santad: Stop ignoring CSInfoPlistFailed (#204)

It is too broad a check for the few false positive events we have seen.

.gitignore

@@ -1,8 +1,10 @@
 .DS_Store
 Build
 santa-*
+!*.md
 Pods
 Santa.xcodeproj/xcuserdata
 Santa.xcodeproj/project.xcworkspace
 Santa.xcworkspace/xcuserdata
 Santa.xcworkspace/xcshareddata
+Source/DevelopmentTeam.xcconfig

.travis.yml

@@ -1,6 +1,8 @@
 ---
 language: objective-c
-cache: cocoapods
+cache:
+  - bundler
+  - cocoapods
 sudo: false
 osx_image: xcode7
 

Conf/Package/Makefile

@@ -82,3 +82,4 @@ myclean:
 	@rm -f com.google.santad.plist
 	@rm -f com.google.santagui.plist
 	@rm -f install.sh
+	@rm -f uninstall.sh

Conf/Package/postinstall

@@ -18,7 +18,8 @@ sleep 1
 sleep 1
 
 # Create hopefully useful symlink for santactl
-/bin/ln -sf /Library/Extensions/santa-driver.kext/Contents/MacOS/santactl /usr/local/bin
+mkdir -p /usr/local/bin
+/bin/ln -sf /Library/Extensions/santa-driver.kext/Contents/MacOS/santactl /usr/local/bin/santactl
 
 user=$(/usr/bin/stat -f '%u' /dev/console)
 [[ -z "$user" ]] && exit 0

Conf/com.google.santa.asl.conf

@@ -1,6 +1,6 @@
 # Copy this file to /etc/asl to log all messages from santa-driver to the log file
-> /var/log/santa.log format="[$((Time)(ISO8601Z.3))] $Message" mode=0644 rotate=seq compress file_max=25M all_max=100M uid=0 gid=0
+> /var/db/santa/santa.log format="[$((Time)(ISO8601Z.3))] $Message" mode=0644 rotate=seq compress file_max=25M all_max=100M uid=0 gid=0
 ? [= Sender kernel] [S= Message santa-driver:] claim
-? [= Sender kernel] [S= Message santa-driver:] file /var/log/santa.log
+? [= Sender kernel] [S= Message santa-driver:] file /var/db/santa/santa.log
 ? [= Facility com.google.santa] claim
-? [= Facility com.google.santa] file /var/log/santa.log
+? [= Facility com.google.santa] file /var/db/santa/santa.log

Conf/install.sh

@@ -36,6 +36,7 @@ GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
 # Copy new files.
 /bin/cp -r ${SOURCE}/binaries/santa-driver.kext /Library/Extensions
 /bin/cp -r ${SOURCE}/binaries/Santa.app /Applications
+mkdir -p /usr/local/bin
 /bin/ln -s /Library/Extensions/santa-driver.kext/Contents/MacOS/santactl /usr/local/bin
 
 /bin/cp ${SOURCE}/conf/com.google.santad.plist /Library/LaunchDaemons

Conf/uninstall.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Uninstalls Santa from the boot volume, clearing up everything but logs/configs.
+# Unloads the kernel extension, services, and deletes component files.
+# If a user is logged in, also unloads the GUI agent.
+
+[ "$EUID" != 0 ] && printf "%s\n" "This requires running as root/sudo." && exit 1
+
+/bin/launchctl remove com.google.santad
+sleep 1
+/sbin/kextunload -b com.google.santa-driver >/dev/null 2>&1
+user=$(/usr/bin/stat -f '%u' /dev/console)
+[[ -n "$user" ]] && /bin/launchctl asuser ${user} /bin/launchctl remove com.google.santagui
+# and to clean out the log config, although it won't write after wiping the binary
+/usr/bin/killall -HUP syslogd
+# delete artifacts on-disk
+/bin/rm -rf /Applications/Santa.app
+/bin/rm -rf /Library/Extensions/santa-driver.kext
+/bin/rm -f /Library/LaunchAgents/com.google.santagui.plist
+/bin/rm -f /Library/LaunchDaemons/com.google.santad.plist
+/bin/rm -f /private/etc/asl/com.google.santa.asl.conf
+/bin/rm -f /usr/local/bin/santactl # just a symlink
+#uncomment to remove the config file and all databases, log files
+#/bin/rm -rf /var/db/santa
+#/bin/rm -f /var/log/santa*
+exit 0

Docs/deployment/configuration.md

@@ -0,0 +1,113 @@
+# Configuration
+
+Two configuration methods can be used to control Santa: local configuration and a sync server controlled configuration. There are certain options that can only be controlled with a local configuration and others that can only be controlled with a sync server controlled configuration. Additionally, there are options that can be controlled by both.
+
+## Local Configuration
+
+| Key                           | Value Type | Description                              |
+| ----------------------------- | ---------- | ---------------------------------------- |
+| ClientMode*                   | Integer    | 1 = MONITOR, 2 = LOCKDOWN, defaults to MONITOR |
+| FileChangesRegex*             | String     | The regex of paths to log file changes. Regexes are specified in ICU format. |
+| WhitelistRegex*               | String     | A regex to whitelist if the binary or certificate scopes did not allow execution.  Regexes are specified in ICU format. |
+| BlacklistRegex*               | String     | A regex to blacklist if the binary or certificate scopes did not block an execution.  Regexes are specified in ICU format. |
+| EnablePageZeroProtection      | Bool       | Enable `__PAGEZERO` protection, defaults to YES. If this flag is set to YES, 32-bit binaries that are missing the `__PAGEZERO` segment will be blocked even in MONITOR mode, **unless** the binary is whitelisted by an explicit rule. |
+| MoreInfoURL                   | String     | The URL to open when the user clicks "More Info..." when opening Santa.app.  If unset, the button will not be displayed. |
+| EventDetailURL                | String     | See the [EventDetailURL](#eventdetailurl) section below. |
+| EventDetailText               | String     | Related to the above property, this string represents the text to show on the button. |
+| UnknownBlockMessage           | String     | In Lockdown mode this is the message shown to the user when an unknown binary is blocked. If this message is not configured a reasonable default is provided. |
+| BannedBlockMessage            | String     | This is the message shown to the user when a binary is blocked because of a rule if that rule doesn't provide a custom message. If this is not configured a reasonable  default is provided. |
+| ModeNotificationMonitor       | String     | The notification text to display when the client goes into Monitor mode. Defaults to "Switching into Monitor mode". |
+| ModeNotificationLockdown      | String     | The notification text to display when the client goes into Lockdown mode. Defaults to "Switching into Lockdown mode". |
+| SyncBaseURL*                  | String     | The base URL of the sync server.         |
+| ClientAuthCertificateFile     | String     | If set, this contains the location of a PKCS#12 certificate to be used for sync authentication. |
+| ClientAuthCertificatePassword | String     | Contains the password for the PKCS#12 certificate. |
+| ClientAuthCertificateCN       | String     | If set, this is the Common Name of a certificate in the System keychain to be used for sync authentication. The corresponding private key must also be in the keychain. |
+| ClientAuthCertificateIssuerCN | String     | If set, this is the Issuer Name of a certificate in the System keychain to be used for sync authentication. The corresponding private key must also be in the keychain. |
+| ServerAuthRootsData           | Data       | If set, this is valid PEM containing one or more certificates to be used to evaluate the server's SSL chain, overriding the list of trusted CAs distributed with the OS. |
+| ServerAuthRootsFile           | String     | The same as the above but is a path to a file on disk containing the PEM data. |
+| MachineOwner                  | String     | The machine owner.                       |
+| MachineID                     | String     | The machine ID.                          |
+| MachineOwnerPlist             | String     | The path to a plist that contains the MachineOwnerKey / value pair. |
+| MachineOwnerKey               | String     | The key to use on MachineOwnerPlist.     |
+| MachineIDPlist                | String     | The path to a plist that contains the MachineOwnerKey / value pair. |
+| MachineIDKey                  | String     | The key to use on MachineIDPlist.        |
+
+*protected keys: If a sync server is configured, this setting cannot be changed while santad is running as it is assumed the setting will be provided by the sync server.
+
+##### EventDetailURL
+
+When the user gets a block notification, a button can be displayed which will take them to a web page with more information about that event.
+
+This property contains a kind of format string to be turned into the URL to send them to. The following sequences will be replaced in the final URL:
+
+| Key          | Description                              |
+| ------------ | ---------------------------------------- |
+| %file_sha%   | SHA-256 of the file that was blocked     |
+| %machine_id% | ID of the machine                        |
+| %username%   | The executing user                       |
+| %bundle_id%  | Bundle ID of the binary, if applicable   |
+| %bundle_ver% | Bundle version of the binary, if applicable |
+
+For example: `https://sync-server-hostname/%machine_id%/%file_sha%`
+
+##### Example Config
+
+Here is an example of a configuration that could be set.
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>BannedBlockMessage</key>
+	<string>This application has been banned</string>
+	<key>ClientMode</key>
+	<integer>1</integer>
+	<key>EnablePageZeroProtection</key>
+	<false/>
+	<key>EventDetailText</key>
+	<string>Open sync server</string>
+	<key>EventDetailURL</key>
+	<string>https://sync-server-hostname/blockables/%file_sha%</string>
+	<key>FileChangesRegex</key>
+	<string>^/(?!(?:private/tmp|Library/(?:Caches|Managed Installs/Logs|(?:Managed )?Preferences))/)</string>
+	<key>MachineIDKey</key>
+	<string>MachineUUID</string>
+	<key>MachineIDPlist</key>
+	<string>/Library/Preferences/com.company.machine-mapping.plist</string>
+	<key>MachineOwnerKey</key>
+	<string>Owner</string>
+	<key>MachineOwnerPlist</key>
+	<string>/Library/Preferences/com.company.machine-mapping.plist</string>
+	<key>ModeNotificationLockdown</key>
+	<string>Entering Lockdown mode</string>
+	<key>ModeNotificationMonitor</key>
+	<string>Entering Monitor mode&lt;br/&gt;Please be careful!</string>
+	<key>MoreInfoURL</key>
+	<string>https://sync-server-hostname/moreinfo</string>
+	<key>SyncBaseURL</key>
+	<string>https://sync-server-hostname/api/santa/</string>
+	<key>UnknownBlockMessage</key>
+	<string>This application has been blocked from executing.</string>
+</dict>
+</plist>
+```
+
+## Sync server Provided Configuration
+
+| Key                            | Value Type | Description                              |
+| ------------------------------ | ---------- | ---------------------------------------- |
+| client_mode                    | String     | MONITOR or LOCKDOWN, defaults to MONITOR. |
+| clean_sync**                   | Bool       | If set to `True` Santa will clear all local rules and download a fresh copy from the sync-server. Defaults to `False`. |
+| batch_size                     | Integer    | The number of rules to download or events to upload per request. Multiple requests will be made if there is more work than can fit in single request. Defaults to 50. |
+| upload_logs_url**              | String     | If set, the endpoint to send Santa's current logs. No default. |
+| whitelist_regex                | String     | Same as the "Local Configuration" WhitelistRegex. No default. |
+| blacklist_regex                | String     | Same as the "Local Configuration" BlacklistRegex. No default. |
+| fcm_token*                     | String     | The FCM token used by Santa to listen for FCM messages. Unique for every machine. No default. |
+| fcm_full_sync_interval*        | Integer    | The full sync interval if a fcm_token is set. Defaults to  14400 secs (4 hours). |
+| fcm_global_rule_sync_deadline* | Integer    | The max time to wait before performing a rule sync when a global rule sync FCM message is received. This allows syncing to be staggered for global events to avoid spikes in server load. Defaults to 600 secs (10 min). |
+| bundles_enabled*               | Bool       | If set to `True` the bundle scanning feature is enabled. Defaults to `False`. |
+
+*Held only in memory. Not persistent upon process restart.
+
+**Performed once per preflight run (if set).

Docs/details/events.md

@@ -0,0 +1,141 @@
+# Events
+
+Events are a defined set of data, core to how Santa interacts with a sync server. Events are generated when there is a blocked `execve()` while in Lockdown or Monitor mode. Events are also generated in Monitor mode for an `execve()` that was allowed to run, but would have been blocked in Lockdown mode. This allows an admin to roll out Santa to their macOS fleet in Monitor mode but still collect meaningful data. The events collected while in Monitor mode can be used to build a reasonably comprehensive whitelist of signing certificates and binaries before switching the fleet to Lockdown mode.
+
+##### Event Data
+
+Events begin their life as an [SNTStoredEvent](https://github.com/google/santa/blob/master/Source/common/SNTStoredEvent.h) object. The SNTStoredEvent class is just a simple storage class that has properties for all the relevant bits of information. More importantly the class implements the [NSSecureCoding](https://developer.apple.com/documentation/foundation/nssecurecoding?language=objc) protocol. This allows the objects to be encoded and decoded for storage in the events sqlite3 database on disk and sent over XPC to another process.
+
+Events are temporarily stored in a database until they are uploaded. The format is subject the change; accessing the events database directly will most likely break in future releases. If direct access to the events database is required, raise a [issue on the Santa GitHub](https://github.com/google/santa/issues).
+
+###### JSON
+
+Before an event is uploaded to a sync server, the event data is copied into a JSON blob. Here is an example of Firefox being blocked and sent for upload:
+
+```json
+{
+  "events": [
+    {
+      "file_path": "/var/folders/l5/pd9rhsp54s79_9_qcy746_tw00b_4p/T/AppTranslocation/254C1357-7461-457B-B734-A0FDAF0F26D9/d/Firefox.app/Contents/MacOS",
+      "file_bundle_version": "5417.6.28",
+      "parent_name": "launchd",
+      "logged_in_users": [
+        "bur"
+      ],
+      "quarantine_timestamp": 0,
+      "signing_chain": [
+        {
+          "cn": "Developer ID Application: Mozilla Corporation (43AQ936H96)",
+          "valid_until": 1652123338,
+          "org": "Mozilla Corporation",
+          "valid_from": 1494270538,
+          "ou": "43AQ936H96",
+          "sha256": "96f18e09d65445985c7df5df74ef152a0bc42e8934175a626180d9700c343e7b"
+        },
+        {
+          "cn": "Developer ID Certification Authority",
+          "valid_until": 1801519935,
+          "org": "Apple Inc.",
+          "valid_from": 1328134335,
+          "ou": "Apple Certification Authority",
+          "sha256": "7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f"
+        },
+        {
+          "cn": "Apple Root CA",
+          "valid_until": 2054670036,
+          "org": "Apple Inc.",
+          "valid_from": 1146001236,
+          "ou": "Apple Certification Authority",
+          "sha256": "b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024"
+        }
+      ],
+      "file_bundle_name": "Firefox",
+      "executing_user": "bur",
+      "ppid": 1,
+      "file_bundle_path": "/var/folders/l5/pd9rhsp54s79_9_qcy746_tw00b_4p/T/AppTranslocation/254C1357-7461-457B-B734-A0FDAF0F26D9/d/Firefox.app",
+      "file_name": "firefox",
+      "execution_time": 1501691337.059514,
+      "file_sha256": "dd78f456a0929faf5dcbb6d952992d900bfdf025e1e77af60f0b029f0b85bf09",
+      "decision": "BLOCK_BINARY",
+      "file_bundle_id": "org.mozilla.firefox",
+      "file_bundle_version_string": "54.0.1",
+      "pid": 49368,
+      "current_sessions": [
+        "bur@console",
+        "bur@ttys000",
+        "bur@ttys001",
+        "bur@ttys002",
+        "bur@ttys003",
+        "bur@ttys004"
+      ]
+    }
+  ]
+}
+```
+
+
+
+##### Event Lifecycle
+
+1. santad generates a new event
+2. santad compares, or adds if not present, the event's SHA-256 file hash to an in-memory cache with a timeout of 10 min. If an event with an matching hash is present in cache, the event is dropped.
+3. santad saves the event to `/var/db/santa/events.db` with a unique ID assigned as the key.
+4. santad sends an XPC message to the santactl daemon. The message contains the event with instructions to upload the event immediately. This is non-blocking and is performed on a background thread.
+
+##### Bundle Events
+
+Bundle events are a special type of event that are generated when a sync server supports receiving the associated bundle events, instead of just the original event. For example: `/Applications/Keynote.app/Contents/MacOS/Keynote` is blocked and an event representing the binary is uploaded. A whitelist rule is created for that one binary. Great, you can now run `/Applications/Keynote.app/Contents/MacOS/Keynote`, but what about all the other supporting binaries contained in the bundle? You would have to wait until they are executed until an event would be generated. It is very common for a bundle to contain multiple binaries, as shown here with Keynote.app. Waiting to get a block is not a very good user experience.
+
+```sh
+⇒  santactl bundleinfo /Applications/Keynote.app
+Hashing time: 1047 ms
+9 events found
+BundleHash: b475667ab1ab6eddea48bfc2bed76fcef89b8f85ed456c8068351292f7cb4806
+BundleID: com.apple.iWork.Keynote
+	SHA-256: be3aa404ee79c2af863132b93b0eedfdbc34c6e35d4fda2ade6dd637692ead84
+	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.MovieCompatibilityConverter.xpc/Contents/MacOS/com.apple.iWork.MovieCompatibilityConverter
+BundleID: com.apple.iWork.Keynote
+	SHA-256: 3b2582fd5e7652b653276b3980c248dc973e8082e9d0678c96a08d7d1a8366ba
+	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.PICTConverter.xpc/Contents/MacOS/com.apple.iWork.PICTConverter
+BundleID: com.apple.iWork.Keynote
+	SHA-256: f1bf3be05d511d7c7f651cf7b130d4977f8d28d0bfcd7c5de4144b95eaab7ad7
+	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.ExternalResourceAccessor.xpc/Contents/XPCServices/com.apple.iWork.TCMovieExtractor.xpc/Contents/MacOS/com.apple.iWork.TCMovieExtractor
+BundleID: com.apple.iWork.Keynote
+	SHA-256: b59bc8548c91088a40d9023abb5d22fa8731b4aa17693fcb5b98c795607d219a
+	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.BitmapTracer.xpc/Contents/MacOS/com.apple.iWork.BitmapTracer
+BundleID: com.apple.iWork.Keynote
+	SHA-256: 08cb407f541d867f1a63dc3ae44eeedd5181ca06c61df6ef62b5dc7192951a4b
+	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.TCUtilities32.xpc/Contents/MacOS/com.apple.iWork.TCUtilities32
+BundleID: com.apple.iWork.Keynote
+	SHA-256: b965ae7be992d1ce818262752d0cf44297a88324a593c67278d78ca4d16fcc39
+	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.ExternalResourceAccessor.xpc/Contents/XPCServices/com.apple.iWork.TCMovieExtractor.xpc/Contents/XPCServices/com.apple.iWork.TCMovieExtractor.TCUtilities32.xpc/Contents/MacOS/com.apple.iWork.TCMovieExtractor.TCUtilities32
+BundleID: com.apple.iWork.Keynote
+	SHA-256: 59668dc27314f0f6f5daa5f02b564c176f64836c88e2dfe166e90548f47336f1
+	Path: /Applications/Keynote.app/Contents/MacOS/Keynote
+BundleID: com.apple.iWork.Keynote
+	SHA-256: 7ce324f919b14e14d327004b09f83ca81345fd4438c87ead4b699f89e9485595
+	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.ExternalResourceAccessor.xpc/Contents/XPCServices/com.apple.iWork.ExternalResourceValidator.xpc/Contents/MacOS/com.apple.iWork.ExternalResourceValidator
+BundleID: com.apple.iWork.Keynote
+	SHA-256: 6b47f551565d886388eeec5e876b6de9cdd71ef36d43b0762e6ebf02bdd8515d
+	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.ExternalResourceAccessor.xpc/Contents/MacOS/com.apple.iWork.ExternalResourceAccessor
+```
+
+Bundle events provide a mechanism to generate and upload events for all the executable Mach-O binaries within a bundle. To enable bundle event generation a configuration must be set in the preflight sync stage on the sync server. Once set the sync server can use bundle events to drive a better user experience.
+
+Bundle events can be differentiated by the existence of these fields:
+
+| Field                    | Value                                    |
+| ------------------------ | ---------------------------------------- |
+| decision                 | BUNDLE_BINARY                            |
+| file_bundle_hash         | Super Hash of all binary hashes          |
+| file_bundle_hash_millis  | The time in milliseconds it took to find all of the binaries, hash and produce a super hash |
+| file_bundle_binary_count | Number of binaries within the bundle     |
+
+To avoid redundant uploads of a bundle event Santa will wait for the sync server to ask for them. The server will respond to event uploads with a request like this:
+
+| Field                        | Value                                    |
+| ---------------------------- | ---------------------------------------- |
+| event_upload_bundle_binaries | An array of bundle hashes that the sync server needs to be uploaded |
+
+When santactl receives this type of request, it sends an XPC reply to santad to save all the bundle events to the events.db. It then attempts to upload all the bundle events, purging the successes from the events.db. Any failures will be uploaded during the next full sync.
+

Docs/details/ipc.md

@@ -0,0 +1,43 @@
+# Interprocess Communication (IPC)
+
+Most IPC within Santa is done by way of Apple's [XPC](https://developer.apple.com/documentation/xpc?language=objc). Santa wraps [NSXPCConnection](https://developer.apple.com/documentation/foundation/nsxpcconnection?language=objc) to provide client multiplexing, signature validation of connecting clients and forced connection establishment. This is called SNTXPCConnection.
+
+Communication between santad and santa-driver (KEXT) is done with a [IOUserClient](https://developer.apple.com/documentation/kernel/iouserclient?language=objc) subclass and IOKit/IOKitLib.h functions.
+
+##### Who starts who?
+
+The santad and Santa (GUI) processes are both started and kept alive by launchd as a LaunchDaemon and a LaunchAgent, respectively. This means santad runs as root and Santa (GUI) runs as the console user. 
+
+There can be multiple Santa (GUI) processes running, one per user logged into the GUI (assuming fast-user switching is enabled). While multiple processes might be running, only the one for the user currently logged-in will be connected to santad and receiving notifications.
+
+When using a sync server, the santactl process is started by santad. Before the new process starts, all privileges are dropped. santactl runs as _nobody_.
+
+The santabs process is started by launchd via an XPC service connection from santad. XPC services inherit their initiator's privileges meaning santabs runs as root, which is necessary to ensure it has permission to read all files.
+
+| Process  | Parent Process | Running User |
+| -------- | -------------- | ------------ |
+| santad   | launchd        | root         |
+| Santa    | launchd        | user         |
+| santactl | santad         | nobody       |
+| santabs  | launchd        | root         |
+
+
+
+##### Who communicates with who?
+
+In short, santad has two-way communication with every other process. In addition, Santa and santabs have two-way communication between each other. For other combinations, there is no direct communication.
+
+![Santa IPC](santa_ipc.png)
+
+##### SNTXPCConnection and two way communication
+
+`SNTXPCConnection` enforces a server / client model for XPC connections. This allows for strong signature validation and forced connection establishment. The only problem with this model is the lack of two-way communication. For example, process A can call methods on process B and retrieve a response, but process B cannot call methods on process A.
+
+To accomplish two-way communication, the following approach can be used:
+
+1. Process A creates a server with an anonymous `NSXPCListener`.
+2. Process A sends the anonymous `NSXPCListenerEndpoint` to process B over an already established `SNTXPCConnection`.
+3. Process B can now communicate directly with process A.
+
+This is a powerful notion. It enables forced connection establishment between both processes, which is critical when reliability is a concern.
+

Docs/details/logs.md

@@ -0,0 +1,30 @@
+# Logs
+
+Santa currently logs to `/var/db/santa/santa.log` by default. All executions and disk mounts are logged here. File operations can also be configured to be logged. See the `FileChangesRegex` key in the [configuration.md](../deployment/configuration.md) document.
+
+To view the logs:
+
+```sh
+tail -F /var/db/santa/santa.log
+```
+
+The `-F` will continue watching the path even when the current file fills up and rolls over.
+
+##### macOS Unified Logging System (ULS)
+
+Currently all of the most recent releases of Santa are built with the macOS 10.11 SDK. This allows Santa to continue to log to Apple System Logger (ASL) instead of ULS. However, on macOS 10.12+ all of the Kernel logs are sent to ULS. See the KEXT Logging section below for more details.
+
+If you are building Santa yourself and using the macOS 10.12+ SDKs, Santa's logs will be sent to ULS.
+
+Work is currently underway to bypass ASL and ULS altogether, allowing Santa to continue logging to `/var/db/santa/santa.log`. This change will also allow us to add alternative logging formats, like Protocol Buffer or JSON.
+
+##### KEXT Logging
+
+Streaming logs from the santa-driver KEXT does not work properly. Logs are generated but they will likely be garbled or show inaccurate data.
+
+Instead, `show` can be used to view the santa-driver KEXT logs:
+
+```sh
+/usr/bin/log show --info --debug --predicate 'senderImagePath == "/Library/Extensions/santa-driver.kext/Contents/MacOS/santa-driver"'
+```
+

Docs/details/mode.md

@@ -0,0 +1,62 @@
+# Mode
+
+Santa can run in one of two modes, Lockdown or Monitor. To check the current status run the following command:
+
+```sh
+⇒  santactl status
+>>> Daemon Info
+  Mode                      | Monitor
+  File Logging              | Yes
+  Watchdog CPU Events       | 0  (Peak: 13.59%)
+  Watchdog RAM Events       | 0  (Peak: 31.49MB)
+>>> Kernel Info
+  Root cache count          | 107
+  Non-root cache count      | 0
+>>> Database Info
+  Binary Rules              | 5
+  Certificate Rules         | 2
+  Events Pending Upload     | 0
+>>> Sync Info
+  Sync Server               | https://sync-server-hostname.com
+  Clean Sync Required       | No
+  Last Successful Full Sync | 2017/08/02 21:44:17 -0400
+  Last Successful Rule Sync | 2017/08/02 21:44:17 -0400
+  Push Notifications        | Connected
+  Bundle Scanning           | Yes
+```
+
+##### Monitor mode
+
+The default mode. Running Santa in Monitor Mode will stop any binaries matching blacklist rules, but will not stop unknown binaries from running. This is a flexible state, allowing virtually zero user interruption but still gives protection against known blacklisted binaries. In addition execution events that would have been blocked in Lockdown mode are generated and can be collected and analyzed by a sync server.
+
+##### Lockdown mode
+
+Running Santa in Lockdown Mode will stop all blacklisted binaries and additionally will prevent all unknown binaries from running. This means that if the binary has no rules or scopes that apply, then it will be blocked.
+
+##### Changing Modes
+
+There are two ways to change the running mode: changing the config.plist and with a sync server configuration.
+
+###### Change modes with the config.plist
+
+The `ClientMode` config key is protected while santad is running and will revert any attempt to change it.
+
+Change to Monitor mode:
+
+```sh
+sudo launchctl unload /Library/LaunchDaemons/com.google.santad.plist
+sudo defaults write /var/db/santa/config.plist ClientMode -int 1
+sudo launchctl load /Library/LaunchDaemons/com.google.santad.plist
+```
+
+Change to Lockdown mode:
+
+```sh
+sudo launchctl unload /Library/LaunchDaemons/com.google.santad.plist
+sudo defaults write /var/db/santa/config.plist ClientMode -int 2
+sudo launchctl load /Library/LaunchDaemons/com.google.santad.plist
+```
+
+######Change modes with a sync server
+
+The mode is set in the preflight sync stage. Use the key `client_mode` and a value of `MONITOR` or `LOCKDOWN`.

Docs/details/rules.md

@@ -0,0 +1,104 @@
+# Rules
+
+Rules provide the primary evaluation mechanism for whitelisting and blacklisting binaries with Santa on macOS. There are two types of rules: binary and certificate.
+
+##### Binary Rules
+
+Binary rules use the SHA-256 hash of the entire binary as an identifier. This is the most specific rule in Santa. Even a small change in the binary will alter the SHA-256 hash, invalidating the rule.
+
+##### Certificate Rules
+
+Certificate rules are formed from the SHA-256 fingerprint of an X.509 leaf signing certificate. This is a powerful rule type that has a much broader reach than an individual binary rule . A signing certificate can sign any number of binaries. Whitelisting or blacklisting just a few key signing certificates can cover the bulk of an average user's binaries. The leaf signing certificate is the only part of the chain that is evaluated. Though the whole chain is available for viewing.
+
+```sh
+⇒  santactl fileinfo /Applications/Dropbox.app --key "Signing Chain"
+Signing Chain:
+     1. SHA-256             : 2a0417257348a20f96c9de0486b44fcc7eaeaeb7625b207591b8109698c02dd2
+        SHA-1               : 86ec91f726ba9caa09665b2109c49117f0b93134
+        Common Name         : Developer ID Application: Dropbox, Inc.
+        Organization        : Dropbox, Inc.
+        Organizational Unit : G7HH3F8CAK
+        Valid From          : 2012/06/19 16:10:30 -0400
+        Valid Until         : 2017/06/20 16:10:30 -0400
+
+     2. SHA-256             : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f
+        SHA-1               : 3b166c3b7dc4b751c9fe2afab9135641e388e186
+        Common Name         : Developer ID Certification Authority
+        Organization        : Apple Inc.
+        Organizational Unit : Apple Certification Authority
+        Valid From          : 2012/02/01 17:12:15 -0500
+        Valid Until         : 2027/02/01 17:12:15 -0500
+
+     3. SHA-256             : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
+        SHA-1               : 611e5b662c593a08ff58d14ae22452d198df6c60
+        Common Name         : Apple Root CA
+        Organization        : Apple Inc.
+        Organizational Unit : Apple Certification Authority
+        Valid From          : 2006/04/25 17:40:36 -0400
+        Valid Until         : 2035/02/09 16:40:36 -0500
+```
+
+If you wanted to whitelist or blacklist all software signed with this perticular Dropbox signing certificate you would use the leaf SHA-256 fingerprint.
+
+`2a0417257348a20f96c9de0486b44fcc7eaeaeb7625b207591b8109698c02dd2`
+
+Santa does not evaluate the `Valid From` or `Valid Until` fields, nor does it check the Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP) for revoked certificates. Adding rules for the certificate chain's intermediates or roots has no effect on binaries signing by a leaf. Santa ignores the chain and is only concerned with the leaf certificate's SHA-256 hash.
+
+##### Rule Evaluation
+
+When a process is trying to `execve()` santad retrieves information on the binary,  including a hash of the entire file and the signing chain (if any). The hash and signing leaf certificate are then passed through the [SNTPolicyProcessor](https://github.com/google/santa/blob/master/Source/santad/SNTPolicyProcessor.h). Rules are evaluated from most specific to least specific. First binary (either whitelist or blacklist), then certificate (either whitelist or blacklist). If no rules are found that apply, scopes are then searched. See the [scopes.md](scopes.md) document for more information on scopes.
+
+You can use the `santactl fileinfo` command to check the status of any given binary on the filesystem.
+
+###### Whitelisted with a Binary Rule 
+
+```sh
+⇒  santactl fileinfo /Applications/Hex\ Fiend.app --key Rule
+Whitelisted (Binary)
+```
+
+###### Whitelisted with a Certificate Rule
+
+```sh
+⇒  santactl fileinfo /Applications/Safari.app --key Rule
+Whitelisted (Certificate)
+```
+
+###### Blacklisted with a Binary Rule
+
+```sh
+⇒  santactl fileinfo /usr/bin/yes --key Rule
+Blacklisted (Binary)
+```
+
+###### Blacklisted with a Certificate Rule
+
+```sh
+⇒  santactl fileinfo /Applications/Malware.app --key Rule
+Blacklisted (Certificate)
+```
+
+You can also check arbitrary SHA-256 binary and certificate hashes for rules. The rule verb needs to be run with root privileges.
+
+For checking the SHA-256 hash of `/usr/bin/yes`:
+
+```sh
+sudo santactl rule --check --sha256 $(santactl fileinfo --key SHA-256 /usr/bin/yes)
+Blacklisted (Binary)
+```
+
+For checking the SHA-256 hash of `/usr/bin/yes ` signing certificate:
+
+```sh
+⇒  sudo santactl rule --check --certificate --sha256 $(santactl fileinfo --cert-index 1 --key SHA-256 /usr/bin/yes)
+Whitelisted (Certificate)
+```
+
+##### Built-in rules
+
+To avoid blocking any Apple system binaries or Santa binaries, santad will create 2 immutable certificate rules at startup:
+
+* The signing certificate santad is signed with
+* The signing certificate launchd is signed with
+
+By creating these two rules at startup, Santa should never block critical Apple system binaries or other Santa components.

Docs/details/santa-driver.md

@@ -0,0 +1,94 @@
+# santa-driver
+
+santa-driver is a macOS [kernel extension](https://developer.apple.com/library/content/documentation/Darwin/Conceptual/KEXTConcept/KEXTConceptIntro/introduction.html) (KEXT) that makes use of the [Kernel Authorization](https://developer.apple.com/library/content/technotes/tn2127/_index.html) (Kauth) KPI. This allows santa-driver to listen for events and either deny or defer the decision of those events. The santa-driver acts as an intermediary layer between Kauth and santad, with some caching to lower the overhead of decision making.
+
+##### Kauth
+
+santa-driver utilizes two Kauth scopes `KAUTH_SCOPE_VNODE` and `KAUTH_SCOPE_FILEOP `. It registers itself with the Kauth API by calling `kauth_listen_scope()` for each scope. This function takes three arguments:
+
+* `const char *scope`
+* `kauth_scope_callback_t _callback`_
+* `void *contex`
+
+It returns a `kauth_listener_t` that is stored for later use, in Santa's case to stop listening.
+
+###### KAUTH_SCOPE_VNODE
+
+Here is how santa-driver starts listening for `KAUTH_SCOPE_VNODE` events.
+
+```c++
+vnode_listener_ = kauth_listen_scope(
+    KAUTH_SCOPE_VNODE, vnode_scope_callback, reinterpret_cast<void *>(this));
+```
+
+The function `vnode_scope_callback` is called for every vnode event. There are many types of vnode events, they complete list can be viewed in the kauth.h. There are many types of vnode events, the complete list can be viewed in kauth.h. Santa is only concerned with regular files generating `KAUTH_VNODE_EXECUTE` [1] and `KAUTH_VNODE_WRITE_DATA` events. All non-regular files and unnecessary vnode events are filtered out.
+
+Here is how santa-driver stops listening for `KAUTH_SCOPE_VNODE` events:
+
+```c++
+kauth_unlisten_scope(vnode_listener_);
+```
+
+[1] `KAUTH_VNODE_EXECUTE` events that do not have the `KAUTH_VNODE_ACCESS` advisory bit set.
+
+###### KAUTH_SCOPE_FILEOP
+
+Santa also listens for file operations, this is mainly used for logging [1] and cache invalidation. 
+
+* `KAUTH_FILEOP_DELETE`, `KAUTH_FILEOP_RENAME`, `KAUTH_FILEOP_EXCHANGE` and `KAUTH_FILEOP_LINK` are logged
+* `KAUTH_FILEOP_EXEC` is used to log `execve()`s. Since the `KAUTH_VNODE_EXECUTE` is used to allow or deny an `execve()` the process arguments have not been setup yet. Since `KAUTH_FILEOP_EXEC` is triggered after an `execve()` it is used to log the `execve()`.
+
+[1] `KAUTH_FILEOP_CLOSE` is used to invalidate that file's representation in the cache. If a file has changed it needs to be re-evalauted. This is particularly necessary for files that were added to the cache with an action of allow.
+
+##### Driver Interface
+
+santa-driver implements an [IOUserClient](https://developer.apple.com/documentation/kernel/iouserclient?language=objc) subclass and santad interacts with it through IOKit/IOKitLib.h functions.
+
+[//]: # "TODO(bur, rah) Flesh out the details"
+
+##### Cache
+
+To aid in performance, santa-driver utilizes a caching system to hold the state of all observed `execve()` events.
+
+###### Key
+
+The key is a `uint64_t`. The top 32 bits hold the filesystem ID, while the bottom 32 bits hold the file unique ID. Together we call this the vnode_id.
+
+```c++
+uint64_t vnode_id = (((uint64_t)fsid << 32) | fileid);
+```
+
+###### Value
+
+The value is a `uint64_t` containing the action necessary, along with the decision timestamp. The action is stored in the top 8 bits. The decision timestamp is stored in the remaining 56 bits.
+
+```c++
+santa_action_t action = (santa_action_t)(cache_val >> 56);
+uint64_t decision_time = (cache_val & ~(0xFF00000000000000));
+```
+
+The possible actions are:
+
+| Actions                 | Expiry Time      | Description                              |
+| ----------------------- | ---------------- | ---------------------------------------- |
+| `ACTION_REQUEST_BINARY` | None             | Awaiting an allow or deny decision from santad. |
+| `ACTION_RESPOND_ALLOW`  | None             | Allow the `execve()`                     |
+| `ACTION_RESPOND_DENY`   | 500 milliseconds | Deny the `execve()`, but re-evalaute after 500 milliseconds. If someone is trying to run a banned binary continually every millisecond for example, only 2 evaluation requests to santad for would occur per second. This mitigates a denial of service type attack on santad. |
+
+###### Invalidation
+
+Besides the expiry time for individual entries, the entire cache will be cleared if any of the following events takes place:
+
+* Addition of a blacklist rule
+* Addition of a blacklist regex scope
+* Cache fills up. This defaults to `5000` entries for the root volume and `500` for all other mounted volumes.
+
+To view the current kernel cache count see the "Kernel info" section of `santactl status`:
+
+```sh
+⇒  santactl status
+>>> Kernel Info
+    Root cache count          | 107
+    Non-root cache count      | 0
+```
+

Docs/details/santa-gui.md

@@ -0,0 +1,11 @@
+# Santa GUI
+
+The Santa GUI process is pretty simple. It's only job is the display user GUI notifications. There are two types of notifications it can display:
+
+A notification when an `execve()` is blocked.
+
+![Block](block.png)
+
+Notifications when specific rules arrive (when using FCM for push notifications).
+
+![Notification](push.png)

