santad: Pass santa_message_t straight to SNTExecutionController

Fix an installation error with CocoaPods.

.travis.yml

@@ -2,9 +2,7 @@
 language: objective-c
 
 before_install:
- - gem install cocoapods
- - brew update
- - brew upgrade xctool
+ - gem install cocoapods xcpretty
 
 script:
- - xctool -workspace Santa.xcworkspace -scheme All build test CODE_SIGN_IDENTITY=''
+ - xcodebuild -workspace Santa.xcworkspace -scheme All build test CODE_SIGN_IDENTITY='' | xcpretty -sc && exit ${PIPESTATUS[0]}

Conf/Package/Makefile

@@ -0,0 +1,84 @@
+#
+#  Package Makefile for Santa
+#  Requires TheLuggage (github.com/unixorn/luggage) to be installed
+#
+#  Will generate a package based on the latest release. You can replace
+#  the PACKAGE_VERSION variable with a specific variable instead if you wish.
+#
+
+LUGGAGE:=/usr/local/share/luggage/luggage.make
+include ${LUGGAGE}
+
+TITLE:=santa
+REVERSE_DOMAIN:=com.google
+
+# Get latest Release version using the GitHub API. Each release is bound to a
+# git tag, which should always be a semantic version number. The most recent
+# release is always first in the API result.
+PACKAGE_VERSION:=$(shell curl -fs https://api.github.com/repos/google/santa/releases |\
+	python -c 'import json, sys; print json.load(sys.stdin)[0]["tag_name"]' 2>/dev/null)
+
+# Get the download URL for the latest Release. Each release should have a
+# tarball named santa-$version.tar.bz2 containing all of the files associated
+# with that release. The tarball layout is:
+#
+#   santa-$version.tar.bz2
+#   +--santa-$version
+#         |-- binaries
+#         |    |-- santa-driver.kext
+#         |    |-- Santa.app
+#         |-- conf
+#         |    |-- install.sh
+#         |    |-- com.google.santad.plist
+#         |    |-- com.google.santagui.plist
+#         |    +-- com.google.santa.asl.conf
+#         +--dsym
+#              |-- santa-driver.kext.dSYM
+#              |-- Santa.app.dSYM
+#              |-- santad.dSYM
+#              +-- santactl.dSYM
+PACKAGE_DOWNLOAD_URL:="https://github.com/google/santa/releases/download/${PACKAGE_VERSION}/santa-${PACKAGE_VERSION}.tar.bz2"
+
+PAYLOAD:=pack-Library-Extensions-santa-driver.kext \
+	pack-applications-Santa.app \
+	pack-Library-LaunchDaemons-com.google.santad.plist \
+	pack-Library-LaunchAgents-com.google.santagui.plist \
+	pack-etc-asl-com.google.santa.asl.conf \
+	pack-script-preinstall \
+	pack-script-postinstall
+
+santa-driver.kext: download
+Santa.app: download
+com.google.santad.plist: download
+com.google.santagui.plist: download
+com.google.santa.asl.conf: download
+
+download:
+	$(if $(PACKAGE_VERSION),, $(error GitHub API returned unexpected result. Wait a while and try again))
+
+	@curl -fL ${PACKAGE_DOWNLOAD_URL} | tar xvj --strip=2
+	@rm -rf *.dSYM
+
+pack-etc-asl-com.google.santa.asl.conf: com.google.santa.asl.conf l_private_etc
+	@sudo mkdir -p ${WORK_D}/private/etc/asl
+	@sudo chown root:wheel ${WORK_D}/private/etc/asl
+	@sudo chmod 755 ${WORK_D}/private/etc/asl
+	@sudo install -m 644 -o root -g wheel com.google.santa.asl.conf ${WORK_D}/private/etc/asl
+
+pack-Library-Extensions-santa-driver.kext: santa-driver.kext l_Library
+	@sudo mkdir -p ${WORK_D}/Library/Extensions
+	@sudo ${DITTO} --noqtn santa-driver.kext ${WORK_D}/Library/Extensions/santa-driver.kext
+	@sudo chown -R root:wheel ${WORK_D}/Library/Extensions/santa-driver.kext
+	@sudo chmod -R 755 ${WORK_D}/Library/Extensions/santa-driver.kext
+
+clean: myclean
+
+myclean:
+	@rm -rf *.dSYM
+	@rm -rf Santa.app
+	@rm -rf santa-driver.kext
+	@rm -f config.plist
+	@rm -f com.google.santa.asl.conf
+	@rm -f com.google.santad.plist
+	@rm -f com.google.santagui.plist
+	@rm -f install.sh

Conf/Package/postinstall

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Load the kernel extension, santad, sync client
+# If a user is logged in, also load the GUI agent.
+# If the target volume is not /, do nothing
+
+[[ $3 != "/" ]] && exit 0
+
+# Restart syslogd to pick up ASL configuration change
+/usr/bin/killall -HUP syslogd
+
+/sbin/kextload /Library/Extensions/santa-driver.kext
+
+sleep 1
+
+/bin/launchctl load -w /Library/LaunchDaemons/com.google.santad.plist
+
+sleep 1
+
+# Create hopefully useful symlink for santactl
+/bin/ln -s /Library/Extensions/santa-driver.kext/Contents/MacOS/santactl /usr/local/bin
+
+user=$(/usr/bin/stat -f '%u' /dev/console)
+[[ -z "$user" ]] && exit 0
+/bin/launchctl asuser ${user} /bin/launchctl load /Library/LaunchAgents/com.google.santagui.plist
+
+exit 0

Conf/Package/preinstall

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Unload the kernel extension, santad, sync client
+# If a user is logged in, also unload the GUI agent.
+# If the target volume is not /, do nothing
+
+[[ $3 != "/" ]] && exit 0
+
+/bin/launchctl remove com.google.santad
+
+sleep 1
+
+/sbin/kextunload -b com.google.santa-driver >/dev/null 2>&1
+
+# Remove cruft from old Santa versions
+/bin/rm /usr/libexec/santad
+/bin/rm /usr/sbin/santactl
+/bin/launchctl remove com.google.santasync
+/bin/rm /Library/LaunchDaemons/com.google.santasync.plist
+
+sleep 1
+
+user=$(/usr/bin/stat -f '%u' /dev/console)
+[[ -n "$user" ]] && /bin/launchctl asuser ${user} /bin/launchctl remove com.google.santagui
+
+exit 0

Conf/com.google.santa.asl.conf

@@ -1,4 +1,8 @@
 # Copy this file to /etc/asl to log all messages from santa-driver to the log file
-? [S= Message santa-driver:] claim only
-? [S= Message santa-driver:] file /var/log/santa.log format="[$((Time)(utc.3))] $Message"
-> /var/log/santa.log mode=0644 rotate=seq compress file_max=5M all_max=100M
+> /var/log/santa.log format="[$((Time)(utc.3))] $Message" mode=0644 rotate=seq compress file_max=10M all_max=100M uid=0 gid=0
+? [S= Message santa-driver:] claim
+? [S= Message santa-driver:] file /var/log/santa.log
+? [= Sender santad] claim
+? [= Sender santad] file /var/log/santa.log
+? [= Sender santactl] claim
+? [= Sender santactl] file /var/log/santa.log

Conf/com.google.santad.plist

@@ -6,19 +6,15 @@
 				<string>com.google.santad</string>
 				<key>ProgramArguments</key>
 				<array>
-								<string>/usr/libexec/santad</string>
+					<string>/Library/Extensions/santa-driver.kext/Contents/MacOS/santad</string>
 				</array>
 				<key>MachServices</key>
 				<dict>
-								<key>SantaXPCNotifications</key>
-								<true/>
-								<key>SantaXPCControl</key>
-								<true/>
+					<key>SantaXPCNotifications</key>
+					<true/>
+					<key>SantaXPCControl</key>
+					<true/>
 				</dict>
-				<key>StandardOutPath</key>
-				<string>/var/log/santa.log</string>
-				<key>StandardErrorPath</key>
-				<string>/var/log/santa.log</string>
 				<key>RunAtLoad</key>
 				<true/>
 				<key>KeepAlive</key>

Conf/com.google.santagui.plist

@@ -10,5 +10,7 @@
 				</array>
 				<key>RunAtLoad</key>
 				<true/>
+				<key>KeepAlive</key>
+				<true/>
 </dict>
 </plist>

Conf/com.google.santasync.plist

@@ -1,19 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-				<key>Label</key>
-				<string>com.google.santasync</string>
-				<key>ProgramArguments</key>
-				<array>
-								<string>/usr/sbin/santactl</string>
-								<string>sync</string>
-				</array>
-				<key>StandardErrorPath</key>
-				<string>/var/log/santa.log</string>
-				<key>ProcessType</key>
-				<string>Background</string>
-				<key>StartInterval</key>
-				<integer>600</integer>
-</dict>
-</plist>

Conf/install.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+
+if [[ $EUID -ne 0 ]]; then
+  echo "This script must be run as root" 1>&2
+  exit 1
+fi
+
+if [[ -d "binaries" ]]; then
+  SOURCE="."
+elif [[ -d "../binaries" ]]; then
+  SOURCE=".."
+else
+  echo "Can't find binaries, run install.sh from inside the conf directory" 1>&2
+  exit 1
+fi
+
+# Determine if anyone is logged into the GUI
+GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
+
+# Unload santad and scheduled sync job.
+/bin/launchctl remove com.google.santad >/dev/null 2>&1
+
+# Unload kext.
+/sbin/kextunload -b com.google.santa-driver >/dev/null 2>&1
+
+# Unload GUI agent if someone is logged in.
+[[ -n "$GUI_USER" ]] && \
+  /bin/launchctl asuser ${GUI_USER} /bin/launchctl remove /Library/LaunchAgents/com.google.santagui.plist
+
+# Cleanup cruft from old versions
+/bin/launchctl remove com.google.santasync >/dev/null 2>&1
+/bin/rm /Library/LaunchDaemons/com.google.santasync.plist >/dev/null 2>&1
+/bin/rm /usr/libexec/santad >/dev/null 2>&1
+/bin/rm /usr/sbin/santactl >/dev/null 2>&1
+
+# Copy new files.
+/bin/cp -r ${SOURCE}/binaries/santa-driver.kext /Library/Extensions
+/bin/cp -r ${SOURCE}/binaries/Santa.app /Applications
+/bin/ln -s /Library/Extensions/santa-driver.kext/Contents/MacOS/santactl /usr/local/bin
+
+/bin/cp ${SOURCE}/conf/com.google.santad.plist /Library/LaunchDaemons
+/bin/cp ${SOURCE}/conf/com.google.santagui.plist /Library/LaunchAgents
+/bin/cp ${SOURCE}/conf/com.google.santa.asl.conf /etc/asl/
+
+# Reload syslogd to pick up ASL configuration change.
+/usr/bin/killall -HUP syslogd
+
+# Load kext.
+/sbin/kextload /Library/Extensions/santa-driver.kext
+
+# Load santad and scheduled sync jobs.
+/bin/launchctl load /Library/LaunchDaemons/com.google.santad.plist
+
+# Load GUI agent if someone is logged in.
+[[ -n "$GUI_USER" ]] && \
+  /bin/launchctl asuser ${GUI_USER} /bin/launchctl load /Library/LaunchAgents/com.google.santagui.plist
+
+exit 0

Podfile

@@ -5,12 +5,13 @@ inhibit_all_warnings!
 target :santad do
   pod 'FMDB'
 
-  post_install do |rep|
-    rep.project.targets.each do |target|
+  post_install do |installer|
+    installer.pods_project.targets.each do |target|
       target.build_configurations.each do |config|
         if config.name != 'Release' then
           break
         end
+
         config.build_settings['GCC_PREPROCESSOR_DEFINITIONS'] ||= ''
         config.build_settings['GCC_PREPROCESSOR_DEFINITIONS'] <<= "NDEBUG=1"
       end

Podfile.lock

@@ -11,7 +11,7 @@ DEPENDENCIES:
   - OCMock
 
 SPEC CHECKSUMS:
-  FMDB: 0efa188cf0dd1ce82c27a478cd5f5fa245308677
-  OCMock: ecdd510b73ef397f2f97274785c1e87fd147c49f
+  FMDB: 96e8f1bcc1329e269330f99770ad4285d9003e52
+  OCMock: a10ea9f0a6e921651f96f78b6faee95ebc813b92
 
-COCOAPODS: 0.35.0
+COCOAPODS: 0.38.0

README.md

@@ -46,11 +46,21 @@ server.
 programming interfaces to do its job. This means that the kext code should
 continue to work across OS versions.
 
+Intentions and Expectations
+===========================
+No single system or process will stop *all* attacks, or provide 100% security. Santa is written with the intention of helping protect users from themselves. People often download malware and trust it, giving the malware credentials, or allowing unknown software to exfiltrate more data about your system. As a centrally managed component, Santa can help stop the spread of malware among a larger fleet of machines. Additionally, Santa can aid in analyzing what is running in your fleet.
+
+Santa is part of a defense-in-depth strategy, and you should continue to protect hosts in whatever other ways you see fit.
+
 Known Issues
 ============
-
 Santa is not yet a 1.0 and we have some known issues to be aware of:
 
+* Santa only blocks execution (execve and variants), it doesn't protect against
+dynamic libraries loaded with dlopen, libraries on disk that have been replaced or
+libraries loaded using DYLD_INSERT_LIBRARIES. We are working on also protecting
+against these avenues of attack.
+
 * Kext communication security: the kext will only accept a connection from a
 single client at a time and said client must be running as root. We haven't yet
 found a good way to ensure the kext only accepts connections from a valid client.
@@ -80,7 +90,6 @@ option) if it would be useful to others.
 
