santactl status: add last successful rule sync date (#139)

* santactl status: add last successful rule sync date

Source/common/SNTConfigurator.h

@@ -143,9 +143,14 @@ extern NSString *const kDefaultConfigFilePath;
 @property(readonly, nonatomic) NSString *machineOwner;
 
 ///
-///  The last date of successful sync.
+///  The last date of a successful full sync.
 ///
-@property(nonatomic) NSDate *syncLastSuccess;
+@property(nonatomic) NSDate *fullSyncLastSuccess;
+
+///
+///  The last date of a successful rule sync.
+///
+@property(nonatomic) NSDate *ruleSyncLastSuccess;
 
 ///
 ///  If YES a clean sync is required.

Source/common/SNTConfigurator.m

@@ -52,7 +52,8 @@ static NSString *const kModeNotificationMonitor = @"ModeNotificationMonitor";
 static NSString *const kModeNotificationLockdown = @"ModeNotificationLockdown";
 
 static NSString *const kSyncBaseURLKey = @"SyncBaseURL";
-static NSString *const kSyncLastSuccess = @"SyncLastSuccess";
+static NSString *const kFullSyncLastSuccess = @"FullSyncLastSuccess";
+static NSString *const kRuleSyncLastSuccess = @"RuleSyncLastSuccess";
 static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
 static NSString *const kClientAuthCertificateFileKey = @"ClientAuthCertificateFile";
 static NSString *const kClientAuthCertificatePasswordKey = @"ClientAuthCertificatePassword";
@@ -259,12 +260,22 @@ static NSString *const kMachineIDPlistKeyKey = @"MachineIDKey";
   return self.configData[kServerAuthRootsFileKey];
 }
 
-- (NSDate *)syncLastSuccess {
-  return self.configData[kSyncLastSuccess];
+- (NSDate *)fullSyncLastSuccess {
+  return self.configData[kFullSyncLastSuccess];
 }
 
-- (void)setSyncLastSuccess:(NSDate *)syncLastSuccess {
-  self.configData[kSyncLastSuccess] = syncLastSuccess;
+- (void)setFullSyncLastSuccess:(NSDate *)fullSyncLastSuccess {
+  self.configData[kFullSyncLastSuccess] = fullSyncLastSuccess;
+  [self saveConfigToDisk];
+  self.ruleSyncLastSuccess = fullSyncLastSuccess;
+}
+
+- (NSDate *)ruleSyncLastSuccess {
+  return self.configData[kRuleSyncLastSuccess];
+}
+
+- (void)setRuleSyncLastSuccess:(NSDate *)ruleSyncLastSuccess {
+  self.configData[kRuleSyncLastSuccess] = ruleSyncLastSuccess;
   [self saveConfigToDisk];
 }
 

Source/common/SNTXPCControlInterface.h

@@ -73,6 +73,7 @@
 - (void)xsrfToken:(void (^)(NSString *))reply;
 - (void)setXsrfToken:(NSString *)token reply:(void (^)())reply;
 - (void)setSyncLastSuccess:(NSDate *)date reply:(void (^)())reply;
+- (void)setRuleSyncLastSuccess:(NSDate *)date reply:(void (^)())reply;
 - (void)setSyncCleanRequired:(BOOL)cleanReqd reply:(void (^)())reply;
 - (void)setWhitelistPathRegex:(NSString *)pattern reply:(void (^)())reply;
 - (void)setBlacklistPathRegex:(NSString *)pattern reply:(void (^)())reply;

