Sync clean all (#1275)

* WIP Clean syncs now leave non-transitive rules by default

* WIP Get existing tests compiling and passing

* Remove clean all sync server key. Basic tests.

* Add SNTConfiguratorTest, test deprecated key migration

* Revert changes to santactl status output

* Add new preflight response sync type key, lots of tests

* Rework configurator flow a bit so calls cannot be made out of order

* Comment clean sync states. Test all permutations.

* Update docs for new sync keys

* Doc updates as requested in PR

.allstar/binary_artifacts.yaml

@@ -0,0 +1,19 @@
+# Ignore reason: These crafted binaries are used in tests
+ignorePaths:
+- Fuzzing/common/MachOParse_corpus/ret0
+- Source/common/testdata/bad_pagezero
+- Source/common/testdata/missing_pagezero
+- Source/common/testdata/missing_pagezero
+- Source/common/testdata/missing_pagezero
+- Source/common/testdata/32bitplist
+- Source/common/testdata/BundleExample.app/Contents/MacOS/BundleExample
+- Source/common/testdata/DirectoryBundle/Contents/MacOS/DirectoryBundle
+- Source/common/testdata/DirectoryBundle/Contents/Resources/BundleExample.app/Contents/MacOS/BundleExample
+- Source/santad/testdata/binaryrules/badbinary
+- Source/santad/testdata/binaryrules/goodbinary
+- Source/santad/testdata/binaryrules/badcert
+- Source/santad/testdata/binaryrules/banned_teamid_allowed_binary
+- Source/santad/testdata/binaryrules/banned_teamid
+- Source/santad/testdata/binaryrules/goodcert
+- Source/santad/testdata/binaryrules/noop
+- Source/santad/testdata/binaryrules/rules.db

.bazelrc

@@ -1,2 +1,47 @@
 build --apple_generate_dsym --define=apple.propagate_embedded_extra_outputs=yes
-build --host_force_python=PY2
+
+build --copt=-Werror
+build --copt=-Wall
+build --copt=-Wno-error=deprecated-declarations
+# Disable -Wunknown-warning-option because deprecated-non-prototype
+# isn't recognized on older SDKs
+build --copt=-Wno-unknown-warning-option
+build --copt=-Wno-error=deprecated-non-prototype
+build --per_file_copt=.*\.mm\$@-std=c++17
+build --cxxopt=-std=c++17
+build --host_cxxopt=-std=c++17
+
+build --copt=-DSANTA_OPEN_SOURCE=1
+build --cxxopt=-DSANTA_OPEN_SOURCE=1
+
+# Many config options for sanitizers pulled from
+# https://github.com/protocolbuffers/protobuf/blob/main/.bazelrc
+build:san-common --strip=never
+build:san-common --copt="-Wno-macro-redefined"
+build:san-common --copt="-D_FORTIFY_SOURCE=0"
+build:san-common --copt="-O1"
+build:san-common --copt="-fno-omit-frame-pointer"
+
+build:asan --config=san-common
+build:asan --copt="-fsanitize=address"
+build:asan --copt="-DADDRESS_SANITIZER"
+build:asan --linkopt="-fsanitize=address"
+build:asan --test_env="ASAN_OPTIONS=log_path=/tmp/san_out"
+
+build:tsan --config=san-common
+build:tsan --copt="-fsanitize=thread"
+build:tsan --copt="-DTHREAD_SANITIZER=1"
+build:tsan --linkopt="-fsanitize=thread"
+build:tsan --test_env="TSAN_OPTIONS=log_path=/tmp/san_out:halt_on_error=true"
+
+build:ubsan --config=san-common
+build:ubsan --copt="-fsanitize=undefined"
+build:ubsan --copt="-DUNDEFINED_SANITIZER=1"
+build:ubsan --copt="-fno-sanitize=function" --copt="-fno-sanitize=vptr"
+build:ubsan --linkopt="-fsanitize=undefined"
+build:ubsan --test_env="UBSAN_OPTIONS=log_path=/tmp/san_out"
+
+build:fuzz --config=san-common
+build:fuzz --@rules_fuzzing//fuzzing:cc_engine=@rules_fuzzing//fuzzing/engines:libfuzzer
+build:fuzz --@rules_fuzzing//fuzzing:cc_engine_instrumentation=libfuzzer
+build:fuzz --@rules_fuzzing//fuzzing:cc_engine_sanitizer=asan

.bazelversion

@@ -0,0 +1 @@
+6.3.2

.clang-format

@@ -1,18 +1,18 @@
+Language: ObjC
 BasedOnStyle: Google
-Language: Cpp
-Standard: Cpp11
 
-# Disable ColumnLimit because it causes some very weird line breaks.
-# For ObjC the limit is 100
-# For Cpp  the limit is 80
-ColumnLimit: 0
+IndentWidth: 2
+ObjCBlockIndentWidth: 2
+ContinuationIndentWidth: 2
+
+# For ObjC, the line limit is 100
+ColumnLimit: 100
 
 # Allow short case statements to be on a single line
 AllowShortCaseLabelsOnASingleLine: true
 
-# Ban short loops and functions on a single line
 AllowShortLoopsOnASingleLine: false
-AllowShortFunctionsOnASingleLine: false
+AllowShortFunctionsOnASingleLine: Inline
 
 # Allow spaces in NSArray/NSDictionary literals @[ and @{
 SpacesInContainerLiterals: true
@@ -20,3 +20,13 @@ SpacesInContainerLiterals: true
 # For pointers, always put the * next to the variable name.
 DerivePointerAlignment: false
 PointerAlignment: Right
+
+
+---
+Language: Cpp
+Standard: Cpp11
+
+BasedOnStyle: Google
+
+# For C++, the line limit is 80
+ColumnLimit: 80

.github/workflows/check-markdown.yml

@@ -0,0 +1,17 @@
+name: Check Markdown
+
+on:
+  pull_request:
+    paths:
+      - "**.md"
+
+jobs:
+  markdown-check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout Santa"
+        uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # ratchet:actions/checkout@master
+      - name: "Check for deadlinks"
+        uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # ratchet:gaurav-nelson/github-action-markdown-link-check@v1
+      - name: "Check for trailing whitespace and newlines"
+        run: "! git grep -EIn $'[ \t]+$' -- ':(exclude)*.patch'"

.github/workflows/ci.yml

@@ -0,0 +1,51 @@
+name: CI
+on:
+  push:
+    branches:
+      - '*'
+    paths:
+      - 'Source/**'
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'Source/**'
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
+      - name: Run linters
+        run: ./Testing/lint.sh
+  build_userspace:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [macos-11, macos-12, macos-13]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
+      - name: Build Userspace
+        run: bazel build --apple_generate_dsym -c opt :release --define=SANTA_BUILD_TYPE=adhoc
+  unit_tests:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [macos-11, macos-12, macos-13]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
+      - name: Run All Tests
+        run: bazel test :unit_tests --define=SANTA_BUILD_TYPE=adhoc --test_output=errors
+  test_coverage:
+    runs-on: macos-11
+    steps:
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
+      - name: Generate test coverage
+        run: sh ./generate_cov.sh
+      - name: Coveralls
+        uses: coverallsapp/github-action@09b709cf6a16e30b0808ba050c7a6e8a5ef13f8d # ratchet:coverallsapp/github-action@master
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          path-to-lcov: ./bazel-out/_coverage/_coverage_report.dat
+          flag-name: Unit

.github/workflows/continuous.yml

@@ -0,0 +1,13 @@
+name: continuous
+on:
+  schedule:
+    - cron: '0 10 * * *' # Every day at 10:00 UTC
+  workflow_dispatch:  # Allows you to run this workflow manually from the Actions tab
+
+jobs:
+  preqs:
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Checks for flaky tests
+        run: bazel test --test_strategy=exclusive --test_output=errors --runs_per_test 50 -t- :unit_tests --define=SANTA_BUILD_TYPE=adhoc

.github/workflows/e2e.yml

@@ -0,0 +1,49 @@
+name: E2E
+
+on:
+  schedule:
+    - cron: '0 4 * * *' # Every day at 4:00 UTC (not to interfere with fuzzing)
+  workflow_dispatch:
+
+jobs:
+  start_vm:
+    runs-on: e2e-host
+    steps:
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
+      - name: Start VM
+        run: python3 Testing/integration/actions/start_vm.py macOS_14.bundle.tar.gz
+
+  integration:
+    runs-on: e2e-vm
+    env:
+      VM_PASSWORD: ${{ secrets.VM_PASSWORD }}
+    steps:
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
+      - name: Add homebrew to PATH
+        run: echo "/opt/homebrew/bin/" >> $GITHUB_PATH
+      - name: Install configuration profile
+        run: bazel run //Testing/integration:install_profile -- Testing/integration/configs/default.mobileconfig
+      - name: Build, install, and sync santa
+        run: |
+          bazel run :reload --define=SANTA_BUILD_TYPE=adhoc
+          bazel run //Testing/integration:allow_sysex
+      - name: Test config changes
+        run: ./Testing/integration/test_config_changes.sh
+      - name: Build, install, and start moroz
+        run: |
+          bazel build @com_github_groob_moroz//cmd/moroz:moroz
+          cp bazel-bin/external/com_github_groob_moroz/cmd/moroz/moroz_/moroz /tmp/moroz
+          /tmp/moroz -configs="$GITHUB_WORKSPACE/Testing/integration/configs/moroz_default/global.toml" -use-tls=false &
+          sudo santactl sync --debug
+      - name: Run integration test binaries
+        run: |
+          bazel test //Testing/integration:integration_tests
+          sleep 3
+          bazel run //Testing/integration:dismiss_santa_popup || true
+      - name: Test sync server changes
+        run: ./Testing/integration/test_sync_changes.sh
+      - name: Test USB blocking
+        run: ./Testing/integration/test_usb.sh
+      - name: Poweroff
+        if: ${{ always() }}
+        run: sudo shutdown -h +1

.github/workflows/fuzz.yml

@@ -0,0 +1,35 @@
+name: Fuzzing
+
+on:
+  schedule:
+    - cron: '0 6 * * *' # Every day at 6:00 UTC
+  workflow_dispatch:  # Allows you to run this workflow manually from the Actions tab
+
+jobs:
+  start_vm:
+    runs-on: e2e-host
+    steps:
+      - uses: actions/checkout@v3
+      - name: Start VM
+        run: python3 Testing/integration/actions/start_vm.py macOS_13.bundle.tar.gz
+
+  fuzz:
+    runs-on: e2e-vm
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup libfuzzer
+        run: Fuzzing/install_libclang_fuzzer.sh
+      - name: Fuzz
+        run: |
+          for target in $(bazel query 'kind(fuzzing_launcher, //Fuzzing:all)'); do
+            bazel run --config=fuzz $target -- -- -max_len=32768 -runs=1000000 -timeout=5
+          done
+      - name: Upload crashes
+        uses: actions/upload-artifact@v1
+        if: failure()
+        with:
+          name: artifacts
+          path: /tmp/fuzzing/artifacts
+      - name: Poweroff VM
+        if: ${{ always() }}
+        run: sudo shutdown -h +1

.github/workflows/sanitizers.yml

@@ -0,0 +1,30 @@
+name: sanitizers
+on:
+  schedule:
+    - cron: '0 16 * * *'
+  workflow_dispatch:
+
+jobs:
+  test:
+    runs-on: macos-latest
+    strategy:
+      matrix:
+        sanitizer: [asan, tsan, ubsan]
+    steps:
+      - uses: actions/checkout@v3
+      - name: ${{ matrix.sanitizer }}
+        run: |
+          CLANG_VERSION=$(clang --version | head -n 1 | cut -d' ' -f 4)
+          DYLIB_PATH="$(xcode-select -p)/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/${CLANG_VERSION}/lib/darwin/libclang_rt.${{ matrix.sanitizer }}_osx_dynamic.dylib"
+
+          bazel test --config=${{ matrix.sanitizer }} \
+            --test_strategy=exclusive --test_output=all \
+            --test_env=DYLD_INSERT_LIBRARIES=${DYLIB_PATH} \
+            --runs_per_test 5 -t- :unit_tests \
+            --define=SANTA_BUILD_TYPE=adhoc
+      - name: Upload logs
+        uses: actions/upload-artifact@v1
+        if: failure()
+        with:
+          name: logs
+          path: /tmp/san_out*

.gitignore

@@ -1,3 +1,20 @@
 .DS_Store
-default.profraw
+*.profraw
+*.provisionprofile
 bazel-*
+Pods
+Santa.xcodeproj/*
+Santa.xcworkspace/*
+CoverageData/*
+*.tulsiconf-user
+xcuserdata
+tulsigen-*
+*.crt
+*.key
+*.pem
+*.p12
+*.keychain
+*.swp
+compile_commands.json
+.cache/
+.vscode/*

.pylintrc

@@ -0,0 +1,429 @@
+# This Pylint rcfile contains a best-effort configuration to uphold the
+# best-practices and style described in the Google Python style guide:
+#   https://google.github.io/styleguide/pyguide.html
+#
+# Its canonical open-source location is:
+#   https://google.github.io/styleguide/pylintrc
+
+[MASTER]
+
+# Files or directories to be skipped. They should be base names, not paths.
+ignore=third_party
+
+# Files or directories matching the regex patterns are skipped. The regex
+# matches against base names, not paths.
+ignore-patterns=
+
+# Pickle collected data for later comparisons.
+persistent=no
+
+# List of plugins (as comma separated values of python modules names) to load,
+# usually to register additional checkers.
+load-plugins=
+
+# Use multiple processes to speed up Pylint.
+jobs=4
+
+# Allow loading of arbitrary C extensions. Extensions are imported into the
+# active Python interpreter and may run arbitrary code.
+unsafe-load-any-extension=no
+
+
+[MESSAGES CONTROL]
+
+# Only show warnings with the listed confidence levels. Leave empty to show
+# all. Valid levels: HIGH, INFERENCE, INFERENCE_FAILURE, UNDEFINED
+confidence=
+
+# Enable the message, report, category or checker with the given id(s). You can
+# either give multiple identifier separated by comma (,) or put this option
+# multiple time (only on the command line, not in the configuration file where
+# it should appear only once). See also the "--disable" option for examples.
+#enable=
+
+# Disable the message, report, category or checker with the given id(s). You
+# can either give multiple identifiers separated by comma (,) or put this
+# option multiple times (only on the command line, not in the configuration
+# file where it should appear only once).You can also use "--disable=all" to
+# disable everything first and then reenable specific checks. For example, if
+# you want to run only the similarities checker, you can use "--disable=all
+# --enable=similarities". If you want to run only the classes checker, but have
+# no Warning level messages displayed, use"--disable=all --enable=classes
+# --disable=W"
+disable=abstract-method,
+        apply-builtin,
+        arguments-differ,
+        attribute-defined-outside-init,
+        backtick,
+        bad-option-value,
+        basestring-builtin,
+        buffer-builtin,
+        c-extension-no-member,
+        consider-using-enumerate,
+        cmp-builtin,
+        cmp-method,
+        coerce-builtin,
+        coerce-method,
+        delslice-method,
+        div-method,
+        duplicate-code,
+        eq-without-hash,
+        execfile-builtin,
+        file-builtin,
+        filter-builtin-not-iterating,
+        fixme,
+        getslice-method,
+        global-statement,
+        hex-method,
+        idiv-method,
+        implicit-str-concat,
+        import-error,
+        import-self,
+        import-star-module-level,
+        inconsistent-return-statements,
+        input-builtin,
+        intern-builtin,
+        invalid-str-codec,
+        locally-disabled,
+        long-builtin,
+        long-suffix,
+        map-builtin-not-iterating,
+        misplaced-comparison-constant,
+        missing-function-docstring,
+        metaclass-assignment,
+        next-method-called,
+        next-method-defined,
+        no-absolute-import,
+        no-else-break,
+        no-else-continue,
+        no-else-raise,
+        no-else-return,
+        no-init,  # added
+        no-member,
+        no-name-in-module,
+        no-self-use,
+        nonzero-method,
+        oct-method,
+        old-division,
+        old-ne-operator,
+        old-octal-literal,
+        old-raise-syntax,
+        parameter-unpacking,
+        print-statement,
+        raising-string,
+        range-builtin-not-iterating,
+        raw_input-builtin,
+        rdiv-method,
+        reduce-builtin,
+        relative-import,
+        reload-builtin,
+        round-builtin,
+        setslice-method,
+        signature-differs,
+        standarderror-builtin,
+        suppressed-message,
+        sys-max-int,
+        too-few-public-methods,
+        too-many-ancestors,
+        too-many-arguments,
+        too-many-boolean-expressions,
+        too-many-branches,
+        too-many-instance-attributes,
+        too-many-locals,
+        too-many-nested-blocks,
+        too-many-public-methods,
+        too-many-return-statements,
+        too-many-statements,
+        trailing-newlines,
+        unichr-builtin,
+        unicode-builtin,
+        unnecessary-pass,
+        unpacking-in-except,
+        useless-else-on-loop,
+        useless-object-inheritance,
+        useless-suppression,
+        using-cmp-argument,
+        wrong-import-order,
+        xrange-builtin,
+        zip-builtin-not-iterating,
+
+
+[REPORTS]
+
+# Set the output format. Available formats are text, parseable, colorized, msvs
+# (visual studio) and html. You can also give a reporter class, eg
+# mypackage.mymodule.MyReporterClass.
+output-format=text
+
+# Tells whether to display a full report or only the messages
+reports=no
+
+# Python expression which should return a note less than 10 (10 is the highest
+# note). You have access to the variables errors warning, statement which
+# respectively contain the number of errors / warnings messages and the total
+# number of statements analyzed. This is used by the global evaluation report
+# (RP0004).
+evaluation=10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10)
+
+# Template used to display messages. This is a python new-style format string
+# used to format the message information. See doc for all details
+#msg-template=
+
+
+[BASIC]
+
+# Good variable names which should always be accepted, separated by a comma
+good-names=main,_
+
+# Bad variable names which should always be refused, separated by a comma
+bad-names=
+
+# Colon-delimited sets of names that determine each other's naming style when
+# the name regexes allow several styles.
+name-group=
+
+# Include a hint for the correct naming format with invalid-name
+include-naming-hint=no
+
+# List of decorators that produce properties, such as abc.abstractproperty. Add
+# to this list to register other decorators that produce valid properties.
+property-classes=abc.abstractproperty,cached_property.cached_property,cached_property.threaded_cached_property,cached_property.cached_property_with_ttl,cached_property.threaded_cached_property_with_ttl
+
+# Regular expression matching correct function names
+function-rgx=^(?:(?P<exempt>setUp|tearDown|setUpModule|tearDownModule)|(?P<camel_case>_?[A-Z][a-zA-Z0-9]*)|(?P<snake_case>_?[a-z][a-z0-9_]*))$
+
+# Regular expression matching correct variable names
+variable-rgx=^[a-z][a-z0-9_]*$
+
+# Regular expression matching correct constant names
+const-rgx=^(_?[A-Z][A-Z0-9_]*|__[a-z0-9_]+__|_?[a-z][a-z0-9_]*)$
+
+# Regular expression matching correct attribute names
+attr-rgx=^_{0,2}[a-z][a-z0-9_]*$
+
+# Regular expression matching correct argument names
+argument-rgx=^[a-z][a-z0-9_]*$
+
+# Regular expression matching correct class attribute names
+class-attribute-rgx=^(_?[A-Z][A-Z0-9_]*|__[a-z0-9_]+__|_?[a-z][a-z0-9_]*)$
+
+# Regular expression matching correct inline iteration names
+inlinevar-rgx=^[a-z][a-z0-9_]*$
+
+# Regular expression matching correct class names
+class-rgx=^_?[A-Z][a-zA-Z0-9]*$
+
+# Regular expression matching correct module names
+module-rgx=^(_?[a-z][a-z0-9_]*|__init__)$
+
+# Regular expression matching correct method names
+method-rgx=(?x)^(?:(?P<exempt>_[a-z0-9_]+__|runTest|setUp|tearDown|setUpTestCase|tearDownTestCase|setupSelf|tearDownClass|setUpClass|(test|assert)_*[A-Z0-9][a-zA-Z0-9_]*|next)|(?P<camel_case>_{0,2}[A-Z][a-zA-Z0-9_]*)|(?P<snake_case>_{0,2}[a-z][a-z0-9_]*))$
+
+# Regular expression which should only match function or class names that do
+# not require a docstring.
+no-docstring-rgx=(__.*__|main|test.*|.*test|.*Test)$
+
+# Minimum line length for functions/classes that require docstrings, shorter
+# ones are exempt.
+docstring-min-length=10
+
+
+[TYPECHECK]
+
+# List of decorators that produce context managers, such as
+# contextlib.contextmanager. Add to this list to register other decorators that
+# produce valid context managers.
+contextmanager-decorators=contextlib.contextmanager,contextlib2.contextmanager
+
+# Tells whether missing members accessed in mixin class should be ignored. A
+# mixin class is detected if its name ends with "mixin" (case insensitive).
+ignore-mixin-members=yes
+
+# List of module names for which member attributes should not be checked
+# (useful for modules/projects where namespaces are manipulated during runtime
+# and thus existing member attributes cannot be deduced by static analysis. It
+# supports qualified module names, as well as Unix pattern matching.
+ignored-modules=
+
+# List of class names for which member attributes should not be checked (useful
+# for classes with dynamically set attributes). This supports the use of
+# qualified names.
+ignored-classes=optparse.Values,thread._local,_thread._local
+
+# List of members which are set dynamically and missed by pylint inference
+# system, and so shouldn't trigger E1101 when accessed. Python regular
+# expressions are accepted.
+generated-members=
+
+
+[FORMAT]
+
+# Maximum number of characters on a single line.
+max-line-length=80
+
+# TODO(https://github.com/PyCQA/pylint/issues/3352): Direct pylint to exempt
+# lines made too long by directives to pytype.
+
+# Regexp for a line that is allowed to be longer than the limit.
+ignore-long-lines=(?x)(
+  ^\s*(\#\ )?<?https?://\S+>?$|
+  ^\s*(from\s+\S+\s+)?import\s+.+$)
+
+# Allow the body of an if to be on the same line as the test if there is no
+# else.
+single-line-if-stmt=yes
+
+# Maximum number of lines in a module
+max-module-lines=99999
+
+# String used as indentation unit.  The internal Google style guide mandates 2
+# spaces.  Google's externaly-published style guide says 4, consistent with
+# PEP 8.  Here, we use 2 spaces, for conformity with many open-sourced Google
+# projects (like TensorFlow).
+indent-string='  '
+
+# Number of spaces of indent required inside a hanging  or continued line.
+indent-after-paren=4
+
+# Expected format of line ending, e.g. empty (any line ending), LF or CRLF.
+expected-line-ending-format=
+
+
+[MISCELLANEOUS]
+
+# List of note tags to take in consideration, separated by a comma.
+notes=TODO
+
+
+[STRING]
+
+# This flag controls whether inconsistent-quotes generates a warning when the
+# character used as a quote delimiter is used inconsistently within a module.
+check-quote-consistency=yes
+
+
+[VARIABLES]
+
+# Tells whether we should check for unused import in __init__ files.
+init-import=no
+
+# A regular expression matching the name of dummy variables (i.e. expectedly
+# not used).
+dummy-variables-rgx=^\*{0,2}(_$|unused_|dummy_)
+
+# List of additional names supposed to be defined in builtins. Remember that
+# you should avoid to define new builtins when possible.
+additional-builtins=
+
+# List of strings which can identify a callback function by name. A callback
+# name must start or end with one of those strings.
+callbacks=cb_,_cb
+
+# List of qualified module names which can have objects that can redefine
+# builtins.
+redefining-builtins-modules=six,six.moves,past.builtins,future.builtins,functools
+
+
+[LOGGING]
+
+# Logging modules to check that the string format arguments are in logging
+# function parameter format
+logging-modules=logging,absl.logging,tensorflow.io.logging
+
+
+[SIMILARITIES]
+
+# Minimum lines number of a similarity.
+min-similarity-lines=4
+
+# Ignore comments when computing similarities.
+ignore-comments=yes
+
+# Ignore docstrings when computing similarities.
+ignore-docstrings=yes
+
+# Ignore imports when computing similarities.
+ignore-imports=no
+
+
+[SPELLING]
+
+# Spelling dictionary name. Available dictionaries: none. To make it working
+# install python-enchant package.
+spelling-dict=
+
+# List of comma separated words that should not be checked.
+spelling-ignore-words=
+
+# A path to a file that contains private dictionary; one word per line.
+spelling-private-dict-file=
+
+# Tells whether to store unknown words to indicated private dictionary in
+# --spelling-private-dict-file option instead of raising a message.
+spelling-store-unknown-words=no
+
+
+[IMPORTS]
+
+# Deprecated modules which should not be used, separated by a comma
+deprecated-modules=regsub,
+                   TERMIOS,
+                   Bastion,
+                   rexec,
+                   sets
+
+# Create a graph of every (i.e. internal and external) dependencies in the
+# given file (report RP0402 must not be disabled)
+import-graph=
+
+# Create a graph of external dependencies in the given file (report RP0402 must
+# not be disabled)
+ext-import-graph=
+
+# Create a graph of internal dependencies in the given file (report RP0402 must
+# not be disabled)
+int-import-graph=
+
+# Force import order to recognize a module as part of the standard
+# compatibility libraries.
+known-standard-library=
+
+# Force import order to recognize a module as part of a third party library.
+known-third-party=enchant, absl
+
+# Analyse import fallback blocks. This can be used to support both Python 2 and
+# 3 compatible code, which means that the block might have code that exists
+# only in one or another interpreter, leading to false positives when analysed.
+analyse-fallback-blocks=no
+
+
+[CLASSES]
+
+# List of method names used to declare (i.e. assign) instance attributes.
+defining-attr-methods=__init__,
+                      __new__,
+                      setUp
+
+# List of member names, which should be excluded from the protected access
+# warning.
+exclude-protected=_asdict,
+                  _fields,
+                  _replace,
+                  _source,
+                  _make
+
+# List of valid names for the first argument in a class method.
+valid-classmethod-first-arg=cls,
+                            class_
+
+# List of valid names for the first argument in a metaclass class method.
+valid-metaclass-classmethod-first-arg=mcs
+
+
+[EXCEPTIONS]
+
+# Exceptions that will emit a warning when being caught. Defaults to
+# "Exception"
+overgeneral-exceptions=StandardError,
+                       Exception,
+                       BaseException