Docs/details/santabs.md

@@ -0,0 +1,44 @@
+# santabs
+
+The santabs process is an XPC service for the santa-driver.kext bundle, meaning only binaries within that bundle can launch santabs. It will be launched with the same privileges as its calling process. Currently, santad is the only caller of santabs, so santabs runs as root.
+
+##### Events
+
+The santabs process is quite simple and only does one thing: it generates non-execution events for the contents of a bundle.
+
+When there is an `execve()` that is blocked within a bundle, a few actions take place:
+
+1. The highest ancestor bundle in the tree is found
+
+   * So `/Applications/DVD Player.app/Contents/MacOS/DVD Player` would be `/Applications/DVD Player.app`
+   * Or `/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension` would be `/Applications/Safari.app`
+
+2. The ancestor bundle is then searched for Mach-O executables
+
+   * For Safari that would currently be 4 binaries
+
+   * ```sh
+     Hashing time: 53 ms
+     4 events found
+     BundleHash: 718773556ca5ea798f984fde2fe1a5994f175900b26d2964c9358a0f469a4ac6
+     BundleID: com.apple.Safari
+     	SHA-256: ea872e83a518ce442ed050c4408a448d915e2bae90ef8455ce7805448d864a3e
+     	Path: /Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
+     BundleID: com.apple.Safari
+     	SHA-256: 1a43283857b1822164f82af274c476204748c0a2894dbcaa11ed17f78e0273cc
+     	Path: /Applications/Safari.app/Contents/MacOS/Safari
+     BundleID: com.apple.Safari
+     	SHA-256: ab0ac54dd90144931b681d1e84e198c6510be44ac5339437bc004e60777af7ba
+     	Path: /Applications/Safari.app/Contents/Resources/appdiagnose
+     BundleID: com.apple.Safari
+     	SHA-256: f49c5aa3a7373127d0b4945782b1fa375dd3707d66808fd66b7c0756430defa8
+     	Path: /Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService
+     ```
+
+3. Events are created for each binary and the bundle hash is calculated
+
+4. These events are sent to the sync server for processing
+
+##### Bundle Hash
+
+The found events are sorted by their file SHA-256 hash. The hashes are concatenated and then SHA-256 hashed. This is now a strong indicator on what Mach-O executables were within the bundle at the time of scan. This can then be verified by the sync server when deciding to generate rules.

Docs/details/santactl.md

@@ -0,0 +1,425 @@
+# santactl
+
+This may be the most complex part of Santa. It does two types of work:
+
+1. It contains all of the code and functionality for syncing with a sync-server.
+2. It can be used to view the state and configuration of Santa as a whole. It can also inspect individual files. When running without a sync server it also a supported method of managing the rules database.
+
+The details of santactl's syncing functionality are covered in the syncing.md document. This document will cover the status work that santactl performs.
+
+##### status
+
+To view the status of Santa run `santactl status`
+
+```sh
+⇒  santactl status
+>>> Daemon Info
+  Mode                      | Monitor
+  File Logging              | Yes
+  Watchdog CPU Events       | 0  (Peak: 2.19%)
+  Watchdog RAM Events       | 0  (Peak: 29.45MB)
+>>> Kernel Info
+  Kernel cache count        | 123
+>>> Database Info
+  Binary Rules              | 321
+  Certificate Rules         | 123
+  Events Pending Upload     | 0
+>>> Sync Info
+  Sync Server               | https://sync-server.com/santa/
+  Clean Sync Required       | No
+  Last Successful Full Sync | 2017/08/10 15:05:32 -0400
+  Last Successful Rule Sync | 2017/08/10 15:29:21 -0400
+  Push Notifications        | Connected
+  Bundle Scanning           | Yes
+```
+
+The status command also has the ability to print JSON output `santactl status --json`
+
+```sh
+⇒  santactl status --json
+{
+  "kernel" : {
+    "cache_count" : 123
+  },
+  "daemon" : {
+    "watchdog_ram_events" : 0,
+    "watchdog_ram_peak" : 29.44921875,
+    "watchdog_cpu_events" : 0,
+    "file_logging" : true,
+    "mode" : "Monitor",
+    "watchdog_cpu_peak" : 2.188006666666666
+  },
+  "database" : {
+    "events_pending_upload" : 0,
+    "certificate_rules" : 123,
+    "binary_rules" : 321
+  },
+  "sync" : {
+    "last_successful_rule" : "2017\/08\/10 15:29:21 -0400",
+    "push_notifications" : "Connected",
+    "bundle_scanning" : true,
+    "clean_required" : false,
+    "server" : "https:\/\//sync-server.com\/santa\/",
+    "last_successful_full" : "2017\/08\/10 15:05:32 -0400"
+  }
+}
+```
+
+##### version
+
+To view all of the component versions `santactl version`
+
+```sh
+⇒  santactl version
+santa-driver    | 0.9.19
+santad          | 0.9.19
+santactl        | 0.9.19
+SantaGUI        | 0.9.19
+```
+
+Again, a JSON version is available `santactl version --json`
+
+```sh
+⇒  santactl version --json
+{
+  "santa-driver" : "0.9.19",
+  "santad" : "0.9.19",
+  "SantaGUI" : "0.9.19",
+  "santactl" : "0.9.19"
+}
+```
+
+##### fileinfo
+
+The fileinfo verb is very powerful and can be used to tease out just about anything you wish to know about a file, with respect to the domain of Santa.
+
+Here is an example of using `santactl fileinfo ` to inspect the main executable within `/Applications/Hex Fiend.app`. 
+
+```sh
+⇒  santactl fileinfo /Applications/Hex\ Fiend.app
+Path                 : /Applications/Hex Fiend.app/Contents/MacOS/Hex Fiend
+SHA-256              : efaf88db065beae61615f6f176c11c751555d2bad3c5da6cdad71635896014f1
+SHA-1                : 5585e6fb94eace1bd37da9a0a2f928e992d7c60c
+Bundle Name          : Hex Fiend
+Bundle Version       : 170205
+Bundle Version Str   : 2.5
+Download Referrer URL: http://ridiculousfish.com/hexfiend/
+Download URL         : http://ridiculousfish.com/hexfiend/files/Hex_Fiend_2.5.dmg
+Download Timestamp   : 2017/06/29 12:52:16 -0400
+Download Agent       : com.google.Chrome
+Type                 : Executable (x86-64)
+Code-signed          : Yes
+Rule                 : Whitelisted (Unknown)
+Signing Chain:
+     1. SHA-256             : ba1be5d2d60a43658a0c6ebf61b577e428439b53ef2e0b96ba90285e2c82a1b2
+        SHA-1               : 8fdbf6d6c22a97c472fb4961b7733ab0d8830ff7
+        Common Name         : Developer ID Application: Kevin Wojniak
+        Organization        : Kevin Wojniak
+        Organizational Unit : QK92QP33YN
+        Valid From          : 2012/10/30 01:07:40 -0400
+        Valid Until         : 2017/10/31 01:07:40 -0400
+
+     2. SHA-256             : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f
+        SHA-1               : 3b166c3b7dc4b751c9fe2afab9135641e388e186
+        Common Name         : Developer ID Certification Authority
+        Organization        : Apple Inc.
+        Organizational Unit : Apple Certification Authority
+        Valid From          : 2012/02/01 17:12:15 -0500
+        Valid Until         : 2027/02/01 17:12:15 -0500
+
+     3. SHA-256             : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
+        SHA-1               : 611e5b662c593a08ff58d14ae22452d198df6c60
+        Common Name         : Apple Root CA
+        Organization        : Apple Inc.
+        Organizational Unit : Apple Certification Authority
+        Valid From          : 2006/04/25 17:40:36 -0400
+        Valid Until         : 2035/02/09 16:40:36 -0500
+```
+
+Any of the desired information can be targeted with the `--key` flag
+
+```sh
+⇒  santactl fileinfo /Applications/Hex\ Fiend.app --key SHA-256
+efaf88db065beae61615f6f176c11c751555d2bad3c5da6cdad71635896014f1
+```
+
+Multiple `--key` flags are allowed
+
+```sh
+⇒  santactl fileinfo /Applications/Hex\ Fiend.app --key SHA-256 --key Rule
+efaf88db065beae61615f6f176c11c751555d2bad3c5da6cdad71635896014f1
+Whitelisted (Unknown)
+```
+
+The `--json` flag can also be used at any point
+
+```sh
+⇒  santactl fileinfo /Applications/Hex\ Fiend.app --key SHA-256 --key Rule --json
+{
+  "SHA-256" : "efaf88db065beae61615f6f176c11c751555d2bad3c5da6cdad71635896014f1",
+  "Rule" : "Whitelisted (Unknown)"
+}
+```
+
+Multiple files are also supported as input
+
+```sh
+⇒  santactl fileinfo /bin/* --key SHA-256 --key Rule --json
+[
+{
+  "SHA-256" : "5d8e161c21fc1a43374c4cf21be05360dbe2ecea0165fd4725ae7a958f2a0b02",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "295fbc2356e8605e804f95cb6d6f992335e247dbf11767fe8781e2a7f889978a",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "9f9b36ec79b9fcaf649e17f2f94c544dd408c2ab630e73d7c62a7a43f1bc7b1d",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "08a09d2d9bade16872acdf5da1c4e9d29582ed985480a9e73fd389e98293c40d",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "48e4b938b363201ec11d06a13d8080c1bd77187d286780259b9304c96edc5324",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "7dff6291a29fdaf97dad64c0671dc5d1ecc42189bc5daf8ca08e2a3ae06aff95",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "7cbba457df4c02d6a7fb93046fea0e869732c65a2225bee6f2e8ec290d38c57b",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "39e894d1705656451f592884a56bcc76e7ffbb9ed2a8b81d5f2878e1c0e68dbe",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "8555ed4622410aa7b4379041acabf80fe452a90efe3be2697406935ff0d6822e",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "cee3e29089f8919ee904328904a7492995cfa398b027857fbf8b3e601397b308",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "da2cfa9fc2cabd41907f9d0931cea79000a19520fe0b3d73fc40537408730e40",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "73aee02c4761e5501b1fdfa51ccd316bf735017a5cc0a09d5bcc46f4e7112be9",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "3a1c4ca5a038b42b1fbfca6f9bec25d307a8af40afbe9c48b307372fe8167a2f",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "9dc8e1c5b6ec49602dd968eb88286e330220233f7cfa6e73fd37fc983a365084",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "78fd9b8749c2a216ca76ff4541754d4cf5a5e2e8c00710a85c3fdab171486f92",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "c4daaf12bd42adee60549872126e15186c75d89e760f078bfa6a45a861f6400f",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "9dba1cbb01bce47a9610a40cbcbc27704a754e31a889503eb0670c3a25f7ad72",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "a5ae86cd413589d9661fc604349fb153c0d6f5dfa3d9e95e01b8bc5e09bc1da1",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "a5ae86cd413589d9661fc604349fb153c0d6f5dfa3d9e95e01b8bc5e09bc1da1",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "c4c5517ff40a33006028853a19734d8cda8e2942cb9ba27b8310e07f18677487",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "a944b104742db59204b45f1dae657bd6a845ff2374e1ade3cf9f09cc428154cf",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "09e143cf3b6c4dcc98676cc45543613b83b6527b502d4dacb42b3f6c7036ef5a",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "47cea771e93aff464f1060a6a1a2c3855401e6cd22c3971b2b76fae92e8c33b4",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "5682f15628ae15e5c29aa37f19ec421bbe4aca47734864b6363b73a16f891888",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "83c29a2445d84daf51eebd51668753fb39600a136efc20aba7298a812b44974c",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "83929910d3cd2c401636337fadc747a9a8ea6c174bfd80f1e96b99d877ddfa6e",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "cccd818698aa802b116586a773643d0b951067dea8284304acaae62ac97b362b",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "2bf2d10a7529a88d340ce0255da52dbef9873ccb44e46d23af03abf70b8e54ca",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "956f2dc7ba31663dd3a9b70e84e6a2491980165426b90cacd10db4bd010c3353",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "da1a3ae959751b211928f175f6c8987408a976be44690022c92d45ef5a8cb6e5",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "1e51209ae4549a72432ad504341c0731a282b33ba99c5f7f4e2abc9993e09b0a",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "7dff6291a29fdaf97dad64c0671dc5d1ecc42189bc5daf8ca08e2a3ae06aff95",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "5d8e161c21fc1a43374c4cf21be05360dbe2ecea0165fd4725ae7a958f2a0b02",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "83929910d3cd2c401636337fadc747a9a8ea6c174bfd80f1e96b99d877ddfa6e",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "17372eafbe9e920d5715a9cffa59f881ef4ed949785c1e2adf9c067d550dbde6",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "b1834d55b76c65d57cef1219a30331452301e84b6e315f2a17e5b5b295ce1648",
+  "Rule" : "Whitelisted (Certificate)"
+}
+]
+```
+
+Recursive lookups of an application or directory is a soon to be added feature
+
+```sh
+⇒  santactl fileinfo --recursive /Applications/Santa.app --key SHA-256 --key Rule --key Type --json
+[
+{
+  "SHA-256" : "c149c10c83abaf6b602401106f098b68d47a1a433ab02455cef2ca8057cf4a82",
+  "Type" : "Unknown",
+  "Rule" : "Whitelisted (Scope)"
+},
+{
+  "SHA-256" : "c339c3e5e04c732ae493dbc4a26d18fccc8bb48cea0cc0762ccd8754ef318a0b",
+  "Type" : "Unknown",
+  "Rule" : "Whitelisted (Scope)"
+},
+{
+  "SHA-256" : "6ee757ab65d7c93e8b6a467b44cd2f0d10b6db7da8b6200e778c3ca279ea5619",
+  "Type" : "Executable (x86-64)",
+  "Rule" : "Whitelisted (Certificate)"
+},
+{
+  "SHA-256" : "82502191c9484b04d685374f9879a0066069c49b8acae7a04b01d38d07e8eca0",
+  "Type" : "Unknown",
+  "Rule" : "Whitelisted (Scope)"
+},
+{
+  "SHA-256" : "9814019f865a540d3635012a75db932eaefc9a62468750f2294350690430aadf",
+  "Type" : "Unknown",
+  "Rule" : "Whitelisted (Scope)"
+},
+{
+  "SHA-256" : "05a9c9dbbf0a7a30f083e3dccd8db3d96845e0644930977b4e284c65083b89ac",
+  "Type" : "Unknown",
+  "Rule" : "Whitelisted (Scope)"
+},
+{
+  "SHA-256" : "e1db8fdffc5017684f962c51fad059dcaa06ab5d551186aa85711f80b727d23d",
+  "Type" : "Unknown",
+  "Rule" : "Whitelisted (Scope)"
+}
+]
+```
+
+##### rule
+
+The rule command is covered in the [rules.md](rules.md) document.
+
+##### sync
+
+The sync command is covered in the [syncing.md](syncing.md) document.
+
+##### Debug Commands
+
+There are a few commands that are not included in the release versions of Santa. They are mainly used during development and only accessible with a debug build of Santa.
+
+##### bundleinfo
+
+This prints info about all of the executable Mach-O files within a bundle. It also prints the calculated bundle hash for that particular bundle. A bundle hash is a notion used by Santa to represent a set of binaries.
+
+```sh
+⇒  santactl bundleinfo /Applications/Hex\ Fiend.app
+Hashing time: 12 ms
+4 events found
+BundleHash: 33da3e2d5e2ccbdb9d34fb9753c2c18805e6325853d2fb4eb947915c90113efc
+BundleID: com.ridiculousfish.HexFiend
+	SHA-256: e592a7c65f803675c0b7d55ab7d2a1a2696c9f097a99dc28a4083d7387e53d95
+	Path: /Applications/Hex Fiend.app/Contents/Library/LaunchServices/com.ridiculousfish.HexFiend.PrivilegedHelper
+BundleID: com.ridiculousfish.HexFiend
+	SHA-256: ce23d39a1a8ff2b42baad5a0204b24b57590bb7ff74c9552b3ba10d9c1517279
+	Path: /Applications/Hex Fiend.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate
+BundleID: com.ridiculousfish.HexFiend
+	SHA-256: efaf88db065beae61615f6f176c11c751555d2bad3c5da6cdad71635896014f1
+	Path: /Applications/Hex Fiend.app/Contents/MacOS/Hex Fiend
+BundleID: com.ridiculousfish.HexFiend
+	SHA-256: 148d6ae55176b619e5eb9f5000922b3ca4c126206fc5782f925d112027f9db3c
+	Path: /Applications/Hex Fiend.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop
+```
+
+See the [santabs.md](santabs.md) document for more information on bundles and bundle hashes.
+
+##### checkcache
+
+This is used to check if a particular file is apart of santa-driver's kernel cache. Mainly for debugging purposes.
+
+```sh
+⇒  santactl checkcache /usr/bin/yes
+File does not exist in cache
+⇒  /usr/bin/yes
+y
+y
+y
+y
+y
+^C
+⇒  santactl checkcache /usr/bin/yes
+File exists in [whitelist] kernel cache
+```
+
+##### flushcache
+
+This can be used to flush santa-driver's kernel cache, as shown here.
+
+```sh
+⇒  santactl checkcache /usr/bin/yes
+File exists in [whitelist] kernel cache
+⇒  sudo santactl flushcache
+Cache flush requested
+⇒  santactl checkcache /usr/bin/yes
+File does not exist in cache
+```

Docs/details/santad.md

@@ -0,0 +1,23 @@
+# santad
+
+The santad process does the heavy lifting when it comes to making decisions about binary executions. It also handles brokering all of the XPC connections between the various components of Santa. It does all of this with performance being at the forefront. 
+
+##### A note on performance
+
+On an idling machine, santad and the other components of Santa consume virtually no CPU and a minimal amount of memory (5-50MB). When lots of processes `execve()` at the same time, the CPU and memory usage can spike. All of the `execve()` decisions are made on high priority threads to ensure decisions are posted back to the kernel as soon as possible. A watchdog thread will log warnings when sustained high CPU (>20%) and memory (>250MB) usage by santad is detected.
+
+##### On Launch
+
+The very first thing santad does once it has been launched is to load and connect to santa-driver. Only one connection may be active at any given time.
+
+At this point, santa-driver is loaded and running in the kernel, but is allowing all executions and not sending any messages to santad. Before santad tells santa-driver it is ready to receive messages, it needs to setup a few more things:
+
+* The rule and event databases are initialized
+* Connections to Santa (GUI) and santactl sync daemon are established. 
+* The config file is processed.
+
+santad is now ready to start processing decision and logging messages from santa-driver. The listeners are started and santad sits in a run loop awaiting messages from santa-driver. 
+
+##### Running
+
+Messages are read from a shared memory queue (`IODataQueueMemory` ) on a single thread. A callback is invoked for each message. The callback then dispatches all the work of processing a decision message to a concurrent high priority queue. The log messages are dispatched to a low priority queue for processing.

Docs/details/scopes.md

@@ -0,0 +1,27 @@
+# Scopes
+
+In addition to rules, Santa can whitelist or blacklist based on scopes. Currently, only a few scopes are implemented. They fall into one of two categories: a whitelist scope or blacklist scope. Scopes are evaluated after rules, with blacklist evaluation preceding whitelist.
+
+Scopes are a broader way of whitelisting or blacklisting `execve()`s.
+
+For configuration of scopes see [configuration.md](../deployment/configuration.md).
+
+##### Blacklist Scopes
+
+| Scope                | Configurable |
+| -------------------- | ------------ |
+| Blacklist Path Regex | Yes          |
+| Missing __PAGEZERO   | Yes          |
+
+##### Whitelist Scopes
+
+| Scope                | Configurable |
+| -------------------- | ------------ |
+| Whitelist Path Regex | Yes          |
+| Not a Mach-O         | No           |
+
+As seen above, Santa will whitelist any non Mach-O binary under a whitelist scope. However, a blacklist regex or binary SHA-256 rule can be used to block non Mach-O `execve()`s since they are evaluated before the whitelist scopes.
+
+##### Regex Caveats
+
+The paths covered by the whitelist and blacklist regex patterns are not tracked. If an `execve()` is allowed initially, then moved into a blacklist directory, Santa has no knowledge of that move. Since santa-driver caches decisions, the recently moved file will continue to be allowed to `execve()` even though it is now within a blacklisted regex path. The cache holds "allow" decisions until invalidated and "deny" decisions for 500 milliseconds. Going from a blacklist path to a whitelist path is not largely affected.

Docs/development/building.md

@@ -0,0 +1,108 @@
+
+
+# Building
+
+Santa makes use of [rake](https://ruby.github.io/rake/) for building and testing Santa. All of the [releases](https://github.com/google/santa/releases) are made using this same process. Santa's releases are codesigned with Google's KEXT signing certificate. This allows Santa to be loaded with SIP fully enabled.
+
+#### Cloning
+
+Clone the source and change into the directory.
+
+```sh
+git clone https://github.com/google/santa
+cd santa
+```
+
+The above command will default to using the `master` branch. If you wanted to build, run or test a specific version of Santa use this command.
+
+```sh
+git checkout <version, i.e. 0.9.19>
+```
+
+#### Building
+
+Build a debug version of Santa. This keeps all the debug symbols, adds additional logs and does not optimize the compiled output. For speed sensitive tests make sure to benchmark a release version too.
+
+```sh
+rake build:debug
+```
+
+Build a release version of Santa.
+
+```sh
+rake build:release
+```
+
+Both of these just output the binaries that makeup Santa in the default Xcode build location. To actually run  what was built, see the next section.
+
+#### Running
+
+On macOS 10.11+ System Integrity Protection (SIP) prevents loading of kernel extensions that are not signed by an Apple KEXT signing certificate. To be able to load and test a non-release version of Santa, SIP will have to be configured to allow non-Apple KEXT signing certificates.
+
+__This is only to be done a machine that is actively developing, unloading and loading kernel extensions.__
+
+1. Boot into Recovery Mode: Reboot and hold down `command+r`
+2. From the utilities menu select `Terminal`
+3. Disable the KEXT feature of SIP: `csrutil enable --without kext`
+4. Reboot
+
+You should now be able to load and run a non-release version of Santa.
+
+Build and run a debug version of Santa.
+
+```sh
+rake reload:debug
+```
+
+Build and run a release version of Santa.
+
+```sh
+rake reload:release
+```
+
+#### Debugging
+
+Xcode and lldb can be used to debug Santa, just like any other project. Instead of clicking the play button to launch and attach to a process, you can attach to an already running, or soon to by running, component of Santa. To do this select the Debug menu and choose `Attach to Process by PID or Name… `. Below are the four components of Santa and who to debug the process as. 
+
+Note: santa-driver (the kernel extension) cannot be debugged by attaching with Xcode.
+
+Note: Xcode can attach to santad without interruption, however any breakpoints in the decision making codepath can deadlock the machine. Using lldb directly to attach to santad will deadlock the machine.
+
+| process  | user |
+| -------- | ---- |
+| santad   | root |
+| Santa*   | me   |
+| santactl | me   |
+| santabs  | root |
+
+Xcode will then wait for the process to start. Issue this command to restart all the Santa processes in debug mode.
+
+*The Santa (GUI) process is the only component of Santa that can be launched and debugged from Xcode directly. All the other components are launched with privileges and/or are scoped to an XPC service that launchd scopes to a hosting bundle. Thus the need for the `Attach to Process by PID or Name…` technique.  See the [ipc](../details/ipc.md) document for for details.
+
+```sh
+rake reload:debug
+```
+
+Now the process is attached in Xcode and you can debug your day away.
+
+#### Tests
+
+Run all the logic / unit tests
+
+```sh
+rake tests:logic
+```
+
+Run all of santa-driver kernel extension tests
+
+```sh
+rake tests:kernel
+```
+
+#### Releases
+
+Creates a release build of Santa with a version based of the newest tag. Also saves the dsym files for each component of Santa. This makes debugging and interpreting future crashes or kernel panics much easier.
+
+```sh
+rake dist
+```

Docs/index.md

@@ -0,0 +1,46 @@
+# Welcome to the Santa Docs
+
+Santa is a binary whitelisting / blacklisting system for macOS. Here you will find the documentation for understanding how Santa works, how to deploy it and how to contribute.
+
+#### Introduction
+
+The following documents give an overview of how Santa accomplishes binary whitelisting / blacklisting at the enterprise scale.
+
+- [Binary Whitelisting](introduction/binary-whitelisting-overview.md): How Santa makes allow or deny decisions for any `execve()` taking place.
+- [Syncing](introduction/syncing-overview.md): How configuration and whitelist / blacklist rules are applied from a sync server.
+
+#### Deployment
+
+* [Configuration](deployment/configuration.md): The local and sync server configuration options.
+
+#### Development
+
+* [Building Santa](development/building.md): How to build and load Santa for testing on a development machine.
+* [Contributing](../CONTRIBUTING.md): How to contribute a bug fix or new feature to Santa.
+
+#### Details
+
+For those who want even more details on how Santa works under the hood, this section is for you.
+
+###### Binaries
+
+There are five main components that make up Santa whose core functionality is described in snippets below. For additional detail on each component, visit their respective pages. These quick descriptions do not encompass all the jobs performed by each component, but do provide a quick look at the basic functionality utilized to achieve the goal of binary whitelisting / blacklisting.
+
+* [santa-driver](details/santa-driver.md): A macOS kernel extension that participates in `execve()` decisions.
+* [santad](details/santad.md): A user-land root daemon that makes decisions on behalf of santa-driver requests.
+* [santactl](details/santactl.md): A user-land anonymous daemon that communicates with a sync server for configurations and policies. santactl can also be used by a user to manually configure Santa when using the local configuration.
+* [santa-gui](details/santa-gui.md): A user-land GUI daemon that displays notifications when an `execve()` is blocked.
+* [santabs](details/santabs.md): A user-land root daemon that finds Mach-O binaries within a bundle and creates events for them. 
+
+###### Concepts
+
+Additional documentation on the concepts that support the operation of the main components:
+
+* [mode](details/mode.md): An operating mode, either Monitor or Lockdown.
+* [events](details/events.md): Represents an `execve()` that was blocked, or would have been blocked, depending on the mode.
+* [rules](details/rules.md): Represents allow or deny decisions for a given `execve()`. Can either be a binary's SHA-256 hash or a leaf code-signing certificate's SHA-256 hash.
+* [scopes](details/scopes.md): The level at which an `execve()` was allowed or denied from taking place.
+* [syncing](introduction/syncing-overview.md): How Santa communicates with a TLS server for configuration, rules and event uploading.
+* [ipc](details/ipc.md): How all the components of Santa communicate.
+  duction/syncing-overview.
+* [logs](details/logs.md): What and where Santa logs.

Docs/introduction/binary-whitelisting-overview.md

@@ -0,0 +1,31 @@
+# Binary Whitelisting Overview
+
+#### Background
+
+The decision flow starts in the kernel. The macOS kernel is extensible by way of a kernel extension (KEXT). macOS makes available kernel programming interfaces (KPIs) to be used by a KEXT. Santa utilizes the Kernel Authorization (Kauth) KPI. This is a very powerful and verbose interface that gives Santa the ability to listen in on most vnode and file systems operations and to take actions, directly or indirectly, on the operations being performed. Still, there are some limitations to Kauth which are pointed out in the santa-driver document. For more information on the santa-driver KEXT see the [santa-driver.md](../details/santa-driver.md) document.
+
+#### Flow of an execve()
+
+This is a high level overview of the binary whitelisting / blacklisting decision process. For a more detailed account of each part, see the respective documentation. This flow does not cover the logging component of Santa, see the [logs.md](../details/logs.md) documentation for more info.
+
+###### Kernel Space
+
+0. santa-driver registers itself as a `KAUTH_SCOPE_VNODE` listener. This flow follows how santa-driver handles `KAUTH_VNODE_EXECUTE` events.
+1. A santa-driver Kauth callback function is executed by the kernel when a process is trying to `execve()`. In most cases, the `execve()` takes place right after a process calls `fork()` to start a new process. This function is running on a kernel thread representing the new process. Information on where to find the executable is provided. This information is known as the `vnode_id`.
+2. santa-driver then checks if its cache has an allow or deny entry for the `vnode_id`. If so it returns that decision to the Kauth KPI. 
+   * If Kauth receives a deny, it will stop the `execve()` from taking place. 
+   * If Kauth receives an allow, it will defer the decision. If there are other Kauth listeners, they also have a chance deny or defer.
+3. If there is no entry for the `vnode_id` in the cache a few actions occur:
+   * santa-driver hands off the decision making to santad.
+   * A new entry is created in the cache for the `vnode_id` with a special value of `ACTION_REQUEST_BINARY`.  This is used as a placeholder until the decision from santad comes back. If another process tries to `execve()` the same `vnode_id`, santa-driver will have that thread wait for the in-flight decision from santad. All subsequent `execve()`s for the same `vnode_id` will use the decision in the cache as explained in #2, until the cache is invalidated. See the [santa-driver.md](../details/santa-driver.md) document for more details on the cache invalidation.
+   * If the executing file is written to while any of the threads are waiting for a response the `ACTION_REQUEST_BINARY` entry is removed, forcing the decision-making process to be restarted.
+
+###### User Space
+
+1. santad is listening for decision requests from santa-driver.
+   * More information is collected about the executable that lives at the `vnode_id`. Since this codepath has a sleeping kernel thread waiting for a decision, extra care is taken to be as performant as possible.
+2. santad uses the information it has gathered to make a decision to allow or deny the `execve()`. There are more details on how these decisions are made in the [rules.md](../details/rules.md) and [scopes.md](../details/scopes.md) documents.
+3. The decision is posted back to santa-driver.
+4. If there was a deny decision, a message is sent to Santa GUI to display a user popup notification.
+
+

Docs/introduction/syncing-overview.md

@@ -0,0 +1,27 @@
+# Syncing Overview
+
+#### Background
+
+Santa can be run and configured without a sync server. Doing so will enable an admin to configure rules with the `santactl rule` command. Using a sync server will enable an admin to configures rules and multiple other settings from the sync server itself. Santa was designed from the start with a sync server in mind. This allows an admin to easily configure and sync rules across a fleet of macOS systems. This document explains the syncing process.
+
+#### Flow of a full sync
+
+This is a high level overview of the syncing process. For a more a more detailed account of each part, see the respective documentation. The santaclt binary can be run in one of two modes, daemon and non-daemon. The non-daemon mode does one full sync and exits. This is the typical way a user will interact with Santa, mainly to force a full sync. The daemon mode is used by santad to schedule full syncs, listen for push notifications and upload events.
+
+0. When the santad process starts up, it looks for a `SyncBaseURL` key/value in the config. If one exists it will `fork()` and `execve()` `santactl sync —-daemon`. Before the new process calls `execve()`, all privileges are dropped. All privileged actions are then restricted to the XPC interface made available to santactl by santad. Since this santactl process is running as a daemon it too exports an XPC interface so santad can interact with the process efficiently and securely. To ensure syncing reliability santad will restart the santactl daemon if it is killed or crashes.
+1. The santactl daemon process now schedules a full sync for 15 sec in the future. The 15 sec is used to let santad settle before santactl starts sending rules from the sync server to process.
+2. The full sync starts. There are a number of stages to a full sync:
+   1. preflight: The sync server can set various settings for Santa.
+   2. logupload (optional): The sync server can request that the Santa logs be uploaded to an endpoint.
+   3. eventupload (optional): If Santa has generated events, it will upload them to the sync-server.
+   4. ruledownload: Download rules from the sync server.
+   5. postflight: Updates timestamps for successful syncs.
+3. After the full sync completes a new full sync will be scheduled, by default this will be 10min. However there are a few ways to manipulate this:
+   1. The sync server can send down a configuration in the preflight to override the 10min interval. It can be anything greater than 10min.
+   2. Firebase Cloud Messaging (FCM) can be used. The sync server can send down a configuration in the preflight to have the santactl daemon to start listening for FCM messages. If a connection to FCM is made, the full sync interval drops to a default of 4 hours. This can be further configured by a preflight configuration. The FCM connection allows the sync-sever to talk directly with Santa. This way we can reduce polling the sync server dramatically.
+4. Full syncs will continue to take place at their configured interval. If configured FCM messages will continue to be digested and acted upon.
+
+#### santactl XPC interface
+
+When running as a daemon, the santactl process makes available an XPC interface for use by santad. This allows santad to send blocked binary or bundle events directly to santactl for immediate upload to the sync-server, enabling a smoother user experience. The binary that was blocked on macOS is immediately available for viewing or handling on the sync-server.
+

Docs/theme/Santa.css

@@ -0,0 +1,3 @@
+.wy-side-nav-search {
+  background-color: rgb(253, 67, 69);
+}

Podfile

@@ -11,6 +11,11 @@ target :santad do
   pod 'FMDB'
   pod 'MOLCertificate'
   pod 'MOLCodesignChecker'
+  target :santabs do
+    pod 'FMDB'
+    pod 'MOLCertificate'
+    pod 'MOLCodesignChecker'
+  end
 end
 
 target :santactl do
@@ -18,6 +23,7 @@ target :santactl do
   pod 'MOLAuthenticatingURLSession'
   pod 'MOLCertificate'
   pod 'MOLCodesignChecker'
+  pod 'MOLFCMClient', '~> 1.3'
 end
 
 target :LogicTests do

Podfile.lock

@@ -2,27 +2,31 @@ PODS:
   - FMDB (2.6.2):
     - FMDB/standard (= 2.6.2)
   - FMDB/standard (2.6.2)
-  - MOLAuthenticatingURLSession (1.6):
-    - MOLCertificate (~> 1.3)
+  - MOLAuthenticatingURLSession (2.2):
+    - MOLCertificate (~> 1.5)
   - MOLCertificate (1.5)
   - MOLCodesignChecker (1.5):
     - MOLCertificate (~> 1.3)
-  - OCMock (3.3)
+  - MOLFCMClient (1.3):
+    - MOLAuthenticatingURLSession (~> 2.1)
+  - OCMock (3.4)
 
 DEPENDENCIES:
   - FMDB
   - MOLAuthenticatingURLSession
   - MOLCertificate
   - MOLCodesignChecker
+  - MOLFCMClient (~> 1.3)
   - OCMock
 
 SPEC CHECKSUMS:
   FMDB: 854a0341b4726e53276f2a8996f06f1b80f9259a
-  MOLAuthenticatingURLSession: f956240458fb24b61e5607d735948dc9babfb4e3
+  MOLAuthenticatingURLSession: 5a5e31eb73248c3e92c79b9a285f031194e8404c
   MOLCertificate: c39cae866d24d36fbc78032affff83d401b5384a
   MOLCodesignChecker: fc9c64147811d7b0d0739127003e0630dff9213a
-  OCMock: d68685bde31f69cb61d518dcb39269080c78b5ed
+  MOLFCMClient: 13d8b42db9d750e772f09cc38fc453922fece09f
+  OCMock: 35ae71d6a8fcc1b59434d561d1520b9dd4f15765
 
-PODFILE CHECKSUM: bc456d69693ca262c781dbbde40529a9474b84b5
+PODFILE CHECKSUM: acd378b3727c923d912e09812da344f7375c14fe
 
-COCOAPODS: 1.0.1
+COCOAPODS: 1.2.1

README.md

@@ -1,4 +1,6 @@
-Santa  [![Build Status](https://travis-ci.org/google/santa.png?branch=master)](https://travis-ci.org/google/santa)
+Santa
+[![Build Status](https://travis-ci.org/google/santa.png?branch=master)](https://travis-ci.org/google/santa)
+[![Documentation Status](https://readthedocs.org/projects/santa/badge/?version=latest)](https://santa.readthedocs.io/en/latest/?badge=latest)
 =====
 
 <p align="center">
@@ -16,25 +18,57 @@ managing the system and synchronizing the database with a server.
 Santa is not yet a 1.0. We're writing more tests, fixing bugs, working on TODOs
 and finishing up a security audit.
 
-Santa is named because it keeps track of binaries that are naughty and nice.
+It is named Santa because it keeps track of binaries that are naughty or nice.
 
 Santa is a project of Google's Macintosh Operations Team.
 
-Features
+Docs
+========
+The Santa docs are stored in the [Docs](https://github.com/google/santa/blob/master/Docs) directory. A Read the Docs instance is available here: https://santa.readthedocs.io.
+
+Admin-Related Features
 ========
 
-* Multiple modes: MONITOR and LOCKDOWN. In MONITOR mode all binaries except
-those marked as blacklisted will be allowed to run, whilst being logged and
-recorded in the database. In LOCKDOWN mode, only whitelisted binaries are
+* Multiple modes: In the default MONITOR mode, all binaries except
+those marked as blacklisted will be allowed to run, whilst being logged and recorded in the events database. In LOCKDOWN mode, only whitelisted binaries are
 allowed to run.
 
-* Codesign listing: Binaries can be whitelisted/blacklisted by their signing
-certificate, so you can trust/block all binaries by a given publisher. The
-binary will only be whitelisted by certificate if its signature validates
-correctly. However, a decision for a binary will override a decision for a
-certificate; i.e. you can whitelist a certificate while blacklisting a binary
-signed by that certificate or vice-versa.
+* Event logging: When the kext is loaded, all binary launches are logged.
+When in either mode, all unknown or denied binaries are stored in the database to enable later aggregation.
 
+* Certificate-based rules, with override levels: Instead of relying on a binaries hash (or 'fingerprint'), executables can be whitelisted/blacklisted by their signing
+certificate. You can therefore trust/block all binaries by a given publisher that were signed with that cert across version updates. A
+binary can only be whitelisted by its certificate if its signature validates
+correctly, but a rule for a binaries fingerprint will override a decision for a
+certificate; i.e. you can whitelist a certificate while blacklisting a binary
+signed with that certificate, or vice-versa.
+
+* Path-based rules (via NSRegularExpression/ICU): This allows a similar feature as Managed Client for OS X's (the precursor to configuration profiles, which used the same implementation mechanism) Application Launch Restrictions via the mcxalr binary. This implementation carries the added benefit of being configurable via regex, and doesn't rely on LaunchServices. As detailed in the wiki, when evaluating rules this holds the lowest precendence.
+
+* Failsafe cert rules: You cannot put in a deny rule that would block the certificate used to sign launchd, a.k.a. pid 1, and therefore all components used in macOS. The binaries in every OS update (and in some cases entire new versions) are therefore auto-whitelisted. This does not affect binaries from Apple's App Store, which use various certs that change regularly for common apps. Likewise, you cannot blacklist Santa itself, and Santa uses a distinct separate cert than other Google apps.
+
+Intentions and Expectations
+===========================
+No single system or process will stop *all* attacks, or provide 100% security.
+Santa is written with the intention of helping protect users from themselves.
+People often download malware and trust it, giving the malware credentials, or
+allowing unknown software to exfiltrate more data about your system. As a
+centrally managed component, Santa can help stop the spread of malware among a
+larger fleet of machines. Independently, Santa can aid in analyzing what is
+running on your computer.
+
+Santa is part of a defense-in-depth strategy, and you should continue to protect
+hosts in whatever other ways you see fit.
+
+Get Help
+========
+
+If you have questions or otherwise need help getting started, the
+[santa-dev](https://groups.google.com/forum/#!forum/santa-dev) group is a
+great place. Please consult the [wiki](https://github.com/google/santa/wiki) and [issues](https://github.com/google/santa/issues) as well.
+
+Security and Performance-Related Features
+============
 * In-kernel caching: whitelisted binaries are cached in the kernel so the
 processing required to make a request is only done if the binary
 isn't already cached.
@@ -44,42 +78,17 @@ daemon, the GUI agent and the command-line utility) communicate with each other
 using XPC and check that their signing certificates are identical before any
 communication is accepted.
 
-* Event logging: all executions processed by the userland agent are logged and
-all unknown or denied binaries are also stored in the database for upload to a
-server.
-
 * Kext uses only KPIs: the kernel extension only uses provided kernel
 programming interfaces to do its job. This means that the kext code should
 continue to work across OS versions.
 
-Intentions and Expectations
-===========================
-No single system or process will stop *all* attacks, or provide 100% security.
-Santa is written with the intention of helping protect users from themselves.
-People often download malware and trust it, giving the malware credentials, or
-allowing unknown software to exfiltrate more data about your system. As a
-centrally managed component, Santa can help stop the spread of malware among a
-larger fleet of machines. Additionally, Santa can aid in analyzing what is
-running in your fleet.
-
-Santa is part of a defense-in-depth strategy, and you should continue to protect
-hosts in whatever other ways you see fit.
-
-Get Help
-========
-
-If you have questions or need help getting started, the
-[santa-dev](https://groups.google.com/forum/#!forum/santa-dev) group is the
-best place to start.
-
 Known Issues
 ============
 Santa is not yet a 1.0 and we have some known issues to be aware of:
 
 * Santa only blocks execution (execve and variants), it doesn't protect against
-dynamic libraries loaded with dlopen, libraries on disk that have been replaced or
-libraries loaded using `DYLD_INSERT_LIBRARIES`. We are working on also protecting
-against these avenues of attack.
+dynamic libraries loaded with dlopen, libraries on disk that have been replaced, or
+libraries loaded using `DYLD_INSERT_LIBRARIES`. As of version 0.9.1 we *do* address [__PAGEZERO missing issues](b87482e) that were exploited in some versions of macOS. We are working on also protecting against similar avenues of attack.
 
 * Kext communication security: the kext will only accept a connection from a
 single client at a time and said client must be running as root. We haven't yet
@@ -89,9 +98,8 @@ found a good way to ensure the kext only accepts connections from a valid client
 only the root user can read/write it. We're considering approaches to secure
 this further.
 
-* Sync client: the command-line client includes a command to synchronize with a
-management server, including the uploading of events that have occurred on the
-machine and to download new rules. We're still very heavily working on this
+* Sync client: The `santactl` command-line client includes a flag to synchronize with a management server, which uploads events that have occurred on the
+machine and downloads new rules. We're still very heavily working on this
 server (which is AppEngine-based and will be open-sourced in the future), so the
 sync client code is unfinished. It does show the 'API' that we're expecting to
 use so if you'd like to write your own management server, feel free to look at
@@ -104,7 +112,7 @@ of temporary generated scripts, which we can't possibly whitelist and not doing
 so would cause problems. We're happy to revisit this (or at least make it an
 option) if it would be useful to others.
 
-* Documentation: There currently isn't any.
+* Documentation: This is currently limited.
 
 * Tests: There aren't enough of them.
 
@@ -119,6 +127,9 @@ A tool like Santa doesn't really lend itself to screenshots, so here's a video i
 
 Building
 ========
+Firstly, make sure you're using Xcode 7.3.1 as currently we do not support
+building with Xcode 8.
+
 ```sh
 git clone https://github.com/google/santa
 cd santa
@@ -134,6 +145,8 @@ rake build:debug
 Note: the Xcode project is setup to use any installed "Mac Developer" certificate
 and for security-reasons parts of Santa will not operate properly if not signed.
 
+For more details on building see the [building.md](https://github.com/google/santa/blob/master/Docs/development/building.md) document.
+
 Kext Signing
 ============
 Kernel extensions on macOS 10.9 and later must be signed using an Apple-provided

Rakefile

@@ -1,3 +1,5 @@
+require 'openssl'
+
 WORKSPACE           = 'Santa.xcworkspace'
 DEFAULT_SCHEME      = 'All'
 OUTPUT_PATH         = 'Build'
@@ -5,6 +7,8 @@ BINARIES            = ['Santa.app', 'santa-driver.kext']
 DSYMS               = ['Santa.app.dSYM', 'santa-driver.kext.dSYM', 'santad.dSYM', 'santactl.dSYM']
 XCPRETTY_DEFAULTS   = '-sc'
 XCODEBUILD_DEFAULTS = "-workspace #{WORKSPACE} -derivedDataPath #{OUTPUT_PATH} -parallelizeTargets"
+DEVTEAM_FILE        = 'Source/DevelopmentTeam.xcconfig'
+DEVTEAM_CERT_CN     = 'Mac Developer'
 $DISABLE_XCPRETTY   = false
 
 task :default do
@@ -44,6 +48,13 @@ task :init do
     puts "xcpretty is not installed. Install with 'sudo gem install xcpretty'"
     $DISABLE_XCPRETTY = true
   end
+  cert_pem = `security find-certificate -p -c '#{DEVTEAM_CERT_CN}'`
+  cert = OpenSSL::X509::Certificate.new cert_pem
+  team_id = cert.subject.to_a.find {|f| f[0] == "OU"}[1]
+  File.open(DEVTEAM_FILE, 'w') { |f|
+    f.puts("// This file is auto-generated. Do not edit manually")
+    f.puts("DEVELOPMENT_TEAM = #{team_id}")
+  }
 end
 
 task :remove_existing do
@@ -55,6 +66,7 @@ desc "Clean"
 task :clean => :init do
   puts "Cleaning"
   FileUtils.rm_rf(OUTPUT_PATH)
+  xcodebuild("-scheme All clean")
 end
 
 # Build
@@ -94,6 +106,7 @@ namespace :install do
     system 'sudo cp conf/com.google.santad.plist /Library/LaunchDaemons'
     system 'sudo cp conf/com.google.santagui.plist /Library/LaunchAgents'
     system 'sudo cp conf/com.google.santa.asl.conf /etc/asl'
+    system '/usr/bin/killall -HUP syslogd'
     Rake::Task['build:build'].invoke(config)
     puts "Installing with configuration: #{config}"
     Rake::Task['remove_existing'].invoke()

Santa.xcodeproj/xcshareddata/xcschemes/santabs.xcscheme

@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Scheme
+   LastUpgradeVersion = "0730"
+   version = "1.3">
+   <BuildAction
+      parallelizeBuildables = "YES"
+      buildImplicitDependencies = "YES">
+      <BuildActionEntries>
+         <BuildActionEntry
+            buildForTesting = "YES"
+            buildForRunning = "YES"
+            buildForProfiling = "YES"
+            buildForArchiving = "YES"
+            buildForAnalyzing = "YES">
+            <BuildableReference
+               BuildableIdentifier = "primary"
+               BlueprintIdentifier = "C78227531E1C3C58006EB2D6"
+               BuildableName = "santabs.xpc"
+               BlueprintName = "santabs"
+               ReferencedContainer = "container:Santa.xcodeproj">
+            </BuildableReference>
+         </BuildActionEntry>
+      </BuildActionEntries>
+   </BuildAction>
+   <TestAction
+      buildConfiguration = "Debug"
+      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
+      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      shouldUseLaunchSchemeArgsEnv = "YES">
+      <Testables>
+      </Testables>
+      <AdditionalOptions>
+      </AdditionalOptions>
+   </TestAction>
+   <LaunchAction
+      buildConfiguration = "Debug"
+      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
+      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      launchStyle = "0"
+      useCustomWorkingDirectory = "NO"
+      ignoresPersistentStateOnLaunch = "NO"
+      debugDocumentVersioning = "YES"
+      debugServiceExtension = "internal"
+      allowLocationSimulation = "YES">
+      <MacroExpansion>
+         <BuildableReference
+            BuildableIdentifier = "primary"
+            BlueprintIdentifier = "C78227531E1C3C58006EB2D6"
+            BuildableName = "santabs.xpc"
+            BlueprintName = "santabs"
+            ReferencedContainer = "container:Santa.xcodeproj">
+         </BuildableReference>
+      </MacroExpansion>
+      <AdditionalOptions>
+      </AdditionalOptions>
+   </LaunchAction>
+   <ProfileAction
+      buildConfiguration = "Release"
+      shouldUseLaunchSchemeArgsEnv = "YES"
+      savedToolIdentifier = ""
+      useCustomWorkingDirectory = "NO"
+      debugDocumentVersioning = "YES">
+      <MacroExpansion>
+         <BuildableReference
+            BuildableIdentifier = "primary"
+            BlueprintIdentifier = "C78227531E1C3C58006EB2D6"
+            BuildableName = "santabs.xpc"
+            BlueprintName = "santabs"
+            ReferencedContainer = "container:Santa.xcodeproj">
+         </BuildableReference>
+      </MacroExpansion>
+   </ProfileAction>
+   <AnalyzeAction
+      buildConfiguration = "Debug">
+   </AnalyzeAction>
+   <ArchiveAction
+      buildConfiguration = "Release"
+      revealArchiveInOrganizer = "YES">
+   </ArchiveAction>
+</Scheme>

Source/SantaGUI/Resources/AboutWindow.xib

@@ -1,8 +1,8 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="6254" systemVersion="14E46" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES">
+<?xml version="1.0" encoding="UTF-8"?>
+<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="10117" systemVersion="16D32" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES">
     <dependencies>
         <deployment identifier="macosx"/>
-        <plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="6254"/>
+        <plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="10117"/>
     </dependencies>
     <objects>
         <customObject id="-2" userLabel="File's Owner" customClass="SNTAboutWindowController">
@@ -16,7 +16,7 @@
         <window title="Santa" allowsToolTipsWhenApplicationIsInactive="NO" autorecalculatesKeyViewLoop="NO" oneShot="NO" releasedWhenClosed="NO" visibleAtLaunch="NO" animationBehavior="default" id="F0z-JX-Cv5">
             <windowStyleMask key="styleMask" titled="YES" closable="YES"/>
             <rect key="contentRect" x="196" y="240" width="480" height="200"/>
-            <rect key="screenRect" x="0.0" y="0.0" width="2560" height="1577"/>
+            <rect key="screenRect" x="0.0" y="0.0" width="2560" height="1417"/>
             <view key="contentView" id="se5-gp-TjO">
                 <rect key="frame" x="0.0" y="0.0" width="480" height="200"/>
                 <autoresizingMask key="autoresizingMask"/>