 Building
 ========
-
 ```sh
 git clone https://github.com/google/santa
 cd santa
@@ -98,7 +107,6 @@ and for security-reasons parts of Santa will not operate properly if not signed.
 
 Kext Signing
 ============
-
 10.9 requires a special Developer ID certificate to sign kernel extensions and
 if the kext is not signed with one of these special certificates a warning will
 be shown when loading the kext for the first time. In 10.10 this is a hard error
@@ -124,11 +132,9 @@ kext-dev mode, instructions for which can be found on the Apple developer site.
 
 Contributing
 ============
-
 Patches to this project are very much welcome. Please see the [CONTRIBUTING](https://github.com/google/santa/blob/master/CONTRIBUTING.md)
 file.
 
 Disclaimer
 ==========
-
 This is **not** an official Google product.

Rakefile

@@ -1,46 +1,24 @@
 require 'timeout'
 
-WORKSPACE       = 'Santa.xcworkspace'
-DEFAULT_SCHEME  = 'All'
-OUTPUT_PATH     = 'Build'
-DIST_PATH       = 'Dist'
-BINARIES        = ['Santa.app', 'santa-driver.kext', 'santad', 'santactl']
-XCTOOL_DEFAULTS = "-workspace #{WORKSPACE}"
-XCODE_DEFAULTS  = "-workspace #{WORKSPACE} -derivedDataPath #{OUTPUT_PATH} -parallelizeTargets"
+WORKSPACE           = 'Santa.xcworkspace'
+DEFAULT_SCHEME      = 'All'
+OUTPUT_PATH         = 'Build'
+DIST_PATH           = 'Dist'
+BINARIES            = ['Santa.app', 'santa-driver.kext']
+XCPRETTY_DEFAULTS   = '-sc'
+XCODEBUILD_DEFAULTS = "-workspace #{WORKSPACE} -derivedDataPath #{OUTPUT_PATH} -parallelizeTargets"
 
 task :default do
   system("rake -sT")
 end
 
-def xctool_available
-  return system 'xctool --version >/dev/null 2>&1'
-end
-
-def run_and_output_on_fail(cmd)
-  output=`#{cmd} 2>&1`
-  if not $?.success?
-    raise output
-  end
-end
-
-def run_and_output_with_color(cmd)
-  output=`#{cmd} 2>&1`
-
-  has_output = false
-  output.scan(/((Test Suite|Test Case|Executed).*)$/) do |match|
-    has_output = true
-    out = match[0]
-    if out.include?("passed")
-      puts "\e[32m#{out}\e[0m"
-    elsif out.include?("failed")
-      puts "\e[31m#{out}\e[0m"
-    else
-      puts out
-    end
-  end
-
-  if not has_output
-    raise output
+def xcodebuild(opts)
+  if system "xcodebuild #{XCODEBUILD_DEFAULTS} #{opts} | " \
+      "xcpretty #{XCPRETTY_DEFAULTS} && " \
+      "exit ${PIPESTATUS[0]}"
+    puts "\e[32mPass\e[0m"
+  else
+    raise "\e[31mFail\e[0m"
   end
 end
 
@@ -49,19 +27,20 @@ task :init do
     puts "Pods missing, running 'pod install'"
     system "pod install" or raise "CocoaPods is not installed. Install with 'sudo gem install cocoapods'"
   end
+  unless system 'xcpretty -v >/dev/null 2>&1'
+    puts "xcpretty is not installed. Install with 'sudo gem install xcpretty'"
+  end
 end
 
 task :remove_existing do
-  system 'sudo rm -rf /santa-driver.kext'
+  system 'sudo rm -rf /Library/Extensions/santa-driver.kext'
   system 'sudo rm -rf /Applications/Santa.app'
-  system 'sudo rm /usr/libexec/santad'
-  system 'sudo rm /usr/sbin/santactl'
 end
 
 desc "Clean"
 task :clean => :init do
   puts "Cleaning"
-  system "xcodebuild #{XCODE_DEFAULTS} -scheme All clean"
+  xcodebuild("-scheme All clean")
   FileUtils.rm_rf(OUTPUT_PATH)
   FileUtils.rm_rf(DIST_PATH)
 end
@@ -81,11 +60,7 @@ namespace :build do
   task :build, [:configuration] => :init do |t, args|
     config = args[:configuration]
     puts "Building with configuration: #{config}"
-    if xctool_available
-      system "xctool #{XCTOOL_DEFAULTS} -scheme All -configuration #{config} build"
-    else
-      system "xcodebuild #{XCODE_DEFAULTS} -scheme All -configuration #{config} build"
-    end
+    xcodebuild("-scheme All -configuration #{config} build")
   end
 end
 
@@ -105,16 +80,13 @@ namespace :install do
   task :install, [:configuration] do |t, args|
     config = args[:configuration]
     system 'sudo cp conf/com.google.santad.plist /Library/LaunchDaemons'
-    system 'sudo cp conf/com.google.santasync.plist /Library/LaunchDaemons'
     system 'sudo cp conf/com.google.santagui.plist /Library/LaunchAgents'
     system 'sudo cp conf/com.google.santa.asl.conf /etc/asl'
     Rake::Task['build:build'].invoke(config)
     puts "Installing with configuration: #{config}"
     Rake::Task['remove_existing'].invoke()
-    system "sudo cp -r #{OUTPUT_PATH}/Products/#{config}/santa-driver.kext /"
+    system "sudo cp -r #{OUTPUT_PATH}/Products/#{config}/santa-driver.kext /Library/Extensions"
     system "sudo cp -r #{OUTPUT_PATH}/Products/#{config}/Santa.app /Applications"
-    system "sudo cp #{OUTPUT_PATH}/Products/#{config}/santad /usr/libexec"
-    system "sudo cp #{OUTPUT_PATH}/Products/#{config}/santactl /usr/sbin"
   end
 end
 
@@ -135,7 +107,7 @@ task :dist do
     FileUtils.cp_r("#{OUTPUT_PATH}/Products/Release/#{x}.dSYM", "#{DIST_PATH}/dsym")
   end
 
-  Dir.glob("Conf/*") {|x| FileUtils.cp(x, "#{DIST_PATH}/conf")}
+  Dir.glob("Conf/*") {|x| File.directory?(x) or FileUtils.cp(x, "#{DIST_PATH}/conf")}
 
   puts "Distribution folder created"
 end
@@ -145,11 +117,7 @@ namespace :tests do
   desc "Tests: Logic"
   task :logic => [:init] do
     puts "Running logic tests"
-    if xctool_available
-      system "xctool #{XCTOOL_DEFAULTS} -scheme LogicTests test"
-    else
-      system "xcodebuild #{XCODE_DEFAULTS} -scheme LogicTests test"
-    end
+    xcodebuild("-scheme LogicTests test")
   end
 
   desc "Tests: Kernel"
@@ -183,7 +151,7 @@ end
 
 task :unload_gui do
   puts "Unloading GUI agent"
-  system "sudo killall Santa 2>/dev/null"
+  system "launchctl unload /Library/LaunchAgents/com.google.santagui.plist 2>/dev/null"
 end
 
 desc "Unload"
@@ -196,12 +164,12 @@ end
 
 task :load_kext do
   puts "Loading kernel extension"
-  system "sudo kextload /santa-driver.kext"
+  system "sudo kextload /Library/Extensions/santa-driver.kext"
 end
 
 task :load_gui do
   puts "Loading GUI agent"
-  system "open /Applications/Santa.app"
+  system "launchctl load /Library/LaunchAgents/com.google.santagui.plist 2>/dev/null"
 end
 
 desc "Load"

Santa.xcodeproj/project.pbxproj

@@ -69,7 +69,7 @@
 		0D3AFBF018FB4C6C0087BCEE /* SNTDriverManager.m in Sources */ = {isa = PBXBuildFile; fileRef = 0D7D01861774F93A005DBAB4 /* SNTDriverManager.m */; };
 		0D3AFBF618FB4C7E0087BCEE /* Cocoa.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 0D385DB7180DE4A900418BC6 /* Cocoa.framework */; };
 		0D3AFBF818FB4C870087BCEE /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 0D3AFBF718FB4C870087BCEE /* IOKit.framework */; };
-		0D416401191974F1006A356A /* SNTCommandSyncStatus.m in Sources */ = {isa = PBXBuildFile; fileRef = 0D416400191974F1006A356A /* SNTCommandSyncStatus.m */; };
+		0D416401191974F1006A356A /* SNTCommandSyncState.m in Sources */ = {isa = PBXBuildFile; fileRef = 0D416400191974F1006A356A /* SNTCommandSyncState.m */; };
 		0D41640519197AD7006A356A /* SNTCommandSyncEventUpload.m in Sources */ = {isa = PBXBuildFile; fileRef = 0D41640419197AD7006A356A /* SNTCommandSyncEventUpload.m */; };
 		0D41DAD41A7C28C800A890FE /* SNTEventTableTest.m in Sources */ = {isa = PBXBuildFile; fileRef = 0D41DAD31A7C28C800A890FE /* SNTEventTableTest.m */; };
 		0D42D2B519D1D98A00955F08 /* SNTSystemInfo.m in Sources */ = {isa = PBXBuildFile; fileRef = 0D42D2B419D1D98A00955F08 /* SNTSystemInfo.m */; };
@@ -113,10 +113,13 @@
 		0DA73CA11934F8100056D7C4 /* SNTLogging.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DA73C9E1934F8100056D7C4 /* SNTLogging.m */; };
 		0DA73CA21934F88D0056D7C4 /* SNTLogging.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DA73C9E1934F8100056D7C4 /* SNTLogging.m */; };
 		0DB390991AB1E11400614002 /* SNTCommandVersion.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DB390981AB1E11400614002 /* SNTCommandVersion.m */; };
+		0DB537871AFD36EB00487F92 /* SNTRuleTableTest.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DB537861AFD36EB00487F92 /* SNTRuleTableTest.m */; };
 		0DB8ACC1185662DC00FEF9C7 /* SNTApplication.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DB8ACC0185662DC00FEF9C7 /* SNTApplication.m */; };
 		0DC5D86D191AED220078A5C0 /* SNTRuleTable.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DC5D86C191AED220078A5C0 /* SNTRuleTable.m */; };
 		0DC5D86E191AED220078A5C0 /* SNTRuleTable.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DC5D86C191AED220078A5C0 /* SNTRuleTable.m */; };
 		0DC5D871192160180078A5C0 /* SNTCommandSyncLogUpload.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DC5D870192160180078A5C0 /* SNTCommandSyncLogUpload.m */; };
+		0DC765EA1B28D9EA00BAE651 /* santad in CopyFiles */ = {isa = PBXBuildFile; fileRef = 0D9A7F3D1759330500035EB5 /* santad */; settings = {ATTRIBUTES = (CodeSignOnCopy, ); }; };
+		0DC765EB1B28D9EA00BAE651 /* santactl in CopyFiles */ = {isa = PBXBuildFile; fileRef = 0D35BD9E18FD71CE00921A21 /* santactl */; settings = {ATTRIBUTES = (CodeSignOnCopy, ); }; };
 		0DCA552718C95928002A7DAE /* SNTXPCConnection.m in Sources */ = {isa = PBXBuildFile; fileRef = 0D6FDC9518C93A020044685C /* SNTXPCConnection.m */; };
 		0DCD5FBF1909D64A006B445C /* SNTCommandBinaryInfo.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DCD5FBE1909D64A006B445C /* SNTCommandBinaryInfo.m */; };
 		0DCD6042190ACCB8006B445C /* SNTFileInfo.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DCD6041190ACCB8006B445C /* SNTFileInfo.m */; };
@@ -147,6 +150,11 @@
 		0DE50F6C19130358007B2B0C /* SNTStoredEvent.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DCD604A19105433006B445C /* SNTStoredEvent.m */; };
 		0DE50F6E191304E0007B2B0C /* SNTRule.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DE50F671912716A007B2B0C /* SNTRule.m */; };
 		0DE6788D1784A8C2007A9E52 /* SNTExecutionController.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DE6788C1784A8C2007A9E52 /* SNTExecutionController.m */; };
+		0DEFB7C01ACB28B000B92AAE /* SNTCommandSyncConstants.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DEFB7BF1ACB28B000B92AAE /* SNTCommandSyncConstants.m */; };
+		0DEFB7C41ACDD80100B92AAE /* SNTFileWatcher.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DEFB7C31ACDD80100B92AAE /* SNTFileWatcher.m */; };
+		0DEFB7C51ACDD80100B92AAE /* SNTFileWatcher.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DEFB7C31ACDD80100B92AAE /* SNTFileWatcher.m */; };
+		0DEFB7C61ACDE5F600B92AAE /* SNTFileWatcher.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DEFB7C31ACDD80100B92AAE /* SNTFileWatcher.m */; };
+		0DEFB7C81ACF0BFE00B92AAE /* SNTFileWatcherTest.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DEFB7C71ACF0BFE00B92AAE /* SNTFileWatcherTest.m */; };
 		0DF395641AB76A7900CBC520 /* NSData+Zlib.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DF395631AB76A7900CBC520 /* NSData+Zlib.m */; };
 		0DF395661AB76ABC00CBC520 /* libz.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 0DF395651AB76ABC00CBC520 /* libz.dylib */; };
 		4092327A1A51B66400A04527 /* SNTCommandRule.m in Sources */ = {isa = PBXBuildFile; fileRef = 409232791A51B65D00A04527 /* SNTCommandRule.m */; };
@@ -197,8 +205,36 @@
 			remoteGlobalIDString = 0D9A7F3C1759330400035EB5;
 			remoteInfo = santad;
 		};
+		0DC765E51B28D9C600BAE651 /* PBXContainerItemProxy */ = {
+			isa = PBXContainerItemProxy;
+			containerPortal = 0D91BCA8174E8A6500131A7D /* Project object */;
+			proxyType = 1;
+			remoteGlobalIDString = 0D9A7F3C1759330400035EB5;
+			remoteInfo = santad;
+		};
+		0DC765E71B28D9C600BAE651 /* PBXContainerItemProxy */ = {
+			isa = PBXContainerItemProxy;
+			containerPortal = 0D91BCA8174E8A6500131A7D /* Project object */;
+			proxyType = 1;
+			remoteGlobalIDString = 0D35BD9D18FD71CE00921A21;
+			remoteInfo = santactl;
+		};
 /* End PBXContainerItemProxy section */
 
+/* Begin PBXCopyFilesBuildPhase section */
+		0DC765E91B28D9CB00BAE651 /* CopyFiles */ = {
+			isa = PBXCopyFilesBuildPhase;
+			buildActionMask = 2147483647;
+			dstPath = "";
+			dstSubfolderSpec = 6;
+			files = (
+				0DC765EA1B28D9EA00BAE651 /* santad in CopyFiles */,
+				0DC765EB1B28D9EA00BAE651 /* santactl in CopyFiles */,
+			);
+			runOnlyForDeploymentPostprocessing = 0;
+		};
+/* End PBXCopyFilesBuildPhase section */
+
 /* Begin PBXFileReference section */
 		0A84545E322F475FA0B505D5 /* libPods-santad.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = "libPods-santad.a"; sourceTree = BUILT_PRODUCTS_DIR; };
 		0D0016A2192BCD3C005E7FCD /* KernelTests */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = KernelTests; sourceTree = BUILT_PRODUCTS_DIR; };
@@ -248,8 +284,8 @@
 		0D385DEF180DE51600418BC6 /* SNTNotificationManager.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTNotificationManager.m; sourceTree = "<group>"; };
 		0D3AFBE618FB32CB0087BCEE /* SNTXPCConnectionTest.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTXPCConnectionTest.m; sourceTree = "<group>"; };
 		0D3AFBF718FB4C870087BCEE /* IOKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IOKit.framework; path = System/Library/Frameworks/IOKit.framework; sourceTree = SDKROOT; };
-		0D4163FF191974F1006A356A /* SNTCommandSyncStatus.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SNTCommandSyncStatus.h; sourceTree = "<group>"; };
-		0D416400191974F1006A356A /* SNTCommandSyncStatus.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTCommandSyncStatus.m; sourceTree = "<group>"; };
+		0D4163FF191974F1006A356A /* SNTCommandSyncState.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SNTCommandSyncState.h; sourceTree = "<group>"; };
+		0D416400191974F1006A356A /* SNTCommandSyncState.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTCommandSyncState.m; sourceTree = "<group>"; };
 		0D41640319197AD7006A356A /* SNTCommandSyncEventUpload.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SNTCommandSyncEventUpload.h; sourceTree = "<group>"; };
 		0D41640419197AD7006A356A /* SNTCommandSyncEventUpload.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTCommandSyncEventUpload.m; sourceTree = "<group>"; };
 		0D41DAD31A7C28C800A890FE /* SNTEventTableTest.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTEventTableTest.m; sourceTree = "<group>"; };
@@ -296,6 +332,7 @@
 		0DA73C9E1934F8100056D7C4 /* SNTLogging.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTLogging.m; sourceTree = "<group>"; };
 		0DB2B92318085753001C01D9 /* santad-Prefix.pch */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "santad-Prefix.pch"; sourceTree = "<group>"; };
 		0DB390981AB1E11400614002 /* SNTCommandVersion.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = SNTCommandVersion.m; path = version/SNTCommandVersion.m; sourceTree = "<group>"; };
+		0DB537861AFD36EB00487F92 /* SNTRuleTableTest.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTRuleTableTest.m; sourceTree = "<group>"; };
 		0DB8ACBF185662DC00FEF9C7 /* SNTApplication.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SNTApplication.h; sourceTree = "<group>"; };
 		0DB8ACC0185662DC00FEF9C7 /* SNTApplication.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; lineEnding = 0; path = SNTApplication.m; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objc; };
 		0DB8ACE41858D73000FEF9C7 /* santad-Info.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = "santad-Info.plist"; sourceTree = "<group>"; };
@@ -325,6 +362,11 @@
 		0DE50F671912716A007B2B0C /* SNTRule.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTRule.m; sourceTree = "<group>"; };
 		0DE6788B1784A8C2007A9E52 /* SNTExecutionController.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SNTExecutionController.h; sourceTree = "<group>"; };
 		0DE6788C1784A8C2007A9E52 /* SNTExecutionController.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; lineEnding = 0; path = SNTExecutionController.m; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objc; };
+		0DEFB7BF1ACB28B000B92AAE /* SNTCommandSyncConstants.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTCommandSyncConstants.m; sourceTree = "<group>"; };
+		0DEFB7C11ACB28BC00B92AAE /* SNTCommandSyncConstants.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SNTCommandSyncConstants.h; sourceTree = "<group>"; };
+		0DEFB7C21ACDD80100B92AAE /* SNTFileWatcher.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SNTFileWatcher.h; sourceTree = "<group>"; };
+		0DEFB7C31ACDD80100B92AAE /* SNTFileWatcher.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTFileWatcher.m; sourceTree = "<group>"; };
+		0DEFB7C71ACF0BFE00B92AAE /* SNTFileWatcherTest.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTFileWatcherTest.m; sourceTree = "<group>"; };
 		0DF395621AB76A7900CBC520 /* NSData+Zlib.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "NSData+Zlib.h"; sourceTree = "<group>"; };
 		0DF395631AB76A7900CBC520 /* NSData+Zlib.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "NSData+Zlib.m"; sourceTree = "<group>"; };
 		0DF395651AB76ABC00CBC520 /* libz.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libz.dylib; path = usr/lib/libz.dylib; sourceTree = SDKROOT; };
@@ -410,6 +452,8 @@
 				0D41DAD31A7C28C800A890FE /* SNTEventTableTest.m */,
 				0DD0D490194F9947005F27EB /* SNTExecutionControllerTest.m */,
 				0DD0D48E194F78F8005F27EB /* SNTFileInfoTest.m */,
+				0DEFB7C71ACF0BFE00B92AAE /* SNTFileWatcherTest.m */,
+				0DB537861AFD36EB00487F92 /* SNTRuleTableTest.m */,
 				0D3AFBE618FB32CB0087BCEE /* SNTXPCConnectionTest.m */,
 			);
 			path = LogicTests;
@@ -464,6 +508,8 @@
 				0DCD6060191188B1006B445C /* SNTAuthenticatingURLSession.h */,
 				0DCD6061191188B1006B445C /* SNTAuthenticatingURLSession.m */,
 				0D35BDB418FD84F600921A21 /* SNTCommandSync.m */,
+				0DEFB7C11ACB28BC00B92AAE /* SNTCommandSyncConstants.h */,
+				0DEFB7BF1ACB28B000B92AAE /* SNTCommandSyncConstants.m */,
 				0D41640319197AD7006A356A /* SNTCommandSyncEventUpload.h */,
 				0D41640419197AD7006A356A /* SNTCommandSyncEventUpload.m */,
 				0DC5D86F192160180078A5C0 /* SNTCommandSyncLogUpload.h */,
@@ -474,8 +520,8 @@
 				0DCD605B19117A90006B445C /* SNTCommandSyncPreflight.m */,
 				0D0A1EC1191998C900B8450F /* SNTCommandSyncRuleDownload.h */,
 				0D0A1EC2191998C900B8450F /* SNTCommandSyncRuleDownload.m */,
-				0D4163FF191974F1006A356A /* SNTCommandSyncStatus.h */,
-				0D416400191974F1006A356A /* SNTCommandSyncStatus.m */,
+				0D4163FF191974F1006A356A /* SNTCommandSyncState.h */,
+				0D416400191974F1006A356A /* SNTCommandSyncState.m */,
 				0D7FFD491A017D4B00F34435 /* SNTDERDecoder.h */,
 				0D7FFD4A1A017D4B00F34435 /* SNTDERDecoder.m */,
 			);
@@ -616,6 +662,8 @@
 				0D10BE851A0AABD600C0C944 /* SNTDropRootPrivs.m */,
 				0DCD6040190ACCB8006B445C /* SNTFileInfo.h */,
 				0DCD6041190ACCB8006B445C /* SNTFileInfo.m */,
+				0DEFB7C21ACDD80100B92AAE /* SNTFileWatcher.h */,
+				0DEFB7C31ACDD80100B92AAE /* SNTFileWatcher.m */,
 				0D28E5E31926AFE400280F87 /* SNTKernelCommon.h */,
 				0D28E5E119269B3600280F87 /* SNTLogging.h */,
 				0DA73C9E1934F8100056D7C4 /* SNTLogging.m */,
@@ -817,10 +865,13 @@
 				0DD98E691A5DD5C900A754C6 /* Update Module Version */,
 				0D91BCAE174E8A7E00131A7D /* Sources */,
 				0D91BCB0174E8A7E00131A7D /* Headers */,
+				0DC765E91B28D9CB00BAE651 /* CopyFiles */,
 			);
 			buildRules = (
 			);
 			dependencies = (
+				0DC765E61B28D9C600BAE651 /* PBXTargetDependency */,
+				0DC765E81B28D9C600BAE651 /* PBXTargetDependency */,
 			);
 			name = "santa-driver";
 			productName = "santa-driver";
@@ -1086,10 +1137,13 @@
 				0DD0D491194F9947005F27EB /* SNTExecutionControllerTest.m in Sources */,
 				0D3AFBEF18FB4C6C0087BCEE /* SNTExecutionController.m in Sources */,
 				0D3AFBEC18FB48E70087BCEE /* SNTEventTable.m in Sources */,
+				0DB537871AFD36EB00487F92 /* SNTRuleTableTest.m in Sources */,
 				0DCD604D19105433006B445C /* SNTStoredEvent.m in Sources */,
 				0DCD605819115E57006B445C /* SNTXPCControlInterface.m in Sources */,
 				0D10BE891A0AAF6700C0C944 /* SNTDropRootPrivs.m in Sources */,
+				0DEFB7C61ACDE5F600B92AAE /* SNTFileWatcher.m in Sources */,
 				0D10BE8B1A0AB23300C0C944 /* SNTDERDecoderTest.m in Sources */,
+				0DEFB7C81ACF0BFE00B92AAE /* SNTFileWatcherTest.m in Sources */,
 				0DD0D48B194F6193005F27EB /* SNTCertificateTest.m in Sources */,
 				0D28D53819D9F5910015C5EB /* SNTConfigurator.m in Sources */,
 				0D3AFBE718FB32CB0087BCEE /* SNTXPCConnectionTest.m in Sources */,
@@ -1116,6 +1170,7 @@
 				0D35BDC218FDA5D100921A21 /* SNTCodesignChecker.m in Sources */,
 				0D35BDB518FD84F600921A21 /* SNTCommandSync.m in Sources */,
 				0DCD5FBF1909D64A006B445C /* SNTCommandBinaryInfo.m in Sources */,
+				0DEFB7C01ACB28B000B92AAE /* SNTCommandSyncConstants.m in Sources */,
 				0DCD6062191188B1006B445C /* SNTAuthenticatingURLSession.m in Sources */,
 				0DCD605619115D17006B445C /* SNTXPCControlInterface.m in Sources */,
 				0DE50F6C19130358007B2B0C /* SNTStoredEvent.m in Sources */,
@@ -1127,7 +1182,7 @@
 				0D10BE871A0AABD600C0C944 /* SNTDropRootPrivs.m in Sources */,
 				0DE4C8A618FF3B1700466D04 /* SNTCommandFlushCache.m in Sources */,
 				4092327A1A51B66400A04527 /* SNTCommandRule.m in Sources */,
-				0D416401191974F1006A356A /* SNTCommandSyncStatus.m in Sources */,
+				0D416401191974F1006A356A /* SNTCommandSyncState.m in Sources */,
 				0DC5D871192160180078A5C0 /* SNTCommandSyncLogUpload.m in Sources */,
 				0D35BDA218FD71CE00921A21 /* main.m in Sources */,
 				0DCD6043190ACCB8006B445C /* SNTFileInfo.m in Sources */,
@@ -1161,6 +1216,7 @@
 				0D1B477019A53419008CADD3 /* SNTAboutWindowController.m in Sources */,
 				0D668E8118D1121700E29A8B /* SNTMessageWindow.m in Sources */,
 				0DA73CA11934F8100056D7C4 /* SNTLogging.m in Sources */,
+				0DEFB7C51ACDD80100B92AAE /* SNTFileWatcher.m in Sources */,
 				0D20710E1A7C4A86008B0A9A /* SNTStoredEvent.m in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
@@ -1190,6 +1246,7 @@
 				0D1AF477187C7A2C00D3298D /* SNTCertificate.m in Sources */,
 				0DA73C9F1934F8100056D7C4 /* SNTLogging.m in Sources */,
 				0DCD6042190ACCB8006B445C /* SNTFileInfo.m in Sources */,
+				0DEFB7C41ACDD80100B92AAE /* SNTFileWatcher.m in Sources */,
 				0DC5D86D191AED220078A5C0 /* SNTRuleTable.m in Sources */,
 				0D7D01871774F93A005DBAB4 /* SNTDriverManager.m in Sources */,
 				0D8E18CD19107B56000F89B8 /* SNTDaemonControlController.m in Sources */,
@@ -1237,6 +1294,16 @@
 			target = 0D9A7F3C1759330400035EB5 /* santad */;
 			targetProxy = 0D9A7F591759393600035EB5 /* PBXContainerItemProxy */;
 		};
+		0DC765E61B28D9C600BAE651 /* PBXTargetDependency */ = {
+			isa = PBXTargetDependency;
+			target = 0D9A7F3C1759330400035EB5 /* santad */;
+			targetProxy = 0DC765E51B28D9C600BAE651 /* PBXContainerItemProxy */;
+		};
+		0DC765E81B28D9C600BAE651 /* PBXTargetDependency */ = {
+			isa = PBXTargetDependency;
+			target = 0D35BD9D18FD71CE00921A21 /* santactl */;
+			targetProxy = 0DC765E71B28D9C600BAE651 /* PBXContainerItemProxy */;
+		};
 /* End PBXTargetDependency section */
 
 /* Begin XCBuildConfiguration section */
@@ -1269,8 +1336,10 @@
 				GCC_WARN_UNINITIALIZED_AUTOS = YES;
 				GCC_WARN_UNUSED_FUNCTION = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
+				INSTALL_PATH = "";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE = "";
+				WARNING_CFLAGS = "";
 			};
 			name = Debug;
 		};
@@ -1297,8 +1366,10 @@
 				GCC_WARN_UNINITIALIZED_AUTOS = YES;
 				GCC_WARN_UNUSED_FUNCTION = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
+				INSTALL_PATH = "";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE = "";
+				WARNING_CFLAGS = "";
 			};
 			name = Release;
 		};
@@ -1347,6 +1418,7 @@
 				);
 				INFOPLIST_FILE = "Tests/LogicTests/Resources/Tests-Info.plist";
 				PRODUCT_NAME = "$(TARGET_NAME)";
+				WARNING_CFLAGS = "";
 				WRAPPER_EXTENSION = xctest;
 			};
 			name = Debug;
@@ -1390,6 +1462,7 @@
 				);
 				INFOPLIST_FILE = "Tests/LogicTests/Resources/Tests-Info.plist";
 				PRODUCT_NAME = "$(TARGET_NAME)";
+				WARNING_CFLAGS = "";
 				WRAPPER_EXTENSION = xctest;
 			};
 			name = Release;
@@ -1428,6 +1501,7 @@
 				GCC_WARN_UNUSED_FUNCTION = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
 				INFOPLIST_FILE = "${DERIVED_FILE_DIR}/santactl-Info.plist";
+				INSTALL_PATH = "";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE = "";
 			};
@@ -1461,6 +1535,7 @@
 				GCC_WARN_UNUSED_FUNCTION = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
 				INFOPLIST_FILE = "${DERIVED_FILE_DIR}/santactl-Info.plist";
+				INSTALL_PATH = "";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE = "";
 			};
@@ -1554,6 +1629,11 @@
 				PROVISIONING_PROFILE = "";
 				RUN_CLANG_STATIC_ANALYZER = YES;
 				SDKROOT = macosx;
+				WARNING_CFLAGS = (
+					"-Wall",
+					"-Wextra",
+					"-Wno-unused-parameter",
+				);
 			};
 			name = Debug;
 		};
@@ -1569,6 +1649,11 @@
 				PROVISIONING_PROFILE = "";
 				RUN_CLANG_STATIC_ANALYZER = YES;
 				SDKROOT = macosx;
+				WARNING_CFLAGS = (
+					"-Wall",
+					"-Wextra",
+					"-Wno-unused-parameter",
+				);
 			};
 			name = Release;
 		};
@@ -1584,6 +1669,7 @@
 				CLANG_WARN_INT_CONVERSION = YES;
 				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
 				COMBINE_HIDPI_IMAGES = YES;
+				COPY_PHASE_STRIP = NO;
 				GCC_DYNAMIC_NO_PIC = NO;
 				GCC_ENABLE_OBJC_EXCEPTIONS = YES;
 				GCC_OPTIMIZATION_LEVEL = 0;
@@ -1602,7 +1688,10 @@
 				OTHER_LDFLAGS = "";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				SWIFT_OPTIMIZATION_LEVEL = "-Onone";
-				WARNING_CFLAGS = "-Wno-deprecated-register";
+				WARNING_CFLAGS = (
+					"-Wno-deprecated-register",
+					"$(inherit)",
+				);
 				WRAPPER_EXTENSION = kext;
 			};
 			name = Debug;
@@ -1619,6 +1708,7 @@
 				CLANG_WARN_INT_CONVERSION = YES;
 				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
 				COMBINE_HIDPI_IMAGES = YES;
+				COPY_PHASE_STRIP = NO;
 				GCC_ENABLE_OBJC_EXCEPTIONS = YES;
 				GCC_PRECOMPILE_PREFIX_HEADER = YES;
 				GCC_PREPROCESSOR_DEFINITIONS = "";
@@ -1633,7 +1723,10 @@
 				MODULE_VERSION = TO.BE.FILLED;
 				OTHER_LDFLAGS = "";
 				PRODUCT_NAME = "$(TARGET_NAME)";
-				WARNING_CFLAGS = "-Wno-deprecated-register";
+				WARNING_CFLAGS = (
+					"-Wno-deprecated-register",
+					"$(inherit)",
+				);
 				WRAPPER_EXTENSION = kext;
 			};
 			name = Release;
@@ -1681,7 +1774,7 @@
 				GCC_WARN_UNINITIALIZED_AUTOS = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
 				INFOPLIST_FILE = "${DERIVED_FILE_DIR}/santad-Info.plist";
-				INSTALL_PATH = /usr/sbin;
+				INSTALL_PATH = "";
 				LIBRARY_SEARCH_PATHS = "$(inherited)";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 			};
@@ -1709,7 +1802,7 @@
 				GCC_WARN_UNINITIALIZED_AUTOS = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
 				INFOPLIST_FILE = "${DERIVED_FILE_DIR}/santad-Info.plist";
-				INSTALL_PATH = /usr/sbin;
+				INSTALL_PATH = "";
 				LIBRARY_SEARCH_PATHS = "$(inherited)";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 			};

Santa.xcodeproj/xcshareddata/xcschemes/All.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0510"
+   LastUpgradeVersion = "0620"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -49,6 +49,15 @@
       ignoresPersistentStateOnLaunch = "NO"
       debugDocumentVersioning = "YES"
       allowLocationSimulation = "YES">
+      <MacroExpansion>
+         <BuildableReference
+            BuildableIdentifier = "primary"
+            BlueprintIdentifier = "0D91BCDC174E8AE600131A7D"
+            BuildableName = "All"
+            BlueprintName = "All"
+            ReferencedContainer = "container:Santa.xcodeproj">
+         </BuildableReference>
+      </MacroExpansion>
       <AdditionalOptions>
       </AdditionalOptions>
    </LaunchAction>

Santa.xcodeproj/xcshareddata/xcschemes/KernelTests.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0600"
+   LastUpgradeVersion = "0620"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -48,7 +48,8 @@
       ignoresPersistentStateOnLaunch = "NO"
       debugDocumentVersioning = "YES"
       allowLocationSimulation = "YES">
-      <BuildableProductRunnable>
+      <BuildableProductRunnable
+         runnableDebuggingMode = "0">
          <BuildableReference
             BuildableIdentifier = "primary"
             BlueprintIdentifier = "0D0016A1192BCD3C005E7FCD"
@@ -66,7 +67,8 @@
       useCustomWorkingDirectory = "NO"
       buildConfiguration = "Release"
       debugDocumentVersioning = "YES">
-      <BuildableProductRunnable>
+      <BuildableProductRunnable
+         runnableDebuggingMode = "0">
          <BuildableReference
             BuildableIdentifier = "primary"
             BlueprintIdentifier = "0D0016A1192BCD3C005E7FCD"

Santa.xcodeproj/xcshareddata/xcschemes/Santa.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0510"
+   LastUpgradeVersion = "0620"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -48,7 +48,8 @@
       ignoresPersistentStateOnLaunch = "NO"
       debugDocumentVersioning = "YES"
       allowLocationSimulation = "YES">
-      <BuildableProductRunnable>
+      <BuildableProductRunnable
+         runnableDebuggingMode = "0">
          <BuildableReference
             BuildableIdentifier = "primary"
             BlueprintIdentifier = "0D385DB5180DE4A900418BC6"
@@ -66,7 +67,8 @@
       useCustomWorkingDirectory = "NO"
       buildConfiguration = "Release"
       debugDocumentVersioning = "YES">
-      <BuildableProductRunnable>
+      <BuildableProductRunnable
+         runnableDebuggingMode = "0">
          <BuildableReference
             BuildableIdentifier = "primary"
             BlueprintIdentifier = "0D385DB5180DE4A900418BC6"

Santa.xcodeproj/xcshareddata/xcschemes/santa-driver.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0510"
+   LastUpgradeVersion = "0620"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -39,6 +39,15 @@
       ignoresPersistentStateOnLaunch = "NO"
       debugDocumentVersioning = "YES"
       allowLocationSimulation = "YES">
+      <MacroExpansion>
+         <BuildableReference
+            BuildableIdentifier = "primary"
+            BlueprintIdentifier = "0D91BCB3174E8A7E00131A7D"
+            BuildableName = "santa-driver.kext"
+            BlueprintName = "santa-driver"
+            ReferencedContainer = "container:Santa.xcodeproj">
+         </BuildableReference>
+      </MacroExpansion>
       <AdditionalOptions>
       </AdditionalOptions>
    </LaunchAction>

Santa.xcodeproj/xcshareddata/xcschemes/santactl.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0510"
+   LastUpgradeVersion = "0620"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -48,7 +48,8 @@
       ignoresPersistentStateOnLaunch = "NO"
       debugDocumentVersioning = "YES"
       allowLocationSimulation = "YES">
-      <BuildableProductRunnable>
+      <BuildableProductRunnable
+         runnableDebuggingMode = "0">
          <BuildableReference
             BuildableIdentifier = "primary"
             BlueprintIdentifier = "0D35BD9D18FD71CE00921A21"
@@ -66,7 +67,8 @@
       useCustomWorkingDirectory = "NO"
       buildConfiguration = "Release"
       debugDocumentVersioning = "YES">
-      <BuildableProductRunnable>
+      <BuildableProductRunnable
+         runnableDebuggingMode = "0">
          <BuildableReference
             BuildableIdentifier = "primary"
             BlueprintIdentifier = "0D35BD9D18FD71CE00921A21"

Santa.xcodeproj/xcshareddata/xcschemes/santad.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0510"
+   LastUpgradeVersion = "0620"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -49,7 +49,8 @@
       ignoresPersistentStateOnLaunch = "NO"
       debugDocumentVersioning = "YES"
       allowLocationSimulation = "YES">
-      <BuildableProductRunnable>
+      <BuildableProductRunnable
+         runnableDebuggingMode = "0">
          <BuildableReference
             BuildableIdentifier = "primary"
             BlueprintIdentifier = "0D9A7F3C1759330400035EB5"
@@ -67,7 +68,8 @@
       useCustomWorkingDirectory = "NO"
       buildConfiguration = "Release"
       debugDocumentVersioning = "YES">
-      <BuildableProductRunnable>
+      <BuildableProductRunnable
+         runnableDebuggingMode = "0">
          <BuildableReference
             BuildableIdentifier = "primary"
             BlueprintIdentifier = "0D9A7F3C1759330400035EB5"

Source/SantaGUI/Resources/AboutWindow.xib

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="6254" systemVersion="14C1514" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES">
+<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="6254" systemVersion="14D136" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES">
     <dependencies>
         <deployment identifier="macosx"/>
         <plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="6254"/>
@@ -14,7 +14,7 @@
         <customObject id="-1" userLabel="First Responder" customClass="FirstResponder"/>
         <customObject id="-3" userLabel="Application" customClass="NSObject"/>
         <window title="Santa" allowsToolTipsWhenApplicationIsInactive="NO" autorecalculatesKeyViewLoop="NO" oneShot="NO" releasedWhenClosed="NO" visibleAtLaunch="NO" animationBehavior="default" id="F0z-JX-Cv5">
-            <windowStyleMask key="styleMask" titled="YES"/>
+            <windowStyleMask key="styleMask" titled="YES" closable="YES"/>
             <rect key="contentRect" x="196" y="240" width="480" height="200"/>
             <rect key="screenRect" x="0.0" y="0.0" width="2560" height="1577"/>
             <view key="contentView" id="se5-gp-TjO">
@@ -65,6 +65,9 @@ There are no user-configurable settings.</string>
                         <buttonCell key="cell" type="push" title="Dismiss" bezelStyle="rounded" alignment="center" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="uSw-o1-lWW">
                             <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                             <font key="font" metaFont="system"/>
+                            <string key="keyEquivalent" base64-UTF8="YES">
+DQ
+</string>
                         </buttonCell>
                         <connections>
                             <action selector="orderOut:" target="-1" id="6oW-zI-zn5"/>

Source/SantaGUI/Resources/MessageWindow.xib

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="6254" systemVersion="14C1514" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES">
+<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="6254" systemVersion="14D136" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES">
     <dependencies>
         <deployment identifier="macosx"/>
         <plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="6254"/>
@@ -15,14 +15,14 @@
         <customObject id="-3" userLabel="Application" customClass="NSObject"/>
         <window allowsToolTipsWhenApplicationIsInactive="NO" autorecalculatesKeyViewLoop="NO" oneShot="NO" showsToolbarButton="NO" visibleAtLaunch="NO" animationBehavior="none" id="9Bq-yh-54f" customClass="SNTMessageWindow">
             <windowStyleMask key="styleMask" utility="YES"/>
-            <rect key="contentRect" x="167" y="107" width="550" height="331"/>
-            <rect key="screenRect" x="0.0" y="0.0" width="2560" height="1577"/>
+            <rect key="contentRect" x="167" y="107" width="497" height="356"/>
+            <rect key="screenRect" x="0.0" y="0.0" width="2560" height="1600"/>
             <view key="contentView" id="Iwq-Lx-rLv">
-                <rect key="frame" x="0.0" y="0.0" width="550" height="331"/>
+                <rect key="frame" x="0.0" y="0.0" width="497" height="356"/>
                 <autoresizingMask key="autoresizingMask" widthSizable="YES" heightSizable="YES"/>
                 <subviews>
                     <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="t8c-Fx-e5h">
-                        <rect key="frame" x="234" y="261" width="83" height="40"/>
+                        <rect key="frame" x="207" y="286" width="83" height="40"/>
                         <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" title="Santa" id="7YA-iB-Zma">
                             <font key="font" size="34" name="HelveticaNeue-UltraLight"/>
                             <color key="textColor" red="0.18696189413265307" green="0.18696189413265307" blue="0.18696189413265307" alpha="1" colorSpace="calibratedRGB"/>
@@ -30,9 +30,9 @@
                         </textFieldCell>
                     </textField>
                     <textField verticalHuggingPriority="750" horizontalCompressionResistancePriority="250" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="cD5-Su-lXR">
-                        <rect key="frame" x="25" y="214" width="500" height="17"/>
+                        <rect key="frame" x="22" y="239" width="454" height="17"/>
                         <constraints>
-                            <constraint firstAttribute="width" constant="496" id="XgJ-EV-tBa"/>
+                            <constraint firstAttribute="width" constant="450" id="XgJ-EV-tBa"/>
                         </constraints>
                         <textFieldCell key="cell" allowsUndo="NO" sendsActionOnEndEditing="YES" alignment="center" title="A message to the user goes here..." allowsEditingTextAttributes="YES" id="5tH-bG-UJA">
                             <font key="font" metaFont="system"/>
@@ -44,9 +44,9 @@
                         </connections>
                     </textField>
                     <textField horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="pc8-G9-4pJ">
-                        <rect key="frame" x="175" y="167" width="324" height="17"/>
+                        <rect key="frame" x="165" y="192" width="294" height="17"/>
                         <constraints>
