santad: only store events if there is a sync server configured (#721)

* santad: only store events if there is a sync server configured

* SNTExecutionControllerTest stub sync server

Co-authored-by: Tom Burgin <bur@chromium.org>

.bazelrc

@@ -1 +1,5 @@
 build --apple_generate_dsym --define=apple.propagate_embedded_extra_outputs=yes
+
+build --copt=-Werror
+build --copt=-Wall
+build --copt=-Wno-error=deprecated-declarations

.clang-format

@@ -1,18 +1,18 @@
+Language: ObjC
 BasedOnStyle: Google
-Language: Cpp
-Standard: Cpp11
 
-# Disable ColumnLimit because it causes some very weird line breaks.
-# For ObjC the limit is 100
-# For Cpp  the limit is 80
-ColumnLimit: 0
+IndentWidth: 2
+ObjCBlockIndentWidth: 2
+ContinuationIndentWidth: 2
+
+# For ObjC, the line limit is 100
+ColumnLimit: 100
 
 # Allow short case statements to be on a single line
 AllowShortCaseLabelsOnASingleLine: true
 
-# Ban short loops and functions on a single line
 AllowShortLoopsOnASingleLine: false
-AllowShortFunctionsOnASingleLine: false
+AllowShortFunctionsOnASingleLine: Inline
 
 # Allow spaces in NSArray/NSDictionary literals @[ and @{
 SpacesInContainerLiterals: true
@@ -20,3 +20,13 @@ SpacesInContainerLiterals: true
 # For pointers, always put the * next to the variable name.
 DerivePointerAlignment: false
 PointerAlignment: Right
+
+
+---
+Language: Cpp
+Standard: Cpp11
+
+BasedOnStyle: Google
+
+# For C++, the line limit is 80
+ColumnLimit: 80

.github/workflows/check-markdown-links.yml

@@ -0,0 +1,13 @@
+name: Check Markdown links
+
+on: 
+  pull_request:
+    paths:
+      - "**.md"
+
+jobs:
+  markdown-link-check:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@master
+    - uses: gaurav-nelson/github-action-markdown-link-check@v1

.github/workflows/ci.yml

@@ -0,0 +1,126 @@
+name: CI
+on:
+  push:
+    branches:
+      - '*'
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  preqs:
+    runs-on: ubuntu-latest
+    outputs:
+      run_build_and_tests: ${{ steps.step1.outputs.run_build_and_tests }}
+      build_driver: ${{ steps.step1.outputs.build_driver }}
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Check If We Need to Run Build/Test
+        id: step1
+        run: |
+          git remote add mainline https://github.com/google/santa.git
+          git fetch mainline main
+          git diff --name-only mainline/main HEAD > files.txt
+          echo "FILES CHANGED: $(wc -l ./files.txt)\n"
+
+          cat files.txt
+
+          build_driver=0
+          build_and_run_tests=0
+
+          for file in `cat files.txt`; do
+            if [[ $file = Source/* ]]; then
+              build_and_run_test=1;
+              if [[ $file = Source/santa_driver/* || $file = Source/common/* ]]; then
+                 build_driver=1;
+                 break;
+              fi
+            fi
+          done
+
+          if [[ $build_and_run_test != 0 ]]; then
+            echo "NEED TO RUN BUILD AND TESTS"
+            echo "::set-output name=run_build_and_tests::true"
+          else
+            echo "::set-output name=run_build_and_tests::false"
+          fi
+
+          if [[ $build_driver != 0 ]]; then
+            echo "NEED TO BUILD DRIVER"
+            echo "::set-output name=build_driver::true"
+          else
+            echo "::set-output name=build_driver::false"
+          fi
+
+  lint:
+    runs-on: ubuntu-latest
+    needs: [preqs]
+    if: needs.preqs.outputs.run_build_and_tests == 'true'
+    steps:
+      - uses: actions/checkout@v2
+      - name: Run linters
+        run: ./Testing/lint.sh
+
+  build_userspace:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [macos-10.15, macos-11]
+    runs-on: ${{ matrix.os }}
+    needs: [preqs]
+    if: needs.preqs.outputs.run_build_and_tests == 'true'
+    steps:
+     - uses: actions/checkout@v2
+     - name: Build Userspace
+       run: bazel build --apple_generate_dsym -c opt :release --define=SANTA_BUILD_TYPE=ci
+
+  build_driver:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [macos-10.15, macos-11]
+    runs-on: ${{ matrix.os }}
+    needs: [preqs]
+    if: needs.preqs.outputs.build_driver == 'true'
+    steps:
+      - uses: actions/checkout@v2
+      - name: Build Driver
+        run: bazel build --apple_generate_dsym -c opt :release_driver --define=SANTA_BUILD_TYPE=ci
+
+  unit_tests:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [macos-10.15, macos-11]
+    runs-on: ${{ matrix.os }}
+    needs: [preqs]
+    if: needs.preqs.outputs.run_build_and_tests == 'true'
+    steps:
+      - uses: actions/checkout@v2
+      - name: Run All Tests
+        run: bazel test :unit_tests --define=SANTA_BUILD_TYPE=ci
+
+  test_coverage:
+    runs-on: macos-11
+    needs: [preqs]
+    if: needs.preqs.outputs.run_build_and_tests == 'true'
+    steps:
+      - uses: actions/checkout@v2
+      - name: Generate test coverage
+        run: sh ./generate_cov.sh
+      - name: Coveralls
+        uses: coverallsapp/github-action@master
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          path-to-lcov: ./CoverageData/info.lcov
+          flag-name: Unit
+
+  benchmark:
+    runs-on: macos-11
+    needs: [preqs]
+    if: needs.preqs.outputs.run_build_and_tests == 'true'
+    steps:
+      - uses: actions/checkout@v2
+      - name: Run All Tests
+        run: ./Testing/benchmark.sh

.github/workflows/continuous.yml

@@ -0,0 +1,13 @@
+name: continuous
+on:
+  schedule:
+    - cron: '* 10 * * *' # Every day at 10:00 UTC
+  workflow_dispatch:  # Allows you to run this workflow manually from the Actions tab
+
+jobs:
+  preqs:
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Checks for flaky tests
+        run: bazel test --test_strategy=exclusive --test_output=errors --runs_per_test 50 -t- :unit_tests --define=SANTA_BUILD_TYPE=ci

.gitignore

@@ -1,3 +1,20 @@
 .DS_Store
-default.profraw
+*.profraw
+*.provisionprofile
 bazel-*
+Pods
+Santa.xcodeproj/*
+Santa.xcworkspace/*
+CoverageData/*
+*.tulsiconf-user
+xcuserdata
+tulsigen-*
+*.crt
+*.key
+*.pem
+*.p12
+*.keychain
+*.swp
+compile_commands.json
+.cache/
+.vscode/*

.travis.yml

@@ -1,12 +0,0 @@
----
-language: objective-c
-sudo: false
-
-addons:
-  homebrew:
-    taps: bazelbuild/tap
-    packages: bazelbuild/tap/bazel
-
-script:
- - bazel build :release --show_progress_rate_limit=30.0 -c opt --apple_generate_dsym --color=no --verbose_failures --sandbox_debug
- - bazel test :unit_tests --show_progress_rate_limit=30.0 --test_output=errors --color=no --verbose_failures --sandbox_debug

BUILD

@@ -1,13 +1,13 @@
-package(default_visibility = ["//visibility:public"])
-
-licenses(["notice"])  # Apache 2.0
-
-exports_files(["LICENSE"])
-
 load("@build_bazel_rules_apple//apple:versioning.bzl", "apple_bundle_version")
 load("//:helper.bzl", "run_command")
 load("//:version.bzl", "SANTA_VERSION")
 
+package(default_visibility = ["//:santa_package_group"])
+
+licenses(["notice"])
+
+exports_files(["LICENSE"])
+
 # The version label for mac_* rules.
 apple_bundle_version(
     name = "version",
@@ -15,12 +15,31 @@ apple_bundle_version(
     short_version_string = SANTA_VERSION,
 )
 
+# Used to detect release builds
+config_setting(
+    name = "release_build",
+    values = {"define": "SANTA_BUILD_TYPE=release"},
+    visibility = [":santa_package_group"],
+)
+
+# Used to detect CI builds
+config_setting(
+    name = "ci_build",
+    values = {"define": "SANTA_BUILD_TYPE=ci"},
+    visibility = [":santa_package_group"],
+)
+
 # Used to detect optimized builds
 config_setting(
     name = "opt_build",
     values = {"compilation_mode": "opt"},
 )
 
+package_group(
+    name = "santa_package_group",
+    packages = ["//..."],
+)
+
 ################################################################################
 # Loading/Unloading/Reloading
 ################################################################################
@@ -28,8 +47,10 @@ run_command(
     name = "unload",
     cmd = """
 sudo launchctl unload /Library/LaunchDaemons/com.google.santad.plist 2>/dev/null
+sudo launchctl unload /Library/LaunchDaemons/com.google.santa.bundleservice.plist 2>/dev/null
+sudo launchctl unload /Library/LaunchDaemons/com.google.santa.metricservice.plist 2>/dev/null
 sudo kextunload -b com.google.santa-driver 2>/dev/null
-launchctl unload /Library/LaunchAgents/com.google.santagui.plist 2>/dev/null
+launchctl unload /Library/LaunchAgents/com.google.santa.plist 2>/dev/null
 """,
 )
 
@@ -37,19 +58,26 @@ run_command(
     name = "load",
     cmd = """
 sudo launchctl load /Library/LaunchDaemons/com.google.santad.plist
-launchctl load /Library/LaunchAgents/com.google.santagui.plist
+sudo launchctl load /Library/LaunchDaemons/com.google.santa.bundleservice.plist
+sudo launchctl load /Library/LaunchDaemons/com.google.santa.metricservice.plist
+launchctl load /Library/LaunchAgents/com.google.santa.plist
 """,
 )
 
 run_command(
     name = "reload",
-    srcs = ["//Source/santa_driver"],
+    srcs = [
+        "//Source/santa:Santa",
+        "//Source/santa_driver",
+    ],
     cmd = """
 set -e
 
 rm -rf /tmp/bazel_santa_reload
 unzip -d /tmp/bazel_santa_reload \
-    $${BUILD_WORKSPACE_DIRECTORY}/bazel-bin/Source/santa_driver/santa_driver.zip >/dev/null
+    $${BUILD_WORKSPACE_DIRECTORY}/bazel-out/*$(COMPILATION_MODE)*/bin/Source/santa_driver/santa_driver.zip >/dev/null
+unzip -d /tmp/bazel_santa_reload \
+    $${BUILD_WORKSPACE_DIRECTORY}/bazel-out/*$(COMPILATION_MODE)*/bin/Source/santa/Santa.zip >/dev/null
 echo "You may be asked for your password for sudo"
 sudo BINARIES=/tmp/bazel_santa_reload CONF=$${BUILD_WORKSPACE_DIRECTORY}/Conf \
     $${BUILD_WORKSPACE_DIRECTORY}/Conf/install.sh
@@ -64,14 +92,17 @@ echo "Time to stop being naughty"
 genrule(
     name = "release",
     srcs = [
-        "//Source/santa_driver",
+        "//Source/santa:Santa",
         "Conf/install.sh",
         "Conf/uninstall.sh",
+        "Conf/com.google.santa.bundleservice.plist",
+        "Conf/com.google.santa.metricservice.plist",
         "Conf/com.google.santad.plist",
-        "Conf/com.google.santagui.plist",
-        "Conf/com.google.santa.asl.conf",
+        "Conf/com.google.santa.plist",
         "Conf/com.google.santa.newsyslog.conf",
-        "Conf/Package/Makefile",
+        "Conf/Package/Distribution.xml",
+        "Conf/Package/notarization_tool.sh",
+        "Conf/Package/package_and_sign.sh",
         "Conf/Package/postinstall",
         "Conf/Package/preinstall",
     ],
@@ -82,9 +113,9 @@ genrule(
         echo "Please add '-c opt' flag to bazel invocation"
         """,
         ":opt_build": """
-      # Extract santa_driver.zip
+      # Extract Santa.zip
       for SRC in $(SRCS); do
-        if [[ $$(basename $${SRC}) == "santa_driver.zip" ]]; then
+        if [ "$$(basename $${SRC})" == "Santa.zip" ]; then
           mkdir -p $(@D)/binaries
           unzip -q $${SRC} -d $(@D)/binaries >/dev/null
         fi
@@ -92,19 +123,15 @@ genrule(
 
       # Copy config files
       for SRC in $(SRCS); do
-        if [[ "$$(dirname $${SRC})" == *"Conf" ]]; then
+        if [[ "$$(dirname $${SRC})" == *"Conf"* ]]; then
           mkdir -p $(@D)/conf
-          cp $${SRC} $(@D)/conf/
+          cp -H $${SRC} $(@D)/conf/
         fi
       done
 
       # Gather together the dSYMs. Throw an error if no dSYMs were found
       for SRC in $(SRCS); do
         case $${SRC} in
-          *santa-driver.kext.dSYM*Info.plist)
-            mkdir -p $(@D)/dsym
-            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santa-driver.kext.dSYM
-            ;;
           *santad.dSYM*Info.plist)
             mkdir -p $(@D)/dsym
             cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santad.dSYM
@@ -113,14 +140,22 @@ genrule(
             mkdir -p $(@D)/dsym
             cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santactl.dSYM
             ;;
-          *santabs.xpc.dSYM*Info.plist)
+          *santabundleservice.dSYM*Info.plist)
             mkdir -p $(@D)/dsym
-            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santabs.xpc.dSYM
+            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santabundleservice.dSYM
+            ;;
+          *santametricservice.dSYM*Info.plist)
+            mkdir -p $(@D)/dsym
+            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santametricservice.dSYM
             ;;
           *Santa.app.dSYM*Info.plist)
             mkdir -p $(@D)/dsym
             cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/Santa.app.dSYM
             ;;
+          *com.google.santa.daemon.systemextension.dSYM*Info.plist)
+            mkdir -p $(@D)/dsym
+            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/com.google.santa.daemon.systemextension.dSYM
+            ;;
         esac
       done
 
@@ -134,7 +169,7 @@ genrule(
       # Update all the timestamps to now. Bazel avoids timestamps to allow
       # builds to be hermetic and cacheable but for releases we want the
       # timestamps to be more-or-less correct.
-      find $(@D)/{binaries,conf,dsym} -exec touch {} \;
+      find $(@D)/{binaries,conf,dsym} -exec touch {} \\;
 
       # Create final output tar
       tar -C $(@D) -czpf $(@) binaries dsym conf
@@ -143,16 +178,69 @@ genrule(
     heuristic_label_expansion = 0,
 )
 
+genrule(
+    name = "release_driver",
+    srcs = [
+        "//Source/santa_driver",
+    ],
+    outs = ["santa-driver-" + SANTA_VERSION + ".tar.gz"],
+    cmd = select({
+        "//conditions:default": """
+        echo "ERROR: Trying to create a release tarball without optimization."
+        echo "Please add '-c opt' flag to bazel invocation"
+        """,
+        ":opt_build": """
+      # Extract santa_driver.zip
+      for SRC in $(SRCS); do
+        if [ "$$(basename $${SRC})" == "santa_driver.zip" ]; then
+          mkdir -p $(@D)/binaries
+          unzip -q $${SRC} -d $(@D)/binaries >/dev/null
+        fi
+      done
+
+      # Gather together the dSYMs. Throw an error if no dSYMs were found
+      for SRC in $(SRCS); do
+        case $${SRC} in
+          *santa-driver.kext.dSYM*Info.plist)
+            mkdir -p $(@D)/dsym
+            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santa-driver.kext.dSYM
+            ;;
+        esac
+      done
+
+      # Cause a build failure if the dSYMs are missing.
+      if [[ ! -d "$(@D)/dsym" ]]; then
+        echo "dsym dir missing: Did you forget to use --apple_generate_dsym?"
+        echo "This flag is required for the 'release' target."
+        exit 1
+      fi
+
+      # Update all the timestamps to now. Bazel avoids timestamps to allow
+      # builds to be hermetic and cacheable but for releases we want the
+      # timestamps to be more-or-less correct.
+      find $(@D)/{binaries,dsym} -exec touch {} \\;
+
+      # Create final output tar
+      tar -C $(@D) -czpf $(@) binaries dsym
+    """,
+    }),
+    heuristic_label_expansion = 0,
+)
+
 test_suite(
     name = "unit_tests",
     tests = [
-        "//Source/common:SNTFileInfoTest",
-        "//Source/santa_driver:SantaCacheTest",
-        "//Source/santa_driver:SantaPrefixTreeTest",
-        "//Source/santactl:SNTCommandFileInfoTest",
-        "//Source/santactl:SNTCommandSyncTest",
-        "//Source/santad:SNTEventTableTest",
-        "//Source/santad:SNTExecutionControllerTest",
-        "//Source/santad:SNTRuleTableTest",
+        "//Source/common:unit_tests",
+        "//Source/santactl:unit_tests",
+        "//Source/santad:unit_tests",
+        "//Source/santametricservice:unit_tests",
+        "//Source/santasyncservice:unit_tests",
+    ],
+)
+
+test_suite(
+    name = "benchmarks",
+    tests = [
+        "//Source/santad:SNTApplicationBenchmark",
     ],
 )

CONTRIBUTING.md

@@ -1,37 +0,0 @@
-Want to contribute? Great! First, read this page (including the small print at the end).
-
-### Before you contribute
-Before we can use your code, you must sign the
-[Google Individual Contributor License Agreement](https://developers.google.com/open-source/cla/individual)
-(CLA), which you can do online. The CLA is necessary mainly because you own the
-copyright to your changes, even after your contribution becomes part of our
-codebase, so we need your permission to use and distribute your code. We also
-need to be sure of various other things—for instance that you'll tell us if you
-know that your code infringes on other people's patents. You don't have to sign
-the CLA until after you've submitted your code for review and a member has
-approved it, but you must do it before we can put your code into our codebase.
-
-Before you start working on a larger contribution, you should get in touch with
-us first through the [issue tracker](https://github.com/google/santa/issues)
-with your idea so that we can help out and possibly guide you. Coordinating up 
-front makes it much easier to avoid frustration later on.
-
-### Code reviews
-All submissions, including submissions by project members, require review. We
-use GitHub pull requests for this purpose. It's also a good idea to run the
-tests beforehand, which you can do with the following commands:
-
-```sh
-rake tests:logic
-rake tests:kernel  # only necessary if you're changing the kext code
-```
-### Code Style
-
-All code submissions should try to match the surrounding code.  Wherever possible,
-code should adhere to either the
-[Google Objective-C Style Guide](https://google.github.io/styleguide/objcguide.xml)
-or the [Google C++ Style Guide](https://google.github.io/styleguide/cppguide.html).
-
-### The small print
-Contributions made by corporations are covered by a different agreement than
-the one above, the [Software Grant and Corporate Contributor License Agreement](https://developers.google.com/open-source/cla/corporate).

CONTRIBUTING.md

@@ -0,0 +1 @@
+docs/development/contributing.md

Conf/Package/Distribution.xml

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<installer-gui-script minSpecVersion="1">
+<title>Santa</title>
+<options customize="never" allow-external-scripts="no"/>
+
+<choices-outline>
+	<line choice="default" />
+</choices-outline>
+
+<choice id="default">
+    <pkg-ref id="com.google.santa"/>
+    <pkg-ref id="com.google.santa-driver"/>
+</choice>
+
+<pkg-ref id="com.google.santa">app.pkg</pkg-ref>
+<pkg-ref id="com.google.santa-driver" active="system.compareVersions(my.target.systemVersion.ProductVersion, '10.15') &lt; 0">kext.pkg</pkg-ref>
+
+</installer-gui-script>

Conf/Package/Makefile

@@ -1,95 +0,0 @@
-#
-#  Package Makefile for Santa
-#  Requires TheLuggage (github.com/unixorn/luggage) to be installed
-#
-#  Will generate a package based on the latest release. You can replace
-#  the PACKAGE_VERSION variable with a specific variable instead if you wish.
-#
-
-LUGGAGE:=/usr/local/share/luggage/luggage.make
-include ${LUGGAGE}
-
-TITLE:=santa
-REVERSE_DOMAIN:=com.google
-
-# Get latest Release version using the GitHub API. Each release is bound to a
-# git tag, which should always be a semantic version number. The most recent
-# release is always first in the API result.
-PACKAGE_VERSION:=$(shell curl -fs https://api.github.com/repos/google/santa/releases |\
-	python -c 'import json, sys; print json.load(sys.stdin)[0]["tag_name"]' 2>/dev/null)
-
-# Get the download URL for the latest Release. Each release should have a
-# tarball named santa-$version.tar.bz2 containing all of the files associated
-# with that release. The tarball layout is:
-#
-#   santa-$version.tar.bz2
-#   +--santa-$version
-#         |-- binaries
-#         |    |-- santa-driver.kext
-#         |    |-- Santa.app
-#         |-- conf
-#         |    |-- install.sh
-#         |    |-- com.google.santad.plist
-#         |    |-- com.google.santagui.plist
-#         |    +-- com.google.santa.asl.conf
-#         |    +-- com.google.santa.newsyslog.conf
-#         +--dsym
-#              |-- santa-driver.kext.dSYM
-#              |-- Santa.app.dSYM
-#              |-- santad.dSYM
-#              +-- santactl.dSYM
-PACKAGE_DOWNLOAD_URL:="https://github.com/google/santa/releases/download/${PACKAGE_VERSION}/santa-${PACKAGE_VERSION}.tar.bz2"
-
-PAYLOAD:=pack-Library-Extensions-santa-driver.kext \
-	pack-applications-Santa.app \
-	pack-Library-LaunchDaemons-com.google.santad.plist \
-	pack-Library-LaunchAgents-com.google.santagui.plist \
-	pack-etc-asl-com.google.santa.asl.conf \
-	pack-etc-newsyslog.d-com.google.santa.newsyslog.conf \
-	pack-script-preinstall \
-	pack-script-postinstall
-
-santa-driver.kext: download
-Santa.app: download
-com.google.santad.plist: download
-com.google.santagui.plist: download
-com.google.santa.asl.conf: download
-com.google.santa.newsyslog.conf: download
-
-download:
-	$(if $(PACKAGE_VERSION),, $(error GitHub API returned unexpected result. Wait a while and try again))
-
-	@curl -fL ${PACKAGE_DOWNLOAD_URL} | tar xvj --strip=2
-	@rm -rf *.dSYM
-
-pack-etc-asl-com.google.santa.asl.conf: com.google.santa.asl.conf l_private_etc
-	@sudo mkdir -p ${WORK_D}/private/etc/asl
-	@sudo chown root:wheel ${WORK_D}/private/etc/asl
-	@sudo chmod 755 ${WORK_D}/private/etc/asl
-	@sudo install -m 644 -o root -g wheel com.google.santa.asl.conf ${WORK_D}/private/etc/asl
-
-pack-etc-newsyslog.d-com.google.santa.newsyslog.conf: com.google.santa.newsyslog.conf l_private_etc
-	@sudo mkdir -p ${WORK_D}/private/etc/newsyslog.d
-	@sudo chown root:wheel ${WORK_D}/private/etc/newsyslog.d
-	@sudo chmod 755 ${WORK_D}/private/etc/newsyslog.d
-	@sudo install -m 644 -o root -g wheel com.google.santa.newsyslog.conf ${WORK_D}/private/etc/newsyslog.d
-
-pack-Library-Extensions-santa-driver.kext: santa-driver.kext l_Library
-	@sudo mkdir -p ${WORK_D}/Library/Extensions
-	@sudo ${DITTO} --noqtn santa-driver.kext ${WORK_D}/Library/Extensions/santa-driver.kext
-	@sudo chown -R root:wheel ${WORK_D}/Library/Extensions/santa-driver.kext
-	@sudo chmod -R 755 ${WORK_D}/Library/Extensions/santa-driver.kext
-
-clean: myclean
-
-myclean:
-	@rm -rf *.dSYM
-	@rm -rf Santa.app
-	@rm -rf santa-driver.kext
-	@rm -f config.plist
-	@rm -f com.google.santa.asl.conf
-	@rm -f com.google.santa.newsyslog.conf
-	@rm -f com.google.santad.plist
-	@rm -f com.google.santagui.plist
-	@rm -f install.sh
-	@rm -f uninstall.sh

Conf/Package/notarization_tool.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# Example NOTARIZATION_TOOL wrapper.
+
+/usr/bin/xcrun altool --notarize-app "${2}" --primary-bundle-id "${4}" \
+  -u "${NOTARIZATION_USERNAME}" -p "${NOTARIZATION_PASSWORD}"

Conf/Package/package_and_sign.sh

@@ -0,0 +1,201 @@
+#!/bin/bash
+
+# This script signs all of Santa's components, verifies the signatures,
+# notarizes all of the components, staples them, packages them up, signs the
+# package, notarizes the package, puts the package in a DMG and notarizes the
+# DMG. It also outputs a single release tarball.
+# All of the following environment variables are required.
+
+# RELEASE_ROOT is a required environment variable that points to the root
+# of an extracted release tarball produced with the :release and :release_driver
+# rules in Santa's main BUILD file.
+[[ -n "${RELEASE_ROOT}" ]] || die "RELEASE_ROOT unset"
+
+# SIGNING_IDENTITY, SIGNING_TEAMID and SIGNING_KEYCHAIN are required environment
+# variables specifying the identity and keychain to pass to the codesign tool
+# and the team ID to use for verification.
+[[ -n "${SIGNING_IDENTITY}" ]] || die "SIGNING_IDENTITY unset"
+[[ -n "${SIGNING_TEAMID}" ]] || die "SIGNING_TEAMID unset"
+[[ -n "${SIGNING_KEYCHAIN}" ]] || die "SIGNING_KEYCHAIN unset"
+
+# INSTALLER_SIGNING_IDENTITY and INSTALLER_SIGNING_KEYCHAIN are required
+# environment variables specifying the identity and keychain to use when signing
+# the distribution package.
+[[ -n "${INSTALLER_SIGNING_IDENTITY}" ]] || die "INSTALLER_SIGNING_IDENTITY unset"
+[[ -n "${INSTALLER_SIGNING_KEYCHAIN}" ]] || die "INSTALLER_SIGNING_KEYCHAIN unset"
+
+# NOTARIZATION_TOOL is a required environment variable pointing to a wrapper
+# tool around the tool to use for notarization. The tool must take 2 flags:
+#    --file
+#        - pointing at a zip file containing the artifact to notarize
+#    --primary-bundle-id
+#        - specifying the CFBundleID of the artifact being notarized
+[[ -n "${NOTARIZATION_TOOL}" ]] || die "NOTARIZATION_TOOL unset"
+
+# ARTIFACTS_DIR is a required environment variable pointing at a directory to
+# place the output artifacts in.
+[[ -n "${ARTIFACTS_DIR}" ]] || die "ARTIFACTS_DIR unset"
+
+################################################################################
+
+function die {
+  echo "${@}"
+  exit 2
+}
+
+readonly INPUT_APP="${RELEASE_ROOT}/binaries/Santa.app"
+readonly INPUT_KEXT="${RELEASE_ROOT}/binaries/santa-driver.kext"
+readonly INPUT_SYSX="${INPUT_APP}/Contents/Library/SystemExtensions/com.google.santa.daemon.systemextension"
+readonly INPUT_SANTACTL="${INPUT_APP}/Contents/MacOS/santactl"
+readonly INPUT_SANTABS="${INPUT_APP}/Contents/MacOS/santabundleservice"
+readonly INPUT_SANTAMS="${INPUT_APP}/Contents/MacOS/santametricservice"
+
+readonly RELEASE_NAME="santa-$(/usr/bin/defaults read "${INPUT_APP}/Contents/Info.plist" CFBundleVersion)"
+
+readonly SCRATCH=$(/usr/bin/mktemp -d "${TMPDIR}/santa-"XXXXXX)
+readonly APP_PKG_ROOT="${SCRATCH}/app_pkg_root"
+readonly KEXT_PKG_ROOT="${SCRATCH}/kext_pkg_root"
+readonly APP_PKG_SCRIPTS="${SCRATCH}/pkg_scripts"
+readonly ENTITLEMENTS="${SCRATCH}/entitlements"
+
+readonly SCRIPT_PATH="$(/usr/bin/dirname -- ${BASH_SOURCE[0]})"
+
+/bin/mkdir -p "${APP_PKG_ROOT}" "${KEXT_PKG_ROOT}" "${APP_PKG_SCRIPTS}" "${ENTITLEMENTS}"
+
+readonly DMG_PATH="${ARTIFACTS_DIR}/${RELEASE_NAME}.dmg"
+readonly TAR_PATH="${ARTIFACTS_DIR}/${RELEASE_NAME}.tar.gz"
+
+# Sign all of binaries/bundles. Maintain inside-out ordering where necessary
+for ARTIFACT in "${INPUT_SANTACTL}" "${INPUT_SANTABS}" "${INPUT_SANTAMS}" "${INPUT_SYSX}" "${INPUT_APP}" "${INPUT_KEXT}"; do
+  BN=$(/usr/bin/basename "${ARTIFACT}")
+  EN="${ENTITLEMENTS}/${BN}.entitlements"
+
+  echo "extracting ${BN} entitlements"
+  /usr/bin/codesign -d --entitlements "${EN}" "${ARTIFACT}"
+  if [[ -s "${EN}" ]]; then
+    EN="--entitlements ${EN}"
+  else
+    EN=""
+  fi
+
+  echo "codesigning ${BN}"
+  /usr/bin/codesign --sign "${SIGNING_IDENTITY}" --keychain "${SIGNING_KEYCHAIN}" \
+        ${EN} --timestamp --force --generate-entitlement-der \
+        --options library,kill,runtime "${ARTIFACT}"
+done
+
+# Notarize all the bundles
+for ARTIFACT in "${INPUT_SYSX}" "${INPUT_APP}" "${INPUT_KEXT}"; do
+  BN=$(/usr/bin/basename "${ARTIFACT}")
+
+  echo "zipping ${BN}"
+  /usr/bin/zip -9r "${SCRATCH}/${BN}.zip" "${ARTIFACT}"
+
+  echo "notarizing ${BN}"
+  PBID=$(/usr/bin/defaults read "${ARTIFACT}/Contents/Info.plist" CFBundleIdentifier)
+  "${NOTARIZATION_TOOL}" --file "${SCRATCH}/${BN}.zip" --primary-bundle-id "${PBID}"
+done
+
+# Staple the App and Kext.
+for ARTIFACT in "${INPUT_APP}" "${INPUT_KEXT}"; do
+  BN=$(/usr/bin/basename "${ARTIFACT}")
+
+  echo "stapling ${BN}"
+  /usr/bin/xcrun stapler staple "${ARTIFACT}"
+done
+
+# Ensure _CodeSignature/CodeResources files have 0644 permissions so they can
+# be verified without using sudo.
+/usr/bin/find "${RELEASE_ROOT}/binaries" -type f -name CodeResources -exec chmod 0644 {} \;
+/usr/bin/find "${RELEASE_ROOT}/binaries" -type d -exec chmod 0755 {} \;
+/usr/bin/find "${RELEASE_ROOT}/conf" -type f -name "com.google.santa*" -exec chmod 0644 {} \;
+
+echo "verifying signatures"
+/usr/bin/codesign -vv -R="certificate leaf[subject.OU] = ${SIGNING_TEAMID}" \
+  "${RELEASE_ROOT}/binaries/"* || die "bad signature"
+
+echo "creating fresh release tarball"
+/bin/mkdir -p "${RELEASE_ROOT}/${RELEASE_NAME}"
+/bin/cp -r "${RELEASE_ROOT}/binaries" "${RELEASE_ROOT}/${RELEASE_NAME}"
+/bin/cp -r "${RELEASE_ROOT}/conf" "${RELEASE_ROOT}/${RELEASE_NAME}"
+/bin/cp -r "${RELEASE_ROOT}/dsym" "${RELEASE_ROOT}/${RELEASE_NAME}"
+/usr/bin/tar -C "${RELEASE_ROOT}" -czvf "${TAR_PATH}" "${RELEASE_NAME}" || die "failed to create release tarball"
+
+echo "creating app pkg"
+/bin/mkdir -p "${APP_PKG_ROOT}/Applications" \
+  "${APP_PKG_ROOT}/Library/LaunchAgents" \
+  "${APP_PKG_ROOT}/Library/LaunchDaemons" \
+  "${APP_PKG_ROOT}/private/etc/asl" \
+  "${APP_PKG_ROOT}/private/etc/newsyslog.d"
+/bin/cp -vXR "${RELEASE_ROOT}/binaries/Santa.app" "${APP_PKG_ROOT}/Applications/"
+/bin/cp -vX "${RELEASE_ROOT}/conf/com.google.santad.plist" "${APP_PKG_ROOT}/Library/LaunchDaemons/"
+/bin/cp -vX "${RELEASE_ROOT}/conf/com.google.santa.plist" "${APP_PKG_ROOT}/Library/LaunchAgents/"
+/bin/cp -vX "${RELEASE_ROOT}/conf/com.google.santa.bundleservice.plist" "${APP_PKG_ROOT}/Library/LaunchDaemons/"
+/bin/cp -vX "${RELEASE_ROOT}/conf/com.google.santa.metricservice.plist" "${APP_PKG_ROOT}/Library/LaunchDaemons/"
+/bin/cp -vX "${RELEASE_ROOT}/conf/com.google.santa.asl.conf" "${APP_PKG_ROOT}/private/etc/asl/"
+/bin/cp -vX "${RELEASE_ROOT}/conf/com.google.santa.newsyslog.conf" "${APP_PKG_ROOT}/private/etc/newsyslog.d/"
+/bin/cp -vXL "${SCRIPT_PATH}/preinstall" "${APP_PKG_SCRIPTS}/"
+/bin/cp -vXL "${SCRIPT_PATH}/postinstall" "${APP_PKG_SCRIPTS}/"
+/bin/chmod +x "${APP_PKG_SCRIPTS}/"*
+
+# Disable bundle relocation.
+/usr/bin/pkgbuild --analyze --root "${APP_PKG_ROOT}" "${SCRATCH}/component.plist"
+/usr/bin/plutil -replace BundleIsRelocatable -bool NO "${SCRATCH}/component.plist"
+/usr/bin/plutil -replace BundleIsVersionChecked -bool NO "${SCRATCH}/component.plist"
+/usr/bin/plutil -replace BundleOverwriteAction -string upgrade "${SCRATCH}/component.plist"
+/usr/bin/plutil -replace ChildBundles -json "[]" "${SCRATCH}/component.plist"
+
+# Build app package
+/usr/bin/pkgbuild --identifier "com.google.santa" \
+  --version "$(echo "${RELEASE_NAME}" | cut -d - -f2)" \
+  --root "${APP_PKG_ROOT}" \
+  --component-plist "${SCRATCH}/component.plist" \
+  --scripts "${APP_PKG_SCRIPTS}" \
+  "${SCRATCH}/app.pkg"
+
+echo "creating kext pkg"
+/bin/mkdir -p "${KEXT_PKG_ROOT}/Library/Extensions"
+/bin/cp -vXR "${RELEASE_ROOT}/binaries/santa-driver.kext" "${KEXT_PKG_ROOT}/Library/Extensions/"
+/usr/bin/pkgbuild --analyze --root "${KEXT_PKG_ROOT}" "${SCRATCH}/component.plist"
+/usr/bin/plutil -replace BundleIsRelocatable -bool NO "${SCRATCH}/component.plist"
+/usr/bin/plutil -replace BundleIsVersionChecked -bool NO "${SCRATCH}/component.plist"
+/usr/bin/plutil -replace BundleOverwriteAction -string upgrade "${SCRATCH}/component.plist"
+/usr/bin/plutil -replace ChildBundles -json "[]" "${SCRATCH}/component.plist"
+
+# Build kext package
+/usr/bin/pkgbuild --identifier "com.google.santa-driver" \
+  --version "$(echo "${RELEASE_NAME}" | cut -d - -f2)" \
+  --root "${KEXT_PKG_ROOT}" \
+  --component-plist "${SCRATCH}/component.plist" \
+  "${SCRATCH}/kext.pkg"
+
+# Build signed distribution package
+echo "productbuild pkg"
+/bin/mkdir -p "${SCRATCH}/${RELEASE_NAME}"
+/usr/bin/productbuild \
+  --distribution "${SCRIPT_PATH}/Distribution.xml" \
+  --package-path "${SCRATCH}" \
+  --sign "${INSTALLER_SIGNING_IDENTITY}" --keychain "${INSTALLER_SIGNING_KEYCHAIN}" \
+  "${SCRATCH}/${RELEASE_NAME}/${RELEASE_NAME}.pkg"
+
+echo "verifying pkg signature"
+/usr/sbin/pkgutil --check-signature "${SCRATCH}/${RELEASE_NAME}/${RELEASE_NAME}.pkg" || die "bad pkg signature"
+
+echo "notarizing pkg"
+"${NOTARIZATION_TOOL}" --file "${SCRATCH}/${RELEASE_NAME}/${RELEASE_NAME}.pkg" \
+    --primary-bundle-id "com.google.santa"
+
+echo "stapling pkg"
+/usr/bin/xcrun stapler staple "${SCRATCH}/${RELEASE_NAME}/${RELEASE_NAME}.pkg" || die "failed to staple pkg"
+
+echo "wrapping pkg in dmg"
+/usr/bin/hdiutil create -fs HFS+ -format UDZO \
+    -volname "${RELEASE_NAME}" \
+    -ov -imagekey zlib-level=9 \
+    -srcfolder "${SCRATCH}/${RELEASE_NAME}/" "${DMG_PATH}" || die "failed to wrap pkg in dmg"
+
+echo "notarizing dmg"
+"${NOTARIZATION_TOOL}" --file "${DMG_PATH}" --primary-bundle-id "com.google.santa"
+
+echo "stapling dmg"
+/usr/bin/xcrun stapler staple "${DMG_PATH}" || die "failed to staple dmg"

