKit"],
+)
+
+objc_library(
+    name = "SNTXPCBundleServiceInterface",
+    srcs = ["SNTXPCBundleServiceInterface.m"],
+    hdrs = ["SNTXPCBundleServiceInterface.h"],
+    deps = [":SNTStoredEvent"],
+)
+
+objc_library(
+    name = "SNTXPCControlInterface",
+    srcs = ["SNTXPCControlInterface.m"],
+    hdrs = ["SNTXPCControlInterface.h"],
+    deps = [
+        ":SNTStoredEvent",
+        ":SNTXPCUnprivilegedControlInterface",
+        "@MOLXPCConnection",
+    ],
+)
+
+objc_library(
+    name = "SNTXPCNotifierInterface",
+    srcs = ["SNTXPCNotifierInterface.m"],
+    hdrs = ["SNTXPCNotifierInterface.h"],
+    deps = [
+        ":SNTCommonEnums",
+        ":SNTXPCBundleServiceInterface",
+    ],
+)
+
+objc_library(
+    name = "SNTXPCSyncdInterface",
+    srcs = ["SNTXPCSyncdInterface.m"],
+    hdrs = ["SNTXPCSyncdInterface.h"],
+    deps = [
+        ":SNTCommonEnums",
+        ":SNTStoredEvent",
+    ],
+)
+
+objc_library(
+    name = "SNTXPCUnprivilegedControlInterface",
+    srcs = ["SNTXPCUnprivilegedControlInterface.m"],
+    hdrs = ["SNTXPCUnprivilegedControlInterface.h"],
+    deps = [
+        ":SNTCommonEnums",
+        ":SNTKernelCommon",
+        ":SNTRule",
+        ":SNTStoredEvent",
+        ":SNTXPCBundleServiceInterface",
+        "@MOLCertificate",
+        "@MOLXPCConnection",
+    ],
+)
+
+santa_unit_test(
+    name = "SNTFileInfoTest",
+    srcs = ["SNTFileInfoTest.m"],
+    resources = [
+        "testdata/bad_pagezero",
+        "testdata/missing_pagezero",
+    ],
+    structured_resources = glob([
+        "testdata/BundleExample.app/**",
+        "testdata/DirectoryBundle/**",
+    ]),
+    deps = [":SNTFileInfo"],
+)

Source/common/SNTBinaryInfo.h

@@ -1,73 +0,0 @@
-/// Copyright 2014 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-/// SNTBinaryInfo represents a binary on disk, providing access to details about that binary such as
-/// the SHA-1, the Info.plist and the Mach-O data.
-@interface SNTBinaryInfo : NSObject
-
-/// Designated initializer
-- (instancetype)initWithPath:(NSString *)path;
-
-/// Return SHA-1 hash of this binary
-- (NSString *)SHA1;
-
-/// Returns the type of Mach-O file:
-///  Dynamic Library, Kernel Extension, Fat Binary, Thin Binary
-- (NSString *)machoType;
-
-/// Returns the architectures included in this binary (e.g. x86_64, ppc)
-- (NSArray *)architectures;
-
-/// Returns YES if this file is a Mach-O file
-- (BOOL)isMachO;
-
-/// Returns YES if this file contains multiple architectures
-- (BOOL)isFat;
-
-/// Returns YES if this file is an executable Mach-O file
-- (BOOL)isExecutable;
-
-/// Returns YES if this file is a dynamic library
-- (BOOL)isDylib;
-
-/// Returns YES if this file is a kernel extension
-- (BOOL)isKext;
-
-/// Returns YES if this file is a script (e.g. it begins #!)
-- (BOOL)isScript;
-
-/// Returns an NSBundle if this file is part of a bundle.
-- (NSBundle *)bundle;
-
-/// Returns the path to the bundle this file is a part of, if any.
-- (NSString *)bundlePath;
-
-/// Returns either the Info.plist in the bundle this file is part of, or an embedded plist if there
-/// is one. In the odd case that a file has both an embedded Info.plist and is part of a bundle,
-/// the Info.plist from the bundle will be returned.
-- (NSDictionary *)infoPlist;
-
-/// Returns the CFBundleIdentifier from this file's Info.plist
-- (NSString *)bundleIdentifier;
-
-/// Returns the CFBundleName from this file's Info.plist
-- (NSString *)bundleName;
-
-/// Returns the CFBundleVersion from this file's Info.plist
-- (NSString *)bundleVersion;
-
-/// Returns the CFBundleShortVersionString from this file's Info.plist
-- (NSString *)bundleShortVersionString;
-
-@end

