santactl/sync: Validate incoming rules better

This necessitated a large refactoring of a bunch of code, hence being a large commit. This moves all event logging into a separate class, moves logging of executions to be from FileOp events rather than Vnode events (so we can get the argv after the execve call has finished) and implements the logging of cached execs.

.travis.yml

@@ -1,5 +1,6 @@
 ---
 language: objective-c
+cache: cocoapods
 
 before_install:
  - gem install cocoapods xcpretty

Conf/Package/Makefile

@@ -0,0 +1,84 @@
+#
+#  Package Makefile for Santa
+#  Requires TheLuggage (github.com/unixorn/luggage) to be installed
+#
+#  Will generate a package based on the latest release. You can replace
+#  the PACKAGE_VERSION variable with a specific variable instead if you wish.
+#
+
+LUGGAGE:=/usr/local/share/luggage/luggage.make
+include ${LUGGAGE}
+
+TITLE:=santa
+REVERSE_DOMAIN:=com.google
+
+# Get latest Release version using the GitHub API. Each release is bound to a
+# git tag, which should always be a semantic version number. The most recent
+# release is always first in the API result.
+PACKAGE_VERSION:=$(shell curl -fs https://api.github.com/repos/google/santa/releases |\
+	python -c 'import json, sys; print json.load(sys.stdin)[0]["tag_name"]' 2>/dev/null)
+
+# Get the download URL for the latest Release. Each release should have a
+# tarball named santa-$version.tar.bz2 containing all of the files associated
+# with that release. The tarball layout is:
+#
+#   santa-$version.tar.bz2
+#   +--santa-$version
+#         |-- binaries
+#         |    |-- santa-driver.kext
+#         |    |-- Santa.app
+#         |-- conf
+#         |    |-- install.sh
+#         |    |-- com.google.santad.plist
+#         |    |-- com.google.santagui.plist
+#         |    +-- com.google.santa.asl.conf
+#         +--dsym
+#              |-- santa-driver.kext.dSYM
+#              |-- Santa.app.dSYM
+#              |-- santad.dSYM
+#              +-- santactl.dSYM
+PACKAGE_DOWNLOAD_URL:="https://github.com/google/santa/releases/download/${PACKAGE_VERSION}/santa-${PACKAGE_VERSION}.tar.bz2"
+
+PAYLOAD:=pack-Library-Extensions-santa-driver.kext \
+	pack-applications-Santa.app \
+	pack-Library-LaunchDaemons-com.google.santad.plist \
+	pack-Library-LaunchAgents-com.google.santagui.plist \
+	pack-etc-asl-com.google.santa.asl.conf \
+	pack-script-preinstall \
+	pack-script-postinstall
+
+santa-driver.kext: download
+Santa.app: download
+com.google.santad.plist: download
+com.google.santagui.plist: download
+com.google.santa.asl.conf: download
+
+download:
+	$(if $(PACKAGE_VERSION),, $(error GitHub API returned unexpected result. Wait a while and try again))
+
+	@curl -fL ${PACKAGE_DOWNLOAD_URL} | tar xvj --strip=2
+	@rm -rf *.dSYM
+
+pack-etc-asl-com.google.santa.asl.conf: com.google.santa.asl.conf l_private_etc
+	@sudo mkdir -p ${WORK_D}/private/etc/asl
+	@sudo chown root:wheel ${WORK_D}/private/etc/asl
+	@sudo chmod 755 ${WORK_D}/private/etc/asl
+	@sudo install -m 644 -o root -g wheel com.google.santa.asl.conf ${WORK_D}/private/etc/asl
+
+pack-Library-Extensions-santa-driver.kext: santa-driver.kext l_Library
+	@sudo mkdir -p ${WORK_D}/Library/Extensions
+	@sudo ${DITTO} --noqtn santa-driver.kext ${WORK_D}/Library/Extensions/santa-driver.kext
+	@sudo chown -R root:wheel ${WORK_D}/Library/Extensions/santa-driver.kext
+	@sudo chmod -R 755 ${WORK_D}/Library/Extensions/santa-driver.kext
+
+clean: myclean
+
+myclean:
+	@rm -rf *.dSYM
+	@rm -rf Santa.app
+	@rm -rf santa-driver.kext
+	@rm -f config.plist
+	@rm -f com.google.santa.asl.conf
+	@rm -f com.google.santad.plist
+	@rm -f com.google.santagui.plist
+	@rm -f install.sh

Conf/Package/postinstall

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Load the kernel extension, santad, sync client
+# If a user is logged in, also load the GUI agent.
+# If the target volume is not /, do nothing
+
+[[ $3 != "/" ]] && exit 0
+
+# Restart syslogd to pick up ASL configuration change
+/usr/bin/killall -HUP syslogd
+
+/sbin/kextload /Library/Extensions/santa-driver.kext
+
+sleep 1
+
+/bin/launchctl load -w /Library/LaunchDaemons/com.google.santad.plist
+
+sleep 1
+
+# Create hopefully useful symlink for santactl
+/bin/ln -sf /Library/Extensions/santa-driver.kext/Contents/MacOS/santactl /usr/local/bin
+
+user=$(/usr/bin/stat -f '%u' /dev/console)
+[[ -z "$user" ]] && exit 0
+/bin/launchctl asuser ${user} /bin/launchctl load /Library/LaunchAgents/com.google.santagui.plist
+
+exit 0

Conf/Package/preinstall

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Unload the kernel extension, santad, sync client
+# If a user is logged in, also unload the GUI agent.
+# If the target volume is not /, do nothing
+
+[[ $3 != "/" ]] && exit 0
+
+/bin/launchctl remove com.google.santad
+
+sleep 1
+
+/sbin/kextunload -b com.google.santa-driver >/dev/null 2>&1
+
+# Remove cruft from old Santa versions
+/bin/rm /usr/libexec/santad
+/bin/rm /usr/sbin/santactl
+/bin/launchctl remove com.google.santasync
+/bin/rm /Library/LaunchDaemons/com.google.santasync.plist
+
+sleep 1
+
+user=$(/usr/bin/stat -f '%u' /dev/console)
+[[ -n "$user" ]] && /bin/launchctl asuser ${user} /bin/launchctl remove com.google.santagui
+
+exit 0

Conf/com.google.santa.asl.conf

@@ -1,4 +1,8 @@
 # Copy this file to /etc/asl to log all messages from santa-driver to the log file
-? [S= Message santa-driver:] claim only
-? [S= Message santa-driver:] file /var/log/santa.log format="[$((Time)(utc.3))] $Message"
-> /var/log/santa.log mode=0644 rotate=seq compress file_max=5M all_max=100M
+> /var/log/santa.log format="[$((Time)(ISO8601Z.3))] $Message" mode=0644 rotate=seq compress file_max=25M all_max=100M uid=0 gid=0
+? [= Sender kernel] [S= Message santa-driver:] claim
+? [= Sender kernel] [S= Message santa-driver:] file /var/log/santa.log
+? [= Sender santad] claim
+? [= Sender santad] file /var/log/santa.log
+? [= Sender santactl] claim
+? [= Sender santactl] file /var/log/santa.log

Conf/com.google.santad.plist

@@ -6,19 +6,15 @@
 				<string>com.google.santad</string>
 				<key>ProgramArguments</key>
 				<array>
-								<string>/usr/libexec/santad</string>
+					<string>/Library/Extensions/santa-driver.kext/Contents/MacOS/santad</string>
 				</array>
 				<key>MachServices</key>
 				<dict>
-								<key>SantaXPCNotifications</key>
-								<true/>
-								<key>SantaXPCControl</key>
-								<true/>
+					<key>SantaXPCNotifications</key>
+					<true/>
+					<key>SantaXPCControl</key>
+					<true/>
 				</dict>
-				<key>StandardOutPath</key>
-				<string>/var/log/santa.log</string>
-				<key>StandardErrorPath</key>
-				<string>/var/log/santa.log</string>
 				<key>RunAtLoad</key>
 				<true/>
 				<key>KeepAlive</key>

Conf/com.google.santagui.plist

@@ -10,5 +10,7 @@
 				</array>
 				<key>RunAtLoad</key>
 				<true/>
+				<key>KeepAlive</key>
+				<true/>
 </dict>
 </plist>

Conf/com.google.santasync.plist

@@ -1,19 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-				<key>Label</key>
-				<string>com.google.santasync</string>
-				<key>ProgramArguments</key>
-				<array>
-								<string>/usr/sbin/santactl</string>
-								<string>sync</string>
-				</array>
-				<key>StandardErrorPath</key>
-				<string>/var/log/santa.log</string>
-				<key>ProcessType</key>
-				<string>Background</string>
-				<key>StartInterval</key>
-				<integer>600</integer>
-</dict>
-</plist>

Conf/install.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+
+if [[ $EUID -ne 0 ]]; then
+  echo "This script must be run as root" 1>&2
+  exit 1
+fi
+
+if [[ -d "binaries" ]]; then
+  SOURCE="."
+elif [[ -d "../binaries" ]]; then
+  SOURCE=".."
+else
+  echo "Can't find binaries, run install.sh from inside the conf directory" 1>&2
+  exit 1
+fi
+
+# Determine if anyone is logged into the GUI
+GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
+
+# Unload santad and scheduled sync job.
+/bin/launchctl remove com.google.santad >/dev/null 2>&1
+
+# Unload kext.
+/sbin/kextunload -b com.google.santa-driver >/dev/null 2>&1
+
+# Unload GUI agent if someone is logged in.
+[[ -n "$GUI_USER" ]] && \
+  /bin/launchctl asuser ${GUI_USER} /bin/launchctl remove /Library/LaunchAgents/com.google.santagui.plist
+
+# Cleanup cruft from old versions
+/bin/launchctl remove com.google.santasync >/dev/null 2>&1
+/bin/rm /Library/LaunchDaemons/com.google.santasync.plist >/dev/null 2>&1
+/bin/rm /usr/libexec/santad >/dev/null 2>&1
+/bin/rm /usr/sbin/santactl >/dev/null 2>&1
+
+# Copy new files.
+/bin/cp -r ${SOURCE}/binaries/santa-driver.kext /Library/Extensions
+/bin/cp -r ${SOURCE}/binaries/Santa.app /Applications
+/bin/ln -s /Library/Extensions/santa-driver.kext/Contents/MacOS/santactl /usr/local/bin
+
+/bin/cp ${SOURCE}/conf/com.google.santad.plist /Library/LaunchDaemons
+/bin/cp ${SOURCE}/conf/com.google.santagui.plist /Library/LaunchAgents
+/bin/cp ${SOURCE}/conf/com.google.santa.asl.conf /etc/asl/
+
+# Reload syslogd to pick up ASL configuration change.
+/usr/bin/killall -HUP syslogd
+
+# Load kext.
+/sbin/kextload /Library/Extensions/santa-driver.kext
+
+# Load santad and scheduled sync jobs.
+/bin/launchctl load /Library/LaunchDaemons/com.google.santad.plist
+
+# Load GUI agent if someone is logged in.
+[[ -n "$GUI_USER" ]] && \
+  /bin/launchctl asuser ${GUI_USER} /bin/launchctl load /Library/LaunchAgents/com.google.santagui.plist
+
+exit 0

Podfile

@@ -5,12 +5,13 @@ inhibit_all_warnings!
 target :santad do
   pod 'FMDB'
 
-  post_install do |rep|
-    rep.project.targets.each do |target|
+  post_install do |installer|
+    installer.pods_project.targets.each do |target|
       target.build_configurations.each do |config|
         if config.name != 'Release' then
           break
         end
+
         config.build_settings['GCC_PREPROCESSOR_DEFINITIONS'] ||= ''
         config.build_settings['GCC_PREPROCESSOR_DEFINITIONS'] <<= "NDEBUG=1"
       end

Podfile.lock

@@ -14,4 +14,4 @@ SPEC CHECKSUMS:
   FMDB: 96e8f1bcc1329e269330f99770ad4285d9003e52
   OCMock: a10ea9f0a6e921651f96f78b6faee95ebc813b92
 
-COCOAPODS: 0.36.1
+COCOAPODS: 0.38.2

README.md

@@ -1,7 +1,7 @@
 Santa  [![Build Status](https://travis-ci.org/google/santa.png?branch=master)](https://travis-ci.org/google/santa)
 =====
 
-Santa is a binary whitelisting/blacklisting system for Mac OS X. It consists of
+Santa is a binary whitelisting/blacklisting system for OS X. It consists of
 a kernel extension that monitors for executions, a userland daemon that makes
 execution decisions based on the contents of a SQLite database, a GUI agent that
 notifies the user in case of a block decision and a command-line utility for
@@ -46,11 +46,21 @@ server.
 programming interfaces to do its job. This means that the kext code should
 continue to work across OS versions.
 
+Intentions and Expectations
+===========================
+No single system or process will stop *all* attacks, or provide 100% security. Santa is written with the intention of helping protect users from themselves. People often download malware and trust it, giving the malware credentials, or allowing unknown software to exfiltrate more data about your system. As a centrally managed component, Santa can help stop the spread of malware among a larger fleet of machines. Additionally, Santa can aid in analyzing what is running in your fleet.
+
+Santa is part of a defense-in-depth strategy, and you should continue to protect hosts in whatever other ways you see fit.
+
 Known Issues
 ============
-
 Santa is not yet a 1.0 and we have some known issues to be aware of:
 
+* Santa only blocks execution (execve and variants), it doesn't protect against
+dynamic libraries loaded with dlopen, libraries on disk that have been replaced or
+libraries loaded using DYLD_INSERT_LIBRARIES. We are working on also protecting
+against these avenues of attack.
+
 * Kext communication security: the kext will only accept a connection from a
 single client at a time and said client must be running as root. We haven't yet
 found a good way to ensure the kext only accepts connections from a valid client.
@@ -80,7 +90,6 @@ option) if it would be useful to others.
 
