santa-driver: Change when we consider the client connected to avoid getting into a state where events are being held but no memory descriptor is in place yet.

is released before NSURLCredential is created

README.md

@@ -51,16 +51,9 @@ Known Issues
 
 Santa is not yet a 1.0 and we have some known issues to be aware of:
 
-* Potential race-condition: we currently have a single TODO in the kext code to
-investigate a potential race condition where a binary is executed and then very
-quickly modified between the kext getting the SHA-1 and the decision being made.
-
 * Kext communication security: the kext will only accept a connection from a
 single client at a time and said client must be running as root. We haven't yet
-found a good way to ensure the kext only accepts connections from a valid client,
-short of hardcoding the SHA-1 in the kext. This shouldn't present a huge problem
-as the daemon is loaded on boot-up by launchd, so any later attempts to connect
-will be blocked.
+found a good way to ensure the kext only accepts connections from a valid client.
 
 * Database protection: the SQLite database is installed with permissions so that
 only the root user can read/write it. We're considering approaches to secure

Santa.xcodeproj/project.pbxproj

@@ -42,6 +42,7 @@
 		0D1B477119A53419008CADD3 /* AboutWindow.xib in Resources */ = {isa = PBXBuildFile; fileRef = 0D1B476F19A53419008CADD3 /* AboutWindow.xib */; };
 		0D20710E1A7C4A86008B0A9A /* SNTStoredEvent.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DCD604A19105433006B445C /* SNTStoredEvent.m */; };
 		0D28D53819D9F5910015C5EB /* SNTConfigurator.m in Sources */ = {isa = PBXBuildFile; fileRef = 0D42D2B719D2042900955F08 /* SNTConfigurator.m */; };
+		0D2CD4611A81C7B100C9C910 /* dn.plist in Resources */ = {isa = PBXBuildFile; fileRef = 0D2CD4601A81C7B100C9C910 /* dn.plist */; };
 		0D31DF4718D254B3002B300D /* SNTCodesignChecker.m in Sources */ = {isa = PBXBuildFile; fileRef = 0D59C0E317710E6000748EBF /* SNTCodesignChecker.m */; };
 		0D35BD9F18FD71CE00921A21 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 0D9A7F3E1759330500035EB5 /* Foundation.framework */; };
 		0D35BDA218FD71CE00921A21 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = 0D35BDA118FD71CE00921A21 /* main.m */; };
@@ -213,6 +214,7 @@
 		0D28E5E119269B3600280F87 /* SNTLogging.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SNTLogging.h; sourceTree = "<group>"; };
 		0D28E5E31926AFE400280F87 /* SNTKernelCommon.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SNTKernelCommon.h; sourceTree = "<group>"; };
 		0D28E5E41926B55600280F87 /* santactl-Info.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = "santactl-Info.plist"; sourceTree = "<group>"; };
+		0D2CD4601A81C7B100C9C910 /* dn.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = dn.plist; sourceTree = "<group>"; };
 		0D35BD9E18FD71CE00921A21 /* santactl */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = santactl; sourceTree = BUILT_PRODUCTS_DIR; };
 		0D35BDA118FD71CE00921A21 /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = "<group>"; };
 		0D35BDA418FD71CE00921A21 /* santactl-Prefix.pch */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "santactl-Prefix.pch"; sourceTree = "<group>"; };
@@ -403,6 +405,7 @@
 		0D260DB018B68E12002A0B55 /* Resources */ = {
 			isa = PBXGroup;
 			children = (
+				0D2CD4601A81C7B100C9C910 /* dn.plist */,
 				0D6FDC8618C6913D0044685C /* apple.pem */,
 				0D6FDC8218C68D7E0044685C /* GIAG2.crt */,
 				0D6FDC8418C68E500044685C /* GIAG2.pem */,
@@ -863,6 +866,7 @@
 				0D6FDC8518C68E500044685C /* GIAG2.pem in Resources */,
 				0D6FDC8318C68D7E0044685C /* GIAG2.crt in Resources */,
 				0D6F12DA19EDE51E006B218E /* tubitak.crt in Resources */,
+				0D2CD4611A81C7B100C9C910 /* dn.plist in Resources */,
 				0D6FDC8718C6913D0044685C /* apple.pem in Resources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;