.travis.yml

@@ -1,14 +0,0 @@
----
-os: osx
-osx_image: xcode10.2
-language: objective-c
-sudo: false
-
-addons:
-  homebrew:
-    taps: bazelbuild/tap
-    packages: bazelbuild/tap/bazel
-
-script:
- - bazel build :release --show_progress_rate_limit=30.0 -c opt --apple_generate_dsym --color=no --verbose_failures --sandbox_debug
- - bazel test :unit_tests --show_progress_rate_limit=30.0 --test_output=errors --color=no --verbose_failures --sandbox_debug

BUILD

@@ -1,18 +1,38 @@
-package(default_visibility = ["//visibility:public"])
-
-licenses(["notice"])  # Apache 2.0
-
-exports_files(["LICENSE"])
-
 load("@build_bazel_rules_apple//apple:versioning.bzl", "apple_bundle_version")
 load("//:helper.bzl", "run_command")
-load("//:version.bzl", "SANTA_VERSION")
+
+package(default_visibility = ["//:santa_package_group"])
+
+licenses(["notice"])
+
+exports_files(["LICENSE"])
 
 # The version label for mac_* rules.
 apple_bundle_version(
     name = "version",
-    build_version = SANTA_VERSION,
-    short_version_string = SANTA_VERSION,
+    build_label_pattern = ".*santa_{release}\\.{build}",
+    build_version = "{release}.{build}",
+    capture_groups = {
+        "release": "\\d{4}\\.\\d+",
+        "build": "\\d+",
+    },
+    fallback_build_label = "santa_9999.1.1",
+    short_version_string = "{release}",
+)
+
+# Used to detect release builds
+config_setting(
+    name = "release_build",
+    values = {"define": "SANTA_BUILD_TYPE=release"},
+    visibility = [":santa_package_group"],
+)
+
+# Adhoc signed - provisioning profiles are not used.
+# Used for CI runs and dev builds when SIP is disabled.
+config_setting(
+    name = "adhoc_build",
+    values = {"define": "SANTA_BUILD_TYPE=adhoc"},
+    visibility = [":santa_package_group"],
 )
 
 # Used to detect optimized builds
@@ -21,6 +41,11 @@ config_setting(
     values = {"compilation_mode": "opt"},
 )
 
+package_group(
+    name = "santa_package_group",
+    packages = ["//..."],
+)
+
 ################################################################################
 # Loading/Unloading/Reloading
 ################################################################################
@@ -28,8 +53,10 @@ run_command(
     name = "unload",
     cmd = """
 sudo launchctl unload /Library/LaunchDaemons/com.google.santad.plist 2>/dev/null
-sudo kextunload -b com.google.santa-driver 2>/dev/null
-launchctl unload /Library/LaunchAgents/com.google.santagui.plist 2>/dev/null
+sudo launchctl unload /Library/LaunchDaemons/com.google.santa.bundleservice.plist 2>/dev/null
+sudo launchctl unload /Library/LaunchDaemons/com.google.santa.metricservice.plist 2>/dev/null
+sudo launchctl unload /Library/LaunchDaemons/com.google.santa.syncservice.plist 2>/dev/null
+launchctl unload /Library/LaunchAgents/com.google.santa.plist 2>/dev/null
 """,
 )
 
@@ -37,19 +64,24 @@ run_command(
     name = "load",
     cmd = """
 sudo launchctl load /Library/LaunchDaemons/com.google.santad.plist
-launchctl load /Library/LaunchAgents/com.google.santagui.plist
+sudo launchctl load /Library/LaunchDaemons/com.google.santa.bundleservice.plist
+sudo launchctl load /Library/LaunchDaemons/com.google.santa.metricservice.plist
+sudo launchctl load /Library/LaunchDaemons/com.google.santa.syncservice.plist
+launchctl load /Library/LaunchAgents/com.google.santa.plist
 """,
 )
 
 run_command(
     name = "reload",
-    srcs = ["//Source/santa_driver"],
+    srcs = [
+        "//Source/gui:Santa",
+    ],
     cmd = """
 set -e
 
 rm -rf /tmp/bazel_santa_reload
 unzip -d /tmp/bazel_santa_reload \
-    $${BUILD_WORKSPACE_DIRECTORY}/bazel-bin/Source/santa_driver/santa_driver.zip >/dev/null
+    $${BUILD_WORKSPACE_DIRECTORY}/bazel-out/*$(COMPILATION_MODE)*/bin/Source/gui/Santa.zip >/dev/null
 echo "You may be asked for your password for sudo"
 sudo BINARIES=/tmp/bazel_santa_reload CONF=$${BUILD_WORKSPACE_DIRECTORY}/Conf \
     $${BUILD_WORKSPACE_DIRECTORY}/Conf/install.sh
@@ -64,27 +96,31 @@ echo "Time to stop being naughty"
 genrule(
     name = "release",
     srcs = [
-        "//Source/santa_driver",
+        "//Source/gui:Santa",
         "Conf/install.sh",
         "Conf/uninstall.sh",
+        "Conf/com.google.santa.bundleservice.plist",
+        "Conf/com.google.santa.metricservice.plist",
+        "Conf/com.google.santa.syncservice.plist",
         "Conf/com.google.santad.plist",
-        "Conf/com.google.santagui.plist",
-        "Conf/com.google.santa.asl.conf",
+        "Conf/com.google.santa.plist",
         "Conf/com.google.santa.newsyslog.conf",
-        "Conf/Package/Makefile",
+        "Conf/Package/Distribution.xml",
+        "Conf/Package/notarization_tool.sh",
+        "Conf/Package/package_and_sign.sh",
         "Conf/Package/postinstall",
         "Conf/Package/preinstall",
     ],
-    outs = ["santa-" + SANTA_VERSION + ".tar.gz"],
+    outs = ["santa-release.tar.gz"],
     cmd = select({
         "//conditions:default": """
         echo "ERROR: Trying to create a release tarball without optimization."
         echo "Please add '-c opt' flag to bazel invocation"
         """,
         ":opt_build": """
-      # Extract santa_driver.zip
+      # Extract Santa.zip
       for SRC in $(SRCS); do
-        if [[ $$(basename $${SRC}) == "santa_driver.zip" ]]; then
+        if [ "$$(basename $${SRC})" == "Santa.zip" ]; then
           mkdir -p $(@D)/binaries
           unzip -q $${SRC} -d $(@D)/binaries >/dev/null
         fi
@@ -92,19 +128,15 @@ genrule(
 
       # Copy config files
       for SRC in $(SRCS); do
-        if [[ "$$(dirname $${SRC})" == *"Conf" ]]; then
+        if [[ "$$(dirname $${SRC})" == *"Conf"* ]]; then
           mkdir -p $(@D)/conf
-          cp $${SRC} $(@D)/conf/
+          cp -H $${SRC} $(@D)/conf/
         fi
       done
 
       # Gather together the dSYMs. Throw an error if no dSYMs were found
       for SRC in $(SRCS); do
         case $${SRC} in
-          *santa-driver.kext.dSYM*Info.plist)
-            mkdir -p $(@D)/dsym
-            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santa-driver.kext.dSYM
-            ;;
           *santad.dSYM*Info.plist)
             mkdir -p $(@D)/dsym
             cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santad.dSYM
@@ -113,14 +145,26 @@ genrule(
             mkdir -p $(@D)/dsym
             cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santactl.dSYM
             ;;
-          *santabs.xpc.dSYM*Info.plist)
+          *santabundleservice.dSYM*Info.plist)
             mkdir -p $(@D)/dsym
-            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santabs.xpc.dSYM
+            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santabundleservice.dSYM
+            ;;
+          *santametricservice.dSYM*Info.plist)
+            mkdir -p $(@D)/dsym
+            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santametricservice.dSYM
+            ;;
+          *santasyncservice.dSYM*Info.plist)
+            mkdir -p $(@D)/dsym
+            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santasyncservice.dSYM
             ;;
           *Santa.app.dSYM*Info.plist)
             mkdir -p $(@D)/dsym
             cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/Santa.app.dSYM
             ;;
+          *com.google.santa.daemon.systemextension.dSYM*Info.plist)
+            mkdir -p $(@D)/dsym
+            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/com.google.santa.daemon.systemextension.dSYM
+            ;;
         esac
       done
 
@@ -134,7 +178,7 @@ genrule(
       # Update all the timestamps to now. Bazel avoids timestamps to allow
       # builds to be hermetic and cacheable but for releases we want the
       # timestamps to be more-or-less correct.
-      find $(@D)/{binaries,conf,dsym} -exec touch {} \;
+      find $(@D)/{binaries,conf,dsym} -exec touch {} \\;
 
       # Create final output tar
       tar -C $(@D) -czpf $(@) binaries dsym conf
@@ -146,13 +190,11 @@ genrule(
 test_suite(
     name = "unit_tests",
     tests = [
-        "//Source/common:SNTFileInfoTest",
-        "//Source/santa_driver:SantaCacheTest",
-        "//Source/santa_driver:SantaPrefixTreeTest",
-        "//Source/santactl:SNTCommandFileInfoTest",
-        "//Source/santactl:SNTCommandSyncTest",
-        "//Source/santad:SNTEventTableTest",
-        "//Source/santad:SNTExecutionControllerTest",
-        "//Source/santad:SNTRuleTableTest",
+        "//Source/common:unit_tests",
+        "//Source/gui:unit_tests",
+        "//Source/santactl:unit_tests",
+        "//Source/santad:unit_tests",
+        "//Source/santametricservice:unit_tests",
+        "//Source/santasyncservice:unit_tests",
     ],
 )

CODEOWNERS

@@ -0,0 +1 @@
+* @google/macendpoints

CONTRIBUTING.md

@@ -1,37 +0,0 @@
-Want to contribute? Great! First, read this page (including the small print at the end).
-
-### Before you contribute
-Before we can use your code, you must sign the
-[Google Individual Contributor License Agreement](https://developers.google.com/open-source/cla/individual)
-(CLA), which you can do online. The CLA is necessary mainly because you own the
-copyright to your changes, even after your contribution becomes part of our
-codebase, so we need your permission to use and distribute your code. We also
-need to be sure of various other things—for instance that you'll tell us if you
-know that your code infringes on other people's patents. You don't have to sign
-the CLA until after you've submitted your code for review and a member has
-approved it, but you must do it before we can put your code into our codebase.
-
-Before you start working on a larger contribution, you should get in touch with
-us first through the [issue tracker](https://github.com/google/santa/issues)
-with your idea so that we can help out and possibly guide you. Coordinating up 
-front makes it much easier to avoid frustration later on.
-
-### Code reviews
-All submissions, including submissions by project members, require review. We
-use GitHub pull requests for this purpose. It's also a good idea to run the
-tests beforehand, which you can do with the following commands:
-
-```sh
-rake tests:logic
-rake tests:kernel  # only necessary if you're changing the kext code
-```
-### Code Style
-
-All code submissions should try to match the surrounding code.  Wherever possible,
-code should adhere to either the
-[Google Objective-C Style Guide](https://google.github.io/styleguide/objcguide.xml)
-or the [Google C++ Style Guide](https://google.github.io/styleguide/cppguide.html).
-
-### The small print
-Contributions made by corporations are covered by a different agreement than
-the one above, the [Software Grant and Corporate Contributor License Agreement](https://developers.google.com/open-source/cla/corporate).