Source/common/SNTBinaryInfo.m

@@ -1,291 +0,0 @@
-/// Copyright 2014 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-#import "SNTBinaryInfo.h"
-
-#import <CommonCrypto/CommonDigest.h>
-
-#include <mach-o/loader.h>
-#include <mach-o/swap.h>
-
-@interface SNTBinaryInfo ()
-@property NSString *path;
-@property NSData *fileData;
-@property NSBundle *bundleRef;
-@property NSDictionary *infoDict;
-@end
-
-@implementation SNTBinaryInfo
-
-- (instancetype)initWithPath:(NSString *)path {
-  self = [super init];
-
-  if (self) {
-    _path = path;
-
-    _fileData = [NSData dataWithContentsOfFile:path options:NSDataReadingMappedIfSafe error:nil];
-    if (!_fileData) return nil;
-  }
-
-  return self;
-}
-
-- (NSString *)SHA1 {
-  unsigned char sha1[CC_SHA1_DIGEST_LENGTH];
-  CC_SHA1([self.fileData bytes], (unsigned int)[self.fileData length], sha1);
-
-  // Convert the binary SHA into hex
-  NSMutableString *buf = [[NSMutableString alloc] initWithCapacity:CC_SHA1_DIGEST_LENGTH * 2];
-  for (int i = 0; i < CC_SHA1_DIGEST_LENGTH; i++) {
-    [buf appendFormat:@"%02x", (unsigned char)sha1[i]];
-  }
-
-  return buf;
-}
-
-- (NSString *)machoType {
-  if ([self isDylib])   { return @"Dynamic Library"; }
-  if ([self isKext])    { return @"Kernel Extension"; }
-  if ([self isFat])     { return @"Fat Binary"; }
-  if ([self isMachO])   { return @"Thin Binary"; }
-  if ([self isScript])  { return @"Script"; }
-  return @"Unknown (not executable?)";
-}
-
-- (NSArray *)architectures {
-  if (![self isMachO]) return nil;
-
-  if ([self isFat]) {
-    NSMutableArray *ret = [[NSMutableArray alloc] init];
-
-    // Retrieve just the fat_header, if possible.
-    NSData *head = [self safeSubdataWithRange:NSMakeRange(0, sizeof(struct fat_header))];
-    if (!head) return nil;
-    struct fat_header *fat_header = (struct fat_header *)[head bytes];
-
-    // Get number of architectures in the binary
-    uint32_t narch = NSSwapBigIntToHost(fat_header->nfat_arch);
-
-    // Retrieve just the fat_arch's, make a mutable copy and if necessary swap the bytes
-    NSData *archs = [self safeSubdataWithRange:NSMakeRange(sizeof(struct fat_header),
-                                                           sizeof(struct fat_arch) * narch)];
-    if (!archs) return nil;
-    struct fat_arch *fat_archs = (struct fat_arch *)[archs bytes];
-
-    // For each arch, get the name of it's architecture
-    for (int i = 0; i < narch; ++i) {
-      [ret addObject:[self nameForCPUType:NSSwapBigIntToHost(fat_archs[i].cputype)]];
-    }
-    return ret;
-  } else {
-    struct mach_header *hdr = [self firstMachHeader];
-    return @[ [self nameForCPUType:hdr->cputype] ];
-  }
-  return nil;
-}
-
-- (BOOL)isDylib {
-  struct mach_header *mach_header = [self firstMachHeader];
-  if (!mach_header) return NO;
-  if (mach_header->filetype == MH_DYLIB ||
-      mach_header->filetype == MH_FVMLIB) {
-    return YES;
-  }
-
-  return NO;
-}
-
-- (BOOL)isKext {
-  struct mach_header *mach_header = [self firstMachHeader];
-  if (!mach_header) return NO;
-  if (mach_header->filetype == MH_KEXT_BUNDLE) {
-    return YES;
-  }
-
-  return NO;
-}
-
-- (BOOL)isMachO {
-  return ([self.fileData length] >= 160 &&
-          ([self isMachHeader:(struct mach_header *)[self.fileData bytes]] || [self isFat]));
-}
-
-- (BOOL)isFat {
-  return ([self isFatHeader:(struct fat_header *)[self.fileData bytes]]);
-}
-
-- (BOOL)isScript {
-  if ([self.fileData length] < 1) return NO;
-
-  char magic[2];
-  [self.fileData getBytes:&magic length:2];
-
-  return (strncmp("#!", magic, 2) == 0);
-}
-
-- (BOOL)isExecutable {
-  struct mach_header *mach_header = [self firstMachHeader];
-  if (!mach_header) return NO;
-  if (mach_header->filetype == MH_OBJECT ||
-      mach_header->filetype == MH_EXECUTE ||
-      mach_header->filetype == MH_PRELOAD) {
-    return YES;
-  }
-
-  return NO;
-}
-
-# pragma mark Bundle Information
-
-/**
- *  Try and determine the bundle that the represented executable is contained within, if any.
- *
- *  Rationale: An NSBundle has a method executablePath for discovering the main binary within a
- *  bundle but provides no way to get an NSBundle object when only the executablePath is known. Also,
- *  a bundle can contain multiple binaries within the MacOS folder and we want any of these to count
- *  as being part of the bundle.
- *
- *  This method relies on executable bundles being laid out as follows:
- *
- *@code
- *  Bundle.app/
- *     Contents/
- *        MacOS/
- *          executable
- *@endcode
- *
- *  If @c self.path is the full path to @c executable above, this method would return an
- *  NSBundle reference for Bundle.app.
- */
-- (NSBundle *)bundle {
-  if (self.bundleRef) return self.bundleRef;
-
-  NSArray *pathComponents = [self.path pathComponents];
-
-  // Check that the full path is at least 4-levels deep:
-  // e.g: /Calendar.app/Contents/MacOS/Calendar
-  if ([pathComponents count] < 4) return nil;
-
-  pathComponents = [pathComponents subarrayWithRange:NSMakeRange(0, [pathComponents count] - 3)];
-  self.bundleRef = [NSBundle bundleWithPath:[NSString pathWithComponents:pathComponents]];
-
-  // Clear the bundle if it doesn't have a bundle ID
-  if (![self.bundleRef objectForInfoDictionaryKey:@"CFBundleIdentifier"]) self.bundleRef = nil;
-
-  return self.bundleRef;
-}
-
-- (NSString *)bundlePath {
-  return [self.bundle bundlePath];
-}
-
-- (NSDictionary *)infoPlist {
-  if (self.infoDict) return self.infoDict;
-
-  if ([self bundle]) {
-    self.infoDict = [[self bundle] infoDictionary];
-    return self.infoDict;
-  }
-
-  NSURL *url = [NSURL fileURLWithPath:self.path isDirectory:NO];
-  self.infoDict =
-      (__bridge_transfer NSDictionary*)CFBundleCopyInfoDictionaryForURL((__bridge CFURLRef) url);
-  return self.infoDict;
-}
-
-- (NSString *)bundleIdentifier {
-  return [[self infoPlist] objectForKey:@"CFBundleIdentifier"];
-}
-
-- (NSString *)bundleName {
-  return [[self infoPlist] objectForKey:@"CFBundleName"];
-}
-
-- (NSString *)bundleVersion {
-  return [[self infoPlist] objectForKey:@"CFBundleVersion"];
-}
-
-- (NSString *)bundleShortVersionString {
-  return [[self infoPlist] objectForKey:@"CFBundleShortVersionString"];
-}
-
-# pragma mark Internal Methods
-
-/// Look through the file for the first mach_header. If the file is thin, this will be the
-/// header at the beginning of the file. If the file is fat, it will be the first
-/// architecture-specific header.
-- (struct mach_header *)firstMachHeader {
-  if (![self isMachO]) return NULL;
-
-  struct mach_header *mach_header = (struct mach_header *)[self.fileData bytes];
-  struct fat_header *fat_header = (struct fat_header *)[self.fileData bytes];
-
-  if ([self isFatHeader:fat_header]) {
-    // Get the bytes for the fat_arch
-    NSData *archHdr = [self safeSubdataWithRange:NSMakeRange(sizeof(struct fat_header),
-                                                             sizeof(struct fat_arch))];
-    if (!archHdr) return nil;
-    struct fat_arch *fat_arch = (struct fat_arch *)[archHdr bytes];
-
-    // Get bytes for first mach_header
-    NSData *machHdr = [self safeSubdataWithRange:NSMakeRange(NSSwapBigIntToHost(fat_arch->offset),
-                                                             sizeof(struct mach_header))];
-    if (!machHdr) return nil;
-    mach_header = (struct mach_header *)[machHdr bytes];
-  }
-
-  if ([self isMachHeader:mach_header]) {
-    return mach_header;
-  }
-
-  return NULL;
-}
-
-- (BOOL)isMachHeader:(struct mach_header *)header {
-  return (header->magic == MH_MAGIC || header->magic == MH_MAGIC_64 ||
-          header->magic == MH_CIGAM || header->magic == MH_CIGAM_64);
-}
-
-- (BOOL)isFatHeader:(struct fat_header *)header {
-  return (header->magic == FAT_MAGIC || header->magic == FAT_CIGAM);
-}
-
-/// Wrap subdataWithRange: in a @try/@catch, returning nil on exception.
-/// Useful for when the range is beyond the end of the file.
-- (NSData *)safeSubdataWithRange:(NSRange)range {
-  @try {
-    return [self.fileData subdataWithRange:range];
-  }
-  @catch (NSException *exception) {
-    return nil;
-  }
-}
-
-- (NSString *)nameForCPUType:(cpu_type_t)cpuType {
-  switch (cpuType) {
-    case CPU_TYPE_X86:
-      return @"i386";
-    case CPU_TYPE_X86_64:
-      return @"x86-64";
-    case CPU_TYPE_POWERPC:
-      return @"ppc";
-    case CPU_TYPE_POWERPC64:
-      return @"ppc64";
-    default:
-      return @"unknown";
-  }
-  return nil;
-}
-
-@end

