github/santa
1
1
Fork 0
mirror of https://github.com/google/santa.git synced 2026-01-15 01:08:12 -05:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: github:0.9.19
Branches Tags
github:main github:feature/ancestry
github:2024.9 github:2024.8 github:2024.7 github:2024.6 github:2024.5 github:2024.4 github:2024.3 github:2024.2 github:2024.1 github:2023.10 github:2023.9 github:2023.8 github:2023.7 github:2023.6 github:2023.5 github:2023.4 github:2023.3 github:2023.2 github:2023.1 github:2022.11 github:2022.10 github:2022.9 github:2022.8 github:2022.7 github:2022.6 github:2022.5 github:2022.4 github:2022.3 github:2022.2 github:2022.1 github:2021.8 github:2021.7 github:2021.5 github:2021.3 github:2021.2 github:2021.1 github:1.17 github:1.16 github:1.15 github:1.14 github:1.13 github:1.12 github:1.11 github:1.10 github:1.9 github:1.8 github:1.7 github:1.6 github:1.5 github:1.4 github:1.3 github:1.1 github:1.0.3 github:0.9.33 github:0.9.32 github:0.9.31 github:0.9.31-notarized github:0.9.30 github:0.9.29 github:0.9.28 github:0.9.27 github:0.9.26 github:0.9.25 github:0.9.24 github:0.9.23 github:0.9.22 github:0.9.21 github:0.9.20 github:0.9.19 github:0.9.18 github:0.9.17d0 github:0.9.17 github:0.9.16 github:0.9.15 github:0.9.14 github:0.9.13 github:0.9.12 github:0.9.11 github:0.9.10 github:0.9.9 github:0.9.8 github:0.9.7 github:0.9.6 github:0.9.5 github:0.9.4 github:0.9.3 github:0.9.2 github:0.9.1 github:0.9 github:0.8.9 github:0.8.8 github:0.8.7 github:0.8.6 github:0.8.5 github:0.8.4 github:0.8.3 github:0.8.2 github:0.8.1 github:0.8 github:0.7.1 github:0.7
...
compare: github:0.9.22
Branches Tags
github:main github:feature/ancestry
github:2024.9 github:2024.8 github:2024.7 github:2024.6 github:2024.5 github:2024.4 github:2024.3 github:2024.2 github:2024.1 github:2023.10 github:2023.9 github:2023.8 github:2023.7 github:2023.6 github:2023.5 github:2023.4 github:2023.3 github:2023.2 github:2023.1 github:2022.11 github:2022.10 github:2022.9 github:2022.8 github:2022.7 github:2022.6 github:2022.5 github:2022.4 github:2022.3 github:2022.2 github:2022.1 github:2021.8 github:2021.7 github:2021.5 github:2021.3 github:2021.2 github:2021.1 github:1.17 github:1.16 github:1.15 github:1.14 github:1.13 github:1.12 github:1.11 github:1.10 github:1.9 github:1.8 github:1.7 github:1.6 github:1.5 github:1.4 github:1.3 github:1.1 github:1.0.3 github:0.9.33 github:0.9.32 github:0.9.31 github:0.9.31-notarized github:0.9.30 github:0.9.29 github:0.9.28 github:0.9.27 github:0.9.26 github:0.9.25 github:0.9.24 github:0.9.23 github:0.9.22 github:0.9.21 github:0.9.20 github:0.9.19 github:0.9.18 github:0.9.17d0 github:0.9.17 github:0.9.16 github:0.9.15 github:0.9.14 github:0.9.13 github:0.9.12 github:0.9.11 github:0.9.10 github:0.9.9 github:0.9.8 github:0.9.7 github:0.9.6 github:0.9.5 github:0.9.4 github:0.9.3 github:0.9.2 github:0.9.1 github:0.9 github:0.8.9 github:0.8.8 github:0.8.7 github:0.8.6 github:0.8.5 github:0.8.4 github:0.8.3 github:0.8.2 github:0.8.1 github:0.8 github:0.7.1 github:0.7

34 Commits
0.9.19 ... 0.9.22

Author SHA1 Message Date
Tom Burgin
fc87cde668 config: use KVO (#234) 
* config: atomically update config

* config: add an explanation for sleep usage

* config: use mobileconfig in the getters

* config: cleanup file watcher

* config: spell

* config: clear or reload sync state on sync base url change

* config: Use KVO and Dependent Keys

* config: remove debug log

* config: review updates

* config: update rule sync getter and setter names

* config: get logical
 2018-02-07 13:59:00 -05:00
Tom Burgin
400c413029 config: add option to disable mode change notifications (#235) 
* config: add option to disable mode change notifications

* config: don't do extra work

* config: handle none, default and custom

* config: cleaner
 2018-02-02 12:01:51 -05:00
Tom Burgin
0e6eb45732 santa-driver: add an acknowledge feature to allow timeouts (#220) 
* santa-driver: Add an acknowledge feature to allow timeouts for lost requests

* project: cocoapods 1.3.1 update

* review updates
 2018-01-26 11:33:54 -05:00
Tom Burgin
7ca2028c19 santabs: don't try to lookup nil bundle paths (#233) 2018-01-26 11:33:04 -05:00
Tom Burgin
08144b54a7 docs: updated configuration details (#232) 
* docs: updated configuration details

* config: add example mobileconfig
 2018-01-24 21:07:48 -05:00
Russell Hancox
103137498b santa-driver: Deny execs with names over MAXPATHLEN with appropriate errno (#231) 2018-01-24 14:02:05 -05:00
Tom Burgin
8e57e3709d SNTConfigurator: use mobileconfigs (#222) 
* SNTConfigurator: use mobileconfigs

* use proper key groups

* remove state

* review updates

* review updates

* SNTConfigurator: Revert any out-of-band changes to the sync state file.

* SNTConfigurator move the file watcher to santad only
 2018-01-08 12:56:24 -05:00
nguyen-phillip
bd6bd66946 santactl: Added -h and --help as synonyms for help (#225) 2017-12-05 14:16:04 -08:00
nguyen-phillip
6973dd0ec2 log the events generated by bundle hashing with action=BUNDLE (#207) 
* log the events generated by bundle hashing with action=BUNDLE

* change EventLog to eventLog in SNTDaemonControlController init signature
 2017-12-04 10:03:04 -08:00
Tom Burgin
2e8b08cd9e keep style fixes (#221) 2017-11-28 11:48:12 -05:00
Russell Hancox
edc8f43f42 Style fixes 2017-11-15 20:35:53 -05:00
Russell Hancox
133814cd73 santa-driver: Prevent possible infinite loop if decision requests fail to be retrieved 
When enqueue'ing on the decision data queue, if the queue is full the new message will overwrite the oldest. In this scenario it's possible for that overwritten request to get stuck in an infinite loop - as far as the driver is concerned there's a request pending that the driver should be picking up and responding to but the daemon has never actually received the request. The only way out of this loop is for the file being executed to be written to. This change adds an expiration to pending requests (of 5s) so that if this scenario were to happen the pending request would be removed, breaking out of the inner decision loop to the outer loop where the request is sent to the daemon.

This change also removes a pointless dequeue in the log queue, it was intended to try and help reduce the queue size to get logs flowing again but it doesn't really help.
 2017-11-15 20:35:53 -05:00
Russell Hancox
57213ee31b [santactl] Ensure reachability is released properly 2017-10-26 15:45:28 -04:00
Tom Burgin
b4fa2a394b Update .gitignore (#211) 
Track files in the santa-driver dir
 2017-10-16 15:20:43 -04:00
Tom Burgin
0c39342d53 santad: SNTPolicyProcessor fix nil scope check (#208) 
Fixes `santactl rule --check` returning `Whitelisted (Scope)` incorrectly
 2017-10-06 13:07:48 -04:00
Tom Burgin
1c95e8e25c santad: Stop ignoring CSInfoPlistFailed (#204) 
It is too broad a check for the few false positive events we have seen.
 2017-09-14 12:45:07 -04:00
nguyen-phillip
ff5a92772b sync: start reachability handler to retry to upload blocked event when initial upload fails (#202) 
* sync: start reachability handler to retry to upload blocked event when initial upload fails

* fix indentation

* store related bundle events when server connection fails

* revert SNTBundleEventAction to BOOL

* go back to using SNTBundleEventAction in reply; make sure to send reply to avoid leaks

* fix indentation

* fix indentation
 2017-09-14 12:44:32 -04:00
nguyen-phillip
bc2a17f70f santactl: added filtering to fileinfo command via --filter flag (#201) 
* implemented simple filtering with fileinfo command

* Use regex filters instead of substring matching

* remove unnecessary match variable

* Update SNTCommandFileInfo.m
 2017-09-14 11:21:08 -04:00
nguyen-phillip
f2e909e578 Minor refactor to merge similar methods into one: (#200) 
* Merged similar methods into one:

* SNTSyncdQueue addBundleEvents: and addEvent: became addEvents:isFromBundle:
* SNTSyncdQueue backoffForBundleHash: and backoffForEvent: became backoffForPrimaryHash:
* SNTCommandSyncManager postBundleEventsToSyncServer: and postEventToSyncServer: became postEventsToSyncServer:isFromBundle:

* fix style issue

* simplify condition
 2017-09-08 09:18:13 -04:00
nguyen-phillip
c3385a808c Bundle Notifications (#197) 
* stub code for bundle notifications with new rules info

* get bundle rule count info from each rule, rather than initial FCM message

* Replace string literals with constants

* only update pendingNotifications for whitelist rules

* use pre-existing string constants as dictionary keys

* Remove processed entries from the notifications dictionary after we're done with them.

* fix indentation

* replace kRuleBundleHash with kFileBundleHash

* enforce serial access to the whitelistNotifications dictionary

* clarify comment

* fix queue spelling and better comments
 2017-09-05 15:35:35 -04:00
Tom Burgin
8d480331ff Add Read the Docs to README (#196) 
* Update README.md

* Update README.md
 2017-08-18 13:29:43 -04:00
nguyen-phillip
5216f0989c santactl: Recursive fileinfo command (#191) 
* temporarily gutted SNTCommandFileInfo. Added SNTCommand base class for all
of the SNTCommand* classes to inherit from.  Changed commands so that they
are consistently instantiated before being run, with a common init method.

* Put most of SNTCommandFileInfo functionality back in

* follow symlinks

* added -r and --recursive flags and updated help text

* moved humanReadableFileType to SNTFileInfo

* added back JSON output

* Fixed bundle info. Grab directory color from ENV variable.

* fixed indentation, moved stuff around

* Added SNTCommandFileInfo * back as parameter to property getters so that rule getter
doesn't have to be a special case any more.

* fixed code review issues

* added SNTCommand.h and SNTCommand.m to project

* added SNTCommand.m to build phases

* removed trailing spaces

* fixed tests for SNTCommandFileInfo and added a few more

* fix end-of-line comment spacing to conform to style guide

* Use NSBundle instead of NSWorkspace to determine if path is a bundle.

* added autorelease pool inside recursive search loop to fix bug where file listing
would abruptly stop after so many files with mach header related keys.

* removed directory headers. don't separate entries with newline when printing single key. format output based on max key length.

* an attempt at speeding things up.  also halfway fixed broken cert-index key.

* speedups via caching MOLCodeSignChecker & not using NSMutableString append*

* fix json ouput with cert-index, single key output, & cache SHA values

* reverted back to NSMutableString for building up output, since it seems slightly better
or at least no worse than using an NSMutableArray

* Don't print empty JSON objects

* fixed non-thread-safe JSON commas

* made the print dispatch group a property so it doesn't have to be passed around

* Fixed certIndex indexing bug & better error checking when parsing --cert-index argument

* prevent unsigned int overflow

* fixed logic tests broken by objc_setAssociatedObject with nil SNTFileInfo argument

* send error output to the serial print queue

* NSBundle bundleWithPath: returns an object even for non-bundle directories, so need to also check that there's a valid bundle identifier.

* Added TODO comment and fixed formatting issues

* added cached codeSignChecker property to SNTFileInfo

* rewrote SNTFileInfo's codesignChecker method to include an error reference parameter & removed @synchronized

* Removed caching of SHA values from SNTFileInfo

* use property getter/setter to access codesignCheckerError

* Change nil NSError ** arguments to NULL

* Don't try to create a new codesignChecker if there was previously an error

* Fix NSDirectoryEnumerator memory usage & don't retain self in rule getter.

The NSStrings grabbed from the directory enumerator needed a chance to be freed.

* fixed colon alignment
 2017-08-18 09:56:37 -04:00
Tom Burgin
4238553a2e Docs: Start of Santa Docs (#192) 
* Docs: Start of Santa Docs

* Docs: /exec()/execve()/

* Docs: /sync-server/sync server/

* Docs: review updates
 2017-08-17 16:01:59 -04:00
nguyen-phillip
79662d0dcf santad/SNTEventLog: log original path of translocated apps (#194) 
* log original path of translocated apps

* made handle a local variable & fixed capitalization

* Removed superfluous CFError
 2017-08-17 11:09:46 -04:00
Russell Hancox
ff095bc53d KernelTests: Fix cache performance test 
It was previously calculating CPU use rather than walltime which isn't really what we want to measure.
 2017-08-16 16:13:45 -04:00
Russell Hancox
eefd70b2de santa-driver: Fix race condition by adding CAS op to SantaCache 
Change the signature of the set method in SantaCache so that it takes an
optional previous-value parameter (and a bool indicating that this value
has been provided). If previous-value is provided, set becomes a
compare-and-swap. Also provide 2 overloads for a cleaner interface, one
with and without the previous-value parameter.
 2017-08-16 16:13:45 -04:00
Russell Hancox
9b3eab67a2 santa-driver: Determine root FSID more safely 
Only calculate root FSID during daemon connection. If daemon is running
there must be a root filesystem. Also check return values just in case.

Check vnode_id has been determined in VnodeCallback and SantaDriverClient
methods so that it doesn't need to be checked anywhere else.
 2017-08-16 12:07:44 -04:00
Russell Hancox
54def2deb7 santa-driver: Reverse ClearCache() non_root_only default parameter 2017-08-16 12:07:44 -04:00
Russell Hancox
cd12744726 santad/santactl/santa-driver: Make status command return size of both caches 2017-08-16 12:07:44 -04:00
Russell Hancox
616fd9570f santa-driver: Split cache for root/non-root volume 
Split the kernel-land cache into 2 separate caches, one for the root
volume and one for secondary volumes. When an unmount happens, clear
the non-root cache to ensure no overlap with filesystem IDs.
 2017-08-16 12:07:44 -04:00
Russell Hancox
0544011ee0 [santad] Remove broken check and obsolete TODOs (#190) 2017-08-03 15:14:02 -04:00
nguyen-phillip
51920c7045 santad: modified execution log format to show path & args at end (#189) 
Fixed problem where extremely long path/args obscured other log info.
 2017-08-02 14:27:39 -04:00
Russell Hancox
6f417a1775 common: Remove EventDetailBundleURL key (#187) 
The changes to bundle scanning mean this key isn't really necessary anymore - if a server supports bundles it tells the client during preflight, this in turn causes bundle hashes to be generated and these are used in place of the file hash when generating a detail URL. Keying bundles off the ID and version was never really a good idea anyway.
 2017-08-01 12:16:37 -04:00
Russell Hancox
51034a24c6 SNTXPCConnection: Prevent crash if caller releases instance during resume (#183) 2017-07-18 16:50:32 -04:00
80 changed files with 3605 additions and 1187 deletions
Expand all files Collapse all files

2
.gitignore vendored
View File

@@ -1,6 +1,8 @@
.DS_Store
Build
santa-*
!santa-driver
!*.md
Pods
Santa.xcodeproj/xcuserdata
Santa.xcodeproj/project.xcworkspace

83
Docs/deployment/com.google.santa.example.mobileconfig Normal file
View File

@@ -0,0 +1,83 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<dict>
<key>com.google.santa</key>
<dict>
<key>Forced</key>
<array>
<dict>
<key>mcx_preference_settings</key>
<dict>
<key>BannedBlockMessage</key>
<string>This application has been banned</string>
<key>ClientMode</key>
<integer>1</integer>
<key>EnablePageZeroProtection</key>
<false/>
<key>EventDetailText</key>
<string>Open sync server</string>
<key>EventDetailURL</key>
<string>https://sync-server-hostname/blockables/%file_sha%</string>
<key>FileChangesRegex</key>
<string>^/(?!(?:private/tmp|Library/(?:Caches|Managed Installs/Logs|(?:Managed )?Preferences))/)</string>
<key>MachineIDKey</key>
<string>MachineUUID</string>
<key>MachineIDPlist</key>
<string>/Library/Preferences/com.company.machine-mapping.plist</string>
<key>MachineOwnerKey</key>
<string>Owner</string>
<key>MachineOwnerPlist</key>
<string>/Library/Preferences/com.company.machine-mapping.plist</string>
<key>ModeNotificationLockdown</key>
<string>Entering Lockdown mode</string>
<key>ModeNotificationMonitor</key>
<string>Entering Monitor mode&lt;br/&gt;Please be careful!</string>
<key>MoreInfoURL</key>
<string>https://sync-server-hostname/moreinfo</string>
<key>SyncBaseURL</key>
<string>https://sync-server-hostname/api/santa/</string>
<key>UnknownBlockMessage</key>
<string>This application has been blocked from executing.</string>
</dict>
</dict>
</array>
</dict>
</dict>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>0342c558-a101-4a08-a0b9-40cc00039ea5</string>
<key>PayloadType</key>
<string>com.apple.ManagedClient.preferences</string>
<key>PayloadUUID</key>
<string>0342c558-a101-4a08-a0b9-40cc00039ea5</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>com.google.santa</string>
<key>PayloadDisplayName</key>
<string>com.google.santa</string>
<key>PayloadIdentifier</key>
<string>com.google.santa</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>9020fb2d-cab3-420f-9268-acca4868bdd0</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