CONTRIBUTING.md

@@ -0,0 +1 @@
+docs/development/contributing.md

Conf/Package/Distribution.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<installer-gui-script minSpecVersion="1">
+<title>Santa</title>
+<options customize="never" allow-external-scripts="no" hostArchitectures="x86_64,arm64" />
+
+<choices-outline>
+	<line choice="default" />
+</choices-outline>
+
+<choice id="default">
+    <pkg-ref id="com.google.santa"/>
+</choice>
+
+<pkg-ref id="com.google.santa">app.pkg</pkg-ref>
+
+</installer-gui-script>

Conf/Package/Makefile

@@ -1,95 +0,0 @@
-#
-#  Package Makefile for Santa
-#  Requires TheLuggage (github.com/unixorn/luggage) to be installed
-#
-#  Will generate a package based on the latest release. You can replace
-#  the PACKAGE_VERSION variable with a specific variable instead if you wish.
-#
-
-LUGGAGE:=/usr/local/share/luggage/luggage.make
-include ${LUGGAGE}
-
-TITLE:=santa
-REVERSE_DOMAIN:=com.google
-
-# Get latest Release version using the GitHub API. Each release is bound to a
-# git tag, which should always be a semantic version number. The most recent
-# release is always first in the API result.
-PACKAGE_VERSION:=$(shell curl -fs https://api.github.com/repos/google/santa/releases |\
-	python -c 'import json, sys; print json.load(sys.stdin)[0]["tag_name"]' 2>/dev/null)
-
-# Get the download URL for the latest Release. Each release should have a
-# tarball named santa-$version.tar.bz2 containing all of the files associated
-# with that release. The tarball layout is:
-#
-#   santa-$version.tar.bz2
-#   +--santa-$version
-#         |-- binaries
-#         |    |-- santa-driver.kext
-#         |    |-- Santa.app
-#         |-- conf
-#         |    |-- install.sh
-#         |    |-- com.google.santad.plist
-#         |    |-- com.google.santagui.plist
-#         |    +-- com.google.santa.asl.conf
-#         |    +-- com.google.santa.newsyslog.conf
-#         +--dsym
-#              |-- santa-driver.kext.dSYM
-#              |-- Santa.app.dSYM
-#              |-- santad.dSYM
-#              +-- santactl.dSYM
-PACKAGE_DOWNLOAD_URL:="https://github.com/google/santa/releases/download/${PACKAGE_VERSION}/santa-${PACKAGE_VERSION}.tar.bz2"
-
-PAYLOAD:=pack-Library-Extensions-santa-driver.kext \
-	pack-applications-Santa.app \
-	pack-Library-LaunchDaemons-com.google.santad.plist \
-	pack-Library-LaunchAgents-com.google.santagui.plist \
-	pack-etc-asl-com.google.santa.asl.conf \
-	pack-etc-newsyslog.d-com.google.santa.newsyslog.conf \
-	pack-script-preinstall \
-	pack-script-postinstall
-
-santa-driver.kext: download
-Santa.app: download
-com.google.santad.plist: download
-com.google.santagui.plist: download
-com.google.santa.asl.conf: download
-com.google.santa.newsyslog.conf: download
-
-download:
-	$(if $(PACKAGE_VERSION),, $(error GitHub API returned unexpected result. Wait a while and try again))
-
-	@curl -fL ${PACKAGE_DOWNLOAD_URL} | tar xvj --strip=2
-	@rm -rf *.dSYM
-
-pack-etc-asl-com.google.santa.asl.conf: com.google.santa.asl.conf l_private_etc
-	@sudo mkdir -p ${WORK_D}/private/etc/asl
-	@sudo chown root:wheel ${WORK_D}/private/etc/asl
-	@sudo chmod 755 ${WORK_D}/private/etc/asl
-	@sudo install -m 644 -o root -g wheel com.google.santa.asl.conf ${WORK_D}/private/etc/asl
-
-pack-etc-newsyslog.d-com.google.santa.newsyslog.conf: com.google.santa.newsyslog.conf l_private_etc
-	@sudo mkdir -p ${WORK_D}/private/etc/newsyslog.d
-	@sudo chown root:wheel ${WORK_D}/private/etc/newsyslog.d
-	@sudo chmod 755 ${WORK_D}/private/etc/newsyslog.d
-	@sudo install -m 644 -o root -g wheel com.google.santa.newsyslog.conf ${WORK_D}/private/etc/newsyslog.d
-
-pack-Library-Extensions-santa-driver.kext: santa-driver.kext l_Library
-	@sudo mkdir -p ${WORK_D}/Library/Extensions
-	@sudo ${DITTO} --noqtn santa-driver.kext ${WORK_D}/Library/Extensions/santa-driver.kext
-	@sudo chown -R root:wheel ${WORK_D}/Library/Extensions/santa-driver.kext
-	@sudo chmod -R 755 ${WORK_D}/Library/Extensions/santa-driver.kext
-
-clean: myclean
-
-myclean:
-	@rm -rf *.dSYM
-	@rm -rf Santa.app
-	@rm -rf santa-driver.kext
-	@rm -f config.plist
-	@rm -f com.google.santa.asl.conf
-	@rm -f com.google.santa.newsyslog.conf
-	@rm -f com.google.santad.plist
-	@rm -f com.google.santagui.plist
-	@rm -f install.sh
-	@rm -f uninstall.sh

Conf/Package/notarization_tool.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# Example NOTARIZATION_TOOL wrapper.
+
+/usr/bin/xcrun notarytool submit "${2}" --wait \
+  --apple-id "${NOTARIZATION_USERNAME}" --password "${NOTARIZATION_PASSWORD}"

Conf/Package/package_and_sign.sh

@@ -0,0 +1,182 @@
+#!/bin/bash
+
+# This script signs all of Santa's components, verifies the signatures,
+# notarizes all of the components, staples them, packages them up, signs the
+# package, notarizes the package, puts the package in a DMG and notarizes the
+# DMG. It also outputs a single release tarball.
+# All of the following environment variables are required.
+
+# RELEASE_ROOT is a required environment variable that points to the root
+# of an extracted release tarball produced with the :release and :release_driver
+# rules in Santa's main BUILD file.
+[[ -n "${RELEASE_ROOT}" ]] || die "RELEASE_ROOT unset"
+
+# SIGNING_IDENTITY, SIGNING_TEAMID and SIGNING_KEYCHAIN are required environment
+# variables specifying the identity and keychain to pass to the codesign tool
+# and the team ID to use for verification.
+[[ -n "${SIGNING_IDENTITY}" ]] || die "SIGNING_IDENTITY unset"
+[[ -n "${SIGNING_TEAMID}" ]] || die "SIGNING_TEAMID unset"
+[[ -n "${SIGNING_KEYCHAIN}" ]] || die "SIGNING_KEYCHAIN unset"
+
+# INSTALLER_SIGNING_IDENTITY and INSTALLER_SIGNING_KEYCHAIN are required
+# environment variables specifying the identity and keychain to use when signing
+# the distribution package.
+[[ -n "${INSTALLER_SIGNING_IDENTITY}" ]] || die "INSTALLER_SIGNING_IDENTITY unset"
+[[ -n "${INSTALLER_SIGNING_KEYCHAIN}" ]] || die "INSTALLER_SIGNING_KEYCHAIN unset"
+
+# NOTARIZATION_TOOL is a required environment variable pointing to a wrapper
+# tool around the tool to use for notarization. The tool must take 2 flags:
+#    --file
+#        - pointing at a zip file containing the artifact to notarize
+[[ -n "${NOTARIZATION_TOOL}" ]] || die "NOTARIZATION_TOOL unset"
+
+# ARTIFACTS_DIR is a required environment variable pointing at a directory to
+# place the output artifacts in.
+[[ -n "${ARTIFACTS_DIR}" ]] || die "ARTIFACTS_DIR unset"
+
+################################################################################
+
+function die {
+  echo "${@}"
+  exit 2
+}
+
+readonly INPUT_APP="${RELEASE_ROOT}/binaries/Santa.app"
+readonly INPUT_SYSX="${INPUT_APP}/Contents/Library/SystemExtensions/com.google.santa.daemon.systemextension"
+readonly INPUT_SANTACTL="${INPUT_APP}/Contents/MacOS/santactl"
+readonly INPUT_SANTABS="${INPUT_APP}/Contents/MacOS/santabundleservice"
+readonly INPUT_SANTAMS="${INPUT_APP}/Contents/MacOS/santametricservice"
+readonly INPUT_SANTASS="${INPUT_APP}/Contents/MacOS/santasyncservice"
+
+readonly RELEASE_NAME="santa-$(/usr/bin/defaults read "${INPUT_APP}/Contents/Info.plist" CFBundleShortVersionString)"
+
+readonly SCRATCH=$(/usr/bin/mktemp -d "${TMPDIR}/santa-"XXXXXX)
+readonly APP_PKG_ROOT="${SCRATCH}/app_pkg_root"
+readonly APP_PKG_SCRIPTS="${SCRATCH}/pkg_scripts"
+readonly ENTITLEMENTS="${SCRATCH}/entitlements"
+
+readonly SCRIPT_PATH="$(/usr/bin/dirname -- ${BASH_SOURCE[0]})"
+
+/bin/mkdir -p "${APP_PKG_ROOT}" "${APP_PKG_SCRIPTS}" "${ENTITLEMENTS}"
+
+readonly DMG_PATH="${ARTIFACTS_DIR}/${RELEASE_NAME}.dmg"
+readonly TAR_PATH="${ARTIFACTS_DIR}/${RELEASE_NAME}.tar.gz"
+
+# Sign all of binaries/bundles. Maintain inside-out ordering where necessary
+for ARTIFACT in "${INPUT_SANTACTL}" "${INPUT_SANTABS}" "${INPUT_SANTAMS}" "${INPUT_SANTASS}" "${INPUT_SYSX}" "${INPUT_APP}"; do
+  BN=$(/usr/bin/basename "${ARTIFACT}")
+  EN="${ENTITLEMENTS}/${BN}.entitlements"
+
+  echo "extracting ${BN} entitlements"
+  /usr/bin/codesign -d --entitlements "${EN}" "${ARTIFACT}"
+  if [[ -s "${EN}" ]]; then
+    EN="--entitlements ${EN}"
+  else
+    EN=""
+  fi
+
+  echo "codesigning ${BN}"
+  /usr/bin/codesign --sign "${SIGNING_IDENTITY}" --keychain "${SIGNING_KEYCHAIN}" \
+        ${EN} --timestamp --force --generate-entitlement-der \
+        --options library,kill,runtime "${ARTIFACT}"
+done
+
+# Notarize all the bundles
+for ARTIFACT in "${INPUT_SYSX}" "${INPUT_APP}"; do
+  BN=$(/usr/bin/basename "${ARTIFACT}")
+
+  echo "zipping ${BN}"
+  /usr/bin/zip -9r "${SCRATCH}/${BN}.zip" "${ARTIFACT}"
+
+  echo "notarizing ${BN}"
+  PBID=$(/usr/bin/defaults read "${ARTIFACT}/Contents/Info.plist" CFBundleIdentifier)
+  "${NOTARIZATION_TOOL}" --file "${SCRATCH}/${BN}.zip"
+done
+
+# Staple the App.
+for ARTIFACT in "${INPUT_APP}"; do
+  BN=$(/usr/bin/basename "${ARTIFACT}")
+
+  echo "stapling ${BN}"
+  /usr/bin/xcrun stapler staple "${ARTIFACT}"
+done
+
+# Ensure _CodeSignature/CodeResources files have 0644 permissions so they can
+# be verified without using sudo.
+/usr/bin/find "${RELEASE_ROOT}/binaries" -type f -name CodeResources -exec chmod 0644 {} \;
+/usr/bin/find "${RELEASE_ROOT}/binaries" -type d -exec chmod 0755 {} \;
+/usr/bin/find "${RELEASE_ROOT}/conf" -type f -name "com.google.santa*" -exec chmod 0644 {} \;
+
+echo "verifying signatures"
+/usr/bin/codesign -vv -R="certificate leaf[subject.OU] = ${SIGNING_TEAMID}" \
+  "${RELEASE_ROOT}/binaries/"* || die "bad signature"
+
+echo "creating fresh release tarball"
+/bin/mkdir -p "${SCRATCH}/tar_root/${RELEASE_NAME}"
+/bin/cp -r "${RELEASE_ROOT}/binaries" "${SCRATCH}/tar_root/${RELEASE_NAME}"
+/bin/cp -r "${RELEASE_ROOT}/conf" "${SCRATCH}/tar_root/${RELEASE_NAME}"
+/bin/cp -r "${RELEASE_ROOT}/dsym" "${SCRATCH}/tar_root/${RELEASE_NAME}"
+/usr/bin/tar -C "${SCRATCH}/tar_root" -czvf "${TAR_PATH}" "${RELEASE_NAME}" || die "failed to create release tarball"
+
+echo "creating app pkg"
+/bin/mkdir -p "${APP_PKG_ROOT}/Applications" \
+  "${APP_PKG_ROOT}/Library/LaunchAgents" \
+  "${APP_PKG_ROOT}/Library/LaunchDaemons" \
+  "${APP_PKG_ROOT}/private/etc/asl" \
+  "${APP_PKG_ROOT}/private/etc/newsyslog.d"
+/bin/cp -vXR "${RELEASE_ROOT}/binaries/Santa.app" "${APP_PKG_ROOT}/Applications/"
+/bin/cp -vX "${RELEASE_ROOT}/conf/com.google.santad.plist" "${APP_PKG_ROOT}/Library/LaunchDaemons/"
+/bin/cp -vX "${RELEASE_ROOT}/conf/com.google.santa.plist" "${APP_PKG_ROOT}/Library/LaunchAgents/"
+/bin/cp -vX "${RELEASE_ROOT}/conf/com.google.santa.bundleservice.plist" "${APP_PKG_ROOT}/Library/LaunchDaemons/"
+/bin/cp -vX "${RELEASE_ROOT}/conf/com.google.santa.metricservice.plist" "${APP_PKG_ROOT}/Library/LaunchDaemons/"
+/bin/cp -vX "${RELEASE_ROOT}/conf/com.google.santa.syncservice.plist" "${APP_PKG_ROOT}/Library/LaunchDaemons/"
+/bin/cp -vX "${RELEASE_ROOT}/conf/com.google.santa.asl.conf" "${APP_PKG_ROOT}/private/etc/asl/"
+/bin/cp -vX "${RELEASE_ROOT}/conf/com.google.santa.newsyslog.conf" "${APP_PKG_ROOT}/private/etc/newsyslog.d/"
+/bin/cp -vXL "${SCRIPT_PATH}/preinstall" "${APP_PKG_SCRIPTS}/"
+/bin/cp -vXL "${SCRIPT_PATH}/postinstall" "${APP_PKG_SCRIPTS}/"
+/bin/chmod +x "${APP_PKG_SCRIPTS}/"*
+
+# Disable bundle relocation.
+/usr/bin/pkgbuild --analyze --root "${APP_PKG_ROOT}" "${SCRATCH}/component.plist"
+/usr/bin/plutil -replace BundleIsRelocatable -bool NO "${SCRATCH}/component.plist"
+/usr/bin/plutil -replace BundleIsVersionChecked -bool NO "${SCRATCH}/component.plist"
+/usr/bin/plutil -replace BundleOverwriteAction -string upgrade "${SCRATCH}/component.plist"
+/usr/bin/plutil -replace ChildBundles -json "[]" "${SCRATCH}/component.plist"
+
+# Build app package
+/usr/bin/pkgbuild --identifier "com.google.santa" \
+  --version "$(echo "${RELEASE_NAME}" | cut -d - -f2)" \
+  --root "${APP_PKG_ROOT}" \
+  --component-plist "${SCRATCH}/component.plist" \
+  --scripts "${APP_PKG_SCRIPTS}" \
+  "${SCRATCH}/app.pkg"
+
+# Build signed distribution package
+echo "productbuild pkg"
+/bin/mkdir -p "${SCRATCH}/${RELEASE_NAME}"
+/usr/bin/productbuild \
+  --distribution "${SCRIPT_PATH}/Distribution.xml" \
+  --package-path "${SCRATCH}" \
+  --sign "${INSTALLER_SIGNING_IDENTITY}" --keychain "${INSTALLER_SIGNING_KEYCHAIN}" \
+  "${SCRATCH}/${RELEASE_NAME}/${RELEASE_NAME}.pkg"
+
+echo "verifying pkg signature"
+/usr/sbin/pkgutil --check-signature "${SCRATCH}/${RELEASE_NAME}/${RELEASE_NAME}.pkg" || die "bad pkg signature"
+
+echo "notarizing pkg"
+"${NOTARIZATION_TOOL}" --file "${SCRATCH}/${RELEASE_NAME}/${RELEASE_NAME}.pkg"
+
+echo "stapling pkg"
+/usr/bin/xcrun stapler staple "${SCRATCH}/${RELEASE_NAME}/${RELEASE_NAME}.pkg" || die "failed to staple pkg"
+
+echo "wrapping pkg in dmg"
+/usr/bin/hdiutil create -fs HFS+ -format UDZO \
+    -volname "${RELEASE_NAME}" \
+    -ov -imagekey zlib-level=9 \
+    -srcfolder "${SCRATCH}/${RELEASE_NAME}/" "${DMG_PATH}" || die "failed to wrap pkg in dmg"
+
+echo "notarizing dmg"
+"${NOTARIZATION_TOOL}" --file "${DMG_PATH}"
+
+echo "stapling dmg"
+/usr/bin/xcrun stapler staple "${DMG_PATH}" || die "failed to staple dmg"

Conf/Package/postinstall

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Load the kernel extension, santad, sync client
+# Load com.google.santa.daemon and com.google.santa.bundleservice
 # If a user is logged in, also load the GUI agent.
 # If the target volume is not /, do nothing
 
@@ -9,20 +9,28 @@
 # Restart syslogd to pick up ASL configuration change
 /usr/bin/killall -HUP syslogd
 
-/sbin/kextload /Library/Extensions/santa-driver.kext
-
-sleep 1
-
-/bin/launchctl load -w /Library/LaunchDaemons/com.google.santad.plist
-
-sleep 1
-
 # Create hopefully useful symlink for santactl
 mkdir -p /usr/local/bin
-/bin/ln -sf /Library/Extensions/santa-driver.kext/Contents/MacOS/santactl /usr/local/bin/santactl
+/bin/ln -sf /Applications/Santa.app/Contents/MacOS/santactl /usr/local/bin/santactl
 
-user=$(/usr/bin/stat -f '%u' /dev/console)
-[[ -z "$user" ]] && exit 0
-/bin/launchctl asuser ${user} /bin/launchctl load /Library/LaunchAgents/com.google.santagui.plist
+# Remove the kext before com.google.santa.daemon loads if the SystemExtension is already present.
+/bin/launchctl list EQHXZ8M8AV.com.google.santa.daemon > /dev/null 2>&1 && rm -rf /Library/Extensions/santa-driver.kext
 
+# Load com.google.santa.daemon, its main has logic to handle loading the kext
+# or relaunching itself as a SystemExtension.
+/bin/launchctl load -w /Library/LaunchDaemons/com.google.santad.plist
+
+# Load com.google.santa.bundleservice
+/bin/launchctl load -w /Library/LaunchDaemons/com.google.santa.bundleservice.plist
+
+# Load com.google.santa.metricservice
+/bin/launchctl load -w /Library/LaunchDaemons/com.google.santa.metricservice.plist
+
+# Load com.google.santa.syncservice
+/bin/launchctl load -w /Library/LaunchDaemons/com.google.santa.syncservice.plist
+
+GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
+[[ -z "${GUI_USER}" ]] && exit 0
+
+/bin/launchctl asuser "${GUI_USER}" /bin/launchctl load /Library/LaunchAgents/com.google.santa.plist
 exit 0

Conf/Package/preinstall

@@ -6,22 +6,28 @@
 
 [[ $3 != "/" ]] && exit 0
 
-/bin/launchctl remove com.google.santad
+/bin/launchctl remove com.google.santad || true
+/bin/launchctl remove com.google.santa.bundleservice || true
+/bin/launchctl remove com.google.santa.metricservice || true
+/bin/launchctl remove com.google.santa.syncservice || true
 
-sleep 1
+/bin/sleep 1
 
-/sbin/kextunload -b com.google.santa-driver >/dev/null 2>&1
+/sbin/kextunload -b com.google.santa-driver >/dev/null 2>&1 || true
 
 # Remove cruft from old Santa versions
-/bin/rm /usr/libexec/santad
-/bin/rm /usr/sbin/santactl
+/bin/rm -f /usr/libexec/santad
+/bin/rm -f /usr/sbin/santactl
 /bin/launchctl remove com.google.santasync
-/bin/rm /Library/LaunchDaemons/com.google.santasync.plist
+/bin/rm -f /Library/LaunchDaemons/com.google.santasync.plist
 /bin/rm -rf /Applications/Santa.app
+/bin/rm -rf /Library/Extensions/santa-driver.kext
 
-sleep 1
+/bin/sleep 1
 
-user=$(/usr/bin/stat -f '%u' /dev/console)
-[[ -n "$user" ]] && /bin/launchctl asuser ${user} /bin/launchctl remove com.google.santagui
+GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
+[[ -z "${GUI_USER}" ]] && exit 0
 