Conf/Package/postinstall

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Load the kernel extension, santad, sync client
+# Load com.google.santa.daemon and com.google.santa.bundleservice
 # If a user is logged in, also load the GUI agent.
 # If the target volume is not /, do nothing
 
@@ -9,20 +9,26 @@
 # Restart syslogd to pick up ASL configuration change
 /usr/bin/killall -HUP syslogd
 
-/sbin/kextload /Library/Extensions/santa-driver.kext
-
-sleep 1
-
-/bin/launchctl load -w /Library/LaunchDaemons/com.google.santad.plist
-
-sleep 1
-
 # Create hopefully useful symlink for santactl
 mkdir -p /usr/local/bin
-/bin/ln -sf /Library/Extensions/santa-driver.kext/Contents/MacOS/santactl /usr/local/bin/santactl
+/bin/ln -sf /Applications/Santa.app/Contents/MacOS/santactl /usr/local/bin/santactl
 
-user=$(/usr/bin/stat -f '%u' /dev/console)
-[[ -z "$user" ]] && exit 0
-/bin/launchctl asuser ${user} /bin/launchctl load /Library/LaunchAgents/com.google.santagui.plist
+# Remove the kext before com.google.santa.daemon loads if the SystemExtension is already present.
+# This prevents Santa from dueling itself if the "EnableSystemExtension" config is set to false.
+/bin/launchctl list EQHXZ8M8AV.com.google.santa.daemon > /dev/null 2>&1 && rm -rf /Library/Extensions/santa-driver.kext
 
+# Load com.google.santa.daemon, its main has logic to handle loading the kext
+# or relaunching itself as a SystemExtension.
+/bin/launchctl load -w /Library/LaunchDaemons/com.google.santad.plist
+
+# Load com.google.santa.bundleservice
+/bin/launchctl load -w /Library/LaunchDaemons/com.google.santa.bundleservice.plist
+
+# Load com.google.santa.metricservice
+/bin/launchctl load -w /Library/LaunchDaemons/com.google.santa.metricservice.plist
+
+GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
+[[ -z "${GUI_USER}" ]] && exit 0
+
+/bin/launchctl asuser "${GUI_USER}" /bin/launchctl load /Library/LaunchAgents/com.google.santa.plist
 exit 0

Conf/Package/preinstall

@@ -6,22 +6,27 @@
 
 [[ $3 != "/" ]] && exit 0
 
-/bin/launchctl remove com.google.santad
+/bin/launchctl remove com.google.santad || true
+/bin/launchctl remove com.google.santa.bundleservice || true
+/bin/launchctl remove com.google.santa.metricservice || true
 
-sleep 1
+/bin/sleep 1
 
-/sbin/kextunload -b com.google.santa-driver >/dev/null 2>&1
+/sbin/kextunload -b com.google.santa-driver >/dev/null 2>&1 || true
 
 # Remove cruft from old Santa versions
-/bin/rm /usr/libexec/santad
-/bin/rm /usr/sbin/santactl
+/bin/rm -f /usr/libexec/santad
+/bin/rm -f /usr/sbin/santactl
 /bin/launchctl remove com.google.santasync
-/bin/rm /Library/LaunchDaemons/com.google.santasync.plist
+/bin/rm -f /Library/LaunchDaemons/com.google.santasync.plist
 /bin/rm -rf /Applications/Santa.app
+/bin/rm -rf /Library/Extensions/santa-driver.kext
 
-sleep 1
+/bin/sleep 1
 
-user=$(/usr/bin/stat -f '%u' /dev/console)
-[[ -n "$user" ]] && /bin/launchctl asuser ${user} /bin/launchctl remove com.google.santagui
+GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
+[[ -z "${GUI_USER}" ]] && exit 0
 
+/bin/launchctl asuser "${GUI_USER}" /bin/launchctl remove com.google.santagui
+/bin/launchctl asuser "${GUI_USER}" /bin/launchctl remove com.google.santa
 exit 0

Conf/com.google.santa.asl.conf

@@ -1,6 +0,0 @@
-# Copy this file to /etc/asl to log all messages from santa-driver to the log file
-> /var/db/santa/santa.log format="[$((Time)(ISO8601Z.3))] $Message" mode=0644 rotate=seq compress file_max=25M all_max=100M uid=0 gid=0
-? [= Sender kernel] [S= Message santa-driver:] claim
-? [= Sender kernel] [S= Message santa-driver:] file /var/db/santa/santa.log
-? [= Facility com.google.santa] claim
-? [= Facility com.google.santa] file /var/db/santa/santa.log

Conf/com.google.santa.bundleservice.plist

@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Label</key>
+	<string>com.google.santa.bundleservice</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>/Applications/Santa.app/Contents/MacOS/santabundleservice</string>
+		<string>--syslog</string>
+	</array>
+	<key>MachServices</key>
+	<dict>
+		<key>com.google.santa.bundleservice</key>
+		<true/>
+	</dict>
+	<key>RunAtLoad</key>
+	<false/>
+	<key>KeepAlive</key>
+	<false/>
+	<key>ProcessType</key>
+	<string>Interactive</string>
+	<key>ThrottleInterval</key>
+	<integer>0</integer>
+</dict>
+</plist>

Conf/com.google.santa.metricservice.plist

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Label</key>
+	<string>com.google.santa.metricservice</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>/Applications/Santa.app/Contents/MacOS/santametricservice</string>
+		<string>--syslog</string>
+	</array>
+	<key>MachServices</key>
+	<dict>
+		<key>com.google.santa.metricservice</key>
+		<true/>
+	</dict>
+	<key>RunAtLoad</key>
+	<true/>
+	<key>KeepAlive</key>
+	<true/>
+</dict>
+</plist>

Conf/com.google.santa.newsyslog.conf

@@ -1,2 +1,2 @@
 # logfilename             [owner:group]       mode   count size(KiB) when   flags [/pid_file] # [sig_num]
-/var/db/santa/santa.log   root:wheel          644    10    25000     *      NZ
+/var/db/santa/santa.log   root:wheel          644    10    25000     *      Z

Conf/com.google.santa.plist

@@ -3,10 +3,10 @@
 <plist version="1.0">
 <dict>
 				<key>Label</key>
-				<string>com.google.santagui</string>
+				<string>com.google.santa</string>
 				<key>ProgramArguments</key>
 				<array>
-					<string>/Library/Extensions/santa-driver.kext/Contents/Resources/Santa.app/Contents/MacOS/Santa</string>
+					<string>/Applications/Santa.app/Contents/MacOS/Santa</string>
 					<string>--syslog</string>
 				</array>
 				<key>RunAtLoad</key>

Conf/com.google.santa.syncservice.plist

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Label</key>
+	<string>com.google.santa.syncservice</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>/Applications/Santa.app/Contents/MacOS/santasyncservice</string>
+		<string>--syslog</string>
+	</array>
+	<key>MachServices</key>
+	<dict>
+		<key>com.google.santa.syncservice</key>
+		<true/>
+	</dict>
+	<key>RunAtLoad</key>
+	<true/>
+	<key>KeepAlive</key>
+	<true/>
+</dict>
+</plist>

Conf/com.google.santad.plist

@@ -1,24 +1,24 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-				<key>Label</key>
-				<string>com.google.santad</string>
-				<key>ProgramArguments</key>
-				<array>
-					<string>/Library/Extensions/santa-driver.kext/Contents/MacOS/santad</string>
-					<string>--syslog</string>
-				</array>
-				<key>MachServices</key>
-				<dict>
-					<key>SantaXPCControl</key>
-					<true/>
-				</dict>
-				<key>RunAtLoad</key>
-				<true/>
-				<key>KeepAlive</key>
-				<true />
-				<key>ProcessType</key>
-				<string>Interactive</string>
+	<key>Label</key>
+	<string>com.google.santad</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>/Applications/Santa.app/Contents/Library/SystemExtensions/com.google.santa.daemon.systemextension/Contents/MacOS/com.google.santa.daemon</string>
+		<string>--syslog</string>
+	</array>
+	<key>MachServices</key>
+	<dict>
+		<key>com.google.santa.daemon</key>
+		<true/>
+	</dict>
+	<key>RunAtLoad</key>
+	<true/>
+	<key>KeepAlive</key>
+	<true/>
+	<key>ProcessType</key>
+	<string>Interactive</string>
 </dict>
 </plist>

Conf/install.sh

@@ -21,6 +21,12 @@ fi
 # Unload santad and scheduled sync job.
 /bin/launchctl remove com.google.santad >/dev/null 2>&1
 
+# Unload bundle service
+/bin/launchctl remove com.google.santa.bundleservice >/dev/null 2>&1
+
+# Unload metric service
+/bin/launchctl remove com.google.santa.metricservice >/dev/null 2>&1
+
 # Unload kext.
 /sbin/kextunload -b com.google.santa-driver >/dev/null 2>&1
 
@@ -28,8 +34,10 @@ fi
 GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
 
 # Unload GUI agent if someone is logged in.
+[[ -n "${GUI_USER}" ]] && \
+  /bin/launchctl asuser "${GUI_USER}" /bin/launchctl remove com.google.santagui
 [[ -n "$GUI_USER" ]] && \
-  /bin/launchctl asuser ${GUI_USER} /bin/launchctl remove com.google.santagui
+  /bin/launchctl asuser "${GUI_USER}" /bin/launchctl remove com.google.santa
 
 # Cleanup cruft from old versions
 /bin/launchctl remove com.google.santasync >/dev/null 2>&1
@@ -38,33 +46,40 @@ GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
 /bin/rm /usr/sbin/santactl >/dev/null 2>&1
 /bin/rm -rf /Applications/Santa.app 2>&1
 /bin/rm -rf /Library/Extensions/santa-driver.kext 2>&1
+/bin/rm /etc/asl/com.google.santa.asl.conf
 
 # Copy new files.
-/bin/cp -r ${BINARIES}/santa-driver.kext /Library/Extensions
+/bin/mkdir -p /var/db/santa
+
+/bin/cp -r ${BINARIES}/Santa.app /Applications
+
+# Only copy the kext if the SystemExtension is not present.
+# This prevents Santa from dueling itself if the "EnableSystemExtension" config is set to false.
+/bin/launchctl list EQHXZ8M8AV.com.google.santa.daemon > /dev/null 2>&1 || /bin/cp -r ${BINARIES}/santa-driver.kext /Library/Extensions && /usr/sbin/kextcache -update-volume / -bundle-id com.google.santa-driver
+
 /bin/mkdir -p /usr/local/bin
-/bin/ln -s /Library/Extensions/santa-driver.kext/Contents/MacOS/santactl /usr/local/bin 2>/dev/null
-
-if [ ! -d /var/db/santa ] ; then
-  /bin/mkdir /var/db/santa
-fi
+/bin/ln -s /Applications/Santa.app/Contents/MacOS/santactl /usr/local/bin 2>/dev/null
 
+/bin/cp ${CONF}/com.google.santa.plist /Library/LaunchAgents
+/bin/cp ${CONF}/com.google.santa.bundleservice.plist /Library/LaunchDaemons
+/bin/cp ${CONF}/com.google.santa.metricservice.plist /Library/LaunchDaemons
 /bin/cp ${CONF}/com.google.santad.plist /Library/LaunchDaemons
-/bin/cp ${CONF}/com.google.santagui.plist /Library/LaunchAgents
-/bin/cp ${CONF}/com.google.santa.asl.conf /etc/asl/
 /bin/cp ${CONF}/com.google.santa.newsyslog.conf /etc/newsyslog.d/
 
 # Reload syslogd to pick up ASL configuration change.
 /usr/bin/killall -HUP syslogd
 
-# Load kext.
-/sbin/kextload /Library/Extensions/santa-driver.kext
-
-# Load santad and scheduled sync jobs.
+# Load com.google.santa.daemon
 /bin/launchctl load /Library/LaunchDaemons/com.google.santad.plist
 
-# Load GUI agent if someone is logged in.
-[[ -n "$GUI_USER" ]] && \
-  /bin/launchctl asuser ${GUI_USER} \
-  /bin/launchctl load /Library/LaunchAgents/com.google.santagui.plist
+# Load com.google.santa.bundleservice
+/bin/launchctl load /Library/LaunchDaemons/com.google.santa.bundleservice.plist
 
+# Load com.google.santa.metricservice
+/bin/launchctl load /Library/LaunchDaemons/com.google.santa.metricservice.plist
+
+# Load GUI agent if someone is logged in.
+[[ -z "${GUI_USER}" ]] && exit 0
+
+/bin/launchctl asuser "${GUI_USER}" /bin/launchctl load -w /Library/LaunchAgents/com.google.santa.plist
 exit 0

Conf/uninstall.sh

@@ -6,18 +6,25 @@
 
 [ "$EUID" != 0 ] && printf "%s\n" "This requires running as root/sudo." && exit 1
 
+# For macOS 10.15+ this will block up to 60 seconds
+/bin/launchctl list EQHXZ8M8AV.com.google.santa.daemon > /dev/null 2>&1 && /Applications/Santa.app/Contents/MacOS/Santa --unload-system-extension
+
 /bin/launchctl remove com.google.santad
 sleep 1
 /sbin/kextunload -b com.google.santa-driver >/dev/null 2>&1
 user=$(/usr/bin/stat -f '%u' /dev/console)
 [[ -n "$user" ]] && /bin/launchctl asuser ${user} /bin/launchctl remove com.google.santagui
+[[ -n "$user" ]] && /bin/launchctl asuser ${user} /bin/launchctl remove com.google.santa
 # and to clean out the log config, although it won't write after wiping the binary
 /usr/bin/killall -HUP syslogd
 # delete artifacts on-disk
 /bin/rm -rf /Applications/Santa.app
 /bin/rm -rf /Library/Extensions/santa-driver.kext
 /bin/rm -f /Library/LaunchAgents/com.google.santagui.plist
+/bin/rm -f /Library/LaunchAgents/com.google.santa.plist
 /bin/rm -f /Library/LaunchDaemons/com.google.santad.plist
+/bin/rm -f /Library/LaunchDaemons/com.google.santa.bundleservice.plist
+/bin/rm -f /Library/LaunchDaemons/com.google.santa.metricservice.plist
 /bin/rm -f /private/etc/asl/com.google.santa.asl.conf
 /bin/rm -f /private/etc/newsyslog.d/com.google.santa.newsyslog.conf
 /bin/rm -f /usr/local/bin/santactl # just a symlink

Docs/details/events.md

@@ -1,141 +0,0 @@
-# Events
-
-Events are a defined set of data, core to how Santa interacts with a sync server. Events are generated when there is a blocked `execve()` while in Lockdown or Monitor mode. Events are also generated in Monitor mode for an `execve()` that was allowed to run, but would have been blocked in Lockdown mode. This allows an admin to roll out Santa to their macOS fleet in Monitor mode but still collect meaningful data. The events collected while in Monitor mode can be used to build a reasonably comprehensive whitelist of signing certificates and binaries before switching the fleet to Lockdown mode.
-
-##### Event Data
-
-Events begin their life as an [SNTStoredEvent](https://github.com/google/santa/blob/master/Source/common/SNTStoredEvent.h) object. The SNTStoredEvent class is just a simple storage class that has properties for all the relevant bits of information. More importantly the class implements the [NSSecureCoding](https://developer.apple.com/documentation/foundation/nssecurecoding?language=objc) protocol. This allows the objects to be encoded and decoded for storage in the events sqlite3 database on disk and sent over XPC to another process.
-
-Events are temporarily stored in a database until they are uploaded. The format is subject the change; accessing the events database directly will most likely break in future releases. If direct access to the events database is required, raise a [issue on the Santa GitHub](https://github.com/google/santa/issues).
-
-###### JSON
-
-Before an event is uploaded to a sync server, the event data is copied into a JSON blob. Here is an example of Firefox being blocked and sent for upload:
-
-```json
-{
-  "events": [
-    {
-      "file_path": "/var/folders/l5/pd9rhsp54s79_9_qcy746_tw00b_4p/T/AppTranslocation/254C1357-7461-457B-B734-A0FDAF0F26D9/d/Firefox.app/Contents/MacOS",
-      "file_bundle_version": "5417.6.28",
-      "parent_name": "launchd",
-      "logged_in_users": [
-        "bur"
-      ],
-      "quarantine_timestamp": 0,
-      "signing_chain": [
-        {
-          "cn": "Developer ID Application: Mozilla Corporation (43AQ936H96)",
-          "valid_until": 1652123338,
-          "org": "Mozilla Corporation",
-          "valid_from": 1494270538,
-          "ou": "43AQ936H96",
-          "sha256": "96f18e09d65445985c7df5df74ef152a0bc42e8934175a626180d9700c343e7b"
-        },
-        {
-          "cn": "Developer ID Certification Authority",
-          "valid_until": 1801519935,
-          "org": "Apple Inc.",
-          "valid_from": 1328134335,
-          "ou": "Apple Certification Authority",
-          "sha256": "7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f"
-        },
-        {
-          "cn": "Apple Root CA",
-          "valid_until": 2054670036,
-          "org": "Apple Inc.",
-          "valid_from": 1146001236,
-          "ou": "Apple Certification Authority",
-          "sha256": "b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024"
-        }
-      ],
-      "file_bundle_name": "Firefox",
-      "executing_user": "bur",
-      "ppid": 1,
-      "file_bundle_path": "/var/folders/l5/pd9rhsp54s79_9_qcy746_tw00b_4p/T/AppTranslocation/254C1357-7461-457B-B734-A0FDAF0F26D9/d/Firefox.app",
-      "file_name": "firefox",
-      "execution_time": 1501691337.059514,
-      "file_sha256": "dd78f456a0929faf5dcbb6d952992d900bfdf025e1e77af60f0b029f0b85bf09",
-      "decision": "BLOCK_BINARY",
-      "file_bundle_id": "org.mozilla.firefox",
-      "file_bundle_version_string": "54.0.1",
-      "pid": 49368,
-      "current_sessions": [
-        "bur@console",
-        "bur@ttys000",
-        "bur@ttys001",
-        "bur@ttys002",
-        "bur@ttys003",
-        "bur@ttys004"
-      ]
-    }
-  ]
-}
-```
-
-
-
-##### Event Lifecycle
-
-1. santad generates a new event
-2. santad compares, or adds if not present, the event's SHA-256 file hash to an in-memory cache with a timeout of 10 min. If an event with an matching hash is present in cache, the event is dropped.
-3. santad saves the event to `/var/db/santa/events.db` with a unique ID assigned as the key.
-4. santad sends an XPC message to the santactl daemon. The message contains the event with instructions to upload the event immediately. This is non-blocking and is performed on a background thread.
-
-##### Bundle Events
-
-Bundle events are a special type of event that are generated when a sync server supports receiving the associated bundle events, instead of just the original event. For example: `/Applications/Keynote.app/Contents/MacOS/Keynote` is blocked and an event representing the binary is uploaded. A whitelist rule is created for that one binary. Great, you can now run `/Applications/Keynote.app/Contents/MacOS/Keynote`, but what about all the other supporting binaries contained in the bundle? You would have to wait until they are executed until an event would be generated. It is very common for a bundle to contain multiple binaries, as shown here with Keynote.app. Waiting to get a block is not a very good user experience.
-
-```sh
-⇒  santactl bundleinfo /Applications/Keynote.app
-Hashing time: 1047 ms
-9 events found
-BundleHash: b475667ab1ab6eddea48bfc2bed76fcef89b8f85ed456c8068351292f7cb4806
-BundleID: com.apple.iWork.Keynote
-	SHA-256: be3aa404ee79c2af863132b93b0eedfdbc34c6e35d4fda2ade6dd637692ead84
-	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.MovieCompatibilityConverter.xpc/Contents/MacOS/com.apple.iWork.MovieCompatibilityConverter
-BundleID: com.apple.iWork.Keynote
-	SHA-256: 3b2582fd5e7652b653276b3980c248dc973e8082e9d0678c96a08d7d1a8366ba
-	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.PICTConverter.xpc/Contents/MacOS/com.apple.iWork.PICTConverter
-BundleID: com.apple.iWork.Keynote
-	SHA-256: f1bf3be05d511d7c7f651cf7b130d4977f8d28d0bfcd7c5de4144b95eaab7ad7
-	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.ExternalResourceAccessor.xpc/Contents/XPCServices/com.apple.iWork.TCMovieExtractor.xpc/Contents/MacOS/com.apple.iWork.TCMovieExtractor
-BundleID: com.apple.iWork.Keynote
-	SHA-256: b59bc8548c91088a40d9023abb5d22fa8731b4aa17693fcb5b98c795607d219a
-	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.BitmapTracer.xpc/Contents/MacOS/com.apple.iWork.BitmapTracer
-BundleID: com.apple.iWork.Keynote
-	SHA-256: 08cb407f541d867f1a63dc3ae44eeedd5181ca06c61df6ef62b5dc7192951a4b
-	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.TCUtilities32.xpc/Contents/MacOS/com.apple.iWork.TCUtilities32
-BundleID: com.apple.iWork.Keynote
-	SHA-256: b965ae7be992d1ce818262752d0cf44297a88324a593c67278d78ca4d16fcc39
-	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.ExternalResourceAccessor.xpc/Contents/XPCServices/com.apple.iWork.TCMovieExtractor.xpc/Contents/XPCServices/com.apple.iWork.TCMovieExtractor.TCUtilities32.xpc/Contents/MacOS/com.apple.iWork.TCMovieExtractor.TCUtilities32
-BundleID: com.apple.iWork.Keynote
-	SHA-256: 59668dc27314f0f6f5daa5f02b564c176f64836c88e2dfe166e90548f47336f1
-	Path: /Applications/Keynote.app/Contents/MacOS/Keynote
-BundleID: com.apple.iWork.Keynote
-	SHA-256: 7ce324f919b14e14d327004b09f83ca81345fd4438c87ead4b699f89e9485595
-	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.ExternalResourceAccessor.xpc/Contents/XPCServices/com.apple.iWork.ExternalResourceValidator.xpc/Contents/MacOS/com.apple.iWork.ExternalResourceValidator
-BundleID: com.apple.iWork.Keynote
-	SHA-256: 6b47f551565d886388eeec5e876b6de9cdd71ef36d43b0762e6ebf02bdd8515d
-	Path: /Applications/Keynote.app/Contents/XPCServices/com.apple.iWork.ExternalResourceAccessor.xpc/Contents/MacOS/com.apple.iWork.ExternalResourceAccessor
-```
-
-Bundle events provide a mechanism to generate and upload events for all the executable Mach-O binaries within a bundle. To enable bundle event generation a configuration must be set in the preflight sync stage on the sync server. Once set the sync server can use bundle events to drive a better user experience.
-
-Bundle events can be differentiated by the existence of these fields:
-
-| Field                    | Value                                    |
-| ------------------------ | ---------------------------------------- |
-| decision                 | BUNDLE_BINARY                            |
-| file_bundle_hash         | Super Hash of all binary hashes          |
-| file_bundle_hash_millis  | The time in milliseconds it took to find all of the binaries, hash and produce a super hash |
-| file_bundle_binary_count | Number of binaries within the bundle     |
-
-To avoid redundant uploads of a bundle event Santa will wait for the sync server to ask for them. The server will respond to event uploads with a request like this:
-
-| Field                        | Value                                    |
-| ---------------------------- | ---------------------------------------- |
-| event_upload_bundle_binaries | An array of bundle hashes that the sync server needs to be uploaded |
-
-When santactl receives this type of request, it sends an XPC reply to santad to save all the bundle events to the events.db. It then attempts to upload all the bundle events, purging the successes from the events.db. Any failures will be uploaded during the next full sync.
-

Docs/details/ipc.md

@@ -1,43 +0,0 @@
-# Interprocess Communication (IPC)
-
-Most IPC within Santa is done by way of Apple's [XPC](https://developer.apple.com/documentation/xpc?language=objc). Santa wraps [NSXPCConnection](https://developer.apple.com/documentation/foundation/nsxpcconnection?language=objc) to provide client multiplexing, signature validation of connecting clients and forced connection establishment. This is called SNTXPCConnection.
-
-Communication between santad and santa-driver (KEXT) is done with a [IOUserClient](https://developer.apple.com/documentation/kernel/iouserclient?language=objc) subclass and IOKit/IOKitLib.h functions.
-
-##### Who starts who?
-
-The santad and Santa (GUI) processes are both started and kept alive by launchd as a LaunchDaemon and a LaunchAgent, respectively. This means santad runs as root and Santa (GUI) runs as the console user. 
-
-There can be multiple Santa (GUI) processes running, one per user logged into the GUI (assuming fast-user switching is enabled). While multiple processes might be running, only the one for the user currently logged-in will be connected to santad and receiving notifications.
-
-When using a sync server, the santactl process is started by santad. Before the new process starts, all privileges are dropped. santactl runs as _nobody_.
-
-The santabs process is started by launchd via an XPC service connection from santad. XPC services inherit their initiator's privileges meaning santabs runs as root, which is necessary to ensure it has permission to read all files.
-
-| Process  | Parent Process | Running User |
-| -------- | -------------- | ------------ |
-| santad   | launchd        | root         |
-| Santa    | launchd        | user         |
-| santactl | santad         | nobody       |
-| santabs  | launchd        | root         |
-
-
-
-##### Who communicates with who?
-
-In short, santad has two-way communication with every other process. In addition, Santa and santabs have two-way communication between each other. For other combinations, there is no direct communication.
-
-![Santa IPC](santa_ipc.png)
-
-##### SNTXPCConnection and two way communication
-
-`SNTXPCConnection` enforces a server / client model for XPC connections. This allows for strong signature validation and forced connection establishment. The only problem with this model is the lack of two-way communication. For example, process A can call methods on process B and retrieve a response, but process B cannot call methods on process A.
-
-To accomplish two-way communication, the following approach can be used:
-
-1. Process A creates a server with an anonymous `NSXPCListener`.
-2. Process A sends the anonymous `NSXPCListenerEndpoint` to process B over an already established `SNTXPCConnection`.
-3. Process B can now communicate directly with process A.
-
-This is a powerful notion. It enables forced connection establishment between both processes, which is critical when reliability is a concern.
-

Docs/details/logs.md

@@ -1,30 +0,0 @@
-# Logs
-
-Santa currently logs to `/var/db/santa/santa.log` by default. All executions and disk mounts are logged here. File operations can also be configured to be logged. See the `FileChangesRegex` key in the [configuration.md](../deployment/configuration.md) document.
-
-To view the logs:
-
-```sh
-tail -F /var/db/santa/santa.log
-```
-
-The `-F` will continue watching the path even when the current file fills up and rolls over.
-
-##### macOS Unified Logging System (ULS)
-
-Currently all of the most recent releases of Santa are built with the macOS 10.11 SDK. This allows Santa to continue to log to Apple System Logger (ASL) instead of ULS. However, on macOS 10.12+ all of the Kernel logs are sent to ULS. See the KEXT Logging section below for more details.
-
-If you are building Santa yourself and using the macOS 10.12+ SDKs, Santa's logs will be sent to ULS.
-
-Work is currently underway to bypass ASL and ULS altogether, allowing Santa to continue logging to `/var/db/santa/santa.log`. This change will also allow us to add alternative logging formats, like Protocol Buffer or JSON.
-
-##### KEXT Logging
-
-Streaming logs from the santa-driver KEXT does not work properly. Logs are generated but they will likely be garbled or show inaccurate data.
-
-Instead, `show` can be used to view the santa-driver KEXT logs:
-
-```sh
-/usr/bin/log show --info --debug --predicate 'senderImagePath == "/Library/Extensions/santa-driver.kext/Contents/MacOS/santa-driver"'
-```
-

Docs/details/rules.md

@@ -1,104 +0,0 @@
-# Rules
-
-Rules provide the primary evaluation mechanism for whitelisting and blacklisting binaries with Santa on macOS. There are two types of rules: binary and certificate.
-
-##### Binary Rules
-
-Binary rules use the SHA-256 hash of the entire binary as an identifier. This is the most specific rule in Santa. Even a small change in the binary will alter the SHA-256 hash, invalidating the rule.
-
-##### Certificate Rules
-
-Certificate rules are formed from the SHA-256 fingerprint of an X.509 leaf signing certificate. This is a powerful rule type that has a much broader reach than an individual binary rule. A signing certificate can sign any number of binaries. Whitelisting or blacklisting just a few key signing certificates can cover the bulk of an average user's binaries. The leaf signing certificate is the only part of the chain that is evaluated. Though the whole chain is available for viewing.
-
-```sh
-⇒  santactl fileinfo /Applications/Dropbox.app --key "Signing Chain"
-Signing Chain:
-     1. SHA-256             : 2a0417257348a20f96c9de0486b44fcc7eaeaeb7625b207591b8109698c02dd2
-        SHA-1               : 86ec91f726ba9caa09665b2109c49117f0b93134
-        Common Name         : Developer ID Application: Dropbox, Inc.
-        Organization        : Dropbox, Inc.
-        Organizational Unit : G7HH3F8CAK
-        Valid From          : 2012/06/19 16:10:30 -0400
-        Valid Until         : 2017/06/20 16:10:30 -0400
-
-     2. SHA-256             : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f
-        SHA-1               : 3b166c3b7dc4b751c9fe2afab9135641e388e186
-        Common Name         : Developer ID Certification Authority
-        Organization        : Apple Inc.
-        Organizational Unit : Apple Certification Authority
-        Valid From          : 2012/02/01 17:12:15 -0500
-        Valid Until         : 2027/02/01 17:12:15 -0500
-
-     3. SHA-256             : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
-        SHA-1               : 611e5b662c593a08ff58d14ae22452d198df6c60
-        Common Name         : Apple Root CA
-        Organization        : Apple Inc.
-        Organizational Unit : Apple Certification Authority
-        Valid From          : 2006/04/25 17:40:36 -0400
-        Valid Until         : 2035/02/09 16:40:36 -0500
-```
-
-If you wanted to whitelist or blacklist all software signed with this perticular Dropbox signing certificate you would use the leaf SHA-256 fingerprint.
-
-`2a0417257348a20f96c9de0486b44fcc7eaeaeb7625b207591b8109698c02dd2`
-
-Santa does not evaluate the `Valid From` or `Valid Until` fields, nor does it check the Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP) for revoked certificates. Adding rules for the certificate chain's intermediates or roots has no effect on binaries signing by a leaf. Santa ignores the chain and is only concerned with the leaf certificate's SHA-256 hash.
-
-##### Rule Evaluation
-
-When a process is trying to `execve()` santad retrieves information on the binary,  including a hash of the entire file and the signing chain (if any). The hash and signing leaf certificate are then passed through the [SNTPolicyProcessor](https://github.com/google/santa/blob/master/Source/santad/SNTPolicyProcessor.h). Rules are evaluated from most specific to least specific. First binary (either whitelist or blacklist), then certificate (either whitelist or blacklist). If no rules are found that apply, scopes are then searched. See the [scopes.md](scopes.md) document for more information on scopes.
-
-You can use the `santactl fileinfo` command to check the status of any given binary on the filesystem.
-
-###### Whitelisted with a Binary Rule 
-
-```sh
-⇒  santactl fileinfo /Applications/Hex\ Fiend.app --key Rule
-Whitelisted (Binary)
-```
-
-###### Whitelisted with a Certificate Rule
-
-```sh
-⇒  santactl fileinfo /Applications/Safari.app --key Rule
-Whitelisted (Certificate)
-```
-
-###### Blacklisted with a Binary Rule
-
-```sh
-⇒  santactl fileinfo /usr/bin/yes --key Rule
-Blacklisted (Binary)
-```
-
-###### Blacklisted with a Certificate Rule
-
-```sh
-⇒  santactl fileinfo /Applications/Malware.app --key Rule
-Blacklisted (Certificate)
-```
-
-You can also check arbitrary SHA-256 binary and certificate hashes for rules. The rule verb needs to be run with root privileges.
-
-For checking the SHA-256 hash of `/usr/bin/yes`:
-
-```sh
-sudo santactl rule --check --sha256 $(santactl fileinfo --key SHA-256 /usr/bin/yes)
-Blacklisted (Binary)
-```
-
-For checking the SHA-256 hash of `/usr/bin/yes ` signing certificate:
-
-```sh
-⇒  sudo santactl rule --check --certificate --sha256 $(santactl fileinfo --cert-index 1 --key SHA-256 /usr/bin/yes)
-Whitelisted (Certificate)
-```
-
-##### Built-in rules
-
-To avoid blocking any Apple system binaries or Santa binaries, santad will create 2 immutable certificate rules at startup:
-
-* The signing certificate santad is signed with
-* The signing certificate launchd is signed with
-
-By creating these two rules at startup, Santa should never block critical Apple system binaries or other Santa components.