-                            <constraint firstAttribute="width" constant="320" id="xVR-j3-dLw"/>
+                            <constraint firstAttribute="width" constant="290" id="xVR-j3-dLw"/>
                         </constraints>
                         <textFieldCell key="cell" selectable="YES" sendsActionOnEndEditing="YES" alignment="left" title="Binary Path" id="E7T-9h-ofr">
                             <font key="font" metaFont="system"/>
@@ -58,23 +58,23 @@
                         </connections>
                     </textField>
                     <textField horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="PXc-xv-A28">
-                        <rect key="frame" x="175" y="117" width="304" height="17"/>
+                        <rect key="frame" x="165" y="142" width="294" height="17"/>
                         <constraints>
-                            <constraint firstAttribute="width" constant="300" id="4hh-R2-86s"/>
+                            <constraint firstAttribute="width" constant="290" id="4hh-R2-86s"/>
                         </constraints>
-                        <textFieldCell key="cell" lineBreakMode="charWrapping" selectable="YES" sendsActionOnEndEditing="YES" title="File SHA-256" id="X4W-9e-eIu">
+                        <textFieldCell key="cell" lineBreakMode="charWrapping" selectable="YES" sendsActionOnEndEditing="YES" title="Part of SHA-256" id="X4W-9e-eIu">
                             <font key="font" metaFont="system"/>
                             <color key="textColor" white="0.0" alpha="0.5" colorSpace="deviceWhite"/>
                             <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
                         </textFieldCell>
                         <connections>
-                            <binding destination="-2" name="value" keyPath="self.event.fileSHA256" id="SzX-Ep-rBa"/>
+                            <binding destination="-2" name="value" keyPath="self.shortenedHash" id="xgu-71-9ZT"/>
                         </connections>
                     </textField>
                     <textField horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="C3G-wL-u7w">
-                        <rect key="frame" x="175" y="142" width="309" height="17"/>
+                        <rect key="frame" x="165" y="167" width="294" height="17"/>
                         <constraints>
-                            <constraint firstAttribute="width" constant="305" id="Dem-wH-KHm"/>
+                            <constraint firstAttribute="width" constant="290" id="Dem-wH-KHm"/>
                         </constraints>
                         <textFieldCell key="cell" selectable="YES" allowsUndo="NO" sendsActionOnEndEditing="YES" title="Code signing information" placeholderString="" id="ztA-La-XgT">
                             <font key="font" metaFont="system"/>
@@ -90,15 +90,23 @@
                         </connections>
                     </textField>
                     <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="oFj-ol-xpL">
-                        <rect key="frame" x="18" y="92" width="120" height="17"/>
+                        <rect key="frame" x="8" y="92" width="120" height="17"/>
                         <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="User" id="1ut-uT-hQD">
                             <font key="font" metaFont="systemBold"/>
                             <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
                             <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
                         </textFieldCell>
                     </textField>
+                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="eQb-0a-76J">
+                        <rect key="frame" x="8" y="117" width="120" height="17"/>
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Parent" id="gze-4A-1w5">
+                            <font key="font" metaFont="systemBold"/>
+                            <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
+                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
+                        </textFieldCell>
+                    </textField>
                     <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="lvJ-Rk-UT5">
-                        <rect key="frame" x="18" y="142" width="120" height="17"/>
+                        <rect key="frame" x="8" y="167" width="120" height="17"/>
                         <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Publisher" id="yL9-yD-JXX">
                             <font key="font" metaFont="systemBold"/>
                             <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
@@ -106,7 +114,7 @@
                         </textFieldCell>
                     </textField>
                     <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="d9e-Wv-Y5H">
-                        <rect key="frame" x="18" y="167" width="120" height="17"/>
+                        <rect key="frame" x="8" y="192" width="120" height="17"/>
                         <constraints>
                             <constraint firstAttribute="width" constant="116" id="Kqd-nX-7df"/>
                         </constraints>
@@ -117,17 +125,17 @@
                         </textFieldCell>
                     </textField>
                     <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="KEB-eH-x2Y">
-                        <rect key="frame" x="18" y="117" width="120" height="17"/>
-                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="SHA-256" id="eKN-Ic-5zy">
+                        <rect key="frame" x="8" y="142" width="120" height="17"/>
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Identifier" id="eKN-Ic-5zy">
                             <font key="font" metaFont="systemBold"/>
                             <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
                             <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
                         </textFieldCell>
                     </textField>
                     <textField horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" translatesAutoresizingMaskIntoConstraints="NO" id="h6f-PY-cc0">
-                        <rect key="frame" x="175" y="92" width="368" height="17"/>
+                        <rect key="frame" x="165" y="92" width="294" height="17"/>
                         <constraints>
-                            <constraint firstAttribute="width" constant="364" id="on6-pj-m2k"/>
+                            <constraint firstAttribute="width" constant="290" id="on6-pj-m2k"/>
                         </constraints>
                         <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" title="Executing User" id="HRT-Be-ePf">
                             <font key="font" metaFont="system"/>
@@ -135,20 +143,27 @@
                             <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
                         </textFieldCell>
                         <connections>
-                            <binding destination="-2" name="value" keyPath="self.event.executingUser" id="xe2-U2-WrZ"/>
+                            <binding destination="-2" name="value" keyPath="self.event.executingUser" id="IcM-Lt-xTT">
+                                <dictionary key="options">
+                                    <string key="NSNullPlaceholder">Unknown</string>
+                                </dictionary>
+                            </binding>
                         </connections>
                     </textField>
-                    <box horizontalHuggingPriority="750" title="Box" boxType="separator" titlePosition="noTitle" translatesAutoresizingMaskIntoConstraints="NO" id="4Li-ul-zIi">
-                        <rect key="frame" x="154" y="92" width="5" height="92"/>
-                        <color key="borderColor" white="0.0" alpha="0.41999999999999998" colorSpace="calibratedWhite"/>
+                    <box horizontalHuggingPriority="750" title="Line" boxType="custom" borderType="line" titlePosition="noTitle" translatesAutoresizingMaskIntoConstraints="NO" id="4Li-ul-zIi">
+                        <rect key="frame" x="146" y="92" width="1" height="117"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="1" id="0o1-Jh-epf"/>
+                        </constraints>
+                        <color key="borderColor" white="0.0" alpha="0.17999999999999999" colorSpace="calibratedWhite"/>
                         <color key="fillColor" white="0.0" alpha="0.0" colorSpace="calibratedWhite"/>
                         <font key="titleFont" metaFont="system"/>
                     </box>
                     <button toolTip="Show code signing certificate chain" translatesAutoresizingMaskIntoConstraints="NO" id="cJf-k6-OxS" userLabel="Publisher Certs">
-                        <rect key="frame" x="51" y="143" width="14" height="14"/>
+                        <rect key="frame" x="40" y="168" width="15" height="15"/>
                         <constraints>
-                            <constraint firstAttribute="width" constant="14" id="QTm-Iv-m5p"/>
-                            <constraint firstAttribute="height" constant="14" id="YwG-0s-jop"/>
+                            <constraint firstAttribute="width" constant="15" id="QTm-Iv-m5p"/>
+                            <constraint firstAttribute="height" constant="15" id="YwG-0s-jop"/>
                         </constraints>
                         <buttonCell key="cell" type="bevel" bezelStyle="regularSquare" image="NSInfo" imagePosition="overlaps" alignment="center" refusesFirstResponder="YES" imageScaling="proportionallyDown" inset="2" id="R72-Qy-Xbb">
                             <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
@@ -164,7 +179,7 @@
                         </connections>
                     </button>
                     <button verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="BbV-3h-mmL">
-                        <rect key="frame" x="282" y="33" width="110" height="25"/>
+                        <rect key="frame" x="256" y="33" width="110" height="25"/>
                         <constraints>
                             <constraint firstAttribute="width" constant="110" id="6Uh-Bd-N64"/>
                             <constraint firstAttribute="height" constant="22" id="GH6-nw-6rD"/>
@@ -182,7 +197,7 @@ DQ
                         </connections>
                     </button>
                     <button verticalHuggingPriority="750" horizontalCompressionResistancePriority="1000" translatesAutoresizingMaskIntoConstraints="NO" id="7ua-5a-uSd">
-                        <rect key="frame" x="158" y="33" width="112" height="25"/>
+                        <rect key="frame" x="132" y="33" width="112" height="25"/>
                         <constraints>
                             <constraint firstAttribute="width" priority="900" constant="112" id="Pec-Pa-4aZ"/>
                         </constraints>
@@ -198,48 +213,74 @@ DQ
                             <action selector="openEventDetails:" target="-2" id="VhL-ql-rCV"/>
                         </connections>
                     </button>
+                    <textField horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" translatesAutoresizingMaskIntoConstraints="NO" id="f1p-GL-O3o">
+                        <rect key="frame" x="165" y="117" width="294" height="17"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="290" id="h3Y-mO-38F"/>
+                        </constraints>
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" title="Parent Name" id="ieo-WK-aDD">
+                            <font key="font" metaFont="system"/>
+                            <color key="textColor" white="0.0" alpha="0.5" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
+                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
+                        </textFieldCell>
+                        <connections>
+                            <binding destination="-2" name="value" keyPath="self.event.parentName" id="arL-Mc-4xj">
+                                <dictionary key="options">
+                                    <string key="NSNullPlaceholder">Unknown</string>
+                                </dictionary>
+                            </binding>
+                        </connections>
+                    </textField>
                 </subviews>
                 <constraints>
-                    <constraint firstItem="h6f-PY-cc0" firstAttribute="bottom" secondItem="4Li-ul-zIi" secondAttribute="bottom" id="1Nc-gl-xMe"/>
+                    <constraint firstItem="f1p-GL-O3o" firstAttribute="centerY" secondItem="eQb-0a-76J" secondAttribute="centerY" id="2Aq-1E-Ybz"/>
+                    <constraint firstItem="BbV-3h-mmL" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" priority="500" constant="193" id="2uo-Cm-Tfp"/>
+                    <constraint firstItem="h6f-PY-cc0" firstAttribute="top" secondItem="f1p-GL-O3o" secondAttribute="bottom" constant="8" id="496-VQ-Fx5"/>
+                    <constraint firstItem="eQb-0a-76J" firstAttribute="leading" secondItem="lvJ-Rk-UT5" secondAttribute="trailing" constant="-116" id="6Q5-Oo-1cI"/>
                     <constraint firstItem="BbV-3h-mmL" firstAttribute="top" secondItem="oFj-ol-xpL" secondAttribute="bottom" constant="35" id="7K6-bY-Rn6"/>
                     <constraint firstItem="C3G-wL-u7w" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="ALv-0v-szi"/>
+                    <constraint firstItem="f1p-GL-O3o" firstAttribute="top" secondItem="PXc-xv-A28" secondAttribute="bottom" constant="8" id="E6D-7P-17g"/>
                     <constraint firstItem="cJf-k6-OxS" firstAttribute="centerY" secondItem="C3G-wL-u7w" secondAttribute="centerY" id="FdL-ZZ-Vbe"/>
                     <constraint firstItem="t8c-Fx-e5h" firstAttribute="top" secondItem="Iwq-Lx-rLv" secondAttribute="top" constant="30" id="FuB-GX-0jg"/>
+                    <constraint firstItem="oFj-ol-xpL" firstAttribute="bottom" secondItem="4Li-ul-zIi" secondAttribute="bottom" id="G0I-O2-S91"/>
                     <constraint firstItem="lvJ-Rk-UT5" firstAttribute="leading" secondItem="cJf-k6-OxS" secondAttribute="trailing" constant="-45" id="GD2-Ka-deo"/>
                     <constraint firstItem="h6f-PY-cc0" firstAttribute="centerY" secondItem="oFj-ol-xpL" secondAttribute="centerY" id="GXI-pT-FM1"/>
-                    <constraint firstItem="oFj-ol-xpL" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="20" id="IwX-ja-ZIs"/>
+                    <constraint firstItem="oFj-ol-xpL" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="IwX-ja-ZIs"/>
+                    <constraint firstItem="d9e-Wv-Y5H" firstAttribute="top" secondItem="4Li-ul-zIi" secondAttribute="top" id="JY4-N1-j8e"/>
                     <constraint firstItem="oFj-ol-xpL" firstAttribute="leading" secondItem="d9e-Wv-Y5H" secondAttribute="leading" priority="999" id="MVr-jY-GDj"/>
                     <constraint firstItem="pc8-G9-4pJ" firstAttribute="top" secondItem="cD5-Su-lXR" secondAttribute="bottom" constant="30" id="Nsl-zf-poH"/>
                     <constraint firstItem="pc8-G9-4pJ" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="SCl-Ky-VmT"/>
+                    <constraint firstItem="d9e-Wv-Y5H" firstAttribute="centerY" secondItem="pc8-G9-4pJ" secondAttribute="centerY" id="SLv-F7-w5k"/>
                     <constraint firstItem="7ua-5a-uSd" firstAttribute="top" secondItem="oFj-ol-xpL" secondAttribute="bottom" constant="35" id="Scq-zQ-Sao"/>
                     <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="KEB-eH-x2Y" secondAttribute="trailing" constant="20" id="Seb-c0-MUL"/>
                     <constraint firstAttribute="centerX" secondItem="cD5-Su-lXR" secondAttribute="centerX" id="V0a-Py-iEc"/>
                     <constraint firstItem="oFj-ol-xpL" firstAttribute="leading" secondItem="lvJ-Rk-UT5" secondAttribute="leading" priority="999" id="Z6G-l9-G4a"/>
-                    <constraint firstAttribute="centerX" secondItem="BbV-3h-mmL" secondAttribute="centerX" priority="900" id="acs-5J-vQY"/>
+                    <constraint firstItem="oFj-ol-xpL" firstAttribute="top" secondItem="eQb-0a-76J" secondAttribute="bottom" constant="8" id="abm-cM-PN0"/>
+                    <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="eQb-0a-76J" secondAttribute="trailing" constant="20" id="b0B-3w-grH"/>
                     <constraint firstItem="KEB-eH-x2Y" firstAttribute="leading" secondItem="oFj-ol-xpL" secondAttribute="leading" priority="999" id="b5A-M7-ZsD"/>
                     <constraint firstItem="KEB-eH-x2Y" firstAttribute="centerY" secondItem="PXc-xv-A28" secondAttribute="centerY" id="cHe-pZ-0Oq"/>
                     <constraint firstItem="cD5-Su-lXR" firstAttribute="top" secondItem="t8c-Fx-e5h" secondAttribute="bottom" constant="30" id="dYg-zP-wh2"/>
                     <constraint firstItem="h6f-PY-cc0" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="eSz-lz-Fdh"/>
-                    <constraint firstItem="4Li-ul-zIi" firstAttribute="top" secondItem="pc8-G9-4pJ" secondAttribute="top" id="fzY-94-y2n"/>
-                    <constraint firstAttribute="centerX" secondItem="t8c-Fx-e5h" secondAttribute="centerX" constant="-0.5" id="h3d-Kc-q88"/>
+                    <constraint firstItem="f1p-GL-O3o" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="fGd-YS-phP"/>
+                    <constraint firstAttribute="centerX" secondItem="t8c-Fx-e5h" secondAttribute="centerX" id="h3d-Kc-q88"/>
                     <constraint firstItem="BbV-3h-mmL" firstAttribute="leading" secondItem="7ua-5a-uSd" secondAttribute="trailing" constant="12" id="ioO-NJ-Jqo"/>
                     <constraint firstItem="C3G-wL-u7w" firstAttribute="centerY" secondItem="lvJ-Rk-UT5" secondAttribute="centerY" id="jfs-YI-7Ae"/>
                     <constraint firstItem="lvJ-Rk-UT5" firstAttribute="trailing" secondItem="KEB-eH-x2Y" secondAttribute="trailing" id="jlD-Lo-abc"/>
                     <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="oFj-ol-xpL" secondAttribute="trailing" constant="20" id="kOG-Cj-hFG"/>
                     <constraint firstItem="oFj-ol-xpL" firstAttribute="trailing" secondItem="lvJ-Rk-UT5" secondAttribute="trailing" id="lse-kg-lA2"/>
+                    <constraint firstItem="eQb-0a-76J" firstAttribute="top" secondItem="KEB-eH-x2Y" secondAttribute="bottom" constant="8" id="m2z-1O-ifB"/>
                     <constraint firstItem="d9e-Wv-Y5H" firstAttribute="trailing" secondItem="KEB-eH-x2Y" secondAttribute="trailing" id="pdq-a6-Y73"/>
                     <constraint firstAttribute="centerX" secondItem="7ua-5a-uSd" secondAttribute="centerX" constant="61" id="phL-j9-rPq"/>
                     <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="lvJ-Rk-UT5" secondAttribute="trailing" constant="20" id="qKi-KT-jzJ"/>
-                    <constraint firstItem="PXc-xv-A28" firstAttribute="bottom" secondItem="h6f-PY-cc0" secondAttribute="top" constant="-8" id="sG1-gQ-Qoo"/>
                     <constraint firstItem="C3G-wL-u7w" firstAttribute="bottom" secondItem="PXc-xv-A28" secondAttribute="top" constant="-8" id="snd-8T-LjC"/>
                     <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="d9e-Wv-Y5H" secondAttribute="trailing" constant="20" id="stz-Vm-Kxo"/>
                     <constraint firstItem="PXc-xv-A28" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="tAa-1s-xVZ"/>
+                    <constraint firstItem="d9e-Wv-Y5H" firstAttribute="width" secondItem="eQb-0a-76J" secondAttribute="width" id="u4p-1B-x5B"/>
                     <constraint firstAttribute="bottom" secondItem="BbV-3h-mmL" secondAttribute="bottom" constant="35" id="ukF-FH-DE8"/>
-                    <constraint firstItem="d9e-Wv-Y5H" firstAttribute="baseline" secondItem="pc8-G9-4pJ" secondAttribute="baseline" id="xGd-Xr-3Z0"/>
                     <constraint firstItem="pc8-G9-4pJ" firstAttribute="bottom" secondItem="C3G-wL-u7w" secondAttribute="top" constant="-8" id="zst-nc-VqA"/>
                 </constraints>
             </view>
-            <point key="canvasLocation" x="113" y="777.5"/>
+            <point key="canvasLocation" x="112.5" y="308"/>
         </window>
     </objects>
     <resources>

Source/SantaGUI/SNTAppDelegate.m

@@ -16,11 +16,13 @@
 
 #import "SNTAboutWindowController.h"
 #import "SNTConfigurator.h"
+#import "SNTFileWatcher.h"
 #import "SNTNotificationManager.h"
 #import "SNTXPCConnection.h"
 
 @interface SNTAppDelegate ()
 @property SNTAboutWindowController *aboutWindowController;
+@property SNTFileWatcher *configFileWatcher;
 @property SNTNotificationManager *notificationManager;
 @property SNTXPCConnection *listener;
 @end
@@ -31,7 +33,12 @@
 
 - (void)applicationDidFinishLaunching:(NSNotification *)aNotification {
   [self setupMenu];
-  self.aboutWindowController = [[SNTAboutWindowController alloc] init];
+
+  self.configFileWatcher = [[SNTFileWatcher alloc] initWithFilePath:kDefaultConfigFilePath
+                                                            handler:^{
+      [[SNTConfigurator configurator] reloadConfigData];
+  }];
+
   self.notificationManager = [[SNTNotificationManager alloc] init];
 
   NSNotificationCenter *workspaceNotifications = [[NSWorkspace sharedWorkspace] notificationCenter];
@@ -45,12 +52,10 @@
                                object:nil];
 
   [self createConnection];
-
-  // Load configuration from disk ready for first message.
-  (void)[SNTConfigurator configurator];
 }
 
 - (BOOL)applicationShouldHandleReopen:(NSApplication *)sender hasVisibleWindows:(BOOL)flag {
+  self.aboutWindowController = [[SNTAboutWindowController alloc] init];
   [self.aboutWindowController showWindow:self];
   return NO;
 }
@@ -60,14 +65,12 @@
 - (void)createConnection {
   __weak __typeof(self) weakSelf = self;
 
-  self.listener =
-      [[SNTXPCConnection alloc] initClientWithName:[SNTXPCNotifierInterface serviceId]
-                                           options:NSXPCConnectionPrivileged];
+  self.listener = [[SNTXPCConnection alloc] initClientWithName:[SNTXPCNotifierInterface serviceId]
+                                                       options:NSXPCConnectionPrivileged];
   self.listener.exportedInterface = [SNTXPCNotifierInterface notifierInterface];
   self.listener.exportedObject = self.notificationManager;
   self.listener.rejectedHandler = ^{
-      [weakSelf performSelectorInBackground:@selector(attemptReconnection)
-                                 withObject:nil];
+      [weakSelf attemptReconnection];
   };
   self.listener.invalidationHandler = self.listener.rejectedHandler;
   [self.listener resume];
@@ -82,9 +85,7 @@
 - (void)attemptReconnection {
   // TODO(rah): Make this smarter.
   sleep(10);
-  [self performSelectorOnMainThread:@selector(createConnection)
-                         withObject:nil
-                      waitUntilDone:NO];
+  [self performSelectorOnMainThread:@selector(createConnection) withObject:nil waitUntilDone:NO];
 }
 
 #pragma mark Menu Management

Source/SantaGUI/SNTMessageWindow.m

@@ -26,6 +26,7 @@
 
 - (IBAction)fadeIn:(id)sender {
   [self setAlphaValue:0.f];
+  [self center];
   [self makeKeyAndOrderFront:sender];
   [NSAnimationContext beginGrouping];
   [[NSAnimationContext currentContext] setDuration:0.15f];

Source/SantaGUI/SNTMessageWindowController.h

@@ -37,7 +37,7 @@
 ///
 ///  The custom message to display for this event
 ///
-@property NSString *customMessage;
+@property(copy) NSString *customMessage;
 
 ///
 ///  The delegate to inform when the notification is dismissed
@@ -47,12 +47,12 @@
 ///
 ///  A 'friendly' string representing the certificate information
 ///
-@property(readonly) NSString *publisherInfo;
+@property(readonly, nonatomic) NSString *publisherInfo;
 
 ///
 ///  An optional message to display with this block.
 ///
-@property(readonly) NSAttributedString *attributedCustomMessage;
+@property(readonly, nonatomic) NSAttributedString *attributedCustomMessage;
 
 ///
 ///  Reference to the "Open Event" button in the XIB. Used to either remove the button

Source/SantaGUI/SNTMessageWindowController.m

@@ -36,7 +36,7 @@
 - (void)loadWindow {
   [super loadWindow];
   [self.window setLevel:NSPopUpMenuWindowLevel];
-  [self.window center];
+  [self.window setMovableByWindowBackground:YES];
 
   if (![[SNTConfigurator configurator] eventDetailURL]) {
     [self.openEventButton removeFromSuperview];
@@ -76,15 +76,15 @@
 }
 
 - (IBAction)openEventDetails:(id)sender {
-  NSString *formatStr = [[SNTConfigurator configurator] eventDetailURL];
+  SNTConfigurator *config = [SNTConfigurator configurator];
 
+  NSString *formatStr = config.eventDetailURL;
   formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%file_sha%"
                                                    withString:self.event.fileSHA256];
   formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%username%"
                                                    withString:self.event.executingUser];
-  formatStr =
-      [formatStr stringByReplacingOccurrencesOfString:@"%machine_id%"
-                                           withString:[[SNTConfigurator configurator] machineID]];
+  formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%machine_id%"
+                                                   withString:config.machineID];
 
   [self closeWindow:sender];
   [[NSWorkspace sharedWorkspace] openURL:[NSURL URLWithString:formatStr]];
@@ -100,6 +100,10 @@
   }
 }
 
+- (NSString *)shortenedHash {
+  return [self.event.fileSHA256 substringWithRange:NSMakeRange(0, 10)];
+}
+
 - (NSString *)publisherInfo {
   SNTCertificate *leafCert = [self.event.signingChain firstObject];
 
@@ -126,7 +130,7 @@
   NSString *htmlFooter = @"</body></html>";
 
   NSString *message;
-  if (self.customMessage && ![self.customMessage isEqual:@""]) {
+  if ([self.customMessage length] > 0) {
     message = self.customMessage;
   } else {
     message = @"The following application has been blocked from executing<br />"

Source/SantaGUI/SNTNotificationManager.h

@@ -20,5 +20,4 @@
 ///
 @interface SNTNotificationManager : NSObject<SNTMessageWindowControllerDelegate, SNTNotifierXPC>
 
-
 @end

Source/SantaGUI/SNTNotificationManager.m

@@ -54,8 +54,8 @@
 
 - (void)postBlockNotification:(SNTStoredEvent *)event withCustomMessage:(NSString *)message {
   // See if this binary is already in the list of pending notifications.
-  NSPredicate *predicate = [NSPredicate predicateWithFormat:@"event.fileSHA256==%@",
-                               event.fileSHA256];
+  NSPredicate *predicate =
+      [NSPredicate predicateWithFormat:@"event.fileSHA256==%@", event.fileSHA256];
   if ([[self.pendingNotifications filteredArrayUsingPredicate:predicate] count]) return;
 
   if (!event) {

Source/common/SNTCertificate.h

@@ -53,59 +53,59 @@
 ///
 ///  Access the underlying certificate ref.
 ///
-@property(readonly) SecCertificateRef certRef;
+@property(readonly, nonatomic) SecCertificateRef certRef;
 
 ///
 ///  SHA-1 hash of the certificate data.
 ///
-@property(readonly) NSString *SHA1;
+@property(readonly, nonatomic) NSString *SHA1;
 
 ///
 ///  SHA-256 hash of the certificate data.
 ///
-@property(readonly) NSString *SHA256;
+@property(readonly, nonatomic) NSString *SHA256;
 
 ///
 ///  Certificate data.
 ///
-@property(readonly) NSData *certData;
+@property(readonly, nonatomic) NSData *certData;
 
 ///
 ///  Common Name e.g: "Software Signing"
 ///
-@property(readonly) NSString *commonName;
+@property(readonly, nonatomic) NSString *commonName;
 
 ///
 ///  Country Name e.g: "US"
 ///
-@property(readonly) NSString *countryName;
+@property(readonly, nonatomic) NSString *countryName;
 
 ///
 ///  Organizational Name e.g: "Apple Inc."
 ///
-@property(readonly) NSString *orgName;
+@property(readonly, nonatomic) NSString *orgName;
 
 ///
 ///  Organizational Unit Name e.g: "Apple Software"
 ///
-@property(readonly) NSString *orgUnit;
+@property(readonly, nonatomic) NSString *orgUnit;
 
 ///
 ///  Issuer details, same fields as above.
 ///
-@property(readonly) NSString *issuerCommonName;
-@property(readonly) NSString *issuerCountryName;
-@property(readonly) NSString *issuerOrgName;
-@property(readonly) NSString *issuerOrgUnit;
+@property(readonly, nonatomic) NSString *issuerCommonName;
+@property(readonly, nonatomic) NSString *issuerCountryName;
+@property(readonly, nonatomic) NSString *issuerOrgName;
+@property(readonly, nonatomic) NSString *issuerOrgUnit;
 
 ///
 ///  Validity Not Before
 ///
-@property(readonly) NSDate *validFrom;
+@property(readonly, nonatomic) NSDate *validFrom;
 
 ///
 ///  Validity Not After
 ///
-@property(readonly) NSDate *validUntil;
+@property(readonly, nonatomic) NSDate *validUntil;
 
 @end

Source/common/SNTCertificate.m

@@ -80,9 +80,9 @@ static NSString *const kCertDataKey = @"certData";
   NSData *output = nil;
 
   if (SecTransformSetAttribute(transform,
-                             kSecTransformInputAttributeName,
-                             (__bridge CFDataRef)input,
-                             NULL)) {
+                               kSecTransformInputAttributeName,
+                               (__bridge CFDataRef)input,
+                               NULL)) {
     output = CFBridgingRelease(SecTransformExecute(transform, NULL));
   }
   if (transform) CFRelease(transform);
@@ -126,11 +126,12 @@ static NSString *const kCertDataKey = @"certData";
 
 #pragma mark Equality & description
 
-- (BOOL)isEqual:(SNTCertificate *)other {
+- (BOOL)isEqual:(id)other {
   if (self == other) return YES;
   if (![other isKindOfClass:[SNTCertificate class]]) return NO;
 
-  return [self.certData isEqual:other.certData];
+  SNTCertificate *o = other;
+  return [self.certData isEqual:o.certData];
 }
 
 - (NSUInteger)hash {
@@ -138,10 +139,8 @@ static NSString *const kCertDataKey = @"certData";
 }
 
 - (NSString *)description {
-  return [NSString stringWithFormat:@"/O=%@/OU=%@/CN=%@",
-          self.orgName,
-          self.orgUnit,
-          self.commonName];
+  return
+      [NSString stringWithFormat:@"/O=%@/OU=%@/CN=%@", self.orgName, self.orgUnit, self.commonName];
 }
 
 #pragma mark NSSecureCoding
@@ -227,7 +226,7 @@ static NSString *const kCertDataKey = @"certData";
     }
     return nil;
   }
-  @catch (NSException *exception) {
+  @catch (NSException *e) {
     return nil;
   }
 }

Source/common/SNTCodesignChecker.h

@@ -38,12 +38,12 @@
 ///
 ///  Returns the leaf certificate that this binary was signed with
 ///
-@property(readonly) SNTCertificate *leafCertificate;
+@property(readonly, nonatomic) SNTCertificate *leafCertificate;
 
 ///
 ///  Returns the on-disk path of this binary.
 ///
-@property(readonly) NSString *binaryPath;
+@property(readonly, nonatomic) NSString *binaryPath;
 
 ///
 ///  Designated initializer

Source/common/SNTCodesignChecker.m

@@ -18,7 +18,6 @@
 
 #import "SNTCertificate.h"
 
-
 /**
  *  kStaticSigningFlags are the flags used when validating signatures on disk.
  *
@@ -38,15 +37,14 @@
  *       kSecCSDoNotValidateResources:                         0.032s
  *       kSecCSDoNotValidateResources | kSecCSCheckNestedCode: 0.033s
  */
-const SecCSFlags kStaticSigningFlags = kSecCSDoNotValidateResources | kSecCSCheckNestedCode;
+static const SecCSFlags kStaticSigningFlags = kSecCSDoNotValidateResources | kSecCSCheckNestedCode;
 
 /**
  *  kSigningFlags are the flags used when validating signatures for running binaries.
  *
  *  No special flags needed currently.
  */
-const SecCSFlags kSigningFlags = kSecCSDefaultFlags;
-
+static const SecCSFlags kSigningFlags = kSecCSDefaultFlags;
 
 @interface SNTCodesignChecker ()
 /// Array of @c SNTCertificate's representing the chain of certs this executable was signed with.
@@ -87,7 +85,7 @@ const SecCSFlags kSigningFlags = kSecCSDefaultFlags;
 
     // Wrap SecCertificateRef objects in SNTCertificate and put in a new NSArray
     NSMutableArray *mutableCerts = [[NSMutableArray alloc] initWithCapacity:certs.count];
-    for (int i = 0; i < certs.count; ++i) {
+    for (NSUInteger i = 0; i < certs.count; ++i) {
       SecCertificateRef certRef = (__bridge SecCertificateRef)certs[i];
       SNTCertificate *newCert = [[SNTCertificate alloc] initWithSecCertificateRef:certRef];
       [mutableCerts addObject:newCert];
@@ -105,10 +103,10 @@ const SecCSFlags kSigningFlags = kSecCSDefaultFlags;
   SecStaticCodeRef codeRef = NULL;
 
   // Get SecStaticCodeRef for binary
-  if (SecStaticCodeCreateWithPath((__bridge CFURLRef)[NSURL fileURLWithPath:binaryPath
-                                                                isDirectory:NO],
-                                  kSecCSDefaultFlags,
-                                  &codeRef) == errSecSuccess) {
+  if (SecStaticCodeCreateWithPath(
+          (__bridge CFURLRef)[NSURL fileURLWithPath:binaryPath isDirectory:NO],
+          kSecCSDefaultFlags,
+          &codeRef) == errSecSuccess) {
     self = [self initWithSecStaticCodeRef:codeRef];
   } else {
     self = nil;
@@ -120,12 +118,13 @@ const SecCSFlags kSigningFlags = kSecCSDefaultFlags;
 
 - (instancetype)initWithPID:(pid_t)PID {
   SecCodeRef codeRef = NULL;
-  NSDictionary *attributes = @{(__bridge NSString *)kSecGuestAttributePid: @(PID)};
+  NSDictionary *attributes = @{ (__bridge NSString *)kSecGuestAttributePid : @(PID) };
 
-  if (SecCodeCopyGuestWithAttributes(NULL,
-                                     (__bridge CFDictionaryRef)attributes,
-                                     kSecCSDefaultFlags,
-                                     &codeRef) == errSecSuccess) {
+  if (SecCodeCopyGuestWithAttributes(
+          NULL,
+          (__bridge CFDictionaryRef)attributes,
+          kSecCSDefaultFlags,
+          &codeRef) == errSecSuccess) {
     self = [self initWithSecStaticCodeRef:codeRef];
   } else {
     self = nil;
@@ -170,9 +169,7 @@ const SecCSFlags kSigningFlags = kSecCSDefaultFlags;
   }
 
   return [NSString stringWithFormat:@"%@ binary, signed by %@, located at: %@",
-             binarySource,
-             self.leafCertificate.orgName,
-             self.binaryPath];
+              binarySource, self.leafCertificate.orgName, self.binaryPath];
 }
 
 #pragma mark Public accessors
@@ -183,7 +180,7 @@ const SecCSFlags kSigningFlags = kSecCSDefaultFlags;
 
 - (NSString *)binaryPath {
   CFURLRef path;
-  OSStatus status = SecCodeCopyPath(_codeRef, kSecCSDefaultFlags, &path);
+  OSStatus status = SecCodeCopyPath(self.codeRef, kSecCSDefaultFlags, &path);
   NSURL *pathURL = CFBridgingRelease(path);
   if (status != errSecSuccess) return nil;
   return [pathURL path];

Source/common/SNTCommonEnums.h

@@ -65,4 +65,8 @@ typedef enum {
   EVENTSTATE_MAX
 } santa_eventstate_t;
 
+static const char *kKextPath = "/Library/Extensions/santa-driver.kext";
+static const char *kSantaDPath = "/Library/Extensions/santa-driver.kext/Contents/MacOS/santad";
+static const char *kSantaCtlPath = "/Library/Extensions/santa-driver.kext/Contents/MacOS/santactl";
+
 #endif  // SANTA__COMMON__COMMONENUMS_H

Source/common/SNTConfigurator.h

@@ -16,29 +16,41 @@
 
 ///
 ///  Singleton that provides an interface for managing configuration values on disk
-///  @note This class is designed as a singleton but that is not enforced.
+///  @note This class is designed as a singleton but that is not strictly enforced.
 ///
 @interface SNTConfigurator : NSObject
 
+///  Default config file path
+extern NSString * const kDefaultConfigFilePath;
+
 #pragma mark - Daemon Settings
 
 ///
-///  The operating mode
+///  The operating mode.
 ///
-@property santa_clientmode_t clientMode;
+@property(nonatomic) santa_clientmode_t clientMode;
 
 ///
 ///  Whether or not to log all events, even for whitelisted binaries.
 ///
-@property BOOL logAllEvents;
+@property(nonatomic) BOOL logAllEvents;
 
-# pragma mark - GUI Settings
+///
+///  The regex of whitelisted paths. Regexes are specified in ICU format.
+///
+///  The regex flags IXSM can be used, though the s (dotall) and m (multiline) flags are
+///  pointless as a path only ever a single line.
+///  If the regex doesn't begin with ^ to match from the beginning of the line, it will be added.
+///
+@property(nonatomic) NSRegularExpression *whitelistPathRegex;
+
+#pragma mark - GUI Settings
 
 ///
 ///  The URL to open when the user clicks "More Info..." when opening Santa.app.
 ///  If unset, the button will not be displayed.
 ///
-@property(readonly) NSURL *moreInfoURL;
+@property(readonly, nonatomic) NSURL *moreInfoURL;
 
 ///
 ///  When the user gets a block notification, a button can be displayed which will
@@ -54,77 +66,88 @@
 ///
 ///  If this item isn't set, the Open Event button will not be displayed.
 ///
-@property(readonly) NSString *eventDetailURL;
+@property(readonly, nonatomic) NSString *eventDetailURL;
 
 ///
 ///  Related to the above property, this string represents the text to show on the button.
 ///
-@property(readonly) NSString *eventDetailText;
+@property(readonly, nonatomic) NSString *eventDetailText;
 
-# pragma mark - Sync Settings
+#pragma mark - Sync Settings
 
 ///
-///  The base URL of the sync server
+///  The base URL of the sync server.
 ///
-@property(readonly) NSURL *syncBaseURL;
+@property(readonly, nonatomic) NSURL *syncBaseURL;
 
 ///
-///  The machine owner
+///  If YES, mid-execution event uploads are skipped.
+///  This property is never stored on disk.
 ///