+/bin/launchctl asuser "${GUI_USER}" /bin/launchctl remove com.google.santagui
+/bin/launchctl asuser "${GUI_USER}" /bin/launchctl remove com.google.santa
 exit 0

Conf/com.google.santa.asl.conf

@@ -1,6 +0,0 @@
-# Copy this file to /etc/asl to log all messages from santa-driver to the log file
-> /var/db/santa/santa.log format="[$((Time)(ISO8601Z.3))] $Message" mode=0644 rotate=seq compress file_max=25M all_max=100M uid=0 gid=0
-? [= Sender kernel] [S= Message santa-driver:] claim
-? [= Sender kernel] [S= Message santa-driver:] file /var/db/santa/santa.log
-? [= Facility com.google.santa] claim
-? [= Facility com.google.santa] file /var/db/santa/santa.log

Conf/com.google.santa.bundleservice.plist

@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Label</key>
+	<string>com.google.santa.bundleservice</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>/Applications/Santa.app/Contents/MacOS/santabundleservice</string>
+		<string>--syslog</string>
+	</array>
+	<key>MachServices</key>
+	<dict>
+		<key>com.google.santa.bundleservice</key>
+		<true/>
+	</dict>
+	<key>RunAtLoad</key>
+	<false/>
+	<key>KeepAlive</key>
+	<false/>
+	<key>ProcessType</key>
+	<string>Interactive</string>
+	<key>ThrottleInterval</key>
+	<integer>0</integer>
+</dict>
+</plist>

Conf/com.google.santa.metricservice.plist

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Label</key>
+	<string>com.google.santa.metricservice</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>/Applications/Santa.app/Contents/MacOS/santametricservice</string>
+		<string>--syslog</string>
+	</array>
+	<key>MachServices</key>
+	<dict>
+		<key>com.google.santa.metricservice</key>
+		<true/>
+	</dict>
+	<key>RunAtLoad</key>
+	<true/>
+	<key>KeepAlive</key>
+	<true/>
+</dict>
+</plist>

Conf/com.google.santa.newsyslog.conf

@@ -1,2 +1,2 @@
 # logfilename             [owner:group]       mode   count size(KiB) when   flags [/pid_file] # [sig_num]
-/var/db/santa/santa.log   root:wheel          644    10    25000     *      NZ
+/var/db/santa/santa.log   root:wheel          644    10    25000     *      Z

Conf/com.google.santa.plist

@@ -3,10 +3,10 @@
 <plist version="1.0">
 <dict>
 				<key>Label</key>
-				<string>com.google.santagui</string>
+				<string>com.google.santa</string>
 				<key>ProgramArguments</key>
 				<array>
-					<string>/Library/Extensions/santa-driver.kext/Contents/Resources/Santa.app/Contents/MacOS/Santa</string>
+					<string>/Applications/Santa.app/Contents/MacOS/Santa</string>
 					<string>--syslog</string>
 				</array>
 				<key>RunAtLoad</key>

Conf/com.google.santa.syncservice.plist

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Label</key>
+	<string>com.google.santa.syncservice</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>/Applications/Santa.app/Contents/MacOS/santasyncservice</string>
+		<string>--syslog</string>
+	</array>
+	<key>MachServices</key>
+	<dict>
+		<key>com.google.santa.syncservice</key>
+		<true/>
+	</dict>
+	<key>RunAtLoad</key>
+	<false/>
+	<key>KeepAlive</key>
+	<false/>
+</dict>
+</plist>

Conf/com.google.santad.plist

@@ -1,24 +1,24 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-				<key>Label</key>
-				<string>com.google.santad</string>
-				<key>ProgramArguments</key>
-				<array>
-					<string>/Library/Extensions/santa-driver.kext/Contents/MacOS/santad</string>
-					<string>--syslog</string>
-				</array>
-				<key>MachServices</key>
-				<dict>
-					<key>SantaXPCControl</key>
-					<true/>
-				</dict>
-				<key>RunAtLoad</key>
-				<true/>
-				<key>KeepAlive</key>
-				<true />
-				<key>ProcessType</key>
-				<string>Interactive</string>
+	<key>Label</key>
+	<string>com.google.santad</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>/Applications/Santa.app/Contents/Library/SystemExtensions/com.google.santa.daemon.systemextension/Contents/MacOS/com.google.santa.daemon</string>
+		<string>--syslog</string>
+	</array>
+	<key>MachServices</key>
+	<dict>
+		<key>com.google.santa.daemon</key>
+		<true/>
+	</dict>
+	<key>RunAtLoad</key>
+	<true/>
+	<key>KeepAlive</key>
+	<true/>
+	<key>ProcessType</key>
+	<string>Interactive</string>
 </dict>
 </plist>

Conf/install.sh

@@ -21,6 +21,15 @@ fi
 # Unload santad and scheduled sync job.
 /bin/launchctl remove com.google.santad >/dev/null 2>&1
 
+# Unload bundle service
+/bin/launchctl remove com.google.santa.bundleservice >/dev/null 2>&1
+
+# Unload metric service
+/bin/launchctl remove com.google.santa.metricservice >/dev/null 2>&1
+
+# Unload sync service
+/bin/launchctl remove com.google.santa.syncservice >/dev/null 2>&1
+
 # Unload kext.
 /sbin/kextunload -b com.google.santa-driver >/dev/null 2>&1
 
@@ -28,8 +37,10 @@ fi
 GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
 
 # Unload GUI agent if someone is logged in.
+[[ -n "${GUI_USER}" ]] && \
+  /bin/launchctl asuser "${GUI_USER}" /bin/launchctl remove com.google.santagui
 [[ -n "$GUI_USER" ]] && \
-  /bin/launchctl asuser ${GUI_USER} /bin/launchctl remove com.google.santagui
+  /bin/launchctl asuser "${GUI_USER}" /bin/launchctl remove com.google.santa
 
 # Cleanup cruft from old versions
 /bin/launchctl remove com.google.santasync >/dev/null 2>&1
@@ -38,33 +49,40 @@ GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
 /bin/rm /usr/sbin/santactl >/dev/null 2>&1
 /bin/rm -rf /Applications/Santa.app 2>&1
 /bin/rm -rf /Library/Extensions/santa-driver.kext 2>&1
+/bin/rm /etc/asl/com.google.santa.asl.conf
 
 # Copy new files.
-/bin/cp -r ${BINARIES}/santa-driver.kext /Library/Extensions
+/bin/mkdir -p /var/db/santa
+
+/bin/cp -r ${BINARIES}/Santa.app /Applications
+
 /bin/mkdir -p /usr/local/bin
-/bin/ln -s /Library/Extensions/santa-driver.kext/Contents/MacOS/santactl /usr/local/bin 2>/dev/null
-
-if [ ! -d /var/db/santa ] ; then
-  /bin/mkdir /var/db/santa
-fi
+/bin/ln -s /Applications/Santa.app/Contents/MacOS/santactl /usr/local/bin 2>/dev/null
 
+/bin/cp ${CONF}/com.google.santa.plist /Library/LaunchAgents
+/bin/cp ${CONF}/com.google.santa.bundleservice.plist /Library/LaunchDaemons
+/bin/cp ${CONF}/com.google.santa.metricservice.plist /Library/LaunchDaemons
+/bin/cp ${CONF}/com.google.santa.syncservice.plist /Library/LaunchDaemons
 /bin/cp ${CONF}/com.google.santad.plist /Library/LaunchDaemons
-/bin/cp ${CONF}/com.google.santagui.plist /Library/LaunchAgents
-/bin/cp ${CONF}/com.google.santa.asl.conf /etc/asl/
 /bin/cp ${CONF}/com.google.santa.newsyslog.conf /etc/newsyslog.d/
 
 # Reload syslogd to pick up ASL configuration change.
 /usr/bin/killall -HUP syslogd
 
-# Load kext.
-/sbin/kextload /Library/Extensions/santa-driver.kext
-
-# Load santad and scheduled sync jobs.
+# Load com.google.santa.daemon
 /bin/launchctl load /Library/LaunchDaemons/com.google.santad.plist
 
-# Load GUI agent if someone is logged in.
-[[ -n "$GUI_USER" ]] && \
-  /bin/launchctl asuser ${GUI_USER} \
-  /bin/launchctl load /Library/LaunchAgents/com.google.santagui.plist
+# Load com.google.santa.bundleservice
+/bin/launchctl load /Library/LaunchDaemons/com.google.santa.bundleservice.plist
 
+# Load com.google.santa.metricservice
+/bin/launchctl load /Library/LaunchDaemons/com.google.santa.metricservice.plist
+
+# Load com.google.santa.syncservice
+/bin/launchctl load /Library/LaunchDaemons/com.google.santa.syncservice.plist
+
+# Load GUI agent if someone is logged in.
+[[ -z "${GUI_USER}" ]] && exit 0
+
+/bin/launchctl asuser "${GUI_USER}" /bin/launchctl load -w /Library/LaunchAgents/com.google.santa.plist
 exit 0

Conf/uninstall.sh

@@ -6,18 +6,30 @@
 
 [ "$EUID" != 0 ] && printf "%s\n" "This requires running as root/sudo." && exit 1
 
+# For macOS 10.15+ this will block up to 60 seconds
+/bin/launchctl list EQHXZ8M8AV.com.google.santa.daemon > /dev/null 2>&1 && /Applications/Santa.app/Contents/MacOS/Santa --unload-system-extension
+
 /bin/launchctl remove com.google.santad
+# remove helper XPC services
+/bin/launchctl remove com.google.santa.bundleservice
+/bin/launchctl remove com.google.santa.metricservice
+/bin/launchctl remove com.google.santa.syncservice
 sleep 1
 /sbin/kextunload -b com.google.santa-driver >/dev/null 2>&1
 user=$(/usr/bin/stat -f '%u' /dev/console)
 [[ -n "$user" ]] && /bin/launchctl asuser ${user} /bin/launchctl remove com.google.santagui
+[[ -n "$user" ]] && /bin/launchctl asuser ${user} /bin/launchctl remove com.google.santa
 # and to clean out the log config, although it won't write after wiping the binary
 /usr/bin/killall -HUP syslogd
 # delete artifacts on-disk
 /bin/rm -rf /Applications/Santa.app
 /bin/rm -rf /Library/Extensions/santa-driver.kext
 /bin/rm -f /Library/LaunchAgents/com.google.santagui.plist
+/bin/rm -f /Library/LaunchAgents/com.google.santa.plist
 /bin/rm -f /Library/LaunchDaemons/com.google.santad.plist
+/bin/rm -f /Library/LaunchDaemons/com.google.santa.bundleservice.plist
+/bin/rm -f /Library/LaunchDaemons/com.google.santa.metricservice.plist
+/bin/rm -f /Library/LaunchDaemons/com.google.santa.syncservice.plist
 /bin/rm -f /private/etc/asl/com.google.santa.asl.conf
 /bin/rm -f /private/etc/newsyslog.d/com.google.santa.newsyslog.conf
 /bin/rm -f /usr/local/bin/santactl # just a symlink

Fuzzing/BUILD

@@ -0,0 +1,11 @@
+load("fuzzing.bzl", "objc_fuzz_test")
+
+objc_fuzz_test(
+    name = "MachOParse",
+    srcs = ["common/MachOParse.mm"],
+    corpus = glob(["common/MachOParse_corpus/*"]),
+    linkopts = ["-lsqlite3"],
+    deps = [
+        "//Source/common:SNTFileInfo",
+    ],
+)

Fuzzing/common/MachOParse.mm

@@ -0,0 +1,40 @@
+#import <Foundation/Foundation.h>
+#include <libproc.h>
+#include <stddef.h>
+#include <stdint.h>
+
+#import "Source/common/SNTFileInfo.h"
+
+int get_num_fds() {
+  return proc_pidinfo(getpid(), PROC_PIDLISTFDS, 0, NULL, 0) / PROC_PIDLISTFD_SIZE;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  static NSString *tmpPath =
+    [NSTemporaryDirectory() stringByAppendingPathComponent:[[NSUUID UUID] UUIDString]];
+
+  int num_fds_pre = get_num_fds();
+
+  @autoreleasepool {
+    NSData *input = [NSData dataWithBytesNoCopy:(void *)data length:size freeWhenDone:false];
+    [input writeToFile:tmpPath atomically:false];
+
+    NSError *error;
+    SNTFileInfo *fi = [[SNTFileInfo alloc] initWithResolvedPath:tmpPath error:&error];
+    if (!fi || error != nil) {
+      NSLog(@"Error: %@", error);
+      return -1;
+    }
+
+    // Mach-O Parsing
+    [fi architectures];
+    [fi isMissingPageZero];
+    [fi infoPlist];
+  }
+
+  if (num_fds_pre != get_num_fds()) {
+    abort();
+  }
+
+  return 0;
+}

Fuzzing/fuzzing.bzl

@@ -0,0 +1,20 @@
+"""Utilities for fuzzing Santa"""
+
+load("@rules_fuzzing//fuzzing:cc_defs.bzl", "cc_fuzz_test")
+
+def objc_fuzz_test(name, srcs, deps, corpus, linkopts = [], **kwargs):
+    native.objc_library(
+        name = "%s_lib" % name,
+        srcs = srcs,
+        deps = deps,
+        **kwargs
+    )
+
+    cc_fuzz_test(
+        name = name,
+        deps = [
+            "%s_lib" % name,
+        ],
+        linkopts = linkopts,
+        corpus = corpus,
+    )

Fuzzing/install_libclang_fuzzer.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# Xcode doesn't include the fuzzer runtime, but the one LLVM ships is compatible with Apple clang.
+set -uexo pipefail
+
+CLANG_VERSION=$(clang --version | head -n 1 | cut -d' ' -f 4)
+DST_PATH="$(xcode-select -p)/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/${CLANG_VERSION}/lib/darwin/libclang_rt.fuzzer_osx.a"
+
+if [ -f ${DST_PATH} ]; then
+  exit 0;
+fi
+
+curl -O -L https://github.com/llvm/llvm-project/releases/download/llvmorg-${CLANG_VERSION}/clang+llvm-${CLANG_VERSION}-x86_64-apple-darwin.tar.xz
+tar xvf clang+llvm-${CLANG_VERSION}-x86_64-apple-darwin.tar.xz clang+llvm-${CLANG_VERSION}-x86_64-apple-darwin/lib/clang/${CLANG_VERSION}/lib/darwin/libclang_rt.fuzzer_osx.a
+cp clang+llvm-${CLANG_VERSION}-x86_64-apple-darwin/lib/clang/${CLANG_VERSION}/lib/darwin/libclang_rt.fuzzer_osx.a ${DST_PATH}

Fuzzing/libFuzzer/.gitignore

@@ -1,4 +0,0 @@
-bin
-llvm-*.src
-llvm-*.src.tar.xz
-

Fuzzing/libFuzzer/build.sh

@@ -1,109 +0,0 @@
-#!/usr/bin/env bash
-
-LLVM_VERSION='5.0.1'
-LLVM_COMPILERRT_TARBALL_NAME="llvm-${LLVM_VERSION}.src.tar.xz"
-LLVM_COMPILERRT_SRC_FOLDER_NAME=`echo "${LLVM_COMPILERRT_TARBALL_NAME}" | cut -d '.' -f 1-4`
-LLVM_COMPILERRT_TARBALL_URL="http://releases.llvm.org/${LLVM_VERSION}/${LLVM_COMPILERRT_TARBALL_NAME}"
-
-LIBFUZZER_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-LOG_FILE=`mktemp`
-
-main() {
-  echo "libFuzzer build script"
-
-  echo " > Checking dependencies..."
-  checkDependencies || return 1
-
-  echo " > Entering libFuzzer folder..."
-  cd "${LIBFUZZER_FOLDER}" > /dev/null 2>&1
-  if [ $? -ne 0 ] ; then
-    echo "Failed to enter the libFuzzer folder: ${LIBFUZZER_FOLDER}"
-    return 1
-  fi
-
-  if [ ! -f "${LLVM_COMPILERRT_TARBALL_NAME}" ] ; then
-    echo " > Downloading the LLVM tarball..."
-    curl "${LLVM_COMPILERRT_TARBALL_URL}" -o "${LLVM_COMPILERRT_TARBALL_NAME}" > "${LOG_FILE}" 2>&1
-    if [ $? -ne 0 ] ; then
-      dumpLogFile "Failed to download the LLVM tarball"
-      return 1
-    fi
-  else
-    echo " > An existing LLVM tarball was found"
-  fi
-
-  if [ -d "${LLVM_COMPILERRT_SRC_FOLDER_NAME}" ] ; then
-    echo " > Deleting existing LLVM folder..."
-    rm -rf "${LLVM_COMPILERRT_SRC_FOLDER_NAME}" > "${LOG_FILE}" 2>&1
-    if [ $? -ne 0 ] ; then
-      dumpLogFile "Failed to delete the existing source folder"
-      return 1
-    fi
-  fi
-
-  echo " > Extracting the LLVM tarball..."
-  tar xf "${LLVM_COMPILERRT_TARBALL_NAME}" > "${LOG_FILE}" 2>&1
-  if [ $? -ne 0 ] ; then
-    rm "${LLVM_COMPILERRT_TARBALL_NAME}" "${LLVM_COMPILERRT_SRC_FOLDER_NAME}"
-    dumpLogFile "Failed to extract the LLVM tarball"
-    return 1
-  fi
-
-  if [ -d "bin" ] ; then
-    echo " > Deleting existing bin folder..."
-    rm -rf "bin" > "${LOG_FILE}" 2>&1
-    if [ $? -ne 0 ] ; then
-      dumpLogFile "Failed to delete the existing bin folder"
-      return 1
-    fi
-  fi
-
-  mkdir "bin" > "${LOG_FILE}" 2>&1
-  if [ $? -ne 0 ] ; then
-    dumpLogFile "Failed to create the bin folder"
-    return 1
-  fi
-
-  echo " > Building libFuzzer..."
-  ( cd "bin" && "../${LLVM_COMPILERRT_SRC_FOLDER_NAME}/lib/Fuzzer/build.sh" ) > "${LOG_FILE}" 2>&1
-  if [ $? -ne 0 ] ; then
-    dumpLogFile "Failed to build the library"
-    return 1
-  fi
-
-  printf "\nFinished building libFuzzer\n"
-  rm "${LOG_FILE}"
-
-  return 0
-}
-
-checkDependencies() {
-  executable_list=( "clang++" "curl" "tar" )
-
-  for executable in "${executable_list[@]}" ; do
-    which "${executable}" > /dev/null 2>&1
-    if [ $? -ne 0 ] ; then
-      echo "The following program was not found: ${executable}"
-      return 1
-    fi
-  done
-
-  return 0
-}
-
-dumpLogFile() {
-  if [ $# -eq 1 ] ; then
-    local message="$1"
-  else
-    local message="An error has occurred"
-  fi
-
-  printf "${message}\n"
-  printf "Log file follows\n===\n"
-  cat "${LOG_FILE}"
-  printf "\n===\n"
-  rm "${LOG_FILE}"
-}
-
-main $@
-exit $?

