Bump MOLAuthenticatingURLSession version (#384)

dyld is also authorized by santad and a bad cache eviction plus trustd/ocspd not running can result in deadlock.

Fixes #375, probably.

.bazelrc

@@ -1 +1,2 @@
 build --apple_generate_dsym --define=apple.propagate_embedded_extra_outputs=yes
+build --host_force_python=PY2

.travis.yml

@@ -1,4 +1,6 @@
 ---
+os: osx
+osx_image: xcode10.2
 language: objective-c
 sudo: false
 

README.md

@@ -22,7 +22,7 @@ Santa is a project of Google's Macintosh Operations Team.
 # Docs
 
 The Santa docs are stored in the
-[Docs](https://github.com/google/santa/blob/master/Docs) directory. A Read the
+[Docs](https://github.com/google/santa/blob/master/docs) directory. A Read the
 Docs instance is available here: https://santa.readthedocs.io.
 
 The docs include deployment options, details on how parts of Santa work and

Source/SantaGUI/SNTNotificationManager.m

@@ -193,6 +193,10 @@ static NSString * const silencedNotificationsKey = @"SilencedNotifications";
 }
 
 - (void)setBundleServiceListener:(NSXPCListenerEndpoint *)listener {
+  // Ensure any existing listener is invalidated.
+  self.bundleServiceConnection.invalidationHandler = nil;
+  [self.bundleServiceConnection invalidate];
+  
   MOLXPCConnection *c = [[MOLXPCConnection alloc] initClientWithListener:listener];
   c.remoteInterface = [SNTXPCBundleServiceInterface bundleServiceInterface];
   [c resume];
@@ -204,8 +208,6 @@ static NSString * const silencedNotificationsKey = @"SilencedNotifications";
     if (self.currentWindowController) {
       [self updateBlockNotification:self.currentWindowController.event withBundleHash:nil];
     }
-    self.bundleServiceConnection.invalidationHandler = nil;
-    [self.bundleServiceConnection invalidate];
   };
 
   dispatch_semaphore_signal(self.bundleServiceSema);

Source/santa_driver/BUILD

@@ -52,16 +52,23 @@ santa_unit_test(
     deps = ["//Source/common:SNTKernelCommon"],
 )
 
+cc_library(
+    name = "SantaPrefixTree_userland_lib",
+    srcs = ["SantaPrefixTree.cc"],
+    hdrs = ["SantaPrefixTree.h"],
+    copts = ["-std=c++1z"],
+    visibility = ["//visibility:public"],
+)
+
 santa_unit_test(
     name = "SantaPrefixTreeTest",
-    srcs = [
-        "SantaPrefixTree.cc",
-        "SantaPrefixTree.h",
-        "SantaPrefixTreeTest.mm",
-    ],
+    srcs = ["SantaPrefixTreeTest.mm"],
     copts = ["-std=c++1z"],
     minimum_os_version = "10.12",
-    deps = ["//Source/common:SNTKernelCommon"],
+    deps = [
+        ":SantaPrefixTree_userland_lib",
+        "//Source/common:SNTKernelCommon"
+    ],
 )
 
 # Full santa-driver.kext containing all Santa components

Source/santactl/Commands/SNTCommandFileInfo.m

@@ -330,6 +330,8 @@ REGISTER_COMMAND_NAME(@"fileinfo")
           if ([error.domain isEqualToString:@"com.google.molcodesignchecker"]) {
             return @"Yes, but signing is not consistent for all architectures";
           }
+        case CSSMERR_TP_CERT_REVOKED:
+          return @"Yes, but the signing certificate was revoked";
         default: {
           return [NSString stringWithFormat:@"Yes, but failed to validate (%ld)", error.code];
         }
@@ -595,12 +597,17 @@ REGISTER_COMMAND_NAME(@"fileinfo")
     NSDictionary *cert = signingChain[index];
 
     // Check if we should skip over this item based on outputFilters.
+    BOOL filterMatch = self.outputFilters.count == 0;
     for (NSString *key in self.outputFilters) {
-      NSString *value = cert[key];
+      NSString *value = cert[key] ?: @"";
       NSRegularExpression *regex = self.outputFilters[key];
-      if (![regex firstMatchInString:value options:0 range:NSMakeRange(0, value.length)]) return;
+      if (![regex firstMatchInString:value options:0 range:NSMakeRange(0, value.length)]) continue;
+      filterMatch = YES;
+      break;
     }
 