Docs/details/santa-driver.md

@@ -1,94 +0,0 @@
-# santa-driver
-
-santa-driver is a macOS [kernel extension](https://developer.apple.com/library/content/documentation/Darwin/Conceptual/KEXTConcept/KEXTConceptIntro/introduction.html) (KEXT) that makes use of the [Kernel Authorization](https://developer.apple.com/library/content/technotes/tn2127/_index.html) (Kauth) KPI. This allows santa-driver to listen for events and either deny or defer the decision of those events. The santa-driver acts as an intermediary layer between Kauth and santad, with some caching to lower the overhead of decision making.
-
-##### Kauth
-
-santa-driver utilizes two Kauth scopes `KAUTH_SCOPE_VNODE` and `KAUTH_SCOPE_FILEOP `. It registers itself with the Kauth API by calling `kauth_listen_scope()` for each scope. This function takes three arguments:
-
-* `const char *scope`
-* `kauth_scope_callback_t _callback`_
-* `void *contex`
-
-It returns a `kauth_listener_t` that is stored for later use, in Santa's case to stop listening.
-
-###### KAUTH_SCOPE_VNODE
-
-Here is how santa-driver starts listening for `KAUTH_SCOPE_VNODE` events.
-
-```c++
-vnode_listener_ = kauth_listen_scope(
-    KAUTH_SCOPE_VNODE, vnode_scope_callback, reinterpret_cast<void *>(this));
-```
-
-The function `vnode_scope_callback` is called for every vnode event. There are many types of vnode events, they complete list can be viewed in the kauth.h. There are many types of vnode events, the complete list can be viewed in kauth.h. Santa is only concerned with regular files generating `KAUTH_VNODE_EXECUTE` [1] and `KAUTH_VNODE_WRITE_DATA` events. All non-regular files and unnecessary vnode events are filtered out.
-
-Here is how santa-driver stops listening for `KAUTH_SCOPE_VNODE` events:
-
-```c++
-kauth_unlisten_scope(vnode_listener_);
-```
-
-[1] `KAUTH_VNODE_EXECUTE` events that do not have the `KAUTH_VNODE_ACCESS` advisory bit set.
-
-###### KAUTH_SCOPE_FILEOP
-
-Santa also listens for file operations, this is mainly used for logging [1] and cache invalidation. 
-
-* `KAUTH_FILEOP_DELETE`, `KAUTH_FILEOP_RENAME`, `KAUTH_FILEOP_EXCHANGE` and `KAUTH_FILEOP_LINK` are logged
-* `KAUTH_FILEOP_EXEC` is used to log `execve()`s. Since the `KAUTH_VNODE_EXECUTE` is used to allow or deny an `execve()` the process arguments have not been setup yet. Since `KAUTH_FILEOP_EXEC` is triggered after an `execve()` it is used to log the `execve()`.
-
-[1] `KAUTH_FILEOP_CLOSE` is used to invalidate that file's representation in the cache. If a file has changed it needs to be re-evalauted. This is particularly necessary for files that were added to the cache with an action of allow.
-
-##### Driver Interface
-
-santa-driver implements an [IOUserClient](https://developer.apple.com/documentation/kernel/iouserclient?language=objc) subclass and santad interacts with it through IOKit/IOKitLib.h functions.
-
-[//]: # "TODO(bur, rah) Flesh out the details"
-
-##### Cache
-
-To aid in performance, santa-driver utilizes a caching system to hold the state of all observed `execve()` events.
-
-###### Key
-
-The key is a `uint64_t`. The top 32 bits hold the filesystem ID, while the bottom 32 bits hold the file unique ID. Together we call this the vnode_id.
-
-```c++
-uint64_t vnode_id = (((uint64_t)fsid << 32) | fileid);
-```
-
-###### Value
-
-The value is a `uint64_t` containing the action necessary, along with the decision timestamp. The action is stored in the top 8 bits. The decision timestamp is stored in the remaining 56 bits.
-
-```c++
-santa_action_t action = (santa_action_t)(cache_val >> 56);
-uint64_t decision_time = (cache_val & ~(0xFF00000000000000));
-```
-
-The possible actions are:
-
-| Actions                 | Expiry Time      | Description                              |
-| ----------------------- | ---------------- | ---------------------------------------- |
-| `ACTION_REQUEST_BINARY` | None             | Awaiting an allow or deny decision from santad. |
-| `ACTION_RESPOND_ALLOW`  | None             | Allow the `execve()`                     |
-| `ACTION_RESPOND_DENY`   | 500 milliseconds | Deny the `execve()`, but re-evalaute after 500 milliseconds. If someone is trying to run a banned binary continually every millisecond for example, only 2 evaluation requests to santad for would occur per second. This mitigates a denial of service type attack on santad. |
-
-###### Invalidation
-
-Besides the expiry time for individual entries, the entire cache will be cleared if any of the following events takes place:
-
-* Addition of a blacklist rule
-* Addition of a blacklist regex scope
-* Cache fills up. This defaults to `5000` entries for the root volume and `500` for all other mounted volumes.
-
-To view the current kernel cache count see the "Kernel info" section of `santactl status`:
-
-```sh
-⇒  santactl status
->>> Kernel Info
-    Root cache count          | 107
-    Non-root cache count      | 0
-```
-