Source/common/SNTBlockMessage.h

@@ -0,0 +1,47 @@
+/// Copyright 2016 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#ifdef SANTAGUI
+#import <Cocoa/Cocoa.h>
+#else
+#import <Foundation/Foundation.h>
+#endif
+
+@class SNTStoredEvent;
+
+@interface SNTBlockMessage : NSObject
+
+///
+///  Return a message suitable for presenting to the user.
+///  Uses either the configured message depending on the event type or a custom message
+///  if the rule that blocked this file included one.
+///
+///  In SantaGUI this will return an NSAttributedString with links and formatting included
+///  while for santad all HTML will be properly stripped.
+///
++ (NSAttributedString *)attributedBlockMessageForEvent:(SNTStoredEvent *)event
+                                         customMessage:(NSString *)customMessage;
+
+///
+///  Return a URL generated from the EventDetailURL configuration key
+///  after replacing templates in the URL with values from the event.
+///
++ (NSURL *)eventDetailURLForEvent:(SNTStoredEvent *)event;
+
+///
+///  Strip HTML from a string, replacing <br /> with newline.
+///
++ (NSString *)stringFromHTML:(NSString *)html;
+
+@end

Source/common/SNTBlockMessage.m

@@ -0,0 +1,129 @@
+/// Copyright 2016 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "Source/common/SNTBlockMessage.h"
+
+#import "Source/common/SNTConfigurator.h"
+#import "Source/common/SNTLogging.h"
+#import "Source/common/SNTStoredEvent.h"
+
+@implementation SNTBlockMessage
+
++ (NSAttributedString *)attributedBlockMessageForEvent:(SNTStoredEvent *)event
+                                         customMessage:(NSString *)customMessage {
+  NSString *htmlHeader = @"<html><head><style>"
+      @"body {"
+      @"  font-family: 'Lucida Grande', 'Helvetica', sans-serif;"
+      @"  font-size: 13px;"
+      @"  color: %@;"
+      @"  text-align: center;"
+      @"}"
+
+      // Supported in beta WebKit. Not sure if it is dynamic when used with NSAttributedString.
+      @"@media (prefers-color-scheme: dark) {"
+      @"  body {"
+      @"    color: #ddd;"
+      @"  }"
+      @"}"
+      @"</style></head><body>";
+
+  // Support Dark Mode. Note, the returned NSAttributedString is static and does not update when
+  // the OS switches modes.
+  NSString *mode = [NSUserDefaults.standardUserDefaults stringForKey:@"AppleInterfaceStyle"];
+  BOOL dark =  [mode isEqualToString:@"Dark"];
+  htmlHeader = [NSString stringWithFormat:htmlHeader, dark ? @"#ddd" : @"#333"];
+
+  NSString *htmlFooter = @"</body></html>";
+
+  NSString *message;
+  if (customMessage.length) {
+    message = customMessage;
+  } else if (event.decision == SNTEventStateBlockUnknown) {
+    message = [[SNTConfigurator configurator] unknownBlockMessage];
+    if (!message) {
+      message = @"The following application has been blocked from executing<br />"
+                @"because its trustworthiness cannot be determined.";
+    }
+  } else {
+    message = [[SNTConfigurator configurator] bannedBlockMessage];
+    if (!message) {
+      message = @"The following application has been blocked from executing<br />"
+                @"because it has been deemed malicious.";
+    }
+  }
+
+  NSString *fullHTML = [NSString stringWithFormat:@"%@%@%@", htmlHeader, message, htmlFooter];
+
+#ifdef SANTAGUI
+  NSData *htmlData = [fullHTML dataUsingEncoding:NSUTF8StringEncoding];
+  return [[NSAttributedString alloc] initWithHTML:htmlData documentAttributes:NULL];
+#else
+  NSString *strippedHTML = [self stringFromHTML:fullHTML];
+  if (!strippedHTML) {
+    return [[NSAttributedString alloc] initWithString:@"This binary has been blocked."];
+  }
+  return [[NSAttributedString alloc] initWithString:strippedHTML];
+#endif
+}
+
++ (NSString *)stringFromHTML:(NSString *)html {
+  NSError *error;
+  NSXMLDocument *xml = [[NSXMLDocument alloc] initWithXMLString:html options:0 error:&error];
+
+  if (!xml && error.code == NSXMLParserEmptyDocumentError) {
+    html = [NSString stringWithFormat:@"<html><body>%@</body></html>", html];
+    xml = [[NSXMLDocument alloc] initWithXMLString:html options:0 error:&error];
+    if (!xml) return html;
+  }
+
+  // Strip any HTML tags out of the message. Also remove any content inside <style> tags and
+  // replace <br> elements with a newline.
+  NSString *stripXslt = @"<?xml version='1.0' encoding='utf-8'?>"
+      @"<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
+      @"                              xmlns:xhtml='http://www.w3.org/1999/xhtml'>"
+      @"<xsl:output method='text'/>"
+      @"<xsl:template match='br'><xsl:text>\n</xsl:text></xsl:template>"
+      @"<xsl:template match='style'/>"
+      @"</xsl:stylesheet>";
+  NSData *data = [xml objectByApplyingXSLTString:stripXslt arguments:NULL error:&error];
+  if (error || ![data isKindOfClass:[NSData class]]) {
+    return html;
+  }
+  return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
+}
+
++ (NSURL *)eventDetailURLForEvent:(SNTStoredEvent *)event {
+  SNTConfigurator *config = [SNTConfigurator configurator];
+
+  NSString *formatStr = config.eventDetailURL;
+  if (!formatStr.length) return nil;
+
+  if (event.fileSHA256) {
+    formatStr =
+        [formatStr stringByReplacingOccurrencesOfString:@"%file_sha%"
+                                             withString:event.fileBundleHash ?: event.fileSHA256];
+  }
+  if (event.executingUser) {
+    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%username%"
+                                                     withString:event.executingUser];
+  }
+  if (config.machineID) {
+    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%machine_id%"
+                                                     withString:config.machineID];
+  }
+
+  return [NSURL URLWithString:formatStr];
+}
+
+@end

Source/common/SNTCachedDecision.h

@@ -0,0 +1,36 @@
+/// Copyright 2015 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import <Foundation/Foundation.h>
+
+#import "Source/common/SNTCommonEnums.h"
+#import "Source/common/SNTKernelCommon.h"
+
+///
+///  Store information about executions from decision making for later logging.
+///
+@interface SNTCachedDecision : NSObject
+
+@property santa_vnode_id_t vnodeId;
+@property SNTEventState decision;
+@property NSString *decisionExtra;
+@property NSString *sha256;
+@property NSString *certSHA256;
+@property NSString *certCommonName;
+@property NSString *quarantineURL;
+
+@property NSString *customMsg;
+@property BOOL silentBlock;
+
+@end

Source/common/SNTCachedDecision.m

@@ -0,0 +1,18 @@
+/// Copyright 2015 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "Source/common/SNTCachedDecision.h"
+
+@implementation SNTCachedDecision
+@end