176
Docs/deployment/configuration.md Normal file
View File

@@ -0,0 +1,176 @@
# Important
Santa v0.9.21 has moved to using an Apple [Configuration Profile](https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html) to manage the local configuration. The old config file (`/var/db/santa/config.plist`) is no longer used.
# Configuration
Two configuration methods can be used to control Santa: a local configuration profile and a sync server controlled configuration. There are certain options that can only be controlled with a local configuration profile and others that can only be controlled with a sync server controlled configuration. Additionally, there are options that can be controlled by both.
## Local Configuration Profile
| Key | Value Type | Description |
| ----------------------------- | ---------- | ---------------------------------------- |
| ClientMode* | Integer | 1 = MONITOR, 2 = LOCKDOWN, defaults to MONITOR |
| FileChangesRegex* | String | The regex of paths to log file changes. Regexes are specified in ICU format. |
| WhitelistRegex* | String | A regex to whitelist if the binary or certificate scopes did not allow execution. Regexes are specified in ICU format. |
| BlacklistRegex* | String | A regex to blacklist if the binary or certificate scopes did not block an execution. Regexes are specified in ICU format. |
| EnablePageZeroProtection | Bool | Enable `__PAGEZERO` protection, defaults to YES. If this flag is set to YES, 32-bit binaries that are missing the `__PAGEZERO` segment will be blocked even in MONITOR mode, **unless** the binary is whitelisted by an explicit rule. |
| MoreInfoURL | String | The URL to open when the user clicks "More Info..." when opening Santa.app. If unset, the button will not be displayed. |
| EventDetailURL | String | See the [EventDetailURL](#eventdetailurl) section below. |
| EventDetailText | String | Related to the above property, this string represents the text to show on the button. |
| UnknownBlockMessage | String | In Lockdown mode this is the message shown to the user when an unknown binary is blocked. If this message is not configured a reasonable default is provided. |
| BannedBlockMessage | String | This is the message shown to the user when a binary is blocked because of a rule if that rule doesn't provide a custom message. If this is not configured a reasonable default is provided. |
| ModeNotificationMonitor | String | The notification text to display when the client goes into Monitor mode. Defaults to "Switching into Monitor mode". |
| ModeNotificationLockdown | String | The notification text to display when the client goes into Lockdown mode. Defaults to "Switching into Lockdown mode". |
| SyncBaseURL* | String | The base URL of the sync server. |
| ClientAuthCertificateFile | String | If set, this contains the location of a PKCS#12 certificate to be used for sync authentication. |
| ClientAuthCertificatePassword | String | Contains the password for the PKCS#12 certificate. |
| ClientAuthCertificateCN | String | If set, this is the Common Name of a certificate in the System keychain to be used for sync authentication. The corresponding private key must also be in the keychain. |
| ClientAuthCertificateIssuerCN | String | If set, this is the Issuer Name of a certificate in the System keychain to be used for sync authentication. The corresponding private key must also be in the keychain. |
| ServerAuthRootsData | Data | If set, this is valid PEM containing one or more certificates to be used to evaluate the server's SSL chain, overriding the list of trusted CAs distributed with the OS. |
| ServerAuthRootsFile | String | The same as the above but is a path to a file on disk containing the PEM data. |
| MachineOwner | String | The machine owner. |
| MachineID | String | The machine ID. |
| MachineOwnerPlist | String | The path to a plist that contains the MachineOwnerKey / value pair. |
| MachineOwnerKey | String | The key to use on MachineOwnerPlist. |
| MachineIDPlist | String | The path to a plist that contains the MachineOwnerKey / value pair. |
| MachineIDKey | String | The key to use on MachineIDPlist. |
*overridable by the sync server: run `santactl status` to check the current running config
##### EventDetailURL
When the user gets a block notification, a button can be displayed which will take them to a web page with more information about that event.
This property contains a kind of format string to be turned into the URL to send them to. The following sequences will be replaced in the final URL:
| Key | Description |
| ------------ | ---------------------------------------- |
| %file_sha% | SHA-256 of the file that was blocked |
| %machine_id% | ID of the machine |
| %username% | The executing user |
| %bundle_id% | Bundle ID of the binary, if applicable |
| %bundle_ver% | Bundle version of the binary, if applicable |
For example: `https://sync-server-hostname/%machine_id%/%file_sha%`
##### Example Configuration Profile
Here is an example of a configuration profile that could be set. It was generated with Tim Sutton's great [mcxToProfile](https://github.com/timsutton/mcxToProfile) tool. A copy is also available [here](com.google.santa.example.mobileconfig).
A few key points to when creating your configuration profile:
* `com.google.santa` needs to be the key inside `PayloadContent`
* The `PayloadScope` needs to be `System`
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<dict>
<key>com.google.santa</key>
<dict>
<key>Forced</key>
<array>
<dict>
<key>mcx_preference_settings</key>
<dict>
<key>BannedBlockMessage</key>
<string>This application has been banned</string>
<key>ClientMode</key>
<integer>1</integer>
<key>EnablePageZeroProtection</key>
<false/>
<key>EventDetailText</key>
<string>Open sync server</string>
<key>EventDetailURL</key>
<string>https://sync-server-hostname/blockables/%file_sha%</string>
<key>FileChangesRegex</key>
<string>^/(?!(?:private/tmp|Library/(?:Caches|Managed Installs/Logs|(?:Managed )?Preferences))/)</string>
<key>MachineIDKey</key>
<string>MachineUUID</string>
<key>MachineIDPlist</key>
<string>/Library/Preferences/com.company.machine-mapping.plist</string>
<key>MachineOwnerKey</key>
<string>Owner</string>
<key>MachineOwnerPlist</key>
<string>/Library/Preferences/com.company.machine-mapping.plist</string>
<key>ModeNotificationLockdown</key>
<string>Entering Lockdown mode</string>
<key>ModeNotificationMonitor</key>
<string>Entering Monitor mode&lt;br/&gt;Please be careful!</string>
<key>MoreInfoURL</key>
<string>https://sync-server-hostname/moreinfo</string>
<key>SyncBaseURL</key>
<string>https://sync-server-hostname/api/santa/</string>
<key>UnknownBlockMessage</key>
<string>This application has been blocked from executing.</string>
</dict>
</dict>
</array>
</dict>
</dict>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>0342c558-a101-4a08-a0b9-40cc00039ea5</string>
<key>PayloadType</key>
<string>com.apple.ManagedClient.preferences</string>
<key>PayloadUUID</key>
<string>0342c558-a101-4a08-a0b9-40cc00039ea5</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>com.google.santa</string>
<key>PayloadDisplayName</key>
<string>com.google.santa</string>
<key>PayloadIdentifier</key>
<string>com.google.santa</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>9020fb2d-cab3-420f-9268-acca4868bdd0</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
```
Configuration profiles have a `.mobileconfig` file extension. There are many ways to install configuration profiles:
* Double click them in Finder
* Use the `/usr/bin/profiles` tool
* Use an MDM
## Sync server Provided Configuration
| Key | Value Type | Description |
| ------------------------------ | ---------- | ---------------------------------------- |
| client_mode | String | MONITOR or LOCKDOWN, defaults to MONITOR. |
| clean_sync** | Bool | If set to `True` Santa will clear all local rules and download a fresh copy from the sync-server. Defaults to `False`. |
| batch_size | Integer | The number of rules to download or events to upload per request. Multiple requests will be made if there is more work than can fit in single request. Defaults to 50. |
| upload_logs_url** | String | If set, the endpoint to send Santa's current logs. No default. |
| whitelist_regex | String | Same as the "Local Configuration" WhitelistRegex. No default. |
| blacklist_regex | String | Same as the "Local Configuration" BlacklistRegex. No default. |
| fcm_token* | String | The FCM token used by Santa to listen for FCM messages. Unique for every machine. No default. |
| fcm_full_sync_interval* | Integer | The full sync interval if a fcm_token is set. Defaults to 14400 secs (4 hours). |
| fcm_global_rule_sync_deadline* | Integer | The max time to wait before performing a rule sync when a global rule sync FCM message is received. This allows syncing to be staggered for global events to avoid spikes in server load. Defaults to 600 secs (10 min). |
| bundles_enabled* | Bool | If set to `True` the bundle scanning feature is enabled. Defaults to `False`. |
*Held only in memory. Not persistent upon process restart.
**Performed once per preflight run (if set).

BIN
Docs/details/block.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 76 KiB

141
Docs/details/events.md Normal file
View File

@@ -0,0 +1,141 @@
# Events
Events are a defined set of data, core to how Santa interacts with a sync server. Events are generated when there is a blocked `execve()` while in Lockdown or Monitor mode. Events are also generated in Monitor mode for an `execve()` that was allowed to run, but would have been blocked in Lockdown mode. This allows an admin to roll out Santa to their macOS fleet in Monitor mode but still collect meaningful data. The events collected while in Monitor mode can be used to build a reasonably comprehensive whitelist of signing certificates and binaries before switching the fleet to Lockdown mode.
##### Event Data
Events begin their life as an [SNTStoredEvent](https://github.com/google/santa/blob/master/Source/common/SNTStoredEvent.h) object. The SNTStoredEvent class is just a simple storage class that has properties for all the relevant bits of information. More importantly the class implements the [NSSecureCoding](https://developer.apple.com/documentation/foundation/nssecurecoding?language=objc) protocol. This allows the objects to be encoded and decoded for storage in the events sqlite3 database on disk and sent over XPC to another process.
Events are temporarily stored in a database until they are uploaded. The format is subject the change; accessing the events database directly will most likely break in future releases. If direct access to the events database is required, raise a [issue on the Santa GitHub](https://github.com/google/santa/issues).
###### JSON
Before an event is uploaded to a sync server, the event data is copied into a JSON blob. Here is an example of Firefox being blocked and sent for upload:
```json
{
"events": [
{
"file_path": "/var/folders/l5/pd9rhsp54s79_9_qcy746_tw00b_4p/T/AppTranslocation/254C1357-7461-457B-B734-A0FDAF0F26D9/d/Firefox.app/Contents/MacOS",
"file_bundle_version": "5417.6.28",
"parent_name": "launchd",
"logged_in_users": [
"bur"
],
"quarantine_timestamp": 0,
"signing_chain": [
{
"cn": "Developer ID Application: Mozilla Corporation (43AQ936H96)",
"valid_until": 1652123338,
"org": "Mozilla Corporation",
"valid_from": 1494270538,
"ou": "43AQ936H96",
"sha256": "96f18e09d65445985c7df5df74ef152a0bc42e8934175a626180d9700c343e7b"
},
{
"cn": "Developer ID Certification Authority",
"valid_until": 1801519935,
"org": "Apple Inc.",
"valid_from": 1328134335,
"ou": "Apple Certification Authority",
"sha256": "7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f"
},
{
"cn": "Apple Root CA",
"valid_until": 2054670036,
"org": "Apple Inc.",
"valid_from": 1146001236,
"ou": "Apple Certification Authority",
"sha256": "b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024"
}
],
"file_bundle_name": "Firefox",
"executing_user": "bur",
"ppid": 1,
"file_bundle_path": "/var/folders/l5/pd9rhsp54s79_9_qcy746_tw00b_4p/T/AppTranslocation/254C1357-7461-457B-B734-A0FDAF0F26D9/d/Firefox.app",
"file_name": "firefox",
"execution_time": 1501691337.059514,
"file_sha256": "dd78f456a0929faf5dcbb6d952992d900bfdf025e1e77af60f0b029f0b85bf09",
"decision": "BLOCK_BINARY",
"file_bundle_id": "org.mozilla.firefox",
"file_bundle_version_string": "54.0.1",
"pid": 49368,
"current_sessions": [
"bur@console",
"bur@ttys000",
"bur@ttys001",
"bur@ttys002",
"bur@ttys003",
"bur@ttys004"
]
}
]
}
```
##### Event Lifecycle
1. santad generates a new event
2. santad compares, or adds if not present, the event's SHA-256 file hash to an in-memory cache with a timeout of 10 min. If an event with an matching hash is present in cache, the event is dropped.
3. santad saves the event to `/var/db/santa/events.db` with a unique ID assigned as the key.
4. santad sends an XPC message to the santactl daemon. The message contains the event with instructions to upload the event immediately. This is non-blocking and is performed on a background thread.
##### Bundle Events
Bundle events are a special type of event that are generated when a sync server supports receiving the associated bundle events, instead of just the original event. For example: `/Applications/Keynote.app/Contents/MacOS/Keynote` is blocked and an event representing the binary is uploaded. A whitelist rule is created for that one binary. Great, you can now run `/Applications/Keynote.app/Contents/MacOS/Keynote`, but what about all the other supporting binaries contained in the bundle? You would have to wait until they are executed until an event would be generated. It is very common for a bundle to contain multiple binaries, as shown here with Keynote.app. Waiting to get a block is not a very good user experience.
```sh
⇒ santactl bundleinfo /Applications/Keynote.app
Hashing time: 1047 ms
9 events found
BundleHash: b475667ab1ab6eddea48bfc2bed76fcef89b8f85ed456c8068351292f7cb4806
BundleID: com.apple.iWork.Keynote
SHA-256: be3aa404ee79c2af863132b93b0eedfdbc34c6e35d4fda2ade6dd637692ead84
Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.MovieCompatibilityConverter.xpc/Contents/MacOS/com.apple.iWork.MovieCompatibilityConverter
BundleID: com.apple.iWork.Keynote
SHA-256: 3b2582fd5e7652b653276b3980c248dc973e8082e9d0678c96a08d7d1a8366ba
Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.PICTConverter.xpc/Contents/MacOS/com.apple.iWork.PICTConverter
BundleID: com.apple.iWork.Keynote
SHA-256: f1bf3be05d511d7c7f651cf7b130d4977f8d28d0bfcd7c5de4144b95eaab7ad7
Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.ExternalResourceAccessor.xpc/Contents/XPCServices/com.apple.iWork.TCMovieExtractor.xpc/Contents/MacOS/com.apple.iWork.TCMovieExtractor
BundleID: com.apple.iWork.Keynote
SHA-256: b59bc8548c91088a40d9023abb5d22fa8731b4aa17693fcb5b98c795607d219a
Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.BitmapTracer.xpc/Contents/MacOS/com.apple.iWork.BitmapTracer
BundleID: com.apple.iWork.Keynote
SHA-256: 08cb407f541d867f1a63dc3ae44eeedd5181ca06c61df6ef62b5dc7192951a4b
Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.TCUtilities32.xpc/Contents/MacOS/com.apple.iWork.TCUtilities32
BundleID: com.apple.iWork.Keynote
SHA-256: b965ae7be992d1ce818262752d0cf44297a88324a593c67278d78ca4d16fcc39
Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.ExternalResourceAccessor.xpc/Contents/XPCServices/com.apple.iWork.TCMovieExtractor.xpc/Contents/XPCServices/com.apple.iWork.TCMovieExtractor.TCUtilities32.xpc/Contents/MacOS/com.apple.iWork.TCMovieExtractor.TCUtilities32
BundleID: com.apple.iWork.Keynote
SHA-256: 59668dc27314f0f6f5daa5f02b564c176f64836c88e2dfe166e90548f47336f1
Path: /Applications/Keynote.app/Contents/MacOS/Keynote
BundleID: com.apple.iWork.Keynote
SHA-256: 7ce324f919b14e14d327004b09f83ca81345fd4438c87ead4b699f89e9485595
Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.ExternalResourceAccessor.xpc/Contents/XPCServices/com.apple.iWork.ExternalResourceValidator.xpc/Contents/MacOS/com.apple.iWork.ExternalResourceValidator
BundleID: com.apple.iWork.Keynote
SHA-256: 6b47f551565d886388eeec5e876b6de9cdd71ef36d43b0762e6ebf02bdd8515d
Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.ExternalResourceAccessor.xpc/Contents/MacOS/com.apple.iWork.ExternalResourceAccessor
```
Bundle events provide a mechanism to generate and upload events for all the executable Mach-O binaries within a bundle. To enable bundle event generation a configuration must be set in the preflight sync stage on the sync server. Once set the sync server can use bundle events to drive a better user experience.
Bundle events can be differentiated by the existence of these fields:
| Field | Value |
| ------------------------ | ---------------------------------------- |
| decision | BUNDLE_BINARY |
| file_bundle_hash | Super Hash of all binary hashes |
| file_bundle_hash_millis | The time in milliseconds it took to find all of the binaries, hash and produce a super hash |
| file_bundle_binary_count | Number of binaries within the bundle |
To avoid redundant uploads of a bundle event Santa will wait for the sync server to ask for them. The server will respond to event uploads with a request like this:
| Field | Value |
| ---------------------------- | ---------------------------------------- |
| event_upload_bundle_binaries | An array of bundle hashes that the sync server needs to be uploaded |
When santactl receives this type of request, it sends an XPC reply to santad to save all the bundle events to the events.db. It then attempts to upload all the bundle events, purging the successes from the events.db. Any failures will be uploaded during the next full sync.

43
Docs/details/ipc.md Normal file
View File

@@ -0,0 +1,43 @@
# Interprocess Communication (IPC)
Most IPC within Santa is done by way of Apple's [XPC](https://developer.apple.com/documentation/xpc?language=objc). Santa wraps [NSXPCConnection](https://developer.apple.com/documentation/foundation/nsxpcconnection?language=objc) to provide client multiplexing, signature validation of connecting clients and forced connection establishment. This is called SNTXPCConnection.
Communication between santad and santa-driver (KEXT) is done with a [IOUserClient](https://developer.apple.com/documentation/kernel/iouserclient?language=objc) subclass and IOKit/IOKitLib.h functions.
##### Who starts who?
The santad and Santa (GUI) processes are both started and kept alive by launchd as a LaunchDaemon and a LaunchAgent, respectively. This means santad runs as root and Santa (GUI) runs as the console user.
There can be multiple Santa (GUI) processes running, one per user logged into the GUI (assuming fast-user switching is enabled). While multiple processes might be running, only the one for the user currently logged-in will be connected to santad and receiving notifications.
When using a sync server, the santactl process is started by santad. Before the new process starts, all privileges are dropped. santactl runs as _nobody_.
The santabs process is started by launchd via an XPC service connection from santad. XPC services inherit their initiator's privileges meaning santabs runs as root, which is necessary to ensure it has permission to read all files.
| Process | Parent Process | Running User |
| -------- | -------------- | ------------ |
| santad | launchd | root |
| Santa | launchd | user |
| santactl | santad | nobody |
| santabs | launchd | root |
##### Who communicates with who?
In short, santad has two-way communication with every other process. In addition, Santa and santabs have two-way communication between each other. For other combinations, there is no direct communication.
![Santa IPC](santa_ipc.png)
##### SNTXPCConnection and two way communication
`SNTXPCConnection` enforces a server / client model for XPC connections. This allows for strong signature validation and forced connection establishment. The only problem with this model is the lack of two-way communication. For example, process A can call methods on process B and retrieve a response, but process B cannot call methods on process A.
To accomplish two-way communication, the following approach can be used:
1. Process A creates a server with an anonymous `NSXPCListener`.
2. Process A sends the anonymous `NSXPCListenerEndpoint` to process B over an already established `SNTXPCConnection`.
3. Process B can now communicate directly with process A.
This is a powerful notion. It enables forced connection establishment between both processes, which is critical when reliability is a concern.

30
Docs/details/logs.md Normal file
View File

@@ -0,0 +1,30 @@
# Logs
Santa currently logs to `/var/db/santa/santa.log` by default. All executions and disk mounts are logged here. File operations can also be configured to be logged. See the `FileChangesRegex` key in the [configuration.md](../deployment/configuration.md) document.
To view the logs:
```sh
tail -F /var/db/santa/santa.log
```
The `-F` will continue watching the path even when the current file fills up and rolls over.
##### macOS Unified Logging System (ULS)
Currently all of the most recent releases of Santa are built with the macOS 10.11 SDK. This allows Santa to continue to log to Apple System Logger (ASL) instead of ULS. However, on macOS 10.12+ all of the Kernel logs are sent to ULS. See the KEXT Logging section below for more details.
If you are building Santa yourself and using the macOS 10.12+ SDKs, Santa's logs will be sent to ULS.
Work is currently underway to bypass ASL and ULS altogether, allowing Santa to continue logging to `/var/db/santa/santa.log`. This change will also allow us to add alternative logging formats, like Protocol Buffer or JSON.
##### KEXT Logging
Streaming logs from the santa-driver KEXT does not work properly. Logs are generated but they will likely be garbled or show inaccurate data.
Instead, `show` can be used to view the santa-driver KEXT logs:
```sh
/usr/bin/log show --info --debug --predicate 'senderImagePath == "/Library/Extensions/santa-driver.kext/Contents/MacOS/santa-driver"'
```

53
Docs/details/mode.md Normal file
View File

@@ -0,0 +1,53 @@
# Mode
Santa can run in one of two modes, Lockdown or Monitor. To check the current status run the following command:
```sh
⇒ santactl status
>>> Daemon Info
Mode | Monitor
File Logging | Yes
Watchdog CPU Events | 0 (Peak: 13.59%)
Watchdog RAM Events | 0 (Peak: 31.49MB)
>>> Kernel Info
Root cache count | 107
Non-root cache count | 0
>>> Database Info
Binary Rules | 5
Certificate Rules | 2
Events Pending Upload | 0
>>> Sync Info
Sync Server | https://sync-server-hostname.com
Clean Sync Required | No
Last Successful Full Sync | 2017/08/02 21:44:17 -0400
Last Successful Rule Sync | 2017/08/02 21:44:17 -0400
Push Notifications | Connected
Bundle Scanning | Yes
```
##### Monitor mode
The default mode. Running Santa in Monitor Mode will stop any binaries matching blacklist rules, but will not stop unknown binaries from running. This is a flexible state, allowing virtually zero user interruption but still gives protection against known blacklisted binaries. In addition execution events that would have been blocked in Lockdown mode are generated and can be collected and analyzed by a sync server.
##### Lockdown mode
Running Santa in Lockdown Mode will stop all blacklisted binaries and additionally will prevent all unknown binaries from running. This means that if the binary has no rules or scopes that apply, then it will be blocked.
##### Changing Modes
There are two ways to change the running mode: changing the configuration profile and with a sync server configuration.
###### Change modes with the configuration profile
Set the `ClientMode` in your configuration profile to the integer value `1` for MONITOR or `2` for LOCKDOWN.
```xml
<key>ClientMode</key>
<integer>1</integer>
```
Install your new configuration profile, it will overwrite any old `com.google.santa` profiles you may have already install. See the [configuration](../deployment/configuration.md) document for more details.
###### Change modes with a sync server
The mode is set in the preflight sync stage. Use the key `client_mode` and a value of `MONITOR` or `LOCKDOWN`.

BIN
Docs/details/push.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 10 KiB

104
Docs/details/rules.md Normal file
View File

@@ -0,0 +1,104 @@
# Rules
Rules provide the primary evaluation mechanism for whitelisting and blacklisting binaries with Santa on macOS. There are two types of rules: binary and certificate.
##### Binary Rules
Binary rules use the SHA-256 hash of the entire binary as an identifier. This is the most specific rule in Santa. Even a small change in the binary will alter the SHA-256 hash, invalidating the rule.
##### Certificate Rules
Certificate rules are formed from the SHA-256 fingerprint of an X.509 leaf signing certificate. This is a powerful rule type that has a much broader reach than an individual binary rule . A signing certificate can sign any number of binaries. Whitelisting or blacklisting just a few key signing certificates can cover the bulk of an average user's binaries. The leaf signing certificate is the only part of the chain that is evaluated. Though the whole chain is available for viewing.
```sh
⇒ santactl fileinfo /Applications/Dropbox.app --key "Signing Chain"
Signing Chain:
1. SHA-256 : 2a0417257348a20f96c9de0486b44fcc7eaeaeb7625b207591b8109698c02dd2
SHA-1 : 86ec91f726ba9caa09665b2109c49117f0b93134
Common Name : Developer ID Application: Dropbox, Inc.
Organization : Dropbox, Inc.
Organizational Unit : G7HH3F8CAK
Valid From : 2012/06/19 16:10:30 -0400
Valid Until : 2017/06/20 16:10:30 -0400
2. SHA-256 : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f
SHA-1 : 3b166c3b7dc4b751c9fe2afab9135641e388e186
Common Name : Developer ID Certification Authority
Organization : Apple Inc.
Organizational Unit : Apple Certification Authority
Valid From : 2012/02/01 17:12:15 -0500
Valid Until : 2027/02/01 17:12:15 -0500
3. SHA-256 : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
SHA-1 : 611e5b662c593a08ff58d14ae22452d198df6c60
Common Name : Apple Root CA
Organization : Apple Inc.
Organizational Unit : Apple Certification Authority
Valid From : 2006/04/25 17:40:36 -0400
Valid Until : 2035/02/09 16:40:36 -0500
```
If you wanted to whitelist or blacklist all software signed with this perticular Dropbox signing certificate you would use the leaf SHA-256 fingerprint.
`2a0417257348a20f96c9de0486b44fcc7eaeaeb7625b207591b8109698c02dd2`
Santa does not evaluate the `Valid From` or `Valid Until` fields, nor does it check the Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP) for revoked certificates. Adding rules for the certificate chain's intermediates or roots has no effect on binaries signing by a leaf. Santa ignores the chain and is only concerned with the leaf certificate's SHA-256 hash.
##### Rule Evaluation
When a process is trying to `execve()` santad retrieves information on the binary, including a hash of the entire file and the signing chain (if any). The hash and signing leaf certificate are then passed through the [SNTPolicyProcessor](https://github.com/google/santa/blob/master/Source/santad/SNTPolicyProcessor.h). Rules are evaluated from most specific to least specific. First binary (either whitelist or blacklist), then certificate (either whitelist or blacklist). If no rules are found that apply, scopes are then searched. See the [scopes.md](scopes.md) document for more information on scopes.
You can use the `santactl fileinfo` command to check the status of any given binary on the filesystem.
###### Whitelisted with a Binary Rule
```sh
⇒ santactl fileinfo /Applications/Hex\ Fiend.app --key Rule
Whitelisted (Binary)
```
###### Whitelisted with a Certificate Rule
```sh
⇒ santactl fileinfo /Applications/Safari.app --key Rule
Whitelisted (Certificate)
```
###### Blacklisted with a Binary Rule
```sh
⇒ santactl fileinfo /usr/bin/yes --key Rule
Blacklisted (Binary)
```
###### Blacklisted with a Certificate Rule
```sh
⇒ santactl fileinfo /Applications/Malware.app --key Rule
Blacklisted (Certificate)
```
You can also check arbitrary SHA-256 binary and certificate hashes for rules. The rule verb needs to be run with root privileges.
For checking the SHA-256 hash of `/usr/bin/yes`:
```sh
sudo santactl rule --check --sha256 $(santactl fileinfo --key SHA-256 /usr/bin/yes)
Blacklisted (Binary)
```
For checking the SHA-256 hash of `/usr/bin/yes ` signing certificate:
```sh
⇒ sudo santactl rule --check --certificate --sha256 $(santactl fileinfo --cert-index 1 --key SHA-256 /usr/bin/yes)
Whitelisted (Certificate)
```
##### Built-in rules
To avoid blocking any Apple system binaries or Santa binaries, santad will create 2 immutable certificate rules at startup:
* The signing certificate santad is signed with
* The signing certificate launchd is signed with
By creating these two rules at startup, Santa should never block critical Apple system binaries or other Santa components.

94
Docs/details/santa-driver.md Normal file
View File

@@ -0,0 +1,94 @@
# santa-driver
santa-driver is a macOS [kernel extension](https://developer.apple.com/library/content/documentation/Darwin/Conceptual/KEXTConcept/KEXTConceptIntro/introduction.html) (KEXT) that makes use of the [Kernel Authorization](https://developer.apple.com/library/content/technotes/tn2127/_index.html) (Kauth) KPI. This allows santa-driver to listen for events and either deny or defer the decision of those events. The santa-driver acts as an intermediary layer between Kauth and santad, with some caching to lower the overhead of decision making.
##### Kauth
santa-driver utilizes two Kauth scopes `KAUTH_SCOPE_VNODE` and `KAUTH_SCOPE_FILEOP `. It registers itself with the Kauth API by calling `kauth_listen_scope()` for each scope. This function takes three arguments:
* `const char *scope`
* `kauth_scope_callback_t _callback`_
* `void *contex`
It returns a `kauth_listener_t` that is stored for later use, in Santa's case to stop listening.
###### KAUTH_SCOPE_VNODE
Here is how santa-driver starts listening for `KAUTH_SCOPE_VNODE` events.
```c++
vnode_listener_ = kauth_listen_scope(
KAUTH_SCOPE_VNODE, vnode_scope_callback, reinterpret_cast<void *>(this));
```
The function `vnode_scope_callback` is called for every vnode event. There are many types of vnode events, they complete list can be viewed in the kauth.h. There are many types of vnode events, the complete list can be viewed in kauth.h. Santa is only concerned with regular files generating `KAUTH_VNODE_EXECUTE` [1] and `KAUTH_VNODE_WRITE_DATA` events. All non-regular files and unnecessary vnode events are filtered out.
Here is how santa-driver stops listening for `KAUTH_SCOPE_VNODE` events:
```c++
kauth_unlisten_scope(vnode_listener_);
```
[1] `KAUTH_VNODE_EXECUTE` events that do not have the `KAUTH_VNODE_ACCESS` advisory bit set.
###### KAUTH_SCOPE_FILEOP
Santa also listens for file operations, this is mainly used for logging [1] and cache invalidation.
* `KAUTH_FILEOP_DELETE`, `KAUTH_FILEOP_RENAME`, `KAUTH_FILEOP_EXCHANGE` and `KAUTH_FILEOP_LINK` are logged
* `KAUTH_FILEOP_EXEC` is used to log `execve()`s. Since the `KAUTH_VNODE_EXECUTE` is used to allow or deny an `execve()` the process arguments have not been setup yet. Since `KAUTH_FILEOP_EXEC` is triggered after an `execve()` it is used to log the `execve()`.
[1] `KAUTH_FILEOP_CLOSE` is used to invalidate that file's representation in the cache. If a file has changed it needs to be re-evalauted. This is particularly necessary for files that were added to the cache with an action of allow.
##### Driver Interface
santa-driver implements an [IOUserClient](https://developer.apple.com/documentation/kernel/iouserclient?language=objc) subclass and santad interacts with it through IOKit/IOKitLib.h functions.
[//]: # "TODO(bur, rah) Flesh out the details"
##### Cache
To aid in performance, santa-driver utilizes a caching system to hold the state of all observed `execve()` events.
###### Key
The key is a `uint64_t`. The top 32 bits hold the filesystem ID, while the bottom 32 bits hold the file unique ID. Together we call this the vnode_id.
```c++
uint64_t vnode_id = (((uint64_t)fsid << 32) | fileid);
```
###### Value
The value is a `uint64_t` containing the action necessary, along with the decision timestamp. The action is stored in the top 8 bits. The decision timestamp is stored in the remaining 56 bits.