Docs/details/santabs.md

@@ -1,44 +0,0 @@
-# santabs
-
-The santabs process is an XPC service for the santa-driver.kext bundle, meaning only binaries within that bundle can launch santabs. It will be launched with the same privileges as its calling process. Currently, santad is the only caller of santabs, so santabs runs as root.
-
-##### Events
-
-The santabs process is quite simple and only does one thing: it generates non-execution events for the contents of a bundle.
-
-When there is an `execve()` that is blocked within a bundle, a few actions take place:
-
-1. The highest ancestor bundle in the tree is found
-
-   * So `/Applications/DVD Player.app/Contents/MacOS/DVD Player` would be `/Applications/DVD Player.app`
-   * Or `/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension` would be `/Applications/Safari.app`
-
-2. The ancestor bundle is then searched for Mach-O executables
-
-   * For Safari that would currently be 4 binaries
-
-   * ```sh
-     Hashing time: 53 ms
-     4 events found
-     BundleHash: 718773556ca5ea798f984fde2fe1a5994f175900b26d2964c9358a0f469a4ac6
-     BundleID: com.apple.Safari
-     	SHA-256: ea872e83a518ce442ed050c4408a448d915e2bae90ef8455ce7805448d864a3e
-     	Path: /Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
-     BundleID: com.apple.Safari
-     	SHA-256: 1a43283857b1822164f82af274c476204748c0a2894dbcaa11ed17f78e0273cc
-     	Path: /Applications/Safari.app/Contents/MacOS/Safari
-     BundleID: com.apple.Safari
-     	SHA-256: ab0ac54dd90144931b681d1e84e198c6510be44ac5339437bc004e60777af7ba
-     	Path: /Applications/Safari.app/Contents/Resources/appdiagnose
-     BundleID: com.apple.Safari
-     	SHA-256: f49c5aa3a7373127d0b4945782b1fa375dd3707d66808fd66b7c0756430defa8
-     	Path: /Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService
-     ```
-
-3. Events are created for each binary and the bundle hash is calculated
-
-4. These events are sent to the sync server for processing
-
-##### Bundle Hash
-
-The found events are sorted by their file SHA-256 hash. The hashes are concatenated and then SHA-256 hashed. This is now a strong indicator on what Mach-O executables were within the bundle at the time of scan. This can then be verified by the sync server when deciding to generate rules.

Docs/details/santad.md

@@ -1,23 +0,0 @@
-# santad
-
-The santad process does the heavy lifting when it comes to making decisions about binary executions. It also handles brokering all of the XPC connections between the various components of Santa. It does all of this with performance being at the forefront. 
-
-##### A note on performance
-
-On an idling machine, santad and the other components of Santa consume virtually no CPU and a minimal amount of memory (5-50MB). When lots of processes `execve()` at the same time, the CPU and memory usage can spike. All of the `execve()` decisions are made on high priority threads to ensure decisions are posted back to the kernel as soon as possible. A watchdog thread will log warnings when sustained high CPU (>20%) and memory (>250MB) usage by santad is detected.
-
-##### On Launch
-
-The very first thing santad does once it has been launched is to load and connect to santa-driver. Only one connection may be active at any given time.
-
-At this point, santa-driver is loaded and running in the kernel, but is allowing all executions and not sending any messages to santad. Before santad tells santa-driver it is ready to receive messages, it needs to setup a few more things:
-
-* The rule and event databases are initialized
-* Connections to Santa (GUI) and santactl sync daemon are established. 
-* The config file is processed.
-
-santad is now ready to start processing decision and logging messages from santa-driver. The listeners are started and santad sits in a run loop awaiting messages from santa-driver. 
-
-##### Running
-
-Messages are read from a shared memory queue (`IODataQueueMemory` ) on a single thread. A callback is invoked for each message. The callback then dispatches all the work of processing a decision message to a concurrent high priority queue. The log messages are dispatched to a low priority queue for processing.

Docs/details/scopes.md

@@ -1,27 +0,0 @@
-# Scopes
-
-In addition to rules, Santa can whitelist or blacklist based on scopes. Currently, only a few scopes are implemented. They fall into one of two categories: a whitelist scope or blacklist scope. Scopes are evaluated after rules, with blacklist evaluation preceding whitelist.
-
-Scopes are a broader way of whitelisting or blacklisting `execve()`s.
-
-For configuration of scopes see [configuration.md](../deployment/configuration.md).
-
-##### Blacklist Scopes
-
-| Scope                | Configurable |
-| -------------------- | ------------ |
-| Blacklist Path Regex | Yes          |
-| Missing __PAGEZERO   | Yes          |
-
-##### Whitelist Scopes
-
-| Scope                | Configurable |
-| -------------------- | ------------ |
-| Whitelist Path Regex | Yes          |
-| Not a Mach-O         | No           |
-
-As seen above, Santa will whitelist any non Mach-O binary under a whitelist scope. However, a blacklist regex or binary SHA-256 rule can be used to block non Mach-O `execve()`s since they are evaluated before the whitelist scopes.
-
-##### Regex Caveats
-
-The paths covered by the whitelist and blacklist regex patterns are not tracked. If an `execve()` is allowed initially, then moved into a blacklist directory, Santa has no knowledge of that move. Since santa-driver caches decisions, the recently moved file will continue to be allowed to `execve()` even though it is now within a blacklisted regex path. The cache holds "allow" decisions until invalidated and "deny" decisions for 500 milliseconds. Going from a blacklist path to a whitelist path is not largely affected.

Docs/introduction/binary-whitelisting-overview.md

@@ -1,31 +0,0 @@
-# Binary Whitelisting Overview
-
-#### Background
-
-The decision flow starts in the kernel. The macOS kernel is extensible by way of a kernel extension (KEXT). macOS makes available kernel programming interfaces (KPIs) to be used by a KEXT. Santa utilizes the Kernel Authorization (Kauth) KPI. This is a very powerful and verbose interface that gives Santa the ability to listen in on most vnode and file systems operations and to take actions, directly or indirectly, on the operations being performed. Still, there are some limitations to Kauth which are pointed out in the santa-driver document. For more information on the santa-driver KEXT see the [santa-driver.md](../details/santa-driver.md) document.
-
-#### Flow of an execve()
-
-This is a high level overview of the binary whitelisting / blacklisting decision process. For a more detailed account of each part, see the respective documentation. This flow does not cover the logging component of Santa, see the [logs.md](../details/logs.md) documentation for more info.
-
-###### Kernel Space
-
-0. santa-driver registers itself as a `KAUTH_SCOPE_VNODE` listener. This flow follows how santa-driver handles `KAUTH_VNODE_EXECUTE` events.
-1. A santa-driver Kauth callback function is executed by the kernel when a process is trying to `execve()`. In most cases, the `execve()` takes place right after a process calls `fork()` to start a new process. This function is running on a kernel thread representing the new process. Information on where to find the executable is provided. This information is known as the `vnode_id`.
-2. santa-driver then checks if its cache has an allow or deny entry for the `vnode_id`. If so it returns that decision to the Kauth KPI. 
-   * If Kauth receives a deny, it will stop the `execve()` from taking place. 
-   * If Kauth receives an allow, it will defer the decision. If there are other Kauth listeners, they also have a chance deny or defer.
-3. If there is no entry for the `vnode_id` in the cache a few actions occur:
-   * santa-driver hands off the decision making to santad.
-   * A new entry is created in the cache for the `vnode_id` with a special value of `ACTION_REQUEST_BINARY`.  This is used as a placeholder until the decision from santad comes back. If another process tries to `execve()` the same `vnode_id`, santa-driver will have that thread wait for the in-flight decision from santad. All subsequent `execve()`s for the same `vnode_id` will use the decision in the cache as explained in #2, until the cache is invalidated. See the [santa-driver.md](../details/santa-driver.md) document for more details on the cache invalidation.
-   * If the executing file is written to while any of the threads are waiting for a response the `ACTION_REQUEST_BINARY` entry is removed, forcing the decision-making process to be restarted.
-
-###### User Space
-
-1. santad is listening for decision requests from santa-driver.
-   * More information is collected about the executable that lives at the `vnode_id`. Since this codepath has a sleeping kernel thread waiting for a decision, extra care is taken to be as performant as possible.
-2. santad uses the information it has gathered to make a decision to allow or deny the `execve()`. There are more details on how these decisions are made in the [rules.md](../details/rules.md) and [scopes.md](../details/scopes.md) documents.
-3. The decision is posted back to santa-driver.
-4. If there was a deny decision, a message is sent to Santa GUI to display a user popup notification.
-
-

Docs/introduction/syncing-overview.md

@@ -1,27 +0,0 @@
-# Syncing Overview
-
-#### Background
-
-Santa can be run and configured without a sync server. Doing so will enable an admin to configure rules with the `santactl rule` command. Using a sync server will enable an admin to configures rules and multiple other settings from the sync server itself. Santa was designed from the start with a sync server in mind. This allows an admin to easily configure and sync rules across a fleet of macOS systems. This document explains the syncing process.
-
-#### Flow of a full sync
-
-This is a high level overview of the syncing process. For a more a more detailed account of each part, see the respective documentation. The santaclt binary can be run in one of two modes, daemon and non-daemon. The non-daemon mode does one full sync and exits. This is the typical way a user will interact with Santa, mainly to force a full sync. The daemon mode is used by santad to schedule full syncs, listen for push notifications and upload events.
-
-0. When the santad process starts up, it looks for a `SyncBaseURL` key/value in the config. If one exists it will `fork()` and `execve()` `santactl sync —-daemon`. Before the new process calls `execve()`, all privileges are dropped. All privileged actions are then restricted to the XPC interface made available to santactl by santad. Since this santactl process is running as a daemon it too exports an XPC interface so santad can interact with the process efficiently and securely. To ensure syncing reliability santad will restart the santactl daemon if it is killed or crashes.
-1. The santactl daemon process now schedules a full sync for 15 sec in the future. The 15 sec is used to let santad settle before santactl starts sending rules from the sync server to process.
-2. The full sync starts. There are a number of stages to a full sync:
-   1. preflight: The sync server can set various settings for Santa.
-   2. logupload (optional): The sync server can request that the Santa logs be uploaded to an endpoint.
-   3. eventupload (optional): If Santa has generated events, it will upload them to the sync-server.
-   4. ruledownload: Download rules from the sync server.
-   5. postflight: Updates timestamps for successful syncs.
-3. After the full sync completes a new full sync will be scheduled, by default this will be 10min. However there are a few ways to manipulate this:
-   1. The sync server can send down a configuration in the preflight to override the 10min interval. It can be anything greater than 10min.
-   2. Firebase Cloud Messaging (FCM) can be used. The sync server can send down a configuration in the preflight to have the santactl daemon to start listening for FCM messages. If a connection to FCM is made, the full sync interval drops to a default of 4 hours. This can be further configured by a preflight configuration. The FCM connection allows the sync-sever to talk directly with Santa. This way we can reduce polling the sync server dramatically.
-4. Full syncs will continue to take place at their configured interval. If configured FCM messages will continue to be digested and acted upon.
-
-#### santactl XPC interface
-
-When running as a daemon, the santactl process makes available an XPC interface for use by santad. This allows santad to send blocked binary or bundle events directly to santactl for immediate upload to the sync-server, enabling a smoother user experience. The binary that was blocked on macOS is immediately available for viewing or handling on the sync-server.
-

Docs/theme/Santa.css

@@ -1,3 +0,0 @@
-.wy-side-nav-search {
-  background-color: rgb(253, 67, 69);
-}

Fuzzing/santacache/src/main.cpp

@@ -14,10 +14,11 @@
 
 #include <SantaCache.h>
 
-#include <iostream>
 #include <cstdint>
+#include <iostream>
 
-extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size) {
+extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data,
+                                      std::size_t size) {
   static SantaCache<uint64_t, uint64_t> decision_cache(5000, 2);
 
   std::uint64_t fields[2] = {};
@@ -33,7 +34,8 @@ extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size
   auto returned_value = decision_cache.get(fields[0]);
 
   if (returned_value != fields[1]) {
-    std::cout << fields[0] << ", " << fields[1] << " -> " << returned_value << "\n";
+    std::cout << fields[0] << ", " << fields[1] << " -> " << returned_value
+              << "\n";
     return 1;
   }
 

Fuzzing/santactl/src/main.mm

@@ -12,14 +12,14 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#include <iostream>
 #include <cstdint>
+#include <iostream>
 #include <vector>
 
-#include <SNTCommandSyncRuleDownload.h>
-#include <SNTCommandSyncState.h>
-#include <SNTCommandSyncConstants.h>
 #include <SNTRule.h>
+#include <SNTSyncConstants.h>
+#include <SNTSyncRuleDownload.h>
+#include <SNTSyncState.h>
 
 extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size) {
   NSData *buffer = [NSData dataWithBytes:static_cast<const void *>(data) length:size];
@@ -41,12 +41,12 @@ extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size
     return 0;
   }
 
-  SNTCommandSyncState *state = [[SNTCommandSyncState alloc] init];
+  SNTSyncState *state = [[SNTSyncState alloc] init];
   if (!state) {
     return 0;
   }
 
-  SNTCommandSyncRuleDownload *obj = [[SNTCommandSyncRuleDownload alloc] initWithState:state];
+  SNTSyncRuleDownload *obj = [[SNTSyncRuleDownload alloc] initWithState:state];
   if (!obj) {
     return 0;
   }
@@ -57,6 +57,6 @@ extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size
       std::cerr << "Rule: " << [[rule description] UTF8String] << "\n";
     }
   }
- 
+
   return 0;
 }

Fuzzing/santad/src/checkCacheForVnodeID.mm

@@ -12,8 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#include <iostream>
 #include <cstdint>
+#include <iostream>
 
 #import <MOLXPCConnection/MOLXPCConnection.h>
 
@@ -23,15 +23,14 @@
 
 extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size) {
   if (size > 16) {
-    std::cerr << "Invalid buffer size of " << size
-              <<  " (should be <= 16)" << std::endl;
+    std::cerr << "Invalid buffer size of " << size << " (should be <= 16)" << std::endl;
 
     return 1;
   }
 
   santa_vnode_id_t vnodeID = {};
   std::memcpy(&vnodeID, data, size);
-  
+
   MOLXPCConnection *daemonConn = [SNTXPCControlInterface configuredConnection];
   daemonConn.invalidationHandler = ^{
     printf("An error occurred communicating with the daemon, is it running?\n");
@@ -40,16 +39,20 @@ extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size
 
   [daemonConn resume];
 
-  [[daemonConn remoteObjectProxy] checkCacheForVnodeID:vnodeID
-                                                  withReply:^(santa_action_t action) {
-    if (action == ACTION_RESPOND_ALLOW) {
-      std::cerr << "File exists in [whitelist] kernel cache" << std::endl;;
-    } else if (action == ACTION_RESPOND_DENY) {
-      std::cerr << "File exists in [blacklist] kernel cache" << std::endl;;
-    } else if (action == ACTION_UNSET) {
-      std::cerr << "File does not exist in cache" << std::endl;;
-    }
-  }];
-  
+  [[daemonConn remoteObjectProxy]
+    checkCacheForVnodeID:vnodeID
+               withReply:^(santa_action_t action) {
+                 if (action == ACTION_RESPOND_ALLOW) {
+                   std::cerr << "File exists in [whitelist] kernel cache" << std::endl;
+                   ;
+                 } else if (action == ACTION_RESPOND_DENY) {
+                   std::cerr << "File exists in [blacklist] kernel cache" << std::endl;
+                   ;
+                 } else if (action == ACTION_UNSET) {
+                   std::cerr << "File does not exist in cache" << std::endl;
+                   ;
+                 }
+               }];
+
   return 0;
 }

Fuzzing/santad/src/databaseRemoveEventsWithIDs.mm

@@ -12,8 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#include <iostream>
 #include <cstdint>
+#include <iostream>
 
 #import <MOLXPCConnection/MOLXPCConnection.h>
 

Fuzzing/santad/src/databaseRuleAddRules.mm

@@ -12,8 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#include <iostream>
 #include <cstdint>
+#include <iostream>
 
 #import <MOLXPCConnection/MOLXPCConnection.h>
 
@@ -34,9 +34,8 @@ struct InputData {
 
 extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size) {
   if (size > sizeof(InputData)) {
-    std::cerr << "Invalid buffer size of " << size
-              <<  " (should be <= " << sizeof(InputData)
-              << ")" << std::endl;
+    std::cerr << "Invalid buffer size of " << size << " (should be <= " << sizeof(InputData) << ")"
+              << std::endl;
 
     return 1;
   }
@@ -45,11 +44,11 @@ extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size
   std::memcpy(&input_data, data, size);
 
   SNTRule *newRule = [[SNTRule alloc] init];
-  newRule.state = (SNTRuleState) input_data.state;
-  newRule.type = (SNTRuleType) input_data.type;
-  newRule.shasum = @(input_data.hash);
+  newRule.state = (SNTRuleState)input_data.state;
+  newRule.type = (SNTRuleType)input_data.type;
+  newRule.identifier = @(input_data.hash);
   newRule.customMsg = @"";
-  
+
   MOLXPCConnection *daemonConn = [SNTXPCControlInterface configuredConnection];
   daemonConn.invalidationHandler = ^{
     printf("An error occurred communicating with the daemon, is it running?\n");
@@ -57,17 +56,18 @@ extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size
   };
 
   [daemonConn resume];
-  [[daemonConn remoteObjectProxy] databaseRuleAddRules:@[newRule]
-                                                 cleanSlate:NO
-                                                      reply:^(NSError *error) {
-    if (!error) {
-      if (newRule.state == SNTRuleStateRemove) {
-        printf("Removed rule for SHA-256: %s.\n", [newRule.shasum UTF8String]);
-      } else {
-        printf("Added rule for SHA-256: %s.\n", [newRule.shasum UTF8String]);
-      }
-    }
-  }];
-  
+  [[daemonConn remoteObjectProxy]
+    databaseRuleAddRules:@[ newRule ]
+              cleanSlate:NO
+                   reply:^(NSError *error) {
+                     if (!error) {
+                       if (newRule.state == SNTRuleStateRemove) {
+                         printf("Removed rule for SHA-256: %s.\n", [newRule.identifier UTF8String]);
+                       } else {
+                         printf("Added rule for SHA-256: %s.\n", [newRule.identifier UTF8String]);
+                       }
+                     }
+                   }];
+
   return 0;
 }

README.md

@@ -1,29 +1,23 @@
-# Santa [![Build Status][build-status-img]][build-status-link] [![Documentation Status][doc-status-img]][doc-status-link]
-
-[build-status-img]: https://travis-ci.org/google/santa.png?branch=master
-[build-status-link]: https://travis-ci.org/google/santa
-[doc-status-img]: https://readthedocs.org/projects/santa/badge/?version=latest
-[doc-status-link]: https://santa.readthedocs.io/en/latest/?badge=latest
+# Santa [![CI](https://github.com/google/santa/actions/workflows/ci.yml/badge.svg)](https://github.com/google/santa/actions/workflows/ci.yml) [![Coverage Status](https://coveralls.io/repos/github/google/santa/badge.svg?branch=main)](https://coveralls.io/github/google/santa?branch=main)
 
 <p align="center">
-    <img src="./Source/SantaGUI/Resources/Images.xcassets/AppIcon.appiconset/santa-hat-icon-128.png" alt="Santa Icon" />
+    <img src="./Source/santa/Resources/Images.xcassets/AppIcon.appiconset/santa-hat-icon-128.png" alt="Santa Icon" />
 </p>
 
-Santa is a binary whitelisting/blacklisting system for macOS. It consists of a
-kernel extension that monitors for executions, a userland daemon that makes
-execution decisions based on the contents of a SQLite database, a GUI agent
-that notifies the user in case of a block decision and a command-line utility
-for managing the system and synchronizing the database with a server.
+Santa is a binary authorization system for macOS. It consists of a system or
+kernel extension (depending on the macOS version) that monitors for executions,
+a daemon that makes execution decisions based on the contents of a local
+database, a GUI agent that notifies the user in case of a block decision
+and a command-line utility for managing the system and synchronizing the
+database with a server.
 
 It is named Santa because it keeps track of binaries that are naughty or nice.
 
-Santa is a project of Google's Macintosh Operations Team.
-
 # Docs
 
 The Santa docs are stored in the
-[Docs](https://github.com/google/santa/blob/master/Docs) directory. A Read the
-Docs instance is available here: https://santa.readthedocs.io.
+[Docs](https://github.com/google/santa/blob/main/docs) directory and published
+at http://santa.dev.
 
 The docs include deployment options, details on how parts of Santa work and
 instructions for developing Santa itself.
@@ -35,29 +29,32 @@ the [santa-dev](https://groups.google.com/forum/#!forum/santa-dev) group is a
 great place.
 
 If you believe you have a bug, feel free to report [an
-issue](https://github.com/google/santa/isues) and we'll respond as soon as we
+issue](https://github.com/google/santa/issues) and we'll respond as soon as we
 can.
 
+If you believe you've found a vulnerability, please read the
+[security policy](https://github.com/google/santa/security/policy) for
+disclosure reporting.
 
-# Admin-Related Features
+# Features
 
 * Multiple modes: In the default MONITOR mode, all binaries except those marked
-  as blacklisted will be allowed to run, whilst being logged and recorded in
-  the events database. In LOCKDOWN mode, only whitelisted binaries are allowed
-  to run.
+  as blocked will be allowed to run, whilst being logged and recorded in
+  the events database. In LOCKDOWN mode, only listed binaries are allowed to
+  run.
 
 * Event logging: When the kext is loaded, all binary launches are logged.  When
   in either mode, all unknown or denied binaries are stored in the database to
   enable later aggregation.
 
 * Certificate-based rules, with override levels: Instead of relying on a
-  binary's hash (or 'fingerprint'), executables can be whitelisted/blacklisted
-  by their signing certificate. You can therefore trust/block all binaries by a
+  binary's hash (or 'fingerprint'), executables can be allowed/blocked by their
+  signing certificate. You can therefore allow/block all binaries by a
   given publisher that were signed with that cert across version updates. A
-  binary can only be whitelisted by its certificate if its signature validates
-  correctly, but a rule for a binary's fingerprint will override a decision for
-  a certificate; i.e. you can whitelist a certificate while blacklisting a
-  binary signed with that certificate, or vice-versa.
+  binary can only be allowed by its certificate if its signature validates
+  correctly but a rule for a binary's fingerprint will override a decision for
+  a certificate; i.e. you can allowlist a certificate while blocking a binary
+  signed with that certificate, or vice-versa.
 
 * Path-based rules (via NSRegularExpression/ICU): This allows a similar feature
   to that found in Managed Client (the precursor to configuration profiles,
@@ -70,10 +67,18 @@ can.
 * Failsafe cert rules: You cannot put in a deny rule that would block the
   certificate used to sign launchd, a.k.a. pid 1, and therefore all components
   used in macOS. The binaries in every OS update (and in some cases entire new
-  versions) are therefore auto-whitelisted. This does not affect binaries from
-  Apple's App Store, which use various certs that change regularly for common
-  apps. Likewise, you cannot blacklist Santa itself, and Santa uses a distinct
-  separate cert than other Google apps.
+  versions) are therefore automatically allowed. This does not affect binaries
+  from Apple's App Store, which use various certs that change regularly for
+  common apps. Likewise, you cannot block Santa itself, and Santa uses a
+  distinct separate cert than other Google apps.
+
+* Userland components validate each other: each of the userland components (the
+  daemon, the GUI agent and the command-line utility) communicate with each
+  other using XPC and check that their signing certificates are identical
+  before any communication is accepted.
+
+* Caching: allowed binaries are cached so the processing required to make a
+  request is only done if the binary isn't already cached.
 
 # Intentions and Expectations
 
@@ -90,42 +95,17 @@ protect hosts in whatever other ways you see fit.
 
 # Security and Performance-Related Features
 
-* In-kernel caching: whitelisted binaries are cached in the kernel so the
-  processing required to make a request is only done if the binary isn't
-  already cached.
-
-* Userland components validate each other: each of the userland components (the
-  daemon, the GUI agent and the command-line utility) communicate with each
-  other using XPC and check that their signing certificates are identical
-  before any communication is accepted.
-
-* Kext uses only KPIs: the kernel extension only uses provided kernel
-  programming interfaces to do its job. This means that the kext code should
-  continue to work across OS versions.
-
 # Known Issues
 
 * Santa only blocks execution (execve and variants), it doesn't protect against
   dynamic libraries loaded with dlopen, libraries on disk that have been
-  replaced, or libraries loaded using `DYLD_INSERT_LIBRARIES`. As of version
-  0.9.1 we *do* address [__PAGEZERO missing issues](b87482e) that were
-  exploited in some versions of macOS. We are working on also protecting
-  against similar avenues of attack.
-
-* Kext communication security: the kext will only accept a connection from a
-  single client at a time and said client must be running as root. We haven't
-  yet found a good way to ensure the kext only accepts connections from a valid
-  client.
-
-* Database protection: the SQLite database is installed with permissions so
-  that only the root user can read/write it. We're considering approaches to
-  secure this further.
+  replaced, or libraries loaded using `DYLD_INSERT_LIBRARIES`.
 
 * Scripts: Santa is currently written to ignore any execution that isn't a
   binary. This is because after weighing the administration cost vs the
   benefit, we found it wasn't worthwhile. Additionally, a number of
   applications make use of temporary generated scripts, which we can't possibly
-  whitelist and not doing so would cause problems. We're happy to revisit this
+  allowlist and not doing so would cause problems. We're happy to revisit this
   (or at least make it an option) if it would be useful to others.
 
 # Sync Servers
@@ -134,13 +114,17 @@ protect hosts in whatever other ways you see fit.
   management server, which uploads events that have occurred on the machine and
   downloads new rules. There are several open-source servers you can sync with:
 
-    * [Upvote](https://github.com/google/upvote) - An AppEngine-based server
-      that implements social voting to make managing a large fleet easier.
     * [Moroz](https://github.com/groob/moroz) - A simple golang server that
       serves hardcoded rules from simple configuration files.
+    * [Rudolph](https://github.com/airbnb/rudolph) - An AWS-based serverless sync service
+      primarily built on API GW, DynamoDB, and Lambda components to reduce operational burden.
+      Rudolph is designed to be fast, easy-to-use, and cost-efficient.
     * [Zentral](https://github.com/zentralopensource/zentral/wiki) - A
       centralized service that pulls data from multiple sources and deploy
       configurations to multiple services.
+    * [Zercurity](https://github.com/zercurity/zercurity) - A dockerized service
+      for managing and monitoring applications across a large fleet utilizing
+      Santa + Osquery.
 
 * Alternatively, `santactl` can configure rules locally (without a sync
   server).
@@ -150,34 +134,12 @@ protect hosts in whatever other ways you see fit.
 A tool like Santa doesn't really lend itself to screenshots, so here's a video
 instead.
 
-<p align="center"> <img src="https://zippy.gfycat.com/MadFatalAmphiuma.gif"
-alt="Santa Block Video" /> </p>
 
-# Kext Signing
-Kernel extensions on macOS 10.9 and later must be signed using an Apple-provided
-Developer ID certificate with a kernel extension flag. Without it, the only way
-to load an extension is to enable kext-dev-mode or disable SIP, depending on
-the OS version.
-
-There are two possible solutions for this, for distribution purposes:
-
-1) Use a [pre-built, pre-signed
-version](https://github.com/google/santa/releases) of the kext that we supply.
-Each time changes are made to the kext code we will update the pre-built
-version that you can make use of. This doesn't prevent you from making changes
-to the non-kext parts of Santa and distributing those.  If you make changes to
-the kext and make a pull request, we can merge them in and distribute a new
-version of the pre-signed kext.
-
-2) Apply for your own [kext signing
-certificate](https://developer.apple.com/contact/kext/).  Apple will only grant
-this for broad distribution within an organization, they won't issue them just
-for testing purposes.
+<p align="center"> <img src="https://thumbs.gfycat.com/MadFatalAmphiuma-small.gif" alt="Santa Block Video" /> </p>
 
 # Contributing
 Patches to this project are very much welcome. Please see the
-[CONTRIBUTING](https://github.com/google/santa/blob/master/CONTRIBUTING.md)
-file.
+[CONTRIBUTING](https://santa.dev/development/contributing) doc.
 
 # Disclaimer
 This is **not** an official Google product.

SECURITY.md

@@ -0,0 +1,12 @@
+# Reporting a Vulnerability
+
+If you believe you have found a security vulnerability, we would appreciate private disclosure
+so that we can work on a fix before disclosure. Any vulnerabilities reported to us will be 
+disclosed publicly either when a new version with fixes is released or 90 days has passed,
+whichever comes first.
+
+To report vulnerabilities to us privately, please e-mail `santa-team@google.com`.
+If you want to encrypt your e-mail, you can use our GPG key `0x92AFE41DAB49BBB6`
+available on pool.sks-keyservers.net:
+
+`gpg --keyserver pool.sks-keyservers.net --recv-key 0x92AFE41DAB49BBB6`

Source/SantaGUI/main.m

@@ -1,27 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-#import <Cocoa/Cocoa.h>
-
-#import "Source/SantaGUI/SNTAppDelegate.h"
-
-int main(int argc, const char *argv[]) {
-  @autoreleasepool {
-    NSApplication *app = [NSApplication sharedApplication];
-    SNTAppDelegate *delegate = [[SNTAppDelegate alloc] init];
-    [app setDelegate:delegate];
-    [app finishLaunching];
-    [app run];
-  }
-}

Source/common/BUILD

@@ -1,15 +1,31 @@
-package(default_visibility = ["//visibility:public"])
-
-licenses(["notice"])  # Apache 2.0
-
 load("//:helper.bzl", "santa_unit_test")
 
+package(default_visibility = ["//:santa_package_group"])
+
+licenses(["notice"])
+
+cc_library(
+    name = "SantaCache",
+    hdrs = ["SantaCache.h"],
+    deps = ["//Source/common:SNTKernelCommon"],
+)
+
+santa_unit_test(
+    name = "SantaCacheTest",
+    srcs = [
+        "SantaCache.h",
+        "SantaCacheTest.mm",
+    ],
+    deps = ["//Source/common:SNTKernelCommon"],
+)
+
 objc_library(
     name = "SNTBlockMessage",
     srcs = ["SNTBlockMessage.m"],
     hdrs = ["SNTBlockMessage.h"],
     deps = [
         ":SNTConfigurator",
+        ":SNTLogging",
         ":SNTStoredEvent",
     ],
 )
@@ -18,11 +34,12 @@ objc_library(
     name = "SNTBlockMessage_SantaGUI",
     srcs = ["SNTBlockMessage.m"],
     hdrs = ["SNTBlockMessage.h"],
+    defines = ["SANTAGUI"],
     deps = [
         ":SNTConfigurator",
+        ":SNTLogging",
         ":SNTStoredEvent",
     ],
-    defines = ["SANTAGUI"],
 )
 
 objc_library(
@@ -35,7 +52,7 @@ objc_library(
     ],
 )
 
-cc_library(
+objc_library(
     name = "SNTCommonEnums",
     hdrs = ["SNTCommonEnums.h"],
 )
@@ -46,7 +63,6 @@ objc_library(
     hdrs = ["SNTConfigurator.h"],
     deps = [
         ":SNTCommonEnums",
-        ":SNTLogging",
         ":SNTStrengthify",
         ":SNTSystemInfo",
     ],
@@ -71,17 +87,56 @@ objc_library(
 cc_library(
     name = "SNTKernelCommon",
     hdrs = ["SNTKernelCommon.h"],
+    defines = [
+        "TARGET_OS_OSX",
+        "TARGET_OS_MAC",
+    ],
 )
 
 cc_library(
     name = "SNTLoggingKernel",
     hdrs = ["SNTLogging.h"],
+    copts = [
+        "-mkernel",
+        "-I__BAZEL_XCODE_SDKROOT__/System/Library/Frameworks/Kernel.framework/Headers",
+    ],
+    defines = [
+        "KERNEL",
+        "TARGET_OS_OSX",
+        "TARGET_OS_MAC",
+    ],
 )
 
 objc_library(
     name = "SNTLogging",
     srcs = ["SNTLogging.m"],
     hdrs = ["SNTLogging.h"],
+    deps = [":SNTConfigurator"],
+)
+
+cc_library(
+    name = "SNTPrefixTree",
+    srcs = ["SNTPrefixTree.cc"],
+    hdrs = ["SNTPrefixTree.h"],
+    copts = ["-std=c++11"],
+    deps = [":SNTLogging"],
+)
+
+cc_library(
+    name = "SNTPrefixTreeKernel",
+    srcs = ["SNTPrefixTree.cc"],
+    hdrs = ["SNTPrefixTree.h"],
+    copts = [
+        "-std=c++11",
+        "-mkernel",
+        "-I__BAZEL_XCODE_SDKROOT__/System/Library/Frameworks/Kernel.framework/Headers",
+    ],
+    defines = [
+        "KERNEL",
+        "TARGET_OS_OSX",
+        "TARGET_OS_MAC",
+    ],
+    deps = [":SNTLoggingKernel"],
 )
 
 objc_library(
@@ -117,7 +172,19 @@ objc_library(
     name = "SNTXPCBundleServiceInterface",
     srcs = ["SNTXPCBundleServiceInterface.m"],
     hdrs = ["SNTXPCBundleServiceInterface.h"],
-    deps = [":SNTStoredEvent"],
+    deps = [
+        ":SNTStoredEvent",
+        "@MOLXPCConnection",
+    ],
+)
+
+objc_library(
+    name = "SNTXPCMetricServiceInterface",
+    srcs = ["SNTXPCMetricServiceInterface.m"],
+    hdrs = ["SNTXPCMetricServiceInterface.h"],
+    deps = [
+        "@MOLXPCConnection",
+    ],
 )
 
 objc_library(
@@ -125,6 +192,7 @@ objc_library(
     srcs = ["SNTXPCControlInterface.m"],
     hdrs = ["SNTXPCControlInterface.h"],
     deps = [
+        ":SNTConfigurator",
         ":SNTStoredEvent",
         ":SNTXPCUnprivilegedControlInterface",
         "@MOLXPCConnection",
@@ -141,6 +209,13 @@ objc_library(
     ],
 )
 
+objc_library(
+    name = "SNTMetricSet",
+    srcs = ["SNTMetricSet.m"],
+    hdrs = ["SNTMetricSet.h"],
+    deps = [":SNTCommonEnums"],
+)
+
 objc_library(
     name = "SNTXPCSyncdInterface",
     srcs = ["SNTXPCSyncdInterface.m"],
@@ -151,6 +226,16 @@ objc_library(
     ],
 )
 
+objc_library(
+    name = "SNTXPCSyncServiceInterface",
+    srcs = ["SNTXPCSyncServiceInterface.m"],
+    hdrs = ["SNTXPCSyncServiceInterface.h"],
+    deps = [
+        ":SNTStoredEvent",
+        "@MOLXPCConnection",
+    ],
+)
+
 objc_library(
     name = "SNTXPCUnprivilegedControlInterface",
     srcs = ["SNTXPCUnprivilegedControlInterface.m"],
@@ -170,6 +255,7 @@ santa_unit_test(
     name = "SNTFileInfoTest",
     srcs = ["SNTFileInfoTest.m"],
     resources = [
+        "testdata/32bitplist",
         "testdata/bad_pagezero",
         "testdata/missing_pagezero",
     ],
@@ -179,3 +265,26 @@ santa_unit_test(
     ]),
     deps = [":SNTFileInfo"],
 )
+
+santa_unit_test(
+    name = "SNTPrefixTreeTest",
+    srcs = ["SNTPrefixTreeTest.mm"],
+    deps = [":SNTPrefixTree"],
+)
+
+santa_unit_test(
+    name = "SNTMetricSetTest",
+    srcs = ["SNTMetricSetTest.m"],
+    deps = [":SNTMetricSet"],
+)
+
+test_suite(
+    name = "unit_tests",
+    tests = [
+        ":SNTFileInfoTest",
+        ":SNTMetricSetTest",
+        ":SNTPrefixTreeTest",
+        ":SantaCacheTest",
+    ],
+    visibility = ["//:santa_package_group"],
+)

Source/common/SNTBlockMessage.m

@@ -17,31 +17,33 @@
 #import "Source/common/SNTConfigurator.h"
 #import "Source/common/SNTLogging.h"
 #import "Source/common/SNTStoredEvent.h"
+#import "Source/common/SNTSystemInfo.h"
 
 @implementation SNTBlockMessage
 
 + (NSAttributedString *)attributedBlockMessageForEvent:(SNTStoredEvent *)event
                                          customMessage:(NSString *)customMessage {
-  NSString *htmlHeader = @"<html><head><style>"
-      @"body {"
-      @"  font-family: 'Lucida Grande', 'Helvetica', sans-serif;"
-      @"  font-size: 13px;"
-      @"  color: %@;"
-      @"  text-align: center;"
-      @"}"
+  NSString *htmlHeader =
+    @"<html><head><style>"
+    @"body {"
+    @"  font-family: 'Lucida Grande', 'Helvetica', sans-serif;"
+    @"  font-size: 13px;"
+    @"  color: %@;"
+    @"  text-align: center;"
+    @"}"
 
-      // Supported in beta WebKit. Not sure if it is dynamic when used with NSAttributedString.
-      @"@media (prefers-color-scheme: dark) {"
-      @"  body {"
-      @"    color: #ddd;"
-      @"  }"
-      @"}"
-      @"</style></head><body>";
+    // Supported in beta WebKit. Not sure if it is dynamic when used with NSAttributedString.
+    @"@media (prefers-color-scheme: dark) {"
+    @"  body {"
+    @"    color: #ddd;"
+    @"  }"
+    @"}"
+    @"</style></head><body>";
 
   // Support Dark Mode. Note, the returned NSAttributedString is static and does not update when
   // the OS switches modes.
   NSString *mode = [NSUserDefaults.standardUserDefaults stringForKey:@"AppleInterfaceStyle"];
-  BOOL dark =  [mode isEqualToString:@"Dark"];
+  BOOL dark = [mode isEqualToString:@"Dark"];
   htmlHeader = [NSString stringWithFormat:htmlHeader, dark ? @"#ddd" : @"#333"];
 
   NSString *htmlFooter = @"</body></html>";
@@ -89,13 +91,14 @@
 
   // Strip any HTML tags out of the message. Also remove any content inside <style> tags and
   // replace <br> elements with a newline.
-  NSString *stripXslt = @"<?xml version='1.0' encoding='utf-8'?>"
-      @"<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
-      @"                              xmlns:xhtml='http://www.w3.org/1999/xhtml'>"
-      @"<xsl:output method='text'/>"
-      @"<xsl:template match='br'><xsl:text>\n</xsl:text></xsl:template>"
-      @"<xsl:template match='style'/>"
-      @"</xsl:stylesheet>";
+  NSString *stripXslt =
+    @"<?xml version='1.0' encoding='utf-8'?>"
+    @"<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
+    @"                              xmlns:xhtml='http://www.w3.org/1999/xhtml'>"
+    @"<xsl:output method='text'/>"
+    @"<xsl:template match='br'><xsl:text>\n</xsl:text></xsl:template>"
+    @"<xsl:template match='style'/>"
+    @"</xsl:stylesheet>";
   NSData *data = [xml objectByApplyingXSLTString:stripXslt arguments:NULL error:&error];
   if (error || ![data isKindOfClass:[NSData class]]) {
     return html;
@@ -106,13 +109,16 @@
 + (NSURL *)eventDetailURLForEvent:(SNTStoredEvent *)event {
   SNTConfigurator *config = [SNTConfigurator configurator];
 
+  NSString *hostname = [SNTSystemInfo longHostname];