 Building
 ========
-
 ```sh
 git clone https://github.com/google/santa
 cd santa
@@ -98,7 +107,6 @@ and for security-reasons parts of Santa will not operate properly if not signed.
 
 Kext Signing
 ============
-
 10.9 requires a special Developer ID certificate to sign kernel extensions and
 if the kext is not signed with one of these special certificates a warning will
 be shown when loading the kext for the first time. In 10.10 this is a hard error
@@ -124,11 +132,9 @@ kext-dev mode, instructions for which can be found on the Apple developer site.
 
 Contributing
 ============
-
 Patches to this project are very much welcome. Please see the [CONTRIBUTING](https://github.com/google/santa/blob/master/CONTRIBUTING.md)
 file.
 
 Disclaimer
 ==========
-
 This is **not** an official Google product.

Rakefile

@@ -1,10 +1,9 @@
-require 'timeout'
-
 WORKSPACE           = 'Santa.xcworkspace'
 DEFAULT_SCHEME      = 'All'
 OUTPUT_PATH         = 'Build'
 DIST_PATH           = 'Dist'
-BINARIES            = ['Santa.app', 'santa-driver.kext', 'santad', 'santactl']
+BINARIES            = ['Santa.app', 'santa-driver.kext']
+DSYMS               = ['Santa.app.dSYM', 'santa-driver.kext.dSYM', 'santad.dSYM', 'santactl.dSYM']
 XCPRETTY_DEFAULTS   = '-sc'
 XCODEBUILD_DEFAULTS = "-workspace #{WORKSPACE} -derivedDataPath #{OUTPUT_PATH} -parallelizeTargets"
 
@@ -33,10 +32,8 @@ task :init do
 end
 
 task :remove_existing do
-  system 'sudo rm -rf /santa-driver.kext'
+  system 'sudo rm -rf /Library/Extensions/santa-driver.kext'
   system 'sudo rm -rf /Applications/Santa.app'
-  system 'sudo rm /usr/libexec/santad'
-  system 'sudo rm /usr/sbin/santactl'
 end
 
 desc "Clean"
@@ -82,16 +79,13 @@ namespace :install do
   task :install, [:configuration] do |t, args|
     config = args[:configuration]
     system 'sudo cp conf/com.google.santad.plist /Library/LaunchDaemons'
-    system 'sudo cp conf/com.google.santasync.plist /Library/LaunchDaemons'
     system 'sudo cp conf/com.google.santagui.plist /Library/LaunchAgents'
     system 'sudo cp conf/com.google.santa.asl.conf /etc/asl'
     Rake::Task['build:build'].invoke(config)
     puts "Installing with configuration: #{config}"
     Rake::Task['remove_existing'].invoke()
-    system "sudo cp -r #{OUTPUT_PATH}/Products/#{config}/santa-driver.kext /"
+    system "sudo cp -r #{OUTPUT_PATH}/Products/#{config}/santa-driver.kext /Library/Extensions"
     system "sudo cp -r #{OUTPUT_PATH}/Products/#{config}/Santa.app /Applications"
-    system "sudo cp #{OUTPUT_PATH}/Products/#{config}/santad /usr/libexec"
-    system "sudo cp #{OUTPUT_PATH}/Products/#{config}/santactl /usr/sbin"
   end
 end
 
@@ -99,6 +93,7 @@ end
 task :dist do
   desc "Create distribution folder"
 
+  Rake::Task['clean'].invoke()
   Rake::Task['build:build'].invoke("Release")
 
   FileUtils.rm_rf(DIST_PATH)
@@ -109,10 +104,14 @@ task :dist do
 
   BINARIES.each do |x|
     FileUtils.cp_r("#{OUTPUT_PATH}/Products/Release/#{x}", "#{DIST_PATH}/binaries")
-    FileUtils.cp_r("#{OUTPUT_PATH}/Products/Release/#{x}.dSYM", "#{DIST_PATH}/dsym")
   end
 
-  Dir.glob("Conf/*") {|x| FileUtils.cp(x, "#{DIST_PATH}/conf")}
+  DSYMS.each do |x|
+    FileUtils.cp_r("#{OUTPUT_PATH}/Products/Release/#{x}", "#{DIST_PATH}/dsym")
+  end
+
+
+  Dir.glob("Conf/*") {|x| File.directory?(x) or FileUtils.cp(x, "#{DIST_PATH}/conf")}
 
   puts "Distribution folder created"
 end
@@ -130,16 +129,17 @@ namespace :tests do
     Rake::Task['unload'].invoke()
     Rake::Task['install:debug'].invoke()
     Rake::Task['load_kext'].invoke
-    timeout = 30
-    puts "Running kernel tests with a #{timeout} second timeout"
+    FileUtils.mkdir_p("/tmp/santa_kerneltests_tmp")
     begin
-      Timeout::timeout(timeout) {
-        system "sudo #{OUTPUT_PATH}/Products/Debug/KernelTests"
-      }
-    rescue Timeout::Error
-      puts "ERROR: tests ran for longer than #{timeout} seconds and were killed."
+      puts "\033[?25l\033[12h"  # hide cursor
+      puts "Running kernel tests"
+      system "cd /tmp/santa_kerneltests_tmp && sudo #{Dir.pwd}/#{OUTPUT_PATH}/Products/Debug/KernelTests"
+    rescue Exception
+    ensure
+      puts "\033[?25h\033[12l\n\n"  # unhide cursor
+      FileUtils.rm_rf("/tmp/santa_kerneltests_tmp")
+      Rake::Task['unload_kext'].execute
     end
-    Rake::Task['unload_kext'].execute
   end
 end
 
@@ -156,7 +156,7 @@ end
 
 task :unload_gui do
   puts "Unloading GUI agent"
-  system "sudo killall Santa 2>/dev/null"
+  system "launchctl unload /Library/LaunchAgents/com.google.santagui.plist 2>/dev/null"
 end
 
 desc "Unload"
@@ -169,12 +169,12 @@ end
 
 task :load_kext do
   puts "Loading kernel extension"
-  system "sudo kextload /santa-driver.kext"
+  system "sudo kextload /Library/Extensions/santa-driver.kext"
 end
 
 task :load_gui do
   puts "Loading GUI agent"
-  system "open /Applications/Santa.app"
+  system "launchctl load /Library/LaunchAgents/com.google.santagui.plist 2>/dev/null"
 end
 
 desc "Load"

Santa.xcodeproj/project.pbxproj

@@ -78,6 +78,10 @@
 		0D4644C5182AF81700098690 /* SantaDecisionManager.cc in Sources */ = {isa = PBXBuildFile; fileRef = 0D4644C3182AF81700098690 /* SantaDecisionManager.cc */; };
 		0D4644C6182AF81700098690 /* SantaDecisionManager.h in Headers */ = {isa = PBXBuildFile; fileRef = 0D4644C4182AF81700098690 /* SantaDecisionManager.h */; };
 		0D4A5007176A4602004F63BF /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 0D4A5006176A4602004F63BF /* Security.framework */; };
+		0D536ED71B8E7A2E0039A26D /* bad_pagezero in Resources */ = {isa = PBXBuildFile; fileRef = 0D536ED51B8E7A2E0039A26D /* bad_pagezero */; };
+		0D536ED81B8E7A2E0039A26D /* missing_pagezero in Resources */ = {isa = PBXBuildFile; fileRef = 0D536ED61B8E7A2E0039A26D /* missing_pagezero */; };
+		0D536EDB1B94E9230039A26D /* SNTEventLog.m in Sources */ = {isa = PBXBuildFile; fileRef = 0D536EDA1B94E9230039A26D /* SNTEventLog.m */; };
+		0D536EDC1B94E9230039A26D /* SNTEventLog.m in Sources */ = {isa = PBXBuildFile; fileRef = 0D536EDA1B94E9230039A26D /* SNTEventLog.m */; };
 		0D54E0B11976F8D3000BB59F /* SNTFileInfo.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DCD6041190ACCB8006B445C /* SNTFileInfo.m */; };
 		0D59C0E417710E6000748EBF /* SNTCodesignChecker.m in Sources */ = {isa = PBXBuildFile; fileRef = 0D59C0E317710E6000748EBF /* SNTCodesignChecker.m */; };
 		0D63DD5C1906FCB400D346C4 /* SNTDatabaseController.m in Sources */ = {isa = PBXBuildFile; fileRef = 0D63DD5B1906FCB400D346C4 /* SNTDatabaseController.m */; };
@@ -113,10 +117,13 @@
 		0DA73CA11934F8100056D7C4 /* SNTLogging.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DA73C9E1934F8100056D7C4 /* SNTLogging.m */; };
 		0DA73CA21934F88D0056D7C4 /* SNTLogging.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DA73C9E1934F8100056D7C4 /* SNTLogging.m */; };
 		0DB390991AB1E11400614002 /* SNTCommandVersion.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DB390981AB1E11400614002 /* SNTCommandVersion.m */; };
+		0DB537871AFD36EB00487F92 /* SNTRuleTableTest.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DB537861AFD36EB00487F92 /* SNTRuleTableTest.m */; };
 		0DB8ACC1185662DC00FEF9C7 /* SNTApplication.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DB8ACC0185662DC00FEF9C7 /* SNTApplication.m */; };
 		0DC5D86D191AED220078A5C0 /* SNTRuleTable.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DC5D86C191AED220078A5C0 /* SNTRuleTable.m */; };
 		0DC5D86E191AED220078A5C0 /* SNTRuleTable.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DC5D86C191AED220078A5C0 /* SNTRuleTable.m */; };
 		0DC5D871192160180078A5C0 /* SNTCommandSyncLogUpload.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DC5D870192160180078A5C0 /* SNTCommandSyncLogUpload.m */; };
+		0DC765EA1B28D9EA00BAE651 /* santad in CopyFiles */ = {isa = PBXBuildFile; fileRef = 0D9A7F3D1759330500035EB5 /* santad */; settings = {ATTRIBUTES = (CodeSignOnCopy, ); }; };
+		0DC765EB1B28D9EA00BAE651 /* santactl in CopyFiles */ = {isa = PBXBuildFile; fileRef = 0D35BD9E18FD71CE00921A21 /* santactl */; settings = {ATTRIBUTES = (CodeSignOnCopy, ); }; };
 		0DCA552718C95928002A7DAE /* SNTXPCConnection.m in Sources */ = {isa = PBXBuildFile; fileRef = 0D6FDC9518C93A020044685C /* SNTXPCConnection.m */; };
 		0DCD5FBF1909D64A006B445C /* SNTCommandBinaryInfo.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DCD5FBE1909D64A006B445C /* SNTCommandBinaryInfo.m */; };
 		0DCD6042190ACCB8006B445C /* SNTFileInfo.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DCD6041190ACCB8006B445C /* SNTFileInfo.m */; };
@@ -147,6 +154,8 @@
 		0DE50F6C19130358007B2B0C /* SNTStoredEvent.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DCD604A19105433006B445C /* SNTStoredEvent.m */; };
 		0DE50F6E191304E0007B2B0C /* SNTRule.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DE50F671912716A007B2B0C /* SNTRule.m */; };
 		0DE6788D1784A8C2007A9E52 /* SNTExecutionController.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DE6788C1784A8C2007A9E52 /* SNTExecutionController.m */; };
+		0DE71A751B95F7F900518526 /* SNTCachedDecision.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DE71A741B95F7F900518526 /* SNTCachedDecision.m */; };
+		0DE71A761B95F7F900518526 /* SNTCachedDecision.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DE71A741B95F7F900518526 /* SNTCachedDecision.m */; };
 		0DEFB7C01ACB28B000B92AAE /* SNTCommandSyncConstants.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DEFB7BF1ACB28B000B92AAE /* SNTCommandSyncConstants.m */; };
 		0DEFB7C41ACDD80100B92AAE /* SNTFileWatcher.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DEFB7C31ACDD80100B92AAE /* SNTFileWatcher.m */; };
 		0DEFB7C51ACDD80100B92AAE /* SNTFileWatcher.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DEFB7C31ACDD80100B92AAE /* SNTFileWatcher.m */; };
@@ -202,8 +211,36 @@
 			remoteGlobalIDString = 0D9A7F3C1759330400035EB5;
 			remoteInfo = santad;
 		};
+		0DC765E51B28D9C600BAE651 /* PBXContainerItemProxy */ = {
+			isa = PBXContainerItemProxy;
+			containerPortal = 0D91BCA8174E8A6500131A7D /* Project object */;
+			proxyType = 1;
+			remoteGlobalIDString = 0D9A7F3C1759330400035EB5;
+			remoteInfo = santad;
+		};
+		0DC765E71B28D9C600BAE651 /* PBXContainerItemProxy */ = {
+			isa = PBXContainerItemProxy;
+			containerPortal = 0D91BCA8174E8A6500131A7D /* Project object */;
+			proxyType = 1;
+			remoteGlobalIDString = 0D35BD9D18FD71CE00921A21;
+			remoteInfo = santactl;
+		};
 /* End PBXContainerItemProxy section */
 
+/* Begin PBXCopyFilesBuildPhase section */
+		0DC765E91B28D9CB00BAE651 /* CopyFiles */ = {
+			isa = PBXCopyFilesBuildPhase;
+			buildActionMask = 2147483647;
+			dstPath = "";
+			dstSubfolderSpec = 6;
+			files = (
+				0DC765EA1B28D9EA00BAE651 /* santad in CopyFiles */,
+				0DC765EB1B28D9EA00BAE651 /* santactl in CopyFiles */,
+			);
+			runOnlyForDeploymentPostprocessing = 0;
+		};
+/* End PBXCopyFilesBuildPhase section */
+
 /* Begin PBXFileReference section */
 		0A84545E322F475FA0B505D5 /* libPods-santad.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = "libPods-santad.a"; sourceTree = BUILT_PRODUCTS_DIR; };
 		0D0016A2192BCD3C005E7FCD /* KernelTests */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = KernelTests; sourceTree = BUILT_PRODUCTS_DIR; };
@@ -265,6 +302,10 @@
 		0D4644C3182AF81700098690 /* SantaDecisionManager.cc */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SantaDecisionManager.cc; sourceTree = "<group>"; };
 		0D4644C4182AF81700098690 /* SantaDecisionManager.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SantaDecisionManager.h; sourceTree = "<group>"; };
 		0D4A5006176A4602004F63BF /* Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Security.framework; path = /System/Library/Frameworks/Security.framework; sourceTree = "<absolute>"; };
+		0D536ED51B8E7A2E0039A26D /* bad_pagezero */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.executable"; path = bad_pagezero; sourceTree = "<group>"; };
+		0D536ED61B8E7A2E0039A26D /* missing_pagezero */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.executable"; path = missing_pagezero; sourceTree = "<group>"; };
+		0D536ED91B94E9230039A26D /* SNTEventLog.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SNTEventLog.h; sourceTree = "<group>"; };
+		0D536EDA1B94E9230039A26D /* SNTEventLog.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTEventLog.m; sourceTree = "<group>"; };
 		0D59C0E217710E6000748EBF /* SNTCodesignChecker.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SNTCodesignChecker.h; sourceTree = "<group>"; };
 		0D59C0E317710E6000748EBF /* SNTCodesignChecker.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTCodesignChecker.m; sourceTree = "<group>"; };
 		0D63DD5A1906FCB400D346C4 /* SNTDatabaseController.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SNTDatabaseController.h; sourceTree = "<group>"; };
@@ -301,6 +342,7 @@
 		0DA73C9E1934F8100056D7C4 /* SNTLogging.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTLogging.m; sourceTree = "<group>"; };
 		0DB2B92318085753001C01D9 /* santad-Prefix.pch */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "santad-Prefix.pch"; sourceTree = "<group>"; };
 		0DB390981AB1E11400614002 /* SNTCommandVersion.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = SNTCommandVersion.m; path = version/SNTCommandVersion.m; sourceTree = "<group>"; };
+		0DB537861AFD36EB00487F92 /* SNTRuleTableTest.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTRuleTableTest.m; sourceTree = "<group>"; };
 		0DB8ACBF185662DC00FEF9C7 /* SNTApplication.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SNTApplication.h; sourceTree = "<group>"; };
 		0DB8ACC0185662DC00FEF9C7 /* SNTApplication.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; lineEnding = 0; path = SNTApplication.m; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objc; };
 		0DB8ACE41858D73000FEF9C7 /* santad-Info.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = "santad-Info.plist"; sourceTree = "<group>"; };
@@ -330,6 +372,8 @@
 		0DE50F671912716A007B2B0C /* SNTRule.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTRule.m; sourceTree = "<group>"; };
 		0DE6788B1784A8C2007A9E52 /* SNTExecutionController.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SNTExecutionController.h; sourceTree = "<group>"; };
 		0DE6788C1784A8C2007A9E52 /* SNTExecutionController.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; lineEnding = 0; path = SNTExecutionController.m; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objc; };
+		0DE71A731B95F7F900518526 /* SNTCachedDecision.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SNTCachedDecision.h; sourceTree = "<group>"; };
+		0DE71A741B95F7F900518526 /* SNTCachedDecision.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTCachedDecision.m; sourceTree = "<group>"; };
 		0DEFB7BF1ACB28B000B92AAE /* SNTCommandSyncConstants.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTCommandSyncConstants.m; sourceTree = "<group>"; };
 		0DEFB7C11ACB28BC00B92AAE /* SNTCommandSyncConstants.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SNTCommandSyncConstants.h; sourceTree = "<group>"; };
 		0DEFB7C21ACDD80100B92AAE /* SNTFileWatcher.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SNTFileWatcher.h; sourceTree = "<group>"; };
@@ -421,6 +465,7 @@
 				0DD0D490194F9947005F27EB /* SNTExecutionControllerTest.m */,
 				0DD0D48E194F78F8005F27EB /* SNTFileInfoTest.m */,
 				0DEFB7C71ACF0BFE00B92AAE /* SNTFileWatcherTest.m */,
+				0DB537861AFD36EB00487F92 /* SNTRuleTableTest.m */,
 				0D3AFBE618FB32CB0087BCEE /* SNTXPCConnectionTest.m */,
 			);
 			path = LogicTests;
@@ -429,6 +474,8 @@
 		0D260DB018B68E12002A0B55 /* Resources */ = {
 			isa = PBXGroup;
 			children = (
+				0D536ED51B8E7A2E0039A26D /* bad_pagezero */,
+				0D536ED61B8E7A2E0039A26D /* missing_pagezero */,
 				0D2CD4601A81C7B100C9C910 /* dn.plist */,
 				0D6FDC8618C6913D0044685C /* apple.pem */,
 				0D6FDC8218C68D7E0044685C /* GIAG2.crt */,
@@ -655,18 +702,22 @@
 			isa = PBXGroup;
 			children = (
 				0DA73CA519363C9F0056D7C4 /* DataLayer */,
-				0D3AF83118F87CEF0087BCEE /* Resources */,
+				0D9A7F411759330500035EB5 /* main.m */,
 				0DB8ACBF185662DC00FEF9C7 /* SNTApplication.h */,
 				0DB8ACC0185662DC00FEF9C7 /* SNTApplication.m */,
+				0DE71A731B95F7F900518526 /* SNTCachedDecision.h */,
+				0DE71A741B95F7F900518526 /* SNTCachedDecision.m */,
 				0D8E18CB19107B56000F89B8 /* SNTDaemonControlController.h */,
 				0D8E18CC19107B56000F89B8 /* SNTDaemonControlController.m */,
 				0D63DD5A1906FCB400D346C4 /* SNTDatabaseController.h */,
 				0D63DD5B1906FCB400D346C4 /* SNTDatabaseController.m */,
 				0D7D01851774F93A005DBAB4 /* SNTDriverManager.h */,
 				0D7D01861774F93A005DBAB4 /* SNTDriverManager.m */,
+				0D536ED91B94E9230039A26D /* SNTEventLog.h */,
+				0D536EDA1B94E9230039A26D /* SNTEventLog.m */,
 				0DE6788B1784A8C2007A9E52 /* SNTExecutionController.h */,
 				0DE6788C1784A8C2007A9E52 /* SNTExecutionController.m */,
-				0D9A7F411759330500035EB5 /* main.m */,
+				0D3AF83118F87CEF0087BCEE /* Resources */,
 			);
 			name = santad;
 			path = Source/santad;
@@ -832,10 +883,13 @@
 				0DD98E691A5DD5C900A754C6 /* Update Module Version */,
 				0D91BCAE174E8A7E00131A7D /* Sources */,
 				0D91BCB0174E8A7E00131A7D /* Headers */,
+				0DC765E91B28D9CB00BAE651 /* CopyFiles */,
 			);
 			buildRules = (
 			);
 			dependencies = (
+				0DC765E61B28D9C600BAE651 /* PBXTargetDependency */,
+				0DC765E81B28D9C600BAE651 /* PBXTargetDependency */,
 			);
 			name = "santa-driver";
 			productName = "santa-driver";
@@ -906,8 +960,10 @@
 				0D6FDC8518C68E500044685C /* GIAG2.pem in Resources */,
 				0D6FDC8318C68D7E0044685C /* GIAG2.crt in Resources */,
 				0D6F12DA19EDE51E006B218E /* tubitak.crt in Resources */,
+				0D536ED71B8E7A2E0039A26D /* bad_pagezero in Resources */,
 				0D2CD4611A81C7B100C9C910 /* dn.plist in Resources */,
 				0D6FDC8718C6913D0044685C /* apple.pem in Resources */,
+				0D536ED81B8E7A2E0039A26D /* missing_pagezero in Resources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -1093,6 +1149,7 @@
 			buildActionMask = 2147483647;
 			files = (
 				0D88680C1AC48A1400B86659 /* SNTSystemInfo.m in Sources */,
+				0D536EDC1B94E9230039A26D /* SNTEventLog.m in Sources */,
 				0D63DD5E1906FCB400D346C4 /* SNTDatabaseController.m in Sources */,
 				0D3AFBF018FB4C6C0087BCEE /* SNTDriverManager.m in Sources */,
 				0DCD6044190ACCB8006B445C /* SNTFileInfo.m in Sources */,
@@ -1101,6 +1158,7 @@
 				0DD0D491194F9947005F27EB /* SNTExecutionControllerTest.m in Sources */,
 				0D3AFBEF18FB4C6C0087BCEE /* SNTExecutionController.m in Sources */,
 				0D3AFBEC18FB48E70087BCEE /* SNTEventTable.m in Sources */,
+				0DB537871AFD36EB00487F92 /* SNTRuleTableTest.m in Sources */,
 				0DCD604D19105433006B445C /* SNTStoredEvent.m in Sources */,
 				0DCD605819115E57006B445C /* SNTXPCControlInterface.m in Sources */,
 				0D10BE891A0AAF6700C0C944 /* SNTDropRootPrivs.m in Sources */,
@@ -1117,6 +1175,7 @@
 				0DC5D86E191AED220078A5C0 /* SNTRuleTable.m in Sources */,
 				0D31DF4718D254B3002B300D /* SNTCodesignChecker.m in Sources */,
 				0DD0D492194F9BEF005F27EB /* SNTLogging.m in Sources */,
+				0DE71A761B95F7F900518526 /* SNTCachedDecision.m in Sources */,
 				0DD0D48D194F6D5B005F27EB /* SNTCodesignCheckerTest.m in Sources */,
 				0DCD605919115E5A006B445C /* SNTXPCNotifierInterface.m in Sources */,
 				0DE50F691912B0CD007B2B0C /* SNTRule.m in Sources */,
@@ -1208,6 +1267,7 @@
 				0D9A7F421759330500035EB5 /* main.m in Sources */,
 				0D1AF477187C7A2C00D3298D /* SNTCertificate.m in Sources */,
 				0DA73C9F1934F8100056D7C4 /* SNTLogging.m in Sources */,
+				0DE71A751B95F7F900518526 /* SNTCachedDecision.m in Sources */,
 				0DCD6042190ACCB8006B445C /* SNTFileInfo.m in Sources */,
 				0DEFB7C41ACDD80100B92AAE /* SNTFileWatcher.m in Sources */,
 				0DC5D86D191AED220078A5C0 /* SNTRuleTable.m in Sources */,
@@ -1220,6 +1280,7 @@
 				0D59C0E417710E6000748EBF /* SNTCodesignChecker.m in Sources */,
 				0D42D2B819D2042900955F08 /* SNTConfigurator.m in Sources */,
 				0DCD605519115D17006B445C /* SNTXPCControlInterface.m in Sources */,
+				0D536EDB1B94E9230039A26D /* SNTEventLog.m in Sources */,
 				0DCD604F19115A06006B445C /* SNTXPCNotifierInterface.m in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
@@ -1257,6 +1318,16 @@
 			target = 0D9A7F3C1759330400035EB5 /* santad */;
 			targetProxy = 0D9A7F591759393600035EB5 /* PBXContainerItemProxy */;
 		};
+		0DC765E61B28D9C600BAE651 /* PBXTargetDependency */ = {
+			isa = PBXTargetDependency;
+			target = 0D9A7F3C1759330400035EB5 /* santad */;
+			targetProxy = 0DC765E51B28D9C600BAE651 /* PBXContainerItemProxy */;
+		};
+		0DC765E81B28D9C600BAE651 /* PBXTargetDependency */ = {
+			isa = PBXTargetDependency;
+			target = 0D35BD9D18FD71CE00921A21 /* santactl */;
+			targetProxy = 0DC765E71B28D9C600BAE651 /* PBXContainerItemProxy */;
+		};
 /* End PBXTargetDependency section */
 
 /* Begin XCBuildConfiguration section */
@@ -1289,8 +1360,10 @@
 				GCC_WARN_UNINITIALIZED_AUTOS = YES;
 				GCC_WARN_UNUSED_FUNCTION = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
+				INSTALL_PATH = "";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE = "";
+				WARNING_CFLAGS = "";
 			};
 			name = Debug;
 		};
@@ -1317,8 +1390,10 @@
 				GCC_WARN_UNINITIALIZED_AUTOS = YES;
 				GCC_WARN_UNUSED_FUNCTION = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
+				INSTALL_PATH = "";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE = "";
+				WARNING_CFLAGS = "";
 			};
 			name = Release;
 		};
@@ -1367,6 +1442,7 @@
 				);
 				INFOPLIST_FILE = "Tests/LogicTests/Resources/Tests-Info.plist";
 				PRODUCT_NAME = "$(TARGET_NAME)";
+				WARNING_CFLAGS = "";
 				WRAPPER_EXTENSION = xctest;
 			};
 			name = Debug;
@@ -1410,6 +1486,7 @@
 				);
 				INFOPLIST_FILE = "Tests/LogicTests/Resources/Tests-Info.plist";
 				PRODUCT_NAME = "$(TARGET_NAME)";
+				WARNING_CFLAGS = "";
 				WRAPPER_EXTENSION = xctest;
 			};
 			name = Release;
@@ -1448,6 +1525,7 @@
 				GCC_WARN_UNUSED_FUNCTION = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
 				INFOPLIST_FILE = "${DERIVED_FILE_DIR}/santactl-Info.plist";
+				INSTALL_PATH = "";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE = "";
 			};
@@ -1481,6 +1559,7 @@
 				GCC_WARN_UNUSED_FUNCTION = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
 				INFOPLIST_FILE = "${DERIVED_FILE_DIR}/santactl-Info.plist";
+				INSTALL_PATH = "";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE = "";
 			};
@@ -1574,6 +1653,11 @@
 				PROVISIONING_PROFILE = "";
 				RUN_CLANG_STATIC_ANALYZER = YES;
 				SDKROOT = macosx;
+				WARNING_CFLAGS = (
+					"-Wall",
+					"-Wextra",
+					"-Wno-unused-parameter",
+				);
 			};
 			name = Debug;
 		};
@@ -1589,6 +1673,11 @@
 				PROVISIONING_PROFILE = "";
 				RUN_CLANG_STATIC_ANALYZER = YES;
 				SDKROOT = macosx;
+				WARNING_CFLAGS = (
+					"-Wall",
+					"-Wextra",
+					"-Wno-unused-parameter",
+				);
 			};
 			name = Release;
 		};
@@ -1604,6 +1693,7 @@
 				CLANG_WARN_INT_CONVERSION = YES;
 				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
 				COMBINE_HIDPI_IMAGES = YES;
+				COPY_PHASE_STRIP = NO;
 				GCC_DYNAMIC_NO_PIC = NO;
 				GCC_ENABLE_OBJC_EXCEPTIONS = YES;
 				GCC_OPTIMIZATION_LEVEL = 0;
@@ -1622,7 +1712,10 @@
 				OTHER_LDFLAGS = "";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				SWIFT_OPTIMIZATION_LEVEL = "-Onone";
-				WARNING_CFLAGS = "-Wno-deprecated-register";
+				WARNING_CFLAGS = (
+					"-Wno-deprecated-register",
+					"$(inherit)",
+				);
 				WRAPPER_EXTENSION = kext;
 			};
 			name = Debug;
@@ -1639,6 +1732,7 @@
 				CLANG_WARN_INT_CONVERSION = YES;
 				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
 				COMBINE_HIDPI_IMAGES = YES;
+				COPY_PHASE_STRIP = NO;
 				GCC_ENABLE_OBJC_EXCEPTIONS = YES;
 				GCC_PRECOMPILE_PREFIX_HEADER = YES;
 				GCC_PREPROCESSOR_DEFINITIONS = "";
@@ -1653,7 +1747,10 @@
 				MODULE_VERSION = TO.BE.FILLED;
 				OTHER_LDFLAGS = "";
 				PRODUCT_NAME = "$(TARGET_NAME)";
-				WARNING_CFLAGS = "-Wno-deprecated-register";
+				WARNING_CFLAGS = (
+					"-Wno-deprecated-register",
+					"$(inherit)",
+				);
 				WRAPPER_EXTENSION = kext;
 			};
 			name = Release;
@@ -1701,7 +1798,7 @@
 				GCC_WARN_UNINITIALIZED_AUTOS = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
 				INFOPLIST_FILE = "${DERIVED_FILE_DIR}/santad-Info.plist";
-				INSTALL_PATH = /usr/sbin;
+				INSTALL_PATH = "";
 				LIBRARY_SEARCH_PATHS = "$(inherited)";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 			};
@@ -1729,7 +1826,7 @@
 				GCC_WARN_UNINITIALIZED_AUTOS = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
 				INFOPLIST_FILE = "${DERIVED_FILE_DIR}/santad-Info.plist";
-				INSTALL_PATH = /usr/sbin;
+				INSTALL_PATH = "";
 				LIBRARY_SEARCH_PATHS = "$(inherited)";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 			};

Santa.xcodeproj/xcshareddata/xcschemes/All.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0510"
+   LastUpgradeVersion = "0620"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -49,6 +49,15 @@
       ignoresPersistentStateOnLaunch = "NO"
       debugDocumentVersioning = "YES"
       allowLocationSimulation = "YES">
+      <MacroExpansion>
+         <BuildableReference
+            BuildableIdentifier = "primary"
+            BlueprintIdentifier = "0D91BCDC174E8AE600131A7D"
+            BuildableName = "All"
+            BlueprintName = "All"
+            ReferencedContainer = "container:Santa.xcodeproj">
+         </BuildableReference>
+      </MacroExpansion>
       <AdditionalOptions>
       </AdditionalOptions>
    </LaunchAction>

Santa.xcodeproj/xcshareddata/xcschemes/KernelTests.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0600"
+   LastUpgradeVersion = "0620"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -48,7 +48,8 @@
       ignoresPersistentStateOnLaunch = "NO"
       debugDocumentVersioning = "YES"
       allowLocationSimulation = "YES">
-      <BuildableProductRunnable>
+      <BuildableProductRunnable
+         runnableDebuggingMode = "0">
          <BuildableReference
             BuildableIdentifier = "primary"
             BlueprintIdentifier = "0D0016A1192BCD3C005E7FCD"
@@ -66,7 +67,8 @@
       useCustomWorkingDirectory = "NO"
       buildConfiguration = "Release"
       debugDocumentVersioning = "YES">
-      <BuildableProductRunnable>
+      <BuildableProductRunnable
+         runnableDebuggingMode = "0">
          <BuildableReference
             BuildableIdentifier = "primary"
             BlueprintIdentifier = "0D0016A1192BCD3C005E7FCD"

Santa.xcodeproj/xcshareddata/xcschemes/Santa.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0510"
+   LastUpgradeVersion = "0620"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -48,7 +48,8 @@
       ignoresPersistentStateOnLaunch = "NO"
       debugDocumentVersioning = "YES"
       allowLocationSimulation = "YES">
-      <BuildableProductRunnable>
+      <BuildableProductRunnable
+         runnableDebuggingMode = "0">
          <BuildableReference
             BuildableIdentifier = "primary"
             BlueprintIdentifier = "0D385DB5180DE4A900418BC6"
@@ -66,7 +67,8 @@
       useCustomWorkingDirectory = "NO"
       buildConfiguration = "Release"
       debugDocumentVersioning = "YES">
-      <BuildableProductRunnable>
+      <BuildableProductRunnable
+         runnableDebuggingMode = "0">
          <BuildableReference
             BuildableIdentifier = "primary"
             BlueprintIdentifier = "0D385DB5180DE4A900418BC6"

Santa.xcodeproj/xcshareddata/xcschemes/santa-driver.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0510"
+   LastUpgradeVersion = "0620"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -39,6 +39,15 @@
       ignoresPersistentStateOnLaunch = "NO"
       debugDocumentVersioning = "YES"
       allowLocationSimulation = "YES">
+      <MacroExpansion>
+         <BuildableReference
+            BuildableIdentifier = "primary"
+            BlueprintIdentifier = "0D91BCB3174E8A7E00131A7D"
+            BuildableName = "santa-driver.kext"
+            BlueprintName = "santa-driver"
+            ReferencedContainer = "container:Santa.xcodeproj">
+         </BuildableReference>
+      </MacroExpansion>
       <AdditionalOptions>
       </AdditionalOptions>
    </LaunchAction>

Santa.xcodeproj/xcshareddata/xcschemes/santactl.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0510"
+   LastUpgradeVersion = "0620"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -48,7 +48,8 @@
       ignoresPersistentStateOnLaunch = "NO"
       debugDocumentVersioning = "YES"
       allowLocationSimulation = "YES">
-      <BuildableProductRunnable>
+      <BuildableProductRunnable
+         runnableDebuggingMode = "0">
          <BuildableReference
             BuildableIdentifier = "primary"
             BlueprintIdentifier = "0D35BD9D18FD71CE00921A21"
@@ -66,7 +67,8 @@
       useCustomWorkingDirectory = "NO"
       buildConfiguration = "Release"
       debugDocumentVersioning = "YES">
-      <BuildableProductRunnable>
+      <BuildableProductRunnable
+         runnableDebuggingMode = "0">
          <BuildableReference
             BuildableIdentifier = "primary"
             BlueprintIdentifier = "0D35BD9D18FD71CE00921A21"

Santa.xcodeproj/xcshareddata/xcschemes/santad.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0510"
+   LastUpgradeVersion = "0620"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -49,7 +49,8 @@
       ignoresPersistentStateOnLaunch = "NO"
       debugDocumentVersioning = "YES"
       allowLocationSimulation = "YES">
-      <BuildableProductRunnable>
+      <BuildableProductRunnable
+         runnableDebuggingMode = "0">
          <BuildableReference
             BuildableIdentifier = "primary"
             BlueprintIdentifier = "0D9A7F3C1759330400035EB5"
@@ -67,7 +68,8 @@
       useCustomWorkingDirectory = "NO"
       buildConfiguration = "Release"
       debugDocumentVersioning = "YES">
-      <BuildableProductRunnable>
+      <BuildableProductRunnable
+         runnableDebuggingMode = "0">
          <BuildableReference
             BuildableIdentifier = "primary"
             BlueprintIdentifier = "0D9A7F3C1759330400035EB5"

Source/SantaGUI/Resources/AboutWindow.xib

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="6254" systemVersion="14C1514" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES">
+<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="6254" systemVersion="14E46" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES">
     <dependencies>
         <deployment identifier="macosx"/>
         <plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="6254"/>
@@ -14,7 +14,7 @@
         <customObject id="-1" userLabel="First Responder" customClass="FirstResponder"/>
         <customObject id="-3" userLabel="Application" customClass="NSObject"/>
         <window title="Santa" allowsToolTipsWhenApplicationIsInactive="NO" autorecalculatesKeyViewLoop="NO" oneShot="NO" releasedWhenClosed="NO" visibleAtLaunch="NO" animationBehavior="default" id="F0z-JX-Cv5">
-            <windowStyleMask key="styleMask" titled="YES"/>
+            <windowStyleMask key="styleMask" titled="YES" closable="YES"/>
             <rect key="contentRect" x="196" y="240" width="480" height="200"/>
             <rect key="screenRect" x="0.0" y="0.0" width="2560" height="1577"/>
             <view key="contentView" id="se5-gp-TjO">
@@ -37,7 +37,7 @@
                         <rect key="frame" x="18" y="65" width="444" height="60"/>
                         <textFieldCell key="cell" sendsActionOnEndEditing="YES" alignment="center" id="CcT-ul-1eA">
                             <font key="font" metaFont="system"/>
-                            <string key="title">Santa is an application whitelisting system for Mac OS X.
+                            <string key="title">Santa is an application whitelisting system for OS X.
 
 There are no user-configurable settings.</string>
                             <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
@@ -65,6 +65,9 @@ There are no user-configurable settings.</string>
                         <buttonCell key="cell" type="push" title="Dismiss" bezelStyle="rounded" alignment="center" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="uSw-o1-lWW">
                             <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                             <font key="font" metaFont="system"/>
+                            <string key="keyEquivalent" base64-UTF8="YES">
+DQ
+</string>
                         </buttonCell>
                         <connections>
                             <action selector="orderOut:" target="-1" id="6oW-zI-zn5"/>

Source/SantaGUI/Resources/MessageWindow.xib

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="6254" systemVersion="14C1514" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES">
+<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="6254" systemVersion="14E46" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES">
     <dependencies>
         <deployment identifier="macosx"/>
         <plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="6254"/>
@@ -15,14 +15,14 @@
         <customObject id="-3" userLabel="Application" customClass="NSObject"/>
         <window allowsToolTipsWhenApplicationIsInactive="NO" autorecalculatesKeyViewLoop="NO" oneShot="NO" showsToolbarButton="NO" visibleAtLaunch="NO" animationBehavior="none" id="9Bq-yh-54f" customClass="SNTMessageWindow">
             <windowStyleMask key="styleMask" utility="YES"/>
-            <rect key="contentRect" x="167" y="107" width="550" height="331"/>
-            <rect key="screenRect" x="0.0" y="0.0" width="2560" height="1577"/>
+            <rect key="contentRect" x="167" y="107" width="497" height="356"/>
+            <rect key="screenRect" x="0.0" y="0.0" width="2560" height="1600"/>
             <view key="contentView" id="Iwq-Lx-rLv">
-                <rect key="frame" x="0.0" y="0.0" width="550" height="331"/>
+                <rect key="frame" x="0.0" y="0.0" width="497" height="356"/>
                 <autoresizingMask key="autoresizingMask" widthSizable="YES" heightSizable="YES"/>
                 <subviews>
                     <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="t8c-Fx-e5h">
-                        <rect key="frame" x="234" y="261" width="83" height="40"/>
+                        <rect key="frame" x="207" y="286" width="83" height="40"/>
                         <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" title="Santa" id="7YA-iB-Zma">
                             <font key="font" size="34" name="HelveticaNeue-UltraLight"/>
                             <color key="textColor" red="0.18696189413265307" green="0.18696189413265307" blue="0.18696189413265307" alpha="1" colorSpace="calibratedRGB"/>
@@ -30,11 +30,11 @@
                         </textFieldCell>
                     </textField>
                     <textField verticalHuggingPriority="750" horizontalCompressionResistancePriority="250" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="cD5-Su-lXR">
-                        <rect key="frame" x="25" y="214" width="500" height="17"/>
+                        <rect key="frame" x="22" y="239" width="454" height="17"/>
                         <constraints>
-                            <constraint firstAttribute="width" constant="496" id="XgJ-EV-tBa"/>
+                            <constraint firstAttribute="width" constant="450" id="XgJ-EV-tBa"/>
                         </constraints>
-                        <textFieldCell key="cell" allowsUndo="NO" sendsActionOnEndEditing="YES" alignment="center" title="A message to the user goes here..." allowsEditingTextAttributes="YES" id="5tH-bG-UJA">
+                        <textFieldCell key="cell" selectable="YES" allowsUndo="NO" sendsActionOnEndEditing="YES" alignment="center" title="A message to the user goes here..." allowsEditingTextAttributes="YES" id="5tH-bG-UJA">
                             <font key="font" metaFont="system"/>
                             <color key="textColor" red="0.40000000000000002" green="0.40000000000000002" blue="0.40000000000000002" alpha="1" colorSpace="calibratedRGB"/>
                             <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
@@ -44,9 +44,9 @@
                         </connections>
                     </textField>
                     <textField horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="pc8-G9-4pJ">
-                        <rect key="frame" x="175" y="167" width="324" height="17"/>
+                        <rect key="frame" x="165" y="192" width="294" height="17"/>
                         <constraints>
-                            <constraint firstAttribute="width" constant="320" id="xVR-j3-dLw"/>
+                            <constraint firstAttribute="width" constant="290" id="xVR-j3-dLw"/>
                         </constraints>
                         <textFieldCell key="cell" selectable="YES" sendsActionOnEndEditing="YES" alignment="left" title="Binary Path" id="E7T-9h-ofr">
                             <font key="font" metaFont="system"/>
@@ -58,23 +58,23 @@
                         </connections>
                     </textField>
                     <textField horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="PXc-xv-A28">
-                        <rect key="frame" x="175" y="117" width="304" height="17"/>
+                        <rect key="frame" x="165" y="142" width="294" height="17"/>
                         <constraints>
-                            <constraint firstAttribute="width" constant="300" id="4hh-R2-86s"/>
+                            <constraint firstAttribute="width" constant="290" id="4hh-R2-86s"/>
                         </constraints>
-                        <textFieldCell key="cell" lineBreakMode="charWrapping" selectable="YES" sendsActionOnEndEditing="YES" title="File SHA-256" id="X4W-9e-eIu">
+                        <textFieldCell key="cell" lineBreakMode="charWrapping" selectable="YES" sendsActionOnEndEditing="YES" title="Part of SHA-256" id="X4W-9e-eIu">
                             <font key="font" metaFont="system"/>
                             <color key="textColor" white="0.0" alpha="0.5" colorSpace="deviceWhite"/>
                             <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
                         </textFieldCell>
                         <connections>
-                            <binding destination="-2" name="value" keyPath="self.event.fileSHA256" id="SzX-Ep-rBa"/>
+                            <binding destination="-2" name="value" keyPath="self.shortenedHash" id="xgu-71-9ZT"/>
                         </connections>
                     </textField>
                     <textField horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="C3G-wL-u7w">
-                        <rect key="frame" x="175" y="142" width="309" height="17"/>
+                        <rect key="frame" x="165" y="167" width="294" height="17"/>