-@property(readonly) NSString *machineOwner;
+@property BOOL syncBackOff;
 
 ///
-///  If set, this over-rides the default machine ID used for syncing
+///  The machine owner.
 ///
-@property(readonly) NSString *machineID;
+@property(readonly, nonatomic) NSString *machineOwner;
 
-# pragma mark Server Auth Settings
+///
+///  If set, this over-rides the default machine ID used for syncing.
+///
+@property(readonly, nonatomic) NSString *machineID;
+
+#pragma mark Server Auth Settings
 
 ///
 ///  If set, this is valid PEM containing one or more certificates to be used to evaluate the
 ///  server's SSL chain, overriding the list of trusted CAs distributed with the OS.
 ///
-@property(readonly) NSData *syncServerAuthRootsData;
+@property(readonly, nonatomic) NSData *syncServerAuthRootsData;
 
 ///
 ///  This property is the same as the above but is a file on disk containing the PEM data.
 ///
-@property(readonly) NSString *syncServerAuthRootsFile;
+@property(readonly, nonatomic) NSString *syncServerAuthRootsFile;
 
-# pragma mark Client Auth Settings
+#pragma mark Client Auth Settings
 
 ///
 ///  If set, this contains the location of a PKCS#12 certificate to be used for sync authentication.
 ///
-@property(readonly) NSString *syncClientAuthCertificateFile;
+@property(readonly, nonatomic) NSString *syncClientAuthCertificateFile;
 
 ///
 ///  Contains the password for the pkcs#12 certificate.
 ///
-@property(readonly) NSString *syncClientAuthCertificatePassword;
+@property(readonly, nonatomic) NSString *syncClientAuthCertificatePassword;
 
 ///
 ///  If set, this is the Common Name of a certificate in the System keychain to be used for
 ///  sync authentication. The corresponding private key must also be in the keychain.
 ///
-@property(readonly) NSString *syncClientAuthCertificateCn;
+@property(readonly, nonatomic) NSString *syncClientAuthCertificateCn;
 
 ///
 ///  If set, this is the Issuer Name of a certificate in the System keychain to be used for
 ///  sync authentication. The corresponding private key must also be in the keychain.
 ///
-@property(readonly) NSString *syncClientAuthCertificateIssuer;
+@property(readonly, nonatomic) NSString *syncClientAuthCertificateIssuer;
 
 ///
-///  Retrieve an initialized singleton configurator object using the default file path
+///  Retrieve an initialized singleton configurator object using the default file path.
 ///
 + (instancetype)configurator;
 
 ///
-///  Designated initializer
+///  Designated initializer.
 ///
 ///  @param filePath The path to the file to use as a backing store.
 ///
 - (instancetype)initWithFilePath:(NSString *)filePath;
 
+///
+///  Re-read config data from disk.
+///
+- (void)reloadConfigData;
+
 @end

Source/common/SNTConfigurator.m

@@ -21,20 +21,21 @@
 @property NSString *configFilePath;
 @property NSMutableDictionary *configData;
 
-@property dispatch_source_t fileMonitoringSource;
-@property(strong) void (^fileEventHandler)(void);
-@property(strong) void (^fileCancelHandler)(void);
+/// Creating NSRegularExpression objects is not fast, so cache it.
+@property NSRegularExpression *cachedWhitelistDirRegex;
 
+/// Array of keys that cannot be changed while santad is running if santad didn't make the change.
+@property(readonly) NSArray *protectedKeys;
 @end
 
 @implementation SNTConfigurator
 
 /// The hard-coded path to the config file
-static NSString * const kConfigFilePath = @"/var/db/santa/config.plist";
+NSString * const kDefaultConfigFilePath = @"/var/db/santa/config.plist";
 
 /// The keys in the config file
 static NSString * const kClientModeKey = @"ClientMode";
-
+static NSString * const kWhitelistRegexKey = @"WhitelistRegex";
 static NSString * const kLogAllEventsKey = @"LogAllEvents";
 
 static NSString * const kMoreInfoURLKey = @"MoreInfoURL";
@@ -62,23 +63,88 @@ static NSString * const kMachineIDPlistKeyKey = @"MachineIDKey";
   self = [super init];
   if (self) {
     _configFilePath = filePath;
-    [self beginWatchingConfigFile];
+    [self reloadConfigData];
   }
   return self;
 }
 
-# pragma mark Singleton retriever
+#pragma mark Singleton retriever
 
 + (instancetype)configurator {
   static SNTConfigurator *sharedConfigurator = nil;
   static dispatch_once_t onceToken;
   dispatch_once(&onceToken, ^{
-    sharedConfigurator = [[SNTConfigurator alloc] initWithFilePath:kConfigFilePath];
+      sharedConfigurator = [[SNTConfigurator alloc] initWithFilePath:kDefaultConfigFilePath];
   });
   return sharedConfigurator;
 }
 
-# pragma mark Public Interface
+#pragma mark Protected Keys
+
+- (NSArray *)protectedKeys {
+  return @[ kClientModeKey, kWhitelistRegexKey ];
+}
+
+#pragma mark Public Interface
+
+- (santa_clientmode_t)clientMode {
+  int cm = [self.configData[kClientModeKey] intValue];
+  if (cm > CLIENTMODE_UNKNOWN && cm < CLIENTMODE_MAX) {
+    return (santa_clientmode_t)cm;
+  } else {
+    self.configData[kClientModeKey] = @(CLIENTMODE_MONITOR);
+    return CLIENTMODE_MONITOR;
+  }
+}
+
+- (void)setClientMode:(santa_clientmode_t)newMode {
+  if (newMode > CLIENTMODE_UNKNOWN && newMode < CLIENTMODE_MAX) {
+    self.configData[kClientModeKey] = @(newMode);
+    [self saveConfigToDisk];
+  }
+}
+
+- (NSRegularExpression *)whitelistPathRegex {
+  if (!self.cachedWhitelistDirRegex && self.configData[kWhitelistRegexKey]) {
+    NSString *re = self.configData[kWhitelistRegexKey];
+    if (![re hasPrefix:@"^"]) re = [@"^" stringByAppendingString:re];
+    self.cachedWhitelistDirRegex = [NSRegularExpression regularExpressionWithPattern:re
+                                                                             options:0
+                                                                               error:nil];
+  }
+  return self.cachedWhitelistDirRegex;
+}
+
+- (void)setWhitelistPathRegex:(NSRegularExpression *)re {
+  if (!re) {
+    [self.configData removeObjectForKey:kWhitelistRegexKey];
+  } else {
+    self.configData[kWhitelistRegexKey] = [re pattern];
+  }
+  self.cachedWhitelistDirRegex = nil;
+  [self saveConfigToDisk];
+}
+
+- (BOOL)logAllEvents {
+  return [self.configData[kLogAllEventsKey] boolValue];
+}
+
+- (void)setLogAllEvents:(BOOL)logAllEvents {
+  self.configData[kLogAllEventsKey] = @(logAllEvents);
+  [self saveConfigToDisk];
+}
+
+- (NSURL *)moreInfoURL {
+  return [NSURL URLWithString:self.configData[kMoreInfoURLKey]];
+}
+
+- (NSString *)eventDetailURL {
+  return self.configData[kEventDetailURLKey];
+}
+
+- (NSString *)eventDetailText {
+  return self.configData[kEventDetailTextKey];
+}
 
 - (NSURL *)syncBaseURL {
   return [NSURL URLWithString:self.configData[kSyncBaseURLKey]];
@@ -109,17 +175,21 @@ static NSString * const kMachineIDPlistKeyKey = @"MachineIDKey";
 }
 
 - (NSString *)machineOwner {
+  NSString *machineOwner;
+
   if (self.configData[kMachineOwnerPlistFileKey] && self.configData[kMachineOwnerPlistKeyKey]) {
     NSDictionary *plist =
         [NSDictionary dictionaryWithContentsOfFile:self.configData[kMachineOwnerPlistFileKey]];
-    return plist[self.configData[kMachineOwnerPlistKeyKey]];
+    machineOwner = plist[self.configData[kMachineOwnerPlistKeyKey]];
   }
 
   if (self.configData[kMachineOwnerKey]) {
-    return self.configData[kMachineOwnerKey];
+    machineOwner = self.configData[kMachineOwnerKey];
   }
 
-  return @"";
+  if (!machineOwner) machineOwner = @"";
+
+  return machineOwner;
 }
 
 - (NSString *)machineID {
@@ -128,88 +198,26 @@ static NSString * const kMachineIDPlistKeyKey = @"MachineIDKey";
   if (self.configData[kMachineIDPlistFileKey] && self.configData[kMachineIDPlistKeyKey]) {
     NSDictionary *plist =
         [NSDictionary dictionaryWithContentsOfFile:self.configData[kMachineIDPlistFileKey]];
-    machineId = plist[kMachineIDPlistKeyKey];
+    machineId = plist[self.configData[kMachineIDPlistKeyKey]];
   }
 
   if (self.configData[kMachineIDKey]) {
     machineId = self.configData[kMachineIDKey];
   }
 
-  if (!machineId || [machineId isEqual:@""]) {
+  if ([machineId length] == 0) {
     machineId = [SNTSystemInfo hardwareUUID];
   }
 
   return machineId;
 }
 
-- (santa_clientmode_t)clientMode {
-  int cm = [self.configData[kClientModeKey] intValue];
-  if (cm > CLIENTMODE_UNKNOWN && cm < CLIENTMODE_MAX) {
-    return cm;
-  } else {
-    self.configData[kClientModeKey] = @(CLIENTMODE_MONITOR);
-    return CLIENTMODE_MONITOR;
-  }
-}
-
-- (void)setClientMode:(santa_clientmode_t)newMode {
-  if (newMode > CLIENTMODE_UNKNOWN && newMode < CLIENTMODE_MAX) {
-    self.configData[kClientModeKey] = @(newMode);
-    [self saveConfigToDisk];
-  }
-}
-
-- (BOOL)logAllEvents {
-  return [self.configData[kLogAllEventsKey] boolValue];
-}
-
-- (void)setLogAllEvents:(BOOL)logAllEvents {
-  self.configData[kLogAllEventsKey] = @(logAllEvents);
-  [self saveConfigToDisk];
-}
-
-- (NSURL *)moreInfoURL {
-  return [NSURL URLWithString:self.configData[kMoreInfoURLKey]];
-}
-
-- (NSString *)eventDetailURL {
-  return self.configData[kEventDetailURLKey];
-}
-
-- (NSString *)eventDetailText {
-  return self.configData[kEventDetailTextKey];
-}
-
-#pragma mark Private
-
-///
-///  Saves the current @c _configData to disk.
-///
-- (void)saveConfigToDisk {
-  [self.configData writeToFile:kConfigFilePath atomically:YES];
-}
-
-///
-///  Populate @c self.configData, using the config file on disk if possible,
-///  otherwise an empty mutable dictionary.
-///
-///  If the config file's permissions are not @c 0644, will attempt to set them
-///  but will fail silently if this cannot be done.
-///
 - (void)reloadConfigData {
   if (!self.configData) self.configData = [NSMutableDictionary dictionary];
 
   NSFileManager *fm = [NSFileManager defaultManager];
   if (![fm fileExistsAtPath:self.configFilePath]) return;
 
-  // Ensure the config file permissions are 0644. Fail silently if they can't be changed.
-  NSDictionary *fileAttrs = [fm attributesOfItemAtPath:self.configFilePath error:nil];
-  if ([fileAttrs filePosixPermissions] != 0644) {
-    [fm setAttributes:@{ NSFilePosixPermissions: @(0644) }
-         ofItemAtPath:self.configFilePath
-                error:nil];
-  }
-
   NSError *error;
   NSData *readData = [NSData dataWithContentsOfFile:self.configFilePath
                                             options:NSDataReadingMappedIfSafe
@@ -229,58 +237,29 @@ static NSString * const kMachineIDPlistKeyKey = @"MachineIDKey";
     return;
   }
 
-  // Ensure user isn't trying to change the client mode while running, only santactl can do that.
-  if (self.configData[kClientModeKey] && configData[kClientModeKey] &&
-      ![self.configData[kClientModeKey] isEqual:configData[kClientModeKey]]) {
-    LOGW(@"Client mode in config file was changed behind our back, resetting.");
-    NSMutableDictionary *configDataMutable = [configData mutableCopy];
-    configDataMutable[kClientModeKey] = self.configData[kClientModeKey];
-    self.configData = configDataMutable;
-    [self saveConfigToDisk];
-  } else {
-    self.configData = [configData mutableCopy];
+  // Ensure no-one is trying to change protected keys behind our back.
+  NSMutableDictionary *configDataMutable = [configData mutableCopy];
+  BOOL changed = NO;
+  for (NSString *key in self.protectedKeys) {
+    if (self.configData[key] && configData[key] &&
+        ![self.configData[key] isEqual:configData[key]] && geteuid() == 0) {
+      NSMutableDictionary *configDataMutable = [configData mutableCopy];
+      configDataMutable[key] = self.configData[key];
+      changed = YES;
+      LOGD(@"Ignoring changed configuration key: %@", key);
+    }
   }
+  self.configData = configDataMutable;
+  if (changed) [self saveConfigToDisk];
 }
 
-- (void)beginWatchingConfigFile {
-  if (self.fileMonitoringSource) return;
+#pragma mark Private
 
-  dispatch_queue_t queue = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0);
-  if (!queue) return;
-
-  __weak typeof(self) weakSelf = self;
-  int mask = (DISPATCH_VNODE_DELETE | DISPATCH_VNODE_WRITE |
-              DISPATCH_VNODE_EXTEND | DISPATCH_VNODE_RENAME);
-
-  self.fileEventHandler = ^{
-    unsigned long l = dispatch_source_get_data(weakSelf.fileMonitoringSource);
-    if (l & DISPATCH_VNODE_DELETE || l & DISPATCH_VNODE_RENAME) {
-      dispatch_source_cancel(weakSelf.fileMonitoringSource);
-    } else {
-      [weakSelf reloadConfigData];
-    }
-  };
-
-  self.fileCancelHandler = ^{
-    int fd;
-    if (weakSelf.fileMonitoringSource) {
-      fd = (int)dispatch_source_get_handle(weakSelf.fileMonitoringSource);
-      close(fd);
-    }
-
-    while ((fd = open([weakSelf.configFilePath fileSystemRepresentation], O_EVTONLY)) < 0) {
-      sleep(1);
-    }
-
-    weakSelf.fileMonitoringSource = dispatch_source_create(
-        DISPATCH_SOURCE_TYPE_VNODE, fd, mask, queue);
-    dispatch_source_set_event_handler(weakSelf.fileMonitoringSource, weakSelf.fileEventHandler);
-    dispatch_source_set_cancel_handler(weakSelf.fileMonitoringSource, weakSelf.fileCancelHandler);
-    dispatch_resume(weakSelf.fileMonitoringSource);
-    [weakSelf reloadConfigData];
-  };
-
-  dispatch_async(queue, self.fileCancelHandler);
+///
+///  Saves the current @c self.configData to disk.
+///
+- (void)saveConfigToDisk {
+  [self.configData writeToFile:self.configFilePath atomically:YES];
 }
 
 @end

Source/common/SNTDropRootPrivs.h

@@ -17,4 +17,4 @@
 ///
 ///  @return YES if dropping was successful or unnecessary.
 ///
-BOOL DropRootPrivileges();
+BOOL DropRootPrivileges(void);

Source/common/SNTDropRootPrivs.m

@@ -16,8 +16,9 @@
 
 BOOL DropRootPrivileges() {
   if (getuid() == 0 || geteuid() == 0 || getgid() == 0 || getegid() == 0) {
-    if (setgid(-2) != 0 || setgroups(0, NULL) != 0 || setegid(-2) != 0 ||
-        setuid(-2) != 0 || seteuid(-2) != 0) {
+    uid_t nobody = (uid_t)-2;
+    if (setgid(nobody) != 0 || setgroups(0, NULL) != 0 || setegid(nobody) != 0 ||
+        setuid(nobody) != 0 || seteuid(nobody) != 0) {
       return false;
     }
 

Source/common/SNTFileInfo.h

@@ -23,6 +23,16 @@
 ///
 ///  @param path The path of the file this instance is to represent. The path will be
 ///      converted to an absolute, standardized path if it isn't already.
+///  @param error If an error occurred and nil is returned, this will be a pointer to an NSError
+///      describing the problem.
+///
+- (instancetype)initWithPath:(NSString *)path error:(NSError **)error;
+
+///
+///  Convenience initializer.
+///
+///  @param path The path to the file this instance is to represent. The path will be
+///      converted to an absolute, standardized path if it isn't already.
 ///
 - (instancetype)initWithPath:(NSString *)path;
 

Source/common/SNTFileInfo.m

@@ -23,52 +23,47 @@
 @interface SNTFileInfo ()
 @property NSString *path;
 @property NSData *fileData;
+
+// Cached properties
+@property NSData *firstMachHeaderData;
 @property NSBundle *bundleRef;
 @property NSDictionary *infoDict;
+@property NSArray *architecturesArray;
 @end
 
 @implementation SNTFileInfo
 
-- (instancetype)initWithPath:(NSString *)path {
+- (instancetype)initWithPath:(NSString *)path error:(NSError **)error {
   self = [super init];
-
   if (self) {
-    // Convert to absolute, standardized path
-    path = [path stringByResolvingSymlinksInPath];
-    if (![path isAbsolutePath]) {
-      NSString *cwd = [[NSFileManager defaultManager] currentDirectoryPath];
-      path = [cwd stringByAppendingPathComponent:path];
-    }
-    path = [path stringByStandardizingPath];
-
-    // Determine if file exists.
-    // If path is actually a directory, check to see if it's a bundle and has a CFBundleExecutable.
-    BOOL directory;
-    if (![[NSFileManager defaultManager] fileExistsAtPath:path isDirectory:&directory]) {
-      return nil;
-    } else if (directory) {
-      NSString *infoPath = [path stringByAppendingPathComponent:@"Contents/Info.plist"];
-      NSDictionary *d = [NSDictionary dictionaryWithContentsOfFile:infoPath];
-      if (d && d[@"CFBundleExecutable"]) {
-        path = [path stringByAppendingPathComponent:@"Contents/MacOS"];
-        _path = [path stringByAppendingPathComponent:d[@"CFBundleExecutable"]];
-      } else {
-        return nil;
+    _path = [self resolvePath:path];
+    if (_path.length == 0) {
+      if (error) {
+        NSString *errStr = @"Unable to resolve empty path";
+        if (path) errStr = [@"Unable to resolve path: " stringByAppendingString:path];
+        *error = [NSError errorWithDomain:@"com.google.santa.fileinfo"
+                                     code:260
+                                 userInfo:@{ NSLocalizedDescriptionKey: errStr }];
       }
-    } else {
-      _path = path;
+      return nil;
     }
 
-    _fileData = [NSData dataWithContentsOfFile:_path options:NSDataReadingMappedIfSafe error:nil];
-    if (!_fileData) return nil;
+    _fileData = [NSData dataWithContentsOfFile:_path
+                                       options:NSDataReadingMappedIfSafe
+                                         error:error];
+    if (_fileData.length == 0) return nil;
   }
 
   return self;
 }
 
+- (instancetype)initWithPath:(NSString *)path {
+  return [self initWithPath:path error:NULL];
+}
+
 - (NSString *)SHA1 {
   unsigned char sha1[CC_SHA1_DIGEST_LENGTH];
-  CC_SHA1([self.fileData bytes], (unsigned int)[self.fileData length], sha1);
+  CC_SHA1(self.fileData.bytes, (unsigned int)self.fileData.length, sha1);
 
   // Convert the binary SHA into hex
   NSMutableString *buf = [[NSMutableString alloc] initWithCapacity:CC_SHA1_DIGEST_LENGTH * 2];
@@ -80,63 +75,66 @@
 }
 
 - (NSString *)SHA256 {
-  unsigned char sha2[CC_SHA256_DIGEST_LENGTH];
-  CC_SHA256(self.fileData.bytes, (unsigned int)self.fileData.length, sha2);
+  unsigned char sha256[CC_SHA256_DIGEST_LENGTH];
+  CC_SHA256(self.fileData.bytes, (unsigned int)self.fileData.length, sha256);
 
-  NSMutableString *buf = [[NSMutableString alloc] initWithCapacity:CC_SHA256_DIGEST_LENGTH *2];
+  NSMutableString *buf = [[NSMutableString alloc] initWithCapacity:CC_SHA256_DIGEST_LENGTH * 2];
   for (int i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) {
-    [buf appendFormat:@"%02x", (unsigned char)sha2[i]];
+    [buf appendFormat:@"%02x", (unsigned char)sha256[i]];
   }
 
   return buf;
 }
 
 - (NSString *)machoType {
-  if ([self isDylib])   { return @"Dynamic Library"; }
-  if ([self isKext])    { return @"Kernel Extension"; }
-  if ([self isFat])     { return @"Fat Binary"; }
-  if ([self isMachO])   { return @"Thin Binary"; }
-  if ([self isScript])  { return @"Script"; }
+  if ([self isDylib])  return @"Dynamic Library";
+  if ([self isKext])   return @"Kernel Extension";
+  if ([self isFat])    return @"Fat Binary";
+  if ([self isMachO])  return @"Thin Binary";
+  if ([self isScript]) return @"Script";
   return @"Unknown (not executable?)";
 }
 
 - (NSArray *)architectures {
-  if (![self isMachO]) return nil;
+  if (!self.architecturesArray) {
+    self.architecturesArray = (NSArray *)[NSNull null];
 
-  if ([self isFat]) {
-    NSMutableArray *ret = [[NSMutableArray alloc] init];
+    if ([self isFat]) {
+      NSMutableArray *ret = [[NSMutableArray alloc] init];
 
-    // Retrieve just the fat_header, if possible.
-    NSData *head = [self safeSubdataWithRange:NSMakeRange(0, sizeof(struct fat_header))];
-    if (!head) return nil;
-    struct fat_header *fat_header = (struct fat_header *)[head bytes];
+      // Retrieve just the fat_header, if possible.
+      NSData *head = [self safeSubdataWithRange:NSMakeRange(0, sizeof(struct fat_header))];
+      if (!head) return nil;
+      struct fat_header *fat_header = (struct fat_header *)[head bytes];
 
-    // Get number of architectures in the binary
-    uint32_t narch = NSSwapBigIntToHost(fat_header->nfat_arch);
+      // Get number of architectures in the binary
+      uint32_t narch = NSSwapBigIntToHost(fat_header->nfat_arch);
 
-    // Retrieve just the fat_arch's, make a mutable copy and if necessary swap the bytes
-    NSData *archs = [self safeSubdataWithRange:NSMakeRange(sizeof(struct fat_header),
-                                                           sizeof(struct fat_arch) * narch)];
-    if (!archs) return nil;
-    struct fat_arch *fat_archs = (struct fat_arch *)[archs bytes];
+      // Retrieve just the fat_arch's, make a mutable copy and if necessary swap the bytes
+      NSData *archs = [self safeSubdataWithRange:NSMakeRange(sizeof(struct fat_header),
+                                                             sizeof(struct fat_arch) * narch)];
+      if (!archs) return nil;
+      struct fat_arch *fat_archs = (struct fat_arch *)[archs bytes];
 
-    // For each arch, get the name of it's architecture
-    for (int i = 0; i < narch; ++i) {
-      [ret addObject:[self nameForCPUType:NSSwapBigIntToHost(fat_archs[i].cputype)]];
+      // For each arch, get the name of its architecture
+      for (uint32_t i = 0; i < narch; ++i) {
+        cpu_type_t cpu = (cpu_type_t)NSSwapBigIntToHost((unsigned int)fat_archs[i].cputype);
+        [ret addObject:[self nameForCPUType:cpu]];
+      }
+
+      self.architecturesArray = ret;
+    } else if ([self firstMachHeader]) {
+      struct mach_header *hdr = [self firstMachHeader];
+      self.architecturesArray = @[ [self nameForCPUType:hdr->cputype] ];
     }
-    return ret;
-  } else {
-    struct mach_header *hdr = [self firstMachHeader];
-    return @[ [self nameForCPUType:hdr->cputype] ];
   }
-  return nil;
+
+  return self.architecturesArray == (NSArray *)[NSNull null] ? nil : self.architecturesArray;
 }
 
 - (BOOL)isDylib {
   struct mach_header *mach_header = [self firstMachHeader];
-  if (!mach_header) return NO;
-  if (mach_header->filetype == MH_DYLIB ||
-      mach_header->filetype == MH_FVMLIB) {
+  if (mach_header && (mach_header->filetype == MH_DYLIB || mach_header->filetype == MH_FVMLIB)) {
     return YES;
   }
 
@@ -145,8 +143,7 @@
 
 - (BOOL)isKext {
   struct mach_header *mach_header = [self firstMachHeader];
-  if (!mach_header) return NO;
-  if (mach_header->filetype == MH_KEXT_BUNDLE) {
+  if (mach_header && mach_header->filetype == MH_KEXT_BUNDLE) {
     return YES;
   }
 
@@ -154,8 +151,7 @@
 }
 
 - (BOOL)isMachO {
-  return ([self.fileData length] >= 160 &&
-          ([self isMachHeader:(struct mach_header *)[self.fileData bytes]] || [self isFat]));
+  return [self firstMachHeader] != nil;
 }
 
 - (BOOL)isFat {
@@ -163,8 +159,6 @@
 }
 
 - (BOOL)isScript {
-  if ([self.fileData length] < 1) return NO;
-
   char magic[2];
   [self.fileData getBytes:&magic length:2];
 
@@ -183,15 +177,15 @@
   return NO;
 }
 
-# pragma mark Bundle Information
+#pragma mark Bundle Information
 
 ///
 ///  Try and determine the bundle that the represented executable is contained within, if any.
 ///
 ///  Rationale: An NSBundle has a method executablePath for discovering the main binary within a
-///  bundle but provides no way to get an NSBundle object when only the executablePath is known. Also,
-///  a bundle can contain multiple binaries within the MacOS folder and we want any of these to count
-///  as being part of the bundle.
+///  bundle but provides no way to get an NSBundle object when only the executablePath is known.
+///  Also a bundle can contain multiple binaries within the MacOS folder and we want any of these
+///  to count as being part of the bundle.
 ///
 ///  This method relies on executable bundles being laid out as follows:
 ///
@@ -206,21 +200,19 @@
 ///  NSBundle reference for Bundle.app.
 ///
 - (NSBundle *)bundle {
-  if (self.bundleRef) return self.bundleRef;
+  if (!self.bundleRef) {
+    self.bundleRef = (NSBundle *)[NSNull null];
 
-  NSArray *pathComponents = [self.path pathComponents];
+    // Check that the full path is at least 4-levels deep:
+    // e.g: /Calendar.app/Contents/MacOS/Calendar
+    NSArray *pathComponents = [self.path pathComponents];
+    if ([pathComponents count] < 4) return nil;
 
-  // Check that the full path is at least 4-levels deep:
-  // e.g: /Calendar.app/Contents/MacOS/Calendar
-  if ([pathComponents count] < 4) return nil;
-
-  pathComponents = [pathComponents subarrayWithRange:NSMakeRange(0, [pathComponents count] - 3)];
-  self.bundleRef = [NSBundle bundleWithPath:[NSString pathWithComponents:pathComponents]];
-
-  // Clear the bundle if it doesn't have a bundle ID
-  if (![self.bundleRef objectForInfoDictionaryKey:@"CFBundleIdentifier"]) self.bundleRef = nil;
-
-  return self.bundleRef;
+    pathComponents = [pathComponents subarrayWithRange:NSMakeRange(0, [pathComponents count] - 3)];
+    NSBundle *bndl = [NSBundle bundleWithPath:[NSString pathWithComponents:pathComponents]];
+    if (bndl && [bndl objectForInfoDictionaryKey:@"CFBundleIdentifier"]) self.bundleRef = bndl;
+  }
+  return self.bundleRef == (NSBundle *)[NSNull null] ? nil : self.bundleRef;
 }
 
 - (NSString *)bundlePath {
@@ -228,38 +220,42 @@
 }
 
 - (NSDictionary *)infoPlist {
-  if (self.infoDict) return self.infoDict;
+  if (!self.infoDict) {
+    self.infoDict = (NSDictionary *)[NSNull null];
 
-  if ([self bundle]) {
-    self.infoDict = [[self bundle] infoDictionary];
-    return self.infoDict;
+    if ([self bundle] && [self.bundle infoDictionary]) {
+      self.infoDict = [self.bundle infoDictionary];
+    } else {
+      // Binaries with embedded Info.plist aren't in an NSBundle but
+      // CFBundleCopyInfoDictionaryForURL will return the embedded info dict.
+      NSURL *url = [NSURL fileURLWithPath:self.path isDirectory:NO];
+      NSDictionary *infoDict =
+      (__bridge_transfer NSDictionary *)CFBundleCopyInfoDictionaryForURL((__bridge CFURLRef)url);
+      if (infoDict) self.infoDict = infoDict;
+    }
   }
-
-  NSURL *url = [NSURL fileURLWithPath:self.path isDirectory:NO];
-  self.infoDict =
-      (__bridge_transfer NSDictionary*)CFBundleCopyInfoDictionaryForURL((__bridge CFURLRef) url);
-  return self.infoDict;
+  return self.infoDict == (NSDictionary *)[NSNull null] ? nil : self.infoDict;
 }
 
 - (NSString *)bundleIdentifier {
-  return [[self infoPlist] objectForKey:@"CFBundleIdentifier"];
+  return [self.infoPlist objectForKey:@"CFBundleIdentifier"];
 }
 
 - (NSString *)bundleName {
-  return [[self infoPlist] objectForKey:@"CFBundleName"];
+  return [self.infoPlist objectForKey:@"CFBundleName"];
 }
 
 - (NSString *)bundleVersion {
-  return [[self infoPlist] objectForKey:@"CFBundleVersion"];
+  return [self.infoPlist objectForKey:@"CFBundleVersion"];
 }
 
 - (NSString *)bundleShortVersionString {
-  return [[self infoPlist] objectForKey:@"CFBundleShortVersionString"];
+  return [self.infoPlist objectForKey:@"CFBundleShortVersionString"];
 }
 
 - (NSArray *)downloadURLs {
   char *path = (char *)[self.path fileSystemRepresentation];
-  size_t size = getxattr(path, "com.apple.metadata:kMDItemWhereFroms", NULL, 0, 0, 0);
+  size_t size = (size_t)getxattr(path, "com.apple.metadata:kMDItemWhereFroms", NULL, 0, 0, 0);
   char *value = malloc(size);
   if (!value) return nil;
 
@@ -282,7 +278,7 @@
   return nil;
 }
 
-# pragma mark Internal Methods
+#pragma mark Internal Methods
 
 ///
 ///  Look through the file for the first mach_header. If the file is thin, this will be the
@@ -290,30 +286,31 @@
 ///  architecture-specific header.
 ///
 - (struct mach_header *)firstMachHeader {
-  if (![self isMachO]) return NULL;
+  if (!self.firstMachHeaderData) {
+    self.firstMachHeaderData = (NSData *)[NSNull null];
 
-  struct mach_header *mach_header = (struct mach_header *)[self.fileData bytes];
-  struct fat_header *fat_header = (struct fat_header *)[self.fileData bytes];
+    if ([self isFatHeader:(struct fat_header *)[self.fileData bytes]]) {
+      // Get the bytes for the fat_arch
+      NSData *archHdr = [self safeSubdataWithRange:NSMakeRange(sizeof(struct fat_header),
+                                                               sizeof(struct fat_arch))];
+      if (!archHdr) return NULL;
+      struct fat_arch *fat_arch = (struct fat_arch *)[archHdr bytes];
 
-  if ([self isFatHeader:fat_header]) {
-    // Get the bytes for the fat_arch
-    NSData *archHdr = [self safeSubdataWithRange:NSMakeRange(sizeof(struct fat_header),
-                                                             sizeof(struct fat_arch))];
-    if (!archHdr) return nil;
-    struct fat_arch *fat_arch = (struct fat_arch *)[archHdr bytes];
+      // Get bytes for first mach_header
+      NSData *machHdr = [self safeSubdataWithRange:NSMakeRange(NSSwapBigIntToHost(fat_arch->offset),
+                                                               sizeof(struct mach_header))];
+      if (!machHdr || ![self isMachHeader:(struct mach_header *)machHdr.bytes]) return NULL;
 
-    // Get bytes for first mach_header
-    NSData *machHdr = [self safeSubdataWithRange:NSMakeRange(NSSwapBigIntToHost(fat_arch->offset),
-                                                             sizeof(struct mach_header))];
-    if (!machHdr) return nil;
-    mach_header = (struct mach_header *)[machHdr bytes];
+      self.firstMachHeaderData = [machHdr copy];
+    } else if ([self isMachHeader:(struct mach_header *)[self.fileData bytes]]) {
+      NSData *machHdr = [self safeSubdataWithRange:NSMakeRange(0, sizeof(struct mach_header))];
+      if (!machHdr) return NULL;
+      self.firstMachHeaderData = [machHdr copy];
+    }
   }
-
-  if ([self isMachHeader:mach_header]) {
-    return mach_header;
-  }
-
-  return NULL;
+  return (self.firstMachHeaderData == (NSData *)[NSNull null] ?
+          NULL :
+          (struct mach_header *)self.firstMachHeaderData.bytes);
 }
 
 - (BOOL)isMachHeader:(struct mach_header *)header {
@@ -333,7 +330,7 @@
   @try {
     return [self.fileData subdataWithRange:range];
   }
-  @catch (NSException *exception) {
+  @catch (NSException *e) {
     return nil;
   }
 }
@@ -354,4 +351,32 @@
   return nil;
 }
 
+- (NSString *)resolvePath:(NSString *)path {
+  // Convert to absolute, standardized path
+  path = [path stringByResolvingSymlinksInPath];
+  if (![path isAbsolutePath]) {
+    NSString *cwd = [[NSFileManager defaultManager] currentDirectoryPath];
+    path = [cwd stringByAppendingPathComponent:path];
+  }
+  path = [path stringByStandardizingPath];
+
+  // Determine if file exists.
+  // If path is actually a directory, check to see if it's a bundle and has a CFBundleExecutable.
+  BOOL directory;
+  if (![[NSFileManager defaultManager] fileExistsAtPath:path isDirectory:&directory]) {
+    return nil;
+  } else if (directory) {
+    NSString *infoPath = [path stringByAppendingPathComponent:@"Contents/Info.plist"];
+    NSDictionary *d = [NSDictionary dictionaryWithContentsOfFile:infoPath];
+    if (d && d[@"CFBundleExecutable"]) {
+      path = [path stringByAppendingPathComponent:@"Contents/MacOS"];
+      return [path stringByAppendingPathComponent:d[@"CFBundleExecutable"]];
+    } else {
+      return nil;
+    }
+  } else {
+    return path;
+  }
+}
+
 @end

Source/common/SNTFileWatcher.h

@@ -0,0 +1,34 @@
+/// Copyright 2015 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+///
+///  Simple file watching class using dispatch sources. Will automatically
+///  reload the watch if the file is deleted. Will continue watching for
+///  events until deallocated.
+///
+@interface SNTFileWatcher : NSObject
+
+///
+///  Designated initializer
+///  Initializes the watcher and begins watching for modifications.
+///
+///  @param filePath the file to watch.
+///  @param handler the handler to call when changes happen.
+///
+///  @note Shortly after the file has been opened and monitoring has begun, the provided handler
+///  will be called.
+///
+- (instancetype)initWithFilePath:(NSString *)filePath handler:(void (^)(void))handler;
+
+@end

Source/common/SNTFileWatcher.m

@@ -0,0 +1,101 @@
+/// Copyright 2015 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTFileWatcher.h"
+
+@interface SNTFileWatcher ()
+@property NSString *filePath;
+@property dispatch_source_t monitoringSource;
+
+@property(strong) void (^eventHandler)(void);
+@property(strong) void (^internalEventHandler)(void);
+@property(strong) void (^internalCancelHandler)(void);
+@end
+
+@implementation SNTFileWatcher
+
+- (instancetype)init {
+  [self doesNotRecognizeSelector:_cmd];
+  return nil;
+}
+
+- (instancetype)initWithFilePath:(NSString *)filePath handler:(void (^)(void))handler {
+  self = [super init];
+  if (self) {
+    _filePath = filePath;
+    _eventHandler = handler;
+
+    if (!_filePath || !_eventHandler) return nil;
+
+    [self beginWatchingFile];
+  }
+  return self;
+}
+
+- (void)dealloc {
+  [self stopWatchingFile];
+}
+
+- (void)beginWatchingFile {
+  __weak __typeof(self) weakSelf = self;
+  int mask = (DISPATCH_VNODE_DELETE | DISPATCH_VNODE_WRITE |
+              DISPATCH_VNODE_EXTEND | DISPATCH_VNODE_RENAME);
+  dispatch_queue_t queue = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0);
+
+  self.internalEventHandler = ^{
+      unsigned long l = dispatch_source_get_data(weakSelf.monitoringSource);
+      if (l & DISPATCH_VNODE_DELETE || l & DISPATCH_VNODE_RENAME) {
+        if (weakSelf.monitoringSource) dispatch_source_cancel(weakSelf.monitoringSource);
+      } else {
+        weakSelf.eventHandler();
+      }
+  };
+
+  self.internalCancelHandler = ^{
+      int fd;
+
+      if (weakSelf.monitoringSource) {
+        fd = (int)dispatch_source_get_handle(weakSelf.monitoringSource);
+        close(fd);
+      }
+
+      const char *filePathCString = [weakSelf.filePath fileSystemRepresentation];
+      while ((fd = open(filePathCString, O_EVTONLY)) < 0) {
+        usleep(1000);
+      }
+
+      weakSelf.monitoringSource =
+          dispatch_source_create(DISPATCH_SOURCE_TYPE_VNODE, fd, mask, queue);
+      dispatch_source_set_event_handler(weakSelf.monitoringSource, weakSelf.internalEventHandler);
+      dispatch_source_set_cancel_handler(weakSelf.monitoringSource, weakSelf.internalCancelHandler);
+      dispatch_resume(weakSelf.monitoringSource);
+
+      weakSelf.eventHandler();
+  };
+
+  dispatch_async(queue, self.internalCancelHandler);
+}
+
+- (void)stopWatchingFile {
+  if (!self.monitoringSource) return;
+
+  int fd = (int)dispatch_source_get_handle(self.monitoringSource);
+  dispatch_source_set_event_handler_f(self.monitoringSource, NULL);
+  dispatch_source_set_cancel_handler(self.monitoringSource, ^{ close(fd); });
+
+  dispatch_source_cancel(self.monitoringSource);
+  self.monitoringSource = nil;
+}
+
+@end

Source/common/SNTKernelCommon.h

@@ -16,11 +16,12 @@
 /// Common defines between kernel <-> userspace
 ///
 
+#include <sys/param.h>
+
 #ifndef SANTA__COMMON__KERNELCOMMON_H
 #define SANTA__COMMON__KERNELCOMMON_H
 
 // Defines the lengths of paths and Vnode IDs passed around.
-#define MAX_PATH_LEN 1024    // ==PATH_LEN from syslimits.h
 #define MAX_VNODE_ID_STR 21  // digits in UINT64_MAX + 1 for NULL-terminator
 
 // Defines the name of the userclient class and the driver bundle ID.
@@ -50,15 +51,20 @@ typedef enum {
   ACTION_RESPOND_CHECKBW_ALLOW = 11,
   ACTION_RESPOND_CHECKBW_DENY = 12,
 
+  // NOTIFY
+  ACTION_NOTIFY_EXEC_ALLOW_NODAEMON = 30,
+  ACTION_NOTIFY_EXEC_ALLOW_CACHED = 31,
+  ACTION_NOTIFY_EXEC_DENY_CACHED = 32,
+
   // SHUTDOWN
-  ACTION_REQUEST_SHUTDOWN = 60,
+  ACTION_REQUEST_SHUTDOWN = 90,
 
   // ERROR
   ACTION_ERROR = 99,
 } santa_action_t;
 
-#define CHECKBW_RESPONSE_VALID(x) (x == ACTION_RESPOND_CHECKBW_ALLOW || \
-  x == ACTION_RESPOND_CHECKBW_DENY)
+#define CHECKBW_RESPONSE_VALID(x) \
+  (x == ACTION_RESPOND_CHECKBW_ALLOW || x == ACTION_RESPOND_CHECKBW_DENY)
 
 // Message struct that is sent down the IODataQueue.
 typedef struct {
@@ -67,7 +73,7 @@ typedef struct {
   uid_t userId;
   pid_t pid;
   pid_t ppid;
-  char path[MAX_PATH_LEN];
+  char path[MAXPATHLEN];
 } santa_message_t;
 
 #endif  // SANTA__COMMON__KERNELCOMMON_H

Source/common/SNTLogging.h

@@ -39,19 +39,20 @@
 
 ///
 ///  Logging function.
-///
 ///  @param level one of the levels defined above
-///  @param destination a FILE, generally should be stdout or stderr
+///  @param destination a FILE, generally stdout/stderr. If the file is closed, the log
+///      will instead be sent to syslog.
 ///  @param format the printf style format string
 ///  @param ... the arguments to format.
 ///
-void logMessage(int level, FILE *destination, NSString *format, ...);
+void logMessage(int level, FILE *destination, NSString *format, ...)
+    __attribute__((format(__NSString__, 3, 4)));
 
 /// Simple logging macros
-#define LOGD(logFormat, ...) logMessage(LOG_LEVEL_DEBUG, stdout, logFormat, ##__VA_ARGS__);
-#define LOGI(logFormat, ...) logMessage(LOG_LEVEL_INFO, stdout, logFormat, ##__VA_ARGS__);
-#define LOGW(logFormat, ...) logMessage(LOG_LEVEL_WARN, stderr, logFormat, ##__VA_ARGS__);
-#define LOGE(logFormat, ...) logMessage(LOG_LEVEL_ERROR, stderr, logFormat, ##__VA_ARGS__);
+#define LOGD(logFormat, ...) logMessage(LOG_LEVEL_DEBUG, stdout, logFormat, ##__VA_ARGS__)
+#define LOGI(logFormat, ...) logMessage(LOG_LEVEL_INFO, stdout, logFormat, ##__VA_ARGS__)
+#define LOGW(logFormat, ...) logMessage(LOG_LEVEL_WARN, stderr, logFormat, ##__VA_ARGS__)
+#define LOGE(logFormat, ...) logMessage(LOG_LEVEL_ERROR, stderr, logFormat, ##__VA_ARGS__)
 
 #endif  // KERNEL
 

Source/common/SNTLogging.m

@@ -14,22 +14,19 @@
 
 #import "SNTLogging.h"
 
+#import <sys/syslog.h>
+
 #ifdef DEBUG
-static int logLevel = LOG_LEVEL_DEBUG;  // default to info
+static int logLevel = LOG_LEVEL_DEBUG;
 #else
-static int logLevel = LOG_LEVEL_INFO;
+static int logLevel = LOG_LEVEL_INFO;  // default to info
 #endif
 