Fuzzing/santacache/src/main.cpp

@@ -14,10 +14,11 @@
 
 #include <SantaCache.h>
 
-#include <iostream>
 #include <cstdint>
+#include <iostream>
 
-extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size) {
+extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data,
+                                      std::size_t size) {
   static SantaCache<uint64_t, uint64_t> decision_cache(5000, 2);
 
   std::uint64_t fields[2] = {};
@@ -33,7 +34,8 @@ extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size
   auto returned_value = decision_cache.get(fields[0]);
 
   if (returned_value != fields[1]) {
-    std::cout << fields[0] << ", " << fields[1] << " -> " << returned_value << "\n";
+    std::cout << fields[0] << ", " << fields[1] << " -> " << returned_value
+              << "\n";
     return 1;
   }
 

Fuzzing/santactl/src/main.mm

@@ -12,14 +12,14 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#include <iostream>
 #include <cstdint>
+#include <iostream>
 #include <vector>
 
-#include <SNTCommandSyncRuleDownload.h>
-#include <SNTCommandSyncState.h>
-#include <SNTCommandSyncConstants.h>
 #include <SNTRule.h>
+#include <SNTSyncConstants.h>
+#include <SNTSyncRuleDownload.h>
+#include <SNTSyncState.h>
 
 extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size) {
   NSData *buffer = [NSData dataWithBytes:static_cast<const void *>(data) length:size];
@@ -41,12 +41,12 @@ extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size
     return 0;
   }
 
-  SNTCommandSyncState *state = [[SNTCommandSyncState alloc] init];
+  SNTSyncState *state = [[SNTSyncState alloc] init];
   if (!state) {
     return 0;
   }
 
-  SNTCommandSyncRuleDownload *obj = [[SNTCommandSyncRuleDownload alloc] initWithState:state];
+  SNTSyncRuleDownload *obj = [[SNTSyncRuleDownload alloc] initWithState:state];
   if (!obj) {
     return 0;
   }
@@ -57,6 +57,6 @@ extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size
       std::cerr << "Rule: " << [[rule description] UTF8String] << "\n";
     }
   }
- 
+
   return 0;
 }

Fuzzing/santad/src/checkCacheForVnodeID.mm

@@ -12,26 +12,26 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#include <iostream>
 #include <cstdint>
+#include <iostream>
 
 #import <MOLXPCConnection/MOLXPCConnection.h>
 
 #import "SNTCommandController.h"
 #import "SNTRule.h"
 #import "SNTXPCControlInterface.h"
+#import "Source/common/SNTCommonEnums.h"
 
 extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size) {
   if (size > 16) {
-    std::cerr << "Invalid buffer size of " << size
-              <<  " (should be <= 16)" << std::endl;
+    std::cerr << "Invalid buffer size of " << size << " (should be <= 16)" << std::endl;
 
     return 1;
   }
 
-  santa_vnode_id_t vnodeID = {};
+  SantaVnode vnodeID = {};
   std::memcpy(&vnodeID, data, size);
-  
+
   MOLXPCConnection *daemonConn = [SNTXPCControlInterface configuredConnection];
   daemonConn.invalidationHandler = ^{
     printf("An error occurred communicating with the daemon, is it running?\n");
@@ -40,16 +40,20 @@ extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size
 
   [daemonConn resume];
 
-  [[daemonConn remoteObjectProxy] checkCacheForVnodeID:vnodeID
-                                                  withReply:^(santa_action_t action) {
-    if (action == ACTION_RESPOND_ALLOW) {
-      std::cerr << "File exists in [whitelist] kernel cache" << std::endl;;
-    } else if (action == ACTION_RESPOND_DENY) {
-      std::cerr << "File exists in [blacklist] kernel cache" << std::endl;;
-    } else if (action == ACTION_UNSET) {
-      std::cerr << "File does not exist in cache" << std::endl;;
-    }
-  }];
-  
+  [[daemonConn remoteObjectProxy]
+    checkCacheForVnodeID:vnodeID
+               withReply:^(SNTAction action) {
+                 if (action == SNTActionRespondAllow) {
+                   std::cerr << "File exists in [whitelist] kernel cache" << std::endl;
+                   ;
+                 } else if (action == SNTActionRespondDeny) {
+                   std::cerr << "File exists in [blacklist] kernel cache" << std::endl;
+                   ;
+                 } else if (action == SNTActionUnset) {
+                   std::cerr << "File does not exist in cache" << std::endl;
+                   ;
+                 }
+               }];
+
   return 0;
 }

Fuzzing/santad/src/databaseRemoveEventsWithIDs.mm

@@ -12,8 +12,8 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#include <iostream>
 #include <cstdint>
+#include <iostream>
 
 #import <MOLXPCConnection/MOLXPCConnection.h>
 

Fuzzing/santad/src/databaseRuleAddRules.mm

@@ -12,12 +12,13 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#include <iostream>
 #include <cstdint>
+#include <iostream>
 
 #import <MOLXPCConnection/MOLXPCConnection.h>
 
 #import "SNTCommandController.h"
+#import "SNTCommonEnums.h"
 #import "SNTRule.h"
 #import "SNTXPCControlInterface.h"
 
@@ -34,9 +35,8 @@ struct InputData {
 
 extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size) {
   if (size > sizeof(InputData)) {
-    std::cerr << "Invalid buffer size of " << size
-              <<  " (should be <= " << sizeof(InputData)
-              << ")" << std::endl;
+    std::cerr << "Invalid buffer size of " << size << " (should be <= " << sizeof(InputData) << ")"
+              << std::endl;
 
     return 1;
   }
@@ -45,11 +45,11 @@ extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size
   std::memcpy(&input_data, data, size);
 
   SNTRule *newRule = [[SNTRule alloc] init];
-  newRule.state = (SNTRuleState) input_data.state;
-  newRule.type = (SNTRuleType) input_data.type;
-  newRule.shasum = @(input_data.hash);
+  newRule.state = (SNTRuleState)input_data.state;
+  newRule.type = (SNTRuleType)input_data.type;
+  newRule.identifier = @(input_data.hash);
   newRule.customMsg = @"";
-  
+
   MOLXPCConnection *daemonConn = [SNTXPCControlInterface configuredConnection];
   daemonConn.invalidationHandler = ^{
     printf("An error occurred communicating with the daemon, is it running?\n");
@@ -57,17 +57,18 @@ extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size
   };
 
   [daemonConn resume];
-  [[daemonConn remoteObjectProxy] databaseRuleAddRules:@[newRule]
-                                                 cleanSlate:NO
-                                                      reply:^(NSError *error) {
-    if (!error) {
-      if (newRule.state == SNTRuleStateRemove) {
-        printf("Removed rule for SHA-256: %s.\n", [newRule.shasum UTF8String]);
-      } else {
-        printf("Added rule for SHA-256: %s.\n", [newRule.shasum UTF8String]);
-      }
-    }
-  }];
-  
+  [[daemonConn remoteObjectProxy]
+    databaseRuleAddRules:@[ newRule ]
+             ruleCleanup:SNTRuleCleanupNone
+                   reply:^(NSError *error) {
+                     if (!error) {
+                       if (newRule.state == SNTRuleStateRemove) {
+                         printf("Removed rule for SHA-256: %s.\n", [newRule.identifier UTF8String]);
+                       } else {
+                         printf("Added rule for SHA-256: %s.\n", [newRule.identifier UTF8String]);
+                       }
+                     }
+                   }];
+
   return 0;
 }

LICENSE

@@ -200,3 +200,4 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
+

README.md

@@ -1,29 +1,28 @@
-# Santa [![Build Status][build-status-img]][build-status-link] [![Documentation Status][doc-status-img]][doc-status-link]
+# Santa
 
-[build-status-img]: https://travis-ci.org/google/santa.png?branch=master
-[build-status-link]: https://travis-ci.org/google/santa
-[doc-status-img]: https://readthedocs.org/projects/santa/badge/?version=latest
-[doc-status-link]: https://santa.readthedocs.io/en/latest/?badge=latest
+[![license](https://img.shields.io/github/license/google/santa)](https://github.com/google/santa/blob/main/LICENSE)
+[![CI](https://github.com/google/santa/actions/workflows/ci.yml/badge.svg)](https://github.com/google/santa/actions/workflows/ci.yml)
+[![latest release](https://img.shields.io/github/v/release/google/santa.svg)](https://github.com/google/santa/releases/latest)
+[![latest release date](https://img.shields.io/github/release-date/google/santa.svg)](https://github.com/google/santa/releases/latest)
+[![downloads](https://img.shields.io/github/downloads/google/santa/latest/total)](https://github.com/google/santa/releases/latest)
 
 <p align="center">
-    <img src="./Source/SantaGUI/Resources/Images.xcassets/AppIcon.appiconset/santa-hat-icon-128.png" alt="Santa Icon" />
+    <img src="./docs/images/santa-sleigh-256.png" height="128" alt="Santa Icon" />
 </p>
 
-Santa is a binary whitelisting/blacklisting system for macOS. It consists of a
-kernel extension that monitors for executions, a userland daemon that makes
-execution decisions based on the contents of a SQLite database, a GUI agent
-that notifies the user in case of a block decision and a command-line utility
-for managing the system and synchronizing the database with a server.
+Santa is a binary and file access authorization system for macOS. It consists of a system
+extension that monitors for executions, a daemon that makes execution decisions
+based on the contents of a local database, a GUI agent that notifies the user in
+case of a block decision and a command-line utility for managing the system and
+synchronizing the database with a server.
 
 It is named Santa because it keeps track of binaries that are naughty or nice.
 
-Santa is a project of Google's Macintosh Operations Team.
-
 # Docs
 
 The Santa docs are stored in the
-[Docs](https://github.com/google/santa/blob/master/docs) directory. A Read the
-Docs instance is available here: https://santa.readthedocs.io.
+[Docs](https://github.com/google/santa/blob/main/docs) directory and published
+at https://santa.dev.
 
 The docs include deployment options, details on how parts of Santa work and
 instructions for developing Santa itself.
@@ -35,29 +34,30 @@ the [santa-dev](https://groups.google.com/forum/#!forum/santa-dev) group is a
 great place.
 
 If you believe you have a bug, feel free to report [an
-issue](https://github.com/google/santa/isues) and we'll respond as soon as we
+issue](https://github.com/google/santa/issues) and we'll respond as soon as we
 can.
 
+If you believe you've found a vulnerability, please read the
+[security policy](https://github.com/google/santa/security/policy) for
+disclosure reporting.
 
-# Admin-Related Features
+# Features
 
 * Multiple modes: In the default MONITOR mode, all binaries except those marked
-  as blacklisted will be allowed to run, whilst being logged and recorded in
-  the events database. In LOCKDOWN mode, only whitelisted binaries are allowed
-  to run.
+  as blocked will be allowed to run, whilst being logged and recorded in
+  the events database. In LOCKDOWN mode, only listed binaries are allowed to
+  run.
 
-* Event logging: When the kext is loaded, all binary launches are logged.  When
-  in either mode, all unknown or denied binaries are stored in the database to
-  enable later aggregation.
+* Event logging: When the system extension is loaded, all binary launches are logged. When in either mode, all unknown or denied binaries are stored in the database to enable later aggregation.
 
 * Certificate-based rules, with override levels: Instead of relying on a
-  binary's hash (or 'fingerprint'), executables can be whitelisted/blacklisted
-  by their signing certificate. You can therefore trust/block all binaries by a
+  binary's hash (or 'fingerprint'), executables can be allowed/blocked by their
+  signing certificate. You can therefore allow/block all binaries by a
   given publisher that were signed with that cert across version updates. A
-  binary can only be whitelisted by its certificate if its signature validates
-  correctly, but a rule for a binary's fingerprint will override a decision for
-  a certificate; i.e. you can whitelist a certificate while blacklisting a
-  binary signed with that certificate, or vice-versa.
+  binary can only be allowed by its certificate if its signature validates
+  correctly but a rule for a binary's fingerprint will override a decision for
+  a certificate; i.e. you can allowlist a certificate while blocking a binary
+  signed with that certificate, or vice-versa.
 
 * Path-based rules (via NSRegularExpression/ICU): This allows a similar feature
   to that found in Managed Client (the precursor to configuration profiles,
@@ -70,10 +70,18 @@ can.
 * Failsafe cert rules: You cannot put in a deny rule that would block the
   certificate used to sign launchd, a.k.a. pid 1, and therefore all components
   used in macOS. The binaries in every OS update (and in some cases entire new
-  versions) are therefore auto-whitelisted. This does not affect binaries from
-  Apple's App Store, which use various certs that change regularly for common
-  apps. Likewise, you cannot blacklist Santa itself, and Santa uses a distinct
-  separate cert than other Google apps.
+  versions) are therefore automatically allowed. This does not affect binaries
+  from Apple's App Store, which use various certs that change regularly for
+  common apps. Likewise, you cannot block Santa itself, and Santa uses a
+  distinct separate cert than other Google apps.
+
+* Userland components validate each other: each of the userland components (the
+  daemon, the GUI agent and the command-line utility) communicate with each
+  other using XPC and check that their signing certificates are identical
+  before any communication is accepted.
+
+* Caching: allowed binaries are cached so the processing required to make a
+  request is only done if the binary isn't already cached.
 
 # Intentions and Expectations
 
@@ -90,42 +98,17 @@ protect hosts in whatever other ways you see fit.
 
 # Security and Performance-Related Features
 
-* In-kernel caching: whitelisted binaries are cached in the kernel so the
-  processing required to make a request is only done if the binary isn't
-  already cached.
-
-* Userland components validate each other: each of the userland components (the
-  daemon, the GUI agent and the command-line utility) communicate with each
-  other using XPC and check that their signing certificates are identical
-  before any communication is accepted.
-
-* Kext uses only KPIs: the kernel extension only uses provided kernel
-  programming interfaces to do its job. This means that the kext code should
-  continue to work across OS versions.
-
 # Known Issues
 
 * Santa only blocks execution (execve and variants), it doesn't protect against
   dynamic libraries loaded with dlopen, libraries on disk that have been
-  replaced, or libraries loaded using `DYLD_INSERT_LIBRARIES`. As of version
-  0.9.1 we *do* address [__PAGEZERO missing issues](b87482e) that were
-  exploited in some versions of macOS. We are working on also protecting
-  against similar avenues of attack.
-
-* Kext communication security: the kext will only accept a connection from a
-  single client at a time and said client must be running as root. We haven't
-  yet found a good way to ensure the kext only accepts connections from a valid
-  client.
-
-* Database protection: the SQLite database is installed with permissions so
-  that only the root user can read/write it. We're considering approaches to
-  secure this further.
+  replaced, or libraries loaded using `DYLD_INSERT_LIBRARIES`.
 
 * Scripts: Santa is currently written to ignore any execution that isn't a
   binary. This is because after weighing the administration cost vs the
   benefit, we found it wasn't worthwhile. Additionally, a number of
   applications make use of temporary generated scripts, which we can't possibly
-  whitelist and not doing so would cause problems. We're happy to revisit this
+  allowlist and not doing so would cause problems. We're happy to revisit this
   (or at least make it an option) if it would be useful to others.
 
 # Sync Servers
@@ -134,13 +117,17 @@ protect hosts in whatever other ways you see fit.
   management server, which uploads events that have occurred on the machine and
   downloads new rules. There are several open-source servers you can sync with:
 
-    * [Upvote](https://github.com/google/upvote) - An AppEngine-based server
-      that implements social voting to make managing a large fleet easier.
     * [Moroz](https://github.com/groob/moroz) - A simple golang server that
       serves hardcoded rules from simple configuration files.
+    * [Rudolph](https://github.com/airbnb/rudolph) - An AWS-based serverless sync service
+      primarily built on API GW, DynamoDB, and Lambda components to reduce operational burden.
+      Rudolph is designed to be fast, easy-to-use, and cost-efficient.
     * [Zentral](https://github.com/zentralopensource/zentral/wiki) - A
       centralized service that pulls data from multiple sources and deploy
       configurations to multiple services.
+    * [Zercurity](https://github.com/zercurity/zercurity) - A dockerized service
+      for managing and monitoring applications across a large fleet utilizing
+      Santa + Osquery.
 
 * Alternatively, `santactl` can configure rules locally (without a sync
   server).
@@ -150,34 +137,12 @@ protect hosts in whatever other ways you see fit.
 A tool like Santa doesn't really lend itself to screenshots, so here's a video
 instead.
 
-<p align="center"> <img src="https://zippy.gfycat.com/MadFatalAmphiuma.gif"
-alt="Santa Block Video" /> </p>
 
-# Kext Signing
-Kernel extensions on macOS 10.9 and later must be signed using an Apple-provided
-Developer ID certificate with a kernel extension flag. Without it, the only way
-to load an extension is to enable kext-dev-mode or disable SIP, depending on
-the OS version.
-
-There are two possible solutions for this, for distribution purposes:
-
-1) Use a [pre-built, pre-signed
-version](https://github.com/google/santa/releases) of the kext that we supply.
-Each time changes are made to the kext code we will update the pre-built
-version that you can make use of. This doesn't prevent you from making changes
-to the non-kext parts of Santa and distributing those.  If you make changes to
-the kext and make a pull request, we can merge them in and distribute a new
-version of the pre-signed kext.
-
-2) Apply for your own [kext signing
-certificate](https://developer.apple.com/contact/kext/).  Apple will only grant
-this for broad distribution within an organization, they won't issue them just
-for testing purposes.
+<p align="center"> <img src="./docs/images/santa-block.gif" alt="Santa Block Video" /> </p>
 
 # Contributing
 Patches to this project are very much welcome. Please see the
-[CONTRIBUTING](https://github.com/google/santa/blob/master/CONTRIBUTING.md)
-file.
+[CONTRIBUTING](https://santa.dev/development/contributing) doc.
 
