log deny because of dirty vnode (#267)

* log dirty vnode blocks

* review update

.gitignore

@@ -1,8 +1,12 @@
 .DS_Store
 Build
-Dist
+santa-*
+!santa-driver
+!*.md
 Pods
 Santa.xcodeproj/xcuserdata
 Santa.xcodeproj/project.xcworkspace
 Santa.xcworkspace/xcuserdata
 Santa.xcworkspace/xcshareddata
+Source/DevelopmentTeam.xcconfig
+default.profraw

.travis.yml

@@ -1,11 +1,12 @@
 ---
 language: objective-c
-cache: cocoapods
+cache:
+  - bundler
+  - cocoapods
 sudo: false
-osx_image: xcode7
+osx_image: xcode9.3
 
 before_install:
- - gem install activesupport
  - gem install cocoapods xcpretty
  - pod setup >/dev/null
 

CONTRIBUTING.md

@@ -29,8 +29,8 @@ rake tests:kernel  # only necessary if you're changing the kext code
 
 All code submissions should try to match the surrounding code.  Wherever possible,
 code should adhere to either the
-[Google Objective-C Style Guide](http://google-styleguide.googlecode.com/svn/trunk/objcguide.xml)
-or the [Google C++ Style Guide](http://google-styleguide.googlecode.com/svn/trunk/cppguide.html).
+[Google Objective-C Style Guide](https://google.github.io/styleguide/objcguide.xml)
+or the [Google C++ Style Guide](https://google.github.io/styleguide/cppguide.html).
 
 ### The small print
 Contributions made by corporations are covered by a different agreement than

Conf/Package/Makefile

@@ -32,6 +32,7 @@ PACKAGE_VERSION:=$(shell curl -fs https://api.github.com/repos/google/santa/rele
 #         |    |-- com.google.santad.plist
 #         |    |-- com.google.santagui.plist
 #         |    +-- com.google.santa.asl.conf
+#         |    +-- com.google.santa.newsyslog.conf
 #         +--dsym
 #              |-- santa-driver.kext.dSYM
 #              |-- Santa.app.dSYM
@@ -44,6 +45,7 @@ PAYLOAD:=pack-Library-Extensions-santa-driver.kext \
 	pack-Library-LaunchDaemons-com.google.santad.plist \
 	pack-Library-LaunchAgents-com.google.santagui.plist \
 	pack-etc-asl-com.google.santa.asl.conf \
+	pack-etc-newsyslog.d-com.google.santa.newsyslog.conf \
 	pack-script-preinstall \
 	pack-script-postinstall
 
@@ -52,6 +54,7 @@ Santa.app: download
 com.google.santad.plist: download
 com.google.santagui.plist: download
 com.google.santa.asl.conf: download
+com.google.santa.newsyslog.conf: download
 
 download:
 	$(if $(PACKAGE_VERSION),, $(error GitHub API returned unexpected result. Wait a while and try again))
@@ -65,6 +68,12 @@ pack-etc-asl-com.google.santa.asl.conf: com.google.santa.asl.conf l_private_etc
 	@sudo chmod 755 ${WORK_D}/private/etc/asl
 	@sudo install -m 644 -o root -g wheel com.google.santa.asl.conf ${WORK_D}/private/etc/asl
 
+pack-etc-newsyslog.d-com.google.santa.newsyslog.conf: com.google.santa.newsyslog.conf l_private_etc
+	@sudo mkdir -p ${WORK_D}/private/etc/newsyslog.d
+	@sudo chown root:wheel ${WORK_D}/private/etc/newsyslog.d
+	@sudo chmod 755 ${WORK_D}/private/etc/newsyslog.d
+	@sudo install -m 644 -o root -g wheel com.google.santa.newsyslog.conf ${WORK_D}/private/etc/newsyslog.d
+
 pack-Library-Extensions-santa-driver.kext: santa-driver.kext l_Library
 	@sudo mkdir -p ${WORK_D}/Library/Extensions
 	@sudo ${DITTO} --noqtn santa-driver.kext ${WORK_D}/Library/Extensions/santa-driver.kext
@@ -79,6 +88,8 @@ myclean:
 	@rm -rf santa-driver.kext
 	@rm -f config.plist
 	@rm -f com.google.santa.asl.conf
+	@rm -f com.google.santa.newsyslog.conf
 	@rm -f com.google.santad.plist
 	@rm -f com.google.santagui.plist
 	@rm -f install.sh
+	@rm -f uninstall.sh

Conf/Package/postinstall

@@ -18,7 +18,8 @@ sleep 1
 sleep 1
 
 # Create hopefully useful symlink for santactl
-/bin/ln -sf /Library/Extensions/santa-driver.kext/Contents/MacOS/santactl /usr/local/bin
+mkdir -p /usr/local/bin
+/bin/ln -sf /Library/Extensions/santa-driver.kext/Contents/MacOS/santactl /usr/local/bin/santactl
 
 user=$(/usr/bin/stat -f '%u' /dev/console)
 [[ -z "$user" ]] && exit 0

Conf/com.google.santa.asl.conf

@@ -1,6 +1,6 @@
 # Copy this file to /etc/asl to log all messages from santa-driver to the log file
-> /var/log/santa.log format="[$((Time)(ISO8601Z.3))] $Message" mode=0644 rotate=seq compress file_max=25M all_max=100M uid=0 gid=0
+> /var/db/santa/santa.log format="[$((Time)(ISO8601Z.3))] $Message" mode=0644 rotate=seq compress file_max=25M all_max=100M uid=0 gid=0
 ? [= Sender kernel] [S= Message santa-driver:] claim
-? [= Sender kernel] [S= Message santa-driver:] file /var/log/santa.log
+? [= Sender kernel] [S= Message santa-driver:] file /var/db/santa/santa.log
 ? [= Facility com.google.santa] claim
-? [= Facility com.google.santa] file /var/log/santa.log
+? [= Facility com.google.santa] file /var/db/santa/santa.log

Conf/com.google.santa.newsyslog.conf

@@ -0,0 +1,2 @@
+# logfilename             [owner:group]       mode   count size(KiB) when   flags [/pid_file] # [sig_num]
+/var/db/santa/santa.log   root:wheel          644    10    25000     *      NZ

Conf/install.sh

@@ -36,11 +36,13 @@ GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
 # Copy new files.
 /bin/cp -r ${SOURCE}/binaries/santa-driver.kext /Library/Extensions
 /bin/cp -r ${SOURCE}/binaries/Santa.app /Applications
+mkdir -p /usr/local/bin
 /bin/ln -s /Library/Extensions/santa-driver.kext/Contents/MacOS/santactl /usr/local/bin
 
 /bin/cp ${SOURCE}/conf/com.google.santad.plist /Library/LaunchDaemons
 /bin/cp ${SOURCE}/conf/com.google.santagui.plist /Library/LaunchAgents
 /bin/cp ${SOURCE}/conf/com.google.santa.asl.conf /etc/asl/
+/bin/cp ${SOURCE}/conf/com.google.santa.newsyslog.conf /etc/newsyslog.d/
 
 # Reload syslogd to pick up ASL configuration change.
 /usr/bin/killall -HUP syslogd

Conf/uninstall.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Uninstalls Santa from the boot volume, clearing up everything but logs/configs.
+# Unloads the kernel extension, services, and deletes component files.
+# If a user is logged in, also unloads the GUI agent.
+
+[ "$EUID" != 0 ] && printf "%s\n" "This requires running as root/sudo." && exit 1
+
+/bin/launchctl remove com.google.santad
+sleep 1
+/sbin/kextunload -b com.google.santa-driver >/dev/null 2>&1
+user=$(/usr/bin/stat -f '%u' /dev/console)
+[[ -n "$user" ]] && /bin/launchctl asuser ${user} /bin/launchctl remove com.google.santagui
+# and to clean out the log config, although it won't write after wiping the binary
+/usr/bin/killall -HUP syslogd
+# delete artifacts on-disk
+/bin/rm -rf /Applications/Santa.app
+/bin/rm -rf /Library/Extensions/santa-driver.kext
+/bin/rm -f /Library/LaunchAgents/com.google.santagui.plist
+/bin/rm -f /Library/LaunchDaemons/com.google.santad.plist
+/bin/rm -f /private/etc/asl/com.google.santa.asl.conf
+/bin/rm -f /private/etc/newsyslog.d/com.google.santa.newsyslog.conf
+/bin/rm -f /usr/local/bin/santactl # just a symlink
+#uncomment to remove the config file and all databases, log files
+#/bin/rm -rf /var/db/santa
+#/bin/rm -f /var/log/santa*
+exit 0

Docs/deployment/com.google.santa.example.mobileconfig

@@ -0,0 +1,83 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>PayloadContent</key>
+	<array>
+		<dict>
+			<key>PayloadContent</key>
+			<dict>
+				<key>com.google.santa</key>
+				<dict>
+					<key>Forced</key>
+					<array>
+						<dict>
+							<key>mcx_preference_settings</key>
+							<dict>
+								<key>BannedBlockMessage</key>
+								<string>This application has been banned</string>
+								<key>ClientMode</key>
+								<integer>1</integer>
+								<key>EnablePageZeroProtection</key>
+								<false/>
+								<key>EventDetailText</key>
+								<string>Open sync server</string>
+								<key>EventDetailURL</key>
+								<string>https://sync-server-hostname/blockables/%file_sha%</string>
+								<key>FileChangesRegex</key>
+								<string>^/(?!(?:private/tmp|Library/(?:Caches|Managed Installs/Logs|(?:Managed )?Preferences))/)</string>
+								<key>MachineIDKey</key>
+								<string>MachineUUID</string>
+								<key>MachineIDPlist</key>
+								<string>/Library/Preferences/com.company.machine-mapping.plist</string>
+								<key>MachineOwnerKey</key>
+								<string>Owner</string>
+								<key>MachineOwnerPlist</key>
+								<string>/Library/Preferences/com.company.machine-mapping.plist</string>
+								<key>ModeNotificationLockdown</key>
+								<string>Entering Lockdown mode</string>
+								<key>ModeNotificationMonitor</key>
+								<string>Entering Monitor mode&lt;br/&gt;Please be careful!</string>
+								<key>MoreInfoURL</key>
+								<string>https://sync-server-hostname/moreinfo</string>
+								<key>SyncBaseURL</key>
+								<string>https://sync-server-hostname/api/santa/</string>
+								<key>UnknownBlockMessage</key>
+								<string>This application has been blocked from executing.</string>
+							</dict>
+						</dict>
+					</array>
+				</dict>
+			</dict>
+			<key>PayloadEnabled</key>
+			<true/>
+			<key>PayloadIdentifier</key>
+			<string>0342c558-a101-4a08-a0b9-40cc00039ea5</string>
+			<key>PayloadType</key>
+			<string>com.apple.ManagedClient.preferences</string>
+			<key>PayloadUUID</key>
+			<string>0342c558-a101-4a08-a0b9-40cc00039ea5</string>
+			<key>PayloadVersion</key>
+			<integer>1</integer>
+		</dict>
+	</array>
+	<key>PayloadDescription</key>
+	<string>com.google.santa</string>
+	<key>PayloadDisplayName</key>
+	<string>com.google.santa</string>
+	<key>PayloadIdentifier</key>
+	<string>com.google.santa</string>
+	<key>PayloadOrganization</key>
+	<string></string>
+	<key>PayloadRemovalDisallowed</key>
+	<true/>
+	<key>PayloadScope</key>
+	<string>System</string>
+	<key>PayloadType</key>
+	<string>Configuration</string>
+	<key>PayloadUUID</key>
+	<string>9020fb2d-cab3-420f-9268-acca4868bdd0</string>
+	<key>PayloadVersion</key>
+	<integer>1</integer>
+</dict>
+</plist>

Docs/deployment/configuration.md

@@ -0,0 +1,178 @@
+# Important
+
+Santa v0.9.21 has moved to using an Apple [Configuration Profile](https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html) to manage the local configuration. The old config file (`/var/db/santa/config.plist`) is no longer used.
+
+# Configuration
+
+Two configuration methods can be used to control Santa: a local configuration profile and a sync server controlled configuration. There are certain options that can only be controlled with a local configuration profile and others that can only be controlled with a sync server controlled configuration. Additionally, there are options that can be controlled by both.
+
+## Local Configuration Profile
+
+| Key                           | Value Type | Description                              |
+| ----------------------------- | ---------- | ---------------------------------------- |
+| ClientMode*                   | Integer    | 1 = MONITOR, 2 = LOCKDOWN, defaults to MONITOR |
+| FileChangesRegex*             | String     | The regex of paths to log file changes. Regexes are specified in ICU format. |
+| WhitelistRegex*               | String     | A regex to whitelist if the binary or certificate scopes did not allow execution.  Regexes are specified in ICU format. |
+| BlacklistRegex*               | String     | A regex to blacklist if the binary or certificate scopes did not block an execution.  Regexes are specified in ICU format. |
+| EnablePageZeroProtection      | Bool       | Enable `__PAGEZERO` protection, defaults to YES. If this flag is set to YES, 32-bit binaries that are missing the `__PAGEZERO` segment will be blocked even in MONITOR mode, **unless** the binary is whitelisted by an explicit rule. |
+| MoreInfoURL                   | String     | The URL to open when the user clicks "More Info..." when opening Santa.app.  If unset, the button will not be displayed. |
+| EventDetailURL                | String     | See the [EventDetailURL](#eventdetailurl) section below. |
+| EventDetailText               | String     | Related to the above property, this string represents the text to show on the button. |
+| UnknownBlockMessage           | String     | In Lockdown mode this is the message shown to the user when an unknown binary is blocked. If this message is not configured a reasonable default is provided. |
+| BannedBlockMessage            | String     | This is the message shown to the user when a binary is blocked because of a rule if that rule doesn't provide a custom message. If this is not configured a reasonable  default is provided. |
+| ModeNotificationMonitor       | String     | The notification text to display when the client goes into Monitor mode. Defaults to "Switching into Monitor mode". |
+| ModeNotificationLockdown      | String     | The notification text to display when the client goes into Lockdown mode. Defaults to "Switching into Lockdown mode". |
+| SyncBaseURL*                  | String     | The base URL of the sync server.         |
+| ClientAuthCertificateFile     | String     | If set, this contains the location of a PKCS#12 certificate to be used for sync authentication. |
+| ClientAuthCertificatePassword | String     | Contains the password for the PKCS#12 certificate. |
+| ClientAuthCertificateCN       | String     | If set, this is the Common Name of a certificate in the System keychain to be used for sync authentication. The corresponding private key must also be in the keychain. |
+| ClientAuthCertificateIssuerCN | String     | If set, this is the Issuer Name of a certificate in the System keychain to be used for sync authentication. The corresponding private key must also be in the keychain. |
+| ServerAuthRootsData           | Data       | If set, this is valid PEM containing one or more certificates to be used to evaluate the server's SSL chain, overriding the list of trusted CAs distributed with the OS. |
+| ServerAuthRootsFile           | String     | The same as the above but is a path to a file on disk containing the PEM data. |
+| MachineOwner                  | String     | The machine owner.                       |
+| MachineID                     | String     | The machine ID.                          |
+| MachineOwnerPlist             | String     | The path to a plist that contains the MachineOwnerKey / value pair. |
+| MachineOwnerKey               | String     | The key to use on MachineOwnerPlist.     |
+| MachineIDPlist                | String     | The path to a plist that contains the MachineOwnerKey / value pair. |
+| MachineIDKey                  | String     | The key to use on MachineIDPlist.        |
+| EventLogType                  | String     | Defines how event logs are stored. Options are 1) syslog: Sent to ASL or ULS (if built with the 10.12 SDK or later). 2) filelog: Sent to a file on disk. Use EventLogPath to specify a path. Defaults to filelog      |
+| EventLogPath                  | String     | If EventLogType is set to filelog, EventLogPath will provide the path to save logs. Defaults to /var/db/santa/santa.log. If you change this value ensure you also update com.google.santa.newsyslog.conf with the new path.        |
+
+*overridable by the sync server: run `santactl status` to check the current running config
+
+##### EventDetailURL
+
+When the user gets a block notification, a button can be displayed which will take them to a web page with more information about that event.
+
+This property contains a kind of format string to be turned into the URL to send them to. The following sequences will be replaced in the final URL:
+
+| Key          | Description                              |
+| ------------ | ---------------------------------------- |
+| %file_sha%   | SHA-256 of the file that was blocked     |
+| %machine_id% | ID of the machine                        |
+| %username%   | The executing user                       |
+| %bundle_id%  | Bundle ID of the binary, if applicable   |
+| %bundle_ver% | Bundle version of the binary, if applicable |
+
+For example: `https://sync-server-hostname/%machine_id%/%file_sha%`
+
+##### Example Configuration Profile
+
+Here is an example of a configuration profile that could be set. It was generated with Tim Sutton's great [mcxToProfile](https://github.com/timsutton/mcxToProfile) tool. A copy is also available [here](com.google.santa.example.mobileconfig).
+
+A few key points to when creating your configuration profile:
+
+* `com.google.santa` needs to be the key inside `PayloadContent`
+* The `PayloadScope` needs to be `System`
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>PayloadContent</key>
+	<array>
+		<dict>
+			<key>PayloadContent</key>
+			<dict>
+				<key>com.google.santa</key>
+				<dict>
+					<key>Forced</key>
+					<array>
+						<dict>
+							<key>mcx_preference_settings</key>
+							<dict>
+								<key>BannedBlockMessage</key>
+								<string>This application has been banned</string>
+								<key>ClientMode</key>
+								<integer>1</integer>
+								<key>EnablePageZeroProtection</key>
+								<false/>
+								<key>EventDetailText</key>
+								<string>Open sync server</string>
+								<key>EventDetailURL</key>
+								<string>https://sync-server-hostname/blockables/%file_sha%</string>
+								<key>FileChangesRegex</key>
+								<string>^/(?!(?:private/tmp|Library/(?:Caches|Managed Installs/Logs|(?:Managed )?Preferences))/)</string>
+								<key>MachineIDKey</key>
+								<string>MachineUUID</string>
+								<key>MachineIDPlist</key>
+								<string>/Library/Preferences/com.company.machine-mapping.plist</string>
+								<key>MachineOwnerKey</key>
+								<string>Owner</string>
+								<key>MachineOwnerPlist</key>
+								<string>/Library/Preferences/com.company.machine-mapping.plist</string>
+								<key>ModeNotificationLockdown</key>
+								<string>Entering Lockdown mode</string>
+								<key>ModeNotificationMonitor</key>
+								<string>Entering Monitor mode&lt;br/&gt;Please be careful!</string>
+								<key>MoreInfoURL</key>
+								<string>https://sync-server-hostname/moreinfo</string>
+								<key>SyncBaseURL</key>
+								<string>https://sync-server-hostname/api/santa/</string>
+								<key>UnknownBlockMessage</key>
+								<string>This application has been blocked from executing.</string>
+							</dict>
+						</dict>
+					</array>
+				</dict>
+			</dict>
+			<key>PayloadEnabled</key>
+			<true/>
+			<key>PayloadIdentifier</key>
+			<string>0342c558-a101-4a08-a0b9-40cc00039ea5</string>
+			<key>PayloadType</key>
+			<string>com.apple.ManagedClient.preferences</string>
+			<key>PayloadUUID</key>
+			<string>0342c558-a101-4a08-a0b9-40cc00039ea5</string>
+			<key>PayloadVersion</key>
+			<integer>1</integer>
+		</dict>
+	</array>
+	<key>PayloadDescription</key>
+	<string>com.google.santa</string>
+	<key>PayloadDisplayName</key>
+	<string>com.google.santa</string>
+	<key>PayloadIdentifier</key>
+	<string>com.google.santa</string>
+	<key>PayloadOrganization</key>
+	<string></string>
+	<key>PayloadRemovalDisallowed</key>
+	<true/>
+	<key>PayloadScope</key>
+	<string>System</string>
+	<key>PayloadType</key>
+	<string>Configuration</string>
+	<key>PayloadUUID</key>
+	<string>9020fb2d-cab3-420f-9268-acca4868bdd0</string>
+	<key>PayloadVersion</key>
+	<integer>1</integer>
+</dict>
+</plist>
+
+```
+
+Configuration profiles have a `.mobileconfig` file extension. There are many ways to install configuration profiles:
+
+* Double click them in Finder
+* Use the `/usr/bin/profiles` tool
+* Use an MDM
+
+## Sync server Provided Configuration
+
+| Key                            | Value Type | Description                              |
+| ------------------------------ | ---------- | ---------------------------------------- |
+| client_mode                    | String     | MONITOR or LOCKDOWN, defaults to MONITOR. |
+| clean_sync**                   | Bool       | If set to `True` Santa will clear all local rules and download a fresh copy from the sync-server. Defaults to `False`. |
+| batch_size                     | Integer    | The number of rules to download or events to upload per request. Multiple requests will be made if there is more work than can fit in single request. Defaults to 50. |
+| upload_logs_url**              | String     | If set, the endpoint to send Santa's current logs. No default. |
+| whitelist_regex                | String     | Same as the "Local Configuration" WhitelistRegex. No default. |
+| blacklist_regex                | String     | Same as the "Local Configuration" BlacklistRegex. No default. |
+| fcm_token*                     | String     | The FCM token used by Santa to listen for FCM messages. Unique for every machine. No default. |
+| fcm_full_sync_interval*        | Integer    | The full sync interval if a fcm_token is set. Defaults to  14400 secs (4 hours). |
+| fcm_global_rule_sync_deadline* | Integer    | The max time to wait before performing a rule sync when a global rule sync FCM message is received. This allows syncing to be staggered for global events to avoid spikes in server load. Defaults to 600 secs (10 min). |
+| bundles_enabled*               | Bool       | If set to `True` the bundle scanning feature is enabled. Defaults to `False`. |
+
+*Held only in memory. Not persistent upon process restart.
+
+**Performed once per preflight run (if set).

Docs/details/events.md

@@ -0,0 +1,141 @@
+# Events
+
+Events are a defined set of data, core to how Santa interacts with a sync server. Events are generated when there is a blocked `execve()` while in Lockdown or Monitor mode. Events are also generated in Monitor mode for an `execve()` that was allowed to run, but would have been blocked in Lockdown mode. This allows an admin to roll out Santa to their macOS fleet in Monitor mode but still collect meaningful data. The events collected while in Monitor mode can be used to build a reasonably comprehensive whitelist of signing certificates and binaries before switching the fleet to Lockdown mode.
+
+##### Event Data
+
+Events begin their life as an [SNTStoredEvent](https://github.com/google/santa/blob/master/Source/common/SNTStoredEvent.h) object. The SNTStoredEvent class is just a simple storage class that has properties for all the relevant bits of information. More importantly the class implements the [NSSecureCoding](https://developer.apple.com/documentation/foundation/nssecurecoding?language=objc) protocol. This allows the objects to be encoded and decoded for storage in the events sqlite3 database on disk and sent over XPC to another process.
+
+Events are temporarily stored in a database until they are uploaded. The format is subject the change; accessing the events database directly will most likely break in future releases. If direct access to the events database is required, raise a [issue on the Santa GitHub](https://github.com/google/santa/issues).
+
+###### JSON
+
+Before an event is uploaded to a sync server, the event data is copied into a JSON blob. Here is an example of Firefox being blocked and sent for upload:
+
+```json
+{
+  "events": [
+    {
+      "file_path": "/var/folders/l5/pd9rhsp54s79_9_qcy746_tw00b_4p/T/AppTranslocation/254C1357-7461-457B-B734-A0FDAF0F26D9/d/Firefox.app/Contents/MacOS",
+      "file_bundle_version": "5417.6.28",
+      "parent_name": "launchd",
+      "logged_in_users": [
+        "bur"
+      ],
+      "quarantine_timestamp": 0,
+      "signing_chain": [
+        {
+          "cn": "Developer ID Application: Mozilla Corporation (43AQ936H96)",
+          "valid_until": 1652123338,
+          "org": "Mozilla Corporation",
+          "valid_from": 1494270538,
+          "ou": "43AQ936H96",
+          "sha256": "96f18e09d65445985c7df5df74ef152a0bc42e8934175a626180d9700c343e7b"
+        },
+        {
+          "cn": "Developer ID Certification Authority",
+          "valid_until": 1801519935,
+          "org": "Apple Inc.",
+          "valid_from": 1328134335,
+          "ou": "Apple Certification Authority",
+          "sha256": "7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f"
+        },
+        {
+          "cn": "Apple Root CA",
+          "valid_until": 2054670036,
+          "org": "Apple Inc.",
+          "valid_from": 1146001236,
+          "ou": "Apple Certification Authority",
+          "sha256": "b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024"
+        }
+      ],
+      "file_bundle_name": "Firefox",
+      "executing_user": "bur",
+      "ppid": 1,
+      "file_bundle_path": "/var/folders/l5/pd9rhsp54s79_9_qcy746_tw00b_4p/T/AppTranslocation/254C1357-7461-457B-B734-A0FDAF0F26D9/d/Firefox.app",
+      "file_name": "firefox",
+      "execution_time": 1501691337.059514,
+      "file_sha256": "dd78f456a0929faf5dcbb6d952992d900bfdf025e1e77af60f0b029f0b85bf09",
+      "decision": "BLOCK_BINARY",
+      "file_bundle_id": "org.mozilla.firefox",
+      "file_bundle_version_string": "54.0.1",
+      "pid": 49368,
+      "current_sessions": [
+        "bur@console",
+        "bur@ttys000",
+        "bur@ttys001",
+        "bur@ttys002",
+        "bur@ttys003",
+        "bur@ttys004"
+      ]
+    }
+  ]
+}
+```
+
+
+
+##### Event Lifecycle
+
+1. santad generates a new event
+2. santad compares, or adds if not present, the event's SHA-256 file hash to an in-memory cache with a timeout of 10 min. If an event with an matching hash is present in cache, the event is dropped.
+3. santad saves the event to `/var/db/santa/events.db` with a unique ID assigned as the key.
+4. santad sends an XPC message to the santactl daemon. The message contains the event with instructions to upload the event immediately. This is non-blocking and is performed on a background thread.
+
+##### Bundle Events
+
+Bundle events are a special type of event that are generated when a sync server supports receiving the associated bundle events, instead of just the original event. For example: `/Applications/Keynote.app/Contents/MacOS/Keynote` is blocked and an event representing the binary is uploaded. A whitelist rule is created for that one binary. Great, you can now run `/Applications/Keynote.app/Contents/MacOS/Keynote`, but what about all the other supporting binaries contained in the bundle? You would have to wait until they are executed until an event would be generated. It is very common for a bundle to contain multiple binaries, as shown here with Keynote.app. Waiting to get a block is not a very good user experience.
+
+```sh
+⇒  santactl bundleinfo /Applications/Keynote.app
+Hashing time: 1047 ms
+9 events found
+BundleHash: b475667ab1ab6eddea48bfc2bed76fcef89b8f85ed456c8068351292f7cb4806
+BundleID: com.apple.iWork.Keynote
+	SHA-256: be3aa404ee79c2af863132b93b0eedfdbc34c6e35d4fda2ade6dd637692ead84
+	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.MovieCompatibilityConverter.xpc/Contents/MacOS/com.apple.iWork.MovieCompatibilityConverter
+BundleID: com.apple.iWork.Keynote
+	SHA-256: 3b2582fd5e7652b653276b3980c248dc973e8082e9d0678c96a08d7d1a8366ba
+	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.PICTConverter.xpc/Contents/MacOS/com.apple.iWork.PICTConverter
+BundleID: com.apple.iWork.Keynote
+	SHA-256: f1bf3be05d511d7c7f651cf7b130d4977f8d28d0bfcd7c5de4144b95eaab7ad7
+	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.ExternalResourceAccessor.xpc/Contents/XPCServices/com.apple.iWork.TCMovieExtractor.xpc/Contents/MacOS/com.apple.iWork.TCMovieExtractor
+BundleID: com.apple.iWork.Keynote
+	SHA-256: b59bc8548c91088a40d9023abb5d22fa8731b4aa17693fcb5b98c795607d219a
+	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.BitmapTracer.xpc/Contents/MacOS/com.apple.iWork.BitmapTracer
+BundleID: com.apple.iWork.Keynote
+	SHA-256: 08cb407f541d867f1a63dc3ae44eeedd5181ca06c61df6ef62b5dc7192951a4b
+	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.TCUtilities32.xpc/Contents/MacOS/com.apple.iWork.TCUtilities32
+BundleID: com.apple.iWork.Keynote
+	SHA-256: b965ae7be992d1ce818262752d0cf44297a88324a593c67278d78ca4d16fcc39
+	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.ExternalResourceAccessor.xpc/Contents/XPCServices/com.apple.iWork.TCMovieExtractor.xpc/Contents/XPCServices/com.apple.iWork.TCMovieExtractor.TCUtilities32.xpc/Contents/MacOS/com.apple.iWork.TCMovieExtractor.TCUtilities32
+BundleID: com.apple.iWork.Keynote
+	SHA-256: 59668dc27314f0f6f5daa5f02b564c176f64836c88e2dfe166e90548f47336f1
+	Path: /Applications/Keynote.app/Contents/MacOS/Keynote
+BundleID: com.apple.iWork.Keynote
+	SHA-256: 7ce324f919b14e14d327004b09f83ca81345fd4438c87ead4b699f89e9485595
+	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.ExternalResourceAccessor.xpc/Contents/XPCServices/com.apple.iWork.ExternalResourceValidator.xpc/Contents/MacOS/com.apple.iWork.ExternalResourceValidator
+BundleID: com.apple.iWork.Keynote
+	SHA-256: 6b47f551565d886388eeec5e876b6de9cdd71ef36d43b0762e6ebf02bdd8515d
+	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.ExternalResourceAccessor.xpc/Contents/MacOS/com.apple.iWork.ExternalResourceAccessor
+```
+
+Bundle events provide a mechanism to generate and upload events for all the executable Mach-O binaries within a bundle. To enable bundle event generation a configuration must be set in the preflight sync stage on the sync server. Once set the sync server can use bundle events to drive a better user experience.
+
+Bundle events can be differentiated by the existence of these fields:
+
+| Field                    | Value                                    |
+| ------------------------ | ---------------------------------------- |
+| decision                 | BUNDLE_BINARY                            |
+| file_bundle_hash         | Super Hash of all binary hashes          |
+| file_bundle_hash_millis  | The time in milliseconds it took to find all of the binaries, hash and produce a super hash |
+| file_bundle_binary_count | Number of binaries within the bundle     |
+
+To avoid redundant uploads of a bundle event Santa will wait for the sync server to ask for them. The server will respond to event uploads with a request like this:
+
+| Field                        | Value                                    |
+| ---------------------------- | ---------------------------------------- |
+| event_upload_bundle_binaries | An array of bundle hashes that the sync server needs to be uploaded |
+
+When santactl receives this type of request, it sends an XPC reply to santad to save all the bundle events to the events.db. It then attempts to upload all the bundle events, purging the successes from the events.db. Any failures will be uploaded during the next full sync.
+

Docs/details/ipc.md

@@ -0,0 +1,43 @@
+# Interprocess Communication (IPC)
+
+Most IPC within Santa is done by way of Apple's [XPC](https://developer.apple.com/documentation/xpc?language=objc). Santa wraps [NSXPCConnection](https://developer.apple.com/documentation/foundation/nsxpcconnection?language=objc) to provide client multiplexing, signature validation of connecting clients and forced connection establishment. This is called SNTXPCConnection.
+
+Communication between santad and santa-driver (KEXT) is done with a [IOUserClient](https://developer.apple.com/documentation/kernel/iouserclient?language=objc) subclass and IOKit/IOKitLib.h functions.
+
+##### Who starts who?
+
+The santad and Santa (GUI) processes are both started and kept alive by launchd as a LaunchDaemon and a LaunchAgent, respectively. This means santad runs as root and Santa (GUI) runs as the console user. 
+
+There can be multiple Santa (GUI) processes running, one per user logged into the GUI (assuming fast-user switching is enabled). While multiple processes might be running, only the one for the user currently logged-in will be connected to santad and receiving notifications.
+
+When using a sync server, the santactl process is started by santad. Before the new process starts, all privileges are dropped. santactl runs as _nobody_.
+
+The santabs process is started by launchd via an XPC service connection from santad. XPC services inherit their initiator's privileges meaning santabs runs as root, which is necessary to ensure it has permission to read all files.
+
+| Process  | Parent Process | Running User |
+| -------- | -------------- | ------------ |
+| santad   | launchd        | root         |
+| Santa    | launchd        | user         |
+| santactl | santad         | nobody       |
+| santabs  | launchd        | root         |
+
+
+
+##### Who communicates with who?
+
+In short, santad has two-way communication with every other process. In addition, Santa and santabs have two-way communication between each other. For other combinations, there is no direct communication.
+
+![Santa IPC](santa_ipc.png)
+
+##### SNTXPCConnection and two way communication
+
+`SNTXPCConnection` enforces a server / client model for XPC connections. This allows for strong signature validation and forced connection establishment. The only problem with this model is the lack of two-way communication. For example, process A can call methods on process B and retrieve a response, but process B cannot call methods on process A.
+
+To accomplish two-way communication, the following approach can be used:
+
+1. Process A creates a server with an anonymous `NSXPCListener`.
+2. Process A sends the anonymous `NSXPCListenerEndpoint` to process B over an already established `SNTXPCConnection`.
+3. Process B can now communicate directly with process A.
+
+This is a powerful notion. It enables forced connection establishment between both processes, which is critical when reliability is a concern.
+

Docs/details/logs.md

@@ -0,0 +1,30 @@
+# Logs
+
+Santa currently logs to `/var/db/santa/santa.log` by default. All executions and disk mounts are logged here. File operations can also be configured to be logged. See the `FileChangesRegex` key in the [configuration.md](../deployment/configuration.md) document.
+
+To view the logs:
+
+```sh
+tail -F /var/db/santa/santa.log
+```
+
+The `-F` will continue watching the path even when the current file fills up and rolls over.
+
+##### macOS Unified Logging System (ULS)
+
+Currently all of the most recent releases of Santa are built with the macOS 10.11 SDK. This allows Santa to continue to log to Apple System Logger (ASL) instead of ULS. However, on macOS 10.12+ all of the Kernel logs are sent to ULS. See the KEXT Logging section below for more details.
+
+If you are building Santa yourself and using the macOS 10.12+ SDKs, Santa's logs will be sent to ULS.
+
+Work is currently underway to bypass ASL and ULS altogether, allowing Santa to continue logging to `/var/db/santa/santa.log`. This change will also allow us to add alternative logging formats, like Protocol Buffer or JSON.
+
+##### KEXT Logging
+
+Streaming logs from the santa-driver KEXT does not work properly. Logs are generated but they will likely be garbled or show inaccurate data.
+
+Instead, `show` can be used to view the santa-driver KEXT logs:
+
+```sh
+/usr/bin/log show --info --debug --predicate 'senderImagePath == "/Library/Extensions/santa-driver.kext/Contents/MacOS/santa-driver"'
+```
+

Docs/details/mode.md

@@ -0,0 +1,53 @@
+# Mode
+
+Santa can run in one of two modes, Lockdown or Monitor. To check the current status run the following command:
+
+```sh
+⇒  santactl status
+>>> Daemon Info
+  Mode                      | Monitor
+  File Logging              | Yes
+  Watchdog CPU Events       | 0  (Peak: 13.59%)
+  Watchdog RAM Events       | 0  (Peak: 31.49MB)
+>>> Kernel Info
+  Root cache count          | 107
+  Non-root cache count      | 0
+>>> Database Info
+  Binary Rules              | 5
+  Certificate Rules         | 2
+  Events Pending Upload     | 0
+>>> Sync Info
+  Sync Server               | https://sync-server-hostname.com
+  Clean Sync Required       | No
+  Last Successful Full Sync | 2017/08/02 21:44:17 -0400
+  Last Successful Rule Sync | 2017/08/02 21:44:17 -0400
+  Push Notifications        | Connected
+  Bundle Scanning           | Yes
+```
+
+##### Monitor mode
+
+The default mode. Running Santa in Monitor Mode will stop any binaries matching blacklist rules, but will not stop unknown binaries from running. This is a flexible state, allowing virtually zero user interruption but still gives protection against known blacklisted binaries. In addition execution events that would have been blocked in Lockdown mode are generated and can be collected and analyzed by a sync server.
+
+##### Lockdown mode
+
+Running Santa in Lockdown Mode will stop all blacklisted binaries and additionally will prevent all unknown binaries from running. This means that if the binary has no rules or scopes that apply, then it will be blocked.
+
+##### Changing Modes
+
+There are two ways to change the running mode: changing the configuration profile and with a sync server configuration.
+
+###### Change modes with the configuration profile
+
+Set the `ClientMode` in your configuration profile to the integer value `1` for MONITOR or `2` for LOCKDOWN.
+
+```xml
+<key>ClientMode</key>
+<integer>1</integer>
+```
+
+Install your new configuration profile, it will overwrite any old `com.google.santa` profiles you may have already install. See the [configuration](../deployment/configuration.md) document for more details.
+
+###### Change modes with a sync server
+
+The mode is set in the preflight sync stage. Use the key `client_mode` and a value of `MONITOR` or `LOCKDOWN`.

Docs/details/rules.md

@@ -0,0 +1,104 @@
+# Rules
+
+Rules provide the primary evaluation mechanism for whitelisting and blacklisting binaries with Santa on macOS. There are two types of rules: binary and certificate.
+
+##### Binary Rules
+
+Binary rules use the SHA-256 hash of the entire binary as an identifier. This is the most specific rule in Santa. Even a small change in the binary will alter the SHA-256 hash, invalidating the rule.
+
+##### Certificate Rules
+
+Certificate rules are formed from the SHA-256 fingerprint of an X.509 leaf signing certificate. This is a powerful rule type that has a much broader reach than an individual binary rule . A signing certificate can sign any number of binaries. Whitelisting or blacklisting just a few key signing certificates can cover the bulk of an average user's binaries. The leaf signing certificate is the only part of the chain that is evaluated. Though the whole chain is available for viewing.
+
+```sh
+⇒  santactl fileinfo /Applications/Dropbox.app --key "Signing Chain"
+Signing Chain:
+     1. SHA-256             : 2a0417257348a20f96c9de0486b44fcc7eaeaeb7625b207591b8109698c02dd2
+        SHA-1               : 86ec91f726ba9caa09665b2109c49117f0b93134
+        Common Name         : Developer ID Application: Dropbox, Inc.
+        Organization        : Dropbox, Inc.
+        Organizational Unit : G7HH3F8CAK
+        Valid From          : 2012/06/19 16:10:30 -0400
+        Valid Until         : 2017/06/20 16:10:30 -0400
+
+     2. SHA-256             : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f
+        SHA-1               : 3b166c3b7dc4b751c9fe2afab9135641e388e186
+        Common Name         : Developer ID Certification Authority
+        Organization        : Apple Inc.
+        Organizational Unit : Apple Certification Authority
+        Valid From          : 2012/02/01 17:12:15 -0500
+        Valid Until         : 2027/02/01 17:12:15 -0500
+
+     3. SHA-256             : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
+        SHA-1               : 611e5b662c593a08ff58d14ae22452d198df6c60
+        Common Name         : Apple Root CA
+        Organization        : Apple Inc.
+        Organizational Unit : Apple Certification Authority
+        Valid From          : 2006/04/25 17:40:36 -0400
+        Valid Until         : 2035/02/09 16:40:36 -0500
+```
+
+If you wanted to whitelist or blacklist all software signed with this perticular Dropbox signing certificate you would use the leaf SHA-256 fingerprint.
+
+`2a0417257348a20f96c9de0486b44fcc7eaeaeb7625b207591b8109698c02dd2`
+
+Santa does not evaluate the `Valid From` or `Valid Until` fields, nor does it check the Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP) for revoked certificates. Adding rules for the certificate chain's intermediates or roots has no effect on binaries signing by a leaf. Santa ignores the chain and is only concerned with the leaf certificate's SHA-256 hash.
+
+##### Rule Evaluation
+
+When a process is trying to `execve()` santad retrieves information on the binary,  including a hash of the entire file and the signing chain (if any). The hash and signing leaf certificate are then passed through the [SNTPolicyProcessor](https://github.com/google/santa/blob/master/Source/santad/SNTPolicyProcessor.h). Rules are evaluated from most specific to least specific. First binary (either whitelist or blacklist), then certificate (either whitelist or blacklist). If no rules are found that apply, scopes are then searched. See the [scopes.md](scopes.md) document for more information on scopes.
+
+You can use the `santactl fileinfo` command to check the status of any given binary on the filesystem.
+
+###### Whitelisted with a Binary Rule 
+
+```sh
+⇒  santactl fileinfo /Applications/Hex\ Fiend.app --key Rule
+Whitelisted (Binary)
+```
+
+###### Whitelisted with a Certificate Rule
+
+```sh
+⇒  santactl fileinfo /Applications/Safari.app --key Rule
+Whitelisted (Certificate)
+```
+
+###### Blacklisted with a Binary Rule
+
+```sh
+⇒  santactl fileinfo /usr/bin/yes --key Rule
+Blacklisted (Binary)
+```
+
+###### Blacklisted with a Certificate Rule
+
+```sh
+⇒  santactl fileinfo /Applications/Malware.app --key Rule
+Blacklisted (Certificate)
+```
+
+You can also check arbitrary SHA-256 binary and certificate hashes for rules. The rule verb needs to be run with root privileges.
+
+For checking the SHA-256 hash of `/usr/bin/yes`:
+
+```sh
+sudo santactl rule --check --sha256 $(santactl fileinfo --key SHA-256 /usr/bin/yes)
+Blacklisted (Binary)
+```
+
+For checking the SHA-256 hash of `/usr/bin/yes ` signing certificate:
+
+```sh
+⇒  sudo santactl rule --check --certificate --sha256 $(santactl fileinfo --cert-index 1 --key SHA-256 /usr/bin/yes)
+Whitelisted (Certificate)
+```
+
+##### Built-in rules
+
+To avoid blocking any Apple system binaries or Santa binaries, santad will create 2 immutable certificate rules at startup:
+
+* The signing certificate santad is signed with
+* The signing certificate launchd is signed with
+
+By creating these two rules at startup, Santa should never block critical Apple system binaries or other Santa components.

Docs/details/santa-driver.md

@@ -0,0 +1,94 @@
+# santa-driver
+
+santa-driver is a macOS [kernel extension](https://developer.apple.com/library/content/documentation/Darwin/Conceptual/KEXTConcept/KEXTConceptIntro/introduction.html) (KEXT) that makes use of the [Kernel Authorization](https://developer.apple.com/library/content/technotes/tn2127/_index.html) (Kauth) KPI. This allows santa-driver to listen for events and either deny or defer the decision of those events. The santa-driver acts as an intermediary layer between Kauth and santad, with some caching to lower the overhead of decision making.
+
+##### Kauth
+
+santa-driver utilizes two Kauth scopes `KAUTH_SCOPE_VNODE` and `KAUTH_SCOPE_FILEOP `. It registers itself with the Kauth API by calling `kauth_listen_scope()` for each scope. This function takes three arguments:
+
+* `const char *scope`
+* `kauth_scope_callback_t _callback`_
+* `void *contex`
+
+It returns a `kauth_listener_t` that is stored for later use, in Santa's case to stop listening.
+
+###### KAUTH_SCOPE_VNODE
+
+Here is how santa-driver starts listening for `KAUTH_SCOPE_VNODE` events.
+
+```c++
+vnode_listener_ = kauth_listen_scope(
+    KAUTH_SCOPE_VNODE, vnode_scope_callback, reinterpret_cast<void *>(this));
+```
+
+The function `vnode_scope_callback` is called for every vnode event. There are many types of vnode events, they complete list can be viewed in the kauth.h. There are many types of vnode events, the complete list can be viewed in kauth.h. Santa is only concerned with regular files generating `KAUTH_VNODE_EXECUTE` [1] and `KAUTH_VNODE_WRITE_DATA` events. All non-regular files and unnecessary vnode events are filtered out.
+
+Here is how santa-driver stops listening for `KAUTH_SCOPE_VNODE` events:
+
+```c++
+kauth_unlisten_scope(vnode_listener_);
+```
+
+[1] `KAUTH_VNODE_EXECUTE` events that do not have the `KAUTH_VNODE_ACCESS` advisory bit set.
+
+###### KAUTH_SCOPE_FILEOP
+
+Santa also listens for file operations, this is mainly used for logging [1] and cache invalidation. 
+
+* `KAUTH_FILEOP_DELETE`, `KAUTH_FILEOP_RENAME`, `KAUTH_FILEOP_EXCHANGE` and `KAUTH_FILEOP_LINK` are logged
+* `KAUTH_FILEOP_EXEC` is used to log `execve()`s. Since the `KAUTH_VNODE_EXECUTE` is used to allow or deny an `execve()` the process arguments have not been setup yet. Since `KAUTH_FILEOP_EXEC` is triggered after an `execve()` it is used to log the `execve()`.
+
+[1] `KAUTH_FILEOP_CLOSE` is used to invalidate that file's representation in the cache. If a file has changed it needs to be re-evalauted. This is particularly necessary for files that were added to the cache with an action of allow.
+
+##### Driver Interface
+
+santa-driver implements an [IOUserClient](https://developer.apple.com/documentation/kernel/iouserclient?language=objc) subclass and santad interacts with it through IOKit/IOKitLib.h functions.
+
+[//]: # "TODO(bur, rah) Flesh out the details"
+
+##### Cache
+
+To aid in performance, santa-driver utilizes a caching system to hold the state of all observed `execve()` events.
+
+###### Key
+
+The key is a `uint64_t`. The top 32 bits hold the filesystem ID, while the bottom 32 bits hold the file unique ID. Together we call this the vnode_id.
+
+```c++
+uint64_t vnode_id = (((uint64_t)fsid << 32) | fileid);
+```
+
+###### Value
+
+The value is a `uint64_t` containing the action necessary, along with the decision timestamp. The action is stored in the top 8 bits. The decision timestamp is stored in the remaining 56 bits.
+
+```c++
+santa_action_t action = (santa_action_t)(cache_val >> 56);
+uint64_t decision_time = (cache_val & ~(0xFF00000000000000));
+```
+
+The possible actions are:
+
+| Actions                 | Expiry Time      | Description                              |
+| ----------------------- | ---------------- | ---------------------------------------- |
+| `ACTION_REQUEST_BINARY` | None             | Awaiting an allow or deny decision from santad. |
+| `ACTION_RESPOND_ALLOW`  | None             | Allow the `execve()`                     |
+| `ACTION_RESPOND_DENY`   | 500 milliseconds | Deny the `execve()`, but re-evalaute after 500 milliseconds. If someone is trying to run a banned binary continually every millisecond for example, only 2 evaluation requests to santad for would occur per second. This mitigates a denial of service type attack on santad. |
+
+###### Invalidation
+
+Besides the expiry time for individual entries, the entire cache will be cleared if any of the following events takes place:
+
+* Addition of a blacklist rule
+* Addition of a blacklist regex scope
+* Cache fills up. This defaults to `5000` entries for the root volume and `500` for all other mounted volumes.
+
+To view the current kernel cache count see the "Kernel info" section of `santactl status`:
+
+```sh
+⇒  santactl status
+>>> Kernel Info
+    Root cache count          | 107
+    Non-root cache count      | 0
+```
+

Docs/details/santa-gui.md

@@ -0,0 +1,11 @@
+# Santa GUI
+
+The Santa GUI process is pretty simple. It's only job is the display user GUI notifications. There are two types of notifications it can display:
+
+A notification when an `execve()` is blocked.
+
+![Block](block.png)
+
+Notifications when specific rules arrive (when using FCM for push notifications).
+
+![Notification](push.png)