+  NSString *uuid = [SNTSystemInfo hardwareUUID];
+  NSString *serial = [SNTSystemInfo serialNumber];
   NSString *formatStr = config.eventDetailURL;
   if (!formatStr.length) return nil;
 
   if (event.fileSHA256) {
     formatStr =
-        [formatStr stringByReplacingOccurrencesOfString:@"%file_sha%"
-                                             withString:event.fileBundleHash ?: event.fileSHA256];
+      [formatStr stringByReplacingOccurrencesOfString:@"%file_sha%"
+                                           withString:event.fileBundleHash ?: event.fileSHA256];
   }
   if (event.executingUser) {
     formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%username%"
@@ -122,6 +128,15 @@
     formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%machine_id%"
                                                      withString:config.machineID];
   }
+  if (hostname.length) {
+    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%hostname%" withString:hostname];
+  }
+  if (uuid.length) {
+    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%uuid%" withString:uuid];
+  }
+  if (serial.length) {
+    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%serial%" withString:serial];
+  }
 
   return [NSURL URLWithString:formatStr];
 }

Source/common/SNTCachedDecision.h

@@ -17,6 +17,8 @@
 #import "Source/common/SNTCommonEnums.h"
 #import "Source/common/SNTKernelCommon.h"
 
+@class MOLCertificate;
+
 ///
 ///  Store information about executions from decision making for later logging.
 ///
@@ -26,8 +28,12 @@
 @property SNTEventState decision;
 @property NSString *decisionExtra;
 @property NSString *sha256;
+
 @property NSString *certSHA256;
 @property NSString *certCommonName;
+@property NSArray<MOLCertificate *> *certChain;
+@property NSString *teamID;
+
 @property NSString *quarantineURL;
 
 @property NSString *customMsg;

Source/common/SNTCommonEnums.h

@@ -24,18 +24,19 @@ typedef NS_ENUM(NSInteger, SNTRuleType) {
 
   SNTRuleTypeBinary = 1,
   SNTRuleTypeCertificate = 2,
+  SNTRuleTypeTeamID = 3,
 };
 
 typedef NS_ENUM(NSInteger, SNTRuleState) {
   SNTRuleStateUnknown,
 
-  SNTRuleStateWhitelist = 1,
-  SNTRuleStateBlacklist = 2,
-  SNTRuleStateSilentBlacklist = 3,
+  SNTRuleStateAllow = 1,
+  SNTRuleStateBlock = 2,
+  SNTRuleStateSilentBlock = 3,
   SNTRuleStateRemove = 4,
 
-  SNTRuleStateWhitelistCompiler = 5,
-  SNTRuleStateWhitelistTransitive = 6,
+  SNTRuleStateAllowCompiler = 5,
+  SNTRuleStateAllowTransitive = 6,
 };
 
 typedef NS_ENUM(NSInteger, SNTClientMode) {
@@ -55,6 +56,7 @@ typedef NS_ENUM(NSInteger, SNTEventState) {
   SNTEventStateBlockBinary = 1 << 17,
   SNTEventStateBlockCertificate = 1 << 18,
   SNTEventStateBlockScope = 1 << 19,
+  SNTEventStateBlockTeamID = 1 << 20,
 
   // Bits 24-31 store allow decision types
   SNTEventStateAllowUnknown = 1 << 24,
@@ -64,6 +66,7 @@ typedef NS_ENUM(NSInteger, SNTEventState) {
   SNTEventStateAllowCompiler = 1 << 28,
   SNTEventStateAllowTransitive = 1 << 29,
   SNTEventStateAllowPendingTransitive = 1 << 30,
+  SNTEventStateAllowTeamID = 1 << 31,
 
   // Block and Allow masks
   SNTEventStateBlock = 0xFF << 16,
@@ -74,7 +77,6 @@ typedef NS_ENUM(NSInteger, SNTRuleTableError) {
   SNTRuleTableErrorEmptyRuleArray,
   SNTRuleTableErrorInsertOrReplaceFailed,
   SNTRuleTableErrorInvalidRule,
-  SNTRuleTableErrorMissingRequiredRule,
   SNTRuleTableErrorRemoveFailed
 };
 
@@ -92,7 +94,15 @@ typedef NS_ENUM(NSInteger, SNTEventLogType) {
   SNTEventLogTypeFilelog,
 };
 
+typedef NS_ENUM(NSInteger, SNTMetricFormatType) {
+  SNTMetricFormatTypeUnknown,
+  SNTMetricFormatTypeRawJSON,
+  SNTMetricFormatTypeMonarchJSON,
+};
+
 static const char *kKextPath = "/Library/Extensions/santa-driver.kext";
-static const char *kSantaDPath = "/Library/Extensions/santa-driver.kext/Contents/MacOS/santad";
-static const char *kSantaCtlPath = "/Library/Extensions/santa-driver.kext/Contents/MacOS/santactl";
-static const char *kSantaAppPath = "/Library/Extensions/santa-driver.kext/Contents/Resources/Santa.app";
+static const char *kSantaDPath =
+  "/Applications/Santa.app/Contents/Library/SystemExtensions/"
+  "com.google.santa.daemon.systemextension/Contents/MacOS/com.google.santa.daemon";
+static const char *kSantaCtlPath = "/Applications/Santa.app/Contents/MacOS/santactl";
+static const char *kSantaAppPath = "/Applications/Santa.app";

Source/common/SNTConfigurator.h

@@ -36,32 +36,32 @@
 - (void)setSyncServerClientMode:(SNTClientMode)newMode;
 
 ///
-///  The regex of whitelisted paths. Regexes are specified in ICU format.
+///  The regex of allowed paths. Regexes are specified in ICU format.
 ///
 ///  The regex flags IXSM can be used, though the s (dotall) and m (multiline) flags are
 ///  pointless as a path only ever has a single line.
 ///  If the regex doesn't begin with ^ to match from the beginning of the line, it will be added.
 ///
-@property(readonly, nonatomic) NSRegularExpression *whitelistPathRegex;
+@property(readonly, nonatomic) NSRegularExpression *allowedPathRegex;
 
 ///
-///  Set the regex of whitelisted paths as received from a sync server.
+///  Set the regex of allowed paths as received from a sync server.
 ///
-- (void)setSyncServerWhitelistPathRegex:(NSRegularExpression *)re;
+- (void)setSyncServerAllowedPathRegex:(NSRegularExpression *)re;
 
 ///
-///  The regex of blacklisted paths. Regexes are specified in ICU format.
+///  The regex of blocked paths. Regexes are specified in ICU format.
 ///
 ///  The regex flags IXSM can be used, though the s (dotall) and m (multiline) flags are
 ///  pointless as a path only ever has a single line.
 ///  If the regex doesn't begin with ^ to match from the beginning of the line, it will be added.
 ///
-@property(readonly, nonatomic) NSRegularExpression *blacklistPathRegex;
+@property(readonly, nonatomic) NSRegularExpression *blockedPathRegex;
 
 ///
-///  Set the regex of blacklisted paths as received from a sync server.
+///  Set the regex of blocked paths as received from a sync server.
 ///
-- (void)setSyncServerBlacklistPathRegex:(NSRegularExpression *)re;
+- (void)setSyncServerBlockedPathRegex:(NSRegularExpression *)re;
 
 ///
 ///  The regex of paths to log file changes for. Regexes are specified in ICU format.
@@ -130,6 +130,14 @@
 ///
 @property(readonly, nonatomic) BOOL enablePageZeroProtection;
 
+///
+///  Enable bad signature protection, defaults to NO.
+///  When enabled, a binary that is signed but has a bad signature (cert revoked, binary
+///  tampered with, etc.) will be blocked regardless of client-mode unless a binary allowlist
+///  rule exists.
+///
+@property(readonly, nonatomic) BOOL enableBadSignatureProtection;
+
 ///
 ///  Defines how event logs are stored. Options are:
 ///    SNTEventLogTypeSyslog: Sent to ASL or ULS (if built with the 10.12 SDK or later).
@@ -156,8 +164,33 @@
 ///
 @property(readonly, nonatomic) BOOL enableMachineIDDecoration;
 
+///
+///  Use the bundled SystemExtension on macOS 10.15+, defaults to YES.
+///  Disable to continue using the bundled KEXT.
+///  This is a one way switch, if this is ever true on macOS 10.15+ the KEXT will be deleted.
+///  This gives admins control over the timing of switching to the SystemExtension. The intended use
+///  case is to have an MDM deliver the requisite SystemExtension and TCC profiles before attempting
+///  to load.
+///
+@property(readonly, nonatomic) BOOL enableSystemExtension;
+
+///
+///  Use an internal cache for decisions instead of relying on the caching
+///  mechanism built-in to the EndpointSecurity framework. This may increase
+///  performance, particularly when Santa is run alongside other system
+///  extensions.
+///  Has no effect if the system extension is not being used. Defaults to NO.
+///
+@property(readonly, nonatomic) BOOL enableSysxCache;
+
 #pragma mark - GUI Settings
 
+///
+/// The text to display when opening Santa.app.
+/// If unset, the default text will be displayed.
+///
+@property(readonly, nonatomic) NSString *aboutText;
+
 ///
 ///  The URL to open when the user clicks "More Info..." when opening Santa.app.
 ///  If unset, the button will not be displayed.
@@ -174,6 +207,9 @@
 ///  %file_sha%    -- SHA-256 of the file that was blocked.
 ///  %machine_id%  -- ID of the machine.
 ///  %username%    -- executing user.
+///  %serial%      -- System's serial number.
+///  %uuid%        -- System's UUID.
+///  %hostname%    -- System's full hostname.
 ///
 ///  @note: This is not an NSURL because the format-string parsing is done elsewhere.
 ///
@@ -218,6 +254,14 @@
 ///
 @property(readonly, nonatomic) NSURL *syncBaseURL;
 
+///
+///  Proxy settings for syncing.
+///  This dictionary is passed directly to NSURLSession. The allowed keys
+///  are loosely documented at
+///  https://developer.apple.com/documentation/cfnetwork/global_proxy_settings_constants.
+///
+@property(readonly, nonatomic) NSDictionary *syncProxyConfig;
+
 ///
 ///  The machine owner.
 ///
@@ -238,6 +282,23 @@
 ///
 @property(nonatomic) BOOL syncCleanRequired;
 
+///
+/// USB Mount Blocking. Defaults to false.
+///
+@property(nonatomic) BOOL blockUSBMount;
+
+///
+/// Comma-seperated `$ mount -o` arguments used for forced remounting of USB devices. Default
+/// to fully allow/deny without remounting if unset.
+///
+@property(nonatomic) NSArray<NSString *> *remountUSBMode;
+
+///
+/// When `blockUSBMount` is set, this is the message shown to the user when a device is blocked
+/// If this message is not configured, a reasonable default is provided.
+///
+@property(readonly, nonatomic) NSString *usbBlockMessage;
+
 ///
 ///  If set, this over-rides the default machine ID used for syncing.
 ///
@@ -249,14 +310,14 @@
 ///
 @property BOOL enableBundles;
 
-#pragma mark Transitive Whitelisting Settings
+#pragma mark Transitive Allowlist Settings
 
 ///
-///  If YES, binaries marked with SNTRuleStateWhitelistCompiler rules are allowed to transitively
-///  whitelist any executables that they produce.  If NO, SNTRuleStateWhitelistCompiler rules are
-///  interpreted as if they were simply SNTRuleStateWhitelist rules.  Defaults to NO.
+///  If YES, binaries marked with SNTRuleStateAllowCompiler rules are allowed to transitively
+///  allow any executables that they produce.  If NO, SNTRuleStateAllowCompiler rules are
+///  interpreted as if they were simply SNTRuleStateAllow rules.  Defaults to NO.
 ///
-@property BOOL enableTransitiveWhitelisting;
+@property BOOL enableTransitiveRules;
 
 #pragma mark Server Auth Settings
 
@@ -295,6 +356,77 @@
 ///
 @property(readonly, nonatomic) NSString *syncClientAuthCertificateIssuer;
 
+///
+///  If true, forks and exits will be logged. Defaults to false.
+///
+@property(readonly, nonatomic) BOOL enableForkAndExitLogging;
+
+///
+///  If true, ignore actions from other endpoint security clients. Defaults to false. This only
+///  applies when running as a sysx.
+///
+@property(readonly, nonatomic) BOOL ignoreOtherEndpointSecurityClients;
+
+///
+///  If true, debug logging will be enabled for all Santa components. Defaults to false.
+///  Passing --debug as an executable argument will enable debug logging for that specific
+///  component.
+///
+@property(readonly, nonatomic) BOOL enableDebugLogging;
+
+///
+///  If true, compressed requests from "santactl sync" will set "Content-Encoding" to "zlib"
+///  instead of the new default "deflate". If syncing with Upvote deployed at commit 0b4477d
+///  or below, set this option to true.
+///  Defaults to false.
+///
+@property(readonly, nonatomic) BOOL enableBackwardsCompatibleContentEncoding;
+
+///
+///  Contains the FCM project name.
+///
+@property(readonly, nonatomic) NSString *fcmProject;
+
+///
+///  Contains the FCM project entity.
+///
+@property(readonly, nonatomic) NSString *fcmEntity;
+
+///
+///  Contains the FCM project API key.
+///
+@property(readonly, nonatomic) NSString *fcmAPIKey;
+
+///
+///  True if fcmProject, fcmEntity and fcmAPIKey are all set. Defaults to false.
+///
+@property(readonly, nonatomic) BOOL fcmEnabled;
+
+///
+/// True if metricsFormat and metricsURL are set. False otherwise.
+///
+@property(readonly, nonatomic) BOOL exportMetrics;
+
+///
+/// Format to export Metrics as.
+///
+@property(readonly, nonatomic) SNTMetricFormatType metricFormat;
+
+///
+/// URL describing where metrics are exported, defaults to nil.
+///
+@property(readonly, nonatomic) NSURL *metricURL;
+
+///
+/// Extra Metric Labels to add to the metrics payloads.
+///
+@property(readonly, nonatomic) NSDictionary *extraMetricLabels;
+
+///
+/// Duration in seconds of how often the metrics should be exported.
+///
+@property(readonly, nonatomic) NSUInteger metricExportInterval;
+
 ///
 ///  Retrieve an initialized singleton configurator object using the default file path.
 ///

Source/common/SNTConfigurator.m

@@ -1,4 +1,4 @@
-/// Copyright 2015 Google Inc. All rights reserved.
+/// Copyright 2021 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -16,7 +16,6 @@
 
 #include <sys/stat.h>
 
-#import "Source/common/SNTLogging.h"
 #import "Source/common/SNTStrengthify.h"
 #import "Source/common/SNTSystemInfo.h"
 
@@ -24,13 +23,16 @@
 /// A NSUserDefaults object set to use the com.google.santa suite.
 @property(readonly, nonatomic) NSUserDefaults *defaults;
 
-// Keys and expected value types.
+/// Keys and expected value types.
 @property(readonly, nonatomic) NSDictionary *syncServerKeyTypes;
 @property(readonly, nonatomic) NSDictionary *forcedConfigKeyTypes;
 
 /// Holds the configurations from a sync server and mobileconfig.
 @property NSMutableDictionary *syncState;
 @property NSMutableDictionary *configState;
+
+/// Was --debug passed as an argument to this process?
+@property(readonly, nonatomic) BOOL debugFlag;
 @end
 
 @implementation SNTConfigurator
@@ -43,6 +45,7 @@ static NSString *const kMobileConfigDomain = @"com.google.santa";
 
 /// The keys managed by a mobileconfig.
 static NSString *const kSyncBaseURLKey = @"SyncBaseURL";
+static NSString *const kSyncProxyConfigKey = @"SyncProxyConfiguration";
 static NSString *const kClientAuthCertificateFileKey = @"ClientAuthCertificateFile";
 static NSString *const kClientAuthCertificatePasswordKey = @"ClientAuthCertificatePassword";
 static NSString *const kClientAuthCertificateCNKey = @"ClientAuthCertificateCN";
@@ -57,6 +60,7 @@ static NSString *const kMachineOwnerPlistKeyKey = @"MachineOwnerKey";
 static NSString *const kMachineIDPlistFileKey = @"MachineIDPlist";
 static NSString *const kMachineIDPlistKeyKey = @"MachineIDKey";
 
+static NSString *const kAboutText = @"AboutText";
 static NSString *const kMoreInfoURLKey = @"MoreInfoURL";
 static NSString *const kEventDetailURLKey = @"EventDetailURL";
 static NSString *const kEventDetailTextKey = @"EventDetailText";
@@ -66,6 +70,7 @@ static NSString *const kModeNotificationMonitor = @"ModeNotificationMonitor";
 static NSString *const kModeNotificationLockdown = @"ModeNotificationLockdown";
 
 static NSString *const kEnablePageZeroProtectionKey = @"EnablePageZeroProtection";
+static NSString *const kEnableBadSignatureProtectionKey = @"EnableBadSignatureProtection";
 
 static NSString *const kFileChangesRegexKey = @"FileChangesRegex";
 static NSString *const kFileChangesPrefixFiltersKey = @"FileChangesPrefixFilters";
@@ -75,11 +80,36 @@ static NSString *const kEventLogPath = @"EventLogPath";
 
 static NSString *const kEnableMachineIDDecoration = @"EnableMachineIDDecoration";
 
+static NSString *const kEnableSystemExtension = @"EnableSystemExtension";
+static NSString *const kEnableSysxCache = @"EnableSysxCache";
+
+static NSString *const kEnableForkAndExitLogging = @"EnableForkAndExitLogging";
+static NSString *const kIgnoreOtherEndpointSecurityClients = @"IgnoreOtherEndpointSecurityClients";
+static NSString *const kEnableDebugLogging = @"EnableDebugLogging";
+
+static NSString *const kEnableBackwardsCompatibleContentEncoding =
+  @"EnableBackwardsCompatibleContentEncoding";
+
+static NSString *const kFCMProject = @"FCMProject";
+static NSString *const kFCMEntity = @"FCMEntity";
+static NSString *const kFCMAPIKey = @"FCMAPIKey";
+
 // The keys managed by a sync server or mobileconfig.
 static NSString *const kClientModeKey = @"ClientMode";
-static NSString *const kEnableTransitiveWhitelistingKey = @"EnableTransitiveWhitelisting";
-static NSString *const kWhitelistRegexKey = @"WhitelistRegex";
-static NSString *const kBlacklistRegexKey = @"BlacklistRegex";
+static NSString *const kBlockUSBMountKey = @"BlockUSBMount";
+static NSString *const kRemountUSBModeKey = @"RemountUSBMode";
+static NSString *const kEnableTransitiveRulesKey = @"EnableTransitiveRules";
+static NSString *const kEnableTransitiveRulesKeyDeprecated = @"EnableTransitiveWhitelisting";
+static NSString *const kAllowedPathRegexKey = @"AllowedPathRegex";
+static NSString *const kAllowedPathRegexKeyDeprecated = @"WhitelistRegex";
+static NSString *const kBlockedPathRegexKey = @"BlockedPathRegex";
+static NSString *const kBlockedPathRegexKeyDeprecated = @"BlacklistRegex";
+
+// TODO(markowsky): move these to sync server only.
+static NSString *const kMetricFormat = @"MetricFormat";
+static NSString *const kMetricURL = @"MetricURL";
+static NSString *const kMetricExportInterval = @"MetricExportInterval";
+static NSString *const kMetricExtraLabels = @"MetricExtraLabels";
 
 // The keys managed by a sync server.
 static NSString *const kFullSyncLastSuccess = @"FullSyncLastSuccess";
@@ -95,23 +125,36 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
     Class string = [NSString class];
     Class data = [NSData class];
     Class array = [NSArray class];
+    Class dictionary = [NSDictionary class];
     _syncServerKeyTypes = @{
       kClientModeKey : number,
-      kEnableTransitiveWhitelistingKey : number,
-      kWhitelistRegexKey : re,
-      kBlacklistRegexKey : re,
+      kEnableTransitiveRulesKey : number,
+      kEnableTransitiveRulesKeyDeprecated : number,
+      kAllowedPathRegexKey : re,
+      kAllowedPathRegexKeyDeprecated : re,
+      kBlockedPathRegexKey : re,
+      kBlockedPathRegexKeyDeprecated : re,
+      kBlockUSBMountKey : number,
+      kRemountUSBModeKey : array,
       kFullSyncLastSuccess : date,
       kRuleSyncLastSuccess : date,
       kSyncCleanRequired : number
     };
     _forcedConfigKeyTypes = @{
       kClientModeKey : number,
-      kEnableTransitiveWhitelistingKey : number,
+      kEnableTransitiveRulesKey : number,
+      kEnableTransitiveRulesKeyDeprecated : number,
       kFileChangesRegexKey : re,
       kFileChangesPrefixFiltersKey : array,
-      kWhitelistRegexKey : re,
-      kBlacklistRegexKey : re,
+      kAllowedPathRegexKey : re,
+      kAllowedPathRegexKeyDeprecated : re,
+      kBlockedPathRegexKey : re,
+      kBlockedPathRegexKeyDeprecated : re,
+      kBlockUSBMountKey : number,
+      kRemountUSBModeKey : array,
       kEnablePageZeroProtectionKey : number,
+      kEnableBadSignatureProtectionKey : number,
+      kAboutText : string,
       kMoreInfoURLKey : string,
       kEventDetailURLKey : string,
       kEventDetailTextKey : string,
@@ -120,11 +163,12 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
       kModeNotificationMonitor : string,
       kModeNotificationLockdown : string,
       kSyncBaseURLKey : string,
+      kSyncProxyConfigKey : dictionary,
       kClientAuthCertificateFileKey : string,
       kClientAuthCertificatePasswordKey : string,
       kClientAuthCertificateCNKey : string,
       kClientAuthCertificateIssuerKey : string,
-      kServerAuthRootsDataKey  : data,
+      kServerAuthRootsDataKey : data,
       kServerAuthRootsFileKey : string,
       kMachineOwnerKey : string,
       kMachineIDKey : string,
@@ -135,11 +179,25 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
       kEventLogType : string,
       kEventLogPath : string,
       kEnableMachineIDDecoration : number,
+      kEnableSystemExtension : number,
+      kEnableSysxCache : number,
+      kEnableForkAndExitLogging : number,
+      kIgnoreOtherEndpointSecurityClients : number,
+      kEnableDebugLogging : number,
+      kEnableBackwardsCompatibleContentEncoding : number,
+      kFCMProject : string,
+      kFCMEntity : string,
+      kFCMAPIKey : string,
+      kMetricFormat : string,
+      kMetricURL : string,
+      kMetricExportInterval : number,
+      kMetricExtraLabels : dictionary,
     };
     _defaults = [NSUserDefaults standardUserDefaults];
     [_defaults addSuiteNamed:@"com.google.santa"];
     _configState = [self readForcedConfig];
     _syncState = [self readSyncStateFromDisk] ?: [NSMutableDictionary dictionary];
+    _debugFlag = [[NSProcessInfo processInfo].arguments containsObject:@"--debug"];
     [self startWatchingDefaults];
   }
   return self;
@@ -189,11 +247,11 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
   return [self syncAndConfigStateSet];
 }
 
-+ (NSSet *)keyPathsForValuesAffectingWhitelistPathRegex {
++ (NSSet *)keyPathsForValuesAffectingAllowlistPathRegex {
   return [self syncAndConfigStateSet];
 }
 
-+ (NSSet *)keyPathsForValuesAffectingBlacklistPathRegex {
++ (NSSet *)keyPathsForValuesAffectingBlocklistPathRegex {
   return [self syncAndConfigStateSet];
 }
 
@@ -213,6 +271,10 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
   return [self configStateSet];
 }
 
++ (NSSet *)keyPathsForValuesAffectingAboutText {
+  return [self configStateSet];
+}
+
 + (NSSet *)keyPathsForValuesAffectingMoreInfoURL {
   return [self configStateSet];
 }
@@ -297,10 +359,54 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
   return [self configStateSet];
 }
 
-+ (NSSet *)keyPathsForValuesAffectingEnableTransitiveWhitelisting {
++ (NSSet *)keyPathsForValuesAffectingEnableTransitiveRules {
   return [self syncAndConfigStateSet];
 }
 
++ (NSSet *)keyPathsForValuesAffectingEnableSystemExtension {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingEnableSysxCache {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingEnableForkAndExitLogging {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingIgnoreOtherEndpointSecurityClients {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingEnableDebugLogging {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingEnableBackwardsCompatibleContentEncoding {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingFcmProject {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingFcmEntity {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingFcmAPIKey {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingFcmEnabled {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingEnableBadSignatureProtection {
+  return [self configStateSet];
+}
+
 #pragma mark Public Interface
 
 - (SNTClientMode)clientMode {
@@ -320,37 +426,58 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
 - (void)setSyncServerClientMode:(SNTClientMode)newMode {
   if (newMode == SNTClientModeMonitor || newMode == SNTClientModeLockdown) {
     [self updateSyncStateForKey:kClientModeKey value:@(newMode)];
-  } else {
-    LOGW(@"Ignoring request to change client mode to %ld", newMode);
   }
 }
 
-- (BOOL)enableTransitiveWhitelisting {
-  NSNumber *n = self.syncState[kEnableTransitiveWhitelistingKey];
-  if (n) {
-    return [n boolValue];
-  }
-  return [self.configState[kEnableTransitiveWhitelistingKey] boolValue];
+- (BOOL)enableTransitiveRules {
+  NSNumber *n = self.syncState[kEnableTransitiveRulesKey];
+  if (n) return [n boolValue];
+
+  n = self.syncState[kEnableTransitiveRulesKeyDeprecated];
+  if (n) return [n boolValue];
+
+  n = self.configState[kEnableTransitiveRulesKeyDeprecated];
+  if (n) return [n boolValue];
+
+  return [self.configState[kEnableTransitiveRulesKey] boolValue];
 }
 
-- (void)setEnableTransitiveWhitelisting:(BOOL)enabled {
-  [self updateSyncStateForKey:kEnableTransitiveWhitelistingKey value:@(enabled)];
+- (void)setEnableTransitiveRules:(BOOL)enabled {
+  [self updateSyncStateForKey:kEnableTransitiveRulesKey value:@(enabled)];
 }
 
-- (NSRegularExpression *)whitelistPathRegex {
-  return self.syncState[kWhitelistRegexKey] ?: self.configState[kWhitelistRegexKey];
+- (NSRegularExpression *)allowedPathRegex {
+  NSRegularExpression *r = self.syncState[kAllowedPathRegexKey];
+  if (r) return r;
+
+  r = self.syncState[kAllowedPathRegexKeyDeprecated];
+  if (r) return r;
+
+  r = self.configState[kAllowedPathRegexKey];
+  if (r) return r;
+
+  return self.configState[kAllowedPathRegexKeyDeprecated];
 }
 
-- (void)setSyncServerWhitelistPathRegex:(NSRegularExpression *)re {
-  [self updateSyncStateForKey:kWhitelistRegexKey value:re];
+- (void)setSyncServerAllowedPathRegex:(NSRegularExpression *)re {
+  [self updateSyncStateForKey:kAllowedPathRegexKey value:re];
 }
 
-- (NSRegularExpression *)blacklistPathRegex {
-  return self.syncState[kBlacklistRegexKey] ?: self.configState[kBlacklistRegexKey];
+- (NSRegularExpression *)blockedPathRegex {
+  NSRegularExpression *r = self.syncState[kBlockedPathRegexKey];
+  if (r) return r;
+
+  r = self.syncState[kBlockedPathRegexKeyDeprecated];
+  if (r) return r;
+
+  r = self.configState[kBlockedPathRegexKey];
+  if (r) return r;
+
+  return self.configState[kBlockedPathRegexKeyDeprecated];
 }
 
-- (void)setSyncServerBlacklistPathRegex:(NSRegularExpression *)re {
-  [self updateSyncStateForKey:kBlacklistRegexKey value:re];
+- (void)setSyncServerBlockedPathRegex:(NSRegularExpression *)re {
+  [self updateSyncStateForKey:kBlockedPathRegexKey value:re];
 }
 
 - (NSRegularExpression *)fileChangesRegex {
@@ -361,26 +488,51 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
   NSArray *filters = self.configState[kFileChangesPrefixFiltersKey];
   for (id filter in filters) {
     if (![filter isKindOfClass:[NSString class]]) {
-      LOGE(@"Ignoring FileChangesPrefixFilters: array contains a non-string %@", filter);
       return nil;
     }
   }
   return filters;
 }
 
+- (void)setRemountUSBMode:(NSArray<NSString *> *)args {
+  [self updateSyncStateForKey:kRemountUSBModeKey value:args];
+}
+
+- (NSArray<NSString *> *)remountUSBMode {
+  NSArray<NSString *> *args = self.configState[kRemountUSBModeKey];
+  for (id arg in args) {
+    if (![arg isKindOfClass:[NSString class]]) {
+      return nil;
+    }
+  }
+  return args;
+}
+
 - (NSURL *)syncBaseURL {
   NSString *urlString = self.configState[kSyncBaseURLKey];
   if (![urlString hasSuffix:@"/"]) urlString = [urlString stringByAppendingString:@"/"];
   NSURL *url = [NSURL URLWithString:urlString];
-  if (urlString && !url) LOGW(@"SyncBaseURL is not a valid URL!");
   return url;
 }
 
+- (NSDictionary *)syncProxyConfig {
+  return self.configState[kSyncProxyConfigKey];
+}
+
 - (BOOL)enablePageZeroProtection {
   NSNumber *number = self.configState[kEnablePageZeroProtectionKey];
   return number ? [number boolValue] : YES;
 }
 
+- (BOOL)enableBadSignatureProtection {
+  NSNumber *number = self.configState[kEnableBadSignatureProtectionKey];
+  return number ? [number boolValue] : NO;
+}
+
+- (NSString *)aboutText {
+  return self.configState[kAboutText];
+}
+
 - (NSURL *)moreInfoURL {
   return [NSURL URLWithString:self.configState[kMoreInfoURLKey]];
 }
@@ -501,6 +653,108 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
   return number ? [number boolValue] : NO;
 }
 
+- (BOOL)enableSystemExtension {
+  if (@available(macOS 10.15, *)) {
+    NSFileManager *fm = [NSFileManager defaultManager];
+    if (![fm fileExistsAtPath:@"/Library/Extensions/santa-driver.kext"]) return YES;
+    NSNumber *number = self.configState[kEnableSystemExtension];
+    return number ? [number boolValue] : YES;
+  } else {
+    return NO;
+  }
+}
+
+- (BOOL)enableSysxCache {
+  NSNumber *number = self.configState[kEnableSysxCache];
+  return number ? [number boolValue] : YES;
+}
+
+- (BOOL)enableForkAndExitLogging {
+  NSNumber *number = self.configState[kEnableForkAndExitLogging];
+  return number ? [number boolValue] : NO;
+}
+
+- (BOOL)ignoreOtherEndpointSecurityClients {
+  NSNumber *number = self.configState[kIgnoreOtherEndpointSecurityClients];
+  return number ? [number boolValue] : NO;
+}
+
+- (BOOL)enableDebugLogging {
+  NSNumber *number = self.configState[kEnableDebugLogging];
+  return [number boolValue] || self.debugFlag;
+}
+
+- (BOOL)enableBackwardsCompatibleContentEncoding {
+  NSNumber *number = self.configState[kEnableBackwardsCompatibleContentEncoding];
+  return number ? [number boolValue] : NO;
+}
+
+- (NSString *)fcmProject {
+  return self.configState[kFCMProject];
+}
+
+- (NSString *)fcmEntity {
+  return self.configState[kFCMEntity];
+}
+
+- (NSString *)fcmAPIKey {
+  return self.configState[kFCMAPIKey];
+}
+
+- (BOOL)fcmEnabled {
+  return (self.fcmProject.length && self.fcmEntity.length && self.fcmAPIKey.length);
+}
+
+- (void)setBlockUSBMount:(BOOL)enabled {
+  [self updateSyncStateForKey:kBlockUSBMountKey value:@(enabled)];
+}
+
+- (BOOL)blockUSBMount {
+  NSNumber *number = self.configState[kBlockUSBMountKey];
+  return number ? [number boolValue] : NO;
+}
+
+///
+/// Returns YES if all of the necessary options are set to export metrics, NO
+/// otherwise.
+///
+- (BOOL)exportMetrics {
+  return [self metricFormat] != SNTMetricFormatTypeUnknown &&
+         ![self.configState[kMetricURL] isEqualToString:@""];
+}
+
+- (SNTMetricFormatType)metricFormat {
+  NSString *normalized = [self.configState[kMetricFormat] lowercaseString];
+
+  normalized = [normalized stringByTrimmingCharactersInSet:[NSCharacterSet whitespaceCharacterSet]];
+
+  if ([normalized isEqualToString:@"rawjson"]) {
+    return SNTMetricFormatTypeRawJSON;
+  } else if ([normalized isEqualToString:@"monarchjson"]) {
+    return SNTMetricFormatTypeMonarchJSON;
+  } else {
+    return SNTMetricFormatTypeUnknown;
+  }
+}
+
+- (NSURL *)metricURL {
+  return [NSURL URLWithString:self.configState[kMetricURL]];
+}
+
+// Returns a default value of 30 (for 30 seconds).
+- (NSUInteger)metricExportInterval {
+  NSNumber *configuredInterval = self.configState[kMetricExportInterval];
+
+  if (configuredInterval == nil) {
+    return 30;
+  }
+  return [configuredInterval unsignedIntegerValue];
+}
+
+- (NSDictionary *)extraMetricLabels {
+  return self.configState[kMetricExtraLabels];
+}
+
 #pragma mark Private
 
 ///
@@ -524,7 +778,7 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
   // Only santad should read this file.
   if (geteuid() != 0) return nil;
   NSMutableDictionary *syncState =
-      [NSMutableDictionary dictionaryWithContentsOfFile:kSyncStateFilePath];
+    [NSMutableDictionary dictionaryWithContentsOfFile:kSyncStateFilePath];
   for (NSString *key in syncState.allKeys) {
     if (self.syncServerKeyTypes[key] == [NSRegularExpression class]) {
       NSString *pattern = [syncState[key] isKindOfClass:[NSString class]] ? syncState[key] : nil;
@@ -547,11 +801,12 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
   if (geteuid() != 0) return;
   // Either remove
   NSMutableDictionary *syncState = self.syncState.mutableCopy;
-  syncState[kWhitelistRegexKey] = [syncState[kWhitelistRegexKey] pattern];
-  syncState[kBlacklistRegexKey] = [syncState[kBlacklistRegexKey] pattern];
+  syncState[kAllowedPathRegexKey] = [syncState[kAllowedPathRegexKey] pattern];
+  syncState[kBlockedPathRegexKey] = [syncState[kBlockedPathRegexKey] pattern];
   [syncState writeToFile:kSyncStateFilePath atomically:YES];
-  [[NSFileManager defaultManager] setAttributes:@{ NSFilePosixPermissions : @0644 }
-                                   ofItemAtPath:kSyncStateFilePath error:NULL];
+  [[NSFileManager defaultManager] setAttributes:@{NSFilePosixPermissions : @0644}
+                                   ofItemAtPath:kSyncStateFilePath
+                                          error:NULL];
 }
 
 - (void)clearSyncState {
@@ -586,8 +841,9 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
 }
 
 - (void)startWatchingDefaults {
-  // Only santad should listen.
-  if (geteuid() != 0) return;
+  // Only com.google.santa.daemon should listen.
+  NSString *processName = [[NSProcessInfo processInfo] processName];
+  if (![processName isEqualToString:@"com.google.santa.daemon"]) return;
   [[NSNotificationCenter defaultCenter] addObserver:self
                                            selector:@selector(defaultsChanged:)
                                                name:NSUserDefaultsDidChangeNotification

Source/common/SNTFileInfo.h

@@ -40,7 +40,6 @@
 ///
 - (instancetype)initWithPath:(NSString *)path;
 
-
 ///
 ///  Initializer for already resolved paths.
 ///

Source/common/SNTFileInfo.m

@@ -15,8 +15,8 @@
 #import "Source/common/SNTFileInfo.h"
 
 #import <CommonCrypto/CommonDigest.h>
-#import <fmdb/FMDB.h>
 #import <MOLCodesignChecker/MOLCodesignChecker.h>
+#import <fmdb/FMDB.h>
 
 #include <mach-o/arch.h>
 #include <mach-o/loader.h>
@@ -25,7 +25,6 @@
 #include <sys/stat.h>
 #include <sys/xattr.h>
 
-
 // Simple class to hold the data of a mach_header and the offset within the file
 // in which that header was found.
 @interface MachHeaderWithOffset : NSObject
@@ -143,67 +142,68 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 - (void)hashSHA1:(NSString **)sha1 SHA256:(NSString **)sha256 {
   const int MAX_CHUNK_SIZE = 256 * 1024;  // 256 KB
   const size_t chunkSize = _fileSize > MAX_CHUNK_SIZE ? MAX_CHUNK_SIZE : _fileSize;
-  char chunk[chunkSize];
+  char *chunk = malloc(chunkSize);
 
-  CC_SHA1_CTX c1;
-  CC_SHA256_CTX c256;
+  @try {
+    CC_SHA1_CTX c1;
+    CC_SHA256_CTX c256;
 
-  if (sha1) CC_SHA1_Init(&c1);
-  if (sha256) CC_SHA256_Init(&c256);
+    if (sha1) CC_SHA1_Init(&c1);
+    if (sha256) CC_SHA256_Init(&c256);
 
-  int fd = self.fileHandle.fileDescriptor;
+    int fd = self.fileHandle.fileDescriptor;
 
-  fcntl(fd, F_RDAHEAD, 1);
-  struct radvisory radv;
-  radv.ra_offset = 0;
-  const int MAX_ADVISORY_READ = 10 * 1024 * 1024;
-  radv.ra_count = (int)_fileSize < MAX_ADVISORY_READ ? (int)_fileSize : MAX_ADVISORY_READ;
-  fcntl(fd, F_RDADVISE, &radv);
-  ssize_t bytesRead;
+    fcntl(fd, F_RDAHEAD, 1);
+    struct radvisory radv;
+    radv.ra_offset = 0;
+    const int MAX_ADVISORY_READ = 10 * 1024 * 1024;
+    radv.ra_count = (int)_fileSize < MAX_ADVISORY_READ ? (int)_fileSize : MAX_ADVISORY_READ;
+    fcntl(fd, F_RDADVISE, &radv);
+    ssize_t bytesRead;
 
-  for (uint64_t offset = 0; offset < _fileSize;) {
-    bytesRead = pread(fd, chunk, chunkSize, offset);
-    if (bytesRead > 0) {
-      if (sha1) CC_SHA1_Update(&c1, chunk, (CC_LONG)bytesRead);
-      if (sha256) CC_SHA256_Update(&c256, chunk, (CC_LONG)bytesRead);
-      offset += bytesRead;
-    } else if (bytesRead == -1 && errno == EINTR) {
-      continue;
-    } else {
-      return;
+    for (uint64_t offset = 0; offset < _fileSize;) {
+      bytesRead = pread(fd, chunk, chunkSize, offset);
+      if (bytesRead > 0) {
+        if (sha1) CC_SHA1_Update(&c1, chunk, (CC_LONG)bytesRead);
+        if (sha256) CC_SHA256_Update(&c256, chunk, (CC_LONG)bytesRead);
+        offset += bytesRead;
+      } else if (bytesRead == -1 && errno == EINTR) {
+        continue;
+      } else {
+        return;
+      }
     }
-  }
 
-  // We turn off Read Ahead that we turned on
-  fcntl(fd, F_RDAHEAD, 0);
-  if (sha1) {
-    unsigned char digest[CC_SHA1_DIGEST_LENGTH];
-    CC_SHA1_Final(digest, &c1);
-    NSString *const SHA1FormatString =
+    // We turn off Read Ahead that we turned on
+    fcntl(fd, F_RDAHEAD, 0);
+    if (sha1) {
+      unsigned char digest[CC_SHA1_DIGEST_LENGTH];
+      CC_SHA1_Final(digest, &c1);
+      NSString *const SHA1FormatString =
         @"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x";
-    *sha1 = [[NSString alloc]
-        initWithFormat:SHA1FormatString, digest[0], digest[1], digest[2],
-                       digest[3], digest[4], digest[5], digest[6], digest[7],
-                       digest[8], digest[9], digest[10], digest[11], digest[12],
-                       digest[13], digest[14], digest[15], digest[16],
+      *sha1 = [[NSString alloc]
+        initWithFormat:SHA1FormatString, digest[0], digest[1], digest[2], digest[3], digest[4],
+                       digest[5], digest[6], digest[7], digest[8], digest[9], digest[10],
+                       digest[11], digest[12], digest[13], digest[14], digest[15], digest[16],
                        digest[17], digest[18], digest[19]];
-  }
-  if (sha256) {
-    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
-    CC_SHA256_Final(digest, &c256);
-    NSString *const SHA256FormatString =
+    }
+    if (sha256) {
+      unsigned char digest[CC_SHA256_DIGEST_LENGTH];
+      CC_SHA256_Final(digest, &c256);
+      NSString *const SHA256FormatString =
         @"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
          "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x";
 
-    *sha256 = [[NSString alloc]
-        initWithFormat:SHA256FormatString, digest[0], digest[1], digest[2],
-                       digest[3], digest[4], digest[5], digest[6], digest[7],
-                       digest[8], digest[9], digest[10], digest[11], digest[12],
-                       digest[13], digest[14], digest[15], digest[16],
-                       digest[17], digest[18], digest[19], digest[20],
-                       digest[21], digest[22], digest[23], digest[24],
-                       digest[25], digest[26], digest[27], digest[28],
+      *sha256 = [[NSString alloc]
+        initWithFormat:SHA256FormatString, digest[0], digest[1], digest[2], digest[3], digest[4],
+                       digest[5], digest[6], digest[7], digest[8], digest[9], digest[10],
+                       digest[11], digest[12], digest[13], digest[14], digest[15], digest[16],
+                       digest[17], digest[18], digest[19], digest[20], digest[21], digest[22],
+                       digest[23], digest[24], digest[25], digest[26], digest[27], digest[28],
                        digest[29], digest[30], digest[31]];
+    }
+  } @finally {
+    free(chunk);
   }
 }
 
@@ -288,15 +288,15 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 - (BOOL)isMissingPageZero {
   // This method only checks i386 arch because the kernel enforces this for other archs
   // See bsd/kern/mach_loader.c, search for enforce_hard_pagezero.
-  MachHeaderWithOffset *x86Header = self.machHeaders[[self nameForCPUType:CPU_TYPE_X86
-                                                               cpuSubType:CPU_SUBTYPE_I386_ALL]];
+  MachHeaderWithOffset *x86Header =
+    self.machHeaders[[self nameForCPUType:CPU_TYPE_X86 cpuSubType:CPU_SUBTYPE_I386_ALL]];
   if (!x86Header) return NO;
 
   struct mach_header *mh = (struct mach_header *)[x86Header.data bytes];
   if (mh->filetype != MH_EXECUTE) return NO;
 
-  NSRange range = NSMakeRange(x86Header.offset + sizeof(struct mach_header),
-                              sizeof(struct segment_command));
+  NSRange range =
+    NSMakeRange(x86Header.offset + sizeof(struct mach_header), sizeof(struct segment_command));
   NSData *lcData = [self safeSubdataWithRange:range];
   if (!lcData) return NO;
 
@@ -306,9 +306,8 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
   struct load_command *lc = (struct load_command *)[lcData bytes];
   if (lc->cmd == LC_SEGMENT) {
     struct segment_command *segment = (struct segment_command *)lc;
-    if (segment->vmaddr == 0 && segment->vmsize != 0 &&
-        segment->initprot == 0 && segment->maxprot == 0 &&
-        strcmp("__PAGEZERO", segment->segname) == 0) {
+    if (segment->vmaddr == 0 && segment->vmsize != 0 && segment->initprot == 0 &&
+        segment->maxprot == 0 && strcmp("__PAGEZERO", segment->segname) == 0) {
       return NO;
     }
   }
@@ -358,7 +357,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
   while (pathComponents.count > 1) {
     NSBundle *bndl = [NSBundle bundleWithPath:[NSString pathWithComponents:pathComponents]];
     if ([bndl objectForInfoDictionaryKey:@"CFBundleIdentifier"]) {
-      if (!ancestor ||
+      if ((!ancestor && bndl.bundlePath.pathExtension.length) ||
           [[self allowedAncestorExtensions] containsObject:bndl.bundlePath.pathExtension]) {
         bundle = bndl;
       }
@@ -372,7 +371,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 - (NSBundle *)bundle {
   if (!self.bundleRef) {
     self.bundleRef =
-        [self findBundleWithAncestor:self.useAncestorBundle] ?: (NSBundle *)[NSNull null];