                         <constraints>
-                            <constraint firstAttribute="width" constant="305" id="Dem-wH-KHm"/>
+                            <constraint firstAttribute="width" constant="290" id="Dem-wH-KHm"/>
                         </constraints>
                         <textFieldCell key="cell" selectable="YES" allowsUndo="NO" sendsActionOnEndEditing="YES" title="Code signing information" placeholderString="" id="ztA-La-XgT">
                             <font key="font" metaFont="system"/>
@@ -90,15 +90,23 @@
                         </connections>
                     </textField>
                     <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="oFj-ol-xpL">
-                        <rect key="frame" x="18" y="92" width="120" height="17"/>
+                        <rect key="frame" x="8" y="92" width="120" height="17"/>
                         <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="User" id="1ut-uT-hQD">
                             <font key="font" metaFont="systemBold"/>
                             <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
                             <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
                         </textFieldCell>
                     </textField>
+                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="eQb-0a-76J">
+                        <rect key="frame" x="8" y="117" width="120" height="17"/>
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Parent" id="gze-4A-1w5">
+                            <font key="font" metaFont="systemBold"/>
+                            <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
+                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
+                        </textFieldCell>
+                    </textField>
                     <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="lvJ-Rk-UT5">
-                        <rect key="frame" x="18" y="142" width="120" height="17"/>
+                        <rect key="frame" x="8" y="167" width="120" height="17"/>
                         <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Publisher" id="yL9-yD-JXX">
                             <font key="font" metaFont="systemBold"/>
                             <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
@@ -106,7 +114,7 @@
                         </textFieldCell>
                     </textField>
                     <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="d9e-Wv-Y5H">
-                        <rect key="frame" x="18" y="167" width="120" height="17"/>
+                        <rect key="frame" x="8" y="192" width="120" height="17"/>
                         <constraints>
                             <constraint firstAttribute="width" constant="116" id="Kqd-nX-7df"/>
                         </constraints>
@@ -117,38 +125,45 @@
                         </textFieldCell>
                     </textField>
                     <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="KEB-eH-x2Y">
-                        <rect key="frame" x="18" y="117" width="120" height="17"/>
-                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="SHA-256" id="eKN-Ic-5zy">
+                        <rect key="frame" x="8" y="142" width="120" height="17"/>
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Identifier" id="eKN-Ic-5zy">
                             <font key="font" metaFont="systemBold"/>
                             <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
                             <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
                         </textFieldCell>
                     </textField>
                     <textField horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" translatesAutoresizingMaskIntoConstraints="NO" id="h6f-PY-cc0">
-                        <rect key="frame" x="175" y="92" width="368" height="17"/>
+                        <rect key="frame" x="165" y="92" width="294" height="17"/>
                         <constraints>
-                            <constraint firstAttribute="width" constant="364" id="on6-pj-m2k"/>
+                            <constraint firstAttribute="width" constant="290" id="on6-pj-m2k"/>
                         </constraints>
-                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" title="Executing User" id="HRT-Be-ePf">
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" selectable="YES" sendsActionOnEndEditing="YES" title="Executing User" id="HRT-Be-ePf">
                             <font key="font" metaFont="system"/>
                             <color key="textColor" white="0.0" alpha="0.5" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
                             <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
                         </textFieldCell>
                         <connections>
-                            <binding destination="-2" name="value" keyPath="self.event.executingUser" id="xe2-U2-WrZ"/>
+                            <binding destination="-2" name="value" keyPath="self.event.executingUser" id="IcM-Lt-xTT">
+                                <dictionary key="options">
+                                    <string key="NSNullPlaceholder">Unknown</string>
+                                </dictionary>
+                            </binding>
                         </connections>
                     </textField>
-                    <box horizontalHuggingPriority="750" title="Box" boxType="separator" titlePosition="noTitle" translatesAutoresizingMaskIntoConstraints="NO" id="4Li-ul-zIi">
-                        <rect key="frame" x="154" y="92" width="5" height="92"/>
-                        <color key="borderColor" white="0.0" alpha="0.41999999999999998" colorSpace="calibratedWhite"/>
+                    <box horizontalHuggingPriority="750" title="Line" boxType="custom" borderType="line" titlePosition="noTitle" translatesAutoresizingMaskIntoConstraints="NO" id="4Li-ul-zIi">
+                        <rect key="frame" x="146" y="92" width="1" height="117"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="1" id="0o1-Jh-epf"/>
+                        </constraints>
+                        <color key="borderColor" white="0.0" alpha="0.17999999999999999" colorSpace="calibratedWhite"/>
                         <color key="fillColor" white="0.0" alpha="0.0" colorSpace="calibratedWhite"/>
                         <font key="titleFont" metaFont="system"/>
                     </box>
                     <button toolTip="Show code signing certificate chain" translatesAutoresizingMaskIntoConstraints="NO" id="cJf-k6-OxS" userLabel="Publisher Certs">
-                        <rect key="frame" x="51" y="143" width="14" height="14"/>
+                        <rect key="frame" x="40" y="168" width="15" height="15"/>
                         <constraints>
-                            <constraint firstAttribute="width" constant="14" id="QTm-Iv-m5p"/>
-                            <constraint firstAttribute="height" constant="14" id="YwG-0s-jop"/>
+                            <constraint firstAttribute="width" constant="15" id="QTm-Iv-m5p"/>
+                            <constraint firstAttribute="height" constant="15" id="YwG-0s-jop"/>
                         </constraints>
                         <buttonCell key="cell" type="bevel" bezelStyle="regularSquare" image="NSInfo" imagePosition="overlaps" alignment="center" refusesFirstResponder="YES" imageScaling="proportionallyDown" inset="2" id="R72-Qy-Xbb">
                             <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
@@ -164,7 +179,7 @@
                         </connections>
                     </button>
                     <button verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="BbV-3h-mmL">
-                        <rect key="frame" x="282" y="33" width="110" height="25"/>
+                        <rect key="frame" x="256" y="33" width="110" height="25"/>
                         <constraints>
                             <constraint firstAttribute="width" constant="110" id="6Uh-Bd-N64"/>
                             <constraint firstAttribute="height" constant="22" id="GH6-nw-6rD"/>
@@ -182,7 +197,7 @@ DQ
                         </connections>
                     </button>
                     <button verticalHuggingPriority="750" horizontalCompressionResistancePriority="1000" translatesAutoresizingMaskIntoConstraints="NO" id="7ua-5a-uSd">
-                        <rect key="frame" x="158" y="33" width="112" height="25"/>
+                        <rect key="frame" x="132" y="33" width="112" height="25"/>
                         <constraints>
                             <constraint firstAttribute="width" priority="900" constant="112" id="Pec-Pa-4aZ"/>
                         </constraints>
@@ -198,48 +213,79 @@ DQ
                             <action selector="openEventDetails:" target="-2" id="VhL-ql-rCV"/>
                         </connections>
                     </button>
+                    <textField horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" translatesAutoresizingMaskIntoConstraints="NO" id="f1p-GL-O3o">
+                        <rect key="frame" x="165" y="117" width="294" height="17"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="290" id="h3Y-mO-38F"/>
+                        </constraints>
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" selectable="YES" sendsActionOnEndEditing="YES" title="Parent Name" id="ieo-WK-aDD">
+                            <font key="font" metaFont="system"/>
+                            <color key="textColor" white="0.0" alpha="0.5" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
+                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
+                        </textFieldCell>
+                        <connections>
+                            <binding destination="-2" name="displayPatternValue1" keyPath="self.event.parentName" id="Lce-TO-q9V">
+                                <dictionary key="options">
+                                    <string key="NSDisplayPattern">%{value1}@ (%{value2}@)</string>
+                                </dictionary>
+                            </binding>
+                            <binding destination="-2" name="displayPatternValue2" keyPath="self.event.ppid" previousBinding="Lce-TO-q9V" id="ofI-kH-F2d">
+                                <dictionary key="options">
+                                    <string key="NSDisplayPattern">%{value1}@ (%{value2}@)</string>
+                                </dictionary>
+                            </binding>
+                        </connections>
+                    </textField>
                 </subviews>
                 <constraints>
-                    <constraint firstItem="h6f-PY-cc0" firstAttribute="bottom" secondItem="4Li-ul-zIi" secondAttribute="bottom" id="1Nc-gl-xMe"/>
+                    <constraint firstItem="f1p-GL-O3o" firstAttribute="centerY" secondItem="eQb-0a-76J" secondAttribute="centerY" id="2Aq-1E-Ybz"/>
+                    <constraint firstItem="BbV-3h-mmL" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" priority="500" constant="193" id="2uo-Cm-Tfp"/>
+                    <constraint firstItem="h6f-PY-cc0" firstAttribute="top" secondItem="f1p-GL-O3o" secondAttribute="bottom" constant="8" id="496-VQ-Fx5"/>
+                    <constraint firstItem="eQb-0a-76J" firstAttribute="leading" secondItem="lvJ-Rk-UT5" secondAttribute="trailing" constant="-116" id="6Q5-Oo-1cI"/>
                     <constraint firstItem="BbV-3h-mmL" firstAttribute="top" secondItem="oFj-ol-xpL" secondAttribute="bottom" constant="35" id="7K6-bY-Rn6"/>
                     <constraint firstItem="C3G-wL-u7w" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="ALv-0v-szi"/>
+                    <constraint firstItem="f1p-GL-O3o" firstAttribute="top" secondItem="PXc-xv-A28" secondAttribute="bottom" constant="8" id="E6D-7P-17g"/>
                     <constraint firstItem="cJf-k6-OxS" firstAttribute="centerY" secondItem="C3G-wL-u7w" secondAttribute="centerY" id="FdL-ZZ-Vbe"/>
                     <constraint firstItem="t8c-Fx-e5h" firstAttribute="top" secondItem="Iwq-Lx-rLv" secondAttribute="top" constant="30" id="FuB-GX-0jg"/>
+                    <constraint firstItem="oFj-ol-xpL" firstAttribute="bottom" secondItem="4Li-ul-zIi" secondAttribute="bottom" id="G0I-O2-S91"/>
                     <constraint firstItem="lvJ-Rk-UT5" firstAttribute="leading" secondItem="cJf-k6-OxS" secondAttribute="trailing" constant="-45" id="GD2-Ka-deo"/>
                     <constraint firstItem="h6f-PY-cc0" firstAttribute="centerY" secondItem="oFj-ol-xpL" secondAttribute="centerY" id="GXI-pT-FM1"/>
-                    <constraint firstItem="oFj-ol-xpL" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="20" id="IwX-ja-ZIs"/>
+                    <constraint firstItem="oFj-ol-xpL" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="IwX-ja-ZIs"/>
+                    <constraint firstItem="d9e-Wv-Y5H" firstAttribute="top" secondItem="4Li-ul-zIi" secondAttribute="top" id="JY4-N1-j8e"/>
                     <constraint firstItem="oFj-ol-xpL" firstAttribute="leading" secondItem="d9e-Wv-Y5H" secondAttribute="leading" priority="999" id="MVr-jY-GDj"/>
                     <constraint firstItem="pc8-G9-4pJ" firstAttribute="top" secondItem="cD5-Su-lXR" secondAttribute="bottom" constant="30" id="Nsl-zf-poH"/>
                     <constraint firstItem="pc8-G9-4pJ" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="SCl-Ky-VmT"/>
+                    <constraint firstItem="d9e-Wv-Y5H" firstAttribute="centerY" secondItem="pc8-G9-4pJ" secondAttribute="centerY" id="SLv-F7-w5k"/>
                     <constraint firstItem="7ua-5a-uSd" firstAttribute="top" secondItem="oFj-ol-xpL" secondAttribute="bottom" constant="35" id="Scq-zQ-Sao"/>
                     <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="KEB-eH-x2Y" secondAttribute="trailing" constant="20" id="Seb-c0-MUL"/>
                     <constraint firstAttribute="centerX" secondItem="cD5-Su-lXR" secondAttribute="centerX" id="V0a-Py-iEc"/>
                     <constraint firstItem="oFj-ol-xpL" firstAttribute="leading" secondItem="lvJ-Rk-UT5" secondAttribute="leading" priority="999" id="Z6G-l9-G4a"/>
-                    <constraint firstAttribute="centerX" secondItem="BbV-3h-mmL" secondAttribute="centerX" priority="900" id="acs-5J-vQY"/>
+                    <constraint firstItem="oFj-ol-xpL" firstAttribute="top" secondItem="eQb-0a-76J" secondAttribute="bottom" constant="8" id="abm-cM-PN0"/>
+                    <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="eQb-0a-76J" secondAttribute="trailing" constant="20" id="b0B-3w-grH"/>
                     <constraint firstItem="KEB-eH-x2Y" firstAttribute="leading" secondItem="oFj-ol-xpL" secondAttribute="leading" priority="999" id="b5A-M7-ZsD"/>
                     <constraint firstItem="KEB-eH-x2Y" firstAttribute="centerY" secondItem="PXc-xv-A28" secondAttribute="centerY" id="cHe-pZ-0Oq"/>
                     <constraint firstItem="cD5-Su-lXR" firstAttribute="top" secondItem="t8c-Fx-e5h" secondAttribute="bottom" constant="30" id="dYg-zP-wh2"/>
                     <constraint firstItem="h6f-PY-cc0" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="eSz-lz-Fdh"/>
-                    <constraint firstItem="4Li-ul-zIi" firstAttribute="top" secondItem="pc8-G9-4pJ" secondAttribute="top" id="fzY-94-y2n"/>
-                    <constraint firstAttribute="centerX" secondItem="t8c-Fx-e5h" secondAttribute="centerX" constant="-0.5" id="h3d-Kc-q88"/>
+                    <constraint firstItem="f1p-GL-O3o" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="fGd-YS-phP"/>
+                    <constraint firstAttribute="centerX" secondItem="t8c-Fx-e5h" secondAttribute="centerX" id="h3d-Kc-q88"/>
                     <constraint firstItem="BbV-3h-mmL" firstAttribute="leading" secondItem="7ua-5a-uSd" secondAttribute="trailing" constant="12" id="ioO-NJ-Jqo"/>
                     <constraint firstItem="C3G-wL-u7w" firstAttribute="centerY" secondItem="lvJ-Rk-UT5" secondAttribute="centerY" id="jfs-YI-7Ae"/>
                     <constraint firstItem="lvJ-Rk-UT5" firstAttribute="trailing" secondItem="KEB-eH-x2Y" secondAttribute="trailing" id="jlD-Lo-abc"/>
                     <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="oFj-ol-xpL" secondAttribute="trailing" constant="20" id="kOG-Cj-hFG"/>
                     <constraint firstItem="oFj-ol-xpL" firstAttribute="trailing" secondItem="lvJ-Rk-UT5" secondAttribute="trailing" id="lse-kg-lA2"/>
+                    <constraint firstItem="eQb-0a-76J" firstAttribute="top" secondItem="KEB-eH-x2Y" secondAttribute="bottom" constant="8" id="m2z-1O-ifB"/>
                     <constraint firstItem="d9e-Wv-Y5H" firstAttribute="trailing" secondItem="KEB-eH-x2Y" secondAttribute="trailing" id="pdq-a6-Y73"/>
                     <constraint firstAttribute="centerX" secondItem="7ua-5a-uSd" secondAttribute="centerX" constant="61" id="phL-j9-rPq"/>
                     <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="lvJ-Rk-UT5" secondAttribute="trailing" constant="20" id="qKi-KT-jzJ"/>
-                    <constraint firstItem="PXc-xv-A28" firstAttribute="bottom" secondItem="h6f-PY-cc0" secondAttribute="top" constant="-8" id="sG1-gQ-Qoo"/>
                     <constraint firstItem="C3G-wL-u7w" firstAttribute="bottom" secondItem="PXc-xv-A28" secondAttribute="top" constant="-8" id="snd-8T-LjC"/>
                     <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="d9e-Wv-Y5H" secondAttribute="trailing" constant="20" id="stz-Vm-Kxo"/>
                     <constraint firstItem="PXc-xv-A28" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="tAa-1s-xVZ"/>
+                    <constraint firstItem="d9e-Wv-Y5H" firstAttribute="width" secondItem="eQb-0a-76J" secondAttribute="width" id="u4p-1B-x5B"/>
                     <constraint firstAttribute="bottom" secondItem="BbV-3h-mmL" secondAttribute="bottom" constant="35" id="ukF-FH-DE8"/>
-                    <constraint firstItem="d9e-Wv-Y5H" firstAttribute="baseline" secondItem="pc8-G9-4pJ" secondAttribute="baseline" id="xGd-Xr-3Z0"/>
                     <constraint firstItem="pc8-G9-4pJ" firstAttribute="bottom" secondItem="C3G-wL-u7w" secondAttribute="top" constant="-8" id="zst-nc-VqA"/>
                 </constraints>
             </view>
-            <point key="canvasLocation" x="113" y="777.5"/>
+            <point key="canvasLocation" x="112.5" y="308"/>
         </window>
     </objects>
     <resources>

Source/SantaGUI/SNTAppDelegate.m

@@ -39,23 +39,31 @@
       [[SNTConfigurator configurator] reloadConfigData];
   }];
 
-  self.aboutWindowController = [[SNTAboutWindowController alloc] init];
   self.notificationManager = [[SNTNotificationManager alloc] init];
 
   NSNotificationCenter *workspaceNotifications = [[NSWorkspace sharedWorkspace] notificationCenter];
-  [workspaceNotifications addObserver:self
-                             selector:@selector(killConnection)
-                                 name:NSWorkspaceSessionDidResignActiveNotification
-                               object:nil];
-  [workspaceNotifications addObserver:self
-                             selector:@selector(createConnection)
-                                 name:NSWorkspaceSessionDidBecomeActiveNotification
-                               object:nil];
+
+  [workspaceNotifications addObserverForName:NSWorkspaceSessionDidResignActiveNotification
+                                      object:nil
+                                       queue:[NSOperationQueue currentQueue]
+                                  usingBlock:^(NSNotification *note) {
+      self.listener.invalidationHandler = nil;
+      self.listener.rejectedHandler = nil;
+      [self.listener invalidate];
+      self.listener = nil;
+  }];
+  [workspaceNotifications addObserverForName:NSWorkspaceSessionDidBecomeActiveNotification
+                                      object:nil
+                                       queue:[NSOperationQueue currentQueue]
+                                  usingBlock:^(NSNotification *note) {
+      [self attemptReconnection];
+  }];
 
   [self createConnection];
 }
 
 - (BOOL)applicationShouldHandleReopen:(NSApplication *)sender hasVisibleWindows:(BOOL)flag {
+  self.aboutWindowController = [[SNTAboutWindowController alloc] init];
   [self.aboutWindowController showWindow:self];
   return NO;
 }
@@ -70,25 +78,16 @@
   self.listener.exportedInterface = [SNTXPCNotifierInterface notifierInterface];
   self.listener.exportedObject = self.notificationManager;
   self.listener.rejectedHandler = ^{
-      [weakSelf performSelectorInBackground:@selector(attemptReconnection)
-                                 withObject:nil];
+      [weakSelf attemptReconnection];
   };
   self.listener.invalidationHandler = self.listener.rejectedHandler;
   [self.listener resume];
 }
 
-- (void)killConnection {
-  self.listener.invalidationHandler = nil;
-  [self.listener invalidate];
-  self.listener = nil;
-}
-
 - (void)attemptReconnection {
   // TODO(rah): Make this smarter.
-  sleep(10);
-  [self performSelectorOnMainThread:@selector(createConnection)
-                         withObject:nil
-                      waitUntilDone:NO];
+  sleep(5);
+  [self createConnection];
 }
 
 #pragma mark Menu Management

Source/SantaGUI/SNTMessageWindowController.h

@@ -37,7 +37,7 @@
 ///
 ///  The custom message to display for this event
 ///
-@property NSString *customMessage;
+@property(copy) NSString *customMessage;
 
 ///
 ///  The delegate to inform when the notification is dismissed
@@ -47,12 +47,12 @@
 ///
 ///  A 'friendly' string representing the certificate information
 ///
-@property(readonly) NSString *publisherInfo;
+@property(readonly, nonatomic) NSString *publisherInfo;
 
 ///
 ///  An optional message to display with this block.
 ///
-@property(readonly) NSAttributedString *attributedCustomMessage;
+@property(readonly, nonatomic) NSAttributedString *attributedCustomMessage;
 
 ///
 ///  Reference to the "Open Event" button in the XIB. Used to either remove the button

Source/SantaGUI/SNTMessageWindowController.m

@@ -100,6 +100,10 @@
   }
 }
 
+- (NSString *)shortenedHash {
+  return [self.event.fileSHA256 substringWithRange:NSMakeRange(0, 10)];
+}
+
 - (NSString *)publisherInfo {
   SNTCertificate *leafCert = [self.event.signingChain firstObject];
 
@@ -129,8 +133,11 @@
   if ([self.customMessage length] > 0) {
     message = self.customMessage;
   } else {
-    message = @"The following application has been blocked from executing<br />"
-              @"because its trustworthiness cannot be determined.";
+    message = [[SNTConfigurator configurator] defaultBlockMessage];
+    if (!message) {
+      message = @"The following application has been blocked from executing<br />"
+                @"because its trustworthiness cannot be determined.";
+    }
   }
 
   NSString *fullHTML = [NSString stringWithFormat:@"%@%@%@", htmlHeader, message, htmlFooter];

Source/SantaGUI/SNTNotificationManager.h

@@ -20,5 +20,4 @@
 ///
 @interface SNTNotificationManager : NSObject<SNTMessageWindowControllerDelegate, SNTNotifierXPC>
 
-
 @end

Source/SantaGUI/SNTNotificationManager.m

@@ -54,8 +54,8 @@
 
 - (void)postBlockNotification:(SNTStoredEvent *)event withCustomMessage:(NSString *)message {
   // See if this binary is already in the list of pending notifications.
-  NSPredicate *predicate = [NSPredicate predicateWithFormat:@"event.fileSHA256==%@",
-                               event.fileSHA256];
+  NSPredicate *predicate =
+      [NSPredicate predicateWithFormat:@"event.fileSHA256==%@", event.fileSHA256];
   if ([[self.pendingNotifications filteredArrayUsingPredicate:predicate] count]) return;
 
   if (!event) {

Source/common/SNTCertificate.h

@@ -53,59 +53,59 @@
 ///
 ///  Access the underlying certificate ref.
 ///
-@property(readonly) SecCertificateRef certRef;
+@property(readonly, nonatomic) SecCertificateRef certRef;
 
 ///
 ///  SHA-1 hash of the certificate data.
 ///
-@property(readonly) NSString *SHA1;
+@property(readonly, nonatomic) NSString *SHA1;
 
 ///
 ///  SHA-256 hash of the certificate data.
 ///
-@property(readonly) NSString *SHA256;
+@property(readonly, nonatomic) NSString *SHA256;
 
 ///
 ///  Certificate data.
 ///
-@property(readonly) NSData *certData;
+@property(readonly, nonatomic) NSData *certData;
 
 ///
 ///  Common Name e.g: "Software Signing"
 ///
-@property(readonly) NSString *commonName;
+@property(readonly, nonatomic) NSString *commonName;
 
 ///
 ///  Country Name e.g: "US"
 ///
-@property(readonly) NSString *countryName;
+@property(readonly, nonatomic) NSString *countryName;
 
 ///
 ///  Organizational Name e.g: "Apple Inc."
 ///
-@property(readonly) NSString *orgName;
+@property(readonly, nonatomic) NSString *orgName;
 
 ///
 ///  Organizational Unit Name e.g: "Apple Software"
 ///
-@property(readonly) NSString *orgUnit;
+@property(readonly, nonatomic) NSString *orgUnit;
 
 ///
 ///  Issuer details, same fields as above.
 ///
-@property(readonly) NSString *issuerCommonName;
-@property(readonly) NSString *issuerCountryName;
-@property(readonly) NSString *issuerOrgName;
-@property(readonly) NSString *issuerOrgUnit;
+@property(readonly, nonatomic) NSString *issuerCommonName;
+@property(readonly, nonatomic) NSString *issuerCountryName;
+@property(readonly, nonatomic) NSString *issuerOrgName;
+@property(readonly, nonatomic) NSString *issuerOrgUnit;
 
 ///
 ///  Validity Not Before
 ///
-@property(readonly) NSDate *validFrom;
+@property(readonly, nonatomic) NSDate *validFrom;
 
 ///
 ///  Validity Not After
 ///
-@property(readonly) NSDate *validUntil;
+@property(readonly, nonatomic) NSDate *validUntil;
 
 @end

Source/common/SNTCertificate.m

@@ -80,9 +80,9 @@ static NSString *const kCertDataKey = @"certData";
   NSData *output = nil;
 
   if (SecTransformSetAttribute(transform,
-                             kSecTransformInputAttributeName,
-                             (__bridge CFDataRef)input,
-                             NULL)) {
+                               kSecTransformInputAttributeName,
+                               (__bridge CFDataRef)input,
+                               NULL)) {
     output = CFBridgingRelease(SecTransformExecute(transform, NULL));
   }
   if (transform) CFRelease(transform);
@@ -126,11 +126,12 @@ static NSString *const kCertDataKey = @"certData";
 
 #pragma mark Equality & description
 
-- (BOOL)isEqual:(SNTCertificate *)other {
+- (BOOL)isEqual:(id)other {
   if (self == other) return YES;
   if (![other isKindOfClass:[SNTCertificate class]]) return NO;
 
-  return [self.certData isEqual:other.certData];
+  SNTCertificate *o = other;
+  return [self.certData isEqual:o.certData];
 }
 
 - (NSUInteger)hash {
@@ -138,10 +139,8 @@ static NSString *const kCertDataKey = @"certData";
 }
 
 - (NSString *)description {
-  return [NSString stringWithFormat:@"/O=%@/OU=%@/CN=%@",
-          self.orgName,
-          self.orgUnit,
-          self.commonName];
+  return
+      [NSString stringWithFormat:@"/O=%@/OU=%@/CN=%@", self.orgName, self.orgUnit, self.commonName];
 }
 
 #pragma mark NSSecureCoding
@@ -227,7 +226,7 @@ static NSString *const kCertDataKey = @"certData";
     }
     return nil;
   }
-  @catch (NSException *exception) {
+  @catch (NSException *e) {
     return nil;
   }
 }

Source/common/SNTCodesignChecker.h

@@ -38,12 +38,12 @@
 ///
 ///  Returns the leaf certificate that this binary was signed with
 ///
-@property(readonly) SNTCertificate *leafCertificate;
+@property(readonly, nonatomic) SNTCertificate *leafCertificate;
 
 ///
 ///  Returns the on-disk path of this binary.
 ///
-@property(readonly) NSString *binaryPath;
+@property(readonly, nonatomic) NSString *binaryPath;
 
 ///
 ///  Designated initializer

Source/common/SNTCodesignChecker.m

@@ -18,7 +18,6 @@
 
 #import "SNTCertificate.h"
 
-
 /**
  *  kStaticSigningFlags are the flags used when validating signatures on disk.
  *
@@ -38,15 +37,14 @@
  *       kSecCSDoNotValidateResources:                         0.032s
  *       kSecCSDoNotValidateResources | kSecCSCheckNestedCode: 0.033s
  */
-const SecCSFlags kStaticSigningFlags = kSecCSDoNotValidateResources | kSecCSCheckNestedCode;
+static const SecCSFlags kStaticSigningFlags = kSecCSDoNotValidateResources | kSecCSCheckNestedCode;
 
 /**
  *  kSigningFlags are the flags used when validating signatures for running binaries.
  *
  *  No special flags needed currently.
  */
-const SecCSFlags kSigningFlags = kSecCSDefaultFlags;
-
+static const SecCSFlags kSigningFlags = kSecCSDefaultFlags;
 
 @interface SNTCodesignChecker ()
 /// Array of @c SNTCertificate's representing the chain of certs this executable was signed with.
@@ -87,7 +85,7 @@ const SecCSFlags kSigningFlags = kSecCSDefaultFlags;
 
     // Wrap SecCertificateRef objects in SNTCertificate and put in a new NSArray
     NSMutableArray *mutableCerts = [[NSMutableArray alloc] initWithCapacity:certs.count];
-    for (int i = 0; i < certs.count; ++i) {
+    for (NSUInteger i = 0; i < certs.count; ++i) {
       SecCertificateRef certRef = (__bridge SecCertificateRef)certs[i];
       SNTCertificate *newCert = [[SNTCertificate alloc] initWithSecCertificateRef:certRef];
       [mutableCerts addObject:newCert];
@@ -105,10 +103,10 @@ const SecCSFlags kSigningFlags = kSecCSDefaultFlags;
   SecStaticCodeRef codeRef = NULL;
 
   // Get SecStaticCodeRef for binary
-  if (SecStaticCodeCreateWithPath((__bridge CFURLRef)[NSURL fileURLWithPath:binaryPath
-                                                                isDirectory:NO],
-                                  kSecCSDefaultFlags,
-                                  &codeRef) == errSecSuccess) {
+  if (SecStaticCodeCreateWithPath(
+          (__bridge CFURLRef)[NSURL fileURLWithPath:binaryPath isDirectory:NO],
+          kSecCSDefaultFlags,
+          &codeRef) == errSecSuccess) {
     self = [self initWithSecStaticCodeRef:codeRef];
   } else {
     self = nil;
@@ -120,12 +118,13 @@ const SecCSFlags kSigningFlags = kSecCSDefaultFlags;
 
 - (instancetype)initWithPID:(pid_t)PID {
   SecCodeRef codeRef = NULL;
-  NSDictionary *attributes = @{(__bridge NSString *)kSecGuestAttributePid: @(PID)};
+  NSDictionary *attributes = @{ (__bridge NSString *)kSecGuestAttributePid : @(PID) };
 
-  if (SecCodeCopyGuestWithAttributes(NULL,
-                                     (__bridge CFDictionaryRef)attributes,
-                                     kSecCSDefaultFlags,
-                                     &codeRef) == errSecSuccess) {
+  if (SecCodeCopyGuestWithAttributes(
+          NULL,
+          (__bridge CFDictionaryRef)attributes,
+          kSecCSDefaultFlags,
+          &codeRef) == errSecSuccess) {
     self = [self initWithSecStaticCodeRef:codeRef];
   } else {
     self = nil;
@@ -170,9 +169,7 @@ const SecCSFlags kSigningFlags = kSecCSDefaultFlags;
   }
 
   return [NSString stringWithFormat:@"%@ binary, signed by %@, located at: %@",
-             binarySource,
-             self.leafCertificate.orgName,
-             self.binaryPath];
+              binarySource, self.leafCertificate.orgName, self.binaryPath];
 }
 
 #pragma mark Public accessors
@@ -183,7 +180,7 @@ const SecCSFlags kSigningFlags = kSecCSDefaultFlags;
 
 - (NSString *)binaryPath {
   CFURLRef path;
-  OSStatus status = SecCodeCopyPath(_codeRef, kSecCSDefaultFlags, &path);
+  OSStatus status = SecCodeCopyPath(self.codeRef, kSecCSDefaultFlags, &path);
   NSURL *pathURL = CFBridgingRelease(path);
   if (status != errSecSuccess) return nil;
   return [pathURL path];

Source/common/SNTCommonEnums.h

@@ -65,4 +65,8 @@ typedef enum {
   EVENTSTATE_MAX
 } santa_eventstate_t;
 
+static const char *kKextPath = "/Library/Extensions/santa-driver.kext";
+static const char *kSantaDPath = "/Library/Extensions/santa-driver.kext/Contents/MacOS/santad";
+static const char *kSantaCtlPath = "/Library/Extensions/santa-driver.kext/Contents/MacOS/santactl";
+
 #endif  // SANTA__COMMON__COMMONENUMS_H

Source/common/SNTConfigurator.h

@@ -28,20 +28,38 @@ extern NSString * const kDefaultConfigFilePath;
 ///
 ///  The operating mode.
 ///
-@property santa_clientmode_t clientMode;
+@property(nonatomic) santa_clientmode_t clientMode;
 
 ///
-///  Whether or not to log all events, even for whitelisted binaries.
+///  If set to NO, file writes won't be logged. Defaults to YES.
 ///
-@property BOOL logAllEvents;
+@property(nonatomic) BOOL logFileChanges;
 
-# pragma mark - GUI Settings
+///
+///  The regex of whitelisted paths. Regexes are specified in ICU format.
+///
+///  The regex flags IXSM can be used, though the s (dotall) and m (multiline) flags are
+///  pointless as a path only ever has a single line.
+///  If the regex doesn't begin with ^ to match from the beginning of the line, it will be added.
+///
+@property(nonatomic) NSRegularExpression *whitelistPathRegex;
+
+///
+///  The regex of blacklisted paths. Regexes are specified in ICU format.
+///
+///  The regex flags IXSM can be used, though the s (dotall) and m (multiline) flags are
+///  pointless as a path only ever has a single line.
+///  If the regex doesn't begin with ^ to match from the beginning of the line, it will be added.
+///
+@property(nonatomic) NSRegularExpression *blacklistPathRegex;
+
+#pragma mark - GUI Settings
 
 ///
 ///  The URL to open when the user clicks "More Info..." when opening Santa.app.
 ///  If unset, the button will not be displayed.
 ///
-@property(readonly) NSURL *moreInfoURL;
+@property(readonly, nonatomic) NSURL *moreInfoURL;
 
 ///
 ///  When the user gets a block notification, a button can be displayed which will
@@ -57,66 +75,78 @@ extern NSString * const kDefaultConfigFilePath;
 ///
 ///  If this item isn't set, the Open Event button will not be displayed.
 ///
-@property(readonly) NSString *eventDetailURL;
+@property(readonly, nonatomic) NSString *eventDetailURL;
 
 ///
 ///  Related to the above property, this string represents the text to show on the button.
 ///
-@property(readonly) NSString *eventDetailText;
+@property(readonly, nonatomic) NSString *eventDetailText;
 
-# pragma mark - Sync Settings
+///
+///  For any rule that doesn't have a custom message, this setting overrides the message
+///  text that is display. If unset, a reasonable default is provided.
+///
+@property(readonly, nonatomic) NSString *defaultBlockMessage;
+
+#pragma mark - Sync Settings
 
 ///
 ///  The base URL of the sync server.
 ///
-@property(readonly) NSURL *syncBaseURL;
+@property(readonly, nonatomic) NSURL *syncBaseURL;
+
+///
+///  If YES, mid-execution event uploads are skipped.
+///  This property is never stored on disk.
+///
+@property BOOL syncBackOff;
 
 ///
 ///  The machine owner.
 ///
-@property(readonly) NSString *machineOwner;
+@property(readonly, nonatomic) NSString *machineOwner;
 
 ///
 ///  If set, this over-rides the default machine ID used for syncing.
 ///
-@property(readonly) NSString *machineID;
+@property(readonly, nonatomic) NSString *machineID;
 
-# pragma mark Server Auth Settings
+#pragma mark Server Auth Settings
 
 ///
 ///  If set, this is valid PEM containing one or more certificates to be used to evaluate the
 ///  server's SSL chain, overriding the list of trusted CAs distributed with the OS.
 ///
-@property(readonly) NSData *syncServerAuthRootsData;
+@property(readonly, nonatomic) NSData *syncServerAuthRootsData;
 
 ///
 ///  This property is the same as the above but is a file on disk containing the PEM data.
 ///
-@property(readonly) NSString *syncServerAuthRootsFile;
+@property(readonly, nonatomic) NSString *syncServerAuthRootsFile;
 
-# pragma mark Client Auth Settings
+#pragma mark Client Auth Settings
 
 ///
 ///  If set, this contains the location of a PKCS#12 certificate to be used for sync authentication.
 ///
-@property(readonly) NSString *syncClientAuthCertificateFile;
+@property(readonly, nonatomic) NSString *syncClientAuthCertificateFile;
 
 ///
 ///  Contains the password for the pkcs#12 certificate.
 ///
-@property(readonly) NSString *syncClientAuthCertificatePassword;
+@property(readonly, nonatomic) NSString *syncClientAuthCertificatePassword;
 
 ///
 ///  If set, this is the Common Name of a certificate in the System keychain to be used for
 ///  sync authentication. The corresponding private key must also be in the keychain.
 ///
-@property(readonly) NSString *syncClientAuthCertificateCn;
+@property(readonly, nonatomic) NSString *syncClientAuthCertificateCn;
 
 ///
 ///  If set, this is the Issuer Name of a certificate in the System keychain to be used for
 ///  sync authentication. The corresponding private key must also be in the keychain.
 ///
-@property(readonly) NSString *syncClientAuthCertificateIssuer;
+@property(readonly, nonatomic) NSString *syncClientAuthCertificateIssuer;
 
 ///
 ///  Retrieve an initialized singleton configurator object using the default file path.

Source/common/SNTConfigurator.m

@@ -20,6 +20,13 @@
 @interface SNTConfigurator ()
 @property NSString *configFilePath;
 @property NSMutableDictionary *configData;
+
+/// Creating NSRegularExpression objects is not fast, so cache them.
+@property NSRegularExpression *cachedWhitelistDirRegex;
+@property NSRegularExpression *cachedBlacklistDirRegex;
+
+/// Array of keys that cannot be changed while santad is running if santad didn't make the change.
+@property(readonly) NSArray *protectedKeys;
 @end
 
 @implementation SNTConfigurator
@@ -29,12 +36,14 @@ NSString * const kDefaultConfigFilePath = @"/var/db/santa/config.plist";
 
 /// The keys in the config file
 static NSString * const kClientModeKey = @"ClientMode";
-
-static NSString * const kLogAllEventsKey = @"LogAllEvents";
+static NSString * const kWhitelistRegexKey = @"WhitelistRegex";
+static NSString * const kBlacklistRegexKey = @"BlacklistRegex";
+static NSString * const kLogFileChangesKey = @"LogFileChanges";
 
 static NSString * const kMoreInfoURLKey = @"MoreInfoURL";
 static NSString * const kEventDetailURLKey = @"EventDetailURL";
 static NSString * const kEventDetailTextKey = @"EventDetailText";
+static NSString * const kDefaultBlockMessage = @"DefaultBlockMessage";
 
 static NSString * const kSyncBaseURLKey = @"SyncBaseURL";
 static NSString * const kClientAuthCertificateFileKey = @"ClientAuthCertificateFile";
@@ -62,7 +71,7 @@ static NSString * const kMachineIDPlistKeyKey = @"MachineIDKey";
   return self;
 }
 
-# pragma mark Singleton retriever
+#pragma mark Singleton retriever
 
 + (instancetype)configurator {
   static SNTConfigurator *sharedConfigurator = nil;
@@ -73,12 +82,18 @@ static NSString * const kMachineIDPlistKeyKey = @"MachineIDKey";
   return sharedConfigurator;
 }
 
-# pragma mark Public Interface
+#pragma mark Protected Keys
+
+- (NSArray *)protectedKeys {
+  return @[ kClientModeKey, kWhitelistRegexKey, kBlacklistRegexKey, kLogFileChangesKey ];