```c++
santa_action_t action = (santa_action_t)(cache_val >> 56);
uint64_t decision_time = (cache_val & ~(0xFF00000000000000));
```
The possible actions are:
| Actions | Expiry Time | Description |
| ----------------------- | ---------------- | ---------------------------------------- |
| `ACTION_REQUEST_BINARY` | None | Awaiting an allow or deny decision from santad. |
| `ACTION_RESPOND_ALLOW` | None | Allow the `execve()` |
| `ACTION_RESPOND_DENY` | 500 milliseconds | Deny the `execve()`, but re-evalaute after 500 milliseconds. If someone is trying to run a banned binary continually every millisecond for example, only 2 evaluation requests to santad for would occur per second. This mitigates a denial of service type attack on santad. |
###### Invalidation
Besides the expiry time for individual entries, the entire cache will be cleared if any of the following events takes place:
* Addition of a blacklist rule
* Addition of a blacklist regex scope
* Cache fills up. This defaults to `5000` entries for the root volume and `500` for all other mounted volumes.
To view the current kernel cache count see the "Kernel info" section of `santactl status`:
```sh
⇒ santactl status
>>> Kernel Info
Root cache count | 107
Non-root cache count | 0
```

11
Docs/details/santa-gui.md Normal file
View File

@@ -0,0 +1,11 @@
# Santa GUI
The Santa GUI process is pretty simple. It's only job is the display user GUI notifications. There are two types of notifications it can display:
A notification when an `execve()` is blocked.
![Block](block.png)
Notifications when specific rules arrive (when using FCM for push notifications).
![Notification](push.png)

BIN
Docs/details/santa_ipc.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 28 KiB

44
Docs/details/santabs.md Normal file
View File

@@ -0,0 +1,44 @@
# santabs
The santabs process is an XPC service for the santa-driver.kext bundle, meaning only binaries within that bundle can launch santabs. It will be launched with the same privileges as its calling process. Currently, santad is the only caller of santabs, so santabs runs as root.
##### Events
The santabs process is quite simple and only does one thing: it generates non-execution events for the contents of a bundle.
When there is an `execve()` that is blocked within a bundle, a few actions take place:
1. The highest ancestor bundle in the tree is found
* So `/Applications/DVD Player.app/Contents/MacOS/DVD Player` would be `/Applications/DVD Player.app`
* Or `/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension` would be `/Applications/Safari.app`
2. The ancestor bundle is then searched for Mach-O executables
* For Safari that would currently be 4 binaries
* ```sh
Hashing time: 53 ms
4 events found
BundleHash: 718773556ca5ea798f984fde2fe1a5994f175900b26d2964c9358a0f469a4ac6
BundleID: com.apple.Safari
SHA-256: ea872e83a518ce442ed050c4408a448d915e2bae90ef8455ce7805448d864a3e
Path: /Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
BundleID: com.apple.Safari
SHA-256: 1a43283857b1822164f82af274c476204748c0a2894dbcaa11ed17f78e0273cc
Path: /Applications/Safari.app/Contents/MacOS/Safari
BundleID: com.apple.Safari
SHA-256: ab0ac54dd90144931b681d1e84e198c6510be44ac5339437bc004e60777af7ba
Path: /Applications/Safari.app/Contents/Resources/appdiagnose
BundleID: com.apple.Safari
SHA-256: f49c5aa3a7373127d0b4945782b1fa375dd3707d66808fd66b7c0756430defa8
Path: /Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService
```
3. Events are created for each binary and the bundle hash is calculated
4. These events are sent to the sync server for processing
##### Bundle Hash
The found events are sorted by their file SHA-256 hash. The hashes are concatenated and then SHA-256 hashed. This is now a strong indicator on what Mach-O executables were within the bundle at the time of scan. This can then be verified by the sync server when deciding to generate rules.

425
Docs/details/santactl.md Normal file
View File

@@ -0,0 +1,425 @@
# santactl
This may be the most complex part of Santa. It does two types of work:
1. It contains all of the code and functionality for syncing with a sync-server.
2. It can be used to view the state and configuration of Santa as a whole. It can also inspect individual files. When running without a sync server it also a supported method of managing the rules database.
The details of santactl's syncing functionality are covered in the syncing.md document. This document will cover the status work that santactl performs.
##### status
To view the status of Santa run `santactl status`
```sh
⇒ santactl status
>>> Daemon Info
Mode | Monitor
File Logging | Yes
Watchdog CPU Events | 0 (Peak: 2.19%)
Watchdog RAM Events | 0 (Peak: 29.45MB)
>>> Kernel Info
Kernel cache count | 123
>>> Database Info
Binary Rules | 321
Certificate Rules | 123
Events Pending Upload | 0
>>> Sync Info
Sync Server | https://sync-server.com/santa/
Clean Sync Required | No
Last Successful Full Sync | 2017/08/10 15:05:32 -0400
Last Successful Rule Sync | 2017/08/10 15:29:21 -0400
Push Notifications | Connected
Bundle Scanning | Yes
```
The status command also has the ability to print JSON output `santactl status --json`
```sh
⇒ santactl status --json
{
"kernel" : {
"cache_count" : 123
},
"daemon" : {
"watchdog_ram_events" : 0,
"watchdog_ram_peak" : 29.44921875,
"watchdog_cpu_events" : 0,
"file_logging" : true,
"mode" : "Monitor",
"watchdog_cpu_peak" : 2.188006666666666
},
"database" : {
"events_pending_upload" : 0,
"certificate_rules" : 123,
"binary_rules" : 321
},
"sync" : {
"last_successful_rule" : "2017\/08\/10 15:29:21 -0400",
"push_notifications" : "Connected",
"bundle_scanning" : true,
"clean_required" : false,
"server" : "https:\/\//sync-server.com\/santa\/",
"last_successful_full" : "2017\/08\/10 15:05:32 -0400"
}
}
```
##### version
To view all of the component versions `santactl version`
```sh
⇒ santactl version
santa-driver | 0.9.19
santad | 0.9.19
santactl | 0.9.19
SantaGUI | 0.9.19
```
Again, a JSON version is available `santactl version --json`
```sh
⇒ santactl version --json
{
"santa-driver" : "0.9.19",
"santad" : "0.9.19",
"SantaGUI" : "0.9.19",
"santactl" : "0.9.19"
}
```
##### fileinfo
The fileinfo verb is very powerful and can be used to tease out just about anything you wish to know about a file, with respect to the domain of Santa.
Here is an example of using `santactl fileinfo ` to inspect the main executable within `/Applications/Hex Fiend.app`.
```sh
⇒ santactl fileinfo /Applications/Hex\ Fiend.app
Path : /Applications/Hex Fiend.app/Contents/MacOS/Hex Fiend
SHA-256 : efaf88db065beae61615f6f176c11c751555d2bad3c5da6cdad71635896014f1
SHA-1 : 5585e6fb94eace1bd37da9a0a2f928e992d7c60c
Bundle Name : Hex Fiend
Bundle Version : 170205
Bundle Version Str : 2.5
Download Referrer URL: http://ridiculousfish.com/hexfiend/
Download URL : http://ridiculousfish.com/hexfiend/files/Hex_Fiend_2.5.dmg
Download Timestamp : 2017/06/29 12:52:16 -0400
Download Agent : com.google.Chrome
Type : Executable (x86-64)
Code-signed : Yes
Rule : Whitelisted (Unknown)
Signing Chain:
1. SHA-256 : ba1be5d2d60a43658a0c6ebf61b577e428439b53ef2e0b96ba90285e2c82a1b2
SHA-1 : 8fdbf6d6c22a97c472fb4961b7733ab0d8830ff7
Common Name : Developer ID Application: Kevin Wojniak
Organization : Kevin Wojniak
Organizational Unit : QK92QP33YN
Valid From : 2012/10/30 01:07:40 -0400
Valid Until : 2017/10/31 01:07:40 -0400
2. SHA-256 : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f
SHA-1 : 3b166c3b7dc4b751c9fe2afab9135641e388e186
Common Name : Developer ID Certification Authority
Organization : Apple Inc.
Organizational Unit : Apple Certification Authority
Valid From : 2012/02/01 17:12:15 -0500
Valid Until : 2027/02/01 17:12:15 -0500
3. SHA-256 : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
SHA-1 : 611e5b662c593a08ff58d14ae22452d198df6c60
Common Name : Apple Root CA
Organization : Apple Inc.
Organizational Unit : Apple Certification Authority
Valid From : 2006/04/25 17:40:36 -0400
Valid Until : 2035/02/09 16:40:36 -0500
```
Any of the desired information can be targeted with the `--key` flag
```sh
⇒ santactl fileinfo /Applications/Hex\ Fiend.app --key SHA-256
efaf88db065beae61615f6f176c11c751555d2bad3c5da6cdad71635896014f1
```
Multiple `--key` flags are allowed
```sh
⇒ santactl fileinfo /Applications/Hex\ Fiend.app --key SHA-256 --key Rule
efaf88db065beae61615f6f176c11c751555d2bad3c5da6cdad71635896014f1
Whitelisted (Unknown)
```
The `--json` flag can also be used at any point
```sh
⇒ santactl fileinfo /Applications/Hex\ Fiend.app --key SHA-256 --key Rule --json
{
"SHA-256" : "efaf88db065beae61615f6f176c11c751555d2bad3c5da6cdad71635896014f1",
"Rule" : "Whitelisted (Unknown)"
}
```
Multiple files are also supported as input
```sh
⇒ santactl fileinfo /bin/* --key SHA-256 --key Rule --json
[
{
"SHA-256" : "5d8e161c21fc1a43374c4cf21be05360dbe2ecea0165fd4725ae7a958f2a0b02",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "295fbc2356e8605e804f95cb6d6f992335e247dbf11767fe8781e2a7f889978a",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "9f9b36ec79b9fcaf649e17f2f94c544dd408c2ab630e73d7c62a7a43f1bc7b1d",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "08a09d2d9bade16872acdf5da1c4e9d29582ed985480a9e73fd389e98293c40d",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "48e4b938b363201ec11d06a13d8080c1bd77187d286780259b9304c96edc5324",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "7dff6291a29fdaf97dad64c0671dc5d1ecc42189bc5daf8ca08e2a3ae06aff95",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "7cbba457df4c02d6a7fb93046fea0e869732c65a2225bee6f2e8ec290d38c57b",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "39e894d1705656451f592884a56bcc76e7ffbb9ed2a8b81d5f2878e1c0e68dbe",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "8555ed4622410aa7b4379041acabf80fe452a90efe3be2697406935ff0d6822e",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "cee3e29089f8919ee904328904a7492995cfa398b027857fbf8b3e601397b308",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "da2cfa9fc2cabd41907f9d0931cea79000a19520fe0b3d73fc40537408730e40",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "73aee02c4761e5501b1fdfa51ccd316bf735017a5cc0a09d5bcc46f4e7112be9",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "3a1c4ca5a038b42b1fbfca6f9bec25d307a8af40afbe9c48b307372fe8167a2f",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "9dc8e1c5b6ec49602dd968eb88286e330220233f7cfa6e73fd37fc983a365084",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "78fd9b8749c2a216ca76ff4541754d4cf5a5e2e8c00710a85c3fdab171486f92",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "c4daaf12bd42adee60549872126e15186c75d89e760f078bfa6a45a861f6400f",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "9dba1cbb01bce47a9610a40cbcbc27704a754e31a889503eb0670c3a25f7ad72",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "a5ae86cd413589d9661fc604349fb153c0d6f5dfa3d9e95e01b8bc5e09bc1da1",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "a5ae86cd413589d9661fc604349fb153c0d6f5dfa3d9e95e01b8bc5e09bc1da1",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "c4c5517ff40a33006028853a19734d8cda8e2942cb9ba27b8310e07f18677487",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "a944b104742db59204b45f1dae657bd6a845ff2374e1ade3cf9f09cc428154cf",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "09e143cf3b6c4dcc98676cc45543613b83b6527b502d4dacb42b3f6c7036ef5a",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "47cea771e93aff464f1060a6a1a2c3855401e6cd22c3971b2b76fae92e8c33b4",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "5682f15628ae15e5c29aa37f19ec421bbe4aca47734864b6363b73a16f891888",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "83c29a2445d84daf51eebd51668753fb39600a136efc20aba7298a812b44974c",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "83929910d3cd2c401636337fadc747a9a8ea6c174bfd80f1e96b99d877ddfa6e",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "cccd818698aa802b116586a773643d0b951067dea8284304acaae62ac97b362b",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "2bf2d10a7529a88d340ce0255da52dbef9873ccb44e46d23af03abf70b8e54ca",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "956f2dc7ba31663dd3a9b70e84e6a2491980165426b90cacd10db4bd010c3353",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "da1a3ae959751b211928f175f6c8987408a976be44690022c92d45ef5a8cb6e5",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "1e51209ae4549a72432ad504341c0731a282b33ba99c5f7f4e2abc9993e09b0a",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "7dff6291a29fdaf97dad64c0671dc5d1ecc42189bc5daf8ca08e2a3ae06aff95",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "5d8e161c21fc1a43374c4cf21be05360dbe2ecea0165fd4725ae7a958f2a0b02",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "83929910d3cd2c401636337fadc747a9a8ea6c174bfd80f1e96b99d877ddfa6e",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "17372eafbe9e920d5715a9cffa59f881ef4ed949785c1e2adf9c067d550dbde6",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "b1834d55b76c65d57cef1219a30331452301e84b6e315f2a17e5b5b295ce1648",
"Rule" : "Whitelisted (Certificate)"
}
]
```
Recursive lookups of an application or directory is a soon to be added feature
```sh
⇒ santactl fileinfo --recursive /Applications/Santa.app --key SHA-256 --key Rule --key Type --json
[
{
"SHA-256" : "c149c10c83abaf6b602401106f098b68d47a1a433ab02455cef2ca8057cf4a82",
"Type" : "Unknown",
"Rule" : "Whitelisted (Scope)"
},
{
"SHA-256" : "c339c3e5e04c732ae493dbc4a26d18fccc8bb48cea0cc0762ccd8754ef318a0b",
"Type" : "Unknown",
"Rule" : "Whitelisted (Scope)"
},
{
"SHA-256" : "6ee757ab65d7c93e8b6a467b44cd2f0d10b6db7da8b6200e778c3ca279ea5619",
"Type" : "Executable (x86-64)",
"Rule" : "Whitelisted (Certificate)"
},
{
"SHA-256" : "82502191c9484b04d685374f9879a0066069c49b8acae7a04b01d38d07e8eca0",
"Type" : "Unknown",
"Rule" : "Whitelisted (Scope)"
},
{
"SHA-256" : "9814019f865a540d3635012a75db932eaefc9a62468750f2294350690430aadf",
"Type" : "Unknown",
"Rule" : "Whitelisted (Scope)"
},
{
"SHA-256" : "05a9c9dbbf0a7a30f083e3dccd8db3d96845e0644930977b4e284c65083b89ac",
"Type" : "Unknown",
"Rule" : "Whitelisted (Scope)"
},
{
"SHA-256" : "e1db8fdffc5017684f962c51fad059dcaa06ab5d551186aa85711f80b727d23d",
"Type" : "Unknown",
"Rule" : "Whitelisted (Scope)"
}
]
```
##### rule
The rule command is covered in the [rules.md](rules.md) document.
##### sync
The sync command is covered in the [syncing.md](syncing.md) document.
##### Debug Commands
There are a few commands that are not included in the release versions of Santa. They are mainly used during development and only accessible with a debug build of Santa.
##### bundleinfo
This prints info about all of the executable Mach-O files within a bundle. It also prints the calculated bundle hash for that particular bundle. A bundle hash is a notion used by Santa to represent a set of binaries.
```sh
⇒ santactl bundleinfo /Applications/Hex\ Fiend.app
Hashing time: 12 ms
4 events found
BundleHash: 33da3e2d5e2ccbdb9d34fb9753c2c18805e6325853d2fb4eb947915c90113efc
BundleID: com.ridiculousfish.HexFiend
SHA-256: e592a7c65f803675c0b7d55ab7d2a1a2696c9f097a99dc28a4083d7387e53d95
Path: /Applications/Hex Fiend.app/Contents/Library/LaunchServices/com.ridiculousfish.HexFiend.PrivilegedHelper
BundleID: com.ridiculousfish.HexFiend
SHA-256: ce23d39a1a8ff2b42baad5a0204b24b57590bb7ff74c9552b3ba10d9c1517279
Path: /Applications/Hex Fiend.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate
BundleID: com.ridiculousfish.HexFiend
SHA-256: efaf88db065beae61615f6f176c11c751555d2bad3c5da6cdad71635896014f1
Path: /Applications/Hex Fiend.app/Contents/MacOS/Hex Fiend
BundleID: com.ridiculousfish.HexFiend
SHA-256: 148d6ae55176b619e5eb9f5000922b3ca4c126206fc5782f925d112027f9db3c
Path: /Applications/Hex Fiend.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop
```
See the [santabs.md](santabs.md) document for more information on bundles and bundle hashes.
##### checkcache
This is used to check if a particular file is apart of santa-driver's kernel cache. Mainly for debugging purposes.
```sh
⇒ santactl checkcache /usr/bin/yes
File does not exist in cache
⇒ /usr/bin/yes
y
y
y
y
y
^C
⇒ santactl checkcache /usr/bin/yes
File exists in [whitelist] kernel cache
```
##### flushcache
This can be used to flush santa-driver's kernel cache, as shown here.
```sh
⇒ santactl checkcache /usr/bin/yes
File exists in [whitelist] kernel cache
⇒ sudo santactl flushcache
Cache flush requested
⇒ santactl checkcache /usr/bin/yes
File does not exist in cache
```

23
Docs/details/santad.md Normal file
View File

@@ -0,0 +1,23 @@
# santad
The santad process does the heavy lifting when it comes to making decisions about binary executions. It also handles brokering all of the XPC connections between the various components of Santa. It does all of this with performance being at the forefront.
##### A note on performance
On an idling machine, santad and the other components of Santa consume virtually no CPU and a minimal amount of memory (5-50MB). When lots of processes `execve()` at the same time, the CPU and memory usage can spike. All of the `execve()` decisions are made on high priority threads to ensure decisions are posted back to the kernel as soon as possible. A watchdog thread will log warnings when sustained high CPU (>20%) and memory (>250MB) usage by santad is detected.
##### On Launch
The very first thing santad does once it has been launched is to load and connect to santa-driver. Only one connection may be active at any given time.
At this point, santa-driver is loaded and running in the kernel, but is allowing all executions and not sending any messages to santad. Before santad tells santa-driver it is ready to receive messages, it needs to setup a few more things:
* The rule and event databases are initialized
* Connections to Santa (GUI) and santactl sync daemon are established.
* The config file is processed.
santad is now ready to start processing decision and logging messages from santa-driver. The listeners are started and santad sits in a run loop awaiting messages from santa-driver.
##### Running
Messages are read from a shared memory queue (`IODataQueueMemory` ) on a single thread. A callback is invoked for each message. The callback then dispatches all the work of processing a decision message to a concurrent high priority queue. The log messages are dispatched to a low priority queue for processing.

27
Docs/details/scopes.md Normal file
View File

@@ -0,0 +1,27 @@
# Scopes
In addition to rules, Santa can whitelist or blacklist based on scopes. Currently, only a few scopes are implemented. They fall into one of two categories: a whitelist scope or blacklist scope. Scopes are evaluated after rules, with blacklist evaluation preceding whitelist.
Scopes are a broader way of whitelisting or blacklisting `execve()`s.
For configuration of scopes see [configuration.md](../deployment/configuration.md).
##### Blacklist Scopes
| Scope | Configurable |
| -------------------- | ------------ |
| Blacklist Path Regex | Yes |
| Missing __PAGEZERO | Yes |
##### Whitelist Scopes
| Scope | Configurable |
| -------------------- | ------------ |
| Whitelist Path Regex | Yes |
| Not a Mach-O | No |
As seen above, Santa will whitelist any non Mach-O binary under a whitelist scope. However, a blacklist regex or binary SHA-256 rule can be used to block non Mach-O `execve()`s since they are evaluated before the whitelist scopes.
##### Regex Caveats
The paths covered by the whitelist and blacklist regex patterns are not tracked. If an `execve()` is allowed initially, then moved into a blacklist directory, Santa has no knowledge of that move. Since santa-driver caches decisions, the recently moved file will continue to be allowed to `execve()` even though it is now within a blacklisted regex path. The cache holds "allow" decisions until invalidated and "deny" decisions for 500 milliseconds. Going from a blacklist path to a whitelist path is not largely affected.

108
Docs/development/building.md Normal file
View File

@@ -0,0 +1,108 @@
# Building
Santa makes use of [rake](https://ruby.github.io/rake/) for building and testing Santa. All of the [releases](https://github.com/google/santa/releases) are made using this same process. Santa's releases are codesigned with Google's KEXT signing certificate. This allows Santa to be loaded with SIP fully enabled.
#### Cloning
Clone the source and change into the directory.
```sh
git clone https://github.com/google/santa
cd santa
```
The above command will default to using the `master` branch. If you wanted to build, run or test a specific version of Santa use this command.
```sh
git checkout <version, i.e. 0.9.19>
```
#### Building
Build a debug version of Santa. This keeps all the debug symbols, adds additional logs and does not optimize the compiled output. For speed sensitive tests make sure to benchmark a release version too.
```sh
rake build:debug
```
Build a release version of Santa.
```sh
rake build:release
```
Both of these just output the binaries that makeup Santa in the default Xcode build location. To actually run what was built, see the next section.
#### Running
On macOS 10.11+ System Integrity Protection (SIP) prevents loading of kernel extensions that are not signed by an Apple KEXT signing certificate. To be able to load and test a non-release version of Santa, SIP will have to be configured to allow non-Apple KEXT signing certificates.
__This is only to be done a machine that is actively developing, unloading and loading kernel extensions.__
1. Boot into Recovery Mode: Reboot and hold down `command+r`
2. From the utilities menu select `Terminal`
3. Disable the KEXT feature of SIP: `csrutil enable --without kext`
4. Reboot
You should now be able to load and run a non-release version of Santa.
Build and run a debug version of Santa.
```sh
rake reload:debug
```
Build and run a release version of Santa.
```sh
rake reload:release
```
#### Debugging
Xcode and lldb can be used to debug Santa, just like any other project. Instead of clicking the play button to launch and attach to a process, you can attach to an already running, or soon to by running, component of Santa. To do this select the Debug menu and choose `Attach to Process by PID or Name… `. Below are the four components of Santa and who to debug the process as.
Note: santa-driver (the kernel extension) cannot be debugged by attaching with Xcode.
Note: Xcode can attach to santad without interruption, however any breakpoints in the decision making codepath can deadlock the machine. Using lldb directly to attach to santad will deadlock the machine.
| process | user |
| -------- | ---- |
| santad | root |
| Santa* | me |
| santactl | me |
| santabs | root |
Xcode will then wait for the process to start. Issue this command to restart all the Santa processes in debug mode.
*The Santa (GUI) process is the only component of Santa that can be launched and debugged from Xcode directly. All the other components are launched with privileges and/or are scoped to an XPC service that launchd scopes to a hosting bundle. Thus the need for the `Attach to Process by PID or Name…` technique. See the [ipc](../details/ipc.md) document for for details.
```sh
rake reload:debug
```
Now the process is attached in Xcode and you can debug your day away.
#### Tests
Run all the logic / unit tests
```sh
rake tests:logic
```
Run all of santa-driver kernel extension tests
```sh
rake tests:kernel
```
#### Releases
Creates a release build of Santa with a version based of the newest tag. Also saves the dsym files for each component of Santa. This makes debugging and interpreting future crashes or kernel panics much easier.
```sh
rake dist
```

46
Docs/index.md Normal file
View File

@@ -0,0 +1,46 @@
# Welcome to the Santa Docs
Santa is a binary whitelisting / blacklisting system for macOS. Here you will find the documentation for understanding how Santa works, how to deploy it and how to contribute.
#### Introduction
The following documents give an overview of how Santa accomplishes binary whitelisting / blacklisting at the enterprise scale.
- [Binary Whitelisting](introduction/binary-whitelisting-overview.md): How Santa makes allow or deny decisions for any `execve()` taking place.
- [Syncing](introduction/syncing-overview.md): How configuration and whitelist / blacklist rules are applied from a sync server.
#### Deployment
* [Configuration](deployment/configuration.md): The local and sync server configuration options.
#### Development
* [Building Santa](development/building.md): How to build and load Santa for testing on a development machine.
* [Contributing](../CONTRIBUTING.md): How to contribute a bug fix or new feature to Santa.
#### Details
For those who want even more details on how Santa works under the hood, this section is for you.
###### Binaries
There are five main components that make up Santa whose core functionality is described in snippets below. For additional detail on each component, visit their respective pages. These quick descriptions do not encompass all the jobs performed by each component, but do provide a quick look at the basic functionality utilized to achieve the goal of binary whitelisting / blacklisting.
* [santa-driver](details/santa-driver.md): A macOS kernel extension that participates in `execve()` decisions.
* [santad](details/santad.md): A user-land root daemon that makes decisions on behalf of santa-driver requests.
* [santactl](details/santactl.md): A user-land anonymous daemon that communicates with a sync server for configurations and policies. santactl can also be used by a user to manually configure Santa when using the local configuration.
* [santa-gui](details/santa-gui.md): A user-land GUI daemon that displays notifications when an `execve()` is blocked.
* [santabs](details/santabs.md): A user-land root daemon that finds Mach-O binaries within a bundle and creates events for them.
###### Concepts
Additional documentation on the concepts that support the operation of the main components:
* [mode](details/mode.md): An operating mode, either Monitor or Lockdown.
* [events](details/events.md): Represents an `execve()` that was blocked, or would have been blocked, depending on the mode.
* [rules](details/rules.md): Represents allow or deny decisions for a given `execve()`. Can either be a binary's SHA-256 hash or a leaf code-signing certificate's SHA-256 hash.
* [scopes](details/scopes.md): The level at which an `execve()` was allowed or denied from taking place.
* [syncing](introduction/syncing-overview.md): How Santa communicates with a TLS server for configuration, rules and event uploading.
* [ipc](details/ipc.md): How all the components of Santa communicate.
duction/syncing-overview.
* [logs](details/logs.md): What and where Santa logs.

31
Docs/introduction/binary-whitelisting-overview.md Normal file
View File

@@ -0,0 +1,31 @@
# Binary Whitelisting Overview
#### Background
The decision flow starts in the kernel. The macOS kernel is extensible by way of a kernel extension (KEXT). macOS makes available kernel programming interfaces (KPIs) to be used by a KEXT. Santa utilizes the Kernel Authorization (Kauth) KPI. This is a very powerful and verbose interface that gives Santa the ability to listen in on most vnode and file systems operations and to take actions, directly or indirectly, on the operations being performed. Still, there are some limitations to Kauth which are pointed out in the santa-driver document. For more information on the santa-driver KEXT see the [santa-driver.md](../details/santa-driver.md) document.
#### Flow of an execve()
This is a high level overview of the binary whitelisting / blacklisting decision process. For a more detailed account of each part, see the respective documentation. This flow does not cover the logging component of Santa, see the [logs.md](../details/logs.md) documentation for more info.
###### Kernel Space
0. santa-driver registers itself as a `KAUTH_SCOPE_VNODE` listener. This flow follows how santa-driver handles `KAUTH_VNODE_EXECUTE` events.
1. A santa-driver Kauth callback function is executed by the kernel when a process is trying to `execve()`. In most cases, the `execve()` takes place right after a process calls `fork()` to start a new process. This function is running on a kernel thread representing the new process. Information on where to find the executable is provided. This information is known as the `vnode_id`.
2. santa-driver then checks if its cache has an allow or deny entry for the `vnode_id`. If so it returns that decision to the Kauth KPI.
* If Kauth receives a deny, it will stop the `execve()` from taking place.
* If Kauth receives an allow, it will defer the decision. If there are other Kauth listeners, they also have a chance deny or defer.
3. If there is no entry for the `vnode_id` in the cache a few actions occur:
* santa-driver hands off the decision making to santad.
* A new entry is created in the cache for the `vnode_id` with a special value of `ACTION_REQUEST_BINARY`. This is used as a placeholder until the decision from santad comes back. If another process tries to `execve()` the same `vnode_id`, santa-driver will have that thread wait for the in-flight decision from santad. All subsequent `execve()`s for the same `vnode_id` will use the decision in the cache as explained in #2, until the cache is invalidated. See the [santa-driver.md](../details/santa-driver.md) document for more details on the cache invalidation.
* If the executing file is written to while any of the threads are waiting for a response the `ACTION_REQUEST_BINARY` entry is removed, forcing the decision-making process to be restarted.
###### User Space
1. santad is listening for decision requests from santa-driver.
* More information is collected about the executable that lives at the `vnode_id`. Since this codepath has a sleeping kernel thread waiting for a decision, extra care is taken to be as performant as possible.
2. santad uses the information it has gathered to make a decision to allow or deny the `execve()`. There are more details on how these decisions are made in the [rules.md](../details/rules.md) and [scopes.md](../details/scopes.md) documents.
3. The decision is posted back to santa-driver.
4. If there was a deny decision, a message is sent to Santa GUI to display a user popup notification.

27
Docs/introduction/syncing-overview.md Normal file
View File

@@ -0,0 +1,27 @@
# Syncing Overview
#### Background
Santa can be run and configured without a sync server. Doing so will enable an admin to configure rules with the `santactl rule` command. Using a sync server will enable an admin to configures rules and multiple other settings from the sync server itself. Santa was designed from the start with a sync server in mind. This allows an admin to easily configure and sync rules across a fleet of macOS systems. This document explains the syncing process.
#### Flow of a full sync
This is a high level overview of the syncing process. For a more a more detailed account of each part, see the respective documentation. The santaclt binary can be run in one of two modes, daemon and non-daemon. The non-daemon mode does one full sync and exits. This is the typical way a user will interact with Santa, mainly to force a full sync. The daemon mode is used by santad to schedule full syncs, listen for push notifications and upload events.
0. When the santad process starts up, it looks for a `SyncBaseURL` key/value in the config. If one exists it will `fork()` and `execve()` `santactl sync —-daemon`. Before the new process calls `execve()`, all privileges are dropped. All privileged actions are then restricted to the XPC interface made available to santactl by santad. Since this santactl process is running as a daemon it too exports an XPC interface so santad can interact with the process efficiently and securely. To ensure syncing reliability santad will restart the santactl daemon if it is killed or crashes.
1. The santactl daemon process now schedules a full sync for 15 sec in the future. The 15 sec is used to let santad settle before santactl starts sending rules from the sync server to process.
2. The full sync starts. There are a number of stages to a full sync:
1. preflight: The sync server can set various settings for Santa.