 void logMessage(int level, FILE *destination, NSString *format, ...) {
-  static NSDateFormatter *dateFormatter;
   static NSString *binaryName;
   static dispatch_once_t pred;
 
   dispatch_once(&pred, ^{
-      dateFormatter = [[NSDateFormatter alloc] init];
-      [dateFormatter setTimeZone:[NSTimeZone timeZoneWithName:@"UTC"]];
-      [dateFormatter setDateFormat:@"YYYY-MM-dd HH:mm:ss.SSS'Z"];
-
       binaryName = [[NSProcessInfo processInfo] processName];
 
       // If debug logging is enabled, the process must be restarted.
@@ -50,14 +47,20 @@ void logMessage(int level, FILE *destination, NSString *format, ...) {
     fprintf(destination, "%s\n", [s UTF8String]);
   } else {
     NSString *levelName;
+    int syslogLevel = LOG_DEBUG;
     switch (level) {
-      case LOG_LEVEL_ERROR: levelName = @"E"; break;
-      case LOG_LEVEL_WARN: levelName = @"W"; break;
-      case LOG_LEVEL_INFO: levelName = @"I"; break;
-      case LOG_LEVEL_DEBUG: levelName = @"D"; break;
+      case LOG_LEVEL_ERROR: levelName = @"E"; syslogLevel = LOG_ERR; break;
+      case LOG_LEVEL_WARN: levelName = @"W"; syslogLevel = LOG_WARNING; break;
+      case LOG_LEVEL_INFO: levelName = @"I"; syslogLevel = LOG_INFO; break;
+      case LOG_LEVEL_DEBUG: levelName = @"D"; syslogLevel = LOG_DEBUG; break;
     }
 
-    fprintf(destination, "%s\n", [[NSString stringWithFormat:@"[%@] %@ %@: %@",
-               [dateFormatter stringFromDate:[NSDate date]], levelName, binaryName, s] UTF8String]);
+    if (fileno(destination) == -1) {
+      syslog(syslogLevel, "%s\n",
+             [[NSString stringWithFormat:@"%@ %@: %@", levelName, binaryName, s] UTF8String]);
+    } else {
+      fprintf(destination, "%s\n",
+              [[NSString stringWithFormat:@"%@ %@: %@", levelName, binaryName, s] UTF8String]);
+    }
   }
 }

Source/common/SNTRule.h

@@ -22,7 +22,7 @@
 ///
 ///  The hash of the object this rule is for
 ///
-@property NSString *shasum;
+@property(copy) NSString *shasum;
 
 ///
 ///  The state of this rule
@@ -37,7 +37,7 @@
 ///
 ///  A custom message that will be displayed if this rule blocks a binary from executing
 ///
-@property NSString *customMsg;
+@property(copy) NSString *customMsg;
 
 ///
 ///  Designated initializer.

Source/common/SNTRule.m

@@ -22,7 +22,7 @@
                      customMsg:(NSString *)customMsg {
   self = [super init];
   if (self) {
-    _shasum  = shasum;
+    _shasum = shasum;
     _state = state;
     _type = type;
     _customMsg = customMsg;
@@ -34,11 +34,10 @@
 
 #define ENCODE(obj, key) if (obj) [coder encodeObject:obj forKey:key]
 #define DECODE(cls, key) [decoder decodeObjectOfClass:[cls class] forKey:key]
-#define DECODEARRAY(cls, key) \
-    [decoder decodeObjectOfClasses:[NSSet setWithObjects:[NSArray class], [cls class], nil] \
-                            forKey:key]
 
-+ (BOOL)supportsSecureCoding { return YES; }
++ (BOOL)supportsSecureCoding {
+  return YES;
+}
 
 - (void)encodeWithCoder:(NSCoder *)coder {
   ENCODE(self.shasum, @"shasum");
@@ -58,4 +57,7 @@
   return self;
 }
 
+#undef DECODE
+#undef ENCODE
+
 @end

Source/common/SNTStoredEvent.h

@@ -95,4 +95,9 @@
 ///
 @property NSNumber *ppid;
 
+///
+///  The name of the parent process.
+///
+@property NSString *parentName;
+
 @end

Source/common/SNTStoredEvent.m

@@ -24,7 +24,9 @@
     [decoder decodeObjectOfClasses:[NSSet setWithObjects:[NSArray class], [cls class], nil] \
                                                   forKey:key]
 
-+ (BOOL)supportsSecureCoding {  return YES; }
++ (BOOL)supportsSecureCoding {
+  return YES;
+}
 
 - (void)encodeWithCoder:(NSCoder *)coder {
   ENCODE(self.idx, @"idx");
@@ -43,6 +45,7 @@
   ENCODE(@(self.decision), @"decision");
   ENCODE(self.pid, @"pid");
   ENCODE(self.ppid, @"ppid");
+  ENCODE(self.parentName, @"parentName");
 
   ENCODE(self.loggedInUsers, @"loggedInUsers");
   ENCODE(self.currentSessions, @"currentSessions");
@@ -64,9 +67,10 @@
 
     _executingUser = DECODE(NSString, @"executingUser");
     _occurrenceDate = DECODE(NSDate, @"occurrenceDate");
-    _decision = [DECODE(NSNumber, @"decision") intValue];
+    _decision = (santa_eventstate_t)[DECODE(NSNumber, @"decision") intValue];
     _pid = DECODE(NSNumber, @"pid");
     _ppid = DECODE(NSNumber, @"ppid");
+    _parentName = DECODE(NSString, @"parentName");
 
     _loggedInUsers = DECODEARRAY(NSString, @"loggedInUsers");
     _currentSessions = DECODEARRAY(NSString, @"currentSessions");
@@ -74,11 +78,11 @@
   return self;
 }
 
-- (BOOL)isEqual:(SNTStoredEvent *)other {
+- (BOOL)isEqual:(id)other {
   if (other == self) return YES;
   if (![other isKindOfClass:[SNTStoredEvent class]]) return NO;
-  return ([self.fileSHA256 isEqual:other.fileSHA256] &&
-          [self.idx isEqual:other.idx]);
+  SNTStoredEvent *o;
+  return ([self.fileSHA256 isEqual:o.fileSHA256] && [self.idx isEqual:o.idx]);
 }
 
 - (NSUInteger)hash {
@@ -91,8 +95,8 @@
 }
 
 - (NSString *)description {
-  return [NSString stringWithFormat:@"SNTStoredEvent[%@] with SHA-256: %@",
-          self.idx, self.fileSHA256];
+  return
+      [NSString stringWithFormat:@"SNTStoredEvent[%@] with SHA-256: %@", self.idx, self.fileSHA256];
 }
 
 @end

Source/common/SNTSystemInfo.m

@@ -21,11 +21,8 @@
       kIOMasterPortDefault, IOServiceMatching("IOPlatformExpertDevice"));
   if (!platformExpert) return nil;
 
-  NSString *serial = CFBridgingRelease(
-      IORegistryEntryCreateCFProperty(platformExpert,
-                                      CFSTR(kIOPlatformSerialNumberKey),
-                                      kCFAllocatorDefault,
-                                      0));
+  NSString *serial = CFBridgingRelease(IORegistryEntryCreateCFProperty(
+      platformExpert, CFSTR(kIOPlatformSerialNumberKey), kCFAllocatorDefault, 0));
 
   IOObjectRelease(platformExpert);
 
@@ -37,10 +34,8 @@
       kIOMasterPortDefault, IOServiceMatching("IOPlatformExpertDevice"));
   if (!platformExpert) return nil;
 
-  NSString *uuid = CFBridgingRelease(
-      IORegistryEntryCreateCFProperty(platformExpert,
-                                      CFSTR(kIOPlatformUUIDKey),
-                                      kCFAllocatorDefault, 0));
+  NSString *uuid = CFBridgingRelease(IORegistryEntryCreateCFProperty(
+      platformExpert, CFSTR(kIOPlatformUUIDKey), kCFAllocatorDefault, 0));
 
   IOObjectRelease(platformExpert);
 
@@ -65,11 +60,11 @@
   return @(hostname);
 }
 
-# pragma mark - Internal
+#pragma mark - Internal
 
 + (NSDictionary *)_systemVersionDictionary {
-  return [NSDictionary dictionaryWithContentsOfFile:
-      @"/System/Library/CoreServices/SystemVersion.plist"];
+  return [NSDictionary
+      dictionaryWithContentsOfFile:@"/System/Library/CoreServices/SystemVersion.plist"];
 }
 
 @end

Source/common/SNTXPCConnection.h

@@ -63,7 +63,7 @@ typedef void (^SNTXPCRejectedBlock)(void);
 ///  @warning Do not send a message to this object if you didn't set @c remoteInterface above
 ///  before calling the @c resume method. Doing so will throw an exception.
 ///
-@property(readonly) id remoteObjectProxy;
+@property(readonly, nonatomic) id remoteObjectProxy;
 
 ///
 ///  The interface this object exports.

Source/common/SNTXPCConnection.m

@@ -59,8 +59,7 @@
   if (self) {
     Protocol *validatorProtocol = @protocol(XPCConnectionValidityRequest);
     _validatorInterface = [NSXPCInterface interfaceWithProtocol:validatorProtocol];
-    _currentConnection = [[NSXPCConnection alloc] initWithMachServiceName:name
-                                                                  options:options];
+    _currentConnection = [[NSXPCConnection alloc] initWithMachServiceName:name options:options];
 
     if (!_validatorInterface || !_currentConnection) return nil;
   }
@@ -75,24 +74,22 @@
 #pragma mark Connection set-up
 
 - (void)resume {
-  if (_listenerObject) {
+  if (self.listenerObject) {
     // A new listener doesn't do anything until a client connects.
     self.listenerObject.delegate = self;
     [self.listenerObject resume];
   } else {
     // A new client begins the validation process.
-    NSXPCConnection *connection = _currentConnection;
+    NSXPCConnection *connection = self.currentConnection;
 
-    connection.remoteObjectInterface = _validatorInterface;
+    connection.remoteObjectInterface = self.validatorInterface;
 
     connection.invalidationHandler = ^{
         [self invokeInvalidationHandler];
         self.currentConnection = nil;
     };
 
-    connection.interruptionHandler = ^{
-        [self.currentConnection invalidate];
-    };
+    connection.interruptionHandler = ^{ [self.currentConnection invalidate]; };
 
     [connection resume];
 
@@ -133,7 +130,7 @@
   if (self.currentConnection) return NO;
 
   connection.exportedObject = self;
-  connection.exportedInterface = _validatorInterface;
+  connection.exportedInterface = self.validatorInterface;
 
   connection.invalidationHandler = ^{
       [self invokeInvalidationHandler];

Source/common/SNTXPCControlInterface.h

@@ -25,26 +25,28 @@
 ///
 ///  Kernel ops
 ///
-- (void)cacheCount:(void (^)(uint64_t))reply;
+- (void)cacheCount:(void (^)(int64_t))reply;
 - (void)flushCache:(void (^)(BOOL))reply;
 
 ///
 ///  Database ops
 ///
-- (void)databaseRuleCounts:(void (^)(uint64_t binary, uint64_t certificate))reply;
-- (void)databaseRuleAddRule:(SNTRule *)rule withReply:(void (^)())reply;
-- (void)databaseRuleAddRules:(NSArray *)rules withReply:(void (^)())reply;
+- (void)databaseRuleCounts:(void (^)(int64_t binary, int64_t certificate))reply;
+- (void)databaseRuleAddRule:(SNTRule *)rule cleanSlate:(BOOL)cleanSlate reply:(void (^)())reply;
+- (void)databaseRuleAddRules:(NSArray *)rules cleanSlate:(BOOL)cleanSlate reply:(void (^)())reply;
 
-- (void)databaseEventCount:(void (^)(uint64_t count))reply;
-- (void)databaseEventForSHA256:(NSString *)sha256 withReply:(void (^)(SNTStoredEvent *))reply;
+- (void)databaseEventCount:(void (^)(int64_t count))reply;
+- (void)databaseEventForSHA256:(NSString *)sha256 reply:(void (^)(SNTStoredEvent *))reply;
 - (void)databaseEventsPending:(void (^)(NSArray *events))reply;
 - (void)databaseRemoveEventsWithIDs:(NSArray *)ids;
 
 ///
-///  Misc ops
+///  Config ops
 ///
 - (void)clientMode:(void (^)(santa_clientmode_t))reply;
-- (void)setClientMode:(santa_clientmode_t)mode withReply:(void (^)())reply;
+- (void)setClientMode:(santa_clientmode_t)mode reply:(void (^)())reply;
+- (void)setNextSyncInterval:(uint64_t)seconds reply:(void (^)())reply;
+- (void)setWhitelistPathRegex:(NSString *)pattern reply:(void (^)())reply;
 
 @end
 

Source/common/SNTXPCControlInterface.m

@@ -32,7 +32,7 @@
             ofReply:YES];
 
   [r setClasses:[NSSet setWithObjects:[NSArray class], [SNTRule class], nil]
-        forSelector:@selector(databaseRuleAddRules:withReply:)
+        forSelector:@selector(databaseRuleAddRules:cleanSlate:reply:)
       argumentIndex:0
             ofReply:NO];
 

Source/santa-driver/SantaDecisionManager.cc

@@ -20,27 +20,34 @@ OSDefineMetaClassAndStructors(SantaDecisionManager, OSObject);
 #pragma mark Object Lifecycle
 
 bool SantaDecisionManager::init() {
+  if (!super::init()) return false;
+
   sdm_lock_grp_ = lck_grp_alloc_init("santa-locks", lck_grp_attr_alloc_init());
   dataqueue_lock_ = lck_mtx_alloc_init(sdm_lock_grp_, lck_attr_alloc_init());
-  cached_decisions_lock_ = lck_rw_alloc_init(sdm_lock_grp_, lck_attr_alloc_init());
+  cached_decisions_lock_ = lck_rw_alloc_init(sdm_lock_grp_,
+                                             lck_attr_alloc_init());
 
   cached_decisions_ = OSDictionary::withCapacity(1000);
 
-  return kIOReturnSuccess;
+  dataqueue_ = IOSharedDataQueue::withEntries(kMaxQueueEvents,
+                                              sizeof(santa_message_t));
+  if (!dataqueue_) return kIOReturnNoMemory;
+
+  client_pid_ = 0;
+
+  return true;
 }
 
 void SantaDecisionManager::free() {
-  if (cached_decisions_) {
-    cached_decisions_->release();
-    cached_decisions_ = NULL;
-  }
+  OSSafeReleaseNULL(dataqueue_);
+  OSSafeReleaseNULL(cached_decisions_);
 
   if (cached_decisions_lock_) {
     lck_rw_free(cached_decisions_lock_, sdm_lock_grp_);
     cached_decisions_lock_ = NULL;
   }
 
-  if (dataqueue_lock_ ) {
+  if (dataqueue_lock_) {
     lck_mtx_free(dataqueue_lock_, sdm_lock_grp_);
     dataqueue_lock_ = NULL;
   }
@@ -55,51 +62,53 @@ void SantaDecisionManager::free() {
 
 #pragma mark Client Management
 
-void SantaDecisionManager::ConnectClient(IOSharedDataQueue *queue, pid_t pid) {
+void SantaDecisionManager::ConnectClient(mach_port_t port, pid_t pid) {
   if (!pid) return;
-  if (!queue) return;
 
   // Any decisions made while the daemon wasn't
   // connected should be cleared
   ClearCache();
 
   lck_mtx_lock(dataqueue_lock_);
-  dataqueue_ = queue;
-  dataqueue_->retain();
+  dataqueue_->setNotificationPort(port);
   lck_mtx_unlock(dataqueue_lock_);
 
-  owning_pid_ = pid;
-  owning_proc_ = proc_find(pid);
+  client_pid_ = pid;
+
+  failed_queue_requests_ = 0;
 }
 
-void SantaDecisionManager::DisconnectClient() {
-  if (owning_pid_ < 1) return;
+void SantaDecisionManager::DisconnectClient(bool itDied) {
+  if (client_pid_ < 1) return;
 
-  owning_pid_ = -1;
+  client_pid_ = -1;
 
   // Ask santad to shutdown, in case it's running.
-  santa_message_t message;
-  message.action = ACTION_REQUEST_SHUTDOWN;
-  message.userId = 0;
-  message.pid = 0;
-  message.ppid = 0;
-  message.vnode_id = 0;
-  PostToQueue(message);
+  if (!itDied) {
+    santa_message_t message = {.action = ACTION_REQUEST_SHUTDOWN};
+    PostToQueue(message);
+    dataqueue_->setNotificationPort(NULL);
+  } else {
+    // If the client died, reset the data queue so when it reconnects
+    // it doesn't get swamped straight away.
+    lck_mtx_lock(dataqueue_lock_);
+    dataqueue_->release();
+    dataqueue_ = IOSharedDataQueue::withEntries(kMaxQueueEvents,
+                                                sizeof(santa_message_t));
+    lck_mtx_unlock(dataqueue_lock_);
+  }
 
-  lck_mtx_lock(dataqueue_lock_);
-  dataqueue_->release();
-  dataqueue_ = NULL;
-  lck_mtx_unlock(dataqueue_lock_);
-
-  proc_rele(owning_proc_);
-  owning_proc_ = NULL;
 }
 
 bool SantaDecisionManager::ClientConnected() {
-  return owning_pid_ > 0;
+  return client_pid_ > 0;
 }
 
-# pragma mark Listener Control
+IOMemoryDescriptor *SantaDecisionManager::GetMemoryDescriptor() {
+  return dataqueue_->getMemoryDescriptor();
+}
+
+#pragma mark Listener Control
 
 kern_return_t SantaDecisionManager::StartListener() {
   vnode_listener_ = kauth_listen_scope(KAUTH_SCOPE_VNODE,
@@ -107,7 +116,12 @@ kern_return_t SantaDecisionManager::StartListener() {
                                        reinterpret_cast<void *>(this));
   if (!vnode_listener_) return kIOReturnInternalError;
 
-  LOGD("Vnode listener started.");
+  fileop_listener_ = kauth_listen_scope(KAUTH_SCOPE_FILEOP,
+                                        fileop_scope_callback,
+                                        reinterpret_cast<void *>(this));
+  if (!fileop_listener_) return kIOReturnInternalError;
+
+  LOGD("Listeners started.");
 
   return kIOReturnSuccess;
 }
@@ -116,6 +130,9 @@ kern_return_t SantaDecisionManager::StopListener() {
   kauth_unlisten_scope(vnode_listener_);
   vnode_listener_ = NULL;
 
+  kauth_unlisten_scope(fileop_listener_);
+  fileop_listener_ = NULL;
+
   // Wait for any active invocations to finish before returning
   do {
     IOSleep(5);
@@ -124,7 +141,7 @@ kern_return_t SantaDecisionManager::StopListener() {
   // Delete any cached decisions
   ClearCache();
 
-  LOGD("Vnode listener stopped.");
+  LOGD("Listeners stopped.");
 
   return kIOReturnSuccess;
 }
@@ -151,8 +168,8 @@ void SantaDecisionManager::AddToCache(
     cached_decisions_->setObject(identifier, pending);
     pending->release();  // it was retained when added to the dictionary
   } else {
-    SantaMessage *pending = OSDynamicCast(
-        SantaMessage, cached_decisions_->getObject(identifier));
+    SantaMessage *pending =
+        OSDynamicCast(SantaMessage, cached_decisions_->getObject(identifier));
     if (pending) {
       pending->setAction(decision, microsecs);
     }
@@ -165,7 +182,12 @@ void SantaDecisionManager::CacheCheck(const char *identifier) {
   lck_rw_lock_shared(cached_decisions_lock_);
   bool shouldInvalidate = (cached_decisions_->getObject(identifier) != NULL);
   if (shouldInvalidate) {
-    lck_rw_lock_shared_to_exclusive(cached_decisions_lock_);
+    if (!lck_rw_lock_shared_to_exclusive(cached_decisions_lock_)) {
+      // shared_to_exclusive will return false if a previous reader upgraded
+      // and if that happens the lock will have been unlocked. If that happens,
+      // which is rare, relock exclusively.
+      lck_rw_lock_exclusive(cached_decisions_lock_);
+    }
     cached_decisions_->removeObject(identifier);
     lck_rw_unlock_exclusive(cached_decisions_lock_);
   } else {
@@ -183,13 +205,15 @@ void SantaDecisionManager::ClearCache() {
   lck_rw_unlock_exclusive(cached_decisions_lock_);
 }
 
+#pragma mark Decision Fetching
+
 santa_action_t SantaDecisionManager::GetFromCache(const char *identifier) {
   santa_action_t result = ACTION_UNSET;
   uint64_t decision_time = 0;
 
   lck_rw_lock_shared(cached_decisions_lock_);
-  SantaMessage *cached_decision = OSDynamicCast(
-      SantaMessage, cached_decisions_->getObject(identifier));
+  SantaMessage *cached_decision =
+      OSDynamicCast(SantaMessage, cached_decisions_->getObject(identifier));
   if (cached_decision) {
     result = cached_decision->getAction();
     decision_time = cached_decision->getMicrosecs();
@@ -224,100 +248,100 @@ santa_action_t SantaDecisionManager::GetFromCache(const char *identifier) {
   return result;
 }
 
-# pragma mark Queue Management
-
-bool SantaDecisionManager::PostToQueue(santa_message_t message) {
-  lck_mtx_lock(dataqueue_lock_);
-  bool kr = false;
-  if (dataqueue_) {
-    kr = dataqueue_->enqueue(&message, sizeof(message));
-  }
-  lck_mtx_unlock(dataqueue_lock_);
-  return kr;
-}
-
-santa_action_t SantaDecisionManager::FetchDecision(
-    const kauth_cred_t credential,
-    const vfs_context_t vfs_context,
-    const vnode_t vnode) {
+santa_action_t SantaDecisionManager::GetFromDaemon(
+    const santa_message_t message, const char *vnode_id_str) {
   santa_action_t return_action = ACTION_UNSET;
 
-  // Fetch Vnode ID & string
-  uint64_t vnode_id = GetVnodeIDForVnode(vfs_context, vnode);
-  char vnode_id_str[MAX_VNODE_ID_STR];
-  snprintf(vnode_id_str, MAX_VNODE_ID_STR, "%llu", vnode_id);
-
-  // Check to see if item is in cache
-  return_action = GetFromCache(vnode_id_str);
-
-  // If item wasn't in cache, fetch decision from daemon.
-  if (!CHECKBW_RESPONSE_VALID(return_action)) {
-    // Add pending request to cache
-    AddToCache(vnode_id_str, ACTION_REQUEST_CHECKBW, 0);
-
-    // Get path
-    char path[MAX_PATH_LEN];
-    int name_len = MAX_PATH_LEN;
-    if (vn_getpath(vnode, path, &name_len) != 0) {
-      path[0] = '\0';
-    }
-
-    if (!ClientConnected()) {
-      LOGI("Execution request without daemon running: %s", path);
-      AddToCache(vnode_id_str,
-                 ACTION_RESPOND_CHECKBW_ALLOW,
-                 GetCurrentUptime());
-      return ACTION_RESPOND_CHECKBW_ALLOW;
-    }
-
-    // Prepare to send message to daemon
-    santa_message_t message;
-    strncpy(message.path, path, MAX_PATH_LEN);
-    message.userId = kauth_cred_getuid(credential);
-    message.pid = proc_selfpid();
-    message.ppid = proc_selfppid();
-    message.action = ACTION_REQUEST_CHECKBW;
-    message.vnode_id = vnode_id;
-
-    // Wait for the daemon to respond or die.
-    do {
-      // Send request to daemon...
-      if (!PostToQueue(message)) {
-        LOGE("Failed to queue request for %s.", path);
-        CacheCheck(vnode_id_str);
-        return ACTION_ERROR;
+  // Wait for the daemon to respond or die.
+  do {
+    // Send request to daemon...
+    if (!PostToQueue(message)) {
+      OSIncrementAtomic(&failed_queue_requests_);
+      if (failed_queue_requests_ > kMaxQueueFailures) {
+        LOGE("Failed to queue more than %d requests, killing daemon",
+             kMaxQueueFailures);
+        proc_signal(client_pid_, SIGKILL);
       }
-
-      // ... and wait for it to respond. If after kRequestLoopSleepMilliseconds
-      // * kMaxRequestLoops it still hasn't responded, send request again.
-      for (int i = 0; i < kMaxRequestLoops; ++i) {
-        IOSleep(kRequestLoopSleepMilliseconds);
-        return_action = GetFromCache(vnode_id_str);
-        if (CHECKBW_RESPONSE_VALID(return_action)) break;
-      }
-    } while (!CHECKBW_RESPONSE_VALID(return_action) &&
-             proc_exiting(owning_proc_) == 0);
-
-    // If response is still not valid, the daemon exited
-    if (!CHECKBW_RESPONSE_VALID(return_action)) {
-      LOGE("Daemon process did not respond correctly. Allowing executions "
-           "until it comes back.");
+      LOGE("Failed to queue request for %s.", message.path);
       CacheCheck(vnode_id_str);
       return ACTION_ERROR;
     }
+
+    do {
+      IOSleep(kRequestLoopSleepMilliseconds);
+      return_action = GetFromCache(vnode_id_str);
+    } while (return_action == ACTION_REQUEST_CHECKBW && ClientConnected());
+  } while (!CHECKBW_RESPONSE_VALID(return_action) && ClientConnected());
+
+  // If response is still not valid, the daemon exited
+  if (!CHECKBW_RESPONSE_VALID(return_action)) {
+    LOGE("Daemon process did not respond correctly. Allowing executions "
+         "until it comes back.");
+    CacheCheck(vnode_id_str);
+    return ACTION_ERROR;
   }
 
   return return_action;
 }
 
-# pragma mark Misc
+santa_action_t SantaDecisionManager::FetchDecision(
+    const kauth_cred_t cred,
+    const vnode_t vp,
+    const uint64_t vnode_id,
+    const char *vnode_id_str) {
+  santa_action_t return_action = ACTION_UNSET;
 
-uint64_t SantaDecisionManager::GetVnodeIDForVnode(const vfs_context_t context,
-                                                  const vnode_t vp) {
+  // Check to see if item is in cache
+  return_action = GetFromCache(vnode_id_str);
+
+  // If item wasn in cache return it.
+  if CHECKBW_RESPONSE_VALID(return_action) return return_action;
+
+  // Add pending request to cache.
+  AddToCache(vnode_id_str, ACTION_REQUEST_CHECKBW, 0);
+
+  // Get path
+  char path[MAXPATHLEN];
+  int name_len = MAXPATHLEN;
+  if (vn_getpath(vp, path, &name_len) != 0) {
+    path[0] = '\0';
+  }
+
+  // Prepare message to send to daemon.
+  santa_message_t message = {};
+  strlcpy(message.path, path, sizeof(message.path));
+  message.userId = kauth_cred_getuid(cred);
+  message.pid = proc_selfpid();
+  message.ppid = proc_selfppid();
+  message.action = ACTION_REQUEST_CHECKBW;
+  message.vnode_id = vnode_id;
+
+  if (ClientConnected()) {
+    return GetFromDaemon(message, vnode_id_str);
+  } else {
+    LOGI("Execution request without daemon running: %s", path);
+    message.action = ACTION_NOTIFY_EXEC_ALLOW_NODAEMON;
+    PostToQueue(message);
+    return ACTION_RESPOND_CHECKBW_ALLOW;
+  }
+}
+
+#pragma mark Misc
+
+bool SantaDecisionManager::PostToQueue(santa_message_t message) {
+  bool kr = false;
+  lck_mtx_lock(dataqueue_lock_);
+  kr = dataqueue_->enqueue(&message, sizeof(message));
+  lck_mtx_unlock(dataqueue_lock_);
+  return kr;
+}
+
+uint64_t SantaDecisionManager::GetVnodeIDForVnode(
+    const vfs_context_t ctx, const vnode_t vp) {
   struct vnode_attr vap;
   VATTR_INIT(&vap);
   VATTR_WANTED(&vap, va_fileid);
-  vnode_getattr(vp, &vap, context);
+  vnode_getattr(vp, &vap, ctx);
   return vap.va_fileid;
 }
 
@@ -328,7 +352,7 @@ uint64_t SantaDecisionManager::GetCurrentUptime() {
   return (uint64_t)((sec * 1000000) + usec);
 }
 
-# pragma mark Invocation Tracking & PID comparison
+#pragma mark Invocation Tracking & PID comparison
 
 void SantaDecisionManager::IncrementListenerInvocations() {
   OSIncrementAtomic(&listener_invocations_);
@@ -338,81 +362,94 @@ void SantaDecisionManager::DecrementListenerInvocations() {
   OSDecrementAtomic(&listener_invocations_);
 }
 
+int SantaDecisionManager::VnodeCallback(const kauth_cred_t cred,
+                                        const vfs_context_t ctx,
+                                        const vnode_t vp,
+                                        int *errno) {
+  // Only operate on regular files (not directories, symlinks, etc.).
+  vtype vt = vnode_vtype(vp);
+  if (vt != VREG) return KAUTH_RESULT_DEFER;
+
+  // Get ID for the vnode and convert it to a string.
+  uint64_t vnode_id = GetVnodeIDForVnode(ctx, vp);
+  char vnode_str[MAX_VNODE_ID_STR];
+  snprintf(vnode_str, MAX_VNODE_ID_STR, "%llu", vnode_id);
+
+  // Fetch decision
+  santa_action_t returnedAction = FetchDecision(cred, vp, vnode_id, vnode_str);
+
+  // If file has dirty blocks, remove from cache and deny. This would usually
+  // be the case if a file has been written to and flushed but not yet
+  // closed.
+  if (vnode_hasdirtyblks(vp)) {
+    CacheCheck(vnode_str);
+    returnedAction = ACTION_RESPOND_CHECKBW_DENY;
+  }
+
+  switch (returnedAction) {
+    case ACTION_RESPOND_CHECKBW_ALLOW:
+      return KAUTH_RESULT_ALLOW;
+    case ACTION_RESPOND_CHECKBW_DENY:
+      *errno = EPERM;
+      return KAUTH_RESULT_DENY;
+    default:
+      // NOTE: Any unknown response or error condition causes us to fail open.
+      // Whilst from a security perspective this is bad, it's important that
+      // we don't break user's machines.
+      return KAUTH_RESULT_DEFER;
+  }
+}
+
+int SantaDecisionManager::FileOpCallback(const vnode_t vp) {
+  vfs_context_t context = vfs_context_create(NULL);
+  char vnode_id_str[MAX_VNODE_ID_STR];
+  snprintf(vnode_id_str, MAX_VNODE_ID_STR, "%llu",
+           GetVnodeIDForVnode(context, vp));
+  CacheCheck(vnode_id_str);
+  vfs_context_rele(context);
+  return KAUTH_RESULT_DEFER;
+}
+
 #undef super
 
-#pragma mark Kauth Callback
+#pragma mark Kauth Callbacks
+
+extern "C" int fileop_scope_callback(
+    kauth_cred_t credential, void *idata, kauth_action_t action,
+    uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3) {
+  if (action != KAUTH_FILEOP_CLOSE ||
+      !(arg2 & KAUTH_FILEOP_CLOSE_MODIFIED) ||
+      idata == NULL) {
+    return KAUTH_RESULT_DEFER;
+  }
+
+  SantaDecisionManager *sdm = OSDynamicCast(
+      SantaDecisionManager, reinterpret_cast<OSObject *>(idata));
+
+  sdm->IncrementListenerInvocations();
+  sdm->FileOpCallback(reinterpret_cast<vnode_t>(arg0));
+  sdm->DecrementListenerInvocations();
+
+  return KAUTH_RESULT_DEFER;
+}
 
 extern "C" int vnode_scope_callback(
     kauth_cred_t credential, void *idata, kauth_action_t action,
     uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3) {
-  // The default action is to defer
-  int returnResult = KAUTH_RESULT_DEFER;
-
-  // Cast arguments to correct types
-  if (idata == NULL) {
-    LOGE("Vnode callback established without valid decision manager.");
-    return returnResult;
-  }
-  SantaDecisionManager *sdm = OSDynamicCast(
-      SantaDecisionManager, reinterpret_cast<OSObject *>(idata));
-  vfs_context_t vfs_context = reinterpret_cast<vfs_context_t>(arg0);
-  vnode_t vnode = reinterpret_cast<vnode_t>(arg1);
-
-  // Only operate on regular files (not directories, symlinks, etc.)
-  vtype vt = vnode_vtype(vnode);
-  if (vt != VREG) return returnResult;
-
-  // Don't operate on ACCESS events, as they're advisory
-  if (action & KAUTH_VNODE_ACCESS) return returnResult;
-
-  // Filter for only writes
-  if (action & KAUTH_VNODE_WRITE_DATA ||
-      action & KAUTH_VNODE_APPEND_DATA ||
-      action & KAUTH_VNODE_DELETE) {
-    char vnode_id_str[MAX_VNODE_ID_STR];
-    snprintf(vnode_id_str, MAX_VNODE_ID_STR, "%llu",
-             sdm->GetVnodeIDForVnode(vfs_context, vnode));
-
-    // If an execution request is pending, deny write
-    if (sdm->GetFromCache(vnode_id_str) == ACTION_REQUEST_CHECKBW) {
-      LOGD("Denying write due to pending execution: %s", vnode_id_str);
-      *(reinterpret_cast<int *>(arg3)) = EACCES;
-      return KAUTH_RESULT_DENY;
-    }
-
-    // Otherwise remove from cache
-    sdm->CacheCheck(vnode_id_str);
-
-    return returnResult;
+  if (action & KAUTH_VNODE_ACCESS ||
+      !(action & KAUTH_VNODE_EXECUTE) ||
+      idata == NULL) {
+    return KAUTH_RESULT_DEFER;
   }
 
-  // Filter for only EXECUTE actions
-  if (action & KAUTH_VNODE_EXECUTE) {
-    sdm->IncrementListenerInvocations();
+  SantaDecisionManager *sdm =
+      OSDynamicCast(SantaDecisionManager, reinterpret_cast<OSObject *>(idata));
 
-    // Fetch decision
-    santa_action_t returnedAction = sdm->FetchDecision(
-        credential, vfs_context, vnode);
-
-    switch (returnedAction) {
-      case ACTION_RESPOND_CHECKBW_ALLOW:
-        returnResult = KAUTH_RESULT_ALLOW;
-        break;
-      case ACTION_RESPOND_CHECKBW_DENY:
-        *(reinterpret_cast<int *>(arg3)) = EACCES;
-        returnResult = KAUTH_RESULT_DENY;
-        break;
-      default:
-        // NOTE: Any unknown response or error condition causes us to fail open.
-        // Whilst from a security perspective this is bad, it's important that
-        // we don't break user's machines.
-        break;
-    }
-
-    sdm->DecrementListenerInvocations();
-
-    return returnResult;
-  }
-
-  return returnResult;
+  sdm->IncrementListenerInvocations();
+  int result = sdm->VnodeCallback(credential,
+                                  reinterpret_cast<vfs_context_t>(arg0),
+                                  reinterpret_cast<vnode_t>(arg1),
+                                  reinterpret_cast<int *>(arg3));
+  sdm->DecrementListenerInvocations();
+  return result;
 }

Source/santa-driver/SantaDecisionManager.h

@@ -15,7 +15,9 @@
 #ifndef SANTA__SANTA_DRIVER__SANTADECISIONMANAGER_H
 #define SANTA__SANTA_DRIVER__SANTADECISIONMANAGER_H
 
+#include <IOKit/IODataQueueShared.h>
 #include <IOKit/IOLib.h>
+#include <IOKit/IOMemoryDescriptor.h>
 #include <IOKit/IOSharedDataQueue.h>
 #include <libkern/c++/OSDictionary.h>
 #include <sys/kauth.h>
@@ -26,35 +28,6 @@
 #include "SNTKernelCommon.h"
 #include "SNTLogging.h"
 
-///
-///  The maximum number of milliseconds a cached deny message should be
-///  considered valid.
-///
-const uint64_t kMaxDenyCacheTimeMilliseconds = 500;
-
-///
-///  The maximum number of milliseconds a cached allow message should be
-///  considered valid.
-///
-const uint64_t kMaxAllowCacheTimeMilliseconds = 1000 * 60 * 60 * 24;
-
-///
-///  While waiting for a response from the daemon, this is the number of
-///  milliseconds to sleep for before checking the cache for a response.
-///
-const int kRequestLoopSleepMilliseconds = 10;
-
-///
-///  While waiting for a response from the daemon, this is the maximum number
-///  of loops to wait before sending the request again.
-///
-const int kMaxRequestLoops = 50;
-
-///
-///  Maximum number of entries in the in-kernel cache.
-///
-const int kMaxCacheSize = 10000;
-
 ///
 ///  SantaDecisionManager is responsible for intercepting Vnode execute actions
 ///  and responding to the request appropriately.
@@ -68,33 +41,37 @@ class SantaDecisionManager : public OSObject {
  public:
   ///  Used for initialization after instantiation. Required because
   ///  constructors cannot throw inside kernel-space.
-  bool init();
+  bool init() override;
 
   ///  Called automatically when retain count drops to 0.
-  void free();
+  void free() override;
+
+  ///  Called by SantaDriverClient during connection to provide the shared
+  ///  dataqueue memory to the client.
+  IOMemoryDescriptor *GetMemoryDescriptor();
 
   ///  Called by SantaDriverClient when a client connects, providing the data
   ///  queue used to pass messages and the pid of the client process.
-  void ConnectClient(IOSharedDataQueue *queue, pid_t pid);
+  void ConnectClient(mach_port_t port, pid_t pid);
 
   ///  Called by SantaDriverClient when a client disconnects
-  void DisconnectClient();
+  void DisconnectClient(bool itDied = false);
 
   ///  Returns whether a client is currently connected or not.
   bool ClientConnected();
 
-  ///  Starts the kauth listener.
+  ///  Starts the kauth listeners.
   kern_return_t StartListener();
 
-  ///  Stops the kauth listener. After stopping new callback requests,
+  ///  Stops the kauth listeners. After stopping new callback requests,
   ///  waits until all current invocations have finished before clearing the
   ///  cache and returning.
   kern_return_t StopListener();
-  
+
   ///  Adds a decision to the cache, with a timestamp.
   void AddToCache(const char *identifier,
                   const santa_action_t decision,
-                  const uint64_t microsecs);
+                  const uint64_t microsecs = GetCurrentUptime());
 
   ///  Checks to see if a given identifier is in the cache and removes it.
   void CacheCheck(const char *identifier);
@@ -105,35 +82,114 @@ class SantaDecisionManager : public OSObject {
   ///  Clears the cache.
   void ClearCache();
 
-  ///  Fetches a response from the cache, first checking to see if the
-  ///  entry has expired.
-  santa_action_t GetFromCache(const char *identifier);
-
-  ///  Posts the requested message to the client data queue, if there is one.
-  ///  Uses dataqueue_lock_ to ensure two threads don't try to write to the
-  ///  queue at the same time.
-  bool PostToQueue(santa_message_t);
-
-  ///  Fetches an execution decision for a file, first using the cache and then
-  ///  by sending a message to the daemon and waiting until a response arrives.
-  ///  If a daemon isn't connected, will allow execution and cache, logging
-  ///  the path to the executed file.
-  santa_action_t FetchDecision(const kauth_cred_t credential,
-                               const vfs_context_t vfs_context,
-                               const vnode_t vnode);
-
-  ///  Fetches the vnode_id for a given vnode.
-  uint64_t GetVnodeIDForVnode(const vfs_context_t context, const vnode_t vp);
-
-  ///  Returns the current system uptime in microseconds
-  uint64_t GetCurrentUptime();
-
   ///  Increments the count of active vnode callback's pending.
   void IncrementListenerInvocations();
 
   ///  Decrements the count of active vnode callback's pending.
   void DecrementListenerInvocations();
 
+  ///
+  ///  Vnode Callback
+  ///  @param cred The kauth credential for this request.
+  ///  @param ctx The VFS context for this request.
+  ///  @param vp The Vnode for this request.
+  ///  @param errno A pointer to return an errno style error.
+  ///  @return int A valid KAUTH_RESULT_*.
+  ///
+  int VnodeCallback(const kauth_cred_t cred, const vfs_context_t ctx,
+                    const vnode_t vp, int *errno);
+  ///
+  ///  FileOp Callback
+  ///  @param vp The Vnode for this request.
+  ///  @return int Should always be KAUTH_RESULT_DEFER.
+  ///
+  int FileOpCallback(const vnode_t vp);
+
+ protected:
+  ///
+  ///  The maximum number of milliseconds a cached deny message should be
+  ///  considered valid.
+  ///
+  const uint64_t kMaxDenyCacheTimeMilliseconds = 500;
+
+  ///
+  ///  The maximum number of milliseconds a cached allow message should be
+  ///  considered valid.
+  ///
+  const uint64_t kMaxAllowCacheTimeMilliseconds = 1000 * 60 * 60 * 24;
+
+  ///
+  ///  While waiting for a response from the daemon, this is the number of
+  ///  milliseconds to sleep for before checking the cache for a response.
+  ///
+  const int kRequestLoopSleepMilliseconds = 10;
+
+  ///
+  ///  Maximum number of entries in the in-kernel cache.
+  ///
+  const int kMaxCacheSize = 10000;
+
+  ///
+  ///  Maximum number of PostToQueue failures to allow.
+  ///
+  const int kMaxQueueFailures = 10;
+
+  ///
+  ///  The maximum number of messages can be kept in
+  ///  the IODataQueue at any time.
+  ///
+  const int kMaxQueueEvents = 512;
+
+  ///  Fetches a response from the cache, first checking to see if the
+  ///  entry has expired.
+  santa_action_t GetFromCache(const char *identifier);
+
+  ///  Fetches a response from the daemon. Handles both daemon death
+  ///  and failure to post messages to the daemon.
+  ///
+  ///  @param message The message to send to the daemon
+  ///  @param identifier The vnode ID string for this request
+  ///  @return santa_action_t The response for this request
+  ///
+  santa_action_t GetFromDaemon(const santa_message_t message,
+                               const char *identifier);
+
+  ///
+  ///  Fetches an execution decision for a file, first using the cache and then
+  ///  by sending a message to the daemon and waiting until a response arrives.
+  ///  If a daemon isn't connected, will allow execution and cache, logging
+  ///  the path to the executed file.
+  ///
+  ///  @param cred The credential for this request.
+  ///  @param vp The Vnode for this request.
+  ///  @param vnode_id The ID for this vnode.
+  ///  @param vnode_id_str A string representation of the above ID.
+  ///
+  santa_action_t FetchDecision(const kauth_cred_t cred,
+                               const vnode_t vp,
+                               const uint64_t vnode_id,
+                               const char *vnode_id_str);
+
+  ///
+  ///  Posts the requested message to the client data queue.
+  ///
+  ///  @param message The message to send
+  ///  @return bool true if sending was successful.
+  ///
+  bool PostToQueue(santa_message_t message);
+
+  ///
+  ///  Fetches the vnode_id for a given vnode.
+  ///
+  ///  @param ctx The VFS context to use.
+  ///  @param vp The Vnode to get the ID for