Source/common/SNTCertificate.m

@@ -18,9 +18,7 @@
 #import <Security/Security.h>
 
 @interface SNTCertificate ()
-///
 ///  A container for cached property values
-///
 @property NSMutableDictionary *memoizedData;
 @end
 
@@ -46,7 +44,8 @@ static NSString *const kCertDataKey = @"certData";
     // Despite the header file claiming that SecCertificateCreateWithData will return NULL if
     // @c certData doesn't contain a valid DER-encoded X509 cert, this isn't always true.
     // radar://problem/16124651
-    // To workaround, check that the certificate serial number can be retrieved.
+    // To workaround, check that the certificate serial number can be retrieved. According to
+    // RFC5280, the serial number field is required.
     NSData *ser = CFBridgingRelease(SecCertificateCopySerialNumber(cert, NULL));
     if (ser) {
       self = [self initWithSecCertificateRef:cert];

Source/common/SNTStoredEvent.h

@@ -90,4 +90,9 @@
 ///
 @property NSNumber *pid;
 
+///
+///  The parent process ID of the binary being executed.
+///
+@property NSNumber *ppid;
+
 @end

Source/common/SNTStoredEvent.m

@@ -41,6 +41,8 @@
   ENCODE(self.executingUser, @"executingUser");
   ENCODE(self.occurrenceDate, @"occurrenceDate");
   ENCODE(@(self.decision), @"decision");
+  ENCODE(self.pid, @"pid");
+  ENCODE(self.ppid, @"ppid");
 
   ENCODE(self.loggedInUsers, @"loggedInUsers");
   ENCODE(self.currentSessions, @"currentSessions");
@@ -63,6 +65,8 @@
     _executingUser = DECODE(NSString, @"executingUser");
     _occurrenceDate = DECODE(NSDate, @"occurrenceDate");
     _decision = [DECODE(NSNumber, @"decision") intValue];
+    _pid = DECODE(NSNumber, @"pid");
+    _ppid = DECODE(NSNumber, @"ppid");
 
     _loggedInUsers = DECODEARRAY(NSString, @"loggedInUsers");
     _currentSessions = DECODEARRAY(NSString, @"currentSessions");

Source/santa-driver/SantaDecisionManager.cc

@@ -89,12 +89,6 @@ bool SantaDecisionManager::ClientConnected() {
 # pragma mark Listener Control
 
 kern_return_t SantaDecisionManager::StartListener() {
-  process_listener_ = kauth_listen_scope(KAUTH_SCOPE_PROCESS,
-                                         process_scope_callback,
-                                         reinterpret_cast<void *>(this));
-  if (!process_listener_) return kIOReturnInternalError;
-  LOGD("Process listener started.");
-
   vnode_listener_ = kauth_listen_scope(KAUTH_SCOPE_VNODE,
                                        vnode_scope_callback,
                                        reinterpret_cast<void *>(this));
@@ -109,9 +103,6 @@ kern_return_t SantaDecisionManager::StopListener() {
   kauth_unlisten_scope(vnode_listener_);
   vnode_listener_ = NULL;
 
-  kauth_unlisten_scope(process_listener_);
-  process_listener_ = NULL;
-
   // Wait for any active invocations to finish before returning
   do {
     IOSleep(5);
@@ -121,7 +112,6 @@ kern_return_t SantaDecisionManager::StopListener() {
   ClearCache();
 
   LOGD("Vnode listener stopped.");
-  LOGD("Process listener stopped.");
 
   return kIOReturnSuccess;
 }
@@ -258,9 +248,8 @@ santa_action_t SantaDecisionManager::FetchDecision(
       path[0] = '\0';
     }
 