 # Disclaimer
 This is **not** an official Google product.

SECURITY.md

@@ -0,0 +1,14 @@
+# Reporting a Vulnerability
+
+If you believe you have found a security vulnerability, we would appreciate a private report
+so that we can work on and release a fix before public disclosure. Any vulnerabilities reported to us will be
+disclosed publicly either when a new version with fixes is released or 90 days has passed,
+whichever comes first.
+
+To report vulnerabilities to us privately, either:
+
+1) Report the vulnerability [through GitHub](https://github.com/google/santa/security/advisories/new).
+
+2) E-mail `santa-team@google.com`. If you want to encrypt your e-mail, you can use our GPG key `0x92AFE41DAB49BBB6` available on keyserver.ubuntu.com:
+
+    `gpg --keyserver keyserver.ubuntu.com --recv-key 0x92AFE41DAB49BBB6`

Source/SantaGUI/BUILD

@@ -1,54 +0,0 @@
-licenses(["notice"])  # Apache 2.0
-
-exports_files([
-    "Resources/Images.xcassets/AppIcon.appiconset/santa-hat-icon-256.png",
-])
-
-load("@build_bazel_rules_apple//apple:macos.bzl", "macos_application")
-
-objc_library(
-    name = "SantaGUI_lib",
-    srcs = [
-        "SNTAboutWindowController.h",
-        "SNTAboutWindowController.m",
-        "SNTAccessibleTextField.h",
-        "SNTAccessibleTextField.m",
-        "SNTAppDelegate.h",
-        "SNTAppDelegate.m",
-        "SNTMessageWindow.h",
-        "SNTMessageWindow.m",
-        "SNTMessageWindowController.h",
-        "SNTMessageWindowController.m",
-        "SNTNotificationManager.h",
-        "SNTNotificationManager.m",
-        "main.m",
-    ],
-    data = [
-        "Resources/AboutWindow.xib",
-        "Resources/MessageWindow.xib",
-    ],
-    sdk_frameworks = [
-        "IOKit",
-        "SecurityInterface",
-    ],
-    deps = [
-        "//Source/common:SNTBlockMessage_SantaGUI",
-        "//Source/common:SNTConfigurator",
-        "//Source/common:SNTXPCControlInterface",
-        "//Source/common:SNTXPCNotifierInterface",
-        "@MOLCodesignChecker",
-        "@MOLXPCConnection",
-    ],
-)
-
-macos_application(
-    name = "SantaGUI",
-    app_icons = glob(["Resources/Images.xcassets/**"]),
-    bundle_id = "com.google.SantaGUI",
-    bundle_name = "Santa",
-    infoplists = ["Resources/SantaGUI-Info.plist"],
-    minimum_os_version = "10.9",
-    version = "//:version",
-    visibility = ["//visibility:public"],
-    deps = [":SantaGUI_lib"],
-)

Source/SantaGUI/Resources/AboutWindow.xib

@@ -1,94 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="14460.31" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES">
-    <dependencies>
-        <plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="14460.31"/>
-        <capability name="documents saved in the Xcode 8 format" minToolsVersion="8.0"/>
-    </dependencies>
-    <objects>
-        <customObject id="-2" userLabel="File's Owner" customClass="SNTAboutWindowController">
-            <connections>
-                <outlet property="moreInfoButton" destination="SRu-Kf-vu5" id="Vj2-9Q-05d"/>
-                <outlet property="window" destination="F0z-JX-Cv5" id="gIp-Ho-8D9"/>
-            </connections>
-        </customObject>
-        <customObject id="-1" userLabel="First Responder" customClass="FirstResponder"/>
-        <customObject id="-3" userLabel="Application" customClass="NSObject"/>
-        <window title="Santa" allowsToolTipsWhenApplicationIsInactive="NO" autorecalculatesKeyViewLoop="NO" releasedWhenClosed="NO" visibleAtLaunch="NO" animationBehavior="default" id="F0z-JX-Cv5">
-            <windowStyleMask key="styleMask" titled="YES" closable="YES"/>
-            <rect key="contentRect" x="196" y="240" width="480" height="200"/>
-            <rect key="screenRect" x="0.0" y="0.0" width="3840" height="1577"/>
-            <view key="contentView" id="se5-gp-TjO">
-                <rect key="frame" x="0.0" y="0.0" width="480" height="200"/>
-                <autoresizingMask key="autoresizingMask"/>
-                <subviews>
-                    <textField horizontalHuggingPriority="251" verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="BnL-ZS-kXw">
-                        <rect key="frame" x="199" y="140" width="83" height="40"/>
-                        <constraints>
-                            <constraint firstAttribute="height" constant="40" id="UK2-2L-lPx"/>
-                            <constraint firstAttribute="width" constant="79" id="lDf-D7-qlY"/>
-                        </constraints>
-                        <textFieldCell key="cell" scrollable="YES" lineBreakMode="clipping" sendsActionOnEndEditing="YES" title="Santa" id="VVj-gU-bzy">
-                            <font key="font" size="34" name="HelveticaNeue-UltraLight"/>
-                            <color key="textColor" name="labelColor" catalog="System" colorSpace="catalog"/>
-                            <color key="backgroundColor" name="textBackgroundColor" catalog="System" colorSpace="catalog"/>
-                        </textFieldCell>
-                    </textField>
-                    <textField verticalHuggingPriority="750" horizontalCompressionResistancePriority="250" fixedFrame="YES" setsMaxLayoutWidthAtFirstLayout="YES" translatesAutoresizingMaskIntoConstraints="NO" id="uh6-q0-RzL">
-                        <rect key="frame" x="18" y="65" width="444" height="60"/>
-                        <autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMinY="YES"/>
-                        <textFieldCell key="cell" sendsActionOnEndEditing="YES" alignment="center" id="CcT-ul-1eA">
-                            <font key="font" metaFont="system"/>
-                            <string key="title">Santa is an application whitelisting system for macOS.
-
-There are no user-configurable settings.</string>
-                            <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>
-                            <color key="backgroundColor" name="controlColor" catalog="System" colorSpace="catalog"/>
-                        </textFieldCell>
-                    </textField>
-                    <button verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="SRu-Kf-vu5">
-                        <rect key="frame" x="130" y="21" width="111" height="32"/>
-                        <constraints>
-                            <constraint firstAttribute="width" constant="99" id="JHv-2J-QSe"/>
-                        </constraints>
-                        <buttonCell key="cell" type="push" title="More Info..." bezelStyle="rounded" alignment="center" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="6fe-ju-aET">
-                            <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
-                            <font key="font" metaFont="system"/>
-                        </buttonCell>
-                        <connections>
-                            <action selector="openMoreInfoURL:" target="-2" id="dps-TN-rkS"/>
-                        </connections>
-                    </button>
-                    <button verticalHuggingPriority="750" translatesAutoresizingMaskIntoConstraints="NO" id="Udo-BY-n7e">
-                        <rect key="frame" x="240" y="21" width="111" height="32"/>
-                        <constraints>
-                            <constraint firstAttribute="width" constant="99" id="2Xc-ax-2bV"/>
-                        </constraints>
-                        <buttonCell key="cell" type="push" title="Dismiss" bezelStyle="rounded" alignment="center" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="uSw-o1-lWW">
-                            <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
-                            <font key="font" metaFont="system"/>
-                            <string key="keyEquivalent" base64-UTF8="YES">
-DQ
-</string>
-                        </buttonCell>
-                        <connections>
-                            <action selector="orderOut:" target="-1" id="6oW-zI-zn5"/>
-                        </connections>
-                    </button>
-                </subviews>
-                <constraints>
-                    <constraint firstItem="Udo-BY-n7e" firstAttribute="leading" secondItem="se5-gp-TjO" secondAttribute="leading" priority="900" constant="191" id="1T4-DB-Dz8"/>
-                    <constraint firstItem="SRu-Kf-vu5" firstAttribute="leading" secondItem="se5-gp-TjO" secondAttribute="leading" constant="136" id="Ake-nU-qhW"/>
-                    <constraint firstItem="BnL-ZS-kXw" firstAttribute="top" secondItem="se5-gp-TjO" secondAttribute="top" constant="20" symbolic="YES" id="Fj1-SG-mzF"/>
-                    <constraint firstAttribute="bottom" secondItem="Udo-BY-n7e" secondAttribute="bottom" constant="28" id="bpF-hC-haN"/>
-                    <constraint firstAttribute="bottom" secondItem="SRu-Kf-vu5" secondAttribute="bottom" constant="28" id="fCB-02-SEt"/>
-                    <constraint firstItem="BnL-ZS-kXw" firstAttribute="centerX" secondItem="se5-gp-TjO" secondAttribute="centerX" id="kez-S0-6Gg"/>
-                    <constraint firstItem="Udo-BY-n7e" firstAttribute="leading" secondItem="SRu-Kf-vu5" secondAttribute="trailing" constant="11" id="sYO-yY-w9w"/>
-                </constraints>
-            </view>
-            <connections>
-                <outlet property="delegate" destination="-2" id="0bl-1N-AYu"/>
-            </connections>
-            <point key="canvasLocation" x="323" y="317"/>
-        </window>
-    </objects>
-</document>

Source/SantaGUI/SNTNotificationManager.m

@@ -1,281 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-#import "Source/SantaGUI/SNTNotificationManager.h"
-
-#import <MOLXPCConnection/MOLXPCConnection.h>
-
-#import "Source/common/SNTBlockMessage.h"
-#import "Source/common/SNTConfigurator.h"
-#import "Source/common/SNTLogging.h"
-#import "Source/common/SNTStoredEvent.h"
-#import "Source/common/SNTStrengthify.h"
-#import "Source/common/SNTXPCControlInterface.h"
-
-@interface SNTNotificationManager ()
-
-///  The currently displayed notification
-@property SNTMessageWindowController *currentWindowController;
-
-///  The queue of pending notifications
-@property(readonly) NSMutableArray *pendingNotifications;
-
-///  The connection to the bundle service
-@property MOLXPCConnection *bundleServiceConnection;
-
-///  A semaphore to block bundle hashing until a connection is established
-@property dispatch_semaphore_t bundleServiceSema;
-
-// A serial queue for holding hashBundleBinaries requests
-@property dispatch_queue_t hashBundleBinariesQueue;
-
-@end
-
-@implementation SNTNotificationManager
-
-static NSString * const silencedNotificationsKey = @"SilencedNotifications";
-
-- (instancetype)init {
-  self = [super init];
-  if (self) {
-    _pendingNotifications = [[NSMutableArray alloc] init];
-    _bundleServiceSema = dispatch_semaphore_create(0);
-    _hashBundleBinariesQueue = dispatch_queue_create("com.google.santagui.hashbundlebinaries",
-                                                     DISPATCH_QUEUE_SERIAL);
-  }
-  return self;
-}
-
-- (void)windowDidCloseSilenceHash:(NSString *)hash {
-  if (hash) [self updateSilenceDate:[NSDate date] forHash:hash];
-
-  [self.pendingNotifications removeObject:self.currentWindowController];
-  self.currentWindowController = nil;
-
-  if ([self.pendingNotifications count]) {
-    self.currentWindowController = [self.pendingNotifications firstObject];
-    [self.currentWindowController showWindow:self];
-    if (self.currentWindowController.event.needsBundleHash) {
-      dispatch_async(self.hashBundleBinariesQueue, ^{
-        [self hashBundleBinariesForEvent:self.currentWindowController.event];
-      });
-    }
-  } else {
-    // Tear down the bundle service
-    self.bundleServiceSema = dispatch_semaphore_create(0);
-    [self.bundleServiceConnection invalidate];
-    self.bundleServiceConnection = nil;
-    [NSApp hide:self];
-  }
-}
-
-- (void)updateSilenceDate:(NSDate *)date forHash:(NSString *)hash {
-  NSUserDefaults *ud = [NSUserDefaults standardUserDefaults];
-  NSMutableDictionary *d = [[ud objectForKey:silencedNotificationsKey] mutableCopy];
-  if (!d) d = [NSMutableDictionary dictionary];
-  if (date) {
-    d[hash] = date;
-  } else {
-    [d removeObjectForKey:hash];
-  }
-  [ud setObject:d forKey:silencedNotificationsKey];
-}
-
-#pragma mark SNTNotifierXPC protocol methods
-
-- (void)postClientModeNotification:(SNTClientMode)clientmode {
-  NSUserNotification *un = [[NSUserNotification alloc] init];
-  un.title = @"Santa";
-  un.hasActionButton = NO;
-  NSString *customMsg;
-  switch (clientmode) {
-    case SNTClientModeMonitor:
-      un.informativeText = @"Switching into Monitor mode";
-      customMsg = [[SNTConfigurator configurator] modeNotificationMonitor];
-      if (!customMsg) break;
-      if (!customMsg.length) return;
-      un.informativeText = [SNTBlockMessage stringFromHTML:customMsg];
-      break;
-    case SNTClientModeLockdown:
-      un.informativeText = @"Switching into Lockdown mode";
-      customMsg = [[SNTConfigurator configurator] modeNotificationLockdown];
-      if (!customMsg) break;
-      if (!customMsg.length) return;
-      un.informativeText = [SNTBlockMessage stringFromHTML:customMsg];
-      break;
-    default:
-      return;
-  }
-  [[NSUserNotificationCenter defaultUserNotificationCenter] deliverNotification:un];
-}
-
-- (void)postBlockNotification:(SNTStoredEvent *)event withCustomMessage:(NSString *)message {
-  // See if this binary is already in the list of pending notifications.
-  NSPredicate *predicate =
-      [NSPredicate predicateWithFormat:@"event.fileSHA256==%@", event.fileSHA256];
-  if ([[self.pendingNotifications filteredArrayUsingPredicate:predicate] count]) return;
-
-  // See if this binary is silenced.
-  NSUserDefaults *ud = [NSUserDefaults standardUserDefaults];
-  NSDate *silenceDate = [ud objectForKey:silencedNotificationsKey][event.fileSHA256];
-  if ([silenceDate isKindOfClass:[NSDate class]]) {
-    NSDate *oneDayAgo = [NSDate dateWithTimeIntervalSinceNow:-86400];
-    if ([silenceDate compare:[NSDate date]] == NSOrderedDescending) {
-      LOGI(@"Notification silence: date is in the future, ignoring");
-      [self updateSilenceDate:nil forHash:event.fileSHA256];
-    } else if ([silenceDate compare:oneDayAgo] == NSOrderedAscending) {
-      LOGI(@"Notification silence: date is more than one day ago, ignoring");
-      [self updateSilenceDate:nil forHash:event.fileSHA256];
-    } else {
-      LOGI(@"Notification silence: dropping notification for %@", event.fileSHA256);
-      return;
-    }
-  }
-
-  if (!event) {
-    LOGI(@"Error: Missing event object in message received from daemon!");
-    return;
-  }
-
-  // Notifications arrive on a background thread but UI updates must happen on the main thread.
-  // This includes making windows.
-  dispatch_async(dispatch_get_main_queue(), ^{
-    SNTMessageWindowController *pendingMsg =
-        [[SNTMessageWindowController alloc] initWithEvent:event andMessage:message];
-    pendingMsg.delegate = self;
-    [self.pendingNotifications addObject:pendingMsg];
-
-    // If a notification isn't currently being displayed, display the incoming one.
-    if (!self.currentWindowController) {
-      self.currentWindowController = pendingMsg;
-      [pendingMsg showWindow:nil];
-      if (self.currentWindowController.event.needsBundleHash) {
-        dispatch_async(self.hashBundleBinariesQueue, ^{
-          [self hashBundleBinariesForEvent:self.currentWindowController.event];
-        });
-      }
-    }
-  });
-}
-
-- (void)postRuleSyncNotificationWithCustomMessage:(NSString *)message {
-  NSUserNotification *un = [[NSUserNotification alloc] init];
-  un.title = @"Santa";
-  un.hasActionButton = NO;
-  un.informativeText = message ?: @"Requested application can now be run";
-  [[NSUserNotificationCenter defaultUserNotificationCenter] deliverNotification:un];
-}
-
-#pragma mark SNTBundleNotifierXPC protocol methods
-
-- (void)updateCountsForEvent:(SNTStoredEvent *)event
-                 binaryCount:(uint64_t)binaryCount
-                   fileCount:(uint64_t)fileCount
-                 hashedCount:(uint64_t)hashedCount {
-  if ([self.currentWindowController.event.idx isEqual:event.idx]) {
-    dispatch_async(dispatch_get_main_queue(), ^{
-      self.currentWindowController.foundFileCountLabel.stringValue =
-          [NSString stringWithFormat:@"%llu binaries / %llu %@",
-               binaryCount, hashedCount ?: fileCount, hashedCount ? @"hashed" : @"files"];
-    });
-  }
-}
-
-- (void)setBundleServiceListener:(NSXPCListenerEndpoint *)listener {
-  // Ensure any existing listener is invalidated.
-  self.bundleServiceConnection.invalidationHandler = nil;
-  [self.bundleServiceConnection invalidate];
-  
-  MOLXPCConnection *c = [[MOLXPCConnection alloc] initClientWithListener:listener];
-  c.remoteInterface = [SNTXPCBundleServiceInterface bundleServiceInterface];
-  [c resume];
-  self.bundleServiceConnection = c;
-
-  WEAKIFY(self);
-  self.bundleServiceConnection.invalidationHandler = ^{
-    STRONGIFY(self);
-    if (self.currentWindowController) {
-      [self updateBlockNotification:self.currentWindowController.event withBundleHash:nil];
-    }
-  };
-
-  dispatch_semaphore_signal(self.bundleServiceSema);
-}
-
-#pragma mark SNTBundleNotifierXPC helper methods
-
-- (void)hashBundleBinariesForEvent:(SNTStoredEvent *)event {
-  self.currentWindowController.foundFileCountLabel.stringValue = @"Searching for files...";
-
-  // Wait a max of 6 secs for the bundle service. Should the bundle service fall over, it will
-  // reconnect within 5 secs. Otherwise abandon bundle hashing and display the blockable event.
-  if (dispatch_semaphore_wait(self.bundleServiceSema,
-                              dispatch_time(DISPATCH_TIME_NOW, 6 * NSEC_PER_SEC))) {
-    [self updateBlockNotification:event withBundleHash:nil];
-    return;
-  }
-
-  // Let all future requests flow, until the connection is terminated and we go back to waiting.
-  dispatch_semaphore_signal(self.bundleServiceSema);
-
-  // NSProgress becomes current for this thread. XPC messages vend a child node to the receiver.
-  [self.currentWindowController.progress becomeCurrentWithPendingUnitCount:100];
-
-  // Start hashing. Progress is reported to the root NSProgress (currentWindowController.progress).
-  [[self.bundleServiceConnection remoteObjectProxy]
-      hashBundleBinariesForEvent:event
-                           reply:^(NSString *bh, NSArray<SNTStoredEvent *> *events, NSNumber *ms) {
-    // Revert to displaying the blockable event if we fail to calculate the bundle hash
-    if (!bh) return [self updateBlockNotification:event withBundleHash:nil];
-
-    event.fileBundleHash = bh;
-    event.fileBundleBinaryCount = @(events.count);
-    event.fileBundleHashMilliseconds = ms;
-    event.fileBundleExecutableRelPath = [events.firstObject fileBundleExecutableRelPath];
-    for (SNTStoredEvent *se in events) {
-      se.fileBundleHash = bh;
-      se.fileBundleBinaryCount = @(events.count);
-      se.fileBundleHashMilliseconds = ms;
-    }
-
-    // Send the results to santad. It will decide if they need to be synced.
-    MOLXPCConnection *daemonConn = [SNTXPCControlInterface configuredConnection];
-    [daemonConn resume];
-    [[daemonConn remoteObjectProxy] syncBundleEvent:event relatedEvents:events];
-    [daemonConn invalidate];
-
-    // Update the UI with the bundle hash. Also make the openEventButton available.
-    [self updateBlockNotification:event withBundleHash:bh];
-  }];
-  [self.currentWindowController.progress resignCurrent];
-}
-
-- (void)updateBlockNotification:(SNTStoredEvent *)event withBundleHash:(NSString *)bundleHash {
-  dispatch_async(dispatch_get_main_queue(), ^{
-    if ([self.currentWindowController.event.idx isEqual:event.idx]) {
-      if (bundleHash) {
-        [self.currentWindowController.bundleHashLabel setHidden:NO];
-      } else {
-        [self.currentWindowController.bundleHashLabel removeFromSuperview];
-        [self.currentWindowController.bundleHashTitle removeFromSuperview];
-      }
-      self.currentWindowController.event.fileBundleHash = bundleHash;
-      [self.currentWindowController.foundFileCountLabel removeFromSuperview];
-      [self.currentWindowController.hashingIndicator setHidden:YES];
-      [self.currentWindowController.openEventButton setEnabled:YES];
-    }
-  });
-}
-
-@end

Source/common/BUILD

@@ -1,16 +1,164 @@
-package(default_visibility = ["//visibility:public"])
-
-licenses(["notice"])  # Apache 2.0
-
+load("@rules_cc//cc:defs.bzl", "cc_proto_library")
 load("//:helper.bzl", "santa_unit_test")
 