+  ///  @return uint64_t The Vnode ID as a 64-bit unsigned int.
+  ///
+  uint64_t GetVnodeIDForVnode(const vfs_context_t ctx, const vnode_t vp);
+
+  ///  Returns the current system uptime in microseconds
+  static uint64_t GetCurrentUptime();
+
  private:
   lck_grp_t *sdm_lock_grp_;
   lck_rw_t *cached_decisions_lock_;
@@ -142,13 +198,14 @@ class SantaDecisionManager : public OSObject {
   OSDictionary *cached_decisions_;
 
   IOSharedDataQueue *dataqueue_;
+  SInt32 failed_queue_requests_;
 
   SInt32 listener_invocations_;
 
-  pid_t owning_pid_;
-  proc_t owning_proc_;
+  pid_t client_pid_;
 
   kauth_listener_t vnode_listener_;
+  kauth_listener_t fileop_listener_;
 };
 
 ///
@@ -165,4 +222,19 @@ extern "C" int vnode_scope_callback(
     kauth_cred_t credential, void *idata, kauth_action_t action,
     uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3);
 
+///
+///  The kauth callback function for the FileOp scope
+///  @param actor's credentials
+///  @param data that was passed when the listener was registered
+///  @param action that was requested
+///  @param depends on action, usually the vnode ref.
+///  @param depends on action.
+///  @param depends on action, usually 0.
+///  @param depends on action, usually 0.
+///
+extern "C" int fileop_scope_callback(
+    kauth_cred_t credential, void *idata, kauth_action_t action,
+    uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3);
+
+
 #endif  // SANTA__SANTA_DRIVER__SANTADECISIONMANAGER_H

Source/santa-driver/SantaDriver.cc

@@ -24,8 +24,12 @@ bool SantaDriver::start(IOService *provider) {
   if (!super::start(provider)) return false;
 
   santaDecisionManager = new SantaDecisionManager;
-  santaDecisionManager->init();
-  santaDecisionManager->StartListener();
+  if (!santaDecisionManager->init() ||
+      santaDecisionManager->StartListener() != kIOReturnSuccess) {
+    santaDecisionManager->release();
+    santaDecisionManager = NULL;
+    return false;
+  }
 
   registerService();
 
@@ -44,7 +48,7 @@ void SantaDriver::stop(IOService *provider) {
   super::stop(provider);
 }
 
-SantaDecisionManager* SantaDriver::GetDecisionManager() {
+SantaDecisionManager *SantaDriver::GetDecisionManager() {
   return santaDecisionManager;
 }
 

Source/santa-driver/SantaDriver.h

@@ -31,17 +31,16 @@ class com_google_SantaDriver : public IOService {
 
  public:
   ///  Called by the kernel when the kext is loaded
-  bool start(IOService *provider);
+  bool start(IOService *provider) override;
 
   ///  Called by the kernel when the kext is unloaded
-  void stop(IOService *provider);
+  void stop(IOService *provider) override;
 
   ///  Returns a pointer to the SantaDecisionManager created in start().
-  SantaDecisionManager* GetDecisionManager();
+  SantaDecisionManager *GetDecisionManager();
 
  private:
   SantaDecisionManager *santaDecisionManager;
-
 };
 
 #endif  // SANTA__SANTA_DRIVER__SANTADRIVER_H

Source/santa-driver/SantaDriverClient.cc

@@ -36,73 +36,58 @@ bool SantaDriverClient::initWithTask(
 }
 
 bool SantaDriverClient::start(IOService *provider) {
-  fProvider = OSDynamicCast(com_google_SantaDriver, provider);
+  myProvider = OSDynamicCast(com_google_SantaDriver, provider);
 
-  if (!fProvider) return false;
+  if (!myProvider) return false;
   if (!super::start(provider)) return false;
 
-  fSDM = fProvider->GetDecisionManager();
+  decisionManager = myProvider->GetDecisionManager();
+  if (!decisionManager) return false;
 
   return true;
 }
 
 void SantaDriverClient::stop(IOService *provider) {
   super::stop(provider);
-
-  fSDM = NULL;
-  fProvider = NULL;
+  myProvider = NULL;
+  decisionManager = NULL;
 }
 
 IOReturn SantaDriverClient::clientClose() {
-  terminate(kIOServiceSynchronous);
-  return kIOReturnSuccess;
+  decisionManager->DisconnectClient(true);
+  return terminate(kIOServiceSynchronous) ? kIOReturnSuccess : kIOReturnError;
 }
 
 bool SantaDriverClient::terminate(IOOptionBits options) {
-  fSDM->DisconnectClient();
+  decisionManager->DisconnectClient();
   LOGI("Client disconnected.");
 
-  fSharedMemory->release();
-  fSharedMemory = NULL;
-
-  fDataQueue->release();
-  fDataQueue = NULL;
-
-  if (fProvider && fProvider->isOpen(this)) fProvider->close(this);
+  if (myProvider && myProvider->isOpen(this)) myProvider->close(this);
 
   return super::terminate(options);
 }
 
 #pragma mark Fetching memory and data queue notifications
 
-IOReturn SantaDriverClient::registerNotificationPort(mach_port_t port,
-                                                     UInt32 type,
-                                                     UInt32 ref) {
-  if ((!fDataQueue) || (port == MACH_PORT_NULL)) return kIOReturnError;
+IOReturn SantaDriverClient::registerNotificationPort(
+    mach_port_t port, UInt32 type, UInt32 ref) {
+  if (port == MACH_PORT_NULL) return kIOReturnError;
 
-  fDataQueue->setNotificationPort(port);
+  decisionManager->ConnectClient(port, proc_selfpid());
+  LOGI("Client connected, PID: %d.", proc_selfpid());
 
   return kIOReturnSuccess;
 }
 
-IOReturn SantaDriverClient::clientMemoryForType(UInt32 type,
-                                                IOOptionBits *options,
-                                                IOMemoryDescriptor **memory) {
-  *memory = NULL;
+IOReturn SantaDriverClient::clientMemoryForType(
+    UInt32 type, IOOptionBits *options, IOMemoryDescriptor **memory) {
+  if (type != kIODefaultMemoryType) return kIOReturnNoMemory;
+
   *options = 0;
+  *memory = decisionManager->GetMemoryDescriptor();
+  (*memory)->retain();
 
-  if (type == kIODefaultMemoryType) {
-    if (!fSharedMemory) return kIOReturnNoMemory;
-    fSharedMemory->retain();  // client will decrement this ref
-    *memory = fSharedMemory;
-
-    fSDM->ConnectClient(fDataQueue, proc_selfpid());
-    LOGI("Client connected, PID: %d.", proc_selfpid());
-
-    return kIOReturnSuccess;
-  }
-
-  return kIOReturnNoMemory;
+  return kIOReturnSuccess;
 }
 
 #pragma mark Callable Methods
@@ -110,23 +95,11 @@ IOReturn SantaDriverClient::clientMemoryForType(UInt32 type,
 IOReturn SantaDriverClient::open() {
   if (isInactive()) return kIOReturnNotAttached;
 
-  if (!fProvider->open(this)) {
+  if (!myProvider->open(this)) {
     LOGW("A second client tried to connect.");
     return kIOReturnExclusiveAccess;
   }
 
-  fDataQueue = IOSharedDataQueue::withCapacity((sizeof(santa_message_t) +
-                                                DATA_QUEUE_ENTRY_HEADER_SIZE)
-                                                * kMaxQueueEvents);
-  if (!fDataQueue) return kIOReturnNoMemory;
-
-  fSharedMemory = fDataQueue->getMemoryDescriptor();
-  if (!fSharedMemory) {
-    fDataQueue->release();
-    fDataQueue = NULL;
-    return kIOReturnVMError;
-  }
-
   return kIOReturnSuccess;
 }
 
@@ -141,9 +114,7 @@ IOReturn SantaDriverClient::static_open(
 IOReturn SantaDriverClient::allow_binary(const uint64_t vnode_id) {
   char vnode_id_str[21];
   snprintf(vnode_id_str, sizeof(vnode_id_str), "%llu", vnode_id);
-  fSDM->AddToCache(vnode_id_str,
-                   ACTION_RESPOND_CHECKBW_ALLOW,
-                   fSDM->GetCurrentUptime());
+  decisionManager->AddToCache(vnode_id_str, ACTION_RESPOND_CHECKBW_ALLOW);
 
   return kIOReturnSuccess;
 }
@@ -160,9 +131,7 @@ IOReturn SantaDriverClient::static_allow_binary(
 IOReturn SantaDriverClient::deny_binary(const uint64_t vnode_id) {
   char vnode_id_str[21];
   snprintf(vnode_id_str, sizeof(vnode_id_str), "%llu", vnode_id);
-  fSDM->AddToCache(vnode_id_str,
-                   ACTION_RESPOND_CHECKBW_DENY,
-                   fSDM->GetCurrentUptime());
+  decisionManager->AddToCache(vnode_id_str, ACTION_RESPOND_CHECKBW_DENY);
 
   return kIOReturnSuccess;
 }
@@ -177,7 +146,7 @@ IOReturn SantaDriverClient::static_deny_binary(
 }
 
 IOReturn SantaDriverClient::clear_cache() {
-  fSDM->ClearCache();
+  decisionManager->ClearCache();
   return kIOReturnSuccess;
 }
 
@@ -190,7 +159,7 @@ IOReturn SantaDriverClient::static_clear_cache(
 }
 
 IOReturn SantaDriverClient::cache_count(uint64_t *output) {
-  *output = fSDM->CacheCount();
+  *output = decisionManager->CacheCount();
   return kIOReturnSuccess;
 }
 

Source/santa-driver/SantaDriverClient.h

@@ -16,9 +16,6 @@
 #define SANTA__SANTA_DRIVER__SANTADRIVERUSERCLIENT_H
 
 #include <IOKit/IOUserClient.h>
-#include <IOKit/IOSharedDataQueue.h>
-#include <IOKit/IOLib.h>
-#include <IOKit/IODataQueueShared.h>
 #include <sys/kauth.h>
 #include <sys/vnode.h>
 #include <sys/proc.h>
@@ -28,9 +25,6 @@
 #include "SantaMessage.h"
 #include "SNTKernelCommon.h"
 
-// The maximum number of messages can be kept in the IODataQueue at any time.
-const int kMaxQueueEvents = 256;
-
 ///
 ///  This class is instantiated by IOKit when a new client process attempts to
 ///  connect to the driver. Starting, stopping, handling connections, allocating
@@ -39,39 +33,34 @@ const int kMaxQueueEvents = 256;
 ///  Documentation on how the IOUserClient parts of this code work can be found
 ///  here:
 ///  https://developer.apple.com/library/mac/samplecode/SimpleUserClient/Listings/User_Client_Info_txt.html
+///  https://developer.apple.com/library/mac/documentation/DeviceDrivers/Conceptual/WritingDeviceDriver/WritingDeviceDriver.pdf
 ///
 class com_google_SantaDriverClient : public IOUserClient {
   OSDeclareDefaultStructors(com_google_SantaDriverClient);
 
- private:
-  IOSharedDataQueue *fDataQueue;
-  IOMemoryDescriptor *fSharedMemory;
-  com_google_SantaDriver *fProvider;
-  SantaDecisionManager *fSDM;
-
  public:
   ///  Called as part of IOServiceOpen in clients
-  bool initWithTask(task_t owningTask, void *securityID, UInt32 type);
+  bool initWithTask(task_t owningTask, void *securityID, UInt32 type) override;
 
   ///  Called after initWithTask as part of IOServiceOpen
-  bool start(IOService *provider);
+  bool start(IOService *provider) override;
 
   ///  Called when this class is stopping
-  void stop(IOService *provider);
+  void stop(IOService *provider) override;
 
   ///  Called when a client disconnects
-  IOReturn clientClose();
+  IOReturn clientClose() override;
 
   ///  Called when the driver is shutting down
-  bool terminate(IOOptionBits options);
+  bool terminate(IOOptionBits options) override;
 
   ///  Called in clients with IOConnectSetNotificationPort
   IOReturn registerNotificationPort(
-      mach_port_t port, UInt32 type, UInt32 refCon);
+      mach_port_t port, UInt32 type, UInt32 refCon) override;
 
   ///  Called in clients with IOConnectMapMemory
   IOReturn clientMemoryForType(
-      UInt32 type, IOOptionBits *options, IOMemoryDescriptor **memory);
+      UInt32 type, IOOptionBits *options, IOMemoryDescriptor **memory) override;
 
   ///  Called in clients with IOConnectCallScalarMethod etc. Dispatches
   ///  to the requested selector using the SantaDriverMethods enum in
@@ -80,7 +69,7 @@ class com_google_SantaDriverClient : public IOUserClient {
       UInt32 selector,
       IOExternalMethodArguments *arguments,
       IOExternalMethodDispatch *dispatch,
-      OSObject *target, void *reference);
+      OSObject *target, void *reference) override;
 
   ///
   ///  The userpsace callable methods are below. Each method corresponds
@@ -122,6 +111,10 @@ class com_google_SantaDriverClient : public IOUserClient {
       com_google_SantaDriverClient *target,
       void *reference,
       IOExternalMethodArguments *arguments);
+
+ private:
+  com_google_SantaDriver *myProvider;
+  SantaDecisionManager *decisionManager;
 };
 
 #endif  // SANTA__SANTA_DRIVER__SANTADRIVERUSERCLIENT_H

Source/santa-driver/SantaMessage.cc

@@ -24,8 +24,8 @@ santa_action_t SantaMessage::getAction() const {
   return action_;
 }
 
-void SantaMessage::setAction(const santa_action_t action,
-                             const uint64_t microsecs) {
+void SantaMessage::setAction(
+    const santa_action_t action, const uint64_t microsecs) {
   action_ = action;
   microsecs_ = microsecs;
 }

Source/santa-driver/SantaMessage.h

@@ -26,10 +26,6 @@
 class SantaMessage : public OSObject {
   OSDeclareDefaultStructors(SantaMessage)
 
- private:
-  santa_action_t action_;
-  uint64_t microsecs_;
-
  public:
   // Returns the time the action was last set.
   uint64_t getMicrosecs() const;
@@ -39,6 +35,10 @@ class SantaMessage : public OSObject {
 
   // Sets the acion and receive time.
   void setAction(const santa_action_t action, const uint64_t microsecs);
+
+ private:
+  santa_action_t action_;
+  uint64_t microsecs_;
 };
 
 #endif  // SANTA__SANTA_DRIVER__SANTAMESSAGE_H

Source/santactl/SNTCommandController.m

@@ -36,7 +36,7 @@ static NSMutableDictionary *registeredCommands;
 
   int longestCommandName = 0;
   for (NSString *cmdName in registeredCommands) {
-    if ([cmdName length] > longestCommandName) {
+    if ((int)[cmdName length] > longestCommandName) {
       longestCommandName = (int)[cmdName length];
     }
   }

Source/santactl/binaryinfo/SNTCommandBinaryInfo.m

@@ -25,7 +25,7 @@
 
 @implementation SNTCommandBinaryInfo
 
-REGISTER_COMMAND_NAME(@"binaryinfo");
+REGISTER_COMMAND_NAME(@"binaryinfo")
 
 + (BOOL)requiresRoot {
   return NO;
@@ -55,26 +55,29 @@ REGISTER_COMMAND_NAME(@"binaryinfo");
 
   SNTFileInfo *fileInfo = [[SNTFileInfo alloc] initWithPath:filePath];
   if (!fileInfo) {
-    printf("Invalid file\n");
+    printf("Invalid or empty file\n");
     exit(1);
   }
 
-  printf("%-12s: %s\n", "Path", [[fileInfo path] UTF8String]);
-  printf("%-12s: %s\n", "SHA-256", [[fileInfo SHA256] UTF8String]);
-  printf("%-12s: %s\n", "SHA-1", [[fileInfo SHA1] UTF8String]);
+  printf("%-19s: %s\n", "Path", [[fileInfo path] UTF8String]);
+  printf("%-19s: %s\n", "SHA-256", [[fileInfo SHA256] UTF8String]);
+  printf("%-19s: %s\n", "SHA-1", [[fileInfo SHA1] UTF8String]);
+  printf("%-19s: %s\n", "Bundle Name", [[fileInfo bundleName] UTF8String]);
+  printf("%-19s: %s\n", "Bundle Version", [[fileInfo bundleVersion] UTF8String]);
+  printf("%-19s: %s\n", "Bundle Version Str", [[fileInfo bundleShortVersionString] UTF8String]);
 
   NSArray *archs = [fileInfo architectures];
   if (archs) {
-    printf("%-12s: %s (%s)\n", "Type",
+    printf("%-19s: %s (%s)\n", "Type",
            [[fileInfo machoType] UTF8String],
            [[archs componentsJoinedByString:@", "] UTF8String]);
   } else {
-    printf("%-12s: %s\n", "Type", [[fileInfo machoType] UTF8String]);
+    printf("%-19s: %s\n", "Type", [[fileInfo machoType] UTF8String]);
   }
 
   SNTCodesignChecker *csc = [[SNTCodesignChecker alloc] initWithBinaryPath:filePath];
 
-  printf("%-12s: %s\n", "Code-signed", (csc) ? "Yes" : "No");
+  printf("%-19s: %s\n", "Code-signed", (csc) ? "Yes" : "No");
 
   if (csc) {
     printf("Signing chain:\n");

Source/santactl/flushcache/SNTCommandFlushCache.m

@@ -23,7 +23,7 @@
 
 @implementation SNTCommandFlushCache
 
-REGISTER_COMMAND_NAME(@"flushcache");
+REGISTER_COMMAND_NAME(@"flushcache")
 
 + (BOOL)requiresRoot {
   return YES;

Source/santactl/rule/SNTCommandRule.m

@@ -32,7 +32,7 @@
 
 @implementation SNTCommandRule
 
-REGISTER_COMMAND_NAME(@"rule");
+REGISTER_COMMAND_NAME(@"rule")
 
 + (BOOL)requiresRoot {
   return YES;
@@ -58,20 +58,20 @@ REGISTER_COMMAND_NAME(@"rule");
 
 + (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
   SNTConfigurator *config = [SNTConfigurator configurator];
-  
+
   // Ensure we have no privileges
   if (!DropRootPrivileges()) {
     printf("Failed to drop root privileges.\n");
     exit(1);
   }
-  
+
   if ([config syncBaseURL] != nil) {
     printf("SyncBaseURL is set, rules are managed centrally.\n");
     exit(1);
   }
-  
+
   NSString *action = [arguments firstObject];
-  
+
   // add or remove
   if (!action) {
     printf("Missing action - add or remove?\n");
@@ -79,7 +79,7 @@ REGISTER_COMMAND_NAME(@"rule");
   }
 
   int state = RULESTATE_UNKNOWN;
-  
+
   if ([action compare:@"add" options:NSCaseInsensitiveSearch] == NSOrderedSame) {
   } else if ([action compare:@"remove" options:NSCaseInsensitiveSearch] == NSOrderedSame) {
     state = RULESTATE_REMOVE;
@@ -87,15 +87,15 @@ REGISTER_COMMAND_NAME(@"rule");
     printf("Unknown action, expected add or remove.\n");
     exit(1);
   }
-  
+
   NSString *customMsg = @"";
   NSString *SHA256 = nil;
   NSString *filePath = nil;
-  
+
   // parse arguments
-  for (int i=1; i < [arguments count] ; i++ ) {
+  for (NSUInteger i = 1; i < [arguments count] ; i++ ) {
     NSString* argument = [arguments objectAtIndex:i];
-    
+
     if ([argument compare:@"--whitelist" options:NSCaseInsensitiveSearch] == NSOrderedSame) {
       state = RULESTATE_WHITELIST;
     } else if ([argument compare:@"--blacklist" options:NSCaseInsensitiveSearch] == NSOrderedSame) {
@@ -106,31 +106,31 @@ REGISTER_COMMAND_NAME(@"rule");
       if (++i > ([arguments count])) {
         printf("No message specified.\n");
       }
-      
+
       customMsg = [arguments objectAtIndex:i];
     } else if ([argument compare:@"--path" options:NSCaseInsensitiveSearch] == NSOrderedSame) {
       if (++i > ([arguments count])) {
         printf("No path specified.\n");
       }
-      
+
       filePath = [arguments objectAtIndex:i];
     } else if ([argument compare:@"--sha256" options:NSCaseInsensitiveSearch] == NSOrderedSame) {
       if (++i > ([arguments count])) {
         printf("No SHA-256 specified.\n");
       }
-      
+
       SHA256 = [arguments objectAtIndex:i];
     } else {
       printf("Unknown argument %s.\n", [argument UTF8String]);
       exit(1);
     }
   }
-  
+
   if (state == RULESTATE_UNKNOWN) {
     printf("No state specified.\n");
     exit(1);
   }
-  
+
   if (filePath) {
     SNTFileInfo *fileInfo = [[SNTFileInfo alloc] initWithPath:filePath];
     if (!fileInfo) {
@@ -144,22 +144,21 @@ REGISTER_COMMAND_NAME(@"rule");
     printf("No SHA-256 or binary specified.\n");
     exit(1);
   }
-  
+
   SNTRule *newRule = [[SNTRule alloc] init];
   newRule.shasum = SHA256;
   newRule.state = state;
   newRule.type = RULETYPE_BINARY;
   newRule.customMsg = customMsg;
-  
-  [[daemonConn remoteObjectProxy] databaseRuleAddRule:newRule withReply:^{
-    if (state == RULESTATE_REMOVE) {
-      printf("Removed rule for SHA-256: %s.\n", [newRule.shasum UTF8String]);
-    } else {
-      printf("Added rule for SHA-256: %s.\n", [newRule.shasum UTF8String]);
-    }
-    exit(0);
-  }];
 
+  [[daemonConn remoteObjectProxy] databaseRuleAddRule:newRule cleanSlate:NO reply:^{
+      if (state == RULESTATE_REMOVE) {
+        printf("Removed rule for SHA-256: %s.\n", [newRule.shasum UTF8String]);
+      } else {
+        printf("Added rule for SHA-256: %s.\n", [newRule.shasum UTF8String]);
+      }
+      exit(0);
+  }];
 }
 
 @end

Source/santactl/status/SNTCommandStatus.m

@@ -22,7 +22,7 @@
 
 @implementation SNTCommandStatus
 
-REGISTER_COMMAND_NAME(@"status");
+REGISTER_COMMAND_NAME(@"status")
 
 + (BOOL)requiresRoot {
   return NO;
@@ -41,9 +41,25 @@ REGISTER_COMMAND_NAME(@"status");
 }
 
 + (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
+  // Daemon status
+  __block NSString *clientMode;
+  [[daemonConn remoteObjectProxy] clientMode:^(santa_clientmode_t cm) {
+      switch (cm) {
+        case CLIENTMODE_MONITOR:
+          clientMode = @"Monitor"; break;
+        case CLIENTMODE_LOCKDOWN:
+          clientMode = @"Lockdown"; break;
+        default:
+          clientMode = [NSString stringWithFormat:@"Unknown (%d)", cm]; break;
+      }
+  }];
+  do { usleep(5000); } while (!clientMode);
+  printf(">>> Daemon Info\n");
+  printf("  %-25s | %s\n", "Mode", [clientMode UTF8String]);
+
   // Kext status
-  __block uint64_t cacheCount = -1;
-  [[daemonConn remoteObjectProxy] cacheCount:^(uint64_t count) {
+  __block int64_t cacheCount = -1;
+  [[daemonConn remoteObjectProxy] cacheCount:^(int64_t count) {
       cacheCount = count;
   }];
   do { usleep(5000); } while (cacheCount == -1);
@@ -51,12 +67,12 @@ REGISTER_COMMAND_NAME(@"status");
   printf("  %-25s | %lld\n", "Kernel cache count", cacheCount);
 
   // Database counts
-  __block uint64_t eventCount = 1, binaryRuleCount = -1, certRuleCount = -1;
-  [[daemonConn remoteObjectProxy] databaseRuleCounts:^(uint64_t binary, uint64_t certificate) {
+  __block int64_t eventCount = -1, binaryRuleCount = -1, certRuleCount = -1;
+  [[daemonConn remoteObjectProxy] databaseRuleCounts:^(int64_t binary, int64_t certificate) {
       binaryRuleCount = binary;
       certRuleCount = certificate;
   }];
-  [[daemonConn remoteObjectProxy] databaseEventCount:^(uint64_t count) {
+  [[daemonConn remoteObjectProxy] databaseEventCount:^(int64_t count) {
       eventCount = count;
   }];
   do { usleep(5000); } while (eventCount == -1 || binaryRuleCount == -1 || certRuleCount == -1);

Source/santactl/sync/NSData+Zlib.m

@@ -14,7 +14,7 @@
 
 #import "NSData+Zlib.h"
 
-#import <zlib.h>
+#include <zlib.h>
 
 @implementation NSData (Zlib)
 
@@ -29,7 +29,7 @@
     stream.total_out = 0;
     stream.avail_out = 0;
 
-    int chunkSize = 16384;
+    NSUInteger chunkSize = 16384;
 
     int windowSize = 15;
     if (includeHeader) {
@@ -63,4 +63,4 @@
   return [self compressIncludingGzipHeader:YES];
 }
 
-@end
+@end

Source/santactl/sync/SNTAuthenticatingURLSession.h

@@ -27,7 +27,7 @@
 ///  If set, this is the user-agent to send with requests, otherwise remains the default
 ///  CFNetwork-based name.
 ///
-@property(nonatomic) NSString *userAgent;
+@property(copy, nonatomic) NSString *userAgent;
 
 ///
 ///  If set to YES, this session refuses redirect requests. Defaults to NO.
@@ -38,24 +38,24 @@
 ///  If set, the server that we connect to _must_ match this string. Redirects to other
 ///  hosts will not be allowed.
 ///
-@property(nonatomic) NSString *serverHostname;
+@property(copy, nonatomic) NSString *serverHostname;
 
 ///
 ///  This should be PEM data containing one or more certificates to use to verify the server's
 ///  certificate chain. This will override the trusted roots in the System Roots.
 ///
-@property(nonatomic) NSData *serverRootsPemData;
+@property(copy, nonatomic) NSData *serverRootsPemData;
 
 ///
 ///  If set and client certificate authentication is needed, the pkcs#12 file will be loaded
 ///
-@property(nonatomic) NSString *clientCertFile;
+@property(copy, nonatomic) NSString *clientCertFile;
 
 ///
 ///  If set and client certificate authentication is needed, the password being used for
 ///  loading the clientCertFile
 ///
-@property(nonatomic) NSString *clientCertPassword;
+@property(copy, nonatomic) NSString *clientCertPassword;
 
 ///
 ///  If set and client certificate authentication is needed, will search the keychain for a
@@ -65,7 +65,7 @@
 ///  @note If this property is not set and neither is |clientCertIssuerCn|, the allowed issuers
 ///  provided by the server will be used to find a matching certificate.
 ///
-@property(nonatomic) NSString *clientCertCommonName;
+@property(copy, nonatomic) NSString *clientCertCommonName;
 
 ///
 ///  If set and client certificate authentication is needed, will search the keychain for a
@@ -76,7 +76,7 @@
 ///  @note If this property is not set and neither is |clientCertCommonName|, the allowed issuers
 ///      provided by the server will be used to find a matching certificate.
 ///
-@property(nonatomic) NSString *clientCertIssuerCn;
+@property(copy, nonatomic) NSString *clientCertIssuerCn;
 
 /// Designated initializer
 - (instancetype)initWithSessionConfiguration:(NSURLSessionConfiguration *)configuration;

Source/santactl/sync/SNTAuthenticatingURLSession.m

@@ -58,24 +58,24 @@
   NSURLProtectionSpace *protectionSpace = challenge.protectionSpace;
 
   if (challenge.previousFailureCount > 0) {
-    completionHandler(NSURLSessionAuthChallengeRejectProtectionSpace, nil);
+    completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
     return;
   }
 
   if (self.serverHostname && ![self.serverHostname isEqual:protectionSpace.host]) {
-    completionHandler(NSURLSessionAuthChallengeRejectProtectionSpace, nil);
+    completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
     return;
   }
 
   if (![protectionSpace.protocol isEqual:NSURLProtectionSpaceHTTPS]) {
-    LOGD(@"Protection Space: %@ is not a secure protocol", protectionSpace.protocol);
-    completionHandler(NSURLSessionAuthChallengeRejectProtectionSpace, nil);
+    LOGE(@"%@ is not a secure protocol", protectionSpace.protocol);
+    completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
     return;
   }
 
   if (!protectionSpace.receivesCredentialSecurely) {
-    LOGD(@"Protection Space: secure authentication or protocol cannot be established.");
-    completionHandler(NSURLSessionAuthChallengeRejectProtectionSpace, nil);
+    LOGE(@"Secure authentication or protocol cannot be established.");
+    completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
     return;
   }
 
@@ -88,7 +88,7 @@
       return;
     } else {
       LOGE(@"Server asked for client authentication but no usable client certificate found.");
-      completionHandler(NSURLSessionAuthChallengeRejectProtectionSpace, nil);
+      completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
       return;
     }
   } else if (authMethod == NSURLAuthenticationMethodServerTrust) {
@@ -97,8 +97,8 @@
       completionHandler(NSURLSessionAuthChallengeUseCredential, cred);
       return;
     } else {
-      LOGE(@"Server asked for client authentication but no usable client certificate found.");
-      completionHandler(NSURLSessionAuthChallengeRejectProtectionSpace, nil);
+      LOGE(@"Unable to verify server identity.");
+      completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
       return;
     }
   }
@@ -111,11 +111,13 @@
     willPerformHTTPRedirection:(NSHTTPURLResponse *)response
                     newRequest:(NSURLRequest *)request
              completionHandler:(void (^)(NSURLRequest *))completionHandler {
-  if (self.refusesRedirects) {
-    completionHandler(NULL);
-  } else {
-    completionHandler(request);
-  }
+    if (self.refusesRedirects) {
+      LOGD(@"Rejected redirection to: %@", request.URL);
+      [task cancel];  // without this, the connection hangs until timeout!?!
+      completionHandler(NULL);
+    } else {
+      completionHandler(request);
+    }
 }
 
 #pragma mark Private Helpers for URLSession:didReceiveChallenge:completionHandler:
@@ -136,13 +138,13 @@
 ///
 - (NSURLCredential *)clientCredentialForProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
   __block OSStatus err = errSecSuccess;
-  __block SecIdentityRef foundIdentity;
+  __block SecIdentityRef foundIdentity = NULL;
 
   if (self.clientCertFile) {
     NSError *error;
     NSData *data = [NSData dataWithContentsOfFile:self.clientCertFile options:0 error:&error];
     if (error) {
-      LOGE(@"Client Trust: Couldn't open client certificate %@: %@",
+      LOGD(@"Client Trust: Couldn't open client certificate %@: %@",
            self.clientCertFile,
            [error localizedDescription]);
       return nil;
@@ -158,7 +160,7 @@
     NSArray *identities = CFBridgingRelease(cfIdentities);
 
     if (err != errSecSuccess) {
-      LOGE(@"Client Trust: Couldn't load client certificate %@: %d", self.clientCertFile, err);
+      LOGD(@"Client Trust: Couldn't load client certificate %@: %d", self.clientCertFile, err);
       return nil;
     }
 
@@ -169,7 +171,8 @@
     err = SecItemCopyMatching((__bridge CFDictionaryRef)@{
           (id)kSecClass : (id)kSecClassIdentity,
           (id)kSecReturnRef : @YES,
-          (id)kSecMatchLimit : (id)kSecMatchLimitAll }, (CFTypeRef *)&cfIdentities);
+          (id)kSecMatchLimit : (id)kSecMatchLimitAll
+    }, (CFTypeRef *)&cfIdentities);
 
     if (err != errSecSuccess) {
       LOGD(@"Client Trust: Failed to load client identities, SecItemCopyMatching returned: %d",
@@ -181,56 +184,63 @@
 
     // Manually iterate through available identities to find one with an allowed issuer.
     [identities enumerateObjectsUsingBlock:^(id obj, NSUInteger idx, BOOL *stop) {
-      SecIdentityRef identityRef = (__bridge SecIdentityRef)obj;
+        SecIdentityRef identityRef = (__bridge SecIdentityRef)obj;
 
-      SecCertificateRef certificate = NULL;
-      err = SecIdentityCopyCertificate(identityRef, &certificate);
-      if (err != errSecSuccess) {
-        LOGD(@"Client Trust: Failed to read certificate data: %d. Skipping identity.", (int)err);
-        return;
-      }
-
-      SNTCertificate *clientCert = [[SNTCertificate alloc] initWithSecCertificateRef:certificate];
-      CFRelease(certificate);
-
-      // Switch identity finding method depending on config
-      if (self.clientCertCommonName && clientCert.commonName) {
-        if ([clientCert.commonName compare:self.clientCertCommonName
-                                   options:NSCaseInsensitiveSearch] == NSOrderedSame) {
-          foundIdentity = identityRef;
-          CFRetain(foundIdentity);
-          *stop = YES;
-          return;  // return from enumeration block
+        SecCertificateRef certificate = NULL;
+        err = SecIdentityCopyCertificate(identityRef, &certificate);
+        if (err != errSecSuccess) {
+          LOGD(@"Client Trust: Failed to read certificate data: %d. Skipping identity.", (int)err);
+          return;
         }
-      } else if (self.clientCertIssuerCn && clientCert.issuerCommonName) {
-        if ([clientCert.issuerCommonName compare:self.clientCertIssuerCn
-                                         options:NSCaseInsensitiveSearch] == NSOrderedSame) {
-          foundIdentity = identityRef;
-          CFRetain(foundIdentity);
-          *stop = YES;
-          return;  // return from enumeration block
-        }
-      } else {
-        for (NSData *allowedIssuer in protectionSpace.distinguishedNames) {
-          SNTDERDecoder *decoder = [[SNTDERDecoder alloc] initWithData:allowedIssuer];
-          if (!decoder) continue;
-          if ([clientCert.issuerCommonName isEqual:decoder.commonName] &&
-              [clientCert.issuerCountryName isEqual:decoder.countryName] &&
-              [clientCert.issuerOrgName isEqual:decoder.organizationName] &&
-              [clientCert.issuerOrgUnit isEqual:decoder.organizationalUnit]) {
 
+        SNTCertificate *clientCert = [[SNTCertificate alloc] initWithSecCertificateRef:certificate];
+        CFRelease(certificate);
+
+        // Switch identity finding method depending on config
+        if (self.clientCertCommonName && clientCert.commonName) {
+          if ([clientCert.commonName compare:self.clientCertCommonName
+                                     options:NSCaseInsensitiveSearch] == NSOrderedSame) {
             foundIdentity = identityRef;
             CFRetain(foundIdentity);
             *stop = YES;
             return;  // return from enumeration block
           }
+        } else if (self.clientCertIssuerCn && clientCert.issuerCommonName) {
+          if ([clientCert.issuerCommonName compare:self.clientCertIssuerCn
+                                           options:NSCaseInsensitiveSearch] == NSOrderedSame) {
+            foundIdentity = identityRef;
+            CFRetain(foundIdentity);
+            *stop = YES;
+            return;  // return from enumeration block
+          }
+        } else {
+          for (NSData *allowedIssuer in protectionSpace.distinguishedNames) {
+            SNTDERDecoder *decoder = [[SNTDERDecoder alloc] initWithData:allowedIssuer];
+
+            if (!decoder) {
+              LOGW(@"Unable to decode allowed distinguished name.");
+              continue;
+            }
+
+            if ([clientCert.issuerCommonName isEqual:decoder.commonName] &&
+                [clientCert.issuerCountryName isEqual:decoder.countryName] &&
+                [clientCert.issuerOrgName isEqual:decoder.organizationName] &&
+                [clientCert.issuerOrgUnit isEqual:decoder.organizationalUnit]) {
+              foundIdentity = identityRef;
+              CFRetain(foundIdentity);
+              *stop = YES;
+              return;  // return from enumeration block
+            }
+          }
         }
-      }
     }];
   }
 
   if (foundIdentity) {
-    LOGD(@"Client Trust: Valid client identity %@.", foundIdentity);
+    SecCertificateRef certificate = NULL;
+    err = SecIdentityCopyCertificate(foundIdentity, &certificate);
+    SNTCertificate *clientCert = [[SNTCertificate alloc] initWithSecCertificateRef:certificate];
+    LOGD(@"Client Trust: Valid client identity %@.", clientCert);
     NSURLCredential *cred =
         [NSURLCredential credentialWithIdentity:foundIdentity
                                    certificates:nil
@@ -278,7 +288,7 @@
     // Set this array of certs as the anchors to trust.
     err = SecTrustSetAnchorCertificates(serverTrust, (__bridge CFArrayRef)certRefs);
     if (err != errSecSuccess) {
-      LOGE(@"Server Trust: Could not set anchor certificates: %d", err);
+      LOGD(@"Server Trust: Could not set anchor certificates: %d", err);
       return nil;
     }
   }
@@ -287,12 +297,12 @@
   SecTrustResultType result = kSecTrustResultInvalid;
   err = SecTrustEvaluate(serverTrust, &result);
   if (err != errSecSuccess) {
-    LOGE(@"Server Trust: Unable to evaluate certificate chain for server: %d", err);
+    LOGD(@"Server Trust: Unable to evaluate certificate chain for server: %d", err);
     return nil;
   }
 
   // Print details about the server's leaf certificate.
-  SecCertificateRef firstCert = SecTrustGetCertificateAtIndex(protectionSpace.serverTrust, 0);
+  SecCertificateRef firstCert = SecTrustGetCertificateAtIndex(serverTrust, 0);
   if (firstCert) {
     SNTCertificate *cert = [[SNTCertificate alloc] initWithSecCertificateRef:firstCert];
     LOGD(@"Server Trust: Server leaf cert: %@", cert);
@@ -301,7 +311,7 @@
   // Having a trust level "unspecified" by the user is the usual result, described at
   // https://developer.apple.com/library/mac/qa/qa1360
   if (result != kSecTrustResultProceed && result != kSecTrustResultUnspecified) {
-    LOGE(@"Server Trust: Server isn't trusted. SecTrustResultType: %d", result);
+    LOGD(@"Server Trust: Server isn't trusted. SecTrustResultType: %d", result);
     return nil;
   }
 

Source/santactl/sync/SNTCommandSync.m

@@ -20,7 +20,7 @@
 #import "SNTCommandSyncPostflight.h"
 #import "SNTCommandSyncPreflight.h"
 #import "SNTCommandSyncRuleDownload.h"
-#import "SNTCommandSyncStatus.h"
+#import "SNTCommandSyncState.h"
 #import "SNTConfigurator.h"
 #import "SNTDropRootPrivs.h"
 #import "SNTLogging.h"
@@ -30,12 +30,12 @@
 @interface SNTCommandSync : NSObject<SNTCommand>
 @property NSURLSession *session;
 @property SNTXPCConnection *daemonConn;
-@property SNTCommandSyncStatus *progress;
+@property SNTCommandSyncState *syncState;
 @end
 
 @implementation SNTCommandSync
 
-REGISTER_COMMAND_NAME(@"sync");
+REGISTER_COMMAND_NAME(@"sync")
 
 + (BOOL)requiresRoot {
   return NO;
@@ -46,7 +46,7 @@ REGISTER_COMMAND_NAME(@"sync");
 }
 
 + (NSString *)shortHelpText {
-  return @"Synchronizes Santa with the server.";
+  return @"Synchronizes Santa with a configured server.";
 }
 
 + (NSString *)longHelpText {
@@ -112,24 +112,26 @@ REGISTER_COMMAND_NAME(@"sync");
   s.daemonConn = daemonConn;
 
   // Gather some data needed during some sync stages
-  s.progress = [[SNTCommandSyncStatus alloc] init];
+  s.syncState = [[SNTCommandSyncState alloc] init];
 
-  s.progress.syncBaseURL = config.syncBaseURL;
-  if (!s.progress.syncBaseURL) {
+  s.syncState.syncBaseURL = config.syncBaseURL;
+  if (!s.syncState.syncBaseURL) {
     LOGE(@"Missing SyncBaseURL. Can't sync without it.");
     exit(1);
+  } else if (![s.syncState.syncBaseURL.scheme isEqual:@"https"]) {
+    LOGW(@"SyncBaseURL is not over HTTPS!");
   }
-  authURLSession.serverHostname = s.progress.syncBaseURL.host;
+  authURLSession.serverHostname = s.syncState.syncBaseURL.host;
 
-  s.progress.machineID = config.machineID;
-  if (!s.progress.machineID || [s.progress.machineID isEqual:@""]) {
+  s.syncState.machineID = config.machineID;
+  if ([s.syncState.machineID length] == 0) {
     LOGE(@"Missing Machine ID. Can't sync without it.");
     exit(1);
   }
 
-  s.progress.machineOwner = config.machineOwner;
-  if (!s.progress.machineOwner) {
-    s.progress.machineOwner = @"";
+  s.syncState.machineOwner = config.machineOwner;
+  if ([s.syncState.machineOwner length] == 0) {
+    s.syncState.machineOwner = @"";
     LOGW(@"Missing Machine Owner.");  
   }
 
@@ -142,12 +144,12 @@ REGISTER_COMMAND_NAME(@"sync");
 
 - (void)preflight {
   [SNTCommandSyncPreflight performSyncInSession:self.session
-                                       progress:self.progress
+                                      syncState:self.syncState
                                      daemonConn:self.daemonConn
                               completionHandler:^(BOOL success) {
       if (success) {
         LOGI(@"Preflight complete");
-        if (self.progress.uploadLogURL) {
+        if (self.syncState.uploadLogURL) {
           [self logUpload];
         } else {
           [self eventUpload];
@@ -161,22 +163,22 @@ REGISTER_COMMAND_NAME(@"sync");
 
 - (void)logUpload {
   [SNTCommandSyncLogUpload performSyncInSession:self.session
-                                       progress:self.progress
+                                      syncState:self.syncState
                                      daemonConn:self.daemonConn
                               completionHandler:^(BOOL success) {
       if (success) {
         LOGI(@"Log upload complete");
-        [self eventUpload];