Docs/details/santabs.md

@@ -0,0 +1,44 @@
+# santabs
+
+The santabs process is an XPC service for the santa-driver.kext bundle, meaning only binaries within that bundle can launch santabs. It will be launched with the same privileges as its calling process. Currently, santad is the only caller of santabs, so santabs runs as root.
+
+##### Events
+
+The santabs process is quite simple and only does one thing: it generates non-execution events for the contents of a bundle.
+
+When there is an `execve()` that is blocked within a bundle, a few actions take place:
+
+1. The highest ancestor bundle in the tree is found
+
+   * So `/Applications/DVD Player.app/Contents/MacOS/DVD Player` would be `/Applications/DVD Player.app`
+   * Or `/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension` would be `/Applications/Safari.app`
+
+2. The ancestor bundle is then searched for Mach-O executables
+
+   * For Safari that would currently be 4 binaries
+
+   * ```sh
+     Hashing time: 53 ms
+     4 events found
+     BundleHash: 718773556ca5ea798f984fde2fe1a5994f175900b26d2964c9358a0f469a4ac6
+     BundleID: com.apple.Safari
+     	SHA-256: ea872e83a518ce442ed050c4408a448d915e2bae90ef8455ce7805448d864a3e
+     	Path: /Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
+     BundleID: com.apple.Safari
+     	SHA-256: 1a43283857b1822164f82af274c476204748c0a2894dbcaa11ed17f78e0273cc
+     	Path: /Applications/Safari.app/Contents/MacOS/Safari
+     BundleID: com.apple.Safari
+     	SHA-256: ab0ac54dd90144931b681d1e84e198c6510be44ac5339437bc004e60777af7ba
+     	Path: /Applications/Safari.app/Contents/Resources/appdiagnose
+     BundleID: com.apple.Safari
+     	SHA-256: f49c5aa3a7373127d0b4945782b1fa375dd3707d66808fd66b7c0756430defa8
+     	Path: /Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService
+     ```
+
+3. Events are created for each binary and the bundle hash is calculated
+
+4. These events are sent to the sync server for processing
+
+##### Bundle Hash
+
+The found events are sorted by their file SHA-256 hash. The hashes are concatenated and then SHA-256 hashed. This is now a strong indicator on what Mach-O executables were within the bundle at the time of scan. This can then be verified by the sync server when deciding to generate rules.

Docs/details/santactl.md

@@ -0,0 +1,425 @@
+# santactl
+
+This may be the most complex part of Santa. It does two types of work:
+
+1. It contains all of the code and functionality for syncing with a sync-server.
+2. It can be used to view the state and configuration of Santa as a whole. It can also inspect individual files. When running without a sync server it also a supported method of managing the rules database.
+
+The details of santactl's syncing functionality are covered in the syncing.md document. This document will cover the status work that santactl performs.
+
+##### status
+
+To view the status of Santa run `santactl status`
+
+```sh
+⇒  santactl status
+>>> Daemon Info
+  Mode                      | Monitor
+  File Logging              | Yes
+  Watchdog CPU Events       | 0  (Peak: 2.19%)
+  Watchdog RAM Events       | 0  (Peak: 29.45MB)
+>>> Kernel Info
+  Kernel cache count        | 123
+>>> Database Info
+  Binary Rules              | 321
+  Certificate Rules         | 123
+  Events Pending Upload     | 0
+>>> Sync Info
+  Sync Server               | https://sync-server.com/santa/
+  Clean Sync Required       | No
+  Last Successful Full Sync | 2017/08/10 15:05:32 -0400
+  Last Successful Rule Sync | 2017/08/10 15:29:21 -0400
+  Push Notifications        | Connected
+  Bundle Scanning           | Yes
+```
+
+The status command also has the ability to print JSON output `santactl status --json`
+
+```sh
+⇒  santactl status --json
+{
+  "kernel" : {
+    "cache_count" : 123
+  },
+  "daemon" : {
+    "watchdog_ram_events" : 0,
+    "watchdog_ram_peak" : 29.44921875,
+    "watchdog_cpu_events" : 0,
+    "file_logging" : true,
+    "mode" : "Monitor",
+    "watchdog_cpu_peak" : 2.188006666666666
+  },
+  "database" : {
+    "events_pending_upload" : 0,
+    "certificate_rules" : 123,
+    "binary_rules" : 321
+  },
+  "sync" : {
+    "last_successful_rule" : "2017\/08\/10 15:29:21 -0400",
+    "push_notifications" : "Connected",
+    "bundle_scanning" : true,
+    "clean_required" : false,
+    "server" : "https:\/\//sync-server.com\/santa\/",
+    "last_successful_full" : "2017\/08\/10 15:05:32 -0400"
+  }
+}
+```
+
+##### version
+
+To view all of the component versions `santactl version`
+
+```sh
+⇒  santactl version
+santa-driver    | 0.9.19
+santad          | 0.9.19
+santactl        | 0.9.19
+SantaGUI        | 0.9.19
+```
+
+Again, a JSON version is available `santactl version --json`
+
+```sh
+⇒  santactl version --json
+{
+  "santa-driver" : "0.9.19",
+  "santad" : "0.9.19",
+  "SantaGUI" : "0.9.19",
+  "santactl" : "0.9.19"
+}
+```
+
+##### fileinfo
+
+The fileinfo verb is very powerful and can be used to tease out just about anything you wish to know about a file, with respect to the domain of Santa.
+
+Here is an example of using `santactl fileinfo ` to inspect the main executable within `/Applications/Hex Fiend.app`. 
+
+```sh
+⇒  santactl fileinfo /Applications/Hex\ Fiend.app
+Path                 : /Applications/Hex Fiend.app/Contents/MacOS/Hex Fiend
+SHA-256              : efaf88db065beae61615f6f176c11c751555d2bad3c5da6cdad71635896014f1
+SHA-1                : 5585e6fb94eace1bd37da9a0a2f928e992d7c60c
+Bundle Name          : Hex Fiend
+Bundle Version       : 170205
+Bundle Version Str   : 2.5
+Download Referrer URL: http://ridiculousfish.com/hexfiend/
+Download URL         : http://ridiculousfish.com/hexfiend/files/Hex_Fiend_2.5.dmg
+Download Timestamp   : 2017/06/29 12:52:16 -0400
+Download Agent       : com.google.Chrome
+Type                 : Executable (x86-64)
+Code-signed          : Yes
+Rule                 : Whitelisted (Unknown)
+Signing Chain:
+     1. SHA-256             : ba1be5d2d60a43658a0c6ebf61b577e428439b53ef2e0b96ba90285e2c82a1b2
+        SHA-1               : 8fdbf6d6c22a97c472fb4961b7733ab0d8830ff7
+        Common Name         : Developer ID Application: Kevin Wojniak
+        Organization        : Kevin Wojniak
+        Organizational Unit : QK92QP33YN
+        Valid From          : 2012/10/30 01:07:40 -0400
+        Valid Until         : 2017/10/31 01:07:40 -0400
+
+     2. SHA-256             : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f
+        SHA-1               : 3b166c3b7dc4b751c9fe2afab9135641e388e186
+        Common Name         : Developer ID Certification Authority
+        Organization        : Apple Inc.
+        Organizational Unit : Apple Certification Authority
+        Valid From          : 2012/02/01 17:12:15 -0500
+        Valid Until         : 2027/02/01 17:12:15 -0500
+
+     3. SHA-256             : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
+        SHA-1               : 611e5b662c593a08ff58d14ae22452d198df6c60
+        Common Name         : Apple Root CA
+        Organization        : Apple Inc.
+        Organizational Unit : Apple Certification Authority
+        Valid From          : 2006/04/25 17:40:36 -0400
+        Valid Until         : 2035/02/09 16:40:36 -0500
+```
+
+Any of the desired information can be targeted with the `--key` flag
+
+```sh
+⇒  santactl fileinfo /Applications/Hex\ Fiend.app --key SHA-256
+efaf88db065beae61615f6f176c11c751555d2bad3c5da6cdad71635896014f1
+```
+
+Multiple `--key` flags are allowed
+
+```sh
+⇒  santactl fileinfo /Applications/Hex\ Fiend.app --key SHA-256 --key Rule
+efaf88db065beae61615f6f176c11c751555d2bad3c5da6cdad71635896014f1
+Whitelisted (Unknown)
+```
+
+The `--json` flag can also be used at any point
+
+```sh
+⇒  santactl fileinfo /Applications/Hex\ Fiend.app --key SHA-256 --key Rule --json
+{
+  "SHA-256" : "efaf88db065beae61615f6f176c11c751555d2bad3c5da6cdad71635896014f1",
+  "Rule" : "Whitelisted (Unknown)"
+}
+```
+
+Multiple files are also supported as input
+
+```sh
+⇒  santactl fileinfo /bin/* --key SHA-256 --key Rule --json
+[
+{
+  "SHA-256" : "5d8e161c21fc1a43374c4cf21be05360dbe2ecea0165fd4725ae7a958f2a0b02",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "295fbc2356e8605e804f95cb6d6f992335e247dbf11767fe8781e2a7f889978a",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "9f9b36ec79b9fcaf649e17f2f94c544dd408c2ab630e73d7c62a7a43f1bc7b1d",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "08a09d2d9bade16872acdf5da1c4e9d29582ed985480a9e73fd389e98293c40d",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "48e4b938b363201ec11d06a13d8080c1bd77187d286780259b9304c96edc5324",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "7dff6291a29fdaf97dad64c0671dc5d1ecc42189bc5daf8ca08e2a3ae06aff95",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "7cbba457df4c02d6a7fb93046fea0e869732c65a2225bee6f2e8ec290d38c57b",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "39e894d1705656451f592884a56bcc76e7ffbb9ed2a8b81d5f2878e1c0e68dbe",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "8555ed4622410aa7b4379041acabf80fe452a90efe3be2697406935ff0d6822e",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "cee3e29089f8919ee904328904a7492995cfa398b027857fbf8b3e601397b308",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "da2cfa9fc2cabd41907f9d0931cea79000a19520fe0b3d73fc40537408730e40",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "73aee02c4761e5501b1fdfa51ccd316bf735017a5cc0a09d5bcc46f4e7112be9",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "3a1c4ca5a038b42b1fbfca6f9bec25d307a8af40afbe9c48b307372fe8167a2f",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "9dc8e1c5b6ec49602dd968eb88286e330220233f7cfa6e73fd37fc983a365084",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "78fd9b8749c2a216ca76ff4541754d4cf5a5e2e8c00710a85c3fdab171486f92",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "c4daaf12bd42adee60549872126e15186c75d89e760f078bfa6a45a861f6400f",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "9dba1cbb01bce47a9610a40cbcbc27704a754e31a889503eb0670c3a25f7ad72",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "a5ae86cd413589d9661fc604349fb153c0d6f5dfa3d9e95e01b8bc5e09bc1da1",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "a5ae86cd413589d9661fc604349fb153c0d6f5dfa3d9e95e01b8bc5e09bc1da1",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "c4c5517ff40a33006028853a19734d8cda8e2942cb9ba27b8310e07f18677487",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "a944b104742db59204b45f1dae657bd6a845ff2374e1ade3cf9f09cc428154cf",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "09e143cf3b6c4dcc98676cc45543613b83b6527b502d4dacb42b3f6c7036ef5a",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "47cea771e93aff464f1060a6a1a2c3855401e6cd22c3971b2b76fae92e8c33b4",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "5682f15628ae15e5c29aa37f19ec421bbe4aca47734864b6363b73a16f891888",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "83c29a2445d84daf51eebd51668753fb39600a136efc20aba7298a812b44974c",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "83929910d3cd2c401636337fadc747a9a8ea6c174bfd80f1e96b99d877ddfa6e",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "cccd818698aa802b116586a773643d0b951067dea8284304acaae62ac97b362b",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "2bf2d10a7529a88d340ce0255da52dbef9873ccb44e46d23af03abf70b8e54ca",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "956f2dc7ba31663dd3a9b70e84e6a2491980165426b90cacd10db4bd010c3353",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "da1a3ae959751b211928f175f6c8987408a976be44690022c92d45ef5a8cb6e5",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "1e51209ae4549a72432ad504341c0731a282b33ba99c5f7f4e2abc9993e09b0a",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "7dff6291a29fdaf97dad64c0671dc5d1ecc42189bc5daf8ca08e2a3ae06aff95",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "5d8e161c21fc1a43374c4cf21be05360dbe2ecea0165fd4725ae7a958f2a0b02",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "83929910d3cd2c401636337fadc747a9a8ea6c174bfd80f1e96b99d877ddfa6e",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "17372eafbe9e920d5715a9cffa59f881ef4ed949785c1e2adf9c067d550dbde6",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "b1834d55b76c65d57cef1219a30331452301e84b6e315f2a17e5b5b295ce1648",
+  "Rule" : "Whitelisted (Certificate)"
+}
+]
+```
+
+Recursive lookups of an application or directory is a soon to be added feature
+
+```sh
+⇒  santactl fileinfo --recursive /Applications/Santa.app --key SHA-256 --key Rule --key Type --json
+[
+{
+  "SHA-256" : "c149c10c83abaf6b602401106f098b68d47a1a433ab02455cef2ca8057cf4a82",
+  "Type" : "Unknown",
+  "Rule" : "Whitelisted (Scope)"
+},
+{
+  "SHA-256" : "c339c3e5e04c732ae493dbc4a26d18fccc8bb48cea0cc0762ccd8754ef318a0b",
+  "Type" : "Unknown",
+  "Rule" : "Whitelisted (Scope)"
+},
+{
+  "SHA-256" : "6ee757ab65d7c93e8b6a467b44cd2f0d10b6db7da8b6200e778c3ca279ea5619",
+  "Type" : "Executable (x86-64)",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "82502191c9484b04d685374f9879a0066069c49b8acae7a04b01d38d07e8eca0",
+  "Type" : "Unknown",
+  "Rule" : "Whitelisted (Scope)"
+},
+{
+  "SHA-256" : "9814019f865a540d3635012a75db932eaefc9a62468750f2294350690430aadf",
+  "Type" : "Unknown",
+  "Rule" : "Whitelisted (Scope)"
+},
+{
+  "SHA-256" : "05a9c9dbbf0a7a30f083e3dccd8db3d96845e0644930977b4e284c65083b89ac",
+  "Type" : "Unknown",
+  "Rule" : "Whitelisted (Scope)"
+},
+{
+  "SHA-256" : "e1db8fdffc5017684f962c51fad059dcaa06ab5d551186aa85711f80b727d23d",
+  "Type" : "Unknown",
+  "Rule" : "Whitelisted (Scope)"
+}
+]
+```
+
+##### rule
+
+The rule command is covered in the [rules.md](rules.md) document.
+
+##### sync
+
+The sync command is covered in the [syncing.md](syncing.md) document.
+
+##### Debug Commands
+
+There are a few commands that are not included in the release versions of Santa. They are mainly used during development and only accessible with a debug build of Santa.
+
+##### bundleinfo
+
+This prints info about all of the executable Mach-O files within a bundle. It also prints the calculated bundle hash for that particular bundle. A bundle hash is a notion used by Santa to represent a set of binaries.
+
+```sh
+⇒  santactl bundleinfo /Applications/Hex\ Fiend.app
+Hashing time: 12 ms
+4 events found
+BundleHash: 33da3e2d5e2ccbdb9d34fb9753c2c18805e6325853d2fb4eb947915c90113efc
+BundleID: com.ridiculousfish.HexFiend
+	SHA-256: e592a7c65f803675c0b7d55ab7d2a1a2696c9f097a99dc28a4083d7387e53d95
+	Path: /Applications/Hex Fiend.app/Contents/Library/LaunchServices/com.ridiculousfish.HexFiend.PrivilegedHelper
+BundleID: com.ridiculousfish.HexFiend
+	SHA-256: ce23d39a1a8ff2b42baad5a0204b24b57590bb7ff74c9552b3ba10d9c1517279
+	Path: /Applications/Hex Fiend.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate
+BundleID: com.ridiculousfish.HexFiend
+	SHA-256: efaf88db065beae61615f6f176c11c751555d2bad3c5da6cdad71635896014f1
+	Path: /Applications/Hex Fiend.app/Contents/MacOS/Hex Fiend
+BundleID: com.ridiculousfish.HexFiend
+	SHA-256: 148d6ae55176b619e5eb9f5000922b3ca4c126206fc5782f925d112027f9db3c
+	Path: /Applications/Hex Fiend.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop
+```
+
+See the [santabs.md](santabs.md) document for more information on bundles and bundle hashes.
+
+##### checkcache
+
+This is used to check if a particular file is apart of santa-driver's kernel cache. Mainly for debugging purposes.
+
+```sh
+⇒  santactl checkcache /usr/bin/yes
+File does not exist in cache
+⇒  /usr/bin/yes
+y
+y
+y
+y
+y
+^C
+⇒  santactl checkcache /usr/bin/yes
+File exists in [whitelist] kernel cache
+```
+
+##### flushcache
+
+This can be used to flush santa-driver's kernel cache, as shown here.
+
+```sh
+⇒  santactl checkcache /usr/bin/yes
+File exists in [whitelist] kernel cache
+⇒  sudo santactl flushcache
+Cache flush requested
+⇒  santactl checkcache /usr/bin/yes
+File does not exist in cache
+```

Docs/details/santad.md

@@ -0,0 +1,23 @@
+# santad
+
+The santad process does the heavy lifting when it comes to making decisions about binary executions. It also handles brokering all of the XPC connections between the various components of Santa. It does all of this with performance being at the forefront. 
+
+##### A note on performance
+
+On an idling machine, santad and the other components of Santa consume virtually no CPU and a minimal amount of memory (5-50MB). When lots of processes `execve()` at the same time, the CPU and memory usage can spike. All of the `execve()` decisions are made on high priority threads to ensure decisions are posted back to the kernel as soon as possible. A watchdog thread will log warnings when sustained high CPU (>20%) and memory (>250MB) usage by santad is detected.
+
+##### On Launch
+
+The very first thing santad does once it has been launched is to load and connect to santa-driver. Only one connection may be active at any given time.
+
+At this point, santa-driver is loaded and running in the kernel, but is allowing all executions and not sending any messages to santad. Before santad tells santa-driver it is ready to receive messages, it needs to setup a few more things:
+
+* The rule and event databases are initialized
+* Connections to Santa (GUI) and santactl sync daemon are established. 
+* The config file is processed.
+
+santad is now ready to start processing decision and logging messages from santa-driver. The listeners are started and santad sits in a run loop awaiting messages from santa-driver. 
+
+##### Running
+
+Messages are read from a shared memory queue (`IODataQueueMemory` ) on a single thread. A callback is invoked for each message. The callback then dispatches all the work of processing a decision message to a concurrent high priority queue. The log messages are dispatched to a low priority queue for processing.

Docs/details/scopes.md

@@ -0,0 +1,27 @@
+# Scopes
+
+In addition to rules, Santa can whitelist or blacklist based on scopes. Currently, only a few scopes are implemented. They fall into one of two categories: a whitelist scope or blacklist scope. Scopes are evaluated after rules, with blacklist evaluation preceding whitelist.
+
+Scopes are a broader way of whitelisting or blacklisting `execve()`s.
+
+For configuration of scopes see [configuration.md](../deployment/configuration.md).
+
+##### Blacklist Scopes
+
+| Scope                | Configurable |
+| -------------------- | ------------ |
+| Blacklist Path Regex | Yes          |
+| Missing __PAGEZERO   | Yes          |
+
+##### Whitelist Scopes
+
+| Scope                | Configurable |
+| -------------------- | ------------ |
+| Whitelist Path Regex | Yes          |
+| Not a Mach-O         | No           |
+
+As seen above, Santa will whitelist any non Mach-O binary under a whitelist scope. However, a blacklist regex or binary SHA-256 rule can be used to block non Mach-O `execve()`s since they are evaluated before the whitelist scopes.
+
+##### Regex Caveats
+
+The paths covered by the whitelist and blacklist regex patterns are not tracked. If an `execve()` is allowed initially, then moved into a blacklist directory, Santa has no knowledge of that move. Since santa-driver caches decisions, the recently moved file will continue to be allowed to `execve()` even though it is now within a blacklisted regex path. The cache holds "allow" decisions until invalidated and "deny" decisions for 500 milliseconds. Going from a blacklist path to a whitelist path is not largely affected.

Docs/development/building.md

@@ -0,0 +1,108 @@
+
+
+# Building
+
+Santa makes use of [rake](https://ruby.github.io/rake/) for building and testing Santa. All of the [releases](https://github.com/google/santa/releases) are made using this same process. Santa's releases are codesigned with Google's KEXT signing certificate. This allows Santa to be loaded with SIP fully enabled.
+
+#### Cloning
+
+Clone the source and change into the directory.
+
+```sh
+git clone https://github.com/google/santa
+cd santa
+```
+
+The above command will default to using the `master` branch. If you wanted to build, run or test a specific version of Santa use this command.
+
+```sh
+git checkout <version, i.e. 0.9.19>
+```
+
+#### Building
+
+Build a debug version of Santa. This keeps all the debug symbols, adds additional logs and does not optimize the compiled output. For speed sensitive tests make sure to benchmark a release version too.
+
+```sh
+rake build:debug
+```
+
+Build a release version of Santa.
+
+```sh
+rake build:release
+```
+
+Both of these just output the binaries that makeup Santa in the default Xcode build location. To actually run  what was built, see the next section.
+
+#### Running
+
+On macOS 10.11+ System Integrity Protection (SIP) prevents loading of kernel extensions that are not signed by an Apple KEXT signing certificate. To be able to load and test a non-release version of Santa, SIP will have to be configured to allow non-Apple KEXT signing certificates.
+
+__This is only to be done a machine that is actively developing, unloading and loading kernel extensions.__
+
+1. Boot into Recovery Mode: Reboot and hold down `command+r`
+2. From the utilities menu select `Terminal`
+3. Disable the KEXT feature of SIP: `csrutil enable --without kext`
+4. Reboot
+
+You should now be able to load and run a non-release version of Santa.
+
+Build and run a debug version of Santa.
+
+```sh
+rake reload:debug
+```
+
+Build and run a release version of Santa.
+
+```sh
+rake reload:release
+```
+
+#### Debugging
+
+Xcode and lldb can be used to debug Santa, just like any other project. Instead of clicking the play button to launch and attach to a process, you can attach to an already running, or soon to by running, component of Santa. To do this select the Debug menu and choose `Attach to Process by PID or Name… `. Below are the four components of Santa and who to debug the process as. 
+
+Note: santa-driver (the kernel extension) cannot be debugged by attaching with Xcode.
+
+Note: Xcode can attach to santad without interruption, however any breakpoints in the decision making codepath can deadlock the machine. Using lldb directly to attach to santad will deadlock the machine.
+
+| process  | user |
+| -------- | ---- |
+| santad   | root |
+| Santa*   | me   |
+| santactl | me   |
+| santabs  | root |
+
+Xcode will then wait for the process to start. Issue this command to restart all the Santa processes in debug mode.
+
+*The Santa (GUI) process is the only component of Santa that can be launched and debugged from Xcode directly. All the other components are launched with privileges and/or are scoped to an XPC service that launchd scopes to a hosting bundle. Thus the need for the `Attach to Process by PID or Name…` technique.  See the [ipc](../details/ipc.md) document for for details.
+
+```sh
+rake reload:debug
+```
+
+Now the process is attached in Xcode and you can debug your day away.
+
+#### Tests
+
+Run all the logic / unit tests
+
+```sh
+rake tests:logic
+```
+
+Run all of santa-driver kernel extension tests
+
+```sh
+rake tests:kernel
+```
+
+#### Releases
+
+Creates a release build of Santa with a version based of the newest tag. Also saves the dsym files for each component of Santa. This makes debugging and interpreting future crashes or kernel panics much easier.
+
+```sh
+rake dist
+```

Docs/index.md

@@ -0,0 +1,46 @@
+# Welcome to the Santa Docs
+
+Santa is a binary whitelisting / blacklisting system for macOS. Here you will find the documentation for understanding how Santa works, how to deploy it and how to contribute.
+
+#### Introduction
+
+The following documents give an overview of how Santa accomplishes binary whitelisting / blacklisting at the enterprise scale.
+
+- [Binary Whitelisting](introduction/binary-whitelisting-overview.md): How Santa makes allow or deny decisions for any `execve()` taking place.
+- [Syncing](introduction/syncing-overview.md): How configuration and whitelist / blacklist rules are applied from a sync server.
+
+#### Deployment
+
+* [Configuration](deployment/configuration.md): The local and sync server configuration options.
+
+#### Development
+
+* [Building Santa](development/building.md): How to build and load Santa for testing on a development machine.
+* [Contributing](../CONTRIBUTING.md): How to contribute a bug fix or new feature to Santa.
+
+#### Details
+
+For those who want even more details on how Santa works under the hood, this section is for you.
+
+###### Binaries
+
+There are five main components that make up Santa whose core functionality is described in snippets below. For additional detail on each component, visit their respective pages. These quick descriptions do not encompass all the jobs performed by each component, but do provide a quick look at the basic functionality utilized to achieve the goal of binary whitelisting / blacklisting.
+
+* [santa-driver](details/santa-driver.md): A macOS kernel extension that participates in `execve()` decisions.
+* [santad](details/santad.md): A user-land root daemon that makes decisions on behalf of santa-driver requests.
+* [santactl](details/santactl.md): A user-land anonymous daemon that communicates with a sync server for configurations and policies. santactl can also be used by a user to manually configure Santa when using the local configuration.
+* [santa-gui](details/santa-gui.md): A user-land GUI daemon that displays notifications when an `execve()` is blocked.
+* [santabs](details/santabs.md): A user-land root daemon that finds Mach-O binaries within a bundle and creates events for them. 
+
+###### Concepts
+
+Additional documentation on the concepts that support the operation of the main components:
+
+* [mode](details/mode.md): An operating mode, either Monitor or Lockdown.
+* [events](details/events.md): Represents an `execve()` that was blocked, or would have been blocked, depending on the mode.
+* [rules](details/rules.md): Represents allow or deny decisions for a given `execve()`. Can either be a binary's SHA-256 hash or a leaf code-signing certificate's SHA-256 hash.
+* [scopes](details/scopes.md): The level at which an `execve()` was allowed or denied from taking place.
+* [syncing](introduction/syncing-overview.md): How Santa communicates with a TLS server for configuration, rules and event uploading.
+* [ipc](details/ipc.md): How all the components of Santa communicate.
+  duction/syncing-overview.
+* [logs](details/logs.md): What and where Santa logs.

Docs/introduction/binary-whitelisting-overview.md

@@ -0,0 +1,31 @@
+# Binary Whitelisting Overview
+
+#### Background
+
+The decision flow starts in the kernel. The macOS kernel is extensible by way of a kernel extension (KEXT). macOS makes available kernel programming interfaces (KPIs) to be used by a KEXT. Santa utilizes the Kernel Authorization (Kauth) KPI. This is a very powerful and verbose interface that gives Santa the ability to listen in on most vnode and file systems operations and to take actions, directly or indirectly, on the operations being performed. Still, there are some limitations to Kauth which are pointed out in the santa-driver document. For more information on the santa-driver KEXT see the [santa-driver.md](../details/santa-driver.md) document.
+
+#### Flow of an execve()
+
+This is a high level overview of the binary whitelisting / blacklisting decision process. For a more detailed account of each part, see the respective documentation. This flow does not cover the logging component of Santa, see the [logs.md](../details/logs.md) documentation for more info.
+
+###### Kernel Space
+
+0. santa-driver registers itself as a `KAUTH_SCOPE_VNODE` listener. This flow follows how santa-driver handles `KAUTH_VNODE_EXECUTE` events.
+1. A santa-driver Kauth callback function is executed by the kernel when a process is trying to `execve()`. In most cases, the `execve()` takes place right after a process calls `fork()` to start a new process. This function is running on a kernel thread representing the new process. Information on where to find the executable is provided. This information is known as the `vnode_id`.
+2. santa-driver then checks if its cache has an allow or deny entry for the `vnode_id`. If so it returns that decision to the Kauth KPI. 
+   * If Kauth receives a deny, it will stop the `execve()` from taking place. 
+   * If Kauth receives an allow, it will defer the decision. If there are other Kauth listeners, they also have a chance deny or defer.
+3. If there is no entry for the `vnode_id` in the cache a few actions occur:
+   * santa-driver hands off the decision making to santad.
+   * A new entry is created in the cache for the `vnode_id` with a special value of `ACTION_REQUEST_BINARY`.  This is used as a placeholder until the decision from santad comes back. If another process tries to `execve()` the same `vnode_id`, santa-driver will have that thread wait for the in-flight decision from santad. All subsequent `execve()`s for the same `vnode_id` will use the decision in the cache as explained in #2, until the cache is invalidated. See the [santa-driver.md](../details/santa-driver.md) document for more details on the cache invalidation.
+   * If the executing file is written to while any of the threads are waiting for a response the `ACTION_REQUEST_BINARY` entry is removed, forcing the decision-making process to be restarted.
+
+###### User Space
+
+1. santad is listening for decision requests from santa-driver.
+   * More information is collected about the executable that lives at the `vnode_id`. Since this codepath has a sleeping kernel thread waiting for a decision, extra care is taken to be as performant as possible.
+2. santad uses the information it has gathered to make a decision to allow or deny the `execve()`. There are more details on how these decisions are made in the [rules.md](../details/rules.md) and [scopes.md](../details/scopes.md) documents.
+3. The decision is posted back to santa-driver.
+4. If there was a deny decision, a message is sent to Santa GUI to display a user popup notification.
+
+

Docs/introduction/syncing-overview.md

@@ -0,0 +1,27 @@
+# Syncing Overview
+
+#### Background
+
+Santa can be run and configured without a sync server. Doing so will enable an admin to configure rules with the `santactl rule` command. Using a sync server will enable an admin to configures rules and multiple other settings from the sync server itself. Santa was designed from the start with a sync server in mind. This allows an admin to easily configure and sync rules across a fleet of macOS systems. This document explains the syncing process.
+
+#### Flow of a full sync
+
+This is a high level overview of the syncing process. For a more a more detailed account of each part, see the respective documentation. The santaclt binary can be run in one of two modes, daemon and non-daemon. The non-daemon mode does one full sync and exits. This is the typical way a user will interact with Santa, mainly to force a full sync. The daemon mode is used by santad to schedule full syncs, listen for push notifications and upload events.
+
+0. When the santad process starts up, it looks for a `SyncBaseURL` key/value in the config. If one exists it will `fork()` and `execve()` `santactl sync —-daemon`. Before the new process calls `execve()`, all privileges are dropped. All privileged actions are then restricted to the XPC interface made available to santactl by santad. Since this santactl process is running as a daemon it too exports an XPC interface so santad can interact with the process efficiently and securely. To ensure syncing reliability santad will restart the santactl daemon if it is killed or crashes.
+1. The santactl daemon process now schedules a full sync for 15 sec in the future. The 15 sec is used to let santad settle before santactl starts sending rules from the sync server to process.
+2. The full sync starts. There are a number of stages to a full sync:
+   1. preflight: The sync server can set various settings for Santa.
+   2. logupload (optional): The sync server can request that the Santa logs be uploaded to an endpoint.
+   3. eventupload (optional): If Santa has generated events, it will upload them to the sync-server.
+   4. ruledownload: Download rules from the sync server.
+   5. postflight: Updates timestamps for successful syncs.
+3. After the full sync completes a new full sync will be scheduled, by default this will be 10min. However there are a few ways to manipulate this:
+   1. The sync server can send down a configuration in the preflight to override the 10min interval. It can be anything greater than 10min.
+   2. Firebase Cloud Messaging (FCM) can be used. The sync server can send down a configuration in the preflight to have the santactl daemon to start listening for FCM messages. If a connection to FCM is made, the full sync interval drops to a default of 4 hours. This can be further configured by a preflight configuration. The FCM connection allows the sync-sever to talk directly with Santa. This way we can reduce polling the sync server dramatically.
+4. Full syncs will continue to take place at their configured interval. If configured FCM messages will continue to be digested and acted upon.
+
+#### santactl XPC interface
+
+When running as a daemon, the santactl process makes available an XPC interface for use by santad. This allows santad to send blocked binary or bundle events directly to santactl for immediate upload to the sync-server, enabling a smoother user experience. The binary that was blocked on macOS is immediately available for viewing or handling on the sync-server.
+

Docs/theme/Santa.css

@@ -0,0 +1,3 @@
+.wy-side-nav-search {
+  background-color: rgb(253, 67, 69);
+}

Podfile

@@ -2,47 +2,58 @@ platform :osx, "10.9"
 
 inhibit_all_warnings!
 
-def mol_pods
+target :Santa do
   pod 'MOLCertificate'
   pod 'MOLCodesignChecker'
+  pod 'MOLXPCConnection'
 end
 
-def fmdb_pod
+target :santad do
   pod 'FMDB'
+  pod 'MOLCertificate'
+  pod 'MOLCodesignChecker'
+  pod 'MOLXPCConnection'
+  target :santabs do
+    pod 'FMDB'
+    pod 'MOLCertificate'
+    pod 'MOLCodesignChecker'
+    pod 'MOLXPCConnection'
+  end
+end
 
-  # This is necessary to get FMDB to not NSLog stuff.
-  post_install do |installer|
-    installer.pods_project.targets.each do |target|
-      target.build_configurations.each do |config|
-        if config.name != 'Release' then
-          break
-        end
+target :santactl do
+  pod 'FMDB'
+  pod 'MOLAuthenticatingURLSession'
+  pod 'MOLCertificate'
+  pod 'MOLCodesignChecker'
+  pod 'MOLFCMClient', '~> 1.3'
+  pod 'MOLXPCConnection'
+end
 
-        config.build_settings['GCC_PREPROCESSOR_DEFINITIONS'] ||= ''
-        config.build_settings['GCC_PREPROCESSOR_DEFINITIONS'] <<= "NDEBUG=1"
+target :LogicTests do
+  pod 'FMDB'
+  pod 'MOLAuthenticatingURLSession'
+  pod 'MOLCertificate'
+  pod 'MOLCodesignChecker'
+  pod 'MOLXPCConnection'
+  pod 'OCMock'
+end
+
+post_install do |installer|
+  installer.pods_project.targets.each do |target|
+    target.build_configurations.each do |config|
+      if config.name != 'Release' then
+        break
       end
+
+      # This is necessary to get FMDB to not NSLog stuff.
+      config.build_settings['GCC_PREPROCESSOR_DEFINITIONS'] ||= ''
+      config.build_settings['GCC_PREPROCESSOR_DEFINITIONS'] <<= "NDEBUG=1"
+
+      # Enable more compiler optimizations.
+      config.build_settings['GCC_OPTIMIZATION_LEVEL'] = 'fast'
+      config.build_settings['LLVM_LTO'] = 'YES'
     end
   end
 end
 
-target :Santa do
-  mol_pods
-end
-
-target :santad do
-  mol_pods
-  fmdb_pod
-end
-
-target :santactl do
-  mol_pods
-  fmdb_pod
-  pod 'MOLAuthenticatingURLSession'
-end
-
-target :LogicTests do
-  mol_pods
-  fmdb_pod
-  pod 'MOLAuthenticatingURLSession'
-  pod 'OCMock'
-end

Podfile.lock

@@ -1,28 +1,36 @@
 PODS:
-  - FMDB (2.6.2):
-    - FMDB/standard (= 2.6.2)
-  - FMDB/standard (2.6.2)
-  - MOLAuthenticatingURLSession (1.6):
-    - MOLCertificate (~> 1.3)
-  - MOLCertificate (1.4)
-  - MOLCodesignChecker (1.5):
-    - MOLCertificate (~> 1.3)
-  - OCMock (3.3)
+  - FMDB (2.7.2):
+    - FMDB/standard (= 2.7.2)
+  - FMDB/standard (2.7.2)
+  - MOLAuthenticatingURLSession (2.4):
+    - MOLCertificate (~> 1.8)
+  - MOLCertificate (1.8)
+  - MOLCodesignChecker (1.10):
+    - MOLCertificate (~> 1.8)
+  - MOLFCMClient (1.7):
+    - MOLAuthenticatingURLSession (~> 2.4)
+  - MOLXPCConnection (1.1):
+    - MOLCodesignChecker (~> 1.9)
+  - OCMock (3.4.1)
 
 DEPENDENCIES:
   - FMDB
   - MOLAuthenticatingURLSession
   - MOLCertificate
   - MOLCodesignChecker
+  - MOLFCMClient (~> 1.3)
+  - MOLXPCConnection
   - OCMock
 
 SPEC CHECKSUMS:
-  FMDB: 854a0341b4726e53276f2a8996f06f1b80f9259a
-  MOLAuthenticatingURLSession: f956240458fb24b61e5607d735948dc9babfb4e3
-  MOLCertificate: da0bfeb5fa968bb4ac284569fa3f7d5f8f7abe23
-  MOLCodesignChecker: fc9c64147811d7b0d0739127003e0630dff9213a
-  OCMock: d68685bde31f69cb61d518dcb39269080c78b5ed
+  FMDB: 6198a90e7b6900cfc046e6bc0ef6ebb7be9236aa
+  MOLAuthenticatingURLSession: c238aa1c9a7b1077eb39a6f40204bfe76a7d204e
+  MOLCertificate: c999513316d511c69f290fbf313dfe8dca4ad592
+  MOLCodesignChecker: b0d5db9d2f9bd94e0fd093891a5d40e5ad77cbc0
+  MOLFCMClient: ee45348909351f232e2759c580329072ae7e02d4
+  MOLXPCConnection: de9d5535928f59766a768384e411077b83ec2f9c
+  OCMock: 2cd0716969bab32a2283ff3a46fd26a8c8b4c5e3
 
-PODFILE CHECKSUM: 3a8673334ffd78cdbd6576c85e6635248eb1b504
+PODFILE CHECKSUM: ddca043a7ace9ec600c108621c56d13a50d17236
 
-COCOAPODS: 1.0.0
+COCOAPODS: 1.4.0

README.md

@@ -1,4 +1,6 @@
-Santa  [![Build Status](https://travis-ci.org/google/santa.png?branch=master)](https://travis-ci.org/google/santa)
+Santa
+[![Build Status](https://travis-ci.org/google/santa.png?branch=master)](https://travis-ci.org/google/santa)
+[![Documentation Status](https://readthedocs.org/projects/santa/badge/?version=latest)](https://santa.readthedocs.io/en/latest/?badge=latest)
 =====
 
 <p align="center">
@@ -7,34 +9,65 @@ Santa  [![Build Status](https://travis-ci.org/google/santa.png?branch=master)](h
 </a>
 </p>
 
-Santa is a binary whitelisting/blacklisting system for OS X. It consists of
+Santa is a binary whitelisting/blacklisting system for macOS. It consists of
 a kernel extension that monitors for executions, a userland daemon that makes
 execution decisions based on the contents of a SQLite database, a GUI agent that
 notifies the user in case of a block decision and a command-line utility for
 managing the system and synchronizing the database with a server.
 
-Santa is not yet a 1.0. We're writing more tests, fixing bugs, working on TODOs
+Santa is not yet at 1.0. We're writing more tests, fixing bugs, working on TODOs
 and finishing up a security audit.
 
-Santa is named because it keeps track of binaries that are naughty and nice.
+It is named Santa because it keeps track of binaries that are naughty or nice.
 
 Santa is a project of Google's Macintosh Operations Team.
 
-Features
+Docs
+========
+The Santa docs are stored in the [Docs](https://github.com/google/santa/blob/master/Docs) directory. A Read the Docs instance is available here: https://santa.readthedocs.io.
+
+Admin-Related Features
 ========
 
-* Multiple modes: MONITOR and LOCKDOWN. In MONITOR mode all binaries except
-those marked as blacklisted will be allowed to run, whilst being logged and
-recorded in the database. In LOCKDOWN mode, only whitelisted binaries are
+* Multiple modes: In the default MONITOR mode, all binaries except 
+those marked as blacklisted will be allowed to run, whilst being logged and recorded in the events database. In LOCKDOWN mode, only whitelisted binaries are
 allowed to run.
 
-* Codesign listing: Binaries can be whitelisted/blacklisted by their signing
-certificate, so you can trust/block all binaries by a given publisher. The
-binary will only be whitelisted by certificate if its signature validates
-correctly. However, a decision for a binary will override a decision for a
-certificate; i.e. you can whitelist a certificate while blacklisting a binary
-signed by that certificate or vice-versa.
+* Event logging: When the kext is loaded, all binary launches are logged.
+When in either mode, all unknown or denied binaries are stored in the database to enable later aggregation.
 
+* Certificate-based rules, with override levels: Instead of relying on a binary's hash (or 'fingerprint'), executables can be whitelisted/blacklisted by their signing
+certificate. You can therefore trust/block all binaries by a given publisher that were signed with that cert across version updates. A
+binary can only be whitelisted by its certificate if its signature validates
+correctly, but a rule for a binary's fingerprint will override a decision for a
+certificate; i.e. you can whitelist a certificate while blacklisting a binary
+signed with that certificate, or vice-versa.
+
+* Path-based rules (via NSRegularExpression/ICU): This allows a similar feature to that found in Managed Client (the precursor to configuration profiles, which used the same implementation mechanism), Application Launch Restrictions via the mcxalr binary. This implementation carries the added benefit of being configurable via regex, and not relying on LaunchServices. As detailed in the wiki, when evaluating rules this holds the lowest precendence.
+
+* Failsafe cert rules: You cannot put in a deny rule that would block the certificate used to sign launchd, a.k.a. pid 1, and therefore all components used in macOS. The binaries in every OS update (and in some cases entire new versions) are therefore auto-whitelisted. This does not affect binaries from Apple's App Store, which use various certs that change regularly for common apps. Likewise, you cannot blacklist Santa itself, and Santa uses a distinct separate cert than other Google apps.
+
+Intentions and Expectations
+===========================
+No single system or process will stop *all* attacks, or provide 100% security.
+Santa is written with the intention of helping protect users from themselves.
+People often download malware and trust it, giving the malware credentials, or
+allowing unknown software to exfiltrate more data about your system. As a
+centrally managed component, Santa can help stop the spread of malware among a
+large fleet of machines. Independently, Santa can aid in analyzing what is
+running on your computer.
+
+Santa is part of a defense-in-depth strategy, and you should continue to protect
+hosts in whatever other ways you see fit.
+
+Get Help
+========
+If you have questions or otherwise need help getting started, the
+[santa-dev](https://groups.google.com/forum/#!forum/santa-dev) group is a
+great place. Please consult the [wiki](https://github.com/google/santa/wiki) and [issues](https://github.com/google/santa/issues) as well.
+
+Security and Performance-Related Features
+============
 * In-kernel caching: whitelisted binaries are cached in the kernel so the
 processing required to make a request is only done if the binary
 isn't already cached.
@@ -44,42 +77,17 @@ daemon, the GUI agent and the command-line utility) communicate with each other
 using XPC and check that their signing certificates are identical before any
 communication is accepted.
 
-* Event logging: all executions processed by the userland agent are logged and
-all unknown or denied binaries are also stored in the database for upload to a
-server.
-
 * Kext uses only KPIs: the kernel extension only uses provided kernel
 programming interfaces to do its job. This means that the kext code should
 continue to work across OS versions.
 
-Intentions and Expectations
-===========================
-No single system or process will stop *all* attacks, or provide 100% security.
-Santa is written with the intention of helping protect users from themselves.
-People often download malware and trust it, giving the malware credentials, or
-allowing unknown software to exfiltrate more data about your system. As a
-centrally managed component, Santa can help stop the spread of malware among a
-larger fleet of machines. Additionally, Santa can aid in analyzing what is
-running in your fleet.
-
-Santa is part of a defense-in-depth strategy, and you should continue to protect
-hosts in whatever other ways you see fit.
-
-Get Help
-========
-
-If you have questions or need help getting started, the
-[santa-dev](https://groups.google.com/forum/#!forum/santa-dev) group is the
-best place to start.
-
 Known Issues
 ============
-Santa is not yet a 1.0 and we have some known issues to be aware of:
+Santa is not yet at 1.0 and we have some known issues to be aware of:
 
 * Santa only blocks execution (execve and variants), it doesn't protect against
-dynamic libraries loaded with dlopen, libraries on disk that have been replaced or
-libraries loaded using `DYLD_INSERT_LIBRARIES`. We are working on also protecting
-against these avenues of attack.
+dynamic libraries loaded with dlopen, libraries on disk that have been replaced, or
+libraries loaded using `DYLD_INSERT_LIBRARIES`. As of version 0.9.1 we *do* address [__PAGEZERO missing issues](b87482e) that were exploited in some versions of macOS. We are working on also protecting against similar avenues of attack.
 
 * Kext communication security: the kext will only accept a connection from a
 single client at a time and said client must be running as root. We haven't yet
@@ -89,13 +97,12 @@ found a good way to ensure the kext only accepts connections from a valid client
 only the root user can read/write it. We're considering approaches to secure
 this further.
 
-* Sync client: the command-line client includes a command to synchronize with a
-management server, including the uploading of events that have occurred on the
-machine and to download new rules. We're still very heavily working on this
-server (which is AppEngine-based and will be open-sourced in the future), so the
-sync client code is unfinished. It does show the 'API' that we're expecting to
-use so if you'd like to write your own management server, feel free to look at
-how the client currently works (and suggest changes!)
+* Sync client: The `santactl` command-line client includes a flag to synchronize with a management server, which uploads events that have occurred on the
+machine and downloads new rules. There are several open-source servers you can sync with:
+
+    * [Upvote](https://github.com/google/upvote) - An AppEngine-based server that implements social voting to make managing a large fleet easier.
+    * [Moroz](https://github.com/groob/moroz) - A simple golang server that serves hardcoded rules from simple configuration files.
+    * [Zentral](https://github.com/zentralopensource/zentral/wiki) - A centralized service that pulls data from multiple sources and deploy configurations to multiple services.
 
 * Scripts: Santa is currently written to ignore any execution that isn't a
 binary. This is because after weighing the administration cost vs the benefit,
@@ -104,7 +111,7 @@ of temporary generated scripts, which we can't possibly whitelist and not doing
 so would cause problems. We're happy to revisit this (or at least make it an
 option) if it would be useful to others.
 
-* Documentation: There currently isn't any.
+* Documentation: This is currently limited.
 
 * Tests: There aren't enough of them.
 
@@ -119,6 +126,7 @@ A tool like Santa doesn't really lend itself to screenshots, so here's a video i
 
 Building
 ========
+
 ```sh
 git clone https://github.com/google/santa
 cd santa
@@ -134,9 +142,11 @@ rake build:debug
 Note: the Xcode project is setup to use any installed "Mac Developer" certificate
 and for security-reasons parts of Santa will not operate properly if not signed.
 
+For more details on building see the [building.md](https://github.com/google/santa/blob/master/Docs/development/building.md) document.
+
 Kext Signing
 ============
-Kernel extensions on OS X 10.9 and later must be signed using an Apple-provided
+Kernel extensions on macOS 10.9 and later must be signed using an Apple-provided
 Developer ID certificate with a kernel extension flag. Without it, the only way
 to load an extension is to enable kext-dev-mode or disable SIP, depending on the
 OS version.

Rakefile

@@ -1,11 +1,14 @@
+require 'openssl'
+
 WORKSPACE           = 'Santa.xcworkspace'
 DEFAULT_SCHEME      = 'All'
 OUTPUT_PATH         = 'Build'
-DIST_PATH           = 'Dist'
 BINARIES            = ['Santa.app', 'santa-driver.kext']
 DSYMS               = ['Santa.app.dSYM', 'santa-driver.kext.dSYM', 'santad.dSYM', 'santactl.dSYM']
 XCPRETTY_DEFAULTS   = '-sc'
 XCODEBUILD_DEFAULTS = "-workspace #{WORKSPACE} -derivedDataPath #{OUTPUT_PATH} -parallelizeTargets"
+DEVTEAM_FILE        = 'Source/DevelopmentTeam.xcconfig'
+DEVTEAM_CERT_CN     = 'Mac Developer'
 $DISABLE_XCPRETTY   = false
 
 task :default do
@@ -45,6 +48,13 @@ task :init do
     puts "xcpretty is not installed. Install with 'sudo gem install xcpretty'"
     $DISABLE_XCPRETTY = true
   end
+  cert_pem = `security find-certificate -p -c '#{DEVTEAM_CERT_CN}'`
+  cert = OpenSSL::X509::Certificate.new cert_pem
+  team_id = cert.subject.to_a.find {|f| f[0] == "OU"}[1]
+  File.open(DEVTEAM_FILE, 'w') { |f|
+    f.puts("// This file is auto-generated. Do not edit manually")
+    f.puts("DEVELOPMENT_TEAM = #{team_id}")
+  }
 end
 
 task :remove_existing do
@@ -56,7 +66,7 @@ desc "Clean"
 task :clean => :init do
   puts "Cleaning"
   FileUtils.rm_rf(OUTPUT_PATH)
-  FileUtils.rm_rf(DIST_PATH)
+  xcodebuild("-scheme All clean")
 end
 
 # Build
@@ -96,6 +106,8 @@ namespace :install do
     system 'sudo cp conf/com.google.santad.plist /Library/LaunchDaemons'
     system 'sudo cp conf/com.google.santagui.plist /Library/LaunchAgents'
     system 'sudo cp conf/com.google.santa.asl.conf /etc/asl'
+    system 'sudo cp conf/com.google.santa.newsyslog.conf /etc/newsyslog.d/'
+    system '/usr/bin/killall -HUP syslogd'
     Rake::Task['build:build'].invoke(config)
     puts "Installing with configuration: #{config}"
     Rake::Task['remove_existing'].invoke()
@@ -111,24 +123,26 @@ task :dist do
   Rake::Task['clean'].invoke()
   Rake::Task['build:build'].invoke("Release")
 
-  FileUtils.rm_rf(DIST_PATH)
+  dist_path = "santa-#{`defaults read #{xcodebuilddir}/Release/santa-driver.kext/Contents/Info.plist CFBundleVersion`.strip}"
 
-  FileUtils.mkdir_p("#{DIST_PATH}/binaries")
-  FileUtils.mkdir_p("#{DIST_PATH}/conf")
-  FileUtils.mkdir_p("#{DIST_PATH}/dsym")
+  FileUtils.rm_rf(dist_path)
+
+  FileUtils.mkdir_p("#{dist_path}/binaries")
+  FileUtils.mkdir_p("#{dist_path}/conf")
+  FileUtils.mkdir_p("#{dist_path}/dsym")
 
   BINARIES.each do |x|
-    FileUtils.cp_r("#{xcodebuilddir}/Release/#{x}", "#{DIST_PATH}/binaries")
+    FileUtils.cp_r("#{xcodebuilddir}/Release/#{x}", "#{dist_path}/binaries")
   end
 
   DSYMS.each do |x|
-    FileUtils.cp_r("#{xcodebuilddir}/Release/#{x}", "#{DIST_PATH}/dsym")
+    FileUtils.cp_r("#{xcodebuilddir}/Release/#{x}", "#{dist_path}/dsym")
   end
 
 
-  Dir.glob("Conf/*") {|x| File.directory?(x) or FileUtils.cp(x, "#{DIST_PATH}/conf")}
+  Dir.glob("Conf/*") {|x| File.directory?(x) or FileUtils.cp(x, "#{dist_path}/conf")}
 
-  puts "Distribution folder created"
+  puts "Distribution folder #{dist_path} created"
 end
 
 # Tests

Santa.xcodeproj/xcshareddata/xcschemes/All.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0720"
+   LastUpgradeVersion = "0910"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -27,7 +27,8 @@
       selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
       selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
       shouldUseLaunchSchemeArgsEnv = "YES"
-      codeCoverageEnabled = "YES">
+      codeCoverageEnabled = "YES"
+      enableAddressSanitizer = "YES">
       <Testables>
          <TestableReference
             skipped = "NO">
@@ -47,6 +48,7 @@
       buildConfiguration = "Debug"
       selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
       selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      language = ""
       launchStyle = "0"
       useCustomWorkingDirectory = "NO"
       ignoresPersistentStateOnLaunch = "NO"

Santa.xcodeproj/xcshareddata/xcschemes/KernelTests.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0720"
+   LastUpgradeVersion = "0910"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -26,6 +26,7 @@
       buildConfiguration = "Debug"
       selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
       selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      language = ""
       shouldUseLaunchSchemeArgsEnv = "YES">
       <Testables>
       </Testables>
@@ -45,6 +46,7 @@
       buildConfiguration = "Debug"
       selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
       selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      language = ""
       launchStyle = "0"
       useCustomWorkingDirectory = "NO"
       ignoresPersistentStateOnLaunch = "NO"

Santa.xcodeproj/xcshareddata/xcschemes/LogicTests.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0720"
+   LastUpgradeVersion = "0910"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -26,6 +26,7 @@
       buildConfiguration = "Debug"
       selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
       selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      language = ""
       shouldUseLaunchSchemeArgsEnv = "YES">
       <Testables>
          <TestableReference
@@ -55,6 +56,7 @@
       buildConfiguration = "Debug"
       selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
       selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      language = ""
       launchStyle = "0"
       useCustomWorkingDirectory = "NO"
       ignoresPersistentStateOnLaunch = "NO"

Santa.xcodeproj/xcshareddata/xcschemes/Santa.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0720"
+   LastUpgradeVersion = "0910"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -26,6 +26,7 @@
       buildConfiguration = "Debug"
       selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
       selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      language = ""
       shouldUseLaunchSchemeArgsEnv = "YES">
       <Testables>
       </Testables>
@@ -45,6 +46,7 @@
       buildConfiguration = "Debug"
       selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
       selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      language = ""
       launchStyle = "0"
       useCustomWorkingDirectory = "NO"
       ignoresPersistentStateOnLaunch = "NO"

Santa.xcodeproj/xcshareddata/xcschemes/santa-driver.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0720"
+   LastUpgradeVersion = "0910"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -26,6 +26,7 @@
       buildConfiguration = "Debug"
       selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
       selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      language = ""
       shouldUseLaunchSchemeArgsEnv = "YES">
       <Testables>
       </Testables>
@@ -36,6 +37,7 @@
       buildConfiguration = "Debug"
       selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
       selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      language = ""
       launchStyle = "0"
       useCustomWorkingDirectory = "NO"
       ignoresPersistentStateOnLaunch = "NO"

Santa.xcodeproj/xcshareddata/xcschemes/santabs.xcscheme

@@ -0,0 +1,82 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Scheme
+   LastUpgradeVersion = "0910"
+   version = "1.3">
+   <BuildAction
+      parallelizeBuildables = "YES"
+      buildImplicitDependencies = "YES">
+      <BuildActionEntries>
+         <BuildActionEntry
+            buildForTesting = "YES"
+            buildForRunning = "YES"
+            buildForProfiling = "YES"
+            buildForArchiving = "YES"
+            buildForAnalyzing = "YES">
+            <BuildableReference
+               BuildableIdentifier = "primary"
+               BlueprintIdentifier = "C78227531E1C3C58006EB2D6"
+               BuildableName = "santabs.xpc"
+               BlueprintName = "santabs"
+               ReferencedContainer = "container:Santa.xcodeproj">
+            </BuildableReference>
+         </BuildActionEntry>
+      </BuildActionEntries>
+   </BuildAction>
+   <TestAction
+      buildConfiguration = "Debug"
+      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
+      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      language = ""
+      shouldUseLaunchSchemeArgsEnv = "YES">
+      <Testables>
+      </Testables>
+      <AdditionalOptions>
+      </AdditionalOptions>
+   </TestAction>
+   <LaunchAction
+      buildConfiguration = "Debug"
+      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
+      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      language = ""
+      launchStyle = "0"
+      useCustomWorkingDirectory = "NO"
+      ignoresPersistentStateOnLaunch = "NO"
+      debugDocumentVersioning = "YES"
+      debugServiceExtension = "internal"
+      allowLocationSimulation = "YES">
+      <MacroExpansion>
+         <BuildableReference
+            BuildableIdentifier = "primary"
+            BlueprintIdentifier = "C78227531E1C3C58006EB2D6"
+            BuildableName = "santabs.xpc"
+            BlueprintName = "santabs"
+            ReferencedContainer = "container:Santa.xcodeproj">
+         </BuildableReference>
+      </MacroExpansion>
+      <AdditionalOptions>
+      </AdditionalOptions>
+   </LaunchAction>
+   <ProfileAction
+      buildConfiguration = "Release"
+      shouldUseLaunchSchemeArgsEnv = "YES"
+      savedToolIdentifier = ""
+      useCustomWorkingDirectory = "NO"
+      debugDocumentVersioning = "YES">
+      <MacroExpansion>
+         <BuildableReference
+            BuildableIdentifier = "primary"
+            BlueprintIdentifier = "C78227531E1C3C58006EB2D6"
+            BuildableName = "santabs.xpc"
+            BlueprintName = "santabs"
+            ReferencedContainer = "container:Santa.xcodeproj">
+         </BuildableReference>
+      </MacroExpansion>
+   </ProfileAction>
+   <AnalyzeAction
+      buildConfiguration = "Debug">
+   </AnalyzeAction>
+   <ArchiveAction
+      buildConfiguration = "Release"
+      revealArchiveInOrganizer = "YES">
+   </ArchiveAction>
+</Scheme>

Santa.xcodeproj/xcshareddata/xcschemes/santactl.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0720"
+   LastUpgradeVersion = "0910"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -26,6 +26,7 @@
       buildConfiguration = "Debug"
       selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
       selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      language = ""
       shouldUseLaunchSchemeArgsEnv = "YES">
       <Testables>
       </Testables>
@@ -45,6 +46,7 @@
       buildConfiguration = "Debug"
       selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
       selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      language = ""
       launchStyle = "0"
       useCustomWorkingDirectory = "NO"
       ignoresPersistentStateOnLaunch = "NO"

Santa.xcodeproj/xcshareddata/xcschemes/santad.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0720"
+   LastUpgradeVersion = "0910"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -26,6 +26,7 @@
       buildConfiguration = "Debug"
       selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
       selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      language = ""
       shouldUseLaunchSchemeArgsEnv = "YES">
       <Testables>
       </Testables>
@@ -46,6 +47,7 @@
       selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
       selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
       debugAsWhichUser = "root"
+      language = ""
       launchStyle = "0"
       useCustomWorkingDirectory = "NO"
       ignoresPersistentStateOnLaunch = "NO"

Source/SantaGUI/Resources/AboutWindow.xib

@@ -1,8 +1,8 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="6254" systemVersion="14E46" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES">
+<?xml version="1.0" encoding="UTF-8"?>
+<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="10117" systemVersion="16D32" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES">
     <dependencies>
         <deployment identifier="macosx"/>
-        <plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="6254"/>
+        <plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="10117"/>
     </dependencies>
     <objects>
         <customObject id="-2" userLabel="File's Owner" customClass="SNTAboutWindowController">
@@ -16,7 +16,7 @@
         <window title="Santa" allowsToolTipsWhenApplicationIsInactive="NO" autorecalculatesKeyViewLoop="NO" oneShot="NO" releasedWhenClosed="NO" visibleAtLaunch="NO" animationBehavior="default" id="F0z-JX-Cv5">
             <windowStyleMask key="styleMask" titled="YES" closable="YES"/>
             <rect key="contentRect" x="196" y="240" width="480" height="200"/>
-            <rect key="screenRect" x="0.0" y="0.0" width="2560" height="1577"/>
+            <rect key="screenRect" x="0.0" y="0.0" width="2560" height="1417"/>
             <view key="contentView" id="se5-gp-TjO">
                 <rect key="frame" x="0.0" y="0.0" width="480" height="200"/>
                 <autoresizingMask key="autoresizingMask"/>
@@ -37,7 +37,7 @@
                         <rect key="frame" x="18" y="65" width="444" height="60"/>
                         <textFieldCell key="cell" sendsActionOnEndEditing="YES" alignment="center" id="CcT-ul-1eA">
                             <font key="font" metaFont="system"/>
-                            <string key="title">Santa is an application whitelisting system for OS X.
+                            <string key="title">Santa is an application whitelisting system for macOS.
 
 There are no user-configurable settings.</string>
                             <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>

Source/SantaGUI/Resources/MessageWindow.xib

@@ -1,14 +1,19 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="9532" systemVersion="15E65" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES">
+<?xml version="1.0" encoding="UTF-8"?>
+<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="13529" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES">
     <dependencies>
         <deployment identifier="macosx"/>
-        <development version="6300" identifier="xcode"/>
-        <plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="9532"/>
+        <plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="13529"/>
+        <capability name="documents saved in the Xcode 8 format" minToolsVersion="8.0"/>
+        <capability name="system font weights other than Regular or Bold" minToolsVersion="7.0"/>
     </dependencies>
     <objects>
         <customObject id="-2" userLabel="File's Owner" customClass="SNTMessageWindowController">
             <connections>
                 <outlet property="applicationNameLabel" destination="qgf-Jf-cJr" id="1JX-X8-03v"/>
+                <outlet property="bundleHashLabel" destination="xP7-jE-NF8" id="i8B-Gs-2E3"/>
+                <outlet property="bundleHashTitle" destination="MhO-U0-MLR" id="KT0-bK-fpV"/>
+                <outlet property="foundFileCountLabel" destination="LHV-gV-vyf" id="Sr0-T2-xGx"/>
+                <outlet property="hashingIndicator" destination="VyY-Yg-JOe" id="Yq4-tZ-9ep"/>
                 <outlet property="openEventButton" destination="7ua-5a-uSd" id="9s4-ZA-Vlo"/>
                 <outlet property="window" destination="9Bq-yh-54f" id="Uhs-WF-TV9"/>
             </connections>
@@ -17,14 +22,15 @@
         <customObject id="-3" userLabel="Application" customClass="NSObject"/>
         <window title="Santa Blocked Execution" allowsToolTipsWhenApplicationIsInactive="NO" autorecalculatesKeyViewLoop="NO" oneShot="NO" showsToolbarButton="NO" visibleAtLaunch="NO" animationBehavior="none" id="9Bq-yh-54f" customClass="SNTMessageWindow">
             <windowStyleMask key="styleMask" utility="YES"/>
-            <rect key="contentRect" x="167" y="107" width="497" height="439"/>
-            <rect key="screenRect" x="0.0" y="0.0" width="2560" height="1417"/>
+            <rect key="contentRect" x="167" y="107" width="540" height="479"/>
+            <rect key="screenRect" x="0.0" y="0.0" width="3840" height="1578"/>
             <view key="contentView" id="Iwq-Lx-rLv">
-                <rect key="frame" x="0.0" y="0.0" width="497" height="439"/>
+                <rect key="frame" x="0.0" y="0.0" width="540" height="479"/>
                 <autoresizingMask key="autoresizingMask" widthSizable="YES" heightSizable="YES"/>
                 <subviews>
                     <button focusRingType="none" verticalHuggingPriority="750" fixedFrame="YES" translatesAutoresizingMaskIntoConstraints="NO" id="kiB-jZ-69S">
-                        <rect key="frame" x="-6" y="411" width="37" height="32"/>
+                        <rect key="frame" x="16" y="451" width="37" height="32"/>
+                        <autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMinY="YES"/>
                         <buttonCell key="cell" type="push" title="Hidden Button" alternateTitle="This button exists so neither of the other two buttons is pre-selected when the dialog opens." bezelStyle="rounded" alignment="center" borderStyle="border" focusRingType="none" transparent="YES" imageScaling="proportionallyDown" inset="2" id="XGa-Sl-F4t">
                             <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                             <font key="font" metaFont="system"/>
@@ -36,22 +42,8 @@
                             <outlet property="nextKeyView" destination="7ua-5a-uSd" id="vl5-A8-O0H"/>
                         </connections>
                     </button>
-                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="t8c-Fx-e5h">
-                        <rect key="frame" x="206" y="368" width="85" height="41"/>
-                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" refusesFirstResponder="YES" sendsActionOnEndEditing="YES" title="Santa" id="7YA-iB-Zma">
-                            <font key="font" metaFont="systemUltraLight" size="34"/>
-                            <color key="textColor" red="0.20000000000000001" green="0.20000000000000001" blue="0.20000000000000001" alpha="1" colorSpace="calibratedRGB"/>
-                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
-                            <userDefinedRuntimeAttributes>
-                                <userDefinedRuntimeAttribute type="boolean" keyPath="accessibilityElement" value="NO"/>
-                            </userDefinedRuntimeAttributes>
-                        </textFieldCell>
-                        <connections>
-                            <outlet property="nextKeyView" destination="7ua-5a-uSd" id="z5y-RR-IEH"/>
-                        </connections>
-                    </textField>
                     <textField verticalHuggingPriority="750" horizontalCompressionResistancePriority="250" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="cD5-Su-lXR" customClass="SNTAccessibleTextField">
-                        <rect key="frame" x="22" y="329" width="454" height="17"/>
+                        <rect key="frame" x="43" y="369" width="454" height="17"/>
                         <constraints>
                             <constraint firstAttribute="width" constant="450" id="XgJ-EV-tBa"/>
                         </constraints>
@@ -65,58 +57,10 @@
                             <outlet property="nextKeyView" destination="7ua-5a-uSd" id="VC7-bE-uHc"/>
                         </connections>
                     </textField>
-                    <box horizontalHuggingPriority="750" title="Line" boxType="custom" borderType="line" titlePosition="noTitle" translatesAutoresizingMaskIntoConstraints="NO" id="4Li-ul-zIi">
-                        <rect key="frame" x="146" y="132" width="1" height="167"/>
-                        <constraints>
-                            <constraint firstAttribute="width" constant="1" id="0o1-Jh-epf"/>
-                        </constraints>
-                        <color key="borderColor" white="0.0" alpha="0.17999999999999999" colorSpace="calibratedWhite"/>
-                        <color key="fillColor" white="0.0" alpha="0.0" colorSpace="calibratedWhite"/>
-                        <font key="titleFont" metaFont="system"/>
-                    </box>
-                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="pDa-fA-vnC" userLabel="Label: Application">
-                        <rect key="frame" x="8" y="282" width="120" height="17"/>
-                        <constraints>
-                            <constraint firstAttribute="width" constant="116" id="8mA-zi-Ev7"/>
-                        </constraints>
-                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Application" id="Hy7-WF-6xW">
-                            <font key="font" metaFont="systemBold"/>
-                            <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
-                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
-                            <userDefinedRuntimeAttributes>
-                                <userDefinedRuntimeAttribute type="boolean" keyPath="accessibilityElement" value="NO"/>
-                            </userDefinedRuntimeAttributes>
-                        </textFieldCell>
-                        <connections>
-                            <binding destination="-2" name="hidden" keyPath="self.event.fileBundleName" id="r2Q-hh-Uy5">
-                                <dictionary key="options">
-                                    <string key="NSValueTransformerName">NSIsNil</string>
-                                </dictionary>
-                            </binding>
-                        </connections>
-                    </textField>
-                    <textField toolTip="Application Name" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="qgf-Jf-cJr" customClass="SNTAccessibleTextField">
-                        <rect key="frame" x="165" y="282" width="294" height="17"/>
-                        <constraints>
-                            <constraint firstAttribute="width" constant="290" id="Pav-ZA-iAu"/>
-                        </constraints>
-                        <textFieldCell key="cell" selectable="YES" sendsActionOnEndEditing="YES" alignment="left" title="Application Name" id="3UG-ca-d1k">
-                            <font key="font" metaFont="systemBold"/>
-                            <color key="textColor" red="0.40000000000000002" green="0.40000000000000002" blue="0.40000000000000002" alpha="1" colorSpace="calibratedRGB"/>
-                            <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
-                        </textFieldCell>
-                        <connections>
-                            <binding destination="-2" name="value" keyPath="self.event.fileBundleName" id="enC-Cl-UWt">
-                                <dictionary key="options">
-                                    <string key="NSNullPlaceholder">Unknown</string>
-                                </dictionary>
-                            </binding>
-                        </connections>
-                    </textField>
                     <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="d9e-Wv-Y5H" userLabel="Label: Path">
-                        <rect key="frame" x="8" y="257" width="120" height="17"/>
+                        <rect key="frame" x="8" y="297" width="142" height="17"/>
                         <constraints>
-                            <constraint firstAttribute="width" constant="116" id="Kqd-nX-7df"/>
+                            <constraint firstAttribute="width" constant="138" id="Kqd-nX-7df"/>
                         </constraints>
                         <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Filename" id="KgY-X1-ESG">
                             <font key="font" metaFont="systemBold"/>
@@ -128,9 +72,9 @@
                         </textFieldCell>
                     </textField>
                     <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="YNz-ka-cBi" userLabel="Label: Path">
-                        <rect key="frame" x="8" y="232" width="120" height="17"/>
+                        <rect key="frame" x="8" y="272" width="142" height="17"/>
                         <constraints>
-                            <constraint firstAttribute="width" constant="116" id="3wU-P0-gAC"/>
+                            <constraint firstAttribute="width" constant="138" id="3wU-P0-gAC"/>
                         </constraints>
                         <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Path" id="adC-be-Beh">
                             <font key="font" metaFont="systemBold"/>
@@ -141,10 +85,10 @@
                             </userDefinedRuntimeAttributes>
                         </textFieldCell>
                     </textField>
-                    <textField toolTip="Binary Path" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="pc8-G9-4pJ" customClass="SNTAccessibleTextField">
-                        <rect key="frame" x="165" y="257" width="294" height="17"/>
+                    <textField toolTip="Binary Name" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="pc8-G9-4pJ" customClass="SNTAccessibleTextField">
+                        <rect key="frame" x="187" y="297" width="315" height="17"/>
                         <constraints>
-                            <constraint firstAttribute="width" constant="290" id="xVR-j3-dLw"/>
+                            <constraint firstAttribute="width" constant="311" id="xVR-j3-dLw"/>
                         </constraints>
                         <textFieldCell key="cell" selectable="YES" sendsActionOnEndEditing="YES" alignment="left" title="Binary Name" id="E7T-9h-ofr">
                             <font key="font" metaFont="system"/>
@@ -156,7 +100,7 @@
                         </connections>
                     </textField>
                     <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="lvJ-Rk-UT5" userLabel="Label: Publisher">
-                        <rect key="frame" x="8" y="207" width="120" height="17"/>
+                        <rect key="frame" x="8" y="247" width="142" height="17"/>
                         <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Publisher" id="yL9-yD-JXX">
                             <font key="font" metaFont="systemBold"/>
                             <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
@@ -167,9 +111,9 @@
                         </textFieldCell>
                     </textField>
                     <textField toolTip="Publisher" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="C3G-wL-u7w" userLabel="Publisher" customClass="SNTAccessibleTextField">
-                        <rect key="frame" x="165" y="207" width="294" height="17"/>
+                        <rect key="frame" x="187" y="247" width="315" height="17"/>
                         <constraints>
-                            <constraint firstAttribute="width" constant="290" id="Dem-wH-KHm"/>
+                            <constraint firstAttribute="width" constant="311" id="Dem-wH-KHm"/>
                         </constraints>
                         <textFieldCell key="cell" selectable="YES" allowsUndo="NO" sendsActionOnEndEditing="YES" title="Code signing information" placeholderString="" id="ztA-La-XgT">
                             <font key="font" metaFont="system"/>
@@ -185,7 +129,7 @@
                         </connections>
                     </textField>
                     <button toolTip="Show code signing certificate chain" translatesAutoresizingMaskIntoConstraints="NO" id="cJf-k6-OxS" userLabel="Publisher Certs Button">
-                        <rect key="frame" x="40" y="208" width="15" height="15"/>
+                        <rect key="frame" x="62" y="248" width="15" height="15"/>
                         <constraints>
                             <constraint firstAttribute="width" constant="15" id="QTm-Iv-m5p"/>
                             <constraint firstAttribute="height" constant="15" id="YwG-0s-jop"/>
@@ -207,7 +151,7 @@
                         </connections>
                     </button>
                     <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="KEB-eH-x2Y" userLabel="Label: Identifier">
-                        <rect key="frame" x="8" y="182" width="120" height="17"/>
+                        <rect key="frame" x="8" y="222" width="142" height="17"/>
                         <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Identifier" id="eKN-Ic-5zy">
                             <font key="font" metaFont="systemBold"/>
                             <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
@@ -217,8 +161,8 @@
                             </userDefinedRuntimeAttributes>
                         </textFieldCell>
                     </textField>
-                    <textField verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="PXc-xv-A28">
-                        <rect key="frame" x="165" y="182" width="219" height="17"/>
+                    <textField toolTip="SHA-256" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="PXc-xv-A28">
+                        <rect key="frame" x="187" y="222" width="219" height="17"/>
                         <constraints>
                             <constraint firstAttribute="width" constant="215" id="4hh-R2-86s"/>
                         </constraints>
@@ -234,8 +178,26 @@
                             <binding destination="-2" name="value" keyPath="self.event.fileSHA256" id="9KB-0b-qLV"/>
                         </connections>
                     </textField>
+                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="MhO-U0-MLR" userLabel="Label: Bundle Identifier">
+                        <rect key="frame" x="8" y="197" width="142" height="17"/>
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Bundle Identifier" id="LEe-u0-52o">
+                            <font key="font" metaFont="systemBold"/>
+                            <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
+                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
+                            <userDefinedRuntimeAttributes>
+                                <userDefinedRuntimeAttribute type="boolean" keyPath="accessibilityElement" value="NO"/>
+                            </userDefinedRuntimeAttributes>
+                        </textFieldCell>
+                        <connections>
+                            <binding destination="-2" name="hidden" keyPath="self.event.needsBundleHash" id="2kb-3z-Kyn">
+                                <dictionary key="options">
+                                    <string key="NSValueTransformerName">NSNegateBoolean</string>
+                                </dictionary>
+                            </binding>
+                        </connections>
+                    </textField>
                     <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="eQb-0a-76J" userLabel="Label: Parent">
-                        <rect key="frame" x="8" y="157" width="120" height="17"/>
+                        <rect key="frame" x="8" y="157" width="142" height="17"/>
                         <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Parent" id="gze-4A-1w5">
                             <font key="font" metaFont="systemBold"/>
                             <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
@@ -246,7 +208,7 @@
                         </textFieldCell>
                     </textField>
                     <textField toolTip="Parent Process" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" translatesAutoresizingMaskIntoConstraints="NO" id="f1p-GL-O3o" userLabel="Parent" customClass="SNTAccessibleTextField">
-                        <rect key="frame" x="165" y="157" width="294" height="17"/>
+                        <rect key="frame" x="187" y="157" width="294" height="17"/>
                         <constraints>
                             <constraint firstAttribute="width" constant="290" id="h3Y-mO-38F"/>
                         </constraints>
@@ -269,7 +231,7 @@
                         </connections>
                     </textField>
                     <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="oFj-ol-xpL" userLabel="Label: User">
-                        <rect key="frame" x="8" y="132" width="120" height="17"/>
+                        <rect key="frame" x="8" y="132" width="142" height="17"/>
                         <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="User" id="1ut-uT-hQD">
                             <font key="font" metaFont="systemBold"/>
                             <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
@@ -279,26 +241,8 @@
                             </userDefinedRuntimeAttributes>
                         </textFieldCell>
                     </textField>
-                    <textField toolTip="Executing User" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" translatesAutoresizingMaskIntoConstraints="NO" id="h6f-PY-cc0" customClass="SNTAccessibleTextField">
-                        <rect key="frame" x="165" y="132" width="294" height="17"/>
-                        <constraints>
-                            <constraint firstAttribute="width" constant="290" id="on6-pj-m2k"/>
-                        </constraints>
-                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" selectable="YES" sendsActionOnEndEditing="YES" title="Executing User" id="HRT-Be-ePf">
-                            <font key="font" metaFont="system"/>
-                            <color key="textColor" red="0.40000000000000002" green="0.40000000000000002" blue="0.40000000000000002" alpha="1" colorSpace="calibratedRGB"/>
-                            <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
-                        </textFieldCell>
-                        <connections>
-                            <binding destination="-2" name="value" keyPath="self.event.executingUser" id="IcM-Lt-xTT">
-                                <dictionary key="options">
-                                    <string key="NSNullPlaceholder">Unknown</string>
-                                </dictionary>
-                            </binding>
-                        </connections>
-                    </textField>
                     <button verticalHuggingPriority="750" horizontalCompressionResistancePriority="1000" translatesAutoresizingMaskIntoConstraints="NO" id="7ua-5a-uSd">
-                        <rect key="frame" x="132" y="33" width="112" height="25"/>
+                        <rect key="frame" x="154" y="33" width="112" height="25"/>
                         <constraints>
                             <constraint firstAttribute="width" priority="900" constant="112" id="Pec-Pa-4aZ"/>
                         </constraints>
@@ -315,13 +259,40 @@ DQ
                             <outlet property="nextKeyView" destination="BbV-3h-mmL" id="Xkz-va-iGc"/>
                         </connections>
                     </button>
+                    <textField toolTip="Binary Path" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="bDE-Tl-UHg" customClass="SNTAccessibleTextField">
+                        <rect key="frame" x="187" y="272" width="315" height="17"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="311" id="p1W-f9-KBX"/>
+                        </constraints>
+                        <textFieldCell key="cell" selectable="YES" sendsActionOnEndEditing="YES" alignment="left" title="Binary Path" id="H1b-Ui-CYo">
+                            <font key="font" metaFont="system"/>
+                            <color key="textColor" red="0.40000000000000002" green="0.40000000000000002" blue="0.40000000000000002" alpha="1" colorSpace="calibratedRGB"/>
+                            <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
+                        </textFieldCell>
+                        <connections>
+                            <binding destination="-2" name="value" keyPath="self.event.filePath" id="Sry-KY-HDb"/>
+                        </connections>
+                    </textField>
+                    <button translatesAutoresizingMaskIntoConstraints="NO" id="5D8-GP-a4l">
+                        <rect key="frame" x="113" y="80" width="315" height="29"/>
+                        <constraints>
+                            <constraint firstAttribute="height" constant="25" id="KvD-X6-CsO"/>
+                        </constraints>
+                        <buttonCell key="cell" type="check" title="Prevent future notifications for this application for a day" bezelStyle="regularSquare" imagePosition="left" alignment="center" inset="2" id="R5Y-Uc-rEP">
+                            <behavior key="behavior" changeContents="YES" doesNotDimImage="YES" lightByContents="YES"/>
+                            <font key="font" metaFont="smallSystem"/>
+                        </buttonCell>
+                        <connections>
+                            <binding destination="-2" name="value" keyPath="self.silenceFutureNotifications" id="tEb-2A-sht"/>
+                        </connections>
+                    </button>
                     <button verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="BbV-3h-mmL" userLabel="Dismiss Button">
-                        <rect key="frame" x="256" y="33" width="110" height="25"/>
+                        <rect key="frame" x="278" y="33" width="110" height="25"/>
                         <constraints>
                             <constraint firstAttribute="width" constant="110" id="6Uh-Bd-N64"/>
                             <constraint firstAttribute="height" constant="22" id="GH6-nw-6rD"/>
                         </constraints>
-                        <buttonCell key="cell" type="roundTextured" title="Dismiss" bezelStyle="texturedRounded" alignment="center" state="on" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="XR6-Xa-gP4">
+                        <buttonCell key="cell" type="roundTextured" title="Ignore" bezelStyle="texturedRounded" alignment="center" state="on" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="XR6-Xa-gP4">
                             <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                             <font key="font" metaFont="system"/>
                             <string key="keyEquivalent" base64-UTF8="YES">
@@ -335,61 +306,152 @@ DQ
                             <outlet property="nextKeyView" destination="7ua-5a-uSd" id="4KL-Z2-1op"/>
                         </connections>
                     </button>
-                    <textField toolTip="Binary Path" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="bDE-Tl-UHg" customClass="SNTAccessibleTextField">
-                        <rect key="frame" x="165" y="232" width="294" height="17"/>
+                    <textField toolTip="Executing User" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" translatesAutoresizingMaskIntoConstraints="NO" id="h6f-PY-cc0" customClass="SNTAccessibleTextField">
+                        <rect key="frame" x="187" y="132" width="294" height="17"/>
                         <constraints>
-                            <constraint firstAttribute="width" constant="290" id="p1W-f9-KBX"/>
+                            <constraint firstAttribute="width" constant="290" id="on6-pj-m2k"/>
                         </constraints>
-                        <textFieldCell key="cell" selectable="YES" sendsActionOnEndEditing="YES" alignment="left" title="Binary Path" id="H1b-Ui-CYo">
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" selectable="YES" sendsActionOnEndEditing="YES" title="Executing User" id="HRT-Be-ePf">
                             <font key="font" metaFont="system"/>
                             <color key="textColor" red="0.40000000000000002" green="0.40000000000000002" blue="0.40000000000000002" alpha="1" colorSpace="calibratedRGB"/>
                             <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
                         </textFieldCell>
                         <connections>
-                            <binding destination="-2" name="value" keyPath="self.event.filePath" id="Sry-KY-HDb"/>
+                            <binding destination="-2" name="value" keyPath="self.event.executingUser" id="IcM-Lt-xTT">
+                                <dictionary key="options">
+                                    <string key="NSNullPlaceholder">Unknown</string>
+                                </dictionary>
+                            </binding>
                         </connections>
                     </textField>
-                    <button translatesAutoresizingMaskIntoConstraints="NO" id="5D8-GP-a4l">
-                        <rect key="frame" x="91" y="80" width="315" height="29"/>
+                    <progressIndicator wantsLayer="YES" canDrawConcurrently="YES" horizontalHuggingPriority="750" verticalHuggingPriority="750" maxValue="1" bezeled="NO" controlSize="small" style="bar" translatesAutoresizingMaskIntoConstraints="NO" id="VyY-Yg-JOe">
+                        <rect key="frame" x="187" y="199" width="217" height="12"/>
                         <constraints>
-                            <constraint firstAttribute="height" constant="25" id="KvD-X6-CsO"/>
+                            <constraint firstAttribute="width" constant="217" id="M22-Dv-KIP"/>
                         </constraints>
-                        <buttonCell key="cell" type="check" title="Prevent future notifications for this application for a day" bezelStyle="regularSquare" imagePosition="left" alignment="center" inset="2" id="R5Y-Uc-rEP">
-                            <behavior key="behavior" changeContents="YES" doesNotDimImage="YES" lightByContents="YES"/>
-                            <font key="font" metaFont="smallSystem"/>
-                        </buttonCell>
+                    </progressIndicator>
+                    <textField toolTip="Bundle SHA-256" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="xP7-jE-NF8">
+                        <rect key="frame" x="187" y="197" width="219" height="17"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="215" id="s7W-o9-2nN"/>
+                        </constraints>
+                        <textFieldCell key="cell" lineBreakMode="charWrapping" selectable="YES" sendsActionOnEndEditing="YES" title="Calculating..." id="yJa-yL-X9a">
+                            <font key="font" metaFont="fixedUser" size="11"/>
+                            <color key="textColor" red="0.40000000000000002" green="0.40000000000000002" blue="0.40000000000000002" alpha="1" colorSpace="calibratedRGB"/>
+                            <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
+                            <userDefinedRuntimeAttributes>
+                                <userDefinedRuntimeAttribute type="boolean" keyPath="accessibilityElement" value="NO"/>
+                            </userDefinedRuntimeAttributes>
+                        </textFieldCell>
                         <connections>
-                            <binding destination="-2" name="value" keyPath="self.silenceFutureNotifications" id="tEb-2A-sht"/>
+                            <binding destination="-2" name="value" keyPath="self.event.fileBundleHash" id="CnT-q6-bot"/>
                         </connections>
-                    </button>
+                    </textField>
+                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="LHV-gV-vyf">
+                        <rect key="frame" x="187" y="182" width="219" height="17"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="215" id="LUu-Vd-peN"/>
+                        </constraints>
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" title="1000 related binaries" id="AVM-vB-hB8">
+                            <font key="font" metaFont="fixedUser" size="11"/>
+                            <color key="textColor" red="0.40000000000000002" green="0.40000000000000002" blue="0.40000000000000002" alpha="1" colorSpace="calibratedRGB"/>
+                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
+                        </textFieldCell>
+                    </textField>
+                    <box horizontalHuggingPriority="750" boxType="custom" borderType="line" title="Line" titlePosition="noTitle" translatesAutoresizingMaskIntoConstraints="NO" id="4Li-ul-zIi">
+                        <rect key="frame" x="168" y="132" width="1" height="207"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="1" id="0o1-Jh-epf"/>
+                        </constraints>
+                        <color key="borderColor" white="0.0" alpha="0.17999999999999999" colorSpace="calibratedWhite"/>
+                        <color key="fillColor" white="0.0" alpha="0.0" colorSpace="calibratedWhite"/>
+                        <font key="titleFont" metaFont="system"/>
+                    </box>
+                    <textField toolTip="Application Name" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="qgf-Jf-cJr" customClass="SNTAccessibleTextField">
+                        <rect key="frame" x="187" y="322" width="315" height="17"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="311" id="Pav-ZA-iAu"/>
+                        </constraints>
+                        <textFieldCell key="cell" selectable="YES" sendsActionOnEndEditing="YES" alignment="left" title="Application Name" id="3UG-ca-d1k">
+                            <font key="font" metaFont="systemBold"/>
+                            <color key="textColor" red="0.40000000000000002" green="0.40000000000000002" blue="0.40000000000000002" alpha="1" colorSpace="calibratedRGB"/>
+                            <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
+                        </textFieldCell>
+                        <connections>
+                            <binding destination="-2" name="value" keyPath="self.event.fileBundleName" id="enC-Cl-UWt">
+                                <dictionary key="options">
+                                    <string key="NSNullPlaceholder">Unknown</string>
+                                </dictionary>
+                            </binding>
+                        </connections>
+                    </textField>
+                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="pDa-fA-vnC" userLabel="Label: Application">
+                        <rect key="frame" x="8" y="322" width="142" height="17"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="138" id="8mA-zi-Ev7"/>
+                        </constraints>
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Application" id="Hy7-WF-6xW">
+                            <font key="font" metaFont="systemBold"/>
+                            <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
+                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
+                            <userDefinedRuntimeAttributes>
+                                <userDefinedRuntimeAttribute type="boolean" keyPath="accessibilityElement" value="NO"/>
+                            </userDefinedRuntimeAttributes>
+                        </textFieldCell>
+                        <connections>
+                            <binding destination="-2" name="hidden" keyPath="self.event.fileBundleName" id="r2Q-hh-Uy5">
+                                <dictionary key="options">
+                                    <string key="NSValueTransformerName">NSIsNil</string>
+                                </dictionary>
+                            </binding>
+                        </connections>
+                    </textField>
+                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="t8c-Fx-e5h">
+                        <rect key="frame" x="229" y="408" width="82" height="41"/>
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" refusesFirstResponder="YES" sendsActionOnEndEditing="YES" title="Santa" id="7YA-iB-Zma">
+                            <font key="font" metaFont="systemUltraLight" size="34"/>
+                            <color key="textColor" red="0.20000000000000001" green="0.20000000000000001" blue="0.20000000000000001" alpha="1" colorSpace="calibratedRGB"/>
+                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
+                            <userDefinedRuntimeAttributes>
+                                <userDefinedRuntimeAttribute type="boolean" keyPath="accessibilityElement" value="NO"/>
+                            </userDefinedRuntimeAttributes>
+                        </textFieldCell>
+                        <connections>
+                            <outlet property="nextKeyView" destination="7ua-5a-uSd" id="z5y-RR-IEH"/>
+                        </connections>
+                    </textField>
                 </subviews>
                 <constraints>
                     <constraint firstItem="oFj-ol-xpL" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="0AD-PS-5V1"/>
                     <constraint firstItem="f1p-GL-O3o" firstAttribute="centerY" secondItem="eQb-0a-76J" secondAttribute="centerY" id="2Aq-1E-Ybz"/>
                     <constraint firstItem="BbV-3h-mmL" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" priority="500" constant="193" id="2uo-Cm-Tfp"/>
                     <constraint firstItem="h6f-PY-cc0" firstAttribute="top" secondItem="f1p-GL-O3o" secondAttribute="bottom" constant="8" id="496-VQ-Fx5"/>
+                    <constraint firstItem="xP7-jE-NF8" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="5Mr-By-PAU"/>
                     <constraint firstItem="pDa-fA-vnC" firstAttribute="centerY" secondItem="qgf-Jf-cJr" secondAttribute="centerY" id="AKX-pe-hEX"/>
                     <constraint firstItem="C3G-wL-u7w" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="ALv-0v-szi"/>
-                    <constraint firstItem="f1p-GL-O3o" firstAttribute="top" secondItem="PXc-xv-A28" secondAttribute="bottom" constant="8" id="E6D-7P-17g"/>
                     <constraint firstItem="d9e-Wv-Y5H" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="FPe-Rd-G4n"/>
                     <constraint firstItem="cJf-k6-OxS" firstAttribute="centerY" secondItem="C3G-wL-u7w" secondAttribute="centerY" id="FdL-ZZ-Vbe"/>
                     <constraint firstItem="t8c-Fx-e5h" firstAttribute="top" secondItem="Iwq-Lx-rLv" secondAttribute="top" constant="30" id="FuB-GX-0jg"/>
                     <constraint firstItem="oFj-ol-xpL" firstAttribute="bottom" secondItem="4Li-ul-zIi" secondAttribute="bottom" id="G0I-O2-S91"/>
-                    <constraint firstItem="lvJ-Rk-UT5" firstAttribute="leading" secondItem="cJf-k6-OxS" secondAttribute="trailing" constant="-45" id="GD2-Ka-deo"/>
+                    <constraint firstItem="lvJ-Rk-UT5" firstAttribute="leading" secondItem="cJf-k6-OxS" secondAttribute="trailing" constant="-67" id="GD2-Ka-deo"/>
                     <constraint firstItem="BbV-3h-mmL" firstAttribute="top" secondItem="5D8-GP-a4l" secondAttribute="bottom" priority="900" constant="25" id="GT2-tO-2td"/>
                     <constraint firstItem="h6f-PY-cc0" firstAttribute="centerY" secondItem="oFj-ol-xpL" secondAttribute="centerY" id="GXI-pT-FM1"/>
                     <constraint firstItem="4Li-ul-zIi" firstAttribute="top" secondItem="pDa-fA-vnC" secondAttribute="top" id="Gd4-Nr-n5G"/>
+                    <constraint firstItem="xP7-jE-NF8" firstAttribute="top" secondItem="PXc-xv-A28" secondAttribute="bottom" constant="8" id="HUT-MI-jsR"/>
                     <constraint firstItem="qgf-Jf-cJr" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="Ht4-Lg-U5N"/>
+                    <constraint firstItem="LHV-gV-vyf" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="IA0-dy-2be"/>
                     <constraint firstItem="oFj-ol-xpL" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="IwX-ja-ZIs"/>
                     <constraint firstItem="d9e-Wv-Y5H" firstAttribute="top" secondItem="4Li-ul-zIi" secondAttribute="top" priority="500" id="JY4-N1-j8e"/>
                     <constraint firstItem="YNz-ka-cBi" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="KmX-kX-VCN"/>
                     <constraint firstItem="5D8-GP-a4l" firstAttribute="centerX" secondItem="Iwq-Lx-rLv" secondAttribute="centerX" id="LkH-F4-Ncm"/>
-                    <constraint firstItem="pc8-G9-4pJ" firstAttribute="top" secondItem="cD5-Su-lXR" secondAttribute="bottom" priority="950" constant="30" id="Nsl-zf-poH"/>
+                    <constraint firstItem="pc8-G9-4pJ" firstAttribute="top" secondItem="cD5-Su-lXR" secondAttribute="bottom" priority="950" constant="55" id="Nsl-zf-poH"/>
                     <constraint firstItem="YNz-ka-cBi" firstAttribute="centerY" secondItem="bDE-Tl-UHg" secondAttribute="centerY" id="ObQ-RA-S5V"/>
                     <constraint firstItem="pc8-G9-4pJ" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="SCl-Ky-VmT"/>
                     <constraint firstItem="d9e-Wv-Y5H" firstAttribute="centerY" secondItem="pc8-G9-4pJ" secondAttribute="centerY" id="SLv-F7-w5k"/>
                     <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="KEB-eH-x2Y" secondAttribute="trailing" constant="20" id="Seb-c0-MUL"/>
                     <constraint firstAttribute="centerX" secondItem="cD5-Su-lXR" secondAttribute="centerX" id="V0a-Py-iEc"/>
+                    <constraint firstItem="LHV-gV-vyf" firstAttribute="top" secondItem="VyY-Yg-JOe" secondAttribute="bottom" id="Vjr-NX-j8V"/>
+                    <constraint firstItem="MhO-U0-MLR" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="Vly-VE-BwU"/>
                     <constraint firstItem="oFj-ol-xpL" firstAttribute="leading" secondItem="lvJ-Rk-UT5" secondAttribute="leading" priority="999" id="Z6G-l9-G4a"/>
                     <constraint firstItem="C3G-wL-u7w" firstAttribute="top" secondItem="bDE-Tl-UHg" secondAttribute="bottom" constant="8" id="ZoS-xV-2WA"/>
                     <constraint firstItem="lvJ-Rk-UT5" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="aMJ-Wb-vRS"/>
@@ -401,22 +463,28 @@ DQ
                     <constraint firstItem="qgf-Jf-cJr" firstAttribute="top" secondItem="cD5-Su-lXR" secondAttribute="bottom" constant="30" id="esg-lX-BAT"/>
                     <constraint firstItem="f1p-GL-O3o" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="fGd-YS-phP"/>
                     <constraint firstAttribute="centerX" secondItem="t8c-Fx-e5h" secondAttribute="centerX" id="h3d-Kc-q88"/>
+                    <constraint firstItem="f1p-GL-O3o" firstAttribute="top" secondItem="LHV-gV-vyf" secondAttribute="bottom" constant="8" id="h4h-K3-BTd"/>
+                    <constraint firstItem="f1p-GL-O3o" firstAttribute="top" secondItem="PXc-xv-A28" secondAttribute="bottom" priority="700" constant="8" id="hXw-6Z-lb2"/>
                     <constraint firstItem="BbV-3h-mmL" firstAttribute="leading" secondItem="7ua-5a-uSd" secondAttribute="trailing" constant="12" id="ioO-NJ-Jqo"/>
                     <constraint firstItem="bDE-Tl-UHg" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="jdk-ak-soQ"/>
                     <constraint firstItem="C3G-wL-u7w" firstAttribute="centerY" secondItem="lvJ-Rk-UT5" secondAttribute="centerY" id="jfs-YI-7Ae"/>
                     <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="oFj-ol-xpL" secondAttribute="trailing" constant="20" id="kOG-Cj-hFG"/>
+                    <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="MhO-U0-MLR" secondAttribute="trailing" constant="20" id="ke9-wW-5fr"/>
                     <constraint firstItem="pc8-G9-4pJ" firstAttribute="top" secondItem="qgf-Jf-cJr" secondAttribute="bottom" constant="8" id="lWU-tC-vWg"/>
                     <constraint firstItem="5D8-GP-a4l" firstAttribute="top" secondItem="h6f-PY-cc0" secondAttribute="bottom" constant="25" id="lYd-VZ-lBs"/>
+                    <constraint firstItem="VyY-Yg-JOe" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="18" id="lei-uP-T8m"/>
+                    <constraint firstItem="f1p-GL-O3o" firstAttribute="top" secondItem="xP7-jE-NF8" secondAttribute="bottom" priority="701" constant="8" id="oY4-e7-lsz"/>
                     <constraint firstItem="7ua-5a-uSd" firstAttribute="top" secondItem="5D8-GP-a4l" secondAttribute="bottom" priority="900" constant="25" id="pCX-eX-erN"/>
-                    <constraint firstAttribute="centerX" secondItem="7ua-5a-uSd" secondAttribute="centerX" constant="61" id="phL-j9-rPq"/>
+                    <constraint firstItem="xP7-jE-NF8" firstAttribute="centerY" secondItem="MhO-U0-MLR" secondAttribute="centerY" id="pdC-x8-Nao"/>
+                    <constraint firstAttribute="centerX" secondItem="7ua-5a-uSd" secondAttribute="centerX" constant="60" id="phL-j9-rPq"/>
                     <constraint firstItem="bDE-Tl-UHg" firstAttribute="top" secondItem="pc8-G9-4pJ" secondAttribute="bottom" constant="8" id="pis-of-f93"/>
                     <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="lvJ-Rk-UT5" secondAttribute="trailing" constant="20" id="qKi-KT-jzJ"/>
                     <constraint firstItem="C3G-wL-u7w" firstAttribute="bottom" secondItem="PXc-xv-A28" secondAttribute="top" constant="-8" id="snd-8T-LjC"/>
                     <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="d9e-Wv-Y5H" secondAttribute="trailing" constant="20" id="stz-Vm-Kxo"/>
                     <constraint firstItem="PXc-xv-A28" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="tAa-1s-xVZ"/>
                     <constraint firstItem="eQb-0a-76J" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="u1y-6V-moc"/>
-                    <constraint firstItem="d9e-Wv-Y5H" firstAttribute="width" secondItem="eQb-0a-76J" secondAttribute="width" id="u4p-1B-x5B"/>
                     <constraint firstAttribute="bottom" secondItem="BbV-3h-mmL" secondAttribute="bottom" constant="35" id="ukF-FH-DE8"/>
+                    <constraint firstItem="VyY-Yg-JOe" firstAttribute="centerY" secondItem="MhO-U0-MLR" secondAttribute="centerY" id="vB8-c5-pfO"/>
                     <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="YNz-ka-cBi" secondAttribute="trailing" constant="20" id="vfq-83-tKI"/>
                     <constraint firstItem="pDa-fA-vnC" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="z6s-ga-iAk"/>
                 </constraints>
@@ -424,8 +492,9 @@ DQ
             <connections>
                 <outlet property="initialFirstResponder" destination="kiB-jZ-69S" id="I96-dS-lq5"/>
             </connections>
-            <point key="canvasLocation" x="302.5" y="304.5"/>
+            <point key="canvasLocation" x="274" y="326.5"/>
         </window>
+        <userDefaultsController representsSharedInstance="YES" id="iXx-cu-WYe"/>
     </objects>
     <resources>
         <image name="NSInfo" width="32" height="32"/>

Source/SantaGUI/Resources/Santa-Prefix.pch

@@ -1,3 +0,0 @@
-#ifdef __OBJC__
-  #import <Cocoa/Cocoa.h>
-#endif

Source/SantaGUI/SNTAboutWindowController.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Cocoa/Cocoa.h>
+
 @interface SNTAboutWindowController : NSWindowController
 
 @property IBOutlet NSButton *moreInfoButton;

Source/SantaGUI/SNTAccessibleTextField.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Cocoa/Cocoa.h>
+
 /**
    An NSTextField subclass that provides an accessiblity label equal to:
    (self.toolTip + self.stringValue) where available. It also sets the

Source/SantaGUI/SNTAppDelegate.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Cocoa/Cocoa.h>
+
 ///
 /// Initiates and manages the connection to santad
 ///

Source/SantaGUI/SNTAppDelegate.m

@@ -14,19 +14,19 @@
 
 #import "SNTAppDelegate.h"
 
+#import <MOLXPCConnection/MOLXPCConnection.h>
+
 #import "SNTAboutWindowController.h"
 #import "SNTConfigurator.h"
-#import "SNTFileWatcher.h"
 #import "SNTNotificationManager.h"
 #import "SNTStrengthify.h"
-#import "SNTXPCConnection.h"
 #import "SNTXPCControlInterface.h"
 
 @interface SNTAppDelegate ()
 @property SNTAboutWindowController *aboutWindowController;
-@property SNTFileWatcher *configFileWatcher;
 @property SNTNotificationManager *notificationManager;
-@property SNTXPCConnection *listener;
+@property MOLXPCConnection *daemonListener;
+@property MOLXPCConnection *bundleListener;
 @end
 
 @implementation SNTAppDelegate
@@ -35,12 +35,6 @@
 
 - (void)applicationDidFinishLaunching:(NSNotification *)aNotification {
   [self setupMenu];
-
-  self.configFileWatcher = [[SNTFileWatcher alloc] initWithFilePath:kDefaultConfigFilePath
-                                                            handler:^(unsigned long data) {
-    [[SNTConfigurator configurator] reloadConfigData];
-  }];
-
   self.notificationManager = [[SNTNotificationManager alloc] init];
 
   NSNotificationCenter *workspaceNotifications = [[NSWorkspace sharedWorkspace] notificationCenter];
@@ -49,18 +43,24 @@
                                       object:nil
                                        queue:[NSOperationQueue currentQueue]
                                   usingBlock:^(NSNotification *note) {
-    self.listener.invalidationHandler = nil;
-    [self.listener invalidate];
-    self.listener = nil;
+    self.daemonListener.invalidationHandler = nil;
+    [self.daemonListener invalidate];
+    self.daemonListener = nil;
+
+    self.bundleListener.invalidationHandler = nil;
+    [self.bundleListener invalidate];
+    self.bundleListener = nil;
   }];
   [workspaceNotifications addObserverForName:NSWorkspaceSessionDidBecomeActiveNotification
                                       object:nil
                                        queue:[NSOperationQueue currentQueue]
                                   usingBlock:^(NSNotification *note) {
-    [self attemptReconnection];
+    [self attemptDaemonReconnection];
+    [self attemptBundleReconnection];
   }];
 
-  [self createConnection];
+  [self createDaemonConnection];
+  [self createBundleConnection];
 }
 
 - (BOOL)applicationShouldHandleReopen:(NSApplication *)sender hasVisibleWindows:(BOOL)flag {
@@ -71,38 +71,78 @@
 
 #pragma mark Connection handling
 
-- (void)createConnection {
+- (void)createDaemonConnection {
   dispatch_semaphore_t sema = dispatch_semaphore_create(0);
 
   WEAKIFY(self);
 
   // Create listener for return connection from daemon.
   NSXPCListener *listener = [NSXPCListener anonymousListener];
-  self.listener = [[SNTXPCConnection alloc] initServerWithListener:listener];
-  self.listener.exportedInterface = [SNTXPCNotifierInterface notifierInterface];
-  self.listener.exportedObject = self.notificationManager;
-  self.listener.acceptedHandler = ^{
+  self.daemonListener = [[MOLXPCConnection alloc] initServerWithListener:listener];
+  self.daemonListener.exportedInterface = [SNTXPCNotifierInterface notifierInterface];
+  self.daemonListener.exportedObject = self.notificationManager;
+  self.daemonListener.acceptedHandler = ^{
     dispatch_semaphore_signal(sema);
   };
-  self.listener.invalidationHandler = ^{
+  self.daemonListener.invalidationHandler = ^{
     STRONGIFY(self);
-    [self attemptReconnection];
+    [self attemptDaemonReconnection];
   };
-  [self.listener resume];
+  [self.daemonListener resume];
 
   // Tell daemon to connect back to the above listener.
-  SNTXPCConnection *daemonConn = [SNTXPCControlInterface configuredConnection];
+  MOLXPCConnection *daemonConn = [SNTXPCControlInterface configuredConnection];
   [daemonConn resume];
   [[daemonConn remoteObjectProxy] setNotificationListener:listener.endpoint];
+  [daemonConn invalidate];
 
   // Now wait for the connection to come in.
   if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC))) {
-    [self attemptReconnection];
+    [self attemptDaemonReconnection];
   }
 }
 
-- (void)attemptReconnection {
-  [self performSelectorInBackground:@selector(createConnection) withObject:nil];
+- (void)attemptDaemonReconnection {
+  self.daemonListener.invalidationHandler = nil;
+  [self.daemonListener invalidate];
+  [self performSelectorInBackground:@selector(createDaemonConnection) withObject:nil];
+}
+
+- (void)createBundleConnection {
+  dispatch_semaphore_t sema = dispatch_semaphore_create(0);
+
+  WEAKIFY(self);
+
+  // Create listener for return connection from the bundle service.
+  NSXPCListener *listener = [NSXPCListener anonymousListener];
+  self.bundleListener = [[MOLXPCConnection alloc] initServerWithListener:listener];
+  self.bundleListener.exportedInterface = [SNTXPCNotifierInterface bundleNotifierInterface];
+  self.bundleListener.exportedObject = self.notificationManager;
+  self.bundleListener.acceptedHandler = ^{
+    dispatch_semaphore_signal(sema);
+  };
+  self.bundleListener.invalidationHandler = ^{
+    STRONGIFY(self);
+    [self attemptBundleReconnection];
+  };
+  [self.bundleListener resume];
+
+  // Tell santabs to connect back to the above listener.
+  MOLXPCConnection *daemonConn = [SNTXPCControlInterface configuredConnection];
+  [daemonConn resume];
+  [[daemonConn remoteObjectProxy] setBundleNotificationListener:listener.endpoint];
+  [daemonConn invalidate];
+
+  // Now wait for the connection to come in.
+  if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC))) {
+    [self attemptBundleReconnection];
+  }
+}
+
+- (void)attemptBundleReconnection {
+  self.bundleListener.invalidationHandler = nil;
+  [self.bundleListener invalidate];
+  [self performSelectorInBackground:@selector(createBundleConnection) withObject:nil];
 }
 
 #pragma mark Menu Management

Source/SantaGUI/SNTMessageWindow.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Cocoa/Cocoa.h>
+
 ///
 ///  An NSPanel that can become key/main and can fade in/out.
 ///

Source/SantaGUI/SNTMessageWindowController.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Cocoa/Cocoa.h>
+
 @class SNTStoredEvent;
 
 @protocol SNTMessageWindowControllerDelegate
@@ -29,6 +31,40 @@
 - (IBAction)closeWindow:(id)sender;
 - (IBAction)showCertInfo:(id)sender;
 
+///  Reference to the "Bundle Hash" label in the XIB. Used to remove if application
+///  doesn't have a bundle hash.
+@property(weak) IBOutlet NSTextField *bundleHashLabel;
+
+///  Reference to the "Bundle Identifier" label in the XIB. Used to remove if application
+///  doesn't have a bundle hash.
+@property(weak) IBOutlet NSTextField *bundleHashTitle;
+
+///
+/// Is displayed if calculating the bundle hash is taking a bit.
+///
+@property(weak) IBOutlet NSProgressIndicator *hashingIndicator;
+
+///
+/// Is displayed if calculating the bundle hash is taking a bit.
+///
+@property(weak) IBOutlet NSTextField *foundFileCountLabel;
+
+///
+///  Reference to the "Open Event" button in the XIB. Used to either remove the button
+///  if it isn't needed or set its title if it is.
+///
+@property(weak) IBOutlet NSButton *openEventButton;
+
+///
+///  The execution event that this window is for
+///
+@property(readonly) SNTStoredEvent *event;
+
+///
+///  The root progress object. Child nodes are vended to santad to report on work being done.
+///
+@property NSProgress *progress;
+
 ///
 ///  The delegate to inform when the notification is dismissed
 ///

Source/SantaGUI/SNTMessageWindowController.m

@@ -16,17 +16,14 @@
 
 #import <SecurityInterface/SFCertificatePanel.h>
 
-#import "MOLCertificate.h"
+#import <MOLCertificate/MOLCertificate.h>
+
 #import "SNTBlockMessage.h"
 #import "SNTConfigurator.h"
-#import "SNTFileInfo.h"
 #import "SNTMessageWindow.h"
 #import "SNTStoredEvent.h"
 
 @interface SNTMessageWindowController ()
-///  The execution event that this window is for
-@property SNTStoredEvent *event;
-
 ///  The custom message to display for this event
 @property(copy) NSString *customMessage;
 
@@ -36,13 +33,9 @@
 ///  An optional message to display with this block.
 @property(readonly, nonatomic) NSAttributedString *attributedCustomMessage;
 
-///  Reference to the "Open Event" button in the XIB. Used to either remove the button
-///  if it isn't needed or set its title if it is.
-@property IBOutlet NSButton *openEventButton;
-
 ///  Reference to the "Application Name" label in the XIB. Used to remove if application
 ///  doesn't have a CFBundleName.
-@property IBOutlet NSTextField *applicationNameLabel;
+@property(weak) IBOutlet NSTextField *applicationNameLabel;
 
 ///  Linked to checkbox in UI to prevent future notifications for this binary.
 @property BOOL silenceFutureNotifications;
@@ -55,10 +48,34 @@
   if (self) {
     _event = event;
     _customMessage = message;
+    _progress = [NSProgress discreteProgressWithTotalUnitCount:1];
+    [_progress addObserver:self
+                forKeyPath:@"fractionCompleted"
+                   options:NSKeyValueObservingOptionNew
+                   context:NULL];
   }
   return self;
 }
 
+- (void)dealloc {
+  [_progress removeObserver:self forKeyPath:@"fractionCompleted"];
+}
+
+- (void)observeValueForKeyPath:(NSString *)keyPath
+                      ofObject:(id)object
+                        change:(NSDictionary *)change
+                       context:(void *)context {
+  if ([keyPath isEqualToString:@"fractionCompleted"]) {
+    dispatch_async(dispatch_get_main_queue(), ^{
+      NSProgress *progress = object;
+      if (progress.fractionCompleted != 0.0) {
+        self.hashingIndicator.indeterminate = NO;
+      }
+      self.hashingIndicator.doubleValue = progress.fractionCompleted;
+    });
+  }
+}
+
 - (void)loadWindow {
   [super loadWindow];
   [self.window setLevel:NSPopUpMenuWindowLevel];
@@ -73,6 +90,18 @@
     }
   }
 
+  if (!self.event.needsBundleHash) {
+    [self.bundleHashLabel removeFromSuperview];
+    [self.hashingIndicator removeFromSuperview];
+    [self.foundFileCountLabel removeFromSuperview];
+  } else {
+    self.openEventButton.enabled = NO;
+    self.hashingIndicator.indeterminate = YES;
+    [self.hashingIndicator startAnimation:self];
+    self.bundleHashLabel.hidden = YES;
+    self.foundFileCountLabel.stringValue = @"";
+  }
+
   if (!self.event.fileBundleName) {
     [self.applicationNameLabel removeFromSuperview];
   }
@@ -83,6 +112,7 @@
 }
 
 - (IBAction)closeWindow:(id)sender {
+  [self.progress cancel];
   [(SNTMessageWindow *)self.window fadeOut:sender];
 }
 
@@ -123,7 +153,7 @@
   if (![key isEqualToString:@"event"]) {
     return [NSSet setWithObject:@"event"];
   } else {
-    return nil;
+    return [NSSet set];
   }
 }
 

Source/SantaGUI/SNTNotificationManager.h

@@ -12,12 +12,15 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Cocoa/Cocoa.h>
+
 #import "SNTMessageWindowController.h"
 #import "SNTXPCNotifierInterface.h"
 
 ///
 ///  Keeps track of pending notifications and ensures only one is presented to the user at a time.
 ///
-@interface SNTNotificationManager : NSObject<SNTMessageWindowControllerDelegate, SNTNotifierXPC>
+@interface SNTNotificationManager : NSObject<SNTMessageWindowControllerDelegate,
+                                             SNTNotifierXPC, SNTBundleNotifierXPC>
 
 @end

Source/SantaGUI/SNTNotificationManager.m

@@ -14,17 +14,32 @@
 
 #import "SNTNotificationManager.h"
 
+#import <MOLXPCConnection/MOLXPCConnection.h>
+
 #import "SNTBlockMessage.h"
 #import "SNTConfigurator.h"
 #import "SNTLogging.h"
 #import "SNTStoredEvent.h"
+#import "SNTStrengthify.h"
+#import "SNTXPCControlInterface.h"
 
 @interface SNTNotificationManager ()
+
 ///  The currently displayed notification
 @property SNTMessageWindowController *currentWindowController;
 
 ///  The queue of pending notifications
 @property(readonly) NSMutableArray *pendingNotifications;
+
+///  The connection to the bundle service
+@property MOLXPCConnection *bundleServiceConnection;
+
+///  A semaphore to block bundle hashing until a connection is established
+@property dispatch_semaphore_t bundleServiceSema;
+
+// A serial queue for holding hashBundleBinaries requests
+@property dispatch_queue_t hashBundleBinariesQueue;
+
 @end
 
 @implementation SNTNotificationManager
@@ -35,6 +50,9 @@ static NSString * const silencedNotificationsKey = @"SilencedNotifications";
   self = [super init];
   if (self) {
     _pendingNotifications = [[NSMutableArray alloc] init];
+    _bundleServiceSema = dispatch_semaphore_create(0);
+    _hashBundleBinariesQueue = dispatch_queue_create("com.google.santagui.hashbundlebinaries",
+                                                     DISPATCH_QUEUE_SERIAL);
   }
   return self;
 }
@@ -48,7 +66,16 @@ static NSString * const silencedNotificationsKey = @"SilencedNotifications";
   if ([self.pendingNotifications count]) {
     self.currentWindowController = [self.pendingNotifications firstObject];
     [self.currentWindowController showWindow:self];
+    if (self.currentWindowController.event.needsBundleHash) {
+      dispatch_async(self.hashBundleBinariesQueue, ^{
+        [self hashBundleBinariesForEvent:self.currentWindowController.event];
+      });
+    }
   } else {
+    // Tear down the bundle service
+    self.bundleServiceSema = dispatch_semaphore_create(0);
+    [self.bundleServiceConnection invalidate];
+    self.bundleServiceConnection = nil;
     [NSApp hide:self];
   }
 }
@@ -65,7 +92,7 @@ static NSString * const silencedNotificationsKey = @"SilencedNotifications";
   [ud setObject:d forKey:silencedNotificationsKey];
 }
 
-#pragma mark SNTNotifierXPC protocol method
+#pragma mark SNTNotifierXPC protocol methods
 
 - (void)postClientModeNotification:(SNTClientMode)clientmode {
   NSUserNotification *un = [[NSUserNotification alloc] init];
@@ -76,14 +103,16 @@ static NSString * const silencedNotificationsKey = @"SilencedNotifications";
     case SNTClientModeMonitor:
       un.informativeText = @"Switching into Monitor mode";
       customMsg = [[SNTConfigurator configurator] modeNotificationMonitor];
-      customMsg = [SNTBlockMessage stringFromHTML:customMsg];
-      if (customMsg.length) un.informativeText = customMsg;
+      if (!customMsg) break;
+      if (!customMsg.length) return;
+      un.informativeText = [SNTBlockMessage stringFromHTML:customMsg];
       break;
     case SNTClientModeLockdown:
       un.informativeText = @"Switching into Lockdown mode";
       customMsg = [[SNTConfigurator configurator] modeNotificationLockdown];
-      customMsg = [SNTBlockMessage stringFromHTML:customMsg];      
-      if (customMsg.length) un.informativeText = customMsg;
+      if (!customMsg) break;
+      if (!customMsg.length) return;
+      un.informativeText = [SNTBlockMessage stringFromHTML:customMsg];
       break;
     default:
       return;
@@ -131,6 +160,118 @@ static NSString * const silencedNotificationsKey = @"SilencedNotifications";
     if (!self.currentWindowController) {
       self.currentWindowController = pendingMsg;
       [pendingMsg showWindow:nil];
+      if (self.currentWindowController.event.needsBundleHash) {
+        dispatch_async(self.hashBundleBinariesQueue, ^{
+          [self hashBundleBinariesForEvent:self.currentWindowController.event];
+        });
+      }
+    }
+  });
+}
+
+- (void)postRuleSyncNotificationWithCustomMessage:(NSString *)message {
+  NSUserNotification *un = [[NSUserNotification alloc] init];
+  un.title = @"Santa";
+  un.hasActionButton = NO;
+  un.informativeText = message ?: @"Requested application can now be run";
+  [[NSUserNotificationCenter defaultUserNotificationCenter] deliverNotification:un];
+}
+
+#pragma mark SNTBundleNotifierXPC protocol methods
+
+- (void)updateCountsForEvent:(SNTStoredEvent *)event
+                 binaryCount:(uint64_t)binaryCount
+                   fileCount:(uint64_t)fileCount
+                 hashedCount:(uint64_t)hashedCount {
+  if ([self.currentWindowController.event.idx isEqual:event.idx]) {
+    dispatch_async(dispatch_get_main_queue(), ^{
+      self.currentWindowController.foundFileCountLabel.stringValue =
+          [NSString stringWithFormat:@"%llu binaries / %llu %@",
+               binaryCount, hashedCount ?: fileCount, hashedCount ? @"hashed" : @"files"];
+    });
+  }
+}
+
+- (void)setBundleServiceListener:(NSXPCListenerEndpoint *)listener {
+  MOLXPCConnection *c = [[MOLXPCConnection alloc] initClientWithListener:listener];
+  c.remoteInterface = [SNTXPCBundleServiceInterface bundleServiceInterface];
+  [c resume];
+  self.bundleServiceConnection = c;
+
+  WEAKIFY(self);
+  self.bundleServiceConnection.invalidationHandler = ^{
+    STRONGIFY(self);
+    if (self.currentWindowController) {
+      [self updateBlockNotification:self.currentWindowController.event withBundleHash:nil];
+    }
+    self.bundleServiceConnection.invalidationHandler = nil;
+    [self.bundleServiceConnection invalidate];
+  };
+
+  dispatch_semaphore_signal(self.bundleServiceSema);
+}
+
+#pragma mark SNTBundleNotifierXPC helper methods
+
+- (void)hashBundleBinariesForEvent:(SNTStoredEvent *)event {
+  self.currentWindowController.foundFileCountLabel.stringValue = @"Searching for files...";
+
+  // Wait a max of 6 secs for the bundle service. Should the bundle service fall over, it will
+  // reconnect within 5 secs. Otherwise abandon bundle hashing and display the blockable event.
+  if (dispatch_semaphore_wait(self.bundleServiceSema,
+                              dispatch_time(DISPATCH_TIME_NOW, 6 * NSEC_PER_SEC))) {
+    [self updateBlockNotification:event withBundleHash:nil];
+    return;
+  }
+
+  // Let all future requests flow, until the connection is terminated and we go back to waiting.
+  dispatch_semaphore_signal(self.bundleServiceSema);
+
+  // NSProgress becomes current for this thread. XPC messages vend a child node to the receiver.
+  [self.currentWindowController.progress becomeCurrentWithPendingUnitCount:100];
+
+  // Start hashing. Progress is reported to the root NSProgress (currentWindowController.progress).
+  [[self.bundleServiceConnection remoteObjectProxy]
+      hashBundleBinariesForEvent:event
+                           reply:^(NSString *bh, NSArray<SNTStoredEvent *> *events, NSNumber *ms) {
+    // Revert to displaying the blockable event if we fail to calculate the bundle hash
+    if (!bh) return [self updateBlockNotification:event withBundleHash:nil];
+
+    event.fileBundleHash = bh;
+    event.fileBundleBinaryCount = @(events.count);
+    event.fileBundleHashMilliseconds = ms;
+    event.fileBundleExecutableRelPath = [events.firstObject fileBundleExecutableRelPath];
+    for (SNTStoredEvent *se in events) {
+      se.fileBundleHash = bh;
+      se.fileBundleBinaryCount = @(events.count);
+      se.fileBundleHashMilliseconds = ms;
+    }
+
+    // Send the results to santad. It will decide if they need to be synced.
+    MOLXPCConnection *daemonConn = [SNTXPCControlInterface configuredConnection];
+    [daemonConn resume];
+    [[daemonConn remoteObjectProxy] syncBundleEvent:event relatedEvents:events];
+    [daemonConn invalidate];
+
+    // Update the UI with the bundle hash. Also make the openEventButton available.
+    [self updateBlockNotification:event withBundleHash:bh];
+  }];
+  [self.currentWindowController.progress resignCurrent];
+}
+
+- (void)updateBlockNotification:(SNTStoredEvent *)event withBundleHash:(NSString *)bundleHash {
+  dispatch_async(dispatch_get_main_queue(), ^{
+    if ([self.currentWindowController.event.idx isEqual:event.idx]) {
+      if (bundleHash) {
+        [self.currentWindowController.bundleHashLabel setHidden:NO];
+      } else {
+        [self.currentWindowController.bundleHashLabel removeFromSuperview];
+        [self.currentWindowController.bundleHashTitle removeFromSuperview];
+      }
+      self.currentWindowController.event.fileBundleHash = bundleHash;
+      [self.currentWindowController.foundFileCountLabel removeFromSuperview];
+      [self.currentWindowController.hashingIndicator setHidden:YES];
+      [self.currentWindowController.openEventButton setEnabled:YES];
     }
   });
 }

Source/SantaGUI/main.m

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Cocoa/Cocoa.h>
+
 #import "SNTAppDelegate.h"
 
 int main(int argc, const char *argv[]) {

Source/common/SNTBlockMessage.h

@@ -12,6 +12,12 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#ifdef SANTAGUI
+#import <Cocoa/Cocoa.h>
+#else
+#import <Foundation/Foundation.h>
+#endif
+
 @class SNTStoredEvent;
 
 @interface SNTBlockMessage : NSObject

Source/common/SNTBlockMessage.m

@@ -92,18 +92,13 @@
 + (NSURL *)eventDetailURLForEvent:(SNTStoredEvent *)event {
   SNTConfigurator *config = [SNTConfigurator configurator];
 
-  NSString *formatStr;
-  if (config.eventDetailBundleURL && event.fileBundleID) {
-    formatStr = config.eventDetailBundleURL;
-  } else {
-    formatStr = config.eventDetailURL;
-  }
-
+  NSString *formatStr = config.eventDetailURL;
   if (!formatStr.length) return nil;
 
   if (event.fileSHA256) {
-    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%file_sha%"
-                                                     withString:event.fileSHA256];
+    formatStr =
+        [formatStr stringByReplacingOccurrencesOfString:@"%file_sha%"
+                                             withString:event.fileBundleHash ?: event.fileSHA256];
   }
   if (event.executingUser) {
     formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%username%"
@@ -113,14 +108,6 @@
     formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%machine_id%"
                                                      withString:config.machineID];
   }
-  if (event.fileBundleID) {
-    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%bundle_id%"
-                                                     withString:event.fileBundleID];
-  }
-  if (event.fileBundleVersionString) {
-    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%bundle_ver%"
-                                                     withString:event.fileBundleVersionString];
-  }
 
   return [NSURL URLWithString:formatStr];
 }

Source/common/SNTCommonEnums.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Foundation/Foundation.h>
+
 ///
 ///  These enums are used in various places throughout the Santa client code.
 ///  The integer values are also stored in the database and so shouldn't be changed.
@@ -41,19 +43,25 @@ typedef NS_ENUM(NSInteger, SNTClientMode) {
 };
 
 typedef NS_ENUM(NSInteger, SNTEventState) {
-  SNTEventStateUnknown,
+  // Bits 0-15 bits store non-decision types
+  SNTEventStateUnknown = 0,
+  SNTEventStateBundleBinary = 1,
 
-  SNTEventStateAllowUnknown = 1,
-  SNTEventStateAllowBinary = 2,
-  SNTEventStateAllowCertificate = 3,
-  SNTEventStateAllowScope = 4,
+  // Bits 16-23 store deny decision types
+  SNTEventStateBlockUnknown = 1 << 16,
+  SNTEventStateBlockBinary = 1 << 17,
+  SNTEventStateBlockCertificate = 1 << 18,
+  SNTEventStateBlockScope = 1 << 19,
 
-  SNTEventStateBlockUnknown = 5,
-  SNTEventStateBlockBinary = 6,
-  SNTEventStateBlockCertificate = 7,
-  SNTEventStateBlockScope = 8,
+  // Bits 24-31 store allow decision types
+  SNTEventStateAllowUnknown = 1 << 24,
+  SNTEventStateAllowBinary = 1 << 25,
+  SNTEventStateAllowCertificate = 1 << 26,
+  SNTEventStateAllowScope = 1 << 27,
 
-  SNTEventStateBundleBinary = 9,
+  // Block and Allow masks
+  SNTEventStateBlock = 0xFF << 16,
+  SNTEventStateAllow = 0xFF << 24
 };
 
 typedef NS_ENUM(NSInteger, SNTRuleTableError) {
@@ -64,6 +72,20 @@ typedef NS_ENUM(NSInteger, SNTRuleTableError) {
   SNTRuleTableErrorRemoveFailed
 };
 
+// This enum type is used to indicate what should be done with the related bundle events that are
+// generated when an initiating blocked bundle event occurs.
+typedef NS_ENUM(NSInteger, SNTBundleEventAction) {
+  SNTBundleEventActionDropEvents,
+  SNTBundleEventActionStoreEvents,
+  SNTBundleEventActionSendEvents,
+};
+
+// Indicates where to store event logs.
+typedef NS_ENUM(NSInteger, SNTEventLogType) {
+  SNTEventLogTypeSyslog,
+  SNTEventLogTypeFilelog,
+};
+
 static const char *kKextPath = "/Library/Extensions/santa-driver.kext";
 static const char *kSantaDPath = "/Library/Extensions/santa-driver.kext/Contents/MacOS/santad";
 static const char *kSantaCtlPath = "/Library/Extensions/santa-driver.kext/Contents/MacOS/santactl";

Source/common/SNTConfigurator.h

@@ -12,32 +12,28 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Foundation/Foundation.h>
+
 #import "SNTCommonEnums.h"
 
 ///
 ///  Singleton that provides an interface for managing configuration values on disk
 ///  @note This class is designed as a singleton but that is not strictly enforced.
+///  @note All properties are KVO compliant.
 ///
 @interface SNTConfigurator : NSObject
 
-///  Default config file path
-extern NSString *const kDefaultConfigFilePath;
-
 #pragma mark - Daemon Settings
 
 ///
 ///  The operating mode.
 ///
-@property(nonatomic) SNTClientMode clientMode;
+@property(readonly, nonatomic) SNTClientMode clientMode;
 
 ///
-///  The regex of paths to log file changes for. Regexes are specified in ICU format.
+///  Set the operating mode as received from a sync server.
 ///
-///  The regex flags IXSM can be used, though the s (dotalL) and m (multiline) flags are
-///  pointless as a path only ever has a single line.
-///  If the regex doesn't begin with ^ to match from the beginning of the line, it will be added.
-///
-@property(nonatomic) NSRegularExpression *fileChangesRegex;
+- (void)setSyncServerClientMode:(SNTClientMode)newMode;
 
 ///
 ///  The regex of whitelisted paths. Regexes are specified in ICU format.
@@ -46,7 +42,12 @@ extern NSString *const kDefaultConfigFilePath;
 ///  pointless as a path only ever has a single line.
 ///  If the regex doesn't begin with ^ to match from the beginning of the line, it will be added.
 ///
-@property(nonatomic) NSRegularExpression *whitelistPathRegex;
+@property(readonly, nonatomic) NSRegularExpression *whitelistPathRegex;
+
+///
+///  Set the regex of whitelisted paths as received from a sync server.
+///
+- (void)setSyncServerWhitelistPathRegex:(NSRegularExpression *)re;
 
 ///
 ///  The regex of blacklisted paths. Regexes are specified in ICU format.
@@ -55,7 +56,21 @@ extern NSString *const kDefaultConfigFilePath;
 ///  pointless as a path only ever has a single line.
 ///  If the regex doesn't begin with ^ to match from the beginning of the line, it will be added.
 ///
-@property(nonatomic) NSRegularExpression *blacklistPathRegex;
+@property(readonly, nonatomic) NSRegularExpression *blacklistPathRegex;
+
+///
+///  Set the regex of blacklisted paths as received from a sync server.
+///
+- (void)setSyncServerBlacklistPathRegex:(NSRegularExpression *)re;
+
+///
+///  The regex of paths to log file changes for. Regexes are specified in ICU format.
+///
+///  The regex flags IXSM can be used, though the s (dotalL) and m (multiline) flags are
+///  pointless as a path only ever has a single line.
+///  If the regex doesn't begin with ^ to match from the beginning of the line, it will be added.
+///
+@property(readonly, nonatomic) NSRegularExpression *fileChangesRegex;
 
 ///
 ///  Enable __PAGEZERO protection, defaults to YES
@@ -64,6 +79,25 @@ extern NSString *const kDefaultConfigFilePath;
 ///
 @property(readonly, nonatomic) BOOL enablePageZeroProtection;
 
+///
+///  Defines how event logs are stored. Options are:
+///    SNTEventLogTypeSyslog: Sent to ASL or ULS (if built with the 10.12 SDK or later).
+///    SNTEventLogTypeFilelog: Sent to a file on disk. Use eventLogPath to specify a path.
+///    Defaults to SNTEventLogTypeFilelog.
+///    For mobileconfigs use EventLogType as the key and syslog or filelog strings as the value.
+///
+///  @note: This property is KVO compliant, but should only be read once at santad startup.
+///
+@property(readonly, nonatomic) SNTEventLogType eventLogType;
+
+///
+///  If eventLogType is set to Filelog, eventLogPath will provide the path to save logs.
+///  Defaults to /var/db/santa/santa.log.
+///
+///  @note: This property is KVO compliant, but should only be read once at santad startup.
+///
+@property(readonly, nonatomic) NSString *eventLogPath;
+
 #pragma mark - GUI Settings
 
 ///
@@ -75,8 +109,6 @@ extern NSString *const kDefaultConfigFilePath;
 ///
 ///  When the user gets a block notification, a button can be displayed which will
 ///  take them to a web page with more information about that event.
-///  There are two properties, one for individual binaries and one for binaries that are part
-///  of a bundle. If the latter is not set the former will be used.
 ///
 ///  This property contains a kind of format string to be turned into the URL to send them to.
 ///  The following sequences will be replaced in the final URL:
@@ -84,15 +116,12 @@ extern NSString *const kDefaultConfigFilePath;
 ///  %file_sha%    -- SHA-256 of the file that was blocked.
 ///  %machine_id%  -- ID of the machine.
 ///  %username%    -- executing user.
-///  %bundle_id%   -- bundle id of the binary, if applicable.
-///  %bundle_ver%  -- bundle version of the binary, if applicable.
 ///
 ///  @note: This is not an NSURL because the format-string parsing is done elsewhere.
 ///
 ///  If this item isn't set, the Open Event button will not be displayed.
 ///
 @property(readonly, nonatomic) NSString *eventDetailURL;
-@property(readonly, nonatomic) NSString *eventDetailBundleURL;
 
 ///
 ///  Related to the above property, this string represents the text to show on the button.
@@ -131,21 +160,20 @@ extern NSString *const kDefaultConfigFilePath;
 ///
 @property(readonly, nonatomic) NSURL *syncBaseURL;
 
-///
-///  If YES, mid-execution event uploads are skipped.
-///  This property is never stored on disk.
-///
-@property BOOL syncBackOff;
-
 ///
 ///  The machine owner.
 ///
 @property(readonly, nonatomic) NSString *machineOwner;
 
 ///
-///  The last date of successful sync.
+///  The last date of a successful full sync.
 ///
-@property(nonatomic) NSDate *syncLastSuccess;
+@property(nonatomic) NSDate *fullSyncLastSuccess;
+
+///
+///  The last date of a successful rule sync.
+///
+@property(nonatomic) NSDate *ruleSyncLastSuccess;
 
 ///
 ///  If YES a clean sync is required.
@@ -157,6 +185,12 @@ extern NSString *const kDefaultConfigFilePath;
 ///
 @property(readonly, nonatomic) NSString *machineID;
 
+///
+///  If YES, enables bundle detection for blocked events. This property is not stored on disk.
+///  Its value is set by a sync server that supports bundles. Defaults to NO.
+///
+@property BOOL bundlesEnabled;
+
 #pragma mark Server Auth Settings
 
 ///
@@ -200,15 +234,8 @@ extern NSString *const kDefaultConfigFilePath;
 + (instancetype)configurator;
 
 ///
-///  Designated initializer.
+///  Clear the sync server configuration from the effective configuration.
 ///
-///  @param filePath The path to the file to use as a backing store.
-///
-- (instancetype)initWithFilePath:(NSString *)filePath;
-
-///
-///  Re-read config data from disk.
-///
-- (void)reloadConfigData;
+- (void)clearSyncState;
 
 @end

Source/common/SNTConfigurator.m

@@ -14,46 +14,35 @@
 
 #import "SNTConfigurator.h"
 
+#include <sys/stat.h>
+
 #import "SNTLogging.h"
+#import "SNTStrengthify.h"
 #import "SNTSystemInfo.h"
 
 @interface SNTConfigurator ()
-@property NSString *configFilePath;
-@property NSMutableDictionary *configData;
+/// A NSUserDefaults object set to use the com.google.santa suite.
+@property(readonly, nonatomic) NSUserDefaults *defaults;
 
-/// Creating NSRegularExpression objects is not fast, so cache them.
-@property NSRegularExpression *cachedFileChangesRegex;
-@property NSRegularExpression *cachedWhitelistDirRegex;
-@property NSRegularExpression *cachedBlacklistDirRegex;
+// Keys and expected value types.
+@property(readonly, nonatomic) NSDictionary *syncServerKeyTypes;
+@property(readonly, nonatomic) NSDictionary *forcedConfigKeyTypes;
 
-/// Array of keys that cannot be changed while santad is running if santad didn't make the change.
-@property(readonly) NSArray *protectedKeys;
+/// Holds the configurations from a sync server and mobileconfig.
+@property NSMutableDictionary *syncState;
+@property NSMutableDictionary *configState;
 @end
 
 @implementation SNTConfigurator
 
-/// The hard-coded path to the config file
-NSString *const kDefaultConfigFilePath = @"/var/db/santa/config.plist";
+/// The hard-coded path to the sync state file.
+NSString *const kSyncStateFilePath = @"/var/db/santa/sync-state.plist";
 
-/// The keys in the config file
-static NSString *const kClientModeKey = @"ClientMode";
-static NSString *const kFileChangesRegexKey = @"FileChangesRegex";
-static NSString *const kWhitelistRegexKey = @"WhitelistRegex";
-static NSString *const kBlacklistRegexKey = @"BlacklistRegex";
-static NSString *const kEnablePageZeroProtectionKey = @"EnablePageZeroProtection";
-
-static NSString *const kMoreInfoURLKey = @"MoreInfoURL";
-static NSString *const kEventDetailURLKey = @"EventDetailURL";
-static NSString *const kEventDetailBundleURLKey = @"EventDetailBundleURL";
-static NSString *const kEventDetailTextKey = @"EventDetailText";
-static NSString *const kUnknownBlockMessage = @"UnknownBlockMessage";
-static NSString *const kBannedBlockMessage = @"BannedBlockMessage";
-static NSString *const kModeNotificationMonitor = @"ModeNotificationMonitor";
-static NSString *const kModeNotificationLockdown = @"ModeNotificationLockdown";
+/// The domain used by mobileconfig.
+static NSString *const kMobileConfigDomain = @"com.google.santa";
 
+/// The keys managed by a mobileconfig.
 static NSString *const kSyncBaseURLKey = @"SyncBaseURL";
-static NSString *const kSyncLastSuccess = @"SyncLastSuccess";
-static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
 static NSString *const kClientAuthCertificateFileKey = @"ClientAuthCertificateFile";
 static NSString *const kClientAuthCertificatePasswordKey = @"ClientAuthCertificatePassword";
 static NSString *const kClientAuthCertificateCNKey = @"ClientAuthCertificateCN";
@@ -63,18 +52,86 @@ static NSString *const kServerAuthRootsFileKey = @"ServerAuthRootsFile";
 
 static NSString *const kMachineOwnerKey = @"MachineOwner";
 static NSString *const kMachineIDKey = @"MachineID";
-
 static NSString *const kMachineOwnerPlistFileKey = @"MachineOwnerPlist";
 static NSString *const kMachineOwnerPlistKeyKey = @"MachineOwnerKey";
-
 static NSString *const kMachineIDPlistFileKey = @"MachineIDPlist";
 static NSString *const kMachineIDPlistKeyKey = @"MachineIDKey";
 
-- (instancetype)initWithFilePath:(NSString *)filePath {
+static NSString *const kMoreInfoURLKey = @"MoreInfoURL";
+static NSString *const kEventDetailURLKey = @"EventDetailURL";
+static NSString *const kEventDetailTextKey = @"EventDetailText";
+static NSString *const kUnknownBlockMessage = @"UnknownBlockMessage";
+static NSString *const kBannedBlockMessage = @"BannedBlockMessage";
+static NSString *const kModeNotificationMonitor = @"ModeNotificationMonitor";
+static NSString *const kModeNotificationLockdown = @"ModeNotificationLockdown";
+
+static NSString *const kEnablePageZeroProtectionKey = @"EnablePageZeroProtection";
+
+static NSString *const kFileChangesRegexKey = @"FileChangesRegex";
+
+static NSString *const kEventLogType = @"EventLogType";
+static NSString *const kEventLogPath = @"EventLogPath";
+
+// The keys managed by a sync server or mobileconfig.
+static NSString *const kClientModeKey = @"ClientMode";
+static NSString *const kWhitelistRegexKey = @"WhitelistRegex";
+static NSString *const kBlacklistRegexKey = @"BlacklistRegex";
+
+// The keys managed by a sync server.
+static NSString *const kFullSyncLastSuccess = @"FullSyncLastSuccess";
+static NSString *const kRuleSyncLastSuccess = @"RuleSyncLastSuccess";
+static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
+
+- (instancetype)init {
   self = [super init];
   if (self) {
-    _configFilePath = filePath;
-    [self reloadConfigData];
+    Class number = [NSNumber class];
+    Class re = [NSRegularExpression class];
+    Class date = [NSDate class];
+    Class string = [NSString class];
+    Class data = [NSData class];
+    _syncServerKeyTypes = @{
+      kClientModeKey : number,
+      kWhitelistRegexKey : re,
+      kBlacklistRegexKey : re,
+      kFullSyncLastSuccess : date,
+      kRuleSyncLastSuccess : date,
+      kSyncCleanRequired : number
+    };
+    _forcedConfigKeyTypes = @{
+      kClientModeKey : number,
+      kFileChangesRegexKey : re,
+      kWhitelistRegexKey : re,
+      kBlacklistRegexKey : re,
+      kEnablePageZeroProtectionKey : number,
+      kMoreInfoURLKey : string,
+      kEventDetailURLKey : string,
+      kEventDetailTextKey : string,
+      kUnknownBlockMessage : string,
+      kBannedBlockMessage : string,
+      kModeNotificationMonitor : string,
+      kModeNotificationLockdown : string,
+      kSyncBaseURLKey : string,
+      kClientAuthCertificateFileKey : string,
+      kClientAuthCertificatePasswordKey : string,
+      kClientAuthCertificateCNKey : string,
+      kClientAuthCertificateIssuerKey : string,
+      kServerAuthRootsDataKey  : data,
+      kServerAuthRootsFileKey : string,
+      kMachineOwnerKey : string,
+      kMachineIDKey : string,
+      kMachineOwnerPlistFileKey : string,
+      kMachineOwnerPlistKeyKey : string,
+      kMachineIDPlistFileKey : string,
+      kMachineIDPlistKeyKey : string,
+      kEventLogType : string,
+      kEventLogPath : string,
+    };
+    _defaults = [NSUserDefaults standardUserDefaults];
+    [_defaults addSuiteNamed:@"com.google.santa"];
+    _configState = [self readForcedConfig];
+    _syncState = [self readSyncStateFromDisk] ?: [NSMutableDictionary dictionary];
+    [self startWatchingDefaults];
   }
   return self;
 }
@@ -82,291 +139,422 @@ static NSString *const kMachineIDPlistKeyKey = @"MachineIDKey";
 #pragma mark Singleton retriever
 
 + (instancetype)configurator {
-  static SNTConfigurator *sharedConfigurator = nil;
+  static SNTConfigurator *sharedConfigurator;
   static dispatch_once_t onceToken;
   dispatch_once(&onceToken, ^{
-    sharedConfigurator = [[SNTConfigurator alloc] initWithFilePath:kDefaultConfigFilePath];
+    sharedConfigurator = [[SNTConfigurator alloc] init];
   });
   return sharedConfigurator;
 }
 
-#pragma mark Protected Keys
++ (NSSet *)syncAndConfigStateSet {
+  static NSSet *set;
+  static dispatch_once_t onceToken;
+  dispatch_once(&onceToken, ^{
+    set = [[self syncStateSet] setByAddingObjectsFromSet:[self configStateSet]];
+  });
+  return set;
+}
 
-- (NSArray *)protectedKeys {
-  return @[ kClientModeKey, kWhitelistRegexKey, kBlacklistRegexKey,
-            kFileChangesRegexKey, kSyncBaseURLKey ];
++ (NSSet *)syncStateSet {
+  static NSSet *set;
+  static dispatch_once_t onceToken;
+  dispatch_once(&onceToken, ^{
+    set = [NSSet setWithObject:NSStringFromSelector(@selector(syncState))];
+  });
+  return set;
+}
+
++ (NSSet *)configStateSet {
+  static NSSet *set;
+  static dispatch_once_t onceToken;
+  dispatch_once(&onceToken, ^{
+    set = [NSSet setWithObject:NSStringFromSelector(@selector(configState))];
+  });
+  return set;
+}
+
+#pragma mark KVO Dependencies
+
++ (NSSet *)keyPathsForValuesAffectingClientMode {
+  return [self syncAndConfigStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingWhitelistPathRegex {
+  return [self syncAndConfigStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingBlacklistPathRegex {
+  return [self syncAndConfigStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingFileChangesRegex {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingSyncBaseURL {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingEnablePageZeroProtection {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingMoreInfoURL {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingEventDetailURL {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingEventDetailText {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingUnknownBlockMessage {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingBannedBlockMessage {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingModeNotificationMonitor {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingModeNotificationLockdown {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingSyncClientAuthCertificateFile {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingSyncClientAuthCertificatePassword {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingSyncClientAuthCertificateCn {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingSyncClientAuthCertificateIssuer {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingSyncServerAuthRootsData {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingSyncServerAuthRootsFile {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingMachineOwner {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingMachineID {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingFullSyncLastSuccess {
+  return [self syncStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingRuleSyncLastSuccess {
+  return [self syncStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingSyncCleanRequired {
+  return [self syncStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingEventLogType {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingEventLogPath {
+  return [self configStateSet];
 }
 
 #pragma mark Public Interface
 
 - (SNTClientMode)clientMode {
-  NSInteger cm = [self.configData[kClientModeKey] longValue];
+  SNTClientMode cm = [self.syncState[kClientModeKey] longLongValue];
   if (cm == SNTClientModeMonitor || cm == SNTClientModeLockdown) {
-    return (SNTClientMode)cm;
-  } else {
-    LOGE(@"Client mode was set to bad value: %ld. Resetting to MONITOR.", cm);
-    self.configData[kClientModeKey] = @(SNTClientModeMonitor);
-    return SNTClientModeMonitor;
+    return cm;
   }
+
+  cm = [self.configState[kClientModeKey] longLongValue];
+  if (cm == SNTClientModeMonitor || cm == SNTClientModeLockdown) {
+    return cm;
+  }
+
+  return SNTClientModeMonitor;
 }
 
-- (void)setClientMode:(SNTClientMode)newMode {
+- (void)setSyncServerClientMode:(SNTClientMode)newMode {
   if (newMode == SNTClientModeMonitor || newMode == SNTClientModeLockdown) {
-    self.configData[kClientModeKey] = @(newMode);
-    [self saveConfigToDisk];
+    [self updateSyncStateForKey:kClientModeKey value:@(newMode)];
   } else {
     LOGW(@"Ignoring request to change client mode to %ld", newMode);
   }
 }
 
 - (NSRegularExpression *)whitelistPathRegex {
-  if (!self.cachedWhitelistDirRegex && self.configData[kWhitelistRegexKey]) {
-    NSString *re = self.configData[kWhitelistRegexKey];
-    if (![re hasPrefix:@"^"]) re = [@"^" stringByAppendingString:re];
-    self.cachedWhitelistDirRegex = [NSRegularExpression regularExpressionWithPattern:re
-                                                                             options:0
-                                                                               error:NULL];
-  }
-  return self.cachedWhitelistDirRegex;
+  return self.syncState[kWhitelistRegexKey] ?: self.configState[kWhitelistRegexKey];
 }
 
-- (void)setWhitelistPathRegex:(NSRegularExpression *)re {
-  if (!re) {
-    [self.configData removeObjectForKey:kWhitelistRegexKey];
-  } else {
-    self.configData[kWhitelistRegexKey] = [re pattern];
-  }
-  self.cachedWhitelistDirRegex = nil;
-  [self saveConfigToDisk];
+- (void)setSyncServerWhitelistPathRegex:(NSRegularExpression *)re {
+  [self updateSyncStateForKey:kWhitelistRegexKey value:re];
 }
 
 - (NSRegularExpression *)blacklistPathRegex {
-  if (!self.cachedBlacklistDirRegex && self.configData[kBlacklistRegexKey]) {
-    NSString *re = self.configData[kBlacklistRegexKey];
-    if (![re hasPrefix:@"^"]) re = [@"^" stringByAppendingString:re];
-    self.cachedBlacklistDirRegex = [NSRegularExpression regularExpressionWithPattern:re
-                                                                             options:0
-                                                                               error:NULL];
-  }
-  return self.cachedBlacklistDirRegex;
+  return self.syncState[kBlacklistRegexKey] ?: self.configState[kBlacklistRegexKey];
 }
 
-- (void)setBlacklistPathRegex:(NSRegularExpression *)re {
-  if (!re) {
-    [self.configData removeObjectForKey:kBlacklistRegexKey];
-  } else {
-    self.configData[kBlacklistRegexKey] = [re pattern];
-  }
-  self.cachedBlacklistDirRegex = nil;
-  [self saveConfigToDisk];
+- (void)setSyncServerBlacklistPathRegex:(NSRegularExpression *)re {
+  [self updateSyncStateForKey:kBlacklistRegexKey value:re];
 }
 
 - (NSRegularExpression *)fileChangesRegex {
-  if (!self.cachedFileChangesRegex && self.configData[kFileChangesRegexKey]) {
-    NSString *re = self.configData[kFileChangesRegexKey];
-    if (![re hasPrefix:@"^"]) re = [@"^" stringByAppendingString:re];
-    self.cachedFileChangesRegex = [NSRegularExpression regularExpressionWithPattern:re
-                                                                            options:0
-                                                                              error:NULL];
-  }
-  return self.cachedFileChangesRegex;
-}
-
-- (void)setFileChangesRegex:(NSRegularExpression *)re {
-  if (!re) {
-    [self.configData removeObjectForKey:kFileChangesRegexKey];
-  } else {
-    self.configData[kFileChangesRegexKey] = [re pattern];
-  }
-  self.cachedFileChangesRegex = nil;
-  [self saveConfigToDisk];
-}
-
-- (BOOL)enablePageZeroProtection {
-  NSNumber *keyValue = self.configData[kEnablePageZeroProtectionKey];
-  return keyValue ? [keyValue boolValue] : YES;
-}
-
-- (NSURL *)moreInfoURL {
-  return [NSURL URLWithString:self.configData[kMoreInfoURLKey]];
-}
-
-- (NSString *)eventDetailURL {
-  return self.configData[kEventDetailURLKey];
-}
-
-- (NSString *)eventDetailBundleURL {
-  return self.configData[kEventDetailBundleURLKey];
-}
-
-- (NSString *)eventDetailText {
-  return self.configData[kEventDetailTextKey];
-}
-
-- (NSString *)unknownBlockMessage {
-  return self.configData[kUnknownBlockMessage];
-}
-
-- (NSString *)bannedBlockMessage {
-  return self.configData[kBannedBlockMessage];
-}
-
-- (NSString *)modeNotificationMonitor {
-  return self.configData[kModeNotificationMonitor];
-}
-
-- (NSString *)modeNotificationLockdown {
-  return self.configData[kModeNotificationLockdown];
+  return self.configState[kFileChangesRegexKey];
 }
 
 - (NSURL *)syncBaseURL {
-  NSString *urlStr = self.configData[kSyncBaseURLKey];
-  if (urlStr) {
-    NSURL *url = [NSURL URLWithString:urlStr];
-    if (!url) LOGW(@"SyncBaseURL is not a valid URL!");
-    return url;
-  }
-  return nil;
+  NSString *urlString = self.configState[kSyncBaseURLKey];
+  NSURL *url = [NSURL URLWithString:urlString];
+  if (urlString && !url) LOGW(@"SyncBaseURL is not a valid URL!");
+  return url;
+}
+
+- (BOOL)enablePageZeroProtection {
+  NSNumber *number = self.configState[kEnablePageZeroProtectionKey];
+  return number ? [number boolValue] : YES;
+}
+
+- (NSURL *)moreInfoURL {
+  return [NSURL URLWithString:self.configState[kMoreInfoURLKey]];
+}
+
+- (NSString *)eventDetailURL {
+  return self.configState[kEventDetailURLKey];
+}
+
+- (NSString *)eventDetailText {
+  return self.configState[kEventDetailTextKey];
+}
+
+- (NSString *)unknownBlockMessage {
+  return self.configState[kUnknownBlockMessage];
+}
+
+- (NSString *)bannedBlockMessage {
+  return self.configState[kBannedBlockMessage];
+}
+
+- (NSString *)modeNotificationMonitor {
+  return self.configState[kModeNotificationMonitor];
+}
+
+- (NSString *)modeNotificationLockdown {
+  return self.configState[kModeNotificationLockdown];
 }
 
 - (NSString *)syncClientAuthCertificateFile {
-  return self.configData[kClientAuthCertificateFileKey];
+  return self.configState[kClientAuthCertificateFileKey];
 }
 
 - (NSString *)syncClientAuthCertificatePassword {
-  return self.configData[kClientAuthCertificatePasswordKey];
+  return self.configState[kClientAuthCertificatePasswordKey];
 }
 
 - (NSString *)syncClientAuthCertificateCn {
-  return self.configData[kClientAuthCertificateCNKey];
+  return self.configState[kClientAuthCertificateCNKey];
 }
 
 - (NSString *)syncClientAuthCertificateIssuer {
-  return self.configData[kClientAuthCertificateIssuerKey];
+  return self.configState[kClientAuthCertificateIssuerKey];
 }
 
 - (NSData *)syncServerAuthRootsData {
-  return self.configData[kServerAuthRootsDataKey];
+  return self.configState[kServerAuthRootsDataKey];
 }
 
 - (NSString *)syncServerAuthRootsFile {
-  return self.configData[kServerAuthRootsFileKey];
+  return self.configState[kServerAuthRootsFileKey];
 }
 
-- (NSDate *)syncLastSuccess {
-  return self.configData[kSyncLastSuccess];
+- (NSDate *)fullSyncLastSuccess {
+  return self.syncState[kFullSyncLastSuccess];
 }
 
-- (void)setSyncLastSuccess:(NSDate *)syncLastSuccess {
-  self.configData[kSyncLastSuccess] = syncLastSuccess;
-  [self saveConfigToDisk];
+- (void)setFullSyncLastSuccess:(NSDate *)fullSyncLastSuccess {
+  [self updateSyncStateForKey:kFullSyncLastSuccess value:fullSyncLastSuccess];
+  self.ruleSyncLastSuccess = fullSyncLastSuccess;
+}
+
+- (NSDate *)ruleSyncLastSuccess {
+  return self.syncState[kRuleSyncLastSuccess];
+}
+
+- (void)setRuleSyncLastSuccess:(NSDate *)ruleSyncLastSuccess {
+  [self updateSyncStateForKey:kRuleSyncLastSuccess value:ruleSyncLastSuccess];
 }
 
 - (BOOL)syncCleanRequired {
-  return [self.configData[kSyncCleanRequired] boolValue];
+  return [self.syncState[kSyncCleanRequired] boolValue];
 }
 
 - (void)setSyncCleanRequired:(BOOL)syncCleanRequired {
-  self.configData[kSyncCleanRequired] = @(syncCleanRequired);
-  [self saveConfigToDisk];
+  [self updateSyncStateForKey:kSyncCleanRequired value:@(syncCleanRequired)];
 }
 
 - (NSString *)machineOwner {
-  NSString *machineOwner;
+  NSString *machineOwner = self.configState[kMachineOwnerKey];
+  if (machineOwner) return machineOwner;
 
-  if (self.configData[kMachineOwnerPlistFileKey] && self.configData[kMachineOwnerPlistKeyKey]) {
-    NSDictionary *plist =
-        [NSDictionary dictionaryWithContentsOfFile:self.configData[kMachineOwnerPlistFileKey]];
-    machineOwner = plist[self.configData[kMachineOwnerPlistKeyKey]];
+  NSString *plistPath = self.configState[kMachineOwnerPlistFileKey];
+  NSString *plistKey = self.configState[kMachineOwnerPlistKeyKey];
+  if (plistPath && plistKey) {
+    NSDictionary *plist = [NSDictionary dictionaryWithContentsOfFile:plistPath];
+    machineOwner = [plist[plistKey] isKindOfClass:[NSString class]] ? plist[plistKey] : nil;
   }
 
-  if (self.configData[kMachineOwnerKey]) {
-    machineOwner = self.configData[kMachineOwnerKey];
-  }
-
-  if (!machineOwner) machineOwner = @"";
-
-  return machineOwner;
+  return machineOwner ?: @"";
 }
 
 - (NSString *)machineID {
-  NSString *machineId;
+  NSString *machineId = self.configState[kMachineIDKey];
+  if (machineId) return machineId;
 
-  if (self.configData[kMachineIDPlistFileKey] && self.configData[kMachineIDPlistKeyKey]) {
-    NSDictionary *plist =
-        [NSDictionary dictionaryWithContentsOfFile:self.configData[kMachineIDPlistFileKey]];
-    machineId = plist[self.configData[kMachineIDPlistKeyKey]];
+  NSString *plistPath = self.configState[kMachineIDPlistFileKey];
+  NSString *plistKey = self.configState[kMachineIDPlistKeyKey];
+
+  if (plistPath && plistKey) {
+    NSDictionary *plist = [NSDictionary dictionaryWithContentsOfFile:plistPath];
+    machineId = [plist[plistKey] isKindOfClass:[NSString class]] ? plist[plistKey] : nil;
   }
 
-  if (self.configData[kMachineIDKey]) {
-    machineId = self.configData[kMachineIDKey];
-  }
-
-  if ([machineId length] == 0) {
-    machineId = [SNTSystemInfo hardwareUUID];
-  }
-
-  return machineId;
+  return machineId.length ? machineId : [SNTSystemInfo hardwareUUID];
 }
 
-- (void)reloadConfigData {
-  NSFileManager *fm = [NSFileManager defaultManager];
-  if (![fm fileExistsAtPath:self.configFilePath]) return;
+- (SNTEventLogType)eventLogType {
+  NSString *s = [self.configState[kEventLogType] lowercaseString];
+  return [s isEqualToString:@"syslog"] ? SNTEventLogTypeSyslog : SNTEventLogTypeFilelog;
+}
 
-  NSError *error;
-  NSData *readData = [NSData dataWithContentsOfFile:self.configFilePath
-                                            options:NSDataReadingMappedIfSafe
-                                              error:&error];
-  if (error) {
-    LOGE(@"Could not read configuration file: %@, replacing.", [error localizedDescription]);
-    [self saveConfigToDisk];
-    return;
-  }
-
-  NSMutableDictionary *configData =
-      [NSPropertyListSerialization propertyListWithData:readData
-                                                options:NSPropertyListMutableContainers
-                                                 format:NULL
-                                                  error:&error];
-  if (error) {
-    LOGE(@"Could not parse configuration file: %@, replacing.", [error localizedDescription]);
-    [self saveConfigToDisk];
-    return;
-  }
-
-  if (self.syncBaseURL) {
-    // Ensure no-one is trying to change protected keys behind our back.
-    BOOL changed = NO;
-    if (geteuid() == 0) {
-      for (NSString *key in self.protectedKeys) {
-        if (((self.configData[key] && !configData[key]) ||
-             (!self.configData[key] && configData[key]) ||
-             (self.configData[key] && ![self.configData[key] isEqual:configData[key]]))) {
-          if (self.configData[key]) {
-            configData[key] = self.configData[key];
-          } else {
-            [configData removeObjectForKey:key];
-          }
-          changed = YES;
-          LOGI(@"Ignoring changed configuration key: %@", key);
-        }
-      }
-    }
-    self.configData = configData;
-    if (changed) [self saveConfigToDisk];
-  } else {
-    self.configData = configData;
-  }
+- (NSString *)eventLogPath {
+  return self.configState[kEventLogPath] ?: @"/var/db/santa/santa.log";
 }
 
 #pragma mark Private
 
 ///
-///  Saves the current @c self.configData to disk.
+///  Update the syncState. Triggers a KVO event for all dependents.
 ///
-- (void)saveConfigToDisk {
+- (void)updateSyncStateForKey:(NSString *)key value:(id)value {
+  dispatch_async(dispatch_get_main_queue(), ^{
+    NSMutableDictionary *syncState = self.syncState.mutableCopy;
+    syncState[key] = value;
+    self.syncState = syncState;
+    [self saveSyncStateToDisk];
+  });
+}
+
+///
+///  Read the saved syncState.
+///
+- (NSMutableDictionary *)readSyncStateFromDisk {
+  // Only read the sync state if a sync server is configured.
+  if (!self.syncBaseURL) return nil;
+  // Only santad should read this file.
+  if (geteuid() != 0) return nil;
+  NSMutableDictionary *syncState =
+      [NSMutableDictionary dictionaryWithContentsOfFile:kSyncStateFilePath];
+  for (NSString *key in syncState.allKeys) {
+    if (self.syncServerKeyTypes[key] == [NSRegularExpression class]) {
+      NSString *pattern = [syncState[key] isKindOfClass:[NSString class]] ? syncState[key] : nil;
+      syncState[key] = [self expressionForPattern:pattern];
+    } else if (![syncState[key] isKindOfClass:self.syncServerKeyTypes[key]]) {
+      syncState[key] = nil;
+      continue;
+    }
+  }
+  return syncState;
+}
+
+///
+///  Saves the current effective syncState to disk.
+///
+- (void)saveSyncStateToDisk {
+  // Only save the sync state if a sync server is configured.
+  if (!self.syncBaseURL) return;
+  // Only santad should write to this file.
   if (geteuid() != 0) return;
-  [self.configData writeToFile:self.configFilePath atomically:YES];
+  // Either remove
+  NSMutableDictionary *syncState = self.syncState.mutableCopy;
+  syncState[kWhitelistRegexKey] = [syncState[kWhitelistRegexKey] pattern];
+  syncState[kBlacklistRegexKey] = [syncState[kBlacklistRegexKey] pattern];
+  [syncState writeToFile:kSyncStateFilePath atomically:YES];
+  [[NSFileManager defaultManager] setAttributes:@{ NSFilePosixPermissions : @0644 }
+                                   ofItemAtPath:kSyncStateFilePath error:NULL];
+}
+
+- (void)clearSyncState {
+  self.syncState = [NSMutableDictionary dictionary];
+}
+
+#pragma mark Private Defaults Methods
+
+- (NSRegularExpression *)expressionForPattern:(NSString *)pattern {
+  if (!pattern) return nil;
+  if (![pattern hasPrefix:@"^"]) pattern = [@"^" stringByAppendingString:pattern];
+  return [NSRegularExpression regularExpressionWithPattern:pattern options:0 error:NULL];
+}
+
+- (NSMutableDictionary *)readForcedConfig {
+  NSMutableDictionary *forcedConfig = [NSMutableDictionary dictionary];
+  for (NSString *key in self.forcedConfigKeyTypes) {
+    id obj = [self forcedConfigValueForKey:key];
+    forcedConfig[key] = [obj isKindOfClass:self.forcedConfigKeyTypes[key]] ? obj : nil;
+    // Create the regex objects now
+    if (self.forcedConfigKeyTypes[key] == [NSRegularExpression class]) {
+      NSString *pattern = [obj isKindOfClass:[NSString class]] ? obj : nil;
+      forcedConfig[key] = [self expressionForPattern:pattern];
+    }
+  }
+  return forcedConfig;
+}
+
+- (id)forcedConfigValueForKey:(NSString *)key {
+  id obj = [self.defaults objectForKey:key];
+  return [self.defaults objectIsForcedForKey:key inDomain:kMobileConfigDomain] ? obj : nil;
+}
+
+- (void)startWatchingDefaults {
+  // Only santad should listen.
+  if (geteuid() != 0) return;
+  [[NSNotificationCenter defaultCenter] addObserver:self
+                                           selector:@selector(defaultsChanged:)
+                                               name:NSUserDefaultsDidChangeNotification
+                                             object:nil];
+}
+
+- (void)defaultsChanged:(void *)v {
+  SEL handleChange = @selector(handleChange);
+  [NSObject cancelPreviousPerformRequestsWithTarget:self selector:handleChange object:nil];
+  [self performSelector:handleChange withObject:nil afterDelay:5.0f];
+}
+
+///
+///  Update the configState. Triggers a KVO event for all dependents.
+///
+- (void)handleChange {
+  self.configState = [self readForcedConfig];
 }
 
 @end

Source/common/SNTDropRootPrivs.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Foundation/Foundation.h>
+
 ///
 ///  Simple function to check and drop root privileges.
 ///

Source/common/SNTFileInfo.h

@@ -12,6 +12,10 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Foundation/Foundation.h>
+
+@class MOLCodesignChecker;
+
 ///
 ///  Represents a binary on disk, providing access to details about that binary
 ///  such as the SHA-1, SHA-256, Info.plist and the Mach-O data.
@@ -36,6 +40,18 @@
 ///
 - (instancetype)initWithPath:(NSString *)path;
 
+
+///
+///  Initializer for already resolved paths.
+///
+///  @param path The path of the file this instance is to represent. The path will
+///      not be converted and will be used as is. If the path is not a regular file this method will
+///      return nil and fill in an error.
+///  @param error If an error occurred and nil is returned, this will be a pointer to an NSError
+///      describing the problem.
+///
+- (instancetype)initWithResolvedPath:(NSString *)path error:(NSError **)error;
+
 ///
 ///  @return Path of this file.
 ///
@@ -84,6 +100,11 @@
 ///
 - (BOOL)isDylib;
 
+///
+///  @return YES if this file is a bundle executable (QuickLook/Spotlight plugin, etc.)
+///
+- (BOOL)isBundle;
+
 ///
 ///  @return YES if this file is a kernel extension.
 ///
@@ -104,11 +125,31 @@
 ///
 - (BOOL)isDMG;
 
+///
+///  @return NSString describing the kind of file (executable, bundle, script, etc.)
+///
+- (NSString *)humanReadableFileType;
+
 ///
 ///  @return YES if this file has a bad/missing __PAGEZERO .
 ///
 - (BOOL)isMissingPageZero;
 
+///
+///  If set to YES, the bundle* and infoPlist methods will search for and use the highest NSBundle
+///  found in the tree. Defaults to NO, which uses the first found bundle, if any.
+///
+///  @example:
+///      An SNTFileInfo object that represents
+///        /Applications/Photos.app/Contents/XPCServices/com.apple.Photos.librarychooserservice.xpc
+///      useAncestorBundle is set to YES
+///        /Applications/Photos.app will be used to get data backing all the bundle methods
+///
+///  @note: The NSBundle object backing the bundle* and infoPlist methods is cached once found.
+///         Setting the useAncestorBundle propery will clear this cache and force a re-search.
+///
+@property(nonatomic) BOOL useAncestorBundle;
+
 ///
 ///  @return An NSBundle if this file is part of a bundle.
 ///
@@ -171,4 +212,16 @@
 ///
 - (NSUInteger)fileSize;
 
+///
+///  @return The underlying file handle.
+///
+@property(readonly) NSFileHandle *fileHandle;
+
+///
+///  @return Returns an instance of MOLCodeSignChecker initialized with the file's binary path.
+///  Both the MOLCodesignChecker and any resulting NSError are cached and returned on subsequent
+///  calls.  You may pass in NULL for the error if you don't care to receive it.
+///
+- (MOLCodesignChecker *)codesignCheckerWithError:(NSError **)error;
+
 @end

Source/common/SNTFileInfo.m

@@ -15,14 +15,16 @@
 #import "SNTFileInfo.h"
 
 #import <CommonCrypto/CommonDigest.h>
+#import <MOLCodesignChecker/MOLCodesignChecker.h>
 
+#include <mach-o/arch.h>
 #include <mach-o/loader.h>
 #include <mach-o/swap.h>
 #include <pwd.h>
 #include <sys/stat.h>
 #include <sys/xattr.h>
 
-#import <FMDB/FMDB.h>
+#import <fmdb/FMDB.h>
 
 // Simple class to hold the data of a mach_header and the offset within the file
 // in which that header was found.
@@ -53,33 +55,40 @@
 @property NSDictionary *infoDict;
 @property NSDictionary *quarantineDict;
 @property NSDictionary *cachedHeaders;
+@property MOLCodesignChecker *cachedCodesignChecker;
+@property(nonatomic) NSError *codesignCheckerError;
 @end
 
 @implementation SNTFileInfo
 
 extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 
-- (instancetype)initWithPath:(NSString *)path error:(NSError **)error {
+- (instancetype)initWithResolvedPath:(NSString *)path error:(NSError **)error {
   self = [super init];
   if (self) {
-    NSBundle *bndl;
-    _path = [self resolvePath:path bundle:&bndl];
-    _bundleRef = bndl;
-    if (_path.length == 0) {
+    _path = path;
+    if (!_path.length) {
       if (error) {
-        NSString *errStr = @"Unable to resolve empty path";
-        if (path) errStr = [@"Unable to resolve path: " stringByAppendingString:path];
+        NSString *errStr = @"Unable to use empty path";
         *error = [NSError errorWithDomain:@"com.google.santa.fileinfo"
-                                     code:260
+                                     code:270
                                  userInfo:@{NSLocalizedDescriptionKey : errStr}];
       }
       return nil;
     }
 
-    _fileHandle = [NSFileHandle fileHandleForReadingAtPath:_path];
-
     struct stat fileStat;
-    fstat(_fileHandle.fileDescriptor, &fileStat);
+    lstat(_path.UTF8String, &fileStat);
+    if (!((S_IFMT & fileStat.st_mode) == S_IFREG)) {
+      if (error) {
+        NSString *errStr = [NSString stringWithFormat:@"Non regular file: %s", strerror(errno)];
+        *error = [NSError errorWithDomain:@"com.google.santa.fileinfo"
+                                     code:290
+                                 userInfo:@{NSLocalizedDescriptionKey : errStr}];
+      }
+      return nil;
+    }
+
     _fileSize = fileStat.st_size;
 
     if (_fileSize == 0) return nil;
@@ -90,11 +99,41 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
         _fileOwnerHomeDir = @(pwd->pw_dir);
       }
     }
+
+    int fd = open([_path UTF8String], O_RDONLY | O_CLOEXEC);
+    if (fd < 0) {
+      if (error) {
+        NSString *errStr = [NSString stringWithFormat:@"Unable to open file: %s", strerror(errno)];
+        *error = [NSError errorWithDomain:@"com.google.santa.fileinfo"
+                                     code:280
+                                 userInfo:@{NSLocalizedDescriptionKey : errStr}];
+      }
+      return nil;
+    }
+    _fileHandle = [[NSFileHandle alloc] initWithFileDescriptor:fd closeOnDealloc:YES];
   }
 
   return self;
 }
 
+- (instancetype)initWithPath:(NSString *)path error:(NSError **)error {
+  NSBundle *bndl;
+  NSString *resolvedPath = [self resolvePath:path bundle:&bndl];
+  if (!resolvedPath.length) {
+    if (error) {
+      NSString *errStr = @"Unable to resolve empty path";
+      if (path) errStr = [@"Unable to resolve path: " stringByAppendingString:path];
+      *error = [NSError errorWithDomain:@"com.google.santa.fileinfo"
+                                   code:260
+                               userInfo:@{NSLocalizedDescriptionKey : errStr}];
+    }
+    return nil;
+  }
+  self = [self initWithResolvedPath:resolvedPath error:error];
+  if (self && bndl) _bundleRef = bndl;
+  return self;
+}
+
 - (instancetype)initWithPath:(NSString *)path {
   return [self initWithPath:path error:NULL];
 }
@@ -102,7 +141,9 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 #pragma mark Hashing
 
 - (void)hashSHA1:(NSString **)sha1 SHA256:(NSString **)sha256 {
-  const int chunkSize = 4096;
+  const int MAX_CHUNK_SIZE = 256 * 1024;  // 256 KB
+  const size_t chunkSize = _fileSize > MAX_CHUNK_SIZE ? MAX_CHUNK_SIZE : _fileSize;
+  char chunk[chunkSize];
 
   CC_SHA1_CTX c1;
   CC_SHA256_CTX c256;
@@ -110,46 +151,59 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
   if (sha1) CC_SHA1_Init(&c1);
   if (sha256) CC_SHA256_Init(&c256);
 
-  for (uint64_t offset = 0; offset < self.fileSize; offset += chunkSize) {
-    @autoreleasepool {
-      int readSize = 0;
-      if (offset + chunkSize > self.fileSize) {
-        readSize = (int)(self.fileSize - offset);
-      } else {
-        readSize = chunkSize;
-      }
+  int fd = self.fileHandle.fileDescriptor;
 
-      NSData *chunk = [self safeSubdataWithRange:NSMakeRange(offset, readSize)];
-      if (!chunk) {
-        if (sha1) CC_SHA1_Final(NULL, &c1);
-        if (sha256) CC_SHA256_Final(NULL, &c256);
-        return;
-      }
+  fcntl(fd, F_RDAHEAD, 1);
+  struct radvisory radv;
+  radv.ra_offset = 0;
+  const int MAX_ADVISORY_READ = 10 * 1024 * 1024;
+  radv.ra_count = (int)_fileSize < MAX_ADVISORY_READ ? (int)_fileSize : MAX_ADVISORY_READ;
+  fcntl(fd, F_RDADVISE, &radv);
+  ssize_t bytesRead;
 
-      if (sha1) CC_SHA1_Update(&c1, chunk.bytes, readSize);
-      if (sha256) CC_SHA256_Update(&c256, chunk.bytes, readSize);
+  for (uint64_t offset = 0; offset < _fileSize;) {
+    bytesRead = pread(fd, chunk, chunkSize, offset);
+    if (bytesRead > 0) {
+      if (sha1) CC_SHA1_Update(&c1, chunk, (CC_LONG)bytesRead);
+      if (sha256) CC_SHA256_Update(&c256, chunk, (CC_LONG)bytesRead);
+      offset += bytesRead;
+    } else if (bytesRead == -1 && errno == EINTR) {
+      continue;
+    } else {
+      return;
     }
   }
 
+  // We turn off Read Ahead that we turned on
+  fcntl(fd, F_RDAHEAD, 0);
   if (sha1) {
-    unsigned char dgst[CC_SHA1_DIGEST_LENGTH];
-    CC_SHA1_Final(dgst, &c1);
-
-    NSMutableString *buf = [[NSMutableString alloc] initWithCapacity:CC_SHA1_DIGEST_LENGTH * 2];
-    for (int i = 0; i < CC_SHA1_DIGEST_LENGTH; ++i) {
-      [buf appendFormat:@"%02x", (unsigned char)dgst[i]];
-    }
-    *sha1 = [buf copy];
+    unsigned char digest[CC_SHA1_DIGEST_LENGTH];
+    CC_SHA1_Final(digest, &c1);
+    NSString *const SHA1FormatString =
+        @"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x";
+    *sha1 = [[NSString alloc]
+        initWithFormat:SHA1FormatString, digest[0], digest[1], digest[2],
+                       digest[3], digest[4], digest[5], digest[6], digest[7],
+                       digest[8], digest[9], digest[10], digest[11], digest[12],
+                       digest[13], digest[14], digest[15], digest[16],
+                       digest[17], digest[18], digest[19]];
   }
   if (sha256) {
-    unsigned char dgst[CC_SHA256_DIGEST_LENGTH];
-    CC_SHA256_Final(dgst, &c256);
+    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
+    CC_SHA256_Final(digest, &c256);
+    NSString *const SHA256FormatString =
+        @"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
+         "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x";
 
-    NSMutableString *buf = [[NSMutableString alloc] initWithCapacity:CC_SHA256_DIGEST_LENGTH * 2];
-    for (int i = 0; i < CC_SHA256_DIGEST_LENGTH; ++i) {
-      [buf appendFormat:@"%02x", (unsigned char)dgst[i]];
-    }
-    *sha256 = [buf copy];
+    *sha256 = [[NSString alloc]
+        initWithFormat:SHA256FormatString, digest[0], digest[1], digest[2],
+                       digest[3], digest[4], digest[5], digest[6], digest[7],
+                       digest[8], digest[9], digest[10], digest[11], digest[12],
+                       digest[13], digest[14], digest[15], digest[16],
+                       digest[17], digest[18], digest[19], digest[20],
+                       digest[21], digest[22], digest[23], digest[24],
+                       digest[25], digest[26], digest[27], digest[28],
+                       digest[29], digest[30], digest[31]];
   }
 }
 
@@ -171,22 +225,26 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
   return [self.machHeaders allKeys];
 }
 
-- (BOOL)isExecutable {
+- (uint32_t)machFileType {
   struct mach_header *mach_header = [self firstMachHeader];
-  if (mach_header && mach_header->filetype == MH_EXECUTE) return YES;
-  return NO;
+  if (mach_header) return mach_header->filetype;
+  return -1;
+}
+
+- (BOOL)isExecutable {
+  return [self machFileType] == MH_EXECUTE;
 }
 
 - (BOOL)isDylib {
-  struct mach_header *mach_header = [self firstMachHeader];
-  if (mach_header && mach_header->filetype == MH_DYLIB) return YES;
-  return NO;
+  return [self machFileType] == MH_DYLIB;
+}
+
+- (BOOL)isBundle {
+  return [self machFileType] == MH_BUNDLE;
 }
 
 - (BOOL)isKext {
-  struct mach_header *mach_header = [self firstMachHeader];
-  if (mach_header && mach_header->filetype == MH_KEXT_BUNDLE) return YES;
-  return NO;
+  return [self machFileType] == MH_KEXT_BUNDLE;
 }
 
 - (BOOL)isMachO {
@@ -199,18 +257,30 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 
 - (BOOL)isScript {
   const char *magic = (const char *)[[self safeSubdataWithRange:NSMakeRange(0, 2)] bytes];
-  return (strncmp("#!", magic, 2) == 0);
+  return (magic && memcmp("#!", magic, 2) == 0);
 }
 
 - (BOOL)isXARArchive {
   const char *magic = (const char *)[[self safeSubdataWithRange:NSMakeRange(0, 4)] bytes];
-  return (strncmp("xar!", magic, 4) == 0);
+  return (magic && memcmp("xar!", magic, 4) == 0);
 }
 
 - (BOOL)isDMG {
+  if (self.fileSize < 512) return NO;
   NSUInteger last512 = self.fileSize - 512;
   const char *magic = (const char *)[[self safeSubdataWithRange:NSMakeRange(last512, 4)] bytes];
-  return (magic && strncmp("koly", magic, 4) == 0);
+  return (magic && memcmp("koly", magic, 4) == 0);
+}
+
+- (NSString *)humanReadableFileType {
+  if ([self isExecutable]) return @"Executable";
+  if ([self isDylib]) return @"Dynamic Library";
+  if ([self isBundle]) return @"Bundle/Plugin";
+  if ([self isKext]) return @"Kernel Extension";
+  if ([self isScript]) return @"Script";
+  if ([self isXARArchive]) return @"XAR Archive";
+  if ([self isDMG]) return @"Disk Image";
+  return @"Unknown";
 }
 
 #pragma mark Page Zero
@@ -218,7 +288,8 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 - (BOOL)isMissingPageZero {
   // This method only checks i386 arch because the kernel enforces this for other archs
   // See bsd/kern/mach_loader.c, search for enforce_hard_pagezero.
-  MachHeaderWithOffset *x86Header = self.machHeaders[[self nameForCPUType:CPU_TYPE_X86]];
+  MachHeaderWithOffset *x86Header = self.machHeaders[[self nameForCPUType:CPU_TYPE_X86
+                                                               cpuSubType:CPU_SUBTYPE_I386_ALL]];
   if (!x86Header) return NO;
 
   struct mach_header *mh = (struct mach_header *)[x86Header.data bytes];
@@ -230,7 +301,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
   if (!lcData) return NO;
 
   // This code assumes the __PAGEZERO is always the first load-command in the file.
-  // Given that the OS X ABI says "the static linker creates a __PAGEZERO segment
+  // Given that the macOS ABI says "the static linker creates a __PAGEZERO segment
   // as the first segment of an executable file." this should be OK.
   struct load_command *lc = (struct load_command *)[lcData bytes];
   if (lc->cmd == LC_SEGMENT) {
@@ -246,38 +317,62 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 
 #pragma mark Bundle Information
 
+///
+///  Directories with a "Contents/Info.plist" entry can be mistaken as a bundle. To be considered an
+///  ancestor, the bundle must have a valid extension.
+///
+- (NSSet *)allowedAncestorExtensions {
+  static NSSet *set;
+  static dispatch_once_t onceToken;
+  dispatch_once(&onceToken, ^{
+    set = [NSSet setWithArray:@[
+      @"app",
+      @"bundle",
+      @"framework",
+      @"kext",
+      @"xctest",
+      @"xpc",
+    ]];
+  });
+  return set;
+}
+
 ///
 ///  Try and determine the bundle that the represented executable is contained within, if any.
 ///
 ///  Rationale: An NSBundle has a method executablePath for discovering the main binary within a
 ///  bundle but provides no way to get an NSBundle object when only the executablePath is known.
-///  Also a bundle can contain multiple binaries within the MacOS folder and we want any of these
+///  Also a bundle can contain multiple binaries within its subdirectories and we want any of these
 ///  to count as being part of the bundle.
 ///
-///  This method relies on executable bundles being laid out as follows:
+///  This method walks up the path until a bundle is found, if any.
 ///
-/// @code
-/// Bundle.app/
-///    Contents/
-///       MacOS/
-///         executable
-/// @endcode
-///
-///  If @c self.path is the full path to @c executable above, this method would return an
-///  NSBundle reference for Bundle.app.
+///  @param ancestor YES this will return the highest NSBundle, with a valid extension, found in the
+///                  tree. NO will return the the lowest NSBundle, without validating the extension.
 ///
+- (NSBundle *)findBundleWithAncestor:(BOOL)ancestor {
+  NSBundle *bundle;
+  NSMutableArray *pathComponents = [[self.path pathComponents] mutableCopy];
+
+  // Ignore the root path "/", for some reason this is considered a bundle.
+  while (pathComponents.count > 1) {
+    NSBundle *bndl = [NSBundle bundleWithPath:[NSString pathWithComponents:pathComponents]];
+    if ([bndl objectForInfoDictionaryKey:@"CFBundleIdentifier"]) {
+      if (!ancestor ||
+          [[self allowedAncestorExtensions] containsObject:bndl.bundlePath.pathExtension]) {
+        bundle = bndl;
+      }
+      if (!ancestor) break;
+    }
+    [pathComponents removeLastObject];
+  }
+  return bundle;
+}
+
 - (NSBundle *)bundle {
   if (!self.bundleRef) {
-    self.bundleRef = (NSBundle *)[NSNull null];
-
-    // Check that the full path is at least 4-levels deep:
-    // e.g: /Calendar.app/Contents/MacOS/Calendar
-    NSArray *pathComponents = [self.path pathComponents];
-    if ([pathComponents count] < 4) return nil;
-
-    pathComponents = [pathComponents subarrayWithRange:NSMakeRange(0, [pathComponents count] - 3)];
-    NSBundle *bndl = [NSBundle bundleWithPath:[NSString pathWithComponents:pathComponents]];
-    if (bndl && [bndl objectForInfoDictionaryKey:@"CFBundleIdentifier"]) self.bundleRef = bndl;
+    self.bundleRef =
+        [self findBundleWithAncestor:self.useAncestorBundle] ?: (NSBundle *)[NSNull null];
   }
   return self.bundleRef == (NSBundle *)[NSNull null] ? nil : self.bundleRef;
 }
@@ -286,6 +381,14 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
   return [self.bundle bundlePath];
 }
 
+- (void)setUseAncestorBundle:(BOOL)useAncestorBundle {
+  if (self.useAncestorBundle != useAncestorBundle) {
+    self.bundleRef = nil;
+    self.infoDict = nil;
+  }
+  _useAncestorBundle = useAncestorBundle;
+}
+
 - (NSDictionary *)infoPlist {
   if (!self.infoDict) {
     NSDictionary *d = [self embeddedPlist];
@@ -365,13 +468,13 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
   if (machHeader) {
     struct mach_header *mh = (struct mach_header *)[machHeader bytes];
     MachHeaderWithOffset *mhwo = [[MachHeaderWithOffset alloc] initWithData:machHeader offset:0];
-    machHeaders[[self nameForCPUType:mh->cputype]] = mhwo;
+    machHeaders[[self nameForCPUType:mh->cputype cpuSubType:mh->cpusubtype]] = mhwo;
   } else {
     NSRange range = NSMakeRange(0, sizeof(struct fat_header));
     NSData *fatHeader = [self safeSubdataWithRange:range];
     struct fat_header *fh = (struct fat_header *)[fatHeader bytes];
 
-    if (fatHeader && (fh->magic == FAT_MAGIC || fh->magic == FAT_CIGAM)) {
+    if (fatHeader && (fh->magic == FAT_CIGAM || fh->magic == FAT_MAGIC)) {
       int nfat_arch = OSSwapBigToHostInt32(fh->nfat_arch);
       range = NSMakeRange(sizeof(struct fat_header), sizeof(struct fat_arch) * nfat_arch);
       NSMutableData *fatArchs = [[self safeSubdataWithRange:range] mutableCopy];
@@ -381,11 +484,12 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
           int offset = OSSwapBigToHostInt32(fat_arch[i].offset);
           int size = OSSwapBigToHostInt32(fat_arch[i].size);
           int cputype = OSSwapBigToHostInt(fat_arch[i].cputype);
+          int cpusubtype = OSSwapBigToHostInt(fat_arch[i].cpusubtype);
 
           range = NSMakeRange(offset, size);
           NSData *machHeader = [self parseSingleMachHeader:[self safeSubdataWithRange:range]];
           if (machHeader) {
-            NSString *key = [self nameForCPUType:cputype];
+            NSString *key = [self nameForCPUType:cputype cpuSubType:cpusubtype];
             MachHeaderWithOffset *mhwo = [[MachHeaderWithOffset alloc] initWithData:machHeader
                                                                              offset:offset];
             machHeaders[key] = mhwo;
@@ -445,7 +549,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
     if (!cmdData) return nil;
     struct segment_command_64 *lc = (struct segment_command_64 *)[cmdData bytes];
     if (lc->cmd == LC_SEGMENT || lc->cmd == LC_SEGMENT_64) {
-      if (strncmp(lc->segname, "__TEXT", 6) == 0) {
+      if (memcmp(lc->segname, "__TEXT", 6) == 0) {
         nsects = lc->nsects;
         offset += sz_segment;
         break;
@@ -459,7 +563,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
     NSData *sectData = [self safeSubdataWithRange:NSMakeRange(offset, sz_section)];
     if (!sectData) return nil;
     struct section_64 *sect = (struct section_64 *)[sectData bytes];
-    if (sect && strncmp(sect->sectname, "__info_plist", 12) == 0 && sect->size < 2000000) {
+    if (sect && memcmp(sect->sectname, "__info_plist", 12) == 0 && sect->size < 2000000) {
       NSData *plistData = [self safeSubdataWithRange:NSMakeRange(sect->offset, sect->size)];
       if (!plistData) return nil;
       NSDictionary *plist;
@@ -492,8 +596,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
     NSData *d = [self.fileHandle readDataOfLength:range.length];
     if (d.length != range.length) return nil;
     return d;
-  }
-  @catch (NSException *e) {
+  } @catch (NSException *e) {
     return nil;
   }
 }
@@ -504,7 +607,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 ///  is not the one who downloaded the file.
 ///
 - (NSDictionary *)quarantineData {
-  if (!self.quarantineDict && self.fileOwnerHomeDir) {
+  if (!self.quarantineDict && self.fileOwnerHomeDir && NSURLQuarantinePropertiesKey) {
     self.quarantineDict = (NSDictionary *)[NSNull null];
 
     NSURL *url = [NSURL fileURLWithPath:self.path];
@@ -570,20 +673,15 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 ///
 ///  Return a human-readable string for a cpu_type_t.
 ///
-- (NSString *)nameForCPUType:(cpu_type_t)cpuType {
-  switch (cpuType) {
-    case CPU_TYPE_X86:
-      return @"i386";
-    case CPU_TYPE_X86_64:
-      return @"x86-64";
-    case CPU_TYPE_POWERPC:
-      return @"ppc";
-    case CPU_TYPE_POWERPC64:
-      return @"ppc64";
-    default:
-      return @"unknown";
+- (NSString *)nameForCPUType:(cpu_type_t)cpuType cpuSubType:(cpu_subtype_t)cpuSubType {
+  const NXArchInfo *archInfo = NXGetArchInfoFromCpuType(cpuType, cpuSubType);
+  NSString *arch;
+  if (archInfo && archInfo->name) {
+    arch = @(archInfo->name);
+  } else {
+    arch = [NSString stringWithFormat:@"%i:%i", cpuType, cpuSubType];
   }
-  return nil;
+  return arch;
 }
 
 ///
@@ -608,7 +706,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
   BOOL directory;
   if (![[NSFileManager defaultManager] fileExistsAtPath:path isDirectory:&directory]) {
     return nil;
-  } else if (directory) {
+  } else if (directory && ![path isEqualToString:@"/"]) {
     NSBundle *bndl = [NSBundle bundleWithPath:path];
     if (bundle) *bundle = bndl;
     return [bndl executablePath];
@@ -617,4 +715,18 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
   }
 }
 
+///
+///  Cache and return a MOLCodeSignChecker for the given file.  If there was an error creating the
+///  code sign checker it will be returned in the passed-in error parameter.
+///
+- (MOLCodesignChecker *)codesignCheckerWithError:(NSError **)error {
+  if (!self.cachedCodesignChecker && !self.codesignCheckerError) {
+    NSError *e;
+    self.cachedCodesignChecker = [[MOLCodesignChecker alloc] initWithBinaryPath:self.path error:&e];
+    self.codesignCheckerError = e;
+  }
+  if (error) *error = self.codesignCheckerError;
+  return self.cachedCodesignChecker;
+}
+
 @end

Source/common/SNTFileWatcher.h

@@ -1,34 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-///
-///  Simple file watching class using dispatch sources. Will automatically
-///  reload the watch if the file is deleted and continue watching for
-///  events until deallocated.
-///
-@interface SNTFileWatcher : NSObject
-
-///
-///  Designated initializer
-///  Initializes the watcher and begins watching for modifications.
-///
-///  @param filePath the file to watch.
-///  @param handler the handler to call when changes happen. The argument to the block is the
-///      type of change that happened as a bitmask to be compared with DISPATCH_VNODE_* constants.
-///      The handler is always be called on the main thread.
-///
-- (nonnull instancetype)initWithFilePath:(nonnull NSString *)filePath
-                                 handler:(nonnull void (^)(unsigned long))handler;
-
-@end

Source/common/SNTFileWatcher.m

@@ -1,104 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-#import "SNTFileWatcher.h"
-
-#import "SNTStrengthify.h"
-
-@interface SNTFileWatcher ()
-@property NSString *filePath;
-@property(strong) void (^handler)(unsigned long);
-
-@property dispatch_source_t source;
-@end
-
-@implementation SNTFileWatcher
-
-- (instancetype)init {
-  [self doesNotRecognizeSelector:_cmd];
-  return nil;
-}
-
-- (instancetype)initWithFilePath:(nonnull NSString *)filePath
-                         handler:(nonnull void (^)(unsigned long))handler {
-  self = [super init];
-  if (self) {
-    _filePath = filePath;
-    _handler = handler;
-    [self startWatchingFile];
-  }
-  return self;
-}
-
-- (void)dealloc {
-  [self stopWatchingFile];
-}
-
-- (void)startWatchingFile {
-  dispatch_queue_t queue = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0);
-  int mask = (DISPATCH_VNODE_DELETE | DISPATCH_VNODE_RENAME |
-              DISPATCH_VNODE_WRITE | DISPATCH_VNODE_EXTEND | DISPATCH_VNODE_ATTRIB);
-
-  dispatch_async(queue, ^{
-    int fd = -1;
-    while ((fd = open([self.filePath fileSystemRepresentation], O_EVTONLY)) < 0) {
-      usleep(200000);  // wait 200ms
-    }
-    self.source = dispatch_source_create(DISPATCH_SOURCE_TYPE_VNODE, fd, mask, queue);
-
-    WEAKIFY(self);
-
-    dispatch_source_set_event_handler(self.source, ^{
-      STRONGIFY(self);
-      unsigned long data = dispatch_source_get_data(self.source);
-      dispatch_async(dispatch_get_main_queue(), ^{
-        self.handler(data);
-      });
-      if (data & DISPATCH_VNODE_DELETE || data & DISPATCH_VNODE_RENAME) {
-        [self stopWatchingFile];
-        [self startWatchingFile];
-      }
-    });
-
-    dispatch_source_set_registration_handler(self.source, ^{
-      STRONGIFY(self);
-      dispatch_async(dispatch_get_main_queue(), ^{
-        self.handler(0);
-      });
-    });
-
-    dispatch_source_set_cancel_handler(self.source, ^{
-      STRONGIFY(self);
-      int fd = (int)dispatch_source_get_handle(self.source);
-      if (fd > 0) close(fd);
-    });
-    
-    dispatch_resume(self.source);
-  });
-}
-
-- (void)stopWatchingFile {
-  if (!self.source) return;
-
-  int fd = (int)dispatch_source_get_handle(self.source);
-  dispatch_source_set_event_handler_f(self.source, NULL);
-  dispatch_source_set_cancel_handler(self.source, ^{
-    close(fd);
-  });
-
-  dispatch_source_cancel(self.source);
-  self.source = nil;
-}
-
-@end

Source/common/SNTKernelCommon.h

@@ -28,13 +28,19 @@
 #define USERCLIENT_CLASS "com_google_SantaDriver"
 #define USERCLIENT_ID "com.google.santa-driver"
 
+// Branch prediction
+#define likely(x)   __builtin_expect(!!(x), 1)
+#define unlikely(x) __builtin_expect(!!(x), 0)
+
 // List of methods supported by the driver.
 enum SantaDriverMethods {
   kSantaUserClientOpen,
   kSantaUserClientAllowBinary,
   kSantaUserClientDenyBinary,
+  kSantaUserClientAcknowledgeBinary,
   kSantaUserClientClearCache,
   kSantaUserClientCacheCount,
+  kSantaUserClientCheckCache,
 
   // Any methods supported by the driver should be added above this line to
   // ensure this remains the count of methods.
@@ -58,6 +64,8 @@ typedef enum {
   // RESPONSES
   ACTION_RESPOND_ALLOW = 20,
   ACTION_RESPOND_DENY = 21,
+  ACTION_RESPOND_TOOLONG = 22,
+  ACTION_RESPOND_ACK = 23,
 
   // NOTIFY
   ACTION_NOTIFY_EXEC = 30,

Source/common/SNTLogging.h

@@ -21,17 +21,21 @@
 
 #ifdef KERNEL
 
+#include <IOKit/IOLib.h>
+
 #ifdef DEBUG
-#define LOGD(...) IOLog("D santa-driver: " __VA_ARGS__); IOLog("\n")
+#define LOGD(format, ...) IOLog("D santa-driver: " format "\n", ##__VA_ARGS__);
 #else  // DEBUG
-#define LOGD(...)
+#define LOGD(format, ...)
 #endif  // DEBUG
-#define LOGI(...) IOLog("I santa-driver: " __VA_ARGS__); IOLog("\n")
-#define LOGW(...) IOLog("W santa-driver: " __VA_ARGS__); IOLog("\n")
-#define LOGE(...) IOLog("E santa-driver: " __VA_ARGS__); IOLog("\n")
+#define LOGI(format, ...) IOLog("I santa-driver: " format "\n", ##__VA_ARGS__);
+#define LOGW(format, ...) IOLog("W santa-driver: " format "\n", ##__VA_ARGS__);
+#define LOGE(format, ...) IOLog("E santa-driver: " format "\n", ##__VA_ARGS__);
 
 #else  // KERNEL
 
+#import <Foundation/Foundation.h>
+
 typedef enum : NSUInteger {
   LOG_LEVEL_ERROR,
   LOG_LEVEL_WARN,

Source/common/SNTLogging.m

@@ -29,12 +29,12 @@ void syslogClientDestructor(void *arg) {
 
 void logMessage(LogLevel level, FILE *destination, NSString *format, ...) {
   static BOOL useSyslog = NO;
-  static const char *binaryName;
+  static NSString *binaryName;
   static dispatch_once_t pred;
   static pthread_key_t syslogKey = 0;
 
   dispatch_once(&pred, ^{
-    binaryName = [[[NSProcessInfo processInfo] processName] UTF8String];
+    binaryName = [[NSProcessInfo processInfo] processName];
 
     // If debug logging is enabled, the process must be restarted.
     if ([[[NSProcessInfo processInfo] arguments] containsObject:@"--debug"]) {
@@ -52,7 +52,7 @@ void logMessage(LogLevel level, FILE *destination, NSString *format, ...) {
 
   va_list args;
   va_start(args, format);
-  NSString *s = [[NSString alloc] initWithFormat:format arguments:args];
+  NSMutableString *s = [[NSMutableString alloc] initWithFormat:format arguments:args];
   va_end(args);
 
   if (useSyslog) {
@@ -76,7 +76,7 @@ void logMessage(LogLevel level, FILE *destination, NSString *format, ...) {
         break;
       case LOG_LEVEL_INFO:
         levelName = "I";
-        syslogLevel = ASL_LEVEL_INFO;
+        syslogLevel = ASL_LEVEL_NOTICE; // Maps to ULS Default
         break;
       case LOG_LEVEL_DEBUG:
         levelName = "D";
@@ -84,8 +84,10 @@ void logMessage(LogLevel level, FILE *destination, NSString *format, ...) {
         break;
     }
 
-    asl_log(client, NULL, syslogLevel, "%s %s: %s", levelName, binaryName, [s UTF8String]);
+    asl_log(client, NULL, syslogLevel, "%s %s: %s", levelName, binaryName.UTF8String, s.UTF8String);
   } else {
-    fprintf(destination, "%s\n", [s UTF8String]);
+    [s appendString:@"\n"];
+    size_t len = [s lengthOfBytesUsingEncoding:NSUTF8StringEncoding];
+    fwrite([s UTF8String], len, 1, destination);
   }
 }

Source/common/SNTRule.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Foundation/Foundation.h>
+
 #import "SNTCommonEnums.h"
 
 ///

Source/common/SNTRule.m

@@ -32,6 +32,8 @@
 
 #pragma mark NSSecureCoding
 
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wobjc-literal-conversion"
 #define ENCODE(obj, key) if (obj) [coder encodeObject:obj forKey:key]
 #define DECODE(cls, key) [decoder decodeObjectOfClass:[cls class] forKey:key]
 
@@ -59,6 +61,7 @@
 
 #undef DECODE
 #undef ENCODE
+#pragma clang diagnostic pop
 
 - (BOOL)isEqual:(id)other {
   if (other == self) return YES;

Source/common/SNTStoredEvent.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Foundation/Foundation.h>
+
 #import "SNTCommonEnums.h"
 
 ///
@@ -20,7 +22,7 @@
 @interface SNTStoredEvent : NSObject<NSSecureCoding>
 
 ///
-///  An index for this event, empty unless the event came from the database.
+///  An index for this event, randomly generated during initialization.
 ///
 @property NSNumber *idx;
 
@@ -34,6 +36,28 @@
 ///
 @property NSString *filePath;
 
+///
+///  Set to YES if the event is a part of a bundle. When an event is passed to SantaGUI this propery
+///  will be used as an indicator to to kick off bundle hashing as necessary. Default value is NO.
+///
+@property BOOL needsBundleHash;
+
+///
+///  If the executed file was part of a bundle, this is the calculated hash of all the nested
+///  executables within the bundle.
+///
+@property NSString *fileBundleHash;
+
+///
+///  If the executed file was part of a bundle, this is the time in ms it took to hash the bundle.
+///
+@property NSNumber *fileBundleHashMilliseconds;
+
+///
+///  If the executed file was part of a bundle, this is the total count of related mach-o binaries.
+///
+@property NSNumber *fileBundleBinaryCount;
+
 ///
 ///  If the executed file was part of the bundle, this is the CFBundleDisplayName, if it exists
 ///  or the CFBundleName if not.
@@ -45,6 +69,11 @@
 ///
 @property NSString *fileBundlePath;
 
+///
+///  The relative path to the bundle's main executable.
+///
+@property NSString *fileBundleExecutableRelPath;
+
 ///
 ///  If the executed file was part of the bundle, this is the CFBundleID.
 ///

Source/common/SNTStoredEvent.m

@@ -14,10 +14,13 @@
 
 #import "SNTStoredEvent.h"
 
-#import "MOLCertificate.h"
+#import <MOLCertificate/MOLCertificate.h>
 
 @implementation SNTStoredEvent
 
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wobjc-literal-conversion"
+
 #define ENCODE(obj, key) if (obj) [coder encodeObject:obj forKey:key]
 #define DECODE(cls, key) [decoder decodeObjectOfClass:[cls class] forKey:key]
 #define DECODEARRAY(cls, key) \
@@ -33,8 +36,13 @@
   ENCODE(self.fileSHA256, @"fileSHA256");
   ENCODE(self.filePath, @"filePath");
 
+  ENCODE(@(self.needsBundleHash), @"needsBundleHash");
+  ENCODE(self.fileBundleHash, @"fileBundleHash");
+  ENCODE(self.fileBundleHashMilliseconds, @"fileBundleHashMilliseconds");
+  ENCODE(self.fileBundleBinaryCount, @"fileBundleBinaryCount");
   ENCODE(self.fileBundleName, @"fileBundleName");
   ENCODE(self.fileBundlePath, @"fileBundlePath");
+  ENCODE(self.fileBundleExecutableRelPath, @"fileBundleExecutableRelPath");
   ENCODE(self.fileBundleID, @"fileBundleID");
   ENCODE(self.fileBundleVersion, @"fileBundleVersion");
   ENCODE(self.fileBundleVersionString, @"fileBundleVersionString");
@@ -57,6 +65,14 @@
   ENCODE(self.quarantineAgentBundleID, @"quarantineAgentBundleID");
 }
 
+- (instancetype)init {
+  self = [super init];
+  if (self) {
+    _idx = @(arc4random());
+  }
+  return self;
+}
+
 - (instancetype)initWithCoder:(NSCoder *)decoder {
   self = [super init];
   if (self) {
@@ -64,8 +80,13 @@
     _fileSHA256 = DECODE(NSString, @"fileSHA256");
     _filePath = DECODE(NSString, @"filePath");
 
+    _needsBundleHash = [DECODE(NSNumber, @"needsBundleHash") boolValue];
+    _fileBundleHash = DECODE(NSString, @"fileBundleHash");
+    _fileBundleHashMilliseconds = DECODE(NSNumber, @"fileBundleHashMilliseconds");
+    _fileBundleBinaryCount = DECODE(NSNumber, @"fileBundleBinaryCount");
     _fileBundleName = DECODE(NSString, @"fileBundleName");
     _fileBundlePath = DECODE(NSString, @"fileBundlePath");
+    _fileBundleExecutableRelPath = DECODE(NSString, @"fileBundleExecutableRelPath");
     _fileBundleID = DECODE(NSString, @"fileBundleID");
     _fileBundleVersion = DECODE(NSString, @"fileBundleVersion");
     _fileBundleVersionString = DECODE(NSString, @"fileBundleVersionString");
@@ -111,4 +132,6 @@
       [NSString stringWithFormat:@"SNTStoredEvent[%@] with SHA-256: %@", self.idx, self.fileSHA256];
 }
 
+#pragma clang diagnostic pop
+
 @end

Source/common/SNTSystemInfo.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Foundation/Foundation.h>
+
 ///
 ///  Simple class for fetching system information
 ///

Source/common/SNTXPCBundleServiceInterface.h

@@ -0,0 +1,57 @@
+/// Copyright 2017 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import <Foundation/Foundation.h>
+
+@class SNTStoredEvent;
+
+///  A block that takes the calculated bundle hash, associated events and hashing time in ms.
+typedef void (^SNTBundleHashBlock)(NSString *, NSArray<SNTStoredEvent *> *, NSNumber *);
+
+///  Protocol implemented by santabs and utilized by SantaGUI for bundle hashing
+@protocol SNTBundleServiceXPC
+
+///
+///  @param listener The listener to connect back to the SantaGUI.
+///
+- (void)setBundleNotificationListener:(NSXPCListenerEndpoint *)listener;
+
+///
+///  Hash a bundle for an event. The SNTBundleHashBlock will be called with nil parameters if a
+///  failure or cancellation occurs.
+///
+///  @param event The event that includes the fileBundlePath to be hashed. This method will
+///      attempt to to find and use the ancestor bundle as a starting point.
+///  @param reply A SNTBundleHashBlock to be executed upon completion or cancellation.
+///
+///  @note If there is a current NSProgress when called this method will report back its progress.
+///
+- (void)hashBundleBinariesForEvent:(SNTStoredEvent *)event reply:(SNTBundleHashBlock)reply;
+
+@end
+
+@interface SNTXPCBundleServiceInterface : NSObject
+
+///
+///  Returns an initialized NSXPCInterface for the SNTBundleServiceXPC protocol.
+///  Ensures any methods that accept custom classes as arguments are set-up before returning.
+///
++ (NSXPCInterface *)bundleServiceInterface;
+
+///
+///  Returns the MachService ID for this service.
+///
++ (NSString *)serviceId;
+
+@end

Source/common/SNTXPCBundleServiceInterface.m

@@ -0,0 +1,36 @@
+/// Copyright 2017 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTXPCBundleServiceInterface.h"
+
+#import "SNTStoredEvent.h"
+
+@implementation SNTXPCBundleServiceInterface
+
++ (NSXPCInterface *)bundleServiceInterface {
+  NSXPCInterface *r = [NSXPCInterface interfaceWithProtocol:@protocol(SNTBundleServiceXPC)];
+
+  [r setClasses:[NSSet setWithObjects:[NSArray class], [SNTStoredEvent class], nil]
+        forSelector:@selector(hashBundleBinariesForEvent:reply:)
+      argumentIndex:1
+            ofReply:YES];
+
+  return r;
+}
+
++ (NSString *)serviceId {
+  return @"com.google.santabs";
+}
+
+@end

Source/common/SNTXPCConnection.h

@@ -1,126 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-/**
-  A wrapper around NSXPCListener and NSXPCConnection to provide client multiplexing, signature
-  validation of connecting clients and forced connection establishment.
-
-  Example server started by @c launchd where the @c launchd job has a @c MachServices key:
-
-  @code
-   SNTXPCConnection *conn = [[SNTXPCConnection alloc] initServerWithName:@"MyServer"];
-   conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(MyServerProtocol)];
-   conn.exportedObject = myObject;
-   [conn resume];
-  @endcode
-
-  Example client, connecting to above server:
-
-  @code
-   SNTXPCConnection *conn = [[SNTXPCConnection alloc] initClientWithName:"MyServer"
-                                                             withOptions:0];
-   conn.remoteInterface = [NSXPCInterface interfaceWithProtocol:@protocol(MyServerProtocol)];
-   conn.invalidationHandler = ^{ NSLog(@"Connection invalidated") };
-   [conn resume];
-  @endcode
-
-  The client can send a message to the server with:
-
-  @code
-   [conn.remoteObjectProxy selectorInRemoteInterface];
-  @endcode
- 
-  One advantage of the way that SNTXPCConnection works over using NSXPCConnection directly is that
-  from the client-side once the resume method has finished, the connection is either valid or the
-  invalidation handler will be called. Ordinarily, the connection doesn't actually get made until
-  the first message is sent across it.
- 
-  @note messages are always delivered on a background thread!
-*/
-@interface SNTXPCConnection : NSObject<NSXPCListenerDelegate>
-
-/**
-  Initialize a new server with a given listener, provided by `[NSXPCListener anonymousListener]`.
-*/
-- (nullable instancetype)initServerWithListener:(nonnull NSXPCListener *)listener;
-
-/**
-  Initializer for the 'server' side of the connection, started by launchd.
-
-  @param name MachService name, must match the MachServices key in the launchd.plist
-*/
-- (nullable instancetype)initServerWithName:(nonnull NSString *)name;
-
-/**
-  Initializer a new client to a service exported by a LaunchDaemon.
-
-  @param name MachService name
-  @param privileged Use YES if the server is running as root.
-*/
-- (nullable instancetype)initClientWithName:(nonnull NSString *)name privileged:(BOOL)privileged;
-
-/**
-  Initialize a new client with a listener endpoint sent from another process.
-
-  @param listener An NSXPCListenerEndpoint to connect to.
-*/
-- (nullable instancetype)initClientWithListener:(nonnull NSXPCListenerEndpoint *)listener;
-
-/**
-  Call when the properties of the object have been set-up and you're ready for connections.
- 
-  For clients, this call can take up to 2s to complete for connection to finish establishing though
-  in basically all cases it will actually complete in a few milliseconds.
-*/
-- (void)resume;
-
-/**
-  Invalidate the connection(s). This must be done before the object can be released.
-*/
-- (void)invalidate;
-
-/**
-  The interface the remote object should conform to. (client)
-*/
-@property(retain, nullable) NSXPCInterface *remoteInterface;
-
-/**
-  A proxy to the object at the other end of the connection. (client)
- 
-  @note If the connection to the server failed, this will be nil, so you can safely send messages
-  and rely on the invalidationHandler for handling the failure.
-*/
-@property(readonly, nonatomic, nullable) id remoteObjectProxy;
-
-/**
-  The interface this object exports. (server)
-*/
-@property(retain, nullable) NSXPCInterface *exportedInterface;
-
-/**
-  The object that responds to messages from the other end. (server)
-*/
-@property(retain, nullable) id exportedObject;
-
-/**
-  A block to run when a/the connection is accepted and fully established.
-*/
-@property(copy, nullable) void (^acceptedHandler)(void);
-
-/**
-  A block to run when a/the connection is invalidated/interrupted/rejected.
-*/
-@property(copy, nullable) void (^invalidationHandler)(void);
-
-@end

Source/common/SNTXPCConnection.m

@@ -1,191 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-#import "SNTXPCConnection.h"
-
-#import "MOLCodesignChecker.h"
-
-#import "SNTStrengthify.h"
-
-/**
-  Protocol used during connection establishment, @see SNTXPCConnectionInterface
-*/
-@protocol SNTXPCConnectionProtocol
-- (void)connectWithReply:(void (^)())reply;
-@end
-
-/**
-  Recipient object used during connection establishment. Each incoming connection
-  has one of these objects created which accept the message in the protocol
-  and call the block provided during creation before replying.
-
-  This allows the server to reset the connection's exporteed interface and
-  object to the correct values after the client has sent the establishment message.
-*/
-@interface SNTXPCConnectionInterface : NSObject<SNTXPCConnectionProtocol>
-@property(strong) void (^block)(void);
-@end
-
-@implementation SNTXPCConnectionInterface
-- (void)connectWithReply:(void (^)())reply {
-  if (self.block) self.block();
-  reply();
-}
-@end
-
-@interface SNTXPCConnection ()
-@property NSXPCInterface *validationInterface;
-
-/// The XPC listener (server only).
-@property NSXPCListener *listenerObject;
-
-/// The current connection object (client only).
-@property NSXPCConnection *currentConnection;
-@end
-
-@implementation SNTXPCConnection
-
-#pragma mark Initializers
-
-- (instancetype)initServerWithListener:(NSXPCListener *)listener {
-  self = [super init];
-  if (self) {
-    _listenerObject = listener;
-    _validationInterface =
-        [NSXPCInterface interfaceWithProtocol:@protocol(SNTXPCConnectionProtocol)];
-  }
-  return self;
-}
-
-- (instancetype)initServerWithName:(NSString *)name {
-  return [self initServerWithListener:[[NSXPCListener alloc] initWithMachServiceName:name]];
-}
-
-- (instancetype)initClientWithListener:(NSXPCListenerEndpoint *)listener {
-  self = [super init];
-  if (self) {
-    _currentConnection = [[NSXPCConnection alloc] initWithListenerEndpoint:listener];
-    if (!_currentConnection) return nil;
-    _validationInterface =
-        [NSXPCInterface interfaceWithProtocol:@protocol(SNTXPCConnectionProtocol)];
-  }
-  return self;
-}
-
-- (instancetype)initClientWithName:(NSString *)name privileged:(BOOL)privileged {
-  self = [super init];
-  if (self) {
-    NSXPCConnectionOptions options = (privileged ? NSXPCConnectionPrivileged : 0);
-    _currentConnection = [[NSXPCConnection alloc] initWithMachServiceName:name options:options];
-    if (!_currentConnection) return nil;
-    _validationInterface =
-        [NSXPCInterface interfaceWithProtocol:@protocol(SNTXPCConnectionProtocol)];
-  }
-  return self;
-}
-
-- (instancetype)init {
-  [self doesNotRecognizeSelector:_cmd];
-  return nil;
-}
-
-#pragma mark Connection set-up
-
-- (void)resume {
-  if (self.listenerObject) {
-    self.listenerObject.delegate = self;
-    [self.listenerObject resume];
-  } else {
-    WEAKIFY(self);
-
-    // Set-up the connection with the remote interface set to the validation interface,
-    // send a message to the listener to finish establishing the connection
-    dispatch_semaphore_t sema = dispatch_semaphore_create(0);
-    self.currentConnection.remoteObjectInterface = self.validationInterface;
-    self.currentConnection.interruptionHandler = self.invalidationHandler;
-    self.currentConnection.invalidationHandler = self.invalidationHandler;
-    [self.currentConnection resume];
-    [[self.currentConnection remoteObjectProxy] connectWithReply:^{
-      STRONGIFY(self);
-      // The connection is now established
-      [self.currentConnection suspend];
-      self.currentConnection.remoteObjectInterface = self.remoteInterface;
-      [self.currentConnection resume];
-      dispatch_semaphore_signal(sema);
-      if (self.acceptedHandler) self.acceptedHandler();
-    }];
-    if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 2 * NSEC_PER_SEC))) {
-      // Connection was not established in a reasonable time, invalidate.
-      self.currentConnection.remoteObjectInterface = nil;  // ensure clients don't try to use it.
-      [self.currentConnection invalidate];
-    }
-  }
-}
-
-- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)connection {
-  pid_t pid = connection.processIdentifier;
-  MOLCodesignChecker *otherCS = [[MOLCodesignChecker alloc] initWithPID:pid];
-  if (![otherCS signingInformationMatches:[[MOLCodesignChecker alloc] initWithSelf]]) {
-    return NO;
-  }
-
-  // The client passed the code signature check, now we need to resume the listener and
-  // return YES so that the client can send the connectWithReply message. Once the client does
-  // we reset the connection's exportedInterface and exportedObject.
-  SNTXPCConnectionInterface *ci = [[SNTXPCConnectionInterface alloc] init];
-  WEAKIFY(self);
-  WEAKIFY(connection);
-  ci.block = ^{
-    STRONGIFY(self)
-    STRONGIFY(connection);
-    [connection suspend];
-    connection.invalidationHandler = connection.interruptionHandler = ^{
-      if (self.invalidationHandler) self.invalidationHandler();
-    };
-    connection.exportedInterface = self.exportedInterface;
-    connection.exportedObject = self.exportedObject;
-    [connection resume];
-
-    // The connection is now established.
-    if (self.acceptedHandler) self.acceptedHandler();
-  };
-  connection.exportedInterface = self.validationInterface;
-  connection.exportedObject = ci;
-  [connection resume];
-
-  return YES;
-}
-
-- (id)remoteObjectProxy {
-  if (self.currentConnection.remoteObjectInterface &&
-      self.currentConnection.remoteObjectInterface != self.validationInterface) {
-    return [self.currentConnection remoteObjectProxyWithErrorHandler:^(NSError *error) {
-      [self.currentConnection invalidate];
-    }];
-  }
-  return nil;
-}
-
-#pragma mark Connection tear-down
-
-- (void)invalidate {
-  if (self.currentConnection) {
-    [self.currentConnection invalidate];
-    self.currentConnection = nil;
-  } else if (self.listenerObject) {
-    [self.listenerObject invalidate];
-  }
-}
-
-@end

Source/common/SNTXPCControlInterface.h

@@ -12,11 +12,18 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Foundation/Foundation.h>
+
+#import <MOLCertificate/MOLCertificate.h>
+
+#import "SNTCachedDecision.h"
 #import "SNTCommonEnums.h"
+#import "SNTKernelCommon.h"
+#import "SNTXPCBundleServiceInterface.h"
 
 @class SNTRule;
 @class SNTStoredEvent;
-@class SNTXPCConnection;
+@class MOLXPCConnection;
 
 ///
 ///  Protocol implemented by santad and utilized by santactl
@@ -26,8 +33,9 @@
 ///
 ///  Kernel ops
 ///
-- (void)cacheCount:(void (^)(int64_t))reply;
+- (void)cacheCounts:(void (^)(uint64_t rootCache, uint64_t nonRootCache))reply;
 - (void)flushCache:(void (^)(BOOL))reply;
+- (void)checkCacheForVnodeID:(uint64_t)vnodeID withReply:(void (^)(santa_action_t))reply;
 
 ///
 ///  Database ops
@@ -36,32 +44,66 @@
 - (void)databaseRuleAddRules:(NSArray *)rules
                   cleanSlate:(BOOL)cleanSlate
                        reply:(void (^)(NSError *error))reply;
-
 - (void)databaseEventCount:(void (^)(int64_t count))reply;
-- (void)databaseEventForSHA256:(NSString *)sha256 reply:(void (^)(SNTStoredEvent *))reply;
 - (void)databaseEventsPending:(void (^)(NSArray *events))reply;
 - (void)databaseRemoveEventsWithIDs:(NSArray *)ids;
-- (void)databaseBinaryRuleForSHA256:(NSString *)sha256 reply:(void (^)(SNTRule *))reply;
-- (void)databaseCertificateRuleForSHA256:(NSString *)sha256 reply:(void (^)(SNTRule *))reply;
+- (void)databaseRuleForBinarySHA256:(NSString *)binarySHA256
+                  certificateSHA256:(NSString *)certificateSHA256
+                              reply:(void (^)(SNTRule *))reply;
+///
+///  Decision ops
+///
+
+///
+///  @param filePath A Path to the file, can be nil.
+///  @param fileSHA256 The pre-calculated SHA256 hash for the file, can be nil. If nil the hash will
+///                    be calculated by this method from the filePath.
+///  @param certificateSHA256 A SHA256 hash of the signing certificate, can be nil.
+///  @note If fileInfo and signingCertificate are both passed in, the most specific rule will be
+///        returned. Binary rules take precedence over cert rules.
+///
+- (void)decisionForFilePath:(NSString *)filePath
+                 fileSHA256:(NSString *)fileSHA256
+          certificateSHA256:(NSString *)certificateSHA256
+                      reply:(void (^)(SNTEventState))reply;
 
 ///
 ///  Config ops
 ///
 - (void)watchdogInfo:(void (^)(uint64_t, uint64_t, double, double))reply;
 - (void)clientMode:(void (^)(SNTClientMode))reply;
-- (void)setClientMode:(SNTClientMode)mode reply:(void (^)())reply;
+- (void)setClientMode:(SNTClientMode)mode reply:(void (^)(void))reply;
 - (void)xsrfToken:(void (^)(NSString *))reply;
-- (void)setXsrfToken:(NSString *)token reply:(void (^)())reply;
-- (void)setNextSyncInterval:(uint64_t)seconds reply:(void (^)())reply;
-- (void)setSyncLastSuccess:(NSDate *)date reply:(void (^)())reply;
-- (void)setSyncCleanRequired:(BOOL)cleanReqd reply:(void (^)())reply;
-- (void)setWhitelistPathRegex:(NSString *)pattern reply:(void (^)())reply;
-- (void)setBlacklistPathRegex:(NSString *)pattern reply:(void (^)())reply;
+- (void)setXsrfToken:(NSString *)token reply:(void (^)(void))reply;
+- (void)fullSyncLastSuccess:(void (^)(NSDate *))reply;
+- (void)setFullSyncLastSuccess:(NSDate *)date reply:(void (^)(void))reply;
+- (void)ruleSyncLastSuccess:(void (^)(NSDate *))reply;
+- (void)setRuleSyncLastSuccess:(NSDate *)date reply:(void (^)(void))reply;
+- (void)syncCleanRequired:(void (^)(BOOL))reply;
+- (void)setSyncCleanRequired:(BOOL)cleanReqd reply:(void (^)(void))reply;
+- (void)setWhitelistPathRegex:(NSString *)pattern reply:(void (^)(void))reply;
+- (void)setBlacklistPathRegex:(NSString *)pattern reply:(void (^)(void))reply;
+- (void)bundlesEnabled:(void (^)(BOOL))reply;
+- (void)setBundlesEnabled:(BOOL)bundlesEnabled reply:(void (^)(void))reply;
 
 ///
 ///  GUI Ops
 ///
 - (void)setNotificationListener:(NSXPCListenerEndpoint *)listener;
+- (void)setBundleNotificationListener:(NSXPCListenerEndpoint *)listener;
+
+///
+///  Syncd Ops
+///
+- (void)setSyncdListener:(NSXPCListenerEndpoint *)listener;
+- (void)pushNotifications:(void (^)(BOOL))reply;
+- (void)postRuleSyncNotificationWithCustomMessage:(NSString *)message reply:(void (^)(void))reply;
+
+///
+///  Bundle Ops
+///
+- (void)hashBundleBinariesForEvent:(SNTStoredEvent *)event reply:(SNTBundleHashBlock)reply;
+- (void)syncBundleEvent:(SNTStoredEvent *)event relatedEvents:(NSArray<SNTStoredEvent *> *)events;
 
 @end
 
@@ -79,9 +121,9 @@
 + (NSXPCInterface *)controlInterface;
 
 ///
-///  Retrieve a pre-configured SNTXPCConnection for communicating with santad.
+///  Retrieve a pre-configured MOLXPCConnection for communicating with santad.
 ///  Connections just needs any handlers set and then can be resumed and used.
 ///
-+ (SNTXPCConnection *)configuredConnection;
++ (MOLXPCConnection *)configuredConnection;
 
 @end

Source/common/SNTXPCControlInterface.m

@@ -14,9 +14,10 @@
 
 #import "SNTXPCControlInterface.h"
 
+#import <MOLXPCConnection/MOLXPCConnection.h>
+
 #import "SNTRule.h"
 #import "SNTStoredEvent.h"
-#import "SNTXPCConnection.h"
 
 @implementation SNTXPCControlInterface
 
@@ -37,11 +38,21 @@
       argumentIndex:0
             ofReply:NO];
 
+  [r setClasses:[NSSet setWithObjects:[NSArray class], [SNTStoredEvent class], nil]
+        forSelector:@selector(hashBundleBinariesForEvent:reply:)
+      argumentIndex:1
+            ofReply:YES];
+
+  [r setClasses:[NSSet setWithObjects:[NSArray class], [SNTStoredEvent class], nil]
+        forSelector:@selector(syncBundleEvent:relatedEvents:)
+      argumentIndex:1
+            ofReply:NO];
+
   return r;
 }
 
-+ (SNTXPCConnection *)configuredConnection {
-  SNTXPCConnection *c = [[SNTXPCConnection alloc] initClientWithName:[self serviceId]
++ (MOLXPCConnection *)configuredConnection {
+  MOLXPCConnection *c = [[MOLXPCConnection alloc] initClientWithName:[self serviceId]
                                                           privileged:YES];
   c.remoteInterface = [self controlInterface];
   return c;

Source/common/SNTXPCNotifierInterface.h

@@ -12,7 +12,10 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Foundation/Foundation.h>
+
 #import "SNTCommonEnums.h"
+#import "SNTXPCBundleServiceInterface.h"
 
 @class SNTStoredEvent;
 
@@ -20,6 +23,17 @@
 @protocol SNTNotifierXPC
 - (void)postBlockNotification:(SNTStoredEvent *)event withCustomMessage:(NSString *)message;
 - (void)postClientModeNotification:(SNTClientMode)clientmode;
+- (void)postRuleSyncNotificationWithCustomMessage:(NSString *)message;
+@end
+
+/// Protocol implemented by SantaGUI and utilized by santabs
+@protocol SNTBundleNotifierXPC
+- (void)updateCountsForEvent:(SNTStoredEvent *)event
+                 binaryCount:(uint64_t)binaryCount
+                   fileCount:(uint64_t)fileCount
+                 hashedCount:(uint64_t)hashedCount;
+
+- (void)setBundleServiceListener:(NSXPCListenerEndpoint *)listener;
 @end
 
 @interface SNTXPCNotifierInterface : NSObject
@@ -30,4 +44,10 @@
 ///
 + (NSXPCInterface *)notifierInterface;
 
+///
+///  @return an initialized NSXPCInterface for the SNTBundleNotifierXPC protocol.
+///  Ensures any methods that accept custom classes as arguments are set-up before returning
+///
++ (NSXPCInterface *)bundleNotifierInterface;
+
 @end

Source/common/SNTXPCNotifierInterface.m

@@ -20,4 +20,8 @@
   return [NSXPCInterface interfaceWithProtocol:@protocol(SNTNotifierXPC)];
 }
 
++ (NSXPCInterface *)bundleNotifierInterface {
+  return [NSXPCInterface interfaceWithProtocol:@protocol(SNTBundleNotifierXPC)];
+}
+
 @end

Source/common/SNTXPCSyncdInterface.h

@@ -0,0 +1,37 @@
+/// Copyright 2016 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import <Foundation/Foundation.h>
+
+#import "SNTCommonEnums.h"
+
+@class SNTStoredEvent;
+
+/// Protocol implemented by santactl and utilized by santad
+@protocol SNTSyncdXPC
+- (void)postEventsToSyncServer:(NSArray<SNTStoredEvent *> *)events isFromBundle:(BOOL)isFromBundle;
+- (void)postBundleEventToSyncServer:(SNTStoredEvent *)event
+                              reply:(void (^)(SNTBundleEventAction))reply;
+- (void)isFCMListening:(void (^)(BOOL))reply;
+@end
+
+@interface SNTXPCSyncdInterface : NSObject
+
+///
+///  Returns an initialized NSXPCInterface for the SNTSyncdXPC protocol.
+///  Ensures any methods that accept custom classes as arguments are set-up before returning
+///
++ (NSXPCInterface *)syncdInterface;
+
+@end

Source/common/SNTXPCSyncdInterface.m

@@ -1,4 +1,4 @@
-/// Copyright 2015 Google Inc. All rights reserved.
+/// Copyright 2016 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -12,22 +12,21 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTKernelCommon.h"
+#import "SNTXPCSyncdInterface.h"
 
-@class SNTCachedDecision;
+#import "SNTStoredEvent.h"
 
-///
-///  Logs execution and file write events to syslog
-///
-@interface SNTEventLog : NSObject
+@implementation SNTXPCSyncdInterface
 
-- (void)logDiskAppeared:(NSDictionary *)diskProperties;
-- (void)logDiskDisappeared:(NSDictionary *)diskProperties;
++ (NSXPCInterface *)syncdInterface {
+  NSXPCInterface *r = [NSXPCInterface interfaceWithProtocol:@protocol(SNTSyncdXPC)];
 
-- (void)logFileModification:(santa_message_t)message;
+  [r setClasses:[NSSet setWithObjects:[NSArray class], [SNTStoredEvent class], nil]
+        forSelector:@selector(postEventsToSyncServer:isFromBundle:)
+      argumentIndex:0
+            ofReply:NO];
 
-- (void)saveDecisionDetails:(SNTCachedDecision *)cd;
-- (void)logDeniedExecution:(SNTCachedDecision *)cd withMessage:(santa_message_t)message;
-- (void)logAllowedExecution:(santa_message_t)message;
+  return r;
+}
 
 @end

Source/santa-driver/SantaCache.h

@@ -0,0 +1,301 @@
+/// Copyright 2016 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#ifndef SANTA__SANTA_DRIVER__SANTACACHE_H
+#define SANTA__SANTA_DRIVER__SANTACACHE_H
+
+#include <libkern/OSAtomic.h>
+#include <libkern/OSTypes.h>
+#include <stdint.h>
+#include <sys/cdefs.h>
+
+#include "SNTKernelCommon.h"
+
+#ifdef KERNEL
+#include <IOKit/IOLib.h>
+#else // KERNEL
+// Support for unit testing.
+#include <cstdio>
+#include <cstdlib>
+#include <cstring>
+#define panic(args...) printf(args); printf("\n"); abort()
+#define IOMalloc malloc
+#define IOMallocAligned(sz, alignment) malloc(sz);
+#define IOFree(addr, sz) free(addr)
+#define IOFreeAligned(addr, sz) free(addr)
+#define OSTestAndSet OSAtomicTestAndSet
+#define OSTestAndClear(bit, addr) OSAtomicTestAndClear(bit, addr) == 0
+#define OSIncrementAtomic(addr) OSAtomicIncrement64((volatile int64_t *)addr)
+#define OSDecrementAtomic(addr) OSAtomicDecrement64((volatile int64_t *)addr)
+#endif // KERNEL
+
+/**
+  A somewhat simple, concurrent linked-list hash table intended for use in IOKit kernel extensions.
+  Maps 64-bit unsigned integer keys to values.
+
+  Enforces a maximum size by clearing all entries if a new value
+  is added that would go over the maximum size declared at creation.
+
+  The number of buckets is calculated as `maximum_size` / `per_bucket`
+  rounded up to the next power of 2. Locking is done per-bucket.
+*/
+template<class T> class SantaCache {
+ public:
+  /**
+    Initialize a newly created cache.
+
+    @param maximum_size The maximum number of entries in this cache. Once this
+        number is reached all the entries will be purged.
+    @param per_bucket The target number of entries in each bucket when cache is full.
+        A higher number will result in better performance but higher memory usage.
+        Cannot be higher than 64 to try and ensure buckets don't overflow.
+  */
+  SantaCache(uint64_t maximum_size = 10000, uint8_t per_bucket = 5) {
+    if (unlikely(per_bucket < 1)) per_bucket = 1;
+    if (unlikely(per_bucket > 64)) per_bucket = 64;
+    max_size_ = maximum_size;
+    bucket_count_ = 1 << (32 - __builtin_clz(
+        ((uint32_t)max_size_ / per_bucket) - 1));
+    buckets_ = (struct bucket *)IOMalloc(bucket_count_ * sizeof(struct bucket));
+    bzero(buckets_, bucket_count_ * sizeof(struct bucket));
+  }
+
+  /**
+    Clear and free memory
+  */
+  ~SantaCache() {
+    clear();
+    IOFree(buckets_, bucket_count_ * sizeof(struct bucket));
+  }
+
+  /**
+    Get an element from the cache. Returns zero_ if item doesn't exist.
+  */
+  T get(uint64_t key) {
+    struct bucket *bucket = &buckets_[hash(key)];
+    lock(bucket);
+    struct entry *entry = (struct entry *)((uintptr_t)bucket->head - 1);
+    while (entry != nullptr) {
+      if (entry->key == key) {
+        T val = entry->value;
+        unlock(bucket);
+        return val;
+      }
+      entry = entry->next;
+    }
+    unlock(bucket);
+    return zero_;
+  }
+
+  /**
+    Set an element in the cache.
+
+    @note If the cache is full when this is called, this will
+          empty the cache before inserting the new value.
+
+    @param key, The key
+    @param value, The value with parameterized type
+    @param previous_value, If the has_prev_value parameter is true the new
+        value will only be set if this parameter is equal to the provided value.
+        This allows set to become a CAS operation.
+    @param has_prev_value, Pass true if previous_value should be used.
+
+    @return the previous value (which may be zero_)
+  */
+  T set(uint64_t key, T value, T previous_value, bool has_prev_value) {
+    struct bucket *bucket = &buckets_[hash(key)];
+    lock(bucket);
+    struct entry *entry = (struct entry *)((uintptr_t)bucket->head - 1);
+    struct entry *previous_entry = nullptr;
+    while (entry != nullptr) {
+      if (entry->key == key) {
+        T existing_value = entry->value;
+
+        if (has_prev_value && previous_value != existing_value) {
+          unlock(bucket);
+          return existing_value;
+        }
+
+        entry->value = value;
+
+        if (value == zero_) {
+          if (previous_entry != nullptr) {
+            previous_entry->next = entry->next;
+          } else {
+            bucket->head = (struct entry *)((uintptr_t)entry->next + 1);
+          }
+          IOFreeAligned(entry, sizeof(struct entry));
+          OSDecrementAtomic(&count_);
+        }
+
+        unlock(bucket);
+        return existing_value;
+      }
+      previous_entry = entry;
+      entry = entry->next;
+    }
+
+    // If value is zero_, we're clearing but there's nothing to clear
+    // so we don't need to do anything else. Alternatively, if has_prev_value
+    // is true and is not zero_ we don't want to set a value.
+    if (value == zero_ || (has_prev_value && previous_value != zero_)) {
+      unlock(bucket);
+      return zero_;
+    }
+
+    // Check that adding this new item won't take the cache
+    // over its maximum size.
+    if (count_ + 1 > max_size_) {
+      unlock(bucket);
+      lock(&clear_bucket_);
+      // Check again in case clear has already run while waiting for lock
+      if (count_ + 1 > max_size_) {
+        clear();
+      }
+      lock(bucket);
+      unlock(&clear_bucket_);
+    }
+
+    // Allocate a new entry, set the key and value, then put this new entry at
+    // the head of this bucket's linked list.
+    struct entry *new_entry = (struct entry *)IOMallocAligned(
+        sizeof(struct entry), 2);
+    new_entry->key = key;
+    new_entry->value = value;
+    new_entry->next = (struct entry *)((uintptr_t)bucket->head - 1);
+    bucket->head = (struct entry *)((uintptr_t)new_entry + 1);
+    OSIncrementAtomic(&count_);
+
+    unlock(bucket);
+    return zero_;
+  }
+
+  /**
+    Overload to allow setting without providing a previous value
+  */
+  T set(uint64_t key, T value) {
+    return set(key, value, {}, false);
+  }
+
+  /**
+    Overload to allow setting while providing a previous value
+  */
+  T set(uint64_t key, T value, T previous_value) {
+    return set(key, value, previous_value, true);
+  }
+
+  /**
+    An alias for `set(key, zero_)`
+  */
+  inline void remove(uint64_t key) {
+    set(key, zero_);
+  }
+
+  /**
+    Remove all entries and free bucket memory.
+  */
+  void clear() {
+    for (uint32_t i = 0; i < bucket_count_; ++i) {
+      struct bucket *bucket = &buckets_[i];
+      // We grab the lock so nothing can use this bucket while we're erasing it
+      // and never release it. It'll be 'released' when the bzero call happens
+      // at the end of this function.
+      lock(bucket);
+
+      // Free the bucket's entries, if there are any.
+      struct entry *entry = (struct entry *)((uintptr_t)bucket->head - 1);
+      while (entry != nullptr) {
+        struct entry *next_entry = entry->next;
+        IOFreeAligned(entry, sizeof(struct entry));
+        entry = next_entry;
+      }
+    }
+
+    // Reset cache count, no atomicity needed as we hold all the bucket locks.
+    count_ = 0;
+
+    // This resets all of the bucket counts and locks. Releasing the locks for
+    // each bucket isn't really atomic here but each bucket will be zero'd
+    // before the lock is released as the lock is the last thing in a bucket.
+    bzero(buckets_, bucket_count_ * sizeof(struct bucket));
+  }
+
+  /**
+    Return number of entries currently in cache.
+  */
+  inline uint64_t count() const {
+    return count_;
+  }
+
+ private:
+  struct entry {
+    uint64_t key;
+    T value;
+    struct entry *next;
+  };
+
+  struct bucket {
+    // The least significant bit of this pointer is always 0 (due to alignment),
+    // so we utilize that bit as the lock for the bucket.
+    struct entry *head;
+  };
+
+  /**
+    Lock a bucket. Spins until the lock is acquired.
+  */
+  inline void lock(struct bucket *bucket) const {
+    while (OSTestAndSet(7, (volatile uint8_t *)&bucket->head));
+  }
+
+  /**
+    Unlock a bucket. Panics if the lock wasn't locked.
+  */
+  inline void unlock(struct bucket *bucket) const {
+    if (unlikely(OSTestAndClear(7, (volatile uint8_t *)&bucket->head))) {
+      panic("SantaCache::unlock(): Tried to unlock an unlocked lock");
+    }
+  }
+
+  uint64_t count_ = 0;
+
+  uint64_t max_size_;
+  uint32_t bucket_count_;
+
+  struct bucket *buckets_;
+
+  /**
+    Holder for a 'zero' entry for the current type
+  */
+  const T zero_ = {};
+
+  /**
+    Special bucket used when automatically clearing due to size
+    to prevent two threads trying to clear at the same time and
+    getting stuck.
+  */
+  struct bucket clear_bucket_ = {};
+
+  /**
+    Hash a key to determine which bucket it belongs in.
+
+    Multiplicative hash using a prime near to the golden ratio, per Knuth.
+    This seems to have good bucket distribution generally and for the range of
+    values we expect to see.
+  */
+  inline uint64_t hash(uint64_t input) const {
+    return (input * 11400714819323198549ul) % bucket_count_;
+  }
+};
+
+#endif // SANTA__SANTA_DRIVER__SANTACACHE_H

Source/santa-driver/SantaCachedDecision.h

@@ -1,44 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-#ifndef SANTA__SANTA_DRIVER__SANTACACHEDDECISION_H
-#define SANTA__SANTA_DRIVER__SANTACACHEDDECISION_H
-
-#include <libkern/c++/OSObject.h>
-
-#include "SNTKernelCommon.h"
-
-///
-///  An OSObject subclass to store a @c santa_action_t and a timestamp.
-///  Only OSObject subclasses can be inserted into an OSDictionary.
-///
-class SantaCachedDecision : public OSObject {
-  OSDeclareDefaultStructors(SantaCachedDecision)
-
- public:
-  // Returns the time the action was last set.
-  uint64_t getMicrosecs() const;
-
-  // Returns the set action.
-  santa_action_t getAction() const;
-
-  // Sets the acion and receive time.
-  void setAction(const santa_action_t action, const uint64_t microsecs);
-
- private:
-  santa_action_t action_;
-  uint64_t microsecs_;
-};
-
-#endif  // SANTA__SANTA_DRIVER__SANTACACHEDDECISIONWRAPPER_H

Source/santa-driver/SantaDecisionManager.cc

@@ -24,40 +24,36 @@ bool SantaDecisionManager::init() {
 
   sdm_lock_grp_attr_ = lck_grp_attr_alloc_init();
   sdm_lock_grp_ = lck_grp_alloc_init("santa-locks", sdm_lock_grp_attr_);
-
   sdm_lock_attr_ = lck_attr_alloc_init();
 
   decision_dataqueue_lock_ = lck_mtx_alloc_init(sdm_lock_grp_, sdm_lock_attr_);
   log_dataqueue_lock_ = lck_mtx_alloc_init(sdm_lock_grp_, sdm_lock_attr_);
-  cached_decisions_lock_ = lck_rw_alloc_init(sdm_lock_grp_, sdm_lock_attr_);
-  vnode_pid_map_lock_ = lck_rw_alloc_init(sdm_lock_grp_, sdm_lock_attr_);
 
-  cached_decisions_ = OSDictionary::withCapacity(1000);
-  vnode_pid_map_ = OSDictionary::withCapacity(1000);
+  root_decision_cache_ = new SantaCache<uint64_t>(5000, 2);
+  non_root_decision_cache_ = new SantaCache<uint64_t>(500, 2);
+  vnode_pid_map_ = new SantaCache<uint64_t>(2000, 5);
 
-  decision_dataqueue_ = IOSharedDataQueue::withEntries(kMaxDecisionQueueEvents,
-                                                       sizeof(santa_message_t));
+  decision_dataqueue_ = IOSharedDataQueue::withEntries(
+      kMaxDecisionQueueEvents, sizeof(santa_message_t));
   if (!decision_dataqueue_) return kIOReturnNoMemory;
 
-  log_dataqueue_ = IOSharedDataQueue::withEntries(kMaxLogQueueEvents,
-                                                  sizeof(santa_message_t));
+  log_dataqueue_ = IOSharedDataQueue::withEntries(
+      kMaxLogQueueEvents, sizeof(santa_message_t));
   if (!log_dataqueue_) return kIOReturnNoMemory;
 
   client_pid_ = 0;
+  root_fsid_ = 0;
+
+  ts_ = { .tv_sec = kRequestLoopSleepMilliseconds / 1000,
+          .tv_nsec = kRequestLoopSleepMilliseconds % 1000 * 1000000 };
 
   return true;
 }
 
 void SantaDecisionManager::free() {
-  if (cached_decisions_lock_) {
-    lck_rw_free(cached_decisions_lock_, sdm_lock_grp_);
-    cached_decisions_lock_ = nullptr;
-  }
-
-  if (vnode_pid_map_lock_) {
-    lck_rw_free(vnode_pid_map_lock_, sdm_lock_grp_);
-    vnode_pid_map_lock_ = nullptr;
-  }
+  delete root_decision_cache_;
+  delete non_root_decision_cache_;
+  delete vnode_pid_map_;
 
   if (decision_dataqueue_lock_) {
     lck_mtx_free(decision_dataqueue_lock_, sdm_lock_grp_);
@@ -86,8 +82,6 @@ void SantaDecisionManager::free() {
 
   OSSafeReleaseNULL(decision_dataqueue_);
   OSSafeReleaseNULL(log_dataqueue_);
-  OSSafeReleaseNULL(cached_decisions_);
-  OSSafeReleaseNULL(vnode_pid_map_);
 
   super::free();
 }
@@ -97,12 +91,23 @@ void SantaDecisionManager::free() {
 void SantaDecisionManager::ConnectClient(pid_t pid) {
   if (!pid) return;
 
+  client_pid_ = pid;
+
+  // Determine root fsid
+  vfs_context_t ctx = vfs_context_create(NULL);
+  if (ctx) {
+    vnode_t root = vfs_rootvnode();
+    if (root) {
+      root_fsid_ = GetVnodeIDForVnode(ctx, root) >> 32;
+      vnode_put(root);
+    }
+    vfs_context_rele(ctx);
+  }
+
   // Any decisions made while the daemon wasn't
   // connected should be cleared
   ClearCache();
 
-  client_pid_ = pid;
-
   failed_decision_queue_requests_ = 0;
   failed_log_queue_requests_ = 0;
 }
@@ -136,6 +141,7 @@ void SantaDecisionManager::DisconnectClient(bool itDied) {
 }
 
 bool SantaDecisionManager::ClientConnected() const {
+  if (client_pid_ <= 0) return false;
   auto p = proc_find(client_pid_);
   auto is_exiting = false;
   if (p) {
@@ -168,14 +174,13 @@ IOMemoryDescriptor *SantaDecisionManager::GetLogMemoryDescriptor() const {
 #pragma mark Listener Control
 
 kern_return_t SantaDecisionManager::StartListener() {
-  vnode_listener_ = kauth_listen_scope(KAUTH_SCOPE_VNODE,
-                                       vnode_scope_callback,
-                                       reinterpret_cast<void *>(this));
+  vnode_listener_ = kauth_listen_scope(
+      KAUTH_SCOPE_VNODE, vnode_scope_callback, reinterpret_cast<void *>(this));
   if (!vnode_listener_) return kIOReturnInternalError;
 
-  fileop_listener_ = kauth_listen_scope(KAUTH_SCOPE_FILEOP,
-                                        fileop_scope_callback,
-                                        reinterpret_cast<void *>(this));
+  fileop_listener_ = kauth_listen_scope(
+      KAUTH_SCOPE_FILEOP, fileop_scope_callback,
+      reinterpret_cast<void *>(this));
   if (!fileop_listener_) return kIOReturnInternalError;
 
   LOGD("Listeners started.");
@@ -205,100 +210,87 @@ kern_return_t SantaDecisionManager::StopListener() {
 
 #pragma mark Cache Management
 
+/**
+  Return the correct cache for a given identifier.
+
+  @param identifier The identifier
+  @return SantaCache* The cache to use
+*/
+SantaCache<uint64_t>* SantaDecisionManager::CacheForIdentifier(
+    const uint64_t identifier) {
+  return (identifier >> 32 == root_fsid_) ?
+    root_decision_cache_ : non_root_decision_cache_;
+}
+
 void SantaDecisionManager::AddToCache(
-    const char *identifier, santa_action_t decision, uint64_t microsecs) {
-  if (cached_decisions_->getCount() > kMaxCacheSize) {
-    // This could be made a _lot_ smarter, say only removing entries older
-    // than a certain time period. However, with a kMaxCacheSize set
-    // sufficiently large and a kMaxAllowCacheTimeMilliseconds set
-    // sufficiently low, this should only ever occur if someone is purposefully
-    // trying to make the cache grow.
-    LOGI("Cache too large, flushing.");
-    ClearCache();
+    uint64_t identifier, santa_action_t decision, uint64_t microsecs) {
+  // Decision is stored in upper 8 bits, timestamp in remaining 56.
+  uint64_t val = ((uint64_t)decision << 56) | (microsecs & 0xFFFFFFFFFFFFFF);
+
+  auto decision_cache = CacheForIdentifier(identifier);
+
+  switch (decision) {
+    case ACTION_REQUEST_BINARY:
+      decision_cache->set(identifier, val, 0);
+      break;
+    case ACTION_RESPOND_ACK:
+      decision_cache->set(identifier, val, ((uint64_t)ACTION_REQUEST_BINARY << 56));
+      break;
+    case ACTION_RESPOND_ALLOW:
+    case ACTION_RESPOND_DENY:
+      // TODO(bur): Avoid calling set() twice, finding and locking buckets is fast, but not free.
+      if (decision_cache->set(identifier, val, ((uint64_t)ACTION_REQUEST_BINARY << 56))) {
+        decision_cache->set(identifier, val, ((uint64_t)ACTION_RESPOND_ACK << 56));
+      }
+      break;
+    default:
+      break;
   }
 
-  if (decision == ACTION_REQUEST_BINARY) {
-    auto pending = new SantaCachedDecision();
-    pending->setAction(ACTION_REQUEST_BINARY, 0);
-    lck_rw_lock_exclusive(cached_decisions_lock_);
-    cached_decisions_->setObject(identifier, pending);
-    lck_rw_unlock_exclusive(cached_decisions_lock_);
-    pending->release();  // it was retained when added to the dictionary
-  } else {
-    lck_rw_lock_exclusive(cached_decisions_lock_);
-    auto pending = OSDynamicCast(
-        SantaCachedDecision, cached_decisions_->getObject(identifier));
-    if (pending) {
-      pending->setAction(decision, microsecs);
-    }
-    lck_rw_unlock_exclusive(cached_decisions_lock_);
-  }
+  wakeup((void *)identifier);
 }
 
-void SantaDecisionManager::CacheCheck(const char *identifier) {
-  lck_rw_lock_shared(cached_decisions_lock_);
-  auto shouldInvalidate = (cached_decisions_->getObject(identifier) != nullptr);
-  if (shouldInvalidate) {
-    if (!lck_rw_lock_shared_to_exclusive(cached_decisions_lock_)) {
-      // shared_to_exclusive will return false if a previous reader upgraded
-      // and if that happens the lock will have been unlocked. If that happens,
-      // which is rare, relock exclusively.
-      lck_rw_lock_exclusive(cached_decisions_lock_);
-    }
-    cached_decisions_->removeObject(identifier);
-    lck_rw_unlock_exclusive(cached_decisions_lock_);
-  } else {
-    lck_rw_unlock_shared(cached_decisions_lock_);
-  }
+void SantaDecisionManager::RemoveFromCache(uint64_t identifier) {
+  CacheForIdentifier(identifier)->remove(identifier);
+  if (unlikely(!identifier)) return;
+  wakeup((void *)identifier);
 }
 
-uint64_t SantaDecisionManager::CacheCount() const {
-  return cached_decisions_->getCount();
+uint64_t SantaDecisionManager::RootCacheCount() const {
+  return root_decision_cache_->count();
 }
 
-void SantaDecisionManager::ClearCache() {
-  lck_rw_lock_exclusive(cached_decisions_lock_);
-  cached_decisions_->flushCollection();
-  lck_rw_unlock_exclusive(cached_decisions_lock_);
+uint64_t SantaDecisionManager::NonRootCacheCount() const {
+  return non_root_decision_cache_->count();
+}
+
+void SantaDecisionManager::ClearCache(bool non_root_only) {
+  if (!non_root_only) root_decision_cache_->clear();
+  non_root_decision_cache_->clear();
 }
 
 #pragma mark Decision Fetching
 
-santa_action_t SantaDecisionManager::GetFromCache(const char *identifier) {
+santa_action_t SantaDecisionManager::GetFromCache(uint64_t identifier) {
   auto result = ACTION_UNSET;
   uint64_t decision_time = 0;
 
-  lck_rw_lock_shared(cached_decisions_lock_);
-  SantaCachedDecision *cached_decision = OSDynamicCast(
-      SantaCachedDecision, cached_decisions_->getObject(identifier));
-  if (cached_decision) {
-    result = cached_decision->getAction();
-    decision_time = cached_decision->getMicrosecs();
-  }
-  lck_rw_unlock_shared(cached_decisions_lock_);
+  auto decision_cache = CacheForIdentifier(identifier);
+
+  uint64_t cache_val = decision_cache->get(identifier);
+  if (cache_val == 0) return result;
+
+  // Decision is stored in upper 8 bits, timestamp in remaining 56.
+  result = (santa_action_t)(cache_val >> 56);
+  decision_time = (cache_val & ~(0xFF00000000000000));
 
   if (RESPONSE_VALID(result)) {
-    auto diff_time = GetCurrentUptime();
-
-    if (result == ACTION_RESPOND_ALLOW) {
-      if ((kMaxAllowCacheTimeMilliseconds * 1000) > diff_time) {
-        diff_time = 0;
-      } else {
-        diff_time -= (kMaxAllowCacheTimeMilliseconds * 1000);
+    if (result == ACTION_RESPOND_DENY) {
+      auto expiry_time = decision_time + (kMaxDenyCacheTimeMilliseconds * 1000);
+      if (expiry_time < GetCurrentUptime()) {
+        decision_cache->remove(identifier);
+        return ACTION_UNSET;
       }
-    } else if (result == ACTION_RESPOND_DENY) {
-      if ((kMaxDenyCacheTimeMilliseconds * 1000) > diff_time) {
-        diff_time = 0;
-      } else {
-        diff_time -= (kMaxDenyCacheTimeMilliseconds * 1000);
-      }
-    }
-
-    if (decision_time < diff_time) {
-      lck_rw_lock_exclusive(cached_decisions_lock_);
-      cached_decisions_->removeObject(identifier);
-      lck_rw_unlock_exclusive(cached_decisions_lock_);
-      return ACTION_UNSET;
     }
   }
 
@@ -306,63 +298,89 @@ santa_action_t SantaDecisionManager::GetFromCache(const char *identifier) {
 }
 
 santa_action_t SantaDecisionManager::GetFromDaemon(
-    santa_message_t *message, const char *vnode_id_str) {
+    santa_message_t *message, uint64_t identifier) {
   auto return_action = ACTION_UNSET;
 
+#ifdef DEBUG
+  clock_sec_t secs = 0;
+  clock_usec_t microsecs = 0;
+  clock_get_system_microtime(&secs, &microsecs);
+  uint64_t uptime = (secs * 1000000) + microsecs;
+#endif
+
   // Wait for the daemon to respond or die.
   do {
-    // Add pending request to cache.
-    AddToCache(vnode_id_str, ACTION_REQUEST_BINARY, 0);
+    // Add pending request to cache, to be replaced
+    // by daemon with actual response.
+    AddToCache(identifier, ACTION_REQUEST_BINARY, 0);
 
-    // Send request to daemon...
+    // Send request to daemon.
     if (!PostToDecisionQueue(message)) {
-      OSIncrementAtomic(&failed_decision_queue_requests_);
-      if (failed_decision_queue_requests_ > kMaxDecisionQueueFailures) {
-        LOGE("Failed to queue more than %d requests, killing daemon",
-             kMaxDecisionQueueFailures);
-        proc_signal(client_pid_, SIGKILL);
-        client_pid_ = 0;
-      }
       LOGE("Failed to queue request for %s.", message->path);
-      CacheCheck(vnode_id_str);
+      RemoveFromCache(identifier);
       return ACTION_ERROR;
     }
 
+    // Check the cache every kRequestLoopSleepMilliseconds. Break this loop and send the request
+    // again if kRequestCacheChecks is reached. Don't break the loop if the daemon is working on the
+    // request, indicated with ACTION_RESPOND_ACK.
+    auto cache_check_count = 0;
     do {
-      IOSleep(kRequestLoopSleepMilliseconds);
-      return_action = GetFromCache(vnode_id_str);
-    } while (return_action == ACTION_REQUEST_BINARY && ClientConnected());
+      msleep((void *)message->vnode_id, NULL, 0, "", &ts_);
+      return_action = GetFromCache(identifier);
+    } while (ClientConnected() &&
+             ((return_action == ACTION_REQUEST_BINARY && ++cache_check_count < kRequestCacheChecks)
+             || (return_action == ACTION_RESPOND_ACK)));
   } while (!RESPONSE_VALID(return_action) && ClientConnected());
 
   // If response is still not valid, the daemon exited
   if (!RESPONSE_VALID(return_action)) {
     LOGE("Daemon process did not respond correctly. Allowing executions "
          "until it comes back. Executable path: %s", message->path);
-    CacheCheck(vnode_id_str);
+    RemoveFromCache(identifier);
     return ACTION_ERROR;
   }
 
+#ifdef DEBUG
+  clock_get_system_microtime(&secs, &microsecs);
+  LOGD("Decision time: %4lldms (%s)",
+       (((secs * 1000000) + microsecs) - uptime) / 1000, message->path);
+#endif
+
   return return_action;
 }
 
 santa_action_t SantaDecisionManager::FetchDecision(
     const kauth_cred_t cred,
     const vnode_t vp,
-    const uint64_t vnode_id,
-    const char *vnode_id_str) {
-  if (!ClientConnected()) return ACTION_RESPOND_ALLOW;
+    const uint64_t vnode_id) {
+  while (true) {
+    if (!ClientConnected()) return ACTION_RESPOND_ALLOW;
 
-  // Check to see if item is in cache
-  auto return_action = GetFromCache(vnode_id_str);
+    // Check to see if item is in cache
+    auto return_action = GetFromCache(vnode_id);
 
-  // If item was in cache return it.
-  if (RESPONSE_VALID(return_action)) return return_action;
+    // If item was in cache with a valid response, return it.
+    // If item is in cache but hasn't received a response yet, sleep for a bit.
+    // If item is not in cache, break out of loop to send request to daemon.
+    if (RESPONSE_VALID(return_action)) {
+      return return_action;
+    } else if (return_action == ACTION_REQUEST_BINARY || return_action == ACTION_RESPOND_ACK) {
+      // This thread will now sleep for kRequestLoopSleepMilliseconds (1s) or
+      // until AddToCache is called, indicating a response has arrived.
+      msleep((void *)vnode_id, NULL, 0, "", &ts_);
+    } else {
+      break;
+    }
+  }
 
   // Get path
   char path[MAXPATHLEN];
   int name_len = MAXPATHLEN;
-  if (vn_getpath(vp, path, &name_len) != 0) {
-    path[0] = '\0';
+  path[MAXPATHLEN - 1] = 0;
+
+  if (vn_getpath(vp, path, &name_len) == ENOSPC) {
+    return ACTION_RESPOND_TOOLONG;
   }
 
   auto message = NewMessage(cred);
@@ -370,7 +388,7 @@ santa_action_t SantaDecisionManager::FetchDecision(
   message->action = ACTION_REQUEST_BINARY;
   message->vnode_id = vnode_id;
   proc_name(message->ppid, message->pname, sizeof(message->pname));
-  return_action = GetFromDaemon(message, vnode_id_str);
+  auto return_action = GetFromDaemon(message, vnode_id);
   delete message;
   return return_action;
 }
@@ -380,6 +398,14 @@ santa_action_t SantaDecisionManager::FetchDecision(
 bool SantaDecisionManager::PostToDecisionQueue(santa_message_t *message) {
   lck_mtx_lock(decision_dataqueue_lock_);
   auto kr = decision_dataqueue_->enqueue(message, sizeof(santa_message_t));
+  if (!kr) {
+    if (++failed_decision_queue_requests_ > kMaxDecisionQueueFailures) {
+      LOGE("Failed to queue more than %d decision requests, killing daemon",
+           kMaxDecisionQueueFailures);
+      proc_signal(client_pid_, SIGKILL);
+      client_pid_ = 0;
+    }
+  }
   lck_mtx_unlock(decision_dataqueue_lock_);
   return kr;
 }
@@ -388,7 +414,7 @@ bool SantaDecisionManager::PostToLogQueue(santa_message_t *message) {
   lck_mtx_lock(log_dataqueue_lock_);
   auto kr = log_dataqueue_->enqueue(message, sizeof(santa_message_t));
   if (!kr) {
-    if (OSCompareAndSwap(0, 1, &failed_log_queue_requests_)) {
+    if (failed_log_queue_requests_++ == 0) {
       LOGW("Dropping log queue messages");
     }
     // If enqueue failed, pop an item off the queue and try again.
@@ -396,7 +422,9 @@ bool SantaDecisionManager::PostToLogQueue(santa_message_t *message) {
     log_dataqueue_->dequeue(0, &dataSize);
     kr = log_dataqueue_->enqueue(message, sizeof(santa_message_t));
   } else {
-    OSCompareAndSwap(1, 0, &failed_log_queue_requests_);
+    if (failed_log_queue_requests_ > 0) {
+      failed_log_queue_requests_--;
+    }
   }
   lck_mtx_unlock(log_dataqueue_lock_);
   return kr;
@@ -418,45 +446,44 @@ int SantaDecisionManager::VnodeCallback(const kauth_cred_t cred,
                                         const vfs_context_t ctx,
                                         const vnode_t vp,
                                         int *errno) {
-  // Only operate on regular files (not directories, symlinks, etc.).
-  if (vnode_vtype(vp) != VREG) return KAUTH_RESULT_DEFER;
-
-  // Get ID for the vnode and convert it to a string.
+  // Get ID for the vnode
   auto vnode_id = GetVnodeIDForVnode(ctx, vp);
-  char vnode_str[MAX_VNODE_ID_STR];
-  snprintf(vnode_str, MAX_VNODE_ID_STR, "%llu", vnode_id);
+  if (!vnode_id) return KAUTH_RESULT_DEFER;
 
   // Fetch decision
-  auto returnedAction = FetchDecision(cred, vp, vnode_id, vnode_str);
+  auto returnedAction = FetchDecision(cred, vp, vnode_id);
 
   // If file has dirty blocks, remove from cache and deny. This would usually
   // be the case if a file has been written to and flushed but not yet
   // closed.
   if (vnode_hasdirtyblks(vp)) {
-    CacheCheck(vnode_str);
+    RemoveFromCache(vnode_id);
     returnedAction = ACTION_RESPOND_DENY;
+
+    char path[MAXPATHLEN];
+    int len = MAXPATHLEN;
+    path[MAXPATHLEN - 1] = 0;
+    LOGW("file has dirty blocks: %s", vn_getpath(vp, path, &len) ? "unknown" : path);
   }
 
   switch (returnedAction) {
     case ACTION_RESPOND_ALLOW: {
       auto proc = vfs_context_proc(ctx);
       if (proc) {
-        auto pidWrapper = new SantaPIDAndPPID;
-        pidWrapper->pid = proc_pid(proc);
-        pidWrapper->ppid = proc_ppid(proc);
-        lck_rw_lock_exclusive(vnode_pid_map_lock_);
-        if (vnode_pid_map_->getCount() > 5000) {
-          vnode_pid_map_->flushCollection();
-        }
-        vnode_pid_map_->setObject(vnode_str, pidWrapper);
-        lck_rw_unlock_exclusive(vnode_pid_map_lock_);
-        pidWrapper->release();
+        pid_t pid = proc_pid(proc);
+        pid_t ppid = proc_ppid(proc);
+        // pid_t is 32-bit; pid is in upper 32 bits, ppid in lower.
+        uint64_t val = ((uint64_t)pid << 32) | (ppid & 0xFFFFFFFF);
+        vnode_pid_map_->set(vnode_id, val);
       }
       return KAUTH_RESULT_ALLOW;
     }
     case ACTION_RESPOND_DENY:
       *errno = EPERM;
       return KAUTH_RESULT_DENY;
+    case ACTION_RESPOND_TOOLONG:
+      *errno = ENAMETOOLONG;
+      return KAUTH_RESULT_DENY;
     default:
       // NOTE: Any unknown response or error condition causes us to fail open.
       // Whilst from a security perspective this is bad, it's important that
@@ -468,33 +495,24 @@ int SantaDecisionManager::VnodeCallback(const kauth_cred_t cred,
 void SantaDecisionManager::FileOpCallback(
     const kauth_action_t action, const vnode_t vp,
     const char *path, const char *new_path) {
+  if (!ClientConnected() || proc_selfpid() == client_pid_) return;
+
   if (vp) {
     auto context = vfs_context_create(nullptr);
     auto vnode_id = GetVnodeIDForVnode(context, vp);
     vfs_context_rele(context);
 
-    if (action == KAUTH_FILEOP_CLOSE) {
-      char vnode_id_str[MAX_VNODE_ID_STR];
-      snprintf(vnode_id_str, MAX_VNODE_ID_STR, "%llu", vnode_id);
-      CacheCheck(vnode_id_str);
-    } else if (action == KAUTH_FILEOP_EXEC) {
+    if (action == KAUTH_FILEOP_EXEC) {
       auto message = NewMessage(nullptr);
       message->vnode_id = vnode_id;
       message->action = ACTION_NOTIFY_EXEC;
       strlcpy(message->path, path, sizeof(message->path));
-
-      char vnode_str[MAX_VNODE_ID_STR];
-      snprintf(vnode_str, MAX_VNODE_ID_STR, "%llu", vnode_id);
-
-      lck_rw_lock_shared(vnode_pid_map_lock_);
-      auto pidWrapper = OSDynamicCast(
-          SantaPIDAndPPID, vnode_pid_map_->getObject(vnode_str));
-      if (pidWrapper) {
-        message->pid = pidWrapper->pid;
-        message->ppid = pidWrapper->ppid;
+      uint64_t val = vnode_pid_map_->get(vnode_id);
+      if (val) {
+        // pid_t is 32-bit, so pid is in upper 32 bits, ppid in lower.
+        message->pid = (val >> 32);
+        message->ppid = (val & ~0xFFFFFFFF00000000);
       }
-      lck_rw_unlock_shared(vnode_pid_map_lock_);
-
       PostToLogQueue(message);
       delete message;
       return;
@@ -503,8 +521,7 @@ void SantaDecisionManager::FileOpCallback(
 
   // Filter out modifications to locations that are definitely
   // not useful or made by santad.
-  if (proc_selfpid() != client_pid_ &&
-      !strprefix(path, "/.") && !strprefix(path, "/dev")) {
+  if (!strprefix(path, "/.") && !strprefix(path, "/dev")) {
     auto message = NewMessage(nullptr);
     strlcpy(message->path, path, sizeof(message->path));
     if (new_path) strlcpy(message->newpath, new_path, sizeof(message->newpath));
@@ -526,7 +543,9 @@ void SantaDecisionManager::FileOpCallback(
       case KAUTH_FILEOP_DELETE:
         message->action = ACTION_NOTIFY_DELETE;
         break;
-      default: delete message; return;
+      default:
+        delete message;
+        return;
     }
 
     PostToLogQueue(message);
@@ -542,14 +561,16 @@ extern "C" int fileop_scope_callback(
   auto sdm = OSDynamicCast(
       SantaDecisionManager, reinterpret_cast<OSObject *>(idata));
 
+  if (unlikely(sdm == nullptr)) {
+    LOGE("fileop_scope_callback called with no decision manager");
+    return KAUTH_RESULT_DEFER;
+  }
+
   vnode_t vp = nullptr;
   char *path = nullptr;
   char *new_path = nullptr;
 
   switch (action) {
-    case KAUTH_FILEOP_CLOSE:
-      if (!(arg2 & KAUTH_FILEOP_CLOSE_MODIFIED)) return KAUTH_RESULT_DEFER;
-    // Intentional fall-through
     case KAUTH_FILEOP_DELETE:
     case KAUTH_FILEOP_EXEC:
       vp = reinterpret_cast<vnode_t>(arg0);
@@ -576,20 +597,39 @@ extern "C" int fileop_scope_callback(
 extern "C" int vnode_scope_callback(
     kauth_cred_t credential, void *idata, kauth_action_t action,
     uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3) {
-  if (action & KAUTH_VNODE_ACCESS ||
-      !(action & KAUTH_VNODE_EXECUTE) ||
-      idata == nullptr) {
-    return KAUTH_RESULT_DEFER;
-  }
-
   auto sdm = OSDynamicCast(
       SantaDecisionManager, reinterpret_cast<OSObject *>(idata));
 
-  sdm->IncrementListenerInvocations();
-  int result = sdm->VnodeCallback(credential,
-                                  reinterpret_cast<vfs_context_t>(arg0),
-                                  reinterpret_cast<vnode_t>(arg1),
-                                  reinterpret_cast<int *>(arg3));
-  sdm->DecrementListenerInvocations();
-  return result;
+  if (unlikely(sdm == nullptr)) {
+    LOGE("vnode_scope_callback called with no decision manager");
+    return KAUTH_RESULT_DEFER;
+  }
+
+  vnode_t vp = reinterpret_cast<vnode_t>(arg1);
+
+  // We only care about regular files.
+  if (vnode_vtype(vp) != VREG) return KAUTH_RESULT_DEFER;
+
+  if ((action & KAUTH_VNODE_EXECUTE) && !(action & KAUTH_VNODE_ACCESS)) {
+    sdm->IncrementListenerInvocations();
+    int result = sdm->VnodeCallback(credential,
+                                    reinterpret_cast<vfs_context_t>(arg0),
+                                    vp,
+                                    reinterpret_cast<int *>(arg3));
+    sdm->DecrementListenerInvocations();
+    return result;
+  } else if (action & KAUTH_VNODE_WRITE_DATA || action & KAUTH_VNODE_APPEND_DATA) {
+    sdm->IncrementListenerInvocations();
+    if (!(action & KAUTH_VNODE_ACCESS)) {
+      auto vnode_id = sdm->GetVnodeIDForVnode(reinterpret_cast<vfs_context_t>(arg0), vp);
+      sdm->RemoveFromCache(vnode_id);
+    }
+    char path[MAXPATHLEN];
+    int pathlen = MAXPATHLEN;
+    vn_getpath(vp, path, &pathlen);
+    sdm->FileOpCallback(KAUTH_FILEOP_CLOSE, vp, path, nullptr);
+    sdm->DecrementListenerInvocations();
+  }
+
+  return KAUTH_RESULT_DEFER;
 }

Source/santa-driver/SantaDecisionManager.h

@@ -24,10 +24,9 @@
 #include <sys/proc.h>
 #include <sys/vnode.h>
 
+#include "SantaCache.h"
 #include "SNTKernelCommon.h"
 #include "SNTLogging.h"
-#include "SantaCachedDecision.h"
-#include "SantaPIDAndPPID.h"
 
 ///
 ///  SantaDecisionManager is responsible for intercepting Vnode execute actions
@@ -40,178 +39,90 @@ class SantaDecisionManager : public OSObject {
   OSDeclareDefaultStructors(SantaDecisionManager);
 
  public:
-  ///  Used for initialization after instantiation. Required because
-  ///  constructors cannot throw inside kernel-space.
+  /// Used for initialization after instantiation.
   bool init() override;
 
-  ///  Called automatically when retain count drops to 0.
+  /// Called automatically when retain count drops to 0.
   void free() override;
 
-  ///  Called by SantaDriverClient during connection to provide the shared
-  ///  dataqueue memory to the client.
+  /**
+    Called by SantaDriverClient during connection to provide the shared
+    dataqueue memory to the client for the decision queue.
+  */
   IOMemoryDescriptor *GetDecisionMemoryDescriptor() const;
+
+  /**
+    Called by SantaDriverClient during connection to provide the shared
+    dataqueue memory to the client for the logging queue.
+  */
   IOMemoryDescriptor *GetLogMemoryDescriptor() const;
 
-  ///  Called by SantaDriverClient when a client connects to the decision queue,
-  ///  providing the pid of the client process.
+  /**
+    Called by SantaDriverClient when a client connects to the decision queue,
+    providing the pid of the client process.
+  */
   void ConnectClient(pid_t pid);
 
-  ///  Called by SantaDriverClient when a client disconnects
+  /// Called by SantaDriverClient when a client disconnects
   void DisconnectClient(bool itDied = false);
 
-  ///  Returns whether a client is currently connected or not.
+  /// Returns whether a client is currently connected or not.
   bool ClientConnected() const;
 
-  ///  Sets the Mach port for notifying the decision queue.
+  /// Sets the Mach port for notifying the decision queue.
   void SetDecisionPort(mach_port_t port);
 
-  ///  Sets the Mach port for notifying the log queue.
+  /// Sets the Mach port for notifying the log queue.
   void SetLogPort(mach_port_t port);
 
-  ///  Starts the kauth listeners.
+  /// Starts the kauth listeners.
   kern_return_t StartListener();
 
-  ///  Stops the kauth listeners. After stopping new callback requests,
-  ///  waits until all current invocations have finished before clearing the
-  ///  cache and returning.
+  /**
+    Stops the kauth listeners. After stopping new callback requests, waits 
+    until all current invocations have finished before clearing the cache and
+    returning.
+  */
   kern_return_t StopListener();
 
-  ///  Adds a decision to the cache, with a timestamp.
-  void AddToCache(const char *identifier,
+  /// Adds a decision to the cache, with a timestamp.
+  void AddToCache(uint64_t identifier,
                   const santa_action_t decision,
                   const uint64_t microsecs = GetCurrentUptime());
 
-  ///  Checks to see if a given identifier is in the cache and removes it.
-  void CacheCheck(const char *identifier);
+  /**
+    Fetches a response from the cache, first checking to see if the entry 
+    has expired.
+  */
+  santa_action_t GetFromCache(uint64_t identifier);
 
-  ///  Returns the number of entries in the cache.
-  uint64_t CacheCount() const;
+  /// Checks to see if a given identifier is in the cache and removes it.
+  void RemoveFromCache(uint64_t identifier);
 
-  ///  Clears the cache.
-  void ClearCache();
+  /// Returns the number of entries in the cache.
+  uint64_t RootCacheCount() const;
+  uint64_t NonRootCacheCount() const;
 
-  ///  Increments the count of active callbacks pending.
+  /**
+    Clears the cache(s). If non_root_only is true, only the non-root cache 
+    is cleared.
+  */
+  void ClearCache(bool non_root_only = false);
+
+  /// Increments the count of active callbacks pending.
   void IncrementListenerInvocations();
 
-  ///  Decrements the count of active callbacks pending.
+  /// Decrements the count of active callbacks pending.
   void DecrementListenerInvocations();
 
-  ///
-  ///  Vnode Callback
-  ///  @param cred The kauth credential for this request.
-  ///  @param ctx The VFS context for this request.
-  ///  @param vp The Vnode for this request.
-  ///  @param errno A pointer to return an errno style error.
-  ///  @return int A valid KAUTH_RESULT_*.
-  ///
-  int VnodeCallback(const kauth_cred_t cred, const vfs_context_t ctx,
-                    const vnode_t vp, int *errno);
-  ///
-  ///  FileOp Callback
-  ///  @param action The performed action
-  ///  @param vp The Vnode for this request. May be nullptr.
-  ///  @param path The path being operated on.
-  ///  @param new_path The target path for moves and links.
-  ///
-  void FileOpCallback(kauth_action_t action, const vnode_t vp,
-                      const char *path, const char *new_path);
+  /**
+   Fetches the vnode_id for a given vnode.
 
- protected:
-  ///
-  ///  The maximum number of milliseconds a cached deny message should be
-  ///  considered valid.
-  ///
-  static const uint64_t kMaxDenyCacheTimeMilliseconds = 500;
-
-  ///
-  ///  The maximum number of milliseconds a cached allow message should be
-  ///  considered valid.
-  ///
-  static const uint64_t kMaxAllowCacheTimeMilliseconds = 1000 * 60 * 60 * 24;
-
-  ///
-  ///  While waiting for a response from the daemon, this is the number of
-  ///  milliseconds to sleep for before checking the cache for a response.
-  ///
-  static const uint32_t kRequestLoopSleepMilliseconds = 10;
-
-  ///
-  ///  Maximum number of entries in the in-kernel cache.
-  ///
-  static const uint32_t kMaxCacheSize = 10000;
-
-  ///
-  ///  Maximum number of PostToDecisionQueue failures to allow.
-  ///
-  static const uint32_t kMaxDecisionQueueFailures = 10;
-
-  ///
-  ///  The maximum number of messages can be kept in
-  ///  the decision data queue at any time.
-  ///
-  static const uint32_t kMaxDecisionQueueEvents = 512;
-
-  ///
-  ///  The maximum number of messages can be kept
-  ///  in the logging data queue at any time.
-  ///
-  static const uint32_t kMaxLogQueueEvents = 1024;
-
-  ///  Fetches a response from the cache, first checking to see if the
-  ///  entry has expired.
-  santa_action_t GetFromCache(const char *identifier);
-
-  ///  Fetches a response from the daemon. Handles both daemon death
-  ///  and failure to post messages to the daemon.
-  ///
-  ///  @param message The message to send to the daemon
-  ///  @param identifier The vnode ID string for this request
-  ///  @return santa_action_t The response for this request
-  ///
-  santa_action_t GetFromDaemon(santa_message_t *message,
-                               const char *identifier);
-
-  ///
-  ///  Fetches an execution decision for a file, first using the cache and then
-  ///  by sending a message to the daemon and waiting until a response arrives.
-  ///  If a daemon isn't connected, will allow execution and cache, logging
-  ///  the path to the executed file.
-  ///
-  ///  @param cred The credential for this request.
-  ///  @param vp The Vnode for this request.
-  ///  @param vnode_id The ID for this vnode.
-  ///  @param vnode_id_str A string representation of the above ID.
-  ///
-  santa_action_t FetchDecision(const kauth_cred_t cred,
-                               const vnode_t vp,
-                               const uint64_t vnode_id,
-                               const char *vnode_id_str);
-
-  ///
-  ///  Posts the requested message to the decision data queue.
-  ///
-  ///  @param message The message to send
-  ///  @return bool true if sending was successful.
-  ///
-  bool PostToDecisionQueue(santa_message_t *message);
-
-  ///
-  ///  Posts the requested message to the logging data queue.
-  ///
-  ///  @param message The message to send
-  ///  @return bool true if sending was successful.
-  ///
-  bool PostToLogQueue(santa_message_t *message);
-
-  ///
-  ///  Fetches the vnode_id for a given vnode.
-  ///
-  ///  @param ctx The VFS context to use.
-  ///  @param vp The Vnode to get the ID for
-  ///  @return uint64_t The Vnode ID as a 64-bit unsigned int.
-  ///
-  static inline uint64_t GetVnodeIDForVnode(const vfs_context_t ctx,
-                                            const vnode_t vp) {
+   @param ctx The VFS context to use.
+   @param vp The Vnode to get the ID for
+   @return uint64_t The Vnode ID as a 64-bit unsigned int.
+   */
+  static inline uint64_t GetVnodeIDForVnode(const vfs_context_t ctx, const vnode_t vp) {
     struct vnode_attr vap;
     VATTR_INIT(&vap);
     VATTR_WANTED(&vap, va_fsid);
@@ -220,11 +131,111 @@ class SantaDecisionManager : public OSObject {
     return (((uint64_t)vap.va_fsid << 32) | vap.va_fileid);
   }
 
-  ///
-  ///  Creates a new santa_message_t with some fields pre-filled.
-  ///  @param credential The kauth_cred_t for this action, if available.
-  ///         If nullptr, will get the credential for the current process.
-  ///
+  /**
+    Vnode Callback
+
+    @param cred The kauth credential for this request.
+    @param ctx The VFS context for this request.
+    @param vp The Vnode for this request.
+    @param errno A pointer to return an errno style error.
+    @return int A valid KAUTH_RESULT_*.
+  */
+  int VnodeCallback(const kauth_cred_t cred, const vfs_context_t ctx,
+                    const vnode_t vp, int *errno);
+  /**
+    FileOp Callback
+
+    @param action The performed action
+    @param vp The Vnode for this request. May be nullptr.
+    @param path The path being operated on.
+    @param new_path The target path for moves and links.
+  */
+  void FileOpCallback(kauth_action_t action, const vnode_t vp,
+                      const char *path, const char *new_path);
+
+ private:
+  /**
+    While waiting for a response from the daemon, this is the maximum number of
+    milliseconds to sleep for before checking the cache for a response.
+  */
+  static const uint32_t kRequestLoopSleepMilliseconds = 1000;
+
+  /**
+    While waiting for a response from the daemon, this is the maximum number cache checks before
+    re-sending the request.
+  */
+  static const uint32_t kRequestCacheChecks = 5;
+
+  /**
+    The maximum number of milliseconds a cached deny message should be
+    considered valid.
+  */
+  static const uint64_t kMaxDenyCacheTimeMilliseconds = 500;
+
+  /// Maximum number of entries in the in-kernel cache.
+  static const uint32_t kMaxCacheSize = 10000;
+
+  /// Maximum number of PostToDecisionQueue failures to allow.
+  static const uint32_t kMaxDecisionQueueFailures = 10;
+
+  /**
+    The maximum number of messages that can be kept in the decision data queue
+    at any time.
+  */
+  static const uint32_t kMaxDecisionQueueEvents = 512;
+
+  /**
+    The maximum number of messages that can be kept in the logging data queue
+    at any time.
+  */
+  static const uint32_t kMaxLogQueueEvents = 2048;
+
+  /**
+    Fetches a response from the daemon. Handles both daemon death
+    and failure to post messages to the daemon.
+
+    @param message The message to send to the daemon
+    @param identifier The vnode ID string for this request
+    @return santa_action_t The response for this request
+  */
+  santa_action_t GetFromDaemon(santa_message_t *message, uint64_t identifier);
+
+  /**
+    Fetches an execution decision for a file, first using the cache and then
+    by sending a message to the daemon and waiting until a response arrives.
+    If a daemon isn't connected, will allow execution and cache, logging
+    the path to the executed file.
+
+    @param cred The credential for this request.
+    @param vp The Vnode for this request.
+    @param vnode_id The ID for this vnode.
+    @return santa_action_t The response for this request
+  */
+  santa_action_t FetchDecision(
+      const kauth_cred_t cred, const vnode_t vp, const uint64_t vnode_id);
+
+  /**
+    Posts the requested message to the decision data queue.
+
+    @param message The message to send
+    @return bool true if sending was successful.
+  */
+  bool PostToDecisionQueue(santa_message_t *message);
+
+  /**
+    Posts the requested message to the logging data queue.
+
+    @param message The message to send
+    @return bool true if sending was successful.
+  */
+  bool PostToLogQueue(santa_message_t *message);
+
+  /**
+    Creates a new santa_message_t with some fields pre-filled.
+
+    @param credential The kauth_cred_t for this action, if available.
+           If nullptr, will get the credential for the current process.
+  */
   static inline santa_message_t *NewMessage(kauth_cred_t credential) {
     bool should_release = false;
     if (credential == nullptr) {
@@ -241,13 +252,13 @@ class SantaDecisionManager : public OSObject {
     if (should_release) {
       kauth_cred_unref(&credential);
     }
-    
+
     return message;
   }
 
-  ///
-  ///  Returns the current system uptime in microseconds
-  ///
+  /**
+    Returns the current system uptime in microseconds
+  */
   static inline uint64_t GetCurrentUptime() {
     clock_sec_t sec;
     clock_usec_t usec;
@@ -255,23 +266,33 @@ class SantaDecisionManager : public OSObject {
     return (uint64_t)((sec * 1000000) + usec);
   }
 
- private:
+  SantaCache<uint64_t> *root_decision_cache_;
+  SantaCache<uint64_t> *non_root_decision_cache_;
+  SantaCache<uint64_t> *vnode_pid_map_;
+
+  /**
+    Return the correct cache for a given identifier.
+
+    @param identifier The identifier
+    @return SantaCache* The cache to use
+  */
+  SantaCache<uint64_t>* CacheForIdentifier(const uint64_t identifier);
+
+  // This is the file system ID of the root filesystem,
+  // used to determine which cache to use for requests
+  uint32_t root_fsid_;
+
   lck_grp_t *sdm_lock_grp_;
   lck_grp_attr_t *sdm_lock_grp_attr_;
-
   lck_attr_t *sdm_lock_attr_;
-  lck_rw_t *cached_decisions_lock_;
+
   lck_mtx_t *decision_dataqueue_lock_;
   lck_mtx_t *log_dataqueue_lock_;
-  lck_rw_t *vnode_pid_map_lock_;
-
-  OSDictionary *cached_decisions_;
-  OSDictionary *vnode_pid_map_;
 
   IOSharedDataQueue *decision_dataqueue_;
   IOSharedDataQueue *log_dataqueue_;
-  int32_t failed_decision_queue_requests_;
-  int32_t failed_log_queue_requests_;
+  uint32_t failed_decision_queue_requests_;
+  uint32_t failed_log_queue_requests_;
 
   int32_t listener_invocations_;
 
@@ -279,34 +300,48 @@ class SantaDecisionManager : public OSObject {
 
   kauth_listener_t vnode_listener_;
   kauth_listener_t fileop_listener_;
+
+  struct timespec ts_;
 };
 
-///
-///  The kauth callback function for the Vnode scope
-///  @param actor's credentials
-///  @param data that was passed when the listener was registered
-///  @param action that was requested
-///  @param VFS context
-///  @param Vnode being operated on
-///  @param Parent Vnode. May be nullptr.
-///  @param Pointer to an errno-style error.
-///
-extern "C" int vnode_scope_callback(
-    kauth_cred_t credential, void *idata, kauth_action_t action,
-    uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3);
+/**
+  The kauth callback function for the Vnode scope
 
-///
-///  The kauth callback function for the FileOp scope
-///  @param actor's credentials
-///  @param data that was passed when the listener was registered
-///  @param action that was requested
-///  @param depends on action, usually the vnode ref.
-///  @param depends on action.
-///  @param depends on action, usually 0.
-///  @param depends on action, usually 0.
-///
+  @param actor's credentials
+  @param data that was passed when the listener was registered
+  @param action that was requested
+  @param VFS context
+  @param Vnode being operated on
+  @param Parent Vnode. May be nullptr.
+  @param Pointer to an errno-style error.
+*/
+extern "C" int vnode_scope_callback(
+    kauth_cred_t credential,
+    void *idata,
+    kauth_action_t action,
+    uintptr_t arg0,
+    uintptr_t arg1,
+    uintptr_t arg2,
+    uintptr_t arg3);
+
+/**
+  The kauth callback function for the FileOp scope
+
+  @param actor's credentials
+  @param data that was passed when the listener was registered
+  @param action that was requested
+  @param depends on action, usually the vnode ref.
+  @param depends on action.
+  @param depends on action, usually 0.
+  @param depends on action, usually 0.
+*/
 extern "C" int fileop_scope_callback(
-    kauth_cred_t credential, void *idata, kauth_action_t action,
-    uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3);
+    kauth_cred_t credential,
+    void *idata,
+    kauth_action_t action,
+    uintptr_t arg0,
+    uintptr_t arg1,
+    uintptr_t arg2,
+    uintptr_t arg3);
 
 #endif  // SANTA__SANTA_DRIVER__SANTADECISIONMANAGER_H

Source/santa-driver/SantaDriverClient.cc

@@ -110,87 +110,90 @@ IOReturn SantaDriverClient::clientMemoryForType(
 
 #pragma mark Callable Methods
 
-IOReturn SantaDriverClient::open() {
-  if (isInactive()) return kIOReturnNotAttached;
+IOReturn SantaDriverClient::open(
+    OSObject *target,
+    void *reference,
+    IOExternalMethodArguments *arguments) {
+  SantaDriverClient *me = OSDynamicCast(SantaDriverClient, target);
+  if (!me) return kIOReturnBadArgument;
 
-  if (!myProvider->open(this)) {
+  if (me->isInactive()) return kIOReturnNotAttached;
+  if (!me->myProvider->open(me)) {
     LOGW("A second client tried to connect.");
     return kIOReturnExclusiveAccess;
   }
 
-  return kIOReturnSuccess;
-}
-
-IOReturn SantaDriverClient::static_open(
-    SantaDriverClient *target,
-    void *reference,
-    IOExternalMethodArguments *arguments) {
-  if (!target) return kIOReturnBadArgument;
-  return target->open();
-}
-
-IOReturn SantaDriverClient::allow_binary(const uint64_t vnode_id) {
-  char vnode_id_str[21];
-  snprintf(vnode_id_str, sizeof(vnode_id_str), "%llu", vnode_id);
-  decisionManager->AddToCache(vnode_id_str, ACTION_RESPOND_ALLOW);
+  LOGI("Client connected.");
 
   return kIOReturnSuccess;
 }
 
-IOReturn SantaDriverClient::static_allow_binary(
-    SantaDriverClient *target,
-    void *reference,
-    IOExternalMethodArguments *arguments) {
-  if (!target) return kIOReturnBadArgument;
-  if (arguments->scalarInput == nullptr) return kIOReturnBadArgument;
+IOReturn SantaDriverClient::allow_binary(
+    OSObject *target, void *reference, IOExternalMethodArguments *arguments) {
+  SantaDriverClient *me = OSDynamicCast(SantaDriverClient, target);
+  if (!me) return kIOReturnBadArgument;
 
-  return target->allow_binary(
-      static_cast<const uint64_t>(*arguments->scalarInput));
-}
-
-IOReturn SantaDriverClient::deny_binary(const uint64_t vnode_id) {
-  char vnode_id_str[21];
-  snprintf(vnode_id_str, sizeof(vnode_id_str), "%llu", vnode_id);
-  decisionManager->AddToCache(vnode_id_str, ACTION_RESPOND_DENY);
+  const uint64_t vnode_id = static_cast<const uint64_t>(arguments->scalarInput[0]);
+  if (!vnode_id) return kIOReturnInvalid;
+  me->decisionManager->AddToCache(vnode_id, ACTION_RESPOND_ALLOW);
 
   return kIOReturnSuccess;
 }
 
-IOReturn SantaDriverClient::static_deny_binary(
-    com_google_SantaDriverClient *target,
-    void *reference,
-    IOExternalMethodArguments *arguments) {
-  if (!target) return kIOReturnBadArgument;
-  if (arguments->scalarInput == nullptr) return kIOReturnBadArgument;
+IOReturn SantaDriverClient::deny_binary(
+    OSObject *target, void *reference, IOExternalMethodArguments *arguments) {
+  SantaDriverClient *me = OSDynamicCast(SantaDriverClient, target);
+  if (!me) return kIOReturnBadArgument;
 
-  return target->deny_binary(
-      static_cast<const uint64_t>(*arguments->scalarInput));
-}
+  const uint64_t vnode_id = static_cast<const uint64_t>(arguments->scalarInput[0]);
+  if (!vnode_id) return kIOReturnInvalid;
+  me->decisionManager->AddToCache(vnode_id, ACTION_RESPOND_DENY);
 
-IOReturn SantaDriverClient::clear_cache() {
-  decisionManager->ClearCache();
   return kIOReturnSuccess;
 }
 
-IOReturn SantaDriverClient::static_clear_cache(
-    com_google_SantaDriverClient *target,
-    void *reference,
-    IOExternalMethodArguments *arguments) {
-  if (!target) return kIOReturnBadArgument;
-  return target->clear_cache();
-}
+IOReturn SantaDriverClient::acknowledge_binary(
+    OSObject *target, void *reference, IOExternalMethodArguments *arguments) {
+  SantaDriverClient *me = OSDynamicCast(SantaDriverClient, target);
+  if (!me) return kIOReturnBadArgument;
+
+  const uint64_t vnode_id = static_cast<const uint64_t>(arguments->scalarInput[0]);
+  if (!vnode_id) return kIOReturnInvalid;
+  me->decisionManager->AddToCache(vnode_id, ACTION_RESPOND_ACK, 0);
 
-IOReturn SantaDriverClient::cache_count(uint64_t *output) {
-  *output = decisionManager->CacheCount();
   return kIOReturnSuccess;
 }
 
-IOReturn SantaDriverClient::static_cache_count(
-    com_google_SantaDriverClient *target,
-    void *reference,
-    IOExternalMethodArguments *arguments) {
-  if (!target) return kIOReturnBadArgument;
-  return target->cache_count(&(arguments->scalarOutput[0]));
+IOReturn SantaDriverClient::clear_cache(
+    OSObject *target, void *reference, IOExternalMethodArguments *arguments) {
+  SantaDriverClient *me = OSDynamicCast(SantaDriverClient, target);
+  if (!me) return kIOReturnBadArgument;
+
+  const bool non_root_only = static_cast<const bool>(arguments->scalarInput[0]);
+  me->decisionManager->ClearCache(non_root_only);
+
+  return kIOReturnSuccess;
+}
+
+IOReturn SantaDriverClient::cache_count(
+    OSObject *target, void *reference, IOExternalMethodArguments *arguments) {
+  SantaDriverClient *me = OSDynamicCast(SantaDriverClient, target);
+  if (!me) return kIOReturnBadArgument;
+
+  arguments->scalarOutput[0] = me->decisionManager->RootCacheCount();
+  arguments->scalarOutput[1] = me->decisionManager->NonRootCacheCount();
+  return kIOReturnSuccess;
+}
+
+IOReturn SantaDriverClient::check_cache(
+    OSObject *target, void *reference, IOExternalMethodArguments *arguments) {
+  SantaDriverClient *me = OSDynamicCast(SantaDriverClient, target);
+  if (!me) return kIOReturnBadArgument;
+
+  const uint64_t input = static_cast<const uint64_t>(arguments->scalarInput[0]);
+  arguments->scalarOutput[0] = me->decisionManager->GetFromCache(input);
+
+  return kIOReturnSuccess;
 }
 
 #pragma mark Method Resolution
@@ -203,60 +206,24 @@ IOReturn SantaDriverClient::externalMethod(
     void *reference) {
   ///  Array of methods callable by clients. The order of these must match the
   ///  order of the items in SantaDriverMethods in SNTKernelCommon.h
-  IOExternalMethodDispatch sMethods[kSantaUserClientNMethods] = {
-    {
-      reinterpret_cast<IOExternalMethodAction>(&SantaDriverClient::static_open),
-      0,  // input scalar
-      0,  // input struct
-      0,  // output scalar
-      0   // output struct
-    },
-    {
-      reinterpret_cast<IOExternalMethodAction>(
-          &SantaDriverClient::static_allow_binary),
-      1,
-      0,
-      0,
-      0
-    },
-    {
-      reinterpret_cast<IOExternalMethodAction>(
-          &SantaDriverClient::static_deny_binary),
-      1,
-      0,
-      0,
-      0
-    },
-    {
-      reinterpret_cast<IOExternalMethodAction>(
-          &SantaDriverClient::static_clear_cache),
-      0,
-      0,
-      0,
-      0
-    },
-    {
-      reinterpret_cast<IOExternalMethodAction>(
-          &SantaDriverClient::static_cache_count),
-      0,
-      0,
-      1,
-      0
-    }
+  static IOExternalMethodDispatch sMethods[kSantaUserClientNMethods] = {
+    // Function ptr, input scalar count, input struct size, output scalar count, output struct size
+    { &SantaDriverClient::open, 0, 0, 0, 0 },
+    { &SantaDriverClient::allow_binary, 1, 0, 0, 0 },
+    { &SantaDriverClient::deny_binary, 1, 0, 0, 0 },
+    { &SantaDriverClient::acknowledge_binary, 1, 0, 0, 0 },
+    { &SantaDriverClient::clear_cache, 1, 0, 0, 0 },
+    { &SantaDriverClient::cache_count, 0, 0, 2, 0 },
+    { &SantaDriverClient::check_cache, 1, 0, 1, 0 }
   };
 
-  if (selector < static_cast<UInt32>(kSantaUserClientNMethods)) {
-    dispatch = &(sMethods[selector]);
-    if (!target) target = this;
-  } else {
+  if (selector > static_cast<UInt32>(kSantaUserClientNMethods)) {
     return kIOReturnBadArgument;
   }
 
-  return super::externalMethod(selector,
-                               arguments,
-                               dispatch,
-                               target,
-                               reference);
+  dispatch = &(sMethods[selector]);
+  if (!target) target = this;
+  return super::externalMethod(selector, arguments, dispatch, target, reference);
 }
 
 #undef super

Source/santa-driver/SantaDriverClient.h

@@ -72,44 +72,38 @@ class com_google_SantaDriverClient : public IOUserClient {
 
   ///
   ///  The userpsace callable methods are below. Each method corresponds
-  ///  to an entry in SantaDriverMethods. Each method has a static version
-  ///  which just calls the method on the provided target.
+  ///  to an entry in SantaDriverMethods.
   ///
 
   ///  Called during client connection.
-  IOReturn open();
-  static IOReturn static_open(
-      com_google_SantaDriverClient *target,
-      void *reference,
-      IOExternalMethodArguments *arguments);
+  static IOReturn open(
+      OSObject *target, void *reference, IOExternalMethodArguments *arguments);
 
   ///  The daemon calls this to allow a binary.
-  IOReturn allow_binary(uint64_t vnode_id);
-  static IOReturn static_allow_binary(
-      com_google_SantaDriverClient *target,
-      void *reference,
-      IOExternalMethodArguments *arguments);
+  static IOReturn allow_binary(
+      OSObject *target, void *reference,IOExternalMethodArguments *arguments);
 
   ///  The daemon calls this to deny a binary.
-  IOReturn deny_binary(uint64_t vnode_id);
-  static IOReturn static_deny_binary(
-      com_google_SantaDriverClient *target,
-      void *reference,
-      IOExternalMethodArguments *arguments);
+  static IOReturn deny_binary(
+      OSObject *target, void *reference, IOExternalMethodArguments *arguments);
+
+  ///  The daemon calls this to acknowledge a binary request. This is used for large binaries that
+  ///  may take a while to reach a decision.
+  static IOReturn acknowledge_binary(
+      OSObject *target, void *reference, IOExternalMethodArguments *arguments);
 
   ///  The daemon calls this to empty the cache.
-  IOReturn clear_cache();
-  static IOReturn static_clear_cache(
-      com_google_SantaDriverClient *target,
-      void *reference,
-      IOExternalMethodArguments *arguments);
+  static IOReturn clear_cache(
+      OSObject *target, void *reference, IOExternalMethodArguments *arguments);
 
   ///  The daemon calls this to find out how many items are in the cache
-  IOReturn cache_count(uint64_t *output);
-  static IOReturn static_cache_count(
-      com_google_SantaDriverClient *target,
-      void *reference,
-      IOExternalMethodArguments *arguments);
+  static IOReturn cache_count(
+      OSObject *target, void *reference, IOExternalMethodArguments *arguments);
+
+  ///  The daemon calls this to find out the status of a vnode_id in the cache.
+  ///  Output will be a santa_action_t.
+  static IOReturn check_cache(
+      OSObject *target, void *reference, IOExternalMethodArguments *arguments);
 
  private:
   com_google_SantaDriver *myProvider;

Source/santabs/Resources/santabs-Info.plist

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>CFBundleDevelopmentRegion</key>
+	<string>en</string>
+	<key>CFBundleDisplayName</key>
+	<string>santabs</string>
+	<key>CFBundleExecutable</key>
+	<string>$(EXECUTABLE_NAME)</string>
+	<key>CFBundleIdentifier</key>
+	<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
+	<key>CFBundleInfoDictionaryVersion</key>
+	<string>6.0</string>
+	<key>CFBundleName</key>
+	<string>$(PRODUCT_NAME)</string>
+	<key>CFBundlePackageType</key>
+	<string>XPC!</string>
+	<key>CFBundleShortVersionString</key>
+	<string>1.0</string>
+	<key>CFBundleSignature</key>
+	<string>????</string>
+	<key>CFBundleVersion</key>
+	<string>1</string>
+	<key>XPCService</key>
+	<dict>
+		<key>ServiceType</key>
+		<string>Application</string>
+	</dict>
+</dict>
+</plist>

Source/santabs/SNTBundleService.h

@@ -1,4 +1,4 @@
-/// Copyright 2015 Google Inc. All rights reserved.
+/// Copyright 2017 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -12,20 +12,9 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#include "SantaCachedDecision.h"
+#import <Foundation/Foundation.h>
 
-OSDefineMetaClassAndStructors(SantaCachedDecision, OSObject);
+#import "SNTXPCBundleServiceInterface.h"
 
-uint64_t SantaCachedDecision::getMicrosecs() const {
-  return microsecs_;
-}
-
-santa_action_t SantaCachedDecision::getAction() const {
-  return action_;
-}
-
-void SantaCachedDecision::setAction(
-    const santa_action_t action, const uint64_t microsecs) {
-  action_ = action;
-  microsecs_ = microsecs;
-}
+@interface SNTBundleService : NSObject<SNTBundleServiceXPC>
+@end

Source/santabs/SNTBundleService.m

@@ -0,0 +1,312 @@
+/// Copyright 2017 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTBundleService.h"
+
+#import <CommonCrypto/CommonDigest.h>
+#import <pthread/pthread.h>
+
+#import <MOLCodesignChecker/MOLCodesignChecker.h>
+#import <MOLXPCConnection/MOLXPCConnection.h>
+
+#import "SNTFileInfo.h"
+#import "SNTStoredEvent.h"
+#import "SNTXPCNotifierInterface.h"
+
+@interface SNTBundleService ()
+@property MOLXPCConnection *notifierConnection;
+@property MOLXPCConnection *listener;
+@property(nonatomic) dispatch_queue_t queue;
+@end
+
+@implementation SNTBundleService
+
+- (instancetype)init {
+  self = [super init];
+  if (self) {
+    _queue = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0);
+  }
+  return self;
+}
+
+#pragma mark Connection handling
+
+// Create a listener for SantaGUI to connect
+- (void)createConnection {
+  dispatch_semaphore_t sema = dispatch_semaphore_create(0);
+
+  // Create listener for return connection from SantaGUI.
+  NSXPCListener *listener = [NSXPCListener anonymousListener];
+  self.listener = [[MOLXPCConnection alloc] initServerWithListener:listener];
+  self.listener.exportedInterface = [SNTXPCBundleServiceInterface bundleServiceInterface];
+  self.listener.exportedObject = self;
+  self.listener.acceptedHandler = ^{
+    dispatch_semaphore_signal(sema);
+  };
+
+  // Exit when SantaGUI is done with us.
+  self.listener.invalidationHandler = ^{
+    exit(0);
+  };
+
+  [self.listener resume];
+
+  // Tell SantaGUI to connect back to the above listener.
+  [[self.notifierConnection remoteObjectProxy] setBundleServiceListener:listener.endpoint];
+
+  // Now wait for the connection to come in.
+  if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC))) {
+    [self attemptReconnection];
+  }
+}
+
+- (void)attemptReconnection {
+  [self performSelectorOnMainThread:@selector(createConnection) withObject:nil waitUntilDone:NO];
+}
+
+#pragma mark SNTBundleServiceXPC Methods
+
+// Connect to the SantaGUI
+- (void)setBundleNotificationListener:(NSXPCListenerEndpoint *)listener {
+  dispatch_async(dispatch_get_main_queue(), ^{
+    MOLXPCConnection *c = [[MOLXPCConnection alloc] initClientWithListener:listener];
+    c.remoteInterface = [SNTXPCNotifierInterface bundleNotifierInterface];
+    [c resume];
+    self.notifierConnection = c;
+    [self createConnection];
+  });
+}
+
+- (void)hashBundleBinariesForEvent:(SNTStoredEvent *)event
+                             reply:(SNTBundleHashBlock)reply {
+  NSProgress *progress =
+      [NSProgress currentProgress] ? [NSProgress progressWithTotalUnitCount:100] : nil;
+
+  NSDate *startTime = [NSDate date];
+
+  dispatch_semaphore_t sema = dispatch_semaphore_create(0);
+
+  dispatch_async(self.queue, ^{
+    // Use the highest bundle we can find.
+    SNTFileInfo *b = [[SNTFileInfo alloc] initWithPath:event.fileBundlePath];
+    b.useAncestorBundle = YES;
+    event.fileBundlePath = b.bundlePath;
+
+    // If path to the bundle is unavailable, stop. SantaGUI will revert to
+    // using the offending blockable.
+    if (!event.fileBundlePath) {
+      reply(nil, nil, 0);
+      dispatch_semaphore_signal(sema);
+      return;
+    }
+
+    // Reuse the bundle infomation when creating the related binary events.
+    event.fileBundleID = b.bundleIdentifier;
+    event.fileBundleName = b.bundleName;
+    event.fileBundleVersion = b.bundleVersion;
+    event.fileBundleVersionString = b.bundleShortVersionString;
+
+    // For most apps this should be "Contents/MacOS/AppName"
+    if (b.bundle.executablePath.length > b.bundlePath.length) {
+      event.fileBundleExecutableRelPath =
+          [b.bundle.executablePath substringFromIndex:b.bundlePath.length + 1];
+    }
+
+    NSDictionary *relatedEvents = [self findRelatedBinaries:event progress:progress];
+    NSString *bundleHash = [self calculateBundleHashFromSHA256Hashes:relatedEvents.allKeys
+                                                            progress:progress];
+
+    NSNumber *ms = [NSNumber numberWithDouble:[startTime timeIntervalSinceNow] * -1000.0];
+
+    reply(bundleHash, relatedEvents.allValues, ms);
+    dispatch_semaphore_signal(sema);
+  });
+
+  // Master timeout of 10 min. Don't block the calling thread. NSProgress updates will be coming
+  // in over this thread.
+  dispatch_async(self.queue, ^{
+    if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 600 * NSEC_PER_SEC))) {
+      [progress cancel];
+    }
+  });
+}
+
+#pragma mark Internal Methods
+
+/**
+  Find binaries within a bundle given the bundle's event. It will run until a timeout occurs,
+  or until the NSProgress is cancelled. Search is done within the bundle concurrently.
+
+  @param event The SNTStoredEvent to begin searching.
+  @return An NSDictionary object with keys of fileSHA256 and values of SNTStoredEvent objects.
+*/
+- (NSDictionary *)findRelatedBinaries:(SNTStoredEvent *)event progress:(NSProgress *)progress {
+  // Find all files and folders within the fileBundlePath
+  NSFileManager *fm = [NSFileManager defaultManager];
+  NSArray *subpaths = [fm subpathsOfDirectoryAtPath:event.fileBundlePath error:NULL];
+
+  // This array is used to store pointers to executable SNTFileInfo objects. There will be one block
+  // dispatched per file in dirEnum. These blocks will write pointers to this array concurrently.
+  // No locks are used since every file has a slot.
+  //
+  // Xcode.app has roughly 500k files, 8bytes per pointer is ~4MB for this array. This size to space
+  // ratio seems appropriate as Xcode.app is in the upper bounds of bundle size.
+  __block void **fis = calloc(subpaths.count, sizeof(void *));
+
+  // Counts used as additional progress information in SantaGUI
+  __block volatile int64_t binaryCount = 0;
+  __block volatile int64_t sentBinaryCount = 0;
+
+  // Account for 80% of the work
+  NSProgress *p;
+  if (progress) {
+    [progress becomeCurrentWithPendingUnitCount:80];
+    p = [NSProgress progressWithTotalUnitCount:subpaths.count * 100];
+  }
+
+  // Dispatch a block for every file in dirEnum.
+  dispatch_apply(subpaths.count, self.queue, ^(size_t i) {
+    @autoreleasepool {
+      if (progress.isCancelled) return;
+
+      dispatch_sync(dispatch_get_main_queue(), ^{
+        p.completedUnitCount++;
+        if (progress && ((i % 500) == 0 || binaryCount > sentBinaryCount)) {
+          sentBinaryCount = binaryCount;
+          [[self.notifierConnection remoteObjectProxy] updateCountsForEvent:event
+                                                                binaryCount:binaryCount
+                                                                  fileCount:i
+                                                                hashedCount:0];
+        }
+      });
+
+      NSString *subpath = subpaths[i];
+
+      NSString *file =
+          [event.fileBundlePath stringByAppendingPathComponent:subpath].stringByStandardizingPath;
+      SNTFileInfo *fi = [[SNTFileInfo alloc] initWithResolvedPath:file error:NULL];
+      if (!fi.isExecutable) return;
+
+      fis[i] = (__bridge_retained void *)fi;
+      OSAtomicIncrement64Barrier(&binaryCount);
+    }
+  });
+
+  [progress resignCurrent];
+
+  NSMutableArray *fileInfos = [NSMutableArray arrayWithCapacity:binaryCount];
+  for (NSUInteger i = 0; i < subpaths.count; i++) {
+    if (fis[i]) [fileInfos addObject:(__bridge_transfer SNTFileInfo *)fis[i]];
+  }
+
+  free(fis);
+
+  return [self generateEventsFromBinaries:fileInfos blockingEvent:event progress:progress];
+}
+
+- (NSDictionary *)generateEventsFromBinaries:(NSArray *)fis
+                               blockingEvent:(SNTStoredEvent *)event
+                                    progress:(NSProgress *)progress {
+  if (progress.isCancelled) return nil;
+
+  NSMutableDictionary *relatedEvents = [NSMutableDictionary dictionaryWithCapacity:fis.count];
+
+  // Account for 15% of the work
+  NSProgress *p;
+  if (progress) {
+    [progress becomeCurrentWithPendingUnitCount:15];
+    p = [NSProgress progressWithTotalUnitCount:fis.count * 100];
+  }
+
+  dispatch_apply(fis.count, self.queue, ^(size_t i) {
+    @autoreleasepool {
+      if (progress.isCancelled) return;
+
+      SNTFileInfo *fi = fis[i];
+
+      SNTStoredEvent *se = [[SNTStoredEvent alloc] init];
+      se.filePath = fi.path;
+      se.fileSHA256 = fi.SHA256;
+      se.occurrenceDate = [NSDate distantFuture];
+      se.decision = SNTEventStateBundleBinary;
+
+      se.fileBundlePath = event.fileBundlePath;
+      se.fileBundleExecutableRelPath = event.fileBundleExecutableRelPath;
+      se.fileBundleID = event.fileBundleID;
+      se.fileBundleName = event.fileBundleName;
+      se.fileBundleVersion = event.fileBundleVersion;
+      se.fileBundleVersionString = event.fileBundleVersionString;
+
+      MOLCodesignChecker *cs = [fi codesignCheckerWithError:NULL];
+      se.signingChain = cs.certificates;
+
+      dispatch_sync(dispatch_get_main_queue(), ^{
+        relatedEvents[se.fileSHA256] = se;
+        p.completedUnitCount++;
+        if (progress) {
+          [[self.notifierConnection remoteObjectProxy] updateCountsForEvent:event
+                                                                binaryCount:fis.count
+                                                                  fileCount:0
+                                                                hashedCount:i];
+        }
+      });
+    }
+  });
+
+  [progress resignCurrent];
+
+  return relatedEvents;
+}
+
+- (NSString *)calculateBundleHashFromSHA256Hashes:(NSArray *)hashes
+                                         progress:(NSProgress *)progress {
+  if (!hashes.count) return nil;
+
+  // Account for 5% of the work
+  NSProgress *p;
+  if (progress) {
+    [progress becomeCurrentWithPendingUnitCount:5];
+    p = [NSProgress progressWithTotalUnitCount:5 * 100];
+  }
+
+  NSMutableArray *sortedHashes = [hashes mutableCopy];
+  [sortedHashes sortUsingSelector:@selector(localizedCaseInsensitiveCompare:)];
+  NSString *sha256Hashes = [sortedHashes componentsJoinedByString:@""];
+
+  CC_SHA256_CTX c256;
+  CC_SHA256_Init(&c256);
+  CC_SHA256_Update(&c256, (const void *)sha256Hashes.UTF8String, (CC_LONG)sha256Hashes.length);
+  unsigned char digest[CC_SHA256_DIGEST_LENGTH];
+  CC_SHA256_Final(digest, &c256);
+
+  NSString *const SHA256FormatString =
+    @"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
+    "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x";
+
+  NSString *sha256 = [[NSString alloc] initWithFormat:SHA256FormatString,
+      digest[0], digest[1], digest[2], digest[3],
+      digest[4], digest[5], digest[6], digest[7],
+      digest[8], digest[9], digest[10], digest[11],
+      digest[12], digest[13], digest[14], digest[15],
+      digest[16], digest[17], digest[18], digest[19],
+      digest[20], digest[21], digest[22], digest[23],
+      digest[24], digest[25], digest[26], digest[27],
+      digest[28], digest[29], digest[30], digest[31]];
+
+  p.completedUnitCount++;
+  [progress resignCurrent];
+  return sha256;
+}
+
+@end

Source/santabs/main.m

@@ -0,0 +1,28 @@
+/// Copyright 2017 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import <Foundation/Foundation.h>
+
+#import <MOLXPCConnection/MOLXPCConnection.h>
+
+#import "SNTBundleService.h"
+#import "SNTXPCBundleServiceInterface.h"
+
+int main(int argc, const char *argv[]) {
+  MOLXPCConnection *c =
+      [[MOLXPCConnection alloc] initServerWithListener:[NSXPCListener serviceListener]];
+  c.exportedInterface = [SNTXPCBundleServiceInterface bundleServiceInterface];
+  c.exportedObject = [[SNTBundleService alloc] init];
+  [c resume];
+}

Source/santactl/Commands/SNTCommandBundleInfo.m

@@ -0,0 +1,80 @@
+/// Copyright 2017 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTCommand.h"
+#import "SNTCommandController.h"
+
+#import <MOLXPCConnection/MOLXPCConnection.h>
+
+#import "SNTFileInfo.h"
+#import "SNTLogging.h"
+#import "SNTStoredEvent.h"
+#import "SNTXPCControlInterface.h"
+
+@interface SNTCommandBundleInfo : SNTCommand<SNTCommandProtocol>
+@end
+
+@implementation SNTCommandBundleInfo
+
+#ifdef DEBUG
+REGISTER_COMMAND_NAME(@"bundleinfo")
+#endif
+
++ (BOOL)requiresRoot {
+  return NO;
+}
+
++ (BOOL)requiresDaemonConn {
+  return YES;
+}
+
++ (NSString *)shortHelpText {
+  return @"Searches a bundle for binaries";
+}
+
++ (NSString *)longHelpText {
+  return @"Searches a bundle for binaries";
+}
+
+- (void)runWithArguments:(NSArray *)arguments {
+  NSError *error;
+  SNTFileInfo *fi = [[SNTFileInfo alloc] initWithPath:arguments.firstObject error:&error];
+  if (!fi) {
+    printf("%s\n", error.description.UTF8String);
+    exit(1);
+  } else if (!fi.bundle) {
+    printf("Not a bundle\n");
+    exit(2);
+  }
+
+  SNTStoredEvent *se = [[SNTStoredEvent alloc] init];
+  se.fileBundlePath = fi.bundlePath;
+
+  [[self.daemonConn remoteObjectProxy]
+      hashBundleBinariesForEvent:se
+                           reply:^(NSString *hash, NSArray<SNTStoredEvent *> *events,
+                                   NSNumber *time) {
+    printf("Hashing time: %llu ms\n", time.unsignedLongLongValue);
+    printf("%lu events found\n", events.count);
+    printf("BundleHash: %s\n", hash.UTF8String);
+
+    for (SNTStoredEvent *event in events) {
+      printf("BundleID: %s \n\tSHA-256: %s \n\tPath: %s\n",
+             event.fileBundleID.UTF8String, event.fileSHA256.UTF8String, event.filePath.UTF8String);
+    }
+    exit(0);
+  }];
+}
+
+@end

Source/santactl/Commands/SNTCommandCheckCache.m

@@ -0,0 +1,76 @@
+/// Copyright 2016 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import <Foundation/Foundation.h>
+
+#import "SNTCommand.h"
+#import "SNTCommandController.h"
+
+#import <MOLXPCConnection/MOLXPCConnection.h>
+
+#import "SNTLogging.h"
+#import "SNTXPCControlInterface.h"
+
+#include <sys/stat.h>
+
+@interface SNTCommandCheckCache : SNTCommand<SNTCommandProtocol>
+@end
+
+@implementation SNTCommandCheckCache
+
+#ifdef DEBUG
+REGISTER_COMMAND_NAME(@"checkcache")
+#endif
+
++ (BOOL)requiresRoot {
+  return NO;
+}
+
++ (BOOL)requiresDaemonConn {
+  return YES;
+}
+
++ (NSString *)shortHelpText {
+  return @"Prints the status of a file in the kernel cache.";
+}
+
++ (NSString *)longHelpText {
+  return (@"Checks the in-kernel cache for desired file.\n"
+          @"Returns 0 if successful, 1 otherwise");
+}
+
+- (void)runWithArguments:(NSArray *)arguments {
+  uint64_t vnodeID = [self vnodeIDForFile:arguments.firstObject];
+  [[self.daemonConn remoteObjectProxy] checkCacheForVnodeID:vnodeID
+                                                  withReply:^(santa_action_t action) {
+    if (action == ACTION_RESPOND_ALLOW) {
+      LOGI(@"File exists in [whitelist] kernel cache");
+      exit(0);
+    } else if (action == ACTION_RESPOND_DENY) {
+      LOGI(@"File exists in [blacklist] kernel cache");
+      exit(0);
+    } else if (action == ACTION_UNSET) {
+      LOGE(@"File does not exist in cache");
+      exit(1);
+    }
+  }];
+}
+
+- (uint64_t)vnodeIDForFile:(NSString *)path {
+  struct stat fstat = {};
+  stat(path.fileSystemRepresentation, &fstat);
+  return (((uint64_t)fstat.st_dev << 32) | fstat.st_ino);
+}
+
+@end

Source/santactl/Commands/SNTCommandFileInfo.m

@@ -12,24 +12,127 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Foundation/Foundation.h>
+
+#import "SNTCommand.h"
 #import "SNTCommandController.h"
 
-#include "SNTLogging.h"
+#import <objc/runtime.h>
+#import <MOLCertificate/MOLCertificate.h>
+#import <MOLCodesignChecker/MOLCodesignChecker.h>
+#import <MOLXPCConnection/MOLXPCConnection.h>
 
-#import "MOLCertificate.h"
-#import "MOLCodesignChecker.h"
+#import "SNTCachedDecision.h"
 #import "SNTFileInfo.h"
+#import "SNTLogging.h"
 #import "SNTRule.h"
-#import "SNTXPCConnection.h"
 #import "SNTXPCControlInterface.h"
 
-@interface SNTCommandFileInfo : NSObject<SNTCommand>
+// file info keys
+static NSString *const kPath = @"Path";
+static NSString *const kBundleName = @"Bundle Name";
+static NSString *const kBundleVersion = @"Bundle Version";
+static NSString *const kBundleVersionStr = @"Bundle Version Str";
+static NSString *const kDownloadReferrerURL = @"Download Referrer URL";
+static NSString *const kDownloadURL = @"Download URL";
+static NSString *const kDownloadTimestamp = @"Download Timestamp";
+static NSString *const kDownloadAgent = @"Download Agent";
+static NSString *const kType = @"Type";
+static NSString *const kPageZero = @"Page Zero";
+static NSString *const kCodeSigned = @"Code-signed";
+static NSString *const kRule = @"Rule";
+static NSString *const kSigningChain = @"Signing Chain";
+static NSString *const kUniversalSigningChain = @"Universal Signing Chain";
+
+// signing chain keys
+static NSString *const kCommonName = @"Common Name";
+static NSString *const kOrganization = @"Organization";
+static NSString *const kOrganizationalUnit = @"Organizational Unit";
+static NSString *const kValidFrom = @"Valid From";
+static NSString *const kValidUntil = @"Valid Until";
+
+// shared file info & signing chain keys
+static NSString *const kSHA256 = @"SHA-256";
+static NSString *const kSHA1 = @"SHA-1";
+
+// Message displayed when daemon communication fails
+static NSString *const kCommunicationErrorMsg = @"Could not communicate with daemon";
+
+// Used by longHelpText to display a list of valid keys passed in as an array.
+NSString *formattedStringForKeyArray(NSArray<NSString *> *array) {
+  NSMutableString *result = [[NSMutableString alloc] init];
+  for (NSString *key in array) {
+    [result appendString:[NSString stringWithFormat:@"                       \"%@\"\n", key]];
+  }
+  return result;
+}
+
+@interface SNTCommandFileInfo : SNTCommand<SNTCommandProtocol>
+
+// Properties set from commandline flags
+@property(nonatomic) BOOL recursive;
+@property(nonatomic) BOOL jsonOutput;
+@property(nonatomic) int certIndex;  // 0 means no cert-index specified
+@property(nonatomic, copy) NSArray<NSString *> *outputKeyList;
+@property(nonatomic, copy) NSDictionary<NSString *, NSRegularExpression *> *outputFilters;
+
+// Flag indicating when to use TTY colors
+@property(readonly, nonatomic) BOOL prettyOutput;
+
+// Flag needed when printing JSON for multiple files to get commas right
+@property(nonatomic) BOOL jsonPreviousEntry;
+
+// Flag used to avoid multiple attempts to connect to daemon
+@property(nonatomic) BOOL daemonUnavailable;
+
+// Common date formatter
+@property(nonatomic) NSDateFormatter *dateFormatter;
+
+// Maximum length of output key name, used for formatting
+@property(nonatomic) NSUInteger maxKeyWidth;
+
+// Valid key lists
+@property(readonly, nonatomic) NSArray<NSString *> *fileInfoKeys;
+@property(readonly, nonatomic) NSArray<NSString *> *signingChainKeys;
+
+// Block type to be used with propertyMap values.  The first SNTCommandFileInfo parameter
+// is really required only for the the rule property getter which needs access to the daemon
+// connection, but downloadTimestamp & signingChain also use it for a shared date formatter.
+typedef id (^SNTAttributeBlock)(SNTCommandFileInfo *, SNTFileInfo *);
+
+// on read generated properties
+@property(readonly, copy, nonatomic) SNTAttributeBlock path;
+@property(readonly, copy, nonatomic) SNTAttributeBlock sha256;
+@property(readonly, copy, nonatomic) SNTAttributeBlock sha1;
+@property(readonly, copy, nonatomic) SNTAttributeBlock bundleName;
+@property(readonly, copy, nonatomic) SNTAttributeBlock bundleVersion;
+@property(readonly, copy, nonatomic) SNTAttributeBlock bundleShortVersionString;
+@property(readonly, copy, nonatomic) SNTAttributeBlock downloadReferrerURL;
+@property(readonly, copy, nonatomic) SNTAttributeBlock downloadURL;
+@property(readonly, copy, nonatomic) SNTAttributeBlock downloadTimestamp;
+@property(readonly, copy, nonatomic) SNTAttributeBlock downloadAgent;
+@property(readonly, copy, nonatomic) SNTAttributeBlock type;
+@property(readonly, copy, nonatomic) SNTAttributeBlock pageZero;
+@property(readonly, copy, nonatomic) SNTAttributeBlock codeSigned;
+@property(readonly, copy, nonatomic) SNTAttributeBlock rule;
+@property(readonly, copy, nonatomic) SNTAttributeBlock signingChain;
+@property(readonly, copy, nonatomic) SNTAttributeBlock universalSigningChain;
+
+// Mapping between property string keys and SNTAttributeBlocks
+@property(nonatomic) NSDictionary<NSString *, SNTAttributeBlock> *propertyMap;
+
+// Serial queue and dispatch group used for printing output
+@property(nonatomic) dispatch_queue_t printQueue;
+@property(nonatomic) dispatch_group_t printGroup;
+
 @end
 
 @implementation SNTCommandFileInfo
 
 REGISTER_COMMAND_NAME(@"fileinfo")
 
+#pragma mark SNTCommand protocol methods
+
 + (BOOL)requiresRoot {
   return NO;
 }
@@ -43,189 +146,675 @@ REGISTER_COMMAND_NAME(@"fileinfo")
 }
 
 + (NSString *)longHelpText {
-  return (@"The details provided will be the same ones Santa uses to make a decision\n"
+  return [NSString stringWithFormat:
+          @"The details provided will be the same ones Santa uses to make a decision\n"
           @"about executables. This includes SHA-256, SHA-1, code signing information and\n"
-          @"the type of file.");
+          @"the type of file."
+          @"\n"
+          @"Usage: santactl fileinfo [options] [file-paths]\n"
+          @"    --recursive (-r): Search directories recursively.\n"
+          @"    --json: Output in JSON format.\n"
+          @"    --key: Search and return this one piece of information.\n"
+          @"           You may specify multiple keys by repeating this flag.\n"
+          @"           Valid Keys:\n"
+          @"%@\n"
+          @"           Valid keys when using --cert-index:\n"
+          @"%@\n"
+          @"    --cert-index: Supply an integer corresponding to a certificate of the\n"
+          @"                  signing chain to show info only for that certificate.\n"
+          @"                     1 for the leaf certificate\n"
+          @"                    -1 for the root certificate\n"
+          @"                     2 and up for the intermediates / root\n"
+          @"\n"
+          @"    --filter: Use predicates of the form 'key=regex' to filter out which files\n"
+          @"              are displayed. Valid keys are the same as for --key. Value is a\n"
+          @"              case-insensitive regular expression which must match anywhere in\n"
+          @"              the keyed property value for the file's info to be displayed.\n"
+          @"              You may specify multiple filters by repeating this flag.\n"
+          @"\n"
+          @"Examples: santactl fileinfo --cert-index 1 --key SHA-256 --json /usr/bin/yes\n"
+          @"          santactl fileinfo --key SHA-256 --json /usr/bin/yes\n"
+          @"          santactl fileinfo /usr/bin/yes /bin/*\n"
+          @"          santactl fileinfo /usr/bin -r --key Path --key SHA-256 --key Rule\n"
+          @"          santactl fileinfo /usr/bin/* --filter Type=Script --filter Path=zip",
+          formattedStringForKeyArray(self.fileInfoKeys),
+          formattedStringForKeyArray(self.signingChainKeys)];
 }
 
-+ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
-  NSString *filePath = [arguments firstObject];
++ (NSArray<NSString *> *)fileInfoKeys {
+  return @[ kPath, kSHA256, kSHA1, kBundleName, kBundleVersion, kBundleVersionStr,
+            kDownloadReferrerURL, kDownloadURL, kDownloadTimestamp, kDownloadAgent,
+            kType, kPageZero, kCodeSigned, kRule, kSigningChain, kUniversalSigningChain ];
+}
 
-  if (!filePath) {
-    printf("Missing file path\n");
-    exit(1);
++ (NSArray<NSString *> *)signingChainKeys {
+  return @[ kSHA256, kSHA1, kCommonName, kOrganization, kOrganizationalUnit, kValidFrom,
+            kValidUntil ];
+}
+
+- (instancetype)initWithDaemonConnection:(MOLXPCConnection *)daemonConn {
+  self = [super initWithDaemonConnection:daemonConn];
+  if (self) {
+    _dateFormatter = [[NSDateFormatter alloc] init];
+    _dateFormatter.dateFormat = @"yyyy/MM/dd HH:mm:ss Z";
+
+    _propertyMap = @{ kPath : self.path,
+                      kSHA256 : self.sha256,
+                      kSHA1 : self.sha1,
+                      kBundleName : self.bundleName,
+                      kBundleVersion : self.bundleVersion,
+                      kBundleVersionStr : self.bundleVersionStr,
+                      kDownloadReferrerURL : self.downloadReferrerURL,
+                      kDownloadURL : self.downloadURL,
+                      kDownloadTimestamp : self.downloadTimestamp,
+                      kDownloadAgent : self.downloadAgent,
+                      kType : self.type,
+                      kPageZero : self.pageZero,
+                      kCodeSigned : self.codeSigned,
+                      kRule : self.rule,
+                      kSigningChain : self.signingChain,
+                      kUniversalSigningChain : self.universalSigningChain };
+
+    _printQueue = dispatch_queue_create("com.google.santactl.print_queue", DISPATCH_QUEUE_SERIAL);
   }
+  return self;
+}
 
-  SNTFileInfo *fileInfo = [[SNTFileInfo alloc] initWithPath:filePath];
-  if (!fileInfo) {
-    printf("Invalid or empty file\n");
-    exit(1);
-  }
+#pragma mark property getters
 
-  NSDateFormatter *dateFormatter = [[NSDateFormatter alloc] init];
-  dateFormatter.dateFormat = @"yyyy/MM/dd HH:mm:ss Z";
+- (SNTAttributeBlock)path {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    return fileInfo.path;
+  };
+}
 
-  if (isatty(STDOUT_FILENO)) printf("Hashing...");
-  NSString *sha1, *sha256;
-  [fileInfo hashSHA1:&sha1 SHA256:&sha256];
-  if (isatty(STDOUT_FILENO)) printf("\r");
+- (SNTAttributeBlock)sha256 {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    return fileInfo.SHA256;
+  };
+}
 
-  [self printKey:@"Path" value:fileInfo.path];
-  [self printKey:@"SHA-256" value:sha256];
-  [self printKey:@"SHA-1" value:sha1];
+- (SNTAttributeBlock)sha1 {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    return fileInfo.SHA1;
+  };
+}
 
-  if (fileInfo.bundlePath) {
-    [self printKey:@"Bundle Name" value:fileInfo.bundleName];
-    [self printKey:@"Bundle Version" value:fileInfo.bundleVersion];
-    [self printKey:@"Bundle Version Str" value:fileInfo.bundleShortVersionString];
-  }
+- (SNTAttributeBlock)bundleName {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    return fileInfo.bundleName;
+  };
+}
 
-  if (fileInfo.quarantineDataURL) {
-    [self printKey:@"Download Referer URL" value:fileInfo.quarantineRefererURL];
-    [self printKey:@"Download URL" value:fileInfo.quarantineDataURL];
-    [self printKey:@"Download Timestamp"
-             value:[dateFormatter stringFromDate:fileInfo.quarantineTimestamp]];
-    [self printKey:@"Download Agent" value:fileInfo.quarantineAgentBundleID];
-  }
+- (SNTAttributeBlock)bundleVersion {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    return fileInfo.bundleVersion;
+  };
+}
 
-  NSArray *archs = [fileInfo architectures];
-  if (archs.count == 0) {
-    [self printKey:@"Type" value:[self humanReadableFileType:fileInfo]];
-    exit(0);
-  }
+- (SNTAttributeBlock)bundleVersionStr {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    return fileInfo.bundleShortVersionString;
+  };
+}
 
-  NSString *s = [NSString stringWithFormat:@"%@ (%@)",
-                                           [self humanReadableFileType:fileInfo],
-                                           [archs componentsJoinedByString:@", "]];
-  [self printKey:@"Type" value:s];
+- (SNTAttributeBlock)downloadReferrerURL {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    return fileInfo.quarantineRefererURL;
+  };
+}
 
-  if ([fileInfo isMissingPageZero]) {
-    [self printKey:@"Page Zero" value:@"__PAGEZERO segment missing/bad!"];
-  }
+- (SNTAttributeBlock)downloadURL {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    return fileInfo.quarantineDataURL;
+  };
+}
 
-  // Code signature state
-  NSError *error;
-  MOLCodesignChecker *csc = [[MOLCodesignChecker alloc] initWithBinaryPath:filePath error:&error];
-  if (error) {
-    switch (error.code) {
-      case errSecCSUnsigned:
-        [self printKey:@"Code-signed" value:@"No"];
-        break;
-      case errSecCSSignatureFailed:
-      case errSecCSStaticCodeChanged:
-      case errSecCSSignatureNotVerifiable:
-      case errSecCSSignatureUnsupported:
-        [self printKey:@"Code-signed" value:@"Yes, but code/signature changed/unverifiable"];
-        break;
-      case errSecCSResourceDirectoryFailed:
-      case errSecCSResourceNotSupported:
-      case errSecCSResourceRulesInvalid:
-      case errSecCSResourcesInvalid:
-      case errSecCSResourcesNotFound:
-      case errSecCSResourcesNotSealed:
-        [self printKey:@"Code-signed" value:@"Yes, but resources invalid"];
-        break;
-      case errSecCSReqFailed:
-      case errSecCSReqInvalid:
-      case errSecCSReqUnsupported:
-        [self printKey:@"Code-signed" value:@"Yes, but failed requirement validation"];
-        break;
-      case errSecCSInfoPlistFailed:
-        [self printKey:@"Code-signed" value:@"Yes, but can't validate as Info.plist is missing"];
-        break;
-      default: {
-        NSString *val = [NSString stringWithFormat:@"Yes, but failed to validate (%ld)",
-                         error.code];
-        [self printKey:@"Code-signed" value:val];
-        break;
+- (SNTAttributeBlock)downloadTimestamp {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    return [cmd.dateFormatter stringFromDate:fileInfo.quarantineTimestamp];
+  };
+}
+
+- (SNTAttributeBlock)downloadAgent {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    return fileInfo.quarantineAgentBundleID;
+  };
+}
+
+- (SNTAttributeBlock)type {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    NSArray *archs = [fileInfo architectures];
+    if (archs.count == 0) {
+      return [fileInfo humanReadableFileType];
+    }
+    return [NSString stringWithFormat:@"%@ (%@)",
+        [fileInfo humanReadableFileType], [archs componentsJoinedByString:@", "]];
+  };
+}
+
+- (SNTAttributeBlock)pageZero {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    if ([fileInfo isMissingPageZero]) {
+      return @"__PAGEZERO segment missing/bad!";
+    }
+    return nil;
+  };
+}
+
+- (SNTAttributeBlock)codeSigned {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    NSError *error;
+    MOLCodesignChecker *csc = [fileInfo codesignCheckerWithError:&error];
+    if (error) {
+      switch (error.code) {
+        case errSecCSUnsigned:
+          return @"No";
+        case errSecCSSignatureFailed:
+        case errSecCSStaticCodeChanged:
+        case errSecCSSignatureNotVerifiable:
+        case errSecCSSignatureUnsupported:
+          return @"Yes, but code/signature changed/unverifiable";
+        case errSecCSResourceDirectoryFailed:
+        case errSecCSResourceNotSupported:
+        case errSecCSResourceRulesInvalid:
+        case errSecCSResourcesInvalid:
+        case errSecCSResourcesNotFound:
+        case errSecCSResourcesNotSealed:
+          return @"Yes, but resources invalid";
+        case errSecCSReqFailed:
+        case errSecCSReqInvalid:
+        case errSecCSReqUnsupported:
+          return @"Yes, but failed requirement validation";
+        case errSecCSInfoPlistFailed:
+          return @"Yes, but can't validate as Info.plist is missing";
+        case errSecCSSignatureInvalid:
+          if ([error.domain isEqualToString:@"com.google.molcodesignchecker"]) {
+            return @"Yes, but signing is not consistent for all architectures";
+          }
+        default: {
+          return [NSString stringWithFormat:@"Yes, but failed to validate (%ld)", error.code];
+        }
+      }
+    } else if (csc.signatureFlags & kSecCodeSignatureAdhoc) {
+      return @"Yes, but ad-hoc";
+    } else {
+      return @"Yes";
+    }
+  };
+}
+
+- (SNTAttributeBlock)rule {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    // If we previously were unable to connect, don't try again.
+    if (cmd.daemonUnavailable) return kCommunicationErrorMsg;
+    static dispatch_once_t token;
+    dispatch_once(&token, ^{ [cmd.daemonConn resume]; });
+    __block SNTEventState state;
+    dispatch_semaphore_t sema = dispatch_semaphore_create(0);
+    NSError *err;
+    MOLCodesignChecker *csc = [fileInfo codesignCheckerWithError:&err];
+    [[cmd.daemonConn remoteObjectProxy] decisionForFilePath:fileInfo.path
+                                                 fileSHA256:fileInfo.SHA256
+                                          certificateSHA256:err ? nil : csc.leafCertificate.SHA256
+                                                      reply:^(SNTEventState s) {
+      state = s;
+      dispatch_semaphore_signal(sema);
+    }];
+    if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC))) {
+      cmd.daemonUnavailable = YES;
+      return kCommunicationErrorMsg;
+    } else {
+      NSMutableString *output =
+          (SNTEventStateAllow & state) ? @"Whitelisted".mutableCopy : @"Blacklisted".mutableCopy;
+      switch (state) {
+        case SNTEventStateAllowUnknown:
+        case SNTEventStateBlockUnknown:
+          [output appendString:@" (Unknown)"];
+          break;
+        case SNTEventStateAllowBinary:
+        case SNTEventStateBlockBinary:
+          [output appendString:@" (Binary)"];
+          break;
+        case SNTEventStateAllowCertificate:
+        case SNTEventStateBlockCertificate:
+          [output appendString:@" (Certificate)"];
+          break;
+        case SNTEventStateAllowScope:
+        case SNTEventStateBlockScope:
+          [output appendString:@" (Scope)"];
+          break;
+        default:
+          output = @"None".mutableCopy;
+          break;
+      }
+      if (cmd.prettyOutput) {
+        if ((SNTEventStateAllow & state)) {
+          [output insertString:@"\033[32m" atIndex:0];
+          [output appendString:@"\033[0m"];
+        } else if ((SNTEventStateBlock & state)) {
+          [output insertString:@"\033[31m" atIndex:0];
+          [output appendString:@"\033[0m"];
+        } else {
+          [output insertString:@"\033[33m" atIndex:0];
+          [output appendString:@"\033[0m"];
+        }
+      }
+      return output.copy;
+    }
+  };
+}
+
+- (SNTAttributeBlock)signingChain {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    MOLCodesignChecker *csc = [fileInfo codesignCheckerWithError:NULL];
+    if (!csc.certificates.count) return nil;
+    NSMutableArray *certs = [[NSMutableArray alloc] initWithCapacity:csc.certificates.count];
+    for (MOLCertificate *c in csc.certificates) {
+      [certs addObject:@{
+        kSHA256 : c.SHA256 ?: @"null",
+        kSHA1 : c.SHA1 ?: @"null",
+        kCommonName : c.commonName ?: @"null",
+        kOrganization : c.orgName ?: @"null",
+        kOrganizationalUnit : c.orgUnit ?: @"null",
+        kValidFrom : [cmd.dateFormatter stringFromDate:c.validFrom] ?: @"null",
+        kValidUntil : [cmd.dateFormatter stringFromDate:c.validUntil] ?: @"null"
+      }];
+    }
+    return certs;
+  };
+}
+
+- (SNTAttributeBlock)universalSigningChain {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    MOLCodesignChecker *csc = [fileInfo codesignCheckerWithError:NULL];
+    if (csc.certificates.count) return nil;
+    if (!csc.universalSigningInformation) return nil;
+    NSMutableArray *universal = [NSMutableArray array];
+    for (NSDictionary *arch in csc.universalSigningInformation) {
+      [universal addObject:@{ @"arch" : arch.allKeys.firstObject }];
+      int flags = [arch.allValues.firstObject[(__bridge id)kSecCodeInfoFlags] intValue];
+      if (flags & kSecCodeSignatureAdhoc) {
+        [universal addObject:@{ @"ad-hoc" : @YES }];
+        continue;
+      }
+      NSArray *certs = arch.allValues.firstObject[(__bridge id)kSecCodeInfoCertificates];
+      NSArray *chain = [MOLCertificate certificatesFromArray:certs];
+      if (!chain.count) {
+        [universal addObject:@{ @"unsigned" : @YES }];
+        continue;
+      }
+      for (MOLCertificate *c in chain) {
+        [universal addObject:@{
+          kSHA256 : c.SHA256 ?: @"null",
+          kSHA1 : c.SHA1 ?: @"null",
+          kCommonName : c.commonName ?: @"null",
+          kOrganization : c.orgName ?: @"null",
+          kOrganizationalUnit : c.orgUnit ?: @"null",
+          kValidFrom : [cmd.dateFormatter stringFromDate:c.validFrom] ?: @"null",
+          kValidUntil : [cmd.dateFormatter stringFromDate:c.validUntil] ?: @"null"
+        }];
       }
     }
-  } else if (csc.signatureFlags & kSecCodeSignatureAdhoc) {
-    [self printKey:@"Code-signed" value:@"Yes, but ad-hoc"];
-  } else {
-    [self printKey:@"Code-signed" value:@"Yes"];
-  }
+    NSMutableSet *set = [NSMutableSet set];
+    for (NSDictionary *cert in universal) {
+      if (cert[@"arch"]) continue;
+      [set addObject:cert];
+    }
+    return (set.count > 1) ? universal : nil;
+  };
+}
 
-  // Binary rule state
-  __block SNTRule *r;
-  dispatch_group_t group = dispatch_group_create();
-  dispatch_group_enter(group);
-  [[daemonConn remoteObjectProxy] databaseBinaryRuleForSHA256:sha256 reply:^(SNTRule *rule) {
-    if (rule) r = rule;
-    dispatch_group_leave(group);
-  }];
-  NSString *leafCertSHA = [[csc.certificates firstObject] SHA256];
-  dispatch_group_enter(group);
-  [[daemonConn remoteObjectProxy] databaseCertificateRuleForSHA256:leafCertSHA
-                                                             reply:^(SNTRule *rule) {
-    if (!r && rule) r = rule;
-    dispatch_group_leave(group);
-  }];
-  if (dispatch_group_wait(group, dispatch_time(DISPATCH_TIME_NOW, 1 * NSEC_PER_SEC))) {
-    [self printKey:@"Rule" value:@"Cannot communicate with daemon"];
-  } else {
-    NSString *output;
-    switch (r.state) {
-      case SNTRuleStateWhitelist:
-        output = @"Whitelisted";
-        if (isatty(STDOUT_FILENO)) {
-          output = @"\033[32mWhitelisted\033[0m";
-        }
-        [self printKey:@"Rule" value:output];
-        break;
-      case SNTRuleStateBlacklist:
-      case SNTRuleStateSilentBlacklist:
-        output = @"Blacklisted";
-        if (isatty(STDOUT_FILENO)) {
-          output = @"\033[31mBlacklisted\033[0m";
-        }
-        [self printKey:@"Rule" value:output];
-        break;
-      default:
-        output = @"None";
-        if (isatty(STDOUT_FILENO)) {
-          output = @"\033[33mNone\033[0m";
-        }
-        [self printKey:@"Rule" value:output];
+# pragma mark -
+
+// Entry point for the command.
+- (void)runWithArguments:(NSArray *)arguments {
+  if (!arguments.count) [self printErrorUsageAndExit:@"No arguments"];
+
+  NSArray *filePaths = [self parseArguments:arguments];
+
+  if (!self.outputKeyList || !self.outputKeyList.count) {
+    if (self.certIndex) {
+      self.outputKeyList = [[self class] signingChainKeys];
+    } else {
+      self.outputKeyList = [[self class] fileInfoKeys];
     }
   }
-
-  // Signing chain
-  if (csc.certificates.count) {
-    printf("Signing chain:\n");
-
-    [csc.certificates enumerateObjectsUsingBlock:^(MOLCertificate *c,
-                                                   unsigned long idx,
-                                                   BOOL *stop) {
-      printf("    %2lu. %-20s: %s\n", idx + 1, "SHA-256", [c.SHA256 UTF8String]);
-      printf("        %-20s: %s\n", "SHA-1", [c.SHA1 UTF8String]);
-      printf("        %-20s: %s\n", "Common Name", [c.commonName UTF8String]);
-      printf("        %-20s: %s\n", "Organization", [c.orgName UTF8String]);
-      printf("        %-20s: %s\n", "Organizational Unit", [c.orgUnit UTF8String]);
-      printf("        %-20s: %s\n", "Valid From",
-             [[dateFormatter stringFromDate:c.validFrom] UTF8String]);
-      printf("        %-20s: %s\n", "Valid Until",
-             [[dateFormatter stringFromDate:c.validUntil] UTF8String]);
-      printf("\n");
-    }];
+  // Figure out max field width from list of keys
+  self.maxKeyWidth = 0;
+  for (NSString *key in self.outputKeyList) {
+    if (key.length > self.maxKeyWidth) self.maxKeyWidth = key.length;
   }
 
+  // For consistency, JSON output is always returned as an array of file info objects, regardless of
+  // how many file info objects are being outputted.  So both empty and singleton result sets are
+  // still enclosed in brackets.
+  if (self.jsonOutput) printf("[\n");
+
+  NSFileManager *fm = [NSFileManager defaultManager];
+  NSString *cwd = [fm currentDirectoryPath];
+
+  // Dispatch group for tasks printing to stdout.
+  self.printGroup = dispatch_group_create();
+
+  [filePaths enumerateObjectsWithOptions:NSEnumerationConcurrent
+                              usingBlock:^(NSString *path, NSUInteger idx, BOOL *stop) {
+    NSString *fullPath = [path stringByStandardizingPath];
+    if (path.length && [path characterAtIndex:0] != '/') {
+      fullPath = [cwd stringByAppendingPathComponent:fullPath];
+    }
+    [self recurseAtPath:fullPath];
+  }];
+
+  // Wait for all tasks in print queue to complete.
+  dispatch_group_wait(self.printGroup, DISPATCH_TIME_FOREVER);
+
+  if (self.jsonOutput) printf("\n]\n");  // print closing bracket of JSON output array
+
   exit(0);
 }
 
-+ (void)printKey:(NSString *)key value:(NSString *)value {
-  if (!key || !value) return;
-  printf("%-21s: %s\n", [key UTF8String], [value UTF8String]);
+// Returns YES if we should output colored text.
+- (BOOL)prettyOutput {
+  return isatty(STDOUT_FILENO) && !self.jsonOutput;
 }
 
-+ (NSString *)humanReadableFileType:(SNTFileInfo *)fi {
-  if ([fi isScript]) return @"Script";
-  if ([fi isExecutable]) return @"Executable";
-  if ([fi isDylib]) return @"Dynamic Library";
-  if ([fi isKext]) return @"Kernel Extension";
-  if ([fi isXARArchive]) return @"XAR Archive";
-  if ([fi isDMG]) return @"Disk Image";
-  return @"Unknown";
+// Print out file info for the object at the given path or, if path is a directory and the
+// --recursive flag is set, print out file info for all objects in directory tree.
+- (void)recurseAtPath:(NSString *)path {
+  NSFileManager *fm = [NSFileManager defaultManager];
+  BOOL isDir = NO, isBundle = NO;
+  if (![fm fileExistsAtPath:path isDirectory:&isDir]) {
+    dispatch_group_async(self.printGroup, self.printQueue, ^{
+      fprintf(stderr, "File does not exist: %s\n", [path UTF8String]);
+    });
+    return;
+  }
+
+  if (isDir) {
+    NSBundle *bundle = [NSBundle bundleWithPath:path];
+    isBundle = bundle && [bundle bundleIdentifier];
+  }
+
+  NSOperationQueue *operationQueue = [[NSOperationQueue alloc] init];
+  operationQueue.qualityOfService = NSQualityOfServiceUserInitiated;
+
+  if (isDir && self.recursive) {
+    NSDirectoryEnumerator *dirEnum = [fm enumeratorAtPath:path];
+    NSString *file = [dirEnum nextObject];
+    while (file) {
+      @autoreleasepool {
+        NSString *filepath = [path stringByAppendingPathComponent:file];
+        BOOL exists = [fm fileExistsAtPath:filepath isDirectory:&isDir];
+        if (!(exists && isDir)) {  // don't display anything for a directory path
+          [operationQueue addOperationWithBlock:^{
+            [self printInfoForFile:filepath];
+          }];
+        }
+        file = [dirEnum nextObject];
+      }
+    }
+  } else if (isDir && !isBundle) {
+    dispatch_group_async(self.printGroup, self.printQueue, ^{
+      fprintf(stderr, "%s is a directory.  Use the -r flag to search recursively.\n",
+          [path UTF8String]);
+    });
+  } else {
+    [operationQueue addOperationWithBlock:^{
+      [self printInfoForFile:path];
+    }];
+  }
+
+  [operationQueue waitUntilAllOperationsAreFinished];
+}
+
+// Prints out the info for a single (non-directory) file.  Which info is printed is controlled
+// by the keys in self.outputKeyList.
+- (void)printInfoForFile:(NSString *)path {
+  SNTFileInfo *fileInfo = [[SNTFileInfo alloc] initWithPath:path];
+  if (!fileInfo) {
+    dispatch_group_async(self.printGroup, self.printQueue, ^{
+      fprintf(stderr, "Invalid or empty file: %s\n", [path UTF8String]);
+    });
+    return;
+  }
+
+  // First build up a dictionary containing all the information we want to print out
+  NSMutableDictionary *outputDict = [NSMutableDictionary dictionary];
+  if (self.certIndex) {
+    // --cert-index flag implicitly means that we want only the signing chain.  So we find the
+    // specified certificate in the signing chain, then print out values for all keys in cert.
+    NSArray *signingChain = self.propertyMap[kSigningChain](self, fileInfo);
+    if (!signingChain || !signingChain.count) return;  // check signing chain isn't empty
+    int index = (self.certIndex == -1) ? (int)signingChain.count - 1 : self.certIndex - 1;
+    if (index < 0 || index >= (int)signingChain.count) return;  // check that index is valid
+    NSDictionary *cert = signingChain[index];
+
+    // Check if we should skip over this item based on outputFilters.
+    for (NSString *key in self.outputFilters) {
+      NSString *value = cert[key];
+      NSRegularExpression *regex = self.outputFilters[key];
+      if (![regex firstMatchInString:value options:0 range:NSMakeRange(0, value.length)]) return;
+    }
+
+    // Filter out the info we want now, in case JSON output
+    for (NSString *key in self.outputKeyList) {
+      outputDict[key] = cert[key];
+    }
+  } else {
+    // Check if we should skip over this item based on outputFilters.  We do this before collecting
+    // output info because there's a chance that we can bail out early if a filter doesn't match.
+    // However we also don't want to recompute info, so we save any values that we plan to show.
+    for (NSString *key in self.outputFilters) {
+      NSString *value = self.propertyMap[key](self, fileInfo);
+      NSRegularExpression *regex = self.outputFilters[key];
+      if (![regex firstMatchInString:value options:0 range:NSMakeRange(0, value.length)]) return;
+      // If this is a value we want to show, store it in the output dictionary.
+      // This does a linear search on an array, but it's a small array.
+      if ([self.outputKeyList containsObject:key]) {
+        outputDict[key] = value;
+      }
+    }
+
+    // Then fill the outputDict with the rest of the missing values.
+    for (NSString *key in self.outputKeyList) {
+      if (outputDict[key]) continue;  // ignore keys that we've already set due to a filter
+      outputDict[key] = self.propertyMap[key](self, fileInfo);
+    }
+  }
+
+  // If there's nothing in the outputDict, then don't need to print anything.
+  if (!outputDict.count) return;
+
+  // Then display the information in the dictionary.  How we display it depends on
+  // a) do we want JSON output?
+  // b) is there only one key?
+  // c) are we displaying a cert?
+  BOOL singleKey = (self.outputKeyList.count == 1 &&
+                    ![self.outputKeyList.firstObject isEqual:kSigningChain]);
+  NSMutableString *output = [NSMutableString string];
+  if (self.jsonOutput) {
+    [output appendString:[self jsonStringForDictionary:outputDict]];
+  } else {
+    for (NSString *key in self.outputKeyList) {
+      if (![outputDict objectForKey:key]) continue;
+      if ([key isEqual:kSigningChain] || [key isEqual:kUniversalSigningChain]) {
+        [output appendString:[self stringForSigningChain:outputDict[key] key:key]];
+      } else {
+        if (singleKey) {
+          [output appendFormat:@"%@\n", outputDict[key]];
+        } else {
+          [output appendFormat:@"%-*s: %@\n",
+              (int)self.maxKeyWidth, key.UTF8String, outputDict[key]];
+        }
+      }
+    }
+    if (!singleKey) [output appendString:@"\n"];
+  }
+
+  dispatch_group_async(self.printGroup, self.printQueue, ^{
+    if (self.jsonOutput) {  // print commas between JSON entries
+      if (self.jsonPreviousEntry) printf(",\n");
+      self.jsonPreviousEntry = YES;
+    }
+    printf("%s", output.UTF8String);
+  });
+}
+
+// Parses the arguments in order to set the property variables:
+//   self.recursive from --recursive or -r
+//   self.json from --json
+//   self.certIndex from --cert-index argument
+//   self.outputKeyList from multiple possible --key arguments
+//   self.outputFilters from multiple possible --filter arguments
+// and returns any non-flag args as path names in an NSArray.
+- (NSArray *)parseArguments:(NSArray<NSString *> *)arguments {
+  NSMutableArray *paths = [NSMutableArray array];
+  NSMutableOrderedSet *keys = [NSMutableOrderedSet orderedSet];
+  NSMutableDictionary *filters = [NSMutableDictionary dictionary];
+  NSUInteger nargs = [arguments count];
+  for (NSUInteger i = 0; i < nargs; i++) {
+    NSString *arg = [arguments objectAtIndex:i];
+    if ([arg caseInsensitiveCompare:@"--json"] == NSOrderedSame) {
+      self.jsonOutput = YES;
+    } else if ([arg caseInsensitiveCompare:@"--cert-index"] == NSOrderedSame) {
+      i += 1;  // advance to next argument and grab index
+      if (i >= nargs || [arguments[i] hasPrefix:@"--"]) {
+        [self printErrorUsageAndExit:@"\n--cert-index requires an argument"];
+      }
+      int index = 0;
+      NSScanner *scanner = [NSScanner scannerWithString:arguments[i]];
+      if (![scanner scanInt:&index] || !scanner.atEnd || index == 0 || index < -1) {
+        [self printErrorUsageAndExit:[NSString stringWithFormat:
+            @"\n\"%@\" is an invalid argument for --cert-index\n"
+            @"  --cert-index argument must be one of -1, 1, 2, 3, ...", arguments[i]]];
+      }
+      self.certIndex = index;
+    } else if ([arg caseInsensitiveCompare:@"--key"] == NSOrderedSame) {
+      i += 1;  // advance to next argument and grab the key
+      if (i >= nargs || [arguments[i] hasPrefix:@"--"]) {
+        [self printErrorUsageAndExit:@"\n--key requires an argument"];
+      }
+      [keys addObject:arguments[i]];
+    } else if ([arg caseInsensitiveCompare:@"--filter"] == NSOrderedSame) {
+      i += 1;  // advance to next argument and grab the filter predicate
+      if (i >= nargs || [arguments[i] hasPrefix:@"--"]) {
+        [self printErrorUsageAndExit:@"\n--filter requires an argument"];
+      }
+      // Check that filter predicate has the format "key=regex".
+      NSRange range = [arguments[i] rangeOfString:@"="];
+      if (range.location == NSNotFound || range.location == 0 ||
+          range.location == arguments[i].length - 1) {
+        [self printErrorUsageAndExit:[NSString stringWithFormat:
+            @"\n\"%@\" is an invalid filter predicate.\n"
+            @"Filter predicates must be of the form key=regex"
+            @" (with no spaces around \"=\")", arguments[i]]];
+      }
+      NSString *key = [arguments[i] substringToIndex:range.location];
+      NSString *rhs = [arguments[i] substringFromIndex:range.location+1];
+      // Convert right-hand side of '=' into a regular expression object.
+      NSError *error;
+      NSRegularExpression *regex =
+          [NSRegularExpression regularExpressionWithPattern:rhs
+                                                    options:NSRegularExpressionCaseInsensitive
+                                                      error:&error];
+      if (error) {
+        [self printErrorUsageAndExit:[NSString stringWithFormat:
+            @"\n\"%@\" is an invalid regular expression in filter argument.\n", rhs]];
+      }
+      filters[key] = regex;
+    } else if ([arg caseInsensitiveCompare:@"--recursive"] == NSOrderedSame ||
+               [arg caseInsensitiveCompare:@"-r"] == NSOrderedSame) {
+      self.recursive = YES;
+    } else {
+      [paths addObject:arg];
+    }
+  }
+
+  // Do some error checking before returning to make sure that specified keys are valid.
+  if (self.certIndex) {
+    NSArray *validKeys = [[self class] signingChainKeys];
+    for (NSString *key in keys) {
+      if (![validKeys containsObject:key]) {
+        [self printErrorUsageAndExit:
+            [NSString stringWithFormat:@"\n\"%@\" is an invalid key when using --cert-index", key]];
+      }
+    }
+    for (NSString *key in filters) {
+      if (![validKeys containsObject:key]) {
+        [self printErrorUsageAndExit:[NSString stringWithFormat:
+            @"\n\"%@\" is an invalid filter key when using --cert-index", key]];
+      }
+    }
+  } else {
+    NSArray *validKeys = [[self class] fileInfoKeys];
+    for (NSString *key in keys) {
+      if (![validKeys containsObject:key]) {
+        [self printErrorUsageAndExit:
+            [NSString stringWithFormat:@"\n\"%@\" is an invalid key", key]];
+      }
+    }
+    for (NSString *key in filters) {
+      if (![validKeys containsObject:key] || [key isEqualToString:kSigningChain]) {
+        [self printErrorUsageAndExit:
+            [NSString stringWithFormat:@"\n\"%@\" is an invalid filter key", key]];
+      }
+    }
+  }
+
+  if (!paths.count) [self printErrorUsageAndExit:@"\nat least one file-path is needed"];
+
+  self.outputKeyList = [keys array];
+  self.outputFilters = [filters copy];
+  return paths.copy;
+}
+
+- (NSString *)jsonStringForDictionary:(NSDictionary *)dict {
+  NSData *jsonData = [NSJSONSerialization dataWithJSONObject:dict
+                                                     options:NSJSONWritingPrettyPrinted
+                                                       error:NULL];
+  return [[NSString alloc] initWithData:jsonData encoding:NSUTF8StringEncoding];
+}
+
+- (NSString *)stringForSigningChain:(NSArray *)signingChain key:(NSString *)key {
+  if (!signingChain) return @"";
+  NSMutableString *result = [NSMutableString string];
+  [result appendFormat:@"%@:\n", key];
+  int i = 1;
+  NSArray<NSString *> *certKeys = [[self class] signingChainKeys];
+  for (NSDictionary *cert in signingChain) {
+    if ([cert isEqual:[NSNull null]]) continue;
+    if (cert[@"arch"]) {
+      [result appendFormat:@"  %2@\n", [@"Architecture: " stringByAppendingString:cert[@"arch"]]];
+      i = 1;
+      continue;
+    } else if (cert[@"ad-hoc"]) {
+      [result appendFormat:@"    %2d. %-20@\n", i, @"ad-hoc"];
+      continue;
+    } else if (cert[@"unsigned"]) {
+      [result appendFormat:@"    %2d. %-20@\n", i, @"unsigned"];
+      continue;
+    }
+    if (i > 1) [result appendFormat:@"\n"];
+    [result appendString:[self stringForCertificate:cert withKeys:certKeys index:i]];
+    i += 1;
+  }
+  return result.copy;
+}
+
+- (NSString *)stringForCertificate:(NSDictionary *)cert withKeys:(NSArray *)keys index:(int)index {
+  if (!cert) return @"";
+  NSMutableString *result = [NSMutableString string];
+  BOOL firstKey = YES;
+  for (NSString *key in keys) {
+    if (firstKey) {
+      [result appendFormat:@"   %2d. %-20s: %@\n", index, key.UTF8String, cert[key]];
+      firstKey = NO;
+    } else {
+      [result appendFormat:@"       %-20s: %@\n", key.UTF8String, cert[key]];
+    }
+  }
+  return result.copy;
 }
 
 @end

Source/santactl/Commands/SNTCommandFlushCache.m

@@ -12,13 +12,17 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Foundation/Foundation.h>
+
+#import "SNTCommand.h"
 #import "SNTCommandController.h"
 
+#import <MOLXPCConnection/MOLXPCConnection.h>
+
 #import "SNTLogging.h"
-#import "SNTXPCConnection.h"
 #import "SNTXPCControlInterface.h"
 
-@interface SNTCommandFlushCache : NSObject<SNTCommand>
+@interface SNTCommandFlushCache : SNTCommand<SNTCommandProtocol>
 @end
 
 @implementation SNTCommandFlushCache
@@ -44,8 +48,8 @@ REGISTER_COMMAND_NAME(@"flushcache")
           @"Returns 0 if successful, 1 otherwise");
 }
 
-+ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
-  [[daemonConn remoteObjectProxy] flushCache:^(BOOL success) {
+- (void)runWithArguments:(NSArray *)arguments {
+  [[self.daemonConn remoteObjectProxy] flushCache:^(BOOL success) {
     if (success) {
       LOGI(@"Cache flush requested");
       exit(0);

Source/santactl/Commands/SNTCommandRule.m

@@ -12,21 +12,23 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Foundation/Foundation.h>
+
+#import "SNTCommand.h"
 #import "SNTCommandController.h"
 
-#include "SNTLogging.h"
+#import <MOLCertificate/MOLCertificate.h>
+#import <MOLCodesignChecker/MOLCodesignChecker.h>
+#import <MOLXPCConnection/MOLXPCConnection.h>
 
-#import "MOLCertificate.h"
-#import "MOLCodesignChecker.h"
 #import "SNTConfigurator.h"
 #import "SNTDropRootPrivs.h"
 #import "SNTFileInfo.h"
+#include "SNTLogging.h"
 #import "SNTRule.h"
-#import "SNTXPCConnection.h"
 #import "SNTXPCControlInterface.h"
 
-@interface SNTCommandRule : NSObject<SNTCommand>
-@property SNTXPCConnection *daemonConn;
+@interface SNTCommandRule : SNTCommand<SNTCommandProtocol>
 @end
 
 @implementation SNTCommandRule
@@ -42,7 +44,7 @@ REGISTER_COMMAND_NAME(@"rule")
 }
 
 + (NSString *)shortHelpText {
-  return @"Manually add/remove rules.";
+  return @"Manually add/remove/check rules.";
 }
 
 + (NSString *)longHelpText {
@@ -52,26 +54,23 @@ REGISTER_COMMAND_NAME(@"rule")
           @"    --blacklist: add to blacklist\n"
           @"    --silent-blacklist: add to silent blacklist\n"
           @"    --remove: remove existing rule\n"
+          @"    --check: check for an existing rule\n"
           @"\n"
           @"  One of:\n"
           @"    --path {path}: path of binary/bundle to add/remove.\n"
           @"                   Will add the hash of the file currently at that path.\n"
-          @"    --sha256 {sha256}: hash to add/remove\n"
+          @"                   Does not work with --check. Use the fileinfo verb to check.\n"
+          @"                   the rule state of a file.\n"
+          @"    --sha256 {sha256}: hash to add/remove/check\n"
           @"\n"
           @"  Optionally:\n"
-          @"    --certificate: add certificate rule instead of binary\n"
+          @"    --certificate: add or check a certificate sha256 rule instead of binary\n"
           @"    --message {message}: custom message\n");
 }
 
-+ (void)printErrorUsageAndExit:(NSString *)error {
-  printf("%s\n\n", [error UTF8String]);
-  printf("%s\n", [[self longHelpText] UTF8String]);
-  exit(1);
-}
-
-+ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
+- (void)runWithArguments:(NSArray *)arguments {
   SNTConfigurator *config = [SNTConfigurator configurator];
-  if ([config syncBaseURL] != nil) {
+  if ([config syncBaseURL] && ![arguments containsObject:@"--check"]) {
     printf("SyncBaseURL is set, rules are managed centrally.\n");
     exit(1);
   }
@@ -81,6 +80,7 @@ REGISTER_COMMAND_NAME(@"rule")
   newRule.type = SNTRuleTypeBinary;
 
   NSString *path;
+  BOOL check = NO;
 
   // Parse arguments
   for (NSUInteger i = 0; i < arguments.count; ++i) {
@@ -94,6 +94,8 @@ REGISTER_COMMAND_NAME(@"rule")
       newRule.state = SNTRuleStateSilentBlacklist;
     } else if ([arg caseInsensitiveCompare:@"--remove"] == NSOrderedSame) {
       newRule.state = SNTRuleStateRemove;
+    } else if ([arg caseInsensitiveCompare:@"--check"] == NSOrderedSame) {
+      check = YES;
     } else if ([arg caseInsensitiveCompare:@"--certificate"] == NSOrderedSame) {
       newRule.type = SNTRuleTypeCertificate;
     } else if ([arg caseInsensitiveCompare:@"--path"] == NSOrderedSame) {
@@ -119,12 +121,21 @@ REGISTER_COMMAND_NAME(@"rule")
     }
   }
 
+  if (check) {
+    if (!newRule.shasum) return [self printErrorUsageAndExit:@"--check requires --sha256"];
+    return [self printStateOfRule:newRule daemonConnection:self.daemonConn];
+  }
+
   if (path) {
     SNTFileInfo *fi = [[SNTFileInfo alloc] initWithPath:path];
+    if (!fi.path) {
+      [self printErrorUsageAndExit:@"Provided path was not a plain file"];
+    }
+
     if (newRule.type == SNTRuleTypeBinary) {
       newRule.shasum = fi.SHA256;
     } else if (newRule.type == SNTRuleTypeCertificate) {
-      MOLCodesignChecker *cs = [[MOLCodesignChecker alloc] initWithBinaryPath:fi.path];
+      MOLCodesignChecker *cs = [fi codesignCheckerWithError:NULL];
       newRule.shasum = cs.leafCertificate.SHA256;
     }
   }
@@ -135,9 +146,9 @@ REGISTER_COMMAND_NAME(@"rule")
     [self printErrorUsageAndExit:@"Either SHA-256 or path to file must be specified"];
   }
 
-  [[daemonConn remoteObjectProxy] databaseRuleAddRules:@[newRule]
-                                            cleanSlate:NO
-                                                 reply:^(NSError *error) {
+  [[self.daemonConn remoteObjectProxy] databaseRuleAddRules:@[newRule]
+                                                 cleanSlate:NO
+                                                      reply:^(NSError *error) {
     if (error) {
       printf("Failed to modify rules: %s", [error.localizedDescription UTF8String]);
       LOGD(@"Failure reason: %@", error.localizedFailureReason);
@@ -153,4 +164,58 @@ REGISTER_COMMAND_NAME(@"rule")
   }];
 }
 
+- (void)printStateOfRule:(SNTRule *)rule daemonConnection:(MOLXPCConnection *)daemonConn {
+  NSString *fileSHA256 = (rule.type == SNTRuleTypeBinary) ? rule.shasum : nil;
+  NSString *certificateSHA256 = (rule.type == SNTRuleTypeCertificate) ? rule.shasum : nil;
+  dispatch_group_t group = dispatch_group_create();
+  dispatch_group_enter(group);
+  __block NSMutableString *output;
+  [[daemonConn remoteObjectProxy] decisionForFilePath:nil
+                                           fileSHA256:fileSHA256
+                                    certificateSHA256:certificateSHA256
+                                                reply:^(SNTEventState s) {
+    output = (SNTEventStateAllow & s) ? @"Whitelisted".mutableCopy : @"Blacklisted".mutableCopy;
+    switch (s) {
+      case SNTEventStateAllowUnknown:
+      case SNTEventStateBlockUnknown:
+        [output appendString:@" (Unknown)"];
+        break;
+      case SNTEventStateAllowBinary:
+      case SNTEventStateBlockBinary:
+        [output appendString:@" (Binary)"];
+        break;
+      case SNTEventStateAllowCertificate:
+      case SNTEventStateBlockCertificate:
+        [output appendString:@" (Certificate)"];
+        break;
+      case SNTEventStateAllowScope:
+      case SNTEventStateBlockScope:
+        [output appendString:@" (Scope)"];
+        break;
+      default:
+        output = @"None".mutableCopy;
+        break;
+    }
+    if (isatty(STDOUT_FILENO)) {
+      if ((SNTEventStateAllow & s)) {
+        [output insertString:@"\033[32m" atIndex:0];
+        [output appendString:@"\033[0m"];
+      } else if ((SNTEventStateBlock & s)) {
+        [output insertString:@"\033[31m" atIndex:0];
+        [output appendString:@"\033[0m"];
+      } else {
+        [output insertString:@"\033[33m" atIndex:0];
+        [output appendString:@"\033[0m"];
+      }
+    }
+    dispatch_group_leave(group);
+  }];
+  if (dispatch_group_wait(group, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC))) {
+    printf("Cannot communicate with daemon");
+    exit(1);
+  }
+  printf("%s\n", output.UTF8String);
+  exit(0);
+}
+
 @end

Source/santactl/Commands/SNTCommandStatus.m

@@ -12,13 +12,17 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Foundation/Foundation.h>
+
+#import "SNTCommand.h"
 #import "SNTCommandController.h"
 
+#import <MOLXPCConnection/MOLXPCConnection.h>
+
 #import "SNTConfigurator.h"
-#import "SNTXPCConnection.h"
 #import "SNTXPCControlInterface.h"
 
-@interface SNTCommandStatus : NSObject<SNTCommand>
+@interface SNTCommandStatus : SNTCommand<SNTCommandProtocol>
 @end
 
 @implementation SNTCommandStatus
@@ -42,7 +46,7 @@ REGISTER_COMMAND_NAME(@"status")
           @"  Use --json to output in JSON format");
 }
 
-+ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
+- (void)runWithArguments:(NSArray *)arguments {
   dispatch_group_t group = dispatch_group_create();
 
   // Daemon status
@@ -50,7 +54,7 @@ REGISTER_COMMAND_NAME(@"status")
   __block uint64_t cpuEvents, ramEvents;
   __block double cpuPeak, ramPeak;
   dispatch_group_enter(group);
-  [[daemonConn remoteObjectProxy] clientMode:^(SNTClientMode cm) {
+  [[self.daemonConn remoteObjectProxy] clientMode:^(SNTClientMode cm) {
     switch (cm) {
       case SNTClientModeMonitor:
         clientMode = @"Monitor";
@@ -65,8 +69,8 @@ REGISTER_COMMAND_NAME(@"status")
     dispatch_group_leave(group);
   }];
   dispatch_group_enter(group);
-  [[daemonConn remoteObjectProxy] watchdogInfo:^(uint64_t wd_cpuEvents, uint64_t wd_ramEvents,
-                                                 double wd_cpuPeak, double wd_ramPeak) {
+  [[self.daemonConn remoteObjectProxy] watchdogInfo:^(uint64_t wd_cpuEvents, uint64_t wd_ramEvents,
+                                                      double wd_cpuPeak, double wd_ramPeak) {
     cpuEvents = wd_cpuEvents;
     cpuPeak = wd_cpuPeak;
     ramEvents = wd_ramEvents;
@@ -77,44 +81,86 @@ REGISTER_COMMAND_NAME(@"status")
   BOOL fileLogging = ([[SNTConfigurator configurator] fileChangesRegex] != nil);
 
   // Kext status
-  __block int64_t cacheCount = -1;
+  __block uint64_t rootCacheCount = -1, nonRootCacheCount = -1;
   dispatch_group_enter(group);
-  [[daemonConn remoteObjectProxy] cacheCount:^(int64_t count) {
-    cacheCount = count;
+  [[self.daemonConn remoteObjectProxy] cacheCounts:^(uint64_t rootCache, uint64_t nonRootCache) {
+    rootCacheCount = rootCache;
+    nonRootCacheCount = nonRootCache;
     dispatch_group_leave(group);
   }];
 
   // Database counts
   __block int64_t eventCount = -1, binaryRuleCount = -1, certRuleCount = -1;
   dispatch_group_enter(group);
-  [[daemonConn remoteObjectProxy] databaseRuleCounts:^(int64_t binary, int64_t certificate) {
+  [[self.daemonConn remoteObjectProxy] databaseRuleCounts:^(int64_t binary, int64_t certificate) {
     binaryRuleCount = binary;
     certRuleCount = certificate;
     dispatch_group_leave(group);
   }];
   dispatch_group_enter(group);
-  [[daemonConn remoteObjectProxy] databaseEventCount:^(int64_t count) {
+  [[self.daemonConn remoteObjectProxy] databaseEventCount:^(int64_t count) {
     eventCount = count;
     dispatch_group_leave(group);
   }];
 
   // Sync status
-  NSString *syncURLStr = [[[SNTConfigurator configurator] syncBaseURL] absoluteString];
-  NSDateFormatter *dateFormatter = [[NSDateFormatter alloc] init];
-  dateFormatter.dateFormat = @"yyyy/MM/dd HH:mm:ss Z";
-  NSDate *lastSyncSuccess = [[SNTConfigurator configurator] syncLastSuccess];
-  NSString *lastSyncSuccessStr = [dateFormatter stringFromDate:lastSyncSuccess] ?: @"Never";
-  BOOL syncCleanReqd = [[SNTConfigurator configurator] syncCleanRequired];
+  __block NSDate *fullSyncLastSuccess;
+  dispatch_group_enter(group);
+  [[self.daemonConn remoteObjectProxy] fullSyncLastSuccess:^(NSDate *date) {
+    fullSyncLastSuccess = date;
+    dispatch_group_leave(group);
+  }];
+
+  __block NSDate *ruleSyncLastSuccess;
+  dispatch_group_enter(group);
+  [[self.daemonConn remoteObjectProxy] ruleSyncLastSuccess:^(NSDate *date) {
+    ruleSyncLastSuccess = date;
+    dispatch_group_leave(group);
+  }];
+
+  __block BOOL syncCleanReqd = NO;
+  dispatch_group_enter(group);
+  [[self.daemonConn remoteObjectProxy] syncCleanRequired:^(BOOL clean) {
+    syncCleanReqd = clean;
+    dispatch_group_leave(group);
+  }];
+
+  __block BOOL pushNotifications = NO;
+  if ([[SNTConfigurator configurator] syncBaseURL]) {
+    dispatch_group_enter(group);
+    [[self.daemonConn remoteObjectProxy] pushNotifications:^(BOOL response) {
+      pushNotifications = response;
+      dispatch_group_leave(group);
+    }];
+  }
+
+  __block BOOL bundlesEnabled = NO;
+  if ([[SNTConfigurator configurator] syncBaseURL]) {
+    dispatch_group_enter(group);
+    [[self.daemonConn remoteObjectProxy] bundlesEnabled:^(BOOL response) {
+      bundlesEnabled = response;
+      dispatch_group_leave(group);
+    }];
+  }
 
   // Wait a maximum of 5s for stats collected from daemon to arrive.
   if (dispatch_group_wait(group, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 5))) {
     fprintf(stderr, "Failed to retrieve some stats from daemon\n\n");
   }
 
+  // Format dates
+  NSDateFormatter *dateFormatter = [[NSDateFormatter alloc] init];
+  dateFormatter.dateFormat = @"yyyy/MM/dd HH:mm:ss Z";
+  NSString *fullSyncLastSuccessStr = [dateFormatter stringFromDate:fullSyncLastSuccess] ?: @"Never";
+  NSString *ruleSyncLastSuccessStr =
+      [dateFormatter stringFromDate:ruleSyncLastSuccess] ?: fullSyncLastSuccessStr;
+
+  NSString *syncURLStr = [[[SNTConfigurator configurator] syncBaseURL] absoluteString];
+
   if ([arguments containsObject:@"--json"]) {
     NSDictionary *stats = @{
       @"daemon" : @{
-        @"mode" : clientMode,
+        @"mode" : clientMode ?: @"null",
         @"file_logging" : @(fileLogging),
         @"watchdog_cpu_events" : @(cpuEvents),
         @"watchdog_ram_events" : @(ramEvents),
@@ -122,7 +168,8 @@ REGISTER_COMMAND_NAME(@"status")
         @"watchdog_ram_peak" : @(ramPeak),
       },
       @"kernel" : @{
-        @"cache_count" : @(cacheCount),
+        @"root_cache_count" : @(rootCacheCount),
+        @"non_root_cache_count": @(nonRootCacheCount),
       },
       @"database" : @{
         @"binary_rules" : @(binaryRuleCount),
@@ -130,9 +177,12 @@ REGISTER_COMMAND_NAME(@"status")
         @"events_pending_upload" : @(eventCount),
       },
       @"sync" : @{
-        @"server" : syncURLStr,
+        @"server" : syncURLStr ?: @"null",
         @"clean_required" : @(syncCleanReqd),
-        @"last_successful" : lastSyncSuccessStr
+        @"last_successful_full" : fullSyncLastSuccessStr ?: @"null",
+        @"last_successful_rule" : ruleSyncLastSuccessStr ?: @"null",
+        @"push_notifications" : pushNotifications ? @"Connected" : @"Disconnected",
+        @"bundle_scanning" : @(bundlesEnabled)
       },
     };
     NSData *statsData = [NSJSONSerialization dataWithJSONObject:stats
@@ -142,22 +192,27 @@ REGISTER_COMMAND_NAME(@"status")
     printf("%s\n", [statsStr UTF8String]);
   } else {
     printf(">>> Daemon Info\n");
-    printf("  %-22s | %s\n", "Mode", [clientMode UTF8String]);
-    printf("  %-22s | %s\n", "File Logging", (fileLogging ? "Yes" : "No"));
-    printf("  %-22s | %lld  (Peak: %.2f%%)\n", "Watchdog CPU Events", cpuEvents, cpuPeak);
-    printf("  %-22s | %lld  (Peak: %.2fMB)\n", "Watchdog RAM Events", ramEvents, ramPeak);
+    printf("  %-25s | %s\n", "Mode", [clientMode UTF8String]);
+    printf("  %-25s | %s\n", "File Logging", (fileLogging ? "Yes" : "No"));
+    printf("  %-25s | %lld  (Peak: %.2f%%)\n", "Watchdog CPU Events", cpuEvents, cpuPeak);
+    printf("  %-25s | %lld  (Peak: %.2fMB)\n", "Watchdog RAM Events", ramEvents, ramPeak);
     printf(">>> Kernel Info\n");
-    printf("  %-22s | %lld\n", "Kernel cache count", cacheCount);
+    printf("  %-25s | %lld\n", "Root cache count", rootCacheCount);
+    printf("  %-25s | %lld\n", "Non-root cache count", nonRootCacheCount);
     printf(">>> Database Info\n");
-    printf("  %-22s | %lld\n", "Binary Rules", binaryRuleCount);
-    printf("  %-22s | %lld\n", "Certificate Rules", certRuleCount);
-    printf("  %-22s | %lld\n", "Events Pending Upload", eventCount);
+    printf("  %-25s | %lld\n", "Binary Rules", binaryRuleCount);
+    printf("  %-25s | %lld\n", "Certificate Rules", certRuleCount);
+    printf("  %-25s | %lld\n", "Events Pending Upload", eventCount);
 
     if (syncURLStr) {
       printf(">>> Sync Info\n");
-      printf("  %-22s | %s\n", "Sync Server", [syncURLStr UTF8String]);
-      printf("  %-22s | %s\n", "Clean Sync Required", (syncCleanReqd ? "Yes" : "No"));
-      printf("  %-22s | %s\n", "Last Successful Sync", [lastSyncSuccessStr UTF8String]);
+      printf("  %-25s | %s\n", "Sync Server", [syncURLStr UTF8String]);
+      printf("  %-25s | %s\n", "Clean Sync Required", (syncCleanReqd ? "Yes" : "No"));
+      printf("  %-25s | %s\n", "Last Successful Full Sync", [fullSyncLastSuccessStr UTF8String]);
+      printf("  %-25s | %s\n", "Last Successful Rule Sync", [ruleSyncLastSuccessStr UTF8String]);
+      printf("  %-25s | %s\n", "Push Notifications",
+             (pushNotifications ? "Connected" : "Disconnected"));
+      printf("  %-25s | %s\n", "Bundle Scanning", (bundlesEnabled ? "Yes" : "No"));
     }
   }