+}
+
+#pragma mark Public Interface
 
 - (santa_clientmode_t)clientMode {
   int cm = [self.configData[kClientModeKey] intValue];
   if (cm > CLIENTMODE_UNKNOWN && cm < CLIENTMODE_MAX) {
-    return cm;
+    return (santa_clientmode_t)cm;
   } else {
     self.configData[kClientModeKey] = @(CLIENTMODE_MONITOR);
     return CLIENTMODE_MONITOR;
@@ -92,12 +107,54 @@ static NSString * const kMachineIDPlistKeyKey = @"MachineIDKey";
   }
 }
 
-- (BOOL)logAllEvents {
-  return [self.configData[kLogAllEventsKey] boolValue];
+- (NSRegularExpression *)whitelistPathRegex {
+  if (!self.cachedWhitelistDirRegex && self.configData[kWhitelistRegexKey]) {
+    NSString *re = self.configData[kWhitelistRegexKey];
+    if (![re hasPrefix:@"^"]) re = [@"^" stringByAppendingString:re];
+    self.cachedWhitelistDirRegex = [NSRegularExpression regularExpressionWithPattern:re
+                                                                             options:0
+                                                                               error:NULL];
+  }
+  return self.cachedWhitelistDirRegex;
 }
 
-- (void)setLogAllEvents:(BOOL)logAllEvents {
-  self.configData[kLogAllEventsKey] = @(logAllEvents);
+- (void)setWhitelistPathRegex:(NSRegularExpression *)re {
+  if (!re) {
+    [self.configData removeObjectForKey:kWhitelistRegexKey];
+  } else {
+    self.configData[kWhitelistRegexKey] = [re pattern];
+  }
+  self.cachedWhitelistDirRegex = nil;
+  [self saveConfigToDisk];
+}
+
+- (NSRegularExpression *)blacklistPathRegex {
+  if (!self.cachedBlacklistDirRegex && self.configData[kBlacklistRegexKey]) {
+    NSString *re = self.configData[kBlacklistRegexKey];
+    if (![re hasPrefix:@"^"]) re = [@"^" stringByAppendingString:re];
+    self.cachedBlacklistDirRegex = [NSRegularExpression regularExpressionWithPattern:re
+                                                                             options:0
+                                                                               error:NULL];
+  }
+  return self.cachedBlacklistDirRegex;
+}
+
+- (void)setBlacklistPathRegex:(NSRegularExpression *)re {
+  if (!re) {
+    [self.configData removeObjectForKey:kBlacklistRegexKey];
+  } else {
+    self.configData[kBlacklistRegexKey] = [re pattern];
+  }
+  self.cachedBlacklistDirRegex = nil;
+  [self saveConfigToDisk];
+}
+
+- (BOOL)logFileChanges {
+  return [self.configData[kLogFileChangesKey] boolValue];
+}
+
+- (void)setLogFileChanges:(BOOL)logFileChanges {
+  self.configData[kLogFileChangesKey] = @(logFileChanges);
   [self saveConfigToDisk];
 }
 
@@ -113,6 +170,10 @@ static NSString * const kMachineIDPlistKeyKey = @"MachineIDKey";
   return self.configData[kEventDetailTextKey];
 }
 
+- (NSString *)defaultBlockMessage {
+  return self.configData[kDefaultBlockMessage];
+}
+
 - (NSURL *)syncBaseURL {
   return [NSURL URLWithString:self.configData[kSyncBaseURLKey]];
 }
@@ -180,8 +241,6 @@ static NSString * const kMachineIDPlistKeyKey = @"MachineIDKey";
 }
 
 - (void)reloadConfigData {
-  if (!self.configData) self.configData = [NSMutableDictionary dictionary];
-
   NSFileManager *fm = [NSFileManager defaultManager];
   if (![fm fileExistsAtPath:self.configFilePath]) return;
 
@@ -204,16 +263,28 @@ static NSString * const kMachineIDPlistKeyKey = @"MachineIDKey";
     return;
   }
 
-  // Ensure no-one is trying to change the client mode behind Santa's back.
-  if (self.configData[kClientModeKey] && configData[kClientModeKey] &&
-      ![self.configData[kClientModeKey] isEqual:configData[kClientModeKey]] &&
-      geteuid() == 0) {
-    NSMutableDictionary *configDataMutable = [configData mutableCopy];
-    configDataMutable[kClientModeKey] = self.configData[kClientModeKey];
-    self.configData = configDataMutable;
-    [self saveConfigToDisk];
-  } else {
+  if (!self.configData) {
     self.configData = [configData mutableCopy];
+  } else {
+    // Ensure no-one is trying to change protected keys behind our back.
+    NSMutableDictionary *configDataMutable = [configData mutableCopy];
+    BOOL changed = NO;
+    for (NSString *key in self.protectedKeys) {
+      if (geteuid() == 0 &&
+          ((self.configData[key] && !configData[key]) ||
+           (!self.configData[key] && configData[key]) ||
+           (self.configData[key] && ![self.configData[key] isEqual:configData[key]]))) {
+        if (self.configData[key]) {
+          configDataMutable[key] = self.configData[key];
+        } else {
+          [configDataMutable removeObjectForKey:key];
+        }
+        changed = YES;
+        LOGI(@"Ignoring changed configuration key: %@", key);
+      }
+    }
+    self.configData = configDataMutable;
+    if (changed) [self saveConfigToDisk];
   }
 }
 

Source/common/SNTDropRootPrivs.h

@@ -17,4 +17,4 @@
 ///
 ///  @return YES if dropping was successful or unnecessary.
 ///
-BOOL DropRootPrivileges();
+BOOL DropRootPrivileges(void);

Source/common/SNTDropRootPrivs.m

@@ -16,8 +16,9 @@
 
 BOOL DropRootPrivileges() {
   if (getuid() == 0 || geteuid() == 0 || getgid() == 0 || getegid() == 0) {
-    if (setgid(-2) != 0 || setgroups(0, NULL) != 0 || setegid(-2) != 0 ||
-        setuid(-2) != 0 || seteuid(-2) != 0) {
+    uid_t nobody = (uid_t)-2;
+    if (setgid(nobody) != 0 || setgroups(0, NULL) != 0 || setegid(nobody) != 0 ||
+        setuid(nobody) != 0 || seteuid(nobody) != 0) {
       return false;
     }
 

Source/common/SNTFileInfo.h

@@ -23,6 +23,16 @@
 ///
 ///  @param path The path of the file this instance is to represent. The path will be
 ///      converted to an absolute, standardized path if it isn't already.
+///  @param error If an error occurred and nil is returned, this will be a pointer to an NSError
+///      describing the problem.
+///
+- (instancetype)initWithPath:(NSString *)path error:(NSError **)error;
+
+///
+///  Convenience initializer.
+///
+///  @param path The path to the file this instance is to represent. The path will be
+///      converted to an absolute, standardized path if it isn't already.
 ///
 - (instancetype)initWithPath:(NSString *)path;
 
@@ -82,6 +92,11 @@
 ///
 - (BOOL)isScript;
 
+///
+///  @return YES if this file has a bad/missing __PAGEZERO .
+///
+- (BOOL)isMissingPageZero;
+
 ///
 ///  @return An NSBundle if this file is part of a bundle.
 ///

Source/common/SNTFileInfo.m

@@ -20,55 +20,70 @@
 #include <mach-o/swap.h>
 #include <sys/xattr.h>
 
+// Simple class to hold the data of a mach_header and the offset within the file
+// in which that header was found.
+@interface MachHeaderWithOffset : NSObject
+@property NSData *data;
+@property uint32_t offset;
+- (instancetype)initWithData:(NSData *)data offset:(uint32_t)offset;
+@end
+@implementation MachHeaderWithOffset
+- (instancetype)initWithData:(NSData *)data offset:(uint32_t)offset {
+  self = [super init];
+  if (self) {
+    _data = data;
+    _offset = offset;
+  }
+  return self;
+}
+@end
+
 @interface SNTFileInfo ()
 @property NSString *path;
 @property NSData *fileData;
+
+// Dictionary of MachHeaderWithOffset objects where the keys are the architecture strings
+@property NSDictionary *machHeaders;
+
+// Cached properties
 @property NSBundle *bundleRef;
 @property NSDictionary *infoDict;
 @end
 
 @implementation SNTFileInfo
 
-- (instancetype)initWithPath:(NSString *)path {
+- (instancetype)initWithPath:(NSString *)path error:(NSError **)error {
   self = [super init];
-
   if (self) {
-    // Convert to absolute, standardized path
-    path = [path stringByResolvingSymlinksInPath];
-    if (![path isAbsolutePath]) {
-      NSString *cwd = [[NSFileManager defaultManager] currentDirectoryPath];
-      path = [cwd stringByAppendingPathComponent:path];
-    }
-    path = [path stringByStandardizingPath];
-
-    // Determine if file exists.
-    // If path is actually a directory, check to see if it's a bundle and has a CFBundleExecutable.
-    BOOL directory;
-    if (![[NSFileManager defaultManager] fileExistsAtPath:path isDirectory:&directory]) {
-      return nil;
-    } else if (directory) {
-      NSString *infoPath = [path stringByAppendingPathComponent:@"Contents/Info.plist"];
-      NSDictionary *d = [NSDictionary dictionaryWithContentsOfFile:infoPath];
-      if (d && d[@"CFBundleExecutable"]) {
-        path = [path stringByAppendingPathComponent:@"Contents/MacOS"];
-        _path = [path stringByAppendingPathComponent:d[@"CFBundleExecutable"]];
-      } else {
-        return nil;
+    _path = [self resolvePath:path];
+    if (_path.length == 0) {
+      if (error) {
+        NSString *errStr = @"Unable to resolve empty path";
+        if (path) errStr = [@"Unable to resolve path: " stringByAppendingString:path];
+        *error = [NSError errorWithDomain:@"com.google.santa.fileinfo"
+                                     code:260
+                                 userInfo:@{ NSLocalizedDescriptionKey: errStr }];
       }
-    } else {
-      _path = path;
+      return nil;
     }
 
-    _fileData = [NSData dataWithContentsOfFile:_path options:NSDataReadingMappedIfSafe error:nil];
-    if (!_fileData) return nil;
+    _fileData = [NSData dataWithContentsOfFile:_path
+                                       options:NSDataReadingUncached
+                                         error:error];
+    if (_fileData.length == 0) return nil;
+    [self parseMachHeaders];
   }
 
   return self;
 }
 
+- (instancetype)initWithPath:(NSString *)path {
+  return [self initWithPath:path error:NULL];
+}
+
 - (NSString *)SHA1 {
   unsigned char sha1[CC_SHA1_DIGEST_LENGTH];
-  CC_SHA1([self.fileData bytes], (unsigned int)[self.fileData length], sha1);
+  CC_SHA1(self.fileData.bytes, (unsigned int)self.fileData.length, sha1);
 
   // Convert the binary SHA into hex
   NSMutableString *buf = [[NSMutableString alloc] initWithCapacity:CC_SHA1_DIGEST_LENGTH * 2];
@@ -80,118 +95,100 @@
 }
 
 - (NSString *)SHA256 {
-  unsigned char sha2[CC_SHA256_DIGEST_LENGTH];
-  CC_SHA256(self.fileData.bytes, (unsigned int)self.fileData.length, sha2);
+  unsigned char sha256[CC_SHA256_DIGEST_LENGTH];
+  CC_SHA256(self.fileData.bytes, (unsigned int)self.fileData.length, sha256);
 
-  NSMutableString *buf = [[NSMutableString alloc] initWithCapacity:CC_SHA256_DIGEST_LENGTH *2];
+  NSMutableString *buf = [[NSMutableString alloc] initWithCapacity:CC_SHA256_DIGEST_LENGTH * 2];
   for (int i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) {
-    [buf appendFormat:@"%02x", (unsigned char)sha2[i]];
+    [buf appendFormat:@"%02x", (unsigned char)sha256[i]];
   }
 
   return buf;
 }
 
 - (NSString *)machoType {
-  if ([self isDylib])   { return @"Dynamic Library"; }
-  if ([self isKext])    { return @"Kernel Extension"; }
-  if ([self isFat])     { return @"Fat Binary"; }
-  if ([self isMachO])   { return @"Thin Binary"; }
-  if ([self isScript])  { return @"Script"; }
+  if ([self isDylib])  return @"Dynamic Library";
+  if ([self isKext])   return @"Kernel Extension";
+  if ([self isFat])    return @"Fat Binary";
+  if ([self isMachO])  return @"Thin Binary";
+  if ([self isScript]) return @"Script";
   return @"Unknown (not executable?)";
 }
 
 - (NSArray *)architectures {
-  if (![self isMachO]) return nil;
-
-  if ([self isFat]) {
-    NSMutableArray *ret = [[NSMutableArray alloc] init];
-
-    // Retrieve just the fat_header, if possible.
-    NSData *head = [self safeSubdataWithRange:NSMakeRange(0, sizeof(struct fat_header))];
-    if (!head) return nil;
-    struct fat_header *fat_header = (struct fat_header *)[head bytes];
-
-    // Get number of architectures in the binary
-    uint32_t narch = NSSwapBigIntToHost(fat_header->nfat_arch);
-
-    // Retrieve just the fat_arch's, make a mutable copy and if necessary swap the bytes
-    NSData *archs = [self safeSubdataWithRange:NSMakeRange(sizeof(struct fat_header),
-                                                           sizeof(struct fat_arch) * narch)];
-    if (!archs) return nil;
-    struct fat_arch *fat_archs = (struct fat_arch *)[archs bytes];
-
-    // For each arch, get the name of it's architecture
-    for (int i = 0; i < narch; ++i) {
-      [ret addObject:[self nameForCPUType:NSSwapBigIntToHost(fat_archs[i].cputype)]];
-    }
-    return ret;
-  } else {
-    struct mach_header *hdr = [self firstMachHeader];
-    return @[ [self nameForCPUType:hdr->cputype] ];
-  }
-  return nil;
+  return [self.machHeaders allKeys];
 }
 
 - (BOOL)isDylib {
   struct mach_header *mach_header = [self firstMachHeader];
-  if (!mach_header) return NO;
-  if (mach_header->filetype == MH_DYLIB ||
-      mach_header->filetype == MH_FVMLIB) {
-    return YES;
-  }
-
+  if (mach_header && mach_header->filetype == MH_DYLIB) return YES;
   return NO;
 }
 
 - (BOOL)isKext {
   struct mach_header *mach_header = [self firstMachHeader];
-  if (!mach_header) return NO;
-  if (mach_header->filetype == MH_KEXT_BUNDLE) {
-    return YES;
-  }
-
+  if (mach_header && mach_header->filetype == MH_KEXT_BUNDLE) return YES;
   return NO;
 }
 
 - (BOOL)isMachO {
-  return ([self.fileData length] >= 160 &&
-          ([self isMachHeader:(struct mach_header *)[self.fileData bytes]] || [self isFat]));
+  return ([self.machHeaders count] > 0);
 }
 
 - (BOOL)isFat {
-  return ([self isFatHeader:(struct fat_header *)[self.fileData bytes]]);
+  return ([self.machHeaders count] > 1);
 }
 
 - (BOOL)isScript {
-  if ([self.fileData length] < 1) return NO;
-
-  char magic[2];
-  [self.fileData getBytes:&magic length:2];
-
+  const char *magic = (const char *)[[self safeSubdataWithRange:NSMakeRange(0, 2)] bytes];
   return (strncmp("#!", magic, 2) == 0);
 }
 
 - (BOOL)isExecutable {
   struct mach_header *mach_header = [self firstMachHeader];
   if (!mach_header) return NO;
-  if (mach_header->filetype == MH_OBJECT ||
-      mach_header->filetype == MH_EXECUTE ||
-      mach_header->filetype == MH_PRELOAD) {
-    return YES;
-  }
-
+  if (mach_header->filetype == MH_OBJECT || mach_header->filetype == MH_EXECUTE) return YES;
   return NO;
 }
 
-# pragma mark Bundle Information
+- (BOOL)isMissingPageZero {
+  // This method only checks i386 arch because the kernel enforces this for other archs
+  // See bsd/kern/mach_loader.c, search for enforce_hard_pagezero.
+  MachHeaderWithOffset *x86Header = self.machHeaders[@"i386"];
+  if (!x86Header) return NO;
+
+  struct mach_header *mh = (struct mach_header *)[x86Header.data bytes];
+  if (mh->filetype != MH_EXECUTE) return NO;
+
+  NSRange range = NSMakeRange(x86Header.offset + sizeof(struct mach_header),
+                              sizeof(struct segment_command));
+  NSData *lcData = [self safeSubdataWithRange:range];
+  if (!lcData) return NO;
+
+  // This code assumes the __PAGEZERO is always the first load-command in the file.
+  // Given that the OS X ABI says "the static linker creates a __PAGEZERO segment
+  // as the first segment of an executable file." this should be OK.
+  struct load_command *lc = (struct load_command *)[lcData bytes];
+  if (lc->cmd == LC_SEGMENT) {
+    struct segment_command *segment = (struct segment_command *)lc;
+    if (segment->vmaddr == 0 && segment->vmsize != 0 &&
+        segment->initprot == 0 && segment->maxprot == 0 &&
+        strcmp("__PAGEZERO", segment->segname) == 0) {
+      return NO;
+    }
+  }
+  return YES;
+}
+
+#pragma mark Bundle Information
 
 ///
 ///  Try and determine the bundle that the represented executable is contained within, if any.
 ///
 ///  Rationale: An NSBundle has a method executablePath for discovering the main binary within a
-///  bundle but provides no way to get an NSBundle object when only the executablePath is known. Also,
-///  a bundle can contain multiple binaries within the MacOS folder and we want any of these to count
-///  as being part of the bundle.
+///  bundle but provides no way to get an NSBundle object when only the executablePath is known.
+///  Also a bundle can contain multiple binaries within the MacOS folder and we want any of these
+///  to count as being part of the bundle.
 ///
 ///  This method relies on executable bundles being laid out as follows:
 ///
@@ -206,21 +203,19 @@
 ///  NSBundle reference for Bundle.app.
 ///
 - (NSBundle *)bundle {
-  if (self.bundleRef) return self.bundleRef;
+  if (!self.bundleRef) {
+    self.bundleRef = (NSBundle *)[NSNull null];
 
-  NSArray *pathComponents = [self.path pathComponents];
+    // Check that the full path is at least 4-levels deep:
+    // e.g: /Calendar.app/Contents/MacOS/Calendar
+    NSArray *pathComponents = [self.path pathComponents];
+    if ([pathComponents count] < 4) return nil;
 
-  // Check that the full path is at least 4-levels deep:
-  // e.g: /Calendar.app/Contents/MacOS/Calendar
-  if ([pathComponents count] < 4) return nil;
-
-  pathComponents = [pathComponents subarrayWithRange:NSMakeRange(0, [pathComponents count] - 3)];
-  self.bundleRef = [NSBundle bundleWithPath:[NSString pathWithComponents:pathComponents]];
-
-  // Clear the bundle if it doesn't have a bundle ID
-  if (![self.bundleRef objectForInfoDictionaryKey:@"CFBundleIdentifier"]) self.bundleRef = nil;
-
-  return self.bundleRef;
+    pathComponents = [pathComponents subarrayWithRange:NSMakeRange(0, [pathComponents count] - 3)];
+    NSBundle *bndl = [NSBundle bundleWithPath:[NSString pathWithComponents:pathComponents]];
+    if (bndl && [bndl objectForInfoDictionaryKey:@"CFBundleIdentifier"]) self.bundleRef = bndl;
+  }
+  return self.bundleRef == (NSBundle *)[NSNull null] ? nil : self.bundleRef;
 }
 
 - (NSString *)bundlePath {
@@ -228,38 +223,89 @@
 }
 
 - (NSDictionary *)infoPlist {
-  if (self.infoDict) return self.infoDict;
+  if (!self.infoDict) {
+    self.infoDict = (NSDictionary *)[NSNull null];
 
-  if ([self bundle]) {
-    self.infoDict = [[self bundle] infoDictionary];
-    return self.infoDict;
+    if (self.bundle) {
+      NSDictionary *d = self.bundle.infoDictionary;
+      if (d) self.infoDict = d;
+    }
+
+    // Look for an embedded Info.plist if there is one.
+    // This could (and used to) use CFBundleCopyInfoDictionaryForURL but that uses mmap to read
+    // the file and so can cause SIGBUS if the file is deleted/truncated while it's working.
+    MachHeaderWithOffset *mhwo = [[self.machHeaders allValues] firstObject];
+    if (!mhwo) return nil;
+
+    struct mach_header *mh = (struct mach_header *)mhwo.data.bytes;
+    if (mh->filetype != MH_EXECUTE) return nil;
+    BOOL is64 = (mh->magic == MH_MAGIC_64 || mh->magic == MH_CIGAM_64);
+    uint32_t ncmds = mh->ncmds;
+    uint32_t nsects = 0;
+    uint64_t offset = mhwo.offset;
+
+    uint32_t sz_header = is64 ? sizeof(struct mach_header_64) : sizeof(struct mach_header);
+    uint32_t sz_segment = is64 ? sizeof(struct segment_command_64) : sizeof(struct segment_command);
+    uint32_t sz_section = is64 ? sizeof(struct section_64) : sizeof(struct section);
+
+    offset += sz_header;
+
+    // Loop through the load commands looking for the segment named __TEXT
+    for (uint32_t i = 0; i < ncmds; i++) {
+      NSData *cmdData = [self safeSubdataWithRange:NSMakeRange(offset, sz_segment)];
+      if (!cmdData) return nil;
+      struct segment_command_64 *lc = (struct segment_command_64 *)[cmdData bytes];
+      if (lc->cmd == LC_SEGMENT || lc->cmd == LC_SEGMENT_64) {
+        if (strncmp(lc->segname, "__TEXT", 6) == 0) {
+          nsects = lc->nsects;
+          offset += sz_segment;
+          break;
+        }
+      }
+      offset += lc->cmdsize;
+    }
+
+    // Loop through the sections in the __TEXT segment looking for an __info_plist section.
+    for (uint32_t i = 0; i < nsects; i++) {
+      NSData *sectData = [self safeSubdataWithRange:NSMakeRange(offset, sz_section)];
+      if (!sectData) return nil;
+      struct section_64 *sect = (struct section_64 *)[sectData bytes];
+      if (strncmp(sect->sectname, "__info_plist", 12) == 0 && sect->size < 2000000) {
+        NSData *plistData = [self safeSubdataWithRange:NSMakeRange(sect->offset, sect->size)];
+        if (!plistData) return nil;
+        NSDictionary *plist;
+        plist = [NSPropertyListSerialization propertyListWithData:plistData
+                                                          options:NSPropertyListImmutable
+                                                           format:NULL
+                                                            error:NULL];
+        if (plist) self.infoDict = plist;
+        break;
+      }
+      offset += sz_section;
+    }
   }
-
-  NSURL *url = [NSURL fileURLWithPath:self.path isDirectory:NO];
-  self.infoDict =
-      (__bridge_transfer NSDictionary*)CFBundleCopyInfoDictionaryForURL((__bridge CFURLRef) url);
-  return self.infoDict;
+  return self.infoDict == (NSDictionary *)[NSNull null] ? nil : self.infoDict;
 }
 
 - (NSString *)bundleIdentifier {
-  return [[self infoPlist] objectForKey:@"CFBundleIdentifier"];
+  return [self.infoPlist objectForKey:@"CFBundleIdentifier"];
 }
 
 - (NSString *)bundleName {
-  return [[self infoPlist] objectForKey:@"CFBundleName"];
+  return [self.infoPlist objectForKey:@"CFBundleName"];
 }
 
 - (NSString *)bundleVersion {
-  return [[self infoPlist] objectForKey:@"CFBundleVersion"];
+  return [self.infoPlist objectForKey:@"CFBundleVersion"];
 }
 
 - (NSString *)bundleShortVersionString {
-  return [[self infoPlist] objectForKey:@"CFBundleShortVersionString"];
+  return [self.infoPlist objectForKey:@"CFBundleShortVersionString"];
 }
 
 - (NSArray *)downloadURLs {
   char *path = (char *)[self.path fileSystemRepresentation];
-  size_t size = getxattr(path, "com.apple.metadata:kMDItemWhereFroms", NULL, 0, 0, 0);
+  size_t size = (size_t)getxattr(path, "com.apple.metadata:kMDItemWhereFroms", NULL, 0, 0, 0);
   char *value = malloc(size);
   if (!value) return nil;
 
@@ -282,47 +328,79 @@
   return nil;
 }
 
-# pragma mark Internal Methods
+#pragma mark Internal Methods
+
+- (void)parseMachHeaders {
+  if (self.machHeaders) return;
+
+  // Sanity check file length
+  if (self.fileData.length < sizeof(struct mach_header)) {
+    self.machHeaders = [NSDictionary dictionary];
+    return;
+  }
+
+  NSMutableDictionary *machHeaders = [NSMutableDictionary dictionary];
+
+  NSData *machHeader = [self parseSingleMachHeader:self.fileData];
+  if (machHeader) {
+    struct mach_header *mh = (struct mach_header *)[machHeader bytes];
+    MachHeaderWithOffset *mhwo = [[MachHeaderWithOffset alloc] initWithData:machHeader offset:0];
+    machHeaders[[self nameForCPUType:mh->cputype]] = mhwo;
+  } else {
+    NSRange range = NSMakeRange(0, sizeof(struct fat_header));
+    NSData *fatHeader = [self safeSubdataWithRange:range];
+    struct fat_header *fh = (struct fat_header *)[fatHeader bytes];
+
+    if (fatHeader && (fh->magic == FAT_MAGIC || fh->magic == FAT_CIGAM)) {
+      int nfat_arch = OSSwapBigToHostInt32(fh->nfat_arch);
+      range = NSMakeRange(sizeof(struct fat_header), sizeof(struct fat_arch) * nfat_arch);
+      NSMutableData *fatArchs = [[self safeSubdataWithRange:range] mutableCopy];
+      if (fatArchs) {
+        struct fat_arch *fat_arch = (struct fat_arch *)[fatArchs mutableBytes];
+        for (int i = 0; i < nfat_arch; i++) {
+          int offset = OSSwapBigToHostInt32(fat_arch[i].offset);
+          int size = OSSwapBigToHostInt32(fat_arch[i].size);
+          int cputype = OSSwapBigToHostInt(fat_arch[i].cputype);
+
+          range = NSMakeRange(offset, size);
+          NSData *machHeader = [self parseSingleMachHeader:[self safeSubdataWithRange:range]];
+          if (machHeader) {
+            NSString *key = [self nameForCPUType:cputype];
+            MachHeaderWithOffset *mhwo = [[MachHeaderWithOffset alloc] initWithData:machHeader
+                                                                             offset:offset];
+            machHeaders[key] = mhwo;
+          }
+        }
+      }
+    }
+  }
+
+  self.machHeaders = [machHeaders copy];
+}
+
+- (NSData *)parseSingleMachHeader:(NSData *)inputData {
+  if (inputData.length < sizeof(struct mach_header)) return nil;
+  struct mach_header *mh = (struct mach_header *)[inputData bytes];
+
+  if (mh->magic == MH_CIGAM || mh->magic == MH_CIGAM_64) {
+    NSMutableData *mutableInput = [inputData mutableCopy];
+    mh = (struct mach_header *)[mutableInput mutableBytes];
+    swap_mach_header(mh, NXHostByteOrder());
+  }
+
+  if (mh->magic == MH_MAGIC || mh->magic == MH_MAGIC_64) {
+    return [NSData dataWithBytes:mh length:sizeof(struct mach_header)];
+  }
+
+  return nil;
+}
 
 ///
-///  Look through the file for the first mach_header. If the file is thin, this will be the
-///  header at the beginning of the file. If the file is fat, it will be the first
-///  architecture-specific header.
+///  Return one of the mach_header's in this file.
 ///
 - (struct mach_header *)firstMachHeader {
-  if (![self isMachO]) return NULL;
+  return (struct mach_header *)([[[[self.machHeaders allValues] firstObject] data] bytes]);
 
-  struct mach_header *mach_header = (struct mach_header *)[self.fileData bytes];
-  struct fat_header *fat_header = (struct fat_header *)[self.fileData bytes];
-
-  if ([self isFatHeader:fat_header]) {
-    // Get the bytes for the fat_arch
-    NSData *archHdr = [self safeSubdataWithRange:NSMakeRange(sizeof(struct fat_header),
-                                                             sizeof(struct fat_arch))];
-    if (!archHdr) return nil;
-    struct fat_arch *fat_arch = (struct fat_arch *)[archHdr bytes];
-
-    // Get bytes for first mach_header
-    NSData *machHdr = [self safeSubdataWithRange:NSMakeRange(NSSwapBigIntToHost(fat_arch->offset),
-                                                             sizeof(struct mach_header))];
-    if (!machHdr) return nil;
-    mach_header = (struct mach_header *)[machHdr bytes];
-  }
-
-  if ([self isMachHeader:mach_header]) {
-    return mach_header;
-  }
-
-  return NULL;
-}
-
-- (BOOL)isMachHeader:(struct mach_header *)header {
-  return (header->magic == MH_MAGIC || header->magic == MH_MAGIC_64 ||
-          header->magic == MH_CIGAM || header->magic == MH_CIGAM_64);
-}
-
-- (BOOL)isFatHeader:(struct fat_header *)header {
-  return (header->magic == FAT_MAGIC || header->magic == FAT_CIGAM);
 }
 
 ///
@@ -333,11 +411,14 @@
   @try {
     return [self.fileData subdataWithRange:range];
   }
-  @catch (NSException *exception) {
+  @catch (NSException *e) {
     return nil;
   }
 }
 
+///
+///  Return a human-readable string for a cpu_type_t.
+///
 - (NSString *)nameForCPUType:(cpu_type_t)cpuType {
   switch (cpuType) {
     case CPU_TYPE_X86:
@@ -354,4 +435,32 @@
   return nil;
 }
 
+- (NSString *)resolvePath:(NSString *)path {
+  // Convert to absolute, standardized path
+  path = [path stringByResolvingSymlinksInPath];
+  if (![path isAbsolutePath]) {
+    NSString *cwd = [[NSFileManager defaultManager] currentDirectoryPath];
+    path = [cwd stringByAppendingPathComponent:path];
+  }
+  path = [path stringByStandardizingPath];
+
+  // Determine if file exists.
+  // If path is actually a directory, check to see if it's a bundle and has a CFBundleExecutable.
+  BOOL directory;
+  if (![[NSFileManager defaultManager] fileExistsAtPath:path isDirectory:&directory]) {
+    return nil;
+  } else if (directory) {
+    NSString *infoPath = [path stringByAppendingPathComponent:@"Contents/Info.plist"];
+    NSDictionary *d = [NSDictionary dictionaryWithContentsOfFile:infoPath];
+    if (d && d[@"CFBundleExecutable"]) {
+      path = [path stringByAppendingPathComponent:@"Contents/MacOS"];
+      return [path stringByAppendingPathComponent:d[@"CFBundleExecutable"]];
+    } else {
+      return nil;
+    }
+  } else {
+    return path;
+  }
+}
+
 @end

Source/common/SNTFileWatcher.m

@@ -48,7 +48,7 @@
 }
 
 - (void)beginWatchingFile {
-  __weak typeof(self) weakSelf = self;
+  __weak __typeof(self) weakSelf = self;
   int mask = (DISPATCH_VNODE_DELETE | DISPATCH_VNODE_WRITE |
               DISPATCH_VNODE_EXTEND | DISPATCH_VNODE_RENAME);
   dispatch_queue_t queue = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0);
@@ -70,12 +70,13 @@
         close(fd);
       }
 
-      while ((fd = open([weakSelf.filePath fileSystemRepresentation], O_EVTONLY)) < 0) {
+      const char *filePathCString = [weakSelf.filePath fileSystemRepresentation];
+      while ((fd = open(filePathCString, O_EVTONLY)) < 0) {
         usleep(1000);
       }
 
-      weakSelf.monitoringSource = dispatch_source_create(
-          DISPATCH_SOURCE_TYPE_VNODE, fd, mask, queue);
+      weakSelf.monitoringSource =
+          dispatch_source_create(DISPATCH_SOURCE_TYPE_VNODE, fd, mask, queue);
       dispatch_source_set_event_handler(weakSelf.monitoringSource, weakSelf.internalEventHandler);
       dispatch_source_set_cancel_handler(weakSelf.monitoringSource, weakSelf.internalCancelHandler);
       dispatch_resume(weakSelf.monitoringSource);
@@ -91,9 +92,7 @@
 
   int fd = (int)dispatch_source_get_handle(self.monitoringSource);
   dispatch_source_set_event_handler_f(self.monitoringSource, NULL);
-  dispatch_source_set_cancel_handler(self.monitoringSource, ^{
-      close(fd);
-  });
+  dispatch_source_set_cancel_handler(self.monitoringSource, ^{ close(fd); });
 
   dispatch_source_cancel(self.monitoringSource);
   self.monitoringSource = nil;

Source/common/SNTKernelCommon.h

@@ -16,11 +16,12 @@
 /// Common defines between kernel <-> userspace
 ///
 
+#include <sys/param.h>
+
 #ifndef SANTA__COMMON__KERNELCOMMON_H
 #define SANTA__COMMON__KERNELCOMMON_H
 
 // Defines the lengths of paths and Vnode IDs passed around.
-#define MAX_PATH_LEN 1024    // ==PATH_LEN from syslimits.h
 #define MAX_VNODE_ID_STR 21  // digits in UINT64_MAX + 1 for NULL-terminator
 
 // Defines the name of the userclient class and the driver bundle ID.
@@ -50,24 +51,34 @@ typedef enum {
   ACTION_RESPOND_CHECKBW_ALLOW = 11,
   ACTION_RESPOND_CHECKBW_DENY = 12,
 
+  // NOTIFY
+  ACTION_NOTIFY_EXEC = 20,
+  ACTION_NOTIFY_WRITE = 21,
+  ACTION_NOTIFY_RENAME = 22,
+  ACTION_NOTIFY_LINK = 23,
+  ACTION_NOTIFY_EXCHANGE = 24,
+  ACTION_NOTIFY_DELETE = 25,
+
   // SHUTDOWN
-  ACTION_REQUEST_SHUTDOWN = 60,
+  ACTION_REQUEST_SHUTDOWN = 90,
 
   // ERROR
   ACTION_ERROR = 99,
 } santa_action_t;
 
-#define CHECKBW_RESPONSE_VALID(x) (x == ACTION_RESPOND_CHECKBW_ALLOW || \
-  x == ACTION_RESPOND_CHECKBW_DENY)
+#define CHECKBW_RESPONSE_VALID(x) \
+  (x == ACTION_RESPOND_CHECKBW_ALLOW || x == ACTION_RESPOND_CHECKBW_DENY)
 
 // Message struct that is sent down the IODataQueue.
 typedef struct {
   santa_action_t action;
   uint64_t vnode_id;
-  uid_t userId;
+  uid_t uid;
+  gid_t gid;
   pid_t pid;
   pid_t ppid;
-  char path[MAX_PATH_LEN];
+  char path[MAXPATHLEN];
+  char newpath[MAXPATHLEN];
 } santa_message_t;
 
 #endif  // SANTA__COMMON__KERNELCOMMON_H

Source/common/SNTLogging.h

@@ -32,26 +32,29 @@
 
 #else  // KERNEL
 
-#define LOG_LEVEL_ERROR   1
-#define LOG_LEVEL_WARN    2
-#define LOG_LEVEL_INFO    3
-#define LOG_LEVEL_DEBUG   4
+typedef enum : NSUInteger {
+  LOG_LEVEL_ERROR,
+  LOG_LEVEL_WARN,
+  LOG_LEVEL_INFO,
+  LOG_LEVEL_DEBUG
+} LogLevel;
 
 ///
 ///  Logging function.
-///
 ///  @param level one of the levels defined above
-///  @param destination a FILE, generally should be stdout or stderr
+///  @param destination a FILE, generally stdout/stderr. If the file is closed, the log
+///      will instead be sent to syslog.
 ///  @param format the printf style format string
 ///  @param ... the arguments to format.
 ///
-void logMessage(int level, FILE *destination, NSString *format, ...);
+void logMessage(LogLevel level, FILE *destination, NSString *format, ...)
+    __attribute__((format(__NSString__, 3, 4)));
 
 /// Simple logging macros
-#define LOGD(logFormat, ...) logMessage(LOG_LEVEL_DEBUG, stdout, logFormat, ##__VA_ARGS__);
-#define LOGI(logFormat, ...) logMessage(LOG_LEVEL_INFO, stdout, logFormat, ##__VA_ARGS__);
-#define LOGW(logFormat, ...) logMessage(LOG_LEVEL_WARN, stderr, logFormat, ##__VA_ARGS__);
-#define LOGE(logFormat, ...) logMessage(LOG_LEVEL_ERROR, stderr, logFormat, ##__VA_ARGS__);
+#define LOGD(logFormat, ...) logMessage(LOG_LEVEL_DEBUG, stdout, logFormat, ##__VA_ARGS__)
+#define LOGI(logFormat, ...) logMessage(LOG_LEVEL_INFO, stdout, logFormat, ##__VA_ARGS__)
+#define LOGW(logFormat, ...) logMessage(LOG_LEVEL_WARN, stderr, logFormat, ##__VA_ARGS__)
+#define LOGE(logFormat, ...) logMessage(LOG_LEVEL_ERROR, stderr, logFormat, ##__VA_ARGS__)
 
 #endif  // KERNEL
 

Source/common/SNTLogging.m

@@ -14,28 +14,32 @@
 
 #import "SNTLogging.h"
 
+#import <asl.h>
+
 #ifdef DEBUG
-static int logLevel = LOG_LEVEL_DEBUG;  // default to info
+static LogLevel logLevel = LOG_LEVEL_DEBUG;
 #else
-static int logLevel = LOG_LEVEL_INFO;
+static LogLevel logLevel = LOG_LEVEL_INFO;  // default to info
 #endif
 
-void logMessage(int level, FILE *destination, NSString *format, ...) {
-  static NSDateFormatter *dateFormatter;
-  static NSString *binaryName;
+void logMessage(LogLevel level, FILE *destination, NSString *format, ...) {
+  static BOOL useSyslog = NO;
+  static const char *binaryName;
   static dispatch_once_t pred;
 
   dispatch_once(&pred, ^{
-      dateFormatter = [[NSDateFormatter alloc] init];
-      [dateFormatter setTimeZone:[NSTimeZone timeZoneWithName:@"UTC"]];
-      [dateFormatter setDateFormat:@"YYYY-MM-dd HH:mm:ss.SSS'Z"];
-
-      binaryName = [[NSProcessInfo processInfo] processName];
+      binaryName = [[[NSProcessInfo processInfo] processName] UTF8String];
 
       // If debug logging is enabled, the process must be restarted.
       if ([[[NSProcessInfo processInfo] arguments] containsObject:@"--debug"]) {
         logLevel = LOG_LEVEL_DEBUG;
       }
+
+      // If requested, redirect output to syslog.
+      if ([[[NSProcessInfo processInfo] arguments] containsObject:@"--syslog"] ||
+          strcmp(binaryName, "santad") == 0) {
+        useSyslog = YES;
+      }
   });
 
   if (logLevel < level) return;
@@ -45,19 +49,22 @@ void logMessage(int level, FILE *destination, NSString *format, ...) {
   NSString *s = [[NSString alloc] initWithFormat:format arguments:args];
   va_end(args);
 
-  // Only prepend timestamp, severity and binary name if stdout is not a TTY
-  if (isatty(fileno(destination))) {
-    fprintf(destination, "%s\n", [s UTF8String]);
-  } else {
-    NSString *levelName;
+  if (useSyslog) {
+    aslclient client = asl_open(NULL, "com.google.santa", 0);
+    asl_set_filter(client, ASL_FILTER_MASK_UPTO(ASL_LEVEL_DEBUG));
+
+    char *levelName;
+    int syslogLevel = ASL_LEVEL_DEBUG;
     switch (level) {
-      case LOG_LEVEL_ERROR: levelName = @"E"; break;
-      case LOG_LEVEL_WARN: levelName = @"W"; break;
-      case LOG_LEVEL_INFO: levelName = @"I"; break;
-      case LOG_LEVEL_DEBUG: levelName = @"D"; break;
+      case LOG_LEVEL_ERROR: levelName = "E"; syslogLevel = ASL_LEVEL_ERR; break;
+      case LOG_LEVEL_WARN: levelName = "W"; syslogLevel = ASL_LEVEL_WARNING; break;
+      case LOG_LEVEL_INFO: levelName = "I"; syslogLevel = ASL_LEVEL_INFO; break;
+      case LOG_LEVEL_DEBUG: levelName = "D"; syslogLevel = ASL_LEVEL_DEBUG; break;
     }
 
-    fprintf(destination, "%s\n", [[NSString stringWithFormat:@"[%@] %@ %@: %@",
-            [dateFormatter stringFromDate:[NSDate date]], levelName, binaryName, s] UTF8String]);
+    asl_log(client, NULL, syslogLevel, "%s %s: %s", levelName, binaryName, [s UTF8String]);
+    asl_close(client);
+  } else {
+    fprintf(destination, "%s\n", [s UTF8String]);
   }
 }

Source/common/SNTRule.h

@@ -22,7 +22,7 @@
 ///
 ///  The hash of the object this rule is for
 ///
-@property NSString *shasum;
+@property(copy) NSString *shasum;
 
 ///
 ///  The state of this rule
@@ -37,7 +37,7 @@
 ///
 ///  A custom message that will be displayed if this rule blocks a binary from executing
 ///
-@property NSString *customMsg;
+@property(copy) NSString *customMsg;
 
 ///
 ///  Designated initializer.

Source/common/SNTRule.m

@@ -22,7 +22,7 @@
                      customMsg:(NSString *)customMsg {
   self = [super init];
   if (self) {
-    _shasum  = shasum;
+    _shasum = shasum;
     _state = state;
     _type = type;
     _customMsg = customMsg;
@@ -34,11 +34,10 @@
 
 #define ENCODE(obj, key) if (obj) [coder encodeObject:obj forKey:key]
 #define DECODE(cls, key) [decoder decodeObjectOfClass:[cls class] forKey:key]
-#define DECODEARRAY(cls, key) \
-    [decoder decodeObjectOfClasses:[NSSet setWithObjects:[NSArray class], [cls class], nil] \
-                            forKey:key]
 
-+ (BOOL)supportsSecureCoding { return YES; }
++ (BOOL)supportsSecureCoding {
+  return YES;
+}
 
 - (void)encodeWithCoder:(NSCoder *)coder {
   ENCODE(self.shasum, @"shasum");
@@ -58,4 +57,28 @@
   return self;
 }
 
+#undef DECODE
+#undef ENCODE
+
+- (BOOL)isEqual:(id)other {
+  if (other == self) return YES;
+  if (![other isKindOfClass:[SNTRule class]]) return NO;
+  SNTRule *o = other;
+  return ([self.shasum isEqual:o.shasum] && self.state == o.state && self.type == o.type);
+}
+
+- (NSUInteger)hash {
+  NSUInteger prime = 31;
+  NSUInteger result = 1;
+  result = prime * result + [self.shasum hash];
+  result = prime * result + self.state;
+  result = prime * result + self.type;
+  return result;
+}
+
+- (NSString *)description {
+  return [NSString stringWithFormat:@"SNTRule: SHA-256: %@, State: %d, Type: %d",
+             self.shasum, self.state, self.type];
+}
+
 @end

Source/common/SNTStoredEvent.h

@@ -95,4 +95,9 @@
 ///
 @property NSNumber *ppid;
 
+///
+///  The name of the parent process.
+///
+@property NSString *parentName;
+
 @end

Source/common/SNTStoredEvent.m

@@ -24,7 +24,9 @@
     [decoder decodeObjectOfClasses:[NSSet setWithObjects:[NSArray class], [cls class], nil] \
                                                   forKey:key]
 
-+ (BOOL)supportsSecureCoding {  return YES; }
++ (BOOL)supportsSecureCoding {
+  return YES;
+}
 
 - (void)encodeWithCoder:(NSCoder *)coder {
   ENCODE(self.idx, @"idx");
@@ -43,6 +45,7 @@
   ENCODE(@(self.decision), @"decision");
   ENCODE(self.pid, @"pid");
   ENCODE(self.ppid, @"ppid");
+  ENCODE(self.parentName, @"parentName");
 
   ENCODE(self.loggedInUsers, @"loggedInUsers");
   ENCODE(self.currentSessions, @"currentSessions");
@@ -64,9 +67,10 @@
 
     _executingUser = DECODE(NSString, @"executingUser");
     _occurrenceDate = DECODE(NSDate, @"occurrenceDate");
-    _decision = [DECODE(NSNumber, @"decision") intValue];
+    _decision = (santa_eventstate_t)[DECODE(NSNumber, @"decision") intValue];
     _pid = DECODE(NSNumber, @"pid");
     _ppid = DECODE(NSNumber, @"ppid");
+    _parentName = DECODE(NSString, @"parentName");
 
     _loggedInUsers = DECODEARRAY(NSString, @"loggedInUsers");
     _currentSessions = DECODEARRAY(NSString, @"currentSessions");
@@ -74,11 +78,11 @@
   return self;
 }
 
-- (BOOL)isEqual:(SNTStoredEvent *)other {
+- (BOOL)isEqual:(id)other {
   if (other == self) return YES;
   if (![other isKindOfClass:[SNTStoredEvent class]]) return NO;
-  return ([self.fileSHA256 isEqual:other.fileSHA256] &&
-          [self.idx isEqual:other.idx]);
+  SNTStoredEvent *o = other;
+  return ([self.fileSHA256 isEqual:o.fileSHA256] && [self.idx isEqual:o.idx]);