2. logupload (optional): The sync server can request that the Santa logs be uploaded to an endpoint.
3. eventupload (optional): If Santa has generated events, it will upload them to the sync-server.
4. ruledownload: Download rules from the sync server.
5. postflight: Updates timestamps for successful syncs.
3. After the full sync completes a new full sync will be scheduled, by default this will be 10min. However there are a few ways to manipulate this:
1. The sync server can send down a configuration in the preflight to override the 10min interval. It can be anything greater than 10min.
2. Firebase Cloud Messaging (FCM) can be used. The sync server can send down a configuration in the preflight to have the santactl daemon to start listening for FCM messages. If a connection to FCM is made, the full sync interval drops to a default of 4 hours. This can be further configured by a preflight configuration. The FCM connection allows the sync-sever to talk directly with Santa. This way we can reduce polling the sync server dramatically.
4. Full syncs will continue to take place at their configured interval. If configured FCM messages will continue to be digested and acted upon.
#### santactl XPC interface
When running as a daemon, the santactl process makes available an XPC interface for use by santad. This allows santad to send blocked binary or bundle events directly to santactl for immediate upload to the sync-server, enabling a smoother user experience. The binary that was blocked on macOS is immediately available for viewing or handling on the sync-server.

3
Docs/theme/Santa.css Normal file
View File

@@ -0,0 +1,3 @@
.wy-side-nav-search {
background-color: rgb(253, 67, 69);
}

2
Podfile.lock
View File

@@ -29,4 +29,4 @@ SPEC CHECKSUMS:
PODFILE CHECKSUM: acd378b3727c923d912e09812da344f7375c14fe
COCOAPODS: 1.2.1
COCOAPODS: 1.3.1

10
README.md
View File

@@ -1,4 +1,6 @@
Santa [![Build Status](https://travis-ci.org/google/santa.png?branch=master)](https://travis-ci.org/google/santa)
Santa
[![Build Status](https://travis-ci.org/google/santa.png?branch=master)](https://travis-ci.org/google/santa)
[![Documentation Status](https://readthedocs.org/projects/santa/badge/?version=latest)](https://santa.readthedocs.io/en/latest/?badge=latest)
=====
<p align="center">
@@ -20,6 +22,10 @@ It is named Santa because it keeps track of binaries that are naughty or nice.
Santa is a project of Google's Macintosh Operations Team.
Docs
========
The Santa docs are stored in the [Docs](https://github.com/google/santa/blob/master/Docs) directory. A Read the Docs instance is available here: https://santa.readthedocs.io.
Admin-Related Features
========
@@ -139,6 +145,8 @@ rake build:debug
Note: the Xcode project is setup to use any installed "Mac Developer" certificate
and for security-reasons parts of Santa will not operate properly if not signed.
For more details on building see the [building.md](https://github.com/google/santa/blob/master/Docs/development/building.md) document.
Kext Signing
============
Kernel extensions on macOS 10.9 and later must be signed using an Apple-provided

39
Santa.xcodeproj/project.pbxproj
View File

@@ -149,7 +149,6 @@
0DEA5F7D1CF64EB600704398 /* SNTCommandSyncRuleDownload.m in Sources */ = {isa = PBXBuildFile; fileRef = 0D0A1EC2191998C900B8450F /* SNTCommandSyncRuleDownload.m */; };
0DEFB7C01ACB28B000B92AAE /* SNTCommandSyncConstants.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DEFB7BF1ACB28B000B92AAE /* SNTCommandSyncConstants.m */; };
0DEFB7C41ACDD80100B92AAE /* SNTFileWatcher.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DEFB7C31ACDD80100B92AAE /* SNTFileWatcher.m */; };
0DEFB7C51ACDD80100B92AAE /* SNTFileWatcher.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DEFB7C31ACDD80100B92AAE /* SNTFileWatcher.m */; };
0DEFB7C61ACDE5F600B92AAE /* SNTFileWatcher.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DEFB7C31ACDD80100B92AAE /* SNTFileWatcher.m */; };
0DEFB7C81ACF0BFE00B92AAE /* SNTFileWatcherTest.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DEFB7C71ACF0BFE00B92AAE /* SNTFileWatcherTest.m */; };
0DF395641AB76A7900CBC520 /* NSData+Zlib.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DF395631AB76A7900CBC520 /* NSData+Zlib.m */; };
@@ -157,6 +156,8 @@
168A4E09A2A5E0B7DF8A2F1A /* libPods-santad.a in Frameworks */ = {isa = PBXBuildFile; fileRef = C11A10A5D6E112788769CF70 /* libPods-santad.a */; };
4092327A1A51B66400A04527 /* SNTCommandRule.m in Sources */ = {isa = PBXBuildFile; fileRef = 409232791A51B65D00A04527 /* SNTCommandRule.m */; };
59D56CF2D9C5BD9B7E3CC56D /* libPods-santad-santabs.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 14B98F4051188ECB7D024331 /* libPods-santad-santabs.a */; };
81133DB01F3A76F700917FF9 /* SNTCommand.m in Sources */ = {isa = PBXBuildFile; fileRef = 81133DAF1F3A75CE00917FF9 /* SNTCommand.m */; };
81133DB11F3A77C600917FF9 /* SNTCommand.m in Sources */ = {isa = PBXBuildFile; fileRef = 81133DAF1F3A75CE00917FF9 /* SNTCommand.m */; };
B352A545B76783D568A6D0C5 /* libPods-Santa.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 90E9D568200AB9B642E06272 /* libPods-Santa.a */; };
C714F8B11D8044D400700EDF /* SNTCommandFileInfo.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DCD5FBE1909D64A006B445C /* SNTCommandFileInfo.m */; };
C714F8B21D8044FE00700EDF /* SNTCommandController.m in Sources */ = {isa = PBXBuildFile; fileRef = 0D35BDAB18FD7CFD00921A21 /* SNTCommandController.m */; };
@@ -170,6 +171,8 @@
C76614EC1D142D3C00D150C1 /* SNTCommandCheckCache.m in Sources */ = {isa = PBXBuildFile; fileRef = C76614EB1D142D3C00D150C1 /* SNTCommandCheckCache.m */; };
C776A1071DEE160500A56616 /* SNTCommandSyncManager.m in Sources */ = {isa = PBXBuildFile; fileRef = C776A1061DEE160500A56616 /* SNTCommandSyncManager.m */; };
C78227631E1C3C7D006EB2D6 /* santabs.xpc in CopyFiles */ = {isa = PBXBuildFile; fileRef = C78227541E1C3C58006EB2D6 /* santabs.xpc */; settings = {ATTRIBUTES = (RemoveHeadersOnCopy, ); }; };
C7943FE92028B855008D4F76 /* SNTFileWatcher.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DEFB7C31ACDD80100B92AAE /* SNTFileWatcher.m */; };
C7943FEA2028C4F7008D4F76 /* SNTFileWatcher.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DEFB7C31ACDD80100B92AAE /* SNTFileWatcher.m */; };
C795ED901D80A5BE007CFF42 /* SNTPolicyProcessor.m in Sources */ = {isa = PBXBuildFile; fileRef = C795ED8F1D80A5BE007CFF42 /* SNTPolicyProcessor.m */; };
C795ED911D80B66B007CFF42 /* SNTPolicyProcessor.m in Sources */ = {isa = PBXBuildFile; fileRef = C795ED8F1D80A5BE007CFF42 /* SNTPolicyProcessor.m */; };
C79A23581E23F7E80037AFA8 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = C79A23561E23F7E80037AFA8 /* main.m */; };
@@ -427,6 +430,8 @@
670AD2EB5E3572321B058D02 /* Pods-Santa.debug.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-Santa.debug.xcconfig"; path = "Pods/Target Support Files/Pods-Santa/Pods-Santa.debug.xcconfig"; sourceTree = "<group>"; };
6C489E087A247B24480DB954 /* Pods-LogicTests.debug.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-LogicTests.debug.xcconfig"; path = "Pods/Target Support Files/Pods-LogicTests/Pods-LogicTests.debug.xcconfig"; sourceTree = "<group>"; };
7D949AA996AEAC326A4F6596 /* libPods-LogicTests.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = "libPods-LogicTests.a"; sourceTree = BUILT_PRODUCTS_DIR; };
81133DAE1F3A75CE00917FF9 /* SNTCommand.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SNTCommand.h; sourceTree = "<group>"; };
81133DAF1F3A75CE00917FF9 /* SNTCommand.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTCommand.m; sourceTree = "<group>"; };
8EF10E4B8C86CED022C72F1B /* Pods-santactl.debug.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-santactl.debug.xcconfig"; path = "Pods/Target Support Files/Pods-santactl/Pods-santactl.debug.xcconfig"; sourceTree = "<group>"; };
90E9D568200AB9B642E06272 /* libPods-Santa.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = "libPods-Santa.a"; sourceTree = BUILT_PRODUCTS_DIR; };
A6A91785C40257CC156B4F05 /* Pods-Santa.release.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-Santa.release.xcconfig"; path = "Pods/Target Support Files/Pods-Santa/Pods-Santa.release.xcconfig"; sourceTree = "<group>"; };
@@ -563,6 +568,8 @@
0D35BDA018FD71CE00921A21 /* santactl */ = {
isa = PBXGroup;
children = (
81133DAE1F3A75CE00917FF9 /* SNTCommand.h */,
81133DAF1F3A75CE00917FF9 /* SNTCommand.m */,
0D35BDAA18FD7CFD00921A21 /* SNTCommandController.h */,
0D35BDAB18FD7CFD00921A21 /* SNTCommandController.m */,
0D35BDA118FD71CE00921A21 /* main.m */,
@@ -1215,13 +1222,16 @@
files = (
);
inputPaths = (
"${PODS_PODFILE_DIR_PATH}/Podfile.lock",
"${PODS_ROOT}/Manifest.lock",
);
name = "[CP] Check Pods Manifest.lock";
outputPaths = (
"$(DERIVED_FILE_DIR)/Pods-santad-santabs-checkManifestLockResult.txt",
);
runOnlyForDeploymentPostprocessing = 0;
shellPath = /bin/sh;
shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n # print error to STDERR\n echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n exit 1\nfi\n";
shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n # print error to STDERR\n echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n exit 1\nfi\n# This output is used by Xcode 'outputs' to avoid re-running this script phase.\necho \"SUCCESS\" > \"${SCRIPT_OUTPUT_FILE_0}\"\n";
showEnvVarsInLog = 0;
};
2146C1274A8C11B3755A8A67 /* [CP] Check Pods Manifest.lock */ = {
@@ -1230,13 +1240,16 @@
files = (
);
inputPaths = (
"${PODS_PODFILE_DIR_PATH}/Podfile.lock",
"${PODS_ROOT}/Manifest.lock",
);
name = "[CP] Check Pods Manifest.lock";
outputPaths = (
"$(DERIVED_FILE_DIR)/Pods-santad-checkManifestLockResult.txt",
);
runOnlyForDeploymentPostprocessing = 0;
shellPath = /bin/sh;
shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n # print error to STDERR\n echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n exit 1\nfi\n";
shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n # print error to STDERR\n echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n exit 1\nfi\n# This output is used by Xcode 'outputs' to avoid re-running this script phase.\necho \"SUCCESS\" > \"${SCRIPT_OUTPUT_FILE_0}\"\n";
showEnvVarsInLog = 0;
};
23869BA352E2C86DEFE62819 /* [CP] Copy Pods Resources */ = {
@@ -1290,13 +1303,16 @@
files = (
);
inputPaths = (
"${PODS_PODFILE_DIR_PATH}/Podfile.lock",
"${PODS_ROOT}/Manifest.lock",
);
name = "[CP] Check Pods Manifest.lock";
outputPaths = (
"$(DERIVED_FILE_DIR)/Pods-LogicTests-checkManifestLockResult.txt",
);
runOnlyForDeploymentPostprocessing = 0;
shellPath = /bin/sh;
shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n # print error to STDERR\n echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n exit 1\nfi\n";
shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n # print error to STDERR\n echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n exit 1\nfi\n# This output is used by Xcode 'outputs' to avoid re-running this script phase.\necho \"SUCCESS\" > \"${SCRIPT_OUTPUT_FILE_0}\"\n";
showEnvVarsInLog = 0;
};
B193461D3612BCB47C16E407 /* [CP] Check Pods Manifest.lock */ = {
@@ -1305,13 +1321,16 @@
files = (
);
inputPaths = (
"${PODS_PODFILE_DIR_PATH}/Podfile.lock",
"${PODS_ROOT}/Manifest.lock",
);
name = "[CP] Check Pods Manifest.lock";
outputPaths = (
"$(DERIVED_FILE_DIR)/Pods-Santa-checkManifestLockResult.txt",
);
runOnlyForDeploymentPostprocessing = 0;
shellPath = /bin/sh;
shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n # print error to STDERR\n echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n exit 1\nfi\n";
shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n # print error to STDERR\n echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n exit 1\nfi\n# This output is used by Xcode 'outputs' to avoid re-running this script phase.\necho \"SUCCESS\" > \"${SCRIPT_OUTPUT_FILE_0}\"\n";
showEnvVarsInLog = 0;
};
BA20035148DDEF5808B2C7EF /* [CP] Embed Pods Frameworks */ = {
@@ -1352,13 +1371,16 @@
files = (
);
inputPaths = (
"${PODS_PODFILE_DIR_PATH}/Podfile.lock",
"${PODS_ROOT}/Manifest.lock",
);
name = "[CP] Check Pods Manifest.lock";
outputPaths = (
"$(DERIVED_FILE_DIR)/Pods-santactl-checkManifestLockResult.txt",
);
runOnlyForDeploymentPostprocessing = 0;
shellPath = /bin/sh;
shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n # print error to STDERR\n echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n exit 1\nfi\n";
shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n # print error to STDERR\n echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n exit 1\nfi\n# This output is used by Xcode 'outputs' to avoid re-running this script phase.\necho \"SUCCESS\" > \"${SCRIPT_OUTPUT_FILE_0}\"\n";
showEnvVarsInLog = 0;
};
D49A3AB950AFD99741E9AF89 /* [CP] Embed Pods Frameworks */ = {
@@ -1421,6 +1443,7 @@
isa = PBXSourcesBuildPhase;
buildActionMask = 2147483647;
files = (
81133DB01F3A76F700917FF9 /* SNTCommand.m in Sources */,
C714F8B21D8044FE00700EDF /* SNTCommandController.m in Sources */,
C7DA62F71E241938009BDF2C /* SNTXPCBundleServiceInterface.m in Sources */,
C714F8B11D8044D400700EDF /* SNTCommandFileInfo.m in Sources */,
@@ -1472,6 +1495,7 @@
isa = PBXSourcesBuildPhase;
buildActionMask = 2147483647;
files = (
81133DB11F3A77C600917FF9 /* SNTCommand.m in Sources */,
0DA73CA21934F88D0056D7C4 /* SNTLogging.m in Sources */,
0D35BDB518FD84F600921A21 /* SNTCommandSync.m in Sources */,
0DCD5FBF1909D64A006B445C /* SNTCommandFileInfo.m in Sources */,
@@ -1492,6 +1516,7 @@
C76614EC1D142D3C00D150C1 /* SNTCommandCheckCache.m in Sources */,
0D416401191974F1006A356A /* SNTCommandSyncState.m in Sources */,
0DC5D871192160180078A5C0 /* SNTCommandSyncLogUpload.m in Sources */,
C7943FE92028B855008D4F76 /* SNTFileWatcher.m in Sources */,
0DB77FDA1CD14092004DF060 /* SNTBlockMessage.m in Sources */,
0D35BDA218FD71CE00921A21 /* main.m in Sources */,
0DCD6043190ACCB8006B445C /* SNTFileInfo.m in Sources */,
@@ -1510,6 +1535,7 @@
isa = PBXSourcesBuildPhase;
buildActionMask = 2147483647;
files = (
C7943FEA2028C4F7008D4F76 /* SNTFileWatcher.m in Sources */,
0DCA552718C95928002A7DAE /* SNTXPCConnection.m in Sources */,
0D385DF1180DE51600418BC6 /* SNTAppDelegate.m in Sources */,
0D88680A1AC48A1200B86659 /* SNTSystemInfo.m in Sources */,
@@ -1524,7 +1550,6 @@
0D1B477019A53419008CADD3 /* SNTAboutWindowController.m in Sources */,
0D668E8118D1121700E29A8B /* SNTMessageWindow.m in Sources */,
0DA73CA11934F8100056D7C4 /* SNTLogging.m in Sources */,
0DEFB7C51ACDD80100B92AAE /* SNTFileWatcher.m in Sources */,
C7479F051E53704E0054C1CF /* SNTXPCBundleServiceInterface.m in Sources */,
0D20710E1A7C4A86008B0A9A /* SNTStoredEvent.m in Sources */,
0DE2CE561CA05561002B649A /* SNTAccessibleTextField.m in Sources */,

8
Source/SantaGUI/SNTAppDelegate.m
View File

@@ -16,7 +16,6 @@
#import "SNTAboutWindowController.h"
#import "SNTConfigurator.h"
#import "SNTFileWatcher.h"
#import "SNTNotificationManager.h"
#import "SNTStrengthify.h"
#import "SNTXPCConnection.h"
@@ -24,7 +23,6 @@
@interface SNTAppDelegate ()
@property SNTAboutWindowController *aboutWindowController;
@property SNTFileWatcher *configFileWatcher;
@property SNTNotificationManager *notificationManager;
@property SNTXPCConnection *daemonListener;
@property SNTXPCConnection *bundleListener;
@@ -36,12 +34,6 @@
- (void)applicationDidFinishLaunching:(NSNotification *)aNotification {
[self setupMenu];
self.configFileWatcher = [[SNTFileWatcher alloc] initWithFilePath:kDefaultConfigFilePath
handler:^(unsigned long data) {
if (! (data & DISPATCH_VNODE_ATTRIB)) [[SNTConfigurator configurator] reloadConfigData];
}];
self.notificationManager = [[SNTNotificationManager alloc] init];
NSNotificationCenter *workspaceNotifications = [[NSWorkspace sharedWorkspace] notificationCenter];

10
Source/SantaGUI/SNTNotificationManager.m
View File

@@ -102,14 +102,16 @@ static NSString * const silencedNotificationsKey = @"SilencedNotifications";
case SNTClientModeMonitor:
un.informativeText = @"Switching into Monitor mode";
customMsg = [[SNTConfigurator configurator] modeNotificationMonitor];
customMsg = [SNTBlockMessage stringFromHTML:customMsg];
if (customMsg.length) un.informativeText = customMsg;
if (!customMsg) break;
if (!customMsg.length) return;
un.informativeText = [SNTBlockMessage stringFromHTML:customMsg];
break;
case SNTClientModeLockdown:
un.informativeText = @"Switching into Lockdown mode";
customMsg = [[SNTConfigurator configurator] modeNotificationLockdown];
customMsg = [SNTBlockMessage stringFromHTML:customMsg];
if (customMsg.length) un.informativeText = customMsg;
if (!customMsg) break;
if (!customMsg.length) return;
un.informativeText = [SNTBlockMessage stringFromHTML:customMsg];
break;
default:
return;

15
Source/common/SNTBlockMessage.m
View File

@@ -92,20 +92,7 @@
+ (NSURL *)eventDetailURLForEvent:(SNTStoredEvent *)event {
SNTConfigurator *config = [SNTConfigurator configurator];
NSString *formatStr, *versionStr;
if (config.eventDetailBundleURL.length && event.fileBundleID) {
formatStr = config.eventDetailBundleURL;
versionStr = event.fileBundleVersion;
if (!versionStr) versionStr = event.fileBundleVersionString;
formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%bundle_id%"
withString:event.fileBundleID];
formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%bundle_ver%"
withString:versionStr];
} else {
formatStr = config.eventDetailURL;
}
NSString *formatStr = config.eventDetailURL;
if (!formatStr.length) return nil;
if (event.fileSHA256) {

8
Source/common/SNTCommonEnums.h
View File

@@ -72,6 +72,14 @@ typedef NS_ENUM(NSInteger, SNTRuleTableError) {
SNTRuleTableErrorRemoveFailed
};
// This enum type is used to indicate what should be done with the related bundle events that are
// generated when an initiating blocked bundle event occurs.
typedef NS_ENUM(NSInteger, SNTBundleEventAction) {
SNTBundleEventActionDropEvents,
SNTBundleEventActionStoreEvents,
SNTBundleEventActionSendEvents,
};
static const char *kKextPath = "/Library/Extensions/santa-driver.kext";
static const char *kSantaDPath = "/Library/Extensions/santa-driver.kext/Contents/MacOS/santad";
static const char *kSantaCtlPath = "/Library/Extensions/santa-driver.kext/Contents/MacOS/santactl";

53
Source/common/SNTConfigurator.h
View File

@@ -19,27 +19,21 @@
///
/// Singleton that provides an interface for managing configuration values on disk
/// @note This class is designed as a singleton but that is not strictly enforced.
/// @note All properties are KVO compliant.
///
@interface SNTConfigurator : NSObject
/// Default config file path
extern NSString *const kDefaultConfigFilePath;
#pragma mark - Daemon Settings
///
/// The operating mode.
///
@property(nonatomic) SNTClientMode clientMode;
@property(readonly, nonatomic) SNTClientMode clientMode;
///
/// The regex of paths to log file changes for. Regexes are specified in ICU format.
/// Set the operating mode as received from a sync server.
///
/// The regex flags IXSM can be used, though the s (dotalL) and m (multiline) flags are
/// pointless as a path only ever has a single line.
/// If the regex doesn't begin with ^ to match from the beginning of the line, it will be added.
///
@property(nonatomic) NSRegularExpression *fileChangesRegex;
- (void)setSyncServerClientMode:(SNTClientMode)newMode;
///
/// The regex of whitelisted paths. Regexes are specified in ICU format.
@@ -48,7 +42,12 @@ extern NSString *const kDefaultConfigFilePath;
/// pointless as a path only ever has a single line.
/// If the regex doesn't begin with ^ to match from the beginning of the line, it will be added.
///
@property(nonatomic) NSRegularExpression *whitelistPathRegex;
@property(readonly, nonatomic) NSRegularExpression *whitelistPathRegex;
///
/// Set the regex of whitelisted paths as received from a sync server.
///
- (void)setSyncServerWhitelistPathRegex:(NSRegularExpression *)re;
///
/// The regex of blacklisted paths. Regexes are specified in ICU format.
@@ -57,7 +56,21 @@ extern NSString *const kDefaultConfigFilePath;
/// pointless as a path only ever has a single line.
/// If the regex doesn't begin with ^ to match from the beginning of the line, it will be added.
///
@property(nonatomic) NSRegularExpression *blacklistPathRegex;
@property(readonly, nonatomic) NSRegularExpression *blacklistPathRegex;
///
/// Set the regex of blacklisted paths as received from a sync server.
///
- (void)setSyncServerBlacklistPathRegex:(NSRegularExpression *)re;
///
/// The regex of paths to log file changes for. Regexes are specified in ICU format.
///
/// The regex flags IXSM can be used, though the s (dotalL) and m (multiline) flags are
/// pointless as a path only ever has a single line.
/// If the regex doesn't begin with ^ to match from the beginning of the line, it will be added.
///
@property(readonly, nonatomic) NSRegularExpression *fileChangesRegex;
///
/// Enable __PAGEZERO protection, defaults to YES
@@ -77,8 +90,6 @@ extern NSString *const kDefaultConfigFilePath;
///
/// When the user gets a block notification, a button can be displayed which will
/// take them to a web page with more information about that event.
/// There are two properties, one for individual binaries and one for binaries that are part
/// of a bundle. If the latter is not set the former will be used.
///
/// This property contains a kind of format string to be turned into the URL to send them to.
/// The following sequences will be replaced in the final URL:
@@ -86,15 +97,12 @@ extern NSString *const kDefaultConfigFilePath;
/// %file_sha% -- SHA-256 of the file that was blocked.
/// %machine_id% -- ID of the machine.
/// %username% -- executing user.
/// %bundle_id% -- bundle id of the binary, if applicable.
/// %bundle_ver% -- bundle version of the binary, if applicable.
///
/// @note: This is not an NSURL because the format-string parsing is done elsewhere.
///
/// If this item isn't set, the Open Event button will not be displayed.
///
@property(readonly, nonatomic) NSString *eventDetailURL;
@property(readonly, nonatomic) NSString *eventDetailBundleURL;
///
/// Related to the above property, this string represents the text to show on the button.
@@ -207,15 +215,8 @@ extern NSString *const kDefaultConfigFilePath;
+ (instancetype)configurator;
///
/// Designated initializer.
/// Clear the sync server configuration from the effective configuration.
///
/// @param filePath The path to the file to use as a backing store.
///
- (instancetype)initWithFilePath:(NSString *)filePath;
///
/// Re-read config data from disk.
///
- (void)reloadConfigData;
- (void)clearSyncState;
@end

647
Source/common/SNTConfigurator.m
View File

@@ -14,47 +14,39 @@
#import "SNTConfigurator.h"
#include <sys/stat.h>
#import "SNTFileWatcher.h"
#import "SNTLogging.h"
#import "SNTStrengthify.h"
#import "SNTSystemInfo.h"
@interface SNTConfigurator ()
@property NSString *configFilePath;
@property NSMutableDictionary *configData;
/// A NSUserDefaults object set to use the com.google.santa suite.
@property(readonly, nonatomic) NSUserDefaults *defaults;
/// Creating NSRegularExpression objects is not fast, so cache them.
@property NSRegularExpression *cachedFileChangesRegex;
@property NSRegularExpression *cachedWhitelistDirRegex;
@property NSRegularExpression *cachedBlacklistDirRegex;
// Keys and expected value types.
@property(readonly, nonatomic) NSDictionary *syncServerKeyTypes;
@property(readonly, nonatomic) NSDictionary *forcedConfigKeyTypes;
/// Array of keys that cannot be changed while santad is running if santad didn't make the change.
@property(readonly) NSArray *protectedKeys;
/// Holds the configurations from a sync server and mobileconfig.
@property NSMutableDictionary *syncState;
@property NSMutableDictionary *configState;
/// Watcher for the sync-state.plist.
@property(nonatomic) SNTFileWatcher *syncStateWatcher;
@end
@implementation SNTConfigurator
/// The hard-coded path to the config file
NSString *const kDefaultConfigFilePath = @"/var/db/santa/config.plist";
/// The hard-coded path to the sync state file.
NSString *const kSyncStateFilePath = @"/var/db/santa/sync-state.plist";
/// The keys in the config file
static NSString *const kClientModeKey = @"ClientMode";
static NSString *const kFileChangesRegexKey = @"FileChangesRegex";
static NSString *const kWhitelistRegexKey = @"WhitelistRegex";
static NSString *const kBlacklistRegexKey = @"BlacklistRegex";
static NSString *const kEnablePageZeroProtectionKey = @"EnablePageZeroProtection";
static NSString *const kMoreInfoURLKey = @"MoreInfoURL";
static NSString *const kEventDetailURLKey = @"EventDetailURL";
static NSString *const kEventDetailBundleURLKey = @"EventDetailBundleURL";
static NSString *const kEventDetailTextKey = @"EventDetailText";
static NSString *const kUnknownBlockMessage = @"UnknownBlockMessage";
static NSString *const kBannedBlockMessage = @"BannedBlockMessage";
static NSString *const kModeNotificationMonitor = @"ModeNotificationMonitor";
static NSString *const kModeNotificationLockdown = @"ModeNotificationLockdown";
/// The domain used by mobileconfig.
static NSString *const kMobileConfigDomain = @"com.google.santa";
/// The keys managed by a mobileconfig.
static NSString *const kSyncBaseURLKey = @"SyncBaseURL";
static NSString *const kFullSyncLastSuccess = @"FullSyncLastSuccess";
static NSString *const kRuleSyncLastSuccess = @"RuleSyncLastSuccess";
static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
static NSString *const kClientAuthCertificateFileKey = @"ClientAuthCertificateFile";
static NSString *const kClientAuthCertificatePasswordKey = @"ClientAuthCertificatePassword";
static NSString *const kClientAuthCertificateCNKey = @"ClientAuthCertificateCN";
@@ -64,18 +56,76 @@ static NSString *const kServerAuthRootsFileKey = @"ServerAuthRootsFile";
static NSString *const kMachineOwnerKey = @"MachineOwner";
static NSString *const kMachineIDKey = @"MachineID";
static NSString *const kMachineOwnerPlistFileKey = @"MachineOwnerPlist";
static NSString *const kMachineOwnerPlistKeyKey = @"MachineOwnerKey";
static NSString *const kMachineIDPlistFileKey = @"MachineIDPlist";
static NSString *const kMachineIDPlistKeyKey = @"MachineIDKey";
- (instancetype)initWithFilePath:(NSString *)filePath {
static NSString *const kMoreInfoURLKey = @"MoreInfoURL";
static NSString *const kEventDetailURLKey = @"EventDetailURL";
static NSString *const kEventDetailTextKey = @"EventDetailText";
static NSString *const kUnknownBlockMessage = @"UnknownBlockMessage";
static NSString *const kBannedBlockMessage = @"BannedBlockMessage";
static NSString *const kModeNotificationMonitor = @"ModeNotificationMonitor";
static NSString *const kModeNotificationLockdown = @"ModeNotificationLockdown";
static NSString *const kEnablePageZeroProtectionKey = @"EnablePageZeroProtection";
static NSString *const kFileChangesRegexKey = @"FileChangesRegex";
// The keys managed by a sync server or mobileconfig.
static NSString *const kClientModeKey = @"ClientMode";
static NSString *const kWhitelistRegexKey = @"WhitelistRegex";
static NSString *const kBlacklistRegexKey = @"BlacklistRegex";
// The keys managed by a sync server.
static NSString *const kFullSyncLastSuccess = @"FullSyncLastSuccess";
static NSString *const kRuleSyncLastSuccess = @"RuleSyncLastSuccess";
static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
- (instancetype)init {
self = [super init];
if (self) {
_configFilePath = filePath;
[self reloadConfigData];
_syncServerKeyTypes = @{
kClientModeKey : [NSNumber class],
kWhitelistRegexKey : [NSRegularExpression class],
kBlacklistRegexKey : [NSRegularExpression class],
kFullSyncLastSuccess : [NSDate class],
kRuleSyncLastSuccess : [NSDate class],
kSyncCleanRequired : [NSNumber class]
};
_forcedConfigKeyTypes = @{
kClientModeKey : [NSNumber class],
kFileChangesRegexKey : [NSRegularExpression class],
kWhitelistRegexKey : [NSRegularExpression class],
kBlacklistRegexKey : [NSRegularExpression class],
kEnablePageZeroProtectionKey : [NSNumber class],
kMoreInfoURLKey : [NSString class],
kEventDetailURLKey : [NSString class],
kEventDetailTextKey : [NSString class],
kUnknownBlockMessage : [NSString class],
kBannedBlockMessage : [NSString class],
kModeNotificationMonitor : [NSString class],
kModeNotificationLockdown : [NSString class],
kSyncBaseURLKey : [NSString class],
kClientAuthCertificateFileKey : [NSString class],
kClientAuthCertificatePasswordKey : [NSString class],
kClientAuthCertificateCNKey : [NSString class],
kClientAuthCertificateIssuerKey : [NSString class],
kServerAuthRootsDataKey : [NSData class],
kServerAuthRootsFileKey : [NSString class],
kMachineOwnerKey : [NSString class],
kMachineIDKey : [NSString class],
kMachineOwnerPlistFileKey : [NSString class],
kMachineOwnerPlistKeyKey : [NSString class],
kMachineIDPlistFileKey : [NSString class],
kMachineIDPlistKeyKey : [NSString class],
};
_defaults = [NSUserDefaults standardUserDefaults];
[_defaults addSuiteNamed:@"com.google.santa"];
_configState = [self readForcedConfig];
_syncState = [self readSyncStateFromDisk] ?: [NSMutableDictionary dictionary];
[self startWatchingDefaults];
}
return self;
}
@@ -83,314 +133,413 @@ static NSString *const kMachineIDPlistKeyKey = @"MachineIDKey";
#pragma mark Singleton retriever
+ (instancetype)configurator {
static SNTConfigurator *sharedConfigurator = nil;
static SNTConfigurator *sharedConfigurator;
static dispatch_once_t onceToken;
dispatch_once(&onceToken, ^{
sharedConfigurator = [[SNTConfigurator alloc] initWithFilePath:kDefaultConfigFilePath];
sharedConfigurator = [[SNTConfigurator alloc] init];
});
return sharedConfigurator;
}
#pragma mark Protected Keys
#pragma mark KVO Dependencies
- (NSArray *)protectedKeys {
return @[ kClientModeKey, kWhitelistRegexKey, kBlacklistRegexKey,
kFileChangesRegexKey, kSyncBaseURLKey ];
+ (NSSet *)keyPathsForValuesAffectingClientMode {
return [NSSet setWithObjects:@"syncState", @"configState", nil];
}
+ (NSSet *)keyPathsForValuesAffectingWhitelistPathRegex {
return [NSSet setWithObjects:@"syncState", @"configState", nil];
}
+ (NSSet *)keyPathsForValuesAffectingBlacklistPathRegex {
return [NSSet setWithObjects:@"syncState", @"configState", nil];
}
+ (NSSet *)keyPathsForValuesAffectingFileChangesRegex {
return [NSSet setWithObject:@"configState"];
}
+ (NSSet *)keyPathsForValuesAffectingSyncBaseURL {
return [NSSet setWithObject:@"configState"];
}
+ (NSSet *)keyPathsForValuesAffectingEnablePageZeroProtection {
return [NSSet setWithObject:@"configState"];
}
+ (NSSet *)keyPathsForValuesAffectingMoreInfoURL {
return [NSSet setWithObject:@"configState"];
}
+ (NSSet *)keyPathsForValuesAffectingEventDetailURL {
return [NSSet setWithObject:@"configState"];
}
+ (NSSet *)keyPathsForValuesAffectingEventDetailText {
return [NSSet setWithObject:@"configState"];
}
+ (NSSet *)keyPathsForValuesAffectingUnknownBlockMessage {
return [NSSet setWithObject:@"configState"];
}
+ (NSSet *)keyPathsForValuesAffectingBannedBlockMessage {
return [NSSet setWithObject:@"configState"];
}
+ (NSSet *)keyPathsForValuesAffectingModeNotificationMonitor {
return [NSSet setWithObject:@"configState"];
}
+ (NSSet *)keyPathsForValuesAffectingModeNotificationLockdown {
return [NSSet setWithObject:@"configState"];
}
+ (NSSet *)keyPathsForValuesAffectingSyncClientAuthCertificateFile {
return [NSSet setWithObject:@"configState"];
}
+ (NSSet *)keyPathsForValuesAffectingSyncClientAuthCertificatePassword {
return [NSSet setWithObject:@"configState"];
}
+ (NSSet *)keyPathsForValuesAffectingSyncClientAuthCertificateCn {
return [NSSet setWithObject:@"configState"];
}
+ (NSSet *)keyPathsForValuesAffectingSyncClientAuthCertificateIssuer {
return [NSSet setWithObject:@"configState"];
}
+ (NSSet *)keyPathsForValuesAffectingSyncServerAuthRootsData {
return [NSSet setWithObject:@"configState"];
}
+ (NSSet *)keyPathsForValuesAffectingSyncServerAuthRootsFile {
return [NSSet setWithObject:@"configState"];
}
+ (NSSet *)keyPathsForValuesAffectingFullSyncLastSuccess {
return [NSSet setWithObject:@"configState"];
}
+ (NSSet *)keyPathsForValuesAffectingMachineOwner {
return [NSSet setWithObject:@"configState"];
}
+ (NSSet *)keyPathsForValuesAffectingMachineID {
return [NSSet setWithObject:@"configState"];
}
#pragma mark Public Interface
- (SNTClientMode)clientMode {
NSInteger cm = SNTClientModeUnknown;
id mode = self.configData[kClientModeKey];
if ([mode respondsToSelector:@selector(longLongValue)]) {
cm = (NSInteger)[mode longLongValue];
}
SNTClientMode cm = [self.syncState[kClientModeKey] longLongValue];
if (cm == SNTClientModeMonitor || cm == SNTClientModeLockdown) {