Source/common/SNTCertificate.h

@@ -1,67 +0,0 @@
-/// Copyright 2014 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-/// SNTCertificate wraps a @c SecCertificateRef to provide Objective-C accessors to
-/// commonly used certificate data. Accessors cache data for repeated access.
-@interface SNTCertificate : NSObject<NSSecureCoding>
-
-/// Initialize a SNTCertificate object with a valid SecCertificateRef. Designated initializer.
-- (instancetype)initWithSecCertificateRef:(SecCertificateRef)certRef;
-
-/// Initialize a SNTCertificate object with certificate data in DER format.
-/// Returns nil if |certData| is invalid.
-- (instancetype)initWithCertificateDataDER:(NSData *)certData;
-
-/// Initialize a SNTCertificate object with certificate data in PEM format.
-/// If multiple PEM certificates exist within the string, the first is used.
-/// Returns nil if |certData| is invalid.
-- (instancetype)initWithCertificateDataPEM:(NSString *)certData;
-
-/// Returns an array of SNTCertificate's for all of the certificates in |pemData|.
-+ (NSArray *)certificatesFromPEM:(NSString *)pemData;
-
-/// Access the underlying certificate ref.
-@property(readonly) SecCertificateRef certRef;
-
-/// SHA-1 hash of the certificate data.
-@property(readonly) NSString *SHA1;
-
-/// Certificate data.
-@property(readonly) NSData *certData;
-
-/// Common Name e.g: "Software Signing"
-@property(readonly) NSString *commonName;
-
-/// Country Name e.g: "US"
-@property(readonly) NSString *countryName;
-
-/// Organizational Name e.g: "Apple Inc."
-@property(readonly) NSString *orgName;
-
-/// Organizational Unit Name e.g: "Apple Software"
-@property(readonly) NSString *orgUnit;
-
-/// Issuer details, same fields as above.
-@property(readonly) NSString *issuerCommonName;
-@property(readonly) NSString *issuerCountryName;
-@property(readonly) NSString *issuerOrgName;
-@property(readonly) NSString *issuerOrgUnit;
-
-/// Validity Not Before
-@property(readonly) NSDate *validFrom;
-
-/// Validity Not After
-@property(readonly) NSDate *validUntil;
-
-@end