 }
 
 - (NSUInteger)hash {
@@ -91,8 +95,8 @@
 }
 
 - (NSString *)description {
-  return [NSString stringWithFormat:@"SNTStoredEvent[%@] with SHA-256: %@",
-          self.idx, self.fileSHA256];
+  return
+      [NSString stringWithFormat:@"SNTStoredEvent[%@] with SHA-256: %@", self.idx, self.fileSHA256];
 }
 
 @end

Source/common/SNTSystemInfo.m

@@ -21,11 +21,8 @@
       kIOMasterPortDefault, IOServiceMatching("IOPlatformExpertDevice"));
   if (!platformExpert) return nil;
 
-  NSString *serial = CFBridgingRelease(
-      IORegistryEntryCreateCFProperty(platformExpert,
-                                      CFSTR(kIOPlatformSerialNumberKey),
-                                      kCFAllocatorDefault,
-                                      0));
+  NSString *serial = CFBridgingRelease(IORegistryEntryCreateCFProperty(
+      platformExpert, CFSTR(kIOPlatformSerialNumberKey), kCFAllocatorDefault, 0));
 
   IOObjectRelease(platformExpert);
 
@@ -37,10 +34,8 @@
       kIOMasterPortDefault, IOServiceMatching("IOPlatformExpertDevice"));
   if (!platformExpert) return nil;
 
-  NSString *uuid = CFBridgingRelease(
-      IORegistryEntryCreateCFProperty(platformExpert,
-                                      CFSTR(kIOPlatformUUIDKey),
-                                      kCFAllocatorDefault, 0));
+  NSString *uuid = CFBridgingRelease(IORegistryEntryCreateCFProperty(
+      platformExpert, CFSTR(kIOPlatformUUIDKey), kCFAllocatorDefault, 0));
 
   IOObjectRelease(platformExpert);
 
@@ -65,11 +60,11 @@
   return @(hostname);
 }
 
-# pragma mark - Internal
+#pragma mark - Internal
 
 + (NSDictionary *)_systemVersionDictionary {
-  return [NSDictionary dictionaryWithContentsOfFile:
-      @"/System/Library/CoreServices/SystemVersion.plist"];
+  return [NSDictionary
+      dictionaryWithContentsOfFile:@"/System/Library/CoreServices/SystemVersion.plist"];
 }
 
 @end

Source/common/SNTXPCConnection.h

@@ -63,7 +63,7 @@ typedef void (^SNTXPCRejectedBlock)(void);
 ///  @warning Do not send a message to this object if you didn't set @c remoteInterface above
 ///  before calling the @c resume method. Doing so will throw an exception.
 ///
-@property(readonly) id remoteObjectProxy;
+@property(readonly, nonatomic) id remoteObjectProxy;
 
 ///
 ///  The interface this object exports.

Source/common/SNTXPCConnection.m

@@ -59,8 +59,7 @@
   if (self) {
     Protocol *validatorProtocol = @protocol(XPCConnectionValidityRequest);
     _validatorInterface = [NSXPCInterface interfaceWithProtocol:validatorProtocol];
-    _currentConnection = [[NSXPCConnection alloc] initWithMachServiceName:name
-                                                                  options:options];
+    _currentConnection = [[NSXPCConnection alloc] initWithMachServiceName:name options:options];
 
     if (!_validatorInterface || !_currentConnection) return nil;
   }
@@ -75,24 +74,22 @@
 #pragma mark Connection set-up
 
 - (void)resume {
-  if (_listenerObject) {
+  if (self.listenerObject) {
     // A new listener doesn't do anything until a client connects.
     self.listenerObject.delegate = self;
     [self.listenerObject resume];
   } else {
     // A new client begins the validation process.
-    NSXPCConnection *connection = _currentConnection;
+    NSXPCConnection *connection = self.currentConnection;
 
-    connection.remoteObjectInterface = _validatorInterface;
+    connection.remoteObjectInterface = self.validatorInterface;
 
     connection.invalidationHandler = ^{
         [self invokeInvalidationHandler];
         self.currentConnection = nil;
     };
 
-    connection.interruptionHandler = ^{
-        [self.currentConnection invalidate];
-    };
+    connection.interruptionHandler = ^{ [self.currentConnection invalidate]; };
 
     [connection resume];
 
@@ -133,7 +130,7 @@
   if (self.currentConnection) return NO;
 
   connection.exportedObject = self;
-  connection.exportedInterface = _validatorInterface;
+  connection.exportedInterface = self.validatorInterface;
 
   connection.invalidationHandler = ^{
       [self invokeInvalidationHandler];

Source/common/SNTXPCControlInterface.h

@@ -25,26 +25,28 @@
 ///
 ///  Kernel ops
 ///
-- (void)cacheCount:(void (^)(uint64_t))reply;
+- (void)cacheCount:(void (^)(int64_t))reply;
 - (void)flushCache:(void (^)(BOOL))reply;
 
 ///
 ///  Database ops
 ///
-- (void)databaseRuleCounts:(void (^)(uint64_t binary, uint64_t certificate))reply;
+- (void)databaseRuleCounts:(void (^)(int64_t binary, int64_t certificate))reply;
 - (void)databaseRuleAddRule:(SNTRule *)rule cleanSlate:(BOOL)cleanSlate reply:(void (^)())reply;
 - (void)databaseRuleAddRules:(NSArray *)rules cleanSlate:(BOOL)cleanSlate reply:(void (^)())reply;
 
-- (void)databaseEventCount:(void (^)(uint64_t count))reply;
+- (void)databaseEventCount:(void (^)(int64_t count))reply;
 - (void)databaseEventForSHA256:(NSString *)sha256 reply:(void (^)(SNTStoredEvent *))reply;
 - (void)databaseEventsPending:(void (^)(NSArray *events))reply;
 - (void)databaseRemoveEventsWithIDs:(NSArray *)ids;
 
 ///
-///  Misc ops
+///  Config ops
 ///
 - (void)clientMode:(void (^)(santa_clientmode_t))reply;
 - (void)setClientMode:(santa_clientmode_t)mode reply:(void (^)())reply;
+- (void)setNextSyncInterval:(uint64_t)seconds reply:(void (^)())reply;
+- (void)setWhitelistPathRegex:(NSString *)pattern reply:(void (^)())reply;
 
 @end
 

Source/santa-driver/SantaDecisionManager.cc

@@ -20,89 +20,112 @@ OSDefineMetaClassAndStructors(SantaDecisionManager, OSObject);
 #pragma mark Object Lifecycle
 
 bool SantaDecisionManager::init() {
-  sdm_lock_grp_ = lck_grp_alloc_init("santa-locks", lck_grp_attr_alloc_init());
-  dataqueue_lock_ = lck_mtx_alloc_init(sdm_lock_grp_, lck_attr_alloc_init());
-  cached_decisions_lock_ = lck_rw_alloc_init(sdm_lock_grp_, lck_attr_alloc_init());
+  if (!super::init()) return false;
+
+  sdm_lock_grp_attr_ = lck_grp_attr_alloc_init();
+  sdm_lock_grp_ = lck_grp_alloc_init("santa-locks", sdm_lock_grp_attr_);
+
+  sdm_lock_attr_ = lck_attr_alloc_init();
+
+  dataqueue_lock_ = lck_mtx_alloc_init(sdm_lock_grp_, sdm_lock_attr_);
+  cached_decisions_lock_ = lck_rw_alloc_init(sdm_lock_grp_, sdm_lock_attr_);
 
   cached_decisions_ = OSDictionary::withCapacity(1000);
 
-  owning_pid_ = 0;
+  dataqueue_ = IOSharedDataQueue::withEntries(kMaxQueueEvents,
+                                              sizeof(santa_message_t));
+  if (!dataqueue_) return kIOReturnNoMemory;
 
-  return kIOReturnSuccess;
+  client_pid_ = 0;
+
+  return true;
 }
 
 void SantaDecisionManager::free() {
-  if (cached_decisions_) {
-    cached_decisions_->release();
-    cached_decisions_ = NULL;
-  }
+  OSSafeReleaseNULL(dataqueue_);
+  OSSafeReleaseNULL(cached_decisions_);
 
   if (cached_decisions_lock_) {
     lck_rw_free(cached_decisions_lock_, sdm_lock_grp_);
     cached_decisions_lock_ = NULL;
   }
 
-  if (dataqueue_lock_ ) {
+  if (dataqueue_lock_) {
     lck_mtx_free(dataqueue_lock_, sdm_lock_grp_);
     dataqueue_lock_ = NULL;
   }
 
+  if (sdm_lock_attr_) {
+    lck_attr_free(sdm_lock_attr_);
+    sdm_lock_attr_ = NULL;
+  }
+
   if (sdm_lock_grp_) {
     lck_grp_free(sdm_lock_grp_);
     sdm_lock_grp_ = NULL;
   }
 
+  if (sdm_lock_grp_attr_) {
+    lck_grp_attr_free(sdm_lock_grp_attr_);
+    sdm_lock_grp_attr_ = NULL;
+  }
+
   super::free();
 }
 
 #pragma mark Client Management
 
-void SantaDecisionManager::ConnectClient(IOSharedDataQueue *queue, pid_t pid) {
+void SantaDecisionManager::ConnectClient(mach_port_t port, pid_t pid) {
   if (!pid) return;
-  if (!queue) return;
 
   // Any decisions made while the daemon wasn't
   // connected should be cleared
   ClearCache();
 
   lck_mtx_lock(dataqueue_lock_);
-  dataqueue_ = queue;
-  dataqueue_->retain();
+  dataqueue_->setNotificationPort(port);
   lck_mtx_unlock(dataqueue_lock_);
 
-  owning_pid_ = pid;
-  owning_proc_ = proc_find(pid);
+  client_pid_ = pid;
+
   failed_queue_requests_ = 0;
 }
 
-void SantaDecisionManager::DisconnectClient() {
-  if (owning_pid_ < 1) return;
-
-  owning_pid_ = -1;
+void SantaDecisionManager::DisconnectClient(bool itDied) {
+  if (client_pid_ < 1) return;
+  client_pid_ = 0;
 
   // Ask santad to shutdown, in case it's running.
-  santa_message_t message;
-  message.action = ACTION_REQUEST_SHUTDOWN;
-  message.userId = 0;
-  message.pid = 0;
-  message.ppid = 0;
-  message.vnode_id = 0;
-  PostToQueue(message);
+  if (!itDied) {
+    santa_message_t *message = new santa_message_t;
+    message->action = ACTION_REQUEST_SHUTDOWN;
+    PostToQueue(message);
+    delete message;
+    dataqueue_->setNotificationPort(NULL);
+  } else {
+    // If the client died, reset the data queue so when it reconnects
+    // it doesn't get swamped straight away.
+    lck_mtx_lock(dataqueue_lock_);
+    dataqueue_->release();
+    dataqueue_ = IOSharedDataQueue::withEntries(kMaxQueueEvents,
+                                                sizeof(santa_message_t));
+    lck_mtx_unlock(dataqueue_lock_);
+  }
 
-  lck_mtx_lock(dataqueue_lock_);
-  dataqueue_->release();
-  dataqueue_ = NULL;
-  lck_mtx_unlock(dataqueue_lock_);
-
-  proc_rele(owning_proc_);
-  owning_proc_ = NULL;
 }
 
 bool SantaDecisionManager::ClientConnected() {
-  return owning_pid_ > 0;
+  proc_t p = proc_find(client_pid_);
+  bool is_exiting = proc_exiting(p);
+  proc_rele(p);
+  return (client_pid_ > 0 && !is_exiting);
 }
 
-# pragma mark Listener Control
+IOMemoryDescriptor *SantaDecisionManager::GetMemoryDescriptor() {
+  return dataqueue_->getMemoryDescriptor();
+}
+
+#pragma mark Listener Control
 
 kern_return_t SantaDecisionManager::StartListener() {
   vnode_listener_ = kauth_listen_scope(KAUTH_SCOPE_VNODE,
@@ -110,7 +133,12 @@ kern_return_t SantaDecisionManager::StartListener() {
                                        reinterpret_cast<void *>(this));
   if (!vnode_listener_) return kIOReturnInternalError;
 
-  LOGD("Vnode listener started.");
+  fileop_listener_ = kauth_listen_scope(KAUTH_SCOPE_FILEOP,
+                                        fileop_scope_callback,
+                                        reinterpret_cast<void *>(this));
+  if (!fileop_listener_) return kIOReturnInternalError;
+
+  LOGD("Listeners started.");
 
   return kIOReturnSuccess;
 }
@@ -119,6 +147,9 @@ kern_return_t SantaDecisionManager::StopListener() {
   kauth_unlisten_scope(vnode_listener_);
   vnode_listener_ = NULL;
 
+  kauth_unlisten_scope(fileop_listener_);
+  fileop_listener_ = NULL;
+
   // Wait for any active invocations to finish before returning
   do {
     IOSleep(5);
@@ -127,7 +158,7 @@ kern_return_t SantaDecisionManager::StopListener() {
   // Delete any cached decisions
   ClearCache();
 
-  LOGD("Vnode listener stopped.");
+  LOGD("Listeners stopped.");
 
   return kIOReturnSuccess;
 }
@@ -136,39 +167,44 @@ kern_return_t SantaDecisionManager::StopListener() {
 
 void SantaDecisionManager::AddToCache(
     const char *identifier, santa_action_t decision, uint64_t microsecs) {
-  lck_rw_lock_exclusive(cached_decisions_lock_);
-
   if (cached_decisions_->getCount() > kMaxCacheSize) {
     // This could be made a _lot_ smarter, say only removing entries older
     // than a certain time period. However, with a kMaxCacheSize set
     // sufficiently large and a kMaxAllowCacheTimeMilliseconds set
     // sufficiently low, this should only ever occur if someone is purposefully
     // trying to make the cache grow.
-    LOGD("Cache too large, flushing.");
-    cached_decisions_->flushCollection();
+    LOGI("Cache too large, flushing.");
+    ClearCache();
   }
 
   if (decision == ACTION_REQUEST_CHECKBW) {
     SantaMessage *pending = new SantaMessage();
     pending->setAction(ACTION_REQUEST_CHECKBW, 0);
+    lck_rw_lock_exclusive(cached_decisions_lock_);
     cached_decisions_->setObject(identifier, pending);
+    lck_rw_unlock_exclusive(cached_decisions_lock_);
     pending->release();  // it was retained when added to the dictionary
   } else {
-    SantaMessage *pending = OSDynamicCast(
-        SantaMessage, cached_decisions_->getObject(identifier));
+    lck_rw_lock_exclusive(cached_decisions_lock_);
+    SantaMessage *pending =
+        OSDynamicCast(SantaMessage, cached_decisions_->getObject(identifier));
     if (pending) {
       pending->setAction(decision, microsecs);
     }
+    lck_rw_unlock_exclusive(cached_decisions_lock_);
   }
-
-  lck_rw_unlock_exclusive(cached_decisions_lock_);
 }
 
 void SantaDecisionManager::CacheCheck(const char *identifier) {
   lck_rw_lock_shared(cached_decisions_lock_);
   bool shouldInvalidate = (cached_decisions_->getObject(identifier) != NULL);
   if (shouldInvalidate) {
-    lck_rw_lock_shared_to_exclusive(cached_decisions_lock_);
+    if (!lck_rw_lock_shared_to_exclusive(cached_decisions_lock_)) {
+      // shared_to_exclusive will return false if a previous reader upgraded
+      // and if that happens the lock will have been unlocked. If that happens,
+      // which is rare, relock exclusively.
+      lck_rw_lock_exclusive(cached_decisions_lock_);
+    }
     cached_decisions_->removeObject(identifier);
     lck_rw_unlock_exclusive(cached_decisions_lock_);
   } else {
@@ -186,13 +222,15 @@ void SantaDecisionManager::ClearCache() {
   lck_rw_unlock_exclusive(cached_decisions_lock_);
 }
 
+#pragma mark Decision Fetching
+
 santa_action_t SantaDecisionManager::GetFromCache(const char *identifier) {
   santa_action_t result = ACTION_UNSET;
   uint64_t decision_time = 0;
 
   lck_rw_lock_shared(cached_decisions_lock_);
-  SantaMessage *cached_decision = OSDynamicCast(
-      SantaMessage, cached_decisions_->getObject(identifier));
+  SantaMessage *cached_decision =
+      OSDynamicCast(SantaMessage, cached_decisions_->getObject(identifier));
   if (cached_decision) {
     result = cached_decision->getAction();
     decision_time = cached_decision->getMicrosecs();
@@ -227,105 +265,107 @@ santa_action_t SantaDecisionManager::GetFromCache(const char *identifier) {
   return result;
 }
 
-# pragma mark Queue Management
-
-bool SantaDecisionManager::PostToQueue(santa_message_t message) {
-  lck_mtx_lock(dataqueue_lock_);
-  bool kr = false;
-  if (dataqueue_) {
-    kr = dataqueue_->enqueue(&message, sizeof(message));
-  }
-  lck_mtx_unlock(dataqueue_lock_);
-  return kr;
-}
-
-santa_action_t SantaDecisionManager::FetchDecision(
-    const kauth_cred_t credential,
-    const vfs_context_t vfs_context,
-    const vnode_t vnode) {
+santa_action_t SantaDecisionManager::GetFromDaemon(
+    santa_message_t *message, const char *vnode_id_str) {
   santa_action_t return_action = ACTION_UNSET;
 
-  // Fetch Vnode ID & string
-  uint64_t vnode_id = GetVnodeIDForVnode(vfs_context, vnode);
-  char vnode_id_str[MAX_VNODE_ID_STR];
-  snprintf(vnode_id_str, MAX_VNODE_ID_STR, "%llu", vnode_id);
-
-  // Check to see if item is in cache
-  return_action = GetFromCache(vnode_id_str);
-
-  // If item wasn't in cache, fetch decision from daemon.
-  if (!CHECKBW_RESPONSE_VALID(return_action)) {
-    // Add pending request to cache
+  // Wait for the daemon to respond or die.
+  do {
+    // Add pending request to cache.
     AddToCache(vnode_id_str, ACTION_REQUEST_CHECKBW, 0);
 
-    // Get path
-    char path[MAX_PATH_LEN];
-    int name_len = MAX_PATH_LEN;
-    if (vn_getpath(vnode, path, &name_len) != 0) {
-      path[0] = '\0';
-    }
-
-    if (!ClientConnected()) {
-      LOGI("Execution request without daemon running: %s", path);
-      AddToCache(vnode_id_str,
-                 ACTION_RESPOND_CHECKBW_ALLOW,
-                 GetCurrentUptime());
-      return ACTION_RESPOND_CHECKBW_ALLOW;
-    }
-
-    // Prepare to send message to daemon
-    santa_message_t message;
-    strncpy(message.path, path, MAX_PATH_LEN);
-    message.userId = kauth_cred_getuid(credential);
-    message.pid = proc_selfpid();
-    message.ppid = proc_selfppid();
-    message.action = ACTION_REQUEST_CHECKBW;
-    message.vnode_id = vnode_id;
-
-    // Wait for the daemon to respond or die.
-    do {
-      // Send request to daemon...
-      if (!PostToQueue(message)) {
-        OSIncrementAtomic(&failed_queue_requests_);
-        if (failed_queue_requests_ > kMaxQueueFailures) {
-          LOGE("Failed to queue more than %d requests, killing daemon", kMaxQueueFailures);
-          proc_signal(owning_pid_, SIGKILL);
-        }
-        LOGE("Failed to queue request for %s.", path);
-        CacheCheck(vnode_id_str);
-        return ACTION_ERROR;
+    // Send request to daemon...
+    if (!PostToQueue(message)) {
+      OSIncrementAtomic(&failed_queue_requests_);
+      if (failed_queue_requests_ > kMaxQueueFailures) {
+        LOGE("Failed to queue more than %d requests, killing daemon",
+             kMaxQueueFailures);
+        proc_signal(client_pid_, SIGKILL);
+        client_pid_ = 0;
       }
-
-      // ... and wait for it to respond. If after kRequestLoopSleepMilliseconds
-      // * kMaxRequestLoops it still hasn't responded, send request again.
-      for (int i = 0; i < kMaxRequestLoops; ++i) {
-        IOSleep(kRequestLoopSleepMilliseconds);
-        return_action = GetFromCache(vnode_id_str);
-        if (CHECKBW_RESPONSE_VALID(return_action)) break;
-      }
-    } while (!CHECKBW_RESPONSE_VALID(return_action) &&
-             proc_exiting(owning_proc_) == 0);
-
-    // If response is still not valid, the daemon exited
-    if (!CHECKBW_RESPONSE_VALID(return_action)) {
-      LOGE("Daemon process did not respond correctly. Allowing executions "
-           "until it comes back.");
+      LOGE("Failed to queue request for %s.", message->path);
       CacheCheck(vnode_id_str);
       return ACTION_ERROR;
     }
+
+    do {
+      IOSleep(kRequestLoopSleepMilliseconds);
+      return_action = GetFromCache(vnode_id_str);
+    } while (return_action == ACTION_REQUEST_CHECKBW && ClientConnected());
+  } while (!CHECKBW_RESPONSE_VALID(return_action) && ClientConnected());
+
+  // If response is still not valid, the daemon exited
+  if (!CHECKBW_RESPONSE_VALID(return_action)) {
+    LOGE("Daemon process did not respond correctly. Allowing executions "
+         "until it comes back. Executable path: %s", message->path);
+    CacheCheck(vnode_id_str);
+    return ACTION_ERROR;
   }
 
   return return_action;
 }
 
-# pragma mark Misc
+santa_action_t SantaDecisionManager::FetchDecision(
+    const kauth_cred_t cred,
+    const vnode_t vp,
+    const uint64_t vnode_id,
+    const char *vnode_id_str) {
+  santa_action_t return_action = ACTION_UNSET;
+  if (!ClientConnected()) return ACTION_RESPOND_CHECKBW_ALLOW;
 
-uint64_t SantaDecisionManager::GetVnodeIDForVnode(const vfs_context_t context,
-                                                  const vnode_t vp) {
+  // Check to see if item is in cache
+  return_action = GetFromCache(vnode_id_str);
+
+  // If item was in cache return it.
+  if CHECKBW_RESPONSE_VALID(return_action) return return_action;
+
+  // Get path
+  char path[MAXPATHLEN];
+  int name_len = MAXPATHLEN;
+  if (vn_getpath(vp, path, &name_len) != 0) {
+    path[0] = '\0';
+  }
+
+  santa_message_t *message = NewMessage();
+  strlcpy(message->path, path, sizeof(message->path));
+  message->action = ACTION_REQUEST_CHECKBW;
+  message->vnode_id = vnode_id;
+  santa_action_t ret = GetFromDaemon(message, vnode_id_str);
+  delete message;
+  return ret;
+}
+
+#pragma mark Misc
+
+santa_message_t* SantaDecisionManager::NewMessage() {
+  santa_message_t *message = new santa_message_t;
+  message->uid = kauth_getuid();
+  message->gid = kauth_getgid();
+  message->pid = proc_selfpid();
+  message->ppid = proc_selfppid();
+  return message;
+}
+
+bool SantaDecisionManager::PostToQueue(santa_message_t *message) {
+  bool kr = false;
+  lck_mtx_lock(dataqueue_lock_);
+  kr = dataqueue_->enqueue(message, sizeof(santa_message_t));
+  if (!kr) {
+    // If enqueue failed, pop an item off the queue and try again.
+    uint32_t dataSize = sizeof(santa_message_t);
+    dataqueue_->dequeue(0, &dataSize);
+    kr = dataqueue_->enqueue(message, sizeof(santa_message_t));
+  }
+  lck_mtx_unlock(dataqueue_lock_);
+  return kr;
+}
+
+uint64_t SantaDecisionManager::GetVnodeIDForVnode(
+    const vfs_context_t ctx, const vnode_t vp) {
   struct vnode_attr vap;
   VATTR_INIT(&vap);
   VATTR_WANTED(&vap, va_fileid);
-  vnode_getattr(vp, &vap, context);
+  vnode_getattr(vp, &vap, ctx);
   return vap.va_fileid;
 }
 
@@ -336,7 +376,7 @@ uint64_t SantaDecisionManager::GetCurrentUptime() {
   return (uint64_t)((sec * 1000000) + usec);
 }
 
-# pragma mark Invocation Tracking & PID comparison
+#pragma mark Invocation Tracking & PID comparison
 
 void SantaDecisionManager::IncrementListenerInvocations() {
   OSIncrementAtomic(&listener_invocations_);
@@ -346,81 +386,153 @@ void SantaDecisionManager::DecrementListenerInvocations() {
   OSDecrementAtomic(&listener_invocations_);
 }
 
+int SantaDecisionManager::VnodeCallback(const kauth_cred_t cred,
+                                        const vfs_context_t ctx,
+                                        const vnode_t vp,
+                                        int *errno) {
+  // Only operate on regular files (not directories, symlinks, etc.).
+  if (vnode_vtype(vp) != VREG) return KAUTH_RESULT_DEFER;
+
+  // Get ID for the vnode and convert it to a string.
+  uint64_t vnode_id = GetVnodeIDForVnode(ctx, vp);
+  char vnode_str[MAX_VNODE_ID_STR];
+  snprintf(vnode_str, MAX_VNODE_ID_STR, "%llu", vnode_id);
+
+  // Fetch decision
+  santa_action_t returnedAction = FetchDecision(cred, vp, vnode_id, vnode_str);
+
+  // If file has dirty blocks, remove from cache and deny. This would usually
+  // be the case if a file has been written to and flushed but not yet
+  // closed.
+  if (vnode_hasdirtyblks(vp)) {
+    CacheCheck(vnode_str);
+    returnedAction = ACTION_RESPOND_CHECKBW_DENY;
+  }
+
+  switch (returnedAction) {
+    case ACTION_RESPOND_CHECKBW_ALLOW:
+      return KAUTH_RESULT_ALLOW;
+    case ACTION_RESPOND_CHECKBW_DENY:
+      *errno = EPERM;
+      return KAUTH_RESULT_DENY;
+    default:
+      // NOTE: Any unknown response or error condition causes us to fail open.
+      // Whilst from a security perspective this is bad, it's important that
+      // we don't break user's machines.
+      return KAUTH_RESULT_DEFER;
+  }
+}
+
+void SantaDecisionManager::FileOpCallback(
+    const kauth_action_t action, const vnode_t vp,
+    const char *path, const char *new_path) {
+  if (vp) {
+    vfs_context_t context = vfs_context_create(NULL);
+    uint64_t vnode_id = GetVnodeIDForVnode(context, vp);
+    vfs_context_rele(context);
+
+    if (action == KAUTH_FILEOP_CLOSE) {
+      char vnode_id_str[MAX_VNODE_ID_STR];
+      snprintf(vnode_id_str, MAX_VNODE_ID_STR, "%llu", vnode_id);
+      CacheCheck(vnode_id_str);
+    } else if (action == KAUTH_FILEOP_EXEC) {
+      santa_message_t *message = NewMessage();
+      message->vnode_id = vnode_id;
+      message->action = ACTION_NOTIFY_EXEC;
+      strlcpy(message->path, path, sizeof(message->path));
+      PostToQueue(message);
+      delete message;
+      return;
+    }
+  }
+
+  // Filter out modifications to locations that are not that useful.
+  if (ClientConnected() &&
+      !strprefix(path, "/private/tmp") &&
+      !strprefix(path, "/private/var/folders") &&
+      !strprefix(path, "/.") &&
+      !strprefix(path, "/dev")) {
+    santa_message_t *message = NewMessage();
+    strlcpy(message->path, path, sizeof(message->path));
+    if (new_path) strlcpy(message->newpath, new_path, sizeof(message->newpath));
+
+    switch (action) {
+      case KAUTH_FILEOP_CLOSE:
+        message->action = ACTION_NOTIFY_WRITE; break;
+      case KAUTH_FILEOP_RENAME:
+        message->action = ACTION_NOTIFY_RENAME; break;
+      case KAUTH_FILEOP_LINK:
+        message->action = ACTION_NOTIFY_LINK; break;
+      case KAUTH_FILEOP_EXCHANGE:
+        message->action = ACTION_NOTIFY_EXCHANGE; break;
+      case KAUTH_FILEOP_DELETE:
+        message->action = ACTION_NOTIFY_DELETE; break;
+      default: delete message; return;
+    }
+
+    PostToQueue(message);
+    delete message;
+  }
+}
+
 #undef super
 
-#pragma mark Kauth Callback
+#pragma mark Kauth Callbacks
+
+extern "C" int fileop_scope_callback(
+    kauth_cred_t credential, void *idata, kauth_action_t action,
+    uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3) {
+  SantaDecisionManager *sdm = OSDynamicCast(
+      SantaDecisionManager, reinterpret_cast<OSObject *>(idata));
+
+  vnode_t vp = NULL;
+  char *path = NULL;
+  char *new_path = NULL;
+
+  switch (action) {
+    case KAUTH_FILEOP_CLOSE:
+      if (!(arg2 & KAUTH_FILEOP_CLOSE_MODIFIED)) return KAUTH_RESULT_DEFER;
+      // Intentional fall-through
+    case KAUTH_FILEOP_DELETE:
+    case KAUTH_FILEOP_EXEC:
+      vp = reinterpret_cast<vnode_t>(arg0);
+      if (vp && vnode_vtype(vp) != VREG) return KAUTH_RESULT_DEFER;
+      path = reinterpret_cast<char *>(arg1);
+      break;
+    case KAUTH_FILEOP_RENAME:
+    case KAUTH_FILEOP_EXCHANGE:
+    case KAUTH_FILEOP_LINK:
+      path = reinterpret_cast<char *>(arg0);
+      new_path = reinterpret_cast<char *>(arg1);
+      break;
+    default:
+      return KAUTH_RESULT_DEFER;
+  }
+
+  sdm->IncrementListenerInvocations();
+  sdm->FileOpCallback(action, vp, path, new_path);
+  sdm->DecrementListenerInvocations();
+
+  return KAUTH_RESULT_DEFER;
+}
 
 extern "C" int vnode_scope_callback(
     kauth_cred_t credential, void *idata, kauth_action_t action,
     uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3) {
-  // The default action is to defer
-  int returnResult = KAUTH_RESULT_DEFER;
-
-  // Cast arguments to correct types
-  if (idata == NULL) {
-    LOGE("Vnode callback established without valid decision manager.");
-    return returnResult;
-  }
-  SantaDecisionManager *sdm = OSDynamicCast(
-      SantaDecisionManager, reinterpret_cast<OSObject *>(idata));
-  vfs_context_t vfs_context = reinterpret_cast<vfs_context_t>(arg0);
-  vnode_t vnode = reinterpret_cast<vnode_t>(arg1);
-
-  // Only operate on regular files (not directories, symlinks, etc.)
-  vtype vt = vnode_vtype(vnode);
-  if (vt != VREG) return returnResult;
-
-  // Don't operate on ACCESS events, as they're advisory
-  if (action & KAUTH_VNODE_ACCESS) return returnResult;
-
-  // Filter for only writes
-  if (action & KAUTH_VNODE_WRITE_DATA ||
-      action & KAUTH_VNODE_APPEND_DATA ||
-      action & KAUTH_VNODE_DELETE) {
-    char vnode_id_str[MAX_VNODE_ID_STR];
-    snprintf(vnode_id_str, MAX_VNODE_ID_STR, "%llu",
-             sdm->GetVnodeIDForVnode(vfs_context, vnode));
-
-    // If an execution request is pending, deny write
-    if (sdm->GetFromCache(vnode_id_str) == ACTION_REQUEST_CHECKBW) {
-      LOGD("Denying write due to pending execution: %s", vnode_id_str);
-      *(reinterpret_cast<int *>(arg3)) = EACCES;
-      return KAUTH_RESULT_DENY;
-    }
-
-    // Otherwise remove from cache
-    sdm->CacheCheck(vnode_id_str);
-
-    return returnResult;
+  if (action & KAUTH_VNODE_ACCESS ||
+      !(action & KAUTH_VNODE_EXECUTE) ||
+      idata == NULL) {
+    return KAUTH_RESULT_DEFER;
   }
 
-  // Filter for only EXECUTE actions
-  if (action & KAUTH_VNODE_EXECUTE) {
-    sdm->IncrementListenerInvocations();
+  SantaDecisionManager *sdm =
+      OSDynamicCast(SantaDecisionManager, reinterpret_cast<OSObject *>(idata));
 
-    // Fetch decision
-    santa_action_t returnedAction = sdm->FetchDecision(
-        credential, vfs_context, vnode);
-
-    switch (returnedAction) {
-      case ACTION_RESPOND_CHECKBW_ALLOW:
-        returnResult = KAUTH_RESULT_ALLOW;
-        break;
-      case ACTION_RESPOND_CHECKBW_DENY:
-        *(reinterpret_cast<int *>(arg3)) = EACCES;
-        returnResult = KAUTH_RESULT_DENY;
-        break;
-      default:
-        // NOTE: Any unknown response or error condition causes us to fail open.
-        // Whilst from a security perspective this is bad, it's important that
-        // we don't break user's machines.
-        break;
-    }
-
-    sdm->DecrementListenerInvocations();
-
-    return returnResult;
-  }
-
-  return returnResult;
+  sdm->IncrementListenerInvocations();
+  int result = sdm->VnodeCallback(credential,
+                                  reinterpret_cast<vfs_context_t>(arg0),
+                                  reinterpret_cast<vnode_t>(arg1),
+                                  reinterpret_cast<int *>(arg3));
+  sdm->DecrementListenerInvocations();
+  return result;
 }

Source/santa-driver/SantaDecisionManager.h

@@ -15,7 +15,9 @@
 #ifndef SANTA__SANTA_DRIVER__SANTADECISIONMANAGER_H
 #define SANTA__SANTA_DRIVER__SANTADECISIONMANAGER_H
 
+#include <IOKit/IODataQueueShared.h>
 #include <IOKit/IOLib.h>
+#include <IOKit/IOMemoryDescriptor.h>
 #include <IOKit/IOSharedDataQueue.h>
 #include <libkern/c++/OSDictionary.h>
 #include <sys/kauth.h>
@@ -26,40 +28,6 @@
 #include "SNTKernelCommon.h"
 #include "SNTLogging.h"
 
-///
-///  The maximum number of milliseconds a cached deny message should be
-///  considered valid.
-///
-const uint64_t kMaxDenyCacheTimeMilliseconds = 500;
-
-///
-///  The maximum number of milliseconds a cached allow message should be
-///  considered valid.
-///
-const uint64_t kMaxAllowCacheTimeMilliseconds = 1000 * 60 * 60 * 24;
-
-///
-///  While waiting for a response from the daemon, this is the number of
-///  milliseconds to sleep for before checking the cache for a response.
-///
-const int kRequestLoopSleepMilliseconds = 10;
-
-///
-///  While waiting for a response from the daemon, this is the maximum number
-///  of loops to wait before sending the request again.
-///
-const int kMaxRequestLoops = 50;
-
-///
-///  Maximum number of entries in the in-kernel cache.
-///
-const int kMaxCacheSize = 10000;
-
-///
-///  Maximum number of PostToQueue failures to allow.
-///
-const int kMaxQueueFailures = 10;
-
 ///
 ///  SantaDecisionManager is responsible for intercepting Vnode execute actions
 ///  and responding to the request appropriately.
@@ -73,33 +41,37 @@ class SantaDecisionManager : public OSObject {
  public:
   ///  Used for initialization after instantiation. Required because
   ///  constructors cannot throw inside kernel-space.
-  bool init();
+  bool init() override;
 
   ///  Called automatically when retain count drops to 0.
-  void free();
+  void free() override;
+
+  ///  Called by SantaDriverClient during connection to provide the shared
+  ///  dataqueue memory to the client.
+  IOMemoryDescriptor *GetMemoryDescriptor();
 
   ///  Called by SantaDriverClient when a client connects, providing the data
   ///  queue used to pass messages and the pid of the client process.
-  void ConnectClient(IOSharedDataQueue *queue, pid_t pid);
+  void ConnectClient(mach_port_t port, pid_t pid);
 
   ///  Called by SantaDriverClient when a client disconnects
-  void DisconnectClient();
+  void DisconnectClient(bool itDied = false);
 
   ///  Returns whether a client is currently connected or not.
   bool ClientConnected();
 
-  ///  Starts the kauth listener.
+  ///  Starts the kauth listeners.
   kern_return_t StartListener();
 
-  ///  Stops the kauth listener. After stopping new callback requests,
+  ///  Stops the kauth listeners. After stopping new callback requests,
   ///  waits until all current invocations have finished before clearing the
   ///  cache and returning.
   kern_return_t StopListener();
-  
+
   ///  Adds a decision to the cache, with a timestamp.
   void AddToCache(const char *identifier,
                   const santa_action_t decision,
-                  const uint64_t microsecs);
+                  const uint64_t microsecs = GetCurrentUptime());
 
   ///  Checks to see if a given identifier is in the cache and removes it.
   void CacheCheck(const char *identifier);
@@ -110,37 +82,123 @@ class SantaDecisionManager : public OSObject {
   ///  Clears the cache.
   void ClearCache();
 
-  ///  Fetches a response from the cache, first checking to see if the
-  ///  entry has expired.
-  santa_action_t GetFromCache(const char *identifier);
-
-  ///  Posts the requested message to the client data queue, if there is one.
-  ///  Uses dataqueue_lock_ to ensure two threads don't try to write to the
-  ///  queue at the same time.
-  bool PostToQueue(santa_message_t);
-
-  ///  Fetches an execution decision for a file, first using the cache and then
-  ///  by sending a message to the daemon and waiting until a response arrives.
-  ///  If a daemon isn't connected, will allow execution and cache, logging
-  ///  the path to the executed file.
-  santa_action_t FetchDecision(const kauth_cred_t credential,
-                               const vfs_context_t vfs_context,
-                               const vnode_t vnode);
-
-  ///  Fetches the vnode_id for a given vnode.
-  uint64_t GetVnodeIDForVnode(const vfs_context_t context, const vnode_t vp);
-
-  ///  Returns the current system uptime in microseconds
-  uint64_t GetCurrentUptime();
-
   ///  Increments the count of active vnode callback's pending.
   void IncrementListenerInvocations();
 
   ///  Decrements the count of active vnode callback's pending.
   void DecrementListenerInvocations();
 
+  ///
+  ///  Vnode Callback
+  ///  @param cred The kauth credential for this request.
+  ///  @param ctx The VFS context for this request.
+  ///  @param vp The Vnode for this request.
+  ///  @param errno A pointer to return an errno style error.
+  ///  @return int A valid KAUTH_RESULT_*.
+  ///
+  int VnodeCallback(const kauth_cred_t cred, const vfs_context_t ctx,
+                    const vnode_t vp, int *errno);
+  ///
+  ///  FileOp Callback
+  ///  @param vp The Vnode for this request.
+  ///
+  void FileOpCallback(kauth_action_t action, const vnode_t vp, const char *path, const char *new_path);
+
+ protected:
+  ///
+  ///  The maximum number of milliseconds a cached deny message should be
+  ///  considered valid.
+  ///
+  const uint64_t kMaxDenyCacheTimeMilliseconds = 500;
+
+  ///
+  ///  The maximum number of milliseconds a cached allow message should be
+  ///  considered valid.
+  ///
+  const uint64_t kMaxAllowCacheTimeMilliseconds = 1000 * 60 * 60 * 24;
+
+  ///
+  ///  While waiting for a response from the daemon, this is the number of
+  ///  milliseconds to sleep for before checking the cache for a response.
+  ///
+  const int kRequestLoopSleepMilliseconds = 10;
+
+  ///
+  ///  Maximum number of entries in the in-kernel cache.
+  ///
+  const int kMaxCacheSize = 10000;
+
+  ///
+  ///  Maximum number of PostToQueue failures to allow.
+  ///
+  const int kMaxQueueFailures = 10;
+
+  ///
+  ///  The maximum number of messages can be kept in
+  ///  the IODataQueue at any time.
+  ///
+  const int kMaxQueueEvents = 512;
+
+  ///  Fetches a response from the cache, first checking to see if the
+  ///  entry has expired.
+  santa_action_t GetFromCache(const char *identifier);
+
+  ///  Fetches a response from the daemon. Handles both daemon death
+  ///  and failure to post messages to the daemon.
+  ///
+  ///  @param message The message to send to the daemon
+  ///  @param identifier The vnode ID string for this request
+  ///  @return santa_action_t The response for this request
+  ///
+  santa_action_t GetFromDaemon(santa_message_t *message,
+                               const char *identifier);
+
+  ///
+  ///  Fetches an execution decision for a file, first using the cache and then
+  ///  by sending a message to the daemon and waiting until a response arrives.
+  ///  If a daemon isn't connected, will allow execution and cache, logging
+  ///  the path to the executed file.
+  ///
+  ///  @param cred The credential for this request.
+  ///  @param vp The Vnode for this request.
+  ///  @param vnode_id The ID for this vnode.
+  ///  @param vnode_id_str A string representation of the above ID.
+  ///
+  santa_action_t FetchDecision(const kauth_cred_t cred,
+                               const vnode_t vp,
+                               const uint64_t vnode_id,
+                               const char *vnode_id_str);
+
+  ///
+  ///  Posts the requested message to the client data queue.
+  ///
+  ///  @param message The message to send
+  ///  @return bool true if sending was successful.
+  ///
+  bool PostToQueue(santa_message_t *message);
+
+  ///
+  ///  Fetches the vnode_id for a given vnode.
+  ///
+  ///  @param ctx The VFS context to use.
+  ///  @param vp The Vnode to get the ID for
+  ///  @return uint64_t The Vnode ID as a 64-bit unsigned int.
+  ///
+  uint64_t GetVnodeIDForVnode(const vfs_context_t ctx, const vnode_t vp);
+
+  ///
+  ///  Creates a new santa_message_t with some fields pre-filled.
+  ///
+  santa_message_t* NewMessage();
+
+  ///  Returns the current system uptime in microseconds
+  static uint64_t GetCurrentUptime();
+
  private:
   lck_grp_t *sdm_lock_grp_;
+  lck_grp_attr_t *sdm_lock_grp_attr_;
+
+  lck_attr_t *sdm_lock_attr_;
   lck_rw_t *cached_decisions_lock_;
   lck_mtx_t *dataqueue_lock_;
 
@@ -151,10 +209,10 @@ class SantaDecisionManager : public OSObject {
 
   SInt32 listener_invocations_;
 
-  pid_t owning_pid_;
-  proc_t owning_proc_;
+  pid_t client_pid_;
 
   kauth_listener_t vnode_listener_;
+  kauth_listener_t fileop_listener_;
 };
 
 ///
@@ -171,4 +229,19 @@ extern "C" int vnode_scope_callback(
     kauth_cred_t credential, void *idata, kauth_action_t action,
     uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3);
 
+///
+///  The kauth callback function for the FileOp scope
+///  @param actor's credentials
+///  @param data that was passed when the listener was registered
+///  @param action that was requested
+///  @param depends on action, usually the vnode ref.
+///  @param depends on action.
+///  @param depends on action, usually 0.
+///  @param depends on action, usually 0.
+///
+extern "C" int fileop_scope_callback(
+    kauth_cred_t credential, void *idata, kauth_action_t action,
+    uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3);
+
+
 #endif  // SANTA__SANTA_DRIVER__SANTADECISIONMANAGER_H

Source/santa-driver/SantaDriver.cc

@@ -24,8 +24,12 @@ bool SantaDriver::start(IOService *provider) {
   if (!super::start(provider)) return false;
 
   santaDecisionManager = new SantaDecisionManager;
-  santaDecisionManager->init();
-  santaDecisionManager->StartListener();
+  if (!santaDecisionManager->init() ||
+      santaDecisionManager->StartListener() != kIOReturnSuccess) {
+    santaDecisionManager->release();
+    santaDecisionManager = NULL;
+    return false;
+  }
 
   registerService();
 
@@ -44,7 +48,7 @@ void SantaDriver::stop(IOService *provider) {
   super::stop(provider);
 }
 
-SantaDecisionManager* SantaDriver::GetDecisionManager() {
+SantaDecisionManager *SantaDriver::GetDecisionManager() {
   return santaDecisionManager;
 }
 

Source/santa-driver/SantaDriver.h

@@ -31,17 +31,16 @@ class com_google_SantaDriver : public IOService {
 
  public:
   ///  Called by the kernel when the kext is loaded
-  bool start(IOService *provider);
+  bool start(IOService *provider) override;
 
   ///  Called by the kernel when the kext is unloaded
-  void stop(IOService *provider);