+      [self findBundleWithAncestor:self.useAncestorBundle] ?: (NSBundle *)[NSNull null];
   }
   return self.bundleRef == (NSBundle *)[NSNull null] ? nil : self.bundleRef;
 }
@@ -413,8 +412,8 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 }
 
 - (NSString *)bundleName {
-  return [[self.infoPlist objectForKey:@"CFBundleDisplayName"] description] ?:
-         [[self.infoPlist objectForKey:@"CFBundleName"] description];
+  return [[self.infoPlist objectForKey:@"CFBundleDisplayName"] description]
+           ?: [[self.infoPlist objectForKey:@"CFBundleName"] description];
 }
 
 - (NSString *)bundleVersion {
@@ -463,8 +462,8 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 
   NSMutableDictionary *machHeaders = [NSMutableDictionary dictionary];
 
-  NSData *machHeader = [self parseSingleMachHeader:[self safeSubdataWithRange:NSMakeRange(0,
-                                                                                          4096)]];
+  NSData *machHeader =
+    [self parseSingleMachHeader:[self safeSubdataWithRange:NSMakeRange(0, 4096)]];
   if (machHeader) {
     struct mach_header *mh = (struct mach_header *)[machHeader bytes];
     MachHeaderWithOffset *mhwo = [[MachHeaderWithOffset alloc] initWithData:machHeader offset:0];
@@ -547,24 +546,51 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
   for (uint32_t i = 0; i < ncmds; ++i) {
     NSData *cmdData = [self safeSubdataWithRange:NSMakeRange(offset, sz_segment)];
     if (!cmdData) return nil;
-    struct segment_command_64 *lc = (struct segment_command_64 *)[cmdData bytes];
-    if (lc->cmd == LC_SEGMENT || lc->cmd == LC_SEGMENT_64) {
-      if (memcmp(lc->segname, "__TEXT", 6) == 0) {
+
+    if (is64) {
+      struct segment_command_64 *lc = (struct segment_command_64 *)[cmdData bytes];
+      if (lc->cmd == LC_SEGMENT_64 && memcmp(lc->segname, "__TEXT", 6) == 0) {
         nsects = lc->nsects;
         offset += sz_segment;
         break;
       }
+      offset += lc->cmdsize;
+    } else {
+      struct segment_command *lc = (struct segment_command *)[cmdData bytes];
+      if (lc->cmd == LC_SEGMENT && memcmp(lc->segname, "__TEXT", 6) == 0) {
+        nsects = lc->nsects;
+        offset += sz_segment;
+        break;
+      }
+      offset += lc->cmdsize;
     }
-    offset += lc->cmdsize;
   }
 
   // Loop through the sections in the __TEXT segment looking for an __info_plist section.
   for (uint32_t i = 0; i < nsects; ++i) {
     NSData *sectData = [self safeSubdataWithRange:NSMakeRange(offset, sz_section)];
     if (!sectData) return nil;
-    struct section_64 *sect = (struct section_64 *)[sectData bytes];
-    if (sect && memcmp(sect->sectname, "__info_plist", 12) == 0 && sect->size < 2000000) {
-      NSData *plistData = [self safeSubdataWithRange:NSMakeRange(sect->offset, sect->size)];
+    uint64_t sectoffset, sectsize = 0;
+    BOOL found = NO;
+    if (is64) {
+      struct section_64 *sect = (struct section_64 *)[sectData bytes];
+      if (sect && memcmp(sect->sectname, "__info_plist", 12) == 0 && sect->size < 2000000) {
+        sectoffset = sect->offset;
+        sectsize = sect->size;
+        found = YES;
+      }
+    } else {
+      struct section *sect = (struct section *)[sectData bytes];
+      if (sect && memcmp(sect->sectname, "__info_plist", 12) == 0 && sect->size < 2000000) {
+        sectoffset = sect->offset;
+        sectsize = sect->size;
+        found = YES;
+      }
+    }
+
+    if (found) {
+      NSData *plistData =
+        [self safeSubdataWithRange:NSMakeRange(mhwo.offset + sectoffset, sectsize)];
       if (!plistData) return nil;
       NSDictionary *plist;
       plist = [NSPropertyListSerialization propertyListWithData:plistData
@@ -636,9 +662,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
         }
 
         NSURL *dbPath = [NSURL fileURLWithPathComponents:@[
-          fileOwnerHomeDir,
-          @"Library",
-          @"Preferences",
+          fileOwnerHomeDir, @"Library", @"Preferences",
           @"com.apple.LaunchServices.QuarantineEventsV2"
         ]];
         FMDatabase *db = [FMDatabase databaseWithPath:[dbPath absoluteString]];
@@ -657,7 +681,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
             quarantineDict[@"LSQuarantineDataURL"] = [NSURL URLWithString:dataURLString];
             quarantineDict[@"LSQuarantineOriginURL"] = [NSURL URLWithString:originURLString];
             quarantineDict[@"LSQuarantineTimestamp"] =
-                [NSDate dateWithTimeIntervalSinceReferenceDate:timeStamp];
+              [NSDate dateWithTimeIntervalSinceReferenceDate:timeStamp];
 
             self.quarantineDict = quarantineDict;
           }

Source/common/SNTFileInfoTest.m

@@ -39,9 +39,8 @@
   sut = [[SNTFileInfo alloc] initWithPath:@"../../../../../../../../../../../../../../../bin/ls"];
   XCTAssertEqualObjects(sut.path, @"/bin/ls");
 
-  sut = [[SNTFileInfo alloc] initWithPath:@"/usr/bin/qlmanage"];
-  XCTAssertEqualObjects(sut.path, @"/System/Library/Frameworks/QuickLook.framework/Versions/A/"
-                                  @"Resources/quicklookd.app/Contents/MacOS/qlmanage");
+  sut = [[SNTFileInfo alloc] initWithPath:@"/usr/sbin/DirectoryService"];
+  XCTAssertEqualObjects(sut.path, @"/usr/libexec/dspluginhelperd");
 }
 
 - (void)testSHA1 {
@@ -72,7 +71,6 @@
   XCTAssertTrue(sut.isExecutable);
 
   XCTAssertFalse(sut.isDylib);
-  XCTAssertFalse(sut.isFat);
   XCTAssertFalse(sut.isKext);
   XCTAssertFalse(sut.isScript);
 }
@@ -92,9 +90,8 @@
 }
 
 - (void)testKext {
-  SNTFileInfo *sut =
-      [[SNTFileInfo alloc] initWithPath:
-          @"/System/Library/Extensions/AppleAPIC.kext/Contents/MacOS/AppleAPIC"];
+  SNTFileInfo *sut = [[SNTFileInfo alloc]
+    initWithPath:@"/System/Library/Extensions/AppleAPIC.kext/Contents/MacOS/AppleAPIC"];
 
   XCTAssertTrue(sut.isMachO);
   XCTAssertTrue(sut.isKext);
@@ -106,7 +103,7 @@
 }
 
 - (void)testDylibs {
-  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:@"/usr/lib/libsqlite3.dylib"];
+  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:@"/usr/lib/system/libsystem_platform.dylib"];
 
   XCTAssertTrue(sut.isMachO);
   XCTAssertTrue(sut.isDylib);
@@ -220,8 +217,7 @@
 }
 
 - (void)testNonBundle {
-  SNTFileInfo *sut =
-  [[SNTFileInfo alloc] initWithPath:@"/usr/bin/yes"];
+  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:@"/usr/bin/yes"];
 
   XCTAssertNil([sut bundle]);
 
@@ -231,10 +227,16 @@
 }
 
 - (void)testEmbeddedInfoPlist {
+  NSString *path = [[NSBundle bundleForClass:[self class]] pathForResource:@"32bitplist"
+                                                                    ofType:@""];
+  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:path];
+  XCTAssertNotNil([sut infoPlist]);
+  XCTAssertEqualObjects([sut infoPlist][@"CFBundleShortVersionString"], @"1.0");
+  XCTAssertEqualObjects([sut infoPlist][@"CFBundleIdentifier"], @"com.google.i386plist");
+
   // csreq is installed on all machines with Xcode installed. If you're running these tests,
   // it should be available..
-  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:@"/usr/bin/csreq"];
-
+  sut = [[SNTFileInfo alloc] initWithPath:@"/usr/bin/csreq"];
   XCTAssertNotNil([sut infoPlist]);
 }
 

Source/common/SNTKernelCommon.h

@@ -16,17 +16,18 @@
 /// Common defines between kernel <-> userspace
 ///
 
-#include <sys/param.h>
-
 #ifndef SANTA__COMMON__KERNELCOMMON_H
 #define SANTA__COMMON__KERNELCOMMON_H
 
+#include <stdint.h>
+#include <sys/param.h>
+
 // Defines the name of the userclient class and the driver bundle ID.
 #define USERCLIENT_CLASS "com_google_SantaDriver"
 #define USERCLIENT_ID "com.google.santa-driver"
 
 // Branch prediction
-#define likely(x)   __builtin_expect(!!(x), 1)
+#define likely(x) __builtin_expect(!!(x), 1)
 #define unlikely(x) __builtin_expect(!!(x), 0)
 
 // List of methods supported by the driver.
@@ -81,15 +82,16 @@ typedef enum {
   ACTION_NOTIFY_EXCHANGE = 34,
   ACTION_NOTIFY_DELETE = 35,
   ACTION_NOTIFY_WHITELIST = 36,
+  ACTION_NOTIFY_FORK = 37,
+  ACTION_NOTIFY_EXIT = 38,
 
   // ERROR
   ACTION_ERROR = 99,
 } santa_action_t;
 
-#define RESPONSE_VALID(x) \
-  (x == ACTION_RESPOND_ALLOW || \
-   x == ACTION_RESPOND_DENY || \
-   x == ACTION_RESPOND_ALLOW_COMPILER || \
+#define RESPONSE_VALID(x)                                   \
+  (x == ACTION_RESPOND_ALLOW || x == ACTION_RESPOND_DENY || \
+   x == ACTION_RESPOND_ALLOW_COMPILER ||                    \
    x == ACTION_RESPOND_ALLOW_PENDING_TRANSITIVE)
 
 // Struct to manage vnode IDs
@@ -98,11 +100,11 @@ typedef struct santa_vnode_id_t {
   uint64_t fileid;
 
 #ifdef __cplusplus
-  bool operator==(const santa_vnode_id_t& rhs) const {
+  bool operator==(const santa_vnode_id_t &rhs) const {
     return fsid == rhs.fsid && fileid == rhs.fileid;
   }
-  // This _must not_ be used for anything security-sensitive. It exists solely to make
-  // the msleep/wakeup calls easier.
+  // This _must not_ be used for anything security-sensitive. It exists solely
+  // to make the msleep/wakeup calls easier.
   uint64_t unsafe_simple_id() const {
     return (((uint64_t)fsid << 32) | fileid);
   }
@@ -116,6 +118,7 @@ typedef struct {
   uid_t uid;
   gid_t gid;
   pid_t pid;
+  int pidversion;
   pid_t ppid;
   char path[MAXPATHLEN];
   char newpath[MAXPATHLEN];
@@ -124,6 +127,14 @@ typedef struct {
   // While process names can technically be 4*MAXPATHLEN, that never
   // actually happens, so only take MAXPATHLEN and throw away any excess.
   char pname[MAXPATHLEN];
+
+  // For messages that originate from EndpointSecurity, this points to a copy of
+  // the message.
+  void *es_message;
+
+  // For messages that originate from EndpointSecurity, this points to an
+  // NSArray of the arguments.
+  void *args_array;
 } santa_message_t;
 
 // Used for the kSantaUserClientCacheBucketCount request.

Source/common/SNTLogging.h

@@ -34,6 +34,10 @@
 
 #else  // KERNEL
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 #import <Foundation/Foundation.h>
 
 typedef enum : NSUInteger {
@@ -52,7 +56,7 @@ typedef enum : NSUInteger {
 ///  @param ... the arguments to format.
 ///
 void logMessage(LogLevel level, FILE *destination, NSString *format, ...)
-    __attribute__((format(__NSString__, 3, 4)));
+  __attribute__((format(__NSString__, 3, 4)));
 
 /// Simple logging macros
 #define LOGD(logFormat, ...) logMessage(LOG_LEVEL_DEBUG, stdout, logFormat, ##__VA_ARGS__)
@@ -60,6 +64,10 @@ void logMessage(LogLevel level, FILE *destination, NSString *format, ...)
 #define LOGW(logFormat, ...) logMessage(LOG_LEVEL_WARN, stderr, logFormat, ##__VA_ARGS__)
 #define LOGE(logFormat, ...) logMessage(LOG_LEVEL_ERROR, stderr, logFormat, ##__VA_ARGS__)
 
+#ifdef __cplusplus
+}  // extern C
+#endif
+
 #endif  // KERNEL
 
 #endif  // SANTA__COMMON__LOGGING_H

Source/common/SNTLogging.m

@@ -14,6 +14,8 @@
 
 #import "Source/common/SNTLogging.h"
 
+#import "Source/common/SNTConfigurator.h"
+
 #import <asl.h>
 #import <pthread.h>
 
@@ -39,13 +41,13 @@ void logMessage(LogLevel level, FILE *destination, NSString *format, ...) {
   dispatch_once(&pred, ^{
     binaryName = [[NSProcessInfo processInfo] processName];
 
-    // If debug logging is enabled, the process must be restarted.
-    if ([[[NSProcessInfo processInfo] arguments] containsObject:@"--debug"]) {
+    if ([SNTConfigurator configurator].enableDebugLogging) {
       logLevel = LOG_LEVEL_DEBUG;
     }
 
     // If requested, redirect output to syslog.
-    if ([[[NSProcessInfo processInfo] arguments] containsObject:@"--syslog"]) {
+    if ([[[NSProcessInfo processInfo] arguments] containsObject:@"--syslog"] ||
+        [binaryName isEqualToString:@"com.google.santa.daemon"]) {
       useSyslog = YES;
       pthread_key_create(&syslogKey, syslogClientDestructor);
     }
@@ -82,11 +84,14 @@ void logMessage(LogLevel level, FILE *destination, NSString *format, ...) {
         break;
       case LOG_LEVEL_INFO:
         levelName = "I";
-        syslogLevel = ASL_LEVEL_NOTICE; // Maps to ULS Default
+        syslogLevel = ASL_LEVEL_NOTICE;  // Maps to ULS Default
         break;
       case LOG_LEVEL_DEBUG:
         levelName = "D";
-        syslogLevel = ASL_LEVEL_DEBUG;
+        // Log debug messages at the same ASL level as INFO.
+        // While it would make sense to use DEBUG, watching debug-level logs
+        // in Console means enabling all debug logs, which is absurdly noisy.
+        syslogLevel = ASL_LEVEL_NOTICE;
         break;
     }
 

Source/common/SNTMetricSet.h

@@ -0,0 +1,197 @@
+/// Copyright 2021 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import <Foundation/Foundation.h>
+#import "SNTCommonEnums.h"
+
+/**
+ * Provides an abstraction for various metric systems that will be exported to
+ * monitoring systems via the MetricService. This is used to store internal
+ * counters and metrics that can be exported to an external monitoring system.
+ *
+ * `SNTMetricSet` for storing and creating metrics and counters. This is
+ *   the externally visible interface
+ *   class.
+ *
+ *  Metric classes:
+ *   * `SNTMetric` to store metric values broken down by "field" dimensions.
+ *   * subclasses of `SNTMetric` with suitable setters:
+ *     * `SNTMetricCounter`
+ *     * `SNTMetricGaugeInt64`
+ *     * `SNTMetricGaugeDouble`
+ *     * `SNTMetricString`
+ *     * `SNTMetricBool`
+ */
+
+NS_ASSUME_NONNULL_BEGIN
+
+typedef NS_ENUM(NSInteger, SNTMetricType) {
+  SNTMetricTypeUnknown = 0,
+  SNTMetricTypeConstantBool = 1,
+  SNTMetricTypeConstantString = 2,
+  SNTMetricTypeConstantInt64 = 3,
+  SNTMetricTypeConstantDouble = 4,
+  SNTMetricTypeGaugeBool = 5,
+  SNTMetricTypeGaugeString = 6,
+  SNTMetricTypeGaugeInt64 = 7,
+  SNTMetricTypeGaugeDouble = 8,
+  SNTMetricTypeCounter = 9,
+};
+
+NSString *SNTMetricMakeStringFromMetricType(SNTMetricType metricType);
+
+@interface SNTMetric : NSObject
+- (NSDictionary *)export;
+@end
+
+@interface SNTMetricCounter : SNTMetric
+- (void)incrementBy:(long long)step forFieldValues:(NSArray<NSString *> *)fieldValues;
+- (void)incrementForFieldValues:(NSArray<NSString *> *)fieldValues;
+- (long long)getCountForFieldValues:(NSArray<NSString *> *)fieldValues;
+@end
+
+@interface SNTMetricInt64Gauge : SNTMetric
+- (void)set:(long long)value forFieldValues:(NSArray<NSString *> *)fieldValues;
+- (long long)getGaugeValueForFieldValues:(NSArray<NSString *> *)fieldValues;
+@end
+
+@interface SNTMetricDoubleGauge : SNTMetric
+- (void)set:(double)value forFieldValues:(NSArray<NSString *> *)fieldValues;
+- (double)getGaugeValueForFieldValues:(NSArray<NSString *> *)fieldValues;
+@end
+
+@interface SNTMetricStringGauge : SNTMetric
+- (void)set:(NSString *)value forFieldValues:(NSArray<NSString *> *)fieldValues;
+- (NSString *)getStringValueForFieldValues:(NSArray<NSString *> *)fieldValues;
+@end
+
+@interface SNTMetricBooleanGauge : SNTMetric
+- (void)set:(BOOL)value forFieldValues:(NSArray<NSString *> *)fieldValues;
+- (BOOL)getBoolValueForFieldValues:(NSArray<NSString *> *)fieldValues;
+@end
+
+/**
+ * A registry of metrics with associated fields.
+ */
+@interface SNTMetricSet : NSObject
+- (instancetype)initWithHostname:(NSString *)hostname username:(NSString *)username;
+
+/* Returns a counter with the given name, field names and help
+ *  text, registered with the MetricSet.
+ *
+ * @param name The counter name, for example @"/proc/cpu".
+ * @param fieldNames The counter's field names, for example @[@"result"].
+ * @param helpText The counter's help description.
+ * @return A counter with the given specification registered with this root.
+ *   The returned counter might have been created earlier with the same
+ *   specification.
+ * @throw NSInternalInconsistencyException When trying to register a second
+ *   counter with the same name but a different schema as an existing one
+ */
+- (SNTMetricCounter *)counterWithName:(NSString *)name
+                           fieldNames:(NSArray<NSString *> *)fieldNames
+                             helpText:(NSString *)text;
+
+/**
+ * Returns a shared global instance with default root labels and metrics registered.
+ */
++ (instancetype)sharedInstance;
+
+/**
+ *  Add a root label to the MetricSet.
+ */
+- (void)addRootLabel:(NSString *)label value:(NSString *)value;
+
+/**
+ * Remove a root label from the MetricSet.
+ */
+- (void)removeRootLabel:(NSString *)labelName;
+
+/**
+ * Returns a int64 gauge metric with the given Streamz name and help text,
+ * registered with this MetricSet.
+ *
+ * @param name The metric name, for example @"/memory/free".
+ * @param fieldNames The metric's field names, for example @[@"type"].
+ * @param helpText The metric's help description.
+ */
+- (SNTMetricInt64Gauge *)int64GaugeWithName:(NSString *)name
+                                 fieldNames:(NSArray<NSString *> *)fieldNames
+                                   helpText:(NSString *)helpText;
+
+/**
+ * Returns a double gauge metric with the given name and help text,
+ * registered with this root.
+ *
+ * @param name The metric name, for example @"/memory/free".
+ * @param fieldNames The metric's field names, for example @[@"type"].
+ * @param helpText The metric's help description.
+ */
+- (SNTMetricDoubleGauge *)doubleGaugeWithName:(NSString *)name
+                                   fieldNames:(NSArray<NSString *> *)fieldNames
+                                     helpText:(NSString *)helpText;
+
+/**
+ * Returns a string gauge metric with the given name and help text,
+ * registered with this metric set.
+ *
+ * @param name The metric name, for example @"/santa/mode".
+ * @param fieldNames The metric's field names, for example @[@"type"].
+ * @param helpText The metric's help description.
+ */
+- (SNTMetricStringGauge *)stringGaugeWithName:(NSString *)name
+                                   fieldNames:(NSArray<NSString *> *)fieldNames
+                                     helpText:(NSString *)helpText;
+
+/**
+ * Returns a boolean gauge metric with the given name and help text,
+ * registered with this metric set.
+ *
+ * @param name The metric name, for example @"/memory/free".
+ * @param fieldNames The metric's field names, for example @[@"type"].
+ * @param helpText The metric's help description.
+ */
+- (SNTMetricBooleanGauge *)booleanGaugeWithName:(NSString *)name
+                                     fieldNames:(NSArray<NSString *> *)fieldNames
+                                       helpText:(NSString *)helpText;
+
+/** Creates a constant metric with a string value and no fields. */
+- (void)addConstantStringWithName:(NSString *)name
+                         helpText:(NSString *)helpText
+                            value:(NSString *)value;
+
+/** Creates a constant metric with an integer value and no fields. */
+- (void)addConstantIntegerWithName:(NSString *)name
+                          helpText:(NSString *)helpText
+                             value:(long long)value;
+
+/** Creates a constant metric with an integer value and no fields. */
+- (void)addConstantBooleanWithName:(NSString *)name helpText:(NSString *)helpText value:(BOOL)value;
+
+/** Register a callback to get executed just before each export. */
+- (void)registerCallback:(void (^)(void))callback;
+
+/** Export creates an NSDictionary of the state of the metrics */
+- (NSDictionary *)export;
+@end
+
+// Returns a human readble string from an SNTMetricFormat type
+NSString *SNTMetricStringFromMetricFormatType(SNTMetricFormatType format);
+
+/** Normalizes dates in an exported dictionary to be ISO8601 timestamp strings in
+ *  UTC time.
+ */
+NSDictionary *SNTMetricConvertDatesToISO8601Strings(NSDictionary *metrics);
+
+NS_ASSUME_NONNULL_END

Source/common/SNTMetricSet.m

@@ -0,0 +1,672 @@
+/// Copyright 2021 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTMetricSet.h"
+#import "SNTCommonEnums.h"
+
+NSString *SNTMetricMakeStringFromMetricType(SNTMetricType metricType) {
+  NSString *typeStr;
+  switch (metricType) {
+    case SNTMetricTypeConstantBool: typeStr = @"SNTMetricTypeConstantBool"; break;
+    case SNTMetricTypeConstantString: typeStr = @"SNTMetricTypeConstantString"; break;
+    case SNTMetricTypeConstantInt64: typeStr = @"SNTMetricTypeConstantInt64"; break;
+    case SNTMetricTypeConstantDouble: typeStr = @"SNTMetricTypeConstantDouble"; break;
+    case SNTMetricTypeGaugeBool: typeStr = @"SNTMetricTypeGaugeBool"; break;
+    case SNTMetricTypeGaugeString: typeStr = @"SNTMetricTypeGaugeString"; break;
+    case SNTMetricTypeGaugeInt64: typeStr = @"SNTMetricTypeGaugeInt64"; break;
+    case SNTMetricTypeGaugeDouble: typeStr = @"SNTMetricTypeGaugeDouble"; break;
+    case SNTMetricTypeCounter: typeStr = @"SNTMetricTypeCounter"; break;
+    default: typeStr = @"SNTMetricTypeUnknown"; break;
+  }
+  return [NSString stringWithFormat:@"%@ %ld", typeStr, metricType];
+}
+
+/**
+ *  SNTMetricValue encapsulates the value of a metric along with the creation
+ *  and update timestamps. It is thread-safe and has a separate field for each
+ *  metric type.
+ *
+ *  It is intended to only be used by SNTMetrics;
+ */
+@interface SNTMetricValue : NSObject
+/** Increment the counter by the step value, updating timestamps appropriately. */
+- (void)addInt64:(long long)step;
+
+/** Set the Int64 value. */
+- (void)setInt64:(long long)value;
+
+/** Set the double value. */
+- (void)setDouble:(double)value;
+
+/** Set the string value. */
+- (void)setString:(NSString *)value;
+
+/** Set the BOOL string value. */
+- (void)setBool:(BOOL)value;
+
+/**
+ * Clears the last update timestamp.
+ *
+ * This makes the metric value always emit the current timestamp as last update timestamp.
+ */
+- (void)clearLastUpdateTimestamp;
+
+/** Getters */
+- (long long)getInt64Value;
+- (double)getDoubleValue;
+- (NSString *)getStringValue;
+@end
+
+@implementation SNTMetricValue {
+  /** The int64 value for the SNTMetricValue, if set. */
+  long long _int64Value;
+
+  /** The double value for the SNTMetricValue, if set. */
+  double _doubleValue;
+
+  /** The string value for the SNTMetricValue, if set. */
+  NSString *_stringValue;
+
+  /** The boolean value for the SNTMetricValue, if set. */
+  BOOL _boolValue;
+
+  /** The first time this cell got created in the current process. */
+  NSDate *_creationTime;
+
+  /** The last time that the counter value was changed. */
+  NSDate *_lastUpdate;
+}
+
+- (instancetype)init {
+  self = [super init];
+  if (self) {
+    _creationTime = [NSDate date];
+    _lastUpdate = _creationTime;
+  }
+  return self;
+}
+
+- (void)addInt64:(long long)step {
+  @synchronized(self) {
+    _int64Value += step;
+    _lastUpdate = [NSDate date];
+  }
+}
+
+- (void)setInt64:(long long)value {
+  @synchronized(self) {
+    _int64Value = value;
+    _lastUpdate = [NSDate date];
+  }
+}
+
+- (long long)getInt64Value {
+  @synchronized(self) {
+    return _int64Value;
+  }
+}
+
+- (void)setDouble:(double)value {
+  @synchronized(self) {
+    _doubleValue = value;
+    _lastUpdate = [NSDate date];
+  }
+}
+
+- (double)getDoubleValue {
+  @synchronized(self) {
+    return _doubleValue;
+  }
+}
+
+- (void)setString:(NSString *)value {
+  @synchronized(self) {
+    _stringValue = [value copy];
+    _lastUpdate = [NSDate date];
+  }
+}
+
+- (NSString *)getStringValue {
+  @synchronized(self) {
+    return [_stringValue copy];
+  }
+}
+
+- (void)setBool:(BOOL)value {
+  @synchronized(self) {
+    _boolValue = value;
+    _lastUpdate = [NSDate date];
+  }
+}
+
+- (BOOL)getBoolValue {
+  @synchronized(self) {
+    return _boolValue;
+  }
+}
+
+- (void)clearLastUpdateTimestamp {
+  @synchronized(self) {
+    _lastUpdate = nil;
+  }
+}
+
+- (NSDate *)getLastUpdatedTimestamp {
+  NSDate *updated = nil;
+  @synchronized(self) {
+    updated = [_lastUpdate copy];
+  }
+  return updated;
+}
+
+- (NSDate *)getCreatedTimestamp {
+  NSDate *created = nil;
+  @synchronized(self) {
+    created = [_creationTime copy];
+  }
+  return created;
+}
+@end
+
+@implementation SNTMetric {
+ @private
+  /** Fully qualified metric name e.g. /ops/security/santa. */
+  NSString *_name;
+  /** A help text for the metric to be exported to be exported. **/
+  NSString *_help;
+
+  /** Sorted list of the fieldNames **/
+  NSArray<NSString *> *_fieldNames;
+  /** Mapping of field values to actual metric values (e.g. metric /proc/cpu_usage @"mode"=@"user"
+   * -> 0.89 */
+  NSMutableDictionary<NSArray<NSString *> *, SNTMetricValue *> *_metricsForFieldValues;
+  /** the type of metric this is e.g. counter, gauge etc. **/
+  SNTMetricType _type;
+}
+
+- (instancetype)initWithName:(NSString *)name
+                  fieldNames:(NSArray<NSString *> *)fieldNames
+                    helpText:(NSString *)help
+                        type:(SNTMetricType)type {
+  self = [super init];
+  if (self) {
+    _name = [name copy];
+    _help = [help copy];
+    _fieldNames = [fieldNames copy];
+    _metricsForFieldValues = [[NSMutableDictionary alloc] init];
+    _type = type;
+  }
+  return self;
+}
+
+- (NSString *)name {
+  return _name;
+}
+
+- (BOOL)hasSameSchemaAsMetric:(SNTMetric *)other {
+  if (![other isKindOfClass:[self class]]) {
+    return NO;
+  }
+  return [_name isEqualToString:other->_name] && [_help isEqualToString:other->_help] &&
+         [_fieldNames isEqualTo:other->_fieldNames] && _type == other->_type;
+}
+
+/** Retrieves the SNTMetricValue for a given field value.
+   Creates a new SNTMetricValue if none is present. */
+- (SNTMetricValue *)metricValueForFieldValues:(NSArray<NSString *> *)fieldValues {
+  NSParameterAssert(fieldValues.count == _fieldNames.count);
+  SNTMetricValue *metricValue = nil;
+  @synchronized(self) {
+    metricValue = _metricsForFieldValues[fieldValues];
+
+    if (!metricValue) {
+      // Deep copy to prevent mutations to the keys we store in the dictionary.
+      fieldValues = [fieldValues copy];
+      metricValue = [[SNTMetricValue alloc] init];
+      _metricsForFieldValues[fieldValues] = metricValue;
+    }
+  }
+
+  return metricValue;
+}
+
+- (NSDictionary *)encodeMetricValueForFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = _metricsForFieldValues[fieldValues];
+
+  NSMutableDictionary *fieldDict = [[NSMutableDictionary alloc] init];
+
+  fieldDict[@"created"] = [metricValue getCreatedTimestamp];
+  fieldDict[@"last_updated"] = [metricValue getLastUpdatedTimestamp];
+  fieldDict[@"value"] = [fieldValues componentsJoinedByString:@","];
+
+  switch (_type) {
+    case SNTMetricTypeConstantBool:
+    case SNTMetricTypeGaugeBool:
+      fieldDict[@"data"] = [NSNumber numberWithBool:[metricValue getBoolValue]];
+      break;
+    case SNTMetricTypeConstantInt64:
+    case SNTMetricTypeCounter:
+    case SNTMetricTypeGaugeInt64:
+      fieldDict[@"data"] = [NSNumber numberWithLongLong:[metricValue getInt64Value]];
+      break;
+    case SNTMetricTypeConstantDouble:
+    case SNTMetricTypeGaugeDouble:
+      fieldDict[@"data"] = [NSNumber numberWithDouble:[metricValue getDoubleValue]];
+      break;
+    case SNTMetricTypeConstantString:
+    case SNTMetricTypeGaugeString: fieldDict[@"data"] = [metricValue getStringValue]; break;
+    default: break;
+  }
+  return fieldDict;
+}
+
+- (NSDictionary *)export {
+  NSMutableDictionary *metricDict = [NSMutableDictionary dictionaryWithCapacity:_fieldNames.count];
+  metricDict[@"type"] = [NSNumber numberWithInt:(int)_type];
+  metricDict[@"fields"] = [[NSMutableDictionary alloc] init];
+  metricDict[@"description"] = [_help copy];
+
+  if (_fieldNames.count == 0) {
+    metricDict[@"fields"][@""] = @[ [self encodeMetricValueForFieldValues:@[]] ];
+  } else {
+    for (NSString *fieldName in _fieldNames) {
+      NSMutableArray *fieldVals = [[NSMutableArray alloc] init];
+
+      for (NSArray<NSString *> *fieldValues in _metricsForFieldValues) {
+        [fieldVals addObject:[self encodeMetricValueForFieldValues:fieldValues]];
+      }
+
+      metricDict[@"fields"][fieldName] = fieldVals;
+    }
+  }
+  return metricDict;
+}
+@end
+
+@implementation SNTMetricCounter
+
+- (instancetype)initWithName:(NSString *)name
+                  fieldNames:(NSArray<NSString *> *)fieldNames
+                    helpText:(NSString *)helpText {
+  return [super initWithName:name
+                  fieldNames:fieldNames
+                    helpText:helpText
+                        type:SNTMetricTypeCounter];
+}
+
+- (void)incrementBy:(long long)step forFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+
+  if (!metricValue) {
+    return;
+  }
+  [metricValue addInt64:step];
+}
+
+- (void)incrementForFieldValues:(NSArray<NSString *> *)fieldValues {
+  [self incrementBy:1 forFieldValues:fieldValues];
+}
+
+- (long long)getCountForFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+
+  if (!metricValue) {
+    return -1;
+  }
+
+  return [metricValue getInt64Value];
+}
+@end
+
+@implementation SNTMetricInt64Gauge
+- (instancetype)initWithName:(NSString *)name
+                  fieldNames:(NSArray<NSString *> *)fieldNames
+                    helpText:(NSString *)helpText {
+  return [super initWithName:name
+                  fieldNames:fieldNames
+                    helpText:helpText
+                        type:SNTMetricTypeGaugeInt64];
+}
+
+- (void)set:(long long)value forFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+  [metricValue setInt64:value];
+}
+
+- (long long)getGaugeValueForFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+
+  if (!metricValue) {
+    return -1;
+  }
+
+  return [metricValue getInt64Value];
+}
+@end
+
+@implementation SNTMetricDoubleGauge
+
+- (instancetype)initWithName:(NSString *)name
+                  fieldNames:(NSArray<NSString *> *)fieldNames
+                    helpText:(NSString *)text {
+  return [super initWithName:name
+                  fieldNames:fieldNames
+                    helpText:text
+                        type:SNTMetricTypeGaugeDouble];
+}
+
+- (void)set:(double)value forFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+  [metricValue setDouble:value];
+}
+
+- (double)getGaugeValueForFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+
+  if (!metricValue) {
+    return -1;
+  }
+
+  return [metricValue getDoubleValue];
+}
+@end
+
+@implementation SNTMetricStringGauge
+- (instancetype)initWithName:(NSString *)name
+                  fieldNames:(NSArray<NSString *> *)fieldNames
+                    helpText:(NSString *)text {
+  return [super initWithName:name
+                  fieldNames:fieldNames
+                    helpText:text
+                        type:SNTMetricTypeGaugeString];
+}
+
+- (void)set:(NSString *)value forFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+  [metricValue setString:value];
+}
+
+- (NSString *)getStringValueForFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+
+  if (!metricValue) {
+    return nil;
+  }
+
+  return [metricValue getStringValue];
+}
+@end
+
+@implementation SNTMetricBooleanGauge
+- (instancetype)initWithName:(NSString *)name
+                  fieldNames:(NSArray<NSString *> *)fieldNames
+                    helpText:(NSString *)helpText {
+  return [super initWithName:name
+                  fieldNames:fieldNames
+                    helpText:helpText
+                        type:SNTMetricTypeGaugeBool];
+}
+
+- (void)set:(BOOL)value forFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+  [metricValue setBool:value];
+}
+
+- (BOOL)getBoolValueForFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+
+  if (!metricValue) {
+    return false;
+  }
+
+  return [metricValue getBoolValue];
+}
+@end
+
+/**
+ *  SNTMetricSet is the top level container for all metrics and metrics value
+ *  its is abstracted from specific implementations but is close to Google's
+ *  Monarch and Prometheus formats.
+ */
+@implementation SNTMetricSet {
+ @private
+  /** Labels that are used to identify the entity to that all metrics apply to. */
+  NSMutableDictionary<NSString *, NSString *> *_rootLabels;
+  /** Registered metrics keyed by name */
+  NSMutableDictionary<NSString *, SNTMetric *> *_metrics;
+
+  /** Callbacks to update metric values before exporting metrics */
+  NSMutableArray<void (^)(void)> *_callbacks;
+}
+
++ (instancetype)sharedInstance {
+  static SNTMetricSet *sharedMetrics;
+  static dispatch_once_t onceToken;
+
+  dispatch_once(&onceToken, ^{
+    sharedMetrics = [[SNTMetricSet alloc] init];
+  });
+
+  return sharedMetrics;
+}
+
+- (instancetype)init {
+  self = [super init];
+  if (self) {
+    _rootLabels = [[NSMutableDictionary alloc] init];
+    _metrics = [[NSMutableDictionary alloc] init];
+    _callbacks = [[NSMutableArray alloc] init];
+  }
+  return self;
+}
+
+- (instancetype)initWithHostname:(NSString *)hostname username:(NSString *)username {
+  self = [super init];
+  if (self) {
+    _rootLabels = [[NSMutableDictionary alloc] init];
+    _metrics = [[NSMutableDictionary alloc] init];
+    _callbacks = [[NSMutableArray alloc] init];
+
+    _rootLabels[@"hostname"] = [hostname copy];
+    _rootLabels[@"username"] = [username copy];
+  }
+
+  return self;
+}
+
+- (void)addRootLabel:(NSString *)label value:(NSString *)value {
+  @synchronized(self) {
+    _rootLabels[label] = value;
+  }
+}
+
+- (void)removeRootLabel:(NSString *)label {
+  @synchronized(self) {
+    [_rootLabels removeObjectForKey:label];
+  }
+}
+
+- (SNTMetric *)registerMetric:(nonnull SNTMetric *)metric {
+  @synchronized(self) {
+    SNTMetric *oldMetric = _metrics[[metric name]];
+    if ([oldMetric hasSameSchemaAsMetric:metric]) {
+      return oldMetric;
+    }
+    NSAssert(!oldMetric, @"metric registered twice: %@", metric.name);
+    _metrics[metric.name] = metric;
+  }
+  return metric;
+}
+
+- (void)registerCallback:(void (^)(void))callback {
+  @synchronized(self) {
+    [_callbacks addObject:callback];
+  }
+}
+
+- (SNTMetricCounter *)counterWithName:(NSString *)name
+                           fieldNames:(NSArray<NSString *> *)fieldNames
+                             helpText:(NSString *)helpText {
+  SNTMetricCounter *c = [[SNTMetricCounter alloc] initWithName:name
+                                                    fieldNames:fieldNames
+                                                      helpText:helpText];
+  return (SNTMetricCounter *)[self registerMetric:c];
+}
+
+- (SNTMetricInt64Gauge *)int64GaugeWithName:(NSString *)name
+                                 fieldNames:(NSArray<NSString *> *)fieldNames
+                                   helpText:(NSString *)helpText {
+  SNTMetricInt64Gauge *g = [[SNTMetricInt64Gauge alloc] initWithName:name
+                                                          fieldNames:fieldNames
+                                                            helpText:helpText];
+  return (SNTMetricInt64Gauge *)[self registerMetric:g];
+}
+
+- (SNTMetricDoubleGauge *)doubleGaugeWithName:(NSString *)name
+                                   fieldNames:(NSArray<NSString *> *)fieldNames
+                                     helpText:(NSString *)helpText {
+  SNTMetricDoubleGauge *g = [[SNTMetricDoubleGauge alloc] initWithName:name
+                                                            fieldNames:fieldNames
+                                                              helpText:helpText];
+
+  return (SNTMetricDoubleGauge *)[self registerMetric:g];
+}
+
+- (SNTMetricStringGauge *)stringGaugeWithName:(NSString *)name
+                                   fieldNames:(NSArray<NSString *> *)fieldNames
+                                     helpText:(NSString *)helpText {
+  SNTMetricStringGauge *s = [[SNTMetricStringGauge alloc] initWithName:name
+                                                            fieldNames:fieldNames
+                                                              helpText:helpText];
+
+  return (SNTMetricStringGauge *)[self registerMetric:s];
+}
+
+- (SNTMetricBooleanGauge *)booleanGaugeWithName:(NSString *)name
+                                     fieldNames:(NSArray<NSString *> *)fieldNames
+                                       helpText:(NSString *)helpText {
+  SNTMetricBooleanGauge *b = [[SNTMetricBooleanGauge alloc] initWithName:name
+                                                              fieldNames:fieldNames
+                                                                helpText:helpText];
+
+  return (SNTMetricBooleanGauge *)[self registerMetric:b];
+}
+
+- (void)addConstantStringWithName:(NSString *)name
+                         helpText:(NSString *)helpText
+                            value:(NSString *)value {
+  SNTMetric *metric = [[SNTMetric alloc] initWithName:name
+                                           fieldNames:@[]
+                                             helpText:helpText
+                                                 type:SNTMetricTypeConstantString];
+
+  SNTMetricValue *metricValue = [metric metricValueForFieldValues:@[]];
+  [metricValue setString:value];
+  [self registerMetric:metric];
+}
+
+- (void)addConstantIntegerWithName:(NSString *)name
+                          helpText:(NSString *)helpText
+                             value:(long long)value {
+  SNTMetric *metric = [[SNTMetric alloc] initWithName:name
+                                           fieldNames:@[]
+                                             helpText:helpText
+                                                 type:SNTMetricTypeConstantInt64];
+
+  SNTMetricValue *metricValue = [metric metricValueForFieldValues:@[]];
+  [metricValue setInt64:value];
+  [self registerMetric:metric];
+}
+
+- (void)addConstantBooleanWithName:(NSString *)name
+                          helpText:(NSString *)helpText
+                             value:(BOOL)value {
+  SNTMetric *metric = [[SNTMetric alloc] initWithName:name
+                                           fieldNames:@[]
+                                             helpText:helpText
+                                                 type:SNTMetricTypeConstantBool];
+
+  SNTMetricValue *metricValue = [metric metricValueForFieldValues:@[]];
+  [metricValue setBool:value];
+  [self registerMetric:metric];
+}
+
+/** Export current state of the SNTMetricSet as an NSDictionary. */
+- (NSDictionary *)export {
+  NSDictionary *exported = nil;
+
+  // Invoke callbacks to ensure metrics are up to date.
+  for (void (^cb)(void) in _callbacks) {
+    cb();
+  }
+
+  @synchronized(self) {
+    NSMutableDictionary *exportDict = [[NSMutableDictionary alloc] init];
+    exportDict[@"root_labels"] = [_rootLabels copy];
+    exportDict[@"metrics"] = [[NSMutableDictionary alloc] init];
+
+    // TODO(markowsky) Sort the metrics so we always get the same output.
+    for (NSString *metricName in _metrics) {
+      exportDict[@"metrics"][metricName] = [_metrics[metricName] export];
+    }
+
+    exported = [NSDictionary dictionaryWithDictionary:exportDict];
+  }
+  return exported;
+}
+
+// Returns a human readble string from an SNTMetricFormat type
+NSString *SNTMetricStringFromMetricFormatType(SNTMetricFormatType format) {
+  switch (format) {
+    case SNTMetricFormatTypeRawJSON: return @"rawjson";
+    case SNTMetricFormatTypeMonarchJSON: return @"monarchjson";
+    default: return @"Unknown Metric Format";
+  }
+}
+
+NSDictionary *SNTMetricConvertDatesToISO8601Strings(NSDictionary *metrics) {
+  NSMutableDictionary *mutableMetrics = [metrics mutableCopy];
+
+  id formatter;
+
+  if (@available(macOS 10.13, *)) {
+    NSISO8601DateFormatter *isoFormatter = [[NSISO8601DateFormatter alloc] init];
+
+    isoFormatter.formatOptions =
+      NSISO8601DateFormatWithInternetDateTime | NSISO8601DateFormatWithFractionalSeconds;
+    formatter = isoFormatter;
+  } else {
+    NSDateFormatter *localFormatter = [[NSDateFormatter alloc] init];
+    [localFormatter setDateFormat:@"yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"];
+    [localFormatter setTimeZone:[NSTimeZone timeZoneWithName:@"UTC"]];
+    formatter = localFormatter;
+  }
+
+  for (NSString *metricName in mutableMetrics[@"metrics"]) {
+    NSMutableDictionary *metric = mutableMetrics[@"metrics"][metricName];
+
+    for (NSString *field in metric[@"fields"]) {
+      NSMutableArray<NSMutableDictionary *> *values = metric[@"fields"][field];
+
+      [values enumerateObjectsUsingBlock:^(id object, NSUInteger index, BOOL *stop) {
+        values[index][@"created"] = [formatter stringFromDate:values[index][@"created"]];