Source/common/SNTCertificate.m

@@ -1,336 +0,0 @@
-/// Copyright 2014 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-#import "SNTCertificate.h"
-
-#import <CommonCrypto/CommonDigest.h>
-#import <Security/Security.h>
-
-@interface SNTCertificate ()
-/// A container for cached property values
-@property NSMutableDictionary *memoizedData;
-@end
-
-@implementation SNTCertificate
-
-static NSString *const kCertDataKey = @"certData";
-
-#pragma mark Init/Dealloc
-
-- (instancetype)initWithSecCertificateRef:(SecCertificateRef)certRef {
-  self = [super init];
-  if (self) {
-    _certRef = certRef;
-    CFRetain(_certRef);
-  }
-  return self;
-}
-
-- (instancetype)initWithCertificateDataDER:(NSData *)certData {
-  SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certData);
-
-  if (cert) {
-    // Despite the header file claiming that SecCertificateCreateWithData will return NULL if
-    // |certData| doesn't contain a valid DER-encoded X509 cert, this isn't always true.
-    // radar://problem/16124651
-    // To workaround, check that the certificate serial number can be retrieved.
-    NSData *ser = CFBridgingRelease(SecCertificateCopySerialNumber(cert, NULL));
-    if (ser) {
-      self = [self initWithSecCertificateRef:cert];
-    } else {
-      self = nil;
-    }
-    CFRelease(cert);  // was retained in initWithSecCertificateRef
-  } else {
-    self = nil;
-  }
-
-  return self;
-}
-
-- (instancetype)initWithCertificateDataPEM:(NSString *)certData {
-  // Find the PEM and extract the base64-encoded DER data from within
-  NSScanner *scanner = [NSScanner scannerWithString:certData];
-  NSString *base64der;
-
-  // Locate and parse DER data into |base64der|
-  [scanner scanUpToString:@"-----BEGIN CERTIFICATE-----" intoString:NULL];
-  if (!([scanner scanString:@"-----BEGIN CERTIFICATE-----" intoString:NULL] &&
-        [scanner scanUpToString:@"-----END CERTIFICATE-----" intoString:&base64der] &&
-        [scanner scanString:@"-----END CERTIFICATE-----" intoString:NULL])) {
-    return nil;
-  }
-
-  // base64-decode the DER
-  SecTransformRef transform = SecDecodeTransformCreate(kSecBase64Encoding, NULL);
-  if (!transform) return nil;
-  NSData *input = [base64der dataUsingEncoding:NSUTF8StringEncoding];
-  NSData *output = nil;
-
-  if (SecTransformSetAttribute(transform,
-                             kSecTransformInputAttributeName,
-                             (__bridge CFDataRef)input,
-                             NULL)) {
-    output = CFBridgingRelease(SecTransformExecute(transform, NULL));
-  }
-  if (transform) CFRelease(transform);
-
-  return [self initWithCertificateDataDER:output];
-}
-
-+ (NSArray *)certificatesFromPEM:(NSString *)pemData {
-  NSScanner *scanner = [NSScanner scannerWithString:pemData];
-  NSMutableArray *certs = [[NSMutableArray alloc] init];
-
-  while (YES) {
-    NSString *curCert;
-
-    [scanner scanUpToString:@"-----BEGIN CERTIFICATE-----" intoString:NULL];
-    [scanner scanUpToString:@"-----END CERTIFICATE-----" intoString:&curCert];
-
-    // If there was no data, break.
-    if (!curCert) break;
-
-    curCert = [curCert stringByAppendingString:@"-----END CERTIFICATE-----"];
-    SNTCertificate *cert = [[SNTCertificate alloc] initWithCertificateDataPEM:curCert];
-
-    // If the data couldn't be turned into a valid SNTCertificate, continue.
-    if (!cert) continue;
-
-    [certs addObject:cert];
-  }
-
-  return certs;
-}
-
-- (instancetype)init {
-  [self doesNotRecognizeSelector:_cmd];
-  return nil;
-}
-
-- (void)dealloc {
-  if (_certRef) CFRelease(_certRef);
-}
-
-#pragma mark Equality & description
-
-- (BOOL)isEqual:(SNTCertificate *)other {
-  if (self == other) return YES;
-  if (![other isKindOfClass:[SNTCertificate class]]) return NO;
-
-  return [self.certData isEqual:other.certData];
-}
-
-- (NSUInteger)hash {
-  return [self.certData hash];
-}
-
-- (NSString *)description {
-  return [NSString stringWithFormat:@"/O=%@/OU=%@/CN=%@",
-          self.orgName,
-          self.orgUnit,
-          self.commonName];
-}
-
-#pragma mark NSSecureCoding
-
-+ (BOOL)supportsSecureCoding {
-  return YES;
-}
-
-- (void)encodeWithCoder:(NSCoder *)coder {
-  [coder encodeObject:self.certData forKey:kCertDataKey];
-}
-
-- (instancetype)initWithCoder:(NSCoder *)decoder {
-  NSData *certData = [decoder decodeObjectOfClass:[NSData class] forKey:kCertDataKey];
-  if ([certData length] == 0) return nil;
-  SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certData);
-  self = [self initWithSecCertificateRef:cert];
-  if (cert) CFRelease(cert);
-  return self;
-}
-
-#pragma mark Private Accessors
-
-/// For a given selector, caches the value that selector would return on subsequent invocations,
-/// using the provided block to get the value on the first invocation.
-/// Assumes the selector's value will never change.
-- (id)memoizedSelector:(SEL)selector forBlock:(id (^)(void))block {
-  NSString *selName = NSStringFromSelector(selector);
-
-  if (!self.memoizedData) {
-    self.memoizedData = [NSMutableDictionary dictionary];
-  }
-
-  if (!self.memoizedData[selName]) {
-    id val = block();
-    if (val) {
-      self.memoizedData[selName] = val;
-    } else {
-      self.memoizedData[selName] = [NSNull null];
-    }
-  }
-
-  // Return the value if there is one, or nil if the value is NSNull