+  void stop(IOService *provider) override;
 
   ///  Returns a pointer to the SantaDecisionManager created in start().
-  SantaDecisionManager* GetDecisionManager();
+  SantaDecisionManager *GetDecisionManager();
 
  private:
   SantaDecisionManager *santaDecisionManager;
-
 };
 
 #endif  // SANTA__SANTA_DRIVER__SANTADRIVER_H

Source/santa-driver/SantaDriverClient.cc

@@ -36,77 +36,58 @@ bool SantaDriverClient::initWithTask(
 }
 
 bool SantaDriverClient::start(IOService *provider) {
-  fProvider = OSDynamicCast(com_google_SantaDriver, provider);
+  myProvider = OSDynamicCast(com_google_SantaDriver, provider);
 
-  if (!fProvider) return false;
+  if (!myProvider) return false;
   if (!super::start(provider)) return false;
 
-  fSDM = fProvider->GetDecisionManager();
-
-  if (!fSDM) return false;
+  decisionManager = myProvider->GetDecisionManager();
+  if (!decisionManager) return false;
 
   return true;
 }
 
 void SantaDriverClient::stop(IOService *provider) {
   super::stop(provider);
-  fProvider = NULL;
+  myProvider = NULL;
+  decisionManager = NULL;
 }
 
 IOReturn SantaDriverClient::clientClose() {
-  terminate(kIOServiceSynchronous);
-  return kIOReturnSuccess;
+  decisionManager->DisconnectClient(true);
+  return terminate(kIOServiceSynchronous) ? kIOReturnSuccess : kIOReturnError;
 }
 
 bool SantaDriverClient::terminate(IOOptionBits options) {
-  fSDM->DisconnectClient();
+  decisionManager->DisconnectClient();
   LOGI("Client disconnected.");
 
-  if (fSharedMemory) {
-    fSharedMemory->release();
-    fSharedMemory = NULL;
-  }
-
-  if (fDataQueue) {
-    fDataQueue->release();
-    fDataQueue = NULL;
-  }
-
-  if (fProvider && fProvider->isOpen(this)) fProvider->close(this);
+  if (myProvider && myProvider->isOpen(this)) myProvider->close(this);
 
   return super::terminate(options);
 }
 
 #pragma mark Fetching memory and data queue notifications
 
-IOReturn SantaDriverClient::registerNotificationPort(mach_port_t port,
-                                                     UInt32 type,
-                                                     UInt32 ref) {
-  if ((!fDataQueue) || (port == MACH_PORT_NULL)) return kIOReturnError;
+IOReturn SantaDriverClient::registerNotificationPort(
+    mach_port_t port, UInt32 type, UInt32 ref) {
+  if (port == MACH_PORT_NULL) return kIOReturnError;
 
-  fDataQueue->setNotificationPort(port);
+  decisionManager->ConnectClient(port, proc_selfpid());
+  LOGI("Client connected, PID: %d.", proc_selfpid());
 
   return kIOReturnSuccess;
 }
 
-IOReturn SantaDriverClient::clientMemoryForType(UInt32 type,
-                                                IOOptionBits *options,
-                                                IOMemoryDescriptor **memory) {
-  *memory = NULL;
+IOReturn SantaDriverClient::clientMemoryForType(
+    UInt32 type, IOOptionBits *options, IOMemoryDescriptor **memory) {
+  if (type != kIODefaultMemoryType) return kIOReturnNoMemory;
+
   *options = 0;
+  *memory = decisionManager->GetMemoryDescriptor();
+  (*memory)->retain();
 
-  if (type == kIODefaultMemoryType) {
-    if (!fSharedMemory) return kIOReturnNoMemory;
-    fSharedMemory->retain();  // client will decrement this ref
-    *memory = fSharedMemory;
-
-    fSDM->ConnectClient(fDataQueue, proc_selfpid());
-    LOGI("Client connected, PID: %d.", proc_selfpid());
-
-    return kIOReturnSuccess;
-  }
-
-  return kIOReturnNoMemory;
+  return kIOReturnSuccess;
 }
 
 #pragma mark Callable Methods
@@ -114,23 +95,11 @@ IOReturn SantaDriverClient::clientMemoryForType(UInt32 type,
 IOReturn SantaDriverClient::open() {
   if (isInactive()) return kIOReturnNotAttached;
 
-  if (!fProvider->open(this)) {
+  if (!myProvider->open(this)) {
     LOGW("A second client tried to connect.");
     return kIOReturnExclusiveAccess;
   }
 
-  fDataQueue = IOSharedDataQueue::withCapacity((sizeof(santa_message_t) +
-                                                DATA_QUEUE_ENTRY_HEADER_SIZE)
-                                                * kMaxQueueEvents);
-  if (!fDataQueue) return kIOReturnNoMemory;
-
-  fSharedMemory = fDataQueue->getMemoryDescriptor();
-  if (!fSharedMemory) {
-    fDataQueue->release();
-    fDataQueue = NULL;
-    return kIOReturnVMError;
-  }
-
   return kIOReturnSuccess;
 }
 
@@ -145,9 +114,7 @@ IOReturn SantaDriverClient::static_open(
 IOReturn SantaDriverClient::allow_binary(const uint64_t vnode_id) {
   char vnode_id_str[21];
   snprintf(vnode_id_str, sizeof(vnode_id_str), "%llu", vnode_id);
-  fSDM->AddToCache(vnode_id_str,
-                   ACTION_RESPOND_CHECKBW_ALLOW,
-                   fSDM->GetCurrentUptime());
+  decisionManager->AddToCache(vnode_id_str, ACTION_RESPOND_CHECKBW_ALLOW);
 
   return kIOReturnSuccess;
 }
@@ -157,16 +124,16 @@ IOReturn SantaDriverClient::static_allow_binary(
     void *reference,
     IOExternalMethodArguments *arguments) {
   if (!target) return kIOReturnBadArgument;
+  if (arguments->scalarInput == NULL) return kIOReturnBadArgument;
+
   return target->allow_binary(
-      *(static_cast<const uint64_t *>(arguments->scalarInput)));
+      static_cast<const uint64_t>(*arguments->scalarInput));
 }
 
 IOReturn SantaDriverClient::deny_binary(const uint64_t vnode_id) {
   char vnode_id_str[21];
   snprintf(vnode_id_str, sizeof(vnode_id_str), "%llu", vnode_id);
-  fSDM->AddToCache(vnode_id_str,
-                   ACTION_RESPOND_CHECKBW_DENY,
-                   fSDM->GetCurrentUptime());
+  decisionManager->AddToCache(vnode_id_str, ACTION_RESPOND_CHECKBW_DENY);
 
   return kIOReturnSuccess;
 }
@@ -176,12 +143,14 @@ IOReturn SantaDriverClient::static_deny_binary(
     void *reference,
     IOExternalMethodArguments *arguments) {
   if (!target) return kIOReturnBadArgument;
+  if (arguments->scalarInput == NULL) return kIOReturnBadArgument;
+
   return target->deny_binary(
-      *(static_cast<const uint64_t *>(arguments->scalarInput)));
+      static_cast<const uint64_t>(*arguments->scalarInput));
 }
 
 IOReturn SantaDriverClient::clear_cache() {
-  fSDM->ClearCache();
+  decisionManager->ClearCache();
   return kIOReturnSuccess;
 }
 
@@ -194,7 +163,7 @@ IOReturn SantaDriverClient::static_clear_cache(
 }
 
 IOReturn SantaDriverClient::cache_count(uint64_t *output) {
-  *output = fSDM->CacheCount();
+  *output = decisionManager->CacheCount();
   return kIOReturnSuccess;
 }
 

Source/santa-driver/SantaDriverClient.h

@@ -16,9 +16,6 @@
 #define SANTA__SANTA_DRIVER__SANTADRIVERUSERCLIENT_H
 
 #include <IOKit/IOUserClient.h>
-#include <IOKit/IOSharedDataQueue.h>
-#include <IOKit/IOLib.h>
-#include <IOKit/IODataQueueShared.h>
 #include <sys/kauth.h>
 #include <sys/vnode.h>
 #include <sys/proc.h>
@@ -28,9 +25,6 @@
 #include "SantaMessage.h"
 #include "SNTKernelCommon.h"
 
-// The maximum number of messages can be kept in the IODataQueue at any time.
-const int kMaxQueueEvents = 256;
-
 ///
 ///  This class is instantiated by IOKit when a new client process attempts to
 ///  connect to the driver. Starting, stopping, handling connections, allocating
@@ -39,33 +33,34 @@ const int kMaxQueueEvents = 256;
 ///  Documentation on how the IOUserClient parts of this code work can be found
 ///  here:
 ///  https://developer.apple.com/library/mac/samplecode/SimpleUserClient/Listings/User_Client_Info_txt.html
+///  https://developer.apple.com/library/mac/documentation/DeviceDrivers/Conceptual/WritingDeviceDriver/WritingDeviceDriver.pdf
 ///
 class com_google_SantaDriverClient : public IOUserClient {
   OSDeclareDefaultStructors(com_google_SantaDriverClient);
 
  public:
   ///  Called as part of IOServiceOpen in clients
-  bool initWithTask(task_t owningTask, void *securityID, UInt32 type);
+  bool initWithTask(task_t owningTask, void *securityID, UInt32 type) override;
 
   ///  Called after initWithTask as part of IOServiceOpen
-  bool start(IOService *provider);
+  bool start(IOService *provider) override;
 
   ///  Called when this class is stopping
-  void stop(IOService *provider);
+  void stop(IOService *provider) override;
 
   ///  Called when a client disconnects
-  IOReturn clientClose();
+  IOReturn clientClose() override;
 
   ///  Called when the driver is shutting down
-  bool terminate(IOOptionBits options);
+  bool terminate(IOOptionBits options) override;
 
   ///  Called in clients with IOConnectSetNotificationPort
   IOReturn registerNotificationPort(
-      mach_port_t port, UInt32 type, UInt32 refCon);
+      mach_port_t port, UInt32 type, UInt32 refCon) override;
 
   ///  Called in clients with IOConnectMapMemory
   IOReturn clientMemoryForType(
-      UInt32 type, IOOptionBits *options, IOMemoryDescriptor **memory);
+      UInt32 type, IOOptionBits *options, IOMemoryDescriptor **memory) override;
 
   ///  Called in clients with IOConnectCallScalarMethod etc. Dispatches
   ///  to the requested selector using the SantaDriverMethods enum in
@@ -74,7 +69,7 @@ class com_google_SantaDriverClient : public IOUserClient {
       UInt32 selector,
       IOExternalMethodArguments *arguments,
       IOExternalMethodDispatch *dispatch,
-      OSObject *target, void *reference);
+      OSObject *target, void *reference) override;
 
   ///
   ///  The userpsace callable methods are below. Each method corresponds
@@ -118,10 +113,8 @@ class com_google_SantaDriverClient : public IOUserClient {
       IOExternalMethodArguments *arguments);
 
  private:
-  IOSharedDataQueue *fDataQueue;
-  IOMemoryDescriptor *fSharedMemory;
-  com_google_SantaDriver *fProvider;
-  SantaDecisionManager *fSDM;
+  com_google_SantaDriver *myProvider;
+  SantaDecisionManager *decisionManager;
 };
 
 #endif  // SANTA__SANTA_DRIVER__SANTADRIVERUSERCLIENT_H

Source/santa-driver/SantaMessage.cc

@@ -24,8 +24,8 @@ santa_action_t SantaMessage::getAction() const {
   return action_;
 }
 
-void SantaMessage::setAction(const santa_action_t action,
-                             const uint64_t microsecs) {
+void SantaMessage::setAction(
+    const santa_action_t action, const uint64_t microsecs) {
   action_ = action;
   microsecs_ = microsecs;
 }

Source/santactl/SNTCommandController.m

@@ -36,7 +36,7 @@ static NSMutableDictionary *registeredCommands;
 
   int longestCommandName = 0;
   for (NSString *cmdName in registeredCommands) {
-    if ([cmdName length] > longestCommandName) {
+    if ((int)[cmdName length] > longestCommandName) {
       longestCommandName = (int)[cmdName length];
     }
   }

Source/santactl/binaryinfo/SNTCommandBinaryInfo.m

@@ -25,7 +25,7 @@
 
 @implementation SNTCommandBinaryInfo
 
-REGISTER_COMMAND_NAME(@"binaryinfo");
+REGISTER_COMMAND_NAME(@"binaryinfo")
 
 + (BOOL)requiresRoot {
   return NO;
@@ -55,26 +55,33 @@ REGISTER_COMMAND_NAME(@"binaryinfo");
 
   SNTFileInfo *fileInfo = [[SNTFileInfo alloc] initWithPath:filePath];
   if (!fileInfo) {
-    printf("Invalid file\n");
+    printf("Invalid or empty file\n");
     exit(1);
   }
 
-  printf("%-12s: %s\n", "Path", [[fileInfo path] UTF8String]);
-  printf("%-12s: %s\n", "SHA-256", [[fileInfo SHA256] UTF8String]);
-  printf("%-12s: %s\n", "SHA-1", [[fileInfo SHA1] UTF8String]);
+  printf("%-19s: %s\n", "Path", [[fileInfo path] UTF8String]);
+  printf("%-19s: %s\n", "SHA-256", [[fileInfo SHA256] UTF8String]);
+  printf("%-19s: %s\n", "SHA-1", [[fileInfo SHA1] UTF8String]);
+  printf("%-19s: %s\n", "Bundle Name", [[fileInfo bundleName] UTF8String]);
+  printf("%-19s: %s\n", "Bundle Version", [[fileInfo bundleVersion] UTF8String]);
+  printf("%-19s: %s\n", "Bundle Version Str", [[fileInfo bundleShortVersionString] UTF8String]);
 
   NSArray *archs = [fileInfo architectures];
   if (archs) {
-    printf("%-12s: %s (%s)\n", "Type",
+    printf("%-19s: %s (%s)\n", "Type",
            [[fileInfo machoType] UTF8String],
            [[archs componentsJoinedByString:@", "] UTF8String]);
   } else {
-    printf("%-12s: %s\n", "Type", [[fileInfo machoType] UTF8String]);
+    printf("%-19s: %s\n", "Type", [[fileInfo machoType] UTF8String]);
+  }
+
+  if ([fileInfo isMissingPageZero]) {
+    printf("%-19s: %s\n", "Page Zero", "__PAGEZERO segment missing/bad!");
   }
 
   SNTCodesignChecker *csc = [[SNTCodesignChecker alloc] initWithBinaryPath:filePath];
 
-  printf("%-12s: %s\n", "Code-signed", (csc) ? "Yes" : "No");
+  printf("%-19s: %s\n", "Code-signed", (csc) ? "Yes" : "No");
 
   if (csc) {
     printf("Signing chain:\n");

Source/santactl/flushcache/SNTCommandFlushCache.m

@@ -23,7 +23,7 @@
 
 @implementation SNTCommandFlushCache
 
-REGISTER_COMMAND_NAME(@"flushcache");
+REGISTER_COMMAND_NAME(@"flushcache")
 
 + (BOOL)requiresRoot {
   return YES;

Source/santactl/rule/SNTCommandRule.m

@@ -32,7 +32,7 @@
 
 @implementation SNTCommandRule
 
-REGISTER_COMMAND_NAME(@"rule");
+REGISTER_COMMAND_NAME(@"rule")
 
 + (BOOL)requiresRoot {
   return YES;
@@ -56,46 +56,50 @@ REGISTER_COMMAND_NAME(@"rule");
           @"  --sha256 {sha256}: hash to add\n");
 }
 
++ (void)printErrorUsageAndExit:(NSString *)error {
+  printf("%s\n\n", [error UTF8String]);
+  printf("%s\n", [[self longHelpText] UTF8String]);
+  exit(1);
+}
+
 + (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
   SNTConfigurator *config = [SNTConfigurator configurator];
-  
+
   // Ensure we have no privileges
   if (!DropRootPrivileges()) {
     printf("Failed to drop root privileges.\n");
     exit(1);
   }
-  
+
   if ([config syncBaseURL] != nil) {
     printf("SyncBaseURL is set, rules are managed centrally.\n");
     exit(1);
   }
-  
+
   NSString *action = [arguments firstObject];
-  
+
   // add or remove
   if (!action) {
-    printf("Missing action - add or remove?\n");
-    exit(1);
+    [self printErrorUsageAndExit:@"Missing action"];
   }
 
   int state = RULESTATE_UNKNOWN;
-  
+
   if ([action compare:@"add" options:NSCaseInsensitiveSearch] == NSOrderedSame) {
   } else if ([action compare:@"remove" options:NSCaseInsensitiveSearch] == NSOrderedSame) {
     state = RULESTATE_REMOVE;
   } else {
-    printf("Unknown action, expected add or remove.\n");
-    exit(1);
+    [self printErrorUsageAndExit:@"Unknown action"];
   }
-  
+
   NSString *customMsg = @"";
   NSString *SHA256 = nil;
   NSString *filePath = nil;
-  
+
   // parse arguments
-  for (int i=1; i < [arguments count] ; i++ ) {
+  for (NSUInteger i = 1; i < [arguments count] ; i++ ) {
     NSString* argument = [arguments objectAtIndex:i];
-    
+
     if ([argument compare:@"--whitelist" options:NSCaseInsensitiveSearch] == NSOrderedSame) {
       state = RULESTATE_WHITELIST;
     } else if ([argument compare:@"--blacklist" options:NSCaseInsensitiveSearch] == NSOrderedSame) {
@@ -103,54 +107,50 @@ REGISTER_COMMAND_NAME(@"rule");
     } else if ([argument compare:@"--silent-blacklist" options:NSCaseInsensitiveSearch] == NSOrderedSame) {
       state = RULESTATE_SILENT_BLACKLIST;
     } else if ([argument compare:@"--message" options:NSCaseInsensitiveSearch] == NSOrderedSame) {
-      if (++i > ([arguments count])) {
-        printf("No message specified.\n");
+      if (++i > arguments.count - 1) {
+        [self printErrorUsageAndExit:@"No message specified"];
       }
-      
+
       customMsg = [arguments objectAtIndex:i];
     } else if ([argument compare:@"--path" options:NSCaseInsensitiveSearch] == NSOrderedSame) {
-      if (++i > ([arguments count])) {
-        printf("No path specified.\n");
+      if (++i > arguments.count - 1) {
+        [self printErrorUsageAndExit:@"No path specified"];
       }
-      
+
       filePath = [arguments objectAtIndex:i];
     } else if ([argument compare:@"--sha256" options:NSCaseInsensitiveSearch] == NSOrderedSame) {
-      if (++i > ([arguments count])) {
-        printf("No SHA-256 specified.\n");
+      if (++i > arguments.count - 1) {
+        [self printErrorUsageAndExit:@"No SHA-256 specified"];
       }
-      
+
       SHA256 = [arguments objectAtIndex:i];
     } else {
-      printf("Unknown argument %s.\n", [argument UTF8String]);
-      exit(1);
+      [self printErrorUsageAndExit:[@"Unknown argument: %@" stringByAppendingString:argument]];
     }
   }
-  
+
   if (state == RULESTATE_UNKNOWN) {
-    printf("No state specified.\n");
-    exit(1);
+    [self printErrorUsageAndExit:@"No state specified"];
   }
-  
+
   if (filePath) {
     SNTFileInfo *fileInfo = [[SNTFileInfo alloc] initWithPath:filePath];
     if (!fileInfo) {
-      printf("Not a regular file or executable bundle.\n");
-      exit(1);
+      [self printErrorUsageAndExit:@"Provided path is not a regular file or executable bundle"];
     }
 
     SHA256 = [fileInfo SHA256];
   } else if (SHA256) {
   } else {
-    printf("No SHA-256 or binary specified.\n");
-    exit(1);
+    [self printErrorUsageAndExit:@"Either SHA-256 or path to file must be specified"];
   }
-  
+
   SNTRule *newRule = [[SNTRule alloc] init];
   newRule.shasum = SHA256;
   newRule.state = state;
   newRule.type = RULETYPE_BINARY;
   newRule.customMsg = customMsg;
-  
+
   [[daemonConn remoteObjectProxy] databaseRuleAddRule:newRule cleanSlate:NO reply:^{
       if (state == RULESTATE_REMOVE) {
         printf("Removed rule for SHA-256: %s.\n", [newRule.shasum UTF8String]);
@@ -159,7 +159,6 @@ REGISTER_COMMAND_NAME(@"rule");
       }
       exit(0);
   }];
-
 }
 
 @end

Source/santactl/status/SNTCommandStatus.m

@@ -22,7 +22,7 @@
 
 @implementation SNTCommandStatus
 
-REGISTER_COMMAND_NAME(@"status");
+REGISTER_COMMAND_NAME(@"status")
 
 + (BOOL)requiresRoot {
   return NO;
@@ -58,8 +58,8 @@ REGISTER_COMMAND_NAME(@"status");
   printf("  %-25s | %s\n", "Mode", [clientMode UTF8String]);
 
   // Kext status
-  __block uint64_t cacheCount = -1;
-  [[daemonConn remoteObjectProxy] cacheCount:^(uint64_t count) {
+  __block int64_t cacheCount = -1;
+  [[daemonConn remoteObjectProxy] cacheCount:^(int64_t count) {
       cacheCount = count;
   }];
   do { usleep(5000); } while (cacheCount == -1);
@@ -67,12 +67,12 @@ REGISTER_COMMAND_NAME(@"status");
   printf("  %-25s | %lld\n", "Kernel cache count", cacheCount);
 
   // Database counts
-  __block uint64_t eventCount = 1, binaryRuleCount = -1, certRuleCount = -1;
-  [[daemonConn remoteObjectProxy] databaseRuleCounts:^(uint64_t binary, uint64_t certificate) {
+  __block int64_t eventCount = -1, binaryRuleCount = -1, certRuleCount = -1;
+  [[daemonConn remoteObjectProxy] databaseRuleCounts:^(int64_t binary, int64_t certificate) {
       binaryRuleCount = binary;
       certRuleCount = certificate;
   }];
-  [[daemonConn remoteObjectProxy] databaseEventCount:^(uint64_t count) {
+  [[daemonConn remoteObjectProxy] databaseEventCount:^(int64_t count) {
       eventCount = count;
   }];
   do { usleep(5000); } while (eventCount == -1 || binaryRuleCount == -1 || certRuleCount == -1);

Source/santactl/sync/NSData+Zlib.m

@@ -14,7 +14,7 @@
 
 #import "NSData+Zlib.h"
 
-#import <zlib.h>
+#include <zlib.h>
 
 @implementation NSData (Zlib)
 
@@ -29,7 +29,7 @@
     stream.total_out = 0;
     stream.avail_out = 0;
 
-    int chunkSize = 16384;
+    NSUInteger chunkSize = 16384;
 
     int windowSize = 15;
     if (includeHeader) {
@@ -63,4 +63,4 @@
   return [self compressIncludingGzipHeader:YES];
 }
 
-@end
+@end

Source/santactl/sync/SNTAuthenticatingURLSession.h

@@ -27,7 +27,7 @@
 ///  If set, this is the user-agent to send with requests, otherwise remains the default
 ///  CFNetwork-based name.
 ///
-@property(nonatomic) NSString *userAgent;
+@property(copy, nonatomic) NSString *userAgent;
 
 ///
 ///  If set to YES, this session refuses redirect requests. Defaults to NO.
@@ -38,24 +38,24 @@
 ///  If set, the server that we connect to _must_ match this string. Redirects to other
 ///  hosts will not be allowed.
 ///
-@property(nonatomic) NSString *serverHostname;
+@property(copy, nonatomic) NSString *serverHostname;
 
 ///
 ///  This should be PEM data containing one or more certificates to use to verify the server's
 ///  certificate chain. This will override the trusted roots in the System Roots.
 ///
-@property(nonatomic) NSData *serverRootsPemData;
+@property(copy, nonatomic) NSData *serverRootsPemData;
 
 ///
 ///  If set and client certificate authentication is needed, the pkcs#12 file will be loaded
 ///
-@property(nonatomic) NSString *clientCertFile;
+@property(copy, nonatomic) NSString *clientCertFile;
 
 ///
 ///  If set and client certificate authentication is needed, the password being used for
 ///  loading the clientCertFile
 ///
-@property(nonatomic) NSString *clientCertPassword;
+@property(copy, nonatomic) NSString *clientCertPassword;
 
 ///
 ///  If set and client certificate authentication is needed, will search the keychain for a
@@ -65,7 +65,7 @@
 ///  @note If this property is not set and neither is |clientCertIssuerCn|, the allowed issuers
 ///  provided by the server will be used to find a matching certificate.
 ///
-@property(nonatomic) NSString *clientCertCommonName;
+@property(copy, nonatomic) NSString *clientCertCommonName;
 
 ///
 ///  If set and client certificate authentication is needed, will search the keychain for a
@@ -76,7 +76,7 @@
 ///  @note If this property is not set and neither is |clientCertCommonName|, the allowed issuers
 ///      provided by the server will be used to find a matching certificate.
 ///
-@property(nonatomic) NSString *clientCertIssuerCn;
+@property(copy, nonatomic) NSString *clientCertIssuerCn;
 
 /// Designated initializer
 - (instancetype)initWithSessionConfiguration:(NSURLSessionConfiguration *)configuration;

Source/santactl/sync/SNTAuthenticatingURLSession.m

@@ -31,7 +31,7 @@
 }
 
 - (instancetype)init {
-  NSURLSessionConfiguration *config = [NSURLSessionConfiguration defaultSessionConfiguration];
+  NSURLSessionConfiguration *config = [NSURLSessionConfiguration ephemeralSessionConfiguration];
   [config setTLSMinimumSupportedProtocol:kTLSProtocol12];
   [config setHTTPShouldUsePipelining:YES];
   return [self initWithSessionConfiguration:config];
@@ -58,24 +58,24 @@
   NSURLProtectionSpace *protectionSpace = challenge.protectionSpace;
 
   if (challenge.previousFailureCount > 0) {
-    completionHandler(NSURLSessionAuthChallengeRejectProtectionSpace, nil);
+    completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
     return;
   }
 
   if (self.serverHostname && ![self.serverHostname isEqual:protectionSpace.host]) {
-    completionHandler(NSURLSessionAuthChallengeRejectProtectionSpace, nil);
+    completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
     return;
   }
 
   if (![protectionSpace.protocol isEqual:NSURLProtectionSpaceHTTPS]) {
     LOGE(@"%@ is not a secure protocol", protectionSpace.protocol);
-    completionHandler(NSURLSessionAuthChallengeRejectProtectionSpace, nil);
+    completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
     return;
   }
 
   if (!protectionSpace.receivesCredentialSecurely) {
     LOGE(@"Secure authentication or protocol cannot be established.");
-    completionHandler(NSURLSessionAuthChallengeRejectProtectionSpace, nil);
+    completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
     return;
   }
 
@@ -88,7 +88,7 @@
       return;
     } else {
       LOGE(@"Server asked for client authentication but no usable client certificate found.");
-      completionHandler(NSURLSessionAuthChallengeRejectProtectionSpace, nil);
+      completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
       return;
     }
   } else if (authMethod == NSURLAuthenticationMethodServerTrust) {
@@ -98,7 +98,7 @@
       return;
     } else {
       LOGE(@"Unable to verify server identity.");
-      completionHandler(NSURLSessionAuthChallengeRejectProtectionSpace, nil);
+      completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
       return;
     }
   }
@@ -112,6 +112,8 @@
                     newRequest:(NSURLRequest *)request
              completionHandler:(void (^)(NSURLRequest *))completionHandler {
     if (self.refusesRedirects) {
+      LOGD(@"Rejected redirection to: %@", request.URL);
+      [task cancel];  // without this, the connection hangs until timeout!?!
       completionHandler(NULL);
     } else {
       completionHandler(request);
@@ -136,7 +138,7 @@
 ///
 - (NSURLCredential *)clientCredentialForProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
   __block OSStatus err = errSecSuccess;
-  __block SecIdentityRef foundIdentity;
+  __block SecIdentityRef foundIdentity = NULL;
 
   if (self.clientCertFile) {
     NSError *error;
@@ -169,7 +171,8 @@
     err = SecItemCopyMatching((__bridge CFDictionaryRef)@{
           (id)kSecClass : (id)kSecClassIdentity,
           (id)kSecReturnRef : @YES,
-          (id)kSecMatchLimit : (id)kSecMatchLimitAll }, (CFTypeRef *)&cfIdentities);
+          (id)kSecMatchLimit : (id)kSecMatchLimitAll
+    }, (CFTypeRef *)&cfIdentities);
 
     if (err != errSecSuccess) {
       LOGD(@"Client Trust: Failed to load client identities, SecItemCopyMatching returned: %d",
@@ -213,12 +216,16 @@
         } else {
           for (NSData *allowedIssuer in protectionSpace.distinguishedNames) {
             SNTDERDecoder *decoder = [[SNTDERDecoder alloc] initWithData:allowedIssuer];
-            if (!decoder) continue;
+
+            if (!decoder) {
+              LOGW(@"Unable to decode allowed distinguished name.");
+              continue;
+            }
+
             if ([clientCert.issuerCommonName isEqual:decoder.commonName] &&
                 [clientCert.issuerCountryName isEqual:decoder.countryName] &&
                 [clientCert.issuerOrgName isEqual:decoder.organizationName] &&
                 [clientCert.issuerOrgUnit isEqual:decoder.organizationalUnit]) {
-
               foundIdentity = identityRef;
               CFRetain(foundIdentity);
               *stop = YES;
@@ -295,7 +302,7 @@
   }
 
   // Print details about the server's leaf certificate.
-  SecCertificateRef firstCert = SecTrustGetCertificateAtIndex(protectionSpace.serverTrust, 0);
+  SecCertificateRef firstCert = SecTrustGetCertificateAtIndex(serverTrust, 0);
   if (firstCert) {
     SNTCertificate *cert = [[SNTCertificate alloc] initWithSecCertificateRef:firstCert];
     LOGD(@"Server Trust: Server leaf cert: %@", cert);

Source/santactl/sync/SNTCommandSync.m

@@ -35,7 +35,7 @@
 
 @implementation SNTCommandSync
 
-REGISTER_COMMAND_NAME(@"sync");
+REGISTER_COMMAND_NAME(@"sync")
 
 + (BOOL)requiresRoot {
   return NO;
@@ -46,7 +46,7 @@ REGISTER_COMMAND_NAME(@"sync");
 }
 
 + (NSString *)shortHelpText {
-  return @"Synchronizes Santa with the server.";
+  return @"Synchronizes Santa with a configured server.";
 }
 
 + (NSString *)longHelpText {
@@ -168,11 +168,11 @@ REGISTER_COMMAND_NAME(@"sync");
                               completionHandler:^(BOOL success) {
       if (success) {
         LOGI(@"Log upload complete");
-        [self eventUpload];
       } else {
-        LOGE(@"Log upload failed, aborting run");
-        exit(1);
+        LOGE(@"Log upload failed, continuing anyway");
       }
+      [self eventUpload];
+
   }];
 }
 
@@ -198,11 +198,11 @@ REGISTER_COMMAND_NAME(@"sync");
                                               daemonConn:self.daemonConn
                                        completionHandler:^(BOOL success) {
       if (success) {
-       LOGI(@"Event upload complete");
-       exit(0);
+        LOGI(@"Event upload complete");
+        exit(0);
       } else {
-       LOGW(@"Event upload failed");
-       exit(1);
+        LOGW(@"Event upload failed");
+        exit(1);
       }
   }];
 }

Source/santactl/sync/SNTCommandSyncConstants.h

@@ -30,6 +30,7 @@ extern NSString * const kClientMode;
 extern NSString * const kClientModeMonitor;
 extern NSString * const kClientModeLockdown;
 extern NSString * const kCleanSync;
+extern NSString * const kWhitelistRegex;
 
 extern NSString * const kEvents;
 extern NSString * const kFileSHA256;
@@ -55,6 +56,7 @@ extern NSString * const kFileBundleVersion;
 extern NSString * const kFileBundleShortVersionString;
 extern NSString * const kPID;
 extern NSString * const kPPID;
+extern NSString * const kParentName;
 extern NSString * const kSigningChain;
 extern NSString * const kCertSHA256;
 extern NSString * const kCertCN;
@@ -77,3 +79,5 @@ extern NSString * const kRuleTypeBinary;
 extern NSString * const kRuleTypeCertificate;
 extern NSString * const kRuleCustomMsg;
 extern NSString * const kCursor;
+
+extern NSString * const kBackoffInterval;

Source/santactl/sync/SNTCommandSyncConstants.m

@@ -32,6 +32,7 @@ NSString * const kClientMode = @"client_mode";
 NSString * const kClientModeMonitor = @"MONITOR";
 NSString * const kClientModeLockdown = @"LOCKDOWN";
 NSString * const kCleanSync = @"clean_sync";
+NSString * const kWhitelistRegex = @"whitelist_regex";
 
 NSString * const kEvents = @"events";
 NSString * const kFileSHA256 = @"file_sha256";
@@ -57,6 +58,7 @@ NSString * const kFileBundleVersion = @"file_bundle_version";
 NSString * const kFileBundleShortVersionString = @"file_bundle_version_string";
 NSString * const kPID = @"pid";
 NSString * const kPPID = @"ppid";
+NSString * const kParentName = @"parent_name";
 NSString * const kSigningChain = @"signing_chain";
 NSString * const kCertSHA256 = @"sha256";
 NSString * const kCertCN = @"cn";
@@ -79,3 +81,5 @@ NSString * const kRuleTypeBinary = @"BINARY";
 NSString * const kRuleTypeCertificate = @"CERTIFICATE";
 NSString * const kRuleCustomMsg = @"custom_msg";
 NSString * const kCursor = @"cursor";
+
+NSString * const kBackoffInterval = @"backoff";

Source/santactl/sync/SNTCommandSyncEventUpload.m

@@ -16,6 +16,7 @@
 
 #include "SNTLogging.h"
 
+#import "NSData+Zlib.h"
 #import "SNTCertificate.h"
 #import "SNTCommandSyncConstants.h"
 #import "SNTCommandSyncState.h"
@@ -71,7 +72,7 @@
 + (void)uploadEventsFromArray:(NSArray *)events
                         toURL:(NSURL *)url
                     inSession:(NSURLSession *)session
-                    batchSize:(int32_t)batchSize
+                    batchSize:(NSUInteger)batchSize
                    daemonConn:(SNTXPCConnection *)daemonConn
             completionHandler:(void (^)(BOOL success))handler {
   NSMutableArray *uploadEvents = [[NSMutableArray alloc] init];
@@ -97,6 +98,13 @@
   NSMutableURLRequest *req = [[NSMutableURLRequest alloc] initWithURL:url];
   [req setHTTPMethod:@"POST"];
   [req setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
+
+  NSData *compressed = [requestBody zlibCompressed];
+  if (compressed) {
+    requestBody = compressed;
+    [req setValue:@"zlib" forHTTPHeaderField:@"Content-Encoding"];
+  }
+
   [req setHTTPBody:requestBody];
 
   [[session dataTaskWithRequest:req completionHandler:^(NSData *data,
@@ -104,12 +112,12 @@
                                                         NSError *error) {
       long statusCode = [(NSHTTPURLResponse *)response statusCode];
       if (statusCode != 200) {
-          LOGE(@"HTTP Response: %d %@",
+          LOGE(@"HTTP Response: %ld %@",
                statusCode,
                [[NSHTTPURLResponse localizedStringForStatusCode:statusCode] capitalizedString]);
         handler(NO);
       } else {
-        LOGI(@"Uploaded %d events", eventIds.count);
+        LOGI(@"Uploaded %lu events", eventIds.count);
 
         [[daemonConn remoteObjectProxy] databaseRemoveEventsWithIDs:eventIds];
 
@@ -164,9 +172,10 @@
 
   ADDKEY(newEvent, kPID, event.pid);
   ADDKEY(newEvent, kPPID, event.ppid);
+  ADDKEY(newEvent, kParentName, event.parentName);
 
   NSMutableArray *signingChain = [NSMutableArray arrayWithCapacity:event.signingChain.count];
-  for (int i = 0; i < event.signingChain.count; i++) {
+  for (NSUInteger i = 0; i < event.signingChain.count; i++) {
     SNTCertificate *cert = [event.signingChain objectAtIndex:i];
 
     NSMutableDictionary *certDict = [NSMutableDictionary dictionary];

Source/santactl/sync/SNTCommandSyncLogUpload.m

@@ -37,10 +37,29 @@
       [NSString stringWithFormat:@"multipart/form-data; charset=UTF-8; boundary=%@", boundary];
   [req setValue:contentType forHTTPHeaderField:@"Content-Type"];
 
+  NSArray *logsToUpload = [self logsToUpload];
+
+  // Upload the logs
+  [[session uploadTaskWithRequest:req
+                         fromData:[self requestBodyWithLogs:logsToUpload andBoundary:boundary]
+                completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
+      long statusCode = [(NSHTTPURLResponse *)response statusCode];
+      if (statusCode != 200) {
+        LOGE(@"HTTP Response: %ld %@",
+             statusCode,
+             [[NSHTTPURLResponse localizedStringForStatusCode:statusCode] capitalizedString]);
+        handler(NO);
+      } else {
+        LOGI(@"Uploaded %lu logs", [logsToUpload count]);
+        handler(YES);
+      }
+  }] resume];
+}
+
++ (NSData *)requestBodyWithLogs:(NSArray *)logsToUpload andBoundary:(NSString *)boundary {
   // Prepare the body of the request, encoded as a multipart/form-data.
   // Along the way, gzip the individual log files and append .gz to their filenames.
   NSMutableData *reqBody = [[NSMutableData alloc] init];
-  NSArray *logsToUpload = [SNTCommandSyncLogUpload logsToUpload];
   for (NSString *log in logsToUpload) {
     [reqBody appendData:
         [[NSString stringWithFormat:@"--%@\r\n", boundary] dataUsingEncoding:NSUTF8StringEncoding]];
@@ -48,30 +67,16 @@
         [[NSString stringWithFormat:@"Content-Disposition: form-data; "
             @"name=\"%@\"; "
             @"filename=\"%@.gz\"\r\n", kLogUploadField, [log lastPathComponent]]
-         dataUsingEncoding:NSUTF8StringEncoding]];
+      dataUsingEncoding:NSUTF8StringEncoding]];
     [reqBody appendData:
         [@"Content-Type: application/x-gzip\r\n\r\n" dataUsingEncoding:NSUTF8StringEncoding]];
     [reqBody appendData:[[NSData dataWithContentsOfFile:log] gzipCompressed]];
     [reqBody appendData:[@"\r\n" dataUsingEncoding:NSUTF8StringEncoding]];
   }
   [reqBody appendData:
-     [[NSString stringWithFormat:@"--%@--\r\n", boundary] dataUsingEncoding:NSUTF8StringEncoding]];
+      [[NSString stringWithFormat:@"--%@--\r\n", boundary] dataUsingEncoding:NSUTF8StringEncoding]];
 
-  // Upload the logs
-  [[session uploadTaskWithRequest:req
-                         fromData:reqBody
-                completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
-      long statusCode = [(NSHTTPURLResponse *)response statusCode];
-      if (statusCode != 200) {
-        LOGE(@"HTTP Response: %d %@",
-             statusCode,
-             [[NSHTTPURLResponse localizedStringForStatusCode:statusCode] capitalizedString]);
-        handler(NO);
-      } else {
-        LOGI(@"Uploaded %d logs", [logsToUpload count]);
-        handler(YES);
-      }
-  }] resume];
+  return reqBody;
 }
 
 + (NSArray *)logsToUpload {

Source/santactl/sync/SNTCommandSyncPostflight.m

@@ -18,6 +18,8 @@
 
 #import "SNTCommandSyncConstants.h"
 #import "SNTCommandSyncState.h"
+#import "SNTXPCConnection.h"
+#import "SNTXPCControlInterface.h"
 
 @implementation SNTCommandSyncPostflight
 
@@ -33,15 +35,22 @@
   [[session dataTaskWithRequest:req completionHandler:^(NSData *data,
                                                         NSURLResponse *response,
                                                         NSError *error) {
-      long statusCode = [(NSHTTPURLResponse *)response statusCode];
-      if (statusCode != 200) {
-        LOGE(@"HTTP Response: %d %@",
-             statusCode,
-             [[NSHTTPURLResponse localizedStringForStatusCode:statusCode] capitalizedString]);
-        handler(NO);
-      } else {
-        handler(YES);
+    long statusCode = [(NSHTTPURLResponse *)response statusCode];
+    if (statusCode != 200) {
+      LOGE(@"HTTP Response: %ld %@",
+           statusCode,
+           [[NSHTTPURLResponse localizedStringForStatusCode:statusCode] capitalizedString]);
+      handler(NO);
+    } else {
+      NSDictionary *r = [NSJSONSerialization JSONObjectWithData:data options:0 error:nil];
+
+      NSString *backoffInterval = r[kBackoffInterval];
+      if (backoffInterval) {
+        [[daemonConn remoteObjectProxy] setNextSyncInterval:[backoffInterval intValue] reply:^{}];
       }
+
+      handler(YES);
+    }
   }] resume];
 }
 

Source/santactl/sync/SNTCommandSyncPreflight.m

@@ -17,6 +17,7 @@
 #include "SNTKernelCommon.h"
 #include "SNTLogging.h"
 
+#import "NSData+Zlib.h"
 #import "SNTCommandSyncConstants.h"
 #import "SNTCommandSyncState.h"
 #import "SNTSystemInfo.h"
@@ -47,17 +48,25 @@
   NSData *requestBody = [NSJSONSerialization dataWithJSONObject:requestDict
                                                         options:0
                                                           error:nil];
+
   NSMutableURLRequest *req = [[NSMutableURLRequest alloc] initWithURL:url];
   [req setHTTPMethod:@"POST"];
   [req setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
-  [req setHTTPBody:requestBody];
+
+  NSData *compressed = [requestBody zlibCompressed];
+  if (compressed) {
+    requestBody = compressed;
+    [req setValue:@"zlib" forHTTPHeaderField:@"Content-Encoding"];
+  }
+
+  [req setHTTPBody:requestBody];  
 
   [[session dataTaskWithRequest:req completionHandler:^(NSData *data,
                                                         NSURLResponse *response,
                                                         NSError *error) {
       long statusCode = [(NSHTTPURLResponse *)response statusCode];
       if (statusCode != 200) {
-        LOGE(@"HTTP Response: %d %@",
+        LOGE(@"HTTP Response: %ld %@",
              statusCode,
              [[NSHTTPURLResponse localizedStringForStatusCode:statusCode] capitalizedString]);
         handler(NO);
@@ -73,9 +82,12 @@
             [[daemonConn remoteObjectProxy] setClientMode:CLIENTMODE_LOCKDOWN reply:^{}];
         }
 
+        if ([r[kWhitelistRegex] isKindOfClass:[NSString class]]) {
+          [[daemonConn remoteObjectProxy] setWhitelistPathRegex:r[kWhitelistRegex] reply:^{}];
+        }
+
         if ([r[kCleanSync] boolValue]) {
           syncState.cleanSync = YES;
-          LOGD(@"Clean sync requested by server");
         }
 
         handler(YES);

Source/santactl/sync/SNTCommandSyncRuleDownload.m

@@ -60,8 +60,11 @@
   [[session dataTaskWithRequest:req completionHandler:^(NSData *data,
                                                         NSURLResponse *response,
                                                         NSError *error) {
-      if ([(NSHTTPURLResponse *)response statusCode] != 200) {
-        LOGD(@"HTTP Response Code: %d", [(NSHTTPURLResponse *)response statusCode]);
+      long statusCode = [(NSHTTPURLResponse *)response statusCode];
+      if (statusCode != 200) {
+        LOGE(@"HTTP Response: %ld %@",
+             statusCode,
+             [[NSHTTPURLResponse localizedStringForStatusCode:statusCode] capitalizedString]);
         handler(NO);
       } else {
         NSDictionary *resp = [NSJSONSerialization JSONObjectWithData:data options:0 error:nil];
@@ -72,37 +75,8 @@
 
         NSArray *receivedRules = resp[kRules];
         for (NSDictionary *rule in receivedRules) {
-          if (![rule isKindOfClass:[NSDictionary class]]) continue;
-
-          SNTRule *newRule = [[SNTRule alloc] init];
-          newRule.shasum = rule[kRuleSHA256];
-