return (SNTClientMode)cm;
} else {
LOGE(@"Client mode was set to bad value: %ld. Resetting to MONITOR.", cm);
self.clientMode = SNTClientModeMonitor;
return SNTClientModeMonitor;
return cm;
}
cm = [self.configState[kClientModeKey] longLongValue];
if (cm == SNTClientModeMonitor || cm == SNTClientModeLockdown) {
return cm;
}
return SNTClientModeMonitor;
}
- (void)setClientMode:(SNTClientMode)newMode {
- (void)setSyncServerClientMode:(SNTClientMode)newMode {
if (newMode == SNTClientModeMonitor || newMode == SNTClientModeLockdown) {
self.configData[kClientModeKey] = @(newMode);
[self saveConfigToDisk];
[self updateSyncStateForKey:kClientModeKey value:@(newMode)];
} else {
LOGW(@"Ignoring request to change client mode to %ld", newMode);
}
}
- (NSRegularExpression *)whitelistPathRegex {
if (!self.cachedWhitelistDirRegex && self.configData[kWhitelistRegexKey]) {
NSString *re = self.configData[kWhitelistRegexKey];
if (![re hasPrefix:@"^"]) re = [@"^" stringByAppendingString:re];
self.cachedWhitelistDirRegex = [NSRegularExpression regularExpressionWithPattern:re
options:0
error:NULL];
}
return self.cachedWhitelistDirRegex;
return self.syncState[kWhitelistRegexKey] ?: self.configState[kWhitelistRegexKey];
}
- (void)setWhitelistPathRegex:(NSRegularExpression *)re {
if (!re) {
[self.configData removeObjectForKey:kWhitelistRegexKey];
} else {
self.configData[kWhitelistRegexKey] = [re pattern];
}
self.cachedWhitelistDirRegex = nil;
[self saveConfigToDisk];
- (void)setSyncServerWhitelistPathRegex:(NSRegularExpression *)re {
[self updateSyncStateForKey:kWhitelistRegexKey value:re];
}
- (NSRegularExpression *)blacklistPathRegex {
if (!self.cachedBlacklistDirRegex && self.configData[kBlacklistRegexKey]) {
NSString *re = self.configData[kBlacklistRegexKey];
if (![re hasPrefix:@"^"]) re = [@"^" stringByAppendingString:re];
self.cachedBlacklistDirRegex = [NSRegularExpression regularExpressionWithPattern:re
options:0
error:NULL];
}
return self.cachedBlacklistDirRegex;
return self.syncState[kBlacklistRegexKey] ?: self.configState[kBlacklistRegexKey];
}
- (void)setBlacklistPathRegex:(NSRegularExpression *)re {
if (!re) {
[self.configData removeObjectForKey:kBlacklistRegexKey];
} else {
self.configData[kBlacklistRegexKey] = [re pattern];
}
self.cachedBlacklistDirRegex = nil;
[self saveConfigToDisk];
- (void)setSyncServerBlacklistPathRegex:(NSRegularExpression *)re {
[self updateSyncStateForKey:kBlacklistRegexKey value:re];
}
- (NSRegularExpression *)fileChangesRegex {
if (!self.cachedFileChangesRegex && self.configData[kFileChangesRegexKey]) {
NSString *re = self.configData[kFileChangesRegexKey];
if (![re hasPrefix:@"^"]) re = [@"^" stringByAppendingString:re];
self.cachedFileChangesRegex = [NSRegularExpression regularExpressionWithPattern:re
options:0
error:NULL];
}
return self.cachedFileChangesRegex;
}
- (void)setFileChangesRegex:(NSRegularExpression *)re {
if (!re) {
[self.configData removeObjectForKey:kFileChangesRegexKey];
} else {
self.configData[kFileChangesRegexKey] = [re pattern];
}
self.cachedFileChangesRegex = nil;
[self saveConfigToDisk];
}
- (BOOL)enablePageZeroProtection {
NSNumber *keyValue = self.configData[kEnablePageZeroProtectionKey];
return keyValue ? [keyValue boolValue] : YES;
}
- (NSURL *)moreInfoURL {
return [NSURL URLWithString:self.configData[kMoreInfoURLKey]];
}
- (NSString *)eventDetailURL {
return self.configData[kEventDetailURLKey];
}
- (NSString *)eventDetailBundleURL {
return self.configData[kEventDetailBundleURLKey];
}
- (NSString *)eventDetailText {
return self.configData[kEventDetailTextKey];
}
- (NSString *)unknownBlockMessage {
return self.configData[kUnknownBlockMessage];
}
- (NSString *)bannedBlockMessage {
return self.configData[kBannedBlockMessage];
}
- (NSString *)modeNotificationMonitor {
return self.configData[kModeNotificationMonitor];
}
- (NSString *)modeNotificationLockdown {
return self.configData[kModeNotificationLockdown];
return self.configState[kFileChangesRegexKey];
}
- (NSURL *)syncBaseURL {
NSString *urlStr = self.configData[kSyncBaseURLKey];
if (urlStr) {
NSURL *url = [NSURL URLWithString:urlStr];
if (!url) LOGW(@"SyncBaseURL is not a valid URL!");
return url;
}
return nil;
NSString *urlString = self.configState[kSyncBaseURLKey];
NSURL *url = [NSURL URLWithString:urlString];
if (urlString && !url) LOGW(@"SyncBaseURL is not a valid URL!");
return url;
}
- (BOOL)enablePageZeroProtection {
NSNumber *number = self.configState[kEnablePageZeroProtectionKey];
return number ? [number boolValue] : YES;
}
- (NSURL *)moreInfoURL {
return [NSURL URLWithString:self.configState[kMoreInfoURLKey]];
}
- (NSString *)eventDetailURL {
return self.configState[kEventDetailURLKey];
}
- (NSString *)eventDetailText {
return self.configState[kEventDetailTextKey];
}
- (NSString *)unknownBlockMessage {
return self.configState[kUnknownBlockMessage];
}
- (NSString *)bannedBlockMessage {
return self.configState[kBannedBlockMessage];
}
- (NSString *)modeNotificationMonitor {
return self.configState[kModeNotificationMonitor];
}
- (NSString *)modeNotificationLockdown {
return self.configState[kModeNotificationLockdown];
}
- (NSString *)syncClientAuthCertificateFile {
return self.configData[kClientAuthCertificateFileKey];
return self.configState[kClientAuthCertificateFileKey];
}
- (NSString *)syncClientAuthCertificatePassword {
return self.configData[kClientAuthCertificatePasswordKey];
return self.configState[kClientAuthCertificatePasswordKey];
}
- (NSString *)syncClientAuthCertificateCn {
return self.configData[kClientAuthCertificateCNKey];
return self.configState[kClientAuthCertificateCNKey];
}
- (NSString *)syncClientAuthCertificateIssuer {
return self.configData[kClientAuthCertificateIssuerKey];
return self.configState[kClientAuthCertificateIssuerKey];
}
- (NSData *)syncServerAuthRootsData {
return self.configData[kServerAuthRootsDataKey];
return self.configState[kServerAuthRootsDataKey];
}
- (NSString *)syncServerAuthRootsFile {
return self.configData[kServerAuthRootsFileKey];
return self.configState[kServerAuthRootsFileKey];
}
- (NSDate *)fullSyncLastSuccess {
return self.configData[kFullSyncLastSuccess];
return self.syncState[kFullSyncLastSuccess];
}
- (void)setFullSyncLastSuccess:(NSDate *)fullSyncLastSuccess {
self.configData[kFullSyncLastSuccess] = fullSyncLastSuccess;
[self saveConfigToDisk];
self.syncState[kFullSyncLastSuccess] = fullSyncLastSuccess;
self.ruleSyncLastSuccess = fullSyncLastSuccess;
}
- (NSDate *)ruleSyncLastSuccess {
return self.configData[kRuleSyncLastSuccess];
return self.syncState[kRuleSyncLastSuccess];
}
- (void)setRuleSyncLastSuccess:(NSDate *)ruleSyncLastSuccess {
self.configData[kRuleSyncLastSuccess] = ruleSyncLastSuccess;
[self saveConfigToDisk];
self.syncState[kRuleSyncLastSuccess] = ruleSyncLastSuccess;
[self saveSyncStateToDisk];
}
- (BOOL)syncCleanRequired {
return [self.configData[kSyncCleanRequired] boolValue];
return [self.syncState[kSyncCleanRequired] boolValue];
}
- (void)setSyncCleanRequired:(BOOL)syncCleanRequired {
self.configData[kSyncCleanRequired] = @(syncCleanRequired);
[self saveConfigToDisk];
self.syncState[kSyncCleanRequired] = @(syncCleanRequired);
[self saveSyncStateToDisk];
}
- (NSString *)machineOwner {
NSString *machineOwner;
NSString *machineOwner = self.configState[kMachineOwnerKey];
if (machineOwner) return machineOwner;
if (self.configData[kMachineOwnerPlistFileKey] && self.configData[kMachineOwnerPlistKeyKey]) {
NSDictionary *plist =
[NSDictionary dictionaryWithContentsOfFile:self.configData[kMachineOwnerPlistFileKey]];
machineOwner = plist[self.configData[kMachineOwnerPlistKeyKey]];
NSString *plistPath = self.configState[kMachineOwnerPlistFileKey];
NSString *plistKey = self.configState[kMachineOwnerPlistKeyKey];
if (plistPath && plistKey) {
NSDictionary *plist = [NSDictionary dictionaryWithContentsOfFile:plistPath];
machineOwner = [plist[plistKey] isKindOfClass:[NSString class]] ? plist[plistKey] : nil;
}
if (self.configData[kMachineOwnerKey]) {
machineOwner = self.configData[kMachineOwnerKey];
}
if (!machineOwner) machineOwner = @"";
return machineOwner;
return machineOwner ?: @"";
}
- (NSString *)machineID {
NSString *machineId;
NSString *machineId = self.configState[kMachineIDKey];
if (machineId) return machineId;
if (self.configData[kMachineIDPlistFileKey] && self.configData[kMachineIDPlistKeyKey]) {
NSDictionary *plist =
[NSDictionary dictionaryWithContentsOfFile:self.configData[kMachineIDPlistFileKey]];
machineId = plist[self.configData[kMachineIDPlistKeyKey]];
NSString *plistPath = self.configState[kMachineIDPlistFileKey];
NSString *plistKey = self.configState[kMachineIDPlistKeyKey];
if (plistPath && plistKey) {
NSDictionary *plist = [NSDictionary dictionaryWithContentsOfFile:plistPath];
machineId = [plist[plistKey] isKindOfClass:[NSString class]] ? plist[plistKey] : nil;
}
if (self.configData[kMachineIDKey]) {
machineId = self.configData[kMachineIDKey];
}
if ([machineId length] == 0) {
machineId = [SNTSystemInfo hardwareUUID];
}
return machineId;
}
- (void)reloadConfigData {
NSFileManager *fm = [NSFileManager defaultManager];
if (![fm fileExistsAtPath:self.configFilePath]) {
// As soon as saveConfigToDisk is called, reloadConfigData will be called again because
// of the SNTFileWatchers on the config path. No need to use dictionaryWithCapacity: here.
self.configData = [NSMutableDictionary dictionary];
self.configData[kClientModeKey] = @(SNTClientModeMonitor);
[self saveConfigToDisk];
return;
};
NSError *error;
NSData *readData = [NSData dataWithContentsOfFile:self.configFilePath
options:NSDataReadingMappedIfSafe
error:&error];
if (error) {
LOGE(@"Could not read configuration file: %@, replacing.", [error localizedDescription]);
[self saveConfigToDisk];
return;
}
NSMutableDictionary *configData =
[NSPropertyListSerialization propertyListWithData:readData
options:NSPropertyListMutableContainers
format:NULL
error:&error];
if (error) {
LOGE(@"Could not parse configuration file: %@, replacing.", [error localizedDescription]);
[self saveConfigToDisk];
return;
}
if (self.syncBaseURL) {
// Ensure no-one is trying to change protected keys behind our back.
BOOL changed = NO;
if (geteuid() == 0) {
for (NSString *key in self.protectedKeys) {
if (((self.configData[key] && !configData[key]) ||
(!self.configData[key] && configData[key]) ||
(self.configData[key] && ![self.configData[key] isEqual:configData[key]]))) {
if (self.configData[key]) {
configData[key] = self.configData[key];
} else {
[configData removeObjectForKey:key];
}
changed = YES;
LOGI(@"Ignoring changed configuration key: %@", key);
}
}
}
self.configData = configData;
if (changed) [self saveConfigToDisk];
} else {
self.configData = configData;
}
return machineId.length ? machineId : [SNTSystemInfo hardwareUUID];
}
#pragma mark Private
///
/// Saves the current @c self.configData to disk.
/// Update the syncState. Triggers a KVO event for all dependents.
///
- (void)saveConfigToDisk {
- (BOOL)updateSyncStateForKey:(NSString *)key value:(id)value {
NSMutableDictionary *syncState = self.syncState.mutableCopy;
syncState[key] = value;
self.syncState = syncState;
[self saveSyncStateToDisk];
return YES;
}
///
/// Read the saved syncState.
///
- (NSMutableDictionary *)readSyncStateFromDisk {
// Only read the sync state if a sync server is configured.
if (!self.syncBaseURL) return nil;
// Only santad should read this file.
if (geteuid() != 0) return nil;
NSMutableDictionary *syncState =
[NSMutableDictionary dictionaryWithContentsOfFile:kSyncStateFilePath];
for (NSString *key in syncState.allKeys) {
if (self.syncServerKeyTypes[key] == [NSRegularExpression class]) {
NSString *pattern = [syncState[key] isKindOfClass:[NSString class]] ? syncState[key] : nil;
syncState[key] = [self expressionForPattern:pattern];
} else if (![syncState[key] isKindOfClass:self.syncServerKeyTypes[key]]) {
syncState[key] = nil;
continue;
}
}
static dispatch_once_t onceToken;
dispatch_once(&onceToken, ^{
WEAKIFY(self);
self.syncStateWatcher = [[SNTFileWatcher alloc] initWithFilePath:kSyncStateFilePath
handler:^(unsigned long data) {
STRONGIFY(self);
[self syncStateFileChanged:data];
}];
});
return syncState;
}
///
/// Saves the current effective syncState to disk.
///
- (void)saveSyncStateToDisk {
// Only save the sync state if a sync server is configured.
if (!self.syncBaseURL) return;
// Only santad should write to this file.
if (geteuid() != 0) return;
[self.configData writeToFile:self.configFilePath atomically:YES];
// Either remove
NSMutableDictionary *syncState = self.syncState.mutableCopy;
syncState[kWhitelistRegexKey] = [syncState[kWhitelistRegexKey] pattern];
syncState[kBlacklistRegexKey] = [syncState[kBlacklistRegexKey] pattern];
[syncState writeToFile:kSyncStateFilePath atomically:YES];
[[NSFileManager defaultManager] setAttributes:@{ NSFilePosixPermissions : @0644 }
ofItemAtPath:kSyncStateFilePath error:NULL];
}
///
/// Ensure permissions are 0644.
/// Revert any out-of-band changes.
///
- (void)syncStateFileChanged:(unsigned long)data {
if (data & DISPATCH_VNODE_ATTRIB) {
const char *cPath = [kSyncStateFilePath fileSystemRepresentation];
struct stat fileStat;
stat(cPath, &fileStat);
int mask = S_IRWXU | S_IRWXG | S_IRWXO;
int desired = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH;
if (fileStat.st_uid != 0 || fileStat.st_gid != 0 || (fileStat.st_mode & mask) != desired) {
LOGI(@"Sync state file permissions changed, fixing.");
chown(cPath, 0, 0);
chmod(cPath, desired);
}
} else {
NSDictionary *newSyncState = [self readSyncStateFromDisk];
for (NSString *key in self.syncState) {
if (((self.syncState[key] && !newSyncState[key]) ||
(!self.syncState[key] && newSyncState[key]) ||
(self.syncState[key] && ![self.syncState[key] isEqualTo:newSyncState[key]]))) {
// Ignore sync url and dates
if ([key isEqualToString:kRuleSyncLastSuccess] ||
[key isEqualToString:kFullSyncLastSuccess]) continue;
LOGE(@"Sync state file changed, replacing");
[self saveSyncStateToDisk];
return;
}
}
}
}
- (void)clearSyncState {
self.syncState = [NSMutableDictionary dictionary];
}
#pragma mark Private Defaults Methods
- (NSRegularExpression *)expressionForPattern:(NSString *)pattern {
if (!pattern) return nil;
if (![pattern hasPrefix:@"^"]) pattern = [@"^" stringByAppendingString:pattern];
return [NSRegularExpression regularExpressionWithPattern:pattern options:0 error:NULL];
}
- (NSMutableDictionary *)readForcedConfig {
NSMutableDictionary *forcedConfig = [NSMutableDictionary dictionary];
for (NSString *key in self.forcedConfigKeyTypes) {
id obj = [self forcedConfigValueForKey:key];
forcedConfig[key] = [obj isKindOfClass:self.forcedConfigKeyTypes[key]] ? obj : nil;
// Create the regex objects now
if (self.forcedConfigKeyTypes[key] == [NSRegularExpression class]) {
NSString *pattern = [obj isKindOfClass:[NSString class]] ? obj : nil;
forcedConfig[key] = [self expressionForPattern:pattern];
}
}
return forcedConfig;
}
- (id)forcedConfigValueForKey:(NSString *)key {
id obj = [self.defaults objectForKey:key];
return [self.defaults objectIsForcedForKey:key inDomain:kMobileConfigDomain] ? obj : nil;
}
- (void)startWatchingDefaults {
// Only santad should listen.
if (geteuid() != 0) return;
[[NSNotificationCenter defaultCenter] addObserver:self
selector:@selector(defaultsChanged:)
name:NSUserDefaultsDidChangeNotification
object:nil];
}
- (void)defaultsChanged:(void *)v {
SEL handleChange = @selector(handleChange);
[NSObject cancelPreviousPerformRequestsWithTarget:self selector:handleChange object:nil];
[self performSelector:handleChange withObject:nil afterDelay:5.0f];
}
///
/// Update the configState. Triggers a KVO event for all dependents.
///
- (void)handleChange {
self.configState = [self readForcedConfig];
}
@end

14
Source/common/SNTFileInfo.h
View File

@@ -14,6 +14,8 @@
@import Foundation;
@class MOLCodesignChecker;
///
/// Represents a binary on disk, providing access to details about that binary
/// such as the SHA-1, SHA-256, Info.plist and the Mach-O data.
@@ -123,6 +125,11 @@
///
- (BOOL)isDMG;
///
/// @return NSString describing the kind of file (executable, bundle, script, etc.)
///
- (NSString *)humanReadableFileType;
///
/// @return YES if this file has a bad/missing __PAGEZERO .
///
@@ -205,4 +212,11 @@
///
- (NSUInteger)fileSize;
///
/// @return Returns an instance of MOLCodeSignChecker initialized with the file's binary path.
/// Both the MOLCodesignChecker and any resulting NSError are cached and returned on subsequent
/// calls. You may pass in NULL for the error if you don't care to receive it.
///
- (MOLCodesignChecker *)codesignCheckerWithError:(NSError **)error;
@end

32
Source/common/SNTFileInfo.m
View File

@@ -15,6 +15,7 @@
#import "SNTFileInfo.h"
#import <CommonCrypto/CommonDigest.h>
#import <MOLCodesignChecker/MOLCodesignChecker.h>
#include <mach-o/loader.h>
#include <mach-o/swap.h>
@@ -53,6 +54,8 @@
@property NSDictionary *infoDict;
@property NSDictionary *quarantineDict;
@property NSDictionary *cachedHeaders;
@property MOLCodesignChecker *cachedCodesignChecker;
@property(nonatomic) NSError *codesignCheckerError;
@end
@implementation SNTFileInfo
@@ -262,11 +265,23 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
}
- (BOOL)isDMG {
if (self.fileSize < 512) return NO;
NSUInteger last512 = self.fileSize - 512;
const char *magic = (const char *)[[self safeSubdataWithRange:NSMakeRange(last512, 4)] bytes];
return (magic && memcmp("koly", magic, 4) == 0);
}
- (NSString *)humanReadableFileType {
if ([self isExecutable]) return @"Executable";
if ([self isDylib]) return @"Dynamic Library";
if ([self isBundle]) return @"Bundle/Plugin";
if ([self isKext]) return @"Kernel Extension";
if ([self isScript]) return @"Script";
if ([self isXARArchive]) return @"XAR Archive";
if ([self isDMG]) return @"Disk Image";
return @"Unknown";
}
#pragma mark Page Zero
- (BOOL)isMissingPageZero {
@@ -555,8 +570,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
NSData *d = [self.fileHandle readDataOfLength:range.length];
if (d.length != range.length) return nil;
return d;
}
@catch (NSException *e) {
} @catch (NSException *e) {
return nil;
}
}
@@ -680,4 +694,18 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
}
}
///
/// Cache and return a MOLCodeSignChecker for the given file. If there was an error creating the
/// code sign checker it will be returned in the passed-in error parameter.
///
- (MOLCodesignChecker *)codesignCheckerWithError:(NSError **)error {
if (!self.cachedCodesignChecker && !self.codesignCheckerError) {
NSError *e;
self.cachedCodesignChecker = [[MOLCodesignChecker alloc] initWithBinaryPath:self.path error:&e];
self.codesignCheckerError = e;
}
if (error) *error = self.codesignCheckerError;
return self.cachedCodesignChecker;
}
@end

5
Source/common/SNTKernelCommon.h
View File

@@ -37,6 +37,7 @@ enum SantaDriverMethods {
kSantaUserClientOpen,
kSantaUserClientAllowBinary,
kSantaUserClientDenyBinary,
kSantaUserClientAcknowledgeBinary,
kSantaUserClientClearCache,
kSantaUserClientCacheCount,
kSantaUserClientCheckCache,
@@ -63,7 +64,9 @@ typedef enum {
// RESPONSES
ACTION_RESPOND_ALLOW = 20,
ACTION_RESPOND_DENY = 21,
ACTION_RESPOND_TOOLONG = 22,
ACTION_RESPOND_ACK = 23,
// NOTIFY
ACTION_NOTIFY_EXEC = 30,
ACTION_NOTIFY_WRITE = 31,

10
Source/common/SNTLogging.h
View File

@@ -24,13 +24,13 @@
#include <IOKit/IOLib.h>
#ifdef DEBUG
#define LOGD(...) IOLog("D santa-driver: " __VA_ARGS__); IOLog("\n")
#define LOGD(format, ...) IOLog("D santa-driver: " format "\n", ##__VA_ARGS__);
#else // DEBUG
#define LOGD(...)
#define LOGD(format, ...)
#endif // DEBUG
#define LOGI(...) IOLog("I santa-driver: " __VA_ARGS__); IOLog("\n")
#define LOGW(...) IOLog("W santa-driver: " __VA_ARGS__); IOLog("\n")
#define LOGE(...) IOLog("E santa-driver: " __VA_ARGS__); IOLog("\n")
#define LOGI(format, ...) IOLog("I santa-driver: " format "\n", ##__VA_ARGS__);
#define LOGW(format, ...) IOLog("W santa-driver: " format "\n", ##__VA_ARGS__);
#define LOGE(format, ...) IOLog("E santa-driver: " format "\n", ##__VA_ARGS__);
#else // KERNEL

6
Source/common/SNTXPCConnection.m
View File

@@ -139,6 +139,12 @@
if (self.acceptedHandler) self.acceptedHandler();
}];
if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 2 * NSEC_PER_SEC))) {
// This is unusual - as we're not inside a block - but necessary in case the caller sets an
// invalidation handler that causes this instance to be released (which is a reasonable
// approach). If establishing a connection fails, the invalidation handler will be called
// and then shortly after this bit of code will run causing a crash.
STRONGIFY(self);
// Connection was not established in a reasonable time, invalidate.
self.currentConnection.remoteObjectInterface = nil; // ensure clients don't try to use it.
[self.currentConnection invalidate];

7
Source/common/SNTXPCControlInterface.h
View File

@@ -33,7 +33,7 @@
///
/// Kernel ops
///
- (void)cacheCount:(void (^)(int64_t))reply;
- (void)cacheCounts:(void (^)(uint64_t rootCache, uint64_t nonRootCache))reply;
- (void)flushCache:(void (^)(BOOL))reply;
- (void)checkCacheForVnodeID:(uint64_t)vnodeID withReply:(void (^)(santa_action_t))reply;
@@ -75,8 +75,11 @@
- (void)setClientMode:(SNTClientMode)mode reply:(void (^)())reply;
- (void)xsrfToken:(void (^)(NSString *))reply;
- (void)setXsrfToken:(NSString *)token reply:(void (^)())reply;
- (void)setSyncLastSuccess:(NSDate *)date reply:(void (^)())reply;
- (void)fullSyncLastSuccess:(void (^)(NSDate *))reply;
- (void)setFullSyncLastSuccess:(NSDate *)date reply:(void (^)())reply;
- (void)ruleSyncLastSuccess:(void (^)(NSDate *))reply;
- (void)setRuleSyncLastSuccess:(NSDate *)date reply:(void (^)())reply;
- (void)syncCleanRequired:(void (^)(BOOL))reply;
- (void)setSyncCleanRequired:(BOOL)cleanReqd reply:(void (^)())reply;
- (void)setWhitelistPathRegex:(NSString *)pattern reply:(void (^)())reply;
- (void)setBlacklistPathRegex:(NSString *)pattern reply:(void (^)())reply;

6
Source/common/SNTXPCSyncdInterface.h
View File

@@ -20,9 +20,9 @@
/// Protocol implemented by santactl and utilized by santad
@protocol SNTSyncdXPC
- (void)postEventToSyncServer:(SNTStoredEvent *)event;
- (void)postBundleEventToSyncServer:(SNTStoredEvent *)event reply:(void (^)(BOOL))reply;
- (void)postBundleEventsToSyncServer:(NSArray<SNTStoredEvent *> *)events;
- (void)postEventsToSyncServer:(NSArray<SNTStoredEvent *> *)events isFromBundle:(BOOL)isFromBundle;
- (void)postBundleEventToSyncServer:(SNTStoredEvent *)event
reply:(void (^)(SNTBundleEventAction))reply;
- (void)isFCMListening:(void (^)(BOOL))reply;
@end

2
Source/common/SNTXPCSyncdInterface.m
View File

@@ -22,7 +22,7 @@
NSXPCInterface *r = [NSXPCInterface interfaceWithProtocol:@protocol(SNTSyncdXPC)];
[r setClasses:[NSSet setWithObjects:[NSArray class], [SNTStoredEvent class], nil]
forSelector:@selector(postBundleEventsToSyncServer:)
forSelector:@selector(postEventsToSyncServer:isFromBundle:)
argumentIndex:0
ofReply:NO];

52
Source/santa-driver/SantaCache.h
View File

@@ -101,12 +101,19 @@ template<class T> class SantaCache {
/**
Set an element in the cache.
@note If the cache is full when this is called, this will empty the cache before
inserting the new value.
@note If the cache is full when this is called, this will
empty the cache before inserting the new value.
@return if an existing value was replaced, the previous value, otherwise zero_
@param key, The key
@param value, The value with parameterized type
@param previous_value, If the has_prev_value parameter is true the new
value will only be set if this parameter is equal to the provided value.
This allows set to become a CAS operation.
@param has_prev_value, Pass true if previous_value should be used.
@return the previous value (which may be zero_)
*/
T set(uint64_t key, T value) {
T set(uint64_t key, T value, T previous_value, bool has_prev_value) {
struct bucket *bucket = &buckets_[hash(key)];
lock(bucket);
struct entry *entry = (struct entry *)((uintptr_t)bucket->head - 1);
@@ -114,6 +121,12 @@ template<class T> class SantaCache {
while (entry != nullptr) {
if (entry->key == key) {
T existing_value = entry->value;
if (has_prev_value && previous_value != existing_value) {
unlock(bucket);
return existing_value;
}
entry->value = value;
if (value == zero_) {
@@ -134,13 +147,15 @@ template<class T> class SantaCache {
}
// If value is zero_, we're clearing but there's nothing to clear
// so we don't need to do anything else.
if (value == zero_) {
// so we don't need to do anything else. Alternatively, if has_prev_value
// is true and is not zero_ we don't want to set a value.
if (value == zero_ || (has_prev_value && previous_value != zero_)) {
unlock(bucket);
return zero_;
}
// Check that adding this new item won't take the cache over its maximum size.
// Check that adding this new item won't take the cache
// over its maximum size.
if (count_ + 1 > max_size_) {
unlock(bucket);
lock(&clear_bucket_);
@@ -152,9 +167,10 @@ template<class T> class SantaCache {
unlock(&clear_bucket_);
}
// Allocate a new entry, set the key and value, then set the next pointer as the current
// first entry in the bucket then make this new entry the first in the bucket.
struct entry *new_entry = (struct entry *)IOMallocAligned(sizeof(struct entry), 2);
// Allocate a new entry, set the key and value, then put this new entry at
// the head of this bucket's linked list.
struct entry *new_entry = (struct entry *)IOMallocAligned(
sizeof(struct entry), 2);
new_entry->key = key;
new_entry->value = value;
new_entry->next = (struct entry *)((uintptr_t)bucket->head - 1);
@@ -165,6 +181,20 @@ template<class T> class SantaCache {
return zero_;
}
/**
Overload to allow setting without providing a previous value
*/
T set(uint64_t key, T value) {
return set(key, value, {}, false);
}
/**
Overload to allow setting while providing a previous value
*/
T set(uint64_t key, T value, T previous_value) {
return set(key, value, previous_value, true);
}
/**
An alias for `set(key, zero_)`
*/
@@ -247,7 +277,7 @@ template<class T> class SantaCache {
/**
Holder for a 'zero' entry for the current type
*/
const T zero_ = T();
const T zero_ = {};
/**
Special bucket used when automatically clearing due to size

107
Source/santa-driver/SantaDecisionManager.cc
View File

@@ -29,7 +29,8 @@ bool SantaDecisionManager::init() {
decision_dataqueue_lock_ = lck_mtx_alloc_init(sdm_lock_grp_, sdm_lock_attr_);
log_dataqueue_lock_ = lck_mtx_alloc_init(sdm_lock_grp_, sdm_lock_attr_);
decision_cache_ = new SantaCache<uint64_t>(10000, 2);
root_decision_cache_ = new SantaCache<uint64_t>(5000, 2);
non_root_decision_cache_ = new SantaCache<uint64_t>(500, 2);
vnode_pid_map_ = new SantaCache<uint64_t>(2000, 5);
decision_dataqueue_ = IOSharedDataQueue::withEntries(
@@ -41,6 +42,7 @@ bool SantaDecisionManager::init() {
if (!log_dataqueue_) return kIOReturnNoMemory;
client_pid_ = 0;
root_fsid_ = 0;
ts_ = { .tv_sec = kRequestLoopSleepMilliseconds / 1000,
.tv_nsec = kRequestLoopSleepMilliseconds % 1000 * 1000000 };
@@ -49,7 +51,8 @@ bool SantaDecisionManager::init() {
}
void SantaDecisionManager::free() {
delete decision_cache_;
delete root_decision_cache_;
delete non_root_decision_cache_;
delete vnode_pid_map_;
if (decision_dataqueue_lock_) {
@@ -90,6 +93,17 @@ void SantaDecisionManager::ConnectClient(pid_t pid) {
client_pid_ = pid;
// Determine root fsid
vfs_context_t ctx = vfs_context_create(NULL);
if (ctx) {
vnode_t root = vfs_rootvnode();
if (root) {
root_fsid_ = GetVnodeIDForVnode(ctx, root) >> 32;
vnode_put(root);
}
vfs_context_rele(ctx);
}
// Any decisions made while the daemon wasn't
// connected should be cleared
ClearCache();
@@ -165,7 +179,8 @@ kern_return_t SantaDecisionManager::StartListener() {
if (!vnode_listener_) return kIOReturnInternalError;
fileop_listener_ = kauth_listen_scope(
KAUTH_SCOPE_FILEOP, fileop_scope_callback, reinterpret_cast<void *>(this));
KAUTH_SCOPE_FILEOP, fileop_scope_callback,
reinterpret_cast<void *>(this));
if (!fileop_listener_) return kIOReturnInternalError;
LOGD("Listeners started.");
@@ -195,33 +210,63 @@ kern_return_t SantaDecisionManager::StopListener() {
#pragma mark Cache Management
/**
Return the correct cache for a given identifier.
@param identifier The identifier
@return SantaCache* The cache to use
*/
SantaCache<uint64_t>* SantaDecisionManager::CacheForIdentifier(
const uint64_t identifier) {
return (identifier >> 32 == root_fsid_) ?
root_decision_cache_ : non_root_decision_cache_;
}
void SantaDecisionManager::AddToCache(
uint64_t identifier, santa_action_t decision, uint64_t microsecs) {
// Decision is stored in upper 8 bits, timestamp in remaining 56.
uint64_t val = ((uint64_t)decision << 56) | (microsecs & 0xFFFFFFFFFFFFFF);
// If a previous entry was not found and the new entry is not `REQUEST_BINARY`, remove the
// existing entry. This is to prevent adding an ALLOW to the cache after a write has occurred.
if (decision_cache_->set(identifier, val) == 0 && decision != ACTION_REQUEST_BINARY) {
decision_cache_->remove(identifier);
auto decision_cache = CacheForIdentifier(identifier);
switch (decision) {
case ACTION_REQUEST_BINARY:
decision_cache->set(identifier, val, 0);
break;
case ACTION_RESPOND_ACK:
decision_cache->set(identifier, val, ((uint64_t)ACTION_REQUEST_BINARY << 56));
break;
case ACTION_RESPOND_ALLOW:
case ACTION_RESPOND_DENY:
// TODO(bur): Avoid calling set() twice, finding and locking buckets is fast, but not free.
if (decision_cache->set(identifier, val, ((uint64_t)ACTION_REQUEST_BINARY << 56))) {
decision_cache->set(identifier, val, ((uint64_t)ACTION_RESPOND_ACK << 56));
}
break;
default:
break;
}
if (unlikely(!identifier)) return;
wakeup((void *)identifier);
}
void SantaDecisionManager::RemoveFromCache(uint64_t identifier) {
decision_cache_->remove(identifier);
CacheForIdentifier(identifier)->remove(identifier);
if (unlikely(!identifier)) return;
wakeup((void *)identifier);
}
uint64_t SantaDecisionManager::CacheCount() const {
return decision_cache_->count();
uint64_t SantaDecisionManager::RootCacheCount() const {
return root_decision_cache_->count();
}
void SantaDecisionManager::ClearCache() {
decision_cache_->clear();
uint64_t SantaDecisionManager::NonRootCacheCount() const {
return non_root_decision_cache_->count();
}
void SantaDecisionManager::ClearCache(bool non_root_only) {
if (!non_root_only) root_decision_cache_->clear();
non_root_decision_cache_->clear();
}
#pragma mark Decision Fetching
@@ -230,7 +275,9 @@ santa_action_t SantaDecisionManager::GetFromCache(uint64_t identifier) {
auto result = ACTION_UNSET;
uint64_t decision_time = 0;
uint64_t cache_val = decision_cache_->get(identifier);
auto decision_cache = CacheForIdentifier(identifier);
uint64_t cache_val = decision_cache->get(identifier);
if (cache_val == 0) return result;
// Decision is stored in upper 8 bits, timestamp in remaining 56.
@@ -241,7 +288,7 @@ santa_action_t SantaDecisionManager::GetFromCache(uint64_t identifier) {
if (result == ACTION_RESPOND_DENY) {
auto expiry_time = decision_time + (kMaxDenyCacheTimeMilliseconds * 1000);
if (expiry_time < GetCurrentUptime()) {
decision_cache_->remove(identifier);
decision_cache->remove(identifier);
return ACTION_UNSET;
}
}
@@ -250,7 +297,8 @@ santa_action_t SantaDecisionManager::GetFromCache(uint64_t identifier) {
return result;
}
santa_action_t SantaDecisionManager::GetFromDaemon(santa_message_t *message, uint64_t identifier) {
santa_action_t SantaDecisionManager::GetFromDaemon(
santa_message_t *message, uint64_t identifier) {
auto return_action = ACTION_UNSET;
#ifdef DEBUG
@@ -262,20 +310,27 @@ santa_action_t SantaDecisionManager::GetFromDaemon(santa_message_t *message, uin
// Wait for the daemon to respond or die.
do {
// Add pending request to cache, to be replaced by daemon with actual response
// Add pending request to cache, to be replaced
// by daemon with actual response.
AddToCache(identifier, ACTION_REQUEST_BINARY, 0);
// Send request to daemon...
// Send request to daemon.
if (!PostToDecisionQueue(message)) {
LOGE("Failed to queue request for %s.", message->path);
RemoveFromCache(identifier);
return ACTION_ERROR;
}
// Check the cache every kRequestLoopSleepMilliseconds. Break this loop and send the request
// again if kRequestCacheChecks is reached. Don't break the loop if the daemon is working on the
// request, indicated with ACTION_RESPOND_ACK.
auto cache_check_count = 0;
do {
msleep((void *)message->vnode_id, NULL, 0, "", &ts_);
return_action = GetFromCache(identifier);
} while (return_action == ACTION_REQUEST_BINARY && ClientConnected());
} while (ClientConnected() &&
((return_action == ACTION_REQUEST_BINARY && ++cache_check_count < kRequestCacheChecks)
|| (return_action == ACTION_RESPOND_ACK)));
} while (!RESPONSE_VALID(return_action) && ClientConnected());
// If response is still not valid, the daemon exited
@@ -310,7 +365,9 @@ santa_action_t SantaDecisionManager::FetchDecision(
// If item is not in cache, break out of loop to send request to daemon.
if (RESPONSE_VALID(return_action)) {
return return_action;
} else if (return_action == ACTION_REQUEST_BINARY) {
} else if (return_action == ACTION_REQUEST_BINARY || return_action == ACTION_RESPOND_ACK) {
// This thread will now sleep for kRequestLoopSleepMilliseconds (1s) or
// until AddToCache is called, indicating a response has arrived.
msleep((void *)vnode_id, NULL, 0, "", &ts_);
} else {
break;
@@ -320,8 +377,10 @@ santa_action_t SantaDecisionManager::FetchDecision(
// Get path
char path[MAXPATHLEN];
int name_len = MAXPATHLEN;
if (vn_getpath(vp, path, &name_len) != 0) {
path[0] = '\0';
path[MAXPATHLEN - 1] = 0;
if (vn_getpath(vp, path, &name_len) == ENOSPC) {
return ACTION_RESPOND_TOOLONG;
}
auto message = NewMessage(cred);
@@ -389,6 +448,7 @@ int SantaDecisionManager::VnodeCallback(const kauth_cred_t cred,
int *errno) {
// Get ID for the vnode
auto vnode_id = GetVnodeIDForVnode(ctx, vp);
if (!vnode_id) return KAUTH_RESULT_DEFER;
// Fetch decision
auto returnedAction = FetchDecision(cred, vp, vnode_id);
@@ -416,6 +476,9 @@ int SantaDecisionManager::VnodeCallback(const kauth_cred_t cred,
case ACTION_RESPOND_DENY:
*errno = EPERM;
return KAUTH_RESULT_DENY;
case ACTION_RESPOND_TOOLONG:
*errno = ENAMETOOLONG;
return KAUTH_RESULT_DENY;
default:
// NOTE: Any unknown response or error condition causes us to fail open.
// Whilst from a security perspective this is bad, it's important that

62
Source/santa-driver/SantaDecisionManager.h
View File

@@ -79,8 +79,9 @@ class SantaDecisionManager : public OSObject {
kern_return_t StartListener();
/**
Stops the kauth listeners. After stopping new callback requests, waits until all
current invocations have finished before clearing the cache and returning.
Stops the kauth listeners. After stopping new callback requests, waits
until all current invocations have finished before clearing the cache and
returning.
*/
kern_return_t StopListener();
@@ -89,17 +90,24 @@ class SantaDecisionManager : public OSObject {
const santa_action_t decision,
const uint64_t microsecs = GetCurrentUptime());
/// Fetches a response from the cache, first checking to see if the entry has expired.
/**
Fetches a response from the cache, first checking to see if the entry
has expired.
*/
santa_action_t GetFromCache(uint64_t identifier);
/// Checks to see if a given identifier is in the cache and removes it.
void RemoveFromCache(uint64_t identifier);
/// Returns the number of entries in the cache.
uint64_t CacheCount() const;
uint64_t RootCacheCount() const;
uint64_t NonRootCacheCount() const;
/// Clears the cache.
void ClearCache();
/**
Clears the cache(s). If non_root_only is true, only the non-root cache
is cleared.
*/
void ClearCache(bool non_root_only = false);
/// Increments the count of active callbacks pending.
void IncrementListenerInvocations();
@@ -129,14 +137,23 @@ class SantaDecisionManager : public OSObject {
void FileOpCallback(kauth_action_t action, const vnode_t vp,
const char *path, const char *new_path);
protected:
private:
/**
While waiting for a response from the daemon, this is the maximum number of
milliseconds to sleep for before checking the cache for a response.
*/
static const uint32_t kRequestLoopSleepMilliseconds = 1000;
/// The maximum number of milliseconds a cached deny message should be considered valid.
/**
While waiting for a response from the daemon, this is the maximum number cache checks before
re-sending the request.
*/
static const uint32_t kRequestCacheChecks = 5;
/**
The maximum number of milliseconds a cached deny message should be
considered valid.
*/
static const uint64_t kMaxDenyCacheTimeMilliseconds = 500;
/// Maximum number of entries in the in-kernel cache.
@@ -145,10 +162,16 @@ class SantaDecisionManager : public OSObject {
/// Maximum number of PostToDecisionQueue failures to allow.
static const uint32_t kMaxDecisionQueueFailures = 10;
/// The maximum number of messages can be kept in the decision data queue at any time.
/**
The maximum number of messages that can be kept in the decision data queue
at any time.
*/
static const uint32_t kMaxDecisionQueueEvents = 512;
/// The maximum number of messages can be kept in the logging data queue at any time.
/**
The maximum number of messages that can be kept in the logging data queue
at any time.
*/
static const uint32_t kMaxLogQueueEvents = 2048;
/**
@@ -198,7 +221,8 @@ class SantaDecisionManager : public OSObject {
@param vp The Vnode to get the ID for
@return uint64_t The Vnode ID as a 64-bit unsigned int.
*/
static inline uint64_t GetVnodeIDForVnode(const vfs_context_t ctx, const vnode_t vp) {
static inline uint64_t GetVnodeIDForVnode(
const vfs_context_t ctx, const vnode_t vp) {
struct vnode_attr vap;
VATTR_INIT(&vap);
VATTR_WANTED(&vap, va_fsid);
@@ -243,10 +267,22 @@ class SantaDecisionManager : public OSObject {
return (uint64_t)((sec * 1000000) + usec);
}
private:
SantaCache<uint64_t> *decision_cache_;
SantaCache<uint64_t> *root_decision_cache_;
SantaCache<uint64_t> *non_root_decision_cache_;
SantaCache<uint64_t> *vnode_pid_map_;
/**
Return the correct cache for a given identifier.
@param identifier The identifier
@return SantaCache* The cache to use
*/
SantaCache<uint64_t>* CacheForIdentifier(const uint64_t identifier);
// This is the file system ID of the root filesystem,
// used to determine which cache to use for requests
uint32_t root_fsid_;
lck_grp_t *sdm_lock_grp_;
lck_grp_attr_t *sdm_lock_grp_attr_;
lck_attr_t *sdm_lock_attr_;

31
Source/santa-driver/SantaDriverClient.cc
View File

@@ -133,7 +133,8 @@ IOReturn SantaDriverClient::allow_binary(
SantaDriverClient *me = OSDynamicCast(SantaDriverClient, target);
if (!me) return kIOReturnBadArgument;
const uint64_t vnode_id = static_cast<const uint64_t>(*arguments->scalarInput);
const uint64_t vnode_id = static_cast<const uint64_t>(arguments->scalarInput[0]);
if (!vnode_id) return kIOReturnInvalid;
me->decisionManager->AddToCache(vnode_id, ACTION_RESPOND_ALLOW);
return kIOReturnSuccess;
@@ -144,18 +145,32 @@ IOReturn SantaDriverClient::deny_binary(
SantaDriverClient *me = OSDynamicCast(SantaDriverClient, target);
if (!me) return kIOReturnBadArgument;
const uint64_t vnode_id = static_cast<const uint64_t>(*arguments->scalarInput);
const uint64_t vnode_id = static_cast<const uint64_t>(arguments->scalarInput[0]);
if (!vnode_id) return kIOReturnInvalid;
me->decisionManager->AddToCache(vnode_id, ACTION_RESPOND_DENY);
return kIOReturnSuccess;
}
IOReturn SantaDriverClient::acknowledge_binary(
OSObject *target, void *reference, IOExternalMethodArguments *arguments) {
SantaDriverClient *me = OSDynamicCast(SantaDriverClient, target);
if (!me) return kIOReturnBadArgument;
const uint64_t vnode_id = static_cast<const uint64_t>(arguments->scalarInput[0]);
if (!vnode_id) return kIOReturnInvalid;
me->decisionManager->AddToCache(vnode_id, ACTION_RESPOND_ACK, 0);
return kIOReturnSuccess;
}
IOReturn SantaDriverClient::clear_cache(
OSObject *target, void *reference, IOExternalMethodArguments *arguments) {
SantaDriverClient *me = OSDynamicCast(SantaDriverClient, target);
if (!me) return kIOReturnBadArgument;
me->decisionManager->ClearCache();
const bool non_root_only = static_cast<const bool>(arguments->scalarInput[0]);
me->decisionManager->ClearCache(non_root_only);
return kIOReturnSuccess;
}
@@ -165,7 +180,8 @@ IOReturn SantaDriverClient::cache_count(
SantaDriverClient *me = OSDynamicCast(SantaDriverClient, target);
if (!me) return kIOReturnBadArgument;
arguments->scalarOutput[0] = me->decisionManager->CacheCount();
arguments->scalarOutput[0] = me->decisionManager->RootCacheCount();
arguments->scalarOutput[1] = me->decisionManager->NonRootCacheCount();
return kIOReturnSuccess;
}
@@ -174,7 +190,7 @@ IOReturn SantaDriverClient::check_cache(
SantaDriverClient *me = OSDynamicCast(SantaDriverClient, target);
if (!me) return kIOReturnBadArgument;
uint64_t input = *arguments->scalarInput;
const uint64_t input = static_cast<const uint64_t>(arguments->scalarInput[0]);
arguments->scalarOutput[0] = me->decisionManager->GetFromCache(input);
return kIOReturnSuccess;
@@ -195,8 +211,9 @@ IOReturn SantaDriverClient::externalMethod(
{ &SantaDriverClient::open, 0, 0, 0, 0 },
{ &SantaDriverClient::allow_binary, 1, 0, 0, 0 },
{ &SantaDriverClient::deny_binary, 1, 0, 0, 0 },
{ &SantaDriverClient::clear_cache, 0, 0, 0, 0 },
{ &SantaDriverClient::cache_count, 0, 0, 1, 0 },
{ &SantaDriverClient::acknowledge_binary, 1, 0, 0, 0 },
{ &SantaDriverClient::clear_cache, 1, 0, 0, 0 },
{ &SantaDriverClient::cache_count, 0, 0, 2, 0 },
{ &SantaDriverClient::check_cache, 1, 0, 1, 0 }
};

5
Source/santa-driver/SantaDriverClient.h
View File

@@ -87,6 +87,11 @@ class com_google_SantaDriverClient : public IOUserClient {
static IOReturn deny_binary(
OSObject *target, void *reference, IOExternalMethodArguments *arguments);
/// The daemon calls this to acknowledge a binary request. This is used for large binaries that
/// may take a while to reach a decision.
static IOReturn acknowledge_binary(
OSObject *target, void *reference, IOExternalMethodArguments *arguments);
/// The daemon calls this to empty the cache.
static IOReturn clear_cache(
OSObject *target, void *reference, IOExternalMethodArguments *arguments);

15
Source/santabs/SNTBundleService.m
View File

@@ -98,11 +98,20 @@
dispatch_semaphore_t sema = dispatch_semaphore_create(0);
dispatch_async(self.queue, ^{
// Use the highest bundle we can find. Save and reuse the bundle infomation when creating
// the related binary events.
// Use the highest bundle we can find.
SNTFileInfo *b = [[SNTFileInfo alloc] initWithPath:event.fileBundlePath];
b.useAncestorBundle = YES;
event.fileBundlePath = b.bundlePath;
// If path to the bundle is unavailable, stop. SantaGUI will revert to
// using the offending blockable.
if (!event.fileBundlePath) {
reply(nil, nil, 0);
dispatch_semaphore_signal(sema);
return;
}
// Reuse the bundle infomation when creating the related binary events.
event.fileBundleID = b.bundleIdentifier;
event.fileBundleName = b.bundleName;
event.fileBundleVersion = b.bundleVersion;
@@ -239,7 +248,7 @@
se.fileBundleVersion = event.fileBundleVersion;
se.fileBundleVersionString = event.fileBundleVersionString;
MOLCodesignChecker *cs = [[MOLCodesignChecker alloc] initWithBinaryPath:se.filePath];
MOLCodesignChecker *cs = [fi codesignCheckerWithError:NULL];
se.signingChain = cs.certificates;
dispatch_sync(dispatch_get_main_queue(), ^{

14
Source/santactl/Commands/SNTCommandBundleInfo.m
View File

@@ -12,6 +12,7 @@
/// See the License for the specific language governing permissions and
/// limitations under the License.
#import "SNTCommand.h"
#import "SNTCommandController.h"
#import "SNTFileInfo.h"
@@ -20,7 +21,7 @@
#import "SNTXPCConnection.h"
#import "SNTXPCControlInterface.h"
@interface SNTCommandBundleInfo : NSObject<SNTCommand>
@interface SNTCommandBundleInfo : SNTCommand<SNTCommandProtocol>
@end
@implementation SNTCommandBundleInfo
@@ -45,7 +46,7 @@ REGISTER_COMMAND_NAME(@"bundleinfo")
return @"Searches a bundle for binaries";
}
+ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
- (void)runWithArguments:(NSArray *)arguments {
NSError *error;
SNTFileInfo *fi = [[SNTFileInfo alloc] initWithPath:arguments.firstObject error:&error];
if (!fi) {
@@ -59,11 +60,10 @@ REGISTER_COMMAND_NAME(@"bundleinfo")
SNTStoredEvent *se = [[SNTStoredEvent alloc] init];
se.fileBundlePath = fi.bundlePath;
[[daemonConn remoteObjectProxy] hashBundleBinariesForEvent:se
reply:^(NSString *hash,
NSArray<SNTStoredEvent *> *events,
NSNumber *time) {
[[self.daemonConn remoteObjectProxy]
hashBundleBinariesForEvent:se
reply:^(NSString *hash, NSArray<SNTStoredEvent *> *events,
NSNumber *time) {
printf("Hashing time: %llu ms\n", time.unsignedLongLongValue);
printf("%lu events found\n", events.count);
printf("BundleHash: %s\n", hash.UTF8String);

10
Source/santactl/Commands/SNTCommandCheckCache.m
View File

@@ -14,6 +14,7 @@
@import Foundation;
#import "SNTCommand.h"
#import "SNTCommandController.h"
#import "SNTLogging.h"
@@ -22,7 +23,7 @@
#include <sys/stat.h>
@interface SNTCommandCheckCache : NSObject<SNTCommand>
@interface SNTCommandCheckCache : SNTCommand<SNTCommandProtocol>
@end
@implementation SNTCommandCheckCache
@@ -48,9 +49,10 @@ REGISTER_COMMAND_NAME(@"checkcache")
@"Returns 0 if successful, 1 otherwise");
}
+ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
- (void)runWithArguments:(NSArray *)arguments {
uint64_t vnodeID = [self vnodeIDForFile:arguments.firstObject];
[[daemonConn remoteObjectProxy] checkCacheForVnodeID:vnodeID withReply:^(santa_action_t action) {
[[self.daemonConn remoteObjectProxy] checkCacheForVnodeID:vnodeID
withReply:^(santa_action_t action) {
if (action == ACTION_RESPOND_ALLOW) {
LOGI(@"File exists in [whitelist] kernel cache");
exit(0);
@@ -64,7 +66,7 @@ REGISTER_COMMAND_NAME(@"checkcache")
}];
}
+ (uint64_t)vnodeIDForFile:(NSString *)path {
- (uint64_t)vnodeIDForFile:(NSString *)path {
struct stat fstat = {};
stat(path.fileSystemRepresentation, &fstat);
return (((uint64_t)fstat.st_dev << 32) | fstat.st_ino);

836
Source/santactl/Commands/SNTCommandFileInfo.m
View File

File diff suppressed because it is too large Load Diff

7
Source/santactl/Commands/SNTCommandFlushCache.m
View File

@@ -14,13 +14,14 @@
@import Foundation;
#import "SNTCommand.h"
#import "SNTCommandController.h"
#import "SNTLogging.h"
#import "SNTXPCConnection.h"
#import "SNTXPCControlInterface.h"
@interface SNTCommandFlushCache : NSObject<SNTCommand>
@interface SNTCommandFlushCache : SNTCommand<SNTCommandProtocol>
@end
@implementation SNTCommandFlushCache
@@ -46,8 +47,8 @@ REGISTER_COMMAND_NAME(@"flushcache")
@"Returns 0 if successful, 1 otherwise");
}
+ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
[[daemonConn remoteObjectProxy] flushCache:^(BOOL success) {
- (void)runWithArguments:(NSArray *)arguments {
[[self.daemonConn remoteObjectProxy] flushCache:^(BOOL success) {
if (success) {
LOGI(@"Cache flush requested");
exit(0);

27
Source/santactl/Commands/SNTCommandRule.m
View File

@@ -14,21 +14,20 @@
@import Foundation;
#import "SNTCommand.h"
#import "SNTCommandController.h"
#include "SNTLogging.h"
#import "MOLCertificate.h"
#import "MOLCodesignChecker.h"
#import "SNTConfigurator.h"
#import "SNTDropRootPrivs.h"
#import "SNTFileInfo.h"
#include "SNTLogging.h"
#import "SNTRule.h"
#import "SNTXPCConnection.h"
#import "SNTXPCControlInterface.h"
@interface SNTCommandRule : NSObject<SNTCommand>
@property SNTXPCConnection *daemonConn;
@interface SNTCommandRule : SNTCommand<SNTCommandProtocol>
@end
@implementation SNTCommandRule
@@ -68,13 +67,7 @@ REGISTER_COMMAND_NAME(@"rule")
@" --message {message}: custom message\n");
}
+ (void)printErrorUsageAndExit:(NSString *)error {
printf("%s\n\n", [error UTF8String]);
printf("%s\n", [[self longHelpText] UTF8String]);
exit(1);
}
+ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
- (void)runWithArguments:(NSArray *)arguments {
SNTConfigurator *config = [SNTConfigurator configurator];
if ([config syncBaseURL] && ![arguments containsObject:@"--check"]) {
printf("SyncBaseURL is set, rules are managed centrally.\n");
@@ -129,7 +122,7 @@ REGISTER_COMMAND_NAME(@"rule")
if (check) {
if (!newRule.shasum) return [self printErrorUsageAndExit:@"--check requires --sha256"];
return [self printStateOfRule:newRule daemonConnection:daemonConn];
return [self printStateOfRule:newRule daemonConnection:self.daemonConn];
}
if (path) {
@@ -141,7 +134,7 @@ REGISTER_COMMAND_NAME(@"rule")
if (newRule.type == SNTRuleTypeBinary) {
newRule.shasum = fi.SHA256;
} else if (newRule.type == SNTRuleTypeCertificate) {
MOLCodesignChecker *cs = [[MOLCodesignChecker alloc] initWithBinaryPath:fi.path];
MOLCodesignChecker *cs = [fi codesignCheckerWithError:NULL];
newRule.shasum = cs.leafCertificate.SHA256;
}
}
@@ -152,9 +145,9 @@ REGISTER_COMMAND_NAME(@"rule")
[self printErrorUsageAndExit:@"Either SHA-256 or path to file must be specified"];
}
[[daemonConn remoteObjectProxy] databaseRuleAddRules:@[newRule]
cleanSlate:NO
reply:^(NSError *error) {
[[self.daemonConn remoteObjectProxy] databaseRuleAddRules:@[newRule]
cleanSlate:NO
reply:^(NSError *error) {
if (error) {
printf("Failed to modify rules: %s", [error.localizedDescription UTF8String]);
LOGD(@"Failure reason: %@", error.localizedFailureReason);
@@ -170,7 +163,7 @@ REGISTER_COMMAND_NAME(@"rule")
}];
}
+ (void)printStateOfRule:(SNTRule *)rule daemonConnection:(SNTXPCConnection *)daemonConn {
- (void)printStateOfRule:(SNTRule *)rule daemonConnection:(SNTXPCConnection *)daemonConn {
NSString *fileSHA256 = (rule.type == SNTRuleTypeBinary) ? rule.shasum : nil;
NSString *certificateSHA256 = (rule.type == SNTRuleTypeCertificate) ? rule.shasum : nil;
dispatch_group_t group = dispatch_group_create();

78
Source/santactl/Commands/SNTCommandStatus.m
View File

@@ -14,13 +14,14 @@
@import Foundation;
#import "SNTCommand.h"
#import "SNTCommandController.h"
#import "SNTConfigurator.h"
#import "SNTXPCConnection.h"
#import "SNTXPCControlInterface.h"
@interface SNTCommandStatus : NSObject<SNTCommand>
@interface SNTCommandStatus : SNTCommand<SNTCommandProtocol>
@end
@implementation SNTCommandStatus
@@ -44,7 +45,7 @@ REGISTER_COMMAND_NAME(@"status")
@" Use --json to output in JSON format");
}
+ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
- (void)runWithArguments:(NSArray *)arguments {
dispatch_group_t group = dispatch_group_create();
// Daemon status
@@ -52,7 +53,7 @@ REGISTER_COMMAND_NAME(@"status")
__block uint64_t cpuEvents, ramEvents;
__block double cpuPeak, ramPeak;
dispatch_group_enter(group);
[[daemonConn remoteObjectProxy] clientMode:^(SNTClientMode cm) {
[[self.daemonConn remoteObjectProxy] clientMode:^(SNTClientMode cm) {
switch (cm) {
case SNTClientModeMonitor:
clientMode = @"Monitor";
@@ -67,8 +68,8 @@ REGISTER_COMMAND_NAME(@"status")
dispatch_group_leave(group);
}];
dispatch_group_enter(group);
[[daemonConn remoteObjectProxy] watchdogInfo:^(uint64_t wd_cpuEvents, uint64_t wd_ramEvents,
double wd_cpuPeak, double wd_ramPeak) {
[[self.daemonConn remoteObjectProxy] watchdogInfo:^(uint64_t wd_cpuEvents, uint64_t wd_ramEvents,
double wd_cpuPeak, double wd_ramPeak) {
cpuEvents = wd_cpuEvents;
cpuPeak = wd_cpuPeak;
ramEvents = wd_ramEvents;
@@ -79,42 +80,54 @@ REGISTER_COMMAND_NAME(@"status")
BOOL fileLogging = ([[SNTConfigurator configurator] fileChangesRegex] != nil);
// Kext status
__block int64_t cacheCount = -1;
__block uint64_t rootCacheCount = -1, nonRootCacheCount = -1;
dispatch_group_enter(group);
[[daemonConn remoteObjectProxy] cacheCount:^(int64_t count) {
cacheCount = count;
[[self.daemonConn remoteObjectProxy] cacheCounts:^(uint64_t rootCache, uint64_t nonRootCache) {
rootCacheCount = rootCache;
nonRootCacheCount = nonRootCache;
dispatch_group_leave(group);
}];
// Database counts
__block int64_t eventCount = -1, binaryRuleCount = -1, certRuleCount = -1;
dispatch_group_enter(group);
[[daemonConn remoteObjectProxy] databaseRuleCounts:^(int64_t binary, int64_t certificate) {
[[self.daemonConn remoteObjectProxy] databaseRuleCounts:^(int64_t binary, int64_t certificate) {
binaryRuleCount = binary;
certRuleCount = certificate;
dispatch_group_leave(group);
}];
dispatch_group_enter(group);
[[daemonConn remoteObjectProxy] databaseEventCount:^(int64_t count) {
[[self.daemonConn remoteObjectProxy] databaseEventCount:^(int64_t count) {
eventCount = count;
dispatch_group_leave(group);
}];
// Sync status
NSString *syncURLStr = [[[SNTConfigurator configurator] syncBaseURL] absoluteString];
NSDateFormatter *dateFormatter = [[NSDateFormatter alloc] init];
dateFormatter.dateFormat = @"yyyy/MM/dd HH:mm:ss Z";
NSDate *lastSyncSuccess = [[SNTConfigurator configurator] fullSyncLastSuccess];
NSString *lastSyncSuccessStr = [dateFormatter stringFromDate:lastSyncSuccess] ?: @"Never";
NSDate *lastRuleSyncSuccess = [[SNTConfigurator configurator] ruleSyncLastSuccess];
NSString *lastRuleSyncSuccessStr =
[dateFormatter stringFromDate:lastRuleSyncSuccess] ?: lastSyncSuccessStr;
BOOL syncCleanReqd = [[SNTConfigurator configurator] syncCleanRequired];
__block NSDate *fullSyncLastSuccess;
dispatch_group_enter(group);
[[self.daemonConn remoteObjectProxy] fullSyncLastSuccess:^(NSDate *date) {
fullSyncLastSuccess = date;
dispatch_group_leave(group);
}];
__block NSDate *ruleSyncLastSuccess;
dispatch_group_enter(group);
[[self.daemonConn remoteObjectProxy] ruleSyncLastSuccess:^(NSDate *date) {
ruleSyncLastSuccess = date;
dispatch_group_leave(group);
}];
__block BOOL syncCleanReqd = NO;
dispatch_group_enter(group);
[[self.daemonConn remoteObjectProxy] syncCleanRequired:^(BOOL clean) {
syncCleanReqd = clean;
dispatch_group_leave(group);
}];
__block BOOL pushNotifications = NO;
if ([[SNTConfigurator configurator] syncBaseURL]) {
dispatch_group_enter(group);
[[daemonConn remoteObjectProxy] pushNotifications:^(BOOL response) {
[[self.daemonConn remoteObjectProxy] pushNotifications:^(BOOL response) {
pushNotifications = response;
dispatch_group_leave(group);
}];
@@ -123,7 +136,7 @@ REGISTER_COMMAND_NAME(@"status")
__block BOOL bundlesEnabled = NO;
if ([[SNTConfigurator configurator] syncBaseURL]) {
dispatch_group_enter(group);
[[daemonConn remoteObjectProxy] bundlesEnabled:^(BOOL response) {
[[self.daemonConn remoteObjectProxy] bundlesEnabled:^(BOOL response) {
bundlesEnabled = response;
dispatch_group_leave(group);
}];
@@ -134,6 +147,15 @@ REGISTER_COMMAND_NAME(@"status")
fprintf(stderr, "Failed to retrieve some stats from daemon\n\n");
}
// Format dates
NSDateFormatter *dateFormatter = [[NSDateFormatter alloc] init];
dateFormatter.dateFormat = @"yyyy/MM/dd HH:mm:ss Z";
NSString *fullSyncLastSuccessStr = [dateFormatter stringFromDate:fullSyncLastSuccess] ?: @"Never";
NSString *ruleSyncLastSuccessStr =
[dateFormatter stringFromDate:ruleSyncLastSuccess] ?: fullSyncLastSuccessStr;
NSString *syncURLStr = [[[SNTConfigurator configurator] syncBaseURL] absoluteString];
if ([arguments containsObject:@"--json"]) {
NSDictionary *stats = @{
@"daemon" : @{
@@ -145,7 +167,8 @@ REGISTER_COMMAND_NAME(@"status")
@"watchdog_ram_peak" : @(ramPeak),
},
@"kernel" : @{
@"cache_count" : @(cacheCount),
@"root_cache_count" : @(rootCacheCount),
@"non_root_cache_count": @(nonRootCacheCount),
},
@"database" : @{
@"binary_rules" : @(binaryRuleCount),
@@ -155,8 +178,8 @@ REGISTER_COMMAND_NAME(@"status")
@"sync" : @{
@"server" : syncURLStr ?: @"null",
@"clean_required" : @(syncCleanReqd),
@"last_successful_full" : lastSyncSuccessStr ?: @"null",
@"last_successful_rule" : lastRuleSyncSuccessStr ?: @"null",
@"last_successful_full" : fullSyncLastSuccessStr ?: @"null",
@"last_successful_rule" : ruleSyncLastSuccessStr ?: @"null",
@"push_notifications" : pushNotifications ? @"Connected" : @"Disconnected",
@"bundle_scanning" : @(bundlesEnabled)
},
@@ -173,7 +196,8 @@ REGISTER_COMMAND_NAME(@"status")
printf(" %-25s | %lld (Peak: %.2f%%)\n", "Watchdog CPU Events", cpuEvents, cpuPeak);
printf(" %-25s | %lld (Peak: %.2fMB)\n", "Watchdog RAM Events", ramEvents, ramPeak);
printf(">>> Kernel Info\n");
printf(" %-25s | %lld\n", "Kernel cache count", cacheCount);
printf(" %-25s | %lld\n", "Root cache count", rootCacheCount);
printf(" %-25s | %lld\n", "Non-root cache count", nonRootCacheCount);
printf(">>> Database Info\n");
printf(" %-25s | %lld\n", "Binary Rules", binaryRuleCount);
printf(" %-25s | %lld\n", "Certificate Rules", certRuleCount);
@@ -183,8 +207,8 @@ REGISTER_COMMAND_NAME(@"status")
printf(">>> Sync Info\n");
printf(" %-25s | %s\n", "Sync Server", [syncURLStr UTF8String]);
printf(" %-25s | %s\n", "Clean Sync Required", (syncCleanReqd ? "Yes" : "No"));
printf(" %-25s | %s\n", "Last Successful Full Sync", [lastSyncSuccessStr UTF8String]);
printf(" %-25s | %s\n", "Last Successful Rule Sync", [lastRuleSyncSuccessStr UTF8String]);
printf(" %-25s | %s\n", "Last Successful Full Sync", [fullSyncLastSuccessStr UTF8String]);
printf(" %-25s | %s\n", "Last Successful Rule Sync", [ruleSyncLastSuccessStr UTF8String]);
printf(" %-25s | %s\n", "Push Notifications",
(pushNotifications ? "Connected" : "Disconnected"));
printf(" %-25s | %s\n", "Bundle Scanning", (bundlesEnabled ? "Yes" : "No"));

18
Source/santactl/Commands/SNTCommandVersion.m
View File

@@ -13,17 +13,17 @@
/// limitations under the License.
@import Foundation;
#import "SNTCommandController.h"
@import IOKit.kext;
#import "SNTCommand.h"
#import "SNTCommandController.h"
#import "SNTCommonEnums.h"
#import "SNTFileInfo.h"
#import "SNTKernelCommon.h"
#import "SNTXPCConnection.h"
@interface SNTCommandVersion : NSObject<SNTCommand>
@interface SNTCommandVersion : SNTCommand<SNTCommandProtocol>
@end
@implementation SNTCommandVersion
@@ -47,7 +47,7 @@ REGISTER_COMMAND_NAME(@"version")
@" Use --json to output in JSON format.");
}
+ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
- (void)runWithArguments:(NSArray *)arguments {
if ([arguments containsObject:@"--json"]) {
NSDictionary *versions = @{
@"santa-driver" : [self santaKextVersion],
@@ -70,7 +70,7 @@ REGISTER_COMMAND_NAME(@"version")
exit(0);
}
+ (NSString *)santaKextVersion {
- (NSString *)santaKextVersion {
NSDictionary *loadedKexts = CFBridgingRelease(
KextManagerCopyLoadedKextInfo((__bridge CFArrayRef) @[ @(USERCLIENT_ID) ],
(__bridge CFArrayRef) @[ @"CFBundleVersion" ]));
@@ -87,18 +87,18 @@ REGISTER_COMMAND_NAME(@"version")
return @"not found";
}
+ (NSString *)santadVersion {
- (NSString *)santadVersion {
SNTFileInfo *daemonInfo = [[SNTFileInfo alloc] initWithPath:@(kSantaDPath)];
return daemonInfo.bundleVersion;
}
+ (NSString *)santaAppVersion {
- (NSString *)santaAppVersion {
SNTFileInfo *guiInfo =
[[SNTFileInfo alloc] initWithPath:@"/Applications/Santa.app/Contents/MacOS/Santa"];
return guiInfo.bundleVersion;
}
+ (NSString *)santactlVersion {
- (NSString *)santactlVersion {
return [[NSBundle mainBundle] objectForInfoDictionaryKey:@"CFBundleVersion"];
}

16
Source/santactl/Commands/sync/SNTCommandSync.m
View File

@@ -14,6 +14,7 @@
@import Foundation;
#import "SNTCommand.h"
#import "SNTCommandController.h"
#import "SNTCommandSyncManager.h"
@@ -23,7 +24,7 @@
#import "SNTXPCConnection.h"
#import "SNTXPCControlInterface.h"
@interface SNTCommandSync : NSObject<SNTCommand>
@interface SNTCommandSync : SNTCommand<SNTCommandProtocol>
@property SNTXPCConnection *listener;
@property SNTCommandSyncManager *syncManager;
@end
@@ -54,7 +55,7 @@ REGISTER_COMMAND_NAME(@"sync")
@" clean sync from the server.");
}
+ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
- (void)runWithArguments:(NSArray *)arguments {
// Ensure we have no privileges
if (!DropRootPrivileges()) {
LOGE(@"Failed to drop root privileges. Exiting.");
@@ -66,11 +67,10 @@ REGISTER_COMMAND_NAME(@"sync")
exit(1);
}
SNTCommandSync *s = [[self alloc] init];
[daemonConn resume];
[self.daemonConn resume];
BOOL daemon = [arguments containsObject:@"--daemon"];
s.syncManager = [[SNTCommandSyncManager alloc] initWithDaemonConnection:daemonConn
isDaemon:daemon];
self.syncManager = [[SNTCommandSyncManager alloc] initWithDaemonConnection:self.daemonConn
isDaemon:daemon];
// Dropping root privileges to the 'nobody' user causes the default NSURLCache to throw
// sandbox errors, which are benign but annoying. This line disables the cache entirely.
@@ -78,8 +78,8 @@ REGISTER_COMMAND_NAME(@"sync")
diskCapacity:0
diskPath:nil]];
if (!s.syncManager.daemon) return [s.syncManager fullSync];
[s syncdWithDaemonConnection:daemonConn];
if (!self.syncManager.daemon) return [self.syncManager fullSync];
[self syncdWithDaemonConnection:self.daemonConn];
}
#pragma mark daemon methods

137
Source/santactl/Commands/sync/SNTCommandSyncManager.m
View File

@@ -27,6 +27,7 @@
#import "SNTCommandSyncPreflight.h"
#import "SNTCommandSyncRuleDownload.h"
#import "SNTCommandSyncState.h"
#import "SNTCommonEnums.h"
#import "SNTLogging.h"
#import "SNTStoredEvent.h"
#import "SNTStrengthify.h"
@@ -47,7 +48,14 @@ static NSString *const kFCMTargetHostIDKey = @"target_host_id";
@property(nonatomic) dispatch_source_t ruleSyncTimer;
@property(nonatomic) NSCache *dispatchLock;
@property(nonatomic) NSCache *ruleSyncCache;
// whitelistNotifications dictionary stores info from FCM messages. The binary/bundle hash is used
// as a key mapping to values that are themselves dictionaries. These dictionary values contain the
// name of the binary/bundle and a count of associated binary rules.
@property(nonatomic) NSMutableDictionary *whitelistNotifications;
// whitelistNotificationQueue is used to serialize access to the whitelistNotifications dictionary.
@property(nonatomic) NSOperationQueue *whitelistNotificationQueue;
@property NSUInteger FCMFullSyncInterval;
@property NSUInteger FCMGlobalRuleSyncDeadline;
@@ -100,7 +108,8 @@ static void reachabilityHandler(
[self lockAction:kRuleSync];
SNTCommandSyncState *syncState = [self createSyncState];
syncState.targetedRuleSync = self.targetedRuleSync;
syncState.ruleSyncCache = self.ruleSyncCache;
syncState.whitelistNotifications = self.whitelistNotifications;
syncState.whitelistNotificationQueue = self.whitelistNotificationQueue;
SNTCommandSyncRuleDownload *p = [[SNTCommandSyncRuleDownload alloc] initWithState:syncState];
if ([p sync]) {
LOGD(@"Rule download complete");
@@ -111,7 +120,9 @@ static void reachabilityHandler(
[self unlockAction:kRuleSync];
}];
_dispatchLock = [[NSCache alloc] init];
_ruleSyncCache = [[NSCache alloc] init];
_whitelistNotifications = [NSMutableDictionary dictionary];
_whitelistNotificationQueue = [[NSOperationQueue alloc] init];
_whitelistNotificationQueue.maxConcurrentOperationCount = 1; // make this a serial queue
_eventBatchSize = kDefaultEventBatchSize;
_FCMFullSyncInterval = kDefaultFCMFullSyncInterval;
@@ -120,43 +131,49 @@ static void reachabilityHandler(
return self;
}
- (void)dealloc {
// Ensure reachability is always stopped
[self stopReachability];
}
#pragma mark SNTSyncdXPC protocol methods
- (void)postBundleEventToSyncServer:(SNTStoredEvent *)event reply:(void (^)(BOOL))reply {
- (void)postEventsToSyncServer:(NSArray<SNTStoredEvent *> *)events isFromBundle:(BOOL)isFromBundle {
SNTCommandSyncState *syncState = [self createSyncState];
if (isFromBundle) syncState.eventBatchSize = self.eventBatchSize;
SNTCommandSyncEventUpload *p = [[SNTCommandSyncEventUpload alloc] initWithState:syncState];
if (events && [p uploadEvents:events]) {
LOGD(@"Events upload complete");
} else {
LOGE(@"Events upload failed. Will retry again once %@ is reachable",
[[SNTConfigurator configurator] syncBaseURL].absoluteString);
[self startReachability];
}
}
- (void)postBundleEventToSyncServer:(SNTStoredEvent *)event
reply:(void (^)(SNTBundleEventAction))reply {
if (!event) {
reply(SNTBundleEventActionDropEvents);
return;
}
SNTCommandSyncState *syncState = [self createSyncState];
SNTCommandSyncEventUpload *p = [[SNTCommandSyncEventUpload alloc] initWithState:syncState];
if (event && [p uploadEvents:@[event]]) {
BOOL needsRelatedEvents = [syncState.bundleBinaryRequests containsObject:event.fileBundleHash];
reply(needsRelatedEvents);
if (needsRelatedEvents) {
if ([p uploadEvents:@[event]]) {
if ([syncState.bundleBinaryRequests containsObject:event.fileBundleHash]) {
reply(SNTBundleEventActionSendEvents);
LOGD(@"Needs related events");
} else {
reply(SNTBundleEventActionDropEvents);
LOGD(@"Bundle event upload complete");
}
} else {
reply(NO);
LOGE(@"Bundle event upload failed");
}
}
- (void)postBundleEventsToSyncServer:(NSArray<SNTStoredEvent *> *)events {
SNTCommandSyncState *syncState = [self createSyncState];
syncState.eventBatchSize = self.eventBatchSize;
SNTCommandSyncEventUpload *p = [[SNTCommandSyncEventUpload alloc] initWithState:syncState];
if (events && [p uploadEvents:events]) {
LOGD(@"Bundle events upload complete");
} else {
LOGE(@"Bundle events upload failed");
}
}
- (void)postEventToSyncServer:(SNTStoredEvent *)event {
SNTCommandSyncEventUpload *p = [[SNTCommandSyncEventUpload alloc]
initWithState:[self createSyncState]];
if (event && [p uploadEvents:@[event]]) {
LOGD(@"Event upload complete");
} else {
LOGE(@"Event upload failed");
// Related bundle events will be stored and eventually synced, whether the server actually
// wanted them or not. If they weren't needed the server will simply ignore them.
reply(SNTBundleEventActionStoreEvents);
LOGE(@"Bundle event upload failed. Will retry again once %@ is reachable",
[[SNTConfigurator configurator] syncBaseURL].absoluteString);
[self startReachability];
}
}
@@ -195,11 +212,11 @@ static void reachabilityHandler(
self.FCMClient = nil;
[self rescheduleTimerQueue:self.fullSyncTimer secondsFromNow:kDefaultFullSyncInterval];
};
self.FCMClient.loggingBlock = ^(NSString *log) {
LOGD(@"%@", log);
};
[self.FCMClient connect];
}
@@ -217,12 +234,19 @@ static void reachabilityHandler(
return;
}
// Store the file name and hash in a cache. When the rule is actually added, use the cache
// to build a user notification.
// We assume that the incoming FCM message contains name of binary/bundle and a hash. Rule count
// info for bundles will be sent out later with the rules themselves. If the message is related
// to a bundle, the hash is a bundle hash, otherwise it is just a hash for a single binary.
// For later use, we store a mapping of bundle/binary hash to a dictionary containing the
// binary/bundle name so we can send out relevant notifications once the rules are actually
// downloaded & added to local database. We use a dictionary value so that we can later add a
// count field when we start downloading the rules and receive the count information.
NSString *fileHash = message[kFCMFileHashKey];
NSString *fileName = message[kFCMFileNameKey];
if (fileName && fileHash) {
[self.ruleSyncCache setObject:fileName forKey:fileHash];
[self.whitelistNotificationQueue addOperationWithBlock:^{
self.whitelistNotifications[fileHash] = @{ kFileName : fileName }.mutableCopy;
}];
}
LOGD(@"Push notification action: %@ received", action);
@@ -464,7 +488,7 @@ static void reachabilityHandler(
} else if ([config syncClientAuthCertificateIssuer]) {
authURLSession.clientCertIssuerCn = [config syncClientAuthCertificateIssuer];
}
syncState.session = [authURLSession session];
syncState.daemonConn = self.daemonConn;
syncState.daemon = self.daemon;
@@ -497,27 +521,32 @@ static void reachabilityHandler(
// Start listening for network state changes on a background thread
- (void)startReachability {
if (_reachability) return;
const char *nodename = [[SNTConfigurator configurator] syncBaseURL].host.UTF8String;
_reachability = SCNetworkReachabilityCreateWithName(kCFAllocatorDefault, nodename);
SCNetworkReachabilityContext context = {
.info = (__bridge void *)self
};
if (SCNetworkReachabilitySetCallback(_reachability, reachabilityHandler, &context)) {
SCNetworkReachabilitySetDispatchQueue(
_reachability, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0));
} else {
[self stopReachability];
}
dispatch_async(dispatch_get_main_queue(), ^{
if (_reachability) return;
const char *nodename = [[SNTConfigurator configurator] syncBaseURL].host.UTF8String;
_reachability = SCNetworkReachabilityCreateWithName(kCFAllocatorDefault, nodename);
SCNetworkReachabilityContext context = {
.info = (__bridge_retained void *)self,
.release = (void (*)(const void *))CFBridgingRelease,
};
if (SCNetworkReachabilitySetCallback(_reachability, reachabilityHandler, &context)) {
SCNetworkReachabilitySetDispatchQueue(_reachability,
dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0));
} else {
[self stopReachability];
}
});
}
// Stop listening for network state changes
- (void)stopReachability {
if (_reachability) {
SCNetworkReachabilitySetDispatchQueue(_reachability, NULL);
if (_reachability) CFRelease(_reachability);
_reachability = NULL;
}
dispatch_async(dispatch_get_main_queue(), ^{
if (_reachability) {
SCNetworkReachabilitySetDispatchQueue(_reachability, NULL);
if (_reachability) CFRelease(_reachability);
_reachability = NULL;
}
});
}
@end

2
Source/santactl/Commands/sync/SNTCommandSyncPostflight.m
View File

@@ -63,7 +63,7 @@
// Update last sync success
dispatch_group_enter(group);
[[self.daemonConn remoteObjectProxy] setSyncLastSuccess:[NSDate date] reply:replyBlock];
[[self.daemonConn remoteObjectProxy] setFullSyncLastSuccess:[NSDate date] reply:replyBlock];
// Wait for dispatch group
dispatch_group_wait(group, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC));

10
Source/santactl/Commands/sync/SNTCommandSyncPreflight.m
View File

@@ -60,11 +60,17 @@
dispatch_group_leave(group);
}];
__block BOOL syncClean = NO;
dispatch_group_enter(group);
[[self.daemonConn remoteObjectProxy] syncCleanRequired:^(BOOL clean) {
syncClean = clean;
dispatch_group_leave(group);
}];
dispatch_group_wait(group, dispatch_time(DISPATCH_TIME_NOW, 2 * NSEC_PER_SEC));
// If user requested it or we've never had a successful sync, try from a clean slate.
if ([[[NSProcessInfo processInfo] arguments] containsObject:@"--clean"] ||
[[SNTConfigurator configurator] syncCleanRequired]) {
if ([[[NSProcessInfo processInfo] arguments] containsObject:@"--clean"] || syncClean) {
LOGD(@"Clean sync requested by user");
requestDict[kRequestCleanSync] = @YES;
}

132
Source/santactl/Commands/sync/SNTCommandSyncRuleDownload.m
View File

@@ -30,30 +30,16 @@
}
- (BOOL)sync {
self.syncState.downloadedRules = [NSMutableArray array];
return [self ruleDownloadWithCursor:nil];
}
- (BOOL)ruleDownloadWithCursor:(NSString *)cursor {
NSDictionary *requestDict = (cursor ? @{kCursor : cursor} : @{});
NSDictionary *resp = [self performRequest:[self requestWithDictionary:requestDict]];
if (!resp) return NO;
for (NSDictionary *rule in resp[kRules]) {
SNTRule *r = [self ruleFromDictionary:rule];
if (r) [self.syncState.downloadedRules addObject:r];
}
if (resp[kCursor]) {
return [self ruleDownloadWithCursor:resp[kCursor]];
}
if (!self.syncState.downloadedRules.count) return YES;
// Grab the new rules from server
NSArray<SNTRule *> *newRules = [self downloadNewRulesFromServer];
if (!newRules) return NO; // encountered a problem with the download
if (!newRules.count) return YES; // successfully completed request, but no new rules
// Tell santad to add the new rules to the database.
// Wait until finished or until 5 minutes pass.
dispatch_semaphore_t sema = dispatch_semaphore_create(0);
__block NSError *error;
[[self.daemonConn remoteObjectProxy] databaseRuleAddRules:self.syncState.downloadedRules
[[self.daemonConn remoteObjectProxy] databaseRuleAddRules:newRules
cleanSlate:self.syncState.cleanSync
reply:^(NSError *e) {
error = e;
@@ -67,29 +53,74 @@
return NO;
}
// Tell santad to record a successful rules sync and wait for it to finish.
sema = dispatch_semaphore_create(0);
[[self.daemonConn remoteObjectProxy] setRuleSyncLastSuccess:[NSDate date] reply:^{
dispatch_semaphore_signal(sema);
}];
dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC));
LOGI(@"Added %lu rules", self.syncState.downloadedRules.count);
LOGI(@"Added %lu rules", newRules.count);
if (self.syncState.targetedRuleSync) {
for (SNTRule *r in self.syncState.downloadedRules) {
NSString *fileName = [[self.syncState.ruleSyncCache objectForKey:r.shasum] copy];
[self.syncState.ruleSyncCache removeObjectForKey:r.shasum];
if (fileName.length) {
NSString *message = [NSString stringWithFormat:@"%@ can now be run", fileName];
[[self.daemonConn remoteObjectProxy]
postRuleSyncNotificationWithCustomMessage:message reply:^{}];
}
}
}
// Send out push notifications about any newly whitelisted binaries
// that had been previously blocked by santad.
[self.syncState.whitelistNotificationQueue addOperationWithBlock:^{
[self announceUnblockingRules:newRules];
}];
return YES;
}
// Downloads new rules from server and converts them into SNTRule.
// Returns an array of all converted rules, or nil if there was a server problem.
// Note that rules from the server are filtered. We only keep those whose rule_type
// is either BINARY or CERTIFICATE. PACKAGE rules are dropped.
- (NSArray<SNTRule *> *)downloadNewRulesFromServer {
NSMutableArray<SNTRule *> *newRules = [NSMutableArray array];
NSString *cursor = nil;
do {
NSDictionary *requestDict = cursor ? @{kCursor : cursor} : @{};
NSDictionary *response = [self performRequest:[self requestWithDictionary:requestDict]];
if (!response) return nil;
for (NSDictionary *ruleDict in response[kRules]) {
SNTRule *rule = [self ruleFromDictionary:ruleDict];
if (rule) [newRules addObject:rule];
}
cursor = response[kCursor];
} while (cursor);
return newRules;
}
// Send out push notifications for whitelisted bundles/binaries whose rule download was preceded by
// an associated announcing FCM message.
- (void)announceUnblockingRules:(NSArray<SNTRule *> *)newRules {
if (!self.syncState.targetedRuleSync) return;
NSMutableArray *processed = [NSMutableArray array];
for (NSString *key in self.syncState.whitelistNotifications) {
// Each notifier object is a dictionary with name and count keys. If the count has been
// decremented to zero, then this means that we have downloaded all of the rules associated with
// this SHA256 hash (which might be a bundle hash or a binary hash), in which case we are OK to
// show a notification that the named bundle/binary can be run.
NSDictionary *notifier = self.syncState.whitelistNotifications[key];
NSNumber *remaining = notifier[kFileBundleBinaryCount];
if (remaining && [remaining intValue] == 0) {
[processed addObject:key];
NSString *message = [NSString stringWithFormat:@"%@ can now be run", notifier[kFileName]];
[[self.daemonConn remoteObjectProxy]
postRuleSyncNotificationWithCustomMessage:message reply:^{}];
}
}
// Remove all entries from whitelistNotifications dictionary that had zero count.
[self.syncState.whitelistNotifications removeObjectsForKeys:processed];
}
// Converts rule information downloaded from the server into a SNTRule. Because any information
// not recorded by SNTRule is thrown away here, this method is also responsible for dealing with
// the extra bundle rule information (bundle_hash & rule_count).
- (SNTRule *)ruleFromDictionary:(NSDictionary *)dict {
if (![dict isKindOfClass:[NSDictionary class]]) return nil;
@@ -124,6 +155,41 @@
newRule.customMsg = customMsg;
}
// Check rule for extra notification related info.
if (newRule.state == SNTRuleStateWhitelist) {
// primaryHash is the bundle hash if there was a bundle hash included in the rule, otherwise
// it is simply the binary hash.
NSString *primaryHash = dict[kFileBundleHash];
if (primaryHash.length != 64) {
primaryHash = newRule.shasum;
}
// As we read in rules, we update the "remaining count" information stored in
// whitelistNotifications. This count represents the number of rules associated with the primary
// hash that still need to be downloaded and added.
[self.syncState.whitelistNotificationQueue addOperationWithBlock:^{
NSMutableDictionary *notifier = self.syncState.whitelistNotifications[primaryHash];
if (notifier) {
NSNumber *ruleCount = dict[kFileBundleBinaryCount];
NSNumber *remaining = notifier[kFileBundleBinaryCount];
if (remaining) { // bundle rule with existing count
// If the primary hash already has an associated count field, just decrement it.
notifier[kFileBundleBinaryCount] = @([remaining intValue] - 1);
} else if (ruleCount) { // bundle rule seen for first time
// Downloaded rules including count information are associated with bundles.
// The first time we see a rule for a given bundle hash, add a count field with an
// initial value equal to the number of associated rules, then decrement this value by 1
// to account for the rule that we've just downloaded.
notifier[kFileBundleBinaryCount] = @([ruleCount intValue] - 1);
} else { // non-bundle binary rule
// Downloaded rule had no count information, meaning it is a singleton non-bundle rule.
// Therefore there are no more rules associated with this hash to download.
notifier[kFileBundleBinaryCount] = @0;
}
}
}];
}
return newRule;
}

2
Source/santactl/Commands/sync/SNTCommandSyncStage.m
View File

@@ -77,6 +77,8 @@
return req;
}
// Returns nil when there is a server connection issue. For other errors, such as
// an empty response or an unparseable response, an empty dictionary is returned.
- (NSDictionary *)performRequest:(NSURLRequest *)request timeout:(NSTimeInterval)timeout {
NSHTTPURLResponse *response;
NSError *error;

8
Source/santactl/Commands/sync/SNTCommandSyncState.h
View File

@@ -65,9 +65,6 @@
/// Array of bundle IDs to find binaries for.
@property NSArray *bundleBinaryRequests;
/// Rules downloaded from server.
@property NSMutableArray *downloadedRules;
/// Returns YES if the santactl session is running as a daemon, returns NO otherwise.
@property BOOL daemon;
@@ -75,6 +72,9 @@
@property BOOL targetedRuleSync;
/// Reference to the sync manager's ruleSyncCache. Used to lookup binary names for notifications.
@property(weak) NSCache *ruleSyncCache;
@property(weak) NSMutableDictionary *whitelistNotifications;
/// Reference to the serial operation queue used for accessing whitelistNotifications.
@property(weak) NSOperationQueue *whitelistNotificationQueue;
@end

68
Source/santactl/SNTCommand.h Normal file
View File

@@ -0,0 +1,68 @@
/// Copyright 2017 Google Inc. All rights reserved.
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// http://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
@import Foundation;
@class SNTXPCConnection;
@protocol SNTCommandProtocol
///
/// @return YES if command requires root.
///
+ (BOOL)requiresRoot;
///
/// @return YES if command requires connection to santad.
///
+ (BOOL)requiresDaemonConn;
///
/// A small summary of the command, to be printed with the list of available commands
///
+ (NSString *)shortHelpText;
///
/// A longer description of the command when the user runs <tt>santactl help x</tt>
///
+ (NSString *)longHelpText;
@end
@protocol SNTCommandRunProtocol
///
/// Called when the user is running the command
/// @param arguments an array of arguments passed in
/// @param daemonConn connection to santad. Will be nil if connection failed or
/// if @c requiresDaemonConn is @c NO
///
/// @note This method (or one of the methods it calls) is responsible for calling exit().
///
+ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn;
@end
@interface SNTCommand : NSObject<SNTCommandRunProtocol>
@property(nonatomic,readonly) SNTXPCConnection *daemonConn;
/// Designated initializer
- (instancetype)initWithDaemonConnection:(SNTXPCConnection *)daemonConn;
- (void)runWithArguments:(NSArray *)arguments;
- (void)printErrorUsageAndExit:(NSString *)error;
@end

43
Source/santactl/SNTCommand.m Normal file
View File

@@ -0,0 +1,43 @@
/// Copyright 2017 Google Inc. All rights reserved.
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// http://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
#import "SNTCommand.h"
@implementation SNTCommand
+ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
id cmd = [[self alloc] initWithDaemonConnection:daemonConn];
[cmd runWithArguments:arguments];
}
- (instancetype)initWithDaemonConnection:(SNTXPCConnection *)daemonConn {
self = [super init];
if (self) {
_daemonConn = daemonConn;
}
return self;
}
- (void)runWithArguments:(NSArray *)arguments {
// This method must be overridden.
[self doesNotRecognizeSelector:_cmd];
}
- (void)printErrorUsageAndExit:(NSString *)error {
fprintf(stderr, "%s\n\n", [error UTF8String]);
fprintf(stderr, "%s\n", [[[self class] longHelpText] UTF8String]);
exit(1);
}
@end

40
Source/santactl/SNTCommandController.h
View File

@@ -14,44 +14,10 @@
@import Foundation;
#import "SNTCommand.h"
@class SNTXPCConnection;
///
/// Protocol that each command must adhere to.
///
@protocol SNTCommand<NSObject>
///
/// @return YES if command requires root.
///
+ (BOOL)requiresRoot;
///
/// @return YES if command requires connection to santad.
///
+ (BOOL)requiresDaemonConn;
///
/// A small summary of the command, to be printed with the list of available commands
///
+ (NSString *)shortHelpText;
///
/// A longer description of the command when the user runs <tt>santactl help x</tt>
///
+ (NSString *)longHelpText;
///
/// Called when the user is running the command
/// @param arguments an array of arguments passed in
/// @param daemonConn connection to santad. Will be nil if connection failed or
/// if @c requiresDaemonConn is @c NO
///
/// @note This method (or one of the methods it calls) is responsible for calling exit().
///
+ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn;
@end
///
/// Responsible for maintaining the list of available commands by name, printing their help text
/// when requested and launching them when requested. All of the methods in this class are
@@ -64,7 +30,7 @@
/// Register a new command with the specified name. Do not use this directly, use the
/// @c REGISTER_COMMAND_NAME macro instead.
///
+ (void)registerCommand:(Class<SNTCommand>)command named:(NSString *)name;
+ (void)registerCommand:(Class<SNTCommandProtocol>)command named:(NSString *)name;
///
/// @return a usage string listing all of the available commands

11
Source/santactl/SNTCommandController.m
View File

@@ -24,7 +24,8 @@
/// Value is the Class
static NSMutableDictionary *registeredCommands;
+ (void)registerCommand:(Class<SNTCommand>)command named:(NSString *)name {
+ (void)registerCommand:(Class<SNTCommandProtocol, SNTCommandRunProtocol>)command
named:(NSString *)name {
if (!registeredCommands) {
registeredCommands = [NSMutableDictionary dictionary];
}
@@ -43,9 +44,9 @@ static NSMutableDictionary *registeredCommands;
for (NSString *cmdName in
[[registeredCommands allKeys] sortedArrayUsingSelector:@selector(caseInsensitiveCompare:)]) {
Class<SNTCommand> cmd = registeredCommands[cmdName];
Class<SNTCommandProtocol> command = registeredCommands[cmdName];
[helpText appendFormat:@"\t%*s - %@\n", longestCommandName,
[cmdName UTF8String], [cmd shortHelpText]];
[cmdName UTF8String], [command shortHelpText]];
}
[helpText appendFormat:@"\nSee 'santactl help <command>' to read about a specific subcommand."];
@@ -53,7 +54,7 @@ static NSMutableDictionary *registeredCommands;
}
+ (NSString *)helpForCommandWithName:(NSString *)commandName {
Class<SNTCommand> command = registeredCommands[commandName];
Class<SNTCommandProtocol> command = registeredCommands[commandName];
if (command) {
NSString *shortHelp = [command shortHelpText];
NSString *longHelp = [command longHelpText];
@@ -86,7 +87,7 @@ static NSMutableDictionary *registeredCommands;
}
+ (void)runCommandWithName:(NSString *)commandName arguments:(NSArray *)arguments {
Class<SNTCommand> command = registeredCommands[commandName];
Class<SNTCommandProtocol, SNTCommandRunProtocol> command = registeredCommands[commandName];
if ([command requiresRoot] && getuid() != 0) {
printf("The command '%s' requires root privileges.\n", [commandName UTF8String]);

4
Source/santactl/main.m
View File

@@ -53,7 +53,9 @@ int main(int argc, const char *argv[]) {
}
[arguments removeObjectAtIndex:0];
if ([commandName isEqualToString:@"help"]) {
if ([commandName isEqualToString:@"help"] ||
[commandName isEqualToString:@"-h"] ||
[commandName isEqualToString:@"--help"]) {
if ([arguments count]) {
// User wants help for specific command
commandName = [arguments firstObject];

175
Source/santad/SNTApplication.m
View File

@@ -16,9 +16,6 @@
@import DiskArbitration;
#include <sys/stat.h>
#include <sys/types.h>
#import "SNTCommonEnums.h"
#import "SNTConfigurator.h"
#import "SNTDaemonControlController.h"
@@ -28,21 +25,22 @@
#import "SNTEventLog.h"
#import "SNTEventTable.h"
#import "SNTExecutionController.h"
#import "SNTFileWatcher.h"
#import "SNTLogging.h"
#import "SNTNotificationQueue.h"
#import "SNTRuleTable.h"
#import "SNTSyncdQueue.h"
#import "SNTXPCConnection.h"
#import "SNTXPCControlInterface.h"
#import "SNTXPCNotifierInterface.h"
@interface SNTApplication ()
@property DASessionRef diskArbSession;
@property SNTDriverManager *driverManager;
@property SNTEventLog *eventLog;
@property SNTExecutionController *execController;
@property SNTFileWatcher *configFileWatcher;
@property SNTXPCConnection *controlConnection;
@property SNTNotificationQueue *notQueue;
@property pid_t syncdPID;
@end
@implementation SNTApplication
@@ -70,19 +68,41 @@
return nil;
}
SNTNotificationQueue *notQueue = [[SNTNotificationQueue alloc] init];
_eventLog = [[SNTEventLog alloc] init];
self.notQueue = [[SNTNotificationQueue alloc] init];
SNTSyncdQueue *syncdQueue = [[SNTSyncdQueue alloc] init];
// Restart santactl if it goes down
syncdQueue.invalidationHandler = ^{
[self startSyncd];
};
// Listen for actionable config changes.
NSKeyValueObservingOptions bits = (NSKeyValueObservingOptionNew | NSKeyValueObservingOptionOld);
[[SNTConfigurator configurator] addObserver:self
forKeyPath:@"clientMode"
options:bits
context:NULL];
[[SNTConfigurator configurator] addObserver:self
forKeyPath:@"syncBaseURL"
options:bits
context:NULL];
[[SNTConfigurator configurator] addObserver:self
forKeyPath:@"whitelistPathRegex"
options:bits
context:NULL];
[[SNTConfigurator configurator] addObserver:self
forKeyPath:@"blacklistPathRegex"
options:bits
context:NULL];
// Establish XPC listener for Santa and santactl connections
SNTDaemonControlController *dc = [[SNTDaemonControlController alloc] init];
dc.driverManager = _driverManager;
dc.notQueue = notQueue;
dc.syncdQueue = syncdQueue;
SNTDaemonControlController *dc =
[[SNTDaemonControlController alloc] initWithDriverManager:_driverManager
notificationQueue:self.notQueue
syncdQueue:syncdQueue
eventLog:_eventLog];
_controlConnection =
[[SNTXPCConnection alloc] initServerWithName:[SNTXPCControlInterface serviceId]];
@@ -90,52 +110,11 @@
_controlConnection.exportedObject = dc;
[_controlConnection resume];
__block SNTClientMode origMode = [[SNTConfigurator configurator] clientMode];
__block NSURL *origSyncURL = [[SNTConfigurator configurator] syncBaseURL];
_configFileWatcher = [[SNTFileWatcher alloc] initWithFilePath:kDefaultConfigFilePath
handler:^(unsigned long data) {
if (data & DISPATCH_VNODE_ATTRIB) {
const char *cPath = [kDefaultConfigFilePath fileSystemRepresentation];
struct stat fileStat;
stat(cPath, &fileStat);
int mask = S_IRWXU | S_IRWXG | S_IRWXO;
int desired = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH;
if (fileStat.st_uid != 0 || fileStat.st_gid != 0 || (fileStat.st_mode & mask) != desired) {
LOGD(@"Config file permissions changed, fixing.");
chown(cPath, 0, 0);
chmod(cPath, desired);
}
} else {
LOGD(@"Config file changed, reloading.");
[[SNTConfigurator configurator] reloadConfigData];
// Flush cache if client just went into lockdown.
SNTClientMode newMode = [[SNTConfigurator configurator] clientMode];
if (origMode != newMode) {
origMode = newMode;
if (newMode == SNTClientModeLockdown) {
LOGI(@"Changed client mode, flushing cache.");
[self.driverManager flushCache];
}
}
// Start santactl if the syncBaseURL changed from nil --> somthing
NSURL *syncURL = [[SNTConfigurator configurator] syncBaseURL];
if (!origSyncURL && syncURL) {
origSyncURL = syncURL;
LOGI(@"SyncBaseURL added, starting santactl.");
[self startSyncd];
}
}
}];
_eventLog = [[SNTEventLog alloc] init];
// Initialize the binary checker object
_execController = [[SNTExecutionController alloc] initWithDriverManager:_driverManager
ruleTable:ruleTable
eventTable:eventTable
notifierQueue:notQueue
notifierQueue:self.notQueue
syncdQueue:syncdQueue
eventLog:_eventLog];
// Start up santactl as a daemon if a sync server exists.
@@ -147,18 +126,6 @@
return self;
}
- (void)startSyncd {
if (![[SNTConfigurator configurator] syncBaseURL]) return;
if (fork() == 0) {
// Ensure we have no privileges
if (!DropRootPrivileges()) {
_exit(EPERM);
}
_exit(execl(kSantaCtlPath, kSantaCtlPath, "sync", "--daemon", "--syslog", NULL));
}
}
- (void)start {
LOGI(@"Connected to driver, activating.");
@@ -253,20 +220,98 @@
void diskAppearedCallback(DADiskRef disk, void *context) {
SNTApplication *app = (__bridge SNTApplication *)context;
NSDictionary *props = CFBridgingRelease(DADiskCopyDescription(disk));
if (![props[@"DAVolumeMountable"] boolValue]) return;
[app.eventLog logDiskAppeared:props];
}
void diskDescriptionChangedCallback(DADiskRef disk, CFArrayRef keys, void *context) {
SNTApplication *app = (__bridge SNTApplication *)context;
NSDictionary *props = CFBridgingRelease(DADiskCopyDescription(disk));
if (![props[@"DAVolumeMountable"] boolValue]) return;
if (props[@"DAVolumePath"]) [app.eventLog logDiskAppeared:props];
}
void diskDisappearedCallback(DADiskRef disk, void *context) {
SNTApplication *app = (__bridge SNTApplication *)context;
NSDictionary *props = CFBridgingRelease(DADiskCopyDescription(disk));
if (![props[@"DAVolumeMountable"] boolValue]) return;
[app.eventLog logDiskDisappeared:props];
[app.driverManager flushCacheNonRootOnly:YES];
}
- (void)startSyncd {
if (![[SNTConfigurator configurator] syncBaseURL]) return;
[self stopSyncd];
self.syncdPID = fork();
if (self.syncdPID == -1) {
LOGI(@"Failed to fork");
self.syncdPID = 0;
} else if (self.syncdPID == 0) {
// Ensure we have no privileges
if (!DropRootPrivileges()) {
_exit(EPERM);
}
_exit(execl(kSantaCtlPath, kSantaCtlPath, "sync", "--daemon", "--syslog", NULL));
}
LOGI(@"santactl started with pid: %i", self.syncdPID);
}
- (void)stopSyncd {
if (!self.syncdPID) return;
int ret = kill(self.syncdPID, SIGKILL);
LOGD(@"kill(%i, 9) = %i", self.syncdPID, ret);
self.syncdPID = 0;
}
- (void)observeValueForKeyPath:(NSString *)keyPath
ofObject:(id)object
change:(NSDictionary<NSString *,id> *)change
context:(void *)context {
if ([keyPath isEqualToString:@"clientMode"]) {
SNTClientMode new =
[change[@"new"] isKindOfClass:[NSNumber class]] ? [change[@"new"] longLongValue] : 0;
SNTClientMode old =
[change[@"old"] isKindOfClass:[NSNumber class]] ? [change[@"old"] longLongValue] : 0;
if (new != old) [self clientModeDidChange:new];
} else if ([keyPath isEqualToString:@"syncBaseURL"]) {
NSURL *new = [change[@"new"] isKindOfClass:[NSURL class]] ? change[@"new"] : nil;
NSURL *old = [change[@"old"] isKindOfClass:[NSURL class]] ? change[@"old"] : nil;
if (!new && !old) return;
if (![new.absoluteString isEqualToString:old.absoluteString]) [self syncBaseURLDidChange:new];
} else if ([keyPath isEqualToString:@"whitelistPathRegex"] ||
[keyPath isEqualToString:@"blacklistPathRegex"]) {
NSRegularExpression *new =
[change[@"new"] isKindOfClass:[NSRegularExpression class]] ? change[@"new"] : nil;
NSRegularExpression *old =
[change[@"old"] isKindOfClass:[NSRegularExpression class]] ? change[@"old"] : nil;
if (!new && !old) return;
if (![new.pattern isEqualToString:old.pattern]) {
LOGI(@"Changed [white|black]list regex, flushing cache");
[self.driverManager flushCacheNonRootOnly:NO];
}
}
}
- (void)clientModeDidChange:(SNTClientMode)clientMode {
if (clientMode == SNTClientModeLockdown) {
LOGI(@"Changed client mode, flushing cache.");
[self.driverManager flushCacheNonRootOnly:NO];
}
[[self.notQueue.notifierConnection remoteObjectProxy] postClientModeNotification:clientMode];
}
- (void)syncBaseURLDidChange:(NSURL *)syncBaseURL {
if (syncBaseURL) {
LOGI(@"Starting santactl with new SyncBaseURL: %@", syncBaseURL);
[self startSyncd];
} else {
LOGI(@"SyncBaseURL removed, killing santactl pid: %i", self.syncdPID);
[self stopSyncd];
[[SNTConfigurator configurator] clearSyncState];
}
}
@end

9
Source/santad/SNTDaemonControlController.h
View File

@@ -17,6 +17,7 @@
#import "SNTXPCControlInterface.h"
@class SNTDriverManager;
@class SNTEventLog;
@class SNTNotificationQueue;
@class SNTSyncdQueue;
@@ -25,8 +26,8 @@
///
@interface SNTDaemonControlController : NSObject<SNTDaemonControlXPC>
@property SNTDriverManager *driverManager;
@property SNTNotificationQueue *notQueue;
@property SNTSyncdQueue *syncdQueue;
- (instancetype)initWithDriverManager:(SNTDriverManager *)driverManager
notificationQueue:(SNTNotificationQueue *)notQueue
syncdQueue:(SNTSyncdQueue *)syncdQueue
eventLog:(SNTEventLog *)eventLog;
@end

70
Source/santad/SNTDaemonControlController.m
View File

@@ -15,9 +15,11 @@
#import "SNTDaemonControlController.h"
#import "SNTCachedDecision.h"
#import "SNTCommonEnums.h"
#import "SNTConfigurator.h"
#import "SNTDatabaseController.h"
#import "SNTDriverManager.h"
#import "SNTEventLog.h"
#import "SNTEventTable.h"
#import "SNTLogging.h"
#import "SNTNotificationQueue.h"
@@ -41,28 +43,39 @@ double watchdogRAMPeak = 0;
@interface SNTDaemonControlController ()
@property NSString *_syncXsrfToken;
@property SNTPolicyProcessor *policyProcessor;
@property SNTEventLog *eventLog;
@property SNTDriverManager *driverManager;
@property SNTNotificationQueue *notQueue;
@property SNTSyncdQueue *syncdQueue;
@end
@implementation SNTDaemonControlController
- (instancetype)init {
- (instancetype)initWithDriverManager:(SNTDriverManager *)driverManager
notificationQueue:(SNTNotificationQueue *)notQueue
syncdQueue:(SNTSyncdQueue *)syncdQueue
eventLog:(SNTEventLog *)eventLog {
self = [super init];
if (self) {
_policyProcessor = [[SNTPolicyProcessor alloc] initWithRuleTable:
[SNTDatabaseController ruleTable]];
_driverManager = driverManager;
_notQueue = notQueue;
_syncdQueue = syncdQueue;
_eventLog = eventLog;
}
return self;
}
#pragma mark Kernel ops
- (void)cacheCount:(void (^)(int64_t))reply {
int64_t count = [self.driverManager cacheCount];
reply(count);
- (void)cacheCounts:(void (^)(uint64_t, uint64_t))reply {
NSArray<NSNumber *> *counts = [self.driverManager cacheCounts];
reply([counts[0] unsignedLongLongValue], [counts[1] unsignedLongLongValue]);
}
- (void)flushCache:(void (^)(BOOL))reply {
reply([self.driverManager flushCache]);
reply([self.driverManager flushCacheNonRootOnly:NO]);
}
- (void)checkCacheForVnodeID:(uint64_t)vnodeID withReply:(void (^)(santa_action_t))reply {
@@ -86,7 +99,7 @@ double watchdogRAMPeak = 0;
NSPredicate *p = [NSPredicate predicateWithFormat:@"SELF.state != %d", SNTRuleStateWhitelist];
if ([rules filteredArrayUsingPredicate:p].count || cleanSlate) {
LOGI(@"Received non-whitelist rule, flushing cache");
[self.driverManager flushCache];
[self.driverManager flushCacheNonRootOnly:NO];
}
reply(error);
@@ -133,10 +146,7 @@ double watchdogRAMPeak = 0;
}
- (void)setClientMode:(SNTClientMode)mode reply:(void (^)())reply {
if ([[SNTConfigurator configurator] clientMode] != mode) {
[[SNTConfigurator configurator] setClientMode:mode];
[[self.notQueue.notifierConnection remoteObjectProxy] postClientModeNotification:mode];
}
[[SNTConfigurator configurator] setSyncServerClientMode:mode];
reply();
}
@@ -149,16 +159,28 @@ double watchdogRAMPeak = 0;
reply();
}
- (void)setSyncLastSuccess:(NSDate *)date reply:(void (^)())reply {
- (void)fullSyncLastSuccess:(void (^)(NSDate *))reply {
reply([[SNTConfigurator configurator] fullSyncLastSuccess]);
}
- (void)setFullSyncLastSuccess:(NSDate *)date reply:(void (^)())reply {
[[SNTConfigurator configurator] setFullSyncLastSuccess:date];
reply();
}
- (void)ruleSyncLastSuccess:(void (^)(NSDate *))reply {
reply([[SNTConfigurator configurator] ruleSyncLastSuccess]);
}
- (void)setRuleSyncLastSuccess:(NSDate *)date reply:(void (^)())reply {
[[SNTConfigurator configurator] setRuleSyncLastSuccess:date];
reply();
}
- (void)syncCleanRequired:(void (^)(BOOL))reply {
reply([[SNTConfigurator configurator] syncCleanRequired]);
}
- (void)setSyncCleanRequired:(BOOL)cleanReqd reply:(void (^)())reply {
[[SNTConfigurator configurator] setSyncCleanRequired:cleanReqd];
reply();
@@ -168,9 +190,7 @@ double watchdogRAMPeak = 0;
NSRegularExpression *re = [NSRegularExpression regularExpressionWithPattern:pattern
options:0
error:NULL];
[[SNTConfigurator configurator] setWhitelistPathRegex:re];
LOGI(@"Received new whitelist regex, flushing cache");
[self.driverManager flushCache];
[[SNTConfigurator configurator] setSyncServerWhitelistPathRegex:re];
reply();
}
@@ -178,9 +198,7 @@ double watchdogRAMPeak = 0;
NSRegularExpression *re = [NSRegularExpression regularExpressionWithPattern:pattern
options:0
error:NULL];
[[SNTConfigurator configurator] setBlacklistPathRegex:re];
LOGI(@"Received new blacklist regex, flushing cache");
[self.driverManager flushCache];
[[SNTConfigurator configurator] setSyncServerBlacklistPathRegex:re];
reply();
}
@@ -280,15 +298,25 @@ double watchdogRAMPeak = 0;
// Add the updated event.
[eventTable addStoredEvent:event];
// Log all of the generated bundle events.
[self.eventLog logBundleHashingEvents:events];
WEAKIFY(self);
// Sync the updated event. If the sync server needs the related events, add them to the eventTable
// and upload them too.
[self.syncdQueue addBundleEvent:event reply:^(BOOL needRelatedEvents) {
[self.syncdQueue addBundleEvent:event reply:^(SNTBundleEventAction action) {
STRONGIFY(self);
if (needRelatedEvents) {
[eventTable addStoredEvents:events];