+package(
+    default_visibility = ["//:santa_package_group"],
+)
+
+licenses(["notice"])
+
+proto_library(
+    name = "santa_proto",
+    srcs = ["santa.proto"],
+    deps = [
+        "@com_google_protobuf//:any_proto",
+        "@com_google_protobuf//:timestamp_proto",
+    ],
+)
+
+cc_proto_library(
+    name = "santa_cc_proto",
+    deps = [":santa_proto"],
+)
+
+# Note: Simple wrapper for a `cc_proto_library` target which cannot be directly
+# depended upon by an `objc_library` target.
+cc_library(
+    name = "santa_cc_proto_library_wrapper",
+    hdrs = ["santa_proto_include_wrapper.h"],
+    deps = [
+        ":santa_cc_proto",
+    ],
+)
+
+objc_library(
+    name = "SystemResources",
+    srcs = ["SystemResources.mm"],
+    hdrs = ["SystemResources.h"],
+    deps = [
+        ":SNTLogging",
+    ],
+)
+
+objc_library(
+    name = "SNTDeepCopy",
+    srcs = ["SNTDeepCopy.m"],
+    hdrs = ["SNTDeepCopy.h"],
+)
+
+cc_library(
+    name = "SantaCache",
+    hdrs = ["SantaCache.h"],
+    deps = [":BranchPrediction"],
+)
+
+santa_unit_test(
+    name = "SantaCacheTest",
+    srcs = ["SantaCacheTest.mm"],
+    deps = [
+        ":SantaCache",
+    ],
+)
+
+# This target shouldn't be used directly.
+# Use a more specific scoped type instead.
+objc_library(
+    name = "ScopedTypeRef",
+    hdrs = ["ScopedTypeRef.h"],
+    visibility = ["//Source/common:__pkg__"],
+)
+
+objc_library(
+    name = "ScopedCFTypeRef",
+    hdrs = ["ScopedCFTypeRef.h"],
+    deps = [
+        ":ScopedTypeRef",
+    ],
+)
+
+santa_unit_test(
+    name = "ScopedCFTypeRefTest",
+    srcs = ["ScopedCFTypeRefTest.mm"],
+    sdk_frameworks = [
+        "Security",
+    ],
+    deps = [
+        ":ScopedCFTypeRef",
+    ],
+)
+
+objc_library(
+    name = "ScopedIOObjectRef",
+    hdrs = ["ScopedIOObjectRef.h"],
+    sdk_frameworks = [
+        "IOKit",
+    ],
+    deps = [
+        ":ScopedTypeRef",
+    ],
+)
+
+santa_unit_test(
+    name = "ScopedIOObjectRefTest",
+    srcs = ["ScopedIOObjectRefTest.mm"],
+    sdk_frameworks = [
+        "IOKit",
+    ],
+    deps = [
+        ":ScopedIOObjectRef",
+        "//Source/santad:EndpointSecuritySerializerUtilities",
+    ],
+)
+
+objc_library(
+    name = "BranchPrediction",
+    hdrs = ["BranchPrediction.h"],
+)
+
+objc_library(
+    name = "SantaVnode",
+    hdrs = ["SantaVnode.h"],
+)
+
+objc_library(
+    name = "Platform",
+    hdrs = ["Platform.h"],
+)
+
+objc_library(
+    name = "String",
+    hdrs = ["String.h"],
+)
+
+objc_library(
+    name = "SantaVnodeHash",
+    srcs = ["SantaVnodeHash.mm"],
+    hdrs = ["SantaVnodeHash.h"],
+    deps = [
+        ":SantaCache",
+        ":SantaVnode",
+    ],
+)
+
+objc_library(
+    name = "CertificateHelpers",
+    srcs = ["CertificateHelpers.m"],
+    hdrs = ["CertificateHelpers.h"],
+    deps = [
+        "@MOLCertificate",
+    ],
+)
+
 objc_library(
     name = "SNTBlockMessage",
     srcs = ["SNTBlockMessage.m"],
     hdrs = ["SNTBlockMessage.h"],
     deps = [
         ":SNTConfigurator",
+        ":SNTFileAccessEvent",
+        ":SNTLogging",
         ":SNTStoredEvent",
+        ":SNTSystemInfo",
     ],
 )
 
@@ -18,40 +166,91 @@ objc_library(
     name = "SNTBlockMessage_SantaGUI",
     srcs = ["SNTBlockMessage.m"],
     hdrs = ["SNTBlockMessage.h"],
+    defines = ["SANTAGUI"],
     deps = [
         ":SNTConfigurator",
+        ":SNTFileAccessEvent",
+        ":SNTLogging",
         ":SNTStoredEvent",
+        ":SNTSystemInfo",
     ],
-    defines = ["SANTAGUI"],
 )
 
 objc_library(
     name = "SNTCachedDecision",
-    srcs = ["SNTCachedDecision.m"],
+    srcs = ["SNTCachedDecision.mm"],
     hdrs = ["SNTCachedDecision.h"],
     deps = [
         ":SNTCommonEnums",
-        ":SNTKernelCommon",
+        ":SantaVnode",
     ],
 )
 
-cc_library(
+objc_library(
+    name = "SNTDeviceEvent",
+    srcs = ["SNTDeviceEvent.m"],
+    hdrs = ["SNTDeviceEvent.h"],
+    module_name = "santa_common_SNTDeviceEvent",
+    sdk_frameworks = [
+        "Foundation",
+    ],
+    deps = [
+        ":SNTCommonEnums",
+    ],
+)
+
+objc_library(
+    name = "SNTFileAccessEvent",
+    srcs = ["SNTFileAccessEvent.m"],
+    hdrs = ["SNTFileAccessEvent.h"],
+    module_name = "santa_common_SNTFileAccessEvent",
+    sdk_frameworks = [
+        "Foundation",
+    ],
+    deps = [
+        ":CertificateHelpers",
+        "@MOLCertificate",
+    ],
+)
+
+objc_library(
     name = "SNTCommonEnums",
-    hdrs = ["SNTCommonEnums.h"],
+    textual_hdrs = ["SNTCommonEnums.h"],
 )
 
 objc_library(
     name = "SNTConfigurator",
     srcs = ["SNTConfigurator.m"],
     hdrs = ["SNTConfigurator.h"],
+    module_name = "santa_common_SNTConfigurator",
+    sdk_frameworks = [
+        "Foundation",
+    ],
     deps = [
         ":SNTCommonEnums",
-        ":SNTLogging",
+        ":SNTRule",
         ":SNTStrengthify",
         ":SNTSystemInfo",
     ],
 )
 
+objc_library(
+    name = "SNTKVOManager",
+    srcs = ["SNTKVOManager.mm"],
+    hdrs = ["SNTKVOManager.h"],
+    deps = [
+        ":SNTLogging",
+    ],
+)
+
+santa_unit_test(
+    name = "SNTKVOManagerTest",
+    srcs = ["SNTKVOManagerTest.mm"],
+    deps = [
+        ":SNTKVOManager",
+    ],
+)
+
 objc_library(
     name = "SNTDropRootPrivs",
     srcs = ["SNTDropRootPrivs.m"],
@@ -63,32 +262,54 @@ objc_library(
     srcs = ["SNTFileInfo.m"],
     hdrs = ["SNTFileInfo.h"],
     deps = [
+        ":SNTLogging",
         "@FMDB",
         "@MOLCodesignChecker",
     ],
 )
 
-cc_library(
-    name = "SNTKernelCommon",
-    hdrs = ["SNTKernelCommon.h"],
-)
-
-cc_library(
-    name = "SNTLoggingKernel",
-    hdrs = ["SNTLogging.h"],
-)
-
 objc_library(
     name = "SNTLogging",
     srcs = ["SNTLogging.m"],
     hdrs = ["SNTLogging.h"],
+    deps = [":SNTConfigurator"],
+)
+
+objc_library(
+    name = "PrefixTree",
+    hdrs = ["PrefixTree.h"],
+    deps = [
+        ":SNTLogging",
+        "@com_google_absl//absl/synchronization",
+    ],
+)
+
+objc_library(
+    name = "Unit",
+    hdrs = ["Unit.h"],
 )
 
 objc_library(
     name = "SNTRule",
     srcs = ["SNTRule.m"],
     hdrs = ["SNTRule.h"],
-    deps = [":SNTCommonEnums"],
+    sdk_frameworks = [
+        "Foundation",
+    ],
+    deps = [
+        ":SNTCommonEnums",
+        ":SNTSyncConstants",
+    ],
+)
+
+santa_unit_test(
+    name = "SNTRuleTest",
+    srcs = ["SNTRuleTest.m"],
+    deps = [
+        ":SNTCommonEnums",
+        ":SNTRule",
+        ":SNTSyncConstants",
+    ],
 )
 
 objc_library(
@@ -106,27 +327,59 @@ cc_library(
     hdrs = ["SNTStrengthify.h"],
 )
 
+objc_library(
+    name = "SNTSyncConstants",
+    srcs = ["SNTSyncConstants.m"],
+    hdrs = ["SNTSyncConstants.h"],
+    sdk_frameworks = [
+        "Foundation",
+    ],
+)
+
 objc_library(
     name = "SNTSystemInfo",
     srcs = ["SNTSystemInfo.m"],
     hdrs = ["SNTSystemInfo.h"],
-    sdk_frameworks = ["IOKit"],
+    sdk_frameworks = [
+        "Foundation",
+        "IOKit",
+    ],
 )
 
 objc_library(
     name = "SNTXPCBundleServiceInterface",
     srcs = ["SNTXPCBundleServiceInterface.m"],
     hdrs = ["SNTXPCBundleServiceInterface.h"],
-    deps = [":SNTStoredEvent"],
+    deps = [
+        ":SNTStoredEvent",
+        "@MOLXPCConnection",
+    ],
+)
+
+objc_library(
+    name = "SNTXPCMetricServiceInterface",
+    srcs = ["SNTXPCMetricServiceInterface.m"],
+    hdrs = ["SNTXPCMetricServiceInterface.h"],
+    deps = [
+        "@MOLXPCConnection",
+    ],
 )
 
 objc_library(
     name = "SNTXPCControlInterface",
     srcs = ["SNTXPCControlInterface.m"],
     hdrs = ["SNTXPCControlInterface.h"],
+    defines = select({
+        "//:adhoc_build": ["SANTAADHOC"],
+        "//conditions:default": None,
+    }),
     deps = [
+        ":SNTCommonEnums",
+        ":SNTConfigurator",
+        ":SNTRule",
         ":SNTStoredEvent",
         ":SNTXPCUnprivilegedControlInterface",
+        "@MOLCodesignChecker",
         "@MOLXPCConnection",
     ],
 )
@@ -142,12 +395,20 @@ objc_library(
 )
 
 objc_library(
-    name = "SNTXPCSyncdInterface",
-    srcs = ["SNTXPCSyncdInterface.m"],
-    hdrs = ["SNTXPCSyncdInterface.h"],
+    name = "SNTMetricSet",
+    srcs = ["SNTMetricSet.m"],
+    hdrs = ["SNTMetricSet.h"],
+    deps = [":SNTCommonEnums"],
+)
+
+objc_library(
+    name = "SNTXPCSyncServiceInterface",
+    srcs = ["SNTXPCSyncServiceInterface.m"],
+    hdrs = ["SNTXPCSyncServiceInterface.h"],
     deps = [
         ":SNTCommonEnums",
         ":SNTStoredEvent",
+        "@MOLXPCConnection",
     ],
 )
 
@@ -157,10 +418,10 @@ objc_library(
     hdrs = ["SNTXPCUnprivilegedControlInterface.h"],
     deps = [
         ":SNTCommonEnums",
-        ":SNTKernelCommon",
         ":SNTRule",
         ":SNTStoredEvent",
         ":SNTXPCBundleServiceInterface",
+        ":SantaVnode",
         "@MOLCertificate",
         "@MOLXPCConnection",
     ],
@@ -170,6 +431,7 @@ santa_unit_test(
     name = "SNTFileInfoTest",
     srcs = ["SNTFileInfoTest.m"],
     resources = [
+        "testdata/32bitplist",
         "testdata/bad_pagezero",
         "testdata/missing_pagezero",
     ],
@@ -179,3 +441,81 @@ santa_unit_test(
     ]),
     deps = [":SNTFileInfo"],
 )
+
+santa_unit_test(
+    name = "PrefixTreeTest",
+    srcs = ["PrefixTreeTest.mm"],
+    deps = [":PrefixTree"],
+)
+
+santa_unit_test(
+    name = "SNTMetricSetTest",
+    srcs = ["SNTMetricSetTest.m"],
+    deps = [":SNTMetricSet"],
+)
+
+santa_unit_test(
+    name = "SNTCachedDecisionTest",
+    srcs = ["SNTCachedDecisionTest.mm"],
+    deps = [
+        "//Source/common:SNTCachedDecision",
+        "//Source/common:TestUtils",
+        "@OCMock",
+    ],
+)
+
+santa_unit_test(
+    name = "SNTBlockMessageTest",
+    srcs = ["SNTBlockMessageTest.m"],
+    deps = [
+        ":SNTBlockMessage",
+        ":SNTConfigurator",
+        ":SNTFileAccessEvent",
+        ":SNTStoredEvent",
+        ":SNTSystemInfo",
+        "@OCMock",
+    ],
+)
+
+santa_unit_test(
+    name = "SNTConfiguratorTest",
+    srcs = ["SNTConfiguratorTest.m"],
+    deps = [
+        ":SNTCommonEnums",
+        ":SNTConfigurator",
+        "@OCMock",
+    ],
+)
+
+test_suite(
+    name = "unit_tests",
+    tests = [
+        ":PrefixTreeTest",
+        ":SNTBlockMessageTest",
+        ":SNTCachedDecisionTest",
+        ":SNTConfiguratorTest",
+        ":SNTFileInfoTest",
+        ":SNTKVOManagerTest",
+        ":SNTMetricSetTest",
+        ":SNTRuleTest",
+        ":SantaCacheTest",
+        ":ScopedCFTypeRefTest",
+        ":ScopedIOObjectRefTest",
+    ],
+    visibility = ["//:santa_package_group"],
+)
+
+objc_library(
+    name = "TestUtils",
+    testonly = 1,
+    srcs = ["TestUtils.mm"],
+    hdrs = ["TestUtils.h"],
+    sdk_dylibs = [
+        "bsm",
+    ],
+    deps = [
+        ":SystemResources",
+        "@OCMock",
+        "@com_google_googletest//:gtest",
+    ],
+)

Source/common/BranchPrediction.h

@@ -0,0 +1,22 @@
+/// Copyright 2022 Google LLC
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+#ifndef SANTA__COMMON__BRANCHPREDICTION_H
+#define SANTA__COMMON__BRANCHPREDICTION_H
+
+// Helpful macros to use when the the outcome is largely known
+#define likely(x) __builtin_expect(!!(x), 1)
+#define unlikely(x) __builtin_expect(!!(x), 0)
+
+#endif

Source/common/CertificateHelpers.h

@@ -0,0 +1,43 @@
+/// Copyright 2023 Google LLC
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+#import <Foundation/Foundation.h>
+#import <MOLCertificate/MOLCertificate.h>
+#include <sys/cdefs.h>
+
+__BEGIN_DECLS
+
+/**
+  Return a string representing publisher info from the provided certs
+
+  @param certs A certificate chain
+  @param teamID A team ID to be displayed for apps from the App Store
+
+  @return A string that tries to be more helpful to users by extracting
+  appropriate information from the certificate chain.
+*/
+NSString *Publisher(NSArray<MOLCertificate *> *certs, NSString *teamID);
+
+/**
+  Return an array of the underlying SecCertificateRef's for the given array
+  of MOLCertificates.
+
+  @param certs An array of MOLCertificates
+
+  @return An array of SecCertificateRefs. WARNING: If the refs need to be used
+  for a long time be careful to properly CFRetain/CFRelease the returned items.
+*/
+NSArray<id> *CertificateChain(NSArray<MOLCertificate *> *certs);
+
+__END_DECLS

Source/common/CertificateHelpers.m

@@ -0,0 +1,42 @@
+/// Copyright 2023 Google LLC
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+#import "Source/common/CertificateHelpers.h"
+
+#include <Security/SecCertificate.h>
+
+NSString *Publisher(NSArray<MOLCertificate *> *certs, NSString *teamID) {
+  MOLCertificate *leafCert = [certs firstObject];
+
+  if ([leafCert.commonName isEqualToString:@"Apple Mac OS Application Signing"]) {
+    return [NSString stringWithFormat:@"App Store (Team ID: %@)", teamID];
+  } else if (leafCert.commonName && leafCert.orgName) {
+    return [NSString stringWithFormat:@"%@ - %@", leafCert.orgName, leafCert.commonName];
+  } else if (leafCert.commonName) {
+    return leafCert.commonName;
+  } else if (leafCert.orgName) {
+    return leafCert.orgName;
+  } else {
+    return nil;
+  }
+}
+
+NSArray<id> *CertificateChain(NSArray<MOLCertificate *> *certs) {
+  NSMutableArray *certArray = [NSMutableArray arrayWithCapacity:[certs count]];
+  for (MOLCertificate *cert in certs) {
+    [certArray addObject:(id)cert.certRef];
+  }
+
+  return certArray;
+}

Source/common/Platform.h

@@ -0,0 +1,34 @@
+/// Copyright 2022 Google LLC
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+#ifndef SANTA__COMMON__PLATFORM_H
+#define SANTA__COMMON__PLATFORM_H
+
+#include <Availability.h>
+
+#if defined(MAC_OS_VERSION_12_0) && \
+    MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_VERSION_12_0
+#define HAVE_MACOS_12 1
+#else
+#define HAVE_MACOS_12 0
+#endif
+
+#if defined(MAC_OS_VERSION_13_0) && \
+    MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_VERSION_13_0
+#define HAVE_MACOS_13 1
+#else
+#define HAVE_MACOS_13 0
+#endif
+
+#endif