+        values[index][@"last_updated"] = [formatter stringFromDate:values[index][@"last_updated"]];
+      }];
+    }
+  }
+
+  return mutableMetrics;
+}
+
+@end

Source/common/SNTMetricSetTest.m

@@ -0,0 +1,675 @@
+#import <XCTest/XCTest.h>
+
+#import "Source/common/SNTMetricSet.h"
+
+@interface SNTMetricCounterTest : XCTestCase
+@end
+
+@interface SNTMetricGaugeInt64Test : XCTestCase
+@end
+
+@interface SNTMetricDoubleGaugeTest : XCTestCase
+@end
+
+@interface SNTMetricBooleanGaugeTest : XCTestCase
+@end
+
+@interface SNTMetricStringGaugeTest : XCTestCase
+@end
+
+@interface SNTMetricSetTest : XCTestCase
+@end
+
+@interface SNTMetricSetHelperFunctionsTest : XCTestCase
+@end
+
+// Stub out NSDate's date method
+@implementation NSDate (custom)
+
++ (instancetype)date {
+  NSDateFormatter *formatter = NSDateFormatter.new;
+  [formatter setDateFormat:@"yyyy-MM-dd HH:mm:ssZZZ"];
+  return [formatter dateFromString:@"2021-08-05 13:00:10+0000"];
+}
+
+@end
+
+@implementation SNTMetricCounterTest
+- (void)testSimpleCounter {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricCounter *c =
+    [metricSet counterWithName:@"/santa/events"
+                    fieldNames:@[ @"rule_type" ]
+                      helpText:@"Count of exec events broken out by rule type."];
+
+  XCTAssertNotNil(c, @"Expected returned SNTMetricCounter to not be nil");
+  [c incrementForFieldValues:@[ @"certificate" ]];
+  XCTAssertEqual(1, [c getCountForFieldValues:@[ @"certificate" ]],
+                 @"Counter not incremendted by 1");
+  [c incrementBy:3 forFieldValues:@[ @"certificate" ]];
+  XCTAssertEqual(4, [c getCountForFieldValues:@[ @"certificate" ]],
+                 @"Counter not incremendted by 3");
+}
+
+- (void)testExportNSDictionary {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricCounter *c =
+    [metricSet counterWithName:@"/santa/events"
+                    fieldNames:@[ @"rule_type" ]
+                      helpText:@"Count of exec events broken out by rule type."];
+
+  XCTAssertNotNil(c);
+  [c incrementForFieldValues:@[ @"certificate" ]];
+
+  NSDictionary *expected = @{
+    @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeCounter],
+    @"description" : @"Count of exec events broken out by rule type.",
+    @"fields" : @{
+      @"rule_type" : @[ @{
+        @"value" : @"certificate",
+        @"created" : [NSDate date],
+        @"last_updated" : [NSDate date],
+        @"data" : [NSNumber numberWithInt:1]
+      } ]
+    }
+  };
+
+  XCTAssertEqualObjects([c export], expected);
+}
+
+- (void)testAddingMetricWithSameSchema {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricCounter *a = [metricSet counterWithName:@"/santa/counter"
+                                        fieldNames:@[]
+                                          helpText:@"Test counter."];
+
+  SNTMetricCounter *b = [metricSet counterWithName:@"/santa/counter"
+                                        fieldNames:@[]
+                                          helpText:@"Test counter."];
+
+  XCTAssertEqual(a, b, @"Unexpected new counter returned.");
+}
+@end
+
+@implementation SNTMetricBooleanGaugeTest
+- (void)testSimpleGauge {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricBooleanGauge *b = [metricSet booleanGaugeWithName:@"/santa/daemon_connected"
+                                                  fieldNames:@[]
+                                                    helpText:@"Is the daemon connected."];
+  XCTAssertNotNil(b);
+  [b set:true forFieldValues:@[]];
+  XCTAssertTrue([b getBoolValueForFieldValues:@[]]);
+  [b set:false forFieldValues:@[]];
+  XCTAssertFalse([b getBoolValueForFieldValues:@[]]);
+}
+
+- (void)testExportNSDictionary {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricBooleanGauge *b = [metricSet booleanGaugeWithName:@"/santa/daemon_connected"
+                                                  fieldNames:@[]
+                                                    helpText:@"Is the daemon connected."];
+  XCTAssertNotNil(b);
+  [b set:true forFieldValues:@[]];
+  NSDictionary *expected = @{
+    @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeBool],
+    @"description" : @"Is the daemon connected.",
+    @"fields" : @{
+      @"" : @[ @{
+        @"value" : @"",
+        @"created" : [NSDate date],
+        @"last_updated" : [NSDate date],
+        @"data" : [NSNumber numberWithBool:true]
+      } ]
+    }
+  };
+
+  NSDictionary *output = [b export];
+  XCTAssertEqualObjects(output, expected);
+}
+
+- (void)testAddingBooleanWithSameSchema {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricBooleanGauge *a = [metricSet booleanGaugeWithName:@"/santa/daemon_connected"
+                                                  fieldNames:@[]
+                                                    helpText:@"Is the daemon connected."];
+
+  SNTMetricBooleanGauge *b = [metricSet booleanGaugeWithName:@"/santa/daemon_connected"
+                                                  fieldNames:@[]
+                                                    helpText:@"Is the daemon connected."];
+
+  XCTAssertEqual(a, b, @"Unexpected new boolean gauge returned.");
+}
+
+@end
+
+@implementation SNTMetricGaugeInt64Test
+- (void)testSimpleGauge {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricInt64Gauge *g =
+    [metricSet int64GaugeWithName:@"/santa/rules"
+                       fieldNames:@[ @"rule_type" ]
+                         helpText:@"Count of rules broken out by rule type."];
+
+  XCTAssertNotNil(g, @"Expected returned SNTMetricGaugeInt64 to not be nil");
+  // set from zero
+  [g set:250 forFieldValues:@[ @"binary" ]];
+  XCTAssertEqual(250, [g getGaugeValueForFieldValues:@[ @"binary" ]]);
+
+  // Increase the gauge
+  [g set:500 forFieldValues:@[ @"binary" ]];
+  XCTAssertEqual(500, [g getGaugeValueForFieldValues:@[ @"binary" ]]);
+  // Decrease after increase
+  [g set:100 forFieldValues:@[ @"binary" ]];
+  XCTAssertEqual(100, [g getGaugeValueForFieldValues:@[ @"binary" ]]);
+  // Increase after decrease
+  [g set:750 forFieldValues:@[ @"binary" ]];
+  XCTAssertEqual(750, [g getGaugeValueForFieldValues:@[ @"binary" ]]);
+  // TODO: export the tree to JSON and confirm the structure is correct.
+}
+
+- (void)testExportNSDictionary {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricInt64Gauge *g =
+    [metricSet int64GaugeWithName:@"/santa/rules"
+                       fieldNames:@[ @"rule_type" ]
+                         helpText:@"Count of rules broken out by rule type."];
+
+  XCTAssertNotNil(g, @"Expected returned SNTMetricGaugeInt64 to not be nil");
+  // set from zero
+  [g set:250 forFieldValues:@[ @"binary" ]];
+  XCTAssertEqual(250, [g getGaugeValueForFieldValues:@[ @"binary" ]]);
+
+  NSDictionary *expected = @{
+    @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeInt64],
+    @"description" : @"Count of rules broken out by rule type.",
+    @"fields" : @{
+      @"rule_type" : @[ @{
+        @"value" : @"binary",
+        @"created" : [NSDate date],
+        @"last_updated" : [NSDate date],
+        @"data" : [NSNumber numberWithInt:250]
+      } ]
+    }
+  };
+
+  XCTAssertEqualObjects([g export], expected);
+}
+
+- (void)testAddingMetricWithSameSchema {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricInt64Gauge *a = [metricSet int64GaugeWithName:@"/santa/int64gauge"
+                                              fieldNames:@[]
+                                                helpText:@"Test gauge."];
+
+  SNTMetricInt64Gauge *b = [metricSet int64GaugeWithName:@"/santa/int64gauge"
+                                              fieldNames:@[]
+                                                helpText:@"Test gauge."];
+
+  XCTAssertEqual(a, b, @"Unexpected new gauge returned.");
+}
+
+@end
+
+@implementation SNTMetricDoubleGaugeTest
+
+- (void)testSimpleGauge {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricDoubleGauge *g = [metricSet doubleGaugeWithName:@"/proc/cpu_usage"
+                                                fieldNames:@[ @"mode" ]
+                                                  helpText:@"CPU time consumed by this process."];
+
+  XCTAssertNotNil(g, @"Expected returned SNTMetricDoubleGauge to not be nil");
+  // set from zero
+  [g set:(double)0.45 forFieldValues:@[ @"user" ]];
+  XCTAssertEqual(0.45, [g getGaugeValueForFieldValues:@[ @"user" ]]);
+
+  // Increase the gauge
+  [g set:(double)0.90 forFieldValues:@[ @"user" ]];
+  XCTAssertEqual(0.90, [g getGaugeValueForFieldValues:@[ @"user" ]]);
+  // Decrease after increase
+  [g set:0.71 forFieldValues:@[ @"user" ]];
+  XCTAssertEqual(0.71, [g getGaugeValueForFieldValues:@[ @"user" ]]);
+  // Increase after decrease
+  [g set:0.75 forFieldValues:@[ @"user" ]];
+  XCTAssertEqual(0.75, [g getGaugeValueForFieldValues:@[ @"user" ]]);
+}
+
+- (void)testExportNSDictionary {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricDoubleGauge *g = [metricSet doubleGaugeWithName:@"/proc/cpu_usage"
+                                                fieldNames:@[ @"mode" ]
+                                                  helpText:@"CPU time consumed by this process."];
+
+  XCTAssertNotNil(g, @"Expected returned SNTMetricDoubleGauge to not be nil");
+  // set from zero
+  [g set:(double)0.45 forFieldValues:@[ @"user" ]];
+  [g set:(double)0.90 forFieldValues:@[ @"system" ]];
+
+  NSDictionary *expected = @{
+    @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeDouble],
+    @"description" : @"CPU time consumed by this process.",
+    @"fields" : @{
+      @"mode" : @[
+        @{
+          @"value" : @"user",
+          @"created" : [NSDate date],
+          @"last_updated" : [NSDate date],
+          @"data" : [NSNumber numberWithDouble:0.45]
+        },
+        @{
+          @"value" : @"system",
+          @"created" : [NSDate date],
+          @"last_updated" : [NSDate date],
+          @"data" : [NSNumber numberWithDouble:0.90]
+        }
+      ]
+    }
+  };
+  XCTAssertEqualObjects([g export], expected);
+}
+
+- (void)testAddingMetricWithSameSchema {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricDoubleGauge *a = [metricSet doubleGaugeWithName:@"/santa/doublegauge"
+                                                fieldNames:@[]
+                                                  helpText:@"Test gauge."];
+
+  SNTMetricDoubleGauge *b = [metricSet doubleGaugeWithName:@"/santa/doublegauge"
+                                                fieldNames:@[]
+                                                  helpText:@"Test gauge."];
+
+  XCTAssertEqual(a, b, @"Unexpected new gauge returned.");
+}
+@end
+
+@implementation SNTMetricStringGaugeTest
+- (void)testSimpleGauge {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricStringGauge *s = [metricSet stringGaugeWithName:@"/santa/mode"
+                                                fieldNames:@[]
+                                                  helpText:@"String description of the mode."];
+
+  XCTAssertNotNil(s);
+  [s set:@"testValue" forFieldValues:@[]];
+  XCTAssertEqualObjects([s getStringValueForFieldValues:@[]], @"testValue");
+}
+
+- (void)testExportNSDictionary {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricStringGauge *s = [metricSet stringGaugeWithName:@"/santa/mode"
+                                                fieldNames:@[]
+                                                  helpText:@"String description of the mode."];
+
+  XCTAssertNotNil(s);
+  [s set:@"testValue" forFieldValues:@[]];
+
+  NSDictionary *expected = @{
+    @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeString],
+    @"description" : @"String description of the mode.",
+    @"fields" : @{
+      @"" : @[ @{
+        @"value" : @"",
+        @"created" : [NSDate date],
+        @"last_updated" : [NSDate date],
+        @"data" : @"testValue"
+      } ]
+    }
+  };
+
+  XCTAssertEqualObjects([s export], expected);
+}
+
+- (void)testAddingMetricWithSameSchema {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricStringGauge *a = [metricSet stringGaugeWithName:@"/santa/stringgauge"
+                                                fieldNames:@[]
+                                                  helpText:@"Test gauge."];
+
+  SNTMetricStringGauge *b = [metricSet stringGaugeWithName:@"/santa/stringgauge"
+                                                fieldNames:@[]
+                                                  helpText:@"Test gauge."];
+
+  XCTAssertEqual(a, b, @"Unexpected new gauge returned.");
+}
+
+@end
+
+@implementation SNTMetricSetTest
+- (void)testRootLabels {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  [metricSet addRootLabel:@"hostname" value:@"localhost"];
+
+  NSDictionary *expected = @{@"root_labels" : @{@"hostname" : @"localhost"}, @"metrics" : @{}};
+
+  XCTAssertEqualObjects(expected, [metricSet export]);
+
+  // ensure that adding a rootLabel with the same name overwrites.
+  expected = @{@"root_labels" : @{@"hostname" : @"localhost2"}, @"metrics" : @{}};
+  [metricSet addRootLabel:@"hostname" value:@"localhost2"];
+
+  XCTAssertEqualObjects(expected, [metricSet export],
+                        @"failed to overwrite rootLabel with second call to addRootLabel");
+
+  // ensure that removing a rootLabelWorks
+  expected = @{@"root_labels" : @{}, @"metrics" : @{}};
+  [metricSet removeRootLabel:@"hostname"];
+}
+
+- (void)testDoubleRegisteringIncompatibleMetricsFails {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricCounter *c = [metricSet counterWithName:@"/foo/bar"
+                                        fieldNames:@[ @"field" ]
+                                          helpText:@"lorem ipsum"];
+
+  XCTAssertNotNil(c);
+  XCTAssertThrows([metricSet counterWithName:@"/foo/bar"
+                                  fieldNames:@[ @"incompatible" ]
+                                    helpText:@"A little help text"],
+                  @"Should raise error for incompatible field names");
+
+  XCTAssertThrows([metricSet counterWithName:@"/foo/bar"
+                                  fieldNames:@[ @"result" ]
+                                    helpText:@"INCOMPATIBLE"],
+                  @"Should raise error for incompatible help text");
+}
+
+- (void)testRegisterCallback {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  // Register a callback metric which increments by one before export
+  SNTMetricInt64Gauge *gauge = [metricSet int64GaugeWithName:@"/foo/bar"
+                                                  fieldNames:@[]
+                                                    helpText:@"Number of callbacks done"];
+  __block int count = 0;
+  [metricSet registerCallback:^(void) {
+    count++;
+    [gauge set:count forFieldValues:@[]];
+  }];
+
+  // ensure the callback is called.
+  [metricSet export];
+
+  XCTAssertEqual([gauge getGaugeValueForFieldValues:@[]], 1);
+}
+
+- (void)testAddConstantBool {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  [metricSet addConstantBooleanWithName:@"/tautology"
+                               helpText:@"The first rule of tautology club is the first rule"
+                                  value:YES];
+
+  NSDictionary *expected = @{
+    @"/tautology" : @{
+      @"description" : @"The first rule of tautology club is the first rule",
+      @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantBool],
+      @"fields" : @{
+        @"" : @[ @{
+          @"value" : @"",
+          @"created" : [NSDate date],
+          @"last_updated" : [NSDate date],
+          @"data" : [NSNumber numberWithBool:true]
+        } ]
+      }
+    }
+  };
+
+  XCTAssertEqualObjects([metricSet export][@"metrics"], expected);
+}
+
+- (void)testAddConstantString {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+
+  [metricSet addConstantStringWithName:@"/build/label"
+                              helpText:@"Build label for the binary"
+                                 value:@"20210806.0.1"];
+
+  NSDictionary *expected = @{
+    @"/build/label" : @{
+      @"description" : @"Build label for the binary",
+      @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantString],
+      @"fields" : @{
+        @"" : @[ @{
+          @"value" : @"",
+          @"created" : [NSDate date],
+          @"last_updated" : [NSDate date],
+          @"data" : @"20210806.0.1"
+        } ]
+      }
+    }
+  };
+
+  XCTAssertEqualObjects([metricSet export][@"metrics"], expected);
+}
+
+- (void)testAddConstantInt {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  [metricSet addConstantIntegerWithName:@"/deep/thought/answer"
+                               helpText:@"Life, the universe, and everything"
+                                  value:42];
+
+  NSDictionary *expected = @{
+    @"/deep/thought/answer" : @{
+      @"description" : @"Life, the universe, and everything",
+      @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantInt64],
+      @"fields" : @{
+        @"" : @[ @{
+          @"value" : @"",
+          @"created" : [NSDate date],
+          @"last_updated" : [NSDate date],
+          @"data" : [NSNumber numberWithLongLong:42]
+        } ]
+      }
+    }
+  };
+
+  XCTAssertEqualObjects([metricSet export][@"metrics"], expected);
+}
+
+- (void)testExportNSDictionary {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] initWithHostname:@"testHost"
+                                                          username:@"testUser"];
+
+  // Add constants
+  [metricSet addConstantStringWithName:@"/build/label"
+                              helpText:@"Software version running."
+                                 value:@"20210809.0.1"];
+  [metricSet addConstantBooleanWithName:@"/santa/using_endpoint_security_framework"
+                               helpText:@"Is santad using the endpoint security framework."
+                                  value:TRUE];
+  [metricSet
+    addConstantIntegerWithName:@"/proc/birth_timestamp"
+                      helpText:@"Start time of this santad instance, in microseconds since epoch"
+                         value:(long long)(0x12345668910)];
+  // Add Metrics
+  SNTMetricCounter *c = [metricSet counterWithName:@"/santa/events"
+                                        fieldNames:@[ @"rule_type" ]
+                                          helpText:@"Count of events on the host"];
+
+  [c incrementForFieldValues:@[ @"binary" ]];
+  [c incrementBy:2 forFieldValues:@[ @"certificate" ]];
+
+  SNTMetricInt64Gauge *g = [metricSet int64GaugeWithName:@"/santa/rules"
+                                              fieldNames:@[ @"rule_type" ]
+                                                helpText:@"Number of rules."];
+
+  [g set:1 forFieldValues:@[ @"binary" ]];
+  [g set:3 forFieldValues:@[ @"certificate" ]];
+
+  // Add Metrics with callback
+  SNTMetricInt64Gauge *virtualMemoryGauge =
+    [metricSet int64GaugeWithName:@"/proc/memory/virtual_size"
+                       fieldNames:@[]
+                         helpText:@"The virtual memory size of this process."];
+
+  SNTMetricInt64Gauge *residentMemoryGauge =
+    [metricSet int64GaugeWithName:@"/proc/memory/resident_size"
+                       fieldNames:@[]
+                         helpText:@"The resident set size of this process."];
+
+  [metricSet registerCallback:^(void) {
+    [virtualMemoryGauge set:987654321 forFieldValues:@[]];
+    [residentMemoryGauge set:123456789 forFieldValues:@[]];
+  }];
+
+  NSDictionary *expected = @{
+    @"root_labels" : @{@"hostname" : @"testHost", @"username" : @"testUser"},
+    @"metrics" : @{
+      @"/build/label" : @{
+        @"description" : @"Software version running.",
+        @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantString],
+        @"fields" : @{
+          @"" : @[ @{
+            @"value" : @"",
+            @"created" : [NSDate date],
+            @"last_updated" : [NSDate date],
+            @"data" : @"20210809.0.1"
+          } ]
+        }
+      },
+      @"/santa/events" : @{
+        @"description" : @"Count of events on the host",
+        @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeCounter],
+        @"fields" : @{
+          @"rule_type" : @[
+            @{
+              @"value" : @"binary",
+              @"created" : [NSDate date],
+              @"last_updated" : [NSDate date],
+              @"data" : [NSNumber numberWithInt:1],
+            },
+            @{
+              @"value" : @"certificate",
+              @"created" : [NSDate date],
+              @"last_updated" : [NSDate date],
+              @"data" : [NSNumber numberWithInt:2],
+            },
+          ],
+        },
+      },
+      @"/santa/rules" : @{
+        @"description" : @"Number of rules.",
+        @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeInt64],
+        @"fields" : @{
+          @"rule_type" : @[
+            @{
+              @"value" : @"binary",
+              @"created" : [NSDate date],
+              @"last_updated" : [NSDate date],
+              @"data" : [NSNumber numberWithInt:1],
+            },
+            @{
+              @"value" : @"certificate",
+              @"created" : [NSDate date],
+              @"last_updated" : [NSDate date],
+              @"data" : [NSNumber numberWithInt:3],
+            }
+          ]
+        },
+      },
+      @"/santa/using_endpoint_security_framework" : @{
+        @"description" : @"Is santad using the endpoint security framework.",
+        @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantBool],
+        @"fields" : @{
+          @"" : @[ @{
+            @"value" : @"",
+            @"created" : [NSDate date],
+            @"last_updated" : [NSDate date],
+            @"data" : [NSNumber numberWithBool:YES]
+          } ]
+        }
+      },
+      @"/proc/birth_timestamp" : @{
+        @"description" : @"Start time of this santad instance, in microseconds since epoch",
+        @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantInt64],
+        @"fields" : @{
+          @"" : @[ @{
+            @"value" : @"",
+            @"created" : [NSDate date],
+            @"last_updated" : [NSDate date],
+            @"data" : [NSNumber numberWithLong:1250999830800]
+          } ]
+        },
+      },
+      @"/proc/memory/virtual_size" : @{
+        @"description" : @"The virtual memory size of this process.",
+        @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeInt64],
+        @"fields" : @{
+          @"" : @[ @{
+            @"value" : @"",
+            @"created" : [NSDate date],
+            @"last_updated" : [NSDate date],
+            @"data" : [NSNumber numberWithInt:987654321]
+          } ]
+        }
+      },
+      @"/proc/memory/resident_size" : @{
+        @"description" : @"The resident set size of this process.",
+        @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeInt64],
+        @"fields" : @{
+          @"" : @[ @{
+            @"value" : @"",
+            @"created" : [NSDate date],
+            @"last_updated" : [NSDate date],
+            @"data" : [NSNumber numberWithInt:123456789]
+          } ]
+        },
+      },
+    }
+  };
+
+  XCTAssertEqualObjects([metricSet export], expected);
+}
+@end
+
+@implementation SNTMetricSetHelperFunctionsTest
+- (void)testMakeMetricString {
+  NSArray<NSDictionary *> *tests = @[
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeUnknown],
+      @"expected" : @"SNTMetricTypeUnknown 0"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeConstantBool],
+      @"expected" : @"SNTMetricTypeConstantBool 1"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeConstantString],
+      @"expected" : @"SNTMetricTypeConstantString 2"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeConstantInt64],
+      @"expected" : @"SNTMetricTypeConstantInt64 3"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeConstantDouble],
+      @"expected" : @"SNTMetricTypeConstantDouble 4"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeGaugeBool],
+      @"expected" : @"SNTMetricTypeGaugeBool 5"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeGaugeString],
+      @"expected" : @"SNTMetricTypeGaugeString 6"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeGaugeInt64],
+      @"expected" : @"SNTMetricTypeGaugeInt64 7"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeGaugeDouble],
+      @"expected" : @"SNTMetricTypeGaugeDouble 8"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeCounter],
+      @"expected" : @"SNTMetricTypeCounter 9"
+    }
+  ];
+
+  for (NSDictionary *test in tests) {
+    NSString *output = SNTMetricMakeStringFromMetricType([test[@"input"] integerValue]);
+    XCTAssertEqualObjects(test[@"expected"], output, @"expected %@ got %@", test[@"expected"],
+                          output);
+  }
+}
+@end

Source/common/SNTPrefixTree.cc

@@ -12,58 +12,65 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#include "Source/santa_driver/SantaPrefixTree.h"
+#include "Source/common/SNTPrefixTree.h"
 
 #ifdef KERNEL
 #include <libkern/locks.h>
 
 #include "Source/common/SNTLogging.h"
+
 #else
+
 #include <string.h>
 
-#define LOGD(format, ...) // NOP
-#define LOGE(format, ...) // NOP
+#include <mutex>
 
-#define lck_grp_attr_alloc_init() nullptr
-#define lck_grp_alloc_init(name, attr) nullptr
-#define lck_attr_alloc_init() nullptr
+#define LOGD(format, ...)  // NOP
+#define LOGE(format, ...)  // NOP
 
-#define lck_rw_alloc_init(g, a) new std::shared_mutex
-#define lck_mtx_alloc_init(g, a) new std::mutex
+#define lck_rw_lock_shared(l) pthread_rwlock_rdlock(&l)
+#define lck_rw_unlock_shared(l) pthread_rwlock_unlock(&l)
+#define lck_rw_lock_exclusive(l) pthread_rwlock_wrlock(&l)
+#define lck_rw_unlock_exclusive(l) pthread_rwlock_unlock(&l)
 
-#define lck_attr_free(attr) // NOP
-#define lck_grp_free(grp) // NOP
-#define lck_grp_attr_free(grp_attr) // NOP
-
-#define lck_rw_lock_shared(l) l->lock_shared()
-#define lck_rw_unlock_shared(l) l->unlock_shared()
-#define lck_rw_lock_exclusive(l) l->lock()
-#define lck_rw_unlock_exclusive(l) l->unlock()
-
-#define lck_rw_lock_shared_to_exclusive(l) ({ l->unlock_shared(); false; })
-#define lck_rw_lock_exclusive_to_shared(l) l->unlock(); l->lock_shared()
+#define lck_rw_lock_shared_to_exclusive(l) \
+  ({                                       \
+    pthread_rwlock_unlock(&l);             \
+    false;                                 \
+  })
+#define lck_rw_lock_exclusive_to_shared(l) \
+  ({                                       \
+    pthread_rwlock_unlock(&l);             \
+    pthread_rwlock_rdlock(&l);             \
+  })
 
 #define lck_mtx_lock(l) l->lock()
 #define lck_mtx_unlock(l) l->unlock()
-#endif // KERNEL
+#endif  // KERNEL
 
-SantaPrefixTree::SantaPrefixTree(uint32_t max_nodes) {
+SNTPrefixTree::SNTPrefixTree(uint32_t max_nodes) {
   root_ = new SantaPrefixNode();
   node_count_ = 0;
   max_nodes_ = max_nodes;
 
+#ifdef KERNEL
   spt_lock_grp_attr_ = lck_grp_attr_alloc_init();
-  spt_lock_grp_ = lck_grp_alloc_init("santa-prefix-tree-lock", spt_lock_grp_attr_);
+  spt_lock_grp_ =
+      lck_grp_alloc_init("santa-prefix-tree-lock", spt_lock_grp_attr_);
   spt_lock_attr_ = lck_attr_alloc_init();
 
   spt_lock_ = lck_rw_alloc_init(spt_lock_grp_, spt_lock_attr_);
   spt_add_lock_ = lck_mtx_alloc_init(spt_lock_grp_, spt_lock_attr_);
+#else
+  pthread_rwlock_init(&spt_lock_, nullptr);
+  spt_add_lock_ = new std::mutex;
+#endif
 }
 
-IOReturn SantaPrefixTree::AddPrefix(const char *prefix, uint64_t *node_count) {
-  // Serialize requests to AddPrefix. Otherwise one AddPrefix thread could overwrite whole
-  // branches of another. HasPrefix is still free to read the tree, until AddPrefix needs to
-  // modify it.
+IOReturn SNTPrefixTree::AddPrefix(const char *prefix, uint64_t *node_count) {
+  // Serialize requests to AddPrefix. Otherwise one AddPrefix thread could
+  // overwrite whole branches of another. HasPrefix is still free to read the
+  // tree, until AddPrefix needs to modify it.
   lck_mtx_lock(spt_add_lock_);
 
   // Don't allow an empty prefix.
@@ -78,13 +85,13 @@ IOReturn SantaPrefixTree::AddPrefix(const char *prefix, uint64_t *node_count) {
   lck_rw_lock_shared(spt_lock_);
 
   SantaPrefixNode *node = root_;
-  for (int i = 0; i < len; ++i) {
+  for (size_t i = 0; i < len; ++i) {
     // If there is a node in the path that is considered a prefix, stop adding.
     // For our purposes we only care about the shortest path that matches.
     if (node->isPrefix) break;
 
     // Only process a byte at a time.
-    uint8_t value = prefix[i];
+    uint8_t value = (uint8_t)prefix[i];
 
     // Create the child if it does not exist.
     if (!node->children[value]) {
@@ -107,7 +114,7 @@ IOReturn SantaPrefixTree::AddPrefix(const char *prefix, uint64_t *node_count) {
 
       // Create the rest of the prefix.
       while (i < len) {
-        value = prefix[i++];
+        value = (uint8_t)prefix[i++];
 
         SantaPrefixNode *new_node = new SantaPrefixNode();
         node->children[value] = new_node;
@@ -156,14 +163,15 @@ IOReturn SantaPrefixTree::AddPrefix(const char *prefix, uint64_t *node_count) {
   return kIOReturnSuccess;
 }
 
-bool SantaPrefixTree::HasPrefix(const char *string) {
+bool SNTPrefixTree::HasPrefix(const char *string) {
   lck_rw_lock_shared(spt_lock_);
 
   auto found = false;
 
   SantaPrefixNode *node = root_;
 
-  // A well formed tree will always break this loop. Even if string doesn't terminate.
+  // A well formed tree will always break this loop. Even if string doesn't
+  // terminate.
   const char *p = string;
   while (*p) {
     // Only process a byte at a time.
@@ -184,7 +192,7 @@ bool SantaPrefixTree::HasPrefix(const char *string) {
   return found;
 }
 
-void SantaPrefixTree::Reset() {
+void SNTPrefixTree::Reset() {
   lck_rw_lock_exclusive(spt_lock_);
 
   PruneNode(root_);
@@ -194,11 +202,11 @@ void SantaPrefixTree::Reset() {
   lck_rw_unlock_exclusive(spt_lock_);
 }
 
-void SantaPrefixTree::PruneNode(SantaPrefixNode *target) {
+void SNTPrefixTree::PruneNode(SantaPrefixNode *target) {
   if (!target) return;
 
-  // For deep trees, a recursive approach will generate too many stack frames. Make a "stack"
-  // and walk the tree.
+  // For deep trees, a recursive approach will generate too many stack frames.
+  // Make a "stack" and walk the tree.
   auto stack = new SantaPrefixNode *[node_count_ + 1];
   if (!stack) {
     LOGE("Unable to prune tree!");
@@ -210,7 +218,8 @@ void SantaPrefixTree::PruneNode(SantaPrefixNode *target) {
   // Seed the "stack" with a starting node.
   stack[count++] = target;
 
-  // Start at the target node and walk the tree to find and delete all the sub-nodes.
+  // Start at the target node and walk the tree to find and delete all the
+  // sub-nodes.
   while (count) {
     auto node = stack[--count];
 
@@ -226,13 +235,13 @@ void SantaPrefixTree::PruneNode(SantaPrefixNode *target) {
   delete[] stack;
 }
 
-SantaPrefixTree::~SantaPrefixTree() {
+SNTPrefixTree::~SNTPrefixTree() {
   lck_rw_lock_exclusive(spt_lock_);
   PruneNode(root_);
   root_ = nullptr;
   lck_rw_unlock_exclusive(spt_lock_);
 
-  #ifdef KERNEL
+#ifdef KERNEL
   if (spt_lock_) {
     lck_rw_free(spt_lock_, spt_lock_grp_);
     spt_lock_ = nullptr;
@@ -242,7 +251,6 @@ SantaPrefixTree::~SantaPrefixTree() {
     lck_mtx_free(spt_add_lock_, spt_lock_grp_);
     spt_add_lock_ = nullptr;
   }
-  #endif
 
   if (spt_lock_attr_) {
     lck_attr_free(spt_lock_attr_);
@@ -258,4 +266,7 @@ SantaPrefixTree::~SantaPrefixTree() {
     lck_grp_attr_free(spt_lock_grp_attr_);
     spt_lock_grp_attr_ = nullptr;
   }
+#else
+  pthread_rwlock_destroy(&spt_lock_);
+#endif
 }

Source/common/SNTPrefixTree.h

@@ -22,16 +22,17 @@
 #include <libkern/locks.h>
 #else
 // Support for unit testing.
-// Requires c++17 / macOS 10.12.
-// TODO(bur): Handle warnings from bumping target version of the tests to 10.12.
-#include <shared_mutex>
-#endif // KERNEL
+#include <pthread.h>
+#include <stdint.h>
+
+#include <mutex>
+#endif  // KERNEL
 
 ///
 ///  SantaPrefixTree is a simple prefix tree implementation.
 ///  Operations are thread safe.
 ///
-class SantaPrefixTree {
+class SNTPrefixTree {
  public:
   // Add a prefix to the tree.
   // Optionally pass node_count to get the number of nodes after the add.
@@ -43,8 +44,8 @@ class SantaPrefixTree {
   // Reset the tree.
   void Reset();
 
-  SantaPrefixTree(uint32_t max_nodes = kDefaultMaxNodes);
-  ~SantaPrefixTree();
+  SNTPrefixTree(uint32_t max_nodes = kDefaultMaxNodes);
+  ~SNTPrefixTree();
 
  private:
   ///
@@ -54,15 +55,17 @@ class SantaPrefixTree {
   ///  It takes 1-4 nodes to represent a UTF-8 encoded Unicode character.
   ///
   ///  The path for "/🤘" would look like this:
-  ///      children[0x2f] -> children[0xf0] -> children[0x9f] -> children[0xa4] -> children[0x98]
+  ///      children[0x2f] -> children[0xf0] -> children[0x9f] -> children[0xa4]
+  ///      -> children[0x98]
   ///
   ///  The path for "/dev" is:
   ///      children[0x2f] -> children[0x64] -> children[0x65] -> children[0x76]
   ///
   ///  Lookups of children are O(1).
   ///
-  ///  Having the nodes represented by a smaller width, such as a nibble (1/2 byte), would
-  ///  drastically decrease the memory footprint but would double required dereferences.
+  ///  Having the nodes represented by a smaller width, such as a nibble (1/2
+  ///  byte), would drastically decrease the memory footprint but would double
+  ///  required dereferences.
   ///
   ///  TODO(bur): Potentially convert this into a full on radix tree.
   ///
@@ -74,8 +77,8 @@ class SantaPrefixTree {
 
   // PruneNode will remove the passed in node from the tree.
   // The passed in node and all subnodes will be deleted.
-  // It is the caller's responsibility to reset the pointer to this node (held by the parent).
-  // If the tree is in use grab the exclusive lock.
+  // It is the caller's responsibility to reset the pointer to this node (held
+  // by the parent). If the tree is in use grab the exclusive lock.
   void PruneNode(SantaPrefixNode *);
 
   SantaPrefixNode *root_;
@@ -85,19 +88,16 @@ class SantaPrefixTree {
   uint32_t max_nodes_;
   uint32_t node_count_;
 
-  #ifdef KERNEL
+#ifdef KERNEL
   lck_grp_t *spt_lock_grp_;
   lck_grp_attr_t *spt_lock_grp_attr_;
   lck_attr_t *spt_lock_attr_;
   lck_rw_t *spt_lock_;
   lck_mtx_t *spt_add_lock_;
-  #else // KERNEL
-  void *spt_lock_grp_;
-  void *spt_lock_grp_attr_;
-  void *spt_lock_attr_;
-  std::shared_mutex *spt_lock_;
+#else   // KERNEL
+  pthread_rwlock_t spt_lock_;
   std::mutex *spt_add_lock_;
-  #endif // KERNEL
+#endif  // KERNEL
 };
 
 #endif /* SANTA__SANTA_DRIVER__SANTAPREFIXTREE_H */

Source/common/SNTPrefixTreeTest.mm

@@ -14,22 +14,22 @@
 
 #import <XCTest/XCTest.h>
 
-#include "Source/santa_driver/SantaPrefixTree.h"
+#include "Source/common/SNTPrefixTree.h"
 
-@interface SantaPrefixTreeTest : XCTestCase
+@interface SNTPrefixTreeTest : XCTestCase
 @end
 
-@implementation SantaPrefixTreeTest
+@implementation SNTPrefixTreeTest
 
 - (void)testAddAndHas {
-  auto t = SantaPrefixTree();
+  auto t = SNTPrefixTree();
   XCTAssertFalse(t.HasPrefix("/private/var/tmp/file1"));
   t.AddPrefix("/private/var/tmp/");
   XCTAssertTrue(t.HasPrefix("/private/var/tmp/file1"));
 }
 
 - (void)testReset {
-  auto t = SantaPrefixTree();
+  auto t = SNTPrefixTree();
   t.AddPrefix("/private/var/tmp/");
   XCTAssertTrue(t.HasPrefix("/private/var/tmp/file1"));
   t.Reset();
@@ -38,33 +38,36 @@
 
 - (void)testThreading {
   uint32_t count = 4096;
-  auto t = new SantaPrefixTree(count * (uint32_t)[NSUUID UUID].UUIDString.length);
+  auto t = new SNTPrefixTree(count * (uint32_t)[NSUUID UUID].UUIDString.length);
 
   NSMutableArray *UUIDs = [NSMutableArray arrayWithCapacity:count];
   for (int i = 0; i < count; ++i) {
     [UUIDs addObject:[NSUUID UUID].UUIDString];
   }
 
+  __block BOOL stop = NO;
+
   // Create a bunch of background noise.
   dispatch_async(dispatch_get_global_queue(0, 0), ^{
-    dispatch_apply(UINT64_MAX, dispatch_get_global_queue(0, 0), ^(size_t i) {
-      t->HasPrefix([UUIDs[i % count] UTF8String]);
-    });
+    for (uint64_t i = 0; i < UINT64_MAX; ++i) {
+      dispatch_async(dispatch_get_global_queue(0, 0), ^{
+        t->HasPrefix([UUIDs[i % count] UTF8String]);
+      });
+      if (stop) return;
+    }
   });
 
   // Fill up the tree.
   dispatch_apply(count, dispatch_get_global_queue(0, 0), ^(size_t i) {
-    if (t->AddPrefix([UUIDs[i] UTF8String]) != kIOReturnSuccess) {
-      XCTFail();
-    }
+    XCTAssertEqual(t->AddPrefix([UUIDs[i] UTF8String]), kIOReturnSuccess);
   });
 
   // Make sure every leaf byte is found.
   dispatch_apply(count, dispatch_get_global_queue(0, 0), ^(size_t i) {
-    if (!t->HasPrefix([UUIDs[i] UTF8String])) {
-      XCTFail();
-    }
+    XCTAssertTrue(t->HasPrefix([UUIDs[i] UTF8String]));
   });
+
+  stop = YES;
 }
 
 @end

Source/common/SNTRule.h

@@ -19,12 +19,12 @@
 ///
 ///  Represents a Rule.
 ///
-@interface SNTRule : NSObject<NSSecureCoding>
+@interface SNTRule : NSObject <NSSecureCoding>
 
 ///
 ///  The hash of the object this rule is for
 ///
-@property(copy) NSString *shasum;
+@property(copy) NSString *identifier;
 
 ///
 ///  The state of this rule
@@ -50,7 +50,7 @@
 ///
 ///  Designated initializer.
 ///
-- (instancetype)initWithShasum:(NSString *)shasum
+- (instancetype)initWithIdentifier:(NSString *)identifier
                          state:(SNTRuleState)state
                           type:(SNTRuleType)type
                      customMsg:(NSString *)customMsg
@@ -59,7 +59,7 @@
 ///
 ///  Initialize with a default timestamp: current time if rule state is transitive, 0 otherwise.
 ///
-- (instancetype)initWithShasum:(NSString *)shasum
+- (instancetype)initWithIdentifier:(NSString *)identifier
                          state:(SNTRuleState)state
                           type:(SNTRuleType)type
                      customMsg:(NSString *)customMsg;

Source/common/SNTRule.m

@@ -14,20 +14,20 @@
 
 #import "Source/common/SNTRule.h"
 
-@interface SNTRule()
+@interface SNTRule ()
 @property(readwrite) NSUInteger timestamp;
 @end
 
 @implementation SNTRule
 
-- (instancetype)initWithShasum:(NSString *)shasum
-                         state:(SNTRuleState)state
-                          type:(SNTRuleType)type
-                     customMsg:(NSString *)customMsg
-                     timestamp:(NSUInteger)timestamp {
+- (instancetype)initWithIdentifier:(NSString *)identifier
+                             state:(SNTRuleState)state
+                              type:(SNTRuleType)type
+                         customMsg:(NSString *)customMsg
+                         timestamp:(NSUInteger)timestamp {
   self = [super init];
   if (self) {
-    _shasum = shasum;
+    _identifier = identifier;
     _state = state;
     _type = type;
     _customMsg = customMsg;
@@ -36,28 +36,24 @@
   return self;
 }
 
-- (instancetype)initWithShasum:(NSString *)shasum
-                         state:(SNTRuleState)state
-                          type:(SNTRuleType)type
-                     customMsg:(NSString *)customMsg {
-  self = [self initWithShasum:shasum
-                        state:state
-                         type:type
-                    customMsg:customMsg
-                    timestamp:0];
+- (instancetype)initWithIdentifier:(NSString *)identifier
+                             state:(SNTRuleState)state
+                              type:(SNTRuleType)type
+                         customMsg:(NSString *)customMsg {
+  self = [self initWithIdentifier:identifier state:state type:type customMsg:customMsg timestamp:0];
   // Initialize timestamp to current time if rule is transitive.
-  if (self && state == SNTRuleStateWhitelistTransitive) {
+  if (self && state == SNTRuleStateAllowTransitive) {
     [self resetTimestamp];
   }
   return self;
 }
 
-
 #pragma mark NSSecureCoding
 
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Wobjc-literal-conversion"
-#define ENCODE(obj, key) if (obj) [coder encodeObject:obj forKey:key]
+#define ENCODE(obj, key) \
+  if (obj) [coder encodeObject:obj forKey:key]
 #define DECODE(cls, key) [decoder decodeObjectOfClass:[cls class] forKey:key]
 
 + (BOOL)supportsSecureCoding {
@@ -65,7 +61,7 @@
 }
 
 - (void)encodeWithCoder:(NSCoder *)coder {
-  ENCODE(self.shasum, @"shasum");
+  ENCODE(self.identifier, @"identifier");
   ENCODE(@(self.state), @"state");
   ENCODE(@(self.type), @"type");
   ENCODE(self.customMsg, @"custommsg");
@@ -75,7 +71,7 @@
 - (instancetype)initWithCoder:(NSCoder *)decoder {
   self = [super init];
   if (self) {
-    _shasum = DECODE(NSString, @"shasum");
+    _identifier = DECODE(NSString, @"identifier");
     _state = [DECODE(NSNumber, @"state") intValue];
     _type = [DECODE(NSNumber, @"type") intValue];
     _customMsg = DECODE(NSString, @"custommsg");
@@ -92,24 +88,25 @@
   if (other == self) return YES;
   if (![other isKindOfClass:[SNTRule class]]) return NO;
   SNTRule *o = other;
-  return ([self.shasum isEqual:o.shasum] && self.state == o.state && self.type == o.type);
+  return ([self.identifier isEqual:o.identifier] && self.state == o.state && self.type == o.type);
 }
 
 - (NSUInteger)hash {
   NSUInteger prime = 31;
   NSUInteger result = 1;
-  result = prime * result + [self.shasum hash];
+  result = prime * result + [self.identifier hash];
   result = prime * result + self.state;
   result = prime * result + self.type;
   return result;
 }
 
 - (NSString *)description {
-  return [NSString stringWithFormat:@"SNTRule: SHA-256: %@, State: %ld, Type: %ld, Timestamp: %lu",
-             self.shasum, self.state, self.type, (unsigned long)self.timestamp];
+  return [NSString
+    stringWithFormat:@"SNTRule: Identifier: %@, State: %ld, Type: %ld, Timestamp: %lu",
+                     self.identifier, self.state, self.type, (unsigned long)self.timestamp];
 }
 
-# pragma mark Last-access Timestamp
+#pragma mark Last-access Timestamp
 
 - (void)resetTimestamp {
   self.timestamp = (NSUInteger)[[NSDate date] timeIntervalSinceReferenceDate];

Source/common/SNTStoredEvent.h

@@ -19,7 +19,7 @@
 ///
 ///  Represents an event stored in the database.
 ///
-@interface SNTStoredEvent : NSObject<NSSecureCoding>
+@interface SNTStoredEvent : NSObject <NSSecureCoding>
 
 ///
 ///  An index for this event, randomly generated during initialization.

Source/common/SNTStoredEvent.m

@@ -21,11 +21,12 @@
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Wobjc-literal-conversion"
 
-#define ENCODE(obj, key) if (obj) [coder encodeObject:obj forKey:key]
+#define ENCODE(obj, key) \
+  if (obj) [coder encodeObject:obj forKey:key]
 #define DECODE(cls, key) [decoder decodeObjectOfClass:[cls class] forKey:key]
-#define DECODEARRAY(cls, key) \
-    [decoder decodeObjectOfClasses:[NSSet setWithObjects:[NSArray class], [cls class], nil] \
-                            forKey:key]
+#define DECODEARRAY(cls, key)                                                             \
+  [decoder decodeObjectOfClasses:[NSSet setWithObjects:[NSArray class], [cls class], nil] \
+                          forKey:key]
 
 + (BOOL)supportsSecureCoding {
   return YES;
@@ -129,7 +130,7 @@
 
 - (NSString *)description {
   return
-      [NSString stringWithFormat:@"SNTStoredEvent[%@] with SHA-256: %@", self.idx, self.fileSHA256];
+    [NSString stringWithFormat:@"SNTStoredEvent[%@] with SHA-256: %@", self.idx, self.fileSHA256];
 }
 
 #pragma clang diagnostic pop

Source/common/SNTStrengthify.h

@@ -12,11 +12,10 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#define STRONGIFY(var) \
-  _Pragma("clang diagnostic push") \
-  _Pragma("clang diagnostic ignored \"-Wshadow\"") \
-  __strong __typeof(var) var = (Weak_##var); \
+#define STRONGIFY(var)                                 \
+  _Pragma("clang diagnostic push")                     \
+      _Pragma("clang diagnostic ignored \"-Wshadow\"") \
+          __strong __typeof(var) var = (Weak_##var);   \
   _Pragma("clang diagnostic pop")
 
-#define WEAKIFY(var) \
-  __weak __typeof(var) Weak_##var = (var);
+#define WEAKIFY(var) __weak __typeof(var) Weak_##var = (var);

Source/common/SNTSystemInfo.m

@@ -17,12 +17,12 @@
 @implementation SNTSystemInfo
 
 + (NSString *)serialNumber {
-  io_service_t platformExpert = IOServiceGetMatchingService(
-      kIOMasterPortDefault, IOServiceMatching("IOPlatformExpertDevice"));
+  io_service_t platformExpert =
+    IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOPlatformExpertDevice"));
   if (!platformExpert) return nil;
 
   NSString *serial = CFBridgingRelease(IORegistryEntryCreateCFProperty(
-      platformExpert, CFSTR(kIOPlatformSerialNumberKey), kCFAllocatorDefault, 0));
+    platformExpert, CFSTR(kIOPlatformSerialNumberKey), kCFAllocatorDefault, 0));
 
   IOObjectRelease(platformExpert);
 
@@ -30,12 +30,12 @@
 }
 
 + (NSString *)hardwareUUID {
-  io_service_t platformExpert = IOServiceGetMatchingService(
-      kIOMasterPortDefault, IOServiceMatching("IOPlatformExpertDevice"));
+  io_service_t platformExpert =
+    IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOPlatformExpertDevice"));
   if (!platformExpert) return nil;
 
   NSString *uuid = CFBridgingRelease(IORegistryEntryCreateCFProperty(
-      platformExpert, CFSTR(kIOPlatformUUIDKey), kCFAllocatorDefault, 0));
+    platformExpert, CFSTR(kIOPlatformUUIDKey), kCFAllocatorDefault, 0));
 
   IOObjectRelease(platformExpert);
 
@@ -63,8 +63,8 @@
 #pragma mark - Internal
 
 + (NSDictionary *)_systemVersionDictionary {
-  return [NSDictionary
-      dictionaryWithContentsOfFile:@"/System/Library/CoreServices/SystemVersion.plist"];
+  return
+    [NSDictionary dictionaryWithContentsOfFile:@"/System/Library/CoreServices/SystemVersion.plist"];
 }
 
 @end

Source/common/SNTXPCBundleServiceInterface.h

@@ -14,6 +14,8 @@
 
 #import <Foundation/Foundation.h>
 
+#import <MOLXPCConnection/MOLXPCConnection.h>
+
 @class SNTStoredEvent;
 
 ///  A block that takes the calculated bundle hash, associated events and hashing time in ms.
@@ -25,7 +27,7 @@ typedef void (^SNTBundleHashBlock)(NSString *, NSArray<SNTStoredEvent *> *, NSNu
 ///
 ///  @param listener The listener to connect back to the SantaGUI.
 ///
-- (void)setBundleNotificationListener:(NSXPCListenerEndpoint *)listener;
+- (void)setNotificationListener:(NSXPCListenerEndpoint *)listener;
 
 ///
 ///  Hash a bundle for an event. The SNTBundleHashBlock will be called with nil parameters if a
@@ -39,6 +41,12 @@ typedef void (^SNTBundleHashBlock)(NSString *, NSArray<SNTStoredEvent *> *, NSNu
 ///
 - (void)hashBundleBinariesForEvent:(SNTStoredEvent *)event reply:(SNTBundleHashBlock)reply;
 
+///
+///  santabundleservice is launched on demand by launchd, call spindown to let santabundleservice
+///  know you are done with it.
+///
+- (void)spindown;
+
 @end
 
 @interface SNTXPCBundleServiceInterface : NSObject
@@ -52,6 +60,12 @@ typedef void (^SNTBundleHashBlock)(NSString *, NSArray<SNTStoredEvent *> *, NSNu
 ///
 ///  Returns the MachService ID for this service.
 ///
-+ (NSString *)serviceId;
++ (NSString *)serviceID;
+
+///
+///  Retrieve a pre-configured MOLXPCConnection for communicating with santabundleservice.
+///  Connections just needs any handlers set and then can be resumed and used.
+///
++ (MOLXPCConnection *)configuredConnection;
 
 @end

Source/common/SNTXPCBundleServiceInterface.m

@@ -22,15 +22,22 @@
   NSXPCInterface *r = [NSXPCInterface interfaceWithProtocol:@protocol(SNTBundleServiceXPC)];
 
   [r setClasses:[NSSet setWithObjects:[NSArray class], [SNTStoredEvent class], nil]
-        forSelector:@selector(hashBundleBinariesForEvent:reply:)
-      argumentIndex:1
-            ofReply:YES];
+      forSelector:@selector(hashBundleBinariesForEvent:reply:)
+    argumentIndex:1
+          ofReply:YES];
 
   return r;
 }
 
-+ (NSString *)serviceId {
-  return @"com.google.santabs";
++ (NSString *)serviceID {
+  return @"com.google.santa.bundleservice";
+}
+
++ (MOLXPCConnection *)configuredConnection {
+  MOLXPCConnection *c = [[MOLXPCConnection alloc] initClientWithName:[self serviceID]
+                                                          privileged:YES];
+  c.remoteInterface = [self bundleServiceInterface];
+  return c;
 }
 
 @end

Source/common/SNTXPCControlInterface.h

@@ -34,6 +34,7 @@
 - (void)databaseRemoveEventsWithIDs:(NSArray *)ids;
 - (void)databaseRuleForBinarySHA256:(NSString *)binarySHA256
                   certificateSHA256:(NSString *)certificateSHA256
+                             teamID:(NSString *)teamID
                               reply:(void (^)(SNTRule *))reply;
 
 ///
@@ -44,10 +45,12 @@
 - (void)setFullSyncLastSuccess:(NSDate *)date reply:(void (^)(void))reply;
 - (void)setRuleSyncLastSuccess:(NSDate *)date reply:(void (^)(void))reply;
 - (void)setSyncCleanRequired:(BOOL)cleanReqd reply:(void (^)(void))reply;
-- (void)setWhitelistPathRegex:(NSString *)pattern reply:(void (^)(void))reply;
-- (void)setBlacklistPathRegex:(NSString *)pattern reply:(void (^)(void))reply;
+- (void)setAllowedPathRegex:(NSString *)pattern reply:(void (^)(void))reply;
+- (void)setBlockedPathRegex:(NSString *)pattern reply:(void (^)(void))reply;
+- (void)setBlockUSBMount:(BOOL)enabled reply:(void (^)(void))reply;
+- (void)setRemountUSBMode:(NSArray *)remountUSBMode reply:(void (^)(void))reply;
 - (void)setEnableBundles:(BOOL)bundlesEnabled reply:(void (^)(void))reply;
-- (void)setEnableTransitiveWhitelisting:(BOOL)enabled reply:(void (^)(void))reply;
+- (void)setEnableTransitiveRules:(BOOL)enabled reply:(void (^)(void))reply;
 
 ///
 ///  Syncd Ops
@@ -57,12 +60,28 @@
 
 @end
 
-@interface SNTXPCControlInterface : SNTXPCUnprivilegedControlInterface
+@interface SNTXPCControlInterface : NSObject
 
 ///
-///  Internal method used to initialize the control interface
+///  Returns the MachService ID for this service.
 ///
++ (NSString *)serviceID;
 
-+ (void)initializeControlInterface:(NSXPCInterface *)r;
+///
+///  Returns the SystemExtension ID for this service.
+///
++ (NSString *)systemExtensionID;
+
+///
+///  Returns an initialized NSXPCInterface for the SNTUnprivilegedDaemonControlXPC protocol.
+///  Ensures any methods that accept custom classes as arguments are set-up before returning
+///
++ (NSXPCInterface *)controlInterface;
+
+///
+///  Retrieve a pre-configured MOLXPCConnection for communicating with santad.
+///  Connections just needs any handlers set and then can be resumed and used.
+///
++ (MOLXPCConnection *)configuredConnection;
 
 @end

Source/common/SNTXPCControlInterface.m

@@ -14,29 +14,42 @@
 
 #import "Source/common/SNTXPCControlInterface.h"
 
+#import <MOLCodesignChecker/MOLCodesignChecker.h>
 #import <MOLXPCConnection/MOLXPCConnection.h>
 
+#import "Source/common/SNTCommonEnums.h"
+#import "Source/common/SNTConfigurator.h"
 #import "Source/common/SNTRule.h"
 #import "Source/common/SNTStoredEvent.h"
 
+NSString *const kBundleID = @"com.google.santa.daemon";
+
 @implementation SNTXPCControlInterface
 
-+ (NSString *)serviceId {
-  return @"SantaXPCControl";
++ (NSString *)serviceID {
+  if ([[SNTConfigurator configurator] enableSystemExtension]) {
+    MOLCodesignChecker *cs = [[MOLCodesignChecker alloc] initWithSelf];
+    // "teamid.com.google.santa.daemon.xpc"
+    NSString *t = cs.signingInformation[@"teamid"];
+    return [NSString stringWithFormat:@"%@.%@.xpc", t, kBundleID];
+  }
+  return kBundleID;
+}
+
++ (NSString *)systemExtensionID {
+  return kBundleID;
 }
 
 + (void)initializeControlInterface:(NSXPCInterface *)r {
-  [super initializeControlInterface:r];
-
   [r setClasses:[NSSet setWithObjects:[NSArray class], [SNTStoredEvent class], nil]
-        forSelector:@selector(databaseEventsPending:)
-      argumentIndex:0
-            ofReply:YES];
+      forSelector:@selector(databaseEventsPending:)
+    argumentIndex:0
+          ofReply:YES];
 
   [r setClasses:[NSSet setWithObjects:[NSArray class], [SNTRule class], nil]
-        forSelector:@selector(databaseRuleAddRules:cleanSlate:reply:)
-      argumentIndex:0
-            ofReply:NO];
+      forSelector:@selector(databaseRuleAddRules:cleanSlate:reply:)
+    argumentIndex:0
+          ofReply:NO];
 }
 
 + (NSXPCInterface *)controlInterface {
@@ -47,7 +60,7 @@
 }
 
 + (MOLXPCConnection *)configuredConnection {
-  MOLXPCConnection *c = [[MOLXPCConnection alloc] initClientWithName:[self serviceId]
+  MOLXPCConnection *c = [[MOLXPCConnection alloc] initClientWithName:[self serviceID]
                                                           privileged:YES];
   c.remoteInterface = [self controlInterface];
   return c;

Source/common/SNTXPCMetricServiceInterface.h

@@ -0,0 +1,50 @@
+/// Copyright 2021 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import <Foundation/Foundation.h>
+
+#import <MOLXPCConnection/MOLXPCConnection.h>
+
+///  Protocol implemented by the metric service and utilized by santad
+///  exporting metrics to a monitoring system.
+@protocol SNTMetricServiceXPC
+
+///
+///  @param metrics The current metric/counter values serialized to an NSDictionary.
+///
+- (void)exportForMonitoring:(NSDictionary *)metrics;
+
+@end
+
+@interface SNTXPCMetricServiceInterface : NSObject
+
+///
+///  Returns an initialized NSXPCInterface for the SNTMetricServiceXPC protocol.
+///  Ensures any methods that accept custom classes as arguments are set-up
+///  before returning.
+///
++ (NSXPCInterface *)metricServiceInterface;
+
+///
+///  Returns the MachService ID for this service.
+///
++ (NSString *)serviceID;
+
+///
+///  Retrieve a pre-configured MOLXPCConnection for communicating with santametricservice.
+///  Connections just needs any handlers set and then can be resumed and used.
+///
++ (MOLXPCConnection *)configuredConnection;
+
+@end

Source/common/SNTXPCMetricServiceInterface.m

@@ -0,0 +1,42 @@
+/// Copyright 2021 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "Source/common/SNTXPCMetricServiceInterface.h"
+
+@implementation SNTXPCMetricServiceInterface
+
++ (NSXPCInterface *)metricServiceInterface {
+  NSXPCInterface *r = [NSXPCInterface interfaceWithProtocol:@protocol(SNTMetricServiceXPC)];
+
+  [r setClasses:[NSSet setWithObjects:[NSDictionary class], [NSArray class], [NSNumber class],
+                                      [NSString class], [NSDate class], nil]
+      forSelector:@selector(exportForMonitoring:)
+    argumentIndex:0
+          ofReply:NO];
+
+  return r;
+}
+
++ (NSString *)serviceID {
+  return @"com.google.santa.metricservice";
+}
+
++ (MOLXPCConnection *)configuredConnection {
+  MOLXPCConnection *c = [[MOLXPCConnection alloc] initClientWithName:[self serviceID]
+                                                          privileged:NO];
+  c.remoteInterface = [self metricServiceInterface];
+  return c;
+}
+
+@end

Source/common/SNTXPCNotifierInterface.h

@@ -24,16 +24,10 @@
 - (void)postBlockNotification:(SNTStoredEvent *)event withCustomMessage:(NSString *)message;
 - (void)postClientModeNotification:(SNTClientMode)clientmode;
 - (void)postRuleSyncNotificationWithCustomMessage:(NSString *)message;
-@end
-
-/// Protocol implemented by SantaGUI and utilized by santabs
-@protocol SNTBundleNotifierXPC
 - (void)updateCountsForEvent:(SNTStoredEvent *)event
                  binaryCount:(uint64_t)binaryCount
                    fileCount:(uint64_t)fileCount
                  hashedCount:(uint64_t)hashedCount;
-
-- (void)setBundleServiceListener:(NSXPCListenerEndpoint *)listener;
 @end
 
 @interface SNTXPCNotifierInterface : NSObject
@@ -44,10 +38,4 @@
 ///
 + (NSXPCInterface *)notifierInterface;
 
-///
-///  @return an initialized NSXPCInterface for the SNTBundleNotifierXPC protocol.
-///  Ensures any methods that accept custom classes as arguments are set-up before returning
-///
-+ (NSXPCInterface *)bundleNotifierInterface;
-
 @end

Source/common/SNTXPCNotifierInterface.m

@@ -20,8 +20,4 @@
   return [NSXPCInterface interfaceWithProtocol:@protocol(SNTNotifierXPC)];
 }
 
-+ (NSXPCInterface *)bundleNotifierInterface {
-  return [NSXPCInterface interfaceWithProtocol:@protocol(SNTBundleNotifierXPC)];
-}
-
 @end

Source/common/SNTXPCSyncServiceInterface.h

@@ -0,0 +1,56 @@
+/// Copyright 2020 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import <Foundation/Foundation.h>
+
+#import <MOLXPCConnection/MOLXPCConnection.h>
+
+#import "Source/common/SNTCommonEnums.h"
+
+@class SNTStoredEvent;
+
+///  A block that reports the number of rules processed.
+///  TODO(bur): Add more details about the sync.
+typedef void (^SNTFullSyncReplyBlock)(NSNumber *rulesProcessed);
+
+///  Protocol implemented by syncservice and utilized by daemon and ctl for communication with a
+///  sync server.
+@protocol SNTSyncServiceXPC
+- (void)postEventsToSyncServer:(NSArray<SNTStoredEvent *> *)events fromBundle:(BOOL)fromBundle;
+- (void)postBundleEventToSyncServer:(SNTStoredEvent *)event
+                              reply:(void (^)(SNTBundleEventAction))reply;
+- (void)isFCMListening:(void (^)(BOOL))reply;
+- (void)performFullSyncWithReply:(SNTFullSyncReplyBlock)reply;
+@end
+
+@interface SNTXPCSyncServiceInterface : NSObject
+
+///
+///  Returns an initialized NSXPCInterface for the SNTSyncServiceXPC protocol.
+///  Ensures any methods that accept custom classes as arguments are set-up before returning.
+///
++ (NSXPCInterface *)syncServiceInterface;
+
+///
+///  Returns the MachService ID for this service.
+///
++ (NSString *)serviceID;
+
+///
+///  Retrieve a pre-configured MOLXPCConnection for communicating with syncservice.
+///  Connections just needs any handlers set and then can be resumed and used.
+///
++ (MOLXPCConnection *)configuredConnection;
+
+@end

Source/common/SNTXPCSyncServiceInterface.m

@@ -0,0 +1,43 @@
+/// Copyright 2020 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "Source/common/SNTXPCSyncServiceInterface.h"
+
+#import "Source/common/SNTStoredEvent.h"
+
+@implementation SNTXPCSyncServiceInterface
+
++ (NSXPCInterface *)syncServiceInterface {
+  NSXPCInterface *r = [NSXPCInterface interfaceWithProtocol:@protocol(SNTSyncServiceXPC)];
+
+  [r setClasses:[NSSet setWithObjects:[NSArray class], [SNTStoredEvent class], nil]
+      forSelector:@selector(postEventsToSyncServer:fromBundle:)
+    argumentIndex:0
+          ofReply:NO];
+
+  return r;
+}
+
++ (NSString *)serviceID {
+  return @"com.google.santa.syncservice";
+}
+
++ (MOLXPCConnection *)configuredConnection {
+  MOLXPCConnection *c = [[MOLXPCConnection alloc] initClientWithName:[self serviceID]
+                                                          privileged:YES];
+  c.remoteInterface = [self syncServiceInterface];
+  return c;
+}
+
+@end

Source/common/SNTXPCSyncdInterface.m

@@ -22,9 +22,9 @@
   NSXPCInterface *r = [NSXPCInterface interfaceWithProtocol:@protocol(SNTSyncdXPC)];
 
   [r setClasses:[NSSet setWithObjects:[NSArray class], [SNTStoredEvent class], nil]
-        forSelector:@selector(postEventsToSyncServer:isFromBundle:)
-      argumentIndex:0
-            ofReply:NO];
+      forSelector:@selector(postEventsToSyncServer:isFromBundle:)
+    argumentIndex:0
+          ofReply:NO];
 
   return r;
 }

Source/common/SNTXPCUnprivilegedControlInterface.h

@@ -17,7 +17,6 @@
 
 #import "Source/common/SNTCommonEnums.h"
 #import "Source/common/SNTKernelCommon.h"
-#import "Source/common/SNTXPCBundleServiceInterface.h"
 
 @class SNTRule;
 @class SNTStoredEvent;
@@ -39,10 +38,8 @@
 ///
 ///  Database ops
 ///
-- (void)databaseRuleCounts:(void (^)(int64_t binary,
-                                     int64_t certificate,
-                                     int64_t compiler,
-                                     int64_t transitive))reply;
+- (void)databaseRuleCounts:(void (^)(int64_t binary, int64_t certificate, int64_t compiler,
+                                     int64_t transitive, int64_t teamID))reply;
 - (void)databaseEventCount:(void (^)(int64_t count))reply;
 
 ///
@@ -60,6 +57,7 @@
 - (void)decisionForFilePath:(NSString *)filePath
                  fileSHA256:(NSString *)fileSHA256
           certificateSHA256:(NSString *)certificateSHA256
+                     teamID:(NSString *)teamID
                       reply:(void (^)(SNTEventState))reply;
 
 ///
@@ -72,13 +70,17 @@
 - (void)ruleSyncLastSuccess:(void (^)(NSDate *))reply;
 - (void)syncCleanRequired:(void (^)(BOOL))reply;
 - (void)enableBundles:(void (^)(BOOL))reply;
-- (void)enableTransitiveWhitelisting:(void (^)(BOOL))reply;
+- (void)enableTransitiveRules:(void (^)(BOOL))reply;
+
+///
+/// Metrics ops
+///
+- (void)metrics:(void (^)(NSDictionary *))reply;
 
 ///
 ///  GUI Ops
 ///
 - (void)setNotificationListener:(NSXPCListenerEndpoint *)listener;
-- (void)setBundleNotificationListener:(NSXPCListenerEndpoint *)listener;
 
 ///
 ///  Syncd Ops
@@ -88,34 +90,21 @@
 ///
 ///  Bundle Ops
 ///
-- (void)hashBundleBinariesForEvent:(SNTStoredEvent *)event reply:(SNTBundleHashBlock)reply;
 - (void)syncBundleEvent:(SNTStoredEvent *)event relatedEvents:(NSArray<SNTStoredEvent *> *)events;
 
 @end
 
 @interface SNTXPCUnprivilegedControlInterface : NSObject
 
-///
-///  Returns the MachService ID for this service.
-///
-+ (NSString *)serviceId;
-
 ///
 ///  Returns an initialized NSXPCInterface for the SNTUnprivilegedDaemonControlXPC protocol.
 ///  Ensures any methods that accept custom classes as arguments are set-up before returning
 ///
 + (NSXPCInterface *)controlInterface;
 
-///
-///  Retrieve a pre-configured MOLXPCConnection for communicating with santad.
-///  Connections just needs any handlers set and then can be resumed and used.
-///
-+ (MOLXPCConnection *)configuredConnection;
-
 ///
 ///  Internal method used to initialize the control interface
 ///
-
 + (void)initializeControlInterface:(NSXPCInterface *)r;
 
 @end

Source/common/SNTXPCUnprivilegedControlInterface.m

@@ -21,34 +21,19 @@
 
 @implementation SNTXPCUnprivilegedControlInterface
 
-+ (NSString *)serviceId {
-  return @"SantaUnprivilegedXPCControl";
-}
-
 + (void)initializeControlInterface:(NSXPCInterface *)r {
   [r setClasses:[NSSet setWithObjects:[NSArray class], [SNTStoredEvent class], nil]
-        forSelector:@selector(hashBundleBinariesForEvent:reply:)
-      argumentIndex:1
-            ofReply:YES];
-
-  [r setClasses:[NSSet setWithObjects:[NSArray class], [SNTStoredEvent class], nil]
-        forSelector:@selector(syncBundleEvent:relatedEvents:)
-      argumentIndex:1
-            ofReply:NO];
+      forSelector:@selector(syncBundleEvent:relatedEvents:)
+    argumentIndex:1
+          ofReply:NO];
 }
 
 + (NSXPCInterface *)controlInterface {
-  NSXPCInterface *r = [NSXPCInterface interfaceWithProtocol:@protocol(SNTUnprivilegedDaemonControlXPC)];
+  NSXPCInterface *r =
+    [NSXPCInterface interfaceWithProtocol:@protocol(SNTUnprivilegedDaemonControlXPC)];
   [self initializeControlInterface:r];
 
   return r;
 }
 
-+ (MOLXPCConnection *)configuredConnection {
-  MOLXPCConnection *c = [[MOLXPCConnection alloc] initClientWithName:[self serviceId]
-                                                          privileged:YES];
-  c.remoteInterface = [self controlInterface];
-  return c;
-}
-
 @end

Source/common/SantaCache.h

@@ -24,20 +24,24 @@
 
 #ifdef KERNEL
 #include <IOKit/IOLib.h>
-#else // KERNEL
+#else  // KERNEL
 // Support for unit testing.
 #include <cstdio>
 #include <cstdlib>
 #include <cstring>
-// TODO(rah): Consider templatizing these.
-#define panic(args...) printf(args); printf("\n"); abort()
+#define panic(args...) \
+  printf(args);        \
+  printf("\n");        \
+  abort()
 #define IOMallocAligned(sz, alignment) malloc(sz);
 #define IOFreeAligned(addr, sz) free(addr)
 #define OSTestAndSet OSAtomicTestAndSet
 #define OSTestAndClear(bit, addr) OSAtomicTestAndClear(bit, addr) == 0
 #define OSIncrementAtomic(addr) OSAtomicIncrement64((volatile int64_t *)addr)
 #define OSDecrementAtomic(addr) OSAtomicDecrement64((volatile int64_t *)addr)
-#endif // KERNEL
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
+#endif  // KERNEL
 
 /**
   A type to specialize to help SantaCache with its hashing.
@@ -45,12 +49,14 @@
   The default works for numeric types with a multiplicative hash
   using a prime near to the golden ratio, per Knuth.
 */
-template<typename T> uint64_t SantaCacheHasher(T const& t) {
-  return t * 11400714819323198549UL;
+template <typename T>
+uint64_t SantaCacheHasher(T const &t) {
+  return (uint64_t)t * 11400714819323198549UL;
 };
 
 /**
-  A somewhat simple, concurrent linked-list hash table intended for use in IOKit kernel extensions.
+  A somewhat simple, concurrent linked-list hash table intended for use in IOKit
+  kernel extensions.
 
   The type used for keys must overload the == operator and a specialization of
   SantaCacheHasher must exist for it.
@@ -61,24 +67,29 @@ template<typename T> uint64_t SantaCacheHasher(T const& t) {
   The number of buckets is calculated as `maximum_size` / `per_bucket`
   rounded up to the next power of 2. Locking is done per-bucket.
 */
-template<typename KeyT, typename ValueT> class SantaCache {
+template <typename KeyT, typename ValueT>
+class SantaCache {
  public:
   /**
     Initialize a newly created cache.
 
     @param maximum_size The maximum number of entries in this cache. Once this
         number is reached all the entries will be purged.
-    @param per_bucket The target number of entries in each bucket when cache is full.
-        A higher number will result in better performance but higher memory usage.
-        Cannot be higher than 64 to try and ensure buckets don't overflow.
+    @param per_bucket The target number of entries in each bucket when cache is
+    full. A higher number will result in better performance but higher memory
+    usage. Cannot be higher than 64 to try and ensure buckets don't overflow.
   */
   SantaCache(uint64_t maximum_size = 10000, uint8_t per_bucket = 5) {
-    if (unlikely(per_bucket > maximum_size)) per_bucket = maximum_size;
+    if (unlikely(per_bucket > maximum_size)) per_bucket = (uint8_t)maximum_size;
     if (unlikely(per_bucket < 1)) per_bucket = 1;
     if (unlikely(per_bucket > 64)) per_bucket = 64;
     max_size_ = maximum_size;
-    bucket_count_ = (1 << (32 - __builtin_clz((((uint32_t)max_size_ / per_bucket) - 1) ?: 1)));
-    buckets_ = (struct bucket *)IOMallocAligned(bucket_count_ * sizeof(struct bucket), 2);
+    bucket_count_ =
+        (1 << (32 -
+               __builtin_clz((((uint32_t)max_size_ / per_bucket) - 1) ?: 1)));
+    if (unlikely(bucket_count_ > UINT32_MAX)) bucket_count_ = UINT32_MAX;
+    buckets_ = (struct bucket *)IOMallocAligned(
+        bucket_count_ * sizeof(struct bucket), 2);
     bzero(buckets_, bucket_count_ * sizeof(struct bucket));
   }
 
@@ -120,7 +131,7 @@ template<typename KeyT, typename ValueT> class SantaCache {
 
     @return true if the value was set.
   */
-  bool set(const KeyT& key, const ValueT& value) {
+  bool set(const KeyT &key, const ValueT &value) {
     return set(key, value, {}, false);
   }
 
@@ -138,16 +149,14 @@ template<typename KeyT, typename ValueT> class SantaCache {
 
     @return true if the value was set
   */
-  bool set(const KeyT& key, const ValueT& value, const ValueT& previous_value) {
+  bool set(const KeyT &key, const ValueT &value, const ValueT &previous_value) {
     return set(key, value, previous_value, true);
   }
 
   /**
     An alias for `set(key, zero_)`
   */
-  inline void remove(const KeyT& key) {
-    set(key, zero_);
-  }
+  inline void remove(const KeyT &key) { set(key, zero_); }
 
   /**
     Remove all entries and free bucket memory.
@@ -181,24 +190,31 @@ template<typename KeyT, typename ValueT> class SantaCache {
   /**
     Return number of entries currently in cache.
   */
-  inline uint64_t count() const {
-    return count_;
-  }
+  inline uint64_t count() const { return count_; }
 
   /**
-    Fill in the per_bucket_counts array with the number of entries in each bucket.
+    Fill in the per_bucket_counts array with the number of entries in each
+    bucket.
 
-    The per_buckets_count array will contain the per-bucket counts, up to the number
-    in array_size. The start_bucket parameter will determine which bucket to start off
-    with and upon return will contain either 0 if no buckets are remaining or the next
-    bucket to begin with when called again.
+    The per_buckets_count array will contain the per-bucket counts, up to the
+    number in array_size. The start_bucket parameter will determine which bucket
+    to start off with and upon return will contain either 0 if no buckets are
+    remaining or the next bucket to begin with when called again.
   */
-  void bucket_counts(uint16_t *per_bucket_counts, uint16_t *array_size, uint64_t *start_bucket) {
-    if (per_bucket_counts == nullptr || array_size == nullptr || start_bucket == nullptr) return;
+  void bucket_counts(uint16_t *per_bucket_counts, uint16_t *array_size,
+                     uint64_t *start_bucket) {
+    if (per_bucket_counts == nullptr || array_size == nullptr ||
+        start_bucket == nullptr)
+      return;
 
     uint64_t start = *start_bucket;
+    if (start >= bucket_count_) {
+      *start_bucket = 0;
+      return;
+    }
+
     uint16_t size = *array_size;
-    if (start + size > bucket_count_) size = bucket_count_ - start;
+    if (start + size > bucket_count_) size = (uint16_t)(bucket_count_ - start);
 
     for (uint16_t i = 0; i < size; ++i) {
       uint16_t count = 0;
@@ -245,8 +261,8 @@ template<typename KeyT, typename ValueT> class SantaCache {
 
     @return true if the entry was set, false if it was not
   */
-  bool set(const KeyT& key, const ValueT& value,
-           const ValueT& previous_value, bool has_prev_value) {
+  bool set(const KeyT &key, const ValueT &value, const ValueT &previous_value,
+           bool has_prev_value) {
     struct bucket *bucket = &buckets_[hash(key)];
     lock(bucket);
     struct entry *entry = (struct entry *)((uintptr_t)bucket->head - 1);
@@ -302,7 +318,8 @@ template<typename KeyT, typename ValueT> class SantaCache {
 
     // Allocate a new entry, set the key and value, then put this new entry at
     // the head of this bucket's linked list.
-    struct entry *new_entry = (struct entry *)IOMallocAligned(sizeof(struct entry), 2);
+    struct entry *new_entry =
+        (struct entry *)IOMallocAligned(sizeof(struct entry), 2);
     bzero(new_entry, sizeof(struct entry));
     new_entry->key = key;
     new_entry->value = value;
@@ -318,7 +335,8 @@ template<typename KeyT, typename ValueT> class SantaCache {
     Lock a bucket. Spins until the lock is acquired.
   */
   inline void lock(struct bucket *bucket) const {
-    while (OSTestAndSet(7, (volatile uint8_t *)&bucket->head));
+    while (OSTestAndSet(7, (volatile uint8_t *)&bucket->head))
+      ;
   }
 
   /**
@@ -357,4 +375,8 @@ template<typename KeyT, typename ValueT> class SantaCache {
   }
 };
 
-#endif // SANTA__SANTA_DRIVER__SANTACACHE_H
+#ifndef KERNEL
+#pragma clang diagnostic pop
+#endif
+
+#endif  // SANTA__SANTA_DRIVER__SANTACACHE_H

Source/common/SantaCacheTest.mm

@@ -18,7 +18,7 @@
 #include <string>
 #include <vector>
 
-#include "Source/santa_driver/SantaCache.h"
+#include "Source/common/SantaCache.h"
 
 @interface SantaCacheTest : XCTestCase
 @end
@@ -102,9 +102,8 @@
 
   // Calculate stdev
   double accum = 0.0;
-  std::for_each(per_bucket.begin(), per_bucket.end(), [&](const double d) {
-    accum += (d - mean) * (d - mean);
-  });
+  std::for_each(per_bucket.begin(), per_bucket.end(),
+                [&](const double d) { accum += (d - mean) * (d - mean); });
   double stddev = sqrt(accum / (per_bucket.size() - 1));
   double maxStdDev = (double)br / 2;
   XCTAssertLessThanOrEqual(stddev, maxStdDev,
@@ -143,13 +142,15 @@
 
     dispatch_group_enter(group);
     dispatch_async(dispatch_get_global_queue(QOS_CLASS_DEFAULT, 0), ^{
-      for (int i = 0; i < 5000; ++i) sut->set(i, 10000-i);
+      for (int i = 0; i < 5000; ++i)
+        sut->set(i, 10000 - i);
       dispatch_group_leave(group);
     });
 
     dispatch_group_enter(group);
     dispatch_async(dispatch_get_global_queue(QOS_CLASS_DEFAULT, 0), ^{
-      for (int i = 5000; i < 10000; ++i) sut->set(i, 10000-i);
+      for (int i = 5000; i < 10000; ++i)
+        sut->set(i, 10000 - i);
       dispatch_group_leave(group);
     });
 
@@ -157,7 +158,8 @@
       XCTFail("Timed out while setting values for test");
     }
 
-    for (int i = 0; i < 10000; ++i) XCTAssertEqual(sut->get(i), 10000 - i);
+    for (int i = 0; i < 10000; ++i)
+      XCTAssertEqual(sut->get(i), 10000 - i);
   }
 
   delete sut;
@@ -193,7 +195,8 @@
   XCTAssertEqual(sut.get(3.1459124), 0);
 }
 
-template<> uint64_t SantaCacheHasher<std::string>(std::string const& s) {
+template <>
+uint64_t SantaCacheHasher<std::string>(std::string const &s) {
   return std::hash<std::string>{}(s);
 }
 
@@ -242,16 +245,17 @@ struct S {
   uint64_t first_val;
   uint64_t second_val;
 
-  bool operator==(const S& rhs) {
+  bool operator==(const S &rhs) {
     return first_val == rhs.first_val && second_val == rhs.second_val;
   }
 };
-template<> uint64_t SantaCacheHasher<S>(S const& s) {
+template <>
+uint64_t SantaCacheHasher<S>(S const &s) {
   return SantaCacheHasher<uint64_t>(s.first_val) ^ (SantaCacheHasher<uint64_t>(s.second_val) << 1);
 }
 
 - (void)testStructKeys {
-  auto sut =  SantaCache<S, uint64_t>(10, 2);
+  auto sut = SantaCache<S, uint64_t>(10, 2);
 
   S s1 = {1024, 2048};
   S s2 = {4096, 8192};
@@ -265,4 +269,22 @@ template<> uint64_t SantaCacheHasher<S>(S const& s) {
   XCTAssertEqual(sut.get(s3), 30);
 }
 
+- (void)testBucketCounts {
+  auto sut = new SantaCache<uint64_t, uint64_t>(UINT16_MAX, 1);
+
+  // These tests verify that the bucket_counts() function can't be abused
+  // with integer {over,under}flow issues in the input or going out-of-bounds
+  // on the buckets array.
+  uint16_t size = 2048;
+  uint64_t start = (UINT64_MAX - 2047);
+  uint16_t per_bucket_counts[2048];
+  sut->bucket_counts(per_bucket_counts, &size, &start);
+  XCTAssertEqual(start, 0, @"Check a high start can't overflow");
+
+  size = UINT16_MAX;
+  start = UINT16_MAX - 1;
+  sut->bucket_counts(per_bucket_counts, &size, &start);
+  XCTAssertEqual(start, 0, @"Check a large size can't overflow");
+}
+
 @end

Source/santa/BUILD

@@ -1,11 +1,11 @@
-licenses(["notice"])  # Apache 2.0
+load("@build_bazel_rules_apple//apple:macos.bzl", "macos_application")
+
+licenses(["notice"])
 
 exports_files([
     "Resources/Images.xcassets/AppIcon.appiconset/santa-hat-icon-256.png",
 ])
 
-load("@build_bazel_rules_apple//apple:macos.bzl", "macos_application")
-
 objc_library(
     name = "SantaGUI_lib",
     srcs = [
@@ -30,10 +30,12 @@ objc_library(
     sdk_frameworks = [
         "IOKit",
         "SecurityInterface",
+        "SystemExtensions",
     ],
     deps = [
         "//Source/common:SNTBlockMessage_SantaGUI",
         "//Source/common:SNTConfigurator",
+        "//Source/common:SNTLogging",
         "//Source/common:SNTXPCControlInterface",
         "//Source/common:SNTXPCNotifierInterface",
         "@MOLCodesignChecker",
@@ -42,13 +44,29 @@ objc_library(
 )
 
 macos_application(
-    name = "SantaGUI",
+    name = "Santa",
+    additional_contents = {
+        "//Source/santactl": "MacOS",
+        "//Source/santabundleservice": "MacOS",
+        "//Source/santametricservice": "MacOS",
+        "//Source/santad:com.google.santa.daemon": "Library/SystemExtensions",
+    },
     app_icons = glob(["Resources/Images.xcassets/**"]),
-    bundle_id = "com.google.SantaGUI",
+    bundle_id = "com.google.santa",
     bundle_name = "Santa",
-    infoplists = ["Resources/SantaGUI-Info.plist"],
+    codesignopts = [
+        "--timestamp",
+        "--force",
+        "--options library,kill,runtime",
+    ],
+    entitlements = "Santa.app.entitlements",
+    infoplists = ["Info.plist"],
     minimum_os_version = "10.9",
+    provisioning_profile = select({
+        "//:ci_build": None,
+        "//conditions:default": "Santa_Dev.provisionprofile",
+    }),
     version = "//:version",
-    visibility = ["//visibility:public"],
+    visibility = ["//:santa_package_group"],
     deps = [":SantaGUI_lib"],
 )

Source/santa/Info.plist

@@ -2,31 +2,31 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-	<key>CFBundleInfoDictionaryVersion</key>
-	<string>6.0</string>
-	<key>CFBundlePackageType</key>
-	<string>APPL</string>
-	<key>NSHumanReadableCopyright</key>
-	<string>Google, Inc.</string>
-	<key>CFBundleIdentifier</key>
-	<string>com.google.SantaGUI</string>
-	<key>CFBundleName</key>
-	<string>Santa</string>
 	<key>CFBundleExecutable</key>
 	<string>Santa</string>
-	<key>CFBundleVersion</key>
-	<string>${SANTA_VERSION}</string>
-	<key>CFBundleShortVersionString</key>
-	<string>${SANTA_VERSION}</string>
-	<key>LSMinimumSystemVersion</key>
-	<string>${MACOSX_VERSION_MIN}</string>
-	<key>LSUIElement</key>
-	<true/>
-	<key>NSPrincipalClass</key>
-	<string>NSApplication</string>
 	<key>CFBundleIconFile</key>
 	<string>AppIcon</string>
 	<key>CFBundleIconName</key>
 	<string>AppIcon</string>
+	<key>CFBundleIdentifier</key>
+	<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
+	<key>CFBundleInfoDictionaryVersion</key>
+	<string>6.0</string>
+	<key>CFBundleName</key>
+	<string>Santa</string>
+	<key>CFBundlePackageType</key>
+	<string>APPL</string>
+	<key>CFBundleShortVersionString</key>
+	<string>$(MARKETING_VERSION)</string>
+	<key>CFBundleVersion</key>
+	<string>$(CURRENT_PROJECT_VERSION)</string>
+	<key>LSMinimumSystemVersion</key>
+	<string>${MACOSX_VERSION_MIN}</string>
+	<key>LSUIElement</key>
+	<true/>
+	<key>NSHumanReadableCopyright</key>
+	<string>Google LLC.</string>
+	<key>NSPrincipalClass</key>
+	<string>NSApplication</string>
 </dict>
 </plist>

Source/santa/Resources/AboutWindow.xib

@@ -7,6 +7,7 @@
     <objects>
         <customObject id="-2" userLabel="File's Owner" customClass="SNTAboutWindowController">
             <connections>
+                <outlet property="aboutTextField" destination="uh6-q0-RzL" id="oGn-hV-wwc"/>
                 <outlet property="moreInfoButton" destination="SRu-Kf-vu5" id="Vj2-9Q-05d"/>
                 <outlet property="window" destination="F0z-JX-Cv5" id="gIp-Ho-8D9"/>
             </connections>
@@ -38,7 +39,7 @@
                         <autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMinY="YES"/>
                         <textFieldCell key="cell" sendsActionOnEndEditing="YES" alignment="center" id="CcT-ul-1eA">
                             <font key="font" metaFont="system"/>
-                            <string key="title">Santa is an application whitelisting system for macOS.
+                            <string key="title">Santa is an application control system for macOS.
 
 There are no user-configurable settings.</string>
                             <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>

Source/santa/Resources/Images.xcassets/Contents.json

@@ -3,4 +3,4 @@
     "version" : 1,
     "author" : "xcode"
   }
-}
+}

Source/santa/SNTAboutWindowController.h

@@ -16,6 +16,7 @@
 
 @interface SNTAboutWindowController : NSWindowController
 
+@property IBOutlet NSTextField *aboutTextField;
 @property IBOutlet NSButton *moreInfoButton;
 
 - (IBAction)openMoreInfoURL:(id)sender;

Source/santa/SNTAboutWindowController.m

@@ -12,7 +12,7 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "Source/SantaGUI/SNTAboutWindowController.h"
+#import "Source/santa/SNTAboutWindowController.h"
 
 #import "Source/common/SNTConfigurator.h"
 
@@ -24,7 +24,12 @@
 
 - (void)loadWindow {
   [super loadWindow];
-  if (![[SNTConfigurator configurator] moreInfoURL]) {
+  SNTConfigurator *config = [SNTConfigurator configurator];
+  NSString *aboutText = [config aboutText];
+  if (aboutText) {
+    [self.aboutTextField setStringValue:aboutText];
+  }
+  if (![config moreInfoURL]) {
     [self.moreInfoButton removeFromSuperview];
   }
 }

Source/santa/SNTAccessibleTextField.m

@@ -12,14 +12,10 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "Source/SantaGUI/SNTAccessibleTextField.h"
+#import "Source/santa/SNTAccessibleTextField.h"
 
 @implementation SNTAccessibleTextField
 
-- (BOOL)accessibilityIsIgnored {
-  return NO;
-}
-
 - (NSString *)accessibilityLabel {
   if (self.toolTip && self.stringValue) {
     return [NSString stringWithFormat:@"%@: %@", self.toolTip, self.stringValue];

Source/santa/SNTAppDelegate.h

@@ -17,5 +17,5 @@
 ///
 /// Initiates and manages the connection to santad
 ///
-@interface SNTAppDelegate : NSObject<NSApplicationDelegate>
+@interface SNTAppDelegate : NSObject <NSApplicationDelegate>
 @end