-    // If daemon isn't connected, allow and cache
-    if (owning_pid_ < 1) {
-      LOGI("Exeuction request without daemon running: %s", path);
+    if (!ClientConnected()) {
+      LOGI("Execution request without daemon running: %s", path);
       AddToCache(vnode_id_str,
                  ACTION_RESPOND_CHECKBW_ALLOW,
                  GetCurrentUptime());
@@ -335,38 +324,9 @@ void SantaDecisionManager::DecrementListenerInvocations() {
   OSDecrementAtomic(&listener_invocations_);
 }
 
-bool SantaDecisionManager::MatchesOwningPID(const pid_t other_pid) {
-  return (owning_pid_ == other_pid);
-}
-
 #undef super
 
-#pragma mark Kauth Callbacks
-
-extern "C" int process_scope_callback(
-    kauth_cred_t credential, void *idata, kauth_action_t action,
-    uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3) {
-  if (idata == NULL) {
-    LOGE("Process callback established without valid decision manager.");
-    return KAUTH_RESULT_ALLOW;
-  }
-  SantaDecisionManager *sdm = OSDynamicCast(
-      SantaDecisionManager, reinterpret_cast<OSObject *>(idata));
-
-  // NOTE: this prevents a debugger from attaching to an existing santad
-  // process but doesn't prevent starting santad under a debugger. This check
-  // is only here to try and prevent the user from deadlocking their machine
-  // by attaching a debugger, so if they work around it and end up deadlocking,
-  // that's their problem.
-  if (action == KAUTH_PROCESS_CANTRACE &&
-      sdm->MatchesOwningPID(proc_pid((proc_t)arg0))) {
-    *(reinterpret_cast<int *>(arg1)) = EPERM;
-    LOGD("Denied debugger access");
-    return KAUTH_RESULT_DENY;
-  }
-
-  return KAUTH_RESULT_ALLOW;
-}
+#pragma mark Kauth Callback
 
 extern "C" int vnode_scope_callback(
     kauth_cred_t credential, void *idata, kauth_action_t action,
@@ -391,7 +351,7 @@ extern "C" int vnode_scope_callback(
   // Don't operate on ACCESS events, as they're advisory
   if (action & KAUTH_VNODE_ACCESS) return returnResult;
 
-  // Filter for only WRITE_DATA actions
+  // Filter for only writes
   if (action & KAUTH_VNODE_WRITE_DATA ||
       action & KAUTH_VNODE_APPEND_DATA ||
       action & KAUTH_VNODE_DELETE) {
@@ -431,17 +391,7 @@ extern "C" int vnode_scope_callback(
       default:
         // NOTE: Any unknown response or error condition causes us to fail open.
         // Whilst from a security perspective this is bad, it's important that
-        // we don't break user's machines. Every fallen open response will come
-        // through this code path and cause this log entry to be created, so we
-        // can investigate each case and try to fix the root cause.
-        char path[MAX_PATH_LEN];
-        int name_len = MAX_PATH_LEN;
-        if (vn_getpath(vnode, path, &name_len) != 0) {
-          path[0] = '\0';
-        }
-        LOGW("Didn't receive a valid response for %s. Received: %d.",
-             path,
-             returnedAction);
+        // we don't break user's machines.
         break;
     }
 

Source/santa-driver/SantaDecisionManager.h

@@ -83,10 +83,10 @@ class SantaDecisionManager : public OSObject {
   ///  Returns whether a client is currently connected or not.
   bool ClientConnected();
 
-  ///  Starts both kauth listeners.
+  ///  Starts the kauth listener.
   kern_return_t StartListener();
 
-  ///  Stops both kauth listeners. After stopping new callback requests,
+  ///  Stops the kauth listener. After stopping new callback requests,
   ///  waits until all current invocations have finished before clearing the
   ///  cache and returning.
   kern_return_t StopListener();
@@ -128,16 +128,12 @@ class SantaDecisionManager : public OSObject {
   ///  Returns the current system uptime in microseconds
   uint64_t GetCurrentUptime();
 
-
   ///  Increments the count of active vnode callback's pending.
   void IncrementListenerInvocations();
 
   ///  Decrements the count of active vnode callback's pending.
   void DecrementListenerInvocations();
 