Source/santactl/Commands/SNTCommandStatus.m

@@ -102,8 +102,11 @@ REGISTER_COMMAND_NAME(@"status")
   NSString *syncURLStr = [[[SNTConfigurator configurator] syncBaseURL] absoluteString];
   NSDateFormatter *dateFormatter = [[NSDateFormatter alloc] init];
   dateFormatter.dateFormat = @"yyyy/MM/dd HH:mm:ss Z";
-  NSDate *lastSyncSuccess = [[SNTConfigurator configurator] syncLastSuccess];
+  NSDate *lastSyncSuccess = [[SNTConfigurator configurator] fullSyncLastSuccess];
   NSString *lastSyncSuccessStr = [dateFormatter stringFromDate:lastSyncSuccess] ?: @"Never";
+  NSDate *lastRuleSyncSuccess = [[SNTConfigurator configurator] ruleSyncLastSuccess];
+  NSString *lastRuleSyncSuccessStr =
+      [dateFormatter stringFromDate:lastRuleSyncSuccess] ?: lastSyncSuccessStr;
   BOOL syncCleanReqd = [[SNTConfigurator configurator] syncCleanRequired];
   __block BOOL pushNotifications;
   dispatch_group_enter(group);
@@ -138,8 +141,9 @@ REGISTER_COMMAND_NAME(@"status")
       @"sync" : @{
         @"server" : syncURLStr ?: @"null",
         @"clean_required" : @(syncCleanReqd),
-        @"last_successful" : lastSyncSuccessStr ?: @"null",
-        @"push_notifications" : pushNotifications ? @"true" : @"false"
+        @"last_successful_full" : lastSyncSuccessStr ?: @"null",
+        @"last_successful_rule" : lastRuleSyncSuccessStr ?: @"null",
+        @"push_notifications" : pushNotifications ? @"Connected" : @"Disconnected"
       },
     };
     NSData *statsData = [NSJSONSerialization dataWithJSONObject:stats
@@ -149,23 +153,25 @@ REGISTER_COMMAND_NAME(@"status")
     printf("%s\n", [statsStr UTF8String]);
   } else {
     printf(">>> Daemon Info\n");
-    printf("  %-22s | %s\n", "Mode", [clientMode UTF8String]);
-    printf("  %-22s | %s\n", "File Logging", (fileLogging ? "Yes" : "No"));
-    printf("  %-22s | %lld  (Peak: %.2f%%)\n", "Watchdog CPU Events", cpuEvents, cpuPeak);
-    printf("  %-22s | %lld  (Peak: %.2fMB)\n", "Watchdog RAM Events", ramEvents, ramPeak);
+    printf("  %-25s | %s\n", "Mode", [clientMode UTF8String]);
+    printf("  %-25s | %s\n", "File Logging", (fileLogging ? "Yes" : "No"));
+    printf("  %-25s | %lld  (Peak: %.2f%%)\n", "Watchdog CPU Events", cpuEvents, cpuPeak);
+    printf("  %-25s | %lld  (Peak: %.2fMB)\n", "Watchdog RAM Events", ramEvents, ramPeak);
     printf(">>> Kernel Info\n");
-    printf("  %-22s | %lld\n", "Kernel cache count", cacheCount);
+    printf("  %-25s | %lld\n", "Kernel cache count", cacheCount);
     printf(">>> Database Info\n");
-    printf("  %-22s | %lld\n", "Binary Rules", binaryRuleCount);
-    printf("  %-22s | %lld\n", "Certificate Rules", certRuleCount);
-    printf("  %-22s | %lld\n", "Events Pending Upload", eventCount);
+    printf("  %-25s | %lld\n", "Binary Rules", binaryRuleCount);
+    printf("  %-25s | %lld\n", "Certificate Rules", certRuleCount);
+    printf("  %-25s | %lld\n", "Events Pending Upload", eventCount);
 
     if (syncURLStr) {
       printf(">>> Sync Info\n");
-      printf("  %-22s | %s\n", "Sync Server", [syncURLStr UTF8String]);
-      printf("  %-22s | %s\n", "Clean Sync Required", (syncCleanReqd ? "Yes" : "No"));
-      printf("  %-22s | %s\n", "Last Successful Sync", [lastSyncSuccessStr UTF8String]);
-      printf("  %-22s | %s\n", "Push Notifications", (pushNotifications ? "Yes" : "No"));
+      printf("  %-25s | %s\n", "Sync Server", [syncURLStr UTF8String]);
+      printf("  %-25s | %s\n", "Clean Sync Required", (syncCleanReqd ? "Yes" : "No"));
+      printf("  %-25s | %s\n", "Last Successful Full Sync", [lastSyncSuccessStr UTF8String]);
+      printf("  %-25s | %s\n", "Last Successful Rule Sync", [lastRuleSyncSuccessStr UTF8String]);
+      printf("  %-25s | %s\n", "Push Notifications",
+             (pushNotifications ? "Connected" : "Disconnected"));
     }
   }
 

Source/santactl/Commands/sync/SNTCommandSyncManager.m

@@ -14,6 +14,8 @@
 
 #import "SNTCommandSyncManager.h"
 
+#import <SystemConfiguration/SystemConfiguration.h>
+
 #import <MOLAuthenticatingURLSession.h>
 #import <MOLFCMClient/MOLFCMClient.h>
 
@@ -36,7 +38,9 @@ const uint64_t kFullSyncInterval = 600;
 const uint64_t kFullSyncFCMInterval = 14400;
 const uint64_t kGlobalRuleSyncLeeway = 600;
 
-@interface SNTCommandSyncManager ()
+@interface SNTCommandSyncManager () {
+  SCNetworkReachabilityRef _reachability;
+}
 @property(nonatomic) dispatch_source_t fullSyncTimer;
 @property(nonatomic) dispatch_source_t ruleSyncTimer;
 @property(nonatomic) NSCache *dispatchLock;
@@ -44,8 +48,20 @@ const uint64_t kGlobalRuleSyncLeeway = 600;
 @property MOLFCMClient *FCMClient;
 @property(nonatomic) SNTXPCConnection *daemonConn;
 @property BOOL targetedRuleSync;
+@property(nonatomic) BOOL reachable;
 @end
 
+// Called when the network state changes
+static void reachabilityHandler(
+    SCNetworkReachabilityRef target, SCNetworkReachabilityFlags flags, void *info) {
+  SNTCommandSyncManager *commandSyncManager = (__bridge SNTCommandSyncManager *)info;
+  // Only call the setter when there is a change. This will filter out the redundant calls to this
+  // callback whenever the network interface states change.
+  if (commandSyncManager.reachable != (flags & kSCNetworkReachabilityFlagsReachable)) {
+    commandSyncManager.reachable = (flags & kSCNetworkReachabilityFlagsReachable);
+  }
+}
+
 @implementation SNTCommandSyncManager
 
 #pragma mark init
@@ -246,6 +262,9 @@ const uint64_t kGlobalRuleSyncLeeway = 600;
   if ([p sync]) {
     LOGD(@"Preflight complete");
 
+    // Clean up reachability if it was started for a non-network error
+    [self stopReachability];
+
     // Start listening for push notifications with a full sync every kFullSyncFCMInterval or
     // revert to full syncing every kFullSyncInterval.
     if (syncState.daemon && syncState.FCMToken) {
@@ -263,8 +282,13 @@ const uint64_t kGlobalRuleSyncLeeway = 600;
       return [self eventUploadWithSyncState:syncState];
     }
   } else {
-    LOGE(@"Preflight failed, aborting run");
-    if (!syncState.daemon) exit(1);
+    if (!syncState.daemon) {
+      LOGE(@"Preflight failed, aborting run");
+      exit(1);
+    }
+    LOGE(@"Preflight failed, will try again once %@ is reachable",
+         [[SNTConfigurator configurator] syncBaseURL].absoluteString);
+    [self startReachability];
   }
 }
 
@@ -413,4 +437,39 @@ const uint64_t kGlobalRuleSyncLeeway = 600;
   return ([self.dispatchLock objectForKey:action] == nil);
 }
 
+#pragma mark reachability methods
+
+- (void)setReachable:(BOOL)reachable {
+  _reachable = reachable;
+  if (reachable) {
+    [self stopReachability];
+    [self fullSync];
+  }
+}
+
+// Start listening for network state changes on a background thread
+- (void)startReachability {
+  if (_reachability) return;
+  const char *nodename = [[SNTConfigurator configurator] syncBaseURL].absoluteString.UTF8String;
+  _reachability = SCNetworkReachabilityCreateWithName(kCFAllocatorDefault, nodename);
+  SCNetworkReachabilityContext context = {
+    .info = (__bridge void *)self
+  };
+  if (SCNetworkReachabilitySetCallback(_reachability, reachabilityHandler, &context)) {
+    SCNetworkReachabilitySetDispatchQueue(
+        _reachability, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0));
+  } else {
+    [self stopReachability];
+  }
+}
+
+// Stop listening for network state changes
+- (void)stopReachability {
+  if (_reachability) {
+    SCNetworkReachabilitySetDispatchQueue(_reachability, NULL);
+    CFRelease(_reachability);
+    _reachability = NULL;
+  }
+}
+
 @end

Source/santactl/Commands/sync/SNTCommandSyncRuleDownload.m

@@ -67,18 +67,24 @@
     return NO;
   }
 
+  sema = dispatch_semaphore_create(0);
+  [[self.daemonConn remoteObjectProxy] setRuleSyncLastSuccess:[NSDate date] reply:^{
+    dispatch_semaphore_signal(sema);
+  }];
+  dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC));
+
   LOGI(@"Added %lu rules", self.syncState.downloadedRules.count);
 
   if (self.syncState.targetedRuleSync) {
-    NSString *fileName;
     for (SNTRule *r in self.syncState.downloadedRules) {
-      fileName = [[self.syncState.ruleSyncCache objectForKey:r.shasum] copy];
+      NSString *fileName = [[self.syncState.ruleSyncCache objectForKey:r.shasum] copy];
       [self.syncState.ruleSyncCache removeObjectForKey:r.shasum];
-      if (fileName) break;
+      if (fileName) {
+        NSString *message = [NSString stringWithFormat:@"%@ can now be run", fileName];
+        [[self.daemonConn remoteObjectProxy]
+            postRuleSyncNotificationWithCustomMessage:message reply:^{}];
+      }
     }
-    NSString *message = fileName ? [NSString stringWithFormat:@"%@ can now be run", fileName] : nil;
-    [[self.daemonConn remoteObjectProxy]
-        postRuleSyncNotificationWithCustomMessage:message reply:^{}];
   }
 
   return YES;

Source/santad/SNTDaemonControlController.m

@@ -143,7 +143,12 @@ double watchdogRAMPeak = 0;
 }
 
 - (void)setSyncLastSuccess:(NSDate *)date reply:(void (^)())reply {
-  [[SNTConfigurator configurator] setSyncLastSuccess:date];
+  [[SNTConfigurator configurator] setFullSyncLastSuccess:date];
+  reply();
+}
+
+- (void)setRuleSyncLastSuccess:(NSDate *)date reply:(void (^)())reply {
+  [[SNTConfigurator configurator] setRuleSyncLastSuccess:date];
   reply();
 }
 
@@ -184,10 +189,13 @@ double watchdogRAMPeak = 0;
 #pragma mark syncd Ops
 
 - (void)setSyncdListener:(NSXPCListenerEndpoint *)listener {
+  // Only allow one active syncd connection
+  if (self.syncdQueue.syncdConnection) return;
   SNTXPCConnection *c = [[SNTXPCConnection alloc] initClientWithListener:listener];
   c.remoteInterface = [SNTXPCSyncdInterface syncdInterface];
   c.invalidationHandler = ^{
     [self.syncdQueue stopSyncingEvents];
+    self.syncdQueue.syncdConnection = nil;
     self.syncdQueue.invalidationHandler();
   };
   c.acceptedHandler = ^{