[self.syncdQueue addBundleEvents:events];
switch(action) {
case SNTBundleEventActionDropEvents:
break;
case SNTBundleEventActionStoreEvents:
[eventTable addStoredEvents:events];
break;
case SNTBundleEventActionSendEvents:
[eventTable addStoredEvents:events];
[self.syncdQueue addEvents:events isFromBundle:YES];
break;
}
}];
}

8
Source/santad/SNTDriverManager.h
View File

@@ -48,18 +48,18 @@
- (kern_return_t)postToKernelAction:(santa_action_t)action forVnodeID:(uint64_t)vnodeId;
///
/// Get the number of binaries in the kernel's cache.
/// Get the number of binaries in the kernel's caches.
///
- (uint64_t)cacheCount;
- (NSArray<NSNumber *> *)cacheCounts;
///
/// Flush the kernel's binary cache.
///
- (BOOL)flushCache;
- (BOOL)flushCacheNonRootOnly:(BOOL)nonRootOnly;
///
/// Check the kernel cache for a VnodeID
///
-(santa_action_t)checkCache:(uint64_t)vnodeID;
- (santa_action_t)checkCache:(uint64_t)vnodeID;
@end

27
Source/santad/SNTDriverManager.m
View File

@@ -162,27 +162,40 @@ static const int MAX_DELAY = 15;
1,
0,
0);
case ACTION_RESPOND_ACK:
return IOConnectCallScalarMethod(_connection,
kSantaUserClientAcknowledgeBinary,
&vnodeId,
1,
0,
0);
default:
return KERN_INVALID_ARGUMENT;
}
}
- (uint64_t)cacheCount {
uint32_t input_count = 1;
uint64_t cache_count = 0;
- (NSArray<NSNumber *> *)cacheCounts {
uint32_t input_count = 2;
uint64_t cache_counts[2] = {0, 0};
IOConnectCallScalarMethod(_connection,
kSantaUserClientCacheCount,
0,
0,
&cache_count,
cache_counts,
&input_count);
return cache_count;
return @[ @(cache_counts[0]), @(cache_counts[1]) ];
}
- (BOOL)flushCache {
- (BOOL)flushCacheNonRootOnly:(BOOL)nonRootOnly {
const uint64_t nonRoot = nonRootOnly;
return IOConnectCallScalarMethod(_connection,
kSantaUserClientClearCache, 0, 0, 0, 0) == KERN_SUCCESS;
kSantaUserClientClearCache,
&nonRoot,
1,
0,
0) == KERN_SUCCESS;
}
- (santa_action_t)checkCache:(uint64_t)vnodeID {

2
Source/santad/SNTEventLog.h
View File

@@ -17,6 +17,7 @@
#import "SNTKernelCommon.h"
@class SNTCachedDecision;
@class SNTStoredEvent;
///
/// Logs execution and file write events to syslog
@@ -32,4 +33,5 @@
- (void)logDeniedExecution:(SNTCachedDecision *)cd withMessage:(santa_message_t)message;
- (void)logAllowedExecution:(santa_message_t)message;
- (void)logBundleHashingEvents:(NSArray<SNTStoredEvent *> *)events;
@end

83
Source/santad/SNTEventLog.m
View File

@@ -14,6 +14,7 @@
#import "SNTEventLog.h"
#include <dlfcn.h>
#include <grp.h>
#include <libproc.h>
#include <pwd.h>
@@ -26,6 +27,7 @@
#import "SNTFileInfo.h"
#import "SNTKernelCommon.h"
#import "SNTLogging.h"
#import "SNTStoredEvent.h"
@interface SNTEventLog ()
@property NSMutableDictionary<NSNumber *, SNTCachedDecision *> *detailStore;
@@ -181,11 +183,7 @@
[outLog appendFormat:@"|explain=%@", cd.decisionExtra];
}
[outLog appendFormat:@"|sha256=%@|path=%@", cd.sha256, [self sanitizeString:@(message.path)]];
if (logArgs) {
[self addArgsForPid:message.pid toString:outLog];
}
[outLog appendFormat:@"|sha256=%@", cd.sha256];
if (cd.certSHA256) {
[outLog appendFormat:@"|cert_sha256=%@|cert_cn=%@", cd.certSHA256,
@@ -206,18 +204,26 @@
mode = @"U"; break;
}
[outLog appendFormat:@"|pid=%d|ppid=%d|uid=%d|user=%@|gid=%d|group=%@|mode=%@",
[outLog appendFormat:@"|pid=%d|ppid=%d|uid=%d|user=%@|gid=%d|group=%@|mode=%@|path=%@",
message.pid, message.ppid,
message.uid, [self nameForUID:message.uid],
message.gid, [self nameForGID:message.gid],
mode];
mode, [self sanitizeString:@(message.path)]];
// Check for app translocation by GateKeeper, and log original path if the case.
NSString *originalPath = [self originalPathForTranslocation:message];
if (originalPath) {
[outLog appendFormat:@"|origpath=%@", [self sanitizeString:originalPath]];
}
if (logArgs) {
[self addArgsForPid:message.pid toString:outLog];
}
LOGI(@"%@", outLog);
}
- (void)logDiskAppeared:(NSDictionary *)diskProperties {
if (![diskProperties[@"DAVolumeMountable"] boolValue]) return;
NSString *dmgPath = @"";
NSString *serial = @"";
if ([diskProperties[@"DADeviceModel"] isEqual:@"Disk Image"]) {
@@ -252,14 +258,24 @@
}
- (void)logDiskDisappeared:(NSDictionary *)diskProperties {
if (![diskProperties[@"DAVolumeMountable"] boolValue]) return;
LOGI(@"action=DISKDISAPPEAR|mount=%@|volume=%@|bsdname=%@",
[diskProperties[@"DAVolumePath"] path] ?: @"",
diskProperties[@"DAVolumeName"] ?: @"",
diskProperties[@"DAMediaBSDName"]);
}
- (void)logBundleHashingEvents:(NSArray<SNTStoredEvent *> *)events {
for (SNTStoredEvent *event in events) {
LOGI(@"action=BUNDLE|sha256=%@|bundlehash=%@|bundlename=%@|bundleid=%@|bundlepath=%@|path=%@",
event.fileSHA256,
event.fileBundleHash,
event.fileBundleName,
event.fileBundleID,
event.fileBundlePath,
event.filePath);
}
}
#pragma mark Helpers
/**
@@ -501,4 +517,49 @@
return serial;
}
/**
Uses the executable path, uid, and gid from a given santa_message_t to determine if the path
has been translocated by GateKeeper and if so, returns the original path of the executable. This
requires macOS 10.12 or higher. We use dlopen to access the functions we need in
Security.framework so that we can still build against the 10.11 SDK. If the path has not been
translocated or if running on macOS prior to 10.12, this method returns nil.
*/
- (NSString *)originalPathForTranslocation:(santa_message_t)message {
// The first time this function is called, we attempt to find the addresses of
// SecTranslocateIsTranslocatedURL and SecTranslocateCreateOriginalPathForURL inside of the
// Security.framework library. If we were successful, handle will be non-NULL and is never
// closed.
static Boolean (*IsTranslocatedURL)(CFURLRef, bool *, CFErrorRef *) = NULL;
static CFURLRef __nullable (*CreateOriginalPathForURL)(CFURLRef, CFErrorRef *) = NULL;
static dispatch_once_t token;
dispatch_once(&token, ^{
void *handle = dlopen("/System/Library/Frameworks/Security.framework/Security", RTLD_LAZY);
if (handle) {
IsTranslocatedURL = dlsym(handle, "SecTranslocateIsTranslocatedURL");
CreateOriginalPathForURL = dlsym(handle, "SecTranslocateCreateOriginalPathForURL");
if (!IsTranslocatedURL || !CreateOriginalPathForURL) {
IsTranslocatedURL = NULL;
CreateOriginalPathForURL = NULL;
dlclose(handle);
}
}
});
// If we couldn't open the library or find the functions we need, don't do anything.
if (!IsTranslocatedURL || !CreateOriginalPathForURL) return nil;
// Determine if the executable URL has been translocated or not.
CFURLRef cfExecURL = (__bridge CFURLRef)[NSURL fileURLWithPath:@(message.path)];
bool isTranslocated = false;
if (!IsTranslocatedURL(cfExecURL, &isTranslocated, NULL) || !isTranslocated) return nil;
// SecTranslocateCreateOriginalPathForURL requires that our uid be the same as the user who
// launched the executable. So we temporarily drop from root down to this uid, then reset.
pthread_setugid_np(message.uid, message.gid);
NSURL *origURL = CFBridgingRelease(CreateOriginalPathForURL(cfExecURL, NULL));
pthread_setugid_np(KAUTH_UID_NONE, KAUTH_GID_NONE);
return [origURL path]; // this will be nil if there was an error
}
@end

24
Source/santad/SNTExecutionController.m
View File

@@ -38,6 +38,12 @@
#import "SNTStoredEvent.h"
#import "SNTSyncdQueue.h"
// A binary is considered large at ~30MB. Large binaries take longer to hash and consequently
// longer to post a decision back to santa-driver. When a binary is considered large santad will
// let santa-driver know it has received its request and is working on a decision. This allows
// santa-driver to relax; it does not have to worry about resending the request due to a timeout.
static size_t kLargeBinarySize = 30 * 1024 * 1024;
@interface SNTExecutionController ()
@property SNTDriverManager *driverManager;
@property SNTEventLog *eventLog;
@@ -102,15 +108,19 @@
return;
}
// If the binary is large let santa-driver know we received the request and we are working on it.
if (binInfo.fileSize > kLargeBinarySize) {
LOGD(@"%@ is larger than %zu. Letting santa-driver know we are working on it.",
binInfo.path, kLargeBinarySize);
[_driverManager postToKernelAction:ACTION_RESPOND_ACK forVnodeID:message.vnode_id];
}
// Get codesigning info about the file.
NSError *csError;
MOLCodesignChecker *csInfo = [[MOLCodesignChecker alloc] initWithBinaryPath:binInfo.path
error:&csError];
// We specifically ignore CSInfoPlistFailed (-67030) as it sometimes appears spuriously
// when trying to validate a binary separately from its bundle.
if (csError && csError.code != errSecCSInfoPlistFailed) {
csInfo = nil;
}
// Ignore codesigning if there are any errors with the signature.
if (csError) csInfo = nil;
// Actually make the decision.
SNTCachedDecision *cd = [self.policyProcessor decisionForFileInfo:binInfo
@@ -178,7 +188,7 @@
[_eventLog logDeniedExecution:cd withMessage:message];
if ([[SNTConfigurator configurator] bundlesEnabled] && binInfo.bundle) {
// If the binary is apart of a bundle, find and hash all the related binaries in the bundle.
// If the binary is part of a bundle, find and hash all the related binaries in the bundle.
// Let the GUI know hashing is needed. Once the hashing is complete the GUI will send a
// message to santad to perform the upload logic for bundles.
// See syncBundleEvent:relatedEvents: for more info.
@@ -187,7 +197,7 @@
// So the server has something to show the user straight away, initiate an event
// upload for the blocked binary rather than waiting for the next sync.
dispatch_async(_eventQueue, ^{
[_syncdQueue addEvent:se];
[_syncdQueue addEvents:@[se] isFromBundle:NO];
});
}

10
Source/santad/SNTPolicyProcessor.m
View File

@@ -132,16 +132,16 @@
/// @return @c YES if file is in scope, @c NO otherwise.
///
- (NSString *)fileIsScopeWhitelisted:(SNTFileInfo *)fi {
if (!fi) return nil;
// Determine if file is within a whitelisted path
NSRegularExpression *re = [[SNTConfigurator configurator] whitelistPathRegex];
if ([re numberOfMatchesInString:fi.path options:0 range:NSMakeRange(0, fi.path.length)]) {
return @"Whitelist Regex";
}
// If file is not a Mach-O file, we're not interested unless it's part of an install package.
// TODO(rah): Consider adding an option to check all scripts.
// TODO(rah): Consider adding an option to disable package script checks.
if (!fi.isMachO && ![fi.path hasPrefix:@"/private/tmp/PKInstallSandbox."]) {
// If file is not a Mach-O file, we're not interested.
if (!fi.isMachO) {
return @"Not a Mach-O";
}
@@ -149,6 +149,8 @@
}
- (NSString *)fileIsScopeBlacklisted:(SNTFileInfo *)fi {
if (!fi) return nil;
NSRegularExpression *re = [[SNTConfigurator configurator] blacklistPathRegex];
if ([re numberOfMatchesInString:fi.path options:0 range:NSMakeRange(0, fi.path.length)]) {
return @"Blacklist Regex";

7
Source/santad/SNTSyncdQueue.h
View File

@@ -14,6 +14,8 @@
@import Foundation;
#import "SNTCommonEnums.h"
@class SNTStoredEvent;
@class SNTXPCConnection;
@@ -23,9 +25,8 @@
@property(copy) void (^invalidationHandler)();
@property(copy) void (^acceptedHandler)();
- (void)addEvent:(SNTStoredEvent *)event;
- (void)addBundleEvents:(NSArray<SNTStoredEvent *> *)events;
- (void)addBundleEvent:(SNTStoredEvent *)event reply:(void (^)(BOOL))reply;
- (void)addEvents:(NSArray<SNTStoredEvent *> *)events isFromBundle:(BOOL)isFromBundle;
- (void)addBundleEvent:(SNTStoredEvent *)event reply:(void (^)(SNTBundleEventAction))reply;
- (void)startSyncingEvents;
- (void)stopSyncingEvents;

55
Source/santad/SNTSyncdQueue.m
View File

@@ -38,33 +38,32 @@
return self;
}
- (void)addBundleEvents:(NSArray<SNTStoredEvent *> *)events {
if (![self backoffForBundleHash:events.firstObject.fileBundleHash]) return;
- (void)addEvents:(NSArray<SNTStoredEvent *> *)events isFromBundle:(BOOL)isFromBundle {
if (!events.count) return;
SNTStoredEvent *first = events.firstObject;
NSString *hash = isFromBundle ? first.fileBundleHash : first.fileSHA256;
if (![self backoffForPrimaryHash:hash]) return;
[self dispatchBlockOnSyncdQueue:^{
[self.syncdConnection.remoteObjectProxy postBundleEventsToSyncServer:events];
[self.syncdConnection.remoteObjectProxy postEventsToSyncServer:events
isFromBundle:isFromBundle];
}];
}
- (void)addBundleEvent:(SNTStoredEvent *)event reply:(void (^)(BOOL))reply {
if (![self backoffForBundleHash:event.fileBundleHash]) return;
- (void)addBundleEvent:(SNTStoredEvent *)event reply:(void (^)(SNTBundleEventAction))reply {
if (![self backoffForPrimaryHash:event.fileBundleHash]) return;
[self dispatchBlockOnSyncdQueue:^{
[self.syncdConnection.remoteObjectProxy postBundleEventToSyncServer:event
reply:^(BOOL needRelatedEvents) {
// Remove the backoff entry for the inital block event. The same event will be included in the
// related events synced using addBundleEvents:.
if (needRelatedEvents) [self.uploadBackoff removeObjectForKey:event.fileBundleHash];
reply(needRelatedEvents);
[self.syncdConnection.remoteObjectProxy
postBundleEventToSyncServer:event reply:^(SNTBundleEventAction action) {
// Remove the backoff entry for the inital block event. The same event will be included in
// the related events synced using addEvents:isFromBundle:.
if (action == SNTBundleEventActionSendEvents) {
[self.uploadBackoff removeObjectForKey:event.fileBundleHash];
}
reply(action);
}];
}];
}
- (void)addEvent:(SNTStoredEvent *)event {
if (![self backoffForEvent:event]) return;
[self dispatchBlockOnSyncdQueue:^{
[self.syncdConnection.remoteObjectProxy postEventToSyncServer:event];
}];
}
- (void)startSyncingEvents {
dispatch_semaphore_signal(self.sema);
}
@@ -87,23 +86,13 @@
});
}
// The event upload is skipped if an event upload has been initiated for it in the
// last 10 minutes.
- (BOOL)backoffForEvent:(SNTStoredEvent *)event {
NSDate *backoff = [self.uploadBackoff objectForKey:event.fileSHA256];
// The event upload is skipped if an event has been initiated for it in the last 10 minutes.
// The passed-in hash is fileBundleHash for a bundle event, or fileSHA256 for a normal event.
- (BOOL)backoffForPrimaryHash:(NSString *)hash {
NSDate *backoff = [self.uploadBackoff objectForKey:hash];
NSDate *now = [NSDate date];
if (([now timeIntervalSince1970] - [backoff timeIntervalSince1970]) < 600) return NO;
[self.uploadBackoff setObject:now forKey:event.fileSHA256];
return YES;
}
// The bundle event upload is skipped if a bundle event has been initiated for it in the
// last 10 minutes.
- (BOOL)backoffForBundleHash:(NSString *)bundleHash {
NSDate *backoff = [self.uploadBackoff objectForKey:bundleHash];
NSDate *now = [NSDate date];
if (([now timeIntervalSince1970] - [backoff timeIntervalSince1970]) < 600) return NO;
[self.uploadBackoff setObject:now forKey:bundleHash];
[self.uploadBackoff setObject:now forKey:hash];
return YES;
}

50
Tests/KernelTests/main.mm
View File

@@ -99,12 +99,16 @@
IOConnectCallScalarMethod(self.connection, kSantaUserClientAllowBinary, &vnodeid, 1, 0, 0);
} else if (action == ACTION_RESPOND_DENY) {
IOConnectCallScalarMethod(self.connection, kSantaUserClientDenyBinary, &vnodeid, 1, 0, 0);
} else if (action == ACTION_RESPOND_ACK) {
IOConnectCallScalarMethod(self.connection, kSantaUserClientAcknowledgeBinary,
&vnodeid, 1, 0, 0);
}
}
/// Call in-kernel function: |kSantaUserClientClearCache|
- (void)flushCache {
IOConnectCallScalarMethod(self.connection, kSantaUserClientClearCache, 0, 0, 0, 0);
uint64_t nonRootOnly = 0;
IOConnectCallScalarMethod(self.connection, kSantaUserClientClearCache, &nonRootOnly, 1, 0, 0);
}
#pragma mark - Connection Tests
@@ -238,6 +242,18 @@
} else if (strncmp("/bin/cat", vdata.path, strlen("/bin/cat")) == 0) {
[self postToKernelAction:ACTION_RESPOND_ALLOW forVnodeID:vdata.vnode_id];
self.timesSeenCat++;
} else if (strncmp("/usr/bin/cal", vdata.path, strlen("/usr/bin/cal")) == 0) {
static int count = 0;
if (count++) TFAILINFO("Large binary should not re-request");
[self postToKernelAction:ACTION_RESPOND_ACK forVnodeID:vdata.vnode_id];
for (int i = 0; i < 15; ++i) {
printf("\033[s"); // save cursor position
printf("%i/15", i);
sleep(1);
printf("\033[u"); // restore cursor position
}
printf("\033[K\033[u"); // clear line, restore cursor position
[self postToKernelAction:ACTION_RESPOND_ALLOW forVnodeID:vdata.vnode_id];
} else if (strncmp("/bin/ln", vdata.path, strlen("/bin/ln")) == 0) {
[self postToKernelAction:ACTION_RESPOND_ALLOW forVnodeID:vdata.vnode_id];
@@ -512,17 +528,20 @@
TSTART("Test cache performance");
// Execute echo 100 times, saving the time taken for each run
std::vector<std::clock_t> times;
std::vector<double> times;
for (int i = 0; i < 100; ++i) {
printf("\033[s"); // save cursor position
printf("%d/%d", i + 1, 100);
auto start = std::clock();
NSTask *t = [[NSTask alloc] init];
t.launchPath = @"/bin/echo";
t.standardOutput = [NSPipe pipe];
auto start = std::chrono::steady_clock::now();
[t launch];
[t waitUntilExit];
if (i > 5) times.push_back(std::clock() - start);
auto end = std::chrono::steady_clock::now();
auto duration = std::chrono::duration_cast<std::chrono::milliseconds>(end - start).count();
if (i > 5) times.push_back(duration);
printf("\033[u"); // restore cursor position
}
@@ -541,15 +560,29 @@
std::for_each(times.begin(), times.end(), [&](const double d) {
accum += (d - mean) * (d - mean);
});
double stdev = sqrt(accum / (times.size()-1));
double stdev = sqrt(accum / (times.size() - 1));
if (mean > 1000 || stdev > 150) {
TFAILINFO("μ: %-3.2f σ: %-3.2f", mean, stdev);
if (mean > 80 || stdev > 10) {
TFAILINFO("ms: %-3.2f σ: %-3.2f", mean, stdev);
} else {
TPASSINFO("μ: %-3.2f σ: %-3.2f", mean, stdev);
TPASSINFO("ms: %-3.2f σ: %-3.2f", mean, stdev);
}
}
- (void)testLargeBinary {
TSTART("Handles large binary");
@try {
NSTask *testexec = [self taskWithPath:@"/usr/bin/cal"];
[testexec launch];
[testexec waitUntilExit];
} @catch (NSException *e) {
TFAILINFO("Failed to launch");
}
TPASS();
}
#pragma mark - Main
- (void)runTests {
@@ -576,6 +609,7 @@
printf("\n-> Performance tests:\033[m\n");
[self testCachePerformance];
[self testLargeBinary];
[self handlesLotsOfBinaries];
printf("\nAll tests passed.\n\n");

138
Tests/LogicTests/SNTCommandFileInfoTest.m
View File

@@ -17,28 +17,29 @@
#import <OCMock/OCMock.h>
#import "MOLCodesignChecker.h"
#import "SNTFileInfo.h"
#import "SNTXPCConnection.h"
@interface SNTCommandFileInfo : NSObject
typedef id (^SNTAttributeBlock)(SNTCommandFileInfo *);
@property(nonatomic) NSMutableDictionary *propertyMap;
typedef id (^SNTAttributeBlock)(SNTCommandFileInfo *, SNTFileInfo *);
@property(nonatomic) BOOL recursive;
@property(nonatomic) BOOL jsonOutput;
@property(nonatomic) NSNumber *certIndex;
@property(nonatomic, copy) NSArray<NSString *> *outputKeyList;
@property(nonatomic) NSDictionary<NSString *, SNTAttributeBlock> *propertyMap;
+ (NSArray *)fileInfoKeys;
+ (NSArray *)signingChainKeys;
- (SNTAttributeBlock)codeSigned;
- (instancetype)initWithFilePath:(NSString *)filePath
daemonConnection:(SNTXPCConnection *)daemonConn;
+ (void)parseArguments:(NSArray *)args
forKey:(NSString **)key
certIndex:(NSNumber **)certIndex
jsonOutput:(BOOL *)jsonOutput
filePaths:(NSArray **)filePaths;
- (instancetype)initWithDaemonConnection:(SNTXPCConnection *)daemonConn;
- (NSArray *)parseArguments:(NSArray *)arguments;
@end
@interface SNTCommandFileInfoTest : XCTestCase
@property SNTCommandFileInfo *cfi;
@property SNTFileInfo *fileInfo;
@property id cscMock;
@end
@@ -48,13 +49,15 @@ typedef id (^SNTAttributeBlock)(SNTCommandFileInfo *);
- (void)setUp {
[super setUp];
self.cfi = [[SNTCommandFileInfo alloc] initWithFilePath:nil daemonConnection:nil];
self.cfi = [[SNTCommandFileInfo alloc] initWithDaemonConnection:nil];
self.fileInfo = [[SNTFileInfo alloc] initWithResolvedPath:@"/usr/bin/yes" error:nil];
self.cscMock = OCMClassMock([MOLCodesignChecker class]);
OCMStub([self.cscMock alloc]).andReturn(self.cscMock);
}
- (void)tearDown {
self.cfi = nil;
self.fileInfo = nil;
[self.cscMock stopMocking];
self.cscMock = nil;
@@ -62,55 +65,39 @@ typedef id (^SNTAttributeBlock)(SNTCommandFileInfo *);
}
- (void)testParseArgumentsKey {
NSString *key;
NSNumber *certIndex;
BOOL jsonOutput = NO;
NSArray *filePaths;
[SNTCommandFileInfo parseArguments:@[ @"--key", @"SHA-256", @"/usr/bin/yes" ]
forKey:&key
certIndex:&certIndex
jsonOutput:&jsonOutput
filePaths:&filePaths];
XCTAssertEqualObjects(key, @"SHA-256");
NSArray *filePaths = [self.cfi parseArguments:@[ @"--key", @"SHA-256", @"/usr/bin/yes" ]];
XCTAssertTrue([self.cfi.outputKeyList containsObject:@"SHA-256"]);
XCTAssertTrue([filePaths containsObject:@"/usr/bin/yes"]);
}
- (void)testParseArgumentsCertIndex {
NSString *key;
NSNumber *certIndex;
BOOL jsonOutput = NO;
NSArray *filePaths;
[SNTCommandFileInfo parseArguments:@[ @"--cert-index", @"1", @"/usr/bin/yes" ]
forKey:&key
certIndex:&certIndex
jsonOutput:&jsonOutput
filePaths:&filePaths];
XCTAssertEqualObjects(certIndex, @(1));
NSArray *filePaths = [self.cfi parseArguments:@[ @"--cert-index", @"1", @"/usr/bin/yes" ]];
XCTAssertEqualObjects(self.cfi.certIndex, @(1));
XCTAssertTrue([filePaths containsObject:@"/usr/bin/yes"]);
}
- (void)testParseArgumentsJSON {
NSString *key;
NSNumber *certIndex;
BOOL jsonOutput = NO;
NSArray *filePaths;
[SNTCommandFileInfo parseArguments:@[ @"--json", @"/usr/bin/yes" ]
forKey:&key
certIndex:&certIndex
jsonOutput:&jsonOutput
filePaths:&filePaths];
XCTAssertTrue(jsonOutput);
- (void)testParseArgumentsJSONFalse {
NSArray *filePaths = [self.cfi parseArguments:@[ @"/usr/bin/yes" ]];
XCTAssertFalse(self.cfi.jsonOutput);
XCTAssertTrue([filePaths containsObject:@"/usr/bin/yes"]);
}
- (void)testParseArgumentsJSONFalseWithPath {
NSArray *filePaths = [self.cfi parseArguments:@[ @"/usr/bin/yes", @"json" ]];
XCTAssertFalse(self.cfi.jsonOutput);
XCTAssertTrue([filePaths containsObject:@"json"]);
}
- (void)testParseArgumentsJSONTrue {
NSArray *filePaths = [self.cfi parseArguments:@[ @"--json", @"/usr/bin/yes" ]];
XCTAssertTrue(self.cfi.jsonOutput);
XCTAssertTrue([filePaths containsObject:@"/usr/bin/yes"]);
}
- (void)testParseArgumentsFilePaths {
NSString *key;
NSNumber *certIndex;
BOOL jsonOutput = NO;
NSArray *filePaths;
NSArray *args = @[ @"/usr/bin/yes", @"/bin/mv", @"--key", @"SHA-256", @"/bin/ls", @"--json",
@"/bin/rm", @"--cert-index", @"1", @"/bin/cp"];
[SNTCommandFileInfo parseArguments:args
forKey:&key
certIndex:&certIndex
jsonOutput:&jsonOutput
filePaths:&filePaths];
@"/bin/rm", @"--cert-index", @"1", @"/bin/cp" ];
NSArray *filePaths = [self.cfi parseArguments:args];
XCTAssertEqual(filePaths.count, 5);
XCTAssertTrue([filePaths containsObject:@"/usr/bin/yes"]);
XCTAssertTrue([filePaths containsObject:@"/bin/mv"]);
@@ -119,22 +106,25 @@ typedef id (^SNTAttributeBlock)(SNTCommandFileInfo *);
XCTAssertTrue([filePaths containsObject:@"/bin/cp"]);
}
- (void)testParseArgumentsFilePathSameAsKey {
NSArray *filePaths = [self.cfi parseArguments:@[ @"--key", @"Rule", @"Rule"]];
XCTAssertTrue([self.cfi.outputKeyList containsObject:@"Rule"]);
XCTAssertEqual(filePaths.count, 1);
XCTAssertTrue([filePaths containsObject:@"Rule"]);
}
- (void)testKeysAlignWithPropertyMap {
NSArray *mapKeys = self.cfi.propertyMap.allKeys;
NSArray *keys = [SNTCommandFileInfo fileInfoKeys];
[keys enumerateObjectsUsingBlock:^(id obj, NSUInteger idx, BOOL *stop) {
XCTAssertTrue([mapKeys containsObject:obj]);
}];
[mapKeys enumerateObjectsUsingBlock:^(id obj, NSUInteger idx, BOOL *stop) {
XCTAssertTrue([keys containsObject:obj]);
}];
NSArray *fileInfokeys = [SNTCommandFileInfo fileInfoKeys];
for (NSString *key in fileInfokeys) XCTAssertTrue([mapKeys containsObject:key]);
for (NSString *key in mapKeys) XCTAssertTrue([fileInfokeys containsObject:key]);
}
- (void)testCodeSignedNo {
NSError *err = [NSError errorWithDomain:@"" code:errSecCSUnsigned userInfo:nil];
OCMStub([self.cscMock initWithBinaryPath:OCMOCK_ANY
error:[OCMArg setTo:err]]).andReturn(self.cscMock);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi), @"No");
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi, self.fileInfo), @"No");
}
- (void)testCodeSignedSignatureFailed {
@@ -142,7 +132,7 @@ typedef id (^SNTAttributeBlock)(SNTCommandFileInfo *);
NSError *err = [NSError errorWithDomain:@"" code:errSecCSSignatureFailed userInfo:nil];
OCMStub([self.cscMock initWithBinaryPath:OCMOCK_ANY
error:[OCMArg setTo:err]]).andReturn(self.cscMock);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi), expected);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi, self.fileInfo), expected);
}
- (void)testCodeSignedStaticCodeChanged {
@@ -150,7 +140,7 @@ typedef id (^SNTAttributeBlock)(SNTCommandFileInfo *);
NSError *err = [NSError errorWithDomain:@"" code:errSecCSStaticCodeChanged userInfo:nil];
OCMStub([self.cscMock initWithBinaryPath:OCMOCK_ANY
error:[OCMArg setTo:err]]).andReturn(self.cscMock);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi), expected);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi, self.fileInfo), expected);
}
- (void)testCodeSignedSignatureNotVerifiable {
@@ -158,7 +148,7 @@ typedef id (^SNTAttributeBlock)(SNTCommandFileInfo *);
NSError *err = [NSError errorWithDomain:@"" code:errSecCSSignatureNotVerifiable userInfo:nil];
OCMStub([self.cscMock initWithBinaryPath:OCMOCK_ANY
error:[OCMArg setTo:err]]).andReturn(self.cscMock);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi), expected);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi, self.fileInfo), expected);
}
- (void)testCodeSignedSignatureUnsupported {
@@ -166,7 +156,7 @@ typedef id (^SNTAttributeBlock)(SNTCommandFileInfo *);
NSError *err = [NSError errorWithDomain:@"" code:errSecCSSignatureUnsupported userInfo:nil];
OCMStub([self.cscMock initWithBinaryPath:OCMOCK_ANY
error:[OCMArg setTo:err]]).andReturn(self.cscMock);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi), expected);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi, self.fileInfo), expected);
}
- (void)testCodeSignedResourceDirectoryFailed {
@@ -174,7 +164,7 @@ typedef id (^SNTAttributeBlock)(SNTCommandFileInfo *);
NSError *err = [NSError errorWithDomain:@"" code:errSecCSResourceDirectoryFailed userInfo:nil];
OCMStub([self.cscMock initWithBinaryPath:OCMOCK_ANY
error:[OCMArg setTo:err]]).andReturn(self.cscMock);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi), expected);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi, self.fileInfo), expected);
}
- (void)testCodeSignedResourceNotSupported {
@@ -182,7 +172,7 @@ typedef id (^SNTAttributeBlock)(SNTCommandFileInfo *);
NSError *err = [NSError errorWithDomain:@"" code:errSecCSResourceNotSupported userInfo:nil];
OCMStub([self.cscMock initWithBinaryPath:OCMOCK_ANY
error:[OCMArg setTo:err]]).andReturn(self.cscMock);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi), expected);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi, self.fileInfo), expected);
}
- (void)testCodeSignedResourceRulesInvalid {
@@ -190,7 +180,7 @@ typedef id (^SNTAttributeBlock)(SNTCommandFileInfo *);
NSError *err = [NSError errorWithDomain:@"" code:errSecCSResourceRulesInvalid userInfo:nil];
OCMStub([self.cscMock initWithBinaryPath:OCMOCK_ANY
error:[OCMArg setTo:err]]).andReturn(self.cscMock);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi), expected);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi, self.fileInfo), expected);
}
- (void)testCodeSignedResourcesInvalid {
@@ -198,7 +188,7 @@ typedef id (^SNTAttributeBlock)(SNTCommandFileInfo *);
NSError *err = [NSError errorWithDomain:@"" code:errSecCSResourcesInvalid userInfo:nil];
OCMStub([self.cscMock initWithBinaryPath:OCMOCK_ANY
error:[OCMArg setTo:err]]).andReturn(self.cscMock);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi), expected);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi, self.fileInfo), expected);
}
- (void)testCodeSignedResourcesNotFound {
@@ -206,7 +196,7 @@ typedef id (^SNTAttributeBlock)(SNTCommandFileInfo *);
NSError *err = [NSError errorWithDomain:@"" code:errSecCSResourcesNotFound userInfo:nil];
OCMStub([self.cscMock initWithBinaryPath:OCMOCK_ANY
error:[OCMArg setTo:err]]).andReturn(self.cscMock);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi), expected);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi, self.fileInfo), expected);
}
- (void)testCodeSignedResourcesNotSealed {
@@ -214,7 +204,7 @@ typedef id (^SNTAttributeBlock)(SNTCommandFileInfo *);
NSError *err = [NSError errorWithDomain:@"" code:errSecCSResourcesNotSealed userInfo:nil];
OCMStub([self.cscMock initWithBinaryPath:OCMOCK_ANY
error:[OCMArg setTo:err]]).andReturn(self.cscMock);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi), expected);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi, self.fileInfo), expected);
}
- (void)testCodeSignedReqFailed {
@@ -222,7 +212,7 @@ typedef id (^SNTAttributeBlock)(SNTCommandFileInfo *);
NSError *err = [NSError errorWithDomain:@"" code:errSecCSReqFailed userInfo:nil];
OCMStub([self.cscMock initWithBinaryPath:OCMOCK_ANY
error:[OCMArg setTo:err]]).andReturn(self.cscMock);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi), expected);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi, self.fileInfo), expected);
}
- (void)testCodeSignedReqInvalid {
@@ -230,7 +220,7 @@ typedef id (^SNTAttributeBlock)(SNTCommandFileInfo *);
NSError *err = [NSError errorWithDomain:@"" code:errSecCSReqInvalid userInfo:nil];
OCMStub([self.cscMock initWithBinaryPath:OCMOCK_ANY
error:[OCMArg setTo:err]]).andReturn(self.cscMock);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi), expected);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi, self.fileInfo), expected);
}
- (void)testCodeSignedReqUnsupported {
@@ -238,7 +228,7 @@ typedef id (^SNTAttributeBlock)(SNTCommandFileInfo *);
NSError *err = [NSError errorWithDomain:@"" code:errSecCSReqUnsupported userInfo:nil];
OCMStub([self.cscMock initWithBinaryPath:OCMOCK_ANY
error:[OCMArg setTo:err]]).andReturn(self.cscMock);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi), expected);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi, self.fileInfo), expected);
}
- (void)testCodeSignedInfoPlistFailed {
@@ -246,7 +236,7 @@ typedef id (^SNTAttributeBlock)(SNTCommandFileInfo *);
NSError *err = [NSError errorWithDomain:@"" code:errSecCSInfoPlistFailed userInfo:nil];
OCMStub([self.cscMock initWithBinaryPath:OCMOCK_ANY
error:[OCMArg setTo:err]]).andReturn(self.cscMock);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi), expected);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi, self.fileInfo), expected);
}
- (void)testCodeSignedDefault {
@@ -254,7 +244,7 @@ typedef id (^SNTAttributeBlock)(SNTCommandFileInfo *);
NSError *err = [NSError errorWithDomain:@"" code:999 userInfo:nil];
OCMStub([self.cscMock initWithBinaryPath:OCMOCK_ANY
error:[OCMArg setTo:err]]).andReturn(self.cscMock);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi), expected);
XCTAssertEqualObjects(self.cfi.codeSigned(self.cfi, self.fileInfo), expected);
}
@end

2
Tests/LogicTests/SNTEventTableTest.m
View File

@@ -43,7 +43,7 @@
- (SNTStoredEvent *)createTestEvent {
SNTFileInfo *binInfo = [[SNTFileInfo alloc] initWithPath:@"/usr/bin/false"];
MOLCodesignChecker *csInfo = [[MOLCodesignChecker alloc] initWithBinaryPath:@"/usr/bin/false"];
MOLCodesignChecker *csInfo = [binInfo codesignCheckerWithError:NULL];
SNTStoredEvent *event;
event = [[SNTStoredEvent alloc] init];
event.idx = @(arc4random());

23
Tests/LogicTests/SantaCacheTest.mm
View File

@@ -150,4 +150,27 @@
delete sut;
}
- (void)testCompareAndSwap {
auto sut = new SantaCache<uint64_t>(100, 2);
sut->set(1, 42);
sut->set(1, 666, 1);
sut->set(1, 666, 0);
XCTAssertEqual(sut->get(1), 42);
sut->set(1, 0);
XCTAssertEqual(sut->get(1), 0);
sut->set(1, 42, 1);
XCTAssertEqual(sut->get(1), 0);
sut->set(1, 42, 0);
XCTAssertEqual(sut->get(1), 42);
sut->set(1, 0, 666);
XCTAssertEqual(sut->get(1), 42);
sut->set(1, 0, 42);
XCTAssertEqual(sut->get(1), 0);
}
@end

29
mkdocs.yml Normal file
View File

@@ -0,0 +1,29 @@
site_name: Santa
theme: readthedocs
docs_dir: Docs
extra_css:
- theme/Santa.css
pages:
- Introduction:
- Welcome to Santa: index.md
- Binary Whitelisting Overview: introduction/binary-whitelisting-overview.md
- Syncing Overview: introduction/syncing-overview.md
- Deployment:
- Configuration: deployment/configuration.md
- Development:
- Building: development/building.md
- Details:
- santa-driver: details/santa-driver.md
- santad: details/santad.md
- santactl: details/santactl.md
- santabs: details/santabs.md
- santa-gui: details/santa-gui.md
- mode: details/mode.md
- events: details/events.md
- rules: details/rules.md
- scopes: details/scopes.md
- syncing: introduction/syncing-overview.md
- ipc: details/ipc.md
- logs: details/logs.md