-  ///  Returns true if other_pid is the same as the current client pid.
-  bool MatchesOwningPID(const pid_t other_pid);
-
  private:
   OSDictionary *cached_decisions_;
   IORWLock *cached_decisions_lock_;
@@ -151,7 +147,6 @@ class SantaDecisionManager : public OSObject {
   proc_t owning_proc_;
 
   kauth_listener_t vnode_listener_;
-  kauth_listener_t process_listener_;
 };
 
 ///
@@ -168,18 +163,4 @@ extern "C" int vnode_scope_callback(
     kauth_cred_t credential, void *idata, kauth_action_t action,
     uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3);
 
-///
-///  The kauth callback function for the Process scope
-///  @param actor's credentials
-///  @param data that was passed when the listener was registered
-///  @param action that was requested (KAUTH_PROCESS_{CANTRACE,CANSIGNAL})
-///  @param target process
-///  @param Pointer to an errno-style error.
-///  @param unused
-///  @param unused
-///
-extern "C" int process_scope_callback(
-    kauth_cred_t credential, void *idata, kauth_action_t action,
-    uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3);
-
 #endif  // SANTA__SANTA_DRIVER__SANTADECISIONMANAGER_H

Source/santa-driver/SantaDriverClient.cc

@@ -94,6 +94,9 @@ IOReturn SantaDriverClient::clientMemoryForType(UInt32 type,
     fSharedMemory->retain();  // client will decrement this ref
     *memory = fSharedMemory;
 
+    fSDM->ConnectClient(fDataQueue, proc_selfpid());
+    LOGI("Client connected, PID: %d.", proc_selfpid());
+
     return kIOReturnSuccess;
   }
 
@@ -122,10 +125,6 @@ IOReturn SantaDriverClient::open() {
     return kIOReturnVMError;
   }
 
-  fSDM->ConnectClient(fDataQueue, proc_selfpid());
-
-  LOGI("Client connected, PID: %d.", proc_selfpid());
-
   return kIOReturnSuccess;
 }
 

Source/santa-driver/SantaDriverClient.h

@@ -29,7 +29,7 @@
 #include "SNTKernelCommon.h"
 
 // The maximum number of messages can be kept in the IODataQueue at any time.
-const int kMaxQueueEvents = 64;
+const int kMaxQueueEvents = 256;
 
 ///
 ///  This class is instantiated by IOKit when a new client process attempts to

Source/santactl/sync/SNTAuthenticatingURLSession.h

@@ -29,6 +29,11 @@
 ///
 @property(nonatomic) NSString *userAgent;
 
+///
+///  If set to YES, this session refuses redirect requests. Defaults to NO.
+///
+@property(nonatomic) BOOL refusesRedirects;
+
 ///
 ///  If set, the server that we connect to _must_ match this string. Redirects to other
 ///  hosts will not be allowed.

Source/santactl/sync/SNTAuthenticatingURLSession.m

@@ -15,7 +15,6 @@
 #import "SNTAuthenticatingURLSession.h"
 
 #import "SNTCertificate.h"
-#import "SNTConfigurator.h"
 #import "SNTDERDecoder.h"
 #import "SNTLogging.h"
 
@@ -107,6 +106,18 @@
   completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
 }
 
+- (void)URLSession:(NSURLSession *)session
+                          task:(NSURLSessionTask *)task
+    willPerformHTTPRedirection:(NSHTTPURLResponse *)response
+                    newRequest:(NSURLRequest *)request
+             completionHandler:(void (^)(NSURLRequest *))completionHandler {
+  if (self.refusesRedirects) {
+    completionHandler(NULL);
+  } else {
+    completionHandler(request);
+  }
+}
+
 #pragma mark Private Helpers for URLSession:didReceiveChallenge:completionHandler:
 
 ///
@@ -152,6 +163,7 @@
     }
 
     foundIdentity = (__bridge SecIdentityRef)identities[0][(__bridge id)kSecImportItemIdentity];
+    CFRetain(foundIdentity);
   } else {
     CFArrayRef cfIdentities;
     err = SecItemCopyMatching((__bridge CFDictionaryRef)@{
@@ -186,6 +198,7 @@
         if ([clientCert.commonName compare:self.clientCertCommonName
                                    options:NSCaseInsensitiveSearch] == NSOrderedSame) {
           foundIdentity = identityRef;
+          CFRetain(foundIdentity);
           *stop = YES;
           return;  // return from enumeration block
         }
@@ -193,6 +206,7 @@
         if ([clientCert.issuerCommonName compare:self.clientCertIssuerCn
                                          options:NSCaseInsensitiveSearch] == NSOrderedSame) {
           foundIdentity = identityRef;
+          CFRetain(foundIdentity);
           *stop = YES;
           return;  // return from enumeration block
         }
@@ -206,6 +220,7 @@
               [clientCert.issuerOrgUnit isEqual:decoder.organizationalUnit]) {
 
             foundIdentity = identityRef;
+            CFRetain(foundIdentity);
             *stop = YES;
             return;  // return from enumeration block
           }
@@ -216,9 +231,12 @@
 
   if (foundIdentity) {
     LOGD(@"Client Trust: Valid client identity %@.", foundIdentity);
-    return [NSURLCredential credentialWithIdentity:foundIdentity
-                                      certificates:nil
-                                       persistence:NSURLCredentialPersistenceForSession];
+    NSURLCredential *cred =
+        [NSURLCredential credentialWithIdentity:foundIdentity
+                                   certificates:nil
+                                    persistence:NSURLCredentialPersistenceForSession];
+    CFRelease(foundIdentity);
+    return cred;
   } else {
     LOGD(@"Client Trust: No valid identity found.");
     return nil;

Source/santactl/sync/SNTCommandSync.m

@@ -78,6 +78,7 @@ REGISTER_COMMAND_NAME(@"sync");
   if (santactlVersion) {
      authURLSession.userAgent = [authURLSession.userAgent stringByAppendingString:santactlVersion];
   }
+  authURLSession.refusesRedirects = YES;
 
   // Configure server auth
   if ([config syncServerAuthRootsFile]) {

Source/santactl/sync/SNTCommandSyncEventUpload.m

@@ -143,6 +143,9 @@
   ADDKEY(newEvent, @"file_bundle_version", event.fileBundleVersion);
   ADDKEY(newEvent, @"file_bundle_version_string", event.fileBundleVersionString);
 
+  ADDKEY(newEvent, @"pid", event.pid);
+  ADDKEY(newEvent, @"ppid", event.ppid);
+
   NSMutableArray *signingChain = [NSMutableArray arrayWithCapacity:event.signingChain.count];
   for (int i = 0; i < event.signingChain.count; i++) {
     SNTCertificate *cert = [event.signingChain objectAtIndex:i];

Source/santactl/sync/SNTDERDecoder.h

@@ -1,3 +1,17 @@
+/// Copyright 2015 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
 ///
 /// This is a simple ASN.1 decoder that utilizes Apple's SecAsn1Decode
 /// to parse the @c distinguishedNames property of NSURLProtectionSpace.

Source/santactl/sync/SNTDERDecoder.m

@@ -1,3 +1,17 @@
+/// Copyright 2015 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
 #import "SNTDERDecoder.h"
 
 #import <Security/SecAsn1Coder.h>

Source/santad/SNTApplication.m

@@ -138,6 +138,7 @@
                 [self.execController validateBinaryWithPath:@(message.path)
                                                    userName:userName
                                                         pid:@(message.pid)
+                                                       ppid:@(message.ppid)
                                                     vnodeId:message.vnode_id];
             });
             break;

Source/santad/SNTExecutionController.h

@@ -53,11 +53,13 @@
 ///  @param path the binary that's being executed
 ///  @param userName the user who's executing the binary
 ///  @param pid the process id being executed
+///  @param ppid the parent process id
 ///  @param vnoteId the id of the vnode being executed
 ///
 - (void)validateBinaryWithPath:(NSString *)path
                       userName:(NSString *)userName
                            pid:(NSNumber *)pid
+                          ppid:(NSNumber *)ppid
                        vnodeId:(uint64_t)vnodeId;
 
 

Source/santad/SNTExecutionController.m

@@ -61,6 +61,7 @@
 - (void)validateBinaryWithPath:(NSString *)path
                       userName:(NSString *)userName
                            pid:(NSNumber *)pid
+                          ppid:(NSNumber *)ppid
                        vnodeId:(uint64_t)vnodeId {
   SNTFileInfo *binInfo = [[SNTFileInfo alloc] initWithPath:path];
   NSString *sha256 = [binInfo SHA256];
@@ -121,6 +122,7 @@
     se.occurrenceDate = [[NSDate alloc] init];
     se.decision = [self eventStateForDecision:respondedAction type:rule.type];
     se.pid = pid;
+    se.ppid = ppid;
 
     NSArray *loggedInUsers, *currentSessions;
     [self loggedInUsers:&loggedInUsers sessions:&currentSessions];

Tests/LogicTests/Resources/dn.plist

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<array>
+	<data>
+	MIGcMQswCQYDVQQGEwJVUzERMA8GA1UECAwIVGhlIE1vb24xEjAQBgNVBAcMCU1vb24g
+	QmFzZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMSkwJwYDVQQLDCBB
+	d2Vzb21lIEF1dGhlbnRpY2F0aW9uIEF1dGhvcml0eTEYMBYGA1UEAwwPYXV0aC5zZXJ2
+	ZXIuY29t
+	</data>
+</array>
+</plist>

Tests/LogicTests/SNTCertificateTest.m

@@ -80,9 +80,11 @@
   XCTAssertEqualObjects(sut.commonName, @"Google Internet Authority G2");
   XCTAssertEqualObjects(sut.orgUnit, nil);
   XCTAssertEqualObjects(sut.orgName, @"Google Inc");
+  XCTAssertEqualObjects(sut.countryName, @"US");
   XCTAssertEqualObjects(sut.issuerCommonName, @"GeoTrust Global CA");
   XCTAssertEqualObjects(sut.issuerOrgName, @"GeoTrust Inc.");
   XCTAssertEqualObjects(sut.issuerOrgUnit, nil);
+  XCTAssertEqualObjects(sut.issuerCountryName, @"US");
   XCTAssertEqualObjects(sut.SHA1, @"d83c1a7f4d0446bb2081b81a1670f8183451ca24");
   XCTAssertEqualObjects(sut.SHA256,
       @"a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d");
@@ -97,6 +99,7 @@
                         @"Ulusal Elektronik ve Kriptoloji Araştırma Enstitüsü - UEKAE");
   XCTAssertEqualObjects(sut.orgName,
                         @"Türkiye Bilimsel ve Teknolojik Araştırma Kurumu - TÜBİTAK");
+  XCTAssertEqualObjects(sut.countryName, @"TR");
 }
 
 - (void)testInitWithValidPEM {
@@ -219,6 +222,8 @@
   (void)sut.orgName;
   (void)sut.issuerCommonName;
   (void)sut.validFrom;
+  (void)sut.countryName;
+  (void)sut.issuerCountryName;
 
   // Now break some of the properties
   OCMStub([sutMock x509ValueForLabel:OCMOCK_ANY fromDictionary:OCMOCK_ANY]);
@@ -227,6 +232,8 @@
   XCTAssertEqualObjects(sut.orgName, @"Google Inc");
   XCTAssertEqualObjects(sut.issuerCommonName, @"GeoTrust Global CA");
   XCTAssertEqualObjects(sut.validFrom, [NSDate dateWithString:@"2013-04-05 15:15:55 +0000"]);
+  XCTAssertEqualObjects(sut.countryName, @"US");
+  XCTAssertEqualObjects(sut.issuerCountryName, @"US");
 }
 