       } else {
-        LOGE(@"Log upload failed, aborting run");
-        exit(1);
+        LOGE(@"Log upload failed, continuing anyway");
       }
+      [self eventUpload];
+
   }];
 }
 
 - (void)eventUpload {
   [SNTCommandSyncEventUpload performSyncInSession:self.session
-                                         progress:self.progress
+                                        syncState:self.syncState
                                        daemonConn:self.daemonConn
                                 completionHandler:^(BOOL success) {
       if (success) {
@@ -192,22 +194,22 @@ REGISTER_COMMAND_NAME(@"sync");
 - (void)eventUploadSingleEvent:(NSString *)sha256 {
   [SNTCommandSyncEventUpload uploadSingleEventWithSHA256:sha256
                                                  session:self.session
-                                                progress:self.progress
+                                               syncState:self.syncState
                                               daemonConn:self.daemonConn
                                        completionHandler:^(BOOL success) {
       if (success) {
-       LOGI(@"Event upload complete");
-       exit(0);
+        LOGI(@"Event upload complete");
+        exit(0);
       } else {
-       LOGW(@"Event upload failed");
-       exit(1);
+        LOGW(@"Event upload failed");
+        exit(1);
       }
   }];
 }
 
 - (void)ruleDownload {
   [SNTCommandSyncRuleDownload performSyncInSession:self.session
-                                          progress:self.progress
+                                         syncState:self.syncState
                                         daemonConn:self.daemonConn
                                  completionHandler:^(BOOL success) {
       if (success) {
@@ -222,7 +224,7 @@ REGISTER_COMMAND_NAME(@"sync");
 
 - (void)postflight {
   [SNTCommandSyncPostflight performSyncInSession:self.session
-                                        progress:self.progress
+                                       syncState:self.syncState
                                       daemonConn:self.daemonConn
                                completionHandler:^(BOOL success) {
       if (success) {

Source/santactl/sync/SNTCommandSyncConstants.h

@@ -0,0 +1,83 @@
+/// Copyright 2015 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+extern NSString * const kURLPreflight;
+extern NSString * const kURLEventUpload;
+extern NSString * const kURLRuleDownload;
+extern NSString * const kURLPostflight;
+
+extern NSString * const kSerialNumber;
+extern NSString * const kHostname;
+extern NSString * const kSantaVer;
+extern NSString * const kOSVer;
+extern NSString * const kOSBuild;
+extern NSString * const kPrimaryUser;
+extern NSString * const kRequestCleanSync;
+extern NSString * const kBatchSize;
+extern NSString * const kUploadLogsURL;
+extern NSString * const kClientMode;
+extern NSString * const kClientModeMonitor;
+extern NSString * const kClientModeLockdown;
+extern NSString * const kCleanSync;
+extern NSString * const kWhitelistRegex;
+
+extern NSString * const kEvents;
+extern NSString * const kFileSHA256;
+extern NSString * const kFilePath;
+extern NSString * const kFileName;
+extern NSString * const kExecutingUser;
+extern NSString * const kExecutionTime;
+extern NSString * const kDecision;
+extern NSString * const kDecisionAllowUnknown;
+extern NSString * const kDecisionAllowBinary;
+extern NSString * const kDecisionAllowCertificate;
+extern NSString * const kDecisionAllowScope;
+extern NSString * const kDecisionBlockUnknown;
+extern NSString * const kDecisionBlockBinary;
+extern NSString * const kDecisionBlockCertificate;
+extern NSString * const kDecisionBlockScope;
+extern NSString * const kDecisionUnknown;
+extern NSString * const kLoggedInUsers;
+extern NSString * const kCurrentSessions;
+extern NSString * const kFileBundleID;
+extern NSString * const kFileBundleName;
+extern NSString * const kFileBundleVersion;
+extern NSString * const kFileBundleShortVersionString;
+extern NSString * const kPID;
+extern NSString * const kPPID;
+extern NSString * const kParentName;
+extern NSString * const kSigningChain;
+extern NSString * const kCertSHA256;
+extern NSString * const kCertCN;
+extern NSString * const kCertOrg;
+extern NSString * const kCertOU;
+extern NSString * const kCertValidFrom;
+extern NSString * const kCertValidUntil;
+
+extern NSString * const kLogUploadField;
+
+extern NSString * const kRules;
+extern NSString * const kRuleSHA256;
+extern NSString * const kRulePolicy;
+extern NSString * const kRulePolicyWhitelist;
+extern NSString * const kRulePolicyBlacklist;
+extern NSString * const kRulePolicySilentBlacklist;
+extern NSString * const kRulePolicyRemove;
+extern NSString * const kRuleType;
+extern NSString * const kRuleTypeBinary;
+extern NSString * const kRuleTypeCertificate;
+extern NSString * const kRuleCustomMsg;
+extern NSString * const kCursor;
+
+extern NSString * const kBackoffInterval;

Source/santactl/sync/SNTCommandSyncConstants.m

@@ -0,0 +1,85 @@
+/// Copyright 2015 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTCommandSyncConstants.h"
+
+NSString * const kURLPreflight = @"preflight/";
+NSString * const kURLEventUpload = @"eventupload/";
+NSString * const kURLRuleDownload = @"ruledownload/";
+NSString * const kURLPostflight = @"postflight/";
+
+NSString * const kSerialNumber = @"serial_num";
+NSString * const kHostname = @"hostname";
+NSString * const kSantaVer = @"santa_version";
+NSString * const kOSVer = @"os_version";
+NSString * const kOSBuild = @"os_build";
+NSString * const kPrimaryUser = @"primary_user";
+NSString * const kRequestCleanSync = @"request_clean_sync";
+NSString * const kBatchSize = @"batch_size";
+NSString * const kUploadLogsURL = @"upload_logs_url";
+NSString * const kClientMode = @"client_mode";
+NSString * const kClientModeMonitor = @"MONITOR";
+NSString * const kClientModeLockdown = @"LOCKDOWN";
+NSString * const kCleanSync = @"clean_sync";
+NSString * const kWhitelistRegex = @"whitelist_regex";
+
+NSString * const kEvents = @"events";
+NSString * const kFileSHA256 = @"file_sha256";
+NSString * const kFilePath = @"file_path";
+NSString * const kFileName = @"file_name";
+NSString * const kExecutingUser = @"executing_user";
+NSString * const kExecutionTime = @"execution_time";
+NSString * const kDecision = @"decision";
+NSString * const kDecisionAllowUnknown = @"ALLOW_UNKNOWN";
+NSString * const kDecisionAllowBinary = @"ALLOW_BINARY";
+NSString * const kDecisionAllowCertificate = @"ALLOW_CERTIFICATE";
+NSString * const kDecisionAllowScope = @"ALLOW_SCOPE";
+NSString * const kDecisionBlockUnknown = @"BLOCK_UNKNOWN";
+NSString * const kDecisionBlockBinary = @"BLOCK_BINARY";
+NSString * const kDecisionBlockCertificate = @"BLOCK_CERTIFICATE";
+NSString * const kDecisionBlockScope = @"BLOCK_SCOPE";
+NSString * const kDecisionUnknown = @"UNKNOWN";
+NSString * const kLoggedInUsers = @"logged_in_users";
+NSString * const kCurrentSessions = @"current_sessions";
+NSString * const kFileBundleID = @"file_bundle_id";
+NSString * const kFileBundleName = @"file_bundle_name";
+NSString * const kFileBundleVersion = @"file_bundle_version";
+NSString * const kFileBundleShortVersionString = @"file_bundle_version_string";
+NSString * const kPID = @"pid";
+NSString * const kPPID = @"ppid";
+NSString * const kParentName = @"parent_name";
+NSString * const kSigningChain = @"signing_chain";
+NSString * const kCertSHA256 = @"sha256";
+NSString * const kCertCN = @"cn";
+NSString * const kCertOrg = @"org";
+NSString * const kCertOU = @"ou";
+NSString * const kCertValidFrom = @"valid_from";
+NSString * const kCertValidUntil = @"valid_until";
+
+NSString * const kLogUploadField = @"files";
+
+NSString * const kRules = @"rules";
+NSString * const kRuleSHA256 = @"sha256";
+NSString * const kRulePolicy = @"policy";
+NSString * const kRulePolicyWhitelist = @"WHITELIST";
+NSString * const kRulePolicyBlacklist = @"BLACKLIST";
+NSString * const kRulePolicySilentBlacklist = @"SILENT_BLACKLIST";
+NSString * const kRulePolicyRemove = @"REMOVE";
+NSString * const kRuleType = @"rule_type";
+NSString * const kRuleTypeBinary = @"BINARY";
+NSString * const kRuleTypeCertificate = @"CERTIFICATE";
+NSString * const kRuleCustomMsg = @"custom_msg";
+NSString * const kCursor = @"cursor";
+
+NSString * const kBackoffInterval = @"backoff";

Source/santactl/sync/SNTCommandSyncEventUpload.h

@@ -12,19 +12,19 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-@class SNTCommandSyncStatus;
+@class SNTCommandSyncState;
 @class SNTXPCConnection;
 
 @interface SNTCommandSyncEventUpload : NSObject
 
 + (void)performSyncInSession:(NSURLSession *)session
-                    progress:(SNTCommandSyncStatus *)progress
+                   syncState:(SNTCommandSyncState *)syncState
                   daemonConn:(SNTXPCConnection *)daemonConn
            completionHandler:(void (^)(BOOL success))handler;
 
 + (void)uploadSingleEventWithSHA256:(NSString *)SHA256
                             session:(NSURLSession *)session
-                           progress:(SNTCommandSyncStatus *)progress
+                          syncState:(SNTCommandSyncState *)syncState
                          daemonConn:(SNTXPCConnection *)daemonConn
                   completionHandler:(void (^)(BOOL success))handler;
 

Source/santactl/sync/SNTCommandSyncEventUpload.m

@@ -17,7 +17,8 @@
 #include "SNTLogging.h"
 
 #import "SNTCertificate.h"
-#import "SNTCommandSyncStatus.h"
+#import "SNTCommandSyncConstants.h"
+#import "SNTCommandSyncState.h"
 #import "SNTStoredEvent.h"
 #import "SNTXPCConnection.h"
 #import "SNTXPCControlInterface.h"
@@ -25,11 +26,11 @@
 @implementation SNTCommandSyncEventUpload
 
 + (void)performSyncInSession:(NSURLSession *)session
-                    progress:(SNTCommandSyncStatus *)progress
+                   syncState:(SNTCommandSyncState *)syncState
                   daemonConn:(SNTXPCConnection *)daemonConn
            completionHandler:(void (^)(BOOL success))handler {
-  NSURL *url = [NSURL URLWithString:[@"eventupload/" stringByAppendingString:progress.machineID]
-                      relativeToURL:progress.syncBaseURL];
+  NSURL *url = [NSURL URLWithString:[kURLEventUpload stringByAppendingString:syncState.machineID]
+                      relativeToURL:syncState.syncBaseURL];
 
   [[daemonConn remoteObjectProxy] databaseEventsPending:^(NSArray *events) {
       if ([events count] == 0) {
@@ -38,7 +39,7 @@
         [self uploadEventsFromArray:events
                               toURL:url
                           inSession:session
-                          batchSize:progress.eventBatchSize
+                          batchSize:syncState.eventBatchSize
                          daemonConn:daemonConn
                   completionHandler:handler];
       }
@@ -47,12 +48,12 @@
 
 + (void)uploadSingleEventWithSHA256:(NSString *)SHA256
                             session:(NSURLSession *)session
-                           progress:(SNTCommandSyncStatus *)progress
+                          syncState:(SNTCommandSyncState *)syncState
                          daemonConn:(SNTXPCConnection *)daemonConn
                   completionHandler:(void (^)(BOOL success))handler {
-  NSURL *url = [NSURL URLWithString:[@"eventupload/" stringByAppendingString:progress.machineID]
-                      relativeToURL:progress.syncBaseURL];
-  [[daemonConn remoteObjectProxy] databaseEventForSHA256:SHA256 withReply:^(SNTStoredEvent *event) {
+  NSURL *url = [NSURL URLWithString:[kURLEventUpload stringByAppendingString:syncState.machineID]
+                      relativeToURL:syncState.syncBaseURL];
+  [[daemonConn remoteObjectProxy] databaseEventForSHA256:SHA256 reply:^(SNTStoredEvent *event) {
       if (!event) {
         handler(YES);
         return;
@@ -70,7 +71,7 @@
 + (void)uploadEventsFromArray:(NSArray *)events
                         toURL:(NSURL *)url
                     inSession:(NSURLSession *)session
-                    batchSize:(int32_t)batchSize
+                    batchSize:(NSUInteger)batchSize
                    daemonConn:(SNTXPCConnection *)daemonConn
             completionHandler:(void (^)(BOOL success))handler {
   NSMutableArray *uploadEvents = [[NSMutableArray alloc] init];
@@ -83,7 +84,7 @@
     if (eventIds.count >= batchSize) break;
   }
 
-  NSDictionary *uploadReq = @{ @"events": uploadEvents };
+  NSDictionary *uploadReq = @{ kEvents: uploadEvents };
 
   NSData *requestBody;
   @try {
@@ -101,11 +102,14 @@
   [[session dataTaskWithRequest:req completionHandler:^(NSData *data,
                                                         NSURLResponse *response,
                                                         NSError *error) {
-      if ([(NSHTTPURLResponse *)response statusCode] != 200) {
-        LOGD(@"HTTP Response Code: %d", [(NSHTTPURLResponse *)response statusCode]);
+      long statusCode = [(NSHTTPURLResponse *)response statusCode];
+      if (statusCode != 200) {
+          LOGE(@"HTTP Response: %ld %@",
+               statusCode,
+               [[NSHTTPURLResponse localizedStringForStatusCode:statusCode] capitalizedString]);
         handler(NO);
       } else {
-        LOGI(@"Uploaded %d events", eventIds.count);
+        LOGI(@"Uploaded %lu events", eventIds.count);
 
         [[daemonConn remoteObjectProxy] databaseRemoveEventsWithIDs:eventIds];
 
@@ -129,38 +133,54 @@
 #define ADDKEY(dict, key, value) if (value) dict[key] = value
   NSMutableDictionary *newEvent = [NSMutableDictionary dictionary];
 
-  ADDKEY(newEvent, @"file_sha256", event.fileSHA256);
-  ADDKEY(newEvent, @"file_path", [event.filePath stringByDeletingLastPathComponent]);
-  ADDKEY(newEvent, @"file_name", [event.filePath lastPathComponent]);
-  ADDKEY(newEvent, @"executing_user", event.executingUser);
-  ADDKEY(newEvent, @"execution_time", @([event.occurrenceDate timeIntervalSince1970]));
-  ADDKEY(newEvent, @"decision", @(event.decision));
-  ADDKEY(newEvent, @"logged_in_users", event.loggedInUsers);
-  ADDKEY(newEvent, @"current_sessions", event.currentSessions);
+  ADDKEY(newEvent, kFileSHA256, event.fileSHA256);
+  ADDKEY(newEvent, kFilePath, [event.filePath stringByDeletingLastPathComponent]);
+  ADDKEY(newEvent, kFileName, [event.filePath lastPathComponent]);
+  ADDKEY(newEvent, kExecutingUser, event.executingUser);
+  ADDKEY(newEvent, kExecutionTime, @([event.occurrenceDate timeIntervalSince1970]));
+  ADDKEY(newEvent, kLoggedInUsers, event.loggedInUsers);
+  ADDKEY(newEvent, kCurrentSessions, event.currentSessions);
 
-  ADDKEY(newEvent, @"file_bundle_id", event.fileBundleID);
-  ADDKEY(newEvent, @"file_bundle_name", event.fileBundleName);
-  ADDKEY(newEvent, @"file_bundle_version", event.fileBundleVersion);
-  ADDKEY(newEvent, @"file_bundle_version_string", event.fileBundleVersionString);
+  switch (event.decision) {
+    case EVENTSTATE_ALLOW_UNKNOWN: ADDKEY(newEvent, kDecision, kDecisionAllowUnknown); break;
+    case EVENTSTATE_ALLOW_BINARY: ADDKEY(newEvent, kDecision, kDecisionAllowBinary); break;
+    case EVENTSTATE_ALLOW_CERTIFICATE:
+      ADDKEY(newEvent, kDecision, kDecisionAllowCertificate);
+      break;
+    case EVENTSTATE_ALLOW_SCOPE: ADDKEY(newEvent, kDecision, kDecisionAllowScope); break;
+    case EVENTSTATE_BLOCK_UNKNOWN: ADDKEY(newEvent, kDecision, kDecisionBlockUnknown); break;
+    case EVENTSTATE_BLOCK_BINARY: ADDKEY(newEvent, kDecision, kDecisionBlockBinary); break;
+    case EVENTSTATE_BLOCK_CERTIFICATE:
+      ADDKEY(newEvent, kDecision, kDecisionBlockCertificate);
+      break;
+    case EVENTSTATE_BLOCK_SCOPE: ADDKEY(newEvent, kDecision, kDecisionBlockScope); break;
+    default: ADDKEY(newEvent, kDecision, kDecisionUnknown);
+  }
 
-  ADDKEY(newEvent, @"pid", event.pid);
-  ADDKEY(newEvent, @"ppid", event.ppid);
+  ADDKEY(newEvent, kFileBundleID, event.fileBundleID);
+  ADDKEY(newEvent, kFileBundleName, event.fileBundleName);
+  ADDKEY(newEvent, kFileBundleVersion, event.fileBundleVersion);
+  ADDKEY(newEvent, kFileBundleShortVersionString, event.fileBundleVersionString);
+
+  ADDKEY(newEvent, kPID, event.pid);
+  ADDKEY(newEvent, kPPID, event.ppid);
+  ADDKEY(newEvent, kParentName, event.parentName);
 
   NSMutableArray *signingChain = [NSMutableArray arrayWithCapacity:event.signingChain.count];
-  for (int i = 0; i < event.signingChain.count; i++) {
+  for (NSUInteger i = 0; i < event.signingChain.count; i++) {
     SNTCertificate *cert = [event.signingChain objectAtIndex:i];
 
     NSMutableDictionary *certDict = [NSMutableDictionary dictionary];
-    ADDKEY(certDict, @"sha256", cert.SHA256);
-    ADDKEY(certDict, @"cn", cert.commonName);
-    ADDKEY(certDict, @"org", cert.orgName);
-    ADDKEY(certDict, @"ou", cert.orgUnit);
-    ADDKEY(certDict, @"valid_from", @([cert.validFrom timeIntervalSince1970]));
-    ADDKEY(certDict, @"valid_until", @([cert.validUntil timeIntervalSince1970]));
+    ADDKEY(certDict, kCertSHA256, cert.SHA256);
+    ADDKEY(certDict, kCertCN, cert.commonName);
+    ADDKEY(certDict, kCertOrg, cert.orgName);
+    ADDKEY(certDict, kCertOU, cert.orgUnit);
+    ADDKEY(certDict, kCertValidFrom, @([cert.validFrom timeIntervalSince1970]));
+    ADDKEY(certDict, kCertValidUntil, @([cert.validUntil timeIntervalSince1970]));
 
     [signingChain addObject:certDict];
   }
-  newEvent[@"signing_chain"] = signingChain;
+  newEvent[kSigningChain] = signingChain;
 
   return newEvent;
 #undef ADDKEY

Source/santactl/sync/SNTCommandSyncLogUpload.h

@@ -12,13 +12,13 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-@class SNTCommandSyncStatus;
+@class SNTCommandSyncState;
 @class SNTXPCConnection;
 
 @interface SNTCommandSyncLogUpload : NSObject
 
 + (void)performSyncInSession:(NSURLSession *)session
-                    progress:(SNTCommandSyncStatus *)progress
+                   syncState:(SNTCommandSyncState *)syncState
                   daemonConn:(SNTXPCConnection *)daemonConn
            completionHandler:(void (^)(BOOL success))handler;
 

Source/santactl/sync/SNTCommandSyncLogUpload.m

@@ -19,15 +19,16 @@
 #include "SNTCommonEnums.h"
 #include "SNTLogging.h"
 
-#import "SNTCommandSyncStatus.h"
+#import "SNTCommandSyncConstants.h"
+#import "SNTCommandSyncState.h"
 
 @implementation SNTCommandSyncLogUpload
 
 + (void)performSyncInSession:(NSURLSession *)session
-                    progress:(SNTCommandSyncStatus *)progress
+                   syncState:(SNTCommandSyncState *)syncState
                   daemonConn:(SNTXPCConnection *)daemonConn
            completionHandler:(void (^)(BOOL success))handler {
-  NSURL *url = progress.uploadLogURL;
+  NSURL *url = syncState.uploadLogURL;
   NSMutableURLRequest *req = [[NSMutableURLRequest alloc] initWithURL:url];
   [req setHTTPMethod:@"POST"];
   NSString *boundary = @"----santa-sync-upload-boundary";
@@ -36,38 +37,46 @@
       [NSString stringWithFormat:@"multipart/form-data; charset=UTF-8; boundary=%@", boundary];
   [req setValue:contentType forHTTPHeaderField:@"Content-Type"];
 
+  NSArray *logsToUpload = [self logsToUpload];
+
+  // Upload the logs
+  [[session uploadTaskWithRequest:req
+                         fromData:[self requestBodyWithLogs:logsToUpload andBoundary:boundary]
+                completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
+      long statusCode = [(NSHTTPURLResponse *)response statusCode];
+      if (statusCode != 200) {
+        LOGE(@"HTTP Response: %ld %@",
+             statusCode,
+             [[NSHTTPURLResponse localizedStringForStatusCode:statusCode] capitalizedString]);
+        handler(NO);
+      } else {
+        LOGI(@"Uploaded %lu logs", [logsToUpload count]);
+        handler(YES);
+      }
+  }] resume];
+}
+
++ (NSData *)requestBodyWithLogs:(NSArray *)logsToUpload andBoundary:(NSString *)boundary {
   // Prepare the body of the request, encoded as a multipart/form-data.
   // Along the way, gzip the individual log files and append .gz to their filenames.
   NSMutableData *reqBody = [[NSMutableData alloc] init];
-  NSArray *logsToUpload = [SNTCommandSyncLogUpload logsToUpload];
   for (NSString *log in logsToUpload) {
     [reqBody appendData:
         [[NSString stringWithFormat:@"--%@\r\n", boundary] dataUsingEncoding:NSUTF8StringEncoding]];
     [reqBody appendData:
         [[NSString stringWithFormat:@"Content-Disposition: form-data; "
-            @"name=\"files\"; "
-            @"filename=\"%@.gz\"\r\n", [log lastPathComponent]]
-         dataUsingEncoding:NSUTF8StringEncoding]];
+            @"name=\"%@\"; "
+            @"filename=\"%@.gz\"\r\n", kLogUploadField, [log lastPathComponent]]
+      dataUsingEncoding:NSUTF8StringEncoding]];
     [reqBody appendData:
         [@"Content-Type: application/x-gzip\r\n\r\n" dataUsingEncoding:NSUTF8StringEncoding]];
     [reqBody appendData:[[NSData dataWithContentsOfFile:log] gzipCompressed]];
     [reqBody appendData:[@"\r\n" dataUsingEncoding:NSUTF8StringEncoding]];
   }
   [reqBody appendData:
-     [[NSString stringWithFormat:@"--%@--\r\n", boundary] dataUsingEncoding:NSUTF8StringEncoding]];
+      [[NSString stringWithFormat:@"--%@--\r\n", boundary] dataUsingEncoding:NSUTF8StringEncoding]];
 
-  // Upload the logs
-  [[session uploadTaskWithRequest:req
-                         fromData:reqBody
-                completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
-      if ([(NSHTTPURLResponse *)response statusCode] != 200) {
-        LOGD(@"HTTP Response Code: %d", [(NSHTTPURLResponse *)response statusCode]);
-        handler(NO);
-      } else {
-        LOGI(@"Uploaded %d logs", [logsToUpload count]);
-        handler(YES);
-      }
-  }] resume];
+  return reqBody;
 }
 
 + (NSArray *)logsToUpload {

Source/santactl/sync/SNTCommandSyncPostflight.h

@@ -12,13 +12,13 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-@class SNTCommandSyncStatus;
+@class SNTCommandSyncState;
 @class SNTXPCConnection;
 
 @interface SNTCommandSyncPostflight : NSObject
 
 + (void)performSyncInSession:(NSURLSession *)session
-                    progress:(SNTCommandSyncStatus *)progress
+                   syncState:(SNTCommandSyncState *)syncState
                   daemonConn:(SNTXPCConnection *)daemonConn
            completionHandler:(void (^)(BOOL success))handler;
 

Source/santactl/sync/SNTCommandSyncPostflight.m

@@ -16,26 +16,39 @@
 
 #include "SNTLogging.h"
 
-#import "SNTCommandSyncStatus.h"
+#import "SNTCommandSyncConstants.h"
+#import "SNTCommandSyncState.h"
+#import "SNTXPCConnection.h"
+#import "SNTXPCControlInterface.h"
 
 @implementation SNTCommandSyncPostflight
 
 + (void)performSyncInSession:(NSURLSession *)session
-                    progress:(SNTCommandSyncStatus *)progress
+                   syncState:(SNTCommandSyncState *)syncState
                   daemonConn:(SNTXPCConnection *)daemonConn
            completionHandler:(void (^)(BOOL success))handler {
-  NSURL *url = [NSURL URLWithString:[@"postflight/" stringByAppendingString:progress.machineID]
-                      relativeToURL:progress.syncBaseURL];
+  NSURL *url = [NSURL URLWithString:[kURLPostflight stringByAppendingString:syncState.machineID]
+                      relativeToURL:syncState.syncBaseURL];
   NSMutableURLRequest *req = [[NSMutableURLRequest alloc] initWithURL:url];
   [req setHTTPMethod:@"POST"];
 
   [[session dataTaskWithRequest:req completionHandler:^(NSData *data,
                                                         NSURLResponse *response,
                                                         NSError *error) {
-    if ([(NSHTTPURLResponse *)response statusCode] != 200) {
-      LOGD(@"HTTP Response Code: %d", [(NSHTTPURLResponse *)response statusCode]);
+    long statusCode = [(NSHTTPURLResponse *)response statusCode];
+    if (statusCode != 200) {
+      LOGE(@"HTTP Response: %ld %@",
+           statusCode,
+           [[NSHTTPURLResponse localizedStringForStatusCode:statusCode] capitalizedString]);
       handler(NO);
     } else {
+      NSDictionary *r = [NSJSONSerialization JSONObjectWithData:data options:0 error:nil];
+
+      NSString *backoffInterval = r[kBackoffInterval];
+      if (backoffInterval) {
+        [[daemonConn remoteObjectProxy] setNextSyncInterval:[backoffInterval intValue] reply:^{}];
+      }
+
       handler(YES);
     }
   }] resume];

Source/santactl/sync/SNTCommandSyncPreflight.h

@@ -12,13 +12,13 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-@class SNTCommandSyncStatus;
+@class SNTCommandSyncState;
 @class SNTXPCConnection;
 
 @interface SNTCommandSyncPreflight : NSObject
 
 + (void)performSyncInSession:(NSURLSession *)session
-                    progress:(SNTCommandSyncStatus *)progress
+                   syncState:(SNTCommandSyncState *)syncState
                   daemonConn:(SNTXPCConnection *)daemonConn
            completionHandler:(void (^)(BOOL success))handler;
 

Source/santactl/sync/SNTCommandSyncPreflight.m

@@ -17,7 +17,8 @@
 #include "SNTKernelCommon.h"
 #include "SNTLogging.h"
 
-#import "SNTCommandSyncStatus.h"
+#import "SNTCommandSyncConstants.h"
+#import "SNTCommandSyncState.h"
 #import "SNTSystemInfo.h"
 #import "SNTXPCConnection.h"
 #import "SNTXPCControlInterface.h"
@@ -25,20 +26,23 @@
 @implementation SNTCommandSyncPreflight
 
 + (void)performSyncInSession:(NSURLSession *)session
-                    progress:(SNTCommandSyncStatus *)progress
+                   syncState:(SNTCommandSyncState *)syncState
                   daemonConn:(SNTXPCConnection *)daemonConn
            completionHandler:(void (^)(BOOL success))handler {
-  NSURL *url = [NSURL URLWithString:[@"preflight/" stringByAppendingString:progress.machineID]
-                      relativeToURL:progress.syncBaseURL];
+  NSURL *url = [NSURL URLWithString:[kURLPreflight stringByAppendingString:syncState.machineID]
+                      relativeToURL:syncState.syncBaseURL];
 
   NSMutableDictionary *requestDict = [NSMutableDictionary dictionary];
-  requestDict[@"serial_no"] = [SNTSystemInfo serialNumber];
-  requestDict[@"hostname"] = [SNTSystemInfo shortHostname];
-  requestDict[@"santa_version"] =
-      [[NSBundle mainBundle] objectForInfoDictionaryKey:@"CFBundleVersion"];
-  requestDict[@"os_version"] = [SNTSystemInfo osVersion];
-  requestDict[@"os_build"] = [SNTSystemInfo osBuild];
-  requestDict[@"primary_user"] = progress.machineOwner;
+  requestDict[kSerialNumber] = [SNTSystemInfo serialNumber];
+  requestDict[kHostname] = [SNTSystemInfo shortHostname];
+  requestDict[kSantaVer] = [[NSBundle mainBundle] objectForInfoDictionaryKey:@"CFBundleVersion"];
+  requestDict[kOSVer] = [SNTSystemInfo osVersion];
+  requestDict[kOSBuild] = [SNTSystemInfo osBuild];
+  requestDict[kPrimaryUser] = syncState.machineOwner;
+
+  if ([[[NSProcessInfo processInfo] arguments] containsObject:@"--clean"]) {
+    requestDict[kRequestCleanSync] = @YES;
+  }
 
   NSData *requestBody = [NSJSONSerialization dataWithJSONObject:requestDict
                                                         options:0
@@ -53,17 +57,28 @@
                                                         NSError *error) {
       long statusCode = [(NSHTTPURLResponse *)response statusCode];
       if (statusCode != 200) {
-        LOGD(@"HTTP Response: %@",
+        LOGE(@"HTTP Response: %ld %@",
+             statusCode,
              [[NSHTTPURLResponse localizedStringForStatusCode:statusCode] capitalizedString]);
         handler(NO);
       } else {
         NSDictionary *r = [NSJSONSerialization JSONObjectWithData:data options:0 error:nil];
 
-        progress.eventBatchSize = [r[@"batch_size"] intValue];
-        progress.uploadLogURL = [NSURL URLWithString:r[@"upload_logs_url"]];
+        syncState.eventBatchSize = [r[kBatchSize] intValue];
+        syncState.uploadLogURL = [NSURL URLWithString:r[kUploadLogsURL]];
 
-        if (r[@"client_mode"]) {
-          [[daemonConn remoteObjectProxy] setClientMode:[r[@"client_mode"] intValue] withReply:^{}];
+        if ([r[kClientMode] isEqual:kClientModeMonitor]) {
+            [[daemonConn remoteObjectProxy] setClientMode:CLIENTMODE_MONITOR reply:^{}];
+        } else if ([r[kClientMode] isEqual:kClientModeLockdown]) {
+            [[daemonConn remoteObjectProxy] setClientMode:CLIENTMODE_LOCKDOWN reply:^{}];
+        }
+
+        if ([r[kWhitelistRegex] isKindOfClass:[NSString class]]) {
+          [[daemonConn remoteObjectProxy] setWhitelistPathRegex:r[kWhitelistRegex] reply:^{}];
+        }
+
+        if ([r[kCleanSync] boolValue]) {
+          syncState.cleanSync = YES;
         }
 
         handler(YES);

Source/santactl/sync/SNTCommandSyncRuleDownload.h

@@ -12,13 +12,13 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-@class SNTCommandSyncStatus;
+@class SNTCommandSyncState;
 @class SNTXPCConnection;
 
 @interface SNTCommandSyncRuleDownload : NSObject
 
 + (void)performSyncInSession:(NSURLSession *)session
-                    progress:(SNTCommandSyncStatus *)progress
+                   syncState:(SNTCommandSyncState *)syncState
                   daemonConn:(SNTXPCConnection *)daemonConn
            completionHandler:(void (^)(BOOL success))handler;
 

Source/santactl/sync/SNTCommandSyncRuleDownload.m

@@ -14,7 +14,8 @@
 
 #import "SNTCommandSyncRuleDownload.h"
 
-#import "SNTCommandSyncStatus.h"
+#import "SNTCommandSyncConstants.h"
+#import "SNTCommandSyncState.h"
 #import "SNTRule.h"
 #import "SNTXPCConnection.h"
 #import "SNTXPCControlInterface.h"
@@ -24,15 +25,15 @@
 @implementation SNTCommandSyncRuleDownload
 
 + (void)performSyncInSession:(NSURLSession *)session
-                    progress:(SNTCommandSyncStatus *)progress
+                   syncState:(SNTCommandSyncState *)syncState
                   daemonConn:(SNTXPCConnection *)daemonConn
            completionHandler:(void (^)(BOOL success))handler {
-  NSURL *url = [NSURL URLWithString:[@"ruledownload/" stringByAppendingString:progress.machineID]
-                      relativeToURL:progress.syncBaseURL];
+  NSURL *url = [NSURL URLWithString:[kURLRuleDownload stringByAppendingString:syncState.machineID]
+                      relativeToURL:syncState.syncBaseURL];
   [self ruleDownloadWithCursor:nil
                            url:url
                        session:session
-                      progress:progress
+                     syncState:syncState
                     daemonConn:daemonConn
              completionHandler:handler];
 }
@@ -40,14 +41,14 @@
 + (void)ruleDownloadWithCursor:(NSString *)cursor
                            url:(NSURL *)url
                        session:(NSURLSession *)session
-                      progress:(SNTCommandSyncStatus *)progress
+                     syncState:(SNTCommandSyncState *)syncState
                     daemonConn:(SNTXPCConnection *)daemonConn
              completionHandler:(void (^)(BOOL success))handler {
 
-  NSDictionary *requestDict = (cursor ? @{ @"cursor": cursor } : @{});
+  NSDictionary *requestDict = (cursor ? @{ kCursor: cursor } : @{});
 
-  if (!progress.downloadedRules) {
-    progress.downloadedRules = [NSMutableArray array];
+  if (!syncState.downloadedRules) {
+    syncState.downloadedRules = [NSMutableArray array];
   }
 
   NSMutableURLRequest *req = [[NSMutableURLRequest alloc] initWithURL:url];
@@ -59,8 +60,11 @@
   [[session dataTaskWithRequest:req completionHandler:^(NSData *data,
                                                         NSURLResponse *response,
                                                         NSError *error) {
-      if ([(NSHTTPURLResponse *)response statusCode] != 200) {
-        LOGD(@"HTTP Response Code: %d", [(NSHTTPURLResponse *)response statusCode]);
+      long statusCode = [(NSHTTPURLResponse *)response statusCode];
+      if (statusCode != 200) {
+        LOGE(@"HTTP Response: %ld %@",
+             statusCode,
+             [[NSHTTPURLResponse localizedStringForStatusCode:statusCode] capitalizedString]);
         handler(NO);
       } else {
         NSDictionary *resp = [NSJSONSerialization JSONObjectWithData:data options:0 error:nil];
@@ -69,58 +73,69 @@
           handler(NO);
         }
 
-        NSArray *receivedRules = resp[@"rules"];
+        NSArray *receivedRules = resp[kRules];
         for (NSDictionary *rule in receivedRules) {
-          if (![rule isKindOfClass:[NSDictionary class]]) continue;
-
-          SNTRule *newRule = [[SNTRule alloc] init];
-          newRule.shasum = rule[@"sha256"];
-
-          if ([rule[@"policy"] isEqual:@"WHITELIST"]) {
-            newRule.state = RULESTATE_WHITELIST;
-          } else if ([rule[@"policy"] isEqual:@"BLACKLIST"]) {
-            newRule.state = RULESTATE_BLACKLIST;
-          } else if ([rule[@"policy"] isEqual:@"SILENT_BLACKLIST"]) {
-            newRule.state = RULESTATE_SILENT_BLACKLIST;
-          } else if ([rule[@"policy"] isEqual:@"REMOVE"]) {
-            newRule.state = RULESTATE_REMOVE;
-          } else {
-            continue;
-          }
-
-          if ([rule[@"rule_type"] isEqual:@"BINARY"]) {
-            newRule.type = RULETYPE_BINARY;
-          } else if ([rule[@"rule_type"] isEqual:@"CERTIFICATE"]) {
-            newRule.type = RULETYPE_CERT;
-          } else {
-            continue;
-          }
-
-          NSString *customMsg = rule[@"custom_msg"];
-          if (customMsg) {
-            newRule.customMsg = customMsg;
-          }
-
-          [progress.downloadedRules addObject:newRule];
+          SNTRule *r = [self ruleFromDictionary:rule];
+          if (r) [syncState.downloadedRules addObject:r];
         }
 
-        if (resp[@"cursor"]) {
-          [self ruleDownloadWithCursor:resp[@"cursor"]
+        if (resp[kCursor]) {
+          [self ruleDownloadWithCursor:resp[kCursor]
                                    url:url
                                session:session
-                              progress:progress
+                             syncState:syncState
                             daemonConn:daemonConn
                      completionHandler:handler];
         } else {
-          [[daemonConn remoteObjectProxy] databaseRuleAddRules:progress.downloadedRules withReply:^{
-              if (progress.downloadedRules.count) {
-                LOGI(@"Added %d rule(s)", progress.downloadedRules.count);
-              }
-              handler(YES);
-          }];
+          if (syncState.downloadedRules.count) {
+            [[daemonConn remoteObjectProxy] databaseRuleAddRules:syncState.downloadedRules
+                                                      cleanSlate:syncState.cleanSync
+                                                           reply:^{
+                LOGI(@"Added %lu rule(s)", syncState.downloadedRules.count);
+                handler(YES);
+            }];
+          } else {
+            handler(YES);
+          }
         }
       }
   }] resume];
 }
 
++ (SNTRule *)ruleFromDictionary:(NSDictionary *)dict {
+  if (![dict isKindOfClass:[NSDictionary class]]) return nil;
+
+  SNTRule *newRule = [[SNTRule alloc] init];
+  newRule.shasum = dict[kRuleSHA256];
+
+  NSString *policyString = dict[kRulePolicy];
+  if ([policyString isEqual:kRulePolicyWhitelist]) {
+    newRule.state = RULESTATE_WHITELIST;
+  } else if ([policyString isEqual:kRulePolicyBlacklist]) {
+    newRule.state = RULESTATE_BLACKLIST;
+  } else if ([policyString isEqual:kRulePolicySilentBlacklist]) {
+    newRule.state = RULESTATE_SILENT_BLACKLIST;
+  } else if ([policyString isEqual:kRulePolicyRemove]) {
+    newRule.state = RULESTATE_REMOVE;
+  } else {
+    return nil;
+  }
+
+  NSString *ruleTypeString = dict[kRuleType];
+  if ([ruleTypeString isEqual:kRuleTypeBinary]) {
+    newRule.type = RULETYPE_BINARY;
+  } else if ([ruleTypeString isEqual:kRuleTypeCertificate]) {
+    newRule.type = RULETYPE_CERT;
+  } else {
+    return nil;
+  }
+
+  NSString *customMsg = dict[kRuleCustomMsg];
+  if (customMsg) {
+    newRule.customMsg = customMsg;
+  }
+
+  return newRule;
+}
+
 @end

Source/santactl/sync/SNTCommandSyncState.h

@@ -14,14 +14,18 @@
 
 /// An instance of this class is passed to each stage of the sync process for storing data
 /// that might be needed in later stages.
-@interface SNTCommandSyncStatus : NSObject
+@interface SNTCommandSyncState : NSObject
 
 /// The base API URL
 @property NSURL *syncBaseURL;
 
 /// Machine identifier and owner
-@property NSString *machineID;
-@property NSString *machineOwner;
+@property(copy) NSString *machineID;
+@property(copy) NSString *machineOwner;
+
+/// Clean sync flag, sent from server. If True, all existing rules
+/// should be deleted before inserting any new rules.
+@property BOOL cleanSync;
 
 /// Batch size for uploading events, sent from server
 @property int32_t eventBatchSize;

Source/santactl/sync/SNTCommandSyncState.m

@@ -12,7 +12,7 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTCommandSyncStatus.h"
+#import "SNTCommandSyncState.h"
 
-@implementation SNTCommandSyncStatus
+@implementation SNTCommandSyncState
 @end

Source/santactl/sync/SNTDERDecoder.m

@@ -134,8 +134,10 @@
                       data.length,
                       kSequenceOfSetOfOIDValueTemplate,
                       &a);
-  SecAsn1CoderRelease(coder);
-  if (err != errSecSuccess) return nil;
+  if (err != errSecSuccess) {
+    SecAsn1CoderRelease(coder);
+    return nil;
+  }
 
   // The data is decoded but now it's in a number of embedded structs.
   // Massage that into a nice dictionary of OID->String pairs.
@@ -145,7 +147,10 @@
     OIDKeyValue *keyValue = anAttr->vals[0];
 
     // Sanity check