-  return self.memoizedData[selName] != [NSNull null] ? self.memoizedData[selName] : nil;
-}
-
-- (NSDictionary *)allCertificateValues {
-  return [self memoizedSelector:_cmd forBlock:^id{
-      return CFBridgingRelease(SecCertificateCopyValues(self.certRef, NULL, NULL));
-  }];
-}
-
-- (NSDictionary *)x509SubjectName {
-  return [self memoizedSelector:_cmd forBlock:^id{
-      return [self allCertificateValues][(__bridge NSString *)kSecOIDX509V1SubjectName];
-  }];
-}
-
-- (NSDictionary *)x509IssuerName {
-  return [self memoizedSelector:_cmd forBlock:^id{
-      return [self allCertificateValues][(__bridge NSString *)kSecOIDX509V1IssuerName];
-  }];
-}
-
-/// Retrieve the value with the specified label from the X509 dictionary provided
-/// @param desiredLabel The label you want, e.g: kSecOIDOrganizationName.
-/// @param dict The dictionary to look in (Subject or Issuer)
-/// @returns An @c NSString, the value for the specified label.
-- (NSString *)x509ValueForLabel:(NSString *)desiredLabel fromDictionary:(NSDictionary *)dict {
-  @try {
-    NSArray *valArray = dict[(__bridge NSString *)kSecPropertyKeyValue];
-
-    for (NSDictionary *curCertVal in valArray) {
-      NSString *valueLabel = curCertVal[(__bridge NSString *)kSecPropertyKeyLabel];
-      if ([valueLabel isEqual:desiredLabel]) {
-        return curCertVal[(__bridge NSString *)kSecPropertyKeyValue];
-      }
-    }
-    return nil;
-  }
-  @catch (NSException *exception) {
-    return nil;
-  }
-}
-
-/// Retrieve the specified date from the certificate's values and convert from a reference date
-/// to an NSDate object.
-/// @param key The identifier for the date: @c kSecOIDX509V1ValiditityNot{Before,After}
-/// @return An @c NSDate representing the date and time the certificate is valid from or expires.
-- (NSDate *)dateForX509Key:(NSString *)key {
-  NSDictionary *curCertVal = [self allCertificateValues][key];
-  NSNumber *value = curCertVal[(__bridge NSString *)kSecPropertyKeyValue];
-
-  NSTimeInterval interval = [value doubleValue];
-  if (interval) {
-    return [NSDate dateWithTimeIntervalSinceReferenceDate:interval];
-  }
-
-  return nil;
-}
-
-#pragma mark Public Accessors
-
-- (NSString *)SHA1 {
-  return [self memoizedSelector:_cmd forBlock:^id{
-      NSMutableData *SHA1Buffer = [[NSMutableData alloc] initWithCapacity:CC_SHA1_DIGEST_LENGTH];
-
-      CC_SHA1([self.certData bytes], (CC_LONG)[self.certData length], [SHA1Buffer mutableBytes]);
-
-      const unsigned char *bytes = (const unsigned char *)[SHA1Buffer bytes];
-      return [NSString stringWithFormat:
-          @"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
-          bytes[0], bytes[1], bytes[2], bytes[3], bytes[4], bytes[5], bytes[6], bytes[7], bytes[8],
-          bytes[9], bytes[10], bytes[11], bytes[12], bytes[13], bytes[14], bytes[15], bytes[16],
-          bytes[17], bytes[18], bytes[19]];
-  }];
-}
-
-- (NSData *)certData {
-  return CFBridgingRelease(SecCertificateCopyData(self.certRef));
-}
-
-- (NSString *)commonName {
-  return [self memoizedSelector:_cmd forBlock:^id{
-      CFStringRef commonName = NULL;
-      SecCertificateCopyCommonName(self.certRef, &commonName);
-      return CFBridgingRelease(commonName);
-  }];
-}
-
-- (NSString *)countryName {
-  return [self memoizedSelector:_cmd forBlock:^id{
-      return [self x509ValueForLabel:(__bridge NSString *)kSecOIDCountryName
-                      fromDictionary:[self x509SubjectName]];
-  }];
-}
-
-- (NSString *)orgName {
-  return [self memoizedSelector:_cmd forBlock:^id{
-      return [self x509ValueForLabel:(__bridge NSString *)kSecOIDOrganizationName
-                      fromDictionary:[self x509SubjectName]];
-  }];
-}
-
-- (NSString *)orgUnit {
-  return [self memoizedSelector:_cmd forBlock:^id{
-      return [self x509ValueForLabel:(__bridge NSString *)kSecOIDOrganizationalUnitName
-                      fromDictionary:[self x509SubjectName]];
-  }];
-}
-
-- (NSDate *)validFrom {
-  return [self memoizedSelector:_cmd forBlock:^id{
-      return [self dateForX509Key:(__bridge NSString *)kSecOIDX509V1ValidityNotBefore];
-  }];
-}
-
-- (NSDate *)validUntil {
-  return [self memoizedSelector:_cmd forBlock:^id{
-      return [self dateForX509Key:(__bridge NSString *)kSecOIDX509V1ValidityNotAfter];
-  }];
-}
-
-- (NSString *)issuerCommonName {
-  return [self memoizedSelector:_cmd forBlock:^id{
-      return [self x509ValueForLabel:(__bridge NSString *)kSecOIDCommonName
-                      fromDictionary:[self x509IssuerName]];
-  }];
-}
-
-- (NSString *)issuerCountryName {
-  return [self memoizedSelector:_cmd forBlock:^id{
-      return [self x509ValueForLabel:(__bridge NSString *)kSecOIDCountryName
-                      fromDictionary:[self x509IssuerName]];
-  }];
-}
-
-- (NSString *)issuerOrgName {
-  return [self memoizedSelector:_cmd forBlock:^id{
-      return [self x509ValueForLabel:(__bridge NSString *)kSecOIDOrganizationName
-                      fromDictionary:[self x509IssuerName]];
-  }];
-}
-
-- (NSString *)issuerOrgUnit {
-  return [self memoizedSelector:_cmd forBlock:^id{
-      return [self x509ValueForLabel:(__bridge NSString *)kSecOIDOrganizationalUnitName
-                      fromDictionary:[self x509IssuerName]];
-  }];
-}
-
-
-@end