 @end

Tests/LogicTests/SNTDERDecoderTest.m

@@ -33,6 +33,17 @@
   [super tearDown];
 }
 
+- (void)testAllFields {
+  NSString *file = [[NSBundle bundleForClass:[self class]] pathForResource:@"dn" ofType:@"plist"];
+  NSArray *distinguishedNames = [NSArray arrayWithContentsOfFile:file];
+
+  SNTDERDecoder *sut = [[SNTDERDecoder alloc] initWithData:[distinguishedNames firstObject]];
+  XCTAssertEqualObjects(sut.commonName, @"auth.server.com");
+  XCTAssertEqualObjects(sut.organizationName, @"Internet Widgits Pty Ltd");
+  XCTAssertEqualObjects(sut.organizationalUnit, @"Awesome Authentication Authority");
+  XCTAssertEqualObjects(sut.countryName, @"US");
+}
+
 - (void)testOIDDecoding {
   unsigned char oidBytes1[] = {0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x14};
   NSString *oidStr = [SNTDERDecoder decodeOIDWithBytes:oidBytes1 length:sizeof(oidBytes1)];

Tests/LogicTests/SNTExecutionControllerTest.m

@@ -80,6 +80,7 @@
   [self.sut validateBinaryWithPath:@"/a/file"
                           userName:@"nobody"
                                pid:@(12)
+                              ppid:@(1)
                            vnodeId:1234];
 
   OCMVerify([self.mockDriverManager postToKernelAction:ACTION_RESPOND_CHECKBW_ALLOW
@@ -101,6 +102,7 @@
   [self.sut validateBinaryWithPath:@"/a/file"
                           userName:@"nobody"
                                pid:@(12)
+                              ppid:@(1)
                            vnodeId:1234];
 
   OCMVerify([self.mockDriverManager postToKernelAction:ACTION_RESPOND_CHECKBW_DENY
@@ -125,6 +127,7 @@
   [self.sut validateBinaryWithPath:@"/a/file"
                           userName:@"nobody"
                                pid:@(12)
+                              ppid:@(1)
                            vnodeId:1234];
 
   OCMVerify([self.mockDriverManager postToKernelAction:ACTION_RESPOND_CHECKBW_ALLOW
@@ -149,6 +152,7 @@
   [self.sut validateBinaryWithPath:@"/a/file"
                           userName:@"nobody"
                                pid:@(12)
+                              ppid:@(1)
                            vnodeId:1234];
 
   OCMVerify([self.mockDriverManager postToKernelAction:ACTION_RESPOND_CHECKBW_DENY
@@ -160,7 +164,11 @@
   OCMStub([mockSut fileIsInScope:OCMOCK_ANY]).andReturn(YES);
 
   [self.sut setOperatingMode:CLIENTMODE_MONITOR];
-  [self.sut validateBinaryWithPath:@"/a/file" userName:@"nobody" pid:@(12) vnodeId:1234];
+  [self.sut validateBinaryWithPath:@"/a/file"
+                          userName:@"nobody"
+                               pid:@(12)
+                              ppid:@(1)
+                           vnodeId:1234];
   OCMVerify([self.mockDriverManager postToKernelAction:ACTION_RESPOND_CHECKBW_ALLOW
                                             forVnodeID:1234]);
 
@@ -168,6 +176,7 @@
   [self.sut validateBinaryWithPath:@"/a/file"
                           userName:@"nobody"
                                pid:@(12)
+                              ppid:@(1)
                            vnodeId:1234];
   OCMVerify([self.mockDriverManager postToKernelAction:ACTION_RESPOND_CHECKBW_DENY
                                             forVnodeID:1234]);
@@ -178,7 +187,11 @@
   OCMStub([mockSut fileIsInScope:OCMOCK_ANY]).andReturn(NO);
 
   [self.sut setOperatingMode:CLIENTMODE_LOCKDOWN];
-  [self.sut validateBinaryWithPath:@"/a/file" userName:@"nobody" pid:@(24) vnodeId:1234];
+  [self.sut validateBinaryWithPath:@"/a/file"
+                          userName:@"nobody"
+                               pid:@(24)
+                              ppid:@(1)   
+                           vnodeId:1234];
   OCMVerify([self.mockDriverManager postToKernelAction:ACTION_RESPOND_CHECKBW_ALLOW
                                             forVnodeID:1234]);
 }