Source/SantaGUI/Resources/MessageWindow.xib

@@ -1,5 +1,5 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="10117" systemVersion="15F34" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES">
+<?xml version="1.0" encoding="UTF-8"?>
+<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="10117" systemVersion="16F73" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES">
     <dependencies>
         <deployment identifier="macosx"/>
         <development version="6300" identifier="xcode"/>
@@ -9,6 +9,10 @@
         <customObject id="-2" userLabel="File's Owner" customClass="SNTMessageWindowController">
             <connections>
                 <outlet property="applicationNameLabel" destination="qgf-Jf-cJr" id="1JX-X8-03v"/>
+                <outlet property="bundleHashLabel" destination="xP7-jE-NF8" id="i8B-Gs-2E3"/>
+                <outlet property="bundleHashTitle" destination="MhO-U0-MLR" id="KT0-bK-fpV"/>
+                <outlet property="foundFileCountLabel" destination="LHV-gV-vyf" id="Sr0-T2-xGx"/>
+                <outlet property="hashingIndicator" destination="VyY-Yg-JOe" id="Yq4-tZ-9ep"/>
                 <outlet property="openEventButton" destination="7ua-5a-uSd" id="9s4-ZA-Vlo"/>
                 <outlet property="window" destination="9Bq-yh-54f" id="Uhs-WF-TV9"/>
             </connections>
@@ -17,14 +21,14 @@
         <customObject id="-3" userLabel="Application" customClass="NSObject"/>
         <window title="Santa Blocked Execution" allowsToolTipsWhenApplicationIsInactive="NO" autorecalculatesKeyViewLoop="NO" oneShot="NO" showsToolbarButton="NO" visibleAtLaunch="NO" animationBehavior="none" id="9Bq-yh-54f" customClass="SNTMessageWindow">
             <windowStyleMask key="styleMask" utility="YES"/>
-            <rect key="contentRect" x="167" y="107" width="497" height="439"/>
+            <rect key="contentRect" x="167" y="107" width="540" height="479"/>
             <rect key="screenRect" x="0.0" y="0.0" width="2560" height="1417"/>
             <view key="contentView" id="Iwq-Lx-rLv">
-                <rect key="frame" x="0.0" y="0.0" width="497" height="439"/>
+                <rect key="frame" x="0.0" y="0.0" width="540" height="479"/>
                 <autoresizingMask key="autoresizingMask" widthSizable="YES" heightSizable="YES"/>
                 <subviews>
                     <button focusRingType="none" verticalHuggingPriority="750" fixedFrame="YES" translatesAutoresizingMaskIntoConstraints="NO" id="kiB-jZ-69S">
-                        <rect key="frame" x="-6" y="411" width="37" height="32"/>
+                        <rect key="frame" x="16" y="451" width="37" height="32"/>
                         <buttonCell key="cell" type="push" title="Hidden Button" alternateTitle="This button exists so neither of the other two buttons is pre-selected when the dialog opens." bezelStyle="rounded" alignment="center" borderStyle="border" focusRingType="none" transparent="YES" imageScaling="proportionallyDown" inset="2" id="XGa-Sl-F4t">
                             <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                             <font key="font" metaFont="system"/>
@@ -37,7 +41,7 @@
                         </connections>
                     </button>
                     <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="t8c-Fx-e5h">
-                        <rect key="frame" x="206" y="368" width="85" height="41"/>
+                        <rect key="frame" x="228" y="408" width="85" height="41"/>
                         <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" refusesFirstResponder="YES" sendsActionOnEndEditing="YES" title="Santa" id="7YA-iB-Zma">
                             <font key="font" metaFont="systemUltraLight" size="34"/>
                             <color key="textColor" red="0.20000000000000001" green="0.20000000000000001" blue="0.20000000000000001" alpha="1" colorSpace="calibratedRGB"/>
@@ -51,7 +55,7 @@
                         </connections>
                     </textField>
                     <textField verticalHuggingPriority="750" horizontalCompressionResistancePriority="250" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="cD5-Su-lXR" customClass="SNTAccessibleTextField">
-                        <rect key="frame" x="22" y="329" width="454" height="17"/>
+                        <rect key="frame" x="43" y="369" width="454" height="17"/>
                         <constraints>
                             <constraint firstAttribute="width" constant="450" id="XgJ-EV-tBa"/>
                         </constraints>
@@ -65,58 +69,10 @@
                             <outlet property="nextKeyView" destination="7ua-5a-uSd" id="VC7-bE-uHc"/>
                         </connections>
                     </textField>
-                    <box horizontalHuggingPriority="750" title="Line" boxType="custom" borderType="line" titlePosition="noTitle" translatesAutoresizingMaskIntoConstraints="NO" id="4Li-ul-zIi">
-                        <rect key="frame" x="146" y="132" width="1" height="167"/>
-                        <constraints>
-                            <constraint firstAttribute="width" constant="1" id="0o1-Jh-epf"/>
-                        </constraints>
-                        <color key="borderColor" white="0.0" alpha="0.17999999999999999" colorSpace="calibratedWhite"/>
-                        <color key="fillColor" white="0.0" alpha="0.0" colorSpace="calibratedWhite"/>
-                        <font key="titleFont" metaFont="system"/>
-                    </box>
-                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="pDa-fA-vnC" userLabel="Label: Application">
-                        <rect key="frame" x="8" y="282" width="120" height="17"/>
-                        <constraints>
-                            <constraint firstAttribute="width" constant="116" id="8mA-zi-Ev7"/>
-                        </constraints>
-                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Application" id="Hy7-WF-6xW">
-                            <font key="font" metaFont="systemBold"/>
-                            <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
-                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
-                            <userDefinedRuntimeAttributes>
-                                <userDefinedRuntimeAttribute type="boolean" keyPath="accessibilityElement" value="NO"/>
-                            </userDefinedRuntimeAttributes>
-                        </textFieldCell>
-                        <connections>
-                            <binding destination="-2" name="hidden" keyPath="self.event.fileBundleName" id="r2Q-hh-Uy5">
-                                <dictionary key="options">
-                                    <string key="NSValueTransformerName">NSIsNil</string>
-                                </dictionary>
-                            </binding>
-                        </connections>
-                    </textField>
-                    <textField toolTip="Application Name" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="qgf-Jf-cJr" customClass="SNTAccessibleTextField">
-                        <rect key="frame" x="165" y="282" width="294" height="17"/>
-                        <constraints>
-                            <constraint firstAttribute="width" constant="290" id="Pav-ZA-iAu"/>
-                        </constraints>
-                        <textFieldCell key="cell" selectable="YES" sendsActionOnEndEditing="YES" alignment="left" title="Application Name" id="3UG-ca-d1k">
-                            <font key="font" metaFont="systemBold"/>
-                            <color key="textColor" red="0.40000000000000002" green="0.40000000000000002" blue="0.40000000000000002" alpha="1" colorSpace="calibratedRGB"/>
-                            <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
-                        </textFieldCell>
-                        <connections>
-                            <binding destination="-2" name="value" keyPath="self.event.fileBundleName" id="enC-Cl-UWt">
-                                <dictionary key="options">
-                                    <string key="NSNullPlaceholder">Unknown</string>
-                                </dictionary>
-                            </binding>
-                        </connections>
-                    </textField>
                     <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="d9e-Wv-Y5H" userLabel="Label: Path">
-                        <rect key="frame" x="8" y="257" width="120" height="17"/>
+                        <rect key="frame" x="8" y="297" width="142" height="17"/>
                         <constraints>
-                            <constraint firstAttribute="width" constant="116" id="Kqd-nX-7df"/>
+                            <constraint firstAttribute="width" constant="138" id="Kqd-nX-7df"/>
                         </constraints>
                         <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Filename" id="KgY-X1-ESG">
                             <font key="font" metaFont="systemBold"/>
@@ -128,9 +84,9 @@
                         </textFieldCell>
                     </textField>
                     <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="YNz-ka-cBi" userLabel="Label: Path">
-                        <rect key="frame" x="8" y="232" width="120" height="17"/>
+                        <rect key="frame" x="8" y="272" width="142" height="17"/>
                         <constraints>
-                            <constraint firstAttribute="width" constant="116" id="3wU-P0-gAC"/>
+                            <constraint firstAttribute="width" constant="138" id="3wU-P0-gAC"/>
                         </constraints>
                         <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Path" id="adC-be-Beh">
                             <font key="font" metaFont="systemBold"/>
@@ -141,10 +97,10 @@
                             </userDefinedRuntimeAttributes>
                         </textFieldCell>
                     </textField>
-                    <textField toolTip="Binary Path" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="pc8-G9-4pJ" customClass="SNTAccessibleTextField">
-                        <rect key="frame" x="165" y="257" width="294" height="17"/>
+                    <textField toolTip="Binary Name" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="pc8-G9-4pJ" customClass="SNTAccessibleTextField">
+                        <rect key="frame" x="187" y="297" width="315" height="17"/>
                         <constraints>
-                            <constraint firstAttribute="width" constant="290" id="xVR-j3-dLw"/>
+                            <constraint firstAttribute="width" constant="311" id="xVR-j3-dLw"/>
                         </constraints>
                         <textFieldCell key="cell" selectable="YES" sendsActionOnEndEditing="YES" alignment="left" title="Binary Name" id="E7T-9h-ofr">
                             <font key="font" metaFont="system"/>
@@ -156,7 +112,7 @@
                         </connections>
                     </textField>
                     <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="lvJ-Rk-UT5" userLabel="Label: Publisher">
-                        <rect key="frame" x="8" y="207" width="120" height="17"/>
+                        <rect key="frame" x="8" y="247" width="142" height="17"/>
                         <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Publisher" id="yL9-yD-JXX">
                             <font key="font" metaFont="systemBold"/>
                             <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
@@ -167,9 +123,9 @@
                         </textFieldCell>
                     </textField>
                     <textField toolTip="Publisher" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="C3G-wL-u7w" userLabel="Publisher" customClass="SNTAccessibleTextField">
-                        <rect key="frame" x="165" y="207" width="294" height="17"/>
+                        <rect key="frame" x="187" y="247" width="315" height="17"/>
                         <constraints>
-                            <constraint firstAttribute="width" constant="290" id="Dem-wH-KHm"/>
+                            <constraint firstAttribute="width" constant="311" id="Dem-wH-KHm"/>
                         </constraints>
                         <textFieldCell key="cell" selectable="YES" allowsUndo="NO" sendsActionOnEndEditing="YES" title="Code signing information" placeholderString="" id="ztA-La-XgT">
                             <font key="font" metaFont="system"/>
@@ -185,7 +141,7 @@
                         </connections>
                     </textField>
                     <button toolTip="Show code signing certificate chain" translatesAutoresizingMaskIntoConstraints="NO" id="cJf-k6-OxS" userLabel="Publisher Certs Button">
-                        <rect key="frame" x="40" y="208" width="15" height="15"/>
+                        <rect key="frame" x="62" y="248" width="15" height="15"/>
                         <constraints>
                             <constraint firstAttribute="width" constant="15" id="QTm-Iv-m5p"/>
                             <constraint firstAttribute="height" constant="15" id="YwG-0s-jop"/>
@@ -207,7 +163,7 @@
                         </connections>
                     </button>
                     <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="KEB-eH-x2Y" userLabel="Label: Identifier">
-                        <rect key="frame" x="8" y="182" width="120" height="17"/>
+                        <rect key="frame" x="8" y="222" width="142" height="17"/>
                         <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Identifier" id="eKN-Ic-5zy">
                             <font key="font" metaFont="systemBold"/>
                             <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
@@ -217,8 +173,8 @@
                             </userDefinedRuntimeAttributes>
                         </textFieldCell>
                     </textField>
-                    <textField verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="PXc-xv-A28">
-                        <rect key="frame" x="165" y="182" width="219" height="17"/>
+                    <textField toolTip="SHA-256" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="PXc-xv-A28">
+                        <rect key="frame" x="187" y="222" width="219" height="17"/>
                         <constraints>
                             <constraint firstAttribute="width" constant="215" id="4hh-R2-86s"/>
                         </constraints>
@@ -234,8 +190,26 @@
                             <binding destination="-2" name="value" keyPath="self.event.fileSHA256" id="9KB-0b-qLV"/>
                         </connections>
                     </textField>
+                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="MhO-U0-MLR" userLabel="Label: Bundle Identifier">
+                        <rect key="frame" x="8" y="197" width="142" height="17"/>
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Bundle Identifier" id="LEe-u0-52o">
+                            <font key="font" metaFont="systemBold"/>
+                            <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
+                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
+                            <userDefinedRuntimeAttributes>
+                                <userDefinedRuntimeAttribute type="boolean" keyPath="accessibilityElement" value="NO"/>
+                            </userDefinedRuntimeAttributes>
+                        </textFieldCell>
+                        <connections>
+                            <binding destination="-2" name="hidden" keyPath="self.event.needsBundleHash" id="2kb-3z-Kyn">
+                                <dictionary key="options">
+                                    <string key="NSValueTransformerName">NSNegateBoolean</string>
+                                </dictionary>
+                            </binding>
+                        </connections>
+                    </textField>
                     <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="eQb-0a-76J" userLabel="Label: Parent">
-                        <rect key="frame" x="8" y="157" width="120" height="17"/>
+                        <rect key="frame" x="8" y="157" width="142" height="17"/>
                         <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Parent" id="gze-4A-1w5">
                             <font key="font" metaFont="systemBold"/>
                             <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
@@ -246,7 +220,7 @@
                         </textFieldCell>
                     </textField>
                     <textField toolTip="Parent Process" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" translatesAutoresizingMaskIntoConstraints="NO" id="f1p-GL-O3o" userLabel="Parent" customClass="SNTAccessibleTextField">
-                        <rect key="frame" x="165" y="157" width="294" height="17"/>
+                        <rect key="frame" x="187" y="157" width="294" height="17"/>
                         <constraints>
                             <constraint firstAttribute="width" constant="290" id="h3Y-mO-38F"/>
                         </constraints>
@@ -269,7 +243,7 @@
                         </connections>
                     </textField>
                     <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="oFj-ol-xpL" userLabel="Label: User">
-                        <rect key="frame" x="8" y="132" width="120" height="17"/>
+                        <rect key="frame" x="8" y="132" width="142" height="17"/>
                         <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="User" id="1ut-uT-hQD">
                             <font key="font" metaFont="systemBold"/>
                             <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
@@ -279,26 +253,8 @@
                             </userDefinedRuntimeAttributes>
                         </textFieldCell>
                     </textField>
-                    <textField toolTip="Executing User" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" translatesAutoresizingMaskIntoConstraints="NO" id="h6f-PY-cc0" customClass="SNTAccessibleTextField">
-                        <rect key="frame" x="165" y="132" width="294" height="17"/>
-                        <constraints>
-                            <constraint firstAttribute="width" constant="290" id="on6-pj-m2k"/>
-                        </constraints>
-                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" selectable="YES" sendsActionOnEndEditing="YES" title="Executing User" id="HRT-Be-ePf">
-                            <font key="font" metaFont="system"/>
-                            <color key="textColor" red="0.40000000000000002" green="0.40000000000000002" blue="0.40000000000000002" alpha="1" colorSpace="calibratedRGB"/>
-                            <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
-                        </textFieldCell>
-                        <connections>
-                            <binding destination="-2" name="value" keyPath="self.event.executingUser" id="IcM-Lt-xTT">
-                                <dictionary key="options">
-                                    <string key="NSNullPlaceholder">Unknown</string>
-                                </dictionary>
-                            </binding>
-                        </connections>
-                    </textField>
                     <button verticalHuggingPriority="750" horizontalCompressionResistancePriority="1000" translatesAutoresizingMaskIntoConstraints="NO" id="7ua-5a-uSd">
-                        <rect key="frame" x="132" y="33" width="112" height="25"/>
+                        <rect key="frame" x="154" y="33" width="112" height="25"/>
                         <constraints>
                             <constraint firstAttribute="width" priority="900" constant="112" id="Pec-Pa-4aZ"/>
                         </constraints>
@@ -315,13 +271,40 @@ DQ
                             <outlet property="nextKeyView" destination="BbV-3h-mmL" id="Xkz-va-iGc"/>
                         </connections>
                     </button>
+                    <textField toolTip="Binary Path" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="bDE-Tl-UHg" customClass="SNTAccessibleTextField">
+                        <rect key="frame" x="187" y="272" width="315" height="17"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="311" id="p1W-f9-KBX"/>
+                        </constraints>
+                        <textFieldCell key="cell" selectable="YES" sendsActionOnEndEditing="YES" alignment="left" title="Binary Path" id="H1b-Ui-CYo">
+                            <font key="font" metaFont="system"/>
+                            <color key="textColor" red="0.40000000000000002" green="0.40000000000000002" blue="0.40000000000000002" alpha="1" colorSpace="calibratedRGB"/>
+                            <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
+                        </textFieldCell>
+                        <connections>
+                            <binding destination="-2" name="value" keyPath="self.event.filePath" id="Sry-KY-HDb"/>
+                        </connections>
+                    </textField>
+                    <button translatesAutoresizingMaskIntoConstraints="NO" id="5D8-GP-a4l">
+                        <rect key="frame" x="113" y="80" width="315" height="29"/>
+                        <constraints>
+                            <constraint firstAttribute="height" constant="25" id="KvD-X6-CsO"/>
+                        </constraints>
+                        <buttonCell key="cell" type="check" title="Prevent future notifications for this application for a day" bezelStyle="regularSquare" imagePosition="left" alignment="center" inset="2" id="R5Y-Uc-rEP">
+                            <behavior key="behavior" changeContents="YES" doesNotDimImage="YES" lightByContents="YES"/>
+                            <font key="font" metaFont="smallSystem"/>
+                        </buttonCell>
+                        <connections>
+                            <binding destination="-2" name="value" keyPath="self.silenceFutureNotifications" id="tEb-2A-sht"/>
+                        </connections>
+                    </button>
                     <button verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="BbV-3h-mmL" userLabel="Dismiss Button">
-                        <rect key="frame" x="256" y="33" width="110" height="25"/>
+                        <rect key="frame" x="278" y="33" width="110" height="25"/>
                         <constraints>
                             <constraint firstAttribute="width" constant="110" id="6Uh-Bd-N64"/>
                             <constraint firstAttribute="height" constant="22" id="GH6-nw-6rD"/>
                         </constraints>
-                        <buttonCell key="cell" type="roundTextured" title="Dismiss" bezelStyle="texturedRounded" alignment="center" state="on" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="XR6-Xa-gP4">
+                        <buttonCell key="cell" type="roundTextured" title="Ignore" bezelStyle="texturedRounded" alignment="center" state="on" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="XR6-Xa-gP4">
                             <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                             <font key="font" metaFont="system"/>
                             <string key="keyEquivalent" base64-UTF8="YES">
@@ -335,61 +318,138 @@ DQ
                             <outlet property="nextKeyView" destination="7ua-5a-uSd" id="4KL-Z2-1op"/>
                         </connections>
                     </button>
-                    <textField toolTip="Binary Path" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="bDE-Tl-UHg" customClass="SNTAccessibleTextField">
-                        <rect key="frame" x="165" y="232" width="294" height="17"/>
+                    <textField toolTip="Executing User" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" translatesAutoresizingMaskIntoConstraints="NO" id="h6f-PY-cc0" customClass="SNTAccessibleTextField">
+                        <rect key="frame" x="187" y="132" width="294" height="17"/>
                         <constraints>
-                            <constraint firstAttribute="width" constant="290" id="p1W-f9-KBX"/>
+                            <constraint firstAttribute="width" constant="290" id="on6-pj-m2k"/>
                         </constraints>
-                        <textFieldCell key="cell" selectable="YES" sendsActionOnEndEditing="YES" alignment="left" title="Binary Path" id="H1b-Ui-CYo">
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" selectable="YES" sendsActionOnEndEditing="YES" title="Executing User" id="HRT-Be-ePf">
                             <font key="font" metaFont="system"/>
                             <color key="textColor" red="0.40000000000000002" green="0.40000000000000002" blue="0.40000000000000002" alpha="1" colorSpace="calibratedRGB"/>
                             <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
                         </textFieldCell>
                         <connections>
-                            <binding destination="-2" name="value" keyPath="self.event.filePath" id="Sry-KY-HDb"/>
+                            <binding destination="-2" name="value" keyPath="self.event.executingUser" id="IcM-Lt-xTT">
+                                <dictionary key="options">
+                                    <string key="NSNullPlaceholder">Unknown</string>
+                                </dictionary>
+                            </binding>
                         </connections>
                     </textField>
-                    <button translatesAutoresizingMaskIntoConstraints="NO" id="5D8-GP-a4l">
-                        <rect key="frame" x="91" y="80" width="315" height="29"/>
+                    <progressIndicator wantsLayer="YES" canDrawConcurrently="YES" horizontalHuggingPriority="750" verticalHuggingPriority="750" maxValue="1" bezeled="NO" controlSize="small" style="bar" translatesAutoresizingMaskIntoConstraints="NO" id="VyY-Yg-JOe">
+                        <rect key="frame" x="187" y="199" width="217" height="12"/>
                         <constraints>
-                            <constraint firstAttribute="height" constant="25" id="KvD-X6-CsO"/>
+                            <constraint firstAttribute="width" constant="217" id="M22-Dv-KIP"/>
                         </constraints>
-                        <buttonCell key="cell" type="check" title="Prevent future notifications for this application for a day" bezelStyle="regularSquare" imagePosition="left" alignment="center" inset="2" id="R5Y-Uc-rEP">
-                            <behavior key="behavior" changeContents="YES" doesNotDimImage="YES" lightByContents="YES"/>
-                            <font key="font" metaFont="smallSystem"/>
-                        </buttonCell>
+                    </progressIndicator>
+                    <textField toolTip="Bundle SHA-256" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="xP7-jE-NF8">
+                        <rect key="frame" x="187" y="197" width="219" height="17"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="215" id="s7W-o9-2nN"/>
+                        </constraints>
+                        <textFieldCell key="cell" lineBreakMode="charWrapping" selectable="YES" sendsActionOnEndEditing="YES" title="Calculating..." id="yJa-yL-X9a">
+                            <font key="font" metaFont="fixedUser" size="11"/>
+                            <color key="textColor" red="0.40000000000000002" green="0.40000000000000002" blue="0.40000000000000002" alpha="1" colorSpace="calibratedRGB"/>
+                            <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
+                            <userDefinedRuntimeAttributes>
+                                <userDefinedRuntimeAttribute type="boolean" keyPath="accessibilityElement" value="NO"/>
+                            </userDefinedRuntimeAttributes>
+                        </textFieldCell>
                         <connections>
-                            <binding destination="-2" name="value" keyPath="self.silenceFutureNotifications" id="tEb-2A-sht"/>
+                            <binding destination="-2" name="value" keyPath="self.event.fileBundleHash" id="CnT-q6-bot"/>
                         </connections>
-                    </button>
+                    </textField>
+                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="LHV-gV-vyf">
+                        <rect key="frame" x="187" y="182" width="219" height="17"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="215" id="LUu-Vd-peN"/>
+                        </constraints>
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" title="1000 related binaries" id="AVM-vB-hB8">
+                            <font key="font" metaFont="fixedUser" size="11"/>
+                            <color key="textColor" red="0.40000000000000002" green="0.40000000000000002" blue="0.40000000000000002" alpha="1" colorSpace="calibratedRGB"/>
+                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
+                        </textFieldCell>
+                    </textField>
+                    <box horizontalHuggingPriority="750" title="Line" boxType="custom" borderType="line" titlePosition="noTitle" translatesAutoresizingMaskIntoConstraints="NO" id="4Li-ul-zIi">
+                        <rect key="frame" x="168" y="132" width="1" height="207"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="1" id="0o1-Jh-epf"/>
+                        </constraints>
+                        <color key="borderColor" white="0.0" alpha="0.17999999999999999" colorSpace="calibratedWhite"/>
+                        <color key="fillColor" white="0.0" alpha="0.0" colorSpace="calibratedWhite"/>
+                        <font key="titleFont" metaFont="system"/>
+                    </box>
+                    <textField toolTip="Application Name" verticalHuggingPriority="900" horizontalCompressionResistancePriority="250" verticalCompressionResistancePriority="1000" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="qgf-Jf-cJr" customClass="SNTAccessibleTextField">
+                        <rect key="frame" x="187" y="322" width="315" height="17"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="311" id="Pav-ZA-iAu"/>
+                        </constraints>
+                        <textFieldCell key="cell" selectable="YES" sendsActionOnEndEditing="YES" alignment="left" title="Application Name" id="3UG-ca-d1k">
+                            <font key="font" metaFont="systemBold"/>
+                            <color key="textColor" red="0.40000000000000002" green="0.40000000000000002" blue="0.40000000000000002" alpha="1" colorSpace="calibratedRGB"/>
+                            <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
+                        </textFieldCell>
+                        <connections>
+                            <binding destination="-2" name="value" keyPath="self.event.fileBundleName" id="enC-Cl-UWt">
+                                <dictionary key="options">
+                                    <string key="NSNullPlaceholder">Unknown</string>
+                                </dictionary>
+                            </binding>
+                        </connections>
+                    </textField>
+                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="pDa-fA-vnC" userLabel="Label: Application">
+                        <rect key="frame" x="8" y="322" width="142" height="17"/>
+                        <constraints>
+                            <constraint firstAttribute="width" constant="138" id="8mA-zi-Ev7"/>
+                        </constraints>
+                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" alignment="right" title="Application" id="Hy7-WF-6xW">
+                            <font key="font" metaFont="systemBold"/>
+                            <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
+                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
+                            <userDefinedRuntimeAttributes>
+                                <userDefinedRuntimeAttribute type="boolean" keyPath="accessibilityElement" value="NO"/>
+                            </userDefinedRuntimeAttributes>
+                        </textFieldCell>
+                        <connections>
+                            <binding destination="-2" name="hidden" keyPath="self.event.fileBundleName" id="r2Q-hh-Uy5">
+                                <dictionary key="options">
+                                    <string key="NSValueTransformerName">NSIsNil</string>
+                                </dictionary>
+                            </binding>
+                        </connections>
+                    </textField>
                 </subviews>
                 <constraints>
                     <constraint firstItem="oFj-ol-xpL" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="0AD-PS-5V1"/>
                     <constraint firstItem="f1p-GL-O3o" firstAttribute="centerY" secondItem="eQb-0a-76J" secondAttribute="centerY" id="2Aq-1E-Ybz"/>
                     <constraint firstItem="BbV-3h-mmL" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" priority="500" constant="193" id="2uo-Cm-Tfp"/>
                     <constraint firstItem="h6f-PY-cc0" firstAttribute="top" secondItem="f1p-GL-O3o" secondAttribute="bottom" constant="8" id="496-VQ-Fx5"/>
+                    <constraint firstItem="xP7-jE-NF8" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="5Mr-By-PAU"/>
                     <constraint firstItem="pDa-fA-vnC" firstAttribute="centerY" secondItem="qgf-Jf-cJr" secondAttribute="centerY" id="AKX-pe-hEX"/>
                     <constraint firstItem="C3G-wL-u7w" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="ALv-0v-szi"/>
-                    <constraint firstItem="f1p-GL-O3o" firstAttribute="top" secondItem="PXc-xv-A28" secondAttribute="bottom" constant="8" id="E6D-7P-17g"/>
                     <constraint firstItem="d9e-Wv-Y5H" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="FPe-Rd-G4n"/>
                     <constraint firstItem="cJf-k6-OxS" firstAttribute="centerY" secondItem="C3G-wL-u7w" secondAttribute="centerY" id="FdL-ZZ-Vbe"/>
                     <constraint firstItem="t8c-Fx-e5h" firstAttribute="top" secondItem="Iwq-Lx-rLv" secondAttribute="top" constant="30" id="FuB-GX-0jg"/>
                     <constraint firstItem="oFj-ol-xpL" firstAttribute="bottom" secondItem="4Li-ul-zIi" secondAttribute="bottom" id="G0I-O2-S91"/>
-                    <constraint firstItem="lvJ-Rk-UT5" firstAttribute="leading" secondItem="cJf-k6-OxS" secondAttribute="trailing" constant="-45" id="GD2-Ka-deo"/>
+                    <constraint firstItem="lvJ-Rk-UT5" firstAttribute="leading" secondItem="cJf-k6-OxS" secondAttribute="trailing" constant="-67" id="GD2-Ka-deo"/>
                     <constraint firstItem="BbV-3h-mmL" firstAttribute="top" secondItem="5D8-GP-a4l" secondAttribute="bottom" priority="900" constant="25" id="GT2-tO-2td"/>
                     <constraint firstItem="h6f-PY-cc0" firstAttribute="centerY" secondItem="oFj-ol-xpL" secondAttribute="centerY" id="GXI-pT-FM1"/>
                     <constraint firstItem="4Li-ul-zIi" firstAttribute="top" secondItem="pDa-fA-vnC" secondAttribute="top" id="Gd4-Nr-n5G"/>
+                    <constraint firstItem="xP7-jE-NF8" firstAttribute="top" secondItem="PXc-xv-A28" secondAttribute="bottom" constant="8" id="HUT-MI-jsR"/>
                     <constraint firstItem="qgf-Jf-cJr" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="Ht4-Lg-U5N"/>
+                    <constraint firstItem="LHV-gV-vyf" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="IA0-dy-2be"/>
                     <constraint firstItem="oFj-ol-xpL" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="IwX-ja-ZIs"/>
                     <constraint firstItem="d9e-Wv-Y5H" firstAttribute="top" secondItem="4Li-ul-zIi" secondAttribute="top" priority="500" id="JY4-N1-j8e"/>
                     <constraint firstItem="YNz-ka-cBi" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="KmX-kX-VCN"/>
                     <constraint firstItem="5D8-GP-a4l" firstAttribute="centerX" secondItem="Iwq-Lx-rLv" secondAttribute="centerX" id="LkH-F4-Ncm"/>
-                    <constraint firstItem="pc8-G9-4pJ" firstAttribute="top" secondItem="cD5-Su-lXR" secondAttribute="bottom" priority="950" constant="30" id="Nsl-zf-poH"/>
+                    <constraint firstItem="pc8-G9-4pJ" firstAttribute="top" secondItem="cD5-Su-lXR" secondAttribute="bottom" priority="950" constant="55" id="Nsl-zf-poH"/>
                     <constraint firstItem="YNz-ka-cBi" firstAttribute="centerY" secondItem="bDE-Tl-UHg" secondAttribute="centerY" id="ObQ-RA-S5V"/>
                     <constraint firstItem="pc8-G9-4pJ" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="SCl-Ky-VmT"/>
                     <constraint firstItem="d9e-Wv-Y5H" firstAttribute="centerY" secondItem="pc8-G9-4pJ" secondAttribute="centerY" id="SLv-F7-w5k"/>
                     <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="KEB-eH-x2Y" secondAttribute="trailing" constant="20" id="Seb-c0-MUL"/>
                     <constraint firstAttribute="centerX" secondItem="cD5-Su-lXR" secondAttribute="centerX" id="V0a-Py-iEc"/>
+                    <constraint firstItem="LHV-gV-vyf" firstAttribute="top" secondItem="VyY-Yg-JOe" secondAttribute="bottom" id="Vjr-NX-j8V"/>
+                    <constraint firstItem="MhO-U0-MLR" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="Vly-VE-BwU"/>
                     <constraint firstItem="oFj-ol-xpL" firstAttribute="leading" secondItem="lvJ-Rk-UT5" secondAttribute="leading" priority="999" id="Z6G-l9-G4a"/>
                     <constraint firstItem="C3G-wL-u7w" firstAttribute="top" secondItem="bDE-Tl-UHg" secondAttribute="bottom" constant="8" id="ZoS-xV-2WA"/>
                     <constraint firstItem="lvJ-Rk-UT5" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="aMJ-Wb-vRS"/>
@@ -401,22 +461,28 @@ DQ
                     <constraint firstItem="qgf-Jf-cJr" firstAttribute="top" secondItem="cD5-Su-lXR" secondAttribute="bottom" constant="30" id="esg-lX-BAT"/>
                     <constraint firstItem="f1p-GL-O3o" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="fGd-YS-phP"/>
                     <constraint firstAttribute="centerX" secondItem="t8c-Fx-e5h" secondAttribute="centerX" id="h3d-Kc-q88"/>
+                    <constraint firstItem="f1p-GL-O3o" firstAttribute="top" secondItem="LHV-gV-vyf" secondAttribute="bottom" constant="8" id="h4h-K3-BTd"/>
+                    <constraint firstItem="f1p-GL-O3o" firstAttribute="top" secondItem="PXc-xv-A28" secondAttribute="bottom" priority="700" constant="8" id="hXw-6Z-lb2"/>
                     <constraint firstItem="BbV-3h-mmL" firstAttribute="leading" secondItem="7ua-5a-uSd" secondAttribute="trailing" constant="12" id="ioO-NJ-Jqo"/>
                     <constraint firstItem="bDE-Tl-UHg" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="jdk-ak-soQ"/>
                     <constraint firstItem="C3G-wL-u7w" firstAttribute="centerY" secondItem="lvJ-Rk-UT5" secondAttribute="centerY" id="jfs-YI-7Ae"/>
                     <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="oFj-ol-xpL" secondAttribute="trailing" constant="20" id="kOG-Cj-hFG"/>
+                    <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="MhO-U0-MLR" secondAttribute="trailing" constant="20" id="ke9-wW-5fr"/>
                     <constraint firstItem="pc8-G9-4pJ" firstAttribute="top" secondItem="qgf-Jf-cJr" secondAttribute="bottom" constant="8" id="lWU-tC-vWg"/>
                     <constraint firstItem="5D8-GP-a4l" firstAttribute="top" secondItem="h6f-PY-cc0" secondAttribute="bottom" constant="25" id="lYd-VZ-lBs"/>
+                    <constraint firstItem="VyY-Yg-JOe" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="18" id="lei-uP-T8m"/>
+                    <constraint firstItem="f1p-GL-O3o" firstAttribute="top" secondItem="xP7-jE-NF8" secondAttribute="bottom" priority="701" constant="8" id="oY4-e7-lsz"/>
                     <constraint firstItem="7ua-5a-uSd" firstAttribute="top" secondItem="5D8-GP-a4l" secondAttribute="bottom" priority="900" constant="25" id="pCX-eX-erN"/>
-                    <constraint firstAttribute="centerX" secondItem="7ua-5a-uSd" secondAttribute="centerX" constant="61" id="phL-j9-rPq"/>
+                    <constraint firstItem="xP7-jE-NF8" firstAttribute="centerY" secondItem="MhO-U0-MLR" secondAttribute="centerY" id="pdC-x8-Nao"/>
+                    <constraint firstAttribute="centerX" secondItem="7ua-5a-uSd" secondAttribute="centerX" constant="60" id="phL-j9-rPq"/>
                     <constraint firstItem="bDE-Tl-UHg" firstAttribute="top" secondItem="pc8-G9-4pJ" secondAttribute="bottom" constant="8" id="pis-of-f93"/>
                     <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="lvJ-Rk-UT5" secondAttribute="trailing" constant="20" id="qKi-KT-jzJ"/>
                     <constraint firstItem="C3G-wL-u7w" firstAttribute="bottom" secondItem="PXc-xv-A28" secondAttribute="top" constant="-8" id="snd-8T-LjC"/>
                     <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="d9e-Wv-Y5H" secondAttribute="trailing" constant="20" id="stz-Vm-Kxo"/>
                     <constraint firstItem="PXc-xv-A28" firstAttribute="leading" secondItem="4Li-ul-zIi" secondAttribute="trailing" constant="20" id="tAa-1s-xVZ"/>
                     <constraint firstItem="eQb-0a-76J" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="u1y-6V-moc"/>
-                    <constraint firstItem="d9e-Wv-Y5H" firstAttribute="width" secondItem="eQb-0a-76J" secondAttribute="width" id="u4p-1B-x5B"/>
                     <constraint firstAttribute="bottom" secondItem="BbV-3h-mmL" secondAttribute="bottom" constant="35" id="ukF-FH-DE8"/>
+                    <constraint firstItem="VyY-Yg-JOe" firstAttribute="centerY" secondItem="MhO-U0-MLR" secondAttribute="centerY" id="vB8-c5-pfO"/>
                     <constraint firstItem="4Li-ul-zIi" firstAttribute="leading" secondItem="YNz-ka-cBi" secondAttribute="trailing" constant="20" id="vfq-83-tKI"/>
                     <constraint firstItem="pDa-fA-vnC" firstAttribute="leading" secondItem="Iwq-Lx-rLv" secondAttribute="leading" constant="10" id="z6s-ga-iAk"/>
                 </constraints>
@@ -424,8 +490,9 @@ DQ
             <connections>
                 <outlet property="initialFirstResponder" destination="kiB-jZ-69S" id="I96-dS-lq5"/>
             </connections>
-            <point key="canvasLocation" x="302.5" y="304.5"/>
+            <point key="canvasLocation" x="274" y="326.5"/>
         </window>
+        <userDefaultsController representsSharedInstance="YES" id="iXx-cu-WYe"/>
     </objects>
     <resources>
         <image name="NSInfo" width="32" height="32"/>

Source/SantaGUI/Resources/Santa-Prefix.pch

@@ -1,3 +0,0 @@
-#ifdef __OBJC__
-  #import <Cocoa/Cocoa.h>
-#endif

Source/SantaGUI/SNTAboutWindowController.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Cocoa;
+
 @interface SNTAboutWindowController : NSWindowController
 
 @property IBOutlet NSButton *moreInfoButton;

Source/SantaGUI/SNTAccessibleTextField.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Cocoa;
+
 /**
    An NSTextField subclass that provides an accessiblity label equal to:
    (self.toolTip + self.stringValue) where available. It also sets the

Source/SantaGUI/SNTAppDelegate.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Cocoa;
+
 ///
 /// Initiates and manages the connection to santad
 ///

Source/SantaGUI/SNTAppDelegate.m

@@ -26,7 +26,8 @@
 @property SNTAboutWindowController *aboutWindowController;
 @property SNTFileWatcher *configFileWatcher;
 @property SNTNotificationManager *notificationManager;
-@property SNTXPCConnection *listener;
+@property SNTXPCConnection *daemonListener;
+@property SNTXPCConnection *bundleListener;
 @end
 
 @implementation SNTAppDelegate
@@ -49,18 +50,19 @@
                                       object:nil
                                        queue:[NSOperationQueue currentQueue]
                                   usingBlock:^(NSNotification *note) {
-    self.listener.invalidationHandler = nil;
-    [self.listener invalidate];
-    self.listener = nil;
+    self.daemonListener.invalidationHandler = nil;
+    [self.daemonListener invalidate];
+    self.daemonListener = nil;
   }];
   [workspaceNotifications addObserverForName:NSWorkspaceSessionDidBecomeActiveNotification
                                       object:nil
                                        queue:[NSOperationQueue currentQueue]
                                   usingBlock:^(NSNotification *note) {
-    [self attemptReconnection];
+    [self attemptDaemonReconnection];
   }];
 
-  [self createConnection];
+  [self createDaemonConnection];
+  [self createBundleConnection];
 }
 
 - (BOOL)applicationShouldHandleReopen:(NSApplication *)sender hasVisibleWindows:(BOOL)flag {
@@ -71,24 +73,24 @@
 
 #pragma mark Connection handling
 
-- (void)createConnection {
+- (void)createDaemonConnection {
   dispatch_semaphore_t sema = dispatch_semaphore_create(0);
 
   WEAKIFY(self);
 
   // Create listener for return connection from daemon.
   NSXPCListener *listener = [NSXPCListener anonymousListener];
-  self.listener = [[SNTXPCConnection alloc] initServerWithListener:listener];
-  self.listener.exportedInterface = [SNTXPCNotifierInterface notifierInterface];
-  self.listener.exportedObject = self.notificationManager;
-  self.listener.acceptedHandler = ^{
+  self.daemonListener = [[SNTXPCConnection alloc] initServerWithListener:listener];
+  self.daemonListener.exportedInterface = [SNTXPCNotifierInterface notifierInterface];
+  self.daemonListener.exportedObject = self.notificationManager;
+  self.daemonListener.acceptedHandler = ^{
     dispatch_semaphore_signal(sema);
   };
-  self.listener.invalidationHandler = ^{
+  self.daemonListener.invalidationHandler = ^{
     STRONGIFY(self);
-    [self attemptReconnection];
+    [self attemptDaemonReconnection];
   };
-  [self.listener resume];
+  [self.daemonListener resume];
 
   // Tell daemon to connect back to the above listener.
   SNTXPCConnection *daemonConn = [SNTXPCControlInterface configuredConnection];
@@ -97,12 +99,46 @@
 
   // Now wait for the connection to come in.
   if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC))) {
-    [self attemptReconnection];
+    [self attemptDaemonReconnection];
   }
 }
 
-- (void)attemptReconnection {
-  [self performSelectorInBackground:@selector(createConnection) withObject:nil];
+- (void)attemptDaemonReconnection {
+  [self performSelectorInBackground:@selector(createDaemonConnection) withObject:nil];
+}
+
+- (void)createBundleConnection {
+  dispatch_semaphore_t sema = dispatch_semaphore_create(0);
+
+  WEAKIFY(self);
+
+  // Create listener for return connection from the bundle service.
+  NSXPCListener *listener = [NSXPCListener anonymousListener];
+  self.bundleListener = [[SNTXPCConnection alloc] initServerWithListener:listener];
+  self.bundleListener.exportedInterface = [SNTXPCNotifierInterface bundleNotifierInterface];
+  self.bundleListener.exportedObject = self.notificationManager;
+  self.bundleListener.acceptedHandler = ^{
+    dispatch_semaphore_signal(sema);
+  };
+  self.bundleListener.invalidationHandler = ^{
+    STRONGIFY(self);
+    [self attemptBundleReconnection];
+  };
+  [self.bundleListener resume];
+
+  // Tell santabs to connect back to the above listener.
+  SNTXPCConnection *daemonConn = [SNTXPCControlInterface configuredConnection];
+  [daemonConn resume];
+  [[daemonConn remoteObjectProxy] setBundleNotificationListener:listener.endpoint];
+
+  // Now wait for the connection to come in.
+  if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC))) {
+    [self attemptBundleReconnection];
+  }
+}
+
+- (void)attemptBundleReconnection {
+  [self performSelectorInBackground:@selector(createBundleConnection) withObject:nil];
 }
 
 #pragma mark Menu Management

Source/SantaGUI/SNTMessageWindow.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Cocoa;
+
 ///
 ///  An NSPanel that can become key/main and can fade in/out.
 ///

Source/SantaGUI/SNTMessageWindowController.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Cocoa;
+
 @class SNTStoredEvent;
 
 @protocol SNTMessageWindowControllerDelegate
@@ -29,6 +31,40 @@
 - (IBAction)closeWindow:(id)sender;
 - (IBAction)showCertInfo:(id)sender;
 
+///  Reference to the "Bundle Hash" label in the XIB. Used to remove if application
+///  doesn't have a bundle hash.
+@property(weak) IBOutlet NSTextField *bundleHashLabel;
+
+///  Reference to the "Bundle Identifier" label in the XIB. Used to remove if application
+///  doesn't have a bundle hash.
+@property(weak) IBOutlet NSTextField *bundleHashTitle;
+
+///
+/// Is displayed if calculating the bundle hash is taking a bit.
+///
+@property(weak) IBOutlet NSProgressIndicator *hashingIndicator;
+
+///
+/// Is displayed if calculating the bundle hash is taking a bit.
+///
+@property(weak) IBOutlet NSTextField *foundFileCountLabel;
+
+///
+///  Reference to the "Open Event" button in the XIB. Used to either remove the button
+///  if it isn't needed or set its title if it is.
+///
+@property(weak) IBOutlet NSButton *openEventButton;
+
+///
+///  The execution event that this window is for
+///
+@property(readonly) SNTStoredEvent *event;
+
+///
+///  The root progress object. Child nodes are vended to santad to report on work being done.
+///
+@property NSProgress *progress;
+
 ///
 ///  The delegate to inform when the notification is dismissed
 ///

Source/SantaGUI/SNTMessageWindowController.m

@@ -14,7 +14,7 @@
 
 #import "SNTMessageWindowController.h"
 
-#import <SecurityInterface/SFCertificatePanel.h>
+@import SecurityInterface.SFCertificatePanel;
 
 #import "MOLCertificate.h"
 #import "SNTBlockMessage.h"
@@ -24,9 +24,6 @@
 #import "SNTStoredEvent.h"
 
 @interface SNTMessageWindowController ()
-///  The execution event that this window is for
-@property SNTStoredEvent *event;
-
 ///  The custom message to display for this event
 @property(copy) NSString *customMessage;
 
@@ -36,13 +33,9 @@
 ///  An optional message to display with this block.
 @property(readonly, nonatomic) NSAttributedString *attributedCustomMessage;
 
-///  Reference to the "Open Event" button in the XIB. Used to either remove the button
-///  if it isn't needed or set its title if it is.
-@property IBOutlet NSButton *openEventButton;
-
 ///  Reference to the "Application Name" label in the XIB. Used to remove if application
 ///  doesn't have a CFBundleName.
-@property IBOutlet NSTextField *applicationNameLabel;
+@property(weak) IBOutlet NSTextField *applicationNameLabel;
 
 ///  Linked to checkbox in UI to prevent future notifications for this binary.
 @property BOOL silenceFutureNotifications;
@@ -55,10 +48,34 @@
   if (self) {
     _event = event;
     _customMessage = message;
+    _progress = [NSProgress discreteProgressWithTotalUnitCount:1];
+    [_progress addObserver:self
+                forKeyPath:@"fractionCompleted"
+                   options:NSKeyValueObservingOptionNew
+                   context:NULL];
   }
   return self;
 }
 
+- (void)dealloc {
+  [_progress removeObserver:self forKeyPath:@"fractionCompleted"];
+}
+
+- (void)observeValueForKeyPath:(NSString *)keyPath
+                      ofObject:(id)object
+                        change:(NSDictionary *)change
+                       context:(void *)context {
+  if ([keyPath isEqualToString:@"fractionCompleted"]) {
+    dispatch_async(dispatch_get_main_queue(), ^{
+      NSProgress *progress = object;
+      if (progress.fractionCompleted != 0.0) {
+        self.hashingIndicator.indeterminate = NO;
+      }
+      self.hashingIndicator.doubleValue = progress.fractionCompleted;
+    });
+  }
+}
+
 - (void)loadWindow {
   [super loadWindow];
   [self.window setLevel:NSPopUpMenuWindowLevel];
@@ -73,6 +90,18 @@
     }
   }
 
+  if (!self.event.needsBundleHash) {
+    [self.bundleHashLabel removeFromSuperview];
+    [self.hashingIndicator removeFromSuperview];
+    [self.foundFileCountLabel removeFromSuperview];
+  } else {
+    self.openEventButton.enabled = NO;
+    self.hashingIndicator.indeterminate = YES;
+    [self.hashingIndicator startAnimation:self];
+    self.bundleHashLabel.hidden = YES;
+    self.foundFileCountLabel.stringValue = @"";
+  }
+
   if (!self.event.fileBundleName) {
     [self.applicationNameLabel removeFromSuperview];
   }
@@ -83,6 +112,7 @@
 }
 
 - (IBAction)closeWindow:(id)sender {
+  [self.progress cancel];
   [(SNTMessageWindow *)self.window fadeOut:sender];
 }
 

Source/SantaGUI/SNTNotificationManager.h

@@ -12,12 +12,15 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Cocoa;
+
 #import "SNTMessageWindowController.h"
 #import "SNTXPCNotifierInterface.h"
 
 ///
 ///  Keeps track of pending notifications and ensures only one is presented to the user at a time.
 ///
-@interface SNTNotificationManager : NSObject<SNTMessageWindowControllerDelegate, SNTNotifierXPC>
+@interface SNTNotificationManager : NSObject<SNTMessageWindowControllerDelegate,
+                                             SNTNotifierXPC, SNTBundleNotifierXPC>
 
 @end

Source/SantaGUI/SNTNotificationManager.m

@@ -18,13 +18,27 @@
 #import "SNTConfigurator.h"
 #import "SNTLogging.h"
 #import "SNTStoredEvent.h"
+#import "SNTStrengthify.h"
+#import "SNTXPCConnection.h"
+#import "SNTXPCControlInterface.h"
 
 @interface SNTNotificationManager ()
+
 ///  The currently displayed notification
 @property SNTMessageWindowController *currentWindowController;
 
 ///  The queue of pending notifications
 @property(readonly) NSMutableArray *pendingNotifications;
+
+///  The connection to the bundle service
+@property SNTXPCConnection *bundleServiceConnection;
+
+///  A semaphore to block bundle hashing until a connection is established
+@property dispatch_semaphore_t bundleServiceSema;
+
+// A serial queue for holding hashBundleBinaries requests
+@property dispatch_queue_t hashBundleBinariesQueue;
+
 @end
 
 @implementation SNTNotificationManager
@@ -35,6 +49,9 @@ static NSString * const silencedNotificationsKey = @"SilencedNotifications";
   self = [super init];
   if (self) {
     _pendingNotifications = [[NSMutableArray alloc] init];
+    _bundleServiceSema = dispatch_semaphore_create(0);
+    _hashBundleBinariesQueue = dispatch_queue_create("com.google.santagui.hashbundlebinaries",
+                                                     DISPATCH_QUEUE_SERIAL);
   }
   return self;
 }
@@ -48,7 +65,16 @@ static NSString * const silencedNotificationsKey = @"SilencedNotifications";
   if ([self.pendingNotifications count]) {
     self.currentWindowController = [self.pendingNotifications firstObject];
     [self.currentWindowController showWindow:self];
+    if (self.currentWindowController.event.needsBundleHash) {
+      dispatch_async(self.hashBundleBinariesQueue, ^{
+        [self hashBundleBinariesForEvent:self.currentWindowController.event];
+      });
+    }
   } else {
+    // Tear down the bundle service
+    self.bundleServiceSema = dispatch_semaphore_create(0);
+    [self.bundleServiceConnection invalidate];
+    self.bundleServiceConnection = nil;
     [NSApp hide:self];
   }
 }
@@ -65,7 +91,7 @@ static NSString * const silencedNotificationsKey = @"SilencedNotifications";
   [ud setObject:d forKey:silencedNotificationsKey];
 }
 
-#pragma mark SNTNotifierXPC protocol method
+#pragma mark SNTNotifierXPC protocol methods
 
 - (void)postClientModeNotification:(SNTClientMode)clientmode {
   NSUserNotification *un = [[NSUserNotification alloc] init];
@@ -131,6 +157,115 @@ static NSString * const silencedNotificationsKey = @"SilencedNotifications";
     if (!self.currentWindowController) {
       self.currentWindowController = pendingMsg;
       [pendingMsg showWindow:nil];
+      if (self.currentWindowController.event.needsBundleHash) {
+        dispatch_async(self.hashBundleBinariesQueue, ^{
+          [self hashBundleBinariesForEvent:self.currentWindowController.event];
+        });
+      }
+    }
+  });
+}
+
+- (void)postRuleSyncNotificationWithCustomMessage:(NSString *)message {
+  NSUserNotification *un = [[NSUserNotification alloc] init];
+  un.title = @"Santa";
+  un.hasActionButton = NO;
+  un.informativeText = message ?: @"Requested application can now be run";
+  [[NSUserNotificationCenter defaultUserNotificationCenter] deliverNotification:un];
+}
+
+#pragma mark SNTBundleNotifierXPC protocol methods
+
+- (void)updateCountsForEvent:(SNTStoredEvent *)event
+                 binaryCount:(uint64_t)binaryCount
+                   fileCount:(uint64_t)fileCount
+                 hashedCount:(uint64_t)hashedCount {
+  if ([self.currentWindowController.event.idx isEqual:event.idx]) {
+    dispatch_async(dispatch_get_main_queue(), ^{
+      self.currentWindowController.foundFileCountLabel.stringValue =
+          [NSString stringWithFormat:@"%llu binaries / %llu %@",
+               binaryCount, hashedCount ?: fileCount, hashedCount ? @"hashed" : @"files"];
+    });
+  }
+}
+
+- (void)setBundleServiceListener:(NSXPCListenerEndpoint *)listener {
+  SNTXPCConnection *c = [[SNTXPCConnection alloc] initClientWithListener:listener];
+  c.remoteInterface = [SNTXPCBundleServiceInterface bundleServiceInterface];
+  [c resume];
+  self.bundleServiceConnection = c;
+
+  WEAKIFY(self);
+  self.bundleServiceConnection.invalidationHandler = ^{
+    STRONGIFY(self);
+    if (self.currentWindowController) {
+      [self updateBlockNotification:self.currentWindowController.event withBundleHash:nil];
+    }
+  };
+
+  dispatch_semaphore_signal(self.bundleServiceSema);
+}
+
+#pragma mark SNTBundleNotifierXPC helper methods
+
+- (void)hashBundleBinariesForEvent:(SNTStoredEvent *)event {
+  self.currentWindowController.foundFileCountLabel.stringValue = @"Searching for files...";
+
+  // Wait a max of 6 secs for the bundle service. Should the bundle service fall over, it will
+  // reconnect within 5 secs. Otherwise abandon bundle hashing and display the blockable event.
+  if (dispatch_semaphore_wait(self.bundleServiceSema,
+                              dispatch_time(DISPATCH_TIME_NOW, 6 * NSEC_PER_SEC))) {
+    [self updateBlockNotification:event withBundleHash:nil];
+    return;
+  }
+
+  // Let all future requests flow, until the connection is terminated and we go back to waiting.
+  dispatch_semaphore_signal(self.bundleServiceSema);
+
+  // NSProgress becomes current for this thread. XPC messages vend a child node to the receiver.
+  [self.currentWindowController.progress becomeCurrentWithPendingUnitCount:100];
+
+  // Start hashing. Progress is reported to the root NSProgress (currentWindowController.progress).
+  [[self.bundleServiceConnection remoteObjectProxy]
+      hashBundleBinariesForEvent:event
+                           reply:^(NSString *bh, NSArray<SNTStoredEvent *> *events, NSNumber *ms) {
+    // Revert to displaying the blockable event if we fail to calculate the bundle hash
+    if (!bh) return [self updateBlockNotification:event withBundleHash:nil];
+
+    event.fileBundleHash = bh;
+    event.fileBundleBinaryCount = @(events.count);
+    event.fileBundleHashMilliseconds = ms;
+    event.fileBundleExecutableRelPath = [events.firstObject fileBundleExecutableRelPath];
+    for (SNTStoredEvent *se in events) {
+      se.fileBundleHash = bh;
+      se.fileBundleBinaryCount = @(events.count);
+      se.fileBundleHashMilliseconds = ms;
+    }
+
+    // Send the results to santad. It will decide if they need to be synced.
+    SNTXPCConnection *daemonConn = [SNTXPCControlInterface configuredConnection];
+    [daemonConn resume];
+    [[daemonConn remoteObjectProxy] syncBundleEvent:event relatedEvents:events];
+
+    // Update the UI with the bundle hash. Also make the openEventButton available.
+    [self updateBlockNotification:event withBundleHash:bh];
+  }];
+  [self.currentWindowController.progress resignCurrent];
+}
+
+- (void)updateBlockNotification:(SNTStoredEvent *)event withBundleHash:(NSString *)bundleHash {
+  dispatch_async(dispatch_get_main_queue(), ^{
+    if ([self.currentWindowController.event.idx isEqual:event.idx]) {
+      if (bundleHash) {
+        [self.currentWindowController.bundleHashLabel setHidden:NO];
+      } else {
+        [self.currentWindowController.bundleHashLabel removeFromSuperview];
+        [self.currentWindowController.bundleHashTitle removeFromSuperview];
+      }
+      self.currentWindowController.event.fileBundleHash = bundleHash;
+      [self.currentWindowController.foundFileCountLabel removeFromSuperview];
+      [self.currentWindowController.hashingIndicator setHidden:YES];
+      [self.currentWindowController.openEventButton setEnabled:YES];
     }
   });
 }

Source/SantaGUI/main.m

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Cocoa;
+
 #import "SNTAppDelegate.h"
 
 int main(int argc, const char *argv[]) {

Source/common/SNTBlockMessage.h

@@ -12,6 +12,12 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#ifdef SANTAGUI
+@import Cocoa;
+#else
+@import Foundation;
+#endif
+
 @class SNTStoredEvent;
 
 @interface SNTBlockMessage : NSObject

Source/common/SNTBlockMessage.m

@@ -92,18 +92,13 @@
 + (NSURL *)eventDetailURLForEvent:(SNTStoredEvent *)event {
   SNTConfigurator *config = [SNTConfigurator configurator];
 
-  NSString *formatStr;
-  if (config.eventDetailBundleURL && event.fileBundleID) {
-    formatStr = config.eventDetailBundleURL;
-  } else {
-    formatStr = config.eventDetailURL;
-  }
-
+  NSString *formatStr = config.eventDetailURL;
   if (!formatStr.length) return nil;
 
   if (event.fileSHA256) {
-    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%file_sha%"
-                                                     withString:event.fileSHA256];
+    formatStr =
+        [formatStr stringByReplacingOccurrencesOfString:@"%file_sha%"
+                                             withString:event.fileBundleHash ?: event.fileSHA256];
   }
   if (event.executingUser) {
     formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%username%"
@@ -113,14 +108,6 @@
     formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%machine_id%"
                                                      withString:config.machineID];
   }
-  if (event.fileBundleID) {
-    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%bundle_id%"
-                                                     withString:event.fileBundleID];
-  }
-  if (event.fileBundleVersionString) {
-    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%bundle_ver%"
-                                                     withString:event.fileBundleVersionString];
-  }
 
   return [NSURL URLWithString:formatStr];
 }

Source/common/SNTCommonEnums.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Foundation;
+
 ///
 ///  These enums are used in various places throughout the Santa client code.
 ///  The integer values are also stored in the database and so shouldn't be changed.
@@ -41,19 +43,25 @@ typedef NS_ENUM(NSInteger, SNTClientMode) {
 };
 
 typedef NS_ENUM(NSInteger, SNTEventState) {
-  SNTEventStateUnknown,
+  // Bits 0-15 bits store non-decision types
+  SNTEventStateUnknown = 0,
+  SNTEventStateBundleBinary = 1,
 
-  SNTEventStateAllowUnknown = 1,
-  SNTEventStateAllowBinary = 2,
-  SNTEventStateAllowCertificate = 3,
-  SNTEventStateAllowScope = 4,
+  // Bits 16-23 store deny decision types
+  SNTEventStateBlockUnknown = 1 << 16,
+  SNTEventStateBlockBinary = 1 << 17,
+  SNTEventStateBlockCertificate = 1 << 18,
+  SNTEventStateBlockScope = 1 << 19,
 
-  SNTEventStateBlockUnknown = 5,
-  SNTEventStateBlockBinary = 6,
-  SNTEventStateBlockCertificate = 7,
-  SNTEventStateBlockScope = 8,
+  // Bits 24-31 store allow decision types
+  SNTEventStateAllowUnknown = 1 << 24,
+  SNTEventStateAllowBinary = 1 << 25,
+  SNTEventStateAllowCertificate = 1 << 26,
+  SNTEventStateAllowScope = 1 << 27,
 
-  SNTEventStateBundleBinary = 9,
+  // Block and Allow masks
+  SNTEventStateBlock = 0xFF << 16,
+  SNTEventStateAllow = 0xFF << 24
 };
 
 typedef NS_ENUM(NSInteger, SNTRuleTableError) {
@@ -64,6 +72,14 @@ typedef NS_ENUM(NSInteger, SNTRuleTableError) {
   SNTRuleTableErrorRemoveFailed
 };
 
+// This enum type is used to indicate what should be done with the related bundle events that are
+// generated when an initiating blocked bundle event occurs.
+typedef NS_ENUM(NSInteger, SNTBundleEventAction) {
+  SNTBundleEventActionDropEvents,
+  SNTBundleEventActionStoreEvents,
+  SNTBundleEventActionSendEvents,
+};
+
 static const char *kKextPath = "/Library/Extensions/santa-driver.kext";
 static const char *kSantaDPath = "/Library/Extensions/santa-driver.kext/Contents/MacOS/santad";
 static const char *kSantaCtlPath = "/Library/Extensions/santa-driver.kext/Contents/MacOS/santactl";

Source/common/SNTConfigurator.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Foundation;
+
 #import "SNTCommonEnums.h"
 
 ///
@@ -75,8 +77,6 @@ extern NSString *const kDefaultConfigFilePath;
 ///
 ///  When the user gets a block notification, a button can be displayed which will
 ///  take them to a web page with more information about that event.
-///  There are two properties, one for individual binaries and one for binaries that are part
-///  of a bundle. If the latter is not set the former will be used.
 ///
 ///  This property contains a kind of format string to be turned into the URL to send them to.
 ///  The following sequences will be replaced in the final URL:
@@ -84,15 +84,12 @@ extern NSString *const kDefaultConfigFilePath;
 ///  %file_sha%    -- SHA-256 of the file that was blocked.
 ///  %machine_id%  -- ID of the machine.
 ///  %username%    -- executing user.
-///  %bundle_id%   -- bundle id of the binary, if applicable.
-///  %bundle_ver%  -- bundle version of the binary, if applicable.
 ///
 ///  @note: This is not an NSURL because the format-string parsing is done elsewhere.
 ///
 ///  If this item isn't set, the Open Event button will not be displayed.
 ///
 @property(readonly, nonatomic) NSString *eventDetailURL;
-@property(readonly, nonatomic) NSString *eventDetailBundleURL;
 
 ///
 ///  Related to the above property, this string represents the text to show on the button.
@@ -131,21 +128,20 @@ extern NSString *const kDefaultConfigFilePath;
 ///
 @property(readonly, nonatomic) NSURL *syncBaseURL;
 
-///
-///  If YES, mid-execution event uploads are skipped.
-///  This property is never stored on disk.
-///
-@property BOOL syncBackOff;
-
 ///
 ///  The machine owner.
 ///
 @property(readonly, nonatomic) NSString *machineOwner;
 
 ///
-///  The last date of successful sync.
+///  The last date of a successful full sync.
 ///
-@property(nonatomic) NSDate *syncLastSuccess;
+@property(nonatomic) NSDate *fullSyncLastSuccess;
+
+///
+///  The last date of a successful rule sync.
+///
+@property(nonatomic) NSDate *ruleSyncLastSuccess;
 
 ///
 ///  If YES a clean sync is required.
@@ -157,6 +153,12 @@ extern NSString *const kDefaultConfigFilePath;
 ///
 @property(readonly, nonatomic) NSString *machineID;
 
+///
+///  If YES, enables bundle detection for blocked events. This property is not stored on disk.
+///  Its value is set by a sync server that supports bundles. Defaults to NO.
+///
+@property BOOL bundlesEnabled;
+
 #pragma mark Server Auth Settings
 
 ///

Source/common/SNTConfigurator.m

@@ -44,7 +44,6 @@ static NSString *const kEnablePageZeroProtectionKey = @"EnablePageZeroProtection
 
 static NSString *const kMoreInfoURLKey = @"MoreInfoURL";
 static NSString *const kEventDetailURLKey = @"EventDetailURL";
-static NSString *const kEventDetailBundleURLKey = @"EventDetailBundleURL";
 static NSString *const kEventDetailTextKey = @"EventDetailText";
 static NSString *const kUnknownBlockMessage = @"UnknownBlockMessage";
 static NSString *const kBannedBlockMessage = @"BannedBlockMessage";
@@ -52,7 +51,8 @@ static NSString *const kModeNotificationMonitor = @"ModeNotificationMonitor";
 static NSString *const kModeNotificationLockdown = @"ModeNotificationLockdown";
 
 static NSString *const kSyncBaseURLKey = @"SyncBaseURL";
-static NSString *const kSyncLastSuccess = @"SyncLastSuccess";
+static NSString *const kFullSyncLastSuccess = @"FullSyncLastSuccess";
+static NSString *const kRuleSyncLastSuccess = @"RuleSyncLastSuccess";
 static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
 static NSString *const kClientAuthCertificateFileKey = @"ClientAuthCertificateFile";
 static NSString *const kClientAuthCertificatePasswordKey = @"ClientAuthCertificatePassword";
@@ -100,12 +100,18 @@ static NSString *const kMachineIDPlistKeyKey = @"MachineIDKey";
 #pragma mark Public Interface
 
 - (SNTClientMode)clientMode {
-  NSInteger cm = [self.configData[kClientModeKey] longValue];
+  NSInteger cm = SNTClientModeUnknown;
+
+  id mode = self.configData[kClientModeKey];
+  if ([mode respondsToSelector:@selector(longLongValue)]) {
+    cm = (NSInteger)[mode longLongValue];
+  }
+
   if (cm == SNTClientModeMonitor || cm == SNTClientModeLockdown) {
     return (SNTClientMode)cm;
   } else {
     LOGE(@"Client mode was set to bad value: %ld. Resetting to MONITOR.", cm);
-    self.configData[kClientModeKey] = @(SNTClientModeMonitor);
+    self.clientMode = SNTClientModeMonitor;
     return SNTClientModeMonitor;
   }
 }
@@ -195,10 +201,6 @@ static NSString *const kMachineIDPlistKeyKey = @"MachineIDKey";
   return self.configData[kEventDetailURLKey];
 }
 
-- (NSString *)eventDetailBundleURL {
-  return self.configData[kEventDetailBundleURLKey];
-}
-
 - (NSString *)eventDetailText {
   return self.configData[kEventDetailTextKey];
 }
@@ -253,12 +255,22 @@ static NSString *const kMachineIDPlistKeyKey = @"MachineIDKey";
   return self.configData[kServerAuthRootsFileKey];
 }
 
-- (NSDate *)syncLastSuccess {
-  return self.configData[kSyncLastSuccess];
+- (NSDate *)fullSyncLastSuccess {
+  return self.configData[kFullSyncLastSuccess];
 }
 
-- (void)setSyncLastSuccess:(NSDate *)syncLastSuccess {
-  self.configData[kSyncLastSuccess] = syncLastSuccess;
+- (void)setFullSyncLastSuccess:(NSDate *)fullSyncLastSuccess {
+  self.configData[kFullSyncLastSuccess] = fullSyncLastSuccess;
+  [self saveConfigToDisk];
+  self.ruleSyncLastSuccess = fullSyncLastSuccess;
+}
+
+- (NSDate *)ruleSyncLastSuccess {
+  return self.configData[kRuleSyncLastSuccess];
+}
+
+- (void)setRuleSyncLastSuccess:(NSDate *)ruleSyncLastSuccess {
+  self.configData[kRuleSyncLastSuccess] = ruleSyncLastSuccess;
   [self saveConfigToDisk];
 }
 
@@ -311,7 +323,14 @@ static NSString *const kMachineIDPlistKeyKey = @"MachineIDKey";
 
 - (void)reloadConfigData {
   NSFileManager *fm = [NSFileManager defaultManager];
-  if (![fm fileExistsAtPath:self.configFilePath]) return;
+  if (![fm fileExistsAtPath:self.configFilePath]) {
+    // As soon as saveConfigToDisk is called, reloadConfigData will be called again because
+    // of the SNTFileWatchers on the config path. No need to use dictionaryWithCapacity: here.
+    self.configData = [NSMutableDictionary dictionary];
+    self.configData[kClientModeKey] = @(SNTClientModeMonitor);
+    [self saveConfigToDisk];
+    return;
+  };
 
   NSError *error;
   NSData *readData = [NSData dataWithContentsOfFile:self.configFilePath

Source/common/SNTDropRootPrivs.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Foundation;
+
 ///
 ///  Simple function to check and drop root privileges.
 ///

Source/common/SNTFileInfo.h

@@ -12,6 +12,10 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Foundation;
+
+@class MOLCodesignChecker;
+
 ///
 ///  Represents a binary on disk, providing access to details about that binary
 ///  such as the SHA-1, SHA-256, Info.plist and the Mach-O data.
@@ -36,6 +40,18 @@
 ///
 - (instancetype)initWithPath:(NSString *)path;
 
+
+///
+///  Initializer for already resolved paths.
+///
+///  @param path The path of the file this instance is to represent. The path will
+///      not be converted and will be used as is. If the path is not a regular file this method will
+///      return nil and fill in an error.
+///  @param error If an error occurred and nil is returned, this will be a pointer to an NSError
+///      describing the problem.
+///
+- (instancetype)initWithResolvedPath:(NSString *)path error:(NSError **)error;
+
 ///
 ///  @return Path of this file.
 ///
@@ -84,6 +100,11 @@
 ///
 - (BOOL)isDylib;
 
+///
+///  @return YES if this file is a bundle executable (QuickLook/Spotlight plugin, etc.)
+///
+- (BOOL)isBundle;
+
 ///
 ///  @return YES if this file is a kernel extension.
 ///
@@ -104,11 +125,31 @@
 ///
 - (BOOL)isDMG;
 
+///
+///  @return NSString describing the kind of file (executable, bundle, script, etc.)
+///
+- (NSString *)humanReadableFileType;
+
 ///
 ///  @return YES if this file has a bad/missing __PAGEZERO .
 ///
 - (BOOL)isMissingPageZero;
 
+///
+///  If set to YES, the bundle* and infoPlist methods will search for and use the highest NSBundle
+///  found in the tree. Defaults to NO, which uses the first found bundle, if any.
+///
+///  @example:
+///      An SNTFileInfo object that represents
+///        /Applications/Photos.app/Contents/XPCServices/com.apple.Photos.librarychooserservice.xpc
+///      useAncestorBundle is set to YES
+///        /Applications/Photos.app will be used to get data backing all the bundle methods
+///
+///  @note: The NSBundle object backing the bundle* and infoPlist methods is cached once found.
+///         Setting the useAncestorBundle propery will clear this cache and force a re-search.
+///
+@property(nonatomic) BOOL useAncestorBundle;
+
 ///
 ///  @return An NSBundle if this file is part of a bundle.
 ///
@@ -171,4 +212,11 @@
 ///
 - (NSUInteger)fileSize;
 
+///
+///  @return Returns an instance of MOLCodeSignChecker initialized with the file's binary path.
+///  Both the MOLCodesignChecker and any resulting NSError are cached and returned on subsequent
+///  calls.  You may pass in NULL for the error if you don't care to receive it.
+///
+- (MOLCodesignChecker *)codesignCheckerWithError:(NSError **)error;
+
 @end

Source/common/SNTFileInfo.m

@@ -15,6 +15,7 @@
 #import "SNTFileInfo.h"
 
 #import <CommonCrypto/CommonDigest.h>
+#import <MOLCodesignChecker/MOLCodesignChecker.h>
 
 #include <mach-o/loader.h>
 #include <mach-o/swap.h>
@@ -53,29 +54,51 @@
 @property NSDictionary *infoDict;
 @property NSDictionary *quarantineDict;
 @property NSDictionary *cachedHeaders;
+@property MOLCodesignChecker *cachedCodesignChecker;
+@property(nonatomic) NSError *codesignCheckerError;
 @end
 
 @implementation SNTFileInfo
 
 extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 
-- (instancetype)initWithPath:(NSString *)path error:(NSError **)error {
+- (instancetype)initWithResolvedPath:(NSString *)path error:(NSError **)error {
   self = [super init];
   if (self) {
-    NSBundle *bndl;
-    _path = [self resolvePath:path bundle:&bndl];
-    _bundleRef = bndl;
-    if (_path.length == 0) {
+    _path = path;
+    if (!_path.length) {
       if (error) {
-        NSString *errStr = @"Unable to resolve empty path";
-        if (path) errStr = [@"Unable to resolve path: " stringByAppendingString:path];
+        NSString *errStr = @"Unable to use empty path";
         *error = [NSError errorWithDomain:@"com.google.santa.fileinfo"
-                                     code:260
+                                     code:270
                                  userInfo:@{NSLocalizedDescriptionKey : errStr}];
       }
       return nil;
     }
 
+    struct stat fileStat;
+    lstat(_path.UTF8String, &fileStat);
+    if (!((S_IFMT & fileStat.st_mode) == S_IFREG)) {
+      if (error) {
+        NSString *errStr = [NSString stringWithFormat:@"Non regular file: %s", strerror(errno)];
+        *error = [NSError errorWithDomain:@"com.google.santa.fileinfo"
+                                     code:290
+                                 userInfo:@{NSLocalizedDescriptionKey : errStr}];
+      }
+      return nil;
+    }
+
+    _fileSize = fileStat.st_size;
+
+    if (_fileSize == 0) return nil;
+
+    if (fileStat.st_uid != 0) {
+      struct passwd *pwd = getpwuid(fileStat.st_uid);
+      if (pwd) {
+        _fileOwnerHomeDir = @(pwd->pw_dir);
+      }
+    }
+
     int fd = open([_path UTF8String], O_RDONLY | O_CLOEXEC);
     if (fd < 0) {
       if (error) {
@@ -87,24 +110,29 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
       return nil;
     }
     _fileHandle = [[NSFileHandle alloc] initWithFileDescriptor:fd closeOnDealloc:YES];
-
-    struct stat fileStat;
-    fstat(_fileHandle.fileDescriptor, &fileStat);
-    _fileSize = fileStat.st_size;
-
-    if (_fileSize == 0) return nil;
-
-    if (fileStat.st_uid != 0) {
-      struct passwd *pwd = getpwuid(fileStat.st_uid);
-      if (pwd) {
-        _fileOwnerHomeDir = @(pwd->pw_dir);
-      }
-    }
   }
 
   return self;
 }
 
+- (instancetype)initWithPath:(NSString *)path error:(NSError **)error {
+  NSBundle *bndl;
+  NSString *resolvedPath = [self resolvePath:path bundle:&bndl];
+  if (!resolvedPath.length) {
+    if (error) {
+      NSString *errStr = @"Unable to resolve empty path";
+      if (path) errStr = [@"Unable to resolve path: " stringByAppendingString:path];
+      *error = [NSError errorWithDomain:@"com.google.santa.fileinfo"
+                                   code:260
+                               userInfo:@{NSLocalizedDescriptionKey : errStr}];
+    }
+    return nil;
+  }
+  self = [self initWithResolvedPath:resolvedPath error:error];
+  if (self && bndl) _bundleRef = bndl;
+  return self;
+}
+
 - (instancetype)initWithPath:(NSString *)path {
   return [self initWithPath:path error:NULL];
 }
@@ -196,22 +224,26 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
   return [self.machHeaders allKeys];
 }
 
-- (BOOL)isExecutable {
+- (uint32_t)machFileType {
   struct mach_header *mach_header = [self firstMachHeader];
-  if (mach_header && mach_header->filetype == MH_EXECUTE) return YES;
-  return NO;
+  if (mach_header) return mach_header->filetype;
+  return -1;
+}
+
+- (BOOL)isExecutable {
+  return [self machFileType] == MH_EXECUTE;
 }
 
 - (BOOL)isDylib {
-  struct mach_header *mach_header = [self firstMachHeader];
-  if (mach_header && mach_header->filetype == MH_DYLIB) return YES;
-  return NO;
+  return [self machFileType] == MH_DYLIB;
+}
+
+- (BOOL)isBundle {
+  return [self machFileType] == MH_BUNDLE;
 }
 
 - (BOOL)isKext {
-  struct mach_header *mach_header = [self firstMachHeader];
-  if (mach_header && mach_header->filetype == MH_KEXT_BUNDLE) return YES;
-  return NO;
+  return [self machFileType] == MH_KEXT_BUNDLE;
 }
 
 - (BOOL)isMachO {
@@ -233,11 +265,23 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 }
 
 - (BOOL)isDMG {
+  if (self.fileSize < 512) return NO;
   NSUInteger last512 = self.fileSize - 512;
   const char *magic = (const char *)[[self safeSubdataWithRange:NSMakeRange(last512, 4)] bytes];
   return (magic && memcmp("koly", magic, 4) == 0);
 }
 
+- (NSString *)humanReadableFileType {
+  if ([self isExecutable]) return @"Executable";
+  if ([self isDylib]) return @"Dynamic Library";
+  if ([self isBundle]) return @"Bundle/Plugin";
+  if ([self isKext]) return @"Kernel Extension";
+  if ([self isScript]) return @"Script";
+  if ([self isXARArchive]) return @"XAR Archive";
+  if ([self isDMG]) return @"Disk Image";
+  return @"Unknown";
+}
+
 #pragma mark Page Zero
 
 - (BOOL)isMissingPageZero {
@@ -276,34 +320,34 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 ///
 ///  Rationale: An NSBundle has a method executablePath for discovering the main binary within a
 ///  bundle but provides no way to get an NSBundle object when only the executablePath is known.
-///  Also a bundle can contain multiple binaries within the MacOS folder and we want any of these
+///  Also a bundle can contain multiple binaries within its subdirectories and we want any of these
 ///  to count as being part of the bundle.
 ///
-///  This method relies on executable bundles being laid out as follows:
+///  This method walks up the path until a bundle is found, if any.
 ///
-/// @code
-/// Bundle.app/
-///    Contents/
-///       MacOS/
-///         executable
-/// @endcode
-///
-///  If @c self.path is the full path to @c executable above, this method would return an
-///  NSBundle reference for Bundle.app.
+///  @param ancestor YES this will return the highest NSBundle found in the tree. No will return the
+///                  the lowest.
 ///
+-(NSBundle *)findBundleWithAncestor:(BOOL)ancestor {
+  NSBundle *bundle;
+  NSMutableArray *pathComponents = [[self.path pathComponents] mutableCopy];
+
+  // Ignore the root path "/", for some reason this is considered a bundle.
+  while (pathComponents.count > 1) {
+    NSBundle *bndl = [NSBundle bundleWithPath:[NSString pathWithComponents:pathComponents]];
+    if (bndl && [bndl objectForInfoDictionaryKey:@"CFBundleIdentifier"]) {
+      bundle = bndl;
+      if (!ancestor) break;
+    }
+    [pathComponents removeLastObject];
+  }
+  return bundle;
+}
+
 - (NSBundle *)bundle {
   if (!self.bundleRef) {
-    self.bundleRef = (NSBundle *)[NSNull null];
-
-    // Check that the full path is at least 4-levels deep:
-    // e.g: /Calendar.app/Contents/MacOS/Calendar
-    NSArray *pathComponents = [self.path pathComponents];
-    NSUInteger pathComponentsCount = pathComponents.count;
-    if (pathComponentsCount < 4) return nil;
-
-    pathComponents = [pathComponents subarrayWithRange:NSMakeRange(0, pathComponentsCount - 3)];
-    NSBundle *bndl = [NSBundle bundleWithPath:[NSString pathWithComponents:pathComponents]];
-    if (bndl && [bndl objectForInfoDictionaryKey:@"CFBundleIdentifier"]) self.bundleRef = bndl;
+    self.bundleRef =
+        [self findBundleWithAncestor:self.useAncestorBundle] ?: (NSBundle *)[NSNull null];
   }
   return self.bundleRef == (NSBundle *)[NSNull null] ? nil : self.bundleRef;
 }
@@ -312,6 +356,14 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
   return [self.bundle bundlePath];
 }
 
+- (void)setUseAncestorBundle:(BOOL)useAncestorBundle {
+  if (self.useAncestorBundle != useAncestorBundle) {
+    self.bundleRef = nil;
+    self.infoDict = nil;
+  }
+  _useAncestorBundle = useAncestorBundle;
+}
+
 - (NSDictionary *)infoPlist {
   if (!self.infoDict) {
     NSDictionary *d = [self embeddedPlist];
@@ -397,7 +449,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
     NSData *fatHeader = [self safeSubdataWithRange:range];
     struct fat_header *fh = (struct fat_header *)[fatHeader bytes];
 
-    if (fatHeader && (fh->magic == FAT_MAGIC || fh->magic == FAT_CIGAM)) {
+    if (fatHeader && (fh->magic == FAT_CIGAM || fh->magic == FAT_MAGIC)) {
       int nfat_arch = OSSwapBigToHostInt32(fh->nfat_arch);
       range = NSMakeRange(sizeof(struct fat_header), sizeof(struct fat_arch) * nfat_arch);
       NSMutableData *fatArchs = [[self safeSubdataWithRange:range] mutableCopy];
@@ -518,8 +570,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
     NSData *d = [self.fileHandle readDataOfLength:range.length];
     if (d.length != range.length) return nil;
     return d;
-  }
-  @catch (NSException *e) {
+  } @catch (NSException *e) {
     return nil;
   }
 }
@@ -530,7 +581,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 ///  is not the one who downloaded the file.
 ///
 - (NSDictionary *)quarantineData {
-  if (!self.quarantineDict && self.fileOwnerHomeDir) {
+  if (!self.quarantineDict && self.fileOwnerHomeDir && NSURLQuarantinePropertiesKey) {
     self.quarantineDict = (NSDictionary *)[NSNull null];
 
     NSURL *url = [NSURL fileURLWithPath:self.path];
@@ -634,7 +685,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
   BOOL directory;
   if (![[NSFileManager defaultManager] fileExistsAtPath:path isDirectory:&directory]) {
     return nil;
-  } else if (directory) {
+  } else if (directory && ![path isEqualToString:@"/"]) {
     NSBundle *bndl = [NSBundle bundleWithPath:path];
     if (bundle) *bundle = bndl;
     return [bndl executablePath];
@@ -643,4 +694,18 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
   }
 }
 
+///
+///  Cache and return a MOLCodeSignChecker for the given file.  If there was an error creating the
+///  code sign checker it will be returned in the passed-in error parameter.
+///
+- (MOLCodesignChecker *)codesignCheckerWithError:(NSError **)error {
+  if (!self.cachedCodesignChecker && !self.codesignCheckerError) {
+    NSError *e;
+    self.cachedCodesignChecker = [[MOLCodesignChecker alloc] initWithBinaryPath:self.path error:&e];
+    self.codesignCheckerError = e;
+  }
+  if (error) *error = self.codesignCheckerError;
+  return self.cachedCodesignChecker;
+}
+
 @end

Source/common/SNTFileWatcher.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Foundation;
+
 ///
 ///  Simple file watching class using dispatch sources. Will automatically
 ///  reload the watch if the file is deleted and continue watching for

Source/common/SNTFileWatcher.m

@@ -18,7 +18,7 @@
 
 @interface SNTFileWatcher ()
 @property NSString *filePath;
-@property(strong) void (^handler)(unsigned long);
+@property(copy) void (^handler)(unsigned long);
 
 @property dispatch_source_t source;
 @end
@@ -52,7 +52,8 @@
 
   dispatch_async(queue, ^{
     int fd = -1;
-    while ((fd = open([self.filePath fileSystemRepresentation], O_EVTONLY | O_CLOEXEC)) < 0) {
+    const char *filePath = [self.filePath fileSystemRepresentation];
+    while ((fd = open(filePath, O_EVTONLY | O_CLOEXEC)) < 0) {
       usleep(200000);  // wait 200ms
     }
     self.source = dispatch_source_create(DISPATCH_SOURCE_TYPE_VNODE, fd, mask, queue);
@@ -76,9 +77,7 @@
     });
 
     dispatch_source_set_cancel_handler(self.source, ^{
-      STRONGIFY(self);
-      int fd = (int)dispatch_source_get_handle(self.source);
-      if (fd > 0) close(fd);
+      close(fd);
     });
 
     dispatch_resume(self.source);
@@ -87,13 +86,7 @@
 
 - (void)stopWatchingFile {
   if (!self.source) return;
-
-  int fd = (int)dispatch_source_get_handle(self.source);
   dispatch_source_set_event_handler_f(self.source, NULL);
-  dispatch_source_set_cancel_handler(self.source, ^{
-    close(fd);
-  });
-
   dispatch_source_cancel(self.source);
   self.source = nil;
 }

Source/common/SNTKernelCommon.h

@@ -28,6 +28,10 @@
 #define USERCLIENT_CLASS "com_google_SantaDriver"
 #define USERCLIENT_ID "com.google.santa-driver"
 
+// Branch prediction
+#define likely(x)   __builtin_expect(!!(x), 1)
+#define unlikely(x) __builtin_expect(!!(x), 0)
+
 // List of methods supported by the driver.
 enum SantaDriverMethods {
   kSantaUserClientOpen,

Source/common/SNTLogging.h

@@ -24,16 +24,18 @@
 #include <IOKit/IOLib.h>
 
 #ifdef DEBUG
-#define LOGD(...) IOLog("D santa-driver: " __VA_ARGS__); IOLog("\n")
+#define LOGD(format, ...) IOLog("D santa-driver: " format "\n", ##__VA_ARGS__);
 #else  // DEBUG
-#define LOGD(...)
+#define LOGD(format, ...)
 #endif  // DEBUG
-#define LOGI(...) IOLog("I santa-driver: " __VA_ARGS__); IOLog("\n")
-#define LOGW(...) IOLog("W santa-driver: " __VA_ARGS__); IOLog("\n")
-#define LOGE(...) IOLog("E santa-driver: " __VA_ARGS__); IOLog("\n")
+#define LOGI(format, ...) IOLog("I santa-driver: " format "\n", ##__VA_ARGS__);
+#define LOGW(format, ...) IOLog("W santa-driver: " format "\n", ##__VA_ARGS__);
+#define LOGE(format, ...) IOLog("E santa-driver: " format "\n", ##__VA_ARGS__);
 
 #else  // KERNEL
 
+@import Foundation;
+
 typedef enum : NSUInteger {
   LOG_LEVEL_ERROR,
   LOG_LEVEL_WARN,

Source/common/SNTRule.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Foundation;
+
 #import "SNTCommonEnums.h"
 
 ///

Source/common/SNTStoredEvent.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Foundation;
+
 #import "SNTCommonEnums.h"
 
 ///
@@ -20,7 +22,7 @@
 @interface SNTStoredEvent : NSObject<NSSecureCoding>
 
 ///
-///  An index for this event, empty unless the event came from the database.
+///  An index for this event, randomly generated during initialization.
 ///
 @property NSNumber *idx;
 
@@ -34,6 +36,28 @@
 ///
 @property NSString *filePath;
 
+///
+///  Set to YES if the event is a part of a bundle. When an event is passed to SantaGUI this propery
+///  will be used as an indicator to to kick off bundle hashing as necessary. Default value is NO.
+///
+@property BOOL needsBundleHash;
+
+///
+///  If the executed file was part of a bundle, this is the calculated hash of all the nested
+///  executables within the bundle.
+///
+@property NSString *fileBundleHash;
+
+///
+///  If the executed file was part of a bundle, this is the time in ms it took to hash the bundle.
+///
+@property NSNumber *fileBundleHashMilliseconds;
+
+///
+///  If the executed file was part of a bundle, this is the total count of related mach-o binaries.
+///
+@property NSNumber *fileBundleBinaryCount;
+
 ///
 ///  If the executed file was part of the bundle, this is the CFBundleDisplayName, if it exists
 ///  or the CFBundleName if not.
@@ -45,6 +69,11 @@
 ///
 @property NSString *fileBundlePath;
 
+///
+///  The relative path to the bundle's main executable.
+///
+@property NSString *fileBundleExecutableRelPath;
+
 ///
 ///  If the executed file was part of the bundle, this is the CFBundleID.
 ///

Source/common/SNTStoredEvent.m

@@ -33,8 +33,13 @@
   ENCODE(self.fileSHA256, @"fileSHA256");
   ENCODE(self.filePath, @"filePath");
 
+  ENCODE(@(self.needsBundleHash), @"needsBundleHash");
+  ENCODE(self.fileBundleHash, @"fileBundleHash");
+  ENCODE(self.fileBundleHashMilliseconds, @"fileBundleHashMilliseconds");
+  ENCODE(self.fileBundleBinaryCount, @"fileBundleBinaryCount");
   ENCODE(self.fileBundleName, @"fileBundleName");
   ENCODE(self.fileBundlePath, @"fileBundlePath");
+  ENCODE(self.fileBundleExecutableRelPath, @"fileBundleExecutableRelPath");
   ENCODE(self.fileBundleID, @"fileBundleID");
   ENCODE(self.fileBundleVersion, @"fileBundleVersion");
   ENCODE(self.fileBundleVersionString, @"fileBundleVersionString");
@@ -57,6 +62,14 @@
   ENCODE(self.quarantineAgentBundleID, @"quarantineAgentBundleID");
 }
 
+- (instancetype)init {
+  self = [super init];
+  if (self) {
+    _idx = @(arc4random());
+  }
+  return self;
+}
+
 - (instancetype)initWithCoder:(NSCoder *)decoder {
   self = [super init];
   if (self) {
@@ -64,8 +77,13 @@
     _fileSHA256 = DECODE(NSString, @"fileSHA256");
     _filePath = DECODE(NSString, @"filePath");
 
+    _needsBundleHash = [DECODE(NSNumber, @"needsBundleHash") boolValue];
+    _fileBundleHash = DECODE(NSString, @"fileBundleHash");
+    _fileBundleHashMilliseconds = DECODE(NSNumber, @"fileBundleHashMilliseconds");
+    _fileBundleBinaryCount = DECODE(NSNumber, @"fileBundleBinaryCount");
     _fileBundleName = DECODE(NSString, @"fileBundleName");
     _fileBundlePath = DECODE(NSString, @"fileBundlePath");
+    _fileBundleExecutableRelPath = DECODE(NSString, @"fileBundleExecutableRelPath");
     _fileBundleID = DECODE(NSString, @"fileBundleID");
     _fileBundleVersion = DECODE(NSString, @"fileBundleVersion");
     _fileBundleVersionString = DECODE(NSString, @"fileBundleVersionString");

Source/common/SNTSystemInfo.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Foundation;
+
 ///
 ///  Simple class for fetching system information
 ///

Source/common/SNTXPCBundleServiceInterface.h

@@ -0,0 +1,57 @@
+/// Copyright 2017 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+@import Foundation;
+
+@class SNTStoredEvent;
+
+///  A block that takes the calculated bundle hash, associated events and hashing time in ms.
+typedef void (^SNTBundleHashBlock)(NSString *, NSArray<SNTStoredEvent *> *, NSNumber *);
+
+///  Protocol implemented by santabs and utilized by SantaGUI for bundle hashing
+@protocol SNTBundleServiceXPC
+
+///
+///  @param listener The listener to connect back to the SantaGUI.
+///
+- (void)setBundleNotificationListener:(NSXPCListenerEndpoint *)listener;
+
+///
+///  Hash a bundle for an event. The SNTBundleHashBlock will be called with nil parameters if a
+///  failure or cancellation occurs.
+///
+///  @param event The event that includes the fileBundlePath to be hashed. This method will
+///      attempt to to find and use the ancestor bundle as a starting point.
+///  @param reply A SNTBundleHashBlock to be executed upon completion or cancellation.
+///
+///  @note If there is a current NSProgress when called this method will report back its progress.
+///
+- (void)hashBundleBinariesForEvent:(SNTStoredEvent *)event reply:(SNTBundleHashBlock)reply;
+
+@end
+
+@interface SNTXPCBundleServiceInterface : NSObject
+
+///
+///  Returns an initialized NSXPCInterface for the SNTBundleServiceXPC protocol.
+///  Ensures any methods that accept custom classes as arguments are set-up before returning.
+///
++ (NSXPCInterface *)bundleServiceInterface;
+
+///
+///  Returns the MachService ID for this service.
+///
++ (NSString *)serviceId;
+
+@end

Source/common/SNTXPCBundleServiceInterface.m

@@ -0,0 +1,36 @@
+/// Copyright 2017 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTXPCBundleServiceInterface.h"
+
+#import "SNTStoredEvent.h"
+
+@implementation SNTXPCBundleServiceInterface
+
++ (NSXPCInterface *)bundleServiceInterface {
+  NSXPCInterface *r = [NSXPCInterface interfaceWithProtocol:@protocol(SNTBundleServiceXPC)];
+
+  [r setClasses:[NSSet setWithObjects:[NSArray class], [SNTStoredEvent class], nil]
+        forSelector:@selector(hashBundleBinariesForEvent:reply:)
+      argumentIndex:1
+            ofReply:YES];
+
+  return r;
+}
+
++ (NSString *)serviceId {
+  return @"com.google.santabs";
+}
+
+@end

Source/common/SNTXPCConnection.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Foundation;
+
 /**
   A wrapper around NSXPCListener and NSXPCConnection to provide client multiplexing, signature
   validation of connecting clients and forced connection establishment.
@@ -63,13 +65,20 @@
 - (nullable instancetype)initServerWithName:(nonnull NSString *)name;
 
 /**
-  Initializer a new client to a service exported by a LaunchDaemon.
+  Initialize a new client to a service exported by a LaunchDaemon.
 
   @param name MachService name
   @param privileged Use YES if the server is running as root.
 */
 - (nullable instancetype)initClientWithName:(nonnull NSString *)name privileged:(BOOL)privileged;
 
+/**
+  Initialize a new client to a service within a bundle.
+
+  @param name service name
+*/
+- (nullable instancetype)initClientWithServiceName:(nonnull NSString *)name;
+
 /**
   Initialize a new client with a listener endpoint sent from another process.
 

Source/common/SNTXPCConnection.m

@@ -95,6 +95,17 @@
   return self;
 }
 
+- (instancetype)initClientWithServiceName:(NSString *)name {
+  self = [super init];
+  if (self) {
+    _currentConnection = [[NSXPCConnection alloc] initWithServiceName:name];
+    if (!_currentConnection) return nil;
+    _validationInterface =
+        [NSXPCInterface interfaceWithProtocol:@protocol(SNTXPCConnectionProtocol)];
+  }
+  return self;
+}
+
 - (instancetype)init {
   [self doesNotRecognizeSelector:_cmd];
   return nil;
@@ -113,8 +124,10 @@
     // send a message to the listener to finish establishing the connection
     dispatch_semaphore_t sema = dispatch_semaphore_create(0);
     self.currentConnection.remoteObjectInterface = self.validationInterface;
-    self.currentConnection.interruptionHandler = self.invalidationHandler;
-    self.currentConnection.invalidationHandler = self.invalidationHandler;
+    self.currentConnection.interruptionHandler = self.currentConnection.invalidationHandler = ^{
+      STRONGIFY(self);
+      if (self.invalidationHandler) self.invalidationHandler();
+    };
     [self.currentConnection resume];
     [[self.currentConnection remoteObjectProxy] connectWithReply:^{
       STRONGIFY(self);
@@ -126,6 +139,12 @@
       if (self.acceptedHandler) self.acceptedHandler();
     }];
     if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 2 * NSEC_PER_SEC))) {
+      // This is unusual - as we're not inside a block - but necessary in case the caller sets an
+      // invalidation handler that causes this instance to be released (which is a reasonable
+      // approach). If establishing a connection fails, the invalidation handler will be called
+      // and then shortly after this bit of code will run causing a crash.
+      STRONGIFY(self);
+
       // Connection was not established in a reasonable time, invalidate.
       self.currentConnection.remoteObjectInterface = nil;  // ensure clients don't try to use it.
       [self.currentConnection invalidate];

Source/common/SNTXPCControlInterface.h

@@ -12,8 +12,14 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Foundation;
+
+#import <MOLCertificate/MOLCertificate.h>
+
+#import "SNTCachedDecision.h"
 #import "SNTCommonEnums.h"
 #import "SNTKernelCommon.h"
+#import "SNTXPCBundleServiceInterface.h"
 
 @class SNTRule;
 @class SNTStoredEvent;
@@ -27,7 +33,7 @@
 ///
 ///  Kernel ops
 ///
-- (void)cacheCount:(void (^)(int64_t))reply;
+- (void)cacheCounts:(void (^)(uint64_t rootCache, uint64_t nonRootCache))reply;
 - (void)flushCache:(void (^)(BOOL))reply;
 - (void)checkCacheForVnodeID:(uint64_t)vnodeID withReply:(void (^)(santa_action_t))reply;
 
@@ -38,13 +44,28 @@
 - (void)databaseRuleAddRules:(NSArray *)rules
                   cleanSlate:(BOOL)cleanSlate
                        reply:(void (^)(NSError *error))reply;
-
 - (void)databaseEventCount:(void (^)(int64_t count))reply;
-- (void)databaseEventForSHA256:(NSString *)sha256 reply:(void (^)(SNTStoredEvent *))reply;
 - (void)databaseEventsPending:(void (^)(NSArray *events))reply;
 - (void)databaseRemoveEventsWithIDs:(NSArray *)ids;
-- (void)databaseBinaryRuleForSHA256:(NSString *)sha256 reply:(void (^)(SNTRule *))reply;
-- (void)databaseCertificateRuleForSHA256:(NSString *)sha256 reply:(void (^)(SNTRule *))reply;
+- (void)databaseRuleForBinarySHA256:(NSString *)binarySHA256
+                  certificateSHA256:(NSString *)certificateSHA256
+                              reply:(void (^)(SNTRule *))reply;
+///
+///  Decision ops
+///
+
+///
+///  @param filePath A Path to the file, can be nil.
+///  @param fileSHA256 The pre-calculated SHA256 hash for the file, can be nil. If nil the hash will
+///                    be calculated by this method from the filePath.
+///  @param certificateSHA256 A SHA256 hash of the signing certificate, can be nil.
+///  @note If fileInfo and signingCertificate are both passed in, the most specific rule will be
+///        returned. Binary rules take precedence over cert rules.
+///
+- (void)decisionForFilePath:(NSString *)filePath
+                 fileSHA256:(NSString *)fileSHA256
+          certificateSHA256:(NSString *)certificateSHA256
+                      reply:(void (^)(SNTEventState))reply;
 
 ///
 ///  Config ops
@@ -54,16 +75,32 @@
 - (void)setClientMode:(SNTClientMode)mode reply:(void (^)())reply;
 - (void)xsrfToken:(void (^)(NSString *))reply;
 - (void)setXsrfToken:(NSString *)token reply:(void (^)())reply;
-- (void)setNextSyncInterval:(uint64_t)seconds reply:(void (^)())reply;
 - (void)setSyncLastSuccess:(NSDate *)date reply:(void (^)())reply;
+- (void)setRuleSyncLastSuccess:(NSDate *)date reply:(void (^)())reply;
 - (void)setSyncCleanRequired:(BOOL)cleanReqd reply:(void (^)())reply;
 - (void)setWhitelistPathRegex:(NSString *)pattern reply:(void (^)())reply;
 - (void)setBlacklistPathRegex:(NSString *)pattern reply:(void (^)())reply;
+- (void)bundlesEnabled:(void (^)(BOOL))reply;
+- (void)setBundlesEnabled:(BOOL)bundlesEnabled reply:(void (^)())reply;
 
 ///
 ///  GUI Ops
 ///
 - (void)setNotificationListener:(NSXPCListenerEndpoint *)listener;
+- (void)setBundleNotificationListener:(NSXPCListenerEndpoint *)listener;
+
+///
+///  Syncd Ops
+///
+- (void)setSyncdListener:(NSXPCListenerEndpoint *)listener;
+- (void)pushNotifications:(void (^)(BOOL))reply;
+- (void)postRuleSyncNotificationWithCustomMessage:(NSString *)message reply:(void (^)())reply;
+
+///
+///  Bundle Ops
+///
+- (void)hashBundleBinariesForEvent:(SNTStoredEvent *)event reply:(SNTBundleHashBlock)reply;
+- (void)syncBundleEvent:(SNTStoredEvent *)event relatedEvents:(NSArray<SNTStoredEvent *> *)events;
 
 @end
 

Source/common/SNTXPCControlInterface.m

@@ -37,6 +37,16 @@
       argumentIndex:0
             ofReply:NO];
 
+  [r setClasses:[NSSet setWithObjects:[NSArray class], [SNTStoredEvent class], nil]
+        forSelector:@selector(hashBundleBinariesForEvent:reply:)
+      argumentIndex:1
+            ofReply:YES];
+
+  [r setClasses:[NSSet setWithObjects:[NSArray class], [SNTStoredEvent class], nil]
+        forSelector:@selector(syncBundleEvent:relatedEvents:)
+      argumentIndex:1
+            ofReply:NO];
+
   return r;
 }
 

Source/common/SNTXPCNotifierInterface.h

@@ -12,7 +12,10 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Foundation;
+
 #import "SNTCommonEnums.h"
+#import "SNTXPCBundleServiceInterface.h"
 
 @class SNTStoredEvent;
 
@@ -20,6 +23,17 @@
 @protocol SNTNotifierXPC
 - (void)postBlockNotification:(SNTStoredEvent *)event withCustomMessage:(NSString *)message;
 - (void)postClientModeNotification:(SNTClientMode)clientmode;
+- (void)postRuleSyncNotificationWithCustomMessage:(NSString *)message;
+@end
+
+/// Protocol implemented by SantaGUI and utilized by santabs
+@protocol SNTBundleNotifierXPC
+- (void)updateCountsForEvent:(SNTStoredEvent *)event
+                 binaryCount:(uint64_t)binaryCount
+                   fileCount:(uint64_t)fileCount
+                 hashedCount:(uint64_t)hashedCount;
+
+- (void)setBundleServiceListener:(NSXPCListenerEndpoint *)listener;
 @end
 
 @interface SNTXPCNotifierInterface : NSObject
@@ -30,4 +44,10 @@
 ///
 + (NSXPCInterface *)notifierInterface;
 
+///
+///  @return an initialized NSXPCInterface for the SNTBundleNotifierXPC protocol.
+///  Ensures any methods that accept custom classes as arguments are set-up before returning
+///
++ (NSXPCInterface *)bundleNotifierInterface;
+
 @end

Source/common/SNTXPCNotifierInterface.m

@@ -20,4 +20,8 @@
   return [NSXPCInterface interfaceWithProtocol:@protocol(SNTNotifierXPC)];
 }
 
++ (NSXPCInterface *)bundleNotifierInterface {
+  return [NSXPCInterface interfaceWithProtocol:@protocol(SNTBundleNotifierXPC)];
+}
+
 @end

Source/common/SNTXPCSyncdInterface.h

@@ -0,0 +1,37 @@
+/// Copyright 2016 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+@import Foundation;
+
+#import "SNTCommonEnums.h"
+
+@class SNTStoredEvent;
+
+/// Protocol implemented by santactl and utilized by santad
+@protocol SNTSyncdXPC
+- (void)postEventsToSyncServer:(NSArray<SNTStoredEvent *> *)events isFromBundle:(BOOL)isFromBundle;
+- (void)postBundleEventToSyncServer:(SNTStoredEvent *)event
+                              reply:(void (^)(SNTBundleEventAction))reply;
+- (void)isFCMListening:(void (^)(BOOL))reply;
+@end
+
+@interface SNTXPCSyncdInterface : NSObject
+
+///
+///  Returns an initialized NSXPCInterface for the SNTSyncdXPC protocol.
+///  Ensures any methods that accept custom classes as arguments are set-up before returning
+///
++ (NSXPCInterface *)syncdInterface;
+
+@end

Source/common/SNTXPCSyncdInterface.m

@@ -0,0 +1,32 @@
+/// Copyright 2016 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTXPCSyncdInterface.h"
+
+#import "SNTStoredEvent.h"
+
+@implementation SNTXPCSyncdInterface
+
++ (NSXPCInterface *)syncdInterface {
+  NSXPCInterface *r = [NSXPCInterface interfaceWithProtocol:@protocol(SNTSyncdXPC)];
+
+  [r setClasses:[NSSet setWithObjects:[NSArray class], [SNTStoredEvent class], nil]
+        forSelector:@selector(postEventsToSyncServer:isFromBundle:)
+      argumentIndex:0
+            ofReply:NO];
+
+  return r;
+}
+
+@end

Source/santa-driver/SantaCache.h

@@ -22,9 +22,6 @@
 
 #include "SNTKernelCommon.h"
 
-#define likely(x)   __builtin_expect((x), 1)
-#define unlikely(x) __builtin_expect((x), 0)
-
 #ifdef KERNEL
 #include <IOKit/IOLib.h>
 #else // KERNEL
@@ -91,8 +88,9 @@ template<class T> class SantaCache {
     struct entry *entry = (struct entry *)((uintptr_t)bucket->head - 1);
     while (entry != nullptr) {
       if (entry->key == key) {
+        T val = entry->value;
         unlock(bucket);
-        return entry->value;
+        return val;
       }
       entry = entry->next;
     }
@@ -103,12 +101,19 @@ template<class T> class SantaCache {
   /**
     Set an element in the cache.
 
-    @note If the cache is full when this is called, this will empty the cache before
-    inserting the new value.
+    @note If the cache is full when this is called, this will
+          empty the cache before inserting the new value.
 
-    @return if an existing value was replaced, the previous value, otherwise zero_
+    @param key, The key
+    @param value, The value with parameterized type
+    @param previous_value, If the has_prev_value parameter is true the new
+        value will only be set if this parameter is equal to the provided value.
+        This allows set to become a CAS operation.
+    @param has_prev_value, Pass true if previous_value should be used.
+
+    @return the previous value (which may be zero_)
   */
-  T set(uint64_t key, T value) {
+  T set(uint64_t key, T value, T previous_value, bool has_prev_value) {
     struct bucket *bucket = &buckets_[hash(key)];
     lock(bucket);
     struct entry *entry = (struct entry *)((uintptr_t)bucket->head - 1);
@@ -116,6 +121,12 @@ template<class T> class SantaCache {
     while (entry != nullptr) {
       if (entry->key == key) {
         T existing_value = entry->value;
+
+        if (has_prev_value && previous_value != existing_value) {
+          unlock(bucket);
+          return existing_value;
+        }
+
         entry->value = value;
 
         if (value == zero_) {
@@ -136,13 +147,15 @@ template<class T> class SantaCache {
     }
 
     // If value is zero_, we're clearing but there's nothing to clear
-    // so we don't need to do anything else.
-    if (value == zero_) {
+    // so we don't need to do anything else. Alternatively, if has_prev_value
+    // is true and is not zero_ we don't want to set a value.
+    if (value == zero_ || (has_prev_value && previous_value != zero_)) {
       unlock(bucket);
       return zero_;
     }
 
-    // Check that adding this new item won't take the cache over its maximum size.
+    // Check that adding this new item won't take the cache
+    // over its maximum size.
     if (count_ + 1 > max_size_) {
       unlock(bucket);
       lock(&clear_bucket_);
@@ -154,9 +167,10 @@ template<class T> class SantaCache {
       unlock(&clear_bucket_);
     }
 
-    // Allocate a new entry, set the key and value, then set the next pointer as the current
-    // first entry in the bucket then make this new entry the first in the bucket.
-    struct entry *new_entry = (struct entry *)IOMallocAligned(sizeof(struct entry), 2);
+    // Allocate a new entry, set the key and value, then put this new entry at
+    // the head of this bucket's linked list.
+    struct entry *new_entry = (struct entry *)IOMallocAligned(
+        sizeof(struct entry), 2);
     new_entry->key = key;
     new_entry->value = value;
     new_entry->next = (struct entry *)((uintptr_t)bucket->head - 1);
@@ -167,6 +181,20 @@ template<class T> class SantaCache {
     return zero_;
   }
 
+  /**
+    Overload to allow setting without providing a previous value
+  */
+  T set(uint64_t key, T value) {
+    return set(key, value, {}, false);
+  }
+
+  /**
+    Overload to allow setting while providing a previous value
+  */
+  T set(uint64_t key, T value, T previous_value) {
+    return set(key, value, previous_value, true);
+  }
+
   /**
     An alias for `set(key, zero_)`
   */
@@ -249,7 +277,7 @@ template<class T> class SantaCache {
   /**
     Holder for a 'zero' entry for the current type
   */
-  T zero_ = {};
+  const T zero_ = {};
 
   /**
     Special bucket used when automatically clearing due to size

Source/santa-driver/SantaDecisionManager.cc

@@ -29,7 +29,8 @@ bool SantaDecisionManager::init() {
   decision_dataqueue_lock_ = lck_mtx_alloc_init(sdm_lock_grp_, sdm_lock_attr_);
   log_dataqueue_lock_ = lck_mtx_alloc_init(sdm_lock_grp_, sdm_lock_attr_);
 
-  decision_cache_ = new SantaCache<uint64_t>(10000, 2);
+  root_decision_cache_ = new SantaCache<uint64_t>(5000, 2);
+  non_root_decision_cache_ = new SantaCache<uint64_t>(500, 2);
   vnode_pid_map_ = new SantaCache<uint64_t>(2000, 5);
 
   decision_dataqueue_ = IOSharedDataQueue::withEntries(
@@ -41,12 +42,17 @@ bool SantaDecisionManager::init() {
   if (!log_dataqueue_) return kIOReturnNoMemory;
 
   client_pid_ = 0;
+  root_fsid_ = 0;
+
+  ts_ = { .tv_sec = kRequestLoopSleepMilliseconds / 1000,
+          .tv_nsec = kRequestLoopSleepMilliseconds % 1000 * 1000000 };
 
   return true;
 }
 
 void SantaDecisionManager::free() {
-  delete decision_cache_;
+  delete root_decision_cache_;
+  delete non_root_decision_cache_;
   delete vnode_pid_map_;
 
   if (decision_dataqueue_lock_) {
@@ -87,6 +93,17 @@ void SantaDecisionManager::ConnectClient(pid_t pid) {
 
   client_pid_ = pid;
 
+  // Determine root fsid
+  vfs_context_t ctx = vfs_context_create(NULL);
+  if (ctx) {
+    vnode_t root = vfs_rootvnode();
+    if (root) {
+      root_fsid_ = GetVnodeIDForVnode(ctx, root) >> 32;
+      vnode_put(root);
+    }
+    vfs_context_rele(ctx);
+  }
+
   // Any decisions made while the daemon wasn't
   // connected should be cleared
   ClearCache();
@@ -162,7 +179,8 @@ kern_return_t SantaDecisionManager::StartListener() {
   if (!vnode_listener_) return kIOReturnInternalError;
 
   fileop_listener_ = kauth_listen_scope(
-      KAUTH_SCOPE_FILEOP, fileop_scope_callback, reinterpret_cast<void *>(this));
+      KAUTH_SCOPE_FILEOP, fileop_scope_callback,
+      reinterpret_cast<void *>(this));
   if (!fileop_listener_) return kIOReturnInternalError;
 
   LOGD("Listeners started.");
@@ -192,28 +210,58 @@ kern_return_t SantaDecisionManager::StopListener() {
 
 #pragma mark Cache Management
 
+/**
+  Return the correct cache for a given identifier.
+
+  @param identifier The identifier
+  @return SantaCache* The cache to use
+*/
+SantaCache<uint64_t>* SantaDecisionManager::CacheForIdentifier(
+    const uint64_t identifier) {
+  return (identifier >> 32 == root_fsid_) ?
+    root_decision_cache_ : non_root_decision_cache_;
+}
+
 void SantaDecisionManager::AddToCache(
     uint64_t identifier, santa_action_t decision, uint64_t microsecs) {
   // Decision is stored in upper 8 bits, timestamp in remaining 56.
   uint64_t val = ((uint64_t)decision << 56) | (microsecs & 0xFFFFFFFFFFFFFF);
 
-  // If a previous entry was not found and the new entry is not `REQUEST_BINARY`, remove the
-  // existing entry. This is to prevent adding an ALLOW to the cache after a write has occurred.
-  if (decision_cache_->set(identifier, val) == 0 && decision != ACTION_REQUEST_BINARY) {
-    decision_cache_->remove(identifier);
+  auto decision_cache = CacheForIdentifier(identifier);
+
+  switch (decision) {
+    case ACTION_REQUEST_BINARY:
+      decision_cache->set(identifier, val, 0);
+      break;
+    case ACTION_RESPOND_ALLOW:
+    case ACTION_RESPOND_DENY:
+      decision_cache->set(
+          identifier, val, ((uint64_t)ACTION_REQUEST_BINARY << 56));
+      break;
+    default:
+      break;
   }
+
+  wakeup((void *)identifier);
 }
 
 void SantaDecisionManager::RemoveFromCache(uint64_t identifier) {
-  decision_cache_->remove(identifier);
+  CacheForIdentifier(identifier)->remove(identifier);
+  if (unlikely(!identifier)) return;
+  wakeup((void *)identifier);
 }
 
-uint64_t SantaDecisionManager::CacheCount() const {
-  return decision_cache_->count();
+uint64_t SantaDecisionManager::RootCacheCount() const {
+  return root_decision_cache_->count();
 }
 
-void SantaDecisionManager::ClearCache() {
-  decision_cache_->clear();
+uint64_t SantaDecisionManager::NonRootCacheCount() const {
+  return non_root_decision_cache_->count();
+}
+
+void SantaDecisionManager::ClearCache(bool non_root_only) {
+  if (!non_root_only) root_decision_cache_->clear();
+  non_root_decision_cache_->clear();
 }
 
 #pragma mark Decision Fetching
@@ -222,7 +270,9 @@ santa_action_t SantaDecisionManager::GetFromCache(uint64_t identifier) {
   auto result = ACTION_UNSET;
   uint64_t decision_time = 0;
 
-  uint64_t cache_val = decision_cache_->get(identifier);
+  auto decision_cache = CacheForIdentifier(identifier);
+
+  uint64_t cache_val = decision_cache->get(identifier);
   if (cache_val == 0) return result;
 
   // Decision is stored in upper 8 bits, timestamp in remaining 56.
@@ -231,14 +281,9 @@ santa_action_t SantaDecisionManager::GetFromCache(uint64_t identifier) {
 
   if (RESPONSE_VALID(result)) {
     if (result == ACTION_RESPOND_DENY) {
-      auto diff_time = GetCurrentUptime();
-      if ((kMaxDenyCacheTimeMilliseconds * 1000) > diff_time) {
-        diff_time = 0;
-      } else {
-        diff_time -= (kMaxDenyCacheTimeMilliseconds * 1000);
-      }
-      if (decision_time < diff_time) {
-        decision_cache_->remove(identifier);
+      auto expiry_time = decision_time + (kMaxDenyCacheTimeMilliseconds * 1000);
+      if (expiry_time < GetCurrentUptime()) {
+        decision_cache->remove(identifier);
         return ACTION_UNSET;
       }
     }
@@ -247,30 +292,32 @@ santa_action_t SantaDecisionManager::GetFromCache(uint64_t identifier) {
   return result;
 }
 
-santa_action_t SantaDecisionManager::GetFromDaemon(santa_message_t *message, uint64_t identifier) {
+santa_action_t SantaDecisionManager::GetFromDaemon(
+    santa_message_t *message, uint64_t identifier) {
   auto return_action = ACTION_UNSET;
 
+#ifdef DEBUG
+  clock_sec_t secs = 0;
+  clock_usec_t microsecs = 0;
+  clock_get_system_microtime(&secs, &microsecs);
+  uint64_t uptime = (secs * 1000000) + microsecs;
+#endif
+
   // Wait for the daemon to respond or die.
   do {
-    // Add pending request to cache, to be replaced by daemon with actual response
+    // Add pending request to cache, to be replaced
+    // by daemon with actual response.
     AddToCache(identifier, ACTION_REQUEST_BINARY, 0);
 
-    // Send request to daemon...
+    // Send request to daemon.
     if (!PostToDecisionQueue(message)) {
-      OSIncrementAtomic(&failed_decision_queue_requests_);
-      if (failed_decision_queue_requests_ > kMaxDecisionQueueFailures) {
-        LOGE("Failed to queue more than %d requests, killing daemon",
-             kMaxDecisionQueueFailures);
-        proc_signal(client_pid_, SIGKILL);
-        client_pid_ = 0;
-      }
       LOGE("Failed to queue request for %s.", message->path);
       RemoveFromCache(identifier);
       return ACTION_ERROR;
     }
 
     do {
-      IOSleep(kRequestLoopSleepMilliseconds);
+      msleep((void *)message->vnode_id, NULL, 0, "", &ts_);
       return_action = GetFromCache(identifier);
     } while (return_action == ACTION_REQUEST_BINARY && ClientConnected());
   } while (!RESPONSE_VALID(return_action) && ClientConnected());
@@ -283,21 +330,38 @@ santa_action_t SantaDecisionManager::GetFromDaemon(santa_message_t *message, uin
     return ACTION_ERROR;
   }
 
+#ifdef DEBUG
+  clock_get_system_microtime(&secs, &microsecs);
+  LOGD("Decision time: %4lldms (%s)",
+       (((secs * 1000000) + microsecs) - uptime) / 1000, message->path);
+#endif
+
   return return_action;
 }
 
 santa_action_t SantaDecisionManager::FetchDecision(
     const kauth_cred_t cred,
     const vnode_t vp,
-    const uint64_t vnode_id,
-    const char *vnode_id_str) {
-  if (!ClientConnected()) return ACTION_RESPOND_ALLOW;
+    const uint64_t vnode_id) {
+  while (true) {
+    if (!ClientConnected()) return ACTION_RESPOND_ALLOW;
 
-  // Check to see if item is in cache
-  auto return_action = GetFromCache(vnode_id);
+    // Check to see if item is in cache
+    auto return_action = GetFromCache(vnode_id);
 
-  // If item was in cache return it.
-  if (RESPONSE_VALID(return_action)) return return_action;
+    // If item was in cache with a valid response, return it.
+    // If item is in cache but hasn't received a response yet, sleep for a bit.
+    // If item is not in cache, break out of loop to send request to daemon.
+    if (RESPONSE_VALID(return_action)) {
+      return return_action;
+    } else if (return_action == ACTION_REQUEST_BINARY) {
+      // This thread will now sleep for kRequestLoopSleepMilliseconds (1s) or
+      // until AddToCache is called, indicating a response has arrived.
+      msleep((void *)vnode_id, NULL, 0, "", &ts_);
+    } else {
+      break;
+    }
+  }
 
   // Get path
   char path[MAXPATHLEN];
@@ -311,7 +375,7 @@ santa_action_t SantaDecisionManager::FetchDecision(
   message->action = ACTION_REQUEST_BINARY;
   message->vnode_id = vnode_id;
   proc_name(message->ppid, message->pname, sizeof(message->pname));
-  return_action = GetFromDaemon(message, vnode_id);
+  auto return_action = GetFromDaemon(message, vnode_id);
   delete message;
   return return_action;
 }
@@ -321,6 +385,14 @@ santa_action_t SantaDecisionManager::FetchDecision(
 bool SantaDecisionManager::PostToDecisionQueue(santa_message_t *message) {
   lck_mtx_lock(decision_dataqueue_lock_);
   auto kr = decision_dataqueue_->enqueue(message, sizeof(santa_message_t));
+  if (!kr) {
+    if (++failed_decision_queue_requests_ > kMaxDecisionQueueFailures) {
+      LOGE("Failed to queue more than %d decision requests, killing daemon",
+           kMaxDecisionQueueFailures);
+      proc_signal(client_pid_, SIGKILL);
+      client_pid_ = 0;
+    }
+  }
   lck_mtx_unlock(decision_dataqueue_lock_);
   return kr;
 }
@@ -329,7 +401,7 @@ bool SantaDecisionManager::PostToLogQueue(santa_message_t *message) {
   lck_mtx_lock(log_dataqueue_lock_);
   auto kr = log_dataqueue_->enqueue(message, sizeof(santa_message_t));
   if (!kr) {
-    if (OSCompareAndSwap(0, 1, &failed_log_queue_requests_)) {
+    if (failed_log_queue_requests_++ == 0) {
       LOGW("Dropping log queue messages");
     }
     // If enqueue failed, pop an item off the queue and try again.
@@ -337,7 +409,9 @@ bool SantaDecisionManager::PostToLogQueue(santa_message_t *message) {
     log_dataqueue_->dequeue(0, &dataSize);
     kr = log_dataqueue_->enqueue(message, sizeof(santa_message_t));
   } else {
-    OSCompareAndSwap(1, 0, &failed_log_queue_requests_);
+    if (failed_log_queue_requests_ > 0) {
+      failed_log_queue_requests_--;
+    }
   }
   lck_mtx_unlock(log_dataqueue_lock_);
   return kr;
@@ -359,16 +433,12 @@ int SantaDecisionManager::VnodeCallback(const kauth_cred_t cred,
                                         const vfs_context_t ctx,
                                         const vnode_t vp,
                                         int *errno) {
-  // Only operate on regular files (not directories, symlinks, etc.).
-  if (vnode_vtype(vp) != VREG) return KAUTH_RESULT_DEFER;
-
-  // Get ID for the vnode and convert it to a string.
+  // Get ID for the vnode
   auto vnode_id = GetVnodeIDForVnode(ctx, vp);
-  char vnode_str[MAX_VNODE_ID_STR];
-  snprintf(vnode_str, MAX_VNODE_ID_STR, "%llu", vnode_id);
+  if (!vnode_id) return KAUTH_RESULT_DEFER;
 
   // Fetch decision
-  auto returnedAction = FetchDecision(cred, vp, vnode_id, vnode_str);
+  auto returnedAction = FetchDecision(cred, vp, vnode_id);
 
   // If file has dirty blocks, remove from cache and deny. This would usually
   // be the case if a file has been written to and flushed but not yet
@@ -404,14 +474,14 @@ int SantaDecisionManager::VnodeCallback(const kauth_cred_t cred,
 void SantaDecisionManager::FileOpCallback(
     const kauth_action_t action, const vnode_t vp,
     const char *path, const char *new_path) {
+  if (!ClientConnected() || proc_selfpid() == client_pid_) return;
+
   if (vp) {
     auto context = vfs_context_create(nullptr);
     auto vnode_id = GetVnodeIDForVnode(context, vp);
     vfs_context_rele(context);
 
     if (action == KAUTH_FILEOP_CLOSE) {
-      char vnode_id_str[MAX_VNODE_ID_STR];
-      snprintf(vnode_id_str, MAX_VNODE_ID_STR, "%llu", vnode_id);
       RemoveFromCache(vnode_id);
     } else if (action == KAUTH_FILEOP_EXEC) {
       auto message = NewMessage(nullptr);
@@ -432,9 +502,7 @@ void SantaDecisionManager::FileOpCallback(
 
   // Filter out modifications to locations that are definitely
   // not useful or made by santad.
-  if (proc_selfpid() != client_pid_ &&
-      !strprefix(path, "/.") &&
-      !strprefix(path, "/dev")) {
+  if (!strprefix(path, "/.") && !strprefix(path, "/dev")) {
     auto message = NewMessage(nullptr);
     strlcpy(message->path, path, sizeof(message->path));
     if (new_path) strlcpy(message->newpath, new_path, sizeof(message->newpath));
@@ -474,6 +542,11 @@ extern "C" int fileop_scope_callback(
   auto sdm = OSDynamicCast(
       SantaDecisionManager, reinterpret_cast<OSObject *>(idata));
 
+  if (unlikely(sdm == nullptr)) {
+    LOGE("fileop_scope_callback called with no decision manager");
+    return KAUTH_RESULT_DEFER;
+  }
+
   vnode_t vp = nullptr;
   char *path = nullptr;
   char *new_path = nullptr;
@@ -505,24 +578,28 @@ extern "C" int fileop_scope_callback(
 extern "C" int vnode_scope_callback(
     kauth_cred_t credential, void *idata, kauth_action_t action,
     uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3) {
-  if (action & KAUTH_VNODE_ACCESS || idata == nullptr) {
-    return KAUTH_RESULT_DEFER;
-  }
-
   auto sdm = OSDynamicCast(
       SantaDecisionManager, reinterpret_cast<OSObject *>(idata));
 
-  if (action & KAUTH_VNODE_EXECUTE) {
+  if (unlikely(sdm == nullptr)) {
+    LOGE("vnode_scope_callback called with no decision manager");
+    return KAUTH_RESULT_DEFER;
+  }
+
+  vnode_t vp = reinterpret_cast<vnode_t>(arg1);
+
+  // We only care about regular files.
+  if (vnode_vtype(vp) != VREG) return KAUTH_RESULT_DEFER;
+
+  if ((action & KAUTH_VNODE_EXECUTE) && !(action & KAUTH_VNODE_ACCESS)) {
     sdm->IncrementListenerInvocations();
     int result = sdm->VnodeCallback(credential,
                                     reinterpret_cast<vfs_context_t>(arg0),
-                                    reinterpret_cast<vnode_t>(arg1),
+                                    vp,
                                     reinterpret_cast<int *>(arg3));
     sdm->DecrementListenerInvocations();
     return result;
   } else if (action & KAUTH_VNODE_WRITE_DATA) {
-    vnode_t vp = reinterpret_cast<vnode_t>(arg1);
-    if (vnode_vtype(vp) != VREG) return KAUTH_RESULT_DEFER;
     sdm->IncrementListenerInvocations();
     char path[MAXPATHLEN];
     int pathlen = MAXPATHLEN;

Source/santa-driver/SantaDecisionManager.h

@@ -52,8 +52,8 @@ class SantaDecisionManager : public OSObject {
   IOMemoryDescriptor *GetDecisionMemoryDescriptor() const;
 
   /**
-   Called by SantaDriverClient during connection to provide the shared
-   dataqueue memory to the client for the logging queue.
+    Called by SantaDriverClient during connection to provide the shared
+    dataqueue memory to the client for the logging queue.
   */
   IOMemoryDescriptor *GetLogMemoryDescriptor() const;
 
@@ -96,10 +96,11 @@ class SantaDecisionManager : public OSObject {
   void RemoveFromCache(uint64_t identifier);
 
   /// Returns the number of entries in the cache.
-  uint64_t CacheCount() const;
+  uint64_t RootCacheCount() const;
+  uint64_t NonRootCacheCount() const;
 
-  /// Clears the cache.
-  void ClearCache();
+  /// Clears the cache(s). If non_root_only is true, only the non-root cache is cleared.
+  void ClearCache(bool non_root_only = false);
 
   /// Increments the count of active callbacks pending.
   void IncrementListenerInvocations();
@@ -129,12 +130,12 @@ class SantaDecisionManager : public OSObject {
   void FileOpCallback(kauth_action_t action, const vnode_t vp,
                       const char *path, const char *new_path);
 
- protected:
+ private:
   /**
-    While waiting for a response from the daemon, this is the number of
+    While waiting for a response from the daemon, this is the maximum number of
     milliseconds to sleep for before checking the cache for a response.
   */
-  static const uint32_t kRequestLoopSleepMilliseconds = 10;
+  static const uint32_t kRequestLoopSleepMilliseconds = 1000;
 
   /// The maximum number of milliseconds a cached deny message should be considered valid.
   static const uint64_t kMaxDenyCacheTimeMilliseconds = 500;
@@ -149,7 +150,7 @@ class SantaDecisionManager : public OSObject {
   static const uint32_t kMaxDecisionQueueEvents = 512;
 
   /// The maximum number of messages can be kept in the logging data queue at any time.
-  static const uint32_t kMaxLogQueueEvents = 1024;
+  static const uint32_t kMaxLogQueueEvents = 2048;
 
   /**
     Fetches a response from the daemon. Handles both daemon death
@@ -170,10 +171,10 @@ class SantaDecisionManager : public OSObject {
     @param cred The credential for this request.
     @param vp The Vnode for this request.
     @param vnode_id The ID for this vnode.
-    @param vnode_id_str A string representation of the above ID.
+    @return santa_action_t The response for this request
   */
   santa_action_t FetchDecision(
-      const kauth_cred_t cred, const vnode_t vp, const uint64_t vnode_id, const char *vnode_id_str);
+      const kauth_cred_t cred, const vnode_t vp, const uint64_t vnode_id);
 
   /**
     Posts the requested message to the decision data queue.
@@ -243,10 +244,22 @@ class SantaDecisionManager : public OSObject {
     return (uint64_t)((sec * 1000000) + usec);
   }
 
- private:
-  SantaCache<uint64_t> *decision_cache_;
+  SantaCache<uint64_t> *root_decision_cache_;
+  SantaCache<uint64_t> *non_root_decision_cache_;
   SantaCache<uint64_t> *vnode_pid_map_;
 
+  /**
+    Return the correct cache for a given identifier.
+
+    @param identifier The identifier
+    @return SantaCache* The cache to use
+  */
+  SantaCache<uint64_t>* CacheForIdentifier(const uint64_t identifier);
+
+  // This is the file system ID of the root filesystem,
+  // used to determine which cache to use for requests
+  uint32_t root_fsid_;
+
   lck_grp_t *sdm_lock_grp_;
   lck_grp_attr_t *sdm_lock_grp_attr_;
   lck_attr_t *sdm_lock_attr_;
@@ -256,8 +269,8 @@ class SantaDecisionManager : public OSObject {
 
   IOSharedDataQueue *decision_dataqueue_;
   IOSharedDataQueue *log_dataqueue_;
-  int32_t failed_decision_queue_requests_;
-  int32_t failed_log_queue_requests_;
+  uint32_t failed_decision_queue_requests_;
+  uint32_t failed_log_queue_requests_;
 
   int32_t listener_invocations_;
 
@@ -265,6 +278,8 @@ class SantaDecisionManager : public OSObject {
 
   kauth_listener_t vnode_listener_;
   kauth_listener_t fileop_listener_;
+
+  struct timespec ts_;
 };
 
 /**

Source/santa-driver/SantaDriverClient.cc

@@ -110,97 +110,80 @@ IOReturn SantaDriverClient::clientMemoryForType(
 
 #pragma mark Callable Methods
 
-IOReturn SantaDriverClient::open() {
-  if (isInactive()) return kIOReturnNotAttached;
+IOReturn SantaDriverClient::open(
+    OSObject *target,
+    void *reference,
+    IOExternalMethodArguments *arguments) {
+  SantaDriverClient *me = OSDynamicCast(SantaDriverClient, target);
+  if (!me) return kIOReturnBadArgument;
 
-  if (!myProvider->open(this)) {
+  if (me->isInactive()) return kIOReturnNotAttached;
+  if (!me->myProvider->open(me)) {
     LOGW("A second client tried to connect.");
     return kIOReturnExclusiveAccess;
   }
 
+  LOGI("Client connected.");
+
   return kIOReturnSuccess;
 }
 
-IOReturn SantaDriverClient::static_open(
-    SantaDriverClient *target,
-    void *reference,
-    IOExternalMethodArguments *arguments) {
-  if (!target) return kIOReturnBadArgument;
-  return target->open();
-}
+IOReturn SantaDriverClient::allow_binary(
+    OSObject *target, void *reference, IOExternalMethodArguments *arguments) {
+  SantaDriverClient *me = OSDynamicCast(SantaDriverClient, target);
+  if (!me) return kIOReturnBadArgument;
+
+  const uint64_t vnode_id = static_cast<const uint64_t>(arguments->scalarInput[0]);
+  if (!vnode_id) return kIOReturnInvalid;
+  me->decisionManager->AddToCache(vnode_id, ACTION_RESPOND_ALLOW);
 
-IOReturn SantaDriverClient::allow_binary(const uint64_t vnode_id) {
-  decisionManager->AddToCache(vnode_id, ACTION_RESPOND_ALLOW);
   return kIOReturnSuccess;
 }
 
-IOReturn SantaDriverClient::static_allow_binary(
-    SantaDriverClient *target,
-    void *reference,
-    IOExternalMethodArguments *arguments) {
-  if (!target) return kIOReturnBadArgument;
-  if (arguments->scalarInput == nullptr) return kIOReturnBadArgument;
+IOReturn SantaDriverClient::deny_binary(
+    OSObject *target, void *reference, IOExternalMethodArguments *arguments) {
+  SantaDriverClient *me = OSDynamicCast(SantaDriverClient, target);
+  if (!me) return kIOReturnBadArgument;
 
-  return target->allow_binary(
-      static_cast<const uint64_t>(*arguments->scalarInput));
-}
+  const uint64_t vnode_id = static_cast<const uint64_t>(arguments->scalarInput[0]);
+  if (!vnode_id) return kIOReturnInvalid;
+  me->decisionManager->AddToCache(vnode_id, ACTION_RESPOND_DENY);
 
-IOReturn SantaDriverClient::deny_binary(const uint64_t vnode_id) {
-  decisionManager->AddToCache(vnode_id, ACTION_RESPOND_DENY);
   return kIOReturnSuccess;
 }
 
-IOReturn SantaDriverClient::static_deny_binary(
-    com_google_SantaDriverClient *target,
-    void *reference,
-    IOExternalMethodArguments *arguments) {
-  if (!target) return kIOReturnBadArgument;
-  if (arguments->scalarInput == nullptr) return kIOReturnBadArgument;
+IOReturn SantaDriverClient::clear_cache(
+    OSObject *target, void *reference, IOExternalMethodArguments *arguments) {
+  SantaDriverClient *me = OSDynamicCast(SantaDriverClient, target);
+  if (!me) return kIOReturnBadArgument;
 
-  return target->deny_binary(
-      static_cast<const uint64_t>(*arguments->scalarInput));
-}
+  const bool non_root_only = static_cast<const bool>(arguments->scalarInput[0]);
+  me->decisionManager->ClearCache(non_root_only);
 
-IOReturn SantaDriverClient::clear_cache() {
-  decisionManager->ClearCache();
   return kIOReturnSuccess;
 }
 
-IOReturn SantaDriverClient::static_clear_cache(
-    com_google_SantaDriverClient *target,
-    void *reference,
-    IOExternalMethodArguments *arguments) {
-  if (!target) return kIOReturnBadArgument;
-  return target->clear_cache();
-}
+IOReturn SantaDriverClient::cache_count(
+    OSObject *target, void *reference, IOExternalMethodArguments *arguments) {
+  SantaDriverClient *me = OSDynamicCast(SantaDriverClient, target);
+  if (!me) return kIOReturnBadArgument;
 
-IOReturn SantaDriverClient::cache_count(uint64_t *output) {
-  *output = decisionManager->CacheCount();
+  arguments->scalarOutput[0] = me->decisionManager->RootCacheCount();
+  arguments->scalarOutput[1] = me->decisionManager->NonRootCacheCount();
   return kIOReturnSuccess;
 }
 
-IOReturn SantaDriverClient::static_cache_count(
-    com_google_SantaDriverClient *target,
-    void *reference,
-    IOExternalMethodArguments *arguments) {
-  if (!target) return kIOReturnBadArgument;
-  return target->cache_count(&(arguments->scalarOutput[0]));
-}
+IOReturn SantaDriverClient::check_cache(
+    OSObject *target, void *reference, IOExternalMethodArguments *arguments) {
+  SantaDriverClient *me = OSDynamicCast(SantaDriverClient, target);
+  if (!me) return kIOReturnBadArgument;
+
+  const uint64_t input = static_cast<const uint64_t>(arguments->scalarInput[0]);
+  arguments->scalarOutput[0] = me->decisionManager->GetFromCache(input);
 
-IOReturn SantaDriverClient::check_cache(uint64_t vnode_id, uint64_t *output) {
-  *output = decisionManager->GetFromCache(vnode_id);
   return kIOReturnSuccess;
 }
 
-IOReturn SantaDriverClient::static_check_cache(
-    com_google_SantaDriverClient *target,
-    void *reference,
-    IOExternalMethodArguments *arguments) {
-  if (!target) return kIOReturnBadArgument;
-  return target->check_cache(reinterpret_cast<uint64_t>(*arguments->scalarInput),
-                             &(arguments->scalarOutput[0]));
-}
-
 #pragma mark Method Resolution
 
 IOReturn SantaDriverClient::externalMethod(
@@ -212,67 +195,22 @@ IOReturn SantaDriverClient::externalMethod(
   ///  Array of methods callable by clients. The order of these must match the
   ///  order of the items in SantaDriverMethods in SNTKernelCommon.h
   static IOExternalMethodDispatch sMethods[kSantaUserClientNMethods] = {
-    {
-      reinterpret_cast<IOExternalMethodAction>(&SantaDriverClient::static_open),
-      0,  // input scalar
-      0,  // input struct
-      0,  // output scalar
-      0   // output struct
-    },
-    {
-      reinterpret_cast<IOExternalMethodAction>(
-          &SantaDriverClient::static_allow_binary),
-      1,
-      0,
-      0,
-      0
-    },
-    {
-      reinterpret_cast<IOExternalMethodAction>(
-          &SantaDriverClient::static_deny_binary),
-      1,
-      0,
-      0,
-      0
-    },
-    {
-      reinterpret_cast<IOExternalMethodAction>(
-          &SantaDriverClient::static_clear_cache),
-      0,
-      0,
-      0,
-      0
-    },
-    {
-      reinterpret_cast<IOExternalMethodAction>(
-          &SantaDriverClient::static_cache_count),
-      0,
-      0,
-      1,
-      0
-    },
-    {
-      reinterpret_cast<IOExternalMethodAction>(
-          &SantaDriverClient::static_check_cache),
-      1,
-      0,
-      1,
-      0
-    }
+    // Function ptr, input scalar count, input struct size, output scalar count, output struct size
+    { &SantaDriverClient::open, 0, 0, 0, 0 },
+    { &SantaDriverClient::allow_binary, 1, 0, 0, 0 },
+    { &SantaDriverClient::deny_binary, 1, 0, 0, 0 },
+    { &SantaDriverClient::clear_cache, 1, 0, 0, 0 },
+    { &SantaDriverClient::cache_count, 0, 0, 2, 0 },
+    { &SantaDriverClient::check_cache, 1, 0, 1, 0 }
   };
 
-  if (selector < static_cast<UInt32>(kSantaUserClientNMethods)) {
-    dispatch = &(sMethods[selector]);
-    if (!target) target = this;
-  } else {
+  if (selector > static_cast<UInt32>(kSantaUserClientNMethods)) {
     return kIOReturnBadArgument;
   }
 
-  return super::externalMethod(selector,
-                               arguments,
-                               dispatch,
-                               target,
-                               reference);
+  dispatch = &(sMethods[selector]);
+  if (!target) target = this;
+  return super::externalMethod(selector, arguments, dispatch, target, reference);
 }
 
 #undef super

Source/santa-driver/SantaDriverClient.h

@@ -72,52 +72,33 @@ class com_google_SantaDriverClient : public IOUserClient {
 
   ///
   ///  The userpsace callable methods are below. Each method corresponds
-  ///  to an entry in SantaDriverMethods. Each method has a static version
-  ///  which just calls the method on the provided target.
+  ///  to an entry in SantaDriverMethods.
   ///
 
   ///  Called during client connection.
-  IOReturn open();
-  static IOReturn static_open(
-      com_google_SantaDriverClient *target,
-      void *reference,
-      IOExternalMethodArguments *arguments);
+  static IOReturn open(
+      OSObject *target, void *reference, IOExternalMethodArguments *arguments);
 
   ///  The daemon calls this to allow a binary.
-  IOReturn allow_binary(uint64_t vnode_id);
-  static IOReturn static_allow_binary(
-      com_google_SantaDriverClient *target,
-      void *reference,
-      IOExternalMethodArguments *arguments);
+  static IOReturn allow_binary(
+      OSObject *target, void *reference,IOExternalMethodArguments *arguments);
 
   ///  The daemon calls this to deny a binary.
-  IOReturn deny_binary(uint64_t vnode_id);
-  static IOReturn static_deny_binary(
-      com_google_SantaDriverClient *target,
-      void *reference,
-      IOExternalMethodArguments *arguments);
+  static IOReturn deny_binary(
+      OSObject *target, void *reference, IOExternalMethodArguments *arguments);
 
   ///  The daemon calls this to empty the cache.
-  IOReturn clear_cache();
-  static IOReturn static_clear_cache(
-      com_google_SantaDriverClient *target,
-      void *reference,
-      IOExternalMethodArguments *arguments);
+  static IOReturn clear_cache(
+      OSObject *target, void *reference, IOExternalMethodArguments *arguments);
 
   ///  The daemon calls this to find out how many items are in the cache
-  IOReturn cache_count(uint64_t *output);
-  static IOReturn static_cache_count(
-      com_google_SantaDriverClient *target,
-      void *reference,
-      IOExternalMethodArguments *arguments);
+  static IOReturn cache_count(
+      OSObject *target, void *reference, IOExternalMethodArguments *arguments);
 
   ///  The daemon calls this to find out the status of a vnode_id in the cache.
   ///  Output will be a santa_action_t.
-  IOReturn check_cache(uint64_t vnode_id, uint64_t *output);
-  static IOReturn static_check_cache(
-      com_google_SantaDriverClient *target,
-      void *reference,
-      IOExternalMethodArguments *arguments);
+  static IOReturn check_cache(
+      OSObject *target, void *reference, IOExternalMethodArguments *arguments);
 
  private:
   com_google_SantaDriver *myProvider;

Source/santabs/Resources/santabs-Info.plist

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>CFBundleDevelopmentRegion</key>
+	<string>en</string>
+	<key>CFBundleDisplayName</key>
+	<string>santabs</string>
+	<key>CFBundleExecutable</key>
+	<string>$(EXECUTABLE_NAME)</string>
+	<key>CFBundleIdentifier</key>
+	<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
+	<key>CFBundleInfoDictionaryVersion</key>
+	<string>6.0</string>
+	<key>CFBundleName</key>
+	<string>$(PRODUCT_NAME)</string>
+	<key>CFBundlePackageType</key>
+	<string>XPC!</string>
+	<key>CFBundleShortVersionString</key>
+	<string>1.0</string>
+	<key>CFBundleSignature</key>
+	<string>????</string>
+	<key>CFBundleVersion</key>
+	<string>1</string>
+	<key>XPCService</key>
+	<dict>
+		<key>ServiceType</key>
+		<string>Application</string>
+	</dict>
+</dict>
+</plist>

Source/santabs/SNTBundleService.h

@@ -0,0 +1,20 @@
+/// Copyright 2017 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+@import Foundation;
+
+#import "SNTXPCBundleServiceInterface.h"
+
+@interface SNTBundleService : NSObject<SNTBundleServiceXPC>
+@end

Source/santabs/SNTBundleService.m

@@ -0,0 +1,303 @@
+/// Copyright 2017 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTBundleService.h"
+
+#import <CommonCrypto/CommonDigest.h>
+#import <pthread/pthread.h>
+
+#import "MOLCertificate.h"
+#import "MOLCodesignChecker.h"
+#import "SNTFileInfo.h"
+#import "SNTStoredEvent.h"
+#import "SNTXPCConnection.h"
+#import "SNTXPCNotifierInterface.h"
+
+@interface SNTBundleService ()
+@property SNTXPCConnection *notifierConnection;
+@property SNTXPCConnection *listener;
+@property(nonatomic) dispatch_queue_t queue;
+@end
+
+@implementation SNTBundleService
+
+- (instancetype)init {
+  self = [super init];
+  if (self) {
+    _queue = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0);
+  }
+  return self;
+}
+
+#pragma mark Connection handling
+
+// Create a listener for SantaGUI to connect
+- (void)createConnection {
+  dispatch_semaphore_t sema = dispatch_semaphore_create(0);
+
+  // Create listener for return connection from SantaGUI.
+  NSXPCListener *listener = [NSXPCListener anonymousListener];
+  self.listener = [[SNTXPCConnection alloc] initServerWithListener:listener];
+  self.listener.exportedInterface = [SNTXPCBundleServiceInterface bundleServiceInterface];
+  self.listener.exportedObject = self;
+  self.listener.acceptedHandler = ^{
+    dispatch_semaphore_signal(sema);
+  };
+
+  // Exit when SantaGUI is done with us.
+  self.listener.invalidationHandler = ^{
+    exit(0);
+  };
+
+  [self.listener resume];
+
+  // Tell SantaGUI to connect back to the above listener.
+  [[self.notifierConnection remoteObjectProxy] setBundleServiceListener:listener.endpoint];
+
+  // Now wait for the connection to come in.
+  if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC))) {
+    [self attemptReconnection];
+  }
+}
+
+- (void)attemptReconnection {
+  [self performSelectorInBackground:@selector(createConnection) withObject:nil];
+}
+
+#pragma mark SNTBundleServiceXPC Methods
+
+// Connect to the SantaGUI
+- (void)setBundleNotificationListener:(NSXPCListenerEndpoint *)listener {
+  SNTXPCConnection *c = [[SNTXPCConnection alloc] initClientWithListener:listener];
+  c.remoteInterface = [SNTXPCNotifierInterface bundleNotifierInterface];
+  [c resume];
+  self.notifierConnection = c;
+  dispatch_async(self.queue, ^{
+    [self createConnection];
+  });
+}
+
+- (void)hashBundleBinariesForEvent:(SNTStoredEvent *)event
+                             reply:(SNTBundleHashBlock)reply {
+  NSProgress *progress =
+      [NSProgress currentProgress] ? [NSProgress progressWithTotalUnitCount:100] : nil;
+
+  NSDate *startTime = [NSDate date];
+
+  dispatch_semaphore_t sema = dispatch_semaphore_create(0);
+
+  dispatch_async(self.queue, ^{
+    // Use the highest bundle we can find. Save and reuse the bundle infomation when creating
+    // the related binary events.
+    SNTFileInfo *b = [[SNTFileInfo alloc] initWithPath:event.fileBundlePath];
+    b.useAncestorBundle = YES;
+    event.fileBundlePath = b.bundlePath;
+    event.fileBundleID = b.bundleIdentifier;
+    event.fileBundleName = b.bundleName;
+    event.fileBundleVersion = b.bundleVersion;
+    event.fileBundleVersionString = b.bundleShortVersionString;
+
+    // For most apps this should be "Contents/MacOS/AppName"
+    if (b.bundle.executablePath.length > b.bundlePath.length) {
+      event.fileBundleExecutableRelPath =
+          [b.bundle.executablePath substringFromIndex:b.bundlePath.length + 1];
+    }
+
+    NSDictionary *relatedEvents = [self findRelatedBinaries:event progress:progress];
+    NSString *bundleHash = [self calculateBundleHashFromSHA256Hashes:relatedEvents.allKeys
+                                                            progress:progress];
+
+    NSNumber *ms = [NSNumber numberWithDouble:[startTime timeIntervalSinceNow] * -1000.0];
+
+    reply(bundleHash, relatedEvents.allValues, ms);
+    dispatch_semaphore_signal(sema);
+  });
+
+  // Master timeout of 10 min. Don't block the calling thread. NSProgress updates will be coming
+  // in over this thread.
+  dispatch_async(self.queue, ^{
+    if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 600 * NSEC_PER_SEC))) {
+      [progress cancel];
+    }
+  });
+}
+
+#pragma mark Internal Methods
+
+/**
+  Find binaries within a bundle given the bundle's event. It will run until a timeout occurs,
+  or until the NSProgress is cancelled. Search is done within the bundle concurrently.
+
+  @param event The SNTStoredEvent to begin searching.
+  @return An NSDictionary object with keys of fileSHA256 and values of SNTStoredEvent objects.
+*/
+- (NSDictionary *)findRelatedBinaries:(SNTStoredEvent *)event progress:(NSProgress *)progress {
+  // Find all files and folders within the fileBundlePath
+  NSFileManager *fm = [NSFileManager defaultManager];
+  NSArray *subpaths = [fm subpathsOfDirectoryAtPath:event.fileBundlePath error:NULL];
+
+  // This array is used to store pointers to executable SNTFileInfo objects. There will be one block
+  // dispatched per file in dirEnum. These blocks will write pointers to this array concurrently.
+  // No locks are used since every file has a slot.
+  //
+  // Xcode.app has roughly 500k files, 8bytes per pointer is ~4MB for this array. This size to space
+  // ratio seems appropriate as Xcode.app is in the upper bounds of bundle size.
+  __block void **fis = calloc(subpaths.count, sizeof(void *));
+
+  // Counts used as additional progress information in SantaGUI
+  __block volatile int64_t binaryCount = 0;
+  __block volatile int64_t sentBinaryCount = 0;
+
+  // Account for 80% of the work
+  NSProgress *p;
+  if (progress) {
+    [progress becomeCurrentWithPendingUnitCount:80];
+    p = [NSProgress progressWithTotalUnitCount:subpaths.count * 100];
+  }
+
+  // Dispatch a block for every file in dirEnum.
+  dispatch_apply(subpaths.count, self.queue, ^(size_t i) {
+    @autoreleasepool {
+      if (progress.isCancelled) return;
+
+      dispatch_sync(dispatch_get_main_queue(), ^{
+        p.completedUnitCount++;
+        if (progress && ((i % 500) == 0 || binaryCount > sentBinaryCount)) {
+          sentBinaryCount = binaryCount;
+          [[self.notifierConnection remoteObjectProxy] updateCountsForEvent:event
+                                                                binaryCount:binaryCount
+                                                                  fileCount:i
+                                                                hashedCount:0];
+        }
+      });
+
+      NSString *subpath = subpaths[i];
+
+      NSString *file =
+          [event.fileBundlePath stringByAppendingPathComponent:subpath].stringByStandardizingPath;
+      SNTFileInfo *fi = [[SNTFileInfo alloc] initWithResolvedPath:file error:NULL];
+      if (!fi.isExecutable) return;
+
+      fis[i] = (__bridge_retained void *)fi;
+      OSAtomicIncrement64Barrier(&binaryCount);
+    }
+  });
+
+  [progress resignCurrent];
+
+  NSMutableArray *fileInfos = [NSMutableArray arrayWithCapacity:binaryCount];
+  for (NSUInteger i = 0; i < subpaths.count; i++) {
+    if (fis[i]) [fileInfos addObject:(__bridge_transfer SNTFileInfo *)fis[i]];
+  }
+
+  free(fis);
+
+  return [self generateEventsFromBinaries:fileInfos blockingEvent:event progress:progress];
+}
+
+- (NSDictionary *)generateEventsFromBinaries:(NSArray *)fis
+                               blockingEvent:(SNTStoredEvent *)event
+                                    progress:(NSProgress *)progress {
+  if (progress.isCancelled) return nil;
+
+  NSMutableDictionary *relatedEvents = [NSMutableDictionary dictionaryWithCapacity:fis.count];
+
+  // Account for 15% of the work
+  NSProgress *p;
+  if (progress) {
+    [progress becomeCurrentWithPendingUnitCount:15];
+    p = [NSProgress progressWithTotalUnitCount:fis.count * 100];
+  }
+
+  dispatch_apply(fis.count, self.queue, ^(size_t i) {
+    @autoreleasepool {
+      if (progress.isCancelled) return;
+
+      SNTFileInfo *fi = fis[i];
+
+      SNTStoredEvent *se = [[SNTStoredEvent alloc] init];
+      se.filePath = fi.path;
+      se.fileSHA256 = fi.SHA256;
+      se.occurrenceDate = [NSDate distantFuture];
+      se.decision = SNTEventStateBundleBinary;
+
+      se.fileBundlePath = event.fileBundlePath;
+      se.fileBundleExecutableRelPath = event.fileBundleExecutableRelPath;
+      se.fileBundleID = event.fileBundleID;
+      se.fileBundleName = event.fileBundleName;
+      se.fileBundleVersion = event.fileBundleVersion;
+      se.fileBundleVersionString = event.fileBundleVersionString;
+
+      MOLCodesignChecker *cs = [fi codesignCheckerWithError:NULL];
+      se.signingChain = cs.certificates;
+
+      dispatch_sync(dispatch_get_main_queue(), ^{
+        relatedEvents[se.fileSHA256] = se;
+        p.completedUnitCount++;
+        if (progress) {
+          [[self.notifierConnection remoteObjectProxy] updateCountsForEvent:event
+                                                                binaryCount:fis.count
+                                                                  fileCount:0
+                                                                hashedCount:i];
+        }
+      });
+    }
+  });
+
+  [progress resignCurrent];
+
+  return relatedEvents;
+}
+
+- (NSString *)calculateBundleHashFromSHA256Hashes:(NSArray *)hashes
+                                         progress:(NSProgress *)progress {
+  if (!hashes.count) return nil;
+
+  // Account for 5% of the work
+  NSProgress *p;
+  if (progress) {
+    [progress becomeCurrentWithPendingUnitCount:5];
+    p = [NSProgress progressWithTotalUnitCount:5 * 100];
+  }
+
+  NSMutableArray *sortedHashes = [hashes mutableCopy];
+  [sortedHashes sortUsingSelector:@selector(localizedCaseInsensitiveCompare:)];
+  NSString *sha256Hashes = [sortedHashes componentsJoinedByString:@""];
+
+  CC_SHA256_CTX c256;
+  CC_SHA256_Init(&c256);
+  CC_SHA256_Update(&c256, (const void *)sha256Hashes.UTF8String, (CC_LONG)sha256Hashes.length);
+  unsigned char digest[CC_SHA256_DIGEST_LENGTH];
+  CC_SHA256_Final(digest, &c256);
+
+  NSString *const SHA256FormatString =
+    @"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
+    "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x";
+
+  NSString *sha256 = [[NSString alloc] initWithFormat:SHA256FormatString,
+      digest[0], digest[1], digest[2], digest[3],
+      digest[4], digest[5], digest[6], digest[7],
+      digest[8], digest[9], digest[10], digest[11],
+      digest[12], digest[13], digest[14], digest[15],
+      digest[16], digest[17], digest[18], digest[19],
+      digest[20], digest[21], digest[22], digest[23],
+      digest[24], digest[25], digest[26], digest[27],
+      digest[28], digest[29], digest[30], digest[31]];
+
+  p.completedUnitCount++;
+  [progress resignCurrent];
+  return sha256;
+}
+
+@end

Source/santabs/main.m

@@ -0,0 +1,27 @@
+/// Copyright 2017 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+@import Foundation;
+
+#import "SNTBundleService.h"
+#import "SNTXPCBundleServiceInterface.h"
+#import "SNTXPCConnection.h"
+
+int main(int argc, const char *argv[]) {
+  SNTXPCConnection *c =
+      [[SNTXPCConnection alloc] initServerWithListener:[NSXPCListener serviceListener]];
+  c.exportedInterface = [SNTXPCBundleServiceInterface bundleServiceInterface];
+  c.exportedObject = [[SNTBundleService alloc] init];
+  [c resume];
+}

Source/santactl/Commands/SNTCommandBundleInfo.m

@@ -0,0 +1,79 @@
+/// Copyright 2017 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTCommand.h"
+#import "SNTCommandController.h"
+
+#import "SNTFileInfo.h"
+#import "SNTLogging.h"
+#import "SNTStoredEvent.h"
+#import "SNTXPCConnection.h"
+#import "SNTXPCControlInterface.h"
+
+@interface SNTCommandBundleInfo : SNTCommand<SNTCommandProtocol>
+@end
+
+@implementation SNTCommandBundleInfo
+
+#ifdef DEBUG
+REGISTER_COMMAND_NAME(@"bundleinfo")
+#endif
+
++ (BOOL)requiresRoot {
+  return NO;
+}
+
++ (BOOL)requiresDaemonConn {
+  return YES;
+}
+
++ (NSString *)shortHelpText {
+  return @"Searches a bundle for binaries";
+}
+
++ (NSString *)longHelpText {
+  return @"Searches a bundle for binaries";
+}
+
+- (void)runWithArguments:(NSArray *)arguments {
+  NSError *error;
+  SNTFileInfo *fi = [[SNTFileInfo alloc] initWithPath:arguments.firstObject error:&error];
+  if (!fi) {
+    printf("%s\n", error.description.UTF8String);
+    exit(1);
+  } else if (!fi.bundle) {
+    printf("Not a bundle\n");
+    exit(2);
+  }
+
+  SNTStoredEvent *se = [[SNTStoredEvent alloc] init];
+  se.fileBundlePath = fi.bundlePath;
+
+  [[self.daemonConn remoteObjectProxy]
+      hashBundleBinariesForEvent:se
+                           reply:^(NSString *hash, NSArray<SNTStoredEvent *> *events,
+                                   NSNumber *time) {
+    printf("Hashing time: %llu ms\n", time.unsignedLongLongValue);
+    printf("%lu events found\n", events.count);
+    printf("BundleHash: %s\n", hash.UTF8String);
+
+    for (SNTStoredEvent *event in events) {
+      printf("BundleID: %s \n\tSHA-256: %s \n\tPath: %s\n",
+             event.fileBundleID.UTF8String, event.fileSHA256.UTF8String, event.filePath.UTF8String);
+    }
+    exit(0);
+  }];
+}
+
+@end

Source/santactl/Commands/SNTCommandCheckCache.m

@@ -12,6 +12,9 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Foundation;
+
+#import "SNTCommand.h"
 #import "SNTCommandController.h"
 
 #import "SNTLogging.h"
@@ -20,7 +23,7 @@
 
 #include <sys/stat.h>
 
-@interface SNTCommandCheckCache : NSObject<SNTCommand>
+@interface SNTCommandCheckCache : SNTCommand<SNTCommandProtocol>
 @end
 
 @implementation SNTCommandCheckCache
@@ -46,9 +49,10 @@ REGISTER_COMMAND_NAME(@"checkcache")
           @"Returns 0 if successful, 1 otherwise");
 }
 
-+ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
+- (void)runWithArguments:(NSArray *)arguments {
   uint64_t vnodeID = [self vnodeIDForFile:arguments.firstObject];
-  [[daemonConn remoteObjectProxy] checkCacheForVnodeID:vnodeID withReply:^(santa_action_t action) {
+  [[self.daemonConn remoteObjectProxy] checkCacheForVnodeID:vnodeID
+                                                  withReply:^(santa_action_t action) {
     if (action == ACTION_RESPOND_ALLOW) {
       LOGI(@"File exists in [whitelist] kernel cache");
       exit(0);
@@ -62,7 +66,7 @@ REGISTER_COMMAND_NAME(@"checkcache")
   }];
 }
 
-+ (uint64_t)vnodeIDForFile:(NSString *)path {
+- (uint64_t)vnodeIDForFile:(NSString *)path {
   struct stat fstat = {};
   stat(path.fileSystemRepresentation, &fstat);
   return (((uint64_t)fstat.st_dev << 32) | fstat.st_ino);

Source/santactl/Commands/SNTCommandFileInfo.m

@@ -12,24 +12,125 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Foundation;
+
+#import "SNTCommand.h"
 #import "SNTCommandController.h"
 
-#include "SNTLogging.h"
+#import <objc/runtime.h>
+#import <MOLCertificate/MOLCertificate.h>
+#import <MOLCodesignChecker/MOLCodesignChecker.h>
 
-#import "MOLCertificate.h"
-#import "MOLCodesignChecker.h"
+#import "SNTCachedDecision.h"
 #import "SNTFileInfo.h"
+#import "SNTLogging.h"
 #import "SNTRule.h"
 #import "SNTXPCConnection.h"
 #import "SNTXPCControlInterface.h"
 
-@interface SNTCommandFileInfo : NSObject<SNTCommand>
+// file info keys
+static NSString *const kPath = @"Path";
+static NSString *const kBundleName = @"Bundle Name";
+static NSString *const kBundleVersion = @"Bundle Version";
+static NSString *const kBundleVersionStr = @"Bundle Version Str";
+static NSString *const kDownloadReferrerURL = @"Download Referrer URL";
+static NSString *const kDownloadURL = @"Download URL";
+static NSString *const kDownloadTimestamp = @"Download Timestamp";
+static NSString *const kDownloadAgent = @"Download Agent";
+static NSString *const kType = @"Type";
+static NSString *const kPageZero = @"Page Zero";
+static NSString *const kCodeSigned = @"Code-signed";
+static NSString *const kRule = @"Rule";
+static NSString *const kSigningChain = @"Signing Chain";
+
+// signing chain keys
+static NSString *const kCommonName = @"Common Name";
+static NSString *const kOrganization = @"Organization";
+static NSString *const kOrganizationalUnit = @"Organizational Unit";
+static NSString *const kValidFrom = @"Valid From";
+static NSString *const kValidUntil = @"Valid Until";
+
+// shared file info & signing chain keys
+static NSString *const kSHA256 = @"SHA-256";
+static NSString *const kSHA1 = @"SHA-1";
+
+// Message displayed when daemon communication fails
+static NSString *const kCommunicationErrorMsg = @"Could not communicate with daemon";
+
+// Used by longHelpText to display a list of valid keys passed in as an array.
+NSString *formattedStringForKeyArray(NSArray<NSString *> *array) {
+  NSMutableString *result = [[NSMutableString alloc] init];
+  for (NSString *key in array) {
+    [result appendString:[NSString stringWithFormat:@"                       \"%@\"\n", key]];
+  }
+  return result;
+}
+
+@interface SNTCommandFileInfo : SNTCommand<SNTCommandProtocol>
+
+// Properties set from commandline flags
+@property(nonatomic) BOOL recursive;
+@property(nonatomic) BOOL jsonOutput;
+@property(nonatomic) int certIndex;  // 0 means no cert-index specified
+@property(nonatomic, copy) NSArray<NSString *> *outputKeyList;
+@property(nonatomic, copy) NSDictionary<NSString *, NSRegularExpression *> *outputFilters;
+
+// Flag indicating when to use TTY colors
+@property(readonly, nonatomic) BOOL prettyOutput;
+
+// Flag needed when printing JSON for multiple files to get commas right
+@property(nonatomic) BOOL jsonPreviousEntry;
+
+// Flag used to avoid multiple attempts to connect to daemon
+@property(nonatomic) BOOL daemonUnavailable;
+
+// Common date formatter
+@property(nonatomic) NSDateFormatter *dateFormatter;
+
+// Maximum length of output key name, used for formatting
+@property(nonatomic) NSUInteger maxKeyWidth;
+
+// Valid key lists
+@property(readonly, nonatomic) NSArray<NSString *> *fileInfoKeys;
+@property(readonly, nonatomic) NSArray<NSString *> *signingChainKeys;
+
+// Block type to be used with propertyMap values.  The first SNTCommandFileInfo parameter
+// is really required only for the the rule property getter which needs access to the daemon
+// connection, but downloadTimestamp & signingChain also use it for a shared date formatter.
+typedef id (^SNTAttributeBlock)(SNTCommandFileInfo *, SNTFileInfo *);
+
+// on read generated properties
+@property(readonly, copy, nonatomic) SNTAttributeBlock path;
+@property(readonly, copy, nonatomic) SNTAttributeBlock sha256;
+@property(readonly, copy, nonatomic) SNTAttributeBlock sha1;
+@property(readonly, copy, nonatomic) SNTAttributeBlock bundleName;
+@property(readonly, copy, nonatomic) SNTAttributeBlock bundleVersion;
+@property(readonly, copy, nonatomic) SNTAttributeBlock bundleShortVersionString;
+@property(readonly, copy, nonatomic) SNTAttributeBlock downloadReferrerURL;
+@property(readonly, copy, nonatomic) SNTAttributeBlock downloadURL;
+@property(readonly, copy, nonatomic) SNTAttributeBlock downloadTimestamp;
+@property(readonly, copy, nonatomic) SNTAttributeBlock downloadAgent;
+@property(readonly, copy, nonatomic) SNTAttributeBlock type;
+@property(readonly, copy, nonatomic) SNTAttributeBlock pageZero;
+@property(readonly, copy, nonatomic) SNTAttributeBlock codeSigned;
+@property(readonly, copy, nonatomic) SNTAttributeBlock rule;
+@property(readonly, copy, nonatomic) SNTAttributeBlock signingChain;
+
+// Mapping between property string keys and SNTAttributeBlocks
+@property(nonatomic) NSDictionary<NSString *, SNTAttributeBlock> *propertyMap;
+
+// Serial queue and dispatch group used for printing output
+@property(nonatomic) dispatch_queue_t printQueue;
+@property(nonatomic) dispatch_group_t printGroup;
+
 @end
 
 @implementation SNTCommandFileInfo
 
 REGISTER_COMMAND_NAME(@"fileinfo")
 
+#pragma mark SNTCommand protocol methods
+
 + (BOOL)requiresRoot {
   return NO;
 }
@@ -43,190 +144,618 @@ REGISTER_COMMAND_NAME(@"fileinfo")
 }
 
 + (NSString *)longHelpText {
-  return (@"The details provided will be the same ones Santa uses to make a decision\n"
+  return [NSString stringWithFormat:
+          @"The details provided will be the same ones Santa uses to make a decision\n"
           @"about executables. This includes SHA-256, SHA-1, code signing information and\n"
-          @"the type of file.");
+          @"the type of file."
+          @"\n"
+          @"Usage: santactl fileinfo [options] [file-paths]\n"
+          @"    --recursive (-r): Search directories recursively.\n"
+          @"    --json: Output in JSON format.\n"
+          @"    --key: Search and return this one piece of information.\n"
+          @"           You may specify multiple keys by repeating this flag.\n"
+          @"           Valid Keys:\n"
+          @"%@\n"
+          @"           Valid keys when using --cert-index:\n"
+          @"%@\n"
+          @"    --cert-index: Supply an integer corresponding to a certificate of the\n"
+          @"                  signing chain to show info only for that certificate.\n"
+          @"                     1 for the leaf certificate\n"
+          @"                    -1 for the root certificate\n"
+          @"                     2 and up for the intermediates / root\n"
+          @"\n"
+          @"    --filter: Use predicates of the form 'key=regex' to filter out which files\n"
+          @"              are displayed. Valid keys are the same as for --key. Value is a\n"
+          @"              case-insensitive regular expression which must match anywhere in\n"
+          @"              the keyed property value for the file's info to be displayed.\n"
+          @"              You may specify multiple filters by repeating this flag.\n"
+          @"\n"
+          @"Examples: santactl fileinfo --cert-index 1 --key SHA-256 --json /usr/bin/yes\n"
+          @"          santactl fileinfo --key SHA-256 --json /usr/bin/yes\n"
+          @"          santactl fileinfo /usr/bin/yes /bin/*\n"
+          @"          santactl fileinfo /usr/bin -r --key Path --key SHA-256 --key Rule\n"
+          @"          santactl fileinfo /usr/bin/* --filter Type=Script --filter Path=zip",
+          formattedStringForKeyArray(self.fileInfoKeys),
+          formattedStringForKeyArray(self.signingChainKeys)];
 }
 
-+ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
-  NSString *filePath = [arguments firstObject];
++ (NSArray<NSString *> *)fileInfoKeys {
+  return @[ kPath, kSHA256, kSHA1, kBundleName, kBundleVersion, kBundleVersionStr,
+            kDownloadReferrerURL, kDownloadURL, kDownloadTimestamp, kDownloadAgent,
+            kType, kPageZero, kCodeSigned, kRule, kSigningChain ];
+}
 
-  if (!filePath) {
-    printf("Missing file path\n");
-    exit(1);
++ (NSArray<NSString *> *)signingChainKeys {
+  return @[ kSHA256, kSHA1, kCommonName, kOrganization, kOrganizationalUnit, kValidFrom,
+            kValidUntil ];
+}
+
+- (instancetype)initWithDaemonConnection:(SNTXPCConnection *)daemonConn {
+  self = [super initWithDaemonConnection:daemonConn];
+  if (self) {
+    _dateFormatter = [[NSDateFormatter alloc] init];
+    _dateFormatter.dateFormat = @"yyyy/MM/dd HH:mm:ss Z";
+
+    _propertyMap = @{ kPath : self.path,
+                      kSHA256 : self.sha256,
+                      kSHA1 : self.sha1,
+                      kBundleName : self.bundleName,
+                      kBundleVersion : self.bundleVersion,
+                      kBundleVersionStr : self.bundleVersionStr,
+                      kDownloadReferrerURL : self.downloadReferrerURL,
+                      kDownloadURL : self.downloadURL,
+                      kDownloadTimestamp : self.downloadTimestamp,
+                      kDownloadAgent : self.downloadAgent,
+                      kType : self.type,
+                      kPageZero : self.pageZero,
+                      kCodeSigned : self.codeSigned,
+                      kRule : self.rule,
+                      kSigningChain : self.signingChain };
+
+    _printQueue = dispatch_queue_create("com.google.santactl.print_queue", DISPATCH_QUEUE_SERIAL);
   }
+  return self;
+}
 
-  SNTFileInfo *fileInfo = [[SNTFileInfo alloc] initWithPath:filePath];
-  if (!fileInfo) {
-    printf("Invalid or empty file\n");
-    exit(1);
-  }
+#pragma mark property getters
 
-  NSDateFormatter *dateFormatter = [[NSDateFormatter alloc] init];
-  dateFormatter.dateFormat = @"yyyy/MM/dd HH:mm:ss Z";
+- (SNTAttributeBlock)path {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    return fileInfo.path;
+  };
+}
 
-  if (isatty(STDOUT_FILENO)) printf("Hashing...");
-  NSString *sha1, *sha256;
-  [fileInfo hashSHA1:&sha1 SHA256:&sha256];
-  if (isatty(STDOUT_FILENO)) printf("\r");
+- (SNTAttributeBlock)sha256 {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    return fileInfo.SHA256;
+  };
+}
 
-  [self printKey:@"Path" value:fileInfo.path];
-  [self printKey:@"SHA-256" value:sha256];
-  [self printKey:@"SHA-1" value:sha1];
+- (SNTAttributeBlock)sha1 {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    return fileInfo.SHA1;
+  };
+}
 
-  if (fileInfo.bundlePath) {
-    [self printKey:@"Bundle Name" value:fileInfo.bundleName];
-    [self printKey:@"Bundle Version" value:fileInfo.bundleVersion];
-    [self printKey:@"Bundle Version Str" value:fileInfo.bundleShortVersionString];
-  }
+- (SNTAttributeBlock)bundleName {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    return fileInfo.bundleName;
+  };
+}
 
-  if (fileInfo.quarantineDataURL) {
-    [self printKey:@"Download Referer URL" value:fileInfo.quarantineRefererURL];
-    [self printKey:@"Download URL" value:fileInfo.quarantineDataURL];
-    [self printKey:@"Download Timestamp"
-             value:[dateFormatter stringFromDate:fileInfo.quarantineTimestamp]];
-    [self printKey:@"Download Agent" value:fileInfo.quarantineAgentBundleID];
-  }
+- (SNTAttributeBlock)bundleVersion {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    return fileInfo.bundleVersion;
+  };
+}
 
-  NSArray *archs = [fileInfo architectures];
-  if (archs.count == 0) {
-    [self printKey:@"Type" value:[self humanReadableFileType:fileInfo]];
-    exit(0);
-  }
+- (SNTAttributeBlock)bundleVersionStr {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    return fileInfo.bundleShortVersionString;
+  };
+}
 
-  NSString *s = [NSString stringWithFormat:@"%@ (%@)",
-                                           [self humanReadableFileType:fileInfo],
-                                           [archs componentsJoinedByString:@", "]];
-  [self printKey:@"Type" value:s];
+- (SNTAttributeBlock)downloadReferrerURL {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    return fileInfo.quarantineRefererURL;
+  };
+}
 
-  if ([fileInfo isMissingPageZero]) {
-    [self printKey:@"Page Zero" value:@"__PAGEZERO segment missing/bad!"];
-  }
+- (SNTAttributeBlock)downloadURL {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    return fileInfo.quarantineDataURL;
+  };
+}
 
-  // Code signature state
-  NSError *error;
-  MOLCodesignChecker *csc = [[MOLCodesignChecker alloc] initWithBinaryPath:filePath error:&error];
-  if (error) {
-    switch (error.code) {
-      case errSecCSUnsigned:
-        [self printKey:@"Code-signed" value:@"No"];
-        break;
-      case errSecCSSignatureFailed:
-      case errSecCSStaticCodeChanged:
-      case errSecCSSignatureNotVerifiable:
-      case errSecCSSignatureUnsupported:
-        [self printKey:@"Code-signed" value:@"Yes, but code/signature changed/unverifiable"];
-        break;
-      case errSecCSResourceDirectoryFailed:
-      case errSecCSResourceNotSupported:
-      case errSecCSResourceRulesInvalid:
-      case errSecCSResourcesInvalid:
-      case errSecCSResourcesNotFound:
-      case errSecCSResourcesNotSealed:
-        [self printKey:@"Code-signed" value:@"Yes, but resources invalid"];
-        break;
-      case errSecCSReqFailed:
-      case errSecCSReqInvalid:
-      case errSecCSReqUnsupported:
-        [self printKey:@"Code-signed" value:@"Yes, but failed requirement validation"];
-        break;
-      case errSecCSInfoPlistFailed:
-        [self printKey:@"Code-signed" value:@"Yes, but can't validate as Info.plist is missing"];
-        break;
-      default: {
-        NSString *val = [NSString stringWithFormat:@"Yes, but failed to validate (%ld)",
-                            error.code];
-        [self printKey:@"Code-signed" value:val];
-        break;
+- (SNTAttributeBlock)downloadTimestamp {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    return [cmd.dateFormatter stringFromDate:fileInfo.quarantineTimestamp];
+  };
+}
+
+- (SNTAttributeBlock)downloadAgent {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    return fileInfo.quarantineAgentBundleID;
+  };
+}
+
+- (SNTAttributeBlock)type {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    NSArray *archs = [fileInfo architectures];
+    if (archs.count == 0) {
+      return [fileInfo humanReadableFileType];
+    }
+    return [NSString stringWithFormat:@"%@ (%@)",
+        [fileInfo humanReadableFileType], [archs componentsJoinedByString:@", "]];
+  };
+}
+
+- (SNTAttributeBlock)pageZero {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    if ([fileInfo isMissingPageZero]) {
+      return @"__PAGEZERO segment missing/bad!";
+    }
+    return nil;
+  };
+}
+
+- (SNTAttributeBlock)codeSigned {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    NSError *error;
+    MOLCodesignChecker *csc = [fileInfo codesignCheckerWithError:&error];
+    if (error) {
+      switch (error.code) {
+        case errSecCSUnsigned:
+          return @"No";
+        case errSecCSSignatureFailed:
+        case errSecCSStaticCodeChanged:
+        case errSecCSSignatureNotVerifiable:
+        case errSecCSSignatureUnsupported:
+          return @"Yes, but code/signature changed/unverifiable";
+        case errSecCSResourceDirectoryFailed:
+        case errSecCSResourceNotSupported:
+        case errSecCSResourceRulesInvalid:
+        case errSecCSResourcesInvalid:
+        case errSecCSResourcesNotFound:
+        case errSecCSResourcesNotSealed:
+          return @"Yes, but resources invalid";
+        case errSecCSReqFailed:
+        case errSecCSReqInvalid:
+        case errSecCSReqUnsupported:
+          return @"Yes, but failed requirement validation";
+        case errSecCSInfoPlistFailed:
+          return @"Yes, but can't validate as Info.plist is missing";
+        default: {
+          return [NSString stringWithFormat:@"Yes, but failed to validate (%ld)", error.code];
+        }
       }
+    } else if (csc.signatureFlags & kSecCodeSignatureAdhoc) {
+      return @"Yes, but ad-hoc";
+    } else {
+      return @"Yes";
     }
-  } else if (csc.signatureFlags & kSecCodeSignatureAdhoc) {
-    [self printKey:@"Code-signed" value:@"Yes, but ad-hoc"];
-  } else {
-    [self printKey:@"Code-signed" value:@"Yes"];
-  }
+  };
+}
 
-  // Binary rule state
-  __block SNTRule *r;
-  dispatch_group_t group = dispatch_group_create();
-  [daemonConn resume];
-  dispatch_group_enter(group);
-  [[daemonConn remoteObjectProxy] databaseBinaryRuleForSHA256:sha256 reply:^(SNTRule *rule) {
-    if (rule) r = rule;
-    dispatch_group_leave(group);
-  }];
-  NSString *leafCertSHA = [[csc.certificates firstObject] SHA256];
-  dispatch_group_enter(group);
-  [[daemonConn remoteObjectProxy] databaseCertificateRuleForSHA256:leafCertSHA
-                                                             reply:^(SNTRule *rule) {
-    if (!r && rule) r = rule;
-    dispatch_group_leave(group);
-  }];
-  if (dispatch_group_wait(group, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC))) {
-    [self printKey:@"Rule" value:@"Cannot communicate with daemon"];
-  } else {
-    NSString *output;
-    switch (r.state) {
-      case SNTRuleStateWhitelist:
-        output = @"Whitelisted";
-        if (isatty(STDOUT_FILENO)) {
-          output = @"\033[32mWhitelisted\033[0m";
-        }
-        [self printKey:@"Rule" value:output];
-        break;
-      case SNTRuleStateBlacklist:
-      case SNTRuleStateSilentBlacklist:
-        output = @"Blacklisted";
-        if (isatty(STDOUT_FILENO)) {
-          output = @"\033[31mBlacklisted\033[0m";
-        }
-        [self printKey:@"Rule" value:output];
-        break;
-      default:
-        output = @"None";
-        if (isatty(STDOUT_FILENO)) {
-          output = @"\033[33mNone\033[0m";
-        }
-        [self printKey:@"Rule" value:output];
-    }
-  }
-
-  // Signing chain
-  if (csc.certificates.count) {
-    printf("Signing chain:\n");
-
-    [csc.certificates enumerateObjectsUsingBlock:^(MOLCertificate *c,
-                                                   unsigned long idx,
-                                                   BOOL *stop) {
-      printf("    %2lu. %-20s: %s\n", idx + 1, "SHA-256", [c.SHA256 UTF8String]);
-      printf("        %-20s: %s\n", "SHA-1", [c.SHA1 UTF8String]);
-      printf("        %-20s: %s\n", "Common Name", [c.commonName UTF8String]);
-      printf("        %-20s: %s\n", "Organization", [c.orgName UTF8String]);
-      printf("        %-20s: %s\n", "Organizational Unit", [c.orgUnit UTF8String]);
-      printf("        %-20s: %s\n", "Valid From",
-             [[dateFormatter stringFromDate:c.validFrom] UTF8String]);
-      printf("        %-20s: %s\n", "Valid Until",
-             [[dateFormatter stringFromDate:c.validUntil] UTF8String]);
-      printf("\n");
+- (SNTAttributeBlock)rule {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    // If we previously were unable to connect, don't try again.
+    if (cmd.daemonUnavailable) return kCommunicationErrorMsg;
+    static dispatch_once_t token;
+    dispatch_once(&token, ^{ [cmd.daemonConn resume]; });
+    __block SNTEventState state;
+    dispatch_semaphore_t sema = dispatch_semaphore_create(0);
+    MOLCodesignChecker *csc = [fileInfo codesignCheckerWithError:NULL];
+    [[cmd.daemonConn remoteObjectProxy] decisionForFilePath:fileInfo.path
+                                                 fileSHA256:fileInfo.SHA256
+                                          certificateSHA256:csc.leafCertificate.SHA256
+                                                      reply:^(SNTEventState s) {
+      state = s;
+      dispatch_semaphore_signal(sema);
     }];
+    if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC))) {
+      cmd.daemonUnavailable = YES;
+      return kCommunicationErrorMsg;
+    } else {
+      NSMutableString *output =
+          (SNTEventStateAllow & state) ? @"Whitelisted".mutableCopy : @"Blacklisted".mutableCopy;
+      switch (state) {
+        case SNTEventStateAllowUnknown:
+        case SNTEventStateBlockUnknown:
+          [output appendString:@" (Unknown)"];
+          break;
+        case SNTEventStateAllowBinary:
+        case SNTEventStateBlockBinary:
+          [output appendString:@" (Binary)"];
+          break;
+        case SNTEventStateAllowCertificate:
+        case SNTEventStateBlockCertificate:
+          [output appendString:@" (Certificate)"];
+          break;
+        case SNTEventStateAllowScope:
+        case SNTEventStateBlockScope:
+          [output appendString:@" (Scope)"];
+          break;
+        default:
+          output = @"None".mutableCopy;
+          break;
+      }
+      if (cmd.prettyOutput) {
+        if ((SNTEventStateAllow & state)) {
+          [output insertString:@"\033[32m" atIndex:0];
+          [output appendString:@"\033[0m"];
+        } else if ((SNTEventStateBlock & state)) {
+          [output insertString:@"\033[31m" atIndex:0];
+          [output appendString:@"\033[0m"];
+        } else {
+          [output insertString:@"\033[33m" atIndex:0];
+          [output appendString:@"\033[0m"];
+        }
+      }
+      return output.copy;
+    }
+  };
+}
+
+- (SNTAttributeBlock)signingChain {
+  return ^id (SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
+    MOLCodesignChecker *csc = [fileInfo codesignCheckerWithError:NULL];
+    if (!csc.certificates.count) return nil;
+    NSMutableArray *certs = [[NSMutableArray alloc] initWithCapacity:csc.certificates.count];
+    for (MOLCertificate *c in csc.certificates) {
+      [certs addObject:@{
+        kSHA256 : c.SHA256 ?: @"null",
+        kSHA1 : c.SHA1 ?: @"null",
+        kCommonName : c.commonName ?: @"null",
+        kOrganization : c.orgName ?: @"null",
+        kOrganizationalUnit : c.orgUnit ?: @"null",
+        kValidFrom : [cmd.dateFormatter stringFromDate:c.validFrom] ?: @"null",
+        kValidUntil : [cmd.dateFormatter stringFromDate:c.validUntil] ?: @"null"
+      }];
+    }
+    return certs;
+  };
+}
+
+# pragma mark -
+
+// Entry point for the command.
+- (void)runWithArguments:(NSArray *)arguments {
+  if (!arguments.count) [self printErrorUsageAndExit:@"No arguments"];
+
+  NSArray *filePaths = [self parseArguments:arguments];
+
+  if (!self.outputKeyList || !self.outputKeyList.count) {
+    if (self.certIndex) {
+      self.outputKeyList = [[self class] signingChainKeys];
+    } else {
+      self.outputKeyList = [[self class] fileInfoKeys];
+    }
   }
+  // Figure out max field width from list of keys
+  self.maxKeyWidth = 0;
+  for (NSString *key in self.outputKeyList) {
+    if (key.length > self.maxKeyWidth) self.maxKeyWidth = key.length;
+  }
+
+  // For consistency, JSON output is always returned as an array of file info objects, regardless of
+  // how many file info objects are being outputted.  So both empty and singleton result sets are
+  // still enclosed in brackets.
+  if (self.jsonOutput) printf("[\n");
+
+  NSFileManager *fm = [NSFileManager defaultManager];
+  NSString *cwd = [fm currentDirectoryPath];
+
+  // Dispatch group for tasks printing to stdout.
+  self.printGroup = dispatch_group_create();
+
+  [filePaths enumerateObjectsWithOptions:NSEnumerationConcurrent
+                              usingBlock:^(NSString *path, NSUInteger idx, BOOL *stop) {
+    NSString *fullPath = [path stringByStandardizingPath];
+    if (path.length && [path characterAtIndex:0] != '/') {
+      fullPath = [cwd stringByAppendingPathComponent:fullPath];
+    }
+    [self recurseAtPath:fullPath];
+  }];
+
+  // Wait for all tasks in print queue to complete.
+  dispatch_group_wait(self.printGroup, DISPATCH_TIME_FOREVER);
+
+  if (self.jsonOutput) printf("\n]\n");  // print closing bracket of JSON output array
 
   exit(0);
 }
 
-+ (void)printKey:(NSString *)key value:(NSString *)value {
-  if (!key || !value) return;
-  printf("%-21s: %s\n", [key UTF8String], [value UTF8String]);
+// Returns YES if we should output colored text.
+- (BOOL)prettyOutput {
+  return isatty(STDOUT_FILENO) && !self.jsonOutput;
 }
 
-+ (NSString *)humanReadableFileType:(SNTFileInfo *)fi {
-  if ([fi isScript]) return @"Script";
-  if ([fi isExecutable]) return @"Executable";
-  if ([fi isDylib]) return @"Dynamic Library";
-  if ([fi isKext]) return @"Kernel Extension";
-  if ([fi isXARArchive]) return @"XAR Archive";
-  if ([fi isDMG]) return @"Disk Image";
-  return @"Unknown";
+// Print out file info for the object at the given path or, if path is a directory and the
+// --recursive flag is set, print out file info for all objects in directory tree.
+- (void)recurseAtPath:(NSString *)path {
+  NSFileManager *fm = [NSFileManager defaultManager];
+  BOOL isDir = NO, isBundle = NO;
+  if (![fm fileExistsAtPath:path isDirectory:&isDir]) {
+    dispatch_group_async(self.printGroup, self.printQueue, ^{
+      fprintf(stderr, "File does not exist: %s\n", [path UTF8String]);
+    });
+    return;
+  }
+
+  if (isDir) {
+    NSBundle *bundle = [NSBundle bundleWithPath:path];
+    isBundle = bundle && [bundle bundleIdentifier];
+  }
+
+  NSOperationQueue *operationQueue = [[NSOperationQueue alloc] init];
+  operationQueue.qualityOfService = NSQualityOfServiceUserInitiated;
+
+  if (isDir && self.recursive) {
+    NSDirectoryEnumerator *dirEnum = [fm enumeratorAtPath:path];
+    NSString *file = [dirEnum nextObject];
+    while (file) {
+      @autoreleasepool {
+        NSString *filepath = [path stringByAppendingPathComponent:file];
+        BOOL exists = [fm fileExistsAtPath:filepath isDirectory:&isDir];
+        if (!(exists && isDir)) {  // don't display anything for a directory path
+          [operationQueue addOperationWithBlock:^{
+            [self printInfoForFile:filepath];
+          }];
+        }
+        file = [dirEnum nextObject];
+      }
+    }
+  } else if (isDir && !isBundle) {
+    dispatch_group_async(self.printGroup, self.printQueue, ^{
+      fprintf(stderr, "%s is a directory.  Use the -r flag to search recursively.\n",
+          [path UTF8String]);
+    });
+  } else {
+    [operationQueue addOperationWithBlock:^{
+      [self printInfoForFile:path];
+    }];
+  }
+
+  [operationQueue waitUntilAllOperationsAreFinished];
+}
+
+// Prints out the info for a single (non-directory) file.  Which info is printed is controlled
+// by the keys in self.outputKeyList.
+- (void)printInfoForFile:(NSString *)path {
+  SNTFileInfo *fileInfo = [[SNTFileInfo alloc] initWithPath:path];
+  if (!fileInfo) {
+    dispatch_group_async(self.printGroup, self.printQueue, ^{
+      fprintf(stderr, "Invalid or empty file: %s\n", [path UTF8String]);
+    });
+    return;
+  }
+
+  // First build up a dictionary containing all the information we want to print out
+  NSMutableDictionary *outputDict = [NSMutableDictionary dictionary];
+  if (self.certIndex) {
+    // --cert-index flag implicitly means that we want only the signing chain.  So we find the
+    // specified certificate in the signing chain, then print out values for all keys in cert.
+    NSArray *signingChain = self.propertyMap[kSigningChain](self, fileInfo);
+    if (!signingChain || !signingChain.count) return;  // check signing chain isn't empty
+    int index = (self.certIndex == -1) ? (int)signingChain.count - 1 : self.certIndex - 1;
+    if (index < 0 || index >= (int)signingChain.count) return;  // check that index is valid
+    NSDictionary *cert = signingChain[index];
+
+    // Check if we should skip over this item based on outputFilters.
+    for (NSString *key in self.outputFilters) {
+      NSString *value = cert[key];
+      NSRegularExpression *regex = self.outputFilters[key];
+      if (![regex firstMatchInString:value options:0 range:NSMakeRange(0, value.length)]) return;
+    }
+
+    // Filter out the info we want now, in case JSON output
+    for (NSString *key in self.outputKeyList) {
+      outputDict[key] = cert[key];
+    }
+  } else {
+    // Check if we should skip over this item based on outputFilters.  We do this before collecting
+    // output info because there's a chance that we can bail out early if a filter doesn't match.
+    // However we also don't want to recompute info, so we save any values that we plan to show.
+    for (NSString *key in self.outputFilters) {
+      NSString *value = self.propertyMap[key](self, fileInfo);
+      NSRegularExpression *regex = self.outputFilters[key];
+      if (![regex firstMatchInString:value options:0 range:NSMakeRange(0, value.length)]) return;
+      // If this is a value we want to show, store it in the output dictionary.
+      // This does a linear search on an array, but it's a small array.
+      if ([self.outputKeyList containsObject:key]) {
+        outputDict[key] = value;
+      }
+    }
+
+    // Then fill the outputDict with the rest of the missing values.
+    for (NSString *key in self.outputKeyList) {
+      if (outputDict[key]) continue;  // ignore keys that we've already set due to a filter
+      outputDict[key] = self.propertyMap[key](self, fileInfo);
+    }
+  }
+
+  // If there's nothing in the outputDict, then don't need to print anything.
+  if (!outputDict.count) return;
+
+  // Then display the information in the dictionary.  How we display it depends on
+  // a) do we want JSON output?
+  // b) is there only one key?
+  // c) are we displaying a cert?
+  BOOL singleKey = (self.outputKeyList.count == 1 &&
+                    ![self.outputKeyList.firstObject isEqual:kSigningChain]);
+  NSMutableString *output = [NSMutableString string];
+  if (self.jsonOutput) {
+    [output appendString:[self jsonStringForDictionary:outputDict]];
+  } else {
+    for (NSString *key in self.outputKeyList) {
+      if (![outputDict objectForKey:key]) continue;
+      if ([key isEqual:kSigningChain]) {
+        [output appendString:[self stringForSigningChain:outputDict[key]]];
+      } else {
+        if (singleKey) {
+          [output appendFormat:@"%@\n", outputDict[key]];
+        } else {
+          [output appendFormat:@"%-*s: %@\n",
+              (int)self.maxKeyWidth, key.UTF8String, outputDict[key]];
+        }
+      }
+    }
+    if (!singleKey) [output appendString:@"\n"];
+  }
+
+  dispatch_group_async(self.printGroup, self.printQueue, ^{
+    if (self.jsonOutput) {  // print commas between JSON entries
+      if (self.jsonPreviousEntry) printf(",\n");
+      self.jsonPreviousEntry = YES;
+    }
+    printf("%s", output.UTF8String);
+  });
+}
+
+// Parses the arguments in order to set the property variables:
+//   self.recursive from --recursive or -r
+//   self.json from --json
+//   self.certIndex from --cert-index argument
+//   self.outputKeyList from multiple possible --key arguments
+//   self.outputFilters from multiple possible --filter arguments
+// and returns any non-flag args as path names in an NSArray.
+- (NSArray *)parseArguments:(NSArray<NSString *> *)arguments {
+  NSMutableArray *paths = [NSMutableArray array];
+  NSMutableOrderedSet *keys = [NSMutableOrderedSet orderedSet];
+  NSMutableDictionary *filters = [NSMutableDictionary dictionary];
+  NSUInteger nargs = [arguments count];
+  for (NSUInteger i = 0; i < nargs; i++) {
+    NSString *arg = [arguments objectAtIndex:i];
+    if ([arg caseInsensitiveCompare:@"--json"] == NSOrderedSame) {
+      self.jsonOutput = YES;
+    } else if ([arg caseInsensitiveCompare:@"--cert-index"] == NSOrderedSame) {
+      i += 1;  // advance to next argument and grab index
+      if (i >= nargs || [arguments[i] hasPrefix:@"--"]) {
+        [self printErrorUsageAndExit:@"\n--cert-index requires an argument"];
+      }
+      int index = 0;
+      NSScanner *scanner = [NSScanner scannerWithString:arguments[i]];
+      if (![scanner scanInt:&index] || !scanner.atEnd || index == 0 || index < -1) {
+        [self printErrorUsageAndExit:[NSString stringWithFormat:
+            @"\n\"%@\" is an invalid argument for --cert-index\n"
+            @"  --cert-index argument must be one of -1, 1, 2, 3, ...", arguments[i]]];
+      }
+      self.certIndex = index;
+    } else if ([arg caseInsensitiveCompare:@"--key"] == NSOrderedSame) {
+      i += 1;  // advance to next argument and grab the key
+      if (i >= nargs || [arguments[i] hasPrefix:@"--"]) {
+        [self printErrorUsageAndExit:@"\n--key requires an argument"];
+      }
+      [keys addObject:arguments[i]];
+    } else if ([arg caseInsensitiveCompare:@"--filter"] == NSOrderedSame) {
+      i += 1;  // advance to next argument and grab the filter predicate
+      if (i >= nargs || [arguments[i] hasPrefix:@"--"]) {
+        [self printErrorUsageAndExit:@"\n--filter requires an argument"];
+      }
+      // Check that filter predicate has the format "key=regex".
+      NSRange range = [arguments[i] rangeOfString:@"="];
+      if (range.location == NSNotFound || range.location == 0 ||
+          range.location == arguments[i].length - 1) {
+        [self printErrorUsageAndExit:[NSString stringWithFormat:
+            @"\n\"%@\" is an invalid filter predicate.\n"
+            @"Filter predicates must be of the form key=regex"
+            @" (with no spaces around \"=\")", arguments[i]]];
+      }
+      NSString *key = [arguments[i] substringToIndex:range.location];
+      NSString *rhs = [arguments[i] substringFromIndex:range.location+1];
+      // Convert right-hand side of '=' into a regular expression object.
+      NSError *error;
+      NSRegularExpression *regex =
+          [NSRegularExpression regularExpressionWithPattern:rhs
+                                                    options:NSRegularExpressionCaseInsensitive
+                                                      error:&error];
+      if (error) {
+        [self printErrorUsageAndExit:[NSString stringWithFormat:
+            @"\n\"%@\" is an invalid regular expression in filter argument.\n", rhs]];
+      }
+      filters[key] = regex;
+    } else if ([arg caseInsensitiveCompare:@"--recursive"] == NSOrderedSame ||
+               [arg caseInsensitiveCompare:@"-r"] == NSOrderedSame) {
+      self.recursive = YES;
+    } else {
+      [paths addObject:arg];
+    }
+  }
+
+  // Do some error checking before returning to make sure that specified keys are valid.
+  if (self.certIndex) {
+    NSArray *validKeys = [[self class] signingChainKeys];
+    for (NSString *key in keys) {
+      if (![validKeys containsObject:key]) {
+        [self printErrorUsageAndExit:
+            [NSString stringWithFormat:@"\n\"%@\" is an invalid key when using --cert-index", key]];
+      }
+    }
+    for (NSString *key in filters) {
+      if (![validKeys containsObject:key]) {
+        [self printErrorUsageAndExit:[NSString stringWithFormat:
+            @"\n\"%@\" is an invalid filter key when using --cert-index", key]];
+      }
+    }
+  } else {
+    NSArray *validKeys = [[self class] fileInfoKeys];
+    for (NSString *key in keys) {
+      if (![validKeys containsObject:key]) {
+        [self printErrorUsageAndExit:
+            [NSString stringWithFormat:@"\n\"%@\" is an invalid key", key]];
+      }
+    }
+    for (NSString *key in filters) {
+      if (![validKeys containsObject:key] || [key isEqualToString:kSigningChain]) {
+        [self printErrorUsageAndExit:
+            [NSString stringWithFormat:@"\n\"%@\" is an invalid filter key", key]];
+      }
+    }
+  }
+
+  if (!paths.count) [self printErrorUsageAndExit:@"\nat least one file-path is needed"];
+
+  self.outputKeyList = [keys array];
+  self.outputFilters = [filters copy];
+  return paths.copy;
+}
+
+- (NSString *)jsonStringForDictionary:(NSDictionary *)dict {
+  NSData *jsonData = [NSJSONSerialization dataWithJSONObject:dict
+                                                     options:NSJSONWritingPrettyPrinted
+                                                       error:NULL];
+  return [[NSString alloc] initWithData:jsonData encoding:NSUTF8StringEncoding];
+}
+
+- (NSString *)stringForSigningChain:(NSArray *)signingChain {
+  if (!signingChain) return @"";
+  NSMutableString *result = [NSMutableString string];
+  [result appendFormat:@"%@:\n", kSigningChain];
+  int i = 1;
+  NSArray<NSString *> *certKeys = [[self class] signingChainKeys];
+  for (NSDictionary *cert in signingChain) {
+    if ([cert isEqual:[NSNull null]]) continue;
+    if (i > 1) [result appendFormat:@"\n"];
+    [result appendString:[self stringForCertificate:cert withKeys:certKeys index:i]];
+    i += 1;
+  }
+  return result.copy;
+}
+
+- (NSString *)stringForCertificate:(NSDictionary *)cert withKeys:(NSArray *)keys index:(int)index {
+  if (!cert) return @"";
+  NSMutableString *result = [NSMutableString string];
+  BOOL firstKey = YES;
+  for (NSString *key in keys) {
+    if (firstKey) {
+      [result appendFormat:@"    %2d. %-20s: %@\n", index, key.UTF8String, cert[key]];
+      firstKey = NO;
+    } else {
+      [result appendFormat:@"        %-20s: %@\n", key.UTF8String, cert[key]];
+    }
+  }
+  return result.copy;
 }
 
 @end

Source/santactl/Commands/SNTCommandFlushCache.m

@@ -12,13 +12,16 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Foundation;
+
+#import "SNTCommand.h"
 #import "SNTCommandController.h"
 
 #import "SNTLogging.h"
 #import "SNTXPCConnection.h"
 #import "SNTXPCControlInterface.h"
 
-@interface SNTCommandFlushCache : NSObject<SNTCommand>
+@interface SNTCommandFlushCache : SNTCommand<SNTCommandProtocol>
 @end
 
 @implementation SNTCommandFlushCache
@@ -44,8 +47,8 @@ REGISTER_COMMAND_NAME(@"flushcache")
           @"Returns 0 if successful, 1 otherwise");
 }
 
-+ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
-  [[daemonConn remoteObjectProxy] flushCache:^(BOOL success) {
+- (void)runWithArguments:(NSArray *)arguments {
+  [[self.daemonConn remoteObjectProxy] flushCache:^(BOOL success) {
     if (success) {
       LOGI(@"Cache flush requested");
       exit(0);

Source/santactl/Commands/SNTCommandRule.m

@@ -12,21 +12,22 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTCommandController.h"
+@import Foundation;
 
-#include "SNTLogging.h"
+#import "SNTCommand.h"
+#import "SNTCommandController.h"
 
 #import "MOLCertificate.h"
 #import "MOLCodesignChecker.h"
 #import "SNTConfigurator.h"
 #import "SNTDropRootPrivs.h"
 #import "SNTFileInfo.h"
+#include "SNTLogging.h"
 #import "SNTRule.h"
 #import "SNTXPCConnection.h"
 #import "SNTXPCControlInterface.h"
 
-@interface SNTCommandRule : NSObject<SNTCommand>
-@property SNTXPCConnection *daemonConn;
+@interface SNTCommandRule : SNTCommand<SNTCommandProtocol>
 @end
 
 @implementation SNTCommandRule
@@ -42,7 +43,7 @@ REGISTER_COMMAND_NAME(@"rule")
 }
 
 + (NSString *)shortHelpText {
-  return @"Manually add/remove rules.";
+  return @"Manually add/remove/check rules.";
 }
 
 + (NSString *)longHelpText {
@@ -52,26 +53,23 @@ REGISTER_COMMAND_NAME(@"rule")
           @"    --blacklist: add to blacklist\n"
           @"    --silent-blacklist: add to silent blacklist\n"
           @"    --remove: remove existing rule\n"
+          @"    --check: check for an existing rule\n"
           @"\n"
           @"  One of:\n"
           @"    --path {path}: path of binary/bundle to add/remove.\n"
           @"                   Will add the hash of the file currently at that path.\n"
-          @"    --sha256 {sha256}: hash to add/remove\n"
+          @"                   Does not work with --check. Use the fileinfo verb to check.\n"
+          @"                   the rule state of a file.\n"
+          @"    --sha256 {sha256}: hash to add/remove/check\n"
           @"\n"
           @"  Optionally:\n"
-          @"    --certificate: add certificate rule instead of binary\n"
+          @"    --certificate: add or check a certificate sha256 rule instead of binary\n"
           @"    --message {message}: custom message\n");
 }
 
-+ (void)printErrorUsageAndExit:(NSString *)error {
-  printf("%s\n\n", [error UTF8String]);
-  printf("%s\n", [[self longHelpText] UTF8String]);
-  exit(1);
-}
-
-+ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
+- (void)runWithArguments:(NSArray *)arguments {
   SNTConfigurator *config = [SNTConfigurator configurator];
-  if ([config syncBaseURL] != nil) {
+  if ([config syncBaseURL] && ![arguments containsObject:@"--check"]) {
     printf("SyncBaseURL is set, rules are managed centrally.\n");
     exit(1);
   }
@@ -81,6 +79,7 @@ REGISTER_COMMAND_NAME(@"rule")
   newRule.type = SNTRuleTypeBinary;
 
   NSString *path;
+  BOOL check = NO;
 
   // Parse arguments
   for (NSUInteger i = 0; i < arguments.count; ++i) {
@@ -94,6 +93,8 @@ REGISTER_COMMAND_NAME(@"rule")
       newRule.state = SNTRuleStateSilentBlacklist;
     } else if ([arg caseInsensitiveCompare:@"--remove"] == NSOrderedSame) {
       newRule.state = SNTRuleStateRemove;
+    } else if ([arg caseInsensitiveCompare:@"--check"] == NSOrderedSame) {
+      check = YES;
     } else if ([arg caseInsensitiveCompare:@"--certificate"] == NSOrderedSame) {
       newRule.type = SNTRuleTypeCertificate;
     } else if ([arg caseInsensitiveCompare:@"--path"] == NSOrderedSame) {
@@ -119,12 +120,21 @@ REGISTER_COMMAND_NAME(@"rule")
     }
   }
 
+  if (check) {
+    if (!newRule.shasum) return [self printErrorUsageAndExit:@"--check requires --sha256"];
+    return [self printStateOfRule:newRule daemonConnection:self.daemonConn];
+  }
+
   if (path) {
     SNTFileInfo *fi = [[SNTFileInfo alloc] initWithPath:path];
+    if (!fi.path) {
+      [self printErrorUsageAndExit:@"Provided path was not a plain file"];
+    }
+
     if (newRule.type == SNTRuleTypeBinary) {
       newRule.shasum = fi.SHA256;
     } else if (newRule.type == SNTRuleTypeCertificate) {
-      MOLCodesignChecker *cs = [[MOLCodesignChecker alloc] initWithBinaryPath:fi.path];
+      MOLCodesignChecker *cs = [fi codesignCheckerWithError:NULL];
       newRule.shasum = cs.leafCertificate.SHA256;
     }
   }
@@ -135,9 +145,9 @@ REGISTER_COMMAND_NAME(@"rule")
     [self printErrorUsageAndExit:@"Either SHA-256 or path to file must be specified"];
   }
 
-  [[daemonConn remoteObjectProxy] databaseRuleAddRules:@[newRule]
-                                            cleanSlate:NO
-                                                 reply:^(NSError *error) {
+  [[self.daemonConn remoteObjectProxy] databaseRuleAddRules:@[newRule]
+                                                 cleanSlate:NO
+                                                      reply:^(NSError *error) {
     if (error) {
       printf("Failed to modify rules: %s", [error.localizedDescription UTF8String]);
       LOGD(@"Failure reason: %@", error.localizedFailureReason);
@@ -153,4 +163,58 @@ REGISTER_COMMAND_NAME(@"rule")
   }];
 }
 
+- (void)printStateOfRule:(SNTRule *)rule daemonConnection:(SNTXPCConnection *)daemonConn {
+  NSString *fileSHA256 = (rule.type == SNTRuleTypeBinary) ? rule.shasum : nil;
+  NSString *certificateSHA256 = (rule.type == SNTRuleTypeCertificate) ? rule.shasum : nil;
+  dispatch_group_t group = dispatch_group_create();
+  dispatch_group_enter(group);
+  __block NSMutableString *output;
+  [[daemonConn remoteObjectProxy] decisionForFilePath:nil
+                                           fileSHA256:fileSHA256
+                                    certificateSHA256:certificateSHA256
+                                                reply:^(SNTEventState s) {
+    output = (SNTEventStateAllow & s) ? @"Whitelisted".mutableCopy : @"Blacklisted".mutableCopy;
+    switch (s) {
+      case SNTEventStateAllowUnknown:
+      case SNTEventStateBlockUnknown:
+        [output appendString:@" (Unknown)"];
+        break;
+      case SNTEventStateAllowBinary:
+      case SNTEventStateBlockBinary:
+        [output appendString:@" (Binary)"];
+        break;
+      case SNTEventStateAllowCertificate:
+      case SNTEventStateBlockCertificate:
+        [output appendString:@" (Certificate)"];
+        break;
+      case SNTEventStateAllowScope:
+      case SNTEventStateBlockScope:
+        [output appendString:@" (Scope)"];
+        break;
+      default:
+        output = @"None".mutableCopy;
+        break;
+    }
+    if (isatty(STDOUT_FILENO)) {
+      if ((SNTEventStateAllow & s)) {
+        [output insertString:@"\033[32m" atIndex:0];
+        [output appendString:@"\033[0m"];
+      } else if ((SNTEventStateBlock & s)) {
+        [output insertString:@"\033[31m" atIndex:0];
+        [output appendString:@"\033[0m"];
+      } else {
+        [output insertString:@"\033[33m" atIndex:0];
+        [output appendString:@"\033[0m"];
+      }
+    }
+    dispatch_group_leave(group);
+  }];
+  if (dispatch_group_wait(group, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC))) {
+    printf("Cannot communicate with daemon");
+    exit(1);
+  }
+  printf("%s\n", output.UTF8String);
+  exit(0);
+}
+
 @end

Source/santactl/Commands/SNTCommandStatus.m

@@ -12,13 +12,16 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Foundation;
+
+#import "SNTCommand.h"
 #import "SNTCommandController.h"
 
 #import "SNTConfigurator.h"
 #import "SNTXPCConnection.h"
 #import "SNTXPCControlInterface.h"
 
-@interface SNTCommandStatus : NSObject<SNTCommand>
+@interface SNTCommandStatus : SNTCommand<SNTCommandProtocol>
 @end
 
 @implementation SNTCommandStatus
@@ -42,7 +45,7 @@ REGISTER_COMMAND_NAME(@"status")
           @"  Use --json to output in JSON format");
 }
 
-+ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
+- (void)runWithArguments:(NSArray *)arguments {
   dispatch_group_t group = dispatch_group_create();
 
   // Daemon status
@@ -50,7 +53,7 @@ REGISTER_COMMAND_NAME(@"status")
   __block uint64_t cpuEvents, ramEvents;
   __block double cpuPeak, ramPeak;
   dispatch_group_enter(group);
-  [[daemonConn remoteObjectProxy] clientMode:^(SNTClientMode cm) {
+  [[self.daemonConn remoteObjectProxy] clientMode:^(SNTClientMode cm) {
     switch (cm) {
       case SNTClientModeMonitor:
         clientMode = @"Monitor";
@@ -65,8 +68,8 @@ REGISTER_COMMAND_NAME(@"status")
     dispatch_group_leave(group);
   }];
   dispatch_group_enter(group);
-  [[daemonConn remoteObjectProxy] watchdogInfo:^(uint64_t wd_cpuEvents, uint64_t wd_ramEvents,
-                                                 double wd_cpuPeak, double wd_ramPeak) {
+  [[self.daemonConn remoteObjectProxy] watchdogInfo:^(uint64_t wd_cpuEvents, uint64_t wd_ramEvents,
+                                                      double wd_cpuPeak, double wd_ramPeak) {
     cpuEvents = wd_cpuEvents;
     cpuPeak = wd_cpuPeak;
     ramEvents = wd_ramEvents;
@@ -77,23 +80,24 @@ REGISTER_COMMAND_NAME(@"status")
   BOOL fileLogging = ([[SNTConfigurator configurator] fileChangesRegex] != nil);
 
   // Kext status
-  __block int64_t cacheCount = -1;
+  __block uint64_t rootCacheCount = -1, nonRootCacheCount = -1;
   dispatch_group_enter(group);
-  [[daemonConn remoteObjectProxy] cacheCount:^(int64_t count) {
-    cacheCount = count;
+  [[self.daemonConn remoteObjectProxy] cacheCounts:^(uint64_t rootCache, uint64_t nonRootCache) {
+    rootCacheCount = rootCache;
+    nonRootCacheCount = nonRootCache;
     dispatch_group_leave(group);
   }];
 
   // Database counts
   __block int64_t eventCount = -1, binaryRuleCount = -1, certRuleCount = -1;
   dispatch_group_enter(group);
-  [[daemonConn remoteObjectProxy] databaseRuleCounts:^(int64_t binary, int64_t certificate) {
+  [[self.daemonConn remoteObjectProxy] databaseRuleCounts:^(int64_t binary, int64_t certificate) {
     binaryRuleCount = binary;
     certRuleCount = certificate;
     dispatch_group_leave(group);
   }];
   dispatch_group_enter(group);
-  [[daemonConn remoteObjectProxy] databaseEventCount:^(int64_t count) {
+  [[self.daemonConn remoteObjectProxy] databaseEventCount:^(int64_t count) {
     eventCount = count;
     dispatch_group_leave(group);
   }];
@@ -102,10 +106,31 @@ REGISTER_COMMAND_NAME(@"status")
   NSString *syncURLStr = [[[SNTConfigurator configurator] syncBaseURL] absoluteString];
   NSDateFormatter *dateFormatter = [[NSDateFormatter alloc] init];
   dateFormatter.dateFormat = @"yyyy/MM/dd HH:mm:ss Z";
-  NSDate *lastSyncSuccess = [[SNTConfigurator configurator] syncLastSuccess];
+  NSDate *lastSyncSuccess = [[SNTConfigurator configurator] fullSyncLastSuccess];
   NSString *lastSyncSuccessStr = [dateFormatter stringFromDate:lastSyncSuccess] ?: @"Never";
+  NSDate *lastRuleSyncSuccess = [[SNTConfigurator configurator] ruleSyncLastSuccess];
+  NSString *lastRuleSyncSuccessStr =
+      [dateFormatter stringFromDate:lastRuleSyncSuccess] ?: lastSyncSuccessStr;
   BOOL syncCleanReqd = [[SNTConfigurator configurator] syncCleanRequired];
 
+  __block BOOL pushNotifications = NO;
+  if ([[SNTConfigurator configurator] syncBaseURL]) {
+    dispatch_group_enter(group);
+    [[self.daemonConn remoteObjectProxy] pushNotifications:^(BOOL response) {
+      pushNotifications = response;
+      dispatch_group_leave(group);
+    }];
+  }
+
+  __block BOOL bundlesEnabled = NO;
+  if ([[SNTConfigurator configurator] syncBaseURL]) {
+    dispatch_group_enter(group);
+    [[self.daemonConn remoteObjectProxy] bundlesEnabled:^(BOOL response) {
+      bundlesEnabled = response;
+      dispatch_group_leave(group);
+    }];
+  }
+
   // Wait a maximum of 5s for stats collected from daemon to arrive.
   if (dispatch_group_wait(group, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 5))) {
     fprintf(stderr, "Failed to retrieve some stats from daemon\n\n");
@@ -114,7 +139,7 @@ REGISTER_COMMAND_NAME(@"status")
   if ([arguments containsObject:@"--json"]) {
     NSDictionary *stats = @{
       @"daemon" : @{
-        @"mode" : clientMode,
+        @"mode" : clientMode ?: @"null",
         @"file_logging" : @(fileLogging),
         @"watchdog_cpu_events" : @(cpuEvents),
         @"watchdog_ram_events" : @(ramEvents),
@@ -122,7 +147,8 @@ REGISTER_COMMAND_NAME(@"status")
         @"watchdog_ram_peak" : @(ramPeak),
       },
       @"kernel" : @{
-        @"cache_count" : @(cacheCount),
+        @"root_cache_count" : @(rootCacheCount),
+        @"non_root_cache_count": @(nonRootCacheCount),
       },
       @"database" : @{
         @"binary_rules" : @(binaryRuleCount),
@@ -130,9 +156,12 @@ REGISTER_COMMAND_NAME(@"status")
         @"events_pending_upload" : @(eventCount),
       },
       @"sync" : @{
-        @"server" : syncURLStr,
+        @"server" : syncURLStr ?: @"null",
         @"clean_required" : @(syncCleanReqd),
-        @"last_successful" : lastSyncSuccessStr
+        @"last_successful_full" : lastSyncSuccessStr ?: @"null",
+        @"last_successful_rule" : lastRuleSyncSuccessStr ?: @"null",
+        @"push_notifications" : pushNotifications ? @"Connected" : @"Disconnected",
+        @"bundle_scanning" : @(bundlesEnabled)
       },
     };
     NSData *statsData = [NSJSONSerialization dataWithJSONObject:stats
@@ -142,22 +171,27 @@ REGISTER_COMMAND_NAME(@"status")
     printf("%s\n", [statsStr UTF8String]);
   } else {
     printf(">>> Daemon Info\n");
-    printf("  %-22s | %s\n", "Mode", [clientMode UTF8String]);
-    printf("  %-22s | %s\n", "File Logging", (fileLogging ? "Yes" : "No"));
-    printf("  %-22s | %lld  (Peak: %.2f%%)\n", "Watchdog CPU Events", cpuEvents, cpuPeak);
-    printf("  %-22s | %lld  (Peak: %.2fMB)\n", "Watchdog RAM Events", ramEvents, ramPeak);
+    printf("  %-25s | %s\n", "Mode", [clientMode UTF8String]);
+    printf("  %-25s | %s\n", "File Logging", (fileLogging ? "Yes" : "No"));
+    printf("  %-25s | %lld  (Peak: %.2f%%)\n", "Watchdog CPU Events", cpuEvents, cpuPeak);
+    printf("  %-25s | %lld  (Peak: %.2fMB)\n", "Watchdog RAM Events", ramEvents, ramPeak);
     printf(">>> Kernel Info\n");
-    printf("  %-22s | %lld\n", "Kernel cache count", cacheCount);
+    printf("  %-25s | %lld\n", "Root cache count", rootCacheCount);
+    printf("  %-25s | %lld\n", "Non-root cache count", nonRootCacheCount);
     printf(">>> Database Info\n");
-    printf("  %-22s | %lld\n", "Binary Rules", binaryRuleCount);
-    printf("  %-22s | %lld\n", "Certificate Rules", certRuleCount);
-    printf("  %-22s | %lld\n", "Events Pending Upload", eventCount);
+    printf("  %-25s | %lld\n", "Binary Rules", binaryRuleCount);
+    printf("  %-25s | %lld\n", "Certificate Rules", certRuleCount);
+    printf("  %-25s | %lld\n", "Events Pending Upload", eventCount);
 
     if (syncURLStr) {
       printf(">>> Sync Info\n");
-      printf("  %-22s | %s\n", "Sync Server", [syncURLStr UTF8String]);
-      printf("  %-22s | %s\n", "Clean Sync Required", (syncCleanReqd ? "Yes" : "No"));
-      printf("  %-22s | %s\n", "Last Successful Sync", [lastSyncSuccessStr UTF8String]);
+      printf("  %-25s | %s\n", "Sync Server", [syncURLStr UTF8String]);
+      printf("  %-25s | %s\n", "Clean Sync Required", (syncCleanReqd ? "Yes" : "No"));
+      printf("  %-25s | %s\n", "Last Successful Full Sync", [lastSyncSuccessStr UTF8String]);
+      printf("  %-25s | %s\n", "Last Successful Rule Sync", [lastRuleSyncSuccessStr UTF8String]);
+      printf("  %-25s | %s\n", "Push Notifications",
+             (pushNotifications ? "Connected" : "Disconnected"));
+      printf("  %-25s | %s\n", "Bundle Scanning", (bundlesEnabled ? "Yes" : "No"));
     }
   }
 

Source/santactl/Commands/SNTCommandVersion.m

@@ -12,16 +12,18 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTCommandController.h"
+@import Foundation;
+@import IOKit.kext;
 
-#include <IOKit/kext/KextManager.h>
+#import "SNTCommand.h"
+#import "SNTCommandController.h"
 
 #import "SNTCommonEnums.h"
 #import "SNTFileInfo.h"
 #import "SNTKernelCommon.h"
 #import "SNTXPCConnection.h"
 
-@interface SNTCommandVersion : NSObject<SNTCommand>
+@interface SNTCommandVersion : SNTCommand<SNTCommandProtocol>
 @end
 
 @implementation SNTCommandVersion
@@ -45,7 +47,7 @@ REGISTER_COMMAND_NAME(@"version")
           @"  Use --json to output in JSON format.");
 }
 
-+ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
+- (void)runWithArguments:(NSArray *)arguments {
   if ([arguments containsObject:@"--json"]) {
     NSDictionary *versions = @{
       @"santa-driver" : [self santaKextVersion],
@@ -68,7 +70,7 @@ REGISTER_COMMAND_NAME(@"version")
   exit(0);
 }
 
-+ (NSString *)santaKextVersion {
+- (NSString *)santaKextVersion {
   NSDictionary *loadedKexts = CFBridgingRelease(
       KextManagerCopyLoadedKextInfo((__bridge CFArrayRef) @[ @(USERCLIENT_ID) ],
                                     (__bridge CFArrayRef) @[ @"CFBundleVersion" ]));
@@ -85,18 +87,18 @@ REGISTER_COMMAND_NAME(@"version")
   return @"not found";
 }
 
-+ (NSString *)santadVersion {
+- (NSString *)santadVersion {
   SNTFileInfo *daemonInfo = [[SNTFileInfo alloc] initWithPath:@(kSantaDPath)];
   return daemonInfo.bundleVersion;
 }
 
-+ (NSString *)santaAppVersion {
+- (NSString *)santaAppVersion {
   SNTFileInfo *guiInfo =
       [[SNTFileInfo alloc] initWithPath:@"/Applications/Santa.app/Contents/MacOS/Santa"];
   return guiInfo.bundleVersion;
 }
 
-+ (NSString *)santactlVersion {
+- (NSString *)santactlVersion {
   return [[NSBundle mainBundle] objectForInfoDictionaryKey:@"CFBundleVersion"];
 }
 

Source/santactl/Commands/sync/NSData+Zlib.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Foundation;
+
 /// Category on NSData providing the option of getting zlib or gzip compressed data.
 @interface NSData (Zlib)
 

Source/santactl/Commands/sync/SNTCommandSync.m

@@ -12,36 +12,35 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Foundation;
+
+#import "SNTCommand.h"
 #import "SNTCommandController.h"
 
-#import <MOLAuthenticatingURLSession.h>
-
-#import "SNTCommandSyncEventUpload.h"
-#import "SNTCommandSyncLogUpload.h"
-#import "SNTCommandSyncPostflight.h"
-#import "SNTCommandSyncPreflight.h"
-#import "SNTCommandSyncRuleDownload.h"
-#import "SNTCommandSyncState.h"
+#import "SNTCommandSyncManager.h"
 #import "SNTConfigurator.h"
 #import "SNTDropRootPrivs.h"
 #import "SNTLogging.h"
 #import "SNTXPCConnection.h"
 #import "SNTXPCControlInterface.h"
 
-@interface SNTCommandSync : NSObject<SNTCommand>
-@property SNTCommandSyncState *syncState;
+@interface SNTCommandSync : SNTCommand<SNTCommandProtocol>
+@property SNTXPCConnection *listener;
+@property SNTCommandSyncManager *syncManager;
 @end
 
 @implementation SNTCommandSync
 
 REGISTER_COMMAND_NAME(@"sync")
 
+#pragma mark SNTCommand protocol methods
+
 + (BOOL)requiresRoot {
   return NO;
 }
 
 + (BOOL)requiresDaemonConn {
-  return YES;
+  return NO;
 }
 
 + (NSString *)shortHelpText {
@@ -56,43 +55,22 @@ REGISTER_COMMAND_NAME(@"sync")
           @"           clean sync from the server.");
 }
 
-+ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
+- (void)runWithArguments:(NSArray *)arguments {
   // Ensure we have no privileges
   if (!DropRootPrivileges()) {
     LOGE(@"Failed to drop root privileges. Exiting.");
     exit(1);
   }
 
-  SNTConfigurator *config = [SNTConfigurator configurator];
-
-  SNTCommandSync *s = [[self alloc] init];
-
-  // Gather some data needed during some sync stages
-  s.syncState = [[SNTCommandSyncState alloc] init];
-
-  s.syncState.syncBaseURL = config.syncBaseURL;
-  if (s.syncState.syncBaseURL.absoluteString.length == 0) {
-    LOGE(@"Missing SyncBaseURL. Can't sync without it.");
-    exit(1);
-  } else if (![s.syncState.syncBaseURL.scheme isEqual:@"https"]) {
-    LOGW(@"SyncBaseURL is not over HTTPS!");
-  }
-
-  s.syncState.machineID = config.machineID;
-  if (s.syncState.machineID.length == 0) {
-    LOGE(@"Missing Machine ID. Can't sync without it.");
+  if (![[SNTConfigurator configurator] syncBaseURL]) {
+    LOGE(@"Missing SyncBaseURL. Exiting.");
     exit(1);
   }
 
-  s.syncState.machineOwner = config.machineOwner;
-  if (s.syncState.machineOwner.length == 0) {
-    s.syncState.machineOwner = @"";
-    LOGW(@"Missing Machine Owner.");
-  }
-
-  [[daemonConn remoteObjectProxy] xsrfToken:^(NSString *token) {
-    s.syncState.xsrfToken = token;
-  }];
+  [self.daemonConn resume];
+  BOOL daemon = [arguments containsObject:@"--daemon"];
+  self.syncManager = [[SNTCommandSyncManager alloc] initWithDaemonConnection:self.daemonConn
+                                                                    isDaemon:daemon];
 
   // Dropping root privileges to the 'nobody' user causes the default NSURLCache to throw
   // sandbox errors, which are benign but annoying. This line disables the cache entirely.
@@ -100,138 +78,40 @@ REGISTER_COMMAND_NAME(@"sync")
                                                               diskCapacity:0
                                                                   diskPath:nil]];
 
+  if (!self.syncManager.daemon) return [self.syncManager fullSync];
+  [self syncdWithDaemonConnection:self.daemonConn];
+}
 
-  MOLAuthenticatingURLSession *authURLSession = [[MOLAuthenticatingURLSession alloc] init];
-  authURLSession.userAgent = @"santactl-sync/";
-  NSString *santactlVersion = [[NSBundle mainBundle] objectForInfoDictionaryKey:@"CFBundleVersion"];
-  if (santactlVersion) {
-    authURLSession.userAgent = [authURLSession.userAgent stringByAppendingString:santactlVersion];
-  }
-  authURLSession.refusesRedirects = YES;
-  authURLSession.serverHostname = s.syncState.syncBaseURL.host;
-  authURLSession.loggingBlock = ^(NSString *line) {
-    LOGD(@"%@", line);
+#pragma mark daemon methods
+
+- (void)syncdWithDaemonConnection:(SNTXPCConnection *)daemonConn {
+  dispatch_semaphore_t sema = dispatch_semaphore_create(0);
+
+  // Create listener for return connection from daemon.
+  NSXPCListener *listener = [NSXPCListener anonymousListener];
+  self.listener = [[SNTXPCConnection alloc] initServerWithListener:listener];
+  self.listener.exportedInterface = [SNTXPCSyncdInterface syncdInterface];
+  self.listener.exportedObject = self.syncManager;
+  self.listener.acceptedHandler = ^{
+    LOGD(@"santad <--> santactl connections established");
+    dispatch_semaphore_signal(sema);
   };
-
-  // Configure server auth
-  if ([config syncServerAuthRootsFile]) {
-    authURLSession.serverRootsPemFile = [config syncServerAuthRootsFile];
-  } else if ([config syncServerAuthRootsData]) {
-    authURLSession.serverRootsPemData = [config syncServerAuthRootsData];
-  }
-
-  // Configure client auth
-  if ([config syncClientAuthCertificateFile]) {
-    authURLSession.clientCertFile = [config syncClientAuthCertificateFile];
-    authURLSession.clientCertPassword = [config syncClientAuthCertificatePassword];
-  } else if ([config syncClientAuthCertificateCn]) {
-    authURLSession.clientCertCommonName = [config syncClientAuthCertificateCn];
-  } else if ([config syncClientAuthCertificateIssuer]) {
-    authURLSession.clientCertIssuerCn = [config syncClientAuthCertificateIssuer];
-  }
-
-  s.syncState.session = [authURLSession session];
-  s.syncState.daemonConn = daemonConn;
-
-  if ([arguments containsObject:@"singleevent"]) {
-    NSUInteger idx = [arguments indexOfObject:@"singleevent"] + 1;
-    if (idx >= arguments.count) {
-      LOGI(@"singleevent takes an argument");
-      exit(1);
-    }
-
-    NSString *obj = arguments[idx];
-    if (obj.length != 64) {
-      LOGI(@"singleevent passed without SHA-256 as next argument");
-      exit(1);
-    }
-    return [s eventUploadSingleEvent:obj];
-  } else {
-    return [s preflight];
-  }
-}
-
-- (void)preflight {
-  SNTCommandSyncPreflight *p = [[SNTCommandSyncPreflight alloc] initWithState:self.syncState];
-  if ([p sync]) {
-    LOGD(@"Preflight complete");
-    if (self.syncState.uploadLogURL) {
-      return [self logUpload];
-    } else {
-      return [self eventUpload];
-    }
-  } else {
-    LOGE(@"Preflight failed, aborting run");
-    exit(1);
-  }
-}
-
-- (void)logUpload {
-  SNTCommandSyncLogUpload *p = [[SNTCommandSyncLogUpload alloc] initWithState:self.syncState];
-  if ([p sync]) {
-    LOGD(@"Log upload complete");
-  } else {
-    LOGE(@"Log upload failed, continuing anyway");
-  }
-  return [self eventUpload];
-}
-
-- (void)eventUpload {
-  SNTCommandSyncEventUpload *p = [[SNTCommandSyncEventUpload alloc] initWithState:self.syncState];
-  if ([p sync]) {
-    LOGD(@"Event upload complete");
-    return [self ruleDownload];
-  } else {
-    LOGE(@"Event upload failed, aborting run");
-    exit(1);
-  }
-}
-
-- (void)eventUploadSingleEvent:(NSString *)sha256 {
-  SNTCommandSyncEventUpload *p = [[SNTCommandSyncEventUpload alloc] initWithState:self.syncState];
-  if ([p syncSingleEventWithSHA256:sha256]) {
-    LOGD(@"Event upload complete");
+  self.listener.invalidationHandler = ^{
+    // If santad is unloaded kill santactl
+    LOGD(@"exiting");
     exit(0);
-  } else {
-    LOGE(@"Event upload failed");
-    exit(1);
-  }
-}
+  };
+  [self.listener resume];
 
-- (void)ruleDownload {
-  SNTCommandSyncRuleDownload *p = [[SNTCommandSyncRuleDownload alloc] initWithState:self.syncState];
-  if ([p sync]) {
-    LOGD(@"Rule download complete");
-    if (self.syncState.bundleBinaryRequests.count) {
-      return [self eventUploadBundleBinaries];
-    }
-    return [self postflight];
-  } else {
-    LOGE(@"Rule download failed, aborting run");
-    exit(1);
-  }
-}
+  // Tell daemon to connect back to the above listener.
+  [[daemonConn remoteObjectProxy] setSyncdListener:listener.endpoint];
 
-- (void)eventUploadBundleBinaries {
-  SNTCommandSyncEventUpload *p = [[SNTCommandSyncEventUpload alloc] initWithState:self.syncState];
-  if ([p syncBundleEvents]) {
-    LOGD(@"Event Upload bundle binaries complete");
-  } else {
-    LOGW(@"Event Upload bundle binary search failed");
+  // Now wait for the connection to come in.
+  if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC))) {
+    [self performSelectorInBackground:@selector(syncdWithDaemonConnection:) withObject:daemonConn];
   }
-  return [self postflight];
-}
 
-- (void)postflight {
-  SNTCommandSyncPostflight *p = [[SNTCommandSyncPostflight alloc] initWithState:self.syncState];
-  if ([p sync]) {
-    LOGD(@"Postflight complete");
-    LOGI(@"Sync completed successfully");
-    exit(0);
-  } else {
-    LOGE(@"Postflight failed");
-    exit(1);
-  }
+  [self.syncManager fullSyncSecondsFromNow:15];
 }
 
 @end

Source/santactl/Commands/sync/SNTCommandSyncConstants.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Foundation;
+
 extern NSString *const kXSRFToken;
 
 extern NSString *const kSerialNumber;
@@ -31,6 +33,10 @@ extern NSString *const kWhitelistRegex;
 extern NSString *const kBlacklistRegex;
 extern NSString *const kBinaryRuleCount;
 extern NSString *const kCertificateRuleCount;
+extern NSString *const kFCMToken;
+extern NSString *const kFCMFullSyncInterval;
+extern NSString *const kFCMGlobalRuleSyncDeadline;
+extern NSString *const kBundlesEnabled;
 
 extern NSString *const kEvents;
 extern NSString *const kFileSHA256;
@@ -53,9 +59,13 @@ extern NSString *const kLoggedInUsers;
 extern NSString *const kCurrentSessions;
 extern NSString *const kFileBundleID;
 extern NSString *const kFileBundlePath;
+extern NSString *const kFileBundleExecutableRelPath;
 extern NSString *const kFileBundleName;
 extern NSString *const kFileBundleVersion;
 extern NSString *const kFileBundleShortVersionString;
+extern NSString *const kFileBundleHash;
+extern NSString *const kFileBundleHashMilliseconds;
+extern NSString *const kFileBundleBinaryCount;
 extern NSString *const kPID;
 extern NSString *const kPPID;
 extern NSString *const kParentName;
@@ -88,3 +98,22 @@ extern NSString *const kRuleCustomMsg;
 extern NSString *const kCursor;
 
 extern NSString *const kBackoffInterval;
+
+extern NSString *const kFullSync;
+extern NSString *const kRuleSync;
+extern NSString *const kConfigSync;
+extern NSString *const kLogSync;
+
+extern const NSUInteger kDefaultEventBatchSize;
+
+///
+///  kDefaultFullSyncInterval
+///  kDefaultFCMFullSyncInterval
+///  kDefaultFCMGlobalRuleSyncDeadline
+///
+///  Are represented in seconds
+///
+extern const NSUInteger kDefaultFullSyncInterval;
+extern const NSUInteger kDefaultFCMFullSyncInterval;
+extern const NSUInteger kDefaultFCMGlobalRuleSyncDeadline;
+

Source/santactl/Commands/sync/SNTCommandSyncConstants.m

@@ -33,6 +33,10 @@ NSString *const kWhitelistRegex = @"whitelist_regex";
 NSString *const kBlacklistRegex = @"blacklist_regex";
 NSString *const kBinaryRuleCount = @"binary_rule_count";
 NSString *const kCertificateRuleCount = @"certificate_rule_count";
+NSString *const kFCMToken = @"fcm_token";
+NSString *const kFCMFullSyncInterval = @"fcm_full_sync_interval";
+NSString *const kFCMGlobalRuleSyncDeadline = @"fcm_global_rule_sync_deadline";
+NSString *const kBundlesEnabled = @"bundles_enabled";
 
 NSString *const kEvents = @"events";
 NSString *const kFileSHA256 = @"file_sha256";
@@ -55,9 +59,13 @@ NSString *const kLoggedInUsers = @"logged_in_users";
 NSString *const kCurrentSessions = @"current_sessions";
 NSString *const kFileBundleID = @"file_bundle_id";
 NSString *const kFileBundlePath = @"file_bundle_path";
+NSString *const kFileBundleExecutableRelPath = @"file_bundle_executable_rel_path";
 NSString *const kFileBundleName = @"file_bundle_name";
 NSString *const kFileBundleVersion = @"file_bundle_version";
 NSString *const kFileBundleShortVersionString = @"file_bundle_version_string";
+NSString *const kFileBundleHash = @"file_bundle_hash";
+NSString *const kFileBundleHashMilliseconds = @"file_bundle_hash_millis";
+NSString *const kFileBundleBinaryCount = @"file_bundle_binary_count";
 NSString *const kPID = @"pid";
 NSString *const kPPID = @"ppid";
 NSString *const kParentName = @"parent_name";
@@ -90,3 +98,13 @@ NSString *const kRuleCustomMsg = @"custom_msg";
 NSString *const kCursor = @"cursor";
 
 NSString *const kBackoffInterval = @"backoff";
+
+NSString *const kFullSync = @"full_sync";
+NSString *const kRuleSync = @"rule_sync";
+NSString *const kConfigSync = @"config_sync";
+NSString *const kLogSync = @"log_sync";
+
+const NSUInteger kDefaultEventBatchSize = 50;
+const NSUInteger kDefaultFullSyncInterval = 600;
+const NSUInteger kDefaultFCMFullSyncInterval = 14400;
+const NSUInteger kDefaultFCMGlobalRuleSyncDeadline = 600;

Source/santactl/Commands/sync/SNTCommandSyncEventUpload.h

@@ -12,12 +12,12 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Foundation;
+
 #import "SNTCommandSyncStage.h"
 
 @interface SNTCommandSyncEventUpload : SNTCommandSyncStage
 
-- (BOOL)syncSingleEventWithSHA256:(NSString *)sha256;
-
-- (BOOL)syncBundleEvents;
+- (BOOL)uploadEvents:(NSArray *)events;
 
 @end

Source/santactl/Commands/sync/SNTCommandSyncEventUpload.m

@@ -44,45 +44,26 @@
   return (dispatch_semaphore_wait(sema, DISPATCH_TIME_FOREVER) == 0);
 }
 
-- (BOOL)syncSingleEventWithSHA256:(NSString *)sha256 {
-  dispatch_semaphore_t sema = dispatch_semaphore_create(0);
-  [[self.daemonConn remoteObjectProxy] databaseEventForSHA256:sha256 reply:^(SNTStoredEvent *e) {
-    if (e) {
-      [self uploadEvents:@[ e ]];
-    }
-    dispatch_semaphore_signal(sema);
-  }];
-  return (dispatch_semaphore_wait(sema, DISPATCH_TIME_FOREVER) == 0);
-}
-
-- (BOOL)syncBundleEvents {
-  NSMutableArray *newEvents = [NSMutableArray array];
-  for (NSString *bundlePath in self.syncState.bundleBinaryRequests) {
-    [newEvents addObjectsFromArray:[self findRelatedBinaries:bundlePath]];
-  }
-  return [self uploadEvents:newEvents];
-}
-
 - (BOOL)uploadEvents:(NSArray *)events {
   NSMutableArray *uploadEvents = [[NSMutableArray alloc] init];
 
-  NSMutableDictionary *eventIds = [NSMutableDictionary dictionaryWithCapacity:events.count];
+  NSMutableSet *eventIds = [NSMutableSet setWithCapacity:events.count];
   for (SNTStoredEvent *event in events) {
     [uploadEvents addObject:[self dictionaryForEvent:event]];
-    eventIds[event.idx] = @YES;
+    if (event.idx) [eventIds addObject:event.idx];
     if (uploadEvents.count >= self.syncState.eventBatchSize) break;
   }
 
   NSDictionary *r = [self performRequest:[self requestWithDictionary:@{ kEvents: uploadEvents }]];
   if (!r) return NO;
 
-  // Keep track of bundle search requests
+  // A list of bundle hashes that require their related binary events to be uploaded.		
   self.syncState.bundleBinaryRequests = r[kEventUploadBundleBinaries];
 
   LOGI(@"Uploaded %lu events", uploadEvents.count);
 
   // Remove event IDs. For Bundle Events the ID is 0 so nothing happens.
-  [[self.daemonConn remoteObjectProxy] databaseRemoveEventsWithIDs:[eventIds allKeys]];
+  [[self.daemonConn remoteObjectProxy] databaseRemoveEventsWithIDs:[eventIds allObjects]];
 
   // See if there are any events remaining to upload
   if (uploadEvents.count < events.count) {
@@ -119,15 +100,22 @@
       ADDKEY(newEvent, kDecision, kDecisionBlockCertificate);
       break;
     case SNTEventStateBlockScope: ADDKEY(newEvent, kDecision, kDecisionBlockScope); break;
-    case SNTEventStateBundleBinary: ADDKEY(newEvent, kDecision, kDecisionBundleBinary); break;
+    case SNTEventStateBundleBinary:
+      ADDKEY(newEvent, kDecision, kDecisionBundleBinary);
+      [newEvent removeObjectForKey:kExecutionTime];
+      break;
     default: ADDKEY(newEvent, kDecision, kDecisionUnknown);
   }
 
   ADDKEY(newEvent, kFileBundleID, event.fileBundleID);
   ADDKEY(newEvent, kFileBundlePath, event.fileBundlePath);
+  ADDKEY(newEvent, kFileBundleExecutableRelPath, event.fileBundleExecutableRelPath);
   ADDKEY(newEvent, kFileBundleName, event.fileBundleName);
   ADDKEY(newEvent, kFileBundleVersion, event.fileBundleVersion);
   ADDKEY(newEvent, kFileBundleShortVersionString, event.fileBundleVersionString);
+  ADDKEY(newEvent, kFileBundleHash, event.fileBundleHash);
+  ADDKEY(newEvent, kFileBundleHashMilliseconds, event.fileBundleHashMilliseconds);
+  ADDKEY(newEvent, kFileBundleBinaryCount, event.fileBundleBinaryCount);
 
   ADDKEY(newEvent, kPID, event.pid);
   ADDKEY(newEvent, kPPID, event.ppid);
@@ -158,65 +146,4 @@
 #undef ADDKEY
 }
 
-// Find binaries within a bundle given the bundle's path
-// Searches for 10 minutes, creating new events.
-- (NSArray *)findRelatedBinaries:(NSString *)path {
-  SNTFileInfo *requestedPath = [[SNTFileInfo alloc] initWithPath:path];
-
-  // Prevent processing the same bundle twice.
-  static NSMutableDictionary *previouslyProcessedBundles;
-  static dispatch_once_t onceToken;
-  dispatch_once(&onceToken, ^{
-    previouslyProcessedBundles = [NSMutableDictionary dictionary];
-  });
-  if (previouslyProcessedBundles[requestedPath.bundleIdentifier]) return nil;
-  previouslyProcessedBundles[requestedPath.bundleIdentifier] = @YES;
-
-  NSMutableArray *relatedEvents = [NSMutableArray array];
-
-  dispatch_semaphore_t sema = dispatch_semaphore_create(0);
-  __block BOOL shouldCancel = NO;
-  dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0), ^{
-    NSDirectoryEnumerator *dirEnum = [[NSFileManager defaultManager] enumeratorAtPath:path];
-    NSString *file;
-
-    while (file = [dirEnum nextObject]) {
-      @autoreleasepool {
-        if (shouldCancel) break;
-        if ([dirEnum fileAttributes][NSFileType] != NSFileTypeRegular) continue;
-
-        file = [path stringByAppendingPathComponent:file];
-
-        SNTFileInfo *fi = [[SNTFileInfo alloc] initWithPath:file];
-        if (fi.isExecutable) {
-          SNTStoredEvent *se = [[SNTStoredEvent alloc] init];
-          se.filePath = fi.path;
-          se.fileSHA256 = fi.SHA256;
-          se.decision = SNTEventStateBundleBinary;
-          se.fileBundleID = fi.bundleIdentifier;
-          se.fileBundleName = fi.bundleName;
-          se.fileBundlePath = fi.bundlePath;
-          se.fileBundleVersion = fi.bundleVersion;
-          se.fileBundleVersionString = fi.bundleShortVersionString;
-
-          MOLCodesignChecker *cs = [[MOLCodesignChecker alloc] initWithBinaryPath:se.filePath];
-          se.signingChain = cs.certificates;
-
-          [relatedEvents addObject:[self dictionaryForEvent:se]];
-        }
-      }
-    }
-
-    dispatch_semaphore_signal(sema);
-  });
-
-  // Give the search up to 10m per bundle to run.
-  if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 600))) {
-    shouldCancel = YES;
-    LOGD(@"Timed out while searching for related events at path %@", path);
-  }
-
-  return relatedEvents;
-}
-
 @end

Source/santactl/Commands/sync/SNTCommandSyncLogUpload.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Foundation;
+
 #import "SNTCommandSyncStage.h"
 
 @interface SNTCommandSyncLogUpload : SNTCommandSyncStage

Source/santactl/Commands/sync/SNTCommandSyncManager.h

@@ -0,0 +1,55 @@
+/// Copyright 2016 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+@import Foundation;
+
+#import "SNTXPCSyncdInterface.h"
+
+@class SNTXPCConnection;
+
+///
+///  Handles push notifications and periodic syncing with a sync server.
+///
+@interface SNTCommandSyncManager : NSObject<SNTSyncdXPC>
+
+@property(readonly, nonatomic) BOOL daemon;
+
+///
+///  Use the designated initializer initWithDaemonConnection:isDaemon:
+///
+- (instancetype)init NS_UNAVAILABLE;
+
+///
+///  Designated initializer.
+///
+///  @param daemonConn A connection to santad.
+///  @param daemon Set to YES if periodic syncing should occur.
+///                Set to NO if a single sync should be performed. NO is default.
+///
+- (instancetype)initWithDaemonConnection:(SNTXPCConnection *)daemonConn
+                                isDaemon:(BOOL)daemon NS_DESIGNATED_INITIALIZER;
+
+///
+///  Perform a full sync immediately. Non-blocking.
+///  If a full sync is already running new requests will be dropped.
+///
+- (void)fullSync;
+
+///
+///  Perform a full sync seconds from now. Non-blocking.
+///  If a full sync is already running new requests will be dropped.
+///
+- (void)fullSyncSecondsFromNow:(uint64_t)seconds;
+
+@end

Source/santactl/Commands/sync/SNTCommandSyncManager.m

@@ -0,0 +1,546 @@
+/// Copyright 2016 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTCommandSyncManager.h"
+
+@import SystemConfiguration;
+
+#import <MOLAuthenticatingURLSession.h>
+#import <MOLFCMClient/MOLFCMClient.h>
+
+#import "SNTConfigurator.h"
+#import "SNTCommandSyncConstants.h"
+#import "SNTCommandSyncEventUpload.h"
+#import "SNTCommandSyncLogUpload.h"
+#import "SNTCommandSyncPostflight.h"
+#import "SNTCommandSyncPreflight.h"
+#import "SNTCommandSyncRuleDownload.h"
+#import "SNTCommandSyncState.h"
+#import "SNTCommonEnums.h"
+#import "SNTLogging.h"
+#import "SNTStoredEvent.h"
+#import "SNTStrengthify.h"
+#import "SNTXPCConnection.h"
+#import "SNTXPCControlInterface.h"
+#import "SNTXPCSyncdInterface.h"
+
+static NSString *const kFCMActionKey = @"action";
+static NSString *const kFCMFileHashKey = @"file_hash";
+static NSString *const kFCMFileNameKey = @"file_name";
+static NSString *const kFCMTargetHostIDKey = @"target_host_id";
+
+@interface SNTCommandSyncManager () {
+  SCNetworkReachabilityRef _reachability;
+}
+
+@property(nonatomic) dispatch_source_t fullSyncTimer;
+@property(nonatomic) dispatch_source_t ruleSyncTimer;
+
+@property(nonatomic) NSCache *dispatchLock;
+
+// whitelistNotifications dictionary stores info from FCM messages.  The binary/bundle hash is used
+// as a key mapping to values that are themselves dictionaries.  These dictionary values contain the
+// name of the binary/bundle and a count of associated binary rules.
+@property(nonatomic) NSMutableDictionary *whitelistNotifications;
+
+// whitelistNotificationQueue is used to serialize access to the whitelistNotifications dictionary.
+@property(nonatomic) NSOperationQueue *whitelistNotificationQueue;
+
+@property NSUInteger FCMFullSyncInterval;
+@property NSUInteger FCMGlobalRuleSyncDeadline;
+@property NSUInteger eventBatchSize;
+
+@property MOLFCMClient *FCMClient;
+
+@property(nonatomic) SNTXPCConnection *daemonConn;
+
+@property BOOL targetedRuleSync;
+
+@property(nonatomic) BOOL reachable;
+
+@end
+
+// Called when the network state changes
+static void reachabilityHandler(
+    SCNetworkReachabilityRef target, SCNetworkReachabilityFlags flags, void *info) {
+  // Put this check and set on the main thread to ensure serial access.
+  dispatch_async(dispatch_get_main_queue(), ^{
+    SNTCommandSyncManager *commandSyncManager = (__bridge SNTCommandSyncManager *)info;
+    // Only call the setter when there is a change. This will filter out the redundant calls to this
+    // callback whenever the network interface states change.
+    if (commandSyncManager.reachable != (flags & kSCNetworkReachabilityFlagsReachable)) {
+      commandSyncManager.reachable = (flags & kSCNetworkReachabilityFlagsReachable);
+    }
+  });
+}
+
+@implementation SNTCommandSyncManager
+
+#pragma mark init
+
+- (instancetype)initWithDaemonConnection:(SNTXPCConnection *)daemonConn isDaemon:(BOOL)daemon {
+  self = [super init];
+  if (self) {
+    _daemonConn = daemonConn;
+    _daemon = daemon;
+    _fullSyncTimer = [self createSyncTimerWithBlock:^{
+      [self rescheduleTimerQueue:self.fullSyncTimer secondsFromNow:self.FCMFullSyncInterval];
+      if (![[SNTConfigurator configurator] syncBaseURL]) return;
+      [self lockAction:kFullSync];
+      [self preflight];
+      [self unlockAction:kFullSync];
+    }];
+    _ruleSyncTimer = [self createSyncTimerWithBlock:^{
+      dispatch_source_set_timer(self.ruleSyncTimer,
+                                DISPATCH_TIME_FOREVER, DISPATCH_TIME_FOREVER, 0);
+      if (![[SNTConfigurator configurator] syncBaseURL]) return;
+      [self lockAction:kRuleSync];
+      SNTCommandSyncState *syncState = [self createSyncState];
+      syncState.targetedRuleSync = self.targetedRuleSync;
+      syncState.whitelistNotifications = self.whitelistNotifications;
+      syncState.whitelistNotificationQueue = self.whitelistNotificationQueue;
+      SNTCommandSyncRuleDownload *p = [[SNTCommandSyncRuleDownload alloc] initWithState:syncState];
+      if ([p sync]) {
+        LOGD(@"Rule download complete");
+      } else {
+        LOGE(@"Rule download failed");
+      }
+      self.targetedRuleSync = NO;
+      [self unlockAction:kRuleSync];
+    }];
+    _dispatchLock = [[NSCache alloc] init];
+    _whitelistNotifications = [NSMutableDictionary dictionary];
+    _whitelistNotificationQueue = [[NSOperationQueue alloc] init];
+    _whitelistNotificationQueue.maxConcurrentOperationCount = 1;  // make this a serial queue
+
+    _eventBatchSize = kDefaultEventBatchSize;
+    _FCMFullSyncInterval = kDefaultFCMFullSyncInterval;
+    _FCMGlobalRuleSyncDeadline = kDefaultFCMGlobalRuleSyncDeadline;
+  }
+  return self;
+}
+
+#pragma mark SNTSyncdXPC protocol methods
+
+- (void)postEventsToSyncServer:(NSArray<SNTStoredEvent *> *)events isFromBundle:(BOOL)isFromBundle {
+  SNTCommandSyncState *syncState = [self createSyncState];
+  if (isFromBundle) syncState.eventBatchSize = self.eventBatchSize;
+  SNTCommandSyncEventUpload *p = [[SNTCommandSyncEventUpload alloc] initWithState:syncState];
+  if (events && [p uploadEvents:events]) {
+    LOGD(@"Events upload complete");
+  } else {
+    LOGE(@"Events upload failed.  Will retry again once %@ is reachable",
+        [[SNTConfigurator configurator] syncBaseURL].absoluteString);
+    [self startReachability];
+  }
+}
+
+- (void)postBundleEventToSyncServer:(SNTStoredEvent *)event
+                              reply:(void (^)(SNTBundleEventAction))reply {
+  if (!event) {
+    reply(SNTBundleEventActionDropEvents);
+    return;
+  }
+  SNTCommandSyncState *syncState = [self createSyncState];
+  SNTCommandSyncEventUpload *p = [[SNTCommandSyncEventUpload alloc] initWithState:syncState];
+  if ([p uploadEvents:@[event]]) {
+    if ([syncState.bundleBinaryRequests containsObject:event.fileBundleHash]) {
+      reply(SNTBundleEventActionSendEvents);
+      LOGD(@"Needs related events");
+    } else {
+      reply(SNTBundleEventActionDropEvents);
+      LOGD(@"Bundle event upload complete");
+    }
+  } else {
+    // Related bundle events will be stored and eventually synced, whether the server actually
+    // wanted them or not.  If they weren't needed the server will simply ignore them.
+    reply(SNTBundleEventActionStoreEvents);
+    LOGE(@"Bundle event upload failed.  Will retry again once %@ is reachable",
+        [[SNTConfigurator configurator] syncBaseURL].absoluteString);
+    [self startReachability];
+  }
+}
+
+- (void)isFCMListening:(void (^)(BOOL))reply {
+  reply((self.FCMClient.FCMToken != nil));
+}
+
+#pragma mark push notification methods
+
+- (void)listenForPushNotificationsWithSyncState:(SNTCommandSyncState *)syncState {
+  if ([self.FCMClient.FCMToken isEqualToString:syncState.FCMToken]) {
+    LOGD(@"Continue with the current FCMToken");
+    return;
+  }
+
+  LOGD(@"Start listening for push notifications");
+
+  WEAKIFY(self);
+
+  [self.FCMClient disconnect];
+  NSString *machineID = syncState.machineID;
+  self.FCMClient = [[MOLFCMClient alloc] initWithFCMToken:syncState.FCMToken
+                                     sessionConfiguration:syncState.session.configuration.copy
+                                           messageHandler:^(NSDictionary *message) {
+    if (!message || [message isEqual:@{}]) return;
+      STRONGIFY(self);
+      LOGD(@"%@", message);
+      [self.FCMClient acknowledgeMessage:message];
+      [self processFCMMessage:message withMachineID:machineID];
+  }];
+
+  self.FCMClient.connectionErrorHandler = ^(NSError *error) {
+    STRONGIFY(self);
+    LOGE(@"FCM connection error: %@", error);
+    [self.FCMClient disconnect];
+    self.FCMClient = nil;
+    [self rescheduleTimerQueue:self.fullSyncTimer secondsFromNow:kDefaultFullSyncInterval];
+  };
+
+  self.FCMClient.loggingBlock = ^(NSString *log) {
+    LOGD(@"%@", log);
+  };
+
+  [self.FCMClient connect];
+}
+
+- (void)processFCMMessage:(NSDictionary *)FCMmessage withMachineID:(NSString *)machineID {
+  NSDictionary *message = [self messageFromMessageData:[self messageDataFromFCMmessage:FCMmessage]];
+
+  if (!message) {
+    LOGD(@"Push notification message is not in the expected format...dropping message");
+    return;
+  }
+
+  NSString *action = message[kFCMActionKey];
+  if (!action) {
+    LOGD(@"Push notification message contains no action");
+    return;
+  }
+
+  // We assume that the incoming FCM message contains name of binary/bundle and a hash.  Rule count
+  // info for bundles will be sent out later with the rules themselves.  If the message is related
+  // to a bundle, the hash is a bundle hash, otherwise it is just a hash for a single binary.
+  // For later use, we store a mapping of bundle/binary hash to a dictionary containing the
+  // binary/bundle name so we can send out relevant notifications once the rules are actually
+  // downloaded & added to local database.  We use a dictionary value so that we can later add a
+  // count field when we start downloading the rules and receive the count information.
+  NSString *fileHash = message[kFCMFileHashKey];
+  NSString *fileName = message[kFCMFileNameKey];
+  if (fileName && fileHash) {
+    [self.whitelistNotificationQueue addOperationWithBlock:^{
+      self.whitelistNotifications[fileHash] = @{ kFileName : fileName }.mutableCopy;
+    }];
+  }
+
+  LOGD(@"Push notification action: %@ received", action);
+
+  if ([action isEqualToString:kFullSync]) {
+    [self fullSync];
+  } else if ([action isEqualToString:kRuleSync]) {
+    NSString *targetHostID = message[kFCMTargetHostIDKey];
+    if (targetHostID && [targetHostID caseInsensitiveCompare:machineID] == NSOrderedSame) {
+      LOGD(@"Targeted rule_sync for host_id: %@", targetHostID);
+      self.targetedRuleSync = YES;
+      [self ruleSync];
+    } else {
+      uint32_t delaySeconds = arc4random_uniform((uint32_t)self.FCMGlobalRuleSyncDeadline);
+      LOGD(@"Global rule_sync, staggering: %u second delay", delaySeconds);
+      [self ruleSyncSecondsFromNow:delaySeconds];
+    }
+  } else if ([action isEqualToString:kConfigSync]) {
+    [self fullSync];
+  } else if ([action isEqualToString:kLogSync]) {
+    [self fullSync];
+  } else {
+    LOGD(@"Unrecognised action: %@", action);
+  }
+}
+
+- (NSData *)messageDataFromFCMmessage:(NSDictionary *)FCMmessage {
+  if (![FCMmessage[@"data"] isKindOfClass:[NSDictionary class]]) return nil;
+  if (![FCMmessage[@"data"][@"blob"] isKindOfClass:[NSString class]]) return nil;
+  return [FCMmessage[@"data"][@"blob"] dataUsingEncoding:NSUTF8StringEncoding];
+}
+
+- (NSDictionary *)messageFromMessageData:(NSData *)messageData {
+  NSError *error;
+  NSDictionary *rawMessage = [NSJSONSerialization JSONObjectWithData:messageData
+                                                             options:0
+                                                               error:&error];
+  if (!rawMessage) {
+    LOGD(@"Unable to parse push notification message data: %@", error);
+    return nil;
+  }
+
+  // Create a new message dropping unexpected values
+  NSArray *allowedKeys = @[ kFCMActionKey, kFCMFileHashKey, kFCMFileNameKey, kFCMTargetHostIDKey ];
+  NSMutableDictionary *message = [NSMutableDictionary dictionaryWithCapacity:allowedKeys.count];
+  for (NSString *key in allowedKeys) {
+    if ([rawMessage[key] isKindOfClass:[NSString class]] && [rawMessage[key] length]) {
+      message[key] = rawMessage[key];
+    }
+  }
+  return message.count ? [message copy] : nil;
+}
+
+#pragma mark sync timer control
+
+- (void)fullSync {
+  [self fullSyncSecondsFromNow:0];
+}
+
+- (void)fullSyncSecondsFromNow:(uint64_t)seconds {
+  if (![self checkLockAction:kFullSync]) {
+    LOGD(@"%@ in progress, dropping reschedule request", kFullSync);
+    return;
+  }
+  [self rescheduleTimerQueue:self.fullSyncTimer secondsFromNow:seconds];
+}
+
+- (void)ruleSync {
+  [self ruleSyncSecondsFromNow:0];
+}
+
+- (void)ruleSyncSecondsFromNow:(uint64_t)seconds {
+  if (![self checkLockAction:kRuleSync]) {
+    LOGD(@"%@ in progress, dropping reschedule request", kRuleSync);
+    return;
+  }
+  [self rescheduleTimerQueue:self.ruleSyncTimer secondsFromNow:seconds];
+}
+
+- (void)rescheduleTimerQueue:(dispatch_source_t)timerQueue secondsFromNow:(uint64_t)seconds {
+  uint64_t interval = seconds * NSEC_PER_SEC;
+  uint64_t leeway = (seconds * 0.5) * NSEC_PER_SEC;
+  dispatch_source_set_timer(timerQueue, dispatch_walltime(NULL, interval), interval, leeway);
+}
+
+#pragma mark syncing chain
+
+- (void)preflight {
+  SNTCommandSyncState *syncState = [self createSyncState];
+  SNTCommandSyncPreflight *p = [[SNTCommandSyncPreflight alloc] initWithState:syncState];
+  if ([p sync]) {
+    LOGD(@"Preflight complete");
+
+    // Clean up reachability if it was started for a non-network error
+    [self stopReachability];
+
+    self.eventBatchSize = syncState.eventBatchSize;
+
+    // Start listening for push notifications with a full sync every FCMFullSyncInterval
+    if (syncState.daemon && syncState.FCMToken) {
+      self.FCMFullSyncInterval = syncState.FCMFullSyncInterval;
+      self.FCMGlobalRuleSyncDeadline = syncState.FCMGlobalRuleSyncDeadline;
+      [self listenForPushNotificationsWithSyncState:syncState];
+    } else if (syncState.daemon) {
+      LOGD(@"FCMToken not provided. Sync every %lu min.", kDefaultFullSyncInterval / 60);
+      [self.FCMClient disconnect];
+      self.FCMClient = nil;
+      [self rescheduleTimerQueue:self.fullSyncTimer secondsFromNow:kDefaultFullSyncInterval];
+    }
+
+    if (syncState.uploadLogURL) {
+      return [self logUploadWithSyncState:syncState];
+    } else {
+      return [self eventUploadWithSyncState:syncState];
+    }
+  } else {
+    if (!syncState.daemon) {
+      LOGE(@"Preflight failed, aborting run");
+      exit(1);
+    }
+    LOGE(@"Preflight failed, will try again once %@ is reachable",
+         [[SNTConfigurator configurator] syncBaseURL].absoluteString);
+    [self startReachability];
+  }
+}
+
+- (void)logUploadWithSyncState:(SNTCommandSyncState *)syncState {
+  SNTCommandSyncLogUpload *p = [[SNTCommandSyncLogUpload alloc] initWithState:syncState];
+  if ([p sync]) {
+    LOGD(@"Log upload complete");
+  } else {
+    LOGE(@"Log upload failed, continuing anyway");
+  }
+  return [self eventUploadWithSyncState:syncState];
+}
+
+- (void)eventUploadWithSyncState:(SNTCommandSyncState *)syncState {
+  SNTCommandSyncEventUpload *p = [[SNTCommandSyncEventUpload alloc] initWithState:syncState];
+  if ([p sync]) {
+    LOGD(@"Event upload complete");
+    return [self ruleDownloadWithSyncState:syncState];
+  } else {
+    LOGE(@"Event upload failed, aborting run");
+    if (!syncState.daemon) exit(1);
+  }
+}
+
+- (void)ruleDownloadWithSyncState:(SNTCommandSyncState *)syncState {
+  SNTCommandSyncRuleDownload *p = [[SNTCommandSyncRuleDownload alloc] initWithState:syncState];
+  if ([p sync]) {
+    LOGD(@"Rule download complete");
+    return [self postflightWithSyncState:syncState];
+  } else {
+    LOGE(@"Rule download failed, aborting run");
+    if (!syncState.daemon) exit(1);
+  }
+}
+
+- (void)postflightWithSyncState:(SNTCommandSyncState *)syncState {
+  SNTCommandSyncPostflight *p = [[SNTCommandSyncPostflight alloc] initWithState:syncState];
+  if ([p sync]) {
+    LOGD(@"Postflight complete");
+    LOGI(@"Sync completed successfully");
+    if (!syncState.daemon) exit(0);
+  } else {
+    LOGE(@"Postflight failed");
+    if (!syncState.daemon) exit(1);
+  }
+}
+
+#pragma mark internal helpers
+
+- (dispatch_source_t)createSyncTimerWithBlock:(void (^)())block {
+  dispatch_source_t timerQueue = dispatch_source_create(
+      DISPATCH_SOURCE_TYPE_TIMER, 0, 0,
+      dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0));
+  dispatch_source_set_event_handler(timerQueue, block);
+  dispatch_resume(timerQueue);
+  return timerQueue;
+}
+
+- (SNTCommandSyncState *)createSyncState {
+  // Gather some data needed during some sync stages
+  SNTCommandSyncState *syncState = [[SNTCommandSyncState alloc] init];
+  SNTConfigurator *config = [SNTConfigurator configurator];
+
+  syncState.syncBaseURL = config.syncBaseURL;
+  if (syncState.syncBaseURL.absoluteString.length == 0) {
+    LOGE(@"Missing SyncBaseURL. Can't sync without it.");
+    if (!syncState.daemon) exit(1);
+  } else if (![syncState.syncBaseURL.scheme isEqual:@"https"]) {
+    LOGW(@"SyncBaseURL is not over HTTPS!");
+  }
+
+  syncState.machineID = config.machineID;
+  if (syncState.machineID.length == 0) {
+    LOGE(@"Missing Machine ID. Can't sync without it.");
+    if (!syncState.daemon) exit(1);
+  }
+
+  syncState.machineOwner = config.machineOwner;
+  if (syncState.machineOwner.length == 0) {
+    syncState.machineOwner = @"";
+    LOGW(@"Missing Machine Owner.");
+  }
+
+  dispatch_group_t group = dispatch_group_create();
+  dispatch_group_enter(group);
+  [[self.daemonConn remoteObjectProxy] xsrfToken:^(NSString *token) {
+    syncState.xsrfToken = token;
+    dispatch_group_leave(group);
+  }];
+
+  MOLAuthenticatingURLSession *authURLSession = [[MOLAuthenticatingURLSession alloc] init];
+  authURLSession.userAgent = @"santactl-sync/";
+  NSString *santactlVersion = [[NSBundle mainBundle] objectForInfoDictionaryKey:@"CFBundleVersion"];
+  if (santactlVersion) {
+    authURLSession.userAgent = [authURLSession.userAgent stringByAppendingString:santactlVersion];
+  }
+  authURLSession.refusesRedirects = YES;
+  authURLSession.serverHostname = syncState.syncBaseURL.host;
+  authURLSession.loggingBlock = ^(NSString *line) {
+    LOGD(@"%@", line);
+  };
+
+  // Configure server auth
+  if ([config syncServerAuthRootsFile]) {
+    authURLSession.serverRootsPemFile = [config syncServerAuthRootsFile];
+  } else if ([config syncServerAuthRootsData]) {
+    authURLSession.serverRootsPemData = [config syncServerAuthRootsData];
+  }
+
+  // Configure client auth
+  if ([config syncClientAuthCertificateFile]) {
+    authURLSession.clientCertFile = [config syncClientAuthCertificateFile];
+    authURLSession.clientCertPassword = [config syncClientAuthCertificatePassword];
+  } else if ([config syncClientAuthCertificateCn]) {
+    authURLSession.clientCertCommonName = [config syncClientAuthCertificateCn];
+  } else if ([config syncClientAuthCertificateIssuer]) {
+    authURLSession.clientCertIssuerCn = [config syncClientAuthCertificateIssuer];
+  }
+
+  syncState.session = [authURLSession session];
+  syncState.daemonConn = self.daemonConn;
+  syncState.daemon = self.daemon;
+
+  dispatch_group_wait(group, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC));
+  return syncState;
+}
+
+- (void)lockAction:(NSString *)action {
+  [self.dispatchLock setObject:@YES forKey:action];
+}
+
+- (void)unlockAction:(NSString *)action {
+  [self.dispatchLock removeObjectForKey:action];
+}
+
+- (BOOL)checkLockAction:(NSString *)action {
+  return ([self.dispatchLock objectForKey:action] == nil);
+}
+
+#pragma mark reachability methods
+
+- (void)setReachable:(BOOL)reachable {
+  _reachable = reachable;
+  if (reachable) {
+    [self stopReachability];
+    [self fullSync];
+  }
+}
+
+// Start listening for network state changes on a background thread
+- (void)startReachability {
+  dispatch_async(dispatch_get_main_queue(), ^{
+    if (_reachability) return;
+    const char *nodename = [[SNTConfigurator configurator] syncBaseURL].host.UTF8String;
+    _reachability = SCNetworkReachabilityCreateWithName(kCFAllocatorDefault, nodename);
+    SCNetworkReachabilityContext context = {
+      .info = (__bridge void *)self
+    };
+    if (SCNetworkReachabilitySetCallback(_reachability, reachabilityHandler, &context)) {
+      SCNetworkReachabilitySetDispatchQueue(_reachability,
+          dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0));
+    } else {
+      [self stopReachability];
+    }
+  });
+}
+
+// Stop listening for network state changes
+- (void)stopReachability {
+  dispatch_async(dispatch_get_main_queue(), ^{
+    if (_reachability) {
+      SCNetworkReachabilitySetDispatchQueue(_reachability, NULL);
+      if (_reachability) CFRelease(_reachability);
+      _reachability = NULL;
+    }
+  });
+}
+
+@end

Source/santactl/Commands/sync/SNTCommandSyncPostflight.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Foundation;
+
 #import "SNTCommandSyncStage.h"
 
 @interface SNTCommandSyncPostflight : SNTCommandSyncStage

Source/santactl/Commands/sync/SNTCommandSyncPostflight.m

@@ -29,7 +29,7 @@
 }
 
 - (BOOL)sync {
-  NSDictionary *r = [self performRequest:[self requestWithDictionary:nil]];
+  [self performRequest:[self requestWithDictionary:nil]];
 
   dispatch_group_t group = dispatch_group_create();
   void (^replyBlock)() = ^{
@@ -43,14 +43,6 @@
                                                  reply:replyBlock];
   }
 
-  // Update backoff interval
-  NSString *backoffInterval = r[kBackoffInterval];
-  if (backoffInterval) {
-    dispatch_group_enter(group);
-    [[self.daemonConn remoteObjectProxy] setNextSyncInterval:[backoffInterval intValue]
-                                                       reply:replyBlock];
-  }
-
   // Remove clean sync flag if we did a clean sync
   if (self.syncState.cleanSync) {
     dispatch_group_enter(group);

Source/santactl/Commands/sync/SNTCommandSyncPreflight.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+@import Foundation;
+
 #import "SNTCommandSyncStage.h"
 
 @interface SNTCommandSyncPreflight : SNTCommandSyncStage