-    if (keyValue->value.Length > data.length) return nil;
+    if (keyValue->value.Length > data.length) {
+      SecAsn1CoderRelease(coder);
+      return nil;
+    }
 
     // Get the string value. First try creating as a UTF-8 string. If that fails,
     // fallback to trying as an ASCII string. If it still doesn't work, continue on
@@ -169,6 +174,7 @@
     dict[objectId] = valueString;
   }
 
+  SecAsn1CoderRelease(coder);
   return dict;
 }
 

Source/santactl/version/SNTCommandVersion.m

@@ -16,6 +16,7 @@
 
 #include <IOKit/kext/KextManager.h>
 
+#import "SNTCommonEnums.h"
 #import "SNTFileInfo.h"
 #import "SNTKernelCommon.h"
 #import "SNTXPCConnection.h"
@@ -25,7 +26,7 @@
 
 @implementation SNTCommandVersion
 
-REGISTER_COMMAND_NAME(@"version");
+REGISTER_COMMAND_NAME(@"version")
 
 + (BOOL)requiresRoot {
   return NO;
@@ -61,8 +62,7 @@ REGISTER_COMMAND_NAME(@"version");
     return loadedKexts[@(USERCLIENT_ID)][@"CFBundleVersion"];
   }
 
-  SNTFileInfo *driverInfo =
-      [[SNTFileInfo alloc] initWithPath:@"/Library/Extensions/santa-driver.kext"];
+  SNTFileInfo *driverInfo = [[SNTFileInfo alloc] initWithPath:@(kKextPath)];
   if (driverInfo) {
     return [driverInfo.bundleVersion stringByAppendingString:@" (unloaded)"];
   }
@@ -71,13 +71,13 @@ REGISTER_COMMAND_NAME(@"version");
 }
 
 + (NSString *)santadVersion {
-  SNTFileInfo *daemonInfo = [[SNTFileInfo alloc] initWithPath:@"/usr/libexec/santad"];
+  SNTFileInfo *daemonInfo = [[SNTFileInfo alloc] initWithPath:@(kSantaDPath)];
   return daemonInfo.bundleVersion;
 }
 
 + (NSString *)santaAppVersion {
   SNTFileInfo *guiInfo =
-  [[SNTFileInfo alloc] initWithPath:@"/Applications/Santa.app/Contents/MacOS/Santa"];
+      [[SNTFileInfo alloc] initWithPath:@"/Applications/Santa.app/Contents/MacOS/Santa"];
   return guiInfo.bundleVersion;
 }
 

Source/santad/Resources/santad-Prefix.pch

@@ -1,3 +1,3 @@
 #ifdef __OBJC__
 #import <Foundation/Foundation.h>
-#endif
+#endif

Source/santad/SNTApplication.m

@@ -12,7 +12,7 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#include <pwd.h>
+#include <sys/stat.h>
 #include <sys/types.h>
 
 #import "SNTApplication.h"
@@ -26,6 +26,7 @@
 #import "SNTDriverManager.h"
 #import "SNTEventTable.h"
 #import "SNTExecutionController.h"
+#import "SNTFileWatcher.h"
 #import "SNTRuleTable.h"
 #import "SNTXPCConnection.h"
 #import "SNTXPCControlInterface.h"
@@ -35,6 +36,7 @@
 @property SNTDriverManager *driverManager;
 @property SNTEventTable *eventTable;
 @property SNTExecutionController *execController;
+@property SNTFileWatcher *configFileWatcher;
 @property SNTRuleTable *ruleTable;
 @property SNTXPCConnection *controlConnection;
 @property SNTXPCConnection *notifierConnection;
@@ -57,13 +59,13 @@
 
     // Initialize tables
     _ruleTable = [SNTDatabaseController ruleTable];
-    if (! _ruleTable) {
+    if (!_ruleTable) {
       LOGE(@"Failed to initialize rule table.");
       return nil;
     }
 
     _eventTable = [SNTDatabaseController eventTable];
-    if (! _eventTable) {
+    if (!_eventTable) {
       LOGE(@"Failed to initialize event table.");
       return nil;
     }
@@ -82,6 +84,15 @@
         [[SNTDaemonControlController alloc] initWithDriverManager:_driverManager];
     [_controlConnection resume];
 
+    _configFileWatcher = [[SNTFileWatcher alloc] initWithFilePath:kDefaultConfigFilePath
+                                                          handler:^{
+        [[SNTConfigurator configurator] reloadConfigData];
+
+        // Ensure config file remains root:wheel 0644
+        chown([kDefaultConfigFilePath fileSystemRepresentation], 0, 0);
+        chmod([kDefaultConfigFilePath fileSystemRepresentation], 0644);
+    }];
+
     // Initialize the binary checker object
     _execController = [[SNTExecutionController alloc] initWithDriverManager:_driverManager
                                                                   ruleTable:_ruleTable
@@ -97,8 +108,8 @@
   LOGI(@"Connected to driver, activating.");
 
   // Create a concurrent queue to put requests on, then set its priority to high.
-  dispatch_queue_t q = dispatch_queue_create("com.google.santad.driver_queue",
-                                             DISPATCH_QUEUE_CONCURRENT);
+  dispatch_queue_t q =
+      dispatch_queue_create("com.google.santad.driver_queue", DISPATCH_QUEUE_CONCURRENT);
   dispatch_set_target_queue(q, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0));
 
   [self.driverManager listenWithBlock:^(santa_message_t message) {
@@ -106,24 +117,19 @@
         switch (message.action) {
           case ACTION_REQUEST_SHUTDOWN: {
             LOGI(@"Driver requested a shutdown");
-            // Sleep before exiting to give driver chance to ready itself
             exit(0);
           }
+          case ACTION_NOTIFY_EXEC_ALLOW_NODAEMON:
+          case ACTION_NOTIFY_EXEC_ALLOW_CACHED:
+          case ACTION_NOTIFY_EXEC_DENY_CACHED: {
+            // TODO(rah): Implement.
+            break;
+          }
           case ACTION_REQUEST_CHECKBW: {
             // Validate the binary aynchronously on a concurrent queue so we don't
             // hold up other execution requests in the background.
             dispatch_async(q, ^{
-                struct passwd *user = getpwuid(message.userId);
-                NSString *userName;
-                if (user) {
-                  userName = @(user->pw_name);
-                }
-
-                [self.execController validateBinaryWithPath:@(message.path)
-                                                   userName:userName
-                                                        pid:@(message.pid)
-                                                       ppid:@(message.ppid)
-                                                    vnodeId:message.vnode_id];
+                [self.execController validateBinaryWithMessage:message];
             });
             break;
           }

Source/santad/SNTDaemonControlController.m

@@ -17,25 +17,68 @@
 #import "SNTConfigurator.h"
 #import "SNTDatabaseController.h"
 #import "SNTDriverManager.h"
+#import "SNTDropRootPrivs.h"
 #import "SNTEventTable.h"
 #import "SNTLogging.h"
 #import "SNTRule.h"
 #import "SNTRuleTable.h"
 
+@interface SNTDaemonControlController ()
+@property dispatch_source_t syncTimer;
+@end
+
 @implementation SNTDaemonControlController
 
 - (instancetype)initWithDriverManager:(SNTDriverManager *)driverManager {
   self = [super init];
   if (self) {
     _driverManager = driverManager;
+
+    _syncTimer = [self createSyncTimer];
+    [self rescheduleSyncSecondsFromNow:600];
   }
   return self;
 }
 
+- (dispatch_source_t)createSyncTimer {
+  dispatch_source_t syncTimerQ = dispatch_source_create(
+      DISPATCH_SOURCE_TYPE_TIMER, 0, 0,
+      dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0));
+
+  dispatch_source_set_event_handler(syncTimerQ, ^{
+    [self rescheduleSyncSecondsFromNow:600];
+
+    if (![[SNTConfigurator configurator] syncBaseURL]) return;
+    [[SNTConfigurator configurator] setSyncBackOff:NO];
+
+    pid_t child = fork();
+    if (child == 0) {
+      // Ensure we have no privileges
+      if (!DropRootPrivileges()) {
+        _exit(1);
+      }
+
+      fclose(stdout);
+
+      _exit(execl(kSantaCtlPath, kSantaCtlPath, "sync", NULL));
+    }
+  });
+
+  dispatch_resume(syncTimerQ);
+
+  return syncTimerQ;
+}
+
+- (void)rescheduleSyncSecondsFromNow:(uint64_t)seconds {
+  uint64_t interval = seconds * NSEC_PER_SEC;
+  uint64_t leeway = (seconds * 0.05) * NSEC_PER_SEC;
+  dispatch_source_set_timer(self.syncTimer, dispatch_walltime(NULL, interval), interval, leeway);
+}
+
 #pragma mark Kernel ops
 
-- (void)cacheCount:(void (^)(uint64_t))reply; {
-  uint64_t count = [self.driverManager cacheCount];
+- (void)cacheCount:(void (^)(int64_t))reply {
+  int64_t count = [self.driverManager cacheCount];
   reply(count);
 }
 
@@ -45,21 +88,21 @@
 
 #pragma mark Database ops
 
-- (void)databaseRuleCounts:(void (^)(uint64_t binary, uint64_t certificate))reply {
+- (void)databaseRuleCounts:(void (^)(int64_t binary, int64_t certificate))reply {
   SNTRuleTable *rdb = [SNTDatabaseController ruleTable];
   reply([rdb binaryRuleCount], [rdb certificateRuleCount]);
 }
 
-- (void)databaseRuleAddRule:(SNTRule *)rule withReply:(void (^)())reply {
-  [self databaseRuleAddRules:@[ rule ] withReply:reply];
+- (void)databaseRuleAddRule:(SNTRule *)rule cleanSlate:(BOOL)cleanSlate reply:(void (^)())reply {
+  [self databaseRuleAddRules:@[ rule ] cleanSlate:cleanSlate reply:reply];
 }
 
-- (void)databaseRuleAddRules:(NSArray *)rules withReply:(void (^)())reply {
-  [[SNTDatabaseController ruleTable] addRules:rules];
+- (void)databaseRuleAddRules:(NSArray *)rules cleanSlate:(BOOL)cleanSlate reply:(void (^)())reply {
+  [[SNTDatabaseController ruleTable] addRules:rules cleanSlate:cleanSlate];
 
   // If any rules were added that were not whitelist, flush cache.
   NSPredicate *p = [NSPredicate predicateWithFormat:@"SELF.state != %d", RULESTATE_WHITELIST];
-  if ([rules filteredArrayUsingPredicate:p].count) {
+  if ([rules filteredArrayUsingPredicate:p].count || cleanSlate) {
     LOGI(@"Received non-whitelist rule, flushing cache");
     [self.driverManager flushCache];
   }
@@ -67,11 +110,11 @@
   reply();
 }
 
-- (void)databaseEventCount:(void (^)(uint64_t count))reply {
+- (void)databaseEventCount:(void (^)(int64_t count))reply {
   reply([[SNTDatabaseController eventTable] pendingEventsCount]);
 }
 
-- (void)databaseEventForSHA256:(NSString *)sha256 withReply:(void (^)(SNTStoredEvent *))reply {
+- (void)databaseEventForSHA256:(NSString *)sha256 reply:(void (^)(SNTStoredEvent *))reply {
   reply([[SNTDatabaseController eventTable] pendingEventForSHA256:sha256]);
 }
 
@@ -89,9 +132,23 @@
   reply([[SNTConfigurator configurator] clientMode]);
 }
 
-- (void)setClientMode:(santa_clientmode_t)mode withReply:(void (^)())reply {
+- (void)setClientMode:(santa_clientmode_t)mode reply:(void (^)())reply {
   [[SNTConfigurator configurator] setClientMode:mode];
   reply();
 }
 
+- (void)setNextSyncInterval:(uint64_t)seconds reply:(void (^)())reply {
+  [self rescheduleSyncSecondsFromNow:seconds];
+  [[SNTConfigurator configurator] setSyncBackOff:YES];
+  reply();
+}
+
+- (void)setWhitelistPathRegex:(NSString *)pattern reply:(void (^)())reply {
+  NSRegularExpression *re = [NSRegularExpression regularExpressionWithPattern:pattern
+                                                                      options:0
+                                                                        error:NULL];
+  [[SNTConfigurator configurator] setWhitelistPathRegex:re];
+  reply();
+}
+
 @end

Source/santad/SNTDatabaseController.m

@@ -28,14 +28,12 @@ static NSString * const kEventsDatabaseName = @"events.db";
   static FMDatabaseQueue *eventDatabaseQueue = nil;
   static dispatch_once_t eventDatabaseToken;
   dispatch_once(&eventDatabaseToken, ^{
-    [self createDatabasePath];
-    NSString *fullPath = [kDatabasePath stringByAppendingPathComponent:kEventsDatabaseName];
-    eventDatabaseQueue = [[FMDatabaseQueue alloc] initWithPath:fullPath];
+      [self createDatabasePath];
+      NSString *fullPath = [kDatabasePath stringByAppendingPathComponent:kEventsDatabaseName];
+      eventDatabaseQueue = [[FMDatabaseQueue alloc] initWithPath:fullPath];
 
-#ifndef DEBUG
-    [eventDatabaseQueue inDatabase:^(FMDatabase *db) {
-      db.logsErrors = NO;
-    }];
+  #ifndef DEBUG
+      [eventDatabaseQueue inDatabase:^(FMDatabase *db) { db.logsErrors = NO; }];
 #endif
   });
 
@@ -46,14 +44,12 @@ static NSString * const kEventsDatabaseName = @"events.db";
   static FMDatabaseQueue *ruleDatabaseQueue = nil;
   static dispatch_once_t ruleDatabaseToken;
   dispatch_once(&ruleDatabaseToken, ^{
-    [self createDatabasePath];
-    NSString *fullPath = [kDatabasePath stringByAppendingPathComponent:kRulesDatabaseName];
-    ruleDatabaseQueue = [[FMDatabaseQueue alloc] initWithPath:fullPath];
+      [self createDatabasePath];
+      NSString *fullPath = [kDatabasePath stringByAppendingPathComponent:kRulesDatabaseName];
+      ruleDatabaseQueue = [[FMDatabaseQueue alloc] initWithPath:fullPath];
 
-#ifndef DEBUG
-    [ruleDatabaseQueue inDatabase:^(FMDatabase *db) {
-      db.logsErrors = NO;
-    }];
+  #ifndef DEBUG
+      [ruleDatabaseQueue inDatabase:^(FMDatabase *db) { db.logsErrors = NO; }];
 #endif
   });
   return [[SNTRuleTable alloc] initWithDatabaseQueue:ruleDatabaseQueue];
@@ -65,9 +61,11 @@ static NSString * const kEventsDatabaseName = @"events.db";
 + (void)createDatabasePath {
   NSFileManager *fm = [NSFileManager defaultManager];
 
-  NSDictionary *attrs = @{ NSFileOwnerAccountName: @"root",
-                           NSFileGroupOwnerAccountName: @"wheel",
-                           NSFilePosixPermissions: @0755 };
+  NSDictionary *attrs = @{
+    NSFileOwnerAccountName : @"root",
+    NSFileGroupOwnerAccountName : @"wheel",
+    NSFilePosixPermissions : @0755
+  };
 
   if (![fm fileExistsAtPath:kDatabasePath]) {
     [fm createDirectoryAtPath:kDatabasePath

Source/santad/SNTDatabaseTable.h

@@ -28,7 +28,7 @@
 ///  is the current version of the table. The return value is the new version of the table. If
 ///  updating the table failed, return a negative number. If there was no update to apply, return 0.
 ///
-- (int)initializeDatabase:(FMDatabase *)db fromVersion:(int)version;
+- (uint32_t)initializeDatabase:(FMDatabase *)db fromVersion:(uint32_t)version;
 
 ///
 ///  Wrappers around the respective FMDatabaseQueue methods. If the object we initialized with was

Source/santad/SNTDatabaseTable.m

@@ -38,18 +38,17 @@
   return nil;
 }
 
-- (int)initializeDatabase:(FMDatabase *)db fromVersion:(int)version {
+- (uint32_t)initializeDatabase:(FMDatabase *)db fromVersion:(uint32_t)version {
   [self doesNotRecognizeSelector:_cmd];
-  return -1;
+  return 0;
 }
 
 /// Called at the end of initialization to ensure the table in the
 /// database exists and uses the latest schema.
 - (void)updateTableSchema {
   [self inTransaction:^(FMDatabase *db, BOOL *rollback) {
-
-      int currentVersion = [db userVersion];
-      int newVersion = [self initializeDatabase:db fromVersion:currentVersion];
+      uint32_t currentVersion = [db userVersion];
+      uint32_t newVersion = [self initializeDatabase:db fromVersion:currentVersion];
       if (newVersion < 1) return;
 
       LOGD(@"Updated %@ from version %d to %d", [self className], currentVersion, newVersion);

Source/santad/SNTDriverManager.m

@@ -83,7 +83,7 @@ static const int MAX_DELAY = 15;
   IOServiceClose(_connection);
 }
 
-# pragma mark Incoming messages
+#pragma mark Incoming messages
 
 - (void)listenWithBlock:(void (^)(santa_message_t message))callback {
   kern_return_t kr;
@@ -122,18 +122,17 @@ static const int MAX_DELAY = 15;
   self.queueMemory = (IODataQueueMemory *)address;
   dataSize = sizeof(vdata);
 
-  while (IODataQueueWaitForAvailableData(self.queueMemory,
-                                         self.receivePort) == kIOReturnSuccess) {
+  do {
     while (IODataQueueDataAvailable(self.queueMemory)) {
       kr = IODataQueueDequeue(self.queueMemory, &vdata, &dataSize);
       if (kr == kIOReturnSuccess) {
         callback(vdata);
       } else {
-        LOGD(@"Error receiving data: %d", kr);
+        LOGE(@"Error dequeuing data: %d", kr);
         exit(2);
       }
     }
-  }
+  } while (IODataQueueWaitForAvailableData(self.queueMemory, self.receivePort) == kIOReturnSuccess);
 
   IOConnectUnmapMemory(self.connection, kIODefaultMemoryType, mach_task_self(), address);
   mach_port_destroy(mach_task_self(), self.receivePort);

Source/santad/SNTEventTable.h

@@ -24,6 +24,7 @@
 
 ///
 ///  Add event to the database.
+///
 ///  @param event the event to store.
 ///  @return YES if event was successfully stored.
 ///
@@ -31,18 +32,23 @@
 
 ///
 ///  Retrieves all events in the database
+///
 ///  @return NSArray of SNTStoredEvent's
 ///
 - (NSArray *)pendingEvents;
 
 ///
 ///  Retrieves number of events in database without fetching every event.
+///
 ///  @return Number of events in database.
 ///
 - (NSUInteger)pendingEventsCount;
 
 ///
-///  Retrieve an event from the database.
+///  Retrieve an event from the database with a given SHA-256. If multiple events
+///  exist for the same SHA-256, just the first is returned.
+///
+///  @param sha256 a SHA-256 of the binary to return an event for.
 ///  @return a single SNTStoredEvent.
 ///
 - (SNTStoredEvent *)pendingEventForSHA256:(NSString *)sha256;
@@ -50,12 +56,15 @@
 ///
 ///  Delete a single event from the database using its index.
 ///
-- (void)deleteEventWithId:(NSNumber *)id;
+///  @param index the event ID.
+///
+- (void)deleteEventWithId:(NSNumber *)index;
 
 ///
 ///  Delete multiple events from the database with an array of IDs.
+///
 ///  @param indexes an array of event IDs.
 ///
-- (void)deleteEventsWithIds:(NSArray *)ids;
+- (void)deleteEventsWithIds:(NSArray *)indexes;
 
 @end

Source/santad/SNTEventTable.m

@@ -20,17 +20,15 @@
 
 @implementation SNTEventTable
 
-- (int)initializeDatabase:(FMDatabase *)db fromVersion:(int)version {
+- (uint32_t)initializeDatabase:(FMDatabase *)db fromVersion:(uint32_t)version {
   int newVersion = 0;
 
   if (version < 1) {
     [db executeUpdate:@"CREATE TABLE 'events' ("
-        "'idx' INTEGER PRIMARY KEY AUTOINCREMENT,"
-        "'filesha256' TEXT NOT NULL,"
-        "'eventdata' BLOB"
-        @");"];
+                      @"'idx' INTEGER PRIMARY KEY AUTOINCREMENT,"
+                      @"'filesha256' TEXT NOT NULL,"
+                      @"'eventdata' BLOB);"];
     [db executeUpdate:@"CREATE INDEX filesha256 ON events (filesha256);"];
-
     newVersion = 1;
   }
 
@@ -57,16 +55,6 @@
   return success;
 }
 
-- (SNTStoredEvent *)eventFromResultSet:(FMResultSet *)rs {
-  NSData *eventData = [rs dataForColumn:@"eventdata"];
-  if (!eventData) return nil;
-
-  SNTStoredEvent *event = [NSKeyedUnarchiver unarchiveObjectWithData:eventData];
-  event.idx = @([rs intForColumn:@"idx"]);
-
-  return event;
-}
-
 #pragma mark Querying/Retreiving
 
 - (NSUInteger)pendingEventsCount {
@@ -81,8 +69,8 @@
   __block SNTStoredEvent *storedEvent;
 
   [self inDatabase:^(FMDatabase *db) {
-      FMResultSet *rs = [db executeQuery:@"SELECT * FROM events WHERE filesha256=? LIMIT 1;",
-                            sha256];
+      FMResultSet *rs =
+          [db executeQuery:@"SELECT * FROM events WHERE filesha256=? LIMIT 1;", sha256];
 
       if ([rs next]) {
         storedEvent = [self eventFromResultSet:rs];
@@ -101,7 +89,13 @@
       FMResultSet *rs = [db executeQuery:@"SELECT * FROM events"];
 
       while ([rs next]) {
-        [pendingEvents addObject:[self eventFromResultSet:rs]];
+        id obj = [self eventFromResultSet:rs];
+        if (obj) {
+          [pendingEvents addObject:obj];
+        } else {
+          NSNumber *idx = [rs objectForColumnName:@"idx"];
+          [db executeUpdate:@"DELETE FROM events WHERE idx=?", idx];
+        }
       }
 
       [rs close];
@@ -110,6 +104,16 @@
   return pendingEvents;
 }
 
+- (SNTStoredEvent *)eventFromResultSet:(FMResultSet *)rs {
+  NSData *eventData = [rs dataForColumn:@"eventdata"];
+  if (!eventData) return nil;
+
+  SNTStoredEvent *event = [NSKeyedUnarchiver unarchiveObjectWithData:eventData];
+  event.idx = @([rs intForColumn:@"idx"]);
+
+  return event;
+}
+
 #pragma mark Deleting
 
 - (void)deleteEventWithId:(NSNumber *)index {
@@ -122,6 +126,9 @@
   for (NSNumber *index in indexes) {
     [self deleteEventWithId:index];
   }
+  [self inDatabase:^(FMDatabase *db) {
+      [db executeUpdate:@"VACUUM"];
+  }];
 }
 
 @end

Source/santad/SNTExecutionController.h

@@ -13,6 +13,7 @@
 ///    limitations under the License.
 
 #include "SNTCommonEnums.h"
+#include "SNTKernelCommon.h"
 
 @class SNTCodesignChecker;
 @class SNTDriverManager;
@@ -48,17 +49,8 @@
 ///  the kernel, logs the event to the log and if necessary stores the event in the database and
 ///  sends a notification to the GUI agent.
 ///
-///  @param path the binary that's being executed
-///  @param userName the user who's executing the binary
-///  @param pid the process id being executed
-///  @param ppid the parent process id
-///  @param vnoteId the id of the vnode being executed
+///  @param message The message sent from the kernel.
 ///
-- (void)validateBinaryWithPath:(NSString *)path
-                      userName:(NSString *)userName
-                           pid:(NSNumber *)pid
-                          ppid:(NSNumber *)ppid
-                       vnodeId:(uint64_t)vnodeId;
-
+- (void)validateBinaryWithMessage:(santa_message_t)message;
 
 @end

Source/santad/SNTExecutionController.m

@@ -14,12 +14,15 @@
 
 #import "SNTExecutionController.h"
 
+#include <libproc.h>
+#include <pwd.h>
 #include <utmpx.h>
 
 #include "SNTLogging.h"
 
 #import "SNTCertificate.h"
 #import "SNTCodesignChecker.h"
+#import "SNTCommonEnums.h"
 #import "SNTConfigurator.h"
 #import "SNTDriverManager.h"
 #import "SNTDropRootPrivs.h"
@@ -45,7 +48,6 @@
     _ruleTable = ruleTable;
     _eventTable = eventTable;
     _notifierConnection = notifier;
-    LOGI(@"Log format: Decision (A|D), Reason (B|C|S|?), SHA-256, Path, Cert SHA-256, Cert CN");
 
     // Workaround for xpcproxy/libsecurity bug on Yosemite
     // This establishes the XPC connection between libsecurity and syspolicyd.
@@ -57,18 +59,30 @@
 
 #pragma mark Binary Validation
 
-- (void)validateBinaryWithPath:(NSString *)path
-                      userName:(NSString *)userName
-                           pid:(NSNumber *)pid
-                          ppid:(NSNumber *)ppid
-                       vnodeId:(uint64_t)vnodeId {
-  SNTFileInfo *binInfo = [[SNTFileInfo alloc] initWithPath:path];
+- (void)validateBinaryWithMessage:(santa_message_t)message {
+  NSString *path = @(message.path);
+  uint64_t vnodeId = message.vnode_id;
+
+  NSError *fileInfoError;
+  SNTFileInfo *binInfo = [[SNTFileInfo alloc] initWithPath:path error:&fileInfoError];
   NSString *sha256 = [binInfo SHA256];
 
+  // If we can't read the file and hash properly, log an error.
+  if (!binInfo || !sha256) {
+    LOGW(@"Failed to read file %@: %@", path, fileInfoError.localizedDescription);
+    [self.driverManager postToKernelAction:ACTION_RESPOND_CHECKBW_ALLOW forVnodeID:vnodeId];
+    [self logDecisionForEventState:EVENTSTATE_ALLOW_UNKNOWN sha256:nil path:path leafCert:nil];
+    return;
+  }
+
   // These will be filled in either in later steps
   santa_action_t respondedAction = ACTION_UNSET;
   SNTRule *rule;
 
+  // Get name of parent process. Do this before responding to be sure parent doesn't go away.
+  char pname[PROC_PIDPATHINFO_MAXSIZE];
+  proc_name(message.ppid, pname, PROC_PIDPATHINFO_MAXSIZE);
+
   // Step 1 - binary rule?
   rule = [self.ruleTable binaryRuleForSHA256:sha256];
   if (rule) {
@@ -88,7 +102,7 @@
   }
 
   // Step 3 - in scope?
-  if (![self fileIsInScope:path]) {
+  if (!rule && ![self fileIsInScope:path]) {
     [self.driverManager postToKernelAction:ACTION_RESPOND_CHECKBW_ALLOW forVnodeID:vnodeId];
     [self logDecisionForEventState:EVENTSTATE_ALLOW_SCOPE sha256:sha256 path:path leafCert:nil];
     return;
@@ -119,11 +133,19 @@
     }
 
     se.signingChain = csInfo.certificates;
-    se.executingUser = userName;
     se.occurrenceDate = [[NSDate alloc] init];
     se.decision = [self eventStateForDecision:respondedAction type:rule.type];
-    se.pid = pid;
-    se.ppid = ppid;
+    se.pid = @(message.pid);
+    se.ppid = @(message.ppid);
+    se.parentName = @(pname);
+
+    struct passwd *user = getpwuid(message.userId);
+    endpwent();
+    NSString *userName;
+    if (user) {
+      userName = @(user->pw_name);
+    }
+    se.executingUser = userName;
 
     NSArray *loggedInUsers, *currentSessions;
     [self loggedInUsers:&loggedInUsers sessions:&currentSessions];
@@ -135,14 +157,18 @@
     if (respondedAction == ACTION_RESPOND_CHECKBW_DENY) {
       // So the server has something to show the user straight away, initiate an event
       // upload for the blocked binary rather than waiting for the next sync.
-      // The event upload is skipped if the full path is equal to that of /usr/sbin/santactl so that
+      // The event upload is skipped if the full path is equal to that of santactl so that
       /// on the off chance that santactl is not whitelisted, we don't get into an infinite loop.
-      if (![path isEqual:@"/usr/sbin/santactl"]) {
+      if (![path isEqual:@(kSantaCtlPath)] &&
+          [[SNTConfigurator configurator] syncBaseURL]
+          && ![[SNTConfigurator configurator] syncBackOff]) {
         [self initiateEventUploadForSHA256:sha256];
       }
 
-      [[self.notifierConnection remoteObjectProxy] postBlockNotification:se
-                                                       withCustomMessage:rule.customMsg];
+      if (!rule || rule.state != RULESTATE_SILENT_BLACKLIST) {
+        [[self.notifierConnection remoteObjectProxy] postBlockNotification:se
+                                                         withCustomMessage:rule.customMsg];
+      }
     }
   }
 
@@ -157,51 +183,45 @@
 ///  Checks whether the file at @c path is in-scope for checking with Santa.
 ///
 ///  Files that are out of scope:
-///    + Non Mach-O files
-///    + Files in whitelisted directories.
+///    + Non Mach-O files that are not part of an installer package.
+///    + Files in whitelisted path.
 ///
 ///  @return @c YES if file is in scope, @c NO otherwise.
 ///
 - (BOOL)fileIsInScope:(NSString *)path {
-  // Determine if file is within a whitelisted directory.
-  if ([self pathIsInWhitelistedDir:path]) {
+  // Determine if file is within a whitelisted path
+  NSRegularExpression *re = [[SNTConfigurator configurator] whitelistPathRegex];
+  if ([re numberOfMatchesInString:path options:0 range:NSMakeRange(0, path.length)]) {
     return NO;
   }
 
-  // If file is not a Mach-O file, we're not interested.
-  // TODO(rah): Consider adding an option to check scripts
+  // If file is not a Mach-O file, we're not interested unless it's part of an install package.
+  // TODO(rah): Consider adding an option to check all scripts.
+  // TODO(rah): Consider adding an option to disable package script checks.
   SNTFileInfo *binInfo = [[SNTFileInfo alloc] initWithPath:path];
-  if (![binInfo isMachO]) {
+  if (![binInfo isMachO] && ![path hasPrefix:@"/private/tmp/PKInstallSandbox."]) {
     return NO;
   }
 
   return YES;
 }
 
-- (BOOL)pathIsInWhitelistedDir:(NSString *)path {
-  // TODO(rah): Implement this.
-  return NO;
-}
-
 - (santa_eventstate_t)eventStateForDecision:(santa_action_t)decision type:(santa_ruletype_t)type {
-  if (decision == ACTION_RESPOND_CHECKBW_ALLOW) {
-    if (type == RULETYPE_BINARY) {
-      return EVENTSTATE_ALLOW_BINARY;
-    } else if (type == RULETYPE_CERT) {
-      return EVENTSTATE_ALLOW_CERTIFICATE;
-    } else {
-      return EVENTSTATE_ALLOW_UNKNOWN;
-    }
-  } else if (decision == ACTION_RESPOND_CHECKBW_DENY) {
-    if (type == RULETYPE_BINARY) {
-      return EVENTSTATE_BLOCK_BINARY;
-    } else if (decision == RULETYPE_CERT) {
-      return EVENTSTATE_BLOCK_CERTIFICATE;
-    } else {
-      return EVENTSTATE_BLOCK_UNKNOWN;
-    }
-  } else {
-    return EVENTSTATE_UNKNOWN;
+  switch (decision) {
+    case ACTION_RESPOND_CHECKBW_ALLOW:
+      switch (type) {
+        case RULETYPE_BINARY: return EVENTSTATE_ALLOW_BINARY;
+        case RULETYPE_CERT: return EVENTSTATE_ALLOW_CERTIFICATE;
+        default: return EVENTSTATE_ALLOW_UNKNOWN;
+
+      }
+    case ACTION_RESPOND_CHECKBW_DENY:
+      switch (type) {
+        case RULETYPE_BINARY: return EVENTSTATE_BLOCK_BINARY;
+        case RULETYPE_CERT: return EVENTSTATE_BLOCK_CERTIFICATE;
+        default: return EVENTSTATE_BLOCK_UNKNOWN;
+      }
+    default: return EVENTSTATE_UNKNOWN;
   }
 }
 
@@ -235,8 +255,8 @@
 
   if (cert && cert.SHA256 && cert.commonName) {
     // Also ensure there are no pipes in the cert's common name.
-    NSString *printCommonName = [cert.commonName stringByReplacingOccurrencesOfString:@"|"
-                                                                           withString:@"<pipe>"];
+    NSString *printCommonName =
+        [cert.commonName stringByReplacingOccurrencesOfString:@"|" withString:@"<pipe>"];
     outLog = [NSString stringWithFormat:@"%@|%@|%@|%@|%@|%@",
                  d, r, sha256, printPath, cert.SHA256, printCommonName];
   } else {
@@ -249,7 +269,6 @@
 }
 
 - (void)initiateEventUploadForSHA256:(NSString *)sha256 {
-  signal(SIGCHLD, SIG_IGN);
   pid_t child = fork();
   if (child == 0) {
     fclose(stdout);
@@ -257,24 +276,18 @@
 
     // Ensure we have no privileges
     if (!DropRootPrivileges()) {
-      exit(1);
+      _exit(1);
     }
 
-    exit(execl("/usr/sbin/santactl", "/usr/sbin/santactl", "sync",
-               "singleevent", [sha256 UTF8String], NULL));
+    _exit(execl(kSantaCtlPath, kSantaCtlPath, "sync", "singleevent", [sha256 UTF8String], NULL));
   }
 }
 
 - (santa_action_t)defaultDecision {
   switch ([[SNTConfigurator configurator] clientMode]) {
-    case CLIENTMODE_MONITOR:
-      return ACTION_RESPOND_CHECKBW_ALLOW;
-    case CLIENTMODE_LOCKDOWN:
-      return ACTION_RESPOND_CHECKBW_DENY;
-    default:
-      // This should never happen, panic and lockdown.
-      LOGE(@"Client mode is unset while enforcement is in effect. Blocking.");
-      return ACTION_RESPOND_CHECKBW_DENY;
+    case CLIENTMODE_MONITOR: return ACTION_RESPOND_CHECKBW_ALLOW;
+    case CLIENTMODE_LOCKDOWN: return ACTION_RESPOND_CHECKBW_DENY;
+    default: return ACTION_RESPOND_CHECKBW_DENY;  // This can't happen.
   }
 }
 
@@ -291,11 +304,10 @@
 }
 
 - (void)loggedInUsers:(NSArray **)users sessions:(NSArray **)sessions {
-  struct utmpx *nxt;
-
   NSMutableDictionary *loggedInUsers = [[NSMutableDictionary alloc] init];
   NSMutableDictionary *loggedInHosts = [[NSMutableDictionary alloc] init];
 
+  struct utmpx *nxt;
   while ((nxt = getutxent())) {
     if (nxt->ut_type != USER_PROCESS) continue;
 
@@ -308,12 +320,12 @@
       sessionName = [NSString stringWithFormat:@"%s@%s", nxt->ut_user, nxt->ut_line];
     }
 
-    if (userName && ![userName isEqual:@""]) {
-      loggedInUsers[userName] = @"";
+    if (userName.length > 0) {
+      loggedInUsers[userName] = [NSNull null];
     }
 
-    if (sessionName && ![sessionName isEqual:@":"]) {
-      loggedInHosts[sessionName] = @"";
+    if (sessionName.length > 1) {
+      loggedInHosts[sessionName] = [NSNull null];
     }
   }
 

Source/santad/SNTRuleTable.h

@@ -27,17 +27,17 @@
 ///
 ///  @return Number of rules in the database
 ///
-- (long)ruleCount;
+- (NSUInteger)ruleCount;
 
 ///
 ///  @return Number of binary rules in the database
 ///
-- (long)binaryRuleCount;
+- (NSUInteger)binaryRuleCount;
 
 ///
 ///  @return Number of certificate rules in the database
 ///
-- (long)certificateRuleCount;
+- (NSUInteger)certificateRuleCount;
 
 ///
 ///  @return Rule for binary with given SHA-256
@@ -54,8 +54,9 @@
 ///  transaction will abort if any rule fails to add.
 ///
 ///  @param rules Array of SNTRule's to add.
+///  @param cleanSlate If true, remove all rules before adding the new rules.
 ///  @return YES if all rules were added successfully.
 ///
-- (BOOL)addRules:(NSArray *)rules;
+- (BOOL)addRules:(NSArray *)rules cleanSlate:(BOOL)cleanSlate;
 
 @end

Source/santad/SNTRuleTable.m

@@ -16,12 +16,13 @@
 
 #import "SNTCertificate.h"
 #import "SNTCodesignChecker.h"
+#import "SNTLogging.h"
 #import "SNTRule.h"
 
 @implementation SNTRuleTable
 
-- (int)initializeDatabase:(FMDatabase *)db fromVersion:(int)version {
-  int newVersion = 0;
+- (uint32_t)initializeDatabase:(FMDatabase *)db fromVersion:(uint32_t)version {
+  uint32_t newVersion = 0;
 
   if (version < 1) {
     [db executeUpdate:@"CREATE TABLE 'rules' ("
@@ -54,24 +55,24 @@
 
 #pragma mark Entry Counts
 
-- (long)ruleCount {
-  __block long count = 0;
+- (NSUInteger)ruleCount {
+  __block NSUInteger count = 0;
   [self inDatabase:^(FMDatabase *db) {
-      count = [db longForQuery:@"SELECT COUNT(*) FROM rules"];
+    count = [db longForQuery:@"SELECT COUNT(*) FROM rules"];
   }];
   return count;
 }
 
-- (long)binaryRuleCount {
-  __block long count = 0;
+- (NSUInteger)binaryRuleCount {
+  __block NSUInteger count = 0;
   [self inDatabase:^(FMDatabase *db) {
       count = [db longForQuery:@"SELECT COUNT(*) FROM binrules"];
   }];
   return count;
 }
 
-- (long)certificateRuleCount {
-  __block long count = 0;
+- (NSUInteger)certificateRuleCount {
+  __block NSUInteger count = 0;
   [self inDatabase:^(FMDatabase *db) {
       count = [db longForQuery:@"SELECT COUNT(*) FROM certrules"];
   }];
@@ -95,7 +96,7 @@
   [self inDatabase:^(FMDatabase *db) {
       FMResultSet *rs = [db executeQuery:@"SELECT * FROM certrules WHERE shasum=? LIMIT 1", SHA256];
       if ([rs next]) {
-          rule = [self ruleFromResultSet:rs];
+        rule = [self ruleFromResultSet:rs];
       }
       [rs close];
   }];
@@ -119,13 +120,21 @@
 
 #pragma mark Adding
 
-- (BOOL)addRules:(NSArray *)rules {
+- (BOOL)addRules:(NSArray *)rules cleanSlate:(BOOL)cleanSlate {
   __block BOOL failed = NO;
 
+  if (!rules || rules.count < 1) {
+    LOGE(@"Received request to add rules with nil/empty array.");
+    return NO;
+  }
+
   [self inTransaction:^(FMDatabase *db, BOOL *rollback) {
+      if (cleanSlate) {
+        [db executeUpdate:@"DELETE FROM rules"];
+      }
+
       for (SNTRule *rule in rules) {
-        if (![rule isKindOfClass:[SNTRule class]] ||
-            !rule.shasum || rule.shasum.length == 0 ||
+        if (![rule isKindOfClass:[SNTRule class]] || rule.shasum.length == 0 ||
             rule.state == RULESTATE_UNKNOWN || rule.type == RULETYPE_UNKNOWN) {
           *rollback = failed = YES;
           return;
@@ -139,8 +148,8 @@
           }
         } else {
           if (![db executeUpdate:@"INSERT OR REPLACE INTO rules "
-                                @"(shasum, state, type, custommsg) "
-                                @"VALUES (?, ?, ?, ?);",
+                                 @"(shasum, state, type, custommsg) "
+                                 @"VALUES (?, ?, ?, ?);",
                   rule.shasum, @(rule.state), @(rule.type), rule.customMsg]) {
             *rollback = failed = YES;
             return;

Source/santad/main.m

@@ -14,12 +14,71 @@
 
 #include "SNTLogging.h"
 
+#include <pthread/pthread.h>
+#include <sys/resource.h>
+
 #import "SNTApplication.h"
 
+///  Converts a timeval struct to double, converting the microseconds value to seconds.
+static inline double timeval_to_double(struct timeval tv) {
+  return (double)tv.tv_sec + (double)tv.tv_usec / 1000000.0;
+}
+
+///  The watchdog thread function, used to monitor santad CPU/RAM usage and print a warning
+///  if it goes over certain thresholds.
+void *watchdogThreadFunction(__unused void *idata) {
+  pthread_setname_np("com.google.santa.watchdog");
+
+  // Number of seconds to wait between checks.
+  const int timeInterval = 60;
+
+  // Amount of CPU usage to trigger warning, as a percentage averaged over timeInterval
+  // santad's usual CPU usage is 0-3% but can occasionally spike if lots of processes start at once.
+  const int cpuWarnThreshold = 20.0;
+
+  // Amount of RAM usage to trigger warning, in MB.
+  // santad's usual RAM usage is between 5-50MB but can spike if lots of processes start at once.
+  const int memWarnThreshold = 250;
+
+  double prevTotalTime = 0.0;
+  double prevRamUseMB = 0.0;
+  struct rusage usage;
+  struct mach_task_basic_info taskInfo;
+  mach_msg_type_number_t taskInfoCount = MACH_TASK_BASIC_INFO_COUNT;
+
+  while(true) {
+    @autoreleasepool {
+      sleep(timeInterval);
+
+      // CPU
+      getrusage(RUSAGE_SELF, &usage);
+      double totalTime = timeval_to_double(usage.ru_utime) + timeval_to_double(usage.ru_stime);
+      double percentage = (((totalTime - prevTotalTime) / (double)timeInterval) * 100.0);
+      prevTotalTime = totalTime;
+
+      if (percentage > cpuWarnThreshold) {
+        LOGW(@"Watchdog: potentially high CPU use, ~%.2f%% over last %d seconds.",
+             percentage, timeInterval);
+      }
+
+      // RAM
+      if (KERN_SUCCESS == task_info(mach_task_self(), MACH_TASK_BASIC_INFO,
+                                    (task_info_t)&taskInfo, &taskInfoCount)) {
+        double ramUseMB = (double) taskInfo.resident_size / 1024 / 1024;
+        if (ramUseMB > memWarnThreshold && ramUseMB > prevRamUseMB) {
+          LOGW(@"Watchdog: potentially high RAM use, RSS is %.2fMB.", ramUseMB);
+        }
+        prevRamUseMB = ramUseMB;
+      }
+    }
+  }
+  return NULL;
+}
+
 int main(int argc, const char *argv[]) {
   @autoreleasepool {
-    // Do not buffer stdout
-    setbuf(stdout, NULL);
+    // Do not wait on child processes
+    signal(SIGCHLD, SIG_IGN);
 
     NSDictionary *infoDict = [[NSBundle mainBundle] infoDictionary];
 
@@ -28,11 +87,19 @@ int main(int argc, const char *argv[]) {
       return 0;
     }
 
+    // Close stdout/stderr so logging goes to syslog
+    fclose(stdout);
+    fclose(stderr);
+
     LOGI(@"Started, version %@", infoDict[@"CFBundleVersion"]);
 
     SNTApplication *s = [[SNTApplication alloc] init];
     [s performSelectorInBackground:@selector(run) withObject:nil];
 
+    // Create watchdog thread
+    pthread_t watchdogThread;
+    pthread_create(&watchdogThread, NULL, watchdogThreadFunction, NULL);
+
     [[NSRunLoop mainRunLoop] run];
   }
 }