Source/common/SNTCodesignChecker.h

@@ -1,55 +0,0 @@
-/// Copyright 2014 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-@class SNTCertificate;
-
-/// SNTCodesignChecker validates a binary (either on-disk or in memory) has been signed
-/// and if so allows for pulling out the certificates that were used to sign it.
-@interface SNTCodesignChecker : NSObject
-
-/// The SecStaticCodeRef that this SNTCodesignChecker is working around
-@property(readonly) SecStaticCodeRef codeRef;
-
-/// Returns a dictionary of raw signing information
-@property(readonly) NSDictionary *signingInformation;
-
-/// Returns an array of @c SNTCertificate objects representing the chain that signed this binary.
-@property(readonly) NSArray *certificates;
-
-/// Returns the leaf certificate that this binary was signed with
-@property(readonly) SNTCertificate *leafCertificate;
-
-/// Returns the on-disk path of this binary.
-@property(readonly) NSString *binaryPath;
-
-/// Initialize an @c SNTCodesignChecker with a SecStaticCodeRef
-/// Designated initializer.
-/// Takes ownership of @c codeRef.
-- (instancetype)initWithSecStaticCodeRef:(SecStaticCodeRef)codeRef;
-
-/// Initialize an @c SNTCodesignChecker with a binary on disk.
-/// Returns nil if @c binaryPath does not exist, is not a binary or is not codesigned.
-- (instancetype)initWithBinaryPath:(NSString *)binaryPath;
-
-/// Initialize an @c SNTCodesignChecker with the PID of a running process.
-- (instancetype)initWithPID:(pid_t)PID;
-
-/// Initialize an @c SNTCodesignChecker for the currently-running process.
-- (instancetype)initWithSelf;
-
-/// Returns true if the binary represented by @c otherChecker has signing information that matches
-/// this binary.
-- (BOOL)signingInformationMatches:(SNTCodesignChecker *)otherChecker;
-
-@end