-          if ([rule[kRulePolicy] isEqual:kRulePolicyWhitelist]) {
-            newRule.state = RULESTATE_WHITELIST;
-          } else if ([rule[kRulePolicy] isEqual:kRulePolicyBlacklist]) {
-            newRule.state = RULESTATE_BLACKLIST;
-          } else if ([rule[kRulePolicy] isEqual:kRulePolicySilentBlacklist]) {
-            newRule.state = RULESTATE_SILENT_BLACKLIST;
-          } else if ([rule[kRulePolicy] isEqual:kRulePolicyRemove]) {
-            newRule.state = RULESTATE_REMOVE;
-          } else {
-            continue;
-          }
-
-          if ([rule[kRuleType] isEqual:kRuleTypeBinary]) {
-            newRule.type = RULETYPE_BINARY;
-          } else if ([rule[kRuleType] isEqual:kRuleTypeCertificate]) {
-            newRule.type = RULETYPE_CERT;
-          } else {
-            continue;
-          }
-
-          NSString *customMsg = rule[kRuleCustomMsg];
-          if (customMsg) {
-            newRule.customMsg = customMsg;
-          }
-
-          [syncState.downloadedRules addObject:newRule];
+          SNTRule *r = [self ruleFromDictionary:rule];
+          if (r) [syncState.downloadedRules addObject:r];
         }
 
         if (resp[kCursor]) {
@@ -113,17 +87,56 @@
                             daemonConn:daemonConn
                      completionHandler:handler];
         } else {
-          [[daemonConn remoteObjectProxy] databaseRuleAddRules:syncState.downloadedRules
-                                                    cleanSlate:syncState.cleanSync
-                                                         reply:^{
-              if (syncState.downloadedRules.count) {
-                LOGI(@"Added %d rule(s)", syncState.downloadedRules.count);
-              }
-              handler(YES);
-          }];
+          if (syncState.downloadedRules.count) {
+            [[daemonConn remoteObjectProxy] databaseRuleAddRules:syncState.downloadedRules
+                                                      cleanSlate:syncState.cleanSync
+                                                           reply:^{
+                LOGI(@"Added %lu rule(s)", syncState.downloadedRules.count);
+                handler(YES);
+            }];
+          } else {
+            handler(YES);
+          }
         }
       }
   }] resume];
 }
 
++ (SNTRule *)ruleFromDictionary:(NSDictionary *)dict {
+  if (![dict isKindOfClass:[NSDictionary class]]) return nil;
+
+  SNTRule *newRule = [[SNTRule alloc] init];
+  newRule.shasum = dict[kRuleSHA256];
+  if (newRule.shasum.length != 64) return nil;
+
+  NSString *policyString = dict[kRulePolicy];
+  if ([policyString isEqual:kRulePolicyWhitelist]) {
+    newRule.state = RULESTATE_WHITELIST;
+  } else if ([policyString isEqual:kRulePolicyBlacklist]) {
+    newRule.state = RULESTATE_BLACKLIST;
+  } else if ([policyString isEqual:kRulePolicySilentBlacklist]) {
+    newRule.state = RULESTATE_SILENT_BLACKLIST;
+  } else if ([policyString isEqual:kRulePolicyRemove]) {
+    newRule.state = RULESTATE_REMOVE;
+  } else {
+    return nil;
+  }
+
+  NSString *ruleTypeString = dict[kRuleType];
+  if ([ruleTypeString isEqual:kRuleTypeBinary]) {
+    newRule.type = RULETYPE_BINARY;
+  } else if ([ruleTypeString isEqual:kRuleTypeCertificate]) {
+    newRule.type = RULETYPE_CERT;
+  } else {
+    return nil;
+  }
+
+  NSString *customMsg = dict[kRuleCustomMsg];
+  if (customMsg.length) {
+    newRule.customMsg = customMsg;
+  }
+
+  return newRule;
+}
+
 @end

Source/santactl/sync/SNTCommandSyncState.h

@@ -20,8 +20,8 @@
 @property NSURL *syncBaseURL;
 
 /// Machine identifier and owner
-@property NSString *machineID;
-@property NSString *machineOwner;
+@property(copy) NSString *machineID;
+@property(copy) NSString *machineOwner;
 
 /// Clean sync flag, sent from server. If True, all existing rules
 /// should be deleted before inserting any new rules.

Source/santactl/sync/SNTDERDecoder.m

@@ -134,8 +134,10 @@
                       data.length,
                       kSequenceOfSetOfOIDValueTemplate,
                       &a);
-  SecAsn1CoderRelease(coder);
-  if (err != errSecSuccess) return nil;
+  if (err != errSecSuccess) {
+    SecAsn1CoderRelease(coder);
+    return nil;
+  }
 
   // The data is decoded but now it's in a number of embedded structs.
   // Massage that into a nice dictionary of OID->String pairs.
@@ -145,7 +147,10 @@
     OIDKeyValue *keyValue = anAttr->vals[0];
 
     // Sanity check
-    if (keyValue->value.Length > data.length) return nil;
+    if (keyValue->value.Length > data.length) {
+      SecAsn1CoderRelease(coder);
+      return nil;
+    }
 
     // Get the string value. First try creating as a UTF-8 string. If that fails,
     // fallback to trying as an ASCII string. If it still doesn't work, continue on
@@ -169,6 +174,7 @@
     dict[objectId] = valueString;
   }
 
+  SecAsn1CoderRelease(coder);
   return dict;
 }
 

Source/santactl/version/SNTCommandVersion.m

@@ -16,6 +16,7 @@
 
 #include <IOKit/kext/KextManager.h>
 
+#import "SNTCommonEnums.h"
 #import "SNTFileInfo.h"
 #import "SNTKernelCommon.h"
 #import "SNTXPCConnection.h"
@@ -25,7 +26,7 @@
 
 @implementation SNTCommandVersion
 
-REGISTER_COMMAND_NAME(@"version");
+REGISTER_COMMAND_NAME(@"version")
 
 + (BOOL)requiresRoot {
   return NO;
@@ -61,8 +62,7 @@ REGISTER_COMMAND_NAME(@"version");
     return loadedKexts[@(USERCLIENT_ID)][@"CFBundleVersion"];
   }
 
-  SNTFileInfo *driverInfo =
-      [[SNTFileInfo alloc] initWithPath:@"/Library/Extensions/santa-driver.kext"];
+  SNTFileInfo *driverInfo = [[SNTFileInfo alloc] initWithPath:@(kKextPath)];
   if (driverInfo) {
     return [driverInfo.bundleVersion stringByAppendingString:@" (unloaded)"];
   }
@@ -71,13 +71,13 @@ REGISTER_COMMAND_NAME(@"version");
 }
 
 + (NSString *)santadVersion {
-  SNTFileInfo *daemonInfo = [[SNTFileInfo alloc] initWithPath:@"/usr/libexec/santad"];
+  SNTFileInfo *daemonInfo = [[SNTFileInfo alloc] initWithPath:@(kSantaDPath)];
   return daemonInfo.bundleVersion;
 }
 
 + (NSString *)santaAppVersion {
   SNTFileInfo *guiInfo =
-  [[SNTFileInfo alloc] initWithPath:@"/Applications/Santa.app/Contents/MacOS/Santa"];
+      [[SNTFileInfo alloc] initWithPath:@"/Applications/Santa.app/Contents/MacOS/Santa"];
   return guiInfo.bundleVersion;
 }
 

Source/santad/Resources/santad-Prefix.pch

@@ -1,3 +1,3 @@
 #ifdef __OBJC__
 #import <Foundation/Foundation.h>
-#endif
+#endif

Source/santad/SNTApplication.m

@@ -12,7 +12,6 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#include <pwd.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 
@@ -25,6 +24,7 @@
 #import "SNTDaemonControlController.h"
 #import "SNTDatabaseController.h"
 #import "SNTDriverManager.h"
+#import "SNTEventLog.h"
 #import "SNTEventTable.h"
 #import "SNTExecutionController.h"
 #import "SNTFileWatcher.h"
@@ -35,6 +35,7 @@
 
 @interface SNTApplication ()
 @property SNTDriverManager *driverManager;
+@property SNTEventLog *eventLog;
 @property SNTEventTable *eventTable;
 @property SNTExecutionController *execController;
 @property SNTFileWatcher *configFileWatcher;
@@ -60,13 +61,13 @@
 
     // Initialize tables
     _ruleTable = [SNTDatabaseController ruleTable];
-    if (! _ruleTable) {
+    if (!_ruleTable) {
       LOGE(@"Failed to initialize rule table.");
       return nil;
     }
 
     _eventTable = [SNTDatabaseController eventTable];
-    if (! _eventTable) {
+    if (!_eventTable) {
       LOGE(@"Failed to initialize event table.");
       return nil;
     }
@@ -94,11 +95,14 @@
         chmod([kDefaultConfigFilePath fileSystemRepresentation], 0644);
     }];
 
+    _eventLog = [[SNTEventLog alloc] init];
+
     // Initialize the binary checker object
     _execController = [[SNTExecutionController alloc] initWithDriverManager:_driverManager
                                                                   ruleTable:_ruleTable
                                                                  eventTable:_eventTable
-                                                         notifierConnection:_notifierConnection];
+                                                         notifierConnection:_notifierConnection
+                                                                   eventLog:_eventLog];
     if (!_execController) return nil;
   }
 
@@ -109,8 +113,8 @@
   LOGI(@"Connected to driver, activating.");
 
   // Create a concurrent queue to put requests on, then set its priority to high.
-  dispatch_queue_t q = dispatch_queue_create("com.google.santad.driver_queue",
-                                             DISPATCH_QUEUE_CONCURRENT);
+  dispatch_queue_t q =
+      dispatch_queue_create("com.google.santad.driver_queue", DISPATCH_QUEUE_CONCURRENT);
   dispatch_set_target_queue(q, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0));
 
   [self.driverManager listenWithBlock:^(santa_message_t message) {
@@ -118,24 +122,29 @@
         switch (message.action) {
           case ACTION_REQUEST_SHUTDOWN: {
             LOGI(@"Driver requested a shutdown");
-            // Sleep before exiting to give driver chance to ready itself
             exit(0);
           }
-          case ACTION_REQUEST_CHECKBW: {
-            // Validate the binary aynchronously on a concurrent queue so we don't
-            // hold up other execution requests in the background.
+          case ACTION_NOTIFY_DELETE:
+          case ACTION_NOTIFY_EXCHANGE:
+          case ACTION_NOTIFY_LINK:
+          case ACTION_NOTIFY_RENAME:
+          case ACTION_NOTIFY_WRITE: {
             dispatch_async(q, ^{
-                struct passwd *user = getpwuid(message.userId);
-                NSString *userName;
-                if (user) {
-                  userName = @(user->pw_name);
-                }
-
-                [self.execController validateBinaryWithPath:@(message.path)
-                                                   userName:userName
-                                                        pid:@(message.pid)
-                                                       ppid:@(message.ppid)
-                                                    vnodeId:message.vnode_id];
+              if ([[SNTConfigurator configurator] logFileChanges]) {
+                [self.eventLog logFileModification:message];
+              }
+            });
+            break;
+          }
+          case ACTION_NOTIFY_EXEC: {
+            dispatch_async(q, ^{
+              [self.eventLog logAllowedExecution:message];
+            });
+            break;
+          }
+          case ACTION_REQUEST_CHECKBW: {
+            dispatch_async(q, ^{
+                [self.execController validateBinaryWithMessage:message];
             });
             break;
           }

Source/santad/SNTCachedDecision.h

@@ -0,0 +1,32 @@
+/// Copyright 2015 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#include "SNTCommonEnums.h"
+
+///
+///  Store information about executions from decision making for later logging.
+///
+@interface SNTCachedDecision : NSObject
+
+@property uint64_t vnodeId;
+@property santa_eventstate_t decision;
+@property NSString *decisionExtra;
+@property NSString *sha256;
+@property NSString *certSHA256;
+@property NSString *certCommonName;
+
+@property NSString *customMsg;
+@property BOOL silentBlock;
+
+@end

Source/santad/SNTCachedDecision.m

@@ -0,0 +1,18 @@
+/// Copyright 2015 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTCachedDecision.h"
+
+@implementation SNTCachedDecision
+@end

Source/santad/SNTDaemonControlController.m

@@ -17,25 +17,65 @@
 #import "SNTConfigurator.h"
 #import "SNTDatabaseController.h"
 #import "SNTDriverManager.h"
+#import "SNTDropRootPrivs.h"
 #import "SNTEventTable.h"
 #import "SNTLogging.h"
 #import "SNTRule.h"
 #import "SNTRuleTable.h"
 
+@interface SNTDaemonControlController ()
+@property dispatch_source_t syncTimer;
+@end
+
 @implementation SNTDaemonControlController
 
 - (instancetype)initWithDriverManager:(SNTDriverManager *)driverManager {
   self = [super init];
   if (self) {
     _driverManager = driverManager;
+
+    _syncTimer = [self createSyncTimer];
+    [self rescheduleSyncSecondsFromNow:30];
   }
   return self;
 }
 
+- (dispatch_source_t)createSyncTimer {
+  dispatch_source_t syncTimerQ = dispatch_source_create(
+      DISPATCH_SOURCE_TYPE_TIMER, 0, 0,
+      dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0));
+
+  dispatch_source_set_event_handler(syncTimerQ, ^{
+      [self rescheduleSyncSecondsFromNow:600];
+
+      if (![[SNTConfigurator configurator] syncBaseURL]) return;
+      [[SNTConfigurator configurator] setSyncBackOff:NO];
+
+      if (fork() == 0) {
+        // Ensure we have no privileges
+        if (!DropRootPrivileges()) {
+          _exit(EPERM);
+        }
+
+        _exit(execl(kSantaCtlPath, kSantaCtlPath, "sync", "--syslog", NULL));
+      }
+  });
+
+  dispatch_resume(syncTimerQ);
+
+  return syncTimerQ;
+}
+
+- (void)rescheduleSyncSecondsFromNow:(uint64_t)seconds {
+  uint64_t interval = seconds * NSEC_PER_SEC;
+  uint64_t leeway = (seconds * 0.05) * NSEC_PER_SEC;
+  dispatch_source_set_timer(self.syncTimer, dispatch_walltime(NULL, interval), interval, leeway);
+}
+
 #pragma mark Kernel ops
 
-- (void)cacheCount:(void (^)(uint64_t))reply; {
-  uint64_t count = [self.driverManager cacheCount];
+- (void)cacheCount:(void (^)(int64_t))reply {
+  int64_t count = [self.driverManager cacheCount];
   reply(count);
 }
 
@@ -45,7 +85,7 @@
 
 #pragma mark Database ops
 
-- (void)databaseRuleCounts:(void (^)(uint64_t binary, uint64_t certificate))reply {
+- (void)databaseRuleCounts:(void (^)(int64_t binary, int64_t certificate))reply {
   SNTRuleTable *rdb = [SNTDatabaseController ruleTable];
   reply([rdb binaryRuleCount], [rdb certificateRuleCount]);
 }
@@ -67,7 +107,7 @@
   reply();
 }
 
-- (void)databaseEventCount:(void (^)(uint64_t count))reply {
+- (void)databaseEventCount:(void (^)(int64_t count))reply {
   reply([[SNTDatabaseController eventTable] pendingEventsCount]);
 }
 
@@ -94,4 +134,18 @@
   reply();
 }
 
+- (void)setNextSyncInterval:(uint64_t)seconds reply:(void (^)())reply {
+  [self rescheduleSyncSecondsFromNow:seconds];
+  [[SNTConfigurator configurator] setSyncBackOff:YES];
+  reply();
+}
+
+- (void)setWhitelistPathRegex:(NSString *)pattern reply:(void (^)())reply {
+  NSRegularExpression *re = [NSRegularExpression regularExpressionWithPattern:pattern
+                                                                      options:0
+                                                                        error:NULL];
+  [[SNTConfigurator configurator] setWhitelistPathRegex:re];
+  reply();
+}
+
 @end

Source/santad/SNTDatabaseController.m

@@ -14,6 +14,9 @@
 
 #import "SNTDatabaseController.h"
 
+#include <sys/types.h>
+#include <sys/stat.h>
+
 #import "SNTEventTable.h"
 #import "SNTLogging.h"
 #import "SNTRuleTable.h"
@@ -31,11 +34,11 @@ static NSString * const kEventsDatabaseName = @"events.db";
       [self createDatabasePath];
       NSString *fullPath = [kDatabasePath stringByAppendingPathComponent:kEventsDatabaseName];
       eventDatabaseQueue = [[FMDatabaseQueue alloc] initWithPath:fullPath];
+      chown([fullPath UTF8String], 0, 0);
+      chmod([fullPath UTF8String], 0600);
 
-  #ifndef DEBUG
-      [eventDatabaseQueue inDatabase:^(FMDatabase *db) {
-          db.logsErrors = NO;
-    }];
+#ifndef DEBUG
+      [eventDatabaseQueue inDatabase:^(FMDatabase *db) { db.logsErrors = NO; }];
 #endif
   });
 
@@ -49,11 +52,11 @@ static NSString * const kEventsDatabaseName = @"events.db";
       [self createDatabasePath];
       NSString *fullPath = [kDatabasePath stringByAppendingPathComponent:kRulesDatabaseName];
       ruleDatabaseQueue = [[FMDatabaseQueue alloc] initWithPath:fullPath];
+      chown([fullPath UTF8String], 0, 0);
+      chmod([fullPath UTF8String], 0600);
 
-  #ifndef DEBUG
-      [ruleDatabaseQueue inDatabase:^(FMDatabase *db) {
-          db.logsErrors = NO;
-    }];
+#ifndef DEBUG
+      [ruleDatabaseQueue inDatabase:^(FMDatabase *db) { db.logsErrors = NO; }];
 #endif
   });
   return [[SNTRuleTable alloc] initWithDatabaseQueue:ruleDatabaseQueue];
@@ -65,9 +68,11 @@ static NSString * const kEventsDatabaseName = @"events.db";
 + (void)createDatabasePath {
   NSFileManager *fm = [NSFileManager defaultManager];
 
-  NSDictionary *attrs = @{ NSFileOwnerAccountName: @"root",
-                           NSFileGroupOwnerAccountName: @"wheel",
-                           NSFilePosixPermissions: @0755 };
+  NSDictionary *attrs = @{
+    NSFileOwnerAccountName : @"root",
+    NSFileGroupOwnerAccountName : @"wheel",
+    NSFilePosixPermissions : @0755
+  };
 
   if (![fm fileExistsAtPath:kDatabasePath]) {
     [fm createDirectoryAtPath:kDatabasePath

Source/santad/SNTDatabaseTable.h

@@ -28,7 +28,7 @@
 ///  is the current version of the table. The return value is the new version of the table. If
 ///  updating the table failed, return a negative number. If there was no update to apply, return 0.
 ///
-- (int)initializeDatabase:(FMDatabase *)db fromVersion:(int)version;
+- (uint32_t)initializeDatabase:(FMDatabase *)db fromVersion:(uint32_t)version;
 
 ///
 ///  Wrappers around the respective FMDatabaseQueue methods. If the object we initialized with was

Source/santad/SNTDatabaseTable.m

@@ -38,17 +38,17 @@
   return nil;
 }
 
-- (int)initializeDatabase:(FMDatabase *)db fromVersion:(int)version {
+- (uint32_t)initializeDatabase:(FMDatabase *)db fromVersion:(uint32_t)version {
   [self doesNotRecognizeSelector:_cmd];
-  return -1;
+  return 0;
 }
 
 /// Called at the end of initialization to ensure the table in the
 /// database exists and uses the latest schema.
 - (void)updateTableSchema {
   [self inTransaction:^(FMDatabase *db, BOOL *rollback) {
-      int currentVersion = [db userVersion];
-      int newVersion = [self initializeDatabase:db fromVersion:currentVersion];
+      uint32_t currentVersion = [db userVersion];
+      uint32_t newVersion = [self initializeDatabase:db fromVersion:currentVersion];
       if (newVersion < 1) return;
 
       LOGD(@"Updated %@ from version %d to %d", [self className], currentVersion, newVersion);

Source/santad/SNTDriverManager.m

@@ -83,12 +83,10 @@ static const int MAX_DELAY = 15;
   IOServiceClose(_connection);
 }
 
-# pragma mark Incoming messages
+#pragma mark Incoming messages
 
 - (void)listenWithBlock:(void (^)(santa_message_t message))callback {
   kern_return_t kr;
-  santa_message_t vdata;
-  UInt32 dataSize;
 
   mach_vm_address_t address = 0;
   mach_vm_size_t size = 0;
@@ -120,20 +118,20 @@ static const int MAX_DELAY = 15;
   }
 
   self.queueMemory = (IODataQueueMemory *)address;
-  dataSize = sizeof(vdata);
 
-  while (IODataQueueWaitForAvailableData(self.queueMemory,
-                                         self.receivePort) == kIOReturnSuccess) {
+  do {
     while (IODataQueueDataAvailable(self.queueMemory)) {
+      santa_message_t vdata;
+      uint32_t dataSize = sizeof(vdata);
       kr = IODataQueueDequeue(self.queueMemory, &vdata, &dataSize);
       if (kr == kIOReturnSuccess) {
         callback(vdata);
       } else {
-        LOGD(@"Error receiving data: %d", kr);
+        LOGE(@"Error dequeuing data: %d", kr);
         exit(2);
       }
     }
-  }
+  } while (IODataQueueWaitForAvailableData(self.queueMemory, self.receivePort) == kIOReturnSuccess);
 
   IOConnectUnmapMemory(self.connection, kIODefaultMemoryType, mach_task_self(), address);
   mach_port_destroy(mach_task_self(), self.receivePort);

Source/santad/SNTEventLog.h

@@ -0,0 +1,30 @@
+/// Copyright 2015 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+
+#import "SNTKernelCommon.h"
+@class SNTCachedDecision;
+
+///
+///  Logs execution and file write events to syslog
+///
+@interface SNTEventLog : NSObject
+
+- (void)logFileModification:(santa_message_t)message;
+
+- (void)saveDecisionDetails:(SNTCachedDecision *)cd;
+- (void)logDeniedExecution:(SNTCachedDecision *)cd withMessage:(santa_message_t)message;
+- (void)logAllowedExecution:(santa_message_t)message;
+
+@end

Source/santad/SNTEventLog.m

@@ -0,0 +1,216 @@
+/// Copyright 2015 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTEventLog.h"
+
+#include <sys/stat.h>
+#include <sys/sysctl.h>
+
+#import "SNTCachedDecision.h"
+#import "SNTCertificate.h"
+#import "SNTCommonEnums.h"
+#import "SNTFileInfo.h"
+#import "SNTKernelCommon.h"
+#import "SNTLogging.h"
+
+@interface SNTEventLog ()
+@property NSMutableDictionary *detailStore;
+@end
+
+@implementation SNTEventLog
+
+- (instancetype)init {
+  self = [super init];
+  if (self) {
+    _detailStore = [NSMutableDictionary dictionaryWithCapacity:10000];
+  }
+  return self;
+}
+
+- (void)saveDecisionDetails:(SNTCachedDecision *)cd {
+  self.detailStore[@(cd.vnodeId)] = cd;
+}
+
+- (void)logFileModification:(santa_message_t)message {
+  NSString *action, *path, *newpath, *sha256, *outStr;
+
+  path = @(message.path);
+
+  switch (message.action) {
+    case ACTION_NOTIFY_DELETE: {
+      action = @"DELETE";
+      break;
+    }
+    case ACTION_NOTIFY_EXCHANGE: {
+      action = @"EXCHANGE";
+      newpath = @(message.newpath);
+      break;
+    }
+    case ACTION_NOTIFY_LINK: {
+      action = @"LINK";
+      newpath = @(message.newpath);
+      break;
+    }
+    case ACTION_NOTIFY_RENAME: {
+      action = @"RENAME";
+      newpath = @(message.newpath);
+      break;
+    }
+    case ACTION_NOTIFY_WRITE: {
+      action = @"WRITE";
+      struct stat filestat;
+      stat(message.path, &filestat);
+
+      if (filestat.st_size < 1024 * 1024) {
+        SNTFileInfo *fileInfo = [[SNTFileInfo alloc] initWithPath:path];
+        sha256 = fileInfo.SHA256;
+      } else {
+        sha256 = @"(too large)";
+      }
+      break;
+    }
+    default: action = @"UNKNOWN"; break;
+  }
+
+  outStr = [NSString stringWithFormat:@"action=%@|path=%@", action, [self sanitizeString:path]];
+  if (newpath) {
+    outStr = [outStr stringByAppendingFormat:@"|newpath=%@", [self sanitizeString:newpath]];
+  }
+  outStr = [outStr stringByAppendingFormat:@"|pid=%d|ppid=%d|uid=%d|gid=%d",
+               message.pid, message.ppid, message.uid, message.gid];
+  if (sha256) {
+    outStr = [outStr stringByAppendingFormat:@"|sha256=%@", sha256];
+  }
+
+  LOGI(@"%@", outStr);
+}
+
+- (void)logDeniedExecution:(SNTCachedDecision *)cd withMessage:(santa_message_t)message {
+  [self logExecution:message withDecision:cd];
+}
+
+- (void)logAllowedExecution:(santa_message_t)message {
+  SNTCachedDecision *cd = self.detailStore[@(message.vnode_id)];
+  [self logExecution:message withDecision:cd];
+}
+
+- (void)logExecution:(santa_message_t)message withDecision:(SNTCachedDecision *)cd {
+  NSString *d, *r, *args, *outLog;
+
+  switch (cd.decision) {
+    case EVENTSTATE_ALLOW_BINARY:
+      d = @"ALLOW"; r = @"BINARY"; args = [self argsForPid:message.pid]; break;
+    case EVENTSTATE_ALLOW_CERTIFICATE:
+      d = @"ALLOW"; r = @"CERTIFICATE"; args = [self argsForPid:message.pid]; break;
+    case EVENTSTATE_ALLOW_SCOPE:
+      d = @"ALLOW"; r = @"SCOPE"; args = [self argsForPid:message.pid]; break;
+    case EVENTSTATE_ALLOW_UNKNOWN:
+      d = @"ALLOW"; r = @"UNKNOWN"; args = [self argsForPid:message.pid]; break;
+    case EVENTSTATE_BLOCK_BINARY:
+      d = @"DENY"; r = @"BINARY"; break;
+    case EVENTSTATE_BLOCK_CERTIFICATE:
+      d = @"DENY"; r = @"CERT"; break;
+    case EVENTSTATE_BLOCK_SCOPE:
+      d = @"DENY"; r = @"SCOPE"; break;
+    case EVENTSTATE_BLOCK_UNKNOWN:
+      d = @"DENY"; r = @"UNKNOWN"; break;
+    default:
+      d = @"ALLOW"; r = @"NOTRUNNING"; args = [self argsForPid:message.pid]; break;
+  }
+
+  outLog = [NSString stringWithFormat:@"action=EXEC|decision=%@|reason=%@", d, r];
+
+  if (cd.decisionExtra) {
+    outLog = [outLog stringByAppendingFormat:@"|explain=%@", cd.decisionExtra];
+  }
+
+  outLog = [outLog stringByAppendingFormat:@"|sha256=%@|path=%@|args=%@",
+               cd.sha256, [self sanitizeString:@(message.path)], [self sanitizeString:args]];
+
+  if (cd.certSHA256) {
+    outLog = [outLog stringByAppendingFormat:@"|cert_sha256=%@|cert_cn=%@",
+                 cd.certSHA256, [self sanitizeString:cd.certCommonName]];
+  }
+
+  outLog = [outLog stringByAppendingFormat:@"|pid=%d|ppid=%d|uid=%d|gid=%d",
+               message.pid, message.ppid, message.uid, message.gid];
+
+  LOGI(@"%@", outLog);
+}
+
+#pragma mark Helpers
+
+- (NSString *)sanitizeString:(NSString *)inStr {
+  inStr = [inStr stringByReplacingOccurrencesOfString:@"|" withString:@"<pipe>"];
+  inStr = [inStr stringByReplacingOccurrencesOfString:@"\n" withString:@"\\n"];
+  inStr = [inStr stringByReplacingOccurrencesOfString:@"\r" withString:@"\\r"];
+  return inStr;
+}
+
+- (NSString *)argsForPid:(pid_t)pid {
+  int mib[3];
+
+  // Get size of buffer required to store process arguments.
+  mib[0] = CTL_KERN;
+  mib[1] = KERN_ARGMAX;
+  int argmax;
+  size_t size = sizeof(argmax);
+
+  if (sysctl(mib, 2, &argmax, &size, NULL, 0) == -1) return nil;
+
+  // Create buffer to store args
+  NSMutableData *argsdata = [NSMutableData dataWithCapacity:argmax];
+  char *argsdatabytes = (char *)argsdata.mutableBytes;
+
+  // Fetch args
+  mib[0] = CTL_KERN;
+  mib[1] = KERN_PROCARGS2;
+  mib[2] = pid;
+  size = (size_t)argmax;
+  if (sysctl(mib, 3, argsdatabytes, &size, NULL, 0) == -1) return nil;
+
+  // Get argc
+  int argc;
+  memcpy(&argc, argsdatabytes, sizeof(argc));
+
+  // Get pointer to beginning of string space
+  char *cp;
+  cp = (char *) argsdatabytes + sizeof(argc);
+
+  // Skip over exec_path
+  for (; cp < &argsdatabytes[size]; cp++) {
+    if (*cp == '\0') {
+      cp++;
+      break;
+    }
+  }
+
+  // Skip trailing NULL bytes
+  for (; cp < &argsdatabytes[size]; cp++) if (*cp != '\0') break;
+
+  // Loop over the argv array, stripping newlines in each arg and putting in a new array.
+  NSMutableArray *args = [NSMutableArray arrayWithCapacity:argc];
+  for (int i = 0; i < argc; i++) {
+    NSString *arg = @(cp);
+    [args addObject:arg];
+
+    // Move the pointer past this string and the terminator at the end.
+    cp += strlen(cp) + 1;
+  }
+
+  // Return the args as a space-separated list
+  return [args componentsJoinedByString:@" "];
+}
+
+@end

Source/santad/SNTEventTable.h

@@ -24,6 +24,7 @@
 
 ///
 ///  Add event to the database.
+///
 ///  @param event the event to store.
 ///  @return YES if event was successfully stored.
 ///
@@ -31,18 +32,23 @@
 
 ///
 ///  Retrieves all events in the database
+///
 ///  @return NSArray of SNTStoredEvent's
 ///
 - (NSArray *)pendingEvents;
 
 ///
 ///  Retrieves number of events in database without fetching every event.
+///
 ///  @return Number of events in database.
 ///
 - (NSUInteger)pendingEventsCount;
 
 ///
-///  Retrieve an event from the database.
+///  Retrieve an event from the database with a given SHA-256. If multiple events
+///  exist for the same SHA-256, just the first is returned.
+///
+///  @param sha256 a SHA-256 of the binary to return an event for.
 ///  @return a single SNTStoredEvent.
 ///
 - (SNTStoredEvent *)pendingEventForSHA256:(NSString *)sha256;
@@ -50,12 +56,15 @@
 ///
 ///  Delete a single event from the database using its index.
 ///
-- (void)deleteEventWithId:(NSNumber *)id;
+///  @param index the event ID.
+///
+- (void)deleteEventWithId:(NSNumber *)index;
 
 ///
 ///  Delete multiple events from the database with an array of IDs.
+///
 ///  @param indexes an array of event IDs.
 ///
-- (void)deleteEventsWithIds:(NSArray *)ids;
+- (void)deleteEventsWithIds:(NSArray *)indexes;
 
 @end

Source/santad/SNTEventTable.m

@@ -20,17 +20,15 @@
 
 @implementation SNTEventTable
 
-- (int)initializeDatabase:(FMDatabase *)db fromVersion:(int)version {
+- (uint32_t)initializeDatabase:(FMDatabase *)db fromVersion:(uint32_t)version {
   int newVersion = 0;
 
   if (version < 1) {
     [db executeUpdate:@"CREATE TABLE 'events' ("
-        "'idx' INTEGER PRIMARY KEY AUTOINCREMENT,"
-        "'filesha256' TEXT NOT NULL,"
-        "'eventdata' BLOB"
-        @");"];
+                      @"'idx' INTEGER PRIMARY KEY AUTOINCREMENT,"
+                      @"'filesha256' TEXT NOT NULL,"
+                      @"'eventdata' BLOB);"];
     [db executeUpdate:@"CREATE INDEX filesha256 ON events (filesha256);"];
-
     newVersion = 1;
   }
 
@@ -43,7 +41,6 @@
   if (!event.fileSHA256 ||
       !event.filePath ||
       !event.occurrenceDate ||
-      !event.executingUser ||
       !event.decision) return NO;
 
   NSData *eventData = [NSKeyedArchiver archivedDataWithRootObject:event];
@@ -57,16 +54,6 @@
   return success;
 }
 
-- (SNTStoredEvent *)eventFromResultSet:(FMResultSet *)rs {
-  NSData *eventData = [rs dataForColumn:@"eventdata"];
-  if (!eventData) return nil;
-
-  SNTStoredEvent *event = [NSKeyedUnarchiver unarchiveObjectWithData:eventData];
-  event.idx = @([rs intForColumn:@"idx"]);
-
-  return event;
-}
-
 #pragma mark Querying/Retreiving
 
 - (NSUInteger)pendingEventsCount {
@@ -81,8 +68,8 @@
   __block SNTStoredEvent *storedEvent;
 
   [self inDatabase:^(FMDatabase *db) {
-      FMResultSet *rs = [db executeQuery:@"SELECT * FROM events WHERE filesha256=? LIMIT 1;",
-                            sha256];
+      FMResultSet *rs =
+          [db executeQuery:@"SELECT * FROM events WHERE filesha256=? LIMIT 1;", sha256];
 
       if ([rs next]) {
         storedEvent = [self eventFromResultSet:rs];
@@ -101,7 +88,13 @@
       FMResultSet *rs = [db executeQuery:@"SELECT * FROM events"];
 
       while ([rs next]) {
-        [pendingEvents addObject:[self eventFromResultSet:rs]];
+        id obj = [self eventFromResultSet:rs];
+        if (obj) {
+          [pendingEvents addObject:obj];
+        } else {
+          NSNumber *idx = [rs objectForColumnName:@"idx"];
+          [db executeUpdate:@"DELETE FROM events WHERE idx=?", idx];
+        }
       }
 
       [rs close];
@@ -110,6 +103,16 @@
   return pendingEvents;
 }
 
+- (SNTStoredEvent *)eventFromResultSet:(FMResultSet *)rs {
+  NSData *eventData = [rs dataForColumn:@"eventdata"];
+  if (!eventData) return nil;
+
+  SNTStoredEvent *event = [NSKeyedUnarchiver unarchiveObjectWithData:eventData];
+  event.idx = @([rs intForColumn:@"idx"]);
+
+  return event;
+}
+
 #pragma mark Deleting
 
 - (void)deleteEventWithId:(NSNumber *)index {
@@ -122,6 +125,9 @@
   for (NSNumber *index in indexes) {
     [self deleteEventWithId:index];
   }
+  [self inDatabase:^(FMDatabase *db) {
+      [db executeUpdate:@"VACUUM"];
+  }];
 }
 
 @end

Source/santad/SNTExecutionController.h

@@ -13,9 +13,11 @@
 ///    limitations under the License.
 
 #include "SNTCommonEnums.h"
+#include "SNTKernelCommon.h"
 
 @class SNTCodesignChecker;
 @class SNTDriverManager;
+@class SNTEventLog;
 @class SNTEventTable;
 @class SNTRuleTable;
 @class SNTXPCConnection;
@@ -29,36 +31,28 @@
 ///    + (If denied or unknown) Storing details about the execution event to the database
 ///      for upload and spwaning santactl to quickly try and send that to the server.
 ///    + (If denied) Potentially sending a message to SantaGUI to notify the user
-///    + Logging the event to the log file
 ///
 @interface SNTExecutionController : NSObject
 
 @property SNTDriverManager *driverManager;
-@property SNTRuleTable *ruleTable;
+@property SNTEventLog *eventLog;
 @property SNTEventTable *eventTable;
+@property SNTRuleTable *ruleTable;
 @property SNTXPCConnection *notifierConnection;
 
 - (instancetype)initWithDriverManager:(SNTDriverManager *)driverManager
                             ruleTable:(SNTRuleTable *)ruleTable
                            eventTable:(SNTEventTable *)eventTable
-                   notifierConnection:(SNTXPCConnection *)notifierConn;
+                   notifierConnection:(SNTXPCConnection *)notifierConn
+                             eventLog:(SNTEventLog *)eventLog;
 
 ///
 ///  Handles the logic of deciding whether to allow the binary to run or not, sends the response to
 ///  the kernel, logs the event to the log and if necessary stores the event in the database and
 ///  sends a notification to the GUI agent.
 ///
-///  @param path the binary that's being executed
-///  @param userName the user who's executing the binary
-///  @param pid the process id being executed
-///  @param ppid the parent process id
-///  @param vnoteId the id of the vnode being executed
+///  @param message The message sent from the kernel.
 ///
-- (void)validateBinaryWithPath:(NSString *)path
-                      userName:(NSString *)userName
-                           pid:(NSNumber *)pid
-                          ppid:(NSNumber *)ppid
-                       vnodeId:(uint64_t)vnodeId;
-
+- (void)validateBinaryWithMessage:(santa_message_t)message;
 
 @end

Source/santad/SNTExecutionController.m

@@ -14,15 +14,20 @@
 
 #import "SNTExecutionController.h"
 
+#include <libproc.h>
+#include <pwd.h>
 #include <utmpx.h>
 
 #include "SNTLogging.h"
 
+#import "SNTCachedDecision.h"
 #import "SNTCertificate.h"
 #import "SNTCodesignChecker.h"
+#import "SNTCommonEnums.h"
 #import "SNTConfigurator.h"
 #import "SNTDriverManager.h"
 #import "SNTDropRootPrivs.h"
+#import "SNTEventLog.h"
 #import "SNTEventTable.h"
 #import "SNTFileInfo.h"
 #import "SNTRule.h"
@@ -38,14 +43,15 @@
 - (instancetype)initWithDriverManager:(SNTDriverManager *)driverManager
                             ruleTable:(SNTRuleTable *)ruleTable
                            eventTable:(SNTEventTable *)eventTable
-                   notifierConnection:(SNTXPCConnection *)notifier {
+                   notifierConnection:(SNTXPCConnection *)notifier
+                             eventLog:(SNTEventLog *)eventLog {
   self = [super init];
   if (self) {
     _driverManager = driverManager;
     _ruleTable = ruleTable;
     _eventTable = eventTable;
     _notifierConnection = notifier;
-    LOGI(@"Log format: Decision (A|D), Reason (B|C|S|?), SHA-256, Path, Cert SHA-256, Cert CN");
+    _eventLog = eventLog;
 
     // Workaround for xpcproxy/libsecurity bug on Yosemite
     // This establishes the XPC connection between libsecurity and syspolicyd.
@@ -57,56 +63,103 @@
 
 #pragma mark Binary Validation
 
-- (void)validateBinaryWithPath:(NSString *)path
-                      userName:(NSString *)userName
-                           pid:(NSNumber *)pid
-                          ppid:(NSNumber *)ppid
-                       vnodeId:(uint64_t)vnodeId {
-  SNTFileInfo *binInfo = [[SNTFileInfo alloc] initWithPath:path];
-  NSString *sha256 = [binInfo SHA256];
-
-  // These will be filled in either in later steps
-  santa_action_t respondedAction = ACTION_UNSET;
-  SNTRule *rule;
-
-  // Step 1 - binary rule?
-  rule = [self.ruleTable binaryRuleForSHA256:sha256];
+- (santa_eventstate_t)makeDecision:(SNTCachedDecision *)cd binaryInfo:(SNTFileInfo *)fi {
+  SNTRule *rule = [self.ruleTable binaryRuleForSHA256:cd.sha256];
   if (rule) {
-    respondedAction = [self actionForRuleState:rule.state];
-    [self.driverManager postToKernelAction:respondedAction forVnodeID:vnodeId];
-  }
-
-  SNTCodesignChecker *csInfo = [[SNTCodesignChecker alloc] initWithBinaryPath:path];
-
-  // Step 2 - cert rule?
-  if (!rule) {
-    rule = [self.ruleTable certificateRuleForSHA256:csInfo.leafCertificate.SHA256];
-    if (rule) {
-      respondedAction = [self actionForRuleState:rule.state];
-      [self.driverManager postToKernelAction:respondedAction forVnodeID:vnodeId];
+    switch (rule.state) {
+      case RULESTATE_WHITELIST:
+        return EVENTSTATE_ALLOW_BINARY;
+      case RULESTATE_SILENT_BLACKLIST:
+        cd.silentBlock = YES;
+      case RULESTATE_BLACKLIST:
+        cd.customMsg = rule.customMsg;
+        return EVENTSTATE_BLOCK_BINARY;
+      default: break;
     }
   }
 
-  // Step 3 - in scope?
-  if (![self fileIsInScope:path]) {
-    [self.driverManager postToKernelAction:ACTION_RESPOND_CHECKBW_ALLOW forVnodeID:vnodeId];
-    [self logDecisionForEventState:EVENTSTATE_ALLOW_SCOPE sha256:sha256 path:path leafCert:nil];
+  rule = [self.ruleTable certificateRuleForSHA256:cd.certSHA256];
+  if (rule) {
+    switch (rule.state) {
+      case RULESTATE_WHITELIST:
+        return EVENTSTATE_ALLOW_CERTIFICATE;
+      case RULESTATE_SILENT_BLACKLIST:
+        cd.silentBlock = YES;
+      case RULESTATE_BLACKLIST:
+        cd.customMsg = rule.customMsg;
+        return EVENTSTATE_BLOCK_CERTIFICATE;
+      default: break;
+    }
+  }
+
+  NSString *msg = [self fileIsScopeBlacklisted:fi];
+  if (msg) {
+    cd.decisionExtra = msg;
+    return EVENTSTATE_BLOCK_SCOPE;
+  }
+
+  msg = [self fileIsScopeWhitelisted:fi];
+  if (msg) {
+    cd.decisionExtra = msg;
+    return EVENTSTATE_ALLOW_SCOPE;
+  }
+
+  switch ([[SNTConfigurator configurator] clientMode]) {
+    case CLIENTMODE_MONITOR: return EVENTSTATE_ALLOW_UNKNOWN;
+    case CLIENTMODE_LOCKDOWN: return EVENTSTATE_BLOCK_UNKNOWN;
+    default: return EVENTSTATE_BLOCK_UNKNOWN;
+  }
+}
+
+- (void)validateBinaryWithMessage:(santa_message_t)message {
+  // Get info about the file. If we can't get this info, allow execution and log an error.
+  NSError *fileInfoError;
+  SNTFileInfo *binInfo = [[SNTFileInfo alloc] initWithPath:@(message.path) error:&fileInfoError];
+  if (!binInfo) {
+    LOGW(@"Failed to read file %@: %@", binInfo.path, fileInfoError.localizedDescription);
+    [self.driverManager postToKernelAction:ACTION_RESPOND_CHECKBW_ALLOW
+                                forVnodeID:message.vnode_id];
     return;
   }
 
-  // Step 4 - default rule :-(
-  if (!rule) {
-    respondedAction = [self defaultDecision];
-    [self.driverManager postToKernelAction:respondedAction forVnodeID:vnodeId];
-  }
+  // Get codesigning info about the file.
+  SNTCodesignChecker *csInfo = [[SNTCodesignChecker alloc] initWithBinaryPath:binInfo.path];
+
+  // Actually make the decision.
+  SNTCachedDecision *cd = [[SNTCachedDecision alloc] init];
+  cd.sha256 = binInfo.SHA256;
+  cd.certCommonName = csInfo.leafCertificate.commonName;
+  cd.certSHA256 = csInfo.leafCertificate.SHA256;
+  cd.vnodeId = message.vnode_id;
+  cd.decision = [self makeDecision:cd binaryInfo:binInfo];
+
+  // Save decision details for logging the execution later.
+  santa_action_t action = [self actionForEventState:cd.decision];
+  if (action == ACTION_RESPOND_CHECKBW_ALLOW) [self.eventLog saveDecisionDetails:cd];
+
+  // Get name of parent process. Do this before responding to be sure parent doesn't go away.
+  char pname[PROC_PIDPATHINFO_MAXSIZE];
+  proc_name(message.ppid, pname, PROC_PIDPATHINFO_MAXSIZE);
+
+  // Send the decision to the kernel.
+  [self.driverManager postToKernelAction:action forVnodeID:cd.vnodeId];
+
+  // Log to database if necessary.
+  if (cd.decision != EVENTSTATE_ALLOW_BINARY &&
+      cd.decision != EVENTSTATE_ALLOW_CERTIFICATE &&
+      cd.decision != EVENTSTATE_ALLOW_SCOPE) {
 
-  // Step 5 - log to database and potentially alert user
-  if (respondedAction == ACTION_RESPOND_CHECKBW_DENY ||
-      !rule ||
-      [[SNTConfigurator configurator] logAllEvents]) {
     SNTStoredEvent *se = [[SNTStoredEvent alloc] init];
-    se.fileSHA256 = sha256;
-    se.filePath = path;
+    se.occurrenceDate = [[NSDate alloc] init];
+    se.fileSHA256 = cd.sha256;