+    if (!filterMatch) return;
+
     // Filter out the info we want now, in case JSON output
     for (NSString *key in self.outputKeyList) {
       outputDict[key] = cert[key];
@@ -609,17 +616,22 @@ REGISTER_COMMAND_NAME(@"fileinfo")
     // Check if we should skip over this item based on outputFilters.  We do this before collecting
     // output info because there's a chance that we can bail out early if a filter doesn't match.
     // However we also don't want to recompute info, so we save any values that we plan to show.
+    BOOL filterMatch = self.outputFilters.count == 0;
     for (NSString *key in self.outputFilters) {
-      NSString *value = self.propertyMap[key](self, fileInfo);
+      NSString *value = self.propertyMap[key](self, fileInfo) ?: @"";
       NSRegularExpression *regex = self.outputFilters[key];
-      if (![regex firstMatchInString:value options:0 range:NSMakeRange(0, value.length)]) return;
+      if (![regex firstMatchInString:value options:0 range:NSMakeRange(0, value.length)]) continue;
       // If this is a value we want to show, store it in the output dictionary.
       // This does a linear search on an array, but it's a small array.
-      if ([self.outputKeyList containsObject:key]) {
+      if (value.length && [self.outputKeyList containsObject:key]) {
         outputDict[key] = value;
       }
+      filterMatch = YES;
+      break;
     }
 
+    if (!filterMatch) return;
+
     // Then fill the outputDict with the rest of the missing values.
     for (NSString *key in self.outputKeyList) {
       if (outputDict[key]) continue;  // ignore keys that we've already set due to a filter

Source/santad/DataLayer/SNTRuleTable.m

@@ -41,7 +41,8 @@ static const NSUInteger kTransitiveRuleExpirationSeconds = 6 * 30 * 24 * 3600;
 
 - (NSArray *)criticalSystemBinaryPaths {
   return @[
-    @"/usr/libexec/trustd", @"/usr/sbin/securityd", @"/usr/libexec/xpcproxy", @"/usr/sbin/ocspd"
+    @"/usr/libexec/trustd", @"/usr/sbin/securityd", @"/usr/libexec/xpcproxy",
+    @"/usr/sbin/ocspd", @"/usr/lib/dyld"
   ];
 }
 

Source/santad/SNTSyncdQueue.m

@@ -55,7 +55,7 @@
   [self dispatchBlockOnSyncdQueue:^{
     [self.syncdConnection.remoteObjectProxy
         postBundleEventToSyncServer:event reply:^(SNTBundleEventAction action) {
-      // Remove the backoff entry for the inital block event. The same event will be included in
+      // Remove the backoff entry for the initial block event. The same event will be included in
       // the related events synced using addEvents:isFromBundle:.
       if (action == SNTBundleEventActionSendEvents) {
         [self.uploadBackoff removeObjectForKey:event.fileBundleHash];

WORKSPACE

@@ -8,7 +8,7 @@ load("@bazel_tools//tools/build_defs/repo:git.bzl",
 git_repository(
     name = "build_bazel_rules_apple",
     remote = "https://github.com/bazelbuild/rules_apple.git",
-    commit = "46611296946be1eb0fe2e7e46b8b26b4662606b3",
+    tag = "0.17.2",
 )
 
 load("@build_bazel_rules_apple//apple:repositories.bzl", "apple_rules_dependencies")
@@ -19,19 +19,19 @@ apple_rules_dependencies()
 git_repository(
     name = "MOLAuthenticatingURLSession",
     remote = "https://github.com/google/macops-molauthenticatingurlsession.git",
-    tag = "v2.5",
+    tag = "v2.8",
 )
 
 git_repository(
     name = "MOLCertificate",
     remote = "https://github.com/google/macops-molcertificate.git",
-    tag = "v2.0",
+    tag = "v2.1",
 )
 
 git_repository(
     name = "MOLCodesignChecker",
     remote = "https://github.com/google/macops-molcodesignchecker.git",
-    tag = "v2.0",
+    tag = "v2.2",
 )
 
 git_repository(

docs/CNAME

@@ -0,0 +1 @@
+santa.dev

docs/_config.yml

@@ -0,0 +1 @@
+theme: jekyll-theme-cayman

mkdocs.yml

@@ -1,7 +1,7 @@
 site_name: Santa
 theme: readthedocs
 
-docs_dir: Docs
+docs_dir: docs
 extra_css:
 - theme/Santa.css