Source/common/SNTCodesignChecker.m

@@ -1,190 +0,0 @@
-/// Copyright 2014 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-#import "SNTCodesignChecker.h"
-
-#import <Security/Security.h>
-
-#import "SNTCertificate.h"
-
-
-// kStaticSigningFlags are the flags used when validating signatures on disk.
-//
-// Don't validate resources but do validate nested code. Ignoring resources _dramatically_ speeds
-// up validation (see below) but does mean images, plists, etc will not be checked and modifying
-// these will not be considered invalid. To ensure any code inside the binary is still checked,
-// we check nested code.
-//
-// Timings with different flags:
-//   Checking Xcode 5.1.1 bundle:
-//      kSecCSDefaultFlags:                                   3.895s
-//      kSecCSDoNotValidateResources:                         0.013s
-//      kSecCSDoNotValidateResources | kSecCSCheckNestedCode: 0.013s
-//
-//   Checking Google Chrome 36.0.1985.143 bundle:
-//      kSecCSDefaultFlags:                                   0.529s
-//      kSecCSDoNotValidateResources:                         0.032s
-//      kSecCSDoNotValidateResources | kSecCSCheckNestedCode: 0.033s
-//
-const SecCSFlags kStaticSigningFlags = kSecCSDoNotValidateResources | kSecCSCheckNestedCode;
-
-// kSigningFlags are the flags used when validating signatures for running binaries.
-//
-// No special flags needed currently.
-const SecCSFlags kSigningFlags = kSecCSDefaultFlags;
-
-
-@implementation SNTCodesignChecker {
-  /// Array of @c SNTCertificate's representing the chain of certs this executable was signed with.
-  NSMutableArray *_certificates;
-}
-
-#pragma mark Init/dealloc
-
-- (instancetype)initWithSecStaticCodeRef:(SecStaticCodeRef)codeRef {
-  self = [super init];
-
-  if (self) {
-    // First check the signing is valid
-    if (CFGetTypeID(codeRef) == SecStaticCodeGetTypeID()) {
-      if (SecStaticCodeCheckValidity(codeRef, kStaticSigningFlags, NULL) != errSecSuccess) {
-        return nil;
-      }
-    } else if (CFGetTypeID(codeRef) == SecCodeGetTypeID()) {
-      if (SecCodeCheckValidity((SecCodeRef)codeRef, kSigningFlags, NULL) != errSecSuccess) {
-        return nil;
-      }
-    } else {
-      return nil;
-    }
-
-    // Get CFDictionary of signing information for binary
-    OSStatus status = errSecSuccess;
-    CFDictionaryRef signingDict = NULL;
-    status = SecCodeCopySigningInformation(codeRef, kSecCSSigningInformation, &signingDict);
-    _signingInformation = CFBridgingRelease(signingDict);
-    if (status != errSecSuccess) return nil;
-
-    // Get array of certificates.
-    NSArray *certs = _signingInformation[(id)kSecCodeInfoCertificates];
-    if (!certs) return nil;
-
-    // Wrap SecCertificateRef objects in SNTCertificate and put in a new NSArray
-    _certificates = [[NSMutableArray alloc] initWithCapacity:certs.count];
-    for (int i = 0; i < certs.count; ++i) {
-      SecCertificateRef certRef = (__bridge SecCertificateRef)certs[i];
-      SNTCertificate *newCert = [[SNTCertificate alloc] initWithSecCertificateRef:certRef];
-      [_certificates addObject:newCert];
-    }
-
-    _codeRef = codeRef;
-    CFRetain(_codeRef);
-  }
-
-  return self;
-}
-
-- (instancetype)initWithBinaryPath:(NSString *)binaryPath {
-  SecStaticCodeRef codeRef = NULL;
-
-  // Get SecStaticCodeRef for binary
-  if (SecStaticCodeCreateWithPath((__bridge CFURLRef)[NSURL fileURLWithPath:binaryPath
-                                                                isDirectory:NO],
-                                  kSecCSDefaultFlags,
-                                  &codeRef) == errSecSuccess) {
-    self = [self initWithSecStaticCodeRef:codeRef];
-  } else {
-    self = nil;
-  }
-
-  if (codeRef) CFRelease(codeRef);
-  return self;
-}
-
-- (instancetype)initWithPID:(pid_t)PID {
-  SecCodeRef codeRef = NULL;
-  NSDictionary *attributes = @{(__bridge NSString *)kSecGuestAttributePid: @(PID)};
-
-  if (SecCodeCopyGuestWithAttributes(NULL,
-                                     (__bridge CFDictionaryRef)attributes,
-                                     kSecCSDefaultFlags,
-                                     &codeRef) == errSecSuccess) {
-    self = [self initWithSecStaticCodeRef:codeRef];
-  } else {
-    self = nil;
-  }
-
-  if (codeRef) CFRelease(codeRef);
-  return self;
-}
-
-- (instancetype)initWithSelf {
-  SecCodeRef codeSelf = NULL;
-  if (SecCodeCopySelf(kSecCSDefaultFlags, &codeSelf) == errSecSuccess) {
-    self = [self initWithSecStaticCodeRef:codeSelf];
-  } else {
-    self = nil;
-  }
-
-  if (codeSelf) CFRelease(codeSelf);
-  return self;
-}
-
-- (instancetype)init {
-  [self doesNotRecognizeSelector:_cmd];
-  return nil;
-}
-
-- (void)dealloc {
-  if (_codeRef) {
-    CFRelease(_codeRef);
-    _codeRef = NULL;
-  }
-}
-
-#pragma mark Description
-
-- (NSString *)description {
-  NSString *binarySource;
-  if (CFGetTypeID(self.codeRef) == SecStaticCodeGetTypeID()) {
-    binarySource = @"On-disk";
-  } else {
-    binarySource = @"In-memory";
-  }
-
-  return [NSString stringWithFormat:@"%@ binary, signed by %@, located at: %@",
-             binarySource,
-             self.leafCertificate.orgName,
-             self.binaryPath];
-}
-
-#pragma mark Public accessors
-
-- (SNTCertificate *)leafCertificate {
-  return [self.certificates firstObject];
-}
-
-- (NSString *)binaryPath {
-  CFURLRef path;
-  OSStatus status = SecCodeCopyPath(_codeRef, kSecCSDefaultFlags, &path);
-  NSURL *pathURL = CFBridgingRelease(path);
-  if (status != errSecSuccess) return nil;
-  return [pathURL path];
-}
-
-- (BOOL)signingInformationMatches:(SNTCodesignChecker *)otherChecker {
-  return [self.certificates isEqual:otherChecker.certificates];
-}
-
-@end