+    se.filePath = binInfo.path;
+    se.decision = cd.decision;
+
+    se.signingChain = csInfo.certificates;
+    se.pid = @(message.pid);
+    se.ppid = @(message.ppid);
+    se.parentName = @(pname);
+
     se.fileBundleID = [binInfo bundleIdentifier];
     se.fileBundleName = [binInfo bundleName];
 
@@ -118,12 +171,11 @@
       se.fileBundleVersion = [binInfo bundleVersion];
     }
 
-    se.signingChain = csInfo.certificates;
-    se.executingUser = userName;
-    se.occurrenceDate = [[NSDate alloc] init];
-    se.decision = [self eventStateForDecision:respondedAction type:rule.type];
-    se.pid = pid;
-    se.ppid = ppid;
+    struct passwd *user = getpwuid(message.uid);
+    endpwent();
+    if (user) {
+      se.executingUser = @(user->pw_name);
+    }
 
     NSArray *loggedInUsers, *currentSessions;
     [self loggedInUsers:&loggedInUsers sessions:&currentSessions];
@@ -132,170 +184,101 @@
 
     [self.eventTable addStoredEvent:se];
 
-    if (respondedAction == ACTION_RESPOND_CHECKBW_DENY) {
+    // If binary was blocked, do the needful
+    if (action != ACTION_RESPOND_CHECKBW_ALLOW) {
+      [self.eventLog logDeniedExecution:cd withMessage:message];
+
       // So the server has something to show the user straight away, initiate an event
       // upload for the blocked binary rather than waiting for the next sync.
-      // The event upload is skipped if the full path is equal to that of /usr/sbin/santactl so that
-      /// on the off chance that santactl is not whitelisted, we don't get into an infinite loop.
-      if (![path isEqual:@"/usr/sbin/santactl"]) {
-        [self initiateEventUploadForSHA256:sha256];
-      }
+      [self initiateEventUploadForEvent:se];
 
-      [[self.notifierConnection remoteObjectProxy] postBlockNotification:se
-                                                       withCustomMessage:rule.customMsg];
+      if (!cd.silentBlock) {
+        [[self.notifierConnection remoteObjectProxy] postBlockNotification:se
+                                                         withCustomMessage:cd.customMsg];
+      }
     }
   }
-
-  // Step 6 - log to log file
-  [self logDecisionForEventState:[self eventStateForDecision:respondedAction type:rule.type]
-                          sha256:sha256
-                            path:path
-                        leafCert:csInfo.leafCertificate];
 }
 
 ///
 ///  Checks whether the file at @c path is in-scope for checking with Santa.
 ///
 ///  Files that are out of scope:
-///    + Non Mach-O files
-///    + Files in whitelisted directories.
+///    + Non Mach-O files that are not part of an installer package.
+///    + Files in whitelisted path.
 ///
 ///  @return @c YES if file is in scope, @c NO otherwise.
 ///
-- (BOOL)fileIsInScope:(NSString *)path {
-  // Determine if file is within a whitelisted directory.
-  if ([self pathIsInWhitelistedDir:path]) {
-    return NO;
+- (NSString *)fileIsScopeWhitelisted:(SNTFileInfo *)fi {
+  // Determine if file is within a whitelisted path
+  NSRegularExpression *re = [[SNTConfigurator configurator] whitelistPathRegex];
+  if ([re numberOfMatchesInString:fi.path options:0 range:NSMakeRange(0, fi.path.length)]) {
+    return @"Whitelist Regex";
   }
 
-  // If file is not a Mach-O file, we're not interested.
-  // TODO(rah): Consider adding an option to check scripts
-  SNTFileInfo *binInfo = [[SNTFileInfo alloc] initWithPath:path];
-  if (![binInfo isMachO]) {
-    return NO;
+  // If file is not a Mach-O file, we're not interested unless it's part of an install package.
+  // TODO(rah): Consider adding an option to check all scripts.
+  // TODO(rah): Consider adding an option to disable package script checks.
+  if (!fi.isMachO && ![fi.path hasPrefix:@"/private/tmp/PKInstallSandbox."]) {
+    return @"Not a Mach-O";
   }
 
-  return YES;
+  return nil;
 }
 
-- (BOOL)pathIsInWhitelistedDir:(NSString *)path {
-  // TODO(rah): Implement this.
-  return NO;
-}
-
-- (santa_eventstate_t)eventStateForDecision:(santa_action_t)decision type:(santa_ruletype_t)type {
-  if (decision == ACTION_RESPOND_CHECKBW_ALLOW) {
-    if (type == RULETYPE_BINARY) {
-      return EVENTSTATE_ALLOW_BINARY;
-    } else if (type == RULETYPE_CERT) {
-      return EVENTSTATE_ALLOW_CERTIFICATE;
-    } else {
-      return EVENTSTATE_ALLOW_UNKNOWN;
-    }
-  } else if (decision == ACTION_RESPOND_CHECKBW_DENY) {
-    if (type == RULETYPE_BINARY) {
-      return EVENTSTATE_BLOCK_BINARY;
-    } else if (decision == RULETYPE_CERT) {
-      return EVENTSTATE_BLOCK_CERTIFICATE;
-    } else {
-      return EVENTSTATE_BLOCK_UNKNOWN;
-    }
-  } else {
-    return EVENTSTATE_UNKNOWN;
-  }
-}
-
-- (void)logDecisionForEventState:(santa_eventstate_t)eventState
-                          sha256:(NSString *)sha256
-                            path:(NSString *)path
-                        leafCert:(SNTCertificate *)cert {
-  NSString *d, *r, *outLog;
-
-  switch (eventState) {
-    case EVENTSTATE_ALLOW_BINARY:
-      d = @"A"; r = @"B"; break;
-    case EVENTSTATE_ALLOW_CERTIFICATE:
-      d = @"A"; r = @"C"; break;
-    case EVENTSTATE_ALLOW_SCOPE:
-      d = @"A"; r = @"S"; break;
-    case EVENTSTATE_ALLOW_UNKNOWN:
-      d = @"A"; r = @"?"; break;
-    case EVENTSTATE_BLOCK_BINARY:
-      d = @"D"; r = @"B"; break;
-    case EVENTSTATE_BLOCK_CERTIFICATE:
-      d = @"D"; r = @"C"; break;
-    case EVENTSTATE_BLOCK_UNKNOWN:
-      d = @"D"; r = @"?"; break;
-    default:
-      d = @"?"; r = @"?"; break;
+- (NSString *)fileIsScopeBlacklisted:(SNTFileInfo *)fi {
+  NSRegularExpression *re = [[SNTConfigurator configurator] blacklistPathRegex];
+  if ([re numberOfMatchesInString:fi.path options:0 range:NSMakeRange(0, fi.path.length)]) {
+    return @"Blacklist Regex";
   }
 
-  // Ensure there are no pipes in the path name (as this will be confusing in the log)
-  NSString *printPath = [path stringByReplacingOccurrencesOfString:@"|" withString:@"<pipe>"];
+  if (fi.isMissingPageZero) return @"Missing __PAGEZERO";
 
-  if (cert && cert.SHA256 && cert.commonName) {
-    // Also ensure there are no pipes in the cert's common name.
-    NSString *printCommonName = [cert.commonName stringByReplacingOccurrencesOfString:@"|"
-                                                                           withString:@"<pipe>"];
-    outLog = [NSString stringWithFormat:@"%@|%@|%@|%@|%@|%@",
-                 d, r, sha256, printPath, cert.SHA256, printCommonName];
-  } else {
-    outLog = [NSString stringWithFormat:@"%@|%@|%@|%@", d, r, sha256, printPath];
-  }
-
-  // Now make sure none of the log line has a newline in it.
-  LOGI(@"%@", [[outLog componentsSeparatedByCharactersInSet:[NSCharacterSet newlineCharacterSet]]
-                                   componentsJoinedByString:@" "]);
+  return nil;
 }
 
-- (void)initiateEventUploadForSHA256:(NSString *)sha256 {
-  signal(SIGCHLD, SIG_IGN);
-  pid_t child = fork();
-  if (child == 0) {
-    fclose(stdout);
-    fclose(stderr);
+- (void)initiateEventUploadForEvent:(SNTStoredEvent *)event {
+  // The event upload is skipped if the full path is equal to that of santactl so that
+  // on the off chance that santactl is not whitelisted, we don't get into an infinite loop.
+  // It's also skipped if there isn't a server configured or the last sync caused a backoff.
+  if ([event.filePath isEqual:@(kSantaCtlPath)] ||
+      ![[SNTConfigurator configurator] syncBaseURL] ||
+      [[SNTConfigurator configurator] syncBackOff]) return;
 
+  if (fork() == 0) {
     // Ensure we have no privileges
     if (!DropRootPrivileges()) {
-      exit(1);
+      _exit(EPERM);
     }
 
-    exit(execl("/usr/sbin/santactl", "/usr/sbin/santactl", "sync",
-               "singleevent", [sha256 UTF8String], NULL));
+    _exit(execl(kSantaCtlPath, kSantaCtlPath, "sync", "singleevent",
+                [event.fileSHA256 UTF8String], NULL));
   }
 }
 
-- (santa_action_t)defaultDecision {
-  switch ([[SNTConfigurator configurator] clientMode]) {
-    case CLIENTMODE_MONITOR:
-      return ACTION_RESPOND_CHECKBW_ALLOW;
-    case CLIENTMODE_LOCKDOWN:
-      return ACTION_RESPOND_CHECKBW_DENY;
-    default:
-      // This should never happen, panic and lockdown.
-      LOGE(@"Client mode is unset while enforcement is in effect. Blocking.");
-      return ACTION_RESPOND_CHECKBW_DENY;
-  }
-}
-
-- (santa_action_t)actionForRuleState:(santa_rulestate_t)state {
+- (santa_action_t)actionForEventState:(santa_eventstate_t)state {
   switch (state) {
-    case RULESTATE_WHITELIST:
+    case EVENTSTATE_ALLOW_BINARY:
+    case EVENTSTATE_ALLOW_CERTIFICATE:
+    case EVENTSTATE_ALLOW_SCOPE:
+    case EVENTSTATE_ALLOW_UNKNOWN:
       return ACTION_RESPOND_CHECKBW_ALLOW;
-    case RULESTATE_BLACKLIST:
-    case RULESTATE_SILENT_BLACKLIST:
+    case EVENTSTATE_BLOCK_BINARY:
+    case EVENTSTATE_BLOCK_CERTIFICATE:
+    case EVENTSTATE_BLOCK_SCOPE:
+    case EVENTSTATE_BLOCK_UNKNOWN:
       return ACTION_RESPOND_CHECKBW_DENY;
     default:
-      return ACTION_ERROR;
+      LOGW(@"Invalid event state %d", state);
+      return ACTION_RESPOND_CHECKBW_DENY;
   }
 }
 
 - (void)loggedInUsers:(NSArray **)users sessions:(NSArray **)sessions {
-  struct utmpx *nxt;
-
   NSMutableDictionary *loggedInUsers = [[NSMutableDictionary alloc] init];
   NSMutableDictionary *loggedInHosts = [[NSMutableDictionary alloc] init];
 
+  struct utmpx *nxt;
   while ((nxt = getutxent())) {
     if (nxt->ut_type != USER_PROCESS) continue;
 
@@ -308,11 +291,11 @@
       sessionName = [NSString stringWithFormat:@"%s@%s", nxt->ut_user, nxt->ut_line];
     }
 
-    if ([userName length] > 0) {
+    if (userName.length > 0) {
       loggedInUsers[userName] = [NSNull null];
     }
 
-    if ([sessionName length] > 1) {
+    if (sessionName.length > 1) {
       loggedInHosts[sessionName] = [NSNull null];
     }
   }

Source/santad/SNTRuleTable.h

@@ -27,17 +27,17 @@
 ///
 ///  @return Number of rules in the database
 ///
-- (long)ruleCount;
+- (NSUInteger)ruleCount;
 
 ///
 ///  @return Number of binary rules in the database
 ///
-- (long)binaryRuleCount;
+- (NSUInteger)binaryRuleCount;
 
 ///
 ///  @return Number of certificate rules in the database
 ///
-- (long)certificateRuleCount;
+- (NSUInteger)certificateRuleCount;
 
 ///
 ///  @return Rule for binary with given SHA-256
@@ -54,7 +54,7 @@
 ///  transaction will abort if any rule fails to add.
 ///
 ///  @param rules Array of SNTRule's to add.
-///  @param cleanslate If true, remove all rules before adding the new rules.
+///  @param cleanSlate If true, remove all rules before adding the new rules.
 ///  @return YES if all rules were added successfully.
 ///
 - (BOOL)addRules:(NSArray *)rules cleanSlate:(BOOL)cleanSlate;

Source/santad/SNTRuleTable.m

@@ -16,12 +16,13 @@
 
 #import "SNTCertificate.h"
 #import "SNTCodesignChecker.h"
+#import "SNTLogging.h"
 #import "SNTRule.h"
 
 @implementation SNTRuleTable
 
-- (int)initializeDatabase:(FMDatabase *)db fromVersion:(int)version {
-  int newVersion = 0;
+- (uint32_t)initializeDatabase:(FMDatabase *)db fromVersion:(uint32_t)version {
+  uint32_t newVersion = 0;
 
   if (version < 1) {
     [db executeUpdate:@"CREATE TABLE 'rules' ("
@@ -54,24 +55,24 @@
 
 #pragma mark Entry Counts
 
-- (long)ruleCount {
-  __block long count = 0;
+- (NSUInteger)ruleCount {
+  __block NSUInteger count = 0;
   [self inDatabase:^(FMDatabase *db) {
-      count = [db longForQuery:@"SELECT COUNT(*) FROM rules"];
+    count = [db longForQuery:@"SELECT COUNT(*) FROM rules"];
   }];
   return count;
 }
 
-- (long)binaryRuleCount {
-  __block long count = 0;
+- (NSUInteger)binaryRuleCount {
+  __block NSUInteger count = 0;
   [self inDatabase:^(FMDatabase *db) {
       count = [db longForQuery:@"SELECT COUNT(*) FROM binrules"];
   }];
   return count;
 }
 
-- (long)certificateRuleCount {
-  __block long count = 0;
+- (NSUInteger)certificateRuleCount {
+  __block NSUInteger count = 0;
   [self inDatabase:^(FMDatabase *db) {
       count = [db longForQuery:@"SELECT COUNT(*) FROM certrules"];
   }];
@@ -95,7 +96,7 @@
   [self inDatabase:^(FMDatabase *db) {
       FMResultSet *rs = [db executeQuery:@"SELECT * FROM certrules WHERE shasum=? LIMIT 1", SHA256];
       if ([rs next]) {
-          rule = [self ruleFromResultSet:rs];
+        rule = [self ruleFromResultSet:rs];
       }
       [rs close];
   }];
@@ -122,14 +123,18 @@
 - (BOOL)addRules:(NSArray *)rules cleanSlate:(BOOL)cleanSlate {
   __block BOOL failed = NO;
 
+  if (!rules || rules.count < 1) {
+    LOGE(@"Received request to add rules with nil/empty array.");
+    return NO;
+  }
+
   [self inTransaction:^(FMDatabase *db, BOOL *rollback) {
       if (cleanSlate) {
         [db executeUpdate:@"DELETE FROM rules"];
       }
 
       for (SNTRule *rule in rules) {
-        if (![rule isKindOfClass:[SNTRule class]] ||
-            !rule.shasum || rule.shasum.length == 0 ||
+        if (![rule isKindOfClass:[SNTRule class]] || rule.shasum.length == 0 ||
             rule.state == RULESTATE_UNKNOWN || rule.type == RULETYPE_UNKNOWN) {
           *rollback = failed = YES;
           return;
@@ -143,8 +148,8 @@
           }
         } else {
           if (![db executeUpdate:@"INSERT OR REPLACE INTO rules "
-                                @"(shasum, state, type, custommsg) "
-                                @"VALUES (?, ?, ?, ?);",
+                                 @"(shasum, state, type, custommsg) "
+                                 @"VALUES (?, ?, ?, ?);",
                   rule.shasum, @(rule.state), @(rule.type), rule.customMsg]) {
             *rollback = failed = YES;
             return;

Source/santad/main.m

@@ -14,12 +14,71 @@
 
 #include "SNTLogging.h"
 
+#include <pthread/pthread.h>
+#include <sys/resource.h>
+
 #import "SNTApplication.h"
 
+///  Converts a timeval struct to double, converting the microseconds value to seconds.
+static inline double timeval_to_double(struct timeval tv) {
+  return (double)tv.tv_sec + (double)tv.tv_usec / 1000000.0;
+}
+
+///  The watchdog thread function, used to monitor santad CPU/RAM usage and print a warning
+///  if it goes over certain thresholds.
+void *watchdogThreadFunction(__unused void *idata) {
+  pthread_setname_np("com.google.santa.watchdog");
+
+  // Number of seconds to wait between checks.
+  const int timeInterval = 60;
+
+  // Amount of CPU usage to trigger warning, as a percentage averaged over timeInterval
+  // santad's usual CPU usage is 0-3% but can occasionally spike if lots of processes start at once.
+  const int cpuWarnThreshold = 20.0;
+
+  // Amount of RAM usage to trigger warning, in MB.
+  // santad's usual RAM usage is between 5-50MB but can spike if lots of processes start at once.
+  const int memWarnThreshold = 250;
+
+  double prevTotalTime = 0.0;
+  double prevRamUseMB = 0.0;
+  struct rusage usage;
+  struct mach_task_basic_info taskInfo;
+  mach_msg_type_number_t taskInfoCount = MACH_TASK_BASIC_INFO_COUNT;
+
+  while(true) {
+    @autoreleasepool {
+      sleep(timeInterval);
+
+      // CPU
+      getrusage(RUSAGE_SELF, &usage);
+      double totalTime = timeval_to_double(usage.ru_utime) + timeval_to_double(usage.ru_stime);
+      double percentage = (((totalTime - prevTotalTime) / (double)timeInterval) * 100.0);
+      prevTotalTime = totalTime;
+
+      if (percentage > cpuWarnThreshold) {
+        LOGW(@"Watchdog: potentially high CPU use, ~%.2f%% over last %d seconds.",
+             percentage, timeInterval);
+      }
+
+      // RAM
+      if (KERN_SUCCESS == task_info(mach_task_self(), MACH_TASK_BASIC_INFO,
+                                    (task_info_t)&taskInfo, &taskInfoCount)) {
+        double ramUseMB = (double) taskInfo.resident_size / 1024 / 1024;
+        if (ramUseMB > memWarnThreshold && ramUseMB > prevRamUseMB) {
+          LOGW(@"Watchdog: potentially high RAM use, RSS is %.2fMB.", ramUseMB);
+        }
+        prevRamUseMB = ramUseMB;
+      }
+    }
+  }
+  return NULL;
+}
+
 int main(int argc, const char *argv[]) {
   @autoreleasepool {
-    // Do not buffer stdout
-    setbuf(stdout, NULL);
+    // Do not wait on child processes
+    signal(SIGCHLD, SIG_IGN);
 
     NSDictionary *infoDict = [[NSBundle mainBundle] infoDictionary];
 
@@ -28,11 +87,19 @@ int main(int argc, const char *argv[]) {
       return 0;
     }
 
+    // Close stdout/stderr so logging goes to syslog
+    fclose(stdout);
+    fclose(stderr);
+
     LOGI(@"Started, version %@", infoDict[@"CFBundleVersion"]);
 
     SNTApplication *s = [[SNTApplication alloc] init];
     [s performSelectorInBackground:@selector(run) withObject:nil];
 
+    // Create watchdog thread
+    pthread_t watchdogThread;
+    pthread_create(&watchdogThread, NULL, watchdogThreadFunction, NULL);
+
     [[NSRunLoop mainRunLoop] run];
   }
 }

Tests/KernelTests/main.m

@@ -29,23 +29,30 @@
 ///
 
 #define TSTART(testName) \
-    printf("   %-50s ", testName);
+    do { printf("   %-50s ", testName); } while (0)
 #define TPASS() \
-    printf("\x1b[32mPASS\x1b[0m\n");
+    do { printf("\x1b[32mPASS\x1b[0m\n"); } while (0)
 #define TPASSINFO(fmt, ...) \
-    printf("\x1b[32mPASS\x1b[0m\n      " fmt "\n", ##__VA_ARGS__);
+    do { printf("\x1b[32mPASS\x1b[0m\n      " fmt "\n", ##__VA_ARGS__); } while (0)
 #define TFAIL() \
-    printf("\x1b[31mFAIL\x1b[0m\n"); \
-    exit(1);
+    do { \
+      printf("\x1b[31mFAIL\x1b[0m\n"); \
+      exit(1); \
+    } while (0)
 #define TFAILINFO(fmt, ...) \
-    printf("\x1b[31mFAIL\x1b[0m\n   -> " fmt "\n\nTest failed.\n\n", ##__VA_ARGS__); \
-    exit(1);
+    do { \
+      printf("\x1b[31mFAIL\x1b[0m\n   -> " fmt "\n\nTest failed.\n\n", ##__VA_ARGS__); \
+      exit(1); \
+    } while (0)
 
 @interface SantaKernelTests : NSObject
 @property io_connect_t connection;
 @property int timesSeenLs;
 @property int timesSeenCat;
 @property int timesSeenCp;
+
+@property int testExeIteration;
+@property int timesSeenTestExeIteration;
 - (void)runTests;
 @end
 
@@ -60,16 +67,15 @@
   t.standardInput = nil;
   t.standardOutput = nil;
   t.standardError = nil;
-
   return t;
 }
 
 - (NSString *)sha256ForPath:(NSString *)path {
   unsigned char sha256[CC_SHA256_DIGEST_LENGTH];
-  NSData *psData = [NSData dataWithContentsOfFile:path
-                                          options:NSDataReadingMappedIfSafe
-                                            error:nil];
-  CC_SHA256([psData bytes], (unsigned int)[psData length], sha256);
+  NSData *fData = [NSData dataWithContentsOfFile:path
+                                         options:NSDataReadingMappedIfSafe
+                                           error:nil];
+  CC_SHA256([fData bytes], (unsigned int)[fData length], sha256);
   char buf[CC_SHA256_DIGEST_LENGTH * 2 + 1];
   for (int i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) {
     snprintf(buf + (2*i), 4, "%02x", (unsigned char)sha256[i]);
@@ -80,8 +86,8 @@
 
 #pragma mark - Driver Helpers
 
-/// Call in-kernel function: |kSantaUserClientReceive| passing the |action| and |vnodeId| via a
-/// |santa_message_t| struct.
+/// Call in-kernel function: |kSantaUserClientAllowBinary| or |kSantaUserClientDenyBinary|
+/// passing the |vnodeID|.
 - (void)postToKernelAction:(santa_action_t)action forVnodeID:(uint64_t)vnodeid {
   if (action == ACTION_RESPOND_CHECKBW_ALLOW) {
     IOConnectCallScalarMethod(self.connection, kSantaUserClientAllowBinary, &vnodeid, 1, 0, 0);
@@ -188,17 +194,26 @@
   }
   TPASS();
 
-  // Fetch the SHA-256 of /bin/ps, as we'll be using that for the cache invalidation test.
-  NSString *psSHA = [self sha256ForPath:@"/bin/ps"];
+  // Fetch the SHA-256 of /bin/ed, as we'll be using that for the cache invalidation test.
+  NSString *edSHA = [self sha256ForPath:@"/bin/ed"];
+
+  // Create the RE used for matching testexe's
+  NSString *cwd = [[NSFileManager defaultManager] currentDirectoryPath];
+  NSString *pattern = [cwd stringByAppendingPathComponent:@"testexe\\.(\\d+)"];
+  NSRegularExpression *re = [NSRegularExpression regularExpressionWithPattern:pattern
+                                                                      options:0
+                                                                        error:NULL];
 
   /// Begin listening for events
   queueMemory = (IODataQueueMemory *)address;
-  while (IODataQueueWaitForAvailableData(queueMemory, receivePort) == kIOReturnSuccess) {
+  do {
     while (IODataQueueDataAvailable(queueMemory)) {
       dataSize = sizeof(vdata);
       kr = IODataQueueDequeue(queueMemory, &vdata, &dataSize);
       if (kr == kIOReturnSuccess) {
-        if ([[self sha256ForPath:@(vdata.path)] isEqual:psSHA]) {
+        if (vdata.action != ACTION_REQUEST_CHECKBW) continue;
+
+        if ([[self sha256ForPath:@(vdata.path)] isEqual:edSHA]) {
           [self postToKernelAction:ACTION_RESPOND_CHECKBW_DENY forVnodeID:vdata.vnode_id];
         } else if (strncmp("/bin/mv", vdata.path, strlen("/bin/mv")) == 0) {
           [self postToKernelAction:ACTION_RESPOND_CHECKBW_DENY forVnodeID:vdata.vnode_id];
@@ -220,6 +235,26 @@
           }
           TPASSINFO("Received pid, ppid: %d, %d", vdata.pid, vdata.ppid);
         } else {
+          NSString *path = @(vdata.path);
+
+          // If current executable is one of our test exe's from handlesLotsOfBinaries,
+          // check that the number has increased.
+          NSArray *matches = [re matchesInString:path
+                                         options:0
+                                           range:NSMakeRange(0, path.length)];
+          if (matches.count == 1 && [matches[0] numberOfRanges] == 2) {
+            NSUInteger count = [[path substringWithRange:[matches[0] rangeAtIndex:1]] intValue];
+            if (count <= self.testExeIteration && count > 0) {
+              self.timesSeenTestExeIteration++;
+              if (self.timesSeenTestExeIteration > 2) {
+                TFAILINFO("Saw same binary several times");
+              }
+            } else {
+              self.timesSeenTestExeIteration = 0;
+              self.testExeIteration = (int)count;
+            }
+          }
+
           // Allow everything not related to our testing.
           [self postToKernelAction:ACTION_RESPOND_CHECKBW_ALLOW forVnodeID:vdata.vnode_id];
         }
@@ -227,7 +262,7 @@
         TFAILINFO("Error receiving data: %d", kr);
       }
     }
-  }
+  }  while (IODataQueueWaitForAvailableData(queueMemory, receivePort) == kIOReturnSuccess);
 
   IOConnectUnmapMemory(self.connection, kIODefaultMemoryType, mach_task_self(), address);
   mach_port_destroy(mach_task_self(), receivePort);
@@ -239,11 +274,11 @@
 - (void)receiveAndBlockTests {
   TSTART("Blocks denied binaries");
 
-  NSTask *ps = [self taskWithPath:@"/bin/ps"];
+  NSTask *ed = [self taskWithPath:@"/bin/ed"];
 
   @try {
-    [ps launch];
-    [ps waitUntilExit];
+    [ed launch];
+    [ed waitUntilExit];
     TFAIL();
   }
   @catch (NSException *exception) {
@@ -282,12 +317,12 @@
 
   // Copy the ls binary to a new file
   NSFileManager *fm = [NSFileManager defaultManager];
-  if (![fm copyItemAtPath:@"/bin/pwd" toPath:@"santakerneltests_tmp" error:nil]) {
+  if (![fm copyItemAtPath:@"/bin/pwd" toPath:@"invalidacachetest_tmp" error:nil]) {
     TFAILINFO("Failed to create temp file");
   }
 
   // Launch the new file to put it in the cache
-  NSTask *pwd = [self taskWithPath:@"santakerneltests_tmp"];
+  NSTask *pwd = [self taskWithPath:@"invalidacachetest_tmp"];
   [pwd launch];
   [pwd waitUntilExit];
 
@@ -296,28 +331,42 @@
     TFAILINFO("First launch of test binary failed");
   }
 
-  // Now replace the contents of the test file (which is cached) with the contents of /bin/ps,
+  // Now replace the contents of the test file (which is cached) with the contents of /bin/ed,
   // which is 'blacklisted' by SHA-256 during the tests.
-  FILE *infile = fopen("/bin/ps", "r");
-  FILE *outfile = fopen("santakerneltests_tmp", "w");
+  FILE *infile = fopen("/bin/ed", "r");
+  FILE *outfile = fopen("invalidacachetest_tmp", "w");
   int ch;
   while ((ch = fgetc(infile)) != EOF) {
     fputc(ch, outfile);
   }
   fclose(infile);
-  fclose(outfile);
 
   // Now try running the temp file again. If it succeeds, the test failed.
-  NSTask *ps = [self taskWithPath:@"santakerneltests_tmp"];
+  NSTask *ed = [self taskWithPath:@"invalidacachetest_tmp"];
 
   @try {
-    [ps launch];
-    [ps waitUntilExit];
-    TFAIL();
+    [ed launch];
+    [ed waitUntilExit];
+    TFAILINFO("Launched after write while file open");
+    [fm removeItemAtPath:@"invalidacachetest_tmp" error:nil];
+  } @catch (NSException *exception) {
+    // This is a pass, but we have more to do.
+  }
+
+  // Close the file to flush the write.
+  fclose(outfile);
+
+  // And try running the temp file again. If it succeeds, the test failed.
+  ed = [self taskWithPath:@"invalidacachetest_tmp"];
+
+  @try {
+    [ed launch];
+    [ed waitUntilExit];
+    TFAILINFO("Launched after file closed");
   } @catch (NSException *exception) {
     TPASS();
   } @finally {
-    [fm removeItemAtPath:@"santakerneltests_tmp" error:nil];
+    [fm removeItemAtPath:@"invalidacachetest_tmp" error:nil];
   }
 }
 
@@ -358,12 +407,12 @@
   } else if (pid > 0) {
     int status;
     waitpid(pid, &status, 0);
-    if (WIFEXITED(status) && WEXITSTATUS(status) == EACCES) {
+    if (WIFEXITED(status) && WEXITSTATUS(status) == EPERM) {
       TPASS();
     } else if (WIFSTOPPED(status)) {
       TFAILINFO("Process was executed and is waiting for debugger");
     } else {
-      TFAILINFO("Process did not exit with EACCESS as expected");
+      TFAILINFO("Process did not exit with EPERM as expected");
     }
   } else if (pid == 0) {
     fclose(stdout);
@@ -374,6 +423,36 @@
   }
 }
 
+/// Tests that the kernel can handle _lots_ of executions.
+- (void)handlesLotsOfBinaries {
+  TSTART("Handles lots of binaries");
+
+  const int LIMIT = 12000;
+
+  for (int i = 0; i < LIMIT; i++) {
+    printf("\033[s");  // save cursor position
+
+    printf("%d/%i", i+1, LIMIT);
+
+    NSString *fname = [@"testexe" stringByAppendingFormat:@".%i", i];
+    [[NSFileManager defaultManager] copyItemAtPath:@"/bin/hostname" toPath:fname error:NULL];
+
+    @try {
+      NSTask *testexec = [self taskWithPath:fname];
+      [testexec launch];
+      [testexec waitUntilExit];
+    } @catch (NSException *e) {
+      TFAILINFO("Failed to launch");
+    }
+
+    unlink([fname UTF8String]);
+    printf("\033[u");  // restore cursor position
+  }
+  printf("\033[K\033[u");  // clear line, restore cursor position
+
+  TPASS();
+}
+
 #pragma mark - Main
 
 - (void)runTests {
@@ -388,7 +467,7 @@
   [self performSelectorInBackground:@selector(beginListening) withObject:nil];
 
   // Wait for driver to finish getting ready
-  sleep(1.0);
+  sleep(1);
   printf("\n-> Functional tests:\033[m\n");
 
   [self receiveAndBlockTests];
@@ -396,6 +475,7 @@
   [self invalidatesCacheTests];
   [self clearCacheTests];
   [self blocksDeniedTracedBinaries];
+  [self handlesLotsOfBinaries];
 
   printf("\nAll tests passed.\n\n");
 }

Tests/LogicTests/SNTEventTableTest.m

@@ -113,4 +113,23 @@
   XCTAssertEqual(self.sut.pendingEventsCount, 0);
 }
 
+- (void)testDeleteCorruptEvent {
+  [self.dbq inDatabase:^(FMDatabase *db) {
+      [db executeUpdate:@"INSERT INTO events (filesha256) VALUES ('deadbeef')"];
+  }];
+
+  NSArray *events = [self.sut pendingEvents];
+  for (SNTStoredEvent *event in events) {
+    if ([event.fileSHA256 isEqual:@"deadbeef"]) XCTFail("Received bad event");
+  }
+
+  [self.dbq inDatabase:^(FMDatabase *db) {
+      FMResultSet *rs = [db executeQuery:@"SELECT * FROM events WHERE filesha256='deadbeef'"];
+      if ([rs next]) {
+        XCTFail("Bad event was not deleted.");
+      }
+      [rs close];
+  }];
+}
+
 @end

Tests/LogicTests/SNTExecutionControllerTest.m

@@ -26,10 +26,6 @@
 #import "SNTRule.h"
 #import "SNTRuleTable.h"
 
-@interface SNTExecutionController (Testing)
-- (BOOL)fileIsInScope:(NSString *)path;
-@end
-
 @interface SNTExecutionControllerTest : XCTestCase
 @property id mockConfigurator;
 @property id mockCodesignChecker;
@@ -55,13 +51,13 @@
 
   self.mockConfigurator = OCMClassMock([SNTConfigurator class]);
   OCMStub([self.mockConfigurator configurator]).andReturn(self.mockConfigurator);
-  OCMStub([self.mockConfigurator configurator]).andReturn(self.mockConfigurator);
 
   self.mockDriverManager = OCMClassMock([SNTDriverManager class]);
 
   self.mockFileInfo = OCMClassMock([SNTFileInfo class]);
   OCMStub([self.mockFileInfo alloc]).andReturn(self.mockFileInfo);
-  OCMStub([self.mockFileInfo initWithPath:OCMOCK_ANY]).andReturn(self.mockFileInfo);
+  OCMStub([self.mockFileInfo initWithPath:OCMOCK_ANY
+                                    error:[OCMArg setTo:nil]]).andReturn(self.mockFileInfo);
 
   self.mockRuleDatabase = OCMClassMock([SNTRuleTable class]);
   self.mockEventDatabase = OCMClassMock([SNTEventTable class]);
@@ -69,7 +65,18 @@
   self.sut = [[SNTExecutionController alloc] initWithDriverManager:self.mockDriverManager
                                                          ruleTable:self.mockRuleDatabase
                                                         eventTable:self.mockEventDatabase
-                                                notifierConnection:nil];
+                                                notifierConnection:nil
+                                                          eventLog:nil];
+}
+
+///  Return a pre-configured santa_message_ t for testing with.
+- (santa_message_t)getMessage {
+  santa_message_t message = {0};
+  message.pid = 12;
+  message.ppid = 1;
+  message.vnode_id = 1234;
+  strncpy(message.path, "/a/file", 7);
+  return message;
 }
 
 - (void)tearDown {
@@ -83,124 +90,106 @@
 }
 
 - (void)testBinaryWhitelistRule {
-  id mockSut = OCMPartialMock(self.sut);
-  OCMStub([mockSut fileIsInScope:OCMOCK_ANY]).andReturn(YES);
-
-  OCMExpect([self.mockFileInfo SHA256]).andReturn(@"a");
+  OCMStub([self.mockFileInfo isMachO]).andReturn(YES);
+  OCMStub([self.mockFileInfo SHA256]).andReturn(@"a");
 
   SNTRule *rule = [[SNTRule alloc] init];
   rule.state = RULESTATE_WHITELIST;
-  OCMExpect([self.mockRuleDatabase binaryRuleForSHA256:@"a"]).andReturn(rule);
+  OCMStub([self.mockRuleDatabase binaryRuleForSHA256:@"a"]).andReturn(rule);
 
-  [self.sut validateBinaryWithPath:@"/a/file"
-                          userName:@"nobody"
-                               pid:@(12)
-                              ppid:@(1)
-                           vnodeId:1234];
+  [self.sut validateBinaryWithMessage:[self getMessage]];
 
   OCMVerify([self.mockDriverManager postToKernelAction:ACTION_RESPOND_CHECKBW_ALLOW
                                             forVnodeID:1234]);
 }
 
 - (void)testBinaryBlacklistRule {
-  id mockSut = OCMPartialMock(self.sut);
-  OCMStub([mockSut fileIsInScope:OCMOCK_ANY]).andReturn(YES);
-
-  OCMExpect([self.mockFileInfo SHA256]).andReturn(@"a");
+  OCMStub([self.mockFileInfo isMachO]).andReturn(YES);
+  OCMStub([self.mockFileInfo SHA256]).andReturn(@"a");
 
   SNTRule *rule = [[SNTRule alloc] init];
   rule.state = RULESTATE_BLACKLIST;
-  OCMExpect([self.mockRuleDatabase binaryRuleForSHA256:@"a"]).andReturn(rule);
+  OCMStub([self.mockRuleDatabase binaryRuleForSHA256:@"a"]).andReturn(rule);
 
-  [self.sut validateBinaryWithPath:@"/a/file"
-                          userName:@"nobody"
-                               pid:@(12)
-                              ppid:@(1)
-                           vnodeId:1234];
+  [self.sut validateBinaryWithMessage:[self getMessage]];
 
   OCMVerify([self.mockDriverManager postToKernelAction:ACTION_RESPOND_CHECKBW_DENY
                                             forVnodeID:1234]);
 }
 
 - (void)testCertificateWhitelistRule {
-  id mockSut = OCMPartialMock(self.sut);
-  OCMStub([mockSut fileIsInScope:OCMOCK_ANY]).andReturn(YES);
+  OCMStub([self.mockFileInfo isMachO]).andReturn(YES);
+  OCMStub([self.mockFileInfo SHA256]).andReturn(@"a");
 
   id cert = OCMClassMock([SNTCertificate class]);
-  OCMExpect([self.mockCodesignChecker leafCertificate]).andReturn(cert);
-  OCMExpect([cert SHA256]).andReturn(@"a");
+  OCMStub([self.mockCodesignChecker leafCertificate]).andReturn(cert);
+  OCMStub([cert SHA256]).andReturn(@"a");
 
   SNTRule *rule = [[SNTRule alloc] init];
   rule.state = RULESTATE_WHITELIST;
-  OCMExpect([self.mockRuleDatabase certificateRuleForSHA256:@"a"]).andReturn(rule);
+  OCMStub([self.mockRuleDatabase certificateRuleForSHA256:@"a"]).andReturn(rule);
 
-  [self.sut validateBinaryWithPath:@"/a/file"
-                          userName:@"nobody"
-                               pid:@(12)
-                              ppid:@(1)
-                           vnodeId:1234];
+  [self.sut validateBinaryWithMessage:[self getMessage]];
 
   OCMVerify([self.mockDriverManager postToKernelAction:ACTION_RESPOND_CHECKBW_ALLOW
                                             forVnodeID:1234]);
 }
 
 - (void)testCertificateBlacklistRule {
-  id mockSut = OCMPartialMock(self.sut);
-  OCMStub([mockSut fileIsInScope:OCMOCK_ANY]).andReturn(YES);
+  OCMStub([self.mockFileInfo isMachO]).andReturn(YES);
+  OCMStub([self.mockFileInfo SHA256]).andReturn(@"a");
 
   id cert = OCMClassMock([SNTCertificate class]);
-  OCMExpect([self.mockCodesignChecker leafCertificate]).andReturn(cert);
-  OCMExpect([cert SHA256]).andReturn(@"a");
+  OCMStub([self.mockCodesignChecker leafCertificate]).andReturn(cert);
+  OCMStub([cert SHA256]).andReturn(@"a");
 
   SNTRule *rule = [[SNTRule alloc] init];
   rule.state = RULESTATE_BLACKLIST;
-  OCMExpect([self.mockRuleDatabase certificateRuleForSHA256:@"a"]).andReturn(rule);
+  OCMStub([self.mockRuleDatabase certificateRuleForSHA256:@"a"]).andReturn(rule);
 
-  [self.sut validateBinaryWithPath:@"/a/file"
-                          userName:@"nobody"
-                               pid:@(12)
-                              ppid:@(1)
-                           vnodeId:1234];
+  [self.sut validateBinaryWithMessage:[self getMessage]];
 
   OCMVerify([self.mockDriverManager postToKernelAction:ACTION_RESPOND_CHECKBW_DENY
                                             forVnodeID:1234]);
 }
 
 - (void)testDefaultDecision {
-  id mockSut = OCMPartialMock(self.sut);
-  OCMStub([mockSut fileIsInScope:OCMOCK_ANY]).andReturn(YES);
+  OCMStub([self.mockFileInfo isMachO]).andReturn(YES);
+  OCMStub([self.mockFileInfo SHA256]).andReturn(@"a");
 
   OCMExpect([self.mockConfigurator clientMode]).andReturn(CLIENTMODE_MONITOR);
-  [self.sut validateBinaryWithPath:@"/a/file"
-                          userName:@"nobody"
-                               pid:@(12)
-                              ppid:@(1)
-                           vnodeId:1234];
+  [self.sut validateBinaryWithMessage:[self getMessage]];
   OCMVerify([self.mockDriverManager postToKernelAction:ACTION_RESPOND_CHECKBW_ALLOW
                                             forVnodeID:1234]);
 
   OCMExpect([self.mockConfigurator clientMode]).andReturn(CLIENTMODE_LOCKDOWN);
-  [self.sut validateBinaryWithPath:@"/a/file"
-                          userName:@"nobody"
-                               pid:@(12)
-                              ppid:@(1)
-                           vnodeId:1234];
+  [self.sut validateBinaryWithMessage:[self getMessage]];
   OCMVerify([self.mockDriverManager postToKernelAction:ACTION_RESPOND_CHECKBW_DENY
                                             forVnodeID:1234]);
 }
 
 - (void)testOutOfScope {
-  id mockSut = OCMPartialMock(self.sut);
-  OCMStub([mockSut fileIsInScope:OCMOCK_ANY]).andReturn(NO);
+  OCMStub([self.mockFileInfo isMachO]).andReturn(NO);
 
-  OCMExpect([self.mockConfigurator clientMode]).andReturn(CLIENTMODE_LOCKDOWN);
-  [self.sut validateBinaryWithPath:@"/a/file"
-                          userName:@"nobody"
-                               pid:@(24)
-                              ppid:@(1)   
-                           vnodeId:1234];
+  OCMStub([self.mockConfigurator clientMode]).andReturn(CLIENTMODE_LOCKDOWN);
+  [self.sut validateBinaryWithMessage:[self getMessage]];
   OCMVerify([self.mockDriverManager postToKernelAction:ACTION_RESPOND_CHECKBW_ALLOW
                                             forVnodeID:1234]);
 }
 
+- (void)testMissingShasum {
+  [self.sut validateBinaryWithMessage:[self getMessage]];
+  OCMVerify([self.mockDriverManager postToKernelAction:ACTION_RESPOND_CHECKBW_ALLOW
+                                            forVnodeID:1234]);
+}
+
+- (void)testPageZero {
+  OCMStub([self.mockFileInfo isMachO]).andReturn(YES);
+  OCMStub([self.mockFileInfo isMissingPageZero]).andReturn(YES);
+
+  [self.sut validateBinaryWithMessage:[self getMessage]];
+  OCMVerify([self.mockDriverManager postToKernelAction:ACTION_RESPOND_CHECKBW_DENY
+                                            forVnodeID:1234]);
+}
+
 @end

Tests/LogicTests/SNTFileInfoTest.m

@@ -26,7 +26,7 @@
   XCTAssertNotNil(sut);
   XCTAssertEqualObjects(sut.path, @"/Applications/Safari.app/Contents/MacOS/Safari");
 
-  sut = [[SNTFileInfo alloc] initWithPath:@"../../../../../../../../../bin/ls"];
+  sut = [[SNTFileInfo alloc] initWithPath:@"../../../../../../../../../../../../../../../bin/ls"];
   XCTAssertEqualObjects(sut.path, @"/bin/ls");
 
   sut = [[SNTFileInfo alloc] initWithPath:@"/usr/bin/qlmanage"];
@@ -35,17 +35,24 @@
 }
 
 - (void)testSHA1 {
-  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:@"/sbin/launchd"];
+  NSString *path = [[NSBundle bundleForClass:[self class]] pathForResource:@"missing_pagezero"
+                                                                    ofType:@""];
+  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:path];
 
   XCTAssertNotNil(sut.SHA1);
   XCTAssertEqual(sut.SHA1.length, 40);
+  XCTAssertEqualObjects(sut.SHA1, @"3a865bf47b4ceba20496e0e66e39e4cfa101ffe6");
 }
 
 - (void)testSHA256 {
-  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:@"/sbin/launchd"];
+  NSString *path = [[NSBundle bundleForClass:[self class]] pathForResource:@"missing_pagezero"
+                                                                    ofType:@""];
+  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:path];
 
   XCTAssertNotNil(sut.SHA256);
   XCTAssertEqual(sut.SHA256.length, 64);
+  XCTAssertEqualObjects(sut.SHA256,
+                        @"5e089b65a1e7a4696d84a34510710b6993d1de21250c41daaec63d9981083eba");
 }
 
 - (void)testExecutable {
@@ -60,6 +67,20 @@
   XCTAssertFalse(sut.isScript);
 }
 
+- (void)testPageZero {
+  NSString *path = [[NSBundle bundleForClass:[self class]] pathForResource:@"missing_pagezero"
+                                                                    ofType:@""];
+  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:path];
+  XCTAssertTrue(sut.isMissingPageZero);
+
+  path = [[NSBundle bundleForClass:[self class]] pathForResource:@"bad_pagezero" ofType:@""];
+  sut = [[SNTFileInfo alloc] initWithPath:path];
+  XCTAssertTrue(sut.isMissingPageZero);
+
+  sut = [[SNTFileInfo alloc] initWithPath:@"/usr/sbin/bless"];
+  XCTAssertFalse(sut.isMissingPageZero);
+}
+
 - (void)testKext {
   SNTFileInfo *sut =
       [[SNTFileInfo alloc] initWithPath: