Tests: Fix un-needed expectation in SNTExecutionControllerTest.allEventUpload (#857)

Ensure KVO works for USB config options.

.bazelrc

@@ -0,0 +1,5 @@
+build --apple_generate_dsym --define=apple.propagate_embedded_extra_outputs=yes
+
+build --copt=-Werror
+build --copt=-Wall
+build --copt=-Wno-error=deprecated-declarations

.bazelversion

@@ -0,0 +1 @@
+5.0.0

.clang-format

@@ -1,18 +1,18 @@
+Language: ObjC
 BasedOnStyle: Google
-Language: Cpp
-Standard: Cpp11
 
-# Disable ColumnLimit because it causes some very weird line breaks.
-# For ObjC the limit is 100
-# For Cpp  the limit is 80
-ColumnLimit: 0
+IndentWidth: 2
+ObjCBlockIndentWidth: 2
+ContinuationIndentWidth: 2
+
+# For ObjC, the line limit is 100
+ColumnLimit: 100
 
 # Allow short case statements to be on a single line
 AllowShortCaseLabelsOnASingleLine: true
 
-# Ban short loops and functions on a single line
 AllowShortLoopsOnASingleLine: false
-AllowShortFunctionsOnASingleLine: false
+AllowShortFunctionsOnASingleLine: Inline
 
 # Allow spaces in NSArray/NSDictionary literals @[ and @{
 SpacesInContainerLiterals: true
@@ -20,3 +20,13 @@ SpacesInContainerLiterals: true
 # For pointers, always put the * next to the variable name.
 DerivePointerAlignment: false
 PointerAlignment: Right
+
+
+---
+Language: Cpp
+Standard: Cpp11
+
+BasedOnStyle: Google
+
+# For C++, the line limit is 80
+ColumnLimit: 80

.github/workflows/check-markdown-links.yml

@@ -0,0 +1,13 @@
+name: Check Markdown links
+
+on: 
+  pull_request:
+    paths:
+      - "**.md"
+
+jobs:
+  markdown-link-check:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@master
+    - uses: gaurav-nelson/github-action-markdown-link-check@v1

.github/workflows/ci.yml

@@ -0,0 +1,63 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - '*'
+    paths:
+      - 'Source/**'
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'Source/**'
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Run linters
+        run: ./Testing/lint.sh
+
+  build_userspace:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [macos-10.15, macos-11, macos-12]
+    runs-on: ${{ matrix.os }}
+    steps:
+     - uses: actions/checkout@v2
+     - name: Build Userspace
+       run: bazel build --apple_generate_dsym -c opt :release --define=SANTA_BUILD_TYPE=adhoc
+
+  unit_tests:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [macos-10.15, macos-11, macos-12]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v2
+      - name: Run All Tests
+        run: bazel test :unit_tests --define=SANTA_BUILD_TYPE=adhoc --test_output=errors
+
+  test_coverage:
+    runs-on: macos-11
+    steps:
+      - uses: actions/checkout@v2
+      - name: Generate test coverage
+        run: sh ./generate_cov.sh
+      - name: Coveralls
+        uses: coverallsapp/github-action@master
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          path-to-lcov: ./bazel-out/_coverage/_coverage_report.dat
+          flag-name: Unit
+
+  benchmark:
+    runs-on: macos-11
+    steps:
+      - uses: actions/checkout@v2
+      - name: Run All Tests
+        run: ./Testing/benchmark.sh

.github/workflows/continuous.yml

@@ -0,0 +1,13 @@
+name: continuous
+on:
+  schedule:
+    - cron: '* 10 * * *' # Every day at 10:00 UTC
+  workflow_dispatch:  # Allows you to run this workflow manually from the Actions tab
+
+jobs:
+  preqs:
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Checks for flaky tests
+        run: bazel test --test_strategy=exclusive --test_output=errors --runs_per_test 50 -t- :unit_tests --define=SANTA_BUILD_TYPE=adhoc

.gitignore

@@ -1,8 +1,20 @@
 .DS_Store
-Build
-santa-*
+*.profraw
+*.provisionprofile
+bazel-*
 Pods
-Santa.xcodeproj/xcuserdata
-Santa.xcodeproj/project.xcworkspace
-Santa.xcworkspace/xcuserdata
-Santa.xcworkspace/xcshareddata
+Santa.xcodeproj/*
+Santa.xcworkspace/*
+CoverageData/*
+*.tulsiconf-user
+xcuserdata
+tulsigen-*
+*.crt
+*.key
+*.pem
+*.p12
+*.keychain
+*.swp
+compile_commands.json
+.cache/
+.vscode/*

.travis.yml

@@ -1,14 +0,0 @@
----
-language: objective-c
-cache:
-  - bundler
-  - cocoapods
-sudo: false
-osx_image: xcode7
-
-before_install:
- - gem install cocoapods xcpretty
- - pod setup >/dev/null
-
-script:
- - xcodebuild -workspace Santa.xcworkspace -scheme All -derivedDataPath build build test CODE_SIGN_IDENTITY='' | xcpretty -sc && exit ${PIPESTATUS[0]}

BUILD

@@ -0,0 +1,206 @@
+load("@build_bazel_rules_apple//apple:versioning.bzl", "apple_bundle_version")
+load("//:helper.bzl", "run_command")
+
+package(default_visibility = ["//:santa_package_group"])
+
+licenses(["notice"])
+
+exports_files(["LICENSE"])
+
+# The version label for mac_* rules.
+apple_bundle_version(
+    name = "version",
+    build_label_pattern = ".*santa_{release}\\.{build}",
+    build_version = "{release}.{build}",
+    capture_groups = {
+        "release": "\\d{4}\\.\\d+",
+        "build": "\\d+",
+    },
+    fallback_build_label = "santa_9999.1.1",
+    short_version_string = "{release}",
+)
+
+# Used to detect release builds
+config_setting(
+    name = "release_build",
+    values = {"define": "SANTA_BUILD_TYPE=release"},
+    visibility = [":santa_package_group"],
+)
+
+# Adhoc signed - provisioning profiles are not used.
+# Used for CI runs and dev builds when SIP is disabled.
+config_setting(
+    name = "adhoc_build",
+    values = {"define": "SANTA_BUILD_TYPE=adhoc"},
+    visibility = [":santa_package_group"],
+)
+
+# Used to detect optimized builds
+config_setting(
+    name = "opt_build",
+    values = {"compilation_mode": "opt"},
+)
+
+package_group(
+    name = "santa_package_group",
+    packages = ["//..."],
+)
+
+################################################################################
+# Loading/Unloading/Reloading
+################################################################################
+run_command(
+    name = "unload",
+    cmd = """
+sudo launchctl unload /Library/LaunchDaemons/com.google.santad.plist 2>/dev/null
+sudo launchctl unload /Library/LaunchDaemons/com.google.santa.bundleservice.plist 2>/dev/null
+sudo launchctl unload /Library/LaunchDaemons/com.google.santa.metricservice.plist 2>/dev/null
+sudo launchctl unload /Library/LaunchDaemons/com.google.santa.syncservice.plist 2>/dev/null
+launchctl unload /Library/LaunchAgents/com.google.santa.plist 2>/dev/null
+""",
+)
+
+run_command(
+    name = "load",
+    cmd = """
+sudo launchctl load /Library/LaunchDaemons/com.google.santad.plist
+sudo launchctl load /Library/LaunchDaemons/com.google.santa.bundleservice.plist
+sudo launchctl load /Library/LaunchDaemons/com.google.santa.metricservice.plist
+sudo launchctl load /Library/LaunchDaemons/com.google.santa.syncservice.plist
+launchctl load /Library/LaunchAgents/com.google.santa.plist
+""",
+)
+
+run_command(
+    name = "reload",
+    srcs = [
+        "//Source/santa:Santa",
+    ],
+    cmd = """
+set -e
+
+rm -rf /tmp/bazel_santa_reload
+unzip -d /tmp/bazel_santa_reload \
+    $${BUILD_WORKSPACE_DIRECTORY}/bazel-out/*$(COMPILATION_MODE)*/bin/Source/santa/Santa.zip >/dev/null
+echo "You may be asked for your password for sudo"
+sudo BINARIES=/tmp/bazel_santa_reload CONF=$${BUILD_WORKSPACE_DIRECTORY}/Conf \
+    $${BUILD_WORKSPACE_DIRECTORY}/Conf/install.sh
+rm -rf /tmp/bazel_santa_reload
+echo "Time to stop being naughty"
+""",
+)
+
+################################################################################
+# Release rules - used to create a release tarball
+################################################################################
+genrule(
+    name = "release",
+    srcs = [
+        "//Source/santa:Santa",
+        "Conf/install.sh",
+        "Conf/uninstall.sh",
+        "Conf/com.google.santa.bundleservice.plist",
+        "Conf/com.google.santa.metricservice.plist",
+        "Conf/com.google.santa.syncservice.plist",
+        "Conf/com.google.santad.plist",
+        "Conf/com.google.santa.plist",
+        "Conf/com.google.santa.newsyslog.conf",
+        "Conf/Package/Distribution.xml",
+        "Conf/Package/notarization_tool.sh",
+        "Conf/Package/package_and_sign.sh",
+        "Conf/Package/postinstall",
+        "Conf/Package/preinstall",
+    ],
+    outs = ["santa-release.tar.gz"],
+    cmd = select({
+        "//conditions:default": """
+        echo "ERROR: Trying to create a release tarball without optimization."
+        echo "Please add '-c opt' flag to bazel invocation"
+        """,
+        ":opt_build": """
+      # Extract Santa.zip
+      for SRC in $(SRCS); do
+        if [ "$$(basename $${SRC})" == "Santa.zip" ]; then
+          mkdir -p $(@D)/binaries
+          unzip -q $${SRC} -d $(@D)/binaries >/dev/null
+        fi
+      done
+
+      # Copy config files
+      for SRC in $(SRCS); do
+        if [[ "$$(dirname $${SRC})" == *"Conf"* ]]; then
+          mkdir -p $(@D)/conf
+          cp -H $${SRC} $(@D)/conf/
+        fi
+      done
+
+      # Gather together the dSYMs. Throw an error if no dSYMs were found
+      for SRC in $(SRCS); do
+        case $${SRC} in
+          *santad.dSYM*Info.plist)
+            mkdir -p $(@D)/dsym
+            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santad.dSYM
+            ;;
+          *santactl.dSYM*Info.plist)
+            mkdir -p $(@D)/dsym
+            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santactl.dSYM
+            ;;
+          *santabundleservice.dSYM*Info.plist)
+            mkdir -p $(@D)/dsym
+            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santabundleservice.dSYM
+            ;;
+          *santametricservice.dSYM*Info.plist)
+            mkdir -p $(@D)/dsym
+            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santametricservice.dSYM
+            ;;
+          *santasyncservice.dSYM*Info.plist)
+            mkdir -p $(@D)/dsym
+            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santasyncservice.dSYM
+            ;;
+          *Santa.app.dSYM*Info.plist)
+            mkdir -p $(@D)/dsym
+            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/Santa.app.dSYM
+            ;;
+          *com.google.santa.daemon.systemextension.dSYM*Info.plist)
+            mkdir -p $(@D)/dsym
+            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/com.google.santa.daemon.systemextension.dSYM
+            ;;
+        esac
+      done
+
+      # Cause a build failure if the dSYMs are missing.
+      if [[ ! -d "$(@D)/dsym" ]]; then
+        echo "dsym dir missing: Did you forget to use --apple_generate_dsym?"
+        echo "This flag is required for the 'release' target."
+        exit 1
+      fi
+
+      # Update all the timestamps to now. Bazel avoids timestamps to allow
+      # builds to be hermetic and cacheable but for releases we want the
+      # timestamps to be more-or-less correct.
+      find $(@D)/{binaries,conf,dsym} -exec touch {} \\;
+
+      # Create final output tar
+      tar -C $(@D) -czpf $(@) binaries dsym conf
+    """,
+    }),
+    heuristic_label_expansion = 0,
+)
+
+test_suite(
+    name = "unit_tests",
+    tests = [
+        "//Source/common:unit_tests",
+        "//Source/santactl:unit_tests",
+        "//Source/santad:unit_tests",
+        "//Source/santametricservice:unit_tests",
+        "//Source/santasyncservice:unit_tests",
+    ],
+)
+
+test_suite(
+    name = "benchmarks",
+    tests = [
+        "//Source/santad:SNTApplicationBenchmark",
+    ],
+)

CONTRIBUTING.md

@@ -1,37 +0,0 @@
-Want to contribute? Great! First, read this page (including the small print at the end).
-
-### Before you contribute
-Before we can use your code, you must sign the
-[Google Individual Contributor License Agreement](https://developers.google.com/open-source/cla/individual)
-(CLA), which you can do online. The CLA is necessary mainly because you own the
-copyright to your changes, even after your contribution becomes part of our
-codebase, so we need your permission to use and distribute your code. We also
-need to be sure of various other things—for instance that you'll tell us if you
-know that your code infringes on other people's patents. You don't have to sign
-the CLA until after you've submitted your code for review and a member has
-approved it, but you must do it before we can put your code into our codebase.
-
-Before you start working on a larger contribution, you should get in touch with
-us first through the [issue tracker](https://github.com/google/santa/issues)
-with your idea so that we can help out and possibly guide you. Coordinating up 
-front makes it much easier to avoid frustration later on.
-
-### Code reviews
-All submissions, including submissions by project members, require review. We
-use GitHub pull requests for this purpose. It's also a good idea to run the
-tests beforehand, which you can do with the following commands:
-
-```sh
-rake tests:logic
-rake tests:kernel  # only necessary if you're changing the kext code
-```
-### Code Style
-
-All code submissions should try to match the surrounding code.  Wherever possible,
-code should adhere to either the
-[Google Objective-C Style Guide](https://google.github.io/styleguide/objcguide.xml)
-or the [Google C++ Style Guide](https://google.github.io/styleguide/cppguide.html).
-
-### The small print
-Contributions made by corporations are covered by a different agreement than
-the one above, the [Software Grant and Corporate Contributor License Agreement](https://developers.google.com/open-source/cla/corporate).

CONTRIBUTING.md

@@ -0,0 +1 @@
+docs/development/contributing.md

Conf/Package/Distribution.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<installer-gui-script minSpecVersion="1">
+<title>Santa</title>
+<options customize="never" allow-external-scripts="no" hostArchitectures="x86_64,arm64" />
+
+<choices-outline>
+	<line choice="default" />
+</choices-outline>
+
+<choice id="default">
+    <pkg-ref id="com.google.santa"/>
+</choice>
+
+<pkg-ref id="com.google.santa">app.pkg</pkg-ref>
+
+</installer-gui-script>

Conf/Package/Makefile

@@ -1,85 +0,0 @@
-#
-#  Package Makefile for Santa
-#  Requires TheLuggage (github.com/unixorn/luggage) to be installed
-#
-#  Will generate a package based on the latest release. You can replace
-#  the PACKAGE_VERSION variable with a specific variable instead if you wish.
-#
-
-LUGGAGE:=/usr/local/share/luggage/luggage.make
-include ${LUGGAGE}
-
-TITLE:=santa
-REVERSE_DOMAIN:=com.google
-
-# Get latest Release version using the GitHub API. Each release is bound to a
-# git tag, which should always be a semantic version number. The most recent
-# release is always first in the API result.
-PACKAGE_VERSION:=$(shell curl -fs https://api.github.com/repos/google/santa/releases |\
-	python -c 'import json, sys; print json.load(sys.stdin)[0]["tag_name"]' 2>/dev/null)
-
-# Get the download URL for the latest Release. Each release should have a
-# tarball named santa-$version.tar.bz2 containing all of the files associated
-# with that release. The tarball layout is:
-#
-#   santa-$version.tar.bz2
-#   +--santa-$version
-#         |-- binaries
-#         |    |-- santa-driver.kext
-#         |    |-- Santa.app
-#         |-- conf
-#         |    |-- install.sh
-#         |    |-- com.google.santad.plist
-#         |    |-- com.google.santagui.plist
-#         |    +-- com.google.santa.asl.conf
-#         +--dsym
-#              |-- santa-driver.kext.dSYM
-#              |-- Santa.app.dSYM
-#              |-- santad.dSYM
-#              +-- santactl.dSYM
-PACKAGE_DOWNLOAD_URL:="https://github.com/google/santa/releases/download/${PACKAGE_VERSION}/santa-${PACKAGE_VERSION}.tar.bz2"
-
-PAYLOAD:=pack-Library-Extensions-santa-driver.kext \
-	pack-applications-Santa.app \
-	pack-Library-LaunchDaemons-com.google.santad.plist \
-	pack-Library-LaunchAgents-com.google.santagui.plist \
-	pack-etc-asl-com.google.santa.asl.conf \
-	pack-script-preinstall \
-	pack-script-postinstall
-
-santa-driver.kext: download
-Santa.app: download
-com.google.santad.plist: download
-com.google.santagui.plist: download
-com.google.santa.asl.conf: download
-
-download:
-	$(if $(PACKAGE_VERSION),, $(error GitHub API returned unexpected result. Wait a while and try again))
-
-	@curl -fL ${PACKAGE_DOWNLOAD_URL} | tar xvj --strip=2
-	@rm -rf *.dSYM
-
-pack-etc-asl-com.google.santa.asl.conf: com.google.santa.asl.conf l_private_etc
-	@sudo mkdir -p ${WORK_D}/private/etc/asl
-	@sudo chown root:wheel ${WORK_D}/private/etc/asl
-	@sudo chmod 755 ${WORK_D}/private/etc/asl
-	@sudo install -m 644 -o root -g wheel com.google.santa.asl.conf ${WORK_D}/private/etc/asl
-
-pack-Library-Extensions-santa-driver.kext: santa-driver.kext l_Library
-	@sudo mkdir -p ${WORK_D}/Library/Extensions
-	@sudo ${DITTO} --noqtn santa-driver.kext ${WORK_D}/Library/Extensions/santa-driver.kext
-	@sudo chown -R root:wheel ${WORK_D}/Library/Extensions/santa-driver.kext
-	@sudo chmod -R 755 ${WORK_D}/Library/Extensions/santa-driver.kext
-
-clean: myclean
-
-myclean:
-	@rm -rf *.dSYM
-	@rm -rf Santa.app
-	@rm -rf santa-driver.kext
-	@rm -f config.plist
-	@rm -f com.google.santa.asl.conf
-	@rm -f com.google.santad.plist
-	@rm -f com.google.santagui.plist
-	@rm -f install.sh
-	@rm -f uninstall.sh

Conf/Package/notarization_tool.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# Example NOTARIZATION_TOOL wrapper.
+
+/usr/bin/xcrun altool --notarize-app "${2}" --primary-bundle-id "${4}" \
+  -u "${NOTARIZATION_USERNAME}" -p "${NOTARIZATION_PASSWORD}"

Conf/Package/package_and_sign.sh

@@ -0,0 +1,185 @@
+#!/bin/bash
+
+# This script signs all of Santa's components, verifies the signatures,
+# notarizes all of the components, staples them, packages them up, signs the
+# package, notarizes the package, puts the package in a DMG and notarizes the
+# DMG. It also outputs a single release tarball.
+# All of the following environment variables are required.
+
+# RELEASE_ROOT is a required environment variable that points to the root
+# of an extracted release tarball produced with the :release and :release_driver
+# rules in Santa's main BUILD file.
+[[ -n "${RELEASE_ROOT}" ]] || die "RELEASE_ROOT unset"
+
+# SIGNING_IDENTITY, SIGNING_TEAMID and SIGNING_KEYCHAIN are required environment
+# variables specifying the identity and keychain to pass to the codesign tool
+# and the team ID to use for verification.
+[[ -n "${SIGNING_IDENTITY}" ]] || die "SIGNING_IDENTITY unset"
+[[ -n "${SIGNING_TEAMID}" ]] || die "SIGNING_TEAMID unset"
+[[ -n "${SIGNING_KEYCHAIN}" ]] || die "SIGNING_KEYCHAIN unset"
+
+# INSTALLER_SIGNING_IDENTITY and INSTALLER_SIGNING_KEYCHAIN are required
+# environment variables specifying the identity and keychain to use when signing
+# the distribution package.
+[[ -n "${INSTALLER_SIGNING_IDENTITY}" ]] || die "INSTALLER_SIGNING_IDENTITY unset"
+[[ -n "${INSTALLER_SIGNING_KEYCHAIN}" ]] || die "INSTALLER_SIGNING_KEYCHAIN unset"
+
+# NOTARIZATION_TOOL is a required environment variable pointing to a wrapper
+# tool around the tool to use for notarization. The tool must take 2 flags:
+#    --file
+#        - pointing at a zip file containing the artifact to notarize
+#    --primary-bundle-id
+#        - specifying the CFBundleID of the artifact being notarized
+[[ -n "${NOTARIZATION_TOOL}" ]] || die "NOTARIZATION_TOOL unset"
+
+# ARTIFACTS_DIR is a required environment variable pointing at a directory to
+# place the output artifacts in.
+[[ -n "${ARTIFACTS_DIR}" ]] || die "ARTIFACTS_DIR unset"
+
+################################################################################
+
+function die {
+  echo "${@}"
+  exit 2
+}
+
+readonly INPUT_APP="${RELEASE_ROOT}/binaries/Santa.app"
+readonly INPUT_SYSX="${INPUT_APP}/Contents/Library/SystemExtensions/com.google.santa.daemon.systemextension"
+readonly INPUT_SANTACTL="${INPUT_APP}/Contents/MacOS/santactl"
+readonly INPUT_SANTABS="${INPUT_APP}/Contents/MacOS/santabundleservice"
+readonly INPUT_SANTAMS="${INPUT_APP}/Contents/MacOS/santametricservice"
+readonly INPUT_SANTASS="${INPUT_APP}/Contents/MacOS/santasyncservice"
+
+readonly RELEASE_NAME="santa-$(/usr/bin/defaults read "${INPUT_APP}/Contents/Info.plist" CFBundleShortVersionString)"
+
+readonly SCRATCH=$(/usr/bin/mktemp -d "${TMPDIR}/santa-"XXXXXX)
+readonly APP_PKG_ROOT="${SCRATCH}/app_pkg_root"
+readonly APP_PKG_SCRIPTS="${SCRATCH}/pkg_scripts"
+readonly ENTITLEMENTS="${SCRATCH}/entitlements"
+
+readonly SCRIPT_PATH="$(/usr/bin/dirname -- ${BASH_SOURCE[0]})"
+
+/bin/mkdir -p "${APP_PKG_ROOT}" "${APP_PKG_SCRIPTS}" "${ENTITLEMENTS}"
+
+readonly DMG_PATH="${ARTIFACTS_DIR}/${RELEASE_NAME}.dmg"
+readonly TAR_PATH="${ARTIFACTS_DIR}/${RELEASE_NAME}.tar.gz"
+
+# Sign all of binaries/bundles. Maintain inside-out ordering where necessary
+for ARTIFACT in "${INPUT_SANTACTL}" "${INPUT_SANTABS}" "${INPUT_SANTAMS}" "${INPUT_SANTASS}" "${INPUT_SYSX}" "${INPUT_APP}"; do
+  BN=$(/usr/bin/basename "${ARTIFACT}")
+  EN="${ENTITLEMENTS}/${BN}.entitlements"
+
+  echo "extracting ${BN} entitlements"
+  /usr/bin/codesign -d --entitlements "${EN}" "${ARTIFACT}"
+  if [[ -s "${EN}" ]]; then
+    EN="--entitlements ${EN}"
+  else
+    EN=""
+  fi
+
+  echo "codesigning ${BN}"
+  /usr/bin/codesign --sign "${SIGNING_IDENTITY}" --keychain "${SIGNING_KEYCHAIN}" \
+        ${EN} --timestamp --force --generate-entitlement-der \
+        --options library,kill,runtime "${ARTIFACT}"
+done
+
+# Notarize all the bundles
+for ARTIFACT in "${INPUT_SYSX}" "${INPUT_APP}"; do
+  BN=$(/usr/bin/basename "${ARTIFACT}")
+
+  echo "zipping ${BN}"
+  /usr/bin/zip -9r "${SCRATCH}/${BN}.zip" "${ARTIFACT}"
+
+  echo "notarizing ${BN}"
+  PBID=$(/usr/bin/defaults read "${ARTIFACT}/Contents/Info.plist" CFBundleIdentifier)
+  "${NOTARIZATION_TOOL}" --file "${SCRATCH}/${BN}.zip" --primary-bundle-id "${PBID}"
+done
+
+# Staple the App.
+for ARTIFACT in "${INPUT_APP}"; do
+  BN=$(/usr/bin/basename "${ARTIFACT}")
+
+  echo "stapling ${BN}"
+  /usr/bin/xcrun stapler staple "${ARTIFACT}"
+done
+
+# Ensure _CodeSignature/CodeResources files have 0644 permissions so they can
+# be verified without using sudo.
+/usr/bin/find "${RELEASE_ROOT}/binaries" -type f -name CodeResources -exec chmod 0644 {} \;
+/usr/bin/find "${RELEASE_ROOT}/binaries" -type d -exec chmod 0755 {} \;
+/usr/bin/find "${RELEASE_ROOT}/conf" -type f -name "com.google.santa*" -exec chmod 0644 {} \;
+
+echo "verifying signatures"
+/usr/bin/codesign -vv -R="certificate leaf[subject.OU] = ${SIGNING_TEAMID}" \
+  "${RELEASE_ROOT}/binaries/"* || die "bad signature"
+
+echo "creating fresh release tarball"
+/bin/mkdir -p "${SCRATCH}/tar_root/${RELEASE_NAME}"
+/bin/cp -r "${RELEASE_ROOT}/binaries" "${SCRATCH}/tar_root/${RELEASE_NAME}"
+/bin/cp -r "${RELEASE_ROOT}/conf" "${SCRATCH}/tar_root/${RELEASE_NAME}"
+/bin/cp -r "${RELEASE_ROOT}/dsym" "${SCRATCH}/tar_root/${RELEASE_NAME}"
+/usr/bin/tar -C "${SCRATCH}/tar_root" -czvf "${TAR_PATH}" "${RELEASE_NAME}" || die "failed to create release tarball"
+
+echo "creating app pkg"
+/bin/mkdir -p "${APP_PKG_ROOT}/Applications" \
+  "${APP_PKG_ROOT}/Library/LaunchAgents" \
+  "${APP_PKG_ROOT}/Library/LaunchDaemons" \
+  "${APP_PKG_ROOT}/private/etc/asl" \
+  "${APP_PKG_ROOT}/private/etc/newsyslog.d"
+/bin/cp -vXR "${RELEASE_ROOT}/binaries/Santa.app" "${APP_PKG_ROOT}/Applications/"
+/bin/cp -vX "${RELEASE_ROOT}/conf/com.google.santad.plist" "${APP_PKG_ROOT}/Library/LaunchDaemons/"
+/bin/cp -vX "${RELEASE_ROOT}/conf/com.google.santa.plist" "${APP_PKG_ROOT}/Library/LaunchAgents/"
+/bin/cp -vX "${RELEASE_ROOT}/conf/com.google.santa.bundleservice.plist" "${APP_PKG_ROOT}/Library/LaunchDaemons/"
+/bin/cp -vX "${RELEASE_ROOT}/conf/com.google.santa.metricservice.plist" "${APP_PKG_ROOT}/Library/LaunchDaemons/"
+/bin/cp -vX "${RELEASE_ROOT}/conf/com.google.santa.syncservice.plist" "${APP_PKG_ROOT}/Library/LaunchDaemons/"
+/bin/cp -vX "${RELEASE_ROOT}/conf/com.google.santa.asl.conf" "${APP_PKG_ROOT}/private/etc/asl/"
+/bin/cp -vX "${RELEASE_ROOT}/conf/com.google.santa.newsyslog.conf" "${APP_PKG_ROOT}/private/etc/newsyslog.d/"
+/bin/cp -vXL "${SCRIPT_PATH}/preinstall" "${APP_PKG_SCRIPTS}/"
+/bin/cp -vXL "${SCRIPT_PATH}/postinstall" "${APP_PKG_SCRIPTS}/"
+/bin/chmod +x "${APP_PKG_SCRIPTS}/"*
+
+# Disable bundle relocation.
+/usr/bin/pkgbuild --analyze --root "${APP_PKG_ROOT}" "${SCRATCH}/component.plist"
+/usr/bin/plutil -replace BundleIsRelocatable -bool NO "${SCRATCH}/component.plist"
+/usr/bin/plutil -replace BundleIsVersionChecked -bool NO "${SCRATCH}/component.plist"
+/usr/bin/plutil -replace BundleOverwriteAction -string upgrade "${SCRATCH}/component.plist"
+/usr/bin/plutil -replace ChildBundles -json "[]" "${SCRATCH}/component.plist"
+
+# Build app package
+/usr/bin/pkgbuild --identifier "com.google.santa" \
+  --version "$(echo "${RELEASE_NAME}" | cut -d - -f2)" \
+  --root "${APP_PKG_ROOT}" \
+  --component-plist "${SCRATCH}/component.plist" \
+  --scripts "${APP_PKG_SCRIPTS}" \
+  "${SCRATCH}/app.pkg"
+
+# Build signed distribution package
+echo "productbuild pkg"
+/bin/mkdir -p "${SCRATCH}/${RELEASE_NAME}"
+/usr/bin/productbuild \
+  --distribution "${SCRIPT_PATH}/Distribution.xml" \
+  --package-path "${SCRATCH}" \
+  --sign "${INSTALLER_SIGNING_IDENTITY}" --keychain "${INSTALLER_SIGNING_KEYCHAIN}" \
+  "${SCRATCH}/${RELEASE_NAME}/${RELEASE_NAME}.pkg"
+
+echo "verifying pkg signature"
+/usr/sbin/pkgutil --check-signature "${SCRATCH}/${RELEASE_NAME}/${RELEASE_NAME}.pkg" || die "bad pkg signature"
+
+echo "notarizing pkg"
+"${NOTARIZATION_TOOL}" --file "${SCRATCH}/${RELEASE_NAME}/${RELEASE_NAME}.pkg" \
+    --primary-bundle-id "com.google.santa"
+
+echo "stapling pkg"
+/usr/bin/xcrun stapler staple "${SCRATCH}/${RELEASE_NAME}/${RELEASE_NAME}.pkg" || die "failed to staple pkg"
+
+echo "wrapping pkg in dmg"
+/usr/bin/hdiutil create -fs HFS+ -format UDZO \
+    -volname "${RELEASE_NAME}" \
+    -ov -imagekey zlib-level=9 \
+    -srcfolder "${SCRATCH}/${RELEASE_NAME}/" "${DMG_PATH}" || die "failed to wrap pkg in dmg"
+
+echo "notarizing dmg"
+"${NOTARIZATION_TOOL}" --file "${DMG_PATH}" --primary-bundle-id "com.google.santa"
+
+echo "stapling dmg"
+/usr/bin/xcrun stapler staple "${DMG_PATH}" || die "failed to staple dmg"

Conf/Package/postinstall

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Load the kernel extension, santad, sync client
+# Load com.google.santa.daemon and com.google.santa.bundleservice
 # If a user is logged in, also load the GUI agent.
 # If the target volume is not /, do nothing
 
@@ -9,20 +9,28 @@
 # Restart syslogd to pick up ASL configuration change
 /usr/bin/killall -HUP syslogd
 
-/sbin/kextload /Library/Extensions/santa-driver.kext
-
-sleep 1
-
-/bin/launchctl load -w /Library/LaunchDaemons/com.google.santad.plist
-
-sleep 1
-
 # Create hopefully useful symlink for santactl
 mkdir -p /usr/local/bin
-/bin/ln -sf /Library/Extensions/santa-driver.kext/Contents/MacOS/santactl /usr/local/bin/santactl
+/bin/ln -sf /Applications/Santa.app/Contents/MacOS/santactl /usr/local/bin/santactl
 
-user=$(/usr/bin/stat -f '%u' /dev/console)
-[[ -z "$user" ]] && exit 0
-/bin/launchctl asuser ${user} /bin/launchctl load /Library/LaunchAgents/com.google.santagui.plist
+# Remove the kext before com.google.santa.daemon loads if the SystemExtension is already present.
+/bin/launchctl list EQHXZ8M8AV.com.google.santa.daemon > /dev/null 2>&1 && rm -rf /Library/Extensions/santa-driver.kext
 
+# Load com.google.santa.daemon, its main has logic to handle loading the kext
+# or relaunching itself as a SystemExtension.
+/bin/launchctl load -w /Library/LaunchDaemons/com.google.santad.plist
+
+# Load com.google.santa.bundleservice
+/bin/launchctl load -w /Library/LaunchDaemons/com.google.santa.bundleservice.plist
+
+# Load com.google.santa.metricservice
+/bin/launchctl load -w /Library/LaunchDaemons/com.google.santa.metricservice.plist
+
+# Load com.google.santa.syncservice
+/bin/launchctl load -w /Library/LaunchDaemons/com.google.santa.syncservice.plist
+
+GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
+[[ -z "${GUI_USER}" ]] && exit 0
+
+/bin/launchctl asuser "${GUI_USER}" /bin/launchctl load /Library/LaunchAgents/com.google.santa.plist
 exit 0

Conf/Package/preinstall

@@ -6,21 +6,28 @@
 
 [[ $3 != "/" ]] && exit 0
 
-/bin/launchctl remove com.google.santad
+/bin/launchctl remove com.google.santad || true
+/bin/launchctl remove com.google.santa.bundleservice || true
+/bin/launchctl remove com.google.santa.metricservice || true
+/bin/launchctl remove com.google.santa.syncservice || true
 
-sleep 1
+/bin/sleep 1
 
-/sbin/kextunload -b com.google.santa-driver >/dev/null 2>&1
+/sbin/kextunload -b com.google.santa-driver >/dev/null 2>&1 || true
 
 # Remove cruft from old Santa versions
-/bin/rm /usr/libexec/santad
-/bin/rm /usr/sbin/santactl
+/bin/rm -f /usr/libexec/santad
+/bin/rm -f /usr/sbin/santactl
 /bin/launchctl remove com.google.santasync
-/bin/rm /Library/LaunchDaemons/com.google.santasync.plist
+/bin/rm -f /Library/LaunchDaemons/com.google.santasync.plist
+/bin/rm -rf /Applications/Santa.app
+/bin/rm -rf /Library/Extensions/santa-driver.kext
 
-sleep 1
+/bin/sleep 1
 
-user=$(/usr/bin/stat -f '%u' /dev/console)
-[[ -n "$user" ]] && /bin/launchctl asuser ${user} /bin/launchctl remove com.google.santagui
+GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
+[[ -z "${GUI_USER}" ]] && exit 0
 
+/bin/launchctl asuser "${GUI_USER}" /bin/launchctl remove com.google.santagui
+/bin/launchctl asuser "${GUI_USER}" /bin/launchctl remove com.google.santa
 exit 0

Conf/com.google.santa.asl.conf

@@ -1,6 +0,0 @@
-# Copy this file to /etc/asl to log all messages from santa-driver to the log file
-> /var/log/santa.log format="[$((Time)(ISO8601Z.3))] $Message" mode=0644 rotate=seq compress file_max=25M all_max=100M uid=0 gid=0
-? [= Sender kernel] [S= Message santa-driver:] claim
-? [= Sender kernel] [S= Message santa-driver:] file /var/log/santa.log
-? [= Facility com.google.santa] claim
-? [= Facility com.google.santa] file /var/log/santa.log

Conf/com.google.santa.bundleservice.plist

@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Label</key>
+	<string>com.google.santa.bundleservice</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>/Applications/Santa.app/Contents/MacOS/santabundleservice</string>
+		<string>--syslog</string>
+	</array>
+	<key>MachServices</key>
+	<dict>
+		<key>com.google.santa.bundleservice</key>
+		<true/>
+	</dict>
+	<key>RunAtLoad</key>
+	<false/>
+	<key>KeepAlive</key>
+	<false/>
+	<key>ProcessType</key>
+	<string>Interactive</string>
+	<key>ThrottleInterval</key>
+	<integer>0</integer>
+</dict>
+</plist>

Conf/com.google.santa.metricservice.plist

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Label</key>
+	<string>com.google.santa.metricservice</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>/Applications/Santa.app/Contents/MacOS/santametricservice</string>
+		<string>--syslog</string>
+	</array>
+	<key>MachServices</key>
+	<dict>
+		<key>com.google.santa.metricservice</key>
+		<true/>
+	</dict>
+	<key>RunAtLoad</key>
+	<true/>
+	<key>KeepAlive</key>
+	<true/>
+</dict>
+</plist>

Conf/com.google.santa.newsyslog.conf

@@ -0,0 +1,2 @@
+# logfilename             [owner:group]       mode   count size(KiB) when   flags [/pid_file] # [sig_num]
+/var/db/santa/santa.log   root:wheel          644    10    25000     *      Z

Conf/com.google.santa.plist

@@ -3,7 +3,7 @@
 <plist version="1.0">
 <dict>
 				<key>Label</key>
-				<string>com.google.santagui</string>
+				<string>com.google.santa</string>
 				<key>ProgramArguments</key>
 				<array>
 					<string>/Applications/Santa.app/Contents/MacOS/Santa</string>

Conf/com.google.santa.syncservice.plist

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Label</key>
+	<string>com.google.santa.syncservice</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>/Applications/Santa.app/Contents/MacOS/santasyncservice</string>
+		<string>--syslog</string>
+	</array>
+	<key>MachServices</key>
+	<dict>
+		<key>com.google.santa.syncservice</key>
+		<true/>
+	</dict>
+	<key>RunAtLoad</key>
+	<false/>
+	<key>KeepAlive</key>
+	<false/>
+</dict>
+</plist>

Conf/com.google.santad.plist

@@ -1,26 +1,24 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-				<key>Label</key>
-				<string>com.google.santad</string>
-				<key>ProgramArguments</key>
-				<array>
-					<string>/Library/Extensions/santa-driver.kext/Contents/MacOS/santad</string>
-					<string>--syslog</string>
-				</array>
-				<key>MachServices</key>
-				<dict>
-					<key>SantaXPCControl</key>
-					<true/>
-				</dict>
-				<key>RunAtLoad</key>
-				<true/>
-				<key>KeepAlive</key>
-				<true />
-				<key>ProcessType</key>
-				<string>Interactive</string>
-				<key>ThrottleInterval</key>
-				<integer>1</integer>
+	<key>Label</key>
+	<string>com.google.santad</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>/Applications/Santa.app/Contents/Library/SystemExtensions/com.google.santa.daemon.systemextension/Contents/MacOS/com.google.santa.daemon</string>
+		<string>--syslog</string>
+	</array>
+	<key>MachServices</key>
+	<dict>
+		<key>com.google.santa.daemon</key>
+		<true/>
+	</dict>
+	<key>RunAtLoad</key>
+	<true/>
+	<key>KeepAlive</key>
+	<true/>
+	<key>ProcessType</key>
+	<string>Interactive</string>
 </dict>
 </plist>

Conf/config.plist

@@ -1,12 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-	<!-- Minimal Configuration -->
-	<key>ClientMode</key>
-	<integer>1</integer>
-
-	<!--  For documentation of other keys, see the following URL:
-  			https://github.com/google/santa/wiki/Configuration-Keys  -->
-</dict>
-</plist>

Conf/install.sh

@@ -5,55 +5,84 @@ if [[ $EUID -ne 0 ]]; then
   exit 1
 fi
 
-if [[ -d "binaries" ]]; then
-  SOURCE="."
-elif [[ -d "../binaries" ]]; then
-  SOURCE=".."
-else
-  echo "Can't find binaries, run install.sh from inside the conf directory" 1>&2
-  exit 1
+if [[ -z "${BINARIES}" || -z "${CONF}" ]]; then
+  if [[ -d "binaries" ]]; then
+    BINARIES="${PWD}/binaries"
+    CONF="${PWD}/conf"
+  elif [[ -d "../binaries" ]]; then
+    BINARIES="${PWD}/../binaries"
+    CONF="${PWD}/../conf"
+  else
+    echo "Can't find binaries, run install.sh from inside the conf directory" 1>&2
+    exit 1
+  fi
 fi
 
-# Determine if anyone is logged into the GUI
-GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
-
 # Unload santad and scheduled sync job.
 /bin/launchctl remove com.google.santad >/dev/null 2>&1
 
+# Unload bundle service
+/bin/launchctl remove com.google.santa.bundleservice >/dev/null 2>&1
+
+# Unload metric service
+/bin/launchctl remove com.google.santa.metricservice >/dev/null 2>&1
+
+# Unload sync service
+/bin/launchctl remove com.google.santa.syncservice >/dev/null 2>&1
+
 # Unload kext.
 /sbin/kextunload -b com.google.santa-driver >/dev/null 2>&1
 
+# Determine if anyone is logged into the GUI
+GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
+
 # Unload GUI agent if someone is logged in.
+[[ -n "${GUI_USER}" ]] && \
+  /bin/launchctl asuser "${GUI_USER}" /bin/launchctl remove com.google.santagui
 [[ -n "$GUI_USER" ]] && \
-  /bin/launchctl asuser ${GUI_USER} /bin/launchctl remove /Library/LaunchAgents/com.google.santagui.plist
+  /bin/launchctl asuser "${GUI_USER}" /bin/launchctl remove com.google.santa
 
 # Cleanup cruft from old versions
 /bin/launchctl remove com.google.santasync >/dev/null 2>&1
 /bin/rm /Library/LaunchDaemons/com.google.santasync.plist >/dev/null 2>&1
 /bin/rm /usr/libexec/santad >/dev/null 2>&1
 /bin/rm /usr/sbin/santactl >/dev/null 2>&1
+/bin/rm -rf /Applications/Santa.app 2>&1
+/bin/rm -rf /Library/Extensions/santa-driver.kext 2>&1
+/bin/rm /etc/asl/com.google.santa.asl.conf
 
 # Copy new files.
-/bin/cp -r ${SOURCE}/binaries/santa-driver.kext /Library/Extensions
-/bin/cp -r ${SOURCE}/binaries/Santa.app /Applications
-mkdir -p /usr/local/bin
-/bin/ln -s /Library/Extensions/santa-driver.kext/Contents/MacOS/santactl /usr/local/bin
+/bin/mkdir -p /var/db/santa
 
-/bin/cp ${SOURCE}/conf/com.google.santad.plist /Library/LaunchDaemons
-/bin/cp ${SOURCE}/conf/com.google.santagui.plist /Library/LaunchAgents
-/bin/cp ${SOURCE}/conf/com.google.santa.asl.conf /etc/asl/
+/bin/cp -r ${BINARIES}/Santa.app /Applications
+
+/bin/mkdir -p /usr/local/bin
+/bin/ln -s /Applications/Santa.app/Contents/MacOS/santactl /usr/local/bin 2>/dev/null
+
+/bin/cp ${CONF}/com.google.santa.plist /Library/LaunchAgents
+/bin/cp ${CONF}/com.google.santa.bundleservice.plist /Library/LaunchDaemons
+/bin/cp ${CONF}/com.google.santa.metricservice.plist /Library/LaunchDaemons
+/bin/cp ${CONF}/com.google.santa.syncservice.plist /Library/LaunchDaemons
+/bin/cp ${CONF}/com.google.santad.plist /Library/LaunchDaemons
+/bin/cp ${CONF}/com.google.santa.newsyslog.conf /etc/newsyslog.d/
 
 # Reload syslogd to pick up ASL configuration change.
 /usr/bin/killall -HUP syslogd
 
-# Load kext.
-/sbin/kextload /Library/Extensions/santa-driver.kext
-
-# Load santad and scheduled sync jobs.
+# Load com.google.santa.daemon
 /bin/launchctl load /Library/LaunchDaemons/com.google.santad.plist
 
-# Load GUI agent if someone is logged in.
-[[ -n "$GUI_USER" ]] && \
-  /bin/launchctl asuser ${GUI_USER} /bin/launchctl load /Library/LaunchAgents/com.google.santagui.plist
+# Load com.google.santa.bundleservice
+/bin/launchctl load /Library/LaunchDaemons/com.google.santa.bundleservice.plist
 
+# Load com.google.santa.metricservice
+/bin/launchctl load /Library/LaunchDaemons/com.google.santa.metricservice.plist
+
+# Load com.google.santa.syncservice
+/bin/launchctl load /Library/LaunchDaemons/com.google.santa.syncservice.plist
+
+# Load GUI agent if someone is logged in.
+[[ -z "${GUI_USER}" ]] && exit 0
+
+/bin/launchctl asuser "${GUI_USER}" /bin/launchctl load -w /Library/LaunchAgents/com.google.santa.plist
 exit 0

Conf/uninstall.sh

@@ -6,20 +6,34 @@
 
 [ "$EUID" != 0 ] && printf "%s\n" "This requires running as root/sudo." && exit 1
 
+# For macOS 10.15+ this will block up to 60 seconds
+/bin/launchctl list EQHXZ8M8AV.com.google.santa.daemon > /dev/null 2>&1 && /Applications/Santa.app/Contents/MacOS/Santa --unload-system-extension
+
 /bin/launchctl remove com.google.santad
+# remove helper XPC services
+/bin/launchctl remove com.google.santa.bundleservice
+/bin/launchctl remove com.google.santa.metricservice
+/bin/launchctl remove com.google.santa.syncservice
 sleep 1
 /sbin/kextunload -b com.google.santa-driver >/dev/null 2>&1
 user=$(/usr/bin/stat -f '%u' /dev/console)
 [[ -n "$user" ]] && /bin/launchctl asuser ${user} /bin/launchctl remove com.google.santagui
+[[ -n "$user" ]] && /bin/launchctl asuser ${user} /bin/launchctl remove com.google.santa
 # and to clean out the log config, although it won't write after wiping the binary
 /usr/bin/killall -HUP syslogd
 # delete artifacts on-disk
 /bin/rm -rf /Applications/Santa.app
 /bin/rm -rf /Library/Extensions/santa-driver.kext
 /bin/rm -f /Library/LaunchAgents/com.google.santagui.plist
+/bin/rm -f /Library/LaunchAgents/com.google.santa.plist
 /bin/rm -f /Library/LaunchDaemons/com.google.santad.plist
+/bin/rm -f /Library/LaunchDaemons/com.google.santa.bundleservice.plist
+/bin/rm -f /Library/LaunchDaemons/com.google.santa.metricservice.plist
+/bin/rm -f /Library/LaunchDaemons/com.google.santa.syncservice.plist
 /bin/rm -f /private/etc/asl/com.google.santa.asl.conf
+/bin/rm -f /private/etc/newsyslog.d/com.google.santa.newsyslog.conf
 /bin/rm -f /usr/local/bin/santactl # just a symlink
+
 #uncomment to remove the config file and all databases, log files
 #/bin/rm -rf /var/db/santa
 #/bin/rm -f /var/log/santa*

Fuzzing/libFuzzer/.gitignore

@@ -0,0 +1,4 @@
+bin
+llvm-*.src
+llvm-*.src.tar.xz
+

Fuzzing/libFuzzer/build.sh

@@ -0,0 +1,109 @@
+#!/usr/bin/env bash
+
+LLVM_VERSION='5.0.1'
+LLVM_COMPILERRT_TARBALL_NAME="llvm-${LLVM_VERSION}.src.tar.xz"
+LLVM_COMPILERRT_SRC_FOLDER_NAME=`echo "${LLVM_COMPILERRT_TARBALL_NAME}" | cut -d '.' -f 1-4`
+LLVM_COMPILERRT_TARBALL_URL="http://releases.llvm.org/${LLVM_VERSION}/${LLVM_COMPILERRT_TARBALL_NAME}"
+
+LIBFUZZER_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+LOG_FILE=`mktemp`
+
+main() {
+  echo "libFuzzer build script"
+
+  echo " > Checking dependencies..."
+  checkDependencies || return 1
+
+  echo " > Entering libFuzzer folder..."
+  cd "${LIBFUZZER_FOLDER}" > /dev/null 2>&1
+  if [ $? -ne 0 ] ; then
+    echo "Failed to enter the libFuzzer folder: ${LIBFUZZER_FOLDER}"
+    return 1
+  fi
+
+  if [ ! -f "${LLVM_COMPILERRT_TARBALL_NAME}" ] ; then
+    echo " > Downloading the LLVM tarball..."
+    curl "${LLVM_COMPILERRT_TARBALL_URL}" -o "${LLVM_COMPILERRT_TARBALL_NAME}" > "${LOG_FILE}" 2>&1
+    if [ $? -ne 0 ] ; then
+      dumpLogFile "Failed to download the LLVM tarball"
+      return 1
+    fi
+  else
+    echo " > An existing LLVM tarball was found"
+  fi
+
+  if [ -d "${LLVM_COMPILERRT_SRC_FOLDER_NAME}" ] ; then
+    echo " > Deleting existing LLVM folder..."
+    rm -rf "${LLVM_COMPILERRT_SRC_FOLDER_NAME}" > "${LOG_FILE}" 2>&1
+    if [ $? -ne 0 ] ; then
+      dumpLogFile "Failed to delete the existing source folder"
+      return 1
+    fi
+  fi
+
+  echo " > Extracting the LLVM tarball..."
+  tar xf "${LLVM_COMPILERRT_TARBALL_NAME}" > "${LOG_FILE}" 2>&1
+  if [ $? -ne 0 ] ; then
+    rm "${LLVM_COMPILERRT_TARBALL_NAME}" "${LLVM_COMPILERRT_SRC_FOLDER_NAME}"
+    dumpLogFile "Failed to extract the LLVM tarball"
+    return 1
+  fi
+
+  if [ -d "bin" ] ; then
+    echo " > Deleting existing bin folder..."
+    rm -rf "bin" > "${LOG_FILE}" 2>&1
+    if [ $? -ne 0 ] ; then
+      dumpLogFile "Failed to delete the existing bin folder"
+      return 1
+    fi
+  fi
+
+  mkdir "bin" > "${LOG_FILE}" 2>&1
+  if [ $? -ne 0 ] ; then
+    dumpLogFile "Failed to create the bin folder"
+    return 1
+  fi
+
+  echo " > Building libFuzzer..."
+  ( cd "bin" && "../${LLVM_COMPILERRT_SRC_FOLDER_NAME}/lib/Fuzzer/build.sh" ) > "${LOG_FILE}" 2>&1
+  if [ $? -ne 0 ] ; then
+    dumpLogFile "Failed to build the library"
+    return 1
+  fi
+
+  printf "\nFinished building libFuzzer\n"
+  rm "${LOG_FILE}"
+
+  return 0
+}
+
+checkDependencies() {
+  executable_list=( "clang++" "curl" "tar" )
+
+  for executable in "${executable_list[@]}" ; do
+    which "${executable}" > /dev/null 2>&1
+    if [ $? -ne 0 ] ; then
+      echo "The following program was not found: ${executable}"
+      return 1
+    fi
+  done
+
+  return 0
+}
+
+dumpLogFile() {
+  if [ $# -eq 1 ] ; then
+    local message="$1"
+  else
+    local message="An error has occurred"
+  fi
+
+  printf "${message}\n"
+  printf "Log file follows\n===\n"
+  cat "${LOG_FILE}"
+  printf "\n===\n"
+  rm "${LOG_FILE}"
+}
+
+main $@
+exit $?

Fuzzing/santacache/.gitignore

@@ -0,0 +1,3 @@
+santacache.dSYM
+santacache
+

Fuzzing/santacache/src/main.cpp

@@ -0,0 +1,43 @@
+/// Copyright 2018 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#include <SantaCache.h>
+
+#include <cstdint>
+#include <iostream>
+
+extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data,
+                                      std::size_t size) {
+  static SantaCache<uint64_t, uint64_t> decision_cache(5000, 2);
+
+  std::uint64_t fields[2] = {};
+
+  if (size > 16) {
+    std::cout << "Invalid size! Start with -max_len=16\n";
+    return 1;
+  }
+
+  std::memcpy(fields, data, size);
+
+  decision_cache.set(fields[0], fields[1]);
+  auto returned_value = decision_cache.get(fields[0]);
+
+  if (returned_value != fields[1]) {
+    std::cout << fields[0] << ", " << fields[1] << " -> " << returned_value
+              << "\n";
+    return 1;
+  }
+
+  return 0;
+}

Fuzzing/santactl/santactl_fuzzer_seed_corpus/example01

@@ -0,0 +1,16 @@
+{
+  "rules": [
+    {
+      "rule_type": "BINARY",
+      "policy": "BLACKLIST",
+      "sha256": "2dc104631939b4bdf5d6bccab76e166e37fe5e1605340cf68dab919df58b8eda",
+      "custom_msg": "blacklist firefox"
+    },
+    {
+      "rule_type": "CERTIFICATE",
+      "policy": "BLACKLIST",
+      "sha256": "e7726cf87cba9e25139465df5bd1557c8a8feed5c7dd338342d8da0959b63c8d",
+      "custom_msg": "blacklist dash app certificate"
+    }
+  ]
+}

Fuzzing/santactl/src/main.mm

@@ -0,0 +1,62 @@
+/// Copyright 2018 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#include <cstdint>
+#include <iostream>
+#include <vector>
+
+#include <SNTRule.h>
+#include <SNTSyncConstants.h>
+#include <SNTSyncRuleDownload.h>
+#include <SNTSyncState.h>
+
+extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size) {
+  NSData *buffer = [NSData dataWithBytes:static_cast<const void *>(data) length:size];
+  if (!buffer) {
+    return 0;
+  }
+
+  NSError *error;
+  NSDictionary *response = [NSJSONSerialization JSONObjectWithData:buffer options:0 error:&error];
+  if (!response) {
+    return 0;
+  }
+
+  if (![response isKindOfClass:[NSDictionary class]]) {
+    return 0;
+  }
+
+  if (![response objectForKey:kRules]) {
+    return 0;
+  }
+
+  SNTSyncState *state = [[SNTSyncState alloc] init];
+  if (!state) {
+    return 0;
+  }
+
+  SNTSyncRuleDownload *obj = [[SNTSyncRuleDownload alloc] initWithState:state];
+  if (!obj) {
+    return 0;
+  }
+
+  for (NSDictionary *ruleDict in response[kRules]) {
+    SNTRule *rule = [obj ruleFromDictionary:ruleDict];
+    if (rule) {
+      std::cerr << "Rule: " << [[rule description] UTF8String] << "\n";
+    }
+  }
+
+  return 0;
+}

Fuzzing/santad/santad_databaseRemoveEventsWithIDs_fuzzer_seed_corpus/example01

@@ -0,0 +1 @@
+К'.p▒└G╗М┐║ЙSЮ╝и▌РУерЭxt1iАЫШ9ы*H╩4R"═©$-├Уww╙+Р╝╘[┼иу╧oС┬ОwRpЗя≤х°е

Fuzzing/santad/src/checkCacheForVnodeID.mm

@@ -0,0 +1,58 @@
+/// Copyright 2018 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#include <cstdint>
+#include <iostream>
+
+#import <MOLXPCConnection/MOLXPCConnection.h>
+
+#import "SNTCommandController.h"
+#import "SNTRule.h"
+#import "SNTXPCControlInterface.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size) {
+  if (size > 16) {
+    std::cerr << "Invalid buffer size of " << size << " (should be <= 16)" << std::endl;
+
+    return 1;
+  }
+
+  santa_vnode_id_t vnodeID = {};
+  std::memcpy(&vnodeID, data, size);
+
+  MOLXPCConnection *daemonConn = [SNTXPCControlInterface configuredConnection];
+  daemonConn.invalidationHandler = ^{
+    printf("An error occurred communicating with the daemon, is it running?\n");
+    exit(1);
+  };
+
+  [daemonConn resume];
+
+  [[daemonConn remoteObjectProxy]
+    checkCacheForVnodeID:vnodeID
+               withReply:^(santa_action_t action) {
+                 if (action == ACTION_RESPOND_ALLOW) {
+                   std::cerr << "File exists in [whitelist] kernel cache" << std::endl;
+                   ;
+                 } else if (action == ACTION_RESPOND_DENY) {
+                   std::cerr << "File exists in [blacklist] kernel cache" << std::endl;
+                   ;
+                 } else if (action == ACTION_UNSET) {
+                   std::cerr << "File does not exist in cache" << std::endl;
+                   ;
+                 }
+               }];
+
+  return 0;
+}

Fuzzing/santad/src/databaseRemoveEventsWithIDs.mm

@@ -0,0 +1,51 @@
+/// Copyright 2018 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#include <cstdint>
+#include <iostream>
+
+#import <MOLXPCConnection/MOLXPCConnection.h>
+
+#import "SNTCommandController.h"
+#import "SNTRule.h"
+#import "SNTXPCControlInterface.h"
+
+#pragma pack(push, 1)
+
+#pragma pack(pop)
+
+extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size) {
+  auto *eventId = reinterpret_cast<const std::uint64_t *>(data);
+  std::size_t eventIdCount = size / sizeof(std::uint64_t);
+  if (eventIdCount == 0) {
+    return 0;
+  }
+
+  MOLXPCConnection *daemonConn = [SNTXPCControlInterface configuredConnection];
+  daemonConn.invalidationHandler = ^{
+    printf("An error occurred communicating with the daemon, is it running?\n");
+    exit(1);
+  };
+
+  [daemonConn resume];
+
+  NSMutableSet *eventIds = [NSMutableSet setWithCapacity:eventIdCount];
+  for (std::size_t i = 0; i < eventIdCount; i++) {
+    auto id = [NSNumber numberWithInteger:eventId[i]];
+    [eventIds addObject:id];
+  }
+
+  [[daemonConn remoteObjectProxy] databaseRemoveEventsWithIDs:[eventIds allObjects]];
+  return 0;
+}

Fuzzing/santad/src/databaseRuleAddRules.mm

@@ -0,0 +1,73 @@
+/// Copyright 2018 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#include <cstdint>
+#include <iostream>
+
+#import <MOLXPCConnection/MOLXPCConnection.h>
+
+#import "SNTCommandController.h"
+#import "SNTRule.h"
+#import "SNTXPCControlInterface.h"
+
+#pragma pack(push, 1)
+
+struct InputData {
+  std::uint32_t cleanSlate;
+  std::uint32_t state;
+  std::uint32_t type;
+  char hash[33];
+};
+
+#pragma pack(pop)
+
+extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size) {
+  if (size > sizeof(InputData)) {
+    std::cerr << "Invalid buffer size of " << size << " (should be <= " << sizeof(InputData) << ")"
+              << std::endl;
+
+    return 1;
+  }
+
+  InputData input_data = {};
+  std::memcpy(&input_data, data, size);
+
+  SNTRule *newRule = [[SNTRule alloc] init];
+  newRule.state = (SNTRuleState)input_data.state;
+  newRule.type = (SNTRuleType)input_data.type;
+  newRule.identifier = @(input_data.hash);
+  newRule.customMsg = @"";
+
+  MOLXPCConnection *daemonConn = [SNTXPCControlInterface configuredConnection];
+  daemonConn.invalidationHandler = ^{
+    printf("An error occurred communicating with the daemon, is it running?\n");
+    exit(1);
+  };
+
+  [daemonConn resume];
+  [[daemonConn remoteObjectProxy]
+    databaseRuleAddRules:@[ newRule ]
+              cleanSlate:NO
+                   reply:^(NSError *error) {
+                     if (!error) {
+                       if (newRule.state == SNTRuleStateRemove) {
+                         printf("Removed rule for SHA-256: %s.\n", [newRule.identifier UTF8String]);
+                       } else {
+                         printf("Added rule for SHA-256: %s.\n", [newRule.identifier UTF8String]);
+                       }
+                     }
+                   }];
+
+  return 0;
+}

Podfile

@@ -1,49 +0,0 @@
-platform :osx, "10.9"
-
-inhibit_all_warnings!
-
-target :Santa do
-  pod 'MOLCertificate'
-  pod 'MOLCodesignChecker'
-end
-
-target :santad do
-  pod 'FMDB'
-  pod 'MOLCertificate'
-  pod 'MOLCodesignChecker'
-end
-
-target :santactl do
-  pod 'FMDB'
-  pod 'MOLAuthenticatingURLSession'
-  pod 'MOLCertificate'
-  pod 'MOLCodesignChecker'
-  pod 'MOLFCMClient'
-end
-
-target :LogicTests do
-  pod 'FMDB'
-  pod 'MOLAuthenticatingURLSession'
-  pod 'MOLCertificate'
-  pod 'MOLCodesignChecker'
-  pod 'OCMock'
-end
-
-post_install do |installer|
-  installer.pods_project.targets.each do |target|
-    target.build_configurations.each do |config|
-      if config.name != 'Release' then
-        break
-      end
-
-      # This is necessary to get FMDB to not NSLog stuff.
-      config.build_settings['GCC_PREPROCESSOR_DEFINITIONS'] ||= ''
-      config.build_settings['GCC_PREPROCESSOR_DEFINITIONS'] <<= "NDEBUG=1"
-
-      # Enable more compiler optimizations.
-      config.build_settings['GCC_OPTIMIZATION_LEVEL'] = 'fast'
-      config.build_settings['LLVM_LTO'] = 'YES'
-    end
-  end
-end
-

Podfile.lock

@@ -1,32 +0,0 @@
-PODS:
-  - FMDB (2.6.2):
-    - FMDB/standard (= 2.6.2)
-  - FMDB/standard (2.6.2)
-  - MOLAuthenticatingURLSession (2.1):
-    - MOLCertificate (~> 1.5)
-  - MOLCertificate (1.5)
-  - MOLCodesignChecker (1.5):
-    - MOLCertificate (~> 1.3)
-  - MOLFCMClient (1.1):
-    - MOLAuthenticatingURLSession (~> 2.1)
-  - OCMock (3.3.1)
-
-DEPENDENCIES:
-  - FMDB
-  - MOLAuthenticatingURLSession
-  - MOLCertificate
-  - MOLCodesignChecker
-  - MOLFCMClient
-  - OCMock
-
-SPEC CHECKSUMS:
-  FMDB: 854a0341b4726e53276f2a8996f06f1b80f9259a
-  MOLAuthenticatingURLSession: 2f0fd35f641bc857ee1b026021dbd759955adaa3
-  MOLCertificate: c39cae866d24d36fbc78032affff83d401b5384a
-  MOLCodesignChecker: fc9c64147811d7b0d0739127003e0630dff9213a
-  MOLFCMClient: f1684219facbffdb060ff4ab18b1825bcd4c75bc
-  OCMock: f3f61e6eaa16038c30caa5798c5e49d3307b6f22
-
-PODFILE CHECKSUM: b20628b5933f54525daf0dcc5534512b1cb134c8
-
-COCOAPODS: 1.0.1

README.md

@@ -1,169 +1,144 @@
-Santa  [![Build Status](https://travis-ci.org/google/santa.png?branch=master)](https://travis-ci.org/google/santa)
-=====
+# Santa [![CI](https://github.com/google/santa/actions/workflows/ci.yml/badge.svg)](https://github.com/google/santa/actions/workflows/ci.yml) [![Coverage Status](https://coveralls.io/repos/github/google/santa/badge.svg?branch=main)](https://coveralls.io/github/google/santa?branch=main)
 
 <p align="center">
-<a href="#santa--">
-<img src="./Source/SantaGUI/Resources/Images.xcassets/AppIcon.appiconset/santa-hat-icon-128.png" alt="Santa Icon" />
-</a>
+    <img src="https://raw.githubusercontent.com/google/santa/main/Source/santa/Resources/Images.xcassets/AppIcon.appiconset/santa-hat-icon-128.png" alt="Santa Icon" />
 </p>
 
-Santa is a binary whitelisting/blacklisting system for macOS. It consists of
-a kernel extension that monitors for executions, a userland daemon that makes
-execution decisions based on the contents of a SQLite database, a GUI agent that
-notifies the user in case of a block decision and a command-line utility for
-managing the system and synchronizing the database with a server.
-
-Santa is not yet a 1.0. We're writing more tests, fixing bugs, working on TODOs
-and finishing up a security audit.
+Santa is a binary authorization system for macOS. It consists of a system 
+extension that monitors for executions, a daemon that makes execution decisions 
+based on the contents of a local database, a GUI agent that notifies the user in
+case of a block decision and a command-line utility for managing the system and 
+synchronizing the database with a server.
 
 It is named Santa because it keeps track of binaries that are naughty or nice.
 
-Santa is a project of Google's Macintosh Operations Team.
+# Docs
 
-Admin-Related Features
-========
+The Santa docs are stored in the
+[Docs](https://github.com/google/santa/blob/main/docs) directory and published
+at https://santa.dev.
 
-* Multiple modes: In the default MONITOR mode, all binaries except
-those marked as blacklisted will be allowed to run, whilst being logged and recorded in the events database. In LOCKDOWN mode, only whitelisted binaries are
-allowed to run.
+The docs include deployment options, details on how parts of Santa work and
+instructions for developing Santa itself.
 
-* Event logging: When the kext is loaded, all binary launches are logged.
-When in either mode, all unknown or denied binaries are stored in the database to enable later aggregation.
+# Get Help
 
-* Certificate-based rules, with override levels: Instead of relying on a binaries hash (or 'fingerprint'), executables can be whitelisted/blacklisted by their signing
-certificate. You can therefore trust/block all binaries by a given publisher that were signed with that cert across version updates. A
-binary can only be whitelisted by its certificate if its signature validates
-correctly, but a rule for a binaries fingerprint will override a decision for a
-certificate; i.e. you can whitelist a certificate while blacklisting a binary
-signed with that certificate, or vice-versa.
+If you have questions or otherwise need help getting started,
+the [santa-dev](https://groups.google.com/forum/#!forum/santa-dev) group is a
+great place.
 
-* Path-based rules (via NSRegularExpression/ICU): This allows a similar feature as Managed Client for OS X's (the precursor to configuration profiles, which used the same implementation mechanism) Application Launch Restrictions via the mcxalr binary. This implementation carries the added benefit of being configurable via regex, and doesn't rely on LaunchServices. As detailed in the wiki, when evaluating rules this holds the lowest precendence.
+If you believe you have a bug, feel free to report [an
+issue](https://github.com/google/santa/issues) and we'll respond as soon as we
+can.
 
-* Failsafe cert rules: You cannot put in a deny rule that would block the certificate used to sign launchd, a.k.a. pid 1, and therefore all components used in macOS. The binaries in every OS update (and in some cases entire new versions) are therefore auto-whitelisted. This does not affect binaries from Apple's App Store, which use various certs that change regularly for common apps. Likewise, you cannot blacklist Santa itself, and Santa uses a distinct separate cert than other Google apps.
+If you believe you've found a vulnerability, please read the
+[security policy](https://github.com/google/santa/security/policy) for
+disclosure reporting.
+
+# Features
+
+* Multiple modes: In the default MONITOR mode, all binaries except those marked
+  as blocked will be allowed to run, whilst being logged and recorded in
+  the events database. In LOCKDOWN mode, only listed binaries are allowed to
+  run.
+
+* Event logging: When the kext is loaded, all binary launches are logged.  When
+  in either mode, all unknown or denied binaries are stored in the database to
+  enable later aggregation.
+
+* Certificate-based rules, with override levels: Instead of relying on a
+  binary's hash (or 'fingerprint'), executables can be allowed/blocked by their
+  signing certificate. You can therefore allow/block all binaries by a
+  given publisher that were signed with that cert across version updates. A
+  binary can only be allowed by its certificate if its signature validates
+  correctly but a rule for a binary's fingerprint will override a decision for
+  a certificate; i.e. you can allowlist a certificate while blocking a binary
+  signed with that certificate, or vice-versa.
+
+* Path-based rules (via NSRegularExpression/ICU): This allows a similar feature
+  to that found in Managed Client (the precursor to configuration profiles,
+  which used the same implementation mechanism), Application Launch
+  Restrictions via the mcxalr binary. This implementation carries the added
+  benefit of being configurable via regex, and not relying on LaunchServices.
+  As detailed in the wiki, when evaluating rules this holds the lowest
+  precedence.
+
+* Failsafe cert rules: You cannot put in a deny rule that would block the
+  certificate used to sign launchd, a.k.a. pid 1, and therefore all components
+  used in macOS. The binaries in every OS update (and in some cases entire new
+  versions) are therefore automatically allowed. This does not affect binaries
+  from Apple's App Store, which use various certs that change regularly for
+  common apps. Likewise, you cannot block Santa itself, and Santa uses a
+  distinct separate cert than other Google apps.
+
+* Userland components validate each other: each of the userland components (the
+  daemon, the GUI agent and the command-line utility) communicate with each
+  other using XPC and check that their signing certificates are identical
+  before any communication is accepted.
+
+* Caching: allowed binaries are cached so the processing required to make a
+  request is only done if the binary isn't already cached.
+
+# Intentions and Expectations
 
-Intentions and Expectations
-===========================
 No single system or process will stop *all* attacks, or provide 100% security.
 Santa is written with the intention of helping protect users from themselves.
 People often download malware and trust it, giving the malware credentials, or
 allowing unknown software to exfiltrate more data about your system. As a
 centrally managed component, Santa can help stop the spread of malware among a
-larger fleet of machines. Independently, Santa can aid in analyzing what is
+large fleet of machines. Independently, Santa can aid in analyzing what is
 running on your computer.
 
-Santa is part of a defense-in-depth strategy, and you should continue to protect
-hosts in whatever other ways you see fit.
+Santa is part of a defense-in-depth strategy, and you should continue to
+protect hosts in whatever other ways you see fit.
 
-Get Help
-========
+# Security and Performance-Related Features
 
-If you have questions or otherwise need help getting started, the
-[santa-dev](https://groups.google.com/forum/#!forum/santa-dev) group is a
-great place. Please consult the [wiki](https://github.com/google/santa/wiki) and [issues](https://github.com/google/santa/issues) as well.
-
-Security and Performance-Related Features
-============
-* In-kernel caching: whitelisted binaries are cached in the kernel so the
-processing required to make a request is only done if the binary
-isn't already cached.
-
-* Userland components validate each other: each of the userland components (the
-daemon, the GUI agent and the command-line utility) communicate with each other
-using XPC and check that their signing certificates are identical before any
-communication is accepted.
-
-* Kext uses only KPIs: the kernel extension only uses provided kernel
-programming interfaces to do its job. This means that the kext code should
-continue to work across OS versions.
-
-Known Issues
-============
-Santa is not yet a 1.0 and we have some known issues to be aware of:
+# Known Issues
 
 * Santa only blocks execution (execve and variants), it doesn't protect against
-dynamic libraries loaded with dlopen, libraries on disk that have been replaced, or
-libraries loaded using `DYLD_INSERT_LIBRARIES`. As of version 0.9.1 we *do* address [__PAGEZERO missing issues](b87482e) that were exploited in some versions of macOS. We are working on also protecting against similar avenues of attack.
-
-* Kext communication security: the kext will only accept a connection from a
-single client at a time and said client must be running as root. We haven't yet
-found a good way to ensure the kext only accepts connections from a valid client.
-
-* Database protection: the SQLite database is installed with permissions so that
-only the root user can read/write it. We're considering approaches to secure
-this further.
-
-* Sync client: The `santactl` command-line client includes a flag to synchronize with a management server, which uploads events that have occurred on the
-machine and downloads new rules. We're still very heavily working on this
-server (which is AppEngine-based and will be open-sourced in the future), so the
-sync client code is unfinished. It does show the 'API' that we're expecting to
-use so if you'd like to write your own management server, feel free to look at
-how the client currently works (and suggest changes!)
+  dynamic libraries loaded with dlopen, libraries on disk that have been
+  replaced, or libraries loaded using `DYLD_INSERT_LIBRARIES`.
 
 * Scripts: Santa is currently written to ignore any execution that isn't a
-binary. This is because after weighing the administration cost vs the benefit,
-we found it wasn't worthwhile. Additionally, a number of applications make use
-of temporary generated scripts, which we can't possibly whitelist and not doing
-so would cause problems. We're happy to revisit this (or at least make it an
-option) if it would be useful to others.
+  binary. This is because after weighing the administration cost vs the
+  benefit, we found it wasn't worthwhile. Additionally, a number of
+  applications make use of temporary generated scripts, which we can't possibly
+  allowlist and not doing so would cause problems. We're happy to revisit this
+  (or at least make it an option) if it would be useful to others.
 
-* Documentation: This is currently limited.
+# Sync Servers
 
-* Tests: There aren't enough of them.
+* The `santactl` command-line client includes a flag to synchronize with a
+  management server, which uploads events that have occurred on the machine and
+  downloads new rules. There are several open-source servers you can sync with:
 
-Screenshots
-===========
+    * [Moroz](https://github.com/groob/moroz) - A simple golang server that
+      serves hardcoded rules from simple configuration files.
+    * [Rudolph](https://github.com/airbnb/rudolph) - An AWS-based serverless sync service
+      primarily built on API GW, DynamoDB, and Lambda components to reduce operational burden.
+      Rudolph is designed to be fast, easy-to-use, and cost-efficient.
+    * [Zentral](https://github.com/zentralopensource/zentral/wiki) - A
+      centralized service that pulls data from multiple sources and deploy
+      configurations to multiple services.
+    * [Zercurity](https://github.com/zercurity/zercurity) - A dockerized service
+      for managing and monitoring applications across a large fleet utilizing
+      Santa + Osquery.
 
-A tool like Santa doesn't really lend itself to screenshots, so here's a video instead.
+* Alternatively, `santactl` can configure rules locally (without a sync
+  server).
 
-<p align="center">
-<img src="https://zippy.gfycat.com/MadFatalAmphiuma.gif" alt="Santa Block Video" />
-</p>
+# Screenshots
 
-Building
-========
-Firstly, make sure you're using Xcode 7.3.1 as currently we do not support
-building with Xcode 8.
+A tool like Santa doesn't really lend itself to screenshots, so here's a video
+instead.
 
-```sh
-git clone https://github.com/google/santa
-cd santa
 
-# Build a debug build. This will install any necessary CocoaPods, create the
-# workspace and build, outputting the full log only if an error occurred.
-# If CocoaPods is not installed, you'll be prompted to install it.
-#
-# For other build/install/run options, run rake without any arguments
-rake build:debug
-```
+<p align="center"> <img src="https://thumbs.gfycat.com/MadFatalAmphiuma-small.gif" alt="Santa Block Video" /> </p>
 
-Note: the Xcode project is setup to use any installed "Mac Developer" certificate
-and for security-reasons parts of Santa will not operate properly if not signed.
+# Contributing
+Patches to this project are very much welcome. Please see the
+[CONTRIBUTING](https://santa.dev/development/contributing) doc.
 
-Kext Signing
-============
-Kernel extensions on macOS 10.9 and later must be signed using an Apple-provided
-Developer ID certificate with a kernel extension flag. Without it, the only way
-to load an extension is to enable kext-dev-mode or disable SIP, depending on the
-OS version.
-
-There are two possible solutions for this, for distribution purposes:
-
-1) Use a [pre-built, pre-signed version](https://github.com/google/santa/releases)
-of the kext that we supply. Each time changes are made to the kext code we will
-update the pre-built version that you can make use of. This doesn't prevent you
-from making changes to the non-kext parts of Santa and distributing those.
-If you make changes to the kext and make a pull request, we can merge them in
-and distribute a new version of the pre-signed kext.
-
-2) Apply for your own [kext signing certificate](https://developer.apple.com/contact/kext/).
-Apple will only grant this for broad distribution within an organization, they
-won't issue them just for testing purposes.
-
-Contributing
-============
-Patches to this project are very much welcome. Please see the [CONTRIBUTING](https://github.com/google/santa/blob/master/CONTRIBUTING.md)
-file.
-
-Disclaimer
-==========
+# Disclaimer
 This is **not** an official Google product.

Rakefile

@@ -1,213 +0,0 @@
-WORKSPACE           = 'Santa.xcworkspace'
-DEFAULT_SCHEME      = 'All'
-OUTPUT_PATH         = 'Build'
-BINARIES            = ['Santa.app', 'santa-driver.kext']
-DSYMS               = ['Santa.app.dSYM', 'santa-driver.kext.dSYM', 'santad.dSYM', 'santactl.dSYM']
-XCPRETTY_DEFAULTS   = '-sc'
-XCODEBUILD_DEFAULTS = "-workspace #{WORKSPACE} -derivedDataPath #{OUTPUT_PATH} -parallelizeTargets"
-$DISABLE_XCPRETTY   = false
-
-task :default do
-  system("rake -sT")
-end
-
-def xcodebuild(opts)
-  command = "xcodebuild #{XCODEBUILD_DEFAULTS} #{opts}"
-  if not $DISABLE_XCPRETTY
-    command << " | xcpretty #{XCPRETTY_DEFAULTS} && exit ${PIPESTATUS[0]}"
-  end
-
-  if system command
-    puts "\e[32mPass\e[0m"
-  else
-    raise "\e[31mFail\e[0m"
-  end
-end
-
-def xcodebuilddir
-  if not $xcode_build_dir
-    output = `xcodebuild #{XCODEBUILD_DEFAULTS} -scheme All -showBuildSettings`
-    if match = output.match(/BUILD_DIR = (.*)/)
-        $xcode_build_dir = match.captures.first
-        puts "Found Xcode build dir #{$xcode_build_dir}"
-    end
-  end
-  $xcode_build_dir
-end
-
-task :init do
-  unless File.exists?(WORKSPACE) and File.exists?('Pods')
-    puts "Pods missing, running 'pod install'"
-    system "pod install" or raise "CocoaPods is not installed. Install with 'sudo gem install cocoapods'"
-  end
-  unless system 'xcpretty -v >/dev/null 2>&1'
-    puts "xcpretty is not installed. Install with 'sudo gem install xcpretty'"
-    $DISABLE_XCPRETTY = true
-  end
-end
-
-task :remove_existing do
-  system 'sudo rm -rf /Library/Extensions/santa-driver.kext'
-  system 'sudo rm -rf /Applications/Santa.app'
-end
-
-desc "Clean"
-task :clean => :init do
-  puts "Cleaning"
-  FileUtils.rm_rf(OUTPUT_PATH)
-  xcodebuild("-scheme All clean")
-end
-
-# Build
-namespace :build do
-  desc "Build: Debug"
-  task :debug do
-    Rake::Task['build:build'].invoke("Debug")
-  end
-
-  desc "Build: Release"
-  task :release do
-    Rake::Task['build:build'].invoke("Release")
-  end
-
-  task :build, [:configuration] => :init do |t, args|
-    config = args[:configuration]
-    puts "Building with configuration: #{config}"
-    xcodebuild("-scheme All -configuration #{config} build")
-  end
-end
-
-
-# Install
-namespace :install do
-  desc "Install: Debug"
-  task :debug do
-    Rake::Task['install:install'].invoke("Debug")
-  end
-
-  desc "Install: Release"
-  task :release do
-    Rake::Task['install:install'].invoke("Release")
-  end
-
-  task :install, [:configuration] do |t, args|
-    config = args[:configuration]
-    system 'sudo cp conf/com.google.santad.plist /Library/LaunchDaemons'
-    system 'sudo cp conf/com.google.santagui.plist /Library/LaunchAgents'
-    system 'sudo cp conf/com.google.santa.asl.conf /etc/asl'
-    Rake::Task['build:build'].invoke(config)
-    puts "Installing with configuration: #{config}"
-    Rake::Task['remove_existing'].invoke()
-    system "sudo cp -r #{xcodebuilddir}/#{config}/santa-driver.kext /Library/Extensions"
-    system "sudo cp -r #{xcodebuilddir}/#{config}/Santa.app /Applications"
-  end
-end
-
-# Dist
-task :dist do
-  desc "Create distribution folder"
-
-  Rake::Task['clean'].invoke()
-  Rake::Task['build:build'].invoke("Release")
-
-  dist_path = "santa-#{`defaults read #{xcodebuilddir}/Release/santa-driver.kext/Contents/Info.plist CFBundleVersion`.strip}"
-
-  FileUtils.rm_rf(dist_path)
-
-  FileUtils.mkdir_p("#{dist_path}/binaries")
-  FileUtils.mkdir_p("#{dist_path}/conf")
-  FileUtils.mkdir_p("#{dist_path}/dsym")
-
-  BINARIES.each do |x|
-    FileUtils.cp_r("#{xcodebuilddir}/Release/#{x}", "#{dist_path}/binaries")
-  end
-
-  DSYMS.each do |x|
-    FileUtils.cp_r("#{xcodebuilddir}/Release/#{x}", "#{dist_path}/dsym")
-  end
-
-
-  Dir.glob("Conf/*") {|x| File.directory?(x) or FileUtils.cp(x, "#{dist_path}/conf")}
-
-  puts "Distribution folder #{dist_path} created"
-end
-
-# Tests
-namespace :tests do
-  desc "Tests: Logic"
-  task :logic => [:init] do
-    puts "Running logic tests"
-    xcodebuild("-scheme LogicTests test")
-  end
-
-  desc "Tests: Kernel"
-  task :kernel do
-    Rake::Task['unload'].invoke()
-    Rake::Task['install:debug'].invoke()
-    Rake::Task['load_kext'].invoke
-    FileUtils.mkdir_p("/tmp/santa_kerneltests_tmp")
-    begin
-      puts "\033[?25l\033[12h"  # hide cursor
-      puts "Running kernel tests"
-      system "cd /tmp/santa_kerneltests_tmp && sudo #{xcodebuilddir}/Debug/KernelTests"
-    rescue Exception
-    ensure
-      puts "\033[?25h\033[12l\n\n"  # unhide cursor
-      FileUtils.rm_rf("/tmp/santa_kerneltests_tmp")
-      Rake::Task['unload_kext'].execute
-    end
-  end
-end
-
-# Load/Unload
-task :unload_daemon do
-  puts "Unloading daemon"
-  system "sudo launchctl unload /Library/LaunchDaemons/com.google.santad.plist 2>/dev/null"
-end
-
-task :unload_kext do
-  puts "Unloading kernel extension"
-  system "sudo kextunload -b com.google.santa-driver 2>/dev/null"
-end
-
-task :unload_gui do
-  puts "Unloading GUI agent"
-  system "launchctl unload /Library/LaunchAgents/com.google.santagui.plist 2>/dev/null"
-end
-
-desc "Unload"
-task :unload => [:unload_daemon, :unload_kext, :unload_gui]
-
-task :load_daemon do
-  puts "Loading daemon"
-  system "sudo launchctl load /Library/LaunchDaemons/com.google.santad.plist"
-end
-
-task :load_kext do
-  puts "Loading kernel extension"
-  system "sudo kextload /Library/Extensions/santa-driver.kext"
-end
-
-task :load_gui do
-  puts "Loading GUI agent"
-  system "launchctl load /Library/LaunchAgents/com.google.santagui.plist 2>/dev/null"
-end
-
-desc "Load"
-task :load => [:load_kext, :load_daemon, :load_gui]
-
-namespace :reload do
-  desc "Reload: Debug"
-  task :debug do
-    Rake::Task['unload'].invoke()
-    Rake::Task['install:debug'].invoke()
-    Rake::Task['load'].invoke()
-  end
-
-  desc "Reload: Release"
-  task :release do
-    Rake::Task['unload'].invoke()
-    Rake::Task['install:release'].invoke()
-    Rake::Task['load'].invoke()
-  end
-end

SECURITY.md

@@ -0,0 +1,12 @@
+# Reporting a Vulnerability
+
+If you believe you have found a security vulnerability, we would appreciate private disclosure
+so that we can work on a fix before disclosure. Any vulnerabilities reported to us will be 
+disclosed publicly either when a new version with fixes is released or 90 days has passed,
+whichever comes first.
+
+To report vulnerabilities to us privately, please e-mail `santa-team@google.com`.
+If you want to encrypt your e-mail, you can use our GPG key `0x92AFE41DAB49BBB6`
+available on pool.sks-keyservers.net:
+
+`gpg --keyserver pool.sks-keyservers.net --recv-key 0x92AFE41DAB49BBB6`

Santa.xcodeproj/xcshareddata/xcschemes/All.xcscheme

@@ -1,83 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Scheme
-   LastUpgradeVersion = "0730"
-   version = "1.3">
-   <BuildAction
-      parallelizeBuildables = "YES"
-      buildImplicitDependencies = "YES">
-      <BuildActionEntries>
-         <BuildActionEntry
-            buildForTesting = "YES"
-            buildForRunning = "YES"
-            buildForProfiling = "YES"
-            buildForArchiving = "YES"
-            buildForAnalyzing = "YES">
-            <BuildableReference
-               BuildableIdentifier = "primary"
-               BlueprintIdentifier = "0D91BCDC174E8AE600131A7D"
-               BuildableName = "All"
-               BlueprintName = "All"
-               ReferencedContainer = "container:Santa.xcodeproj">
-            </BuildableReference>
-         </BuildActionEntry>
-      </BuildActionEntries>
-   </BuildAction>
-   <TestAction
-      buildConfiguration = "Debug"
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      shouldUseLaunchSchemeArgsEnv = "YES"
-      codeCoverageEnabled = "YES"
-      enableAddressSanitizer = "YES">
-      <Testables>
-         <TestableReference
-            skipped = "NO">
-            <BuildableReference
-               BuildableIdentifier = "primary"
-               BlueprintIdentifier = "0D260DAB18B68E12002A0B55"
-               BuildableName = "LogicTests.xctest"
-               BlueprintName = "LogicTests"
-               ReferencedContainer = "container:Santa.xcodeproj">
-            </BuildableReference>
-         </TestableReference>
-      </Testables>
-      <AdditionalOptions>
-      </AdditionalOptions>
-   </TestAction>
-   <LaunchAction
-      buildConfiguration = "Debug"
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      launchStyle = "0"
-      useCustomWorkingDirectory = "NO"
-      ignoresPersistentStateOnLaunch = "NO"
-      debugDocumentVersioning = "YES"
-      debugServiceExtension = "internal"
-      allowLocationSimulation = "YES">
-      <MacroExpansion>
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D91BCDC174E8AE600131A7D"
-            BuildableName = "All"
-            BlueprintName = "All"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </MacroExpansion>
-      <AdditionalOptions>
-      </AdditionalOptions>
-   </LaunchAction>
-   <ProfileAction
-      buildConfiguration = "Release"
-      shouldUseLaunchSchemeArgsEnv = "YES"
-      savedToolIdentifier = ""
-      useCustomWorkingDirectory = "NO"
-      debugDocumentVersioning = "YES">
-   </ProfileAction>
-   <AnalyzeAction
-      buildConfiguration = "Debug">
-   </AnalyzeAction>
-   <ArchiveAction
-      buildConfiguration = "Release"
-      revealArchiveInOrganizer = "YES">
-   </ArchiveAction>
-</Scheme>

Santa.xcodeproj/xcshareddata/xcschemes/KernelTests.xcscheme

@@ -1,91 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Scheme
-   LastUpgradeVersion = "0730"
-   version = "1.3">
-   <BuildAction
-      parallelizeBuildables = "YES"
-      buildImplicitDependencies = "YES">
-      <BuildActionEntries>
-         <BuildActionEntry
-            buildForTesting = "YES"
-            buildForRunning = "YES"
-            buildForProfiling = "YES"
-            buildForArchiving = "YES"
-            buildForAnalyzing = "YES">
-            <BuildableReference
-               BuildableIdentifier = "primary"
-               BlueprintIdentifier = "0D0016A1192BCD3C005E7FCD"
-               BuildableName = "KernelTests"
-               BlueprintName = "KernelTests"
-               ReferencedContainer = "container:Santa.xcodeproj">
-            </BuildableReference>
-         </BuildActionEntry>
-      </BuildActionEntries>
-   </BuildAction>
-   <TestAction
-      buildConfiguration = "Debug"
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      shouldUseLaunchSchemeArgsEnv = "YES">
-      <Testables>
-      </Testables>
-      <MacroExpansion>
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D0016A1192BCD3C005E7FCD"
-            BuildableName = "KernelTests"
-            BlueprintName = "KernelTests"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </MacroExpansion>
-      <AdditionalOptions>
-      </AdditionalOptions>
-   </TestAction>
-   <LaunchAction
-      buildConfiguration = "Debug"
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      launchStyle = "0"
-      useCustomWorkingDirectory = "NO"
-      ignoresPersistentStateOnLaunch = "NO"
-      debugDocumentVersioning = "YES"
-      debugServiceExtension = "internal"
-      allowLocationSimulation = "YES">
-      <BuildableProductRunnable
-         runnableDebuggingMode = "0">
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D0016A1192BCD3C005E7FCD"
-            BuildableName = "KernelTests"
-            BlueprintName = "KernelTests"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </BuildableProductRunnable>
-      <AdditionalOptions>
-      </AdditionalOptions>
-   </LaunchAction>
-   <ProfileAction
-      buildConfiguration = "Release"
-      shouldUseLaunchSchemeArgsEnv = "YES"
-      savedToolIdentifier = ""
-      useCustomWorkingDirectory = "NO"
-      debugDocumentVersioning = "YES">
-      <BuildableProductRunnable
-         runnableDebuggingMode = "0">
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D0016A1192BCD3C005E7FCD"
-            BuildableName = "KernelTests"
-            BlueprintName = "KernelTests"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </BuildableProductRunnable>
-   </ProfileAction>
-   <AnalyzeAction
-      buildConfiguration = "Debug">
-   </AnalyzeAction>
-   <ArchiveAction
-      buildConfiguration = "Release"
-      revealArchiveInOrganizer = "YES">
-   </ArchiveAction>
-</Scheme>

Santa.xcodeproj/xcshareddata/xcschemes/LogicTests.xcscheme

@@ -1,99 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Scheme
-   LastUpgradeVersion = "0730"
-   version = "1.3">
-   <BuildAction
-      parallelizeBuildables = "YES"
-      buildImplicitDependencies = "YES">
-      <BuildActionEntries>
-         <BuildActionEntry
-            buildForTesting = "YES"
-            buildForRunning = "YES"
-            buildForProfiling = "NO"
-            buildForArchiving = "NO"
-            buildForAnalyzing = "YES">
-            <BuildableReference
-               BuildableIdentifier = "primary"
-               BlueprintIdentifier = "0D260DAB18B68E12002A0B55"
-               BuildableName = "LogicTests.xctest"
-               BlueprintName = "LogicTests"
-               ReferencedContainer = "container:Santa.xcodeproj">
-            </BuildableReference>
-         </BuildActionEntry>
-      </BuildActionEntries>
-   </BuildAction>
-   <TestAction
-      buildConfiguration = "Debug"
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      shouldUseLaunchSchemeArgsEnv = "YES">
-      <Testables>
-         <TestableReference
-            skipped = "NO">
-            <BuildableReference
-               BuildableIdentifier = "primary"
-               BlueprintIdentifier = "0D260DAB18B68E12002A0B55"
-               BuildableName = "LogicTests.xctest"
-               BlueprintName = "LogicTests"
-               ReferencedContainer = "container:Santa.xcodeproj">
-            </BuildableReference>
-         </TestableReference>
-      </Testables>
-      <MacroExpansion>
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D260DAB18B68E12002A0B55"
-            BuildableName = "LogicTests.xctest"
-            BlueprintName = "LogicTests"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </MacroExpansion>
-      <AdditionalOptions>
-      </AdditionalOptions>
-   </TestAction>
-   <LaunchAction
-      buildConfiguration = "Debug"
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      launchStyle = "0"
-      useCustomWorkingDirectory = "NO"
-      ignoresPersistentStateOnLaunch = "NO"
-      debugDocumentVersioning = "YES"
-      debugServiceExtension = "internal"
-      allowLocationSimulation = "YES">
-      <MacroExpansion>
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D260DAB18B68E12002A0B55"
-            BuildableName = "LogicTests.xctest"
-            BlueprintName = "LogicTests"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </MacroExpansion>
-      <AdditionalOptions>
-      </AdditionalOptions>
-   </LaunchAction>
-   <ProfileAction
-      buildConfiguration = "Release"
-      shouldUseLaunchSchemeArgsEnv = "YES"
-      savedToolIdentifier = ""
-      useCustomWorkingDirectory = "NO"
-      debugDocumentVersioning = "YES">
-      <MacroExpansion>
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D260DAB18B68E12002A0B55"
-            BuildableName = "LogicTests.xctest"
-            BlueprintName = "LogicTests"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </MacroExpansion>
-   </ProfileAction>
-   <AnalyzeAction
-      buildConfiguration = "Debug">
-   </AnalyzeAction>
-   <ArchiveAction
-      buildConfiguration = "Release"
-      revealArchiveInOrganizer = "YES">
-   </ArchiveAction>
-</Scheme>

Santa.xcodeproj/xcshareddata/xcschemes/Santa.xcscheme

@@ -1,91 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Scheme
-   LastUpgradeVersion = "0730"
-   version = "1.3">
-   <BuildAction
-      parallelizeBuildables = "YES"
-      buildImplicitDependencies = "YES">
-      <BuildActionEntries>
-         <BuildActionEntry
-            buildForTesting = "YES"
-            buildForRunning = "YES"
-            buildForProfiling = "YES"
-            buildForArchiving = "YES"
-            buildForAnalyzing = "YES">
-            <BuildableReference
-               BuildableIdentifier = "primary"
-               BlueprintIdentifier = "0D385DB5180DE4A900418BC6"
-               BuildableName = "Santa.app"
-               BlueprintName = "Santa"
-               ReferencedContainer = "container:Santa.xcodeproj">
-            </BuildableReference>
-         </BuildActionEntry>
-      </BuildActionEntries>
-   </BuildAction>
-   <TestAction
-      buildConfiguration = "Debug"
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      shouldUseLaunchSchemeArgsEnv = "YES">
-      <Testables>
-      </Testables>
-      <MacroExpansion>
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D385DB5180DE4A900418BC6"
-            BuildableName = "Santa.app"
-            BlueprintName = "Santa"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </MacroExpansion>
-      <AdditionalOptions>
-      </AdditionalOptions>
-   </TestAction>
-   <LaunchAction
-      buildConfiguration = "Debug"
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      launchStyle = "0"
-      useCustomWorkingDirectory = "NO"
-      ignoresPersistentStateOnLaunch = "NO"
-      debugDocumentVersioning = "YES"
-      debugServiceExtension = "internal"
-      allowLocationSimulation = "YES">
-      <BuildableProductRunnable
-         runnableDebuggingMode = "0">
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D385DB5180DE4A900418BC6"
-            BuildableName = "Santa.app"
-            BlueprintName = "Santa"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </BuildableProductRunnable>
-      <AdditionalOptions>
-      </AdditionalOptions>
-   </LaunchAction>
-   <ProfileAction
-      buildConfiguration = "Release"
-      shouldUseLaunchSchemeArgsEnv = "YES"
-      savedToolIdentifier = ""
-      useCustomWorkingDirectory = "NO"
-      debugDocumentVersioning = "YES">
-      <BuildableProductRunnable
-         runnableDebuggingMode = "0">
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D385DB5180DE4A900418BC6"
-            BuildableName = "Santa.app"
-            BlueprintName = "Santa"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </BuildableProductRunnable>
-   </ProfileAction>
-   <AnalyzeAction
-      buildConfiguration = "Debug">
-   </AnalyzeAction>
-   <ArchiveAction
-      buildConfiguration = "Release"
-      revealArchiveInOrganizer = "YES">
-   </ArchiveAction>
-</Scheme>

Santa.xcodeproj/xcshareddata/xcschemes/santa-driver.xcscheme

@@ -1,71 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Scheme
-   LastUpgradeVersion = "0730"
-   version = "1.3">
-   <BuildAction
-      parallelizeBuildables = "YES"
-      buildImplicitDependencies = "YES">
-      <BuildActionEntries>
-         <BuildActionEntry
-            buildForTesting = "YES"
-            buildForRunning = "YES"
-            buildForProfiling = "YES"
-            buildForArchiving = "YES"
-            buildForAnalyzing = "YES">
-            <BuildableReference
-               BuildableIdentifier = "primary"
-               BlueprintIdentifier = "0D91BCB3174E8A7E00131A7D"
-               BuildableName = "santa-driver.kext"
-               BlueprintName = "santa-driver"
-               ReferencedContainer = "container:Santa.xcodeproj">
-            </BuildableReference>
-         </BuildActionEntry>
-      </BuildActionEntries>
-   </BuildAction>
-   <TestAction
-      buildConfiguration = "Debug"
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      shouldUseLaunchSchemeArgsEnv = "YES">
-      <Testables>
-      </Testables>
-      <AdditionalOptions>
-      </AdditionalOptions>
-   </TestAction>
-   <LaunchAction
-      buildConfiguration = "Debug"
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      launchStyle = "0"
-      useCustomWorkingDirectory = "NO"
-      ignoresPersistentStateOnLaunch = "NO"
-      debugDocumentVersioning = "YES"
-      debugServiceExtension = "internal"
-      allowLocationSimulation = "YES">
-      <MacroExpansion>
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D91BCB3174E8A7E00131A7D"
-            BuildableName = "santa-driver.kext"
-            BlueprintName = "santa-driver"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </MacroExpansion>
-      <AdditionalOptions>
-      </AdditionalOptions>
-   </LaunchAction>
-   <ProfileAction
-      buildConfiguration = "Release"
-      shouldUseLaunchSchemeArgsEnv = "YES"
-      savedToolIdentifier = ""
-      useCustomWorkingDirectory = "NO"
-      debugDocumentVersioning = "YES">
-   </ProfileAction>
-   <AnalyzeAction
-      buildConfiguration = "Debug">
-   </AnalyzeAction>
-   <ArchiveAction
-      buildConfiguration = "Release"
-      revealArchiveInOrganizer = "YES">
-   </ArchiveAction>
-</Scheme>

Santa.xcodeproj/xcshareddata/xcschemes/santactl.xcscheme

@@ -1,91 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Scheme
-   LastUpgradeVersion = "0730"
-   version = "1.3">
-   <BuildAction
-      parallelizeBuildables = "YES"
-      buildImplicitDependencies = "YES">
-      <BuildActionEntries>
-         <BuildActionEntry
-            buildForTesting = "YES"
-            buildForRunning = "YES"
-            buildForProfiling = "YES"
-            buildForArchiving = "YES"
-            buildForAnalyzing = "YES">
-            <BuildableReference
-               BuildableIdentifier = "primary"
-               BlueprintIdentifier = "0D35BD9D18FD71CE00921A21"
-               BuildableName = "santactl"
-               BlueprintName = "santactl"
-               ReferencedContainer = "container:Santa.xcodeproj">
-            </BuildableReference>
-         </BuildActionEntry>
-      </BuildActionEntries>
-   </BuildAction>
-   <TestAction
-      buildConfiguration = "Debug"
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      shouldUseLaunchSchemeArgsEnv = "YES">
-      <Testables>
-      </Testables>
-      <MacroExpansion>
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D35BD9D18FD71CE00921A21"
-            BuildableName = "santactl"
-            BlueprintName = "santactl"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </MacroExpansion>
-      <AdditionalOptions>
-      </AdditionalOptions>
-   </TestAction>
-   <LaunchAction
-      buildConfiguration = "Debug"
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      launchStyle = "0"
-      useCustomWorkingDirectory = "NO"
-      ignoresPersistentStateOnLaunch = "NO"
-      debugDocumentVersioning = "YES"
-      debugServiceExtension = "internal"
-      allowLocationSimulation = "YES">
-      <BuildableProductRunnable
-         runnableDebuggingMode = "0">
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D35BD9D18FD71CE00921A21"
-            BuildableName = "santactl"
-            BlueprintName = "santactl"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </BuildableProductRunnable>
-      <AdditionalOptions>
-      </AdditionalOptions>
-   </LaunchAction>
-   <ProfileAction
-      buildConfiguration = "Release"
-      shouldUseLaunchSchemeArgsEnv = "YES"
-      savedToolIdentifier = ""
-      useCustomWorkingDirectory = "NO"
-      debugDocumentVersioning = "YES">
-      <BuildableProductRunnable
-         runnableDebuggingMode = "0">
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D35BD9D18FD71CE00921A21"
-            BuildableName = "santactl"
-            BlueprintName = "santactl"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </BuildableProductRunnable>
-   </ProfileAction>
-   <AnalyzeAction
-      buildConfiguration = "Debug">
-   </AnalyzeAction>
-   <ArchiveAction
-      buildConfiguration = "Release"
-      revealArchiveInOrganizer = "YES">
-   </ArchiveAction>
-</Scheme>

Santa.xcodeproj/xcshareddata/xcschemes/santad.xcscheme

@@ -1,92 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Scheme
-   LastUpgradeVersion = "0730"
-   version = "1.3">
-   <BuildAction
-      parallelizeBuildables = "YES"
-      buildImplicitDependencies = "YES">
-      <BuildActionEntries>
-         <BuildActionEntry
-            buildForTesting = "YES"
-            buildForRunning = "YES"
-            buildForProfiling = "YES"
-            buildForArchiving = "YES"
-            buildForAnalyzing = "YES">
-            <BuildableReference
-               BuildableIdentifier = "primary"
-               BlueprintIdentifier = "0D9A7F3C1759330400035EB5"
-               BuildableName = "santad"
-               BlueprintName = "santad"
-               ReferencedContainer = "container:Santa.xcodeproj">
-            </BuildableReference>
-         </BuildActionEntry>
-      </BuildActionEntries>
-   </BuildAction>
-   <TestAction
-      buildConfiguration = "Debug"
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      shouldUseLaunchSchemeArgsEnv = "YES">
-      <Testables>
-      </Testables>
-      <MacroExpansion>
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D9A7F3C1759330400035EB5"
-            BuildableName = "santad"
-            BlueprintName = "santad"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </MacroExpansion>
-      <AdditionalOptions>
-      </AdditionalOptions>
-   </TestAction>
-   <LaunchAction
-      buildConfiguration = "Debug"
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      debugAsWhichUser = "root"
-      launchStyle = "0"
-      useCustomWorkingDirectory = "NO"
-      ignoresPersistentStateOnLaunch = "NO"
-      debugDocumentVersioning = "YES"
-      debugServiceExtension = "internal"
-      allowLocationSimulation = "YES">
-      <BuildableProductRunnable
-         runnableDebuggingMode = "0">
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D9A7F3C1759330400035EB5"
-            BuildableName = "santad"
-            BlueprintName = "santad"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </BuildableProductRunnable>
-      <AdditionalOptions>
-      </AdditionalOptions>
-   </LaunchAction>
-   <ProfileAction
-      buildConfiguration = "Release"
-      shouldUseLaunchSchemeArgsEnv = "YES"
-      savedToolIdentifier = ""
-      useCustomWorkingDirectory = "NO"
-      debugDocumentVersioning = "YES">
-      <BuildableProductRunnable
-         runnableDebuggingMode = "0">
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "0D9A7F3C1759330400035EB5"
-            BuildableName = "santad"
-            BlueprintName = "santad"
-            ReferencedContainer = "container:Santa.xcodeproj">
-         </BuildableReference>
-      </BuildableProductRunnable>
-   </ProfileAction>
-   <AnalyzeAction
-      buildConfiguration = "Debug">
-   </AnalyzeAction>
-   <ArchiveAction
-      buildConfiguration = "Release"
-      revealArchiveInOrganizer = "YES">
-   </ArchiveAction>
-</Scheme>

Santa.xcworkspace/contents.xcworkspacedata

@@ -1 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?><Workspace version='1.0'><FileRef location='group:Santa.xcodeproj'/><FileRef location='group:Pods/Pods.xcodeproj'/></Workspace>

Source/SantaGUI/Resources/Santa-Prefix.pch

@@ -1,3 +0,0 @@
-#ifdef __OBJC__
-  #import <Cocoa/Cocoa.h>
-#endif

Source/SantaGUI/SNTNotificationManager.m

@@ -1,146 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-#import "SNTNotificationManager.h"
-
-#import "SNTBlockMessage.h"
-#import "SNTConfigurator.h"
-#import "SNTLogging.h"
-#import "SNTStoredEvent.h"
-
-@interface SNTNotificationManager ()
-///  The currently displayed notification
-@property SNTMessageWindowController *currentWindowController;
-
-///  The queue of pending notifications
-@property(readonly) NSMutableArray *pendingNotifications;
-@end
-
-@implementation SNTNotificationManager
-
-static NSString * const silencedNotificationsKey = @"SilencedNotifications";
-
-- (instancetype)init {
-  self = [super init];
-  if (self) {
-    _pendingNotifications = [[NSMutableArray alloc] init];
-  }
-  return self;
-}
-
-- (void)windowDidCloseSilenceHash:(NSString *)hash {
-  if (hash) [self updateSilenceDate:[NSDate date] forHash:hash];
-
-  [self.pendingNotifications removeObject:self.currentWindowController];
-  self.currentWindowController = nil;
-
-  if ([self.pendingNotifications count]) {
-    self.currentWindowController = [self.pendingNotifications firstObject];
-    [self.currentWindowController showWindow:self];
-  } else {
-    [NSApp hide:self];
-  }
-}
-
-- (void)updateSilenceDate:(NSDate *)date forHash:(NSString *)hash {
-  NSUserDefaults *ud = [NSUserDefaults standardUserDefaults];
-  NSMutableDictionary *d = [[ud objectForKey:silencedNotificationsKey] mutableCopy];
-  if (!d) d = [NSMutableDictionary dictionary];
-  if (date) {
-    d[hash] = date;
-  } else {
-    [d removeObjectForKey:hash];
-  }
-  [ud setObject:d forKey:silencedNotificationsKey];
-}
-
-#pragma mark SNTNotifierXPC protocol method
-
-- (void)postClientModeNotification:(SNTClientMode)clientmode {
-  NSUserNotification *un = [[NSUserNotification alloc] init];
-  un.title = @"Santa";
-  un.hasActionButton = NO;
-  NSString *customMsg;
-  switch (clientmode) {
-    case SNTClientModeMonitor:
-      un.informativeText = @"Switching into Monitor mode";
-      customMsg = [[SNTConfigurator configurator] modeNotificationMonitor];
-      customMsg = [SNTBlockMessage stringFromHTML:customMsg];
-      if (customMsg.length) un.informativeText = customMsg;
-      break;
-    case SNTClientModeLockdown:
-      un.informativeText = @"Switching into Lockdown mode";
-      customMsg = [[SNTConfigurator configurator] modeNotificationLockdown];
-      customMsg = [SNTBlockMessage stringFromHTML:customMsg];
-      if (customMsg.length) un.informativeText = customMsg;
-      break;
-    default:
-      return;
-  }
-  [[NSUserNotificationCenter defaultUserNotificationCenter] deliverNotification:un];
-}
-
-- (void)postBlockNotification:(SNTStoredEvent *)event withCustomMessage:(NSString *)message {
-  // See if this binary is already in the list of pending notifications.
-  NSPredicate *predicate =
-      [NSPredicate predicateWithFormat:@"event.fileSHA256==%@", event.fileSHA256];
-  if ([[self.pendingNotifications filteredArrayUsingPredicate:predicate] count]) return;
-
-  // See if this binary is silenced.
-  NSUserDefaults *ud = [NSUserDefaults standardUserDefaults];
-  NSDate *silenceDate = [ud objectForKey:silencedNotificationsKey][event.fileSHA256];
-  if ([silenceDate isKindOfClass:[NSDate class]]) {
-    NSDate *oneDayAgo = [NSDate dateWithTimeIntervalSinceNow:-86400];
-    if ([silenceDate compare:[NSDate date]] == NSOrderedDescending) {
-      LOGI(@"Notification silence: date is in the future, ignoring");
-      [self updateSilenceDate:nil forHash:event.fileSHA256];
-    } else if ([silenceDate compare:oneDayAgo] == NSOrderedAscending) {
-      LOGI(@"Notification silence: date is more than one day ago, ignoring");
-      [self updateSilenceDate:nil forHash:event.fileSHA256];
-    } else {
-      LOGI(@"Notification silence: dropping notification for %@", event.fileSHA256);
-      return;
-    }
-  }
-
-  if (!event) {
-    LOGI(@"Error: Missing event object in message received from daemon!");
-    return;
-  }
-
-  // Notifications arrive on a background thread but UI updates must happen on the main thread.
-  // This includes making windows.
-  dispatch_async(dispatch_get_main_queue(), ^{
-    SNTMessageWindowController *pendingMsg =
-        [[SNTMessageWindowController alloc] initWithEvent:event andMessage:message];
-    pendingMsg.delegate = self;
-    [self.pendingNotifications addObject:pendingMsg];
-
-    // If a notification isn't currently being displayed, display the incoming one.
-    if (!self.currentWindowController) {
-      self.currentWindowController = pendingMsg;
-      [pendingMsg showWindow:nil];
-    }
-  });
-}
-
-- (void)postRuleSyncNotificationWithCustomMessage:(NSString *)message {
-  NSUserNotification *un = [[NSUserNotification alloc] init];
-  un.title = @"Santa";
-  un.hasActionButton = NO;
-  un.informativeText = message ?: @"Requested application can now be run";
-  [[NSUserNotificationCenter defaultUserNotificationCenter] deliverNotification:un];
-}
-
-@end

Source/common/BUILD

@@ -0,0 +1,310 @@
+load("//:helper.bzl", "santa_unit_test")
+load("@rules_proto_grpc//objc:defs.bzl", "objc_proto_library")
+
+package(
+    default_visibility = ["//:santa_package_group"],
+)
+
+licenses(["notice"])
+
+proto_library(
+    name = "santa_proto",
+    srcs = ["santa.proto"],
+    deps = [
+        "@com_google_protobuf//:any_proto",
+        "@com_google_protobuf//:timestamp_proto",
+    ],
+)
+
+objc_proto_library(
+    name = "santa_objc_proto",
+    copts = ["-fno-objc-arc"],
+    non_arc_srcs = ["Santa.pbobjc.m"],
+    protos = [":santa_proto"],
+)
+
+cc_library(
+    name = "SantaCache",
+    hdrs = ["SantaCache.h"],
+    deps = ["//Source/common:SNTCommon"],
+)
+
+santa_unit_test(
+    name = "SantaCacheTest",
+    srcs = [
+        "SantaCache.h",
+        "SantaCacheTest.mm",
+    ],
+    deps = ["//Source/common:SNTCommon"],
+)
+
+objc_library(
+    name = "SNTBlockMessage",
+    srcs = ["SNTBlockMessage.m"],
+    hdrs = ["SNTBlockMessage.h"],
+    deps = [
+        ":SNTConfigurator",
+        ":SNTLogging",
+        ":SNTStoredEvent",
+        ":SNTSystemInfo",
+    ],
+)
+
+objc_library(
+    name = "SNTBlockMessage_SantaGUI",
+    srcs = ["SNTBlockMessage.m"],
+    hdrs = ["SNTBlockMessage.h"],
+    defines = ["SANTAGUI"],
+    deps = [
+        ":SNTConfigurator",
+        ":SNTDeviceEvent",
+        ":SNTLogging",
+        ":SNTStoredEvent",
+        ":SNTSystemInfo",
+    ],
+)
+
+objc_library(
+    name = "SNTCachedDecision",
+    srcs = ["SNTCachedDecision.m"],
+    hdrs = ["SNTCachedDecision.h"],
+    deps = [
+        ":SNTCommon",
+        ":SNTCommonEnums",
+    ],
+)
+
+objc_library(
+    name = "SNTDeviceEvent",
+    srcs = ["SNTDeviceEvent.m"],
+    hdrs = ["SNTDeviceEvent.h"],
+    deps = [
+        ":SNTCommonEnums",
+    ],
+)
+
+objc_library(
+    name = "SNTAllowlistInfo",
+    srcs = ["SNTAllowlistInfo.m"],
+    hdrs = ["SNTAllowlistInfo.h"],
+)
+
+objc_library(
+    name = "SNTCommonEnums",
+    hdrs = ["SNTCommonEnums.h"],
+)
+
+objc_library(
+    name = "SNTConfigurator",
+    srcs = ["SNTConfigurator.m"],
+    hdrs = ["SNTConfigurator.h"],
+    deps = [
+        ":SNTCommonEnums",
+        ":SNTRule",
+        ":SNTStrengthify",
+        ":SNTSystemInfo",
+    ],
+)
+
+objc_library(
+    name = "SNTDropRootPrivs",
+    srcs = ["SNTDropRootPrivs.m"],
+    hdrs = ["SNTDropRootPrivs.h"],
+)
+
+objc_library(
+    name = "SNTFileInfo",
+    srcs = ["SNTFileInfo.m"],
+    hdrs = ["SNTFileInfo.h"],
+    deps = [
+        "@FMDB",
+        "@MOLCodesignChecker",
+    ],
+)
+
+cc_library(
+    name = "SNTCommon",
+    hdrs = ["SNTCommon.h"],
+    defines = [
+        "TARGET_OS_OSX",
+        "TARGET_OS_MAC",
+    ],
+)
+
+objc_library(
+    name = "SNTLogging",
+    srcs = ["SNTLogging.m"],
+    hdrs = ["SNTLogging.h"],
+    deps = [":SNTConfigurator"],
+)
+
+cc_library(
+    name = "SNTPrefixTree",
+    srcs = ["SNTPrefixTree.cc"],
+    hdrs = ["SNTPrefixTree.h"],
+    copts = ["-std=c++11"],
+    deps = [":SNTLogging"],
+)
+
+objc_library(
+    name = "SNTRule",
+    srcs = ["SNTRule.m"],
+    hdrs = ["SNTRule.h"],
+    deps = [
+        ":SNTCommonEnums",
+        ":SNTSyncConstants",
+    ],
+)
+
+santa_unit_test(
+    name = "SNTRuleTest",
+    srcs = ["SNTRuleTest.m"],
+    deps = [":SNTRule"],
+)
+
+objc_library(
+    name = "SNTStoredEvent",
+    srcs = ["SNTStoredEvent.m"],
+    hdrs = ["SNTStoredEvent.h"],
+    deps = [
+        ":SNTCommonEnums",
+        "@MOLCertificate",
+    ],
+)
+
+cc_library(
+    name = "SNTStrengthify",
+    hdrs = ["SNTStrengthify.h"],
+)
+
+objc_library(
+    name = "SNTSyncConstants",
+    srcs = ["SNTSyncConstants.m"],
+    hdrs = ["SNTSyncConstants.h"],
+)
+
+objc_library(
+    name = "SNTSystemInfo",
+    srcs = ["SNTSystemInfo.m"],
+    hdrs = ["SNTSystemInfo.h"],
+    sdk_frameworks = ["IOKit"],
+)
+
+objc_library(
+    name = "SNTXPCBundleServiceInterface",
+    srcs = ["SNTXPCBundleServiceInterface.m"],
+    hdrs = ["SNTXPCBundleServiceInterface.h"],
+    deps = [
+        ":SNTStoredEvent",
+        "@MOLXPCConnection",
+    ],
+)
+
+objc_library(
+    name = "SNTXPCMetricServiceInterface",
+    srcs = ["SNTXPCMetricServiceInterface.m"],
+    hdrs = ["SNTXPCMetricServiceInterface.h"],
+    deps = [
+        "@MOLXPCConnection",
+    ],
+)
+
+objc_library(
+    name = "SNTXPCControlInterface",
+    srcs = ["SNTXPCControlInterface.m"],
+    hdrs = ["SNTXPCControlInterface.h"],
+    defines = select({
+        "//:adhoc_build": ["SANTAADHOC"],
+        "//conditions:default": None,
+    }),
+    deps = [
+        ":SNTCommonEnums",
+        ":SNTConfigurator",
+        ":SNTRule",
+        ":SNTStoredEvent",
+        ":SNTXPCUnprivilegedControlInterface",
+        "@MOLCodesignChecker",
+        "@MOLXPCConnection",
+    ],
+)
+
+objc_library(
+    name = "SNTXPCNotifierInterface",
+    srcs = ["SNTXPCNotifierInterface.m"],
+    hdrs = ["SNTXPCNotifierInterface.h"],
+    deps = [
+        ":SNTCommonEnums",
+        ":SNTXPCBundleServiceInterface",
+    ],
+)
+
+objc_library(
+    name = "SNTMetricSet",
+    srcs = ["SNTMetricSet.m"],
+    hdrs = ["SNTMetricSet.h"],
+    deps = [":SNTCommonEnums"],
+)
+
+objc_library(
+    name = "SNTXPCSyncServiceInterface",
+    srcs = ["SNTXPCSyncServiceInterface.m"],
+    hdrs = ["SNTXPCSyncServiceInterface.h"],
+    deps = [
+        ":SNTCommonEnums",
+        ":SNTStoredEvent",
+        "@MOLXPCConnection",
+    ],
+)
+
+objc_library(
+    name = "SNTXPCUnprivilegedControlInterface",
+    srcs = ["SNTXPCUnprivilegedControlInterface.m"],
+    hdrs = ["SNTXPCUnprivilegedControlInterface.h"],
+    deps = [
+        ":SNTCommon",
+        ":SNTCommonEnums",
+        ":SNTRule",
+        ":SNTStoredEvent",
+        ":SNTXPCBundleServiceInterface",
+        "@MOLCertificate",
+        "@MOLXPCConnection",
+    ],
+)
+
+santa_unit_test(
+    name = "SNTFileInfoTest",
+    srcs = ["SNTFileInfoTest.m"],
+    resources = [
+        "testdata/32bitplist",
+        "testdata/bad_pagezero",
+        "testdata/missing_pagezero",
+    ],
+    structured_resources = glob([
+        "testdata/BundleExample.app/**",
+        "testdata/DirectoryBundle/**",
+    ]),
+    deps = [":SNTFileInfo"],
+)
+
+santa_unit_test(
+    name = "SNTPrefixTreeTest",
+    srcs = ["SNTPrefixTreeTest.mm"],
+    deps = [":SNTPrefixTree"],
+)
+
+santa_unit_test(
+    name = "SNTMetricSetTest",
+    srcs = ["SNTMetricSetTest.m"],
+    deps = [":SNTMetricSet"],
+)
+
+test_suite(
+    name = "unit_tests",
+    tests = [
+        ":SNTFileInfoTest",
+        ":SNTMetricSetTest",
+        ":SNTPrefixTreeTest",
+        ":SantaCacheTest",
+    ],
+    visibility = ["//:santa_package_group"],
+)

Source/common/SNTAllowlistInfo.h

@@ -0,0 +1,32 @@
+/// Copyright 2021 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import <Foundation/Foundation.h>
+
+///
+///  Store information about new allowlist rules for later logging.
+///
+@interface SNTAllowlistInfo : NSObject
+
+@property pid_t pid;
+@property int pidversion;
+@property NSString *targetPath;
+@property NSString *sha256;
+
+- (instancetype)initWithPid:(pid_t)pid
+                 pidversion:(int)pidver
+                 targetPath:(NSString*)targetPath
+                     sha256:(NSString*)hash;
+
+@end

Source/common/SNTAllowlistInfo.m

@@ -1,4 +1,4 @@
-/// Copyright 2015 Google Inc. All rights reserved.
+/// Copyright 2021 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -12,14 +12,21 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTAppDelegate.h"
+#import "Source/common/SNTAllowlistInfo.h"
 
-int main(int argc, const char *argv[]) {
-  @autoreleasepool {
-    NSApplication *app = [NSApplication sharedApplication];
-    SNTAppDelegate *delegate = [[SNTAppDelegate alloc] init];
-    [app setDelegate:delegate];
-    [app finishLaunching];
-    [app run];
+@implementation SNTAllowlistInfo
+
+- (instancetype)initWithPid:(pid_t)pid
+                 pidversion:(int)pidver
+                 targetPath:(NSString *)targetPath
+                     sha256:(NSString *)hash {
+  self = [super init];
+  if (self) {
+    _pid = pid;
+    _pidversion = pidver;
+    _targetPath = targetPath;
+    _sha256 = hash;
   }
+  return self;
 }
+@end

Source/common/SNTBlockMessage.h

@@ -12,18 +12,29 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#ifdef SANTAGUI
+#import <Cocoa/Cocoa.h>
+#else
+#import <Foundation/Foundation.h>
+#endif
+
 @class SNTStoredEvent;
 
 @interface SNTBlockMessage : NSObject
 
 ///
 ///  Return a message suitable for presenting to the user.
-///  Uses either the configured message depending on the event type or a custom message
-///  if the rule that blocked this file included one.
 ///
 ///  In SantaGUI this will return an NSAttributedString with links and formatting included
 ///  while for santad all HTML will be properly stripped.
 ///
++ (NSAttributedString *)formatMessage:(NSString *)message;
+
+///
+///  Uses either the configured message depending on the event type or a custom message
+///  if the rule that blocked this file included one, formatted using
+///  +[SNTBlockMessage formatMessage].
+///
 + (NSAttributedString *)attributedBlockMessageForEvent:(SNTStoredEvent *)event
                                          customMessage:(NSString *)customMessage;
 

Source/common/SNTBlockMessage.m

@@ -12,26 +12,57 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTBlockMessage.h"
+#import "Source/common/SNTBlockMessage.h"
 
-#import "SNTConfigurator.h"
-#import "SNTLogging.h"
-#import "SNTStoredEvent.h"
+#import "Source/common/SNTConfigurator.h"
+#import "Source/common/SNTLogging.h"
+#import "Source/common/SNTStoredEvent.h"
+#import "Source/common/SNTSystemInfo.h"
 
 @implementation SNTBlockMessage
 
-+ (NSAttributedString *)attributedBlockMessageForEvent:(SNTStoredEvent *)event
-                                         customMessage:(NSString *)customMessage {
-  NSString *htmlHeader = @"<html><head><style>"
-      @"body {"
-      @"  font-family: 'Lucida Grande', 'Helvetica', sans-serif;"
-      @"  font-size: 13px;"
-      @"  color: #666;"
-      @"  text-align: center;"
-      @"}"
-      @"</style></head><body>";
++ (NSAttributedString *)formatMessage:(NSString *)message {
+  NSString *htmlHeader =
+    @"<html><head><style>"
+    @"body {"
+    @"  font-family: 'Lucida Grande', 'Helvetica', sans-serif;"
+    @"  font-size: 13px;"
+    @"  color: %@;"
+    @"  text-align: center;"
+    @"}"
+
+    // Supported in beta WebKit. Not sure if it is dynamic when used with NSAttributedString.
+    @"@media (prefers-color-scheme: dark) {"
+    @"  body {"
+    @"    color: #ddd;"
+    @"  }"
+    @"}"
+    @"</style></head><body>";
+
+  // Support Dark Mode. Note, the returned NSAttributedString is static and does not update when
+  // the OS switches modes.
+  NSString *mode = [NSUserDefaults.standardUserDefaults stringForKey:@"AppleInterfaceStyle"];
+  BOOL dark = [mode isEqualToString:@"Dark"];
+  htmlHeader = [NSString stringWithFormat:htmlHeader, dark ? @"#ddd" : @"#333"];
+
   NSString *htmlFooter = @"</body></html>";
 
+  NSString *fullHTML = [NSString stringWithFormat:@"%@%@%@", htmlHeader, message, htmlFooter];
+
+#ifdef SANTAGUI
+  NSData *htmlData = [fullHTML dataUsingEncoding:NSUTF8StringEncoding];
+  return [[NSAttributedString alloc] initWithHTML:htmlData documentAttributes:NULL];
+#else
+  NSString *strippedHTML = [self stringFromHTML:fullHTML];
+  if (!strippedHTML) {
+    return [[NSAttributedString alloc] initWithString:@"This binary has been blocked."];
+  }
+  return [[NSAttributedString alloc] initWithString:strippedHTML];
+#endif
+}
+
++ (NSAttributedString *)attributedBlockMessageForEvent:(SNTStoredEvent *)event
+                                         customMessage:(NSString *)customMessage {
   NSString *message;
   if (customMessage.length) {
     message = customMessage;
@@ -48,19 +79,7 @@
                 @"because it has been deemed malicious.";
     }
   }
-
-  NSString *fullHTML = [NSString stringWithFormat:@"%@%@%@", htmlHeader, message, htmlFooter];
-
-#ifdef NSAppKitVersionNumber10_0
-  NSData *htmlData = [fullHTML dataUsingEncoding:NSUTF8StringEncoding];
-  return [[NSAttributedString alloc] initWithHTML:htmlData documentAttributes:NULL];
-#else
-  NSString *strippedHTML = [self stringFromHTML:fullHTML];
-  if (!strippedHTML) {
-    return [[NSAttributedString alloc] initWithString:@"This binary has been blocked."];
-  }
-  return [[NSAttributedString alloc] initWithString:strippedHTML];
-#endif
+  return [SNTBlockMessage formatMessage:message];
 }
 
 + (NSString *)stringFromHTML:(NSString *)html {
@@ -75,13 +94,14 @@
 
   // Strip any HTML tags out of the message. Also remove any content inside <style> tags and
   // replace <br> elements with a newline.
-  NSString *stripXslt = @"<?xml version='1.0' encoding='utf-8'?>"
-      @"<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
-      @"                              xmlns:xhtml='http://www.w3.org/1999/xhtml'>"
-      @"<xsl:output method='text'/>"
-      @"<xsl:template match='br'><xsl:text>\n</xsl:text></xsl:template>"
-      @"<xsl:template match='style'/>"
-      @"</xsl:stylesheet>";
+  NSString *stripXslt =
+    @"<?xml version='1.0' encoding='utf-8'?>"
+    @"<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
+    @"                              xmlns:xhtml='http://www.w3.org/1999/xhtml'>"
+    @"<xsl:output method='text'/>"
+    @"<xsl:template match='br'><xsl:text>\n</xsl:text></xsl:template>"
+    @"<xsl:template match='style'/>"
+    @"</xsl:stylesheet>";
   NSData *data = [xml objectByApplyingXSLTString:stripXslt arguments:NULL error:&error];
   if (error || ![data isKindOfClass:[NSData class]]) {
     return html;
@@ -92,25 +112,23 @@
 + (NSURL *)eventDetailURLForEvent:(SNTStoredEvent *)event {
   SNTConfigurator *config = [SNTConfigurator configurator];
 
-  NSString *formatStr, *versionStr;
-  if (config.eventDetailBundleURL.length && event.fileBundleID) {
-    formatStr = config.eventDetailBundleURL;
-    versionStr = event.fileBundleVersion;
-    if (!versionStr) versionStr = event.fileBundleVersionString;
-
-    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%bundle_id%"
-                                                     withString:event.fileBundleID];
-    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%bundle_ver%"
-                                                     withString:versionStr];
-  } else {
-    formatStr = config.eventDetailURL;
-  }
-
+  NSString *hostname = [SNTSystemInfo longHostname];
+  NSString *uuid = [SNTSystemInfo hardwareUUID];
+  NSString *serial = [SNTSystemInfo serialNumber];
+  NSString *formatStr = config.eventDetailURL;
   if (!formatStr.length) return nil;
 
   if (event.fileSHA256) {
-    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%file_sha%"
+    // This key is deprecated, use %file_identifier% or %bundle_or_file_identifier%
+    formatStr =
+      [formatStr stringByReplacingOccurrencesOfString:@"%file_sha%"
+                                           withString:event.fileBundleHash ?: event.fileSHA256];
+
+    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%file_identifier%"
                                                      withString:event.fileSHA256];
+    formatStr =
+      [formatStr stringByReplacingOccurrencesOfString:@"%bundle_or_file_identifier%"
+                                           withString:event.fileBundleHash ?: event.fileSHA256];
   }
   if (event.executingUser) {
     formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%username%"
@@ -120,6 +138,15 @@
     formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%machine_id%"
                                                      withString:config.machineID];
   }
+  if (hostname.length) {
+    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%hostname%" withString:hostname];
+  }
+  if (uuid.length) {
+    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%uuid%" withString:uuid];
+  }
+  if (serial.length) {
+    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%serial%" withString:serial];
+  }
 
   return [NSURL URLWithString:formatStr];
 }

Source/common/SNTCachedDecision.h

@@ -12,19 +12,28 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTCommonEnums.h"
+#import <Foundation/Foundation.h>
+
+#import "Source/common/SNTCommonEnums.h"
+#import "Source/common/SNTCommon.h"
+
+@class MOLCertificate;
 
 ///
 ///  Store information about executions from decision making for later logging.
 ///
 @interface SNTCachedDecision : NSObject
 
-@property uint64_t vnodeId;
+@property santa_vnode_id_t vnodeId;
 @property SNTEventState decision;
 @property NSString *decisionExtra;
 @property NSString *sha256;
+
 @property NSString *certSHA256;
 @property NSString *certCommonName;
+@property NSArray<MOLCertificate *> *certChain;
+@property NSString *teamID;
+
 @property NSString *quarantineURL;
 
 @property NSString *customMsg;

Source/common/SNTCachedDecision.m

@@ -12,7 +12,7 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTCachedDecision.h"
+#import "Source/common/SNTCachedDecision.h"
 
 @implementation SNTCachedDecision
 @end

Source/common/SNTCommon.h

@@ -13,46 +13,19 @@
 ///    limitations under the License.
 
 ///
-/// Common defines between kernel <-> userspace
+/// Common defines between daemon <-> client
 ///
 
+#ifndef SANTA__COMMON__COMMON_H
+#define SANTA__COMMON__COMMON_H
+
+#include <stdint.h>
 #include <sys/param.h>
 
-#ifndef SANTA__COMMON__KERNELCOMMON_H
-#define SANTA__COMMON__KERNELCOMMON_H
-
-// Defines the lengths of paths and Vnode IDs passed around.
-#define MAX_VNODE_ID_STR 21  // digits in UINT64_MAX + 1 for NULL-terminator
-
-// Defines the name of the userclient class and the driver bundle ID.
-#define USERCLIENT_CLASS "com_google_SantaDriver"
-#define USERCLIENT_ID "com.google.santa-driver"
-
 // Branch prediction
-#define likely(x)   __builtin_expect(!!(x), 1)
+#define likely(x) __builtin_expect(!!(x), 1)
 #define unlikely(x) __builtin_expect(!!(x), 0)
 
-// List of methods supported by the driver.
-enum SantaDriverMethods {
-  kSantaUserClientOpen,
-  kSantaUserClientAllowBinary,
-  kSantaUserClientDenyBinary,
-  kSantaUserClientClearCache,
-  kSantaUserClientCacheCount,
-  kSantaUserClientCheckCache,
-
-  // Any methods supported by the driver should be added above this line to
-  // ensure this remains the count of methods.
-  kSantaUserClientNMethods,
-};
-
-typedef enum {
-  QUEUETYPE_DECISION,
-  QUEUETYPE_LOG
-} santa_queuetype_t;
-
-// Enum defining actions that can be passed down the IODataQueue and in
-// response methods.
 typedef enum {
   ACTION_UNSET = 0,
 
@@ -63,6 +36,12 @@ typedef enum {
   // RESPONSES
   ACTION_RESPOND_ALLOW = 20,
   ACTION_RESPOND_DENY = 21,
+  ACTION_RESPOND_TOOLONG = 22,
+  ACTION_RESPOND_ACK = 23,
+  ACTION_RESPOND_ALLOW_COMPILER = 24,
+  // The following response is stored only in the kernel decision cache.
+  // It is removed by SNTCompilerController
+  ACTION_RESPOND_ALLOW_PENDING_TRANSITIVE = 25,
 
   // NOTIFY
   ACTION_NOTIFY_EXEC = 30,
@@ -71,29 +50,53 @@ typedef enum {
   ACTION_NOTIFY_LINK = 33,
   ACTION_NOTIFY_EXCHANGE = 34,
   ACTION_NOTIFY_DELETE = 35,
+  ACTION_NOTIFY_WHITELIST = 36,
+  ACTION_NOTIFY_FORK = 37,
+  ACTION_NOTIFY_EXIT = 38,
 
   // ERROR
   ACTION_ERROR = 99,
 } santa_action_t;
 
-#define RESPONSE_VALID(x) \
-  (x == ACTION_RESPOND_ALLOW || x == ACTION_RESPOND_DENY)
+#define RESPONSE_VALID(x)                                   \
+  (x == ACTION_RESPOND_ALLOW || x == ACTION_RESPOND_DENY || \
+   x == ACTION_RESPOND_ALLOW_COMPILER ||                    \
+   x == ACTION_RESPOND_ALLOW_PENDING_TRANSITIVE)
+
+// Struct to manage vnode IDs
+typedef struct santa_vnode_id_t {
+  uint64_t fsid;
+  uint64_t fileid;
+
+#ifdef __cplusplus
+  bool operator==(const santa_vnode_id_t &rhs) const {
+    return fsid == rhs.fsid && fileid == rhs.fileid;
+  }
+#endif
+} santa_vnode_id_t;
 
-// Message struct that is sent down the IODataQueue.
 typedef struct {
   santa_action_t action;
-  uint64_t vnode_id;
+  santa_vnode_id_t vnode_id;
   uid_t uid;
   gid_t gid;
   pid_t pid;
+  int pidversion;
   pid_t ppid;
   char path[MAXPATHLEN];
   char newpath[MAXPATHLEN];
+  char ttypath[MAXPATHLEN];
   // For file events, this is the process name.
   // For exec requests, this is the parent process name.
   // While process names can technically be 4*MAXPATHLEN, that never
   // actually happens, so only take MAXPATHLEN and throw away any excess.
   char pname[MAXPATHLEN];
+
+  // This points to a copy of the original ES message.
+  void *es_message;
+
+  // This points to an NSArray of the process arguments.
+  void *args_array;
 } santa_message_t;
 
-#endif  // SANTA__COMMON__KERNELCOMMON_H
+#endif  // SANTA__COMMON__COMMON_H

Source/common/SNTCommonEnums.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Foundation/Foundation.h>
+
 ///
 ///  These enums are used in various places throughout the Santa client code.
 ///  The integer values are also stored in the database and so shouldn't be changed.
@@ -22,15 +24,19 @@ typedef NS_ENUM(NSInteger, SNTRuleType) {
 
   SNTRuleTypeBinary = 1,
   SNTRuleTypeCertificate = 2,
+  SNTRuleTypeTeamID = 3,
 };
 
 typedef NS_ENUM(NSInteger, SNTRuleState) {
   SNTRuleStateUnknown,
 
-  SNTRuleStateWhitelist = 1,
-  SNTRuleStateBlacklist = 2,
-  SNTRuleStateSilentBlacklist = 3,
+  SNTRuleStateAllow = 1,
+  SNTRuleStateBlock = 2,
+  SNTRuleStateSilentBlock = 3,
   SNTRuleStateRemove = 4,
+
+  SNTRuleStateAllowCompiler = 5,
+  SNTRuleStateAllowTransitive = 6,
 };
 
 typedef NS_ENUM(NSInteger, SNTClientMode) {
@@ -50,12 +56,17 @@ typedef NS_ENUM(NSInteger, SNTEventState) {
   SNTEventStateBlockBinary = 1 << 17,
   SNTEventStateBlockCertificate = 1 << 18,
   SNTEventStateBlockScope = 1 << 19,
+  SNTEventStateBlockTeamID = 1 << 20,
 
   // Bits 24-31 store allow decision types
   SNTEventStateAllowUnknown = 1 << 24,
   SNTEventStateAllowBinary = 1 << 25,
   SNTEventStateAllowCertificate = 1 << 26,
   SNTEventStateAllowScope = 1 << 27,
+  SNTEventStateAllowCompiler = 1 << 28,
+  SNTEventStateAllowTransitive = 1 << 29,
+  SNTEventStateAllowPendingTransitive = 1 << 30,
+  SNTEventStateAllowTeamID = 1 << 31,
 
   // Block and Allow masks
   SNTEventStateBlock = 0xFF << 16,
@@ -66,10 +77,48 @@ typedef NS_ENUM(NSInteger, SNTRuleTableError) {
   SNTRuleTableErrorEmptyRuleArray,
   SNTRuleTableErrorInsertOrReplaceFailed,
   SNTRuleTableErrorInvalidRule,
-  SNTRuleTableErrorMissingRequiredRule,
   SNTRuleTableErrorRemoveFailed
 };
 
-static const char *kKextPath = "/Library/Extensions/santa-driver.kext";
-static const char *kSantaDPath = "/Library/Extensions/santa-driver.kext/Contents/MacOS/santad";
-static const char *kSantaCtlPath = "/Library/Extensions/santa-driver.kext/Contents/MacOS/santactl";
+// This enum type is used to indicate what should be done with the related bundle events that are
+// generated when an initiating blocked bundle event occurs.
+typedef NS_ENUM(NSInteger, SNTBundleEventAction) {
+  SNTBundleEventActionDropEvents,
+  SNTBundleEventActionStoreEvents,
+  SNTBundleEventActionSendEvents,
+};
+
+// Indicates where to store event logs.
+typedef NS_ENUM(NSInteger, SNTEventLogType) {
+  SNTEventLogTypeSyslog,
+  SNTEventLogTypeFilelog,
+  SNTEventLogTypeProtobuf,
+  SNTEventLogTypeNull,
+};
+
+// The return status of a sync.
+typedef NS_ENUM(NSInteger, SNTSyncStatusType) {
+  SNTSyncStatusTypeSuccess,
+  SNTSyncStatusTypePreflightFailed,
+  SNTSyncStatusTypeEventUploadFailed,
+  SNTSyncStatusTypeRuleDownloadFailed,
+  SNTSyncStatusTypePostflightFailed,
+  SNTSyncStatusTypeTooManySyncsInProgress,
+  SNTSyncStatusTypeMissingSyncBaseURL,
+  SNTSyncStatusTypeMissingMachineID,
+  SNTSyncStatusTypeDaemonTimeout,
+  SNTSyncStatusTypeSyncStarted,
+  SNTSyncStatusTypeUnknown,
+};
+
+typedef NS_ENUM(NSInteger, SNTMetricFormatType) {
+  SNTMetricFormatTypeUnknown,
+  SNTMetricFormatTypeRawJSON,
+  SNTMetricFormatTypeMonarchJSON,
+};
+
+static const char *kSantaDPath =
+  "/Applications/Santa.app/Contents/Library/SystemExtensions/"
+  "com.google.santa.daemon.systemextension/Contents/MacOS/com.google.santa.daemon";
+static const char *kSantaCtlPath = "/Applications/Santa.app/Contents/MacOS/santactl";
+static const char *kSantaAppPath = "/Applications/Santa.app";

Source/common/SNTConfigurator.h

@@ -12,23 +12,95 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTCommonEnums.h"
+#import <Foundation/Foundation.h>
+
+#import "Source/common/SNTCommonEnums.h"
+
+@class SNTRule;
 
 ///
 ///  Singleton that provides an interface for managing configuration values on disk
 ///  @note This class is designed as a singleton but that is not strictly enforced.
+///  @note All properties are KVO compliant.
 ///
 @interface SNTConfigurator : NSObject
 
-///  Default config file path
-extern NSString *const kDefaultConfigFilePath;
-
 #pragma mark - Daemon Settings
 
 ///
-///  The operating mode.
+///  The operating mode. Defaults to MONITOR.
 ///
-@property(nonatomic) SNTClientMode clientMode;
+@property(readonly, nonatomic) SNTClientMode clientMode;
+
+///
+///  Set the operating mode as received from a sync server.
+///
+- (void)setSyncServerClientMode:(SNTClientMode)newMode;
+
+///
+///  Enable Fail Close mode. Defaults to NO.
+///  This controls Santa's behavior when a failure occurs, such as an
+///  inability to read a file. By default, to prevent bugs or misconfiguration
+///  from rendering a machine inoperable Santa will fail open and allow
+///  execution. With this setting enabled, Santa will fail closed if the client
+///  is in LOCKDOWN mode, offering a higher level of security but with a higher
+///  potential for causing problems.
+///
+@property(readonly, nonatomic) BOOL failClosed;
+
+///
+///  A set of static rules that should always apply. These can be used as a
+///  fallback set of rules for management tools that should always be allowed to
+///  run even if a sync server does something unexpected. It can also be used
+///  as the sole source of rules, distributed with an MDM.
+///
+///  The value of this key should be an array containing dictionaries. Each
+///  dictionary should contain the same keys used for syncing, e.g:
+///
+///  <key>StaticRules</key>
+///  <array>
+///    <dict>
+///      <key>identifier</key>
+///      <string>binary sha256, certificate sha256, team ID</string>
+///      <key>rule_type</key>
+///      <string>BINARY</string>  (one of BINARY, CERTIFICATE or TEAMID)
+///      <key>policy</key>
+///      <string>BLOCKLIST</string>  (one of ALLOWLIST, ALLOWLIST_COMPILER, BLOCKLIST, SILENT_BLOCKLIST)
+///    </dict>
+///  </array>
+///
+///  The return of this property is a dictionary where the keys are the
+///  identifiers of each rule, with the SNTRule as a value
+///
+@property(readonly, nonatomic) NSDictionary<NSString *, SNTRule *> *staticRules;
+
+///
+///  The regex of allowed paths. Regexes are specified in ICU format.
+///
+///  The regex flags IXSM can be used, though the s (dotall) and m (multiline) flags are
+///  pointless as a path only ever has a single line.
+///  If the regex doesn't begin with ^ to match from the beginning of the line, it will be added.
+///
+@property(readonly, nonatomic) NSRegularExpression *allowedPathRegex;
+
+///
+///  Set the regex of allowed paths as received from a sync server.
+///
+- (void)setSyncServerAllowedPathRegex:(NSRegularExpression *)re;
+
+///
+///  The regex of blocked paths. Regexes are specified in ICU format.
+///
+///  The regex flags IXSM can be used, though the s (dotall) and m (multiline) flags are
+///  pointless as a path only ever has a single line.
+///  If the regex doesn't begin with ^ to match from the beginning of the line, it will be added.
+///
+@property(readonly, nonatomic) NSRegularExpression *blockedPathRegex;
+
+///
+///  Set the regex of blocked paths as received from a sync server.
+///
+- (void)setSyncServerBlockedPathRegex:(NSRegularExpression *)re;
 
 ///
 ///  The regex of paths to log file changes for. Regexes are specified in ICU format.
@@ -37,25 +109,58 @@ extern NSString *const kDefaultConfigFilePath;
 ///  pointless as a path only ever has a single line.
 ///  If the regex doesn't begin with ^ to match from the beginning of the line, it will be added.
 ///
-@property(nonatomic) NSRegularExpression *fileChangesRegex;
+@property(readonly, nonatomic) NSRegularExpression *fileChangesRegex;
 
 ///
-///  The regex of whitelisted paths. Regexes are specified in ICU format.
+///  A list of ignore prefixes which are checked in-kernel.
+///  This is more performant than FileChangesRegex when ignoring whole directory trees.
 ///
-///  The regex flags IXSM can be used, though the s (dotall) and m (multiline) flags are
-///  pointless as a path only ever has a single line.
-///  If the regex doesn't begin with ^ to match from the beginning of the line, it will be added.
+///  For example adding a prefix of "/private/tmp/" will turn off file change log generation
+///  in-kernel for that entire tree. Since they are ignored by the kernel, they never reach santad
+///  and are not seen by the fileChangesRegex. Note the trailing "/", without it any file or
+///  directory starting with "/private/tmp" would be ignored.
 ///
-@property(nonatomic) NSRegularExpression *whitelistPathRegex;
-
+///  By default "/." and "/dev/" are added.
 ///
-///  The regex of blacklisted paths. Regexes are specified in ICU format.
+///  Memory in the kernel is precious. A total of MAXPATHLEN (1024) nodes are allowed.
+///  Using all 1024 nodes will result in santa-driver allocating ~2MB of wired memory.
+///  An ASCII character uses 1 node. An UTF-8 encoded Unicode character uses 1-4 nodes.
+///  Prefixes are added to the running config in-order, one by one. The prefix will be ignored if
+///  (the running config's current size) + (the prefix's size) totals up to more than 1024 nodes.
+///  The running config is stored in a prefix tree.
+///  Prefixes that share prefixes are effectively de-duped; their shared node sized components only
+///  take up 1 node. For example these 3 prefixes all have a common prefix of "/private/".
+///  They will only take up 21 nodes instead of 39.
 ///
-///  The regex flags IXSM can be used, though the s (dotall) and m (multiline) flags are
-///  pointless as a path only ever has a single line.
-///  If the regex doesn't begin with ^ to match from the beginning of the line, it will be added.
+///  "/private/tmp/"
+///  "/private/var/"
+///  "/private/new/"
 ///
-@property(nonatomic) NSRegularExpression *blacklistPathRegex;
+///                                                              -> [t] -> [m] -> [p] -> [/]
+///
+///  [/] -> [p] -> [r] -> [i] -> [v] -> [a] -> [t] -> [e] -> [/] -> [v] -> [a] -> [r] -> [/]
+///
+///                                                              -> [n] -> [e] -> [w] -> [/]
+///
+///  Prefixes with Unicode characters work similarly. Assuming a UTF-8 encoding these two prefixes
+///  are actually the same for the first 3 nodes. They take up 7 nodes instead of 10.
+///
+///  "/🤘"
+///  "/🖖"
+///
+///                          -> [0xa4] -> [0x98]
+///
+///  [/] -> [0xf0] -> [0x9f]
+///
+///                          -> [0x96] -> [0x96]
+///
+///  To disable file change logging completely add "/".
+///  TODO(bur): Make this default if no FileChangesRegex is set.
+///
+///  Filters are only applied on santad startup.
+///  TODO(bur): Support add / remove of filters while santad is running.
+///
+@property(readonly, nonatomic) NSArray *fileChangesPrefixFilters;
 
 ///
 ///  Enable __PAGEZERO protection, defaults to YES
@@ -64,8 +169,98 @@ extern NSString *const kDefaultConfigFilePath;
 ///
 @property(readonly, nonatomic) BOOL enablePageZeroProtection;
 
+///
+///  Enable bad signature protection, defaults to NO.
+///  When enabled, a binary that is signed but has a bad signature (cert revoked, binary
+///  tampered with, etc.) will be blocked regardless of client-mode unless a binary allowlist
+///  rule exists.
+///
+@property(readonly, nonatomic) BOOL enableBadSignatureProtection;
+
+///
+///  Defines how event logs are stored. Options are:
+///    SNTEventLogTypeSyslog "syslog": Sent to ASL or ULS (if built with the 10.12 SDK or later).
+///    SNTEventLogTypeFilelog "file": Sent to a file on disk. Use eventLogPath to specify a path.
+///    SNTEventLogTypeNull "null": Logs nothing
+///    SNTEventLogTypeProtobuf "protobuf": (BETA) Sent to a file on disk, using maildir format. Use
+///      mailDirectory to specify a path. Use mailDirectoryFileSizeThresholdKB,
+///      mailDirectorySizeThresholdMB and mailDirectoryEventMaxFlushTimeSec to configure
+///      additional maildir format settings.
+///    Defaults to SNTEventLogTypeFilelog.
+///    For mobileconfigs use EventLogType as the key and syslog or filelog strings as the value.
+///
+///  @note: This property is KVO compliant, but should only be read once at santad startup.
+///
+@property(readonly, nonatomic) SNTEventLogType eventLogType;
+
+///
+///  If eventLogType is set to Filelog, eventLogPath will provide the path to save logs.
+///  Defaults to /var/db/santa/santa.log.
+///
+///  @note: This property is KVO compliant, but should only be read once at santad startup.
+///
+@property(readonly, nonatomic) NSString *eventLogPath;
+
+///
+///  If eventLogType is set to protobuf, mailDirectory will provide the base path used for
+///  saving logs using the maildir format.
+///  Defaults to /var/db/santa/mail.
+///
+///  @note: This property is KVO compliant, but should only be read once at santad startup.
+///
+@property(readonly, nonatomic) NSString *mailDirectory;
+
+///
+///  If eventLogType is set to protobuf, mailDirectoryFileSizeThresholdKB sets the per-file size
+///  limit for files saved in the mailDirectory.
+///  Defaults to 100.
+///
+///  @note: This property is KVO compliant, but should only be read once at santad startup.
+///
+@property(readonly, nonatomic) NSUInteger mailDirectoryFileSizeThresholdKB;
+
+///
+///  If eventLogType is set to protobuf, mailDirectorySizeThresholdMB sets the total size
+///  limit for all files saved in the mailDirectory.
+///  Defaults to 500.
+///
+///  @note: This property is KVO compliant, but should only be read once at santad startup.
+///
+@property(readonly, nonatomic) NSUInteger mailDirectorySizeThresholdMB;
+
+///
+///  If eventLogType is set to protobuf, mailDirectoryEventMaxFlushTimeSec sets the maximum amount
+///  of time an event will be stored in memory before being written to disk.
+///  Defaults to 5.0.
+///
+///  @note: This property is KVO compliant, but should only be read once at santad startup.
+///
+@property(readonly, nonatomic) float mailDirectoryEventMaxFlushTimeSec;
+
+///
+/// Enabling this appends the Santa machine ID to the end of each log line. If nothing
+/// has been overriden, this is the host's UUID.
+/// Defaults to NO.
+///
+@property(readonly, nonatomic) BOOL enableMachineIDDecoration;
+
+///
+///  Use an internal cache for decisions instead of relying on the caching
+///  mechanism built-in to the EndpointSecurity framework. This may increase
+///  performance, particularly when Santa is run alongside other system
+///  extensions.
+///  Has no effect if the system extension is not being used. Defaults to NO.
+///
+@property(readonly, nonatomic) BOOL enableSysxCache;
+
 #pragma mark - GUI Settings
 
+///
+/// The text to display when opening Santa.app.
+/// If unset, the default text will be displayed.
+///
+@property(readonly, nonatomic) NSString *aboutText;
+
 ///
 ///  The URL to open when the user clicks "More Info..." when opening Santa.app.
 ///  If unset, the button will not be displayed.
@@ -75,8 +270,6 @@ extern NSString *const kDefaultConfigFilePath;
 ///
 ///  When the user gets a block notification, a button can be displayed which will
 ///  take them to a web page with more information about that event.
-///  There are two properties, one for individual binaries and one for binaries that are part
-///  of a bundle. If the latter is not set the former will be used.
 ///
 ///  This property contains a kind of format string to be turned into the URL to send them to.
 ///  The following sequences will be replaced in the final URL:
@@ -84,15 +277,15 @@ extern NSString *const kDefaultConfigFilePath;
 ///  %file_sha%    -- SHA-256 of the file that was blocked.
 ///  %machine_id%  -- ID of the machine.
 ///  %username%    -- executing user.
-///  %bundle_id%   -- bundle id of the binary, if applicable.
-///  %bundle_ver%  -- bundle version of the binary, if applicable.
+///  %serial%      -- System's serial number.
+///  %uuid%        -- System's UUID.
+///  %hostname%    -- System's full hostname.
 ///
 ///  @note: This is not an NSURL because the format-string parsing is done elsewhere.
 ///
 ///  If this item isn't set, the Open Event button will not be displayed.
 ///
 @property(readonly, nonatomic) NSString *eventDetailURL;
-@property(readonly, nonatomic) NSString *eventDetailBundleURL;
 
 ///
 ///  Related to the above property, this string represents the text to show on the button.
@@ -112,6 +305,20 @@ extern NSString *const kDefaultConfigFilePath;
 ///
 @property(readonly, nonatomic) NSString *bannedBlockMessage;
 
+///
+/// This is the message shown to the user when a USB storage device's mount is denied
+/// from the BlockUSB configuration setting. If not configured, a reasonable
+/// default is provided.
+///
+@property(readonly, nonatomic) NSString *bannedUSBBlockMessage;
+
+///
+/// This is the message shown to the user when a USB storage device's mount is forcibly
+/// remounted to a different set of permissions from the BlockUSB and RemountUSBMode
+/// configuration settings. If not configured, a reasonable default is provided.
+///
+@property(readonly, nonatomic) NSString *remountUSBBlockMessage;
+
 ///
 ///  The notification text to display when the client goes into MONITOR mode.
 ///  Defaults to "Switching into Monitor mode"
@@ -132,10 +339,12 @@ extern NSString *const kDefaultConfigFilePath;
 @property(readonly, nonatomic) NSURL *syncBaseURL;
 
 ///
-///  If YES, mid-execution event uploads are skipped.
-///  This property is never stored on disk.
+///  Proxy settings for syncing.
+///  This dictionary is passed directly to NSURLSession. The allowed keys
+///  are loosely documented at
+///  https://developer.apple.com/documentation/cfnetwork/global_proxy_settings_constants.
 ///
-@property BOOL syncBackOff;
+@property(readonly, nonatomic) NSDictionary *syncProxyConfig;
 
 ///
 ///  The machine owner.
@@ -143,20 +352,57 @@ extern NSString *const kDefaultConfigFilePath;
 @property(readonly, nonatomic) NSString *machineOwner;
 
 ///
-///  The last date of successful sync.
+///  The last date of a successful full sync.
 ///
-@property(nonatomic) NSDate *syncLastSuccess;
+@property(nonatomic) NSDate *fullSyncLastSuccess;
+
+///
+///  The last date of a successful rule sync.
+///
+@property(nonatomic) NSDate *ruleSyncLastSuccess;
 
 ///
 ///  If YES a clean sync is required.
 ///
 @property(nonatomic) BOOL syncCleanRequired;
 
+///
+/// USB Mount Blocking. Defaults to false.
+///
+@property(nonatomic) BOOL blockUSBMount;
+
+///
+/// Comma-seperated `$ mount -o` arguments used for forced remounting of USB devices. Default
+/// to fully allow/deny without remounting if unset.
+///
+@property(nonatomic) NSArray<NSString *> *remountUSBMode;
+
+///
+/// When `blockUSBMount` is set, this is the message shown to the user when a device is blocked
+/// If this message is not configured, a reasonable default is provided.
+///
+@property(readonly, nonatomic) NSString *usbBlockMessage;
+
 ///
 ///  If set, this over-rides the default machine ID used for syncing.
 ///
 @property(readonly, nonatomic) NSString *machineID;
 
+///
+///  If YES, enables bundle detection for blocked events. This property is not stored on disk.
+///  Its value is set by a sync server that supports bundles. Defaults to NO.
+///
+@property BOOL enableBundles;
+
+#pragma mark Transitive Allowlist Settings
+
+///
+///  If YES, binaries marked with SNTRuleStateAllowCompiler rules are allowed to transitively
+///  allow any executables that they produce.  If NO, SNTRuleStateAllowCompiler rules are
+///  interpreted as if they were simply SNTRuleStateAllow rules.  Defaults to NO.
+///
+@property BOOL enableTransitiveRules;
+
 #pragma mark Server Auth Settings
 
 ///
@@ -194,21 +440,106 @@ extern NSString *const kDefaultConfigFilePath;
 ///
 @property(readonly, nonatomic) NSString *syncClientAuthCertificateIssuer;
 
+///
+///  If true, syncs will upload events when a clean sync is requested. Defaults to false.
+///
+@property(readonly, nonatomic) BOOL enableCleanSyncEventUpload;
+
+///
+///  If true, events will be uploaded for all executions, even those that are allowed.
+///  Use with caution, this generates a lot of events. Defaults to false.
+///
+@property(nonatomic) BOOL enableAllEventUpload;
+
+///
+///  If true, events will *not* be uploaded for ALLOW_UNKNOWN events for clients in Monitor mode.
+///
+@property(nonatomic) BOOL disableUnknownEventUpload;
+
+///
+///  If true, forks and exits will be logged. Defaults to false.
+///
+@property(readonly, nonatomic) BOOL enableForkAndExitLogging;
+
+///
+///  If true, ignore actions from other endpoint security clients. Defaults to false. This only
+///  applies when running as a sysx.
+///
+@property(readonly, nonatomic) BOOL ignoreOtherEndpointSecurityClients;
+
+///
+///  If true, debug logging will be enabled for all Santa components. Defaults to false.
+///  Passing --debug as an executable argument will enable debug logging for that specific
+///  component.
+///
+@property(readonly, nonatomic) BOOL enableDebugLogging;
+
+///
+///  If true, compressed requests from "santactl sync" will set "Content-Encoding" to "zlib"
+///  instead of the new default "deflate". If syncing with Upvote deployed at commit 0b4477d
+///  or below, set this option to true.
+///  Defaults to false.
+///
+@property(readonly, nonatomic) BOOL enableBackwardsCompatibleContentEncoding;
+
+///
+///  Contains the FCM project name.
+///
+@property(readonly, nonatomic) NSString *fcmProject;
+
+///
+///  Contains the FCM project entity.
+///
+@property(readonly, nonatomic) NSString *fcmEntity;
+
+///
+///  Contains the FCM project API key.
+///
+@property(readonly, nonatomic) NSString *fcmAPIKey;
+
+///
+///  True if fcmProject, fcmEntity and fcmAPIKey are all set. Defaults to false.
+///
+@property(readonly, nonatomic) BOOL fcmEnabled;
+
+///
+/// True if metricsFormat and metricsURL are set. False otherwise.
+///
+@property(readonly, nonatomic) BOOL exportMetrics;
+
+///
+/// Format to export Metrics as.
+///
+@property(readonly, nonatomic) SNTMetricFormatType metricFormat;
+
+///
+/// URL describing where metrics are exported, defaults to nil.
+///
+@property(readonly, nonatomic) NSURL *metricURL;
+
+///
+/// Extra Metric Labels to add to the metrics payloads.
+///
+@property(readonly, nonatomic) NSDictionary *extraMetricLabels;
+
+///
+/// Duration in seconds of how often the metrics should be exported.
+///
+@property(readonly, nonatomic) NSUInteger metricExportInterval;
+
+///
+/// Duration in seconds for metrics export timeout. Defaults to 30;
+///
+@property(readonly, nonatomic) NSUInteger metricExportTimeout;
+
 ///
 ///  Retrieve an initialized singleton configurator object using the default file path.
 ///
 + (instancetype)configurator;
 
 ///
-///  Designated initializer.
+///  Clear the sync server configuration from the effective configuration.
 ///
-///  @param filePath The path to the file to use as a backing store.
-///
-- (instancetype)initWithFilePath:(NSString *)filePath;
-
-///
-///  Re-read config data from disk.
-///
-- (void)reloadConfigData;
+- (void)clearSyncState;
 
 @end

Source/common/SNTDeviceEvent.h

@@ -0,0 +1,27 @@
+/// Copyright 2022 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import <Foundation/Foundation.h>
+
+@interface SNTDeviceEvent : NSObject <NSSecureCoding>
+
+- (instancetype)initWithOnName:(NSString *)mntonname fromName:(NSString *)mntfromname;
+
+@property NSString *mntonname;
+@property NSString *mntfromname;
+@property NSArray<NSString *> *remountArgs;
+
+- (NSString *)readableRemountArgs;
+
+@end

Source/common/SNTDeviceEvent.m

@@ -0,0 +1,63 @@
+#import "Source/common/SNTDeviceEvent.h"
+
+@implementation SNTDeviceEvent
+
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wobjc-literal-conversion"
+
+#define ENCODE(obj, key) \
+  if (obj) [coder encodeObject:obj forKey:key]
+#define DECODE(cls, key) [decoder decodeObjectOfClass:[cls class] forKey:key]
+#define DECODEARRAY(cls, key)                                                             \
+  [decoder decodeObjectOfClasses:[NSSet setWithObjects:[NSArray class], [cls class], nil] \
+                          forKey:key]
+
+- (instancetype)initWithOnName:(NSString *)mntonname fromName:(NSString *)mntfromname {
+  self = [super init];
+  if (self) {
+    _mntonname = mntonname;
+    _mntfromname = mntfromname;
+  }
+  return self;
+}
+
++ (BOOL)supportsSecureCoding {
+  return YES;
+}
+
+- (void)encodeWithCoder:(NSCoder *)coder {
+  ENCODE(self.mntonname, @"mntonname");
+  ENCODE(self.mntfromname, @"mntfromname");
+  ENCODE(self.remountArgs, @"remountArgs");
+}
+
+- (instancetype)initWithCoder:(NSCoder *)decoder {
+  self = [super init];
+  if (self) {
+    _mntonname = DECODE(NSString, @"mntonname");
+    _mntfromname = DECODE(NSString, @"mntfromname");
+    _remountArgs = DECODEARRAY(NSString, @"remountArgs");
+  }
+  return self;
+}
+- (NSString *)description {
+  return [NSString stringWithFormat:@"SNTDeviceEvent '%@' -> '%@' (with permissions: [%@]",
+                                    self.mntfromname, self.mntonname,
+                                    [self.remountArgs componentsJoinedByString:@", "]];
+}
+
+- (NSString *)readableRemountArgs {
+  NSMutableArray<NSString *> *readable = [NSMutableArray array];
+  for (NSString *arg in self.remountArgs) {
+    if ([arg isEqualToString:@"rdonly"]) {
+      [readable addObject:@"read-only"];
+    } else if ([arg isEqualToString:@"noexec"]) {
+      [readable addObject:@"block executables"];
+    } else {
+      [readable addObject:arg];
+    }
+  }
+  return [readable componentsJoinedByString:@", "];
+}
+
+@end

Source/common/SNTDropRootPrivs.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Foundation/Foundation.h>
+
 ///
 ///  Simple function to check and drop root privileges.
 ///

Source/common/SNTDropRootPrivs.m

@@ -12,7 +12,7 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTDropRootPrivs.h"
+#import "Source/common/SNTDropRootPrivs.h"
 
 BOOL DropRootPrivileges() {
   if (getuid() == 0 || geteuid() == 0 || getgid() == 0 || getegid() == 0) {

Source/common/SNTFileInfo.h

@@ -12,6 +12,10 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Foundation/Foundation.h>
+
+@class MOLCodesignChecker;
+
 ///
 ///  Represents a binary on disk, providing access to details about that binary
 ///  such as the SHA-1, SHA-256, Info.plist and the Mach-O data.
@@ -36,6 +40,17 @@
 ///
 - (instancetype)initWithPath:(NSString *)path;
 
+///
+///  Initializer for already resolved paths.
+///
+///  @param path The path of the file this instance is to represent. The path will
+///      not be converted and will be used as is. If the path is not a regular file this method will
+///      return nil and fill in an error.
+///  @param error If an error occurred and nil is returned, this will be a pointer to an NSError
+///      describing the problem.
+///
+- (instancetype)initWithResolvedPath:(NSString *)path error:(NSError **)error;
+
 ///
 ///  @return Path of this file.
 ///
@@ -109,11 +124,31 @@
 ///
 - (BOOL)isDMG;
 
+///
+///  @return NSString describing the kind of file (executable, bundle, script, etc.)
+///
+- (NSString *)humanReadableFileType;
+
 ///
 ///  @return YES if this file has a bad/missing __PAGEZERO .
 ///
 - (BOOL)isMissingPageZero;
 
+///
+///  If set to YES, the bundle* and infoPlist methods will search for and use the highest NSBundle
+///  found in the tree. Defaults to NO, which uses the first found bundle, if any.
+///
+///  @example:
+///      An SNTFileInfo object that represents
+///        /Applications/Photos.app/Contents/XPCServices/com.apple.Photos.librarychooserservice.xpc
+///      useAncestorBundle is set to YES
+///        /Applications/Photos.app will be used to get data backing all the bundle methods
+///
+///  @note: The NSBundle object backing the bundle* and infoPlist methods is cached once found.
+///         Setting the useAncestorBundle propery will clear this cache and force a re-search.
+///
+@property(nonatomic) BOOL useAncestorBundle;
+
 ///
 ///  @return An NSBundle if this file is part of a bundle.
 ///
@@ -176,4 +211,16 @@
 ///
 - (NSUInteger)fileSize;
 
+///
+///  @return The underlying file handle.
+///
+@property(readonly) NSFileHandle *fileHandle;
+
+///
+///  @return Returns an instance of MOLCodeSignChecker initialized with the file's binary path.
+///  Both the MOLCodesignChecker and any resulting NSError are cached and returned on subsequent
+///  calls.  You may pass in NULL for the error if you don't care to receive it.
+///
+- (MOLCodesignChecker *)codesignCheckerWithError:(NSError **)error;
+
 @end

Source/common/SNTFileInfo.m

@@ -12,18 +12,19 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTFileInfo.h"
+#import "Source/common/SNTFileInfo.h"
 
 #import <CommonCrypto/CommonDigest.h>
+#import <MOLCodesignChecker/MOLCodesignChecker.h>
+#import <fmdb/FMDB.h>
 
+#include <mach-o/arch.h>
 #include <mach-o/loader.h>
 #include <mach-o/swap.h>
 #include <pwd.h>
 #include <sys/stat.h>
 #include <sys/xattr.h>
 
-#import <FMDB/FMDB.h>
-
 // Simple class to hold the data of a mach_header and the offset within the file
 // in which that header was found.
 @interface MachHeaderWithOffset : NSObject
@@ -53,29 +54,51 @@
 @property NSDictionary *infoDict;
 @property NSDictionary *quarantineDict;
 @property NSDictionary *cachedHeaders;
+@property MOLCodesignChecker *cachedCodesignChecker;
+@property(nonatomic) NSError *codesignCheckerError;
 @end
 
 @implementation SNTFileInfo
 
 extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 
-- (instancetype)initWithPath:(NSString *)path error:(NSError **)error {
+- (instancetype)initWithResolvedPath:(NSString *)path error:(NSError **)error {
   self = [super init];
   if (self) {
-    NSBundle *bndl;
-    _path = [self resolvePath:path bundle:&bndl];
-    _bundleRef = bndl;
-    if (_path.length == 0) {
+    _path = path;
+    if (!_path.length) {
       if (error) {
-        NSString *errStr = @"Unable to resolve empty path";
-        if (path) errStr = [@"Unable to resolve path: " stringByAppendingString:path];
+        NSString *errStr = @"Unable to use empty path";
         *error = [NSError errorWithDomain:@"com.google.santa.fileinfo"
-                                     code:260
+                                     code:270
                                  userInfo:@{NSLocalizedDescriptionKey : errStr}];
       }
       return nil;
     }
 
+    struct stat fileStat;
+    lstat(_path.UTF8String, &fileStat);
+    if (!((S_IFMT & fileStat.st_mode) == S_IFREG)) {
+      if (error) {
+        NSString *errStr = [NSString stringWithFormat:@"Non regular file: %s", strerror(errno)];
+        *error = [NSError errorWithDomain:@"com.google.santa.fileinfo"
+                                     code:290
+                                 userInfo:@{NSLocalizedDescriptionKey : errStr}];
+      }
+      return nil;
+    }
+
+    _fileSize = fileStat.st_size;
+
+    if (_fileSize == 0) return nil;
+
+    if (fileStat.st_uid != 0) {
+      struct passwd *pwd = getpwuid(fileStat.st_uid);
+      if (pwd) {
+        _fileOwnerHomeDir = @(pwd->pw_dir);
+      }
+    }
+
     int fd = open([_path UTF8String], O_RDONLY | O_CLOEXEC);
     if (fd < 0) {
       if (error) {
@@ -87,24 +110,29 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
       return nil;
     }
     _fileHandle = [[NSFileHandle alloc] initWithFileDescriptor:fd closeOnDealloc:YES];
-
-    struct stat fileStat;
-    fstat(_fileHandle.fileDescriptor, &fileStat);
-    _fileSize = fileStat.st_size;
-
-    if (_fileSize == 0) return nil;
-
-    if (fileStat.st_uid != 0) {
-      struct passwd *pwd = getpwuid(fileStat.st_uid);
-      if (pwd) {
-        _fileOwnerHomeDir = @(pwd->pw_dir);
-      }
-    }
   }
 
   return self;
 }
 
+- (instancetype)initWithPath:(NSString *)path error:(NSError **)error {
+  NSBundle *bndl;
+  NSString *resolvedPath = [self resolvePath:path bundle:&bndl];
+  if (!resolvedPath.length) {
+    if (error) {
+      NSString *errStr = @"Unable to resolve empty path";
+      if (path) errStr = [@"Unable to resolve path: " stringByAppendingString:path];
+      *error = [NSError errorWithDomain:@"com.google.santa.fileinfo"
+                                   code:260
+                               userInfo:@{NSLocalizedDescriptionKey : errStr}];
+    }
+    return nil;
+  }
+  self = [self initWithResolvedPath:resolvedPath error:error];
+  if (self && bndl) _bundleRef = bndl;
+  return self;
+}
+
 - (instancetype)initWithPath:(NSString *)path {
   return [self initWithPath:path error:NULL];
 }
@@ -114,67 +142,68 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 - (void)hashSHA1:(NSString **)sha1 SHA256:(NSString **)sha256 {
   const int MAX_CHUNK_SIZE = 256 * 1024;  // 256 KB
   const size_t chunkSize = _fileSize > MAX_CHUNK_SIZE ? MAX_CHUNK_SIZE : _fileSize;
-  char chunk[chunkSize];
+  char *chunk = malloc(chunkSize);
 
-  CC_SHA1_CTX c1;
-  CC_SHA256_CTX c256;
+  @try {
+    CC_SHA1_CTX c1;
+    CC_SHA256_CTX c256;
 
-  if (sha1) CC_SHA1_Init(&c1);
-  if (sha256) CC_SHA256_Init(&c256);
+    if (sha1) CC_SHA1_Init(&c1);
+    if (sha256) CC_SHA256_Init(&c256);
 
-  int fd = self.fileHandle.fileDescriptor;
+    int fd = self.fileHandle.fileDescriptor;
 
-  fcntl(fd, F_RDAHEAD, 1);
-  struct radvisory radv;
-  radv.ra_offset = 0;
-  const int MAX_ADVISORY_READ = 10 * 1024 * 1024;
-  radv.ra_count = (int)_fileSize < MAX_ADVISORY_READ ? (int)_fileSize : MAX_ADVISORY_READ;
-  fcntl(fd, F_RDADVISE, &radv);
-  ssize_t bytesRead;
+    fcntl(fd, F_RDAHEAD, 1);
+    struct radvisory radv;
+    radv.ra_offset = 0;
+    const int MAX_ADVISORY_READ = 10 * 1024 * 1024;
+    radv.ra_count = (int)_fileSize < MAX_ADVISORY_READ ? (int)_fileSize : MAX_ADVISORY_READ;
+    fcntl(fd, F_RDADVISE, &radv);
+    ssize_t bytesRead;
 
-  for (uint64_t offset = 0; offset < _fileSize;) {
-    bytesRead = pread(fd, chunk, chunkSize, offset);
-    if (bytesRead > 0) {
-      if (sha1) CC_SHA1_Update(&c1, chunk, (CC_LONG)bytesRead);
-      if (sha256) CC_SHA256_Update(&c256, chunk, (CC_LONG)bytesRead);
-      offset += bytesRead;
-    } else if (bytesRead == -1 && errno == EINTR) {
-      continue;
-    } else {
-      return;
+    for (uint64_t offset = 0; offset < _fileSize;) {
+      bytesRead = pread(fd, chunk, chunkSize, offset);
+      if (bytesRead > 0) {
+        if (sha1) CC_SHA1_Update(&c1, chunk, (CC_LONG)bytesRead);
+        if (sha256) CC_SHA256_Update(&c256, chunk, (CC_LONG)bytesRead);
+        offset += bytesRead;
+      } else if (bytesRead == -1 && errno == EINTR) {
+        continue;
+      } else {
+        return;
+      }
     }
-  }
 
-  // We turn off Read Ahead that we turned on
-  fcntl(fd, F_RDAHEAD, 0);
-  if (sha1) {
-    unsigned char digest[CC_SHA1_DIGEST_LENGTH];
-    CC_SHA1_Final(digest, &c1);
-    NSString *const SHA1FormatString =
+    // We turn off Read Ahead that we turned on
+    fcntl(fd, F_RDAHEAD, 0);
+    if (sha1) {
+      unsigned char digest[CC_SHA1_DIGEST_LENGTH];
+      CC_SHA1_Final(digest, &c1);
+      NSString *const SHA1FormatString =
         @"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x";
-    *sha1 = [[NSString alloc]
-        initWithFormat:SHA1FormatString, digest[0], digest[1], digest[2],
-                       digest[3], digest[4], digest[5], digest[6], digest[7],
-                       digest[8], digest[9], digest[10], digest[11], digest[12],
-                       digest[13], digest[14], digest[15], digest[16],
+      *sha1 = [[NSString alloc]
+        initWithFormat:SHA1FormatString, digest[0], digest[1], digest[2], digest[3], digest[4],
+                       digest[5], digest[6], digest[7], digest[8], digest[9], digest[10],
+                       digest[11], digest[12], digest[13], digest[14], digest[15], digest[16],
                        digest[17], digest[18], digest[19]];
-  }
-  if (sha256) {
-    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
-    CC_SHA256_Final(digest, &c256);
-    NSString *const SHA256FormatString =
+    }
+    if (sha256) {
+      unsigned char digest[CC_SHA256_DIGEST_LENGTH];
+      CC_SHA256_Final(digest, &c256);
+      NSString *const SHA256FormatString =
         @"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
          "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x";
 
-    *sha256 = [[NSString alloc]
-        initWithFormat:SHA256FormatString, digest[0], digest[1], digest[2],
-                       digest[3], digest[4], digest[5], digest[6], digest[7],
-                       digest[8], digest[9], digest[10], digest[11], digest[12],
-                       digest[13], digest[14], digest[15], digest[16],
-                       digest[17], digest[18], digest[19], digest[20],
-                       digest[21], digest[22], digest[23], digest[24],
-                       digest[25], digest[26], digest[27], digest[28],
+      *sha256 = [[NSString alloc]
+        initWithFormat:SHA256FormatString, digest[0], digest[1], digest[2], digest[3], digest[4],
+                       digest[5], digest[6], digest[7], digest[8], digest[9], digest[10],
+                       digest[11], digest[12], digest[13], digest[14], digest[15], digest[16],
+                       digest[17], digest[18], digest[19], digest[20], digest[21], digest[22],
+                       digest[23], digest[24], digest[25], digest[26], digest[27], digest[28],
                        digest[29], digest[30], digest[31]];
+    }
+  } @finally {
+    free(chunk);
   }
 }
 
@@ -237,24 +266,37 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 }
 
 - (BOOL)isDMG {
+  if (self.fileSize < 512) return NO;
   NSUInteger last512 = self.fileSize - 512;
   const char *magic = (const char *)[[self safeSubdataWithRange:NSMakeRange(last512, 4)] bytes];
   return (magic && memcmp("koly", magic, 4) == 0);
 }
 
+- (NSString *)humanReadableFileType {
+  if ([self isExecutable]) return @"Executable";
+  if ([self isDylib]) return @"Dynamic Library";
+  if ([self isBundle]) return @"Bundle/Plugin";
+  if ([self isKext]) return @"Kernel Extension";
+  if ([self isScript]) return @"Script";
+  if ([self isXARArchive]) return @"XAR Archive";
+  if ([self isDMG]) return @"Disk Image";
+  return @"Unknown";
+}
+
 #pragma mark Page Zero
 
 - (BOOL)isMissingPageZero {
   // This method only checks i386 arch because the kernel enforces this for other archs
   // See bsd/kern/mach_loader.c, search for enforce_hard_pagezero.
-  MachHeaderWithOffset *x86Header = self.machHeaders[[self nameForCPUType:CPU_TYPE_X86]];
+  MachHeaderWithOffset *x86Header =
+    self.machHeaders[[self nameForCPUType:CPU_TYPE_X86 cpuSubType:CPU_SUBTYPE_I386_ALL]];
   if (!x86Header) return NO;
 
   struct mach_header *mh = (struct mach_header *)[x86Header.data bytes];
   if (mh->filetype != MH_EXECUTE) return NO;
 
-  NSRange range = NSMakeRange(x86Header.offset + sizeof(struct mach_header),
-                              sizeof(struct segment_command));
+  NSRange range =
+    NSMakeRange(x86Header.offset + sizeof(struct mach_header), sizeof(struct segment_command));
   NSData *lcData = [self safeSubdataWithRange:range];
   if (!lcData) return NO;
 
@@ -264,9 +306,8 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
   struct load_command *lc = (struct load_command *)[lcData bytes];
   if (lc->cmd == LC_SEGMENT) {
     struct segment_command *segment = (struct segment_command *)lc;
-    if (segment->vmaddr == 0 && segment->vmsize != 0 &&
-        segment->initprot == 0 && segment->maxprot == 0 &&
-        strcmp("__PAGEZERO", segment->segname) == 0) {
+    if (segment->vmaddr == 0 && segment->vmsize != 0 && segment->initprot == 0 &&
+        segment->maxprot == 0 && strcmp("__PAGEZERO", segment->segname) == 0) {
       return NO;
     }
   }
@@ -275,39 +316,62 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 
 #pragma mark Bundle Information
 
+///
+///  Directories with a "Contents/Info.plist" entry can be mistaken as a bundle. To be considered an
+///  ancestor, the bundle must have a valid extension.
+///
+- (NSSet *)allowedAncestorExtensions {
+  static NSSet *set;
+  static dispatch_once_t onceToken;
+  dispatch_once(&onceToken, ^{
+    set = [NSSet setWithArray:@[
+      @"app",
+      @"bundle",
+      @"framework",
+      @"kext",
+      @"xctest",
+      @"xpc",
+    ]];
+  });
+  return set;
+}
+
 ///
 ///  Try and determine the bundle that the represented executable is contained within, if any.
 ///
 ///  Rationale: An NSBundle has a method executablePath for discovering the main binary within a
 ///  bundle but provides no way to get an NSBundle object when only the executablePath is known.
-///  Also a bundle can contain multiple binaries within the MacOS folder and we want any of these
+///  Also a bundle can contain multiple binaries within its subdirectories and we want any of these
 ///  to count as being part of the bundle.
 ///
-///  This method relies on executable bundles being laid out as follows:
+///  This method walks up the path until a bundle is found, if any.
 ///
-/// @code
-/// Bundle.app/
-///    Contents/
-///       MacOS/
-///         executable
-/// @endcode
-///
-///  If @c self.path is the full path to @c executable above, this method would return an
-///  NSBundle reference for Bundle.app.
+///  @param ancestor YES this will return the highest NSBundle, with a valid extension, found in the
+///                  tree. NO will return the the lowest NSBundle, without validating the extension.
 ///
+- (NSBundle *)findBundleWithAncestor:(BOOL)ancestor {
+  NSBundle *bundle;
+  NSMutableArray *pathComponents = [[self.path pathComponents] mutableCopy];
+
+  // Ignore the root path "/", for some reason this is considered a bundle.
+  while (pathComponents.count > 1) {
+    NSBundle *bndl = [NSBundle bundleWithPath:[NSString pathWithComponents:pathComponents]];
+    if ([bndl objectForInfoDictionaryKey:@"CFBundleIdentifier"]) {
+      if ((!ancestor && bndl.bundlePath.pathExtension.length) ||
+          [[self allowedAncestorExtensions] containsObject:bndl.bundlePath.pathExtension]) {
+        bundle = bndl;
+      }
+      if (!ancestor) break;
+    }
+    [pathComponents removeLastObject];
+  }
+  return bundle;
+}
+
 - (NSBundle *)bundle {
   if (!self.bundleRef) {
-    self.bundleRef = (NSBundle *)[NSNull null];
-
-    // Check that the full path is at least 4-levels deep:
-    // e.g: /Calendar.app/Contents/MacOS/Calendar
-    NSArray *pathComponents = [self.path pathComponents];
-    NSUInteger pathComponentsCount = pathComponents.count;
-    if (pathComponentsCount < 4) return nil;
-
-    pathComponents = [pathComponents subarrayWithRange:NSMakeRange(0, pathComponentsCount - 3)];
-    NSBundle *bndl = [NSBundle bundleWithPath:[NSString pathWithComponents:pathComponents]];
-    if (bndl && [bndl objectForInfoDictionaryKey:@"CFBundleIdentifier"]) self.bundleRef = bndl;
+    self.bundleRef =
+      [self findBundleWithAncestor:self.useAncestorBundle] ?: (NSBundle *)[NSNull null];
   }
   return self.bundleRef == (NSBundle *)[NSNull null] ? nil : self.bundleRef;
 }
@@ -316,6 +380,14 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
   return [self.bundle bundlePath];
 }
 
+- (void)setUseAncestorBundle:(BOOL)useAncestorBundle {
+  if (self.useAncestorBundle != useAncestorBundle) {
+    self.bundleRef = nil;
+    self.infoDict = nil;
+  }
+  _useAncestorBundle = useAncestorBundle;
+}
+
 - (NSDictionary *)infoPlist {
   if (!self.infoDict) {
     NSDictionary *d = [self embeddedPlist];
@@ -340,8 +412,8 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 }
 
 - (NSString *)bundleName {
-  return [[self.infoPlist objectForKey:@"CFBundleDisplayName"] description] ?:
-         [[self.infoPlist objectForKey:@"CFBundleName"] description];
+  return [[self.infoPlist objectForKey:@"CFBundleDisplayName"] description]
+           ?: [[self.infoPlist objectForKey:@"CFBundleName"] description];
 }
 
 - (NSString *)bundleVersion {
@@ -390,12 +462,12 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 
   NSMutableDictionary *machHeaders = [NSMutableDictionary dictionary];
 
-  NSData *machHeader = [self parseSingleMachHeader:[self safeSubdataWithRange:NSMakeRange(0,
-                                                                                          4096)]];
+  NSData *machHeader =
+    [self parseSingleMachHeader:[self safeSubdataWithRange:NSMakeRange(0, 4096)]];
   if (machHeader) {
     struct mach_header *mh = (struct mach_header *)[machHeader bytes];
     MachHeaderWithOffset *mhwo = [[MachHeaderWithOffset alloc] initWithData:machHeader offset:0];
-    machHeaders[[self nameForCPUType:mh->cputype]] = mhwo;
+    machHeaders[[self nameForCPUType:mh->cputype cpuSubType:mh->cpusubtype]] = mhwo;
   } else {
     NSRange range = NSMakeRange(0, sizeof(struct fat_header));
     NSData *fatHeader = [self safeSubdataWithRange:range];
@@ -411,11 +483,12 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
           int offset = OSSwapBigToHostInt32(fat_arch[i].offset);
           int size = OSSwapBigToHostInt32(fat_arch[i].size);
           int cputype = OSSwapBigToHostInt(fat_arch[i].cputype);
+          int cpusubtype = OSSwapBigToHostInt(fat_arch[i].cpusubtype);
 
           range = NSMakeRange(offset, size);
           NSData *machHeader = [self parseSingleMachHeader:[self safeSubdataWithRange:range]];
           if (machHeader) {
-            NSString *key = [self nameForCPUType:cputype];
+            NSString *key = [self nameForCPUType:cputype cpuSubType:cpusubtype];
             MachHeaderWithOffset *mhwo = [[MachHeaderWithOffset alloc] initWithData:machHeader
                                                                              offset:offset];
             machHeaders[key] = mhwo;
@@ -473,24 +546,51 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
   for (uint32_t i = 0; i < ncmds; ++i) {
     NSData *cmdData = [self safeSubdataWithRange:NSMakeRange(offset, sz_segment)];
     if (!cmdData) return nil;
-    struct segment_command_64 *lc = (struct segment_command_64 *)[cmdData bytes];
-    if (lc->cmd == LC_SEGMENT || lc->cmd == LC_SEGMENT_64) {
-      if (memcmp(lc->segname, "__TEXT", 6) == 0) {
+
+    if (is64) {
+      struct segment_command_64 *lc = (struct segment_command_64 *)[cmdData bytes];
+      if (lc->cmd == LC_SEGMENT_64 && memcmp(lc->segname, "__TEXT", 6) == 0) {
         nsects = lc->nsects;
         offset += sz_segment;
         break;
       }
+      offset += lc->cmdsize;
+    } else {
+      struct segment_command *lc = (struct segment_command *)[cmdData bytes];
+      if (lc->cmd == LC_SEGMENT && memcmp(lc->segname, "__TEXT", 6) == 0) {
+        nsects = lc->nsects;
+        offset += sz_segment;
+        break;
+      }
+      offset += lc->cmdsize;
     }
-    offset += lc->cmdsize;
   }
 
   // Loop through the sections in the __TEXT segment looking for an __info_plist section.
   for (uint32_t i = 0; i < nsects; ++i) {
     NSData *sectData = [self safeSubdataWithRange:NSMakeRange(offset, sz_section)];
     if (!sectData) return nil;
-    struct section_64 *sect = (struct section_64 *)[sectData bytes];
-    if (sect && memcmp(sect->sectname, "__info_plist", 12) == 0 && sect->size < 2000000) {
-      NSData *plistData = [self safeSubdataWithRange:NSMakeRange(sect->offset, sect->size)];
+    uint64_t sectoffset, sectsize = 0;
+    BOOL found = NO;
+    if (is64) {
+      struct section_64 *sect = (struct section_64 *)[sectData bytes];
+      if (sect && memcmp(sect->sectname, "__info_plist", 12) == 0 && sect->size < 2000000) {
+        sectoffset = sect->offset;
+        sectsize = sect->size;
+        found = YES;
+      }
+    } else {
+      struct section *sect = (struct section *)[sectData bytes];
+      if (sect && memcmp(sect->sectname, "__info_plist", 12) == 0 && sect->size < 2000000) {
+        sectoffset = sect->offset;
+        sectsize = sect->size;
+        found = YES;
+      }
+    }
+
+    if (found) {
+      NSData *plistData =
+        [self safeSubdataWithRange:NSMakeRange(mhwo.offset + sectoffset, sectsize)];
       if (!plistData) return nil;
       NSDictionary *plist;
       plist = [NSPropertyListSerialization propertyListWithData:plistData
@@ -522,8 +622,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
     NSData *d = [self.fileHandle readDataOfLength:range.length];
     if (d.length != range.length) return nil;
     return d;
-  }
-  @catch (NSException *e) {
+  } @catch (NSException *e) {
     return nil;
   }
 }
@@ -563,9 +662,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
         }
 
         NSURL *dbPath = [NSURL fileURLWithPathComponents:@[
-          fileOwnerHomeDir,
-          @"Library",
-          @"Preferences",
+          fileOwnerHomeDir, @"Library", @"Preferences",
           @"com.apple.LaunchServices.QuarantineEventsV2"
         ]];
         FMDatabase *db = [FMDatabase databaseWithPath:[dbPath absoluteString]];
@@ -584,7 +681,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
             quarantineDict[@"LSQuarantineDataURL"] = [NSURL URLWithString:dataURLString];
             quarantineDict[@"LSQuarantineOriginURL"] = [NSURL URLWithString:originURLString];
             quarantineDict[@"LSQuarantineTimestamp"] =
-                [NSDate dateWithTimeIntervalSinceReferenceDate:timeStamp];
+              [NSDate dateWithTimeIntervalSinceReferenceDate:timeStamp];
 
             self.quarantineDict = quarantineDict;
           }
@@ -600,20 +697,15 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 ///
 ///  Return a human-readable string for a cpu_type_t.
 ///
-- (NSString *)nameForCPUType:(cpu_type_t)cpuType {
-  switch (cpuType) {
-    case CPU_TYPE_X86:
-      return @"i386";
-    case CPU_TYPE_X86_64:
-      return @"x86-64";
-    case CPU_TYPE_POWERPC:
-      return @"ppc";
-    case CPU_TYPE_POWERPC64:
-      return @"ppc64";
-    default:
-      return @"unknown";
+- (NSString *)nameForCPUType:(cpu_type_t)cpuType cpuSubType:(cpu_subtype_t)cpuSubType {
+  const NXArchInfo *archInfo = NXGetArchInfoFromCpuType(cpuType, cpuSubType);
+  NSString *arch;
+  if (archInfo && archInfo->name) {
+    arch = @(archInfo->name);
+  } else {
+    arch = [NSString stringWithFormat:@"%i:%i", cpuType, cpuSubType];
   }
-  return nil;
+  return arch;
 }
 
 ///
@@ -638,7 +730,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
   BOOL directory;
   if (![[NSFileManager defaultManager] fileExistsAtPath:path isDirectory:&directory]) {
     return nil;
-  } else if (directory) {
+  } else if (directory && ![path isEqualToString:@"/"]) {
     NSBundle *bndl = [NSBundle bundleWithPath:path];
     if (bundle) *bundle = bndl;
     return [bndl executablePath];
@@ -647,4 +739,18 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
   }
 }
 
+///
+///  Cache and return a MOLCodeSignChecker for the given file.  If there was an error creating the
+///  code sign checker it will be returned in the passed-in error parameter.
+///
+- (MOLCodesignChecker *)codesignCheckerWithError:(NSError **)error {
+  if (!self.cachedCodesignChecker && !self.codesignCheckerError) {
+    NSError *e;
+    self.cachedCodesignChecker = [[MOLCodesignChecker alloc] initWithBinaryPath:self.path error:&e];
+    self.codesignCheckerError = e;
+  }
+  if (error) *error = self.codesignCheckerError;
+  return self.cachedCodesignChecker;
+}
+
 @end

Source/common/SNTFileInfoTest.m

@@ -0,0 +1,243 @@
+/// Copyright 2015 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import <XCTest/XCTest.h>
+
+#import "Source/common/SNTFileInfo.h"
+
+@interface SNTFileInfoTest : XCTestCase
+@end
+
+@implementation SNTFileInfoTest
+
+- (NSString *)directoryBundle {
+  NSString *rp = [[NSBundle bundleForClass:[self class]] resourcePath];
+  return [rp stringByAppendingPathComponent:@"testdata/DirectoryBundle"];
+}
+
+- (NSString *)bundleExample {
+  NSString *rp = [[NSBundle bundleForClass:[self class]] resourcePath];
+  return [rp stringByAppendingPathComponent:@"testdata/BundleExample.app"];
+}
+
+- (void)testPathStandardizing {
+  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:@"/Applications/Safari.app"];
+  XCTAssertNotNil(sut);
+  XCTAssertEqualObjects(sut.path, @"/Applications/Safari.app/Contents/MacOS/Safari");
+
+  sut = [[SNTFileInfo alloc] initWithPath:@"../../../../../../../../../../../../../../../bin/ls"];
+  XCTAssertEqualObjects(sut.path, @"/bin/ls");
+
+  sut = [[SNTFileInfo alloc] initWithPath:@"/usr/sbin/DirectoryService"];
+  XCTAssertEqualObjects(sut.path, @"/usr/libexec/dspluginhelperd");
+}
+
+- (void)testSHA1 {
+  NSString *path = [[NSBundle bundleForClass:[self class]] pathForResource:@"missing_pagezero"
+                                                                    ofType:@""];
+  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:path];
+
+  XCTAssertNotNil(sut.SHA1);
+  XCTAssertEqual(sut.SHA1.length, 40);
+  XCTAssertEqualObjects(sut.SHA1, @"3a865bf47b4ceba20496e0e66e39e4cfa101ffe6");
+}
+
+- (void)testSHA256 {
+  NSString *path = [[NSBundle bundleForClass:[self class]] pathForResource:@"missing_pagezero"
+                                                                    ofType:@""];
+  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:path];
+
+  XCTAssertNotNil(sut.SHA256);
+  XCTAssertEqual(sut.SHA256.length, 64);
+  XCTAssertEqualObjects(sut.SHA256,
+                        @"5e089b65a1e7a4696d84a34510710b6993d1de21250c41daaec63d9981083eba");
+}
+
+- (void)testExecutable {
+  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:@"/sbin/launchd"];
+
+  XCTAssertTrue(sut.isMachO);
+  XCTAssertTrue(sut.isExecutable);
+
+  XCTAssertFalse(sut.isDylib);
+  XCTAssertFalse(sut.isKext);
+  XCTAssertFalse(sut.isScript);
+}
+
+- (void)testPageZero {
+  NSString *path = [[NSBundle bundleForClass:[self class]] pathForResource:@"missing_pagezero"
+                                                                    ofType:@""];
+  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:path];
+  XCTAssertTrue(sut.isMissingPageZero);
+
+  path = [[NSBundle bundleForClass:[self class]] pathForResource:@"bad_pagezero" ofType:@""];
+  sut = [[SNTFileInfo alloc] initWithPath:path];
+  XCTAssertTrue(sut.isMissingPageZero);
+
+  sut = [[SNTFileInfo alloc] initWithPath:@"/usr/sbin/bless"];
+  XCTAssertFalse(sut.isMissingPageZero);
+}
+
+- (void)testKext {
+  SNTFileInfo *sut = [[SNTFileInfo alloc]
+    initWithPath:@"/System/Library/Extensions/AppleAPIC.kext/Contents/MacOS/AppleAPIC"];
+
+  XCTAssertTrue(sut.isMachO);
+  XCTAssertTrue(sut.isKext);
+
+  XCTAssertFalse(sut.isDylib);
+  XCTAssertFalse(sut.isExecutable);
+  XCTAssertFalse(sut.isFat);
+  XCTAssertFalse(sut.isScript);
+}
+
+- (void)testDylibs {
+  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:@"/usr/lib/system/libsystem_platform.dylib"];
+
+  XCTAssertTrue(sut.isMachO);
+  XCTAssertTrue(sut.isDylib);
+  XCTAssertTrue(sut.isFat);
+
+  XCTAssertFalse(sut.isKext);
+  XCTAssertFalse(sut.isExecutable);
+  XCTAssertFalse(sut.isScript);
+}
+
+- (void)testScript {
+  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:@"/usr/bin/h2ph"];
+
+  XCTAssertTrue(sut.isScript);
+
+  XCTAssertFalse(sut.isDylib);
+  XCTAssertFalse(sut.isExecutable);
+  XCTAssertFalse(sut.isFat);
+  XCTAssertFalse(sut.isKext);
+  XCTAssertFalse(sut.isMachO);
+}
+
+- (void)testBundle {
+  NSString *path = [self bundleExample];
+  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:path];
+
+  XCTAssertNotNil([sut bundle]);
+
+  XCTAssertEqualObjects([sut bundleIdentifier], @"com.google.santa.BundleExample");
+  XCTAssertEqualObjects([sut bundleName], @"BundleExample");
+  XCTAssertEqualObjects([sut bundleVersion], @"1");
+  XCTAssertEqualObjects([sut bundleShortVersionString], @"1.0");
+  XCTAssertEqualObjects([sut bundlePath], path);
+}
+
+- (void)testAncestorBundle {
+  NSString *path = [self bundleExample];
+  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:path];
+  sut.useAncestorBundle = YES;
+
+  XCTAssertNotNil([sut bundle]);
+
+  XCTAssertEqualObjects([sut bundleIdentifier], @"com.google.santa.UnitTest.SNTFileInfoTest");
+  XCTAssertNotNil([sut bundleVersion]);
+  XCTAssertNotNil([sut bundleShortVersionString]);
+
+  NSString *ancestorBundlePath = path;
+  for (int i = 0; i < 4; i++) {
+    ancestorBundlePath = [ancestorBundlePath stringByDeletingLastPathComponent];
+  }
+  XCTAssertEqualObjects([sut bundlePath], ancestorBundlePath);
+}
+
+- (void)testBundleIsAncestor {
+  NSString *path = [NSBundle bundleForClass:[self class]].bundlePath;
+  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:path];
+  sut.useAncestorBundle = YES;
+
+  XCTAssertNotNil([sut bundle]);
+
+  XCTAssertEqualObjects([sut bundleIdentifier], @"com.google.santa.UnitTest.SNTFileInfoTest");
+  XCTAssertNotNil([sut bundleVersion]);
+  XCTAssertNotNil([sut bundleShortVersionString]);
+  XCTAssertEqualObjects([sut bundlePath], path);
+}
+
+- (void)testDirectoryBundleIsNotAncestor {
+  NSString *path = [self directoryBundle];
+  NSString *directoryBundle = @"/tmp/DirectoryBundle";
+  NSFileManager *fm = [NSFileManager defaultManager];
+  [fm removeItemAtPath:directoryBundle error:NULL];
+  [fm copyItemAtPath:path toPath:directoryBundle error:NULL];
+  path = [directoryBundle stringByAppendingString:@"/Contents/Resources/BundleExample.app"];
+  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:path];
+  sut.useAncestorBundle = YES;
+
+  XCTAssertNotNil([sut bundle]);
+
+  XCTAssertEqualObjects([sut bundleIdentifier], @"com.google.santa.BundleExample");
+  XCTAssertEqualObjects([sut bundleName], @"BundleExample");
+  XCTAssertEqualObjects([sut bundleVersion], @"1");
+  XCTAssertEqualObjects([sut bundleShortVersionString], @"1.0");
+  XCTAssertEqualObjects([sut bundlePath], path);
+}
+
+- (void)testBundleCacheReset {
+  NSString *path = [self bundleExample];
+  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:path];
+
+  XCTAssertNotNil([sut bundle]);
+
+  XCTAssertEqualObjects([sut bundleIdentifier], @"com.google.santa.BundleExample");
+  XCTAssertEqualObjects([sut bundleName], @"BundleExample");
+  XCTAssertEqualObjects([sut bundleVersion], @"1");
+  XCTAssertEqualObjects([sut bundleShortVersionString], @"1.0");
+  XCTAssertEqualObjects([sut bundlePath], path);
+
+  sut.useAncestorBundle = YES;
+
+  XCTAssertNotNil([sut bundle]);
+
+  XCTAssertEqualObjects([sut bundleIdentifier], @"com.google.santa.UnitTest.SNTFileInfoTest");
+  XCTAssertNotNil([sut bundleVersion]);
+  XCTAssertNotNil([sut bundleShortVersionString]);
+
+  NSString *ancestorBundlePath = path;
+  for (int i = 0; i < 4; i++) {
+    ancestorBundlePath = [ancestorBundlePath stringByDeletingLastPathComponent];
+  }
+  XCTAssertEqualObjects([sut bundlePath], ancestorBundlePath);
+}
+
+- (void)testNonBundle {
+  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:@"/usr/bin/yes"];
+
+  XCTAssertNil([sut bundle]);
+
+  sut.useAncestorBundle = YES;
+
+  XCTAssertNil([sut bundle]);
+}
+
+- (void)testEmbeddedInfoPlist {
+  NSString *path = [[NSBundle bundleForClass:[self class]] pathForResource:@"32bitplist"
+                                                                    ofType:@""];
+  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:path];
+  XCTAssertNotNil([sut infoPlist]);
+  XCTAssertEqualObjects([sut infoPlist][@"CFBundleShortVersionString"], @"1.0");
+  XCTAssertEqualObjects([sut infoPlist][@"CFBundleIdentifier"], @"com.google.i386plist");
+
+  // csreq is installed on all machines with Xcode installed. If you're running these tests,
+  // it should be available..
+  sut = [[SNTFileInfo alloc] initWithPath:@"/usr/bin/csreq"];
+  XCTAssertNotNil([sut infoPlist]);
+}
+
+@end

Source/common/SNTFileWatcher.h

@@ -1,33 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-///
-///  Simple file watching class using dispatch sources. Will automatically
-///  reload the watch if the file is deleted and continue watching for
-///  events until deallocated.
-///
-@interface SNTFileWatcher : NSObject
-
-///
-///  Designated initializer
-///  Initializes the watcher and begins watching for modifications.
-///
-///  @param filePath the file to watch.
-///  @param handler the handler to call when changes happen. The argument to the block is the
-///      type of change that happened as a bitmask to be compared with DISPATCH_VNODE_* constants.
-///
-- (nonnull instancetype)initWithFilePath:(nonnull NSString *)filePath
-                                 handler:(nonnull void (^)(unsigned long))handler;
-
-@end

Source/common/SNTFileWatcher.m

@@ -1,93 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-#import "SNTFileWatcher.h"
-
-#import "SNTStrengthify.h"
-
-@interface SNTFileWatcher ()
-@property NSString *filePath;
-@property(strong) void (^handler)(unsigned long);
-
-@property dispatch_source_t source;
-@end
-
-@implementation SNTFileWatcher
-
-- (instancetype)init {
-  [self doesNotRecognizeSelector:_cmd];
-  return nil;
-}
-
-- (instancetype)initWithFilePath:(nonnull NSString *)filePath
-                         handler:(nonnull void (^)(unsigned long))handler {
-  self = [super init];
-  if (self) {
-    _filePath = filePath;
-    _handler = handler;
-    [self startWatchingFile];
-  }
-  return self;
-}
-
-- (void)dealloc {
-  [self stopWatchingFile];
-}
-
-- (void)startWatchingFile {
-  dispatch_queue_t queue = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0);
-  int mask = (DISPATCH_VNODE_DELETE | DISPATCH_VNODE_RENAME |
-              DISPATCH_VNODE_WRITE | DISPATCH_VNODE_EXTEND | DISPATCH_VNODE_ATTRIB);
-
-  dispatch_async(queue, ^{
-    int fd = -1;
-    while ((fd = open([self.filePath fileSystemRepresentation], O_EVTONLY | O_CLOEXEC)) < 0) {
-      usleep(200000);  // wait 200ms
-    }
-    self.source = dispatch_source_create(DISPATCH_SOURCE_TYPE_VNODE, fd, mask, queue);
-
-    WEAKIFY(self);
-
-    dispatch_source_set_event_handler(self.source, ^{
-      STRONGIFY(self);
-      unsigned long data = dispatch_source_get_data(self.source);
-      self.handler(data);
-      if (data & DISPATCH_VNODE_DELETE || data & DISPATCH_VNODE_RENAME) {
-        [self stopWatchingFile];
-        [self startWatchingFile];
-      }
-      sleep(2);
-    });
-
-    dispatch_source_set_registration_handler(self.source, ^{
-      STRONGIFY(self);
-      self.handler(0);
-    });
-
-    dispatch_source_set_cancel_handler(self.source, ^{
-      close(fd);
-    });
-
-    dispatch_resume(self.source);
-  });
-}
-
-- (void)stopWatchingFile {
-  if (!self.source) return;
-  dispatch_source_set_event_handler_f(self.source, NULL);
-  dispatch_source_cancel(self.source);
-  self.source = nil;
-}
-
-@end

Source/common/SNTLogging.h

@@ -13,26 +13,17 @@
 ///    limitations under the License.
 
 ///
-/// Logging definitions, for both kernel and user space.
+/// Logging definitions
 ///
 
 #ifndef SANTA__COMMON__LOGGING_H
 #define SANTA__COMMON__LOGGING_H
 
-#ifdef KERNEL
+#ifdef __cplusplus
+extern "C" {
+#endif
 
-#include <IOKit/IOLib.h>
-
-#ifdef DEBUG
-#define LOGD(...) IOLog("D santa-driver: " __VA_ARGS__); IOLog("\n")
-#else  // DEBUG
-#define LOGD(...)
-#endif  // DEBUG
-#define LOGI(...) IOLog("I santa-driver: " __VA_ARGS__); IOLog("\n")
-#define LOGW(...) IOLog("W santa-driver: " __VA_ARGS__); IOLog("\n")
-#define LOGE(...) IOLog("E santa-driver: " __VA_ARGS__); IOLog("\n")
-
-#else  // KERNEL
+#import <Foundation/Foundation.h>
 
 typedef enum : NSUInteger {
   LOG_LEVEL_ERROR,
@@ -50,7 +41,7 @@ typedef enum : NSUInteger {
 ///  @param ... the arguments to format.
 ///
 void logMessage(LogLevel level, FILE *destination, NSString *format, ...)
-    __attribute__((format(__NSString__, 3, 4)));
+  __attribute__((format(__NSString__, 3, 4)));
 
 /// Simple logging macros
 #define LOGD(logFormat, ...) logMessage(LOG_LEVEL_DEBUG, stdout, logFormat, ##__VA_ARGS__)
@@ -58,6 +49,11 @@ void logMessage(LogLevel level, FILE *destination, NSString *format, ...)
 #define LOGW(logFormat, ...) logMessage(LOG_LEVEL_WARN, stderr, logFormat, ##__VA_ARGS__)
 #define LOGE(logFormat, ...) logMessage(LOG_LEVEL_ERROR, stderr, logFormat, ##__VA_ARGS__)
 
-#endif  // KERNEL
+/// Get the logging level for this process.
+LogLevel EffectiveLogLevel();
+
+#ifdef __cplusplus
+}  // extern C
+#endif
 
 #endif  // SANTA__COMMON__LOGGING_H

Source/common/SNTLogging.m

@@ -12,43 +12,53 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTLogging.h"
+#import "Source/common/SNTLogging.h"
+
+#import "Source/common/SNTConfigurator.h"
 
 #import <asl.h>
 #import <pthread.h>
 
-#ifdef DEBUG
-static LogLevel logLevel = LOG_LEVEL_DEBUG;
-#else
-static LogLevel logLevel = LOG_LEVEL_INFO;  // default to info
-#endif
-
 void syslogClientDestructor(void *arg) {
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
   asl_close((aslclient)arg);
+#pragma clang diagnostic pop
+}
+
+LogLevel EffectiveLogLevel() {
+#ifdef DEBUG
+  static LogLevel logLevel = LOG_LEVEL_DEBUG;
+#else
+  static LogLevel logLevel = LOG_LEVEL_INFO;  // default to info
+#endif
+  static dispatch_once_t onceToken;
+  dispatch_once(&onceToken, ^{
+    if ([SNTConfigurator configurator].enableDebugLogging) {
+      logLevel = LOG_LEVEL_DEBUG;
+    }
+  });
+  return logLevel;
 }
 
 void logMessage(LogLevel level, FILE *destination, NSString *format, ...) {
   static BOOL useSyslog = NO;
-  static const char *binaryName;
+  static NSString *binaryName;
   static dispatch_once_t pred;
   static pthread_key_t syslogKey = 0;
 
   dispatch_once(&pred, ^{
-    binaryName = [[[NSProcessInfo processInfo] processName] UTF8String];
-
-    // If debug logging is enabled, the process must be restarted.
-    if ([[[NSProcessInfo processInfo] arguments] containsObject:@"--debug"]) {
-      logLevel = LOG_LEVEL_DEBUG;
-    }
+    binaryName = [[NSProcessInfo processInfo] processName];
 
     // If requested, redirect output to syslog.
-    if ([[[NSProcessInfo processInfo] arguments] containsObject:@"--syslog"]) {
+    if ([[[NSProcessInfo processInfo] arguments] containsObject:@"--syslog"] ||
+        [binaryName isEqualToString:@"com.google.santa.daemon"]) {
       useSyslog = YES;
       pthread_key_create(&syslogKey, syslogClientDestructor);
     }
   });
 
-  if (logLevel < level) return;
+  if (EffectiveLogLevel() < level) return;
 
   va_list args;
   va_start(args, format);
@@ -58,8 +68,11 @@ void logMessage(LogLevel level, FILE *destination, NSString *format, ...) {
   if (useSyslog) {
     aslclient client = (aslclient)pthread_getspecific(syslogKey);
     if (client == NULL) {
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
       client = asl_open(NULL, "com.google.santa", 0);
       asl_set_filter(client, ASL_FILTER_MASK_UPTO(ASL_LEVEL_DEBUG));
+#pragma clang diagnostic pop
       pthread_setspecific(syslogKey, client);
     }
 
@@ -76,15 +89,21 @@ void logMessage(LogLevel level, FILE *destination, NSString *format, ...) {
         break;
       case LOG_LEVEL_INFO:
         levelName = "I";
-        syslogLevel = ASL_LEVEL_INFO;
+        syslogLevel = ASL_LEVEL_NOTICE;  // Maps to ULS Default
         break;
       case LOG_LEVEL_DEBUG:
         levelName = "D";
-        syslogLevel = ASL_LEVEL_DEBUG;
+        // Log debug messages at the same ASL level as INFO.
+        // While it would make sense to use DEBUG, watching debug-level logs
+        // in Console means enabling all debug logs, which is absurdly noisy.
+        syslogLevel = ASL_LEVEL_NOTICE;
         break;
     }
 
-    asl_log(client, NULL, syslogLevel, "%s %s: %s", levelName, binaryName, [s UTF8String]);
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
+    asl_log(client, NULL, syslogLevel, "%s %s: %s", levelName, binaryName.UTF8String, s.UTF8String);
+#pragma clang diagnostic pop
   } else {
     [s appendString:@"\n"];
     size_t len = [s lengthOfBytesUsingEncoding:NSUTF8StringEncoding];

Source/common/SNTMetricSet.h

@@ -0,0 +1,202 @@
+/// Copyright 2021 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import <Foundation/Foundation.h>
+#import "SNTCommonEnums.h"
+
+/**
+ * Provides an abstraction for various metric systems that will be exported to
+ * monitoring systems via the MetricService. This is used to store internal
+ * counters and metrics that can be exported to an external monitoring system.
+ *
+ * `SNTMetricSet` for storing and creating metrics and counters. This is
+ *   the externally visible interface
+ *   class.
+ *
+ *  Metric classes:
+ *   * `SNTMetric` to store metric values broken down by "field" dimensions.
+ *   * subclasses of `SNTMetric` with suitable setters:
+ *     * `SNTMetricCounter`
+ *     * `SNTMetricGaugeInt64`
+ *     * `SNTMetricGaugeDouble`
+ *     * `SNTMetricString`
+ *     * `SNTMetricBool`
+ */
+
+NS_ASSUME_NONNULL_BEGIN
+
+typedef NS_ENUM(NSInteger, SNTMetricType) {
+  SNTMetricTypeUnknown = 0,
+  SNTMetricTypeConstantBool = 1,
+  SNTMetricTypeConstantString = 2,
+  SNTMetricTypeConstantInt64 = 3,
+  SNTMetricTypeConstantDouble = 4,
+  SNTMetricTypeGaugeBool = 5,
+  SNTMetricTypeGaugeString = 6,
+  SNTMetricTypeGaugeInt64 = 7,
+  SNTMetricTypeGaugeDouble = 8,
+  SNTMetricTypeCounter = 9,
+};
+
+NSString *SNTMetricMakeStringFromMetricType(SNTMetricType metricType);
+
+@interface SNTMetric : NSObject
+- (NSDictionary *)export;
+@end
+
+@interface SNTMetricCounter : SNTMetric
+- (void)incrementBy:(long long)step forFieldValues:(NSArray<NSString *> *)fieldValues;
+- (void)incrementForFieldValues:(NSArray<NSString *> *)fieldValues;
+- (long long)getCountForFieldValues:(NSArray<NSString *> *)fieldValues;
+@end
+
+@interface SNTMetricInt64Gauge : SNTMetric
+- (void)set:(long long)value forFieldValues:(NSArray<NSString *> *)fieldValues;
+- (long long)getGaugeValueForFieldValues:(NSArray<NSString *> *)fieldValues;
+@end
+
+@interface SNTMetricDoubleGauge : SNTMetric
+- (void)set:(double)value forFieldValues:(NSArray<NSString *> *)fieldValues;
+- (double)getGaugeValueForFieldValues:(NSArray<NSString *> *)fieldValues;
+@end
+
+@interface SNTMetricStringGauge : SNTMetric
+- (void)set:(NSString *)value forFieldValues:(NSArray<NSString *> *)fieldValues;
+- (NSString *)getStringValueForFieldValues:(NSArray<NSString *> *)fieldValues;
+@end
+
+@interface SNTMetricBooleanGauge : SNTMetric
+- (void)set:(BOOL)value forFieldValues:(NSArray<NSString *> *)fieldValues;
+- (BOOL)getBoolValueForFieldValues:(NSArray<NSString *> *)fieldValues;
+@end
+
+/**
+ * A registry of metrics with associated fields.
+ */
+@interface SNTMetricSet : NSObject
+- (instancetype)initWithHostname:(NSString *)hostname username:(NSString *)username;
+
+/* Returns a counter with the given name, field names and help
+ *  text, registered with the MetricSet.
+ *
+ * @param name The counter name, for example @"/proc/cpu".
+ * @param fieldNames The counter's field names, for example @[@"result"].
+ * @param helpText The counter's help description.
+ * @return A counter with the given specification registered with this root.
+ *   The returned counter might have been created earlier with the same
+ *   specification.
+ * @throw NSInternalInconsistencyException When trying to register a second
+ *   counter with the same name but a different schema as an existing one
+ */
+- (SNTMetricCounter *)counterWithName:(NSString *)name
+                           fieldNames:(NSArray<NSString *> *)fieldNames
+                             helpText:(NSString *)text;
+
+/**
+ * Returns a shared global instance with default root labels and metrics registered.
+ */
++ (instancetype)sharedInstance;
+
+/**
+ * Resets all the metrics in this set. Intended only for testing.
+ */
+- (void)reset;
+
+/**
+ *  Add a root label to the MetricSet.
+ */
+- (void)addRootLabel:(NSString *)label value:(NSString *)value;
+
+/**
+ * Remove a root label from the MetricSet.
+ */
+- (void)removeRootLabel:(NSString *)labelName;
+
+/**
+ * Returns a int64 gauge metric with the given Streamz name and help text,
+ * registered with this MetricSet.
+ *
+ * @param name The metric name, for example @"/memory/free".
+ * @param fieldNames The metric's field names, for example @[@"type"].
+ * @param helpText The metric's help description.
+ */
+- (SNTMetricInt64Gauge *)int64GaugeWithName:(NSString *)name
+                                 fieldNames:(NSArray<NSString *> *)fieldNames
+                                   helpText:(NSString *)helpText;
+
+/**
+ * Returns a double gauge metric with the given name and help text,
+ * registered with this root.
+ *
+ * @param name The metric name, for example @"/memory/free".
+ * @param fieldNames The metric's field names, for example @[@"type"].
+ * @param helpText The metric's help description.
+ */
+- (SNTMetricDoubleGauge *)doubleGaugeWithName:(NSString *)name
+                                   fieldNames:(NSArray<NSString *> *)fieldNames
+                                     helpText:(NSString *)helpText;
+
+/**
+ * Returns a string gauge metric with the given name and help text,
+ * registered with this metric set.
+ *
+ * @param name The metric name, for example @"/santa/mode".
+ * @param fieldNames The metric's field names, for example @[@"type"].
+ * @param helpText The metric's help description.
+ */
+- (SNTMetricStringGauge *)stringGaugeWithName:(NSString *)name
+                                   fieldNames:(NSArray<NSString *> *)fieldNames
+                                     helpText:(NSString *)helpText;
+
+/**
+ * Returns a boolean gauge metric with the given name and help text,
+ * registered with this metric set.
+ *
+ * @param name The metric name, for example @"/memory/free".
+ * @param fieldNames The metric's field names, for example @[@"type"].
+ * @param helpText The metric's help description.
+ */
+- (SNTMetricBooleanGauge *)booleanGaugeWithName:(NSString *)name
+                                     fieldNames:(NSArray<NSString *> *)fieldNames
+                                       helpText:(NSString *)helpText;
+
+/** Creates a constant metric with a string value and no fields. */
+- (void)addConstantStringWithName:(NSString *)name
+                         helpText:(NSString *)helpText
+                            value:(NSString *)value;
+
+/** Creates a constant metric with an integer value and no fields. */
+- (void)addConstantIntegerWithName:(NSString *)name
+                          helpText:(NSString *)helpText
+                             value:(long long)value;
+
+/** Creates a constant metric with an integer value and no fields. */
+- (void)addConstantBooleanWithName:(NSString *)name helpText:(NSString *)helpText value:(BOOL)value;
+
+/** Register a callback to get executed just before each export. */
+- (void)registerCallback:(void (^)(void))callback;
+
+/** Export creates an NSDictionary of the state of the metrics */
+- (NSDictionary *)export;
+@end
+
+// Returns a human readble string from an SNTMetricFormat type
+NSString *SNTMetricStringFromMetricFormatType(SNTMetricFormatType format);
+
+/** Normalizes dates in an exported dictionary to be ISO8601 timestamp strings in
+ *  UTC time.
+ */
+NSDictionary *SNTMetricConvertDatesToISO8601Strings(NSDictionary *metrics);
+
+NS_ASSUME_NONNULL_END

Source/common/SNTMetricSet.m

@@ -0,0 +1,676 @@
+/// Copyright 2021 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTMetricSet.h"
+#import "SNTCommonEnums.h"
+
+NSString *SNTMetricMakeStringFromMetricType(SNTMetricType metricType) {
+  NSString *typeStr;
+  switch (metricType) {
+    case SNTMetricTypeConstantBool: typeStr = @"SNTMetricTypeConstantBool"; break;
+    case SNTMetricTypeConstantString: typeStr = @"SNTMetricTypeConstantString"; break;
+    case SNTMetricTypeConstantInt64: typeStr = @"SNTMetricTypeConstantInt64"; break;
+    case SNTMetricTypeConstantDouble: typeStr = @"SNTMetricTypeConstantDouble"; break;
+    case SNTMetricTypeGaugeBool: typeStr = @"SNTMetricTypeGaugeBool"; break;
+    case SNTMetricTypeGaugeString: typeStr = @"SNTMetricTypeGaugeString"; break;
+    case SNTMetricTypeGaugeInt64: typeStr = @"SNTMetricTypeGaugeInt64"; break;
+    case SNTMetricTypeGaugeDouble: typeStr = @"SNTMetricTypeGaugeDouble"; break;
+    case SNTMetricTypeCounter: typeStr = @"SNTMetricTypeCounter"; break;
+    default: typeStr = [NSString stringWithFormat:@"SNTMetricTypeUnknown %ld", metricType]; break;
+  }
+  return typeStr;
+}
+
+/**
+ *  SNTMetricValue encapsulates the value of a metric along with the creation
+ *  and update timestamps. It is thread-safe and has a separate field for each
+ *  metric type.
+ *
+ *  It is intended to only be used by SNTMetrics;
+ */
+@interface SNTMetricValue : NSObject
+/** Increment the counter by the step value, updating timestamps appropriately. */
+- (void)addInt64:(long long)step;
+
+/** Set the Int64 value. */
+- (void)setInt64:(long long)value;
+
+/** Set the double value. */
+- (void)setDouble:(double)value;
+
+/** Set the string value. */
+- (void)setString:(NSString *)value;
+
+/** Set the BOOL string value. */
+- (void)setBool:(BOOL)value;
+
+/**
+ * Clears the last update timestamp.
+ *
+ * This makes the metric value always emit the current timestamp as last update timestamp.
+ */
+- (void)clearLastUpdateTimestamp;
+
+/** Getters */
+- (long long)getInt64Value;
+- (double)getDoubleValue;
+- (NSString *)getStringValue;
+@end
+
+@implementation SNTMetricValue {
+  /** The int64 value for the SNTMetricValue, if set. */
+  long long _int64Value;
+
+  /** The double value for the SNTMetricValue, if set. */
+  double _doubleValue;
+
+  /** The string value for the SNTMetricValue, if set. */
+  NSString *_stringValue;
+
+  /** The boolean value for the SNTMetricValue, if set. */
+  BOOL _boolValue;
+
+  /** The first time this cell got created in the current process. */
+  NSDate *_creationTime;
+
+  /** The last time that the counter value was changed. */
+  NSDate *_lastUpdate;
+}
+
+- (instancetype)init {
+  self = [super init];
+  if (self) {
+    _creationTime = [NSDate date];
+    _lastUpdate = _creationTime;
+  }
+  return self;
+}
+
+- (void)addInt64:(long long)step {
+  @synchronized(self) {
+    _int64Value += step;
+    _lastUpdate = [NSDate date];
+  }
+}
+
+- (void)setInt64:(long long)value {
+  @synchronized(self) {
+    _int64Value = value;
+    _lastUpdate = [NSDate date];
+  }
+}
+
+- (long long)getInt64Value {
+  @synchronized(self) {
+    return _int64Value;
+  }
+}
+
+- (void)setDouble:(double)value {
+  @synchronized(self) {
+    _doubleValue = value;
+    _lastUpdate = [NSDate date];
+  }
+}
+
+- (double)getDoubleValue {
+  @synchronized(self) {
+    return _doubleValue;
+  }
+}
+
+- (void)setString:(NSString *)value {
+  @synchronized(self) {
+    _stringValue = [value copy];
+    _lastUpdate = [NSDate date];
+  }
+}
+
+- (NSString *)getStringValue {
+  @synchronized(self) {
+    return [_stringValue copy];
+  }
+}
+
+- (void)setBool:(BOOL)value {
+  @synchronized(self) {
+    _boolValue = value;
+    _lastUpdate = [NSDate date];
+  }
+}
+
+- (BOOL)getBoolValue {
+  @synchronized(self) {
+    return _boolValue;
+  }
+}
+
+- (void)clearLastUpdateTimestamp {
+  @synchronized(self) {
+    _lastUpdate = nil;
+  }
+}
+
+- (NSDate *)getLastUpdatedTimestamp {
+  NSDate *updated = nil;
+  @synchronized(self) {
+    updated = [_lastUpdate copy];
+  }
+  return updated;
+}
+
+- (NSDate *)getCreatedTimestamp {
+  NSDate *created = nil;
+  @synchronized(self) {
+    created = [_creationTime copy];
+  }
+  return created;
+}
+@end
+
+@implementation SNTMetric {
+ @private
+  /** Fully qualified metric name e.g. /ops/security/santa. */
+  NSString *_name;
+  /** A help text for the metric to be exported to be exported. **/
+  NSString *_help;
+
+  /** Sorted list of the fieldNames **/
+  NSArray<NSString *> *_fieldNames;
+  /** Mapping of field values to actual metric values (e.g. metric /proc/cpu_usage @"mode"=@"user"
+   * -> 0.89 */
+  NSMutableDictionary<NSArray<NSString *> *, SNTMetricValue *> *_metricsForFieldValues;
+  /** the type of metric this is e.g. counter, gauge etc. **/
+  SNTMetricType _type;
+}
+
+- (instancetype)initWithName:(NSString *)name
+                  fieldNames:(NSArray<NSString *> *)fieldNames
+                    helpText:(NSString *)help
+                        type:(SNTMetricType)type {
+  self = [super init];
+  if (self) {
+    _name = [name copy];
+    _help = [help copy];
+    _fieldNames = [fieldNames copy];
+    _metricsForFieldValues = [[NSMutableDictionary alloc] init];
+    _type = type;
+  }
+  return self;
+}
+
+- (NSString *)name {
+  return _name;
+}
+
+- (BOOL)hasSameSchemaAsMetric:(SNTMetric *)other {
+  if (![other isKindOfClass:[self class]]) {
+    return NO;
+  }
+  return [_name isEqualToString:other->_name] && [_help isEqualToString:other->_help] &&
+         [_fieldNames isEqualTo:other->_fieldNames] && _type == other->_type;
+}
+
+/** Retrieves the SNTMetricValue for a given field value.
+   Creates a new SNTMetricValue if none is present. */
+- (SNTMetricValue *)metricValueForFieldValues:(NSArray<NSString *> *)fieldValues {
+  NSParameterAssert(fieldValues.count == _fieldNames.count);
+  SNTMetricValue *metricValue = nil;
+  @synchronized(self) {
+    metricValue = _metricsForFieldValues[fieldValues];
+
+    if (!metricValue) {
+      // Deep copy to prevent mutations to the keys we store in the dictionary.
+      fieldValues = [fieldValues copy];
+      metricValue = [[SNTMetricValue alloc] init];
+      _metricsForFieldValues[fieldValues] = metricValue;
+    }
+  }
+
+  return metricValue;
+}
+
+- (NSDictionary *)encodeMetricValueForFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = _metricsForFieldValues[fieldValues];
+
+  NSMutableDictionary *fieldDict = [[NSMutableDictionary alloc] init];
+
+  fieldDict[@"created"] = [metricValue getCreatedTimestamp];
+  fieldDict[@"last_updated"] = [metricValue getLastUpdatedTimestamp];
+  fieldDict[@"value"] = [fieldValues componentsJoinedByString:@","];
+
+  switch (_type) {
+    case SNTMetricTypeConstantBool:
+    case SNTMetricTypeGaugeBool:
+      fieldDict[@"data"] = [NSNumber numberWithBool:[metricValue getBoolValue]];
+      break;
+    case SNTMetricTypeConstantInt64:
+    case SNTMetricTypeCounter:
+    case SNTMetricTypeGaugeInt64:
+      fieldDict[@"data"] = [NSNumber numberWithLongLong:[metricValue getInt64Value]];
+      break;
+    case SNTMetricTypeConstantDouble:
+    case SNTMetricTypeGaugeDouble:
+      fieldDict[@"data"] = [NSNumber numberWithDouble:[metricValue getDoubleValue]];
+      break;
+    case SNTMetricTypeConstantString:
+    case SNTMetricTypeGaugeString: fieldDict[@"data"] = [metricValue getStringValue]; break;
+    default: break;
+  }
+  return fieldDict;
+}
+
+- (NSDictionary *)export {
+  NSMutableDictionary *metricDict = [NSMutableDictionary dictionaryWithCapacity:_fieldNames.count];
+  metricDict[@"type"] = [NSNumber numberWithInt:(int)_type];
+  metricDict[@"fields"] = [[NSMutableDictionary alloc] init];
+  metricDict[@"description"] = [_help copy];
+
+  if (_fieldNames.count == 0) {
+    metricDict[@"fields"][@""] = @[ [self encodeMetricValueForFieldValues:@[]] ];
+  } else {
+    for (NSString *fieldName in _fieldNames) {
+      NSMutableArray *fieldVals = [[NSMutableArray alloc] init];
+
+      for (NSArray<NSString *> *fieldValues in _metricsForFieldValues) {
+        [fieldVals addObject:[self encodeMetricValueForFieldValues:fieldValues]];
+      }
+
+      metricDict[@"fields"][fieldName] = fieldVals;
+    }
+  }
+  return metricDict;
+}
+@end
+
+@implementation SNTMetricCounter
+
+- (instancetype)initWithName:(NSString *)name
+                  fieldNames:(NSArray<NSString *> *)fieldNames
+                    helpText:(NSString *)helpText {
+  return [super initWithName:name
+                  fieldNames:fieldNames
+                    helpText:helpText
+                        type:SNTMetricTypeCounter];
+}
+
+- (void)incrementBy:(long long)step forFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+
+  if (!metricValue) {
+    return;
+  }
+  [metricValue addInt64:step];
+}
+
+- (void)incrementForFieldValues:(NSArray<NSString *> *)fieldValues {
+  [self incrementBy:1 forFieldValues:fieldValues];
+}
+
+- (long long)getCountForFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+
+  if (!metricValue) {
+    return -1;
+  }
+
+  return [metricValue getInt64Value];
+}
+@end
+
+@implementation SNTMetricInt64Gauge
+- (instancetype)initWithName:(NSString *)name
+                  fieldNames:(NSArray<NSString *> *)fieldNames
+                    helpText:(NSString *)helpText {
+  return [super initWithName:name
+                  fieldNames:fieldNames
+                    helpText:helpText
+                        type:SNTMetricTypeGaugeInt64];
+}
+
+- (void)set:(long long)value forFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+  [metricValue setInt64:value];
+}
+
+- (long long)getGaugeValueForFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+
+  if (!metricValue) {
+    return -1;
+  }
+
+  return [metricValue getInt64Value];
+}
+@end
+
+@implementation SNTMetricDoubleGauge
+
+- (instancetype)initWithName:(NSString *)name
+                  fieldNames:(NSArray<NSString *> *)fieldNames
+                    helpText:(NSString *)text {
+  return [super initWithName:name
+                  fieldNames:fieldNames
+                    helpText:text
+                        type:SNTMetricTypeGaugeDouble];
+}
+
+- (void)set:(double)value forFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+  [metricValue setDouble:value];
+}
+
+- (double)getGaugeValueForFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+
+  if (!metricValue) {
+    return -1;
+  }
+
+  return [metricValue getDoubleValue];
+}
+@end
+
+@implementation SNTMetricStringGauge
+- (instancetype)initWithName:(NSString *)name
+                  fieldNames:(NSArray<NSString *> *)fieldNames
+                    helpText:(NSString *)text {
+  return [super initWithName:name
+                  fieldNames:fieldNames
+                    helpText:text
+                        type:SNTMetricTypeGaugeString];
+}
+
+- (void)set:(NSString *)value forFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+  [metricValue setString:value];
+}
+
+- (NSString *)getStringValueForFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+
+  if (!metricValue) {
+    return nil;
+  }
+
+  return [metricValue getStringValue];
+}
+@end
+
+@implementation SNTMetricBooleanGauge
+- (instancetype)initWithName:(NSString *)name
+                  fieldNames:(NSArray<NSString *> *)fieldNames
+                    helpText:(NSString *)helpText {
+  return [super initWithName:name
+                  fieldNames:fieldNames
+                    helpText:helpText
+                        type:SNTMetricTypeGaugeBool];
+}
+
+- (void)set:(BOOL)value forFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+  [metricValue setBool:value];
+}
+
+- (BOOL)getBoolValueForFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+
+  if (!metricValue) {
+    return false;
+  }
+
+  return [metricValue getBoolValue];
+}
+@end
+
+/**
+ *  SNTMetricSet is the top level container for all metrics and metrics value
+ *  its is abstracted from specific implementations but is close to Google's
+ *  Monarch and Prometheus formats.
+ */
+@implementation SNTMetricSet {
+ @private
+  /** Labels that are used to identify the entity to that all metrics apply to. */
+  NSMutableDictionary<NSString *, NSString *> *_rootLabels;
+  /** Registered metrics keyed by name */
+  NSMutableDictionary<NSString *, SNTMetric *> *_metrics;
+
+  /** Callbacks to update metric values before exporting metrics */
+  NSMutableArray<void (^)(void)> *_callbacks;
+}
+
++ (instancetype)sharedInstance {
+  static SNTMetricSet *sharedMetrics;
+  static dispatch_once_t onceToken;
+
+  dispatch_once(&onceToken, ^{
+    sharedMetrics = [[SNTMetricSet alloc] init];
+  });
+
+  return sharedMetrics;
+}
+
+- (instancetype)init {
+  self = [super init];
+  if (self) {
+    _rootLabels = [[NSMutableDictionary alloc] init];
+    _metrics = [[NSMutableDictionary alloc] init];
+    _callbacks = [[NSMutableArray alloc] init];
+  }
+  return self;
+}
+
+- (instancetype)initWithHostname:(NSString *)hostname username:(NSString *)username {
+  self = [super init];
+  if (self) {
+    _rootLabels = [[NSMutableDictionary alloc] init];
+    _metrics = [[NSMutableDictionary alloc] init];
+    _callbacks = [[NSMutableArray alloc] init];
+
+    _rootLabels[@"hostname"] = [hostname copy];
+    _rootLabels[@"username"] = [username copy];
+  }
+
+  return self;
+}
+
+- (void)reset {
+  _metrics = [[NSMutableDictionary alloc] init];
+}
+
+- (void)addRootLabel:(NSString *)label value:(NSString *)value {
+  @synchronized(self) {
+    _rootLabels[label] = value;
+  }
+}
+
+- (void)removeRootLabel:(NSString *)label {
+  @synchronized(self) {
+    [_rootLabels removeObjectForKey:label];
+  }
+}
+
+- (SNTMetric *)registerMetric:(nonnull SNTMetric *)metric {
+  @synchronized(self) {
+    SNTMetric *oldMetric = _metrics[[metric name]];
+    if ([oldMetric hasSameSchemaAsMetric:metric]) {
+      return oldMetric;
+    }
+    NSAssert(!oldMetric, @"metric registered twice: %@", metric.name);
+    _metrics[metric.name] = metric;
+  }
+  return metric;
+}
+
+- (void)registerCallback:(void (^)(void))callback {
+  @synchronized(self) {
+    [_callbacks addObject:callback];
+  }
+}
+
+- (SNTMetricCounter *)counterWithName:(NSString *)name
+                           fieldNames:(NSArray<NSString *> *)fieldNames
+                             helpText:(NSString *)helpText {
+  SNTMetricCounter *c = [[SNTMetricCounter alloc] initWithName:name
+                                                    fieldNames:fieldNames
+                                                      helpText:helpText];
+  return (SNTMetricCounter *)[self registerMetric:c];
+}
+
+- (SNTMetricInt64Gauge *)int64GaugeWithName:(NSString *)name
+                                 fieldNames:(NSArray<NSString *> *)fieldNames
+                                   helpText:(NSString *)helpText {
+  SNTMetricInt64Gauge *g = [[SNTMetricInt64Gauge alloc] initWithName:name
+                                                          fieldNames:fieldNames
+                                                            helpText:helpText];
+  return (SNTMetricInt64Gauge *)[self registerMetric:g];
+}
+
+- (SNTMetricDoubleGauge *)doubleGaugeWithName:(NSString *)name
+                                   fieldNames:(NSArray<NSString *> *)fieldNames
+                                     helpText:(NSString *)helpText {
+  SNTMetricDoubleGauge *g = [[SNTMetricDoubleGauge alloc] initWithName:name
+                                                            fieldNames:fieldNames
+                                                              helpText:helpText];
+
+  return (SNTMetricDoubleGauge *)[self registerMetric:g];
+}
+
+- (SNTMetricStringGauge *)stringGaugeWithName:(NSString *)name
+                                   fieldNames:(NSArray<NSString *> *)fieldNames
+                                     helpText:(NSString *)helpText {
+  SNTMetricStringGauge *s = [[SNTMetricStringGauge alloc] initWithName:name
+                                                            fieldNames:fieldNames
+                                                              helpText:helpText];
+
+  return (SNTMetricStringGauge *)[self registerMetric:s];
+}
+
+- (SNTMetricBooleanGauge *)booleanGaugeWithName:(NSString *)name
+                                     fieldNames:(NSArray<NSString *> *)fieldNames
+                                       helpText:(NSString *)helpText {
+  SNTMetricBooleanGauge *b = [[SNTMetricBooleanGauge alloc] initWithName:name
+                                                              fieldNames:fieldNames
+                                                                helpText:helpText];
+
+  return (SNTMetricBooleanGauge *)[self registerMetric:b];
+}
+
+- (void)addConstantStringWithName:(NSString *)name
+                         helpText:(NSString *)helpText
+                            value:(NSString *)value {
+  SNTMetric *metric = [[SNTMetric alloc] initWithName:name
+                                           fieldNames:@[]
+                                             helpText:helpText
+                                                 type:SNTMetricTypeConstantString];
+
+  SNTMetricValue *metricValue = [metric metricValueForFieldValues:@[]];
+  [metricValue setString:value];
+  [self registerMetric:metric];
+}
+
+- (void)addConstantIntegerWithName:(NSString *)name
+                          helpText:(NSString *)helpText
+                             value:(long long)value {
+  SNTMetric *metric = [[SNTMetric alloc] initWithName:name
+                                           fieldNames:@[]
+                                             helpText:helpText
+                                                 type:SNTMetricTypeConstantInt64];
+
+  SNTMetricValue *metricValue = [metric metricValueForFieldValues:@[]];
+  [metricValue setInt64:value];
+  [self registerMetric:metric];
+}
+
+- (void)addConstantBooleanWithName:(NSString *)name
+                          helpText:(NSString *)helpText
+                             value:(BOOL)value {
+  SNTMetric *metric = [[SNTMetric alloc] initWithName:name
+                                           fieldNames:@[]
+                                             helpText:helpText
+                                                 type:SNTMetricTypeConstantBool];
+
+  SNTMetricValue *metricValue = [metric metricValueForFieldValues:@[]];
+  [metricValue setBool:value];
+  [self registerMetric:metric];
+}
+
+/** Export current state of the SNTMetricSet as an NSDictionary. */
+- (NSDictionary *)export {
+  NSDictionary *exported = nil;
+
+  // Invoke callbacks to ensure metrics are up to date.
+  for (void (^cb)(void) in _callbacks) {
+    cb();
+  }
+
+  @synchronized(self) {
+    NSMutableDictionary *exportDict = [[NSMutableDictionary alloc] init];
+    exportDict[@"root_labels"] = [_rootLabels copy];
+    exportDict[@"metrics"] = [[NSMutableDictionary alloc] init];
+
+    // TODO(markowsky) Sort the metrics so we always get the same output.
+    for (NSString *metricName in _metrics) {
+      exportDict[@"metrics"][metricName] = [_metrics[metricName] export];
+    }
+
+    exported = [NSDictionary dictionaryWithDictionary:exportDict];
+  }
+  return exported;
+}
+
+// Returns a human readble string from an SNTMetricFormat type
+NSString *SNTMetricStringFromMetricFormatType(SNTMetricFormatType format) {
+  switch (format) {
+    case SNTMetricFormatTypeRawJSON: return @"rawjson";
+    case SNTMetricFormatTypeMonarchJSON: return @"monarchjson";
+    default: return @"Unknown Metric Format";
+  }
+}
+
+NSDictionary *SNTMetricConvertDatesToISO8601Strings(NSDictionary *metrics) {
+  NSMutableDictionary *mutableMetrics = [metrics mutableCopy];
+
+  id formatter;
+
+  if (@available(macOS 10.13, *)) {
+    NSISO8601DateFormatter *isoFormatter = [[NSISO8601DateFormatter alloc] init];
+
+    isoFormatter.formatOptions =
+      NSISO8601DateFormatWithInternetDateTime | NSISO8601DateFormatWithFractionalSeconds;
+    formatter = isoFormatter;
+  } else {
+    NSDateFormatter *localFormatter = [[NSDateFormatter alloc] init];
+    [localFormatter setDateFormat:@"yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"];
+    [localFormatter setTimeZone:[NSTimeZone timeZoneWithName:@"UTC"]];
+    formatter = localFormatter;
+  }
+
+  for (NSString *metricName in mutableMetrics[@"metrics"]) {
+    NSMutableDictionary *metric = mutableMetrics[@"metrics"][metricName];
+
+    for (NSString *field in metric[@"fields"]) {
+      NSMutableArray<NSMutableDictionary *> *values = metric[@"fields"][field];
+
+      [values enumerateObjectsUsingBlock:^(id object, NSUInteger index, BOOL *stop) {
+        values[index][@"created"] = [formatter stringFromDate:values[index][@"created"]];
+        values[index][@"last_updated"] = [formatter stringFromDate:values[index][@"last_updated"]];
+      }];
+    }
+  }
+
+  return mutableMetrics;
+}
+
+@end

Source/common/SNTMetricSetTest.m

@@ -0,0 +1,675 @@
+#import <XCTest/XCTest.h>
+
+#import "Source/common/SNTMetricSet.h"
+
+@interface SNTMetricCounterTest : XCTestCase
+@end
+
+@interface SNTMetricGaugeInt64Test : XCTestCase
+@end
+
+@interface SNTMetricDoubleGaugeTest : XCTestCase
+@end
+
+@interface SNTMetricBooleanGaugeTest : XCTestCase
+@end
+
+@interface SNTMetricStringGaugeTest : XCTestCase
+@end
+
+@interface SNTMetricSetTest : XCTestCase
+@end
+
+@interface SNTMetricSetHelperFunctionsTest : XCTestCase
+@end
+
+// Stub out NSDate's date method
+@implementation NSDate (custom)
+
++ (instancetype)date {
+  NSDateFormatter *formatter = NSDateFormatter.new;
+  [formatter setDateFormat:@"yyyy-MM-dd HH:mm:ssZZZ"];
+  return [formatter dateFromString:@"2021-08-05 13:00:10+0000"];
+}
+
+@end
+
+@implementation SNTMetricCounterTest
+- (void)testSimpleCounter {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricCounter *c =
+    [metricSet counterWithName:@"/santa/events"
+                    fieldNames:@[ @"rule_type" ]
+                      helpText:@"Count of exec events broken out by rule type."];
+
+  XCTAssertNotNil(c, @"Expected returned SNTMetricCounter to not be nil");
+  [c incrementForFieldValues:@[ @"certificate" ]];
+  XCTAssertEqual(1, [c getCountForFieldValues:@[ @"certificate" ]],
+                 @"Counter not incremented by 1");
+  [c incrementBy:3 forFieldValues:@[ @"certificate" ]];
+  XCTAssertEqual(4, [c getCountForFieldValues:@[ @"certificate" ]],
+                 @"Counter not incremented by 3");
+}
+
+- (void)testExportNSDictionary {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricCounter *c =
+    [metricSet counterWithName:@"/santa/events"
+                    fieldNames:@[ @"rule_type" ]
+                      helpText:@"Count of exec events broken out by rule type."];
+
+  XCTAssertNotNil(c);
+  [c incrementForFieldValues:@[ @"certificate" ]];
+
+  NSDictionary *expected = @{
+    @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeCounter],
+    @"description" : @"Count of exec events broken out by rule type.",
+    @"fields" : @{
+      @"rule_type" : @[ @{
+        @"value" : @"certificate",
+        @"created" : [NSDate date],
+        @"last_updated" : [NSDate date],
+        @"data" : [NSNumber numberWithInt:1]
+      } ]
+    }
+  };
+
+  XCTAssertEqualObjects([c export], expected);
+}
+
+- (void)testAddingMetricWithSameSchema {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricCounter *a = [metricSet counterWithName:@"/santa/counter"
+                                        fieldNames:@[]
+                                          helpText:@"Test counter."];
+
+  SNTMetricCounter *b = [metricSet counterWithName:@"/santa/counter"
+                                        fieldNames:@[]
+                                          helpText:@"Test counter."];
+
+  XCTAssertEqual(a, b, @"Unexpected new counter returned.");
+}
+@end
+
+@implementation SNTMetricBooleanGaugeTest
+- (void)testSimpleGauge {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricBooleanGauge *b = [metricSet booleanGaugeWithName:@"/santa/daemon_connected"
+                                                  fieldNames:@[]
+                                                    helpText:@"Is the daemon connected."];
+  XCTAssertNotNil(b);
+  [b set:true forFieldValues:@[]];
+  XCTAssertTrue([b getBoolValueForFieldValues:@[]]);
+  [b set:false forFieldValues:@[]];
+  XCTAssertFalse([b getBoolValueForFieldValues:@[]]);
+}
+
+- (void)testExportNSDictionary {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricBooleanGauge *b = [metricSet booleanGaugeWithName:@"/santa/daemon_connected"
+                                                  fieldNames:@[]
+                                                    helpText:@"Is the daemon connected."];
+  XCTAssertNotNil(b);
+  [b set:true forFieldValues:@[]];
+  NSDictionary *expected = @{
+    @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeBool],
+    @"description" : @"Is the daemon connected.",
+    @"fields" : @{
+      @"" : @[ @{
+        @"value" : @"",
+        @"created" : [NSDate date],
+        @"last_updated" : [NSDate date],
+        @"data" : [NSNumber numberWithBool:true]
+      } ]
+    }
+  };
+
+  NSDictionary *output = [b export];
+  XCTAssertEqualObjects(output, expected);
+}
+
+- (void)testAddingBooleanWithSameSchema {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricBooleanGauge *a = [metricSet booleanGaugeWithName:@"/santa/daemon_connected"
+                                                  fieldNames:@[]
+                                                    helpText:@"Is the daemon connected."];
+
+  SNTMetricBooleanGauge *b = [metricSet booleanGaugeWithName:@"/santa/daemon_connected"
+                                                  fieldNames:@[]
+                                                    helpText:@"Is the daemon connected."];
+
+  XCTAssertEqual(a, b, @"Unexpected new boolean gauge returned.");
+}
+
+@end
+
+@implementation SNTMetricGaugeInt64Test
+- (void)testSimpleGauge {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricInt64Gauge *g =
+    [metricSet int64GaugeWithName:@"/santa/rules"
+                       fieldNames:@[ @"rule_type" ]
+                         helpText:@"Count of rules broken out by rule type."];
+
+  XCTAssertNotNil(g, @"Expected returned SNTMetricGaugeInt64 to not be nil");
+  // set from zero
+  [g set:250 forFieldValues:@[ @"binary" ]];
+  XCTAssertEqual(250, [g getGaugeValueForFieldValues:@[ @"binary" ]]);
+
+  // Increase the gauge
+  [g set:500 forFieldValues:@[ @"binary" ]];
+  XCTAssertEqual(500, [g getGaugeValueForFieldValues:@[ @"binary" ]]);
+  // Decrease after increase
+  [g set:100 forFieldValues:@[ @"binary" ]];
+  XCTAssertEqual(100, [g getGaugeValueForFieldValues:@[ @"binary" ]]);
+  // Increase after decrease
+  [g set:750 forFieldValues:@[ @"binary" ]];
+  XCTAssertEqual(750, [g getGaugeValueForFieldValues:@[ @"binary" ]]);
+  // TODO: export the tree to JSON and confirm the structure is correct.
+}
+
+- (void)testExportNSDictionary {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricInt64Gauge *g =
+    [metricSet int64GaugeWithName:@"/santa/rules"
+                       fieldNames:@[ @"rule_type" ]
+                         helpText:@"Count of rules broken out by rule type."];
+
+  XCTAssertNotNil(g, @"Expected returned SNTMetricGaugeInt64 to not be nil");
+  // set from zero
+  [g set:250 forFieldValues:@[ @"binary" ]];
+  XCTAssertEqual(250, [g getGaugeValueForFieldValues:@[ @"binary" ]]);
+
+  NSDictionary *expected = @{
+    @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeInt64],
+    @"description" : @"Count of rules broken out by rule type.",
+    @"fields" : @{
+      @"rule_type" : @[ @{
+        @"value" : @"binary",
+        @"created" : [NSDate date],
+        @"last_updated" : [NSDate date],
+        @"data" : [NSNumber numberWithInt:250]
+      } ]
+    }
+  };
+
+  XCTAssertEqualObjects([g export], expected);
+}
+
+- (void)testAddingMetricWithSameSchema {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricInt64Gauge *a = [metricSet int64GaugeWithName:@"/santa/int64gauge"
+                                              fieldNames:@[]
+                                                helpText:@"Test gauge."];
+
+  SNTMetricInt64Gauge *b = [metricSet int64GaugeWithName:@"/santa/int64gauge"
+                                              fieldNames:@[]
+                                                helpText:@"Test gauge."];
+
+  XCTAssertEqual(a, b, @"Unexpected new gauge returned.");
+}
+
+@end
+
+@implementation SNTMetricDoubleGaugeTest
+
+- (void)testSimpleGauge {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricDoubleGauge *g = [metricSet doubleGaugeWithName:@"/proc/cpu_usage"
+                                                fieldNames:@[ @"mode" ]
+                                                  helpText:@"CPU time consumed by this process."];
+
+  XCTAssertNotNil(g, @"Expected returned SNTMetricDoubleGauge to not be nil");
+  // set from zero
+  [g set:(double)0.45 forFieldValues:@[ @"user" ]];
+  XCTAssertEqual(0.45, [g getGaugeValueForFieldValues:@[ @"user" ]]);
+
+  // Increase the gauge
+  [g set:(double)0.90 forFieldValues:@[ @"user" ]];
+  XCTAssertEqual(0.90, [g getGaugeValueForFieldValues:@[ @"user" ]]);
+  // Decrease after increase
+  [g set:0.71 forFieldValues:@[ @"user" ]];
+  XCTAssertEqual(0.71, [g getGaugeValueForFieldValues:@[ @"user" ]]);
+  // Increase after decrease
+  [g set:0.75 forFieldValues:@[ @"user" ]];
+  XCTAssertEqual(0.75, [g getGaugeValueForFieldValues:@[ @"user" ]]);
+}
+
+- (void)testExportNSDictionary {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricDoubleGauge *g = [metricSet doubleGaugeWithName:@"/proc/cpu_usage"
+                                                fieldNames:@[ @"mode" ]
+                                                  helpText:@"CPU time consumed by this process."];
+
+  XCTAssertNotNil(g, @"Expected returned SNTMetricDoubleGauge to not be nil");
+  // set from zero
+  [g set:(double)0.45 forFieldValues:@[ @"user" ]];
+  [g set:(double)0.90 forFieldValues:@[ @"system" ]];
+
+  NSDictionary *expected = @{
+    @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeDouble],
+    @"description" : @"CPU time consumed by this process.",
+    @"fields" : @{
+      @"mode" : @[
+        @{
+          @"value" : @"user",
+          @"created" : [NSDate date],
+          @"last_updated" : [NSDate date],
+          @"data" : [NSNumber numberWithDouble:0.45]
+        },
+        @{
+          @"value" : @"system",
+          @"created" : [NSDate date],
+          @"last_updated" : [NSDate date],
+          @"data" : [NSNumber numberWithDouble:0.90]
+        }
+      ]
+    }
+  };
+  XCTAssertEqualObjects([g export], expected);
+}
+
+- (void)testAddingMetricWithSameSchema {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricDoubleGauge *a = [metricSet doubleGaugeWithName:@"/santa/doublegauge"
+                                                fieldNames:@[]
+                                                  helpText:@"Test gauge."];
+
+  SNTMetricDoubleGauge *b = [metricSet doubleGaugeWithName:@"/santa/doublegauge"
+                                                fieldNames:@[]
+                                                  helpText:@"Test gauge."];
+
+  XCTAssertEqual(a, b, @"Unexpected new gauge returned.");
+}
+@end
+
+@implementation SNTMetricStringGaugeTest
+- (void)testSimpleGauge {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricStringGauge *s = [metricSet stringGaugeWithName:@"/santa/mode"
+                                                fieldNames:@[]
+                                                  helpText:@"String description of the mode."];
+
+  XCTAssertNotNil(s);
+  [s set:@"testValue" forFieldValues:@[]];
+  XCTAssertEqualObjects([s getStringValueForFieldValues:@[]], @"testValue");
+}
+
+- (void)testExportNSDictionary {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricStringGauge *s = [metricSet stringGaugeWithName:@"/santa/mode"
+                                                fieldNames:@[]
+                                                  helpText:@"String description of the mode."];
+
+  XCTAssertNotNil(s);
+  [s set:@"testValue" forFieldValues:@[]];
+
+  NSDictionary *expected = @{
+    @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeString],
+    @"description" : @"String description of the mode.",
+    @"fields" : @{
+      @"" : @[ @{
+        @"value" : @"",
+        @"created" : [NSDate date],
+        @"last_updated" : [NSDate date],
+        @"data" : @"testValue"
+      } ]
+    }
+  };
+
+  XCTAssertEqualObjects([s export], expected);
+}
+
+- (void)testAddingMetricWithSameSchema {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricStringGauge *a = [metricSet stringGaugeWithName:@"/santa/stringgauge"
+                                                fieldNames:@[]
+                                                  helpText:@"Test gauge."];
+
+  SNTMetricStringGauge *b = [metricSet stringGaugeWithName:@"/santa/stringgauge"
+                                                fieldNames:@[]
+                                                  helpText:@"Test gauge."];
+
+  XCTAssertEqual(a, b, @"Unexpected new gauge returned.");
+}
+
+@end
+
+@implementation SNTMetricSetTest
+- (void)testRootLabels {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  [metricSet addRootLabel:@"hostname" value:@"localhost"];
+
+  NSDictionary *expected = @{@"root_labels" : @{@"hostname" : @"localhost"}, @"metrics" : @{}};
+
+  XCTAssertEqualObjects(expected, [metricSet export]);
+
+  // ensure that adding a rootLabel with the same name overwrites.
+  expected = @{@"root_labels" : @{@"hostname" : @"localhost2"}, @"metrics" : @{}};
+  [metricSet addRootLabel:@"hostname" value:@"localhost2"];
+
+  XCTAssertEqualObjects(expected, [metricSet export],
+                        @"failed to overwrite rootLabel with second call to addRootLabel");
+
+  // ensure that removing a rootLabelWorks
+  expected = @{@"root_labels" : @{}, @"metrics" : @{}};
+  [metricSet removeRootLabel:@"hostname"];
+}
+
+- (void)testDoubleRegisteringIncompatibleMetricsFails {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricCounter *c = [metricSet counterWithName:@"/foo/bar"
+                                        fieldNames:@[ @"field" ]
+                                          helpText:@"lorem ipsum"];
+
+  XCTAssertNotNil(c);
+  XCTAssertThrows([metricSet counterWithName:@"/foo/bar"
+                                  fieldNames:@[ @"incompatible" ]
+                                    helpText:@"A little help text"],
+                  @"Should raise error for incompatible field names");
+
+  XCTAssertThrows([metricSet counterWithName:@"/foo/bar"
+                                  fieldNames:@[ @"result" ]
+                                    helpText:@"INCOMPATIBLE"],
+                  @"Should raise error for incompatible help text");
+}
+
+- (void)testRegisterCallback {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  // Register a callback metric which increments by one before export
+  SNTMetricInt64Gauge *gauge = [metricSet int64GaugeWithName:@"/foo/bar"
+                                                  fieldNames:@[]
+                                                    helpText:@"Number of callbacks done"];
+  __block int count = 0;
+  [metricSet registerCallback:^(void) {
+    count++;
+    [gauge set:count forFieldValues:@[]];
+  }];
+
+  // ensure the callback is called.
+  [metricSet export];
+
+  XCTAssertEqual([gauge getGaugeValueForFieldValues:@[]], 1);
+}
+
+- (void)testAddConstantBool {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  [metricSet addConstantBooleanWithName:@"/tautology"
+                               helpText:@"The first rule of tautology club is the first rule"
+                                  value:YES];
+
+  NSDictionary *expected = @{
+    @"/tautology" : @{
+      @"description" : @"The first rule of tautology club is the first rule",
+      @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantBool],
+      @"fields" : @{
+        @"" : @[ @{
+          @"value" : @"",
+          @"created" : [NSDate date],
+          @"last_updated" : [NSDate date],
+          @"data" : [NSNumber numberWithBool:true]
+        } ]
+      }
+    }
+  };
+
+  XCTAssertEqualObjects([metricSet export][@"metrics"], expected);
+}
+
+- (void)testAddConstantString {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+
+  [metricSet addConstantStringWithName:@"/build/label"
+                              helpText:@"Build label for the binary"
+                                 value:@"20210806.0.1"];
+
+  NSDictionary *expected = @{
+    @"/build/label" : @{
+      @"description" : @"Build label for the binary",
+      @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantString],
+      @"fields" : @{
+        @"" : @[ @{
+          @"value" : @"",
+          @"created" : [NSDate date],
+          @"last_updated" : [NSDate date],
+          @"data" : @"20210806.0.1"
+        } ]
+      }
+    }
+  };
+
+  XCTAssertEqualObjects([metricSet export][@"metrics"], expected);
+}
+
+- (void)testAddConstantInt {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  [metricSet addConstantIntegerWithName:@"/deep/thought/answer"
+                               helpText:@"Life, the universe, and everything"
+                                  value:42];
+
+  NSDictionary *expected = @{
+    @"/deep/thought/answer" : @{
+      @"description" : @"Life, the universe, and everything",
+      @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantInt64],
+      @"fields" : @{
+        @"" : @[ @{
+          @"value" : @"",
+          @"created" : [NSDate date],
+          @"last_updated" : [NSDate date],
+          @"data" : [NSNumber numberWithLongLong:42]
+        } ]
+      }
+    }
+  };
+
+  XCTAssertEqualObjects([metricSet export][@"metrics"], expected);
+}
+
+- (void)testExportNSDictionary {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] initWithHostname:@"testHost"
+                                                          username:@"testUser"];
+
+  // Add constants
+  [metricSet addConstantStringWithName:@"/build/label"
+                              helpText:@"Software version running."
+                                 value:@"20210809.0.1"];
+  [metricSet addConstantBooleanWithName:@"/santa/using_endpoint_security_framework"
+                               helpText:@"Is santad using the endpoint security framework."
+                                  value:TRUE];
+  [metricSet
+    addConstantIntegerWithName:@"/proc/birth_timestamp"
+                      helpText:@"Start time of this santad instance, in microseconds since epoch"
+                         value:(long long)(0x12345668910)];
+  // Add Metrics
+  SNTMetricCounter *c = [metricSet counterWithName:@"/santa/events"
+                                        fieldNames:@[ @"rule_type" ]
+                                          helpText:@"Count of events on the host"];
+
+  [c incrementForFieldValues:@[ @"binary" ]];
+  [c incrementBy:2 forFieldValues:@[ @"certificate" ]];
+
+  SNTMetricInt64Gauge *g = [metricSet int64GaugeWithName:@"/santa/rules"
+                                              fieldNames:@[ @"rule_type" ]
+                                                helpText:@"Number of rules."];
+
+  [g set:1 forFieldValues:@[ @"binary" ]];
+  [g set:3 forFieldValues:@[ @"certificate" ]];
+
+  // Add Metrics with callback
+  SNTMetricInt64Gauge *virtualMemoryGauge =
+    [metricSet int64GaugeWithName:@"/proc/memory/virtual_size"
+                       fieldNames:@[]
+                         helpText:@"The virtual memory size of this process."];
+
+  SNTMetricInt64Gauge *residentMemoryGauge =
+    [metricSet int64GaugeWithName:@"/proc/memory/resident_size"
+                       fieldNames:@[]
+                         helpText:@"The resident set size of this process."];
+
+  [metricSet registerCallback:^(void) {
+    [virtualMemoryGauge set:987654321 forFieldValues:@[]];
+    [residentMemoryGauge set:123456789 forFieldValues:@[]];
+  }];
+
+  NSDictionary *expected = @{
+    @"root_labels" : @{@"hostname" : @"testHost", @"username" : @"testUser"},
+    @"metrics" : @{
+      @"/build/label" : @{
+        @"description" : @"Software version running.",
+        @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantString],
+        @"fields" : @{
+          @"" : @[ @{
+            @"value" : @"",
+            @"created" : [NSDate date],
+            @"last_updated" : [NSDate date],
+            @"data" : @"20210809.0.1"
+          } ]
+        }
+      },
+      @"/santa/events" : @{
+        @"description" : @"Count of events on the host",
+        @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeCounter],
+        @"fields" : @{
+          @"rule_type" : @[
+            @{
+              @"value" : @"binary",
+              @"created" : [NSDate date],
+              @"last_updated" : [NSDate date],
+              @"data" : [NSNumber numberWithInt:1],
+            },
+            @{
+              @"value" : @"certificate",
+              @"created" : [NSDate date],
+              @"last_updated" : [NSDate date],
+              @"data" : [NSNumber numberWithInt:2],
+            },
+          ],
+        },
+      },
+      @"/santa/rules" : @{
+        @"description" : @"Number of rules.",
+        @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeInt64],
+        @"fields" : @{
+          @"rule_type" : @[
+            @{
+              @"value" : @"binary",
+              @"created" : [NSDate date],
+              @"last_updated" : [NSDate date],
+              @"data" : [NSNumber numberWithInt:1],
+            },
+            @{
+              @"value" : @"certificate",
+              @"created" : [NSDate date],
+              @"last_updated" : [NSDate date],
+              @"data" : [NSNumber numberWithInt:3],
+            }
+          ]
+        },
+      },
+      @"/santa/using_endpoint_security_framework" : @{
+        @"description" : @"Is santad using the endpoint security framework.",
+        @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantBool],
+        @"fields" : @{
+          @"" : @[ @{
+            @"value" : @"",
+            @"created" : [NSDate date],
+            @"last_updated" : [NSDate date],
+            @"data" : [NSNumber numberWithBool:YES]
+          } ]
+        }
+      },
+      @"/proc/birth_timestamp" : @{
+        @"description" : @"Start time of this santad instance, in microseconds since epoch",
+        @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantInt64],
+        @"fields" : @{
+          @"" : @[ @{
+            @"value" : @"",
+            @"created" : [NSDate date],
+            @"last_updated" : [NSDate date],
+            @"data" : [NSNumber numberWithLong:1250999830800]
+          } ]
+        },
+      },
+      @"/proc/memory/virtual_size" : @{
+        @"description" : @"The virtual memory size of this process.",
+        @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeInt64],
+        @"fields" : @{
+          @"" : @[ @{
+            @"value" : @"",
+            @"created" : [NSDate date],
+            @"last_updated" : [NSDate date],
+            @"data" : [NSNumber numberWithInt:987654321]
+          } ]
+        }
+      },
+      @"/proc/memory/resident_size" : @{
+        @"description" : @"The resident set size of this process.",
+        @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeInt64],
+        @"fields" : @{
+          @"" : @[ @{
+            @"value" : @"",
+            @"created" : [NSDate date],
+            @"last_updated" : [NSDate date],
+            @"data" : [NSNumber numberWithInt:123456789]
+          } ]
+        },
+      },
+    }
+  };
+
+  XCTAssertEqualObjects([metricSet export], expected);
+}
+@end
+
+@implementation SNTMetricSetHelperFunctionsTest
+- (void)testMakeMetricString {
+  NSArray<NSDictionary *> *tests = @[
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeUnknown],
+      @"expected" : @"SNTMetricTypeUnknown 0"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeConstantBool],
+      @"expected" : @"SNTMetricTypeConstantBool"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeConstantString],
+      @"expected" : @"SNTMetricTypeConstantString"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeConstantInt64],
+      @"expected" : @"SNTMetricTypeConstantInt64"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeConstantDouble],
+      @"expected" : @"SNTMetricTypeConstantDouble"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeGaugeBool],
+      @"expected" : @"SNTMetricTypeGaugeBool"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeGaugeString],
+      @"expected" : @"SNTMetricTypeGaugeString"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeGaugeInt64],
+      @"expected" : @"SNTMetricTypeGaugeInt64"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeGaugeDouble],
+      @"expected" : @"SNTMetricTypeGaugeDouble"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeCounter],
+      @"expected" : @"SNTMetricTypeCounter"
+    }
+  ];
+
+  for (NSDictionary *test in tests) {
+    NSString *output = SNTMetricMakeStringFromMetricType([test[@"input"] integerValue]);
+    XCTAssertEqualObjects(test[@"expected"], output, @"expected %@ got %@", test[@"expected"],
+                          output);
+  }
+}
+@end

Source/common/SNTPrefixTree.cc

@@ -0,0 +1,227 @@
+/// Copyright 2018 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#include "Source/common/SNTPrefixTree.h"
+
+#include <string.h>
+
+#include <mutex>
+
+#define LOGD(format, ...)  // NOP
+#define LOGE(format, ...)  // NOP
+
+#define lck_rw_lock_shared(l) pthread_rwlock_rdlock(&l)
+#define lck_rw_unlock_shared(l) pthread_rwlock_unlock(&l)
+#define lck_rw_lock_exclusive(l) pthread_rwlock_wrlock(&l)
+#define lck_rw_unlock_exclusive(l) pthread_rwlock_unlock(&l)
+
+#define lck_rw_lock_shared_to_exclusive(l) \
+  ({                                       \
+    pthread_rwlock_unlock(&l);             \
+    false;                                 \
+  })
+#define lck_rw_lock_exclusive_to_shared(l) \
+  ({                                       \
+    pthread_rwlock_unlock(&l);             \
+    pthread_rwlock_rdlock(&l);             \
+  })
+
+#define lck_mtx_lock(l) l->lock()
+#define lck_mtx_unlock(l) l->unlock()
+
+SNTPrefixTree::SNTPrefixTree(uint32_t max_nodes) {
+  root_ = new SantaPrefixNode();
+  node_count_ = 0;
+  max_nodes_ = max_nodes;
+
+  pthread_rwlock_init(&spt_lock_, nullptr);
+  spt_add_lock_ = new std::mutex;
+}
+
+IOReturn SNTPrefixTree::AddPrefix(const char *prefix, uint64_t *node_count) {
+  // Serialize requests to AddPrefix. Otherwise one AddPrefix thread could
+  // overwrite whole branches of another. HasPrefix is still free to read the
+  // tree, until AddPrefix needs to modify it.
+  lck_mtx_lock(spt_add_lock_);
+
+  // Don't allow an empty prefix.
+  if (prefix[0] == '\0') return kIOReturnBadArgument;
+
+  LOGD("Trying to add prefix: %s", prefix);
+
+  // Enforce max tree depth.
+  size_t len = strnlen(prefix, max_nodes_);
+
+  // Grab a shared lock until a new branch is required.
+  lck_rw_lock_shared(spt_lock_);
+
+  SantaPrefixNode *node = root_;
+  for (size_t i = 0; i < len; ++i) {
+    // If there is a node in the path that is considered a prefix, stop adding.
+    // For our purposes we only care about the shortest path that matches.
+    if (node->isPrefix) break;
+
+    // Only process a byte at a time.
+    uint8_t value = (uint8_t)prefix[i];
+
+    // Create the child if it does not exist.
+    if (!node->children[value]) {
+      // Upgrade the shared lock.
+      // If the upgrade fails, the shared lock is released.
+      if (!lck_rw_lock_shared_to_exclusive(spt_lock_)) {
+        // Grab a new exclusive lock.
+        lck_rw_lock_exclusive(spt_lock_);
+      }
+
+      // Is there enough room for the rest of the prefix?
+      if ((node_count_ + (len - i)) > max_nodes_) {
+        LOGE("Prefix tree is full, can not add: %s", prefix);
+
+        if (node_count) *node_count = node_count_;
+        lck_rw_unlock_exclusive(spt_lock_);
+        lck_mtx_unlock(spt_add_lock_);
+        return kIOReturnNoResources;
+      }
+
+      // Create the rest of the prefix.
+      while (i < len) {
+        value = (uint8_t)prefix[i++];
+
+        SantaPrefixNode *new_node = new SantaPrefixNode();
+        node->children[value] = new_node;
+        ++node_count_;
+
+        node = new_node;
+      }
+
+      // This is the end, mark the node as a prefix.
+      LOGD("Added prefix: %s", prefix);
+
+      node->isPrefix = true;
+
+      // Downgrade the exclusive lock
+      lck_rw_lock_exclusive_to_shared(spt_lock_);
+    } else if (i + 1 == len) {
+      // If the child does exist and it is the end...
+      // Set the new, higher prefix and prune the now dead nodes.
+
+      if (!lck_rw_lock_shared_to_exclusive(spt_lock_)) {
+        lck_rw_lock_exclusive(spt_lock_);
+      }
+
+      PruneNode(node->children[value]);
+
+      SantaPrefixNode *new_node = new SantaPrefixNode();
+      new_node->isPrefix = true;
+
+      node->children[value] = new_node;
+      ++node_count_;
+
+      LOGD("Added prefix: %s", prefix);
+
+      lck_rw_lock_exclusive_to_shared(spt_lock_);
+    }
+
+    // Get ready for the next iteration.
+    node = node->children[value];
+  }
+
+  if (node_count) *node_count = node_count_;
+
+  lck_rw_unlock_shared(spt_lock_);
+  lck_mtx_unlock(spt_add_lock_);
+
+  return kIOReturnSuccess;
+}
+
+bool SNTPrefixTree::HasPrefix(const char *string) {
+  lck_rw_lock_shared(spt_lock_);
+
+  auto found = false;
+
+  SantaPrefixNode *node = root_;
+
+  // A well formed tree will always break this loop. Even if string doesn't
+  // terminate.
+  const char *p = string;
+  while (*p) {
+    // Only process a byte at a time.
+    node = node->children[(uint8_t)*p++];
+
+    // If it doesn't exist in the tree, no match.
+    if (!node) break;
+
+    // If it does exist, is it a prefix?
+    if (node->isPrefix) {
+      found = true;
+      break;
+    }
+  }
+
+  lck_rw_unlock_shared(spt_lock_);
+
+  return found;
+}
+
+void SNTPrefixTree::Reset() {
+  lck_rw_lock_exclusive(spt_lock_);
+
+  PruneNode(root_);
+  root_ = new SantaPrefixNode();
+  node_count_ = 0;
+
+  lck_rw_unlock_exclusive(spt_lock_);
+}
+
+void SNTPrefixTree::PruneNode(SantaPrefixNode *target) {
+  if (!target) return;
+
+  // For deep trees, a recursive approach will generate too many stack frames.
+  // Make a "stack" and walk the tree.
+  auto stack = new SantaPrefixNode *[node_count_ + 1];
+  if (!stack) {
+    LOGE("Unable to prune tree!");
+
+    return;
+  }
+  auto count = 0;
+
+  // Seed the "stack" with a starting node.
+  stack[count++] = target;
+
+  // Start at the target node and walk the tree to find and delete all the
+  // sub-nodes.
+  while (count) {
+    auto node = stack[--count];
+
+    for (int i = 0; i < 256; ++i) {
+      if (!node->children[i]) continue;
+      stack[count++] = node->children[i];
+    }
+
+    delete node;
+    --node_count_;
+  }
+
+  delete[] stack;
+}
+
+SNTPrefixTree::~SNTPrefixTree() {
+  lck_rw_lock_exclusive(spt_lock_);
+  PruneNode(root_);
+  root_ = nullptr;
+  lck_rw_unlock_exclusive(spt_lock_);
+
+  pthread_rwlock_destroy(&spt_lock_);
+}

Source/common/SNTPrefixTree.h

@@ -0,0 +1,91 @@
+/// Copyright 2018 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#ifndef SANTA__SANTA_DRIVER__SANTAPREFIXTREE_H
+#define SANTA__SANTA_DRIVER__SANTAPREFIXTREE_H
+
+#include <IOKit/IOReturn.h>
+#include <sys/param.h>
+
+// Support for unit testing.
+#include <pthread.h>
+#include <stdint.h>
+
+#include <mutex>
+
+///
+///  SantaPrefixTree is a simple prefix tree implementation.
+///  Operations are thread safe.
+///
+class SNTPrefixTree {
+ public:
+  // Add a prefix to the tree.
+  // Optionally pass node_count to get the number of nodes after the add.
+  IOReturn AddPrefix(const char *, uint64_t *node_count = nullptr);
+
+  // Check if the tree has a prefix for string.
+  bool HasPrefix(const char *string);
+
+  // Reset the tree.
+  void Reset();
+
+  SNTPrefixTree(uint32_t max_nodes = kDefaultMaxNodes);
+  ~SNTPrefixTree();
+
+ private:
+  ///
+  ///  SantaPrefixNode is a wrapper class that represents one byte.
+  ///  1 node can represent a whole ASCII character.
+  ///  For example a pointer to the 'A' node will be stored at children[0x41].
+  ///  It takes 1-4 nodes to represent a UTF-8 encoded Unicode character.
+  ///
+  ///  The path for "/🤘" would look like this:
+  ///      children[0x2f] -> children[0xf0] -> children[0x9f] -> children[0xa4]
+  ///      -> children[0x98]
+  ///
+  ///  The path for "/dev" is:
+  ///      children[0x2f] -> children[0x64] -> children[0x65] -> children[0x76]
+  ///
+  ///  Lookups of children are O(1).
+  ///
+  ///  Having the nodes represented by a smaller width, such as a nibble (1/2
+  ///  byte), would drastically decrease the memory footprint but would double
+  ///  required dereferences.
+  ///
+  ///  TODO(bur): Potentially convert this into a full on radix tree.
+  ///
+  class SantaPrefixNode {
+   public:
+    bool isPrefix;
+    SantaPrefixNode *children[256];
+  };
+
+  // PruneNode will remove the passed in node from the tree.
+  // The passed in node and all subnodes will be deleted.
+  // It is the caller's responsibility to reset the pointer to this node (held
+  // by the parent). If the tree is in use grab the exclusive lock.
+  void PruneNode(SantaPrefixNode *);
+
+  SantaPrefixNode *root_;
+
+  // Each node takes up ~2k, assuming MAXPATHLEN is 1024 max out at ~2MB.
+  static const uint32_t kDefaultMaxNodes = MAXPATHLEN;
+  uint32_t max_nodes_;
+  uint32_t node_count_;
+
+  pthread_rwlock_t spt_lock_;
+  std::mutex *spt_add_lock_;
+};
+
+#endif /* SANTA__SANTA_DRIVER__SANTAPREFIXTREE_H */

Source/common/SNTPrefixTreeTest.mm

@@ -0,0 +1,73 @@
+/// Copyright 2018 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import <XCTest/XCTest.h>
+
+#include "Source/common/SNTPrefixTree.h"
+
+@interface SNTPrefixTreeTest : XCTestCase
+@end
+
+@implementation SNTPrefixTreeTest
+
+- (void)testAddAndHas {
+  auto t = SNTPrefixTree();
+  XCTAssertFalse(t.HasPrefix("/private/var/tmp/file1"));
+  t.AddPrefix("/private/var/tmp/");
+  XCTAssertTrue(t.HasPrefix("/private/var/tmp/file1"));
+}
+
+- (void)testReset {
+  auto t = SNTPrefixTree();
+  t.AddPrefix("/private/var/tmp/");
+  XCTAssertTrue(t.HasPrefix("/private/var/tmp/file1"));
+  t.Reset();
+  XCTAssertFalse(t.HasPrefix("/private/var/tmp/file1"));
+}
+
+- (void)testThreading {
+  uint32_t count = 4096;
+  auto t = new SNTPrefixTree(count * (uint32_t)[NSUUID UUID].UUIDString.length);
+
+  NSMutableArray *UUIDs = [NSMutableArray arrayWithCapacity:count];
+  for (int i = 0; i < count; ++i) {
+    [UUIDs addObject:[NSUUID UUID].UUIDString];
+  }
+
+  __block BOOL stop = NO;
+
+  // Create a bunch of background noise.
+  dispatch_async(dispatch_get_global_queue(0, 0), ^{
+    for (uint64_t i = 0; i < UINT64_MAX; ++i) {
+      dispatch_async(dispatch_get_global_queue(0, 0), ^{
+        t->HasPrefix([UUIDs[i % count] UTF8String]);
+      });
+      if (stop) return;
+    }
+  });
+
+  // Fill up the tree.
+  dispatch_apply(count, dispatch_get_global_queue(0, 0), ^(size_t i) {
+    XCTAssertEqual(t->AddPrefix([UUIDs[i] UTF8String]), kIOReturnSuccess);
+  });
+
+  // Make sure every leaf byte is found.
+  dispatch_apply(count, dispatch_get_global_queue(0, 0), ^(size_t i) {
+    XCTAssertTrue(t->HasPrefix([UUIDs[i] UTF8String]));
+  });
+
+  stop = YES;
+}
+
+@end

Source/common/SNTRule.h

@@ -12,17 +12,19 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTCommonEnums.h"
+#import <Foundation/Foundation.h>
+
+#import "Source/common/SNTCommonEnums.h"
 
 ///
 ///  Represents a Rule.
 ///
-@interface SNTRule : NSObject<NSSecureCoding>
+@interface SNTRule : NSObject <NSSecureCoding>
 
 ///
 ///  The hash of the object this rule is for
 ///
-@property(copy) NSString *shasum;
+@property(copy) NSString *identifier;
 
 ///
 ///  The state of this rule
@@ -39,12 +41,37 @@
 ///
 @property(copy) NSString *customMsg;
 
+///
+///  The time when this rule was last retrieved from the rules database, if rule is transitive.
+///  Stored as number of seconds since 00:00:00 UTC on 1 January 2001.
+///
+@property(readonly) NSUInteger timestamp;
+
 ///
 ///  Designated initializer.
 ///
-- (instancetype)initWithShasum:(NSString *)shasum
+- (instancetype)initWithIdentifier:(NSString *)identifier
+                         state:(SNTRuleState)state
+                          type:(SNTRuleType)type
+                     customMsg:(NSString *)customMsg
+                     timestamp:(NSUInteger)timestamp;
+
+///
+///  Initialize with a default timestamp: current time if rule state is transitive, 0 otherwise.
+///
+- (instancetype)initWithIdentifier:(NSString *)identifier
                          state:(SNTRuleState)state
                           type:(SNTRuleType)type
                      customMsg:(NSString *)customMsg;
 
+///
+///  Initialize with a dictionary received from a sync server.
+///
+- (instancetype)initWithDictionary:(NSDictionary *)dict;
+
+///
+///  Sets timestamp of rule to the current time.
+///
+- (void)resetTimestamp;
+
 @end

Source/common/SNTRule.m

@@ -12,27 +12,103 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTRule.h"
+#import "Source/common/SNTRule.h"
+#import "Source/common/SNTSyncConstants.h"
+
+@interface SNTRule ()
+@property(readwrite) NSUInteger timestamp;
+@end
 
 @implementation SNTRule
 
-- (instancetype)initWithShasum:(NSString *)shasum
-                         state:(SNTRuleState)state
-                          type:(SNTRuleType)type
-                     customMsg:(NSString *)customMsg {
+- (instancetype)initWithIdentifier:(NSString *)identifier
+                             state:(SNTRuleState)state
+                              type:(SNTRuleType)type
+                         customMsg:(NSString *)customMsg
+                         timestamp:(NSUInteger)timestamp {
   self = [super init];
   if (self) {
-    _shasum = shasum;
+    _identifier = identifier;
     _state = state;
     _type = type;
     _customMsg = customMsg;
+    _timestamp = timestamp;
+  }
+  return self;
+}
+
+- (instancetype)initWithIdentifier:(NSString *)identifier
+                             state:(SNTRuleState)state
+                              type:(SNTRuleType)type
+                         customMsg:(NSString *)customMsg {
+  self = [self initWithIdentifier:identifier state:state type:type customMsg:customMsg timestamp:0];
+  // Initialize timestamp to current time if rule is transitive.
+  if (self && state == SNTRuleStateAllowTransitive) {
+    [self resetTimestamp];
+  }
+  return self;
+}
+
+// Converts rule information downloaded from the server into a SNTRule.  Because any information
+// not recorded by SNTRule is thrown away here, this method is also responsible for dealing with
+// the extra bundle rule information (bundle_hash & rule_count).
+- (instancetype)initWithDictionary:(NSDictionary *)dict {
+  if (![dict isKindOfClass:[NSDictionary class]]) return nil;
+
+  self = [super init];
+  if (self) {
+    _identifier = dict[kRuleIdentifier];
+    if (![_identifier isKindOfClass:[NSString class]] || !_identifier.length) {
+      _identifier = dict[kRuleSHA256];
+    }
+    if (![_identifier isKindOfClass:[NSString class]] || !_identifier.length) return nil;
+
+    NSString *policyString = dict[kRulePolicy];
+    if (![policyString isKindOfClass:[NSString class]]) return nil;
+    if ([policyString isEqual:kRulePolicyAllowlist] ||
+        [policyString isEqual:kRulePolicyAllowlistDeprecated]) {
+      _state = SNTRuleStateAllow;
+    } else if ([policyString isEqual:kRulePolicyAllowlistCompiler] ||
+               [policyString isEqual:kRulePolicyAllowlistCompilerDeprecated]) {
+      _state = SNTRuleStateAllowCompiler;
+    } else if ([policyString isEqual:kRulePolicyBlocklist] ||
+               [policyString isEqual:kRulePolicyBlocklistDeprecated]) {
+      _state = SNTRuleStateBlock;
+    } else if ([policyString isEqual:kRulePolicySilentBlocklist] ||
+               [policyString isEqual:kRulePolicySilentBlocklistDeprecated]) {
+      _state = SNTRuleStateSilentBlock;
+    } else if ([policyString isEqual:kRulePolicyRemove]) {
+      _state = SNTRuleStateRemove;
+    } else {
+      return nil;
+    }
+
+    NSString *ruleTypeString = dict[kRuleType];
+    if (![ruleTypeString isKindOfClass:[NSString class]]) return nil;
+    if ([ruleTypeString isEqual:kRuleTypeBinary]) {
+      _type = SNTRuleTypeBinary;
+    } else if ([ruleTypeString isEqual:kRuleTypeCertificate]) {
+      _type = SNTRuleTypeCertificate;
+    } else if ([ruleTypeString isEqual:kRuleTypeTeamID]) {
+      _type = SNTRuleTypeTeamID;
+    } else {
+      return nil;
+    }
+
+    NSString *customMsg = dict[kRuleCustomMsg];
+    if ([customMsg isKindOfClass:[NSString class]] && customMsg.length) {
+      _customMsg = customMsg;
+    }
   }
   return self;
 }
 
 #pragma mark NSSecureCoding
 
-#define ENCODE(obj, key) if (obj) [coder encodeObject:obj forKey:key]
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wobjc-literal-conversion"
+#define ENCODE(obj, key) \
+  if (obj) [coder encodeObject:obj forKey:key]
 #define DECODE(cls, key) [decoder decodeObjectOfClass:[cls class] forKey:key]
 
 + (BOOL)supportsSecureCoding {
@@ -40,45 +116,55 @@
 }
 
 - (void)encodeWithCoder:(NSCoder *)coder {
-  ENCODE(self.shasum, @"shasum");
+  ENCODE(self.identifier, @"identifier");
   ENCODE(@(self.state), @"state");
   ENCODE(@(self.type), @"type");
   ENCODE(self.customMsg, @"custommsg");
+  ENCODE(@(self.timestamp), @"timestamp");
 }
 
 - (instancetype)initWithCoder:(NSCoder *)decoder {
   self = [super init];
   if (self) {
-    _shasum = DECODE(NSString, @"shasum");
+    _identifier = DECODE(NSString, @"identifier");
     _state = [DECODE(NSNumber, @"state") intValue];
     _type = [DECODE(NSNumber, @"type") intValue];
     _customMsg = DECODE(NSString, @"custommsg");
+    _timestamp = [DECODE(NSNumber, @"timestamp") unsignedIntegerValue];
   }
   return self;
 }
 
 #undef DECODE
 #undef ENCODE
+#pragma clang diagnostic pop
 
 - (BOOL)isEqual:(id)other {
   if (other == self) return YES;
   if (![other isKindOfClass:[SNTRule class]]) return NO;
   SNTRule *o = other;
-  return ([self.shasum isEqual:o.shasum] && self.state == o.state && self.type == o.type);
+  return ([self.identifier isEqual:o.identifier] && self.state == o.state && self.type == o.type);
 }
 
 - (NSUInteger)hash {
   NSUInteger prime = 31;
   NSUInteger result = 1;
-  result = prime * result + [self.shasum hash];
+  result = prime * result + [self.identifier hash];
   result = prime * result + self.state;
   result = prime * result + self.type;
   return result;
 }
 
 - (NSString *)description {
-  return [NSString stringWithFormat:@"SNTRule: SHA-256: %@, State: %ld, Type: %ld",
-                                    self.shasum, self.state, self.type];
+  return [NSString
+    stringWithFormat:@"SNTRule: Identifier: %@, State: %ld, Type: %ld, Timestamp: %lu",
+                     self.identifier, self.state, self.type, (unsigned long)self.timestamp];
+}
+
+#pragma mark Last-access Timestamp
+
+- (void)resetTimestamp {
+  self.timestamp = (NSUInteger)[[NSDate date] timeIntervalSinceReferenceDate];
 }
 
 @end

Source/common/SNTRuleTest.m

@@ -0,0 +1,116 @@
+/// Copyright 2022 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import <XCTest/XCTest.h>
+
+#import "Source/common/SNTRule.h"
+
+@interface SNTRuleTest : XCTestCase
+@end
+
+@implementation SNTRuleTest
+
+- (void)testInitWithDictionaryValid {
+  SNTRule *sut;
+
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"some-sort-of-identifier",
+    @"policy" : @"ALLOWLIST",
+    @"rule_type" : @"BINARY",
+  }];
+  XCTAssertNotNil(sut);
+  XCTAssertEqualObjects(sut.identifier, @"some-sort-of-identifier");
+  XCTAssertEqual(sut.type, SNTRuleTypeBinary);
+  XCTAssertEqual(sut.state, SNTRuleStateAllow);
+
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"sha256" : @"some-sort-of-identifier",
+    @"policy" : @"BLOCKLIST",
+    @"rule_type" : @"CERTIFICATE",
+  }];
+  XCTAssertNotNil(sut);
+  XCTAssertEqualObjects(sut.identifier, @"some-sort-of-identifier");
+  XCTAssertEqual(sut.type, SNTRuleTypeCertificate);
+  XCTAssertEqual(sut.state, SNTRuleStateBlock);
+
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"some-sort-of-identifier",
+    @"policy" : @"SILENT_BLOCKLIST",
+    @"rule_type" : @"TEAMID",
+  }];
+  XCTAssertNotNil(sut);
+  XCTAssertEqualObjects(sut.identifier, @"some-sort-of-identifier");
+  XCTAssertEqual(sut.type, SNTRuleTypeTeamID);
+  XCTAssertEqual(sut.state, SNTRuleStateSilentBlock);
+
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"some-sort-of-identifier",
+    @"policy" : @"ALLOWLIST_COMPILER",
+    @"rule_type" : @"BINARY",
+  }];
+  XCTAssertNotNil(sut);
+  XCTAssertEqualObjects(sut.identifier, @"some-sort-of-identifier");
+  XCTAssertEqual(sut.type, SNTRuleTypeBinary);
+  XCTAssertEqual(sut.state, SNTRuleStateAllowCompiler);
+
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"some-sort-of-identifier",
+    @"policy" : @"REMOVE",
+    @"rule_type" : @"TEAMID",
+  }];
+  XCTAssertNotNil(sut);
+  XCTAssertEqualObjects(sut.identifier, @"some-sort-of-identifier");
+  XCTAssertEqual(sut.type, SNTRuleTypeTeamID);
+  XCTAssertEqual(sut.state, SNTRuleStateRemove);
+
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"some-sort-of-identifier",
+    @"policy" : @"ALLOWLIST",
+    @"rule_type" : @"TEAMID",
+    @"custom_msg" : @"A custom block message",
+  }];
+  XCTAssertNotNil(sut);
+  XCTAssertEqualObjects(sut.identifier, @"some-sort-of-identifier");
+  XCTAssertEqual(sut.type, SNTRuleTypeTeamID);
+  XCTAssertEqual(sut.state, SNTRuleStateAllow);
+  XCTAssertEqualObjects(sut.customMsg, @"A custom block message");
+}
+
+- (void)testInitWithDictionaryInvalid {
+  SNTRule *sut;
+
+  sut = [[SNTRule alloc] initWithDictionary:@{}];
+  XCTAssertNil(sut);
+
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"an-identifier",
+  }];
+  XCTAssertNil(sut);
+
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"an-identifier",
+    @"policy" : @"OTHERPOLICY",
+    @"rule_type" : @"BINARY",
+  }];
+  XCTAssertNil(sut);
+
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"an-identifier",
+    @"policy" : @"ALLOWLIST",
+    @"rule_type" : @"OTHER_RULE_TYPE",
+  }];
+  XCTAssertNil(sut);
+}
+
+@end

Source/common/SNTStoredEvent.h

@@ -12,12 +12,14 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTCommonEnums.h"
+#import <Foundation/Foundation.h>
+
+#import "Source/common/SNTCommonEnums.h"
 
 ///
 ///  Represents an event stored in the database.
 ///
-@interface SNTStoredEvent : NSObject<NSSecureCoding>
+@interface SNTStoredEvent : NSObject <NSSecureCoding>
 
 ///
 ///  An index for this event, randomly generated during initialization.
@@ -34,6 +36,28 @@
 ///
 @property NSString *filePath;
 
+///
+///  Set to YES if the event is a part of a bundle. When an event is passed to SantaGUI this propery
+///  will be used as an indicator to to kick off bundle hashing as necessary. Default value is NO.
+///
+@property BOOL needsBundleHash;
+
+///
+///  If the executed file was part of a bundle, this is the calculated hash of all the nested
+///  executables within the bundle.
+///
+@property NSString *fileBundleHash;
+
+///
+///  If the executed file was part of a bundle, this is the time in ms it took to hash the bundle.
+///
+@property NSNumber *fileBundleHashMilliseconds;
+
+///
+///  If the executed file was part of a bundle, this is the total count of related mach-o binaries.
+///
+@property NSNumber *fileBundleBinaryCount;
+
 ///
 ///  If the executed file was part of the bundle, this is the CFBundleDisplayName, if it exists
 ///  or the CFBundleName if not.
@@ -45,6 +69,11 @@
 ///
 @property NSString *fileBundlePath;
 
+///
+///  The relative path to the bundle's main executable.
+///
+@property NSString *fileBundleExecutableRelPath;
+
 ///
 ///  If the executed file was part of the bundle, this is the CFBundleID.
 ///
@@ -66,6 +95,12 @@
 ///
 @property NSArray *signingChain;
 
+
+///
+/// If the executed file was signed, this is the Team ID if present in the signature information.
+///
+@property NSString *teamID;
+
 ///
 ///  The user who executed the binary.
 ///

Source/common/SNTStoredEvent.m

@@ -12,17 +12,21 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTStoredEvent.h"
+#import "Source/common/SNTStoredEvent.h"
 
-#import "MOLCertificate.h"
+#import <MOLCertificate/MOLCertificate.h>
 
 @implementation SNTStoredEvent
 
-#define ENCODE(obj, key) if (obj) [coder encodeObject:obj forKey:key]
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wobjc-literal-conversion"
+
+#define ENCODE(obj, key) \
+  if (obj) [coder encodeObject:obj forKey:key]
 #define DECODE(cls, key) [decoder decodeObjectOfClass:[cls class] forKey:key]
-#define DECODEARRAY(cls, key) \
-    [decoder decodeObjectOfClasses:[NSSet setWithObjects:[NSArray class], [cls class], nil] \
-                            forKey:key]
+#define DECODEARRAY(cls, key)                                                             \
+  [decoder decodeObjectOfClasses:[NSSet setWithObjects:[NSArray class], [cls class], nil] \
+                          forKey:key]
 
 + (BOOL)supportsSecureCoding {
   return YES;
@@ -33,13 +37,19 @@
   ENCODE(self.fileSHA256, @"fileSHA256");
   ENCODE(self.filePath, @"filePath");
 
+  ENCODE(@(self.needsBundleHash), @"needsBundleHash");
+  ENCODE(self.fileBundleHash, @"fileBundleHash");
+  ENCODE(self.fileBundleHashMilliseconds, @"fileBundleHashMilliseconds");
+  ENCODE(self.fileBundleBinaryCount, @"fileBundleBinaryCount");
   ENCODE(self.fileBundleName, @"fileBundleName");
   ENCODE(self.fileBundlePath, @"fileBundlePath");
+  ENCODE(self.fileBundleExecutableRelPath, @"fileBundleExecutableRelPath");
   ENCODE(self.fileBundleID, @"fileBundleID");
   ENCODE(self.fileBundleVersion, @"fileBundleVersion");
   ENCODE(self.fileBundleVersionString, @"fileBundleVersionString");
 
   ENCODE(self.signingChain, @"signingChain");
+  ENCODE(self.teamID, @"teamID");
 
   ENCODE(self.executingUser, @"executingUser");
   ENCODE(self.occurrenceDate, @"occurrenceDate");
@@ -72,13 +82,19 @@
     _fileSHA256 = DECODE(NSString, @"fileSHA256");
     _filePath = DECODE(NSString, @"filePath");
 
+    _needsBundleHash = [DECODE(NSNumber, @"needsBundleHash") boolValue];
+    _fileBundleHash = DECODE(NSString, @"fileBundleHash");
+    _fileBundleHashMilliseconds = DECODE(NSNumber, @"fileBundleHashMilliseconds");
+    _fileBundleBinaryCount = DECODE(NSNumber, @"fileBundleBinaryCount");
     _fileBundleName = DECODE(NSString, @"fileBundleName");
     _fileBundlePath = DECODE(NSString, @"fileBundlePath");
+    _fileBundleExecutableRelPath = DECODE(NSString, @"fileBundleExecutableRelPath");
     _fileBundleID = DECODE(NSString, @"fileBundleID");
     _fileBundleVersion = DECODE(NSString, @"fileBundleVersion");
     _fileBundleVersionString = DECODE(NSString, @"fileBundleVersionString");
 
     _signingChain = DECODEARRAY(MOLCertificate, @"signingChain");
+    _teamID = DECODE(NSString, @"teamID");
 
     _executingUser = DECODE(NSString, @"executingUser");
     _occurrenceDate = DECODE(NSDate, @"occurrenceDate");
@@ -116,7 +132,9 @@
 
 - (NSString *)description {
   return
-      [NSString stringWithFormat:@"SNTStoredEvent[%@] with SHA-256: %@", self.idx, self.fileSHA256];
+    [NSString stringWithFormat:@"SNTStoredEvent[%@] with SHA-256: %@", self.idx, self.fileSHA256];
 }
 
+#pragma clang diagnostic pop
+
 @end

Source/common/SNTStrengthify.h

@@ -12,11 +12,10 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#define STRONGIFY(var) \
-  _Pragma("clang diagnostic push") \
-  _Pragma("clang diagnostic ignored \"-Wshadow\"") \
-  __strong __typeof(var) var = (Weak_##var); \
+#define STRONGIFY(var)                                 \
+  _Pragma("clang diagnostic push")                     \
+      _Pragma("clang diagnostic ignored \"-Wshadow\"") \
+          __strong __typeof(var) var = (Weak_##var);   \
   _Pragma("clang diagnostic pop")
 
-#define WEAKIFY(var) \
-  __weak __typeof(var) Weak_##var = (var);
+#define WEAKIFY(var) __weak __typeof(var) Weak_##var = (var);

Source/common/SNTSyncConstants.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Foundation/Foundation.h>
+
 extern NSString *const kXSRFToken;
 
 extern NSString *const kSerialNumber;
@@ -19,6 +21,7 @@ extern NSString *const kHostname;
 extern NSString *const kSantaVer;
 extern NSString *const kOSVer;
 extern NSString *const kOSBuild;
+extern NSString *const kModelIdentifier;
 extern NSString *const kPrimaryUser;
 extern NSString *const kRequestCleanSync;
 extern NSString *const kBatchSize;
@@ -26,12 +29,29 @@ extern NSString *const kUploadLogsURL;
 extern NSString *const kClientMode;
 extern NSString *const kClientModeMonitor;
 extern NSString *const kClientModeLockdown;
+extern NSString *const kBlockUSBMount;
+extern NSString *const kRemountUSBMode;
 extern NSString *const kCleanSync;
-extern NSString *const kWhitelistRegex;
-extern NSString *const kBlacklistRegex;
+extern NSString *const kAllowedPathRegex;
+extern NSString *const kAllowedPathRegexDeprecated;
+extern NSString *const kBlockedPathRegex;
+extern NSString *const kBlockedPathRegexDeprecated;
 extern NSString *const kBinaryRuleCount;
 extern NSString *const kCertificateRuleCount;
+extern NSString *const kCompilerRuleCount;
+extern NSString *const kTransitiveRuleCount;
+extern NSString *const kTeamIDRuleCount;
+extern NSString *const kFullSyncInterval;
 extern NSString *const kFCMToken;
+extern NSString *const kFCMFullSyncInterval;
+extern NSString *const kFCMGlobalRuleSyncDeadline;
+extern NSString *const kEnableBundles;
+extern NSString *const kEnableBundlesDeprecated;
+extern NSString *const kEnableTransitiveRules;
+extern NSString *const kEnableTransitiveRulesDeprecated;
+extern NSString *const kEnableTransitiveRulesSuperDeprecated;
+extern NSString *const kEnableAllEventUpload;
+extern NSString *const kDisableUnknownEventUpload;
 
 extern NSString *const kEvents;
 extern NSString *const kFileSHA256;
@@ -44,19 +64,25 @@ extern NSString *const kDecisionAllowUnknown;
 extern NSString *const kDecisionAllowBinary;
 extern NSString *const kDecisionAllowCertificate;
 extern NSString *const kDecisionAllowScope;
+extern NSString *const kDecisionAllowTeamID;
 extern NSString *const kDecisionBlockUnknown;
 extern NSString *const kDecisionBlockBinary;
 extern NSString *const kDecisionBlockCertificate;
 extern NSString *const kDecisionBlockScope;
+extern NSString *const kDecisionBlockTeamID;
 extern NSString *const kDecisionUnknown;
 extern NSString *const kDecisionBundleBinary;
 extern NSString *const kLoggedInUsers;
 extern NSString *const kCurrentSessions;
 extern NSString *const kFileBundleID;
 extern NSString *const kFileBundlePath;
+extern NSString *const kFileBundleExecutableRelPath;
 extern NSString *const kFileBundleName;
 extern NSString *const kFileBundleVersion;
 extern NSString *const kFileBundleShortVersionString;
+extern NSString *const kFileBundleHash;
+extern NSString *const kFileBundleHashMilliseconds;
+extern NSString *const kFileBundleBinaryCount;
 extern NSString *const kPID;
 extern NSString *const kPPID;
 extern NSString *const kParentName;
@@ -67,24 +93,30 @@ extern NSString *const kCertOrg;
 extern NSString *const kCertOU;
 extern NSString *const kCertValidFrom;
 extern NSString *const kCertValidUntil;
+extern NSString *const kTeamID;
 extern NSString *const kQuarantineDataURL;
 extern NSString *const kQuarantineRefererURL;
 extern NSString *const kQuarantineTimestamp;
 extern NSString *const kQuarantineAgentBundleID;
 extern NSString *const kEventUploadBundleBinaries;
 
-extern NSString *const kLogUploadField;
-
 extern NSString *const kRules;
 extern NSString *const kRuleSHA256;
+extern NSString *const kRuleIdentifier;
 extern NSString *const kRulePolicy;
-extern NSString *const kRulePolicyWhitelist;
-extern NSString *const kRulePolicyBlacklist;
-extern NSString *const kRulePolicySilentBlacklist;
+extern NSString *const kRulePolicyAllowlist;
+extern NSString *const kRulePolicyAllowlistDeprecated;
+extern NSString *const kRulePolicyAllowlistCompiler;
+extern NSString *const kRulePolicyAllowlistCompilerDeprecated;
+extern NSString *const kRulePolicyBlocklist;
+extern NSString *const kRulePolicyBlocklistDeprecated;
+extern NSString *const kRulePolicySilentBlocklist;
+extern NSString *const kRulePolicySilentBlocklistDeprecated;
 extern NSString *const kRulePolicyRemove;
 extern NSString *const kRuleType;
 extern NSString *const kRuleTypeBinary;
 extern NSString *const kRuleTypeCertificate;
+extern NSString *const kRuleTypeTeamID;
 extern NSString *const kRuleCustomMsg;
 extern NSString *const kCursor;
 
@@ -94,3 +126,16 @@ extern NSString *const kFullSync;
 extern NSString *const kRuleSync;
 extern NSString *const kConfigSync;
 extern NSString *const kLogSync;
+
+extern const NSUInteger kDefaultEventBatchSize;
+
+///
+///  kDefaultFullSyncInterval
+///  kDefaultFCMFullSyncInterval
+///  kDefaultFCMGlobalRuleSyncDeadline
+///
+///  Are represented in seconds
+///
+extern const NSUInteger kDefaultFullSyncInterval;
+extern const NSUInteger kDefaultPushNotificationsFullSyncInterval;
+extern const NSUInteger kDefaultPushNotificationsGlobalRuleSyncDeadline;

Source/common/SNTSyncConstants.m

@@ -12,7 +12,7 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTCommandSyncConstants.h"
+#import "Source/common/SNTSyncConstants.h"
 
 NSString *const kXSRFToken = @"X-XSRF-TOKEN";
 
@@ -21,19 +21,38 @@ NSString *const kHostname = @"hostname";
 NSString *const kSantaVer = @"santa_version";
 NSString *const kOSVer = @"os_version";
 NSString *const kOSBuild = @"os_build";
+NSString *const kModelIdentifier = @"model_identifier";
 NSString *const kPrimaryUser = @"primary_user";
 NSString *const kRequestCleanSync = @"request_clean_sync";
 NSString *const kBatchSize = @"batch_size";
 NSString *const kUploadLogsURL = @"upload_logs_url";
 NSString *const kClientMode = @"client_mode";
+NSString *const kBlockUSBMount = @"block_usb_mount";
+NSString *const kRemountUSBMode = @"remount_usb_mode";
 NSString *const kClientModeMonitor = @"MONITOR";
 NSString *const kClientModeLockdown = @"LOCKDOWN";
 NSString *const kCleanSync = @"clean_sync";
-NSString *const kWhitelistRegex = @"whitelist_regex";
-NSString *const kBlacklistRegex = @"blacklist_regex";
+NSString *const kAllowedPathRegex = @"allowed_path_regex";
+NSString *const kAllowedPathRegexDeprecated = @"whitelist_regex";
+NSString *const kBlockedPathRegex = @"blocked_path_regex";
+NSString *const kBlockedPathRegexDeprecated = @"blacklist_regex";
 NSString *const kBinaryRuleCount = @"binary_rule_count";
 NSString *const kCertificateRuleCount = @"certificate_rule_count";
+NSString *const kCompilerRuleCount = @"compiler_rule_count";
+NSString *const kTransitiveRuleCount = @"transitive_rule_count";
+NSString *const kTeamIDRuleCount = @"teamid_rule_count";
+NSString *const kFullSyncInterval = @"full_sync_interval";
 NSString *const kFCMToken = @"fcm_token";
+NSString *const kFCMFullSyncInterval = @"fcm_full_sync_interval";
+NSString *const kFCMGlobalRuleSyncDeadline = @"fcm_global_rule_sync_deadline";
+
+NSString *const kEnableBundles = @"enable_bundles";
+NSString *const kEnableBundlesDeprecated = @"bundles_enabled";
+NSString *const kEnableTransitiveRules = @"enable_transitive_rules";
+NSString *const kEnableTransitiveRulesDeprecated = @"enabled_transitive_whitelisting";
+NSString *const kEnableTransitiveRulesSuperDeprecated = @"transitive_whitelisting_enabled";
+NSString *const kEnableAllEventUpload = @"enable_all_event_upload";
+NSString *const kDisableUnknownEventUpload = @"disable_unknown_event_upload";
 
 NSString *const kEvents = @"events";
 NSString *const kFileSHA256 = @"file_sha256";
@@ -46,19 +65,25 @@ NSString *const kDecisionAllowUnknown = @"ALLOW_UNKNOWN";
 NSString *const kDecisionAllowBinary = @"ALLOW_BINARY";
 NSString *const kDecisionAllowCertificate = @"ALLOW_CERTIFICATE";
 NSString *const kDecisionAllowScope = @"ALLOW_SCOPE";
+NSString *const kDecisionAllowTeamID = @"ALLOW_TEAMID";
 NSString *const kDecisionBlockUnknown = @"BLOCK_UNKNOWN";
 NSString *const kDecisionBlockBinary = @"BLOCK_BINARY";
 NSString *const kDecisionBlockCertificate = @"BLOCK_CERTIFICATE";
 NSString *const kDecisionBlockScope = @"BLOCK_SCOPE";
+NSString *const kDecisionBlockTeamID = @"BLOCK_TEAMID";
 NSString *const kDecisionUnknown = @"UNKNOWN";
 NSString *const kDecisionBundleBinary = @"BUNDLE_BINARY";
 NSString *const kLoggedInUsers = @"logged_in_users";
 NSString *const kCurrentSessions = @"current_sessions";
 NSString *const kFileBundleID = @"file_bundle_id";
 NSString *const kFileBundlePath = @"file_bundle_path";
+NSString *const kFileBundleExecutableRelPath = @"file_bundle_executable_rel_path";
 NSString *const kFileBundleName = @"file_bundle_name";
 NSString *const kFileBundleVersion = @"file_bundle_version";
 NSString *const kFileBundleShortVersionString = @"file_bundle_version_string";
+NSString *const kFileBundleHash = @"file_bundle_hash";
+NSString *const kFileBundleHashMilliseconds = @"file_bundle_hash_millis";
+NSString *const kFileBundleBinaryCount = @"file_bundle_binary_count";
 NSString *const kPID = @"pid";
 NSString *const kPPID = @"ppid";
 NSString *const kParentName = @"parent_name";
@@ -69,24 +94,30 @@ NSString *const kCertOrg = @"org";
 NSString *const kCertOU = @"ou";
 NSString *const kCertValidFrom = @"valid_from";
 NSString *const kCertValidUntil = @"valid_until";
+NSString *const kTeamID = @"team_id";
 NSString *const kQuarantineDataURL = @"quarantine_data_url";
 NSString *const kQuarantineRefererURL = @"quarantine_referer_url";
 NSString *const kQuarantineTimestamp = @"quarantine_timestamp";
 NSString *const kQuarantineAgentBundleID = @"quarantine_agent_bundle_id";
 NSString *const kEventUploadBundleBinaries = @"event_upload_bundle_binaries";
 
-NSString *const kLogUploadField = @"files";
-
 NSString *const kRules = @"rules";
 NSString *const kRuleSHA256 = @"sha256";
+NSString *const kRuleIdentifier = @"identifier";
 NSString *const kRulePolicy = @"policy";
-NSString *const kRulePolicyWhitelist = @"WHITELIST";
-NSString *const kRulePolicyBlacklist = @"BLACKLIST";
-NSString *const kRulePolicySilentBlacklist = @"SILENT_BLACKLIST";
+NSString *const kRulePolicyAllowlist = @"ALLOWLIST";
+NSString *const kRulePolicyAllowlistDeprecated = @"WHITELIST";
+NSString *const kRulePolicyAllowlistCompiler = @"ALLOWLIST_COMPILER";
+NSString *const kRulePolicyAllowlistCompilerDeprecated = @"WHITELIST_COMPILER";
+NSString *const kRulePolicyBlocklist = @"BLOCKLIST";
+NSString *const kRulePolicyBlocklistDeprecated = @"BLACKLIST";
+NSString *const kRulePolicySilentBlocklist = @"SILENT_BLOCKLIST";
+NSString *const kRulePolicySilentBlocklistDeprecated = @"SILENT_BLACKLIST";
 NSString *const kRulePolicyRemove = @"REMOVE";
 NSString *const kRuleType = @"rule_type";
 NSString *const kRuleTypeBinary = @"BINARY";
 NSString *const kRuleTypeCertificate = @"CERTIFICATE";
+NSString *const kRuleTypeTeamID = @"TEAMID";
 NSString *const kRuleCustomMsg = @"custom_msg";
 NSString *const kCursor = @"cursor";
 
@@ -96,3 +127,8 @@ NSString *const kFullSync = @"full_sync";
 NSString *const kRuleSync = @"rule_sync";
 NSString *const kConfigSync = @"config_sync";
 NSString *const kLogSync = @"log_sync";
+
+const NSUInteger kDefaultEventBatchSize = 50;
+const NSUInteger kDefaultFullSyncInterval = 600;
+const NSUInteger kDefaultPushNotificationsFullSyncInterval = 14400;
+const NSUInteger kDefaultPushNotificationsGlobalRuleSyncDeadline = 600;

Source/common/SNTSystemInfo.h

@@ -12,6 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <Foundation/Foundation.h>
+
 ///
 ///  Simple class for fetching system information
 ///
@@ -47,4 +49,9 @@
 ///
 + (NSString *)longHostname;
 
+///
+///  @return Model Identifier
+///
++ (NSString *)modelIdentifier;
+
 @end

Source/common/SNTSystemInfo.m

@@ -12,17 +12,18 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTSystemInfo.h"
+#import "Source/common/SNTSystemInfo.h"
+#include <sys/sysctl.h>
 
 @implementation SNTSystemInfo
 
 + (NSString *)serialNumber {
-  io_service_t platformExpert = IOServiceGetMatchingService(
-      kIOMasterPortDefault, IOServiceMatching("IOPlatformExpertDevice"));
+  io_service_t platformExpert =
+    IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOPlatformExpertDevice"));
   if (!platformExpert) return nil;
 
   NSString *serial = CFBridgingRelease(IORegistryEntryCreateCFProperty(
-      platformExpert, CFSTR(kIOPlatformSerialNumberKey), kCFAllocatorDefault, 0));
+    platformExpert, CFSTR(kIOPlatformSerialNumberKey), kCFAllocatorDefault, 0));
 
   IOObjectRelease(platformExpert);
 
@@ -30,12 +31,12 @@
 }
 
 + (NSString *)hardwareUUID {
-  io_service_t platformExpert = IOServiceGetMatchingService(
-      kIOMasterPortDefault, IOServiceMatching("IOPlatformExpertDevice"));
+  io_service_t platformExpert =
+    IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOPlatformExpertDevice"));
   if (!platformExpert) return nil;
 
   NSString *uuid = CFBridgingRelease(IORegistryEntryCreateCFProperty(
-      platformExpert, CFSTR(kIOPlatformUUIDKey), kCFAllocatorDefault, 0));
+    platformExpert, CFSTR(kIOPlatformUUIDKey), kCFAllocatorDefault, 0));
 
   IOObjectRelease(platformExpert);
 
@@ -60,11 +61,18 @@
   return @(hostname);
 }
 
++ (NSString *)modelIdentifier {
+  char model[32];
+  size_t len = 32;
+  sysctlbyname("hw.model", model, &len, NULL, 0);
+  return @(model);
+}
+
 #pragma mark - Internal
 
 + (NSDictionary *)_systemVersionDictionary {
-  return [NSDictionary
-      dictionaryWithContentsOfFile:@"/System/Library/CoreServices/SystemVersion.plist"];
+  return
+    [NSDictionary dictionaryWithContentsOfFile:@"/System/Library/CoreServices/SystemVersion.plist"];
 }
 
 @end

Source/common/SNTXPCBundleServiceInterface.h

@@ -0,0 +1,71 @@
+/// Copyright 2017 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import <Foundation/Foundation.h>
+
+#import <MOLXPCConnection/MOLXPCConnection.h>
+
+@class SNTStoredEvent;
+
+///  A block that takes the calculated bundle hash, associated events and hashing time in ms.
+typedef void (^SNTBundleHashBlock)(NSString *, NSArray<SNTStoredEvent *> *, NSNumber *);
+
+///  Protocol implemented by santabs and utilized by SantaGUI for bundle hashing
+@protocol SNTBundleServiceXPC
+
+///
+///  @param listener The listener to connect back to the SantaGUI.
+///
+- (void)setNotificationListener:(NSXPCListenerEndpoint *)listener;
+
+///
+///  Hash a bundle for an event. The SNTBundleHashBlock will be called with nil parameters if a
+///  failure or cancellation occurs.
+///
+///  @param event The event that includes the fileBundlePath to be hashed. This method will
+///      attempt to to find and use the ancestor bundle as a starting point.
+///  @param reply A SNTBundleHashBlock to be executed upon completion or cancellation.
+///
+///  @note If there is a current NSProgress when called this method will report back its progress.
+///
+- (void)hashBundleBinariesForEvent:(SNTStoredEvent *)event reply:(SNTBundleHashBlock)reply;
+
+///
+///  santabundleservice is launched on demand by launchd, call spindown to let santabundleservice
+///  know you are done with it.
+///
+- (void)spindown;
+
+@end
+
+@interface SNTXPCBundleServiceInterface : NSObject
+
+///
+///  Returns an initialized NSXPCInterface for the SNTBundleServiceXPC protocol.
+///  Ensures any methods that accept custom classes as arguments are set-up before returning.
+///
++ (NSXPCInterface *)bundleServiceInterface;
+
+///
+///  Returns the MachService ID for this service.
+///
++ (NSString *)serviceID;
+
+///
+///  Retrieve a pre-configured MOLXPCConnection for communicating with santabundleservice.
+///  Connections just needs any handlers set and then can be resumed and used.
+///
++ (MOLXPCConnection *)configuredConnection;
+
+@end

Source/common/SNTXPCBundleServiceInterface.m

@@ -0,0 +1,43 @@
+/// Copyright 2017 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "Source/common/SNTXPCBundleServiceInterface.h"
+
+#import "Source/common/SNTStoredEvent.h"
+
+@implementation SNTXPCBundleServiceInterface
+
++ (NSXPCInterface *)bundleServiceInterface {
+  NSXPCInterface *r = [NSXPCInterface interfaceWithProtocol:@protocol(SNTBundleServiceXPC)];
+
+  [r setClasses:[NSSet setWithObjects:[NSArray class], [SNTStoredEvent class], nil]
+      forSelector:@selector(hashBundleBinariesForEvent:reply:)
+    argumentIndex:1
+          ofReply:YES];
+
+  return r;
+}
+
++ (NSString *)serviceID {
+  return @"com.google.santa.bundleservice";
+}
+
++ (MOLXPCConnection *)configuredConnection {
+  MOLXPCConnection *c = [[MOLXPCConnection alloc] initClientWithName:[self serviceID]
+                                                          privileged:YES];
+  c.remoteInterface = [self bundleServiceInterface];
+  return c;
+}
+
+@end

Source/common/SNTXPCConnection.h

@@ -1,126 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-/**
-  A wrapper around NSXPCListener and NSXPCConnection to provide client multiplexing, signature
-  validation of connecting clients and forced connection establishment.
-
-  Example server started by @c launchd where the @c launchd job has a @c MachServices key:
-
-  @code
-   SNTXPCConnection *conn = [[SNTXPCConnection alloc] initServerWithName:@"MyServer"];
-   conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(MyServerProtocol)];
-   conn.exportedObject = myObject;
-   [conn resume];
-  @endcode
-
-  Example client, connecting to above server:
-
-  @code
-   SNTXPCConnection *conn = [[SNTXPCConnection alloc] initClientWithName:"MyServer"
-                                                             withOptions:0];
-   conn.remoteInterface = [NSXPCInterface interfaceWithProtocol:@protocol(MyServerProtocol)];
-   conn.invalidationHandler = ^{ NSLog(@"Connection invalidated") };
-   [conn resume];
-  @endcode
-
-  The client can send a message to the server with:
-
-  @code
-   [conn.remoteObjectProxy selectorInRemoteInterface];
-  @endcode
-
-  One advantage of the way that SNTXPCConnection works over using NSXPCConnection directly is that
-  from the client-side once the resume method has finished, the connection is either valid or the
-  invalidation handler will be called. Ordinarily, the connection doesn't actually get made until
-  the first message is sent across it.
-
-  @note messages are always delivered on a background thread!
-*/
-@interface SNTXPCConnection : NSObject<NSXPCListenerDelegate>
-
-/**
-  Initialize a new server with a given listener, provided by `[NSXPCListener anonymousListener]`.
-*/
-- (nullable instancetype)initServerWithListener:(nonnull NSXPCListener *)listener;
-
-/**
-  Initializer for the 'server' side of the connection, started by launchd.
-
-  @param name MachService name, must match the MachServices key in the launchd.plist
-*/
-- (nullable instancetype)initServerWithName:(nonnull NSString *)name;
-
-/**
-  Initializer a new client to a service exported by a LaunchDaemon.
-
-  @param name MachService name
-  @param privileged Use YES if the server is running as root.
-*/
-- (nullable instancetype)initClientWithName:(nonnull NSString *)name privileged:(BOOL)privileged;
-
-/**
-  Initialize a new client with a listener endpoint sent from another process.
-
-  @param listener An NSXPCListenerEndpoint to connect to.
-*/
-- (nullable instancetype)initClientWithListener:(nonnull NSXPCListenerEndpoint *)listener;
-
-/**
-  Call when the properties of the object have been set-up and you're ready for connections.
-
-  For clients, this call can take up to 2s to complete for connection to finish establishing though
-  in basically all cases it will actually complete in a few milliseconds.
-*/
-- (void)resume;
-
-/**
-  Invalidate the connection(s). This must be done before the object can be released.
-*/
-- (void)invalidate;
-
-/**
-  The interface the remote object should conform to. (client)
-*/
-@property(retain, nullable) NSXPCInterface *remoteInterface;
-
-/**
-  A proxy to the object at the other end of the connection. (client)
-
-  @note If the connection to the server failed, this will be nil, so you can safely send messages
-  and rely on the invalidationHandler for handling the failure.
-*/
-@property(readonly, nonatomic, nullable) id remoteObjectProxy;
-
-/**
-  The interface this object exports. (server)
-*/
-@property(retain, nullable) NSXPCInterface *exportedInterface;
-
-/**
-  The object that responds to messages from the other end. (server)
-*/
-@property(retain, nullable) id exportedObject;
-
-/**
-  A block to run when a/the connection is accepted and fully established.
-*/
-@property(copy, nullable) void (^acceptedHandler)(void);
-
-/**
-  A block to run when a/the connection is invalidated/interrupted/rejected.
-*/
-@property(copy, nullable) void (^invalidationHandler)(void);
-
-@end

Source/common/SNTXPCConnection.m

@@ -1,191 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-#import "SNTXPCConnection.h"
-
-#import "MOLCodesignChecker.h"
-
-#import "SNTStrengthify.h"
-
-/**
-  Protocol used during connection establishment, @see SNTXPCConnectionInterface
-*/
-@protocol SNTXPCConnectionProtocol
-- (void)connectWithReply:(void (^)())reply;
-@end
-
-/**
-  Recipient object used during connection establishment. Each incoming connection
-  has one of these objects created which accept the message in the protocol
-  and call the block provided during creation before replying.
-
-  This allows the server to reset the connection's exported interface and
-  object to the correct values after the client has sent the establishment message.
-*/
-@interface SNTXPCConnectionInterface : NSObject<SNTXPCConnectionProtocol>
-@property(strong) void (^block)(void);
-@end
-
-@implementation SNTXPCConnectionInterface
-- (void)connectWithReply:(void (^)())reply {
-  if (self.block) self.block();
-  reply();
-}
-@end
-
-@interface SNTXPCConnection ()
-@property NSXPCInterface *validationInterface;
-
-/// The XPC listener (server only).
-@property NSXPCListener *listenerObject;
-
-/// The current connection object (client only).
-@property NSXPCConnection *currentConnection;
-@end
-
-@implementation SNTXPCConnection
-
-#pragma mark Initializers
-
-- (instancetype)initServerWithListener:(NSXPCListener *)listener {
-  self = [super init];
-  if (self) {
-    _listenerObject = listener;
-    _validationInterface =
-        [NSXPCInterface interfaceWithProtocol:@protocol(SNTXPCConnectionProtocol)];
-  }
-  return self;
-}
-
-- (instancetype)initServerWithName:(NSString *)name {
-  return [self initServerWithListener:[[NSXPCListener alloc] initWithMachServiceName:name]];
-}
-
-- (instancetype)initClientWithListener:(NSXPCListenerEndpoint *)listener {
-  self = [super init];
-  if (self) {
-    _currentConnection = [[NSXPCConnection alloc] initWithListenerEndpoint:listener];
-    if (!_currentConnection) return nil;
-    _validationInterface =
-        [NSXPCInterface interfaceWithProtocol:@protocol(SNTXPCConnectionProtocol)];
-  }
-  return self;
-}
-
-- (instancetype)initClientWithName:(NSString *)name privileged:(BOOL)privileged {
-  self = [super init];
-  if (self) {
-    NSXPCConnectionOptions options = (privileged ? NSXPCConnectionPrivileged : 0);
-    _currentConnection = [[NSXPCConnection alloc] initWithMachServiceName:name options:options];
-    if (!_currentConnection) return nil;
-    _validationInterface =
-        [NSXPCInterface interfaceWithProtocol:@protocol(SNTXPCConnectionProtocol)];
-  }
-  return self;
-}
-
-- (instancetype)init {
-  [self doesNotRecognizeSelector:_cmd];
-  return nil;
-}
-
-#pragma mark Connection set-up
-
-- (void)resume {
-  if (self.listenerObject) {
-    self.listenerObject.delegate = self;
-    [self.listenerObject resume];
-  } else {
-    WEAKIFY(self);
-
-    // Set-up the connection with the remote interface set to the validation interface,
-    // send a message to the listener to finish establishing the connection
-    dispatch_semaphore_t sema = dispatch_semaphore_create(0);
-    self.currentConnection.remoteObjectInterface = self.validationInterface;
-    self.currentConnection.interruptionHandler = self.invalidationHandler;
-    self.currentConnection.invalidationHandler = self.invalidationHandler;
-    [self.currentConnection resume];
-    [[self.currentConnection remoteObjectProxy] connectWithReply:^{
-      STRONGIFY(self);
-      // The connection is now established
-      [self.currentConnection suspend];
-      self.currentConnection.remoteObjectInterface = self.remoteInterface;
-      [self.currentConnection resume];
-      dispatch_semaphore_signal(sema);
-      if (self.acceptedHandler) self.acceptedHandler();
-    }];
-    if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 2 * NSEC_PER_SEC))) {
-      // Connection was not established in a reasonable time, invalidate.
-      self.currentConnection.remoteObjectInterface = nil;  // ensure clients don't try to use it.
-      [self.currentConnection invalidate];
-    }
-  }
-}
-
-- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)connection {
-  pid_t pid = connection.processIdentifier;
-  MOLCodesignChecker *otherCS = [[MOLCodesignChecker alloc] initWithPID:pid];
-  if (![otherCS signingInformationMatches:[[MOLCodesignChecker alloc] initWithSelf]]) {
-    return NO;
-  }
-
-  // The client passed the code signature check, now we need to resume the listener and
-  // return YES so that the client can send the connectWithReply message. Once the client does
-  // we reset the connection's exportedInterface and exportedObject.
-  SNTXPCConnectionInterface *ci = [[SNTXPCConnectionInterface alloc] init];
-  WEAKIFY(self);
-  WEAKIFY(connection);
-  ci.block = ^{
-    STRONGIFY(self)
-    STRONGIFY(connection);
-    [connection suspend];
-    connection.invalidationHandler = connection.interruptionHandler = ^{
-      if (self.invalidationHandler) self.invalidationHandler();
-    };
-    connection.exportedInterface = self.exportedInterface;
-    connection.exportedObject = self.exportedObject;
-    [connection resume];
-
-    // The connection is now established.
-    if (self.acceptedHandler) self.acceptedHandler();
-  };
-  connection.exportedInterface = self.validationInterface;
-  connection.exportedObject = ci;
-  [connection resume];
-
-  return YES;
-}
-
-- (id)remoteObjectProxy {
-  if (self.currentConnection.remoteObjectInterface &&
-      self.currentConnection.remoteObjectInterface != self.validationInterface) {
-    return [self.currentConnection remoteObjectProxyWithErrorHandler:^(NSError *error) {
-      [self.currentConnection invalidate];
-    }];
-  }
-  return nil;
-}
-
-#pragma mark Connection tear-down
-
-- (void)invalidate {
-  if (self.currentConnection) {
-    [self.currentConnection invalidate];
-    self.currentConnection = nil;
-  } else if (self.listenerObject) {
-    [self.listenerObject invalidate];
-  }
-}
-
-@end

Source/common/SNTXPCControlInterface.h

@@ -12,83 +12,51 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import <MOLCertificate/MOLCertificate.h>
-
-#import "SNTCachedDecision.h"
-#import "SNTCommonEnums.h"
-#import "SNTKernelCommon.h"
-
-@class SNTRule;
-@class SNTStoredEvent;
-@class SNTXPCConnection;
+#import "Source/common/SNTXPCUnprivilegedControlInterface.h"
 
 ///
-///  Protocol implemented by santad and utilized by santactl
+///  Protocol implemented by santad and utilized by santactl (privileged operations)
 ///
-@protocol SNTDaemonControlXPC
+@protocol SNTDaemonControlXPC <SNTUnprivilegedDaemonControlXPC>
 
 ///
-///  Kernel ops
+///  Cache ops
 ///
-- (void)cacheCount:(void (^)(int64_t))reply;
 - (void)flushCache:(void (^)(BOOL))reply;
-- (void)checkCacheForVnodeID:(uint64_t)vnodeID withReply:(void (^)(santa_action_t))reply;
 
 ///
 ///  Database ops
 ///
-- (void)databaseRuleCounts:(void (^)(int64_t binary, int64_t certificate))reply;
 - (void)databaseRuleAddRules:(NSArray *)rules
                   cleanSlate:(BOOL)cleanSlate
                        reply:(void (^)(NSError *error))reply;
-- (void)databaseEventCount:(void (^)(int64_t count))reply;
 - (void)databaseEventsPending:(void (^)(NSArray *events))reply;
 - (void)databaseRemoveEventsWithIDs:(NSArray *)ids;
 - (void)databaseRuleForBinarySHA256:(NSString *)binarySHA256
                   certificateSHA256:(NSString *)certificateSHA256
+                             teamID:(NSString *)teamID
                               reply:(void (^)(SNTRule *))reply;
-///
-///  Decision ops
-///
-
-///
-///  @param filePath A Path to the file, can be nil.
-///  @param fileSHA256 The pre-calculated SHA256 hash for the file, can be nil. If nil the hash will
-///                    be calculated by this method from the filePath.
-///  @param signingCertificate A MOLCertificate object, can be nil.
-///  @note If fileInfo and signingCertificate are both passed in, the most specific rule will be
-///        returned. Binary rules take precedence over cert rules.
-///
-- (void)decisionForFilePath:(NSString *)filePath
-                 fileSHA256:(NSString *)fileSHA256
-         signingCertificate:(MOLCertificate *)signingCertificate
-                      reply:(void (^)(SNTEventState))reply;
 
 ///
 ///  Config ops
 ///
-- (void)watchdogInfo:(void (^)(uint64_t, uint64_t, double, double))reply;
-- (void)clientMode:(void (^)(SNTClientMode))reply;
-- (void)setClientMode:(SNTClientMode)mode reply:(void (^)())reply;
-- (void)xsrfToken:(void (^)(NSString *))reply;
-- (void)setXsrfToken:(NSString *)token reply:(void (^)())reply;
-- (void)setSyncLastSuccess:(NSDate *)date reply:(void (^)())reply;
-- (void)setSyncCleanRequired:(BOOL)cleanReqd reply:(void (^)())reply;
-- (void)setWhitelistPathRegex:(NSString *)pattern reply:(void (^)())reply;
-- (void)setBlacklistPathRegex:(NSString *)pattern reply:(void (^)())reply;
-
-///
-///  GUI Ops
-///
-- (void)setNotificationListener:(NSXPCListenerEndpoint *)listener;
+- (void)setClientMode:(SNTClientMode)mode reply:(void (^)(void))reply;
+- (void)setFullSyncLastSuccess:(NSDate *)date reply:(void (^)(void))reply;
+- (void)setRuleSyncLastSuccess:(NSDate *)date reply:(void (^)(void))reply;
+- (void)setSyncCleanRequired:(BOOL)cleanReqd reply:(void (^)(void))reply;
+- (void)setAllowedPathRegex:(NSString *)pattern reply:(void (^)(void))reply;
+- (void)setBlockedPathRegex:(NSString *)pattern reply:(void (^)(void))reply;
+- (void)setBlockUSBMount:(BOOL)enabled reply:(void (^)(void))reply;
+- (void)setRemountUSBMode:(NSArray *)remountUSBMode reply:(void (^)(void))reply;
+- (void)setEnableBundles:(BOOL)bundlesEnabled reply:(void (^)(void))reply;
+- (void)setEnableTransitiveRules:(BOOL)enabled reply:(void (^)(void))reply;
+- (void)setEnableAllEventUpload:(BOOL)enabled reply:(void (^)(void))reply;
+- (void)setDisableUnknownEventUpload:(BOOL)enabled reply:(void (^)(void))reply;
 
 ///
 ///  Syncd Ops
 ///
-- (void)setSyncdListener:(NSXPCListenerEndpoint *)listener;
-- (void)setNextSyncInterval:(uint64_t)seconds reply:(void (^)())reply;
-- (void)pushNotifications:(void (^)(BOOL))reply;
-- (void)postRuleSyncNotificationWithCustomMessage:(NSString *)message reply:(void (^)())reply;
+- (void)postRuleSyncNotificationWithCustomMessage:(NSString *)message reply:(void (^)(void))reply;
 
 @end
 
@@ -97,18 +65,23 @@
 ///
 ///  Returns the MachService ID for this service.
 ///
-+ (NSString *)serviceId;
++ (NSString *)serviceID;
 
 ///
-///  Returns an initialized NSXPCInterface for the SNTDaemonControlXPC protocol.
+///  Returns the SystemExtension ID for this service.
+///
++ (NSString *)systemExtensionID;
+
+///
+///  Returns an initialized NSXPCInterface for the SNTUnprivilegedDaemonControlXPC protocol.
 ///  Ensures any methods that accept custom classes as arguments are set-up before returning
 ///
 + (NSXPCInterface *)controlInterface;
 
 ///
-///  Retrieve a pre-configured SNTXPCConnection for communicating with santad.
+///  Retrieve a pre-configured MOLXPCConnection for communicating with santad.
 ///  Connections just needs any handlers set and then can be resumed and used.
 ///
-+ (SNTXPCConnection *)configuredConnection;
++ (MOLXPCConnection *)configuredConnection;
 
 @end

Source/common/SNTXPCControlInterface.m

@@ -12,36 +12,58 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTXPCControlInterface.h"
+#import "Source/common/SNTXPCControlInterface.h"
 
-#import "SNTRule.h"
-#import "SNTStoredEvent.h"
-#import "SNTXPCConnection.h"
+#import <MOLCodesignChecker/MOLCodesignChecker.h>
+#import <MOLXPCConnection/MOLXPCConnection.h>
+
+#import "Source/common/SNTCommonEnums.h"
+#import "Source/common/SNTConfigurator.h"
+#import "Source/common/SNTRule.h"
+#import "Source/common/SNTStoredEvent.h"
+
+NSString *const kBundleID = @"com.google.santa.daemon";
 
 @implementation SNTXPCControlInterface
 
-+ (NSString *)serviceId {
-  return @"SantaXPCControl";
++ (NSString *)serviceID {
+#ifdef SANTAADHOC
+  // The mach service for an adhoc signed ES sysx uses the "endpoint-security" prefix instead of
+  // the teamid. In Santa's case it will be endpoint-security.com.google.santa.daemon.xpc.
+  return [NSString stringWithFormat:@"endpoint-security.%@.xpc", kBundleID];
+#else
+  MOLCodesignChecker *cs = [[MOLCodesignChecker alloc] initWithSelf];
+  // "teamid.com.google.santa.daemon.xpc"
+  NSString *t = cs.signingInformation[@"teamid"];
+  return [NSString stringWithFormat:@"%@.%@.xpc", t, kBundleID];
+#endif
+}
+
++ (NSString *)systemExtensionID {
+  return kBundleID;
+}
+
++ (void)initializeControlInterface:(NSXPCInterface *)r {
+  [r setClasses:[NSSet setWithObjects:[NSArray class], [SNTStoredEvent class], nil]
+      forSelector:@selector(databaseEventsPending:)
+    argumentIndex:0
+          ofReply:YES];
+
+  [r setClasses:[NSSet setWithObjects:[NSArray class], [SNTRule class], nil]
+      forSelector:@selector(databaseRuleAddRules:cleanSlate:reply:)
+    argumentIndex:0
+          ofReply:NO];
 }
 
 + (NSXPCInterface *)controlInterface {
   NSXPCInterface *r = [NSXPCInterface interfaceWithProtocol:@protocol(SNTDaemonControlXPC)];
-
-  [r setClasses:[NSSet setWithObjects:[NSArray class], [SNTStoredEvent class], nil]
-        forSelector:@selector(databaseEventsPending:)
-      argumentIndex:0
-            ofReply:YES];
-
-  [r setClasses:[NSSet setWithObjects:[NSArray class], [SNTRule class], nil]
-        forSelector:@selector(databaseRuleAddRules:cleanSlate:reply:)
-      argumentIndex:0
-            ofReply:NO];
+  [self initializeControlInterface:r];
 
   return r;
 }
 
-+ (SNTXPCConnection *)configuredConnection {
-  SNTXPCConnection *c = [[SNTXPCConnection alloc] initClientWithName:[self serviceId]
++ (MOLXPCConnection *)configuredConnection {
+  MOLXPCConnection *c = [[MOLXPCConnection alloc] initClientWithName:[self serviceID]
                                                           privileged:YES];
   c.remoteInterface = [self controlInterface];
   return c;