Source/common/PrefixTree.h

@@ -0,0 +1,302 @@
+/// Copyright 2022 Google LLC
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+#ifndef SANTA__COMMON__PREFIXTREE_H
+#define SANTA__COMMON__PREFIXTREE_H
+
+#include <sys/syslimits.h>
+
+#include <optional>
+
+#import "Source/common/SNTLogging.h"
+#include "absl/synchronization/mutex.h"
+
+#if SANTA_PREFIX_TREE_DEBUG
+#define DEBUG_LOG LOGD
+#else
+#define DEBUG_LOG(format, ...)  // NOP
+#endif
+
+namespace santa::common {
+
+template <typename ValueT>
+class PrefixTree {
+ private:
+  // Forward declaration
+  enum class NodeType;
+  class TreeNode;
+
+ public:
+  PrefixTree(uint32_t max_depth = PATH_MAX)
+      : root_(new TreeNode()), max_depth_(max_depth), node_count_(0) {}
+
+  ~PrefixTree() { PruneLocked(root_); }
+
+  bool InsertPrefix(const char *s, ValueT value) {
+    absl::MutexLock lock(&lock_);
+    return InsertLocked(s, value, NodeType::kPrefix);
+  }
+
+  bool InsertLiteral(const char *s, ValueT value) {
+    absl::MutexLock lock(&lock_);
+    return InsertLocked(s, value, NodeType::kLiteral);
+  }
+
+  bool HasPrefix(const char *input) {
+    absl::ReaderMutexLock lock(&lock_);
+    return HasPrefixLocked(input);
+  }
+
+  std::optional<ValueT> LookupLongestMatchingPrefix(const char *input) {
+    if (!input) {
+      return std::nullopt;
+    }
+
+    absl::ReaderMutexLock lock(&lock_);
+    return LookupLongestMatchingPrefixLocked(input);
+  }
+
+  void Reset() {
+    absl::MutexLock lock(&lock_);
+    PruneLocked(root_);
+    root_ = new TreeNode();
+    node_count_ = 0;
+  }
+
+  uint32_t NodeCount() {
+    absl::ReaderMutexLock lock(&lock_);
+    return node_count_;
+  }
+
+#if SANTA_PREFIX_TREE_DEBUG
+  void Print() {
+    char buf[max_depth_ + 1];
+    memset(buf, 0, sizeof(buf));
+
+    absl::ReaderMutexLock lock(&lock_);
+    PrintLocked(root_, buf, 0);
+  }
+#endif
+
+ private:
+  ABSL_EXCLUSIVE_LOCKS_REQUIRED(lock_)
+  bool InsertLocked(const char *input, ValueT value, NodeType node_type) {
+    const char *p = input;
+    TreeNode *node = root_;
+
+    while (*p) {
+      uint8_t cur_byte = (uint8_t)*p;
+
+      TreeNode *child_node = node->children_[cur_byte];
+      if (!child_node) {
+        // Current node doesn't exist...
+        // Create the rest of the nodes in the tree for the given string
+
+        // Keep a pointer to where this new branch starts from. If the
+        // input length exceeds max_depth, the new branch will need to
+        // be pruned.
+        TreeNode *branch_start_node = node;
+        uint8_t branch_start_byte = (uint8_t)*p;
+
+        do {
+          TreeNode *new_node = new TreeNode();
+          node->children_[cur_byte] = new_node;
+          node = new_node;
+          node_count_++;
+
+          // Check current depth...
+          if (p - input >= max_depth_) {
+            // Attempted to add a string that exceeded max depth
+            // Prune tree from start of this new branch
+            PruneLocked(branch_start_node->children_[branch_start_byte]);
+            branch_start_node->children_[branch_start_byte] = nullptr;
+
+            return false;
+          }
+
+          cur_byte = (uint8_t) * ++p;
+        } while (*p);
+
+        node->node_type_ = node_type;
+        node->value_ = value;
+
+        return true;
+      } else if (*(p + 1) == '\0') {
+        // Current node exists and we're at the end of our input...
+        // Note: The current node's data will be overwritten
+
+        // Only increment node count if the previous node type wasn't already a
+        // prefix or literal type (in which case it was already counted)
+        if (child_node->node_type_ == NodeType::kInner) {
+          node_count_++;
+        }
+
+        child_node->node_type_ = node_type;
+        child_node->value_ = value;
+        return true;
+      }
+
+      node = child_node;
+      p++;
+    }
+
+    // Should only get here when input is an empty string
+    return false;
+  }
+
+  ABSL_SHARED_LOCKS_REQUIRED(lock_)
+  bool HasPrefixLocked(const char *input) {
+    TreeNode *node = root_;
+    const char *p = input;
+
+    while (*p) {
+      node = node->children_[(uint8_t)*p++];
+
+      if (!node) {
+        break;
+      }
+
+      if (node->node_type_ == NodeType::kPrefix ||
+          (*p == '\0' && node->node_type_ == NodeType::kLiteral)) {
+        return true;
+      }
+    }
+
+    return false;
+  }
+
+  ABSL_SHARED_LOCKS_REQUIRED(lock_)
+  std::optional<ValueT> LookupLongestMatchingPrefixLocked(const char *input) {
+    TreeNode *node = root_;
+    TreeNode *match = nullptr;
+    const char *p = input;
+
+    while (*p) {
+      node = node->children_[(uint8_t)*p++];
+
+      if (!node) {
+        break;
+      }
+
+      if (node->node_type_ == NodeType::kPrefix ||
+          (*p == '\0' && node->node_type_ == NodeType::kLiteral)) {
+        match = node;
+      }
+    }
+
+    return match ? std::make_optional<ValueT>(match->value_) : std::nullopt;
+  }
+
+  ABSL_EXCLUSIVE_LOCKS_REQUIRED(lock_)
+  void PruneLocked(TreeNode *target) {
+    if (!target) {
+      return;
+    }
+
+    // For deep trees, a recursive approach will generate too many stack frames.
+    // Since the depth of the tree is configurable, err on the side of caution
+    // and use a "stack" to walk the tree in a non-recursive manner.
+    TreeNode **stack = new TreeNode *[node_count_ + 1];
+    if (!stack) {
+      LOGE(@"Unable to prune tree!");
+      return;
+    }
+
+    uint32_t count = 0;
+
+    // Seed the "stack" with a starting node.
+    stack[count++] = target;
+
+    // Start at the target node and walk the tree to find and delete all the
+    // sub-nodes.
+    while (count) {
+      TreeNode *node = stack[--count];
+
+      for (int i = 0; i < 256; ++i) {
+        if (!node->children_[i]) {
+          continue;
+        }
+        stack[count++] = node->children_[i];
+      }
+
+      delete node;
+      --node_count_;
+    }
+
+    delete[] stack;
+  }
+
+#if SANTA_PREFIX_TREE_DEBUG
+  ABSL_SHARED_LOCKS_REQUIRED(lock_)
+  void PrintLocked(TreeNode *node, char *buf, uint32_t depth) {
+    for (size_t i = 0; i < 256; i++) {
+      TreeNode *cur_node = node->children_[i];
+      if (cur_node) {
+        buf[depth] = i;
+        if (cur_node->node_type_ != NodeType::kInner) {
+          printf("\t%s (type: %s)\n", buf,
+                 cur_node->node_type_ == NodeType::kPrefix ? "prefix" : "literal");
+        }
+        PrintLocked(cur_node, buf, depth + 1);
+        buf[depth] = '\0';
+      }
+    }
+  }
+#endif
+
+  enum class NodeType {
+    kInner = 0,
+    kPrefix,
+    kLiteral,
+  };
+
+  ///
+  ///  TreeNode is a wrapper class that represents one byte.
+  ///  1 node can represent a whole ASCII character.
+  ///  For example a pointer to the 'A' node will be stored at children[0x41].
+  ///  It takes 1-4 nodes to represent a UTF-8 encoded Unicode character.
+  ///
+  ///  The path for "/🤘" would look like this:
+  ///      children[0x2f] -> children[0xf0] -> children[0x9f] -> children[0xa4]
+  ///      -> children[0x98]
+  ///
+  ///  The path for "/dev" is:
+  ///      children[0x2f] -> children[0x64] -> children[0x65] -> children[0x76]
+  ///
+  ///  Lookups of children are O(1).
+  ///
+  ///  Having the nodes represented by a smaller width, such as a nibble (1/2
+  ///  byte), would drastically decrease the memory footprint but would double
+  ///  required dereferences.
+  ///
+  ///  TODO(bur): Potentially convert this into a full on radix tree.
+  ///
+  class TreeNode {
+   public:
+    TreeNode() : children_(), node_type_(NodeType::kInner) {}
+    ~TreeNode() = default;
+    TreeNode *children_[256];
+    PrefixTree::NodeType node_type_;
+    ValueT value_;
+  };
+
+  TreeNode *root_;
+  const uint32_t max_depth_;
+  uint32_t node_count_ ABSL_GUARDED_BY(lock_);
+  absl::Mutex lock_;
+};
+
+}  // namespace santa::common
+
+#endif

Source/common/PrefixTreeTest.mm

@@ -0,0 +1,224 @@
+/// Copyright 2022 Google LLC
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+#import <XCTest/XCTest.h>
+
+#define SANTA_PREFIX_TREE_DEBUG 1
+#include "Source/common/PrefixTree.h"
+
+using santa::common::PrefixTree;
+
+@interface PrefixTreeTest : XCTestCase
+@end
+
+@implementation PrefixTreeTest
+
+- (void)testBasic {
+  PrefixTree<int> tree;
+
+  XCTAssertFalse(tree.HasPrefix("/foo/bar/baz"));
+  XCTAssertFalse(tree.HasPrefix("/foo/bar.txt"));
+  XCTAssertFalse(tree.HasPrefix("/baz"));
+
+  XCTAssertTrue(tree.InsertPrefix("/foo", 12));
+  XCTAssertTrue(tree.InsertPrefix("/bar", 34));
+  XCTAssertTrue(tree.InsertLiteral("/foo/bar", 56));
+
+  // Re-inserting something that exists is allowed
+  XCTAssertTrue(tree.InsertLiteral("/foo", 78));
+  XCTAssertTrue(tree.InsertPrefix("/foo", 56));
+
+  XCTAssertTrue(tree.HasPrefix("/foo/bar/baz"));
+  XCTAssertTrue(tree.HasPrefix("/foo/bar.txt"));
+  XCTAssertFalse(tree.HasPrefix("/baz"));
+
+  // Empty strings are not supported
+  XCTAssertFalse(tree.InsertLiteral("", 0));
+  XCTAssertFalse(tree.InsertPrefix("", 0));
+}
+
+- (void)testHasPrefix {
+  PrefixTree<int> tree;
+
+  XCTAssertTrue(tree.InsertPrefix("/foo", 0));
+  XCTAssertTrue(tree.InsertLiteral("/bar", 0));
+  XCTAssertTrue(tree.InsertLiteral("/baz", 0));
+  XCTAssertTrue(tree.InsertLiteral("/qaz", 0));
+
+  // Check that a tree with a matching prefix is successful
+  XCTAssertTrue(tree.HasPrefix("/foo.txt"));
+
+  // This shouldn't succeed because `/bar` `/baz` and `qaz` are literals
+  XCTAssertFalse(tree.HasPrefix("/bar.txt"));
+  XCTAssertFalse(tree.HasPrefix("/baz.txt"));
+  XCTAssertFalse(tree.HasPrefix("/qaz.txt"));
+
+  // Now change `/bar` to a prefix type and retest HasPrefix
+  // `/bar.txt` should now succeed, but `/baz.txt` should still not pass
+  XCTAssertTrue(tree.InsertPrefix("/bar", 0));
+  XCTAssertTrue(tree.HasPrefix("/bar.txt"));
+  XCTAssertFalse(tree.HasPrefix("/baz.txt"));
+  XCTAssertFalse(tree.HasPrefix("/qaz.txt"));
+
+  // Insert a new prefix string to allow `/baz.txt` to have a valid prefix
+  XCTAssertTrue(tree.InsertPrefix("/b", 0));
+  XCTAssertTrue(tree.HasPrefix("/baz.txt"));
+  XCTAssertFalse(tree.HasPrefix("/qaz.txt"));
+
+  // An exact match on a literal allows HasPrefix to succeed
+  XCTAssertTrue(tree.InsertLiteral("/qaz.txt", 0));
+  XCTAssertTrue(tree.HasPrefix("/qaz.txt"));
+}
+
+- (void)testLookupLongestMatchingPrefix {
+  PrefixTree<int> tree;
+
+  XCTAssertTrue(tree.InsertPrefix("/foo", 12));
+  XCTAssertTrue(tree.InsertPrefix("/bar", 34));
+  XCTAssertTrue(tree.InsertPrefix("/foo/bar.txt", 56));
+
+  std::optional<int> value;
+
+  // Matching exact prefix
+  value = tree.LookupLongestMatchingPrefix("/foo");
+  XCTAssertEqual(value.value_or(0), 12);
+
+  // Ensure changing node type works as expected
+  // Literals must match exactly.
+  value = tree.LookupLongestMatchingPrefix("/foo/bar.txt.tmp");
+  XCTAssertEqual(value.value_or(0), 56);
+  XCTAssertTrue(tree.InsertLiteral("/foo/bar.txt", 90));
+  value = tree.LookupLongestMatchingPrefix("/foo/bar.txt.tmp");
+  XCTAssertEqual(value.value_or(0), 12);
+
+  // Inserting over an exiting node returns the new value
+  XCTAssertTrue(tree.InsertPrefix("/foo", 78));
+  value = tree.LookupLongestMatchingPrefix("/foo");
+  XCTAssertEqual(value.value_or(0), 78);
+
+  // No matching prefix
+  value = tree.LookupLongestMatchingPrefix("/asdf");
+  XCTAssertEqual(value.value_or(0), 0);
+}
+
+- (void)testNodeCounts {
+  const uint32_t maxDepth = 100;
+  PrefixTree<int> tree(100);
+
+  XCTAssertEqual(tree.NodeCount(), 0);
+
+  // Start with a small string
+  XCTAssertTrue(tree.InsertPrefix("asdf", 0));
+  XCTAssertEqual(tree.NodeCount(), 4);
+
+  // Add a couple more characters to the existing string
+  XCTAssertTrue(tree.InsertPrefix("asdfgh", 0));
+  XCTAssertEqual(tree.NodeCount(), 6);
+
+  // Inserting a string that exceeds max depth doesn't increase node count
+  XCTAssertFalse(tree.InsertPrefix(std::string(maxDepth + 10, 'A').c_str(), 0));
+  XCTAssertEqual(tree.NodeCount(), 6);
+
+  // Add a new string that is a prefix of an existing string
+  // This should increment the count by one since a new terminal node exists
+  XCTAssertTrue(tree.InsertPrefix("as", 0));
+  XCTAssertEqual(tree.NodeCount(), 7);
+
+  // Re-inserting onto an existing node shouldn't modify the count
+  tree.InsertLiteral("as", 0);
+  tree.InsertPrefix("as", 0);
+  XCTAssertEqual(tree.NodeCount(), 7);
+}
+
+- (void)testReset {
+  // Ensure resetting a tree removes all content
+  PrefixTree<int> tree;
+
+  tree.Reset();
+  XCTAssertEqual(tree.NodeCount(), 0);
+
+  XCTAssertTrue(tree.InsertPrefix("asdf", 0));
+  XCTAssertTrue(tree.InsertPrefix("qwerty", 0));
+
+  XCTAssertTrue(tree.HasPrefix("asdf"));
+  XCTAssertTrue(tree.HasPrefix("qwerty"));
+  XCTAssertEqual(tree.NodeCount(), 10);
+
+  tree.Reset();
+  XCTAssertFalse(tree.HasPrefix("asdf"));
+  XCTAssertFalse(tree.HasPrefix("qwerty"));
+  XCTAssertEqual(tree.NodeCount(), 0);
+}
+
+- (void)testComplexValues {
+  class Foo {
+   public:
+    Foo(int x) : x_(x) {}
+    int X() { return x_; }
+
+   private:
+    int x_;
+  };
+
+  PrefixTree<std::shared_ptr<Foo>> tree;
+
+  XCTAssertTrue(tree.InsertPrefix("foo", std::make_shared<Foo>(123)));
+  XCTAssertTrue(tree.InsertPrefix("bar", std::make_shared<Foo>(456)));
+
+  std::optional<std::shared_ptr<Foo>> value;
+  value = tree.LookupLongestMatchingPrefix("foo");
+  XCTAssertTrue(value.has_value() && value->get()->X() == 123);
+
+  value = tree.LookupLongestMatchingPrefix("bar");
+  XCTAssertTrue(value.has_value() && value->get()->X() == 456);
+
+  value = tree.LookupLongestMatchingPrefix("asdf");
+  XCTAssertFalse(value.has_value());
+}
+
+- (void)testThreading {
+  uint32_t count = 4096;
+  auto t = new PrefixTree<int>(count * (uint32_t)[NSUUID UUID].UUIDString.length);
+
+  __block NSMutableArray *UUIDs = [NSMutableArray arrayWithCapacity:count];
+  for (int i = 0; i < count; ++i) {
+    [UUIDs addObject:[NSUUID UUID].UUIDString];
+  }
+
+  __block _Atomic BOOL stop = NO;
+
+  // Create a bunch of background noise.
+  dispatch_async(dispatch_get_global_queue(0, 0), ^{
+    for (uint64_t i = 0; i < UINT64_MAX; ++i) {
+      dispatch_async(dispatch_get_global_queue(0, 0), ^{
+        t->HasPrefix([UUIDs[i % count] UTF8String]);
+      });
+      if (stop) return;
+    }
+  });
+
+  // Fill up the tree.
+  dispatch_apply(count, dispatch_get_global_queue(0, 0), ^(size_t i) {
+    XCTAssertEqual(t->InsertPrefix([UUIDs[i] UTF8String], 0), true);
+  });
+
+  // Make sure every leaf byte is found.
+  dispatch_apply(count, dispatch_get_global_queue(0, 0), ^(size_t i) {
+    XCTAssertTrue(t->HasPrefix([UUIDs[i] UTF8String]));
+  });
+
+  stop = YES;
+}
+
+@end

Source/common/SNTBlockMessage.h

@@ -18,26 +18,38 @@
 #import <Foundation/Foundation.h>
 #endif
 
+#import "Source/common/SNTFileAccessEvent.h"
+#import "Source/common/SNTStoredEvent.h"
+
 @class SNTStoredEvent;
 
 @interface SNTBlockMessage : NSObject
 
 ///
 ///  Return a message suitable for presenting to the user.
-///  Uses either the configured message depending on the event type or a custom message
-///  if the rule that blocked this file included one.
 ///
 ///  In SantaGUI this will return an NSAttributedString with links and formatting included
 ///  while for santad all HTML will be properly stripped.
 ///
++ (NSAttributedString *)formatMessage:(NSString *)message;
+
+///
+///  Uses either the configured message depending on the event type or a custom message
+///  if the rule that blocked this file included one, formatted using
+///  +[SNTBlockMessage formatMessage].
+///
 + (NSAttributedString *)attributedBlockMessageForEvent:(SNTStoredEvent *)event
                                          customMessage:(NSString *)customMessage;
 
++ (NSAttributedString *)attributedBlockMessageForFileAccessEvent:(SNTFileAccessEvent *)event
+                                                   customMessage:(NSString *)customMessage;
+
 ///
 ///  Return a URL generated from the EventDetailURL configuration key
 ///  after replacing templates in the URL with values from the event.
 ///
-+ (NSURL *)eventDetailURLForEvent:(SNTStoredEvent *)event;
++ (NSURL *)eventDetailURLForEvent:(SNTStoredEvent *)event customURL:(NSString *)url;
++ (NSURL *)eventDetailURLForFileAccessEvent:(SNTFileAccessEvent *)event customURL:(NSString *)url;
 
 ///
 ///  Strip HTML from a string, replacing <br /> with newline.

Source/common/SNTBlockMessage.m

@@ -15,37 +15,55 @@
 #import "Source/common/SNTBlockMessage.h"
 
 #import "Source/common/SNTConfigurator.h"
+#import "Source/common/SNTFileAccessEvent.h"
 #import "Source/common/SNTLogging.h"
 #import "Source/common/SNTStoredEvent.h"
+#import "Source/common/SNTSystemInfo.h"
 
 @implementation SNTBlockMessage
 
-+ (NSAttributedString *)attributedBlockMessageForEvent:(SNTStoredEvent *)event
-                                         customMessage:(NSString *)customMessage {
-  NSString *htmlHeader = @"<html><head><style>"
-      @"body {"
-      @"  font-family: 'Lucida Grande', 'Helvetica', sans-serif;"
-      @"  font-size: 13px;"
-      @"  color: %@;"
-      @"  text-align: center;"
-      @"}"
++ (NSAttributedString *)formatMessage:(NSString *)message {
+  NSString *htmlHeader =
+    @"<html><head><style>"
+    @"body {"
+    @"  font-family: 'Lucida Grande', 'Helvetica', sans-serif;"
+    @"  font-size: 13px;"
+    @"  color: %@;"
+    @"  text-align: center;"
+    @"}"
 
-      // Supported in beta WebKit. Not sure if it is dynamic when used with NSAttributedString.
-      @"@media (prefers-color-scheme: dark) {"
-      @"  body {"
-      @"    color: #ddd;"
-      @"  }"
-      @"}"
-      @"</style></head><body>";
+    // Supported in beta WebKit. Not sure if it is dynamic when used with NSAttributedString.
+    @"@media (prefers-color-scheme: dark) {"
+    @"  body {"
+    @"    color: #ddd;"
+    @"  }"
+    @"}"
+    @"</style></head><body>";
 
   // Support Dark Mode. Note, the returned NSAttributedString is static and does not update when
   // the OS switches modes.
   NSString *mode = [NSUserDefaults.standardUserDefaults stringForKey:@"AppleInterfaceStyle"];
-  BOOL dark =  [mode isEqualToString:@"Dark"];
+  BOOL dark = [mode isEqualToString:@"Dark"];
   htmlHeader = [NSString stringWithFormat:htmlHeader, dark ? @"#ddd" : @"#333"];
 
   NSString *htmlFooter = @"</body></html>";
 
+  NSString *fullHTML = [NSString stringWithFormat:@"%@%@%@", htmlHeader, message, htmlFooter];
+
+#ifdef SANTAGUI
+  NSData *htmlData = [fullHTML dataUsingEncoding:NSUTF8StringEncoding];
+  return [[NSAttributedString alloc] initWithHTML:htmlData documentAttributes:NULL];
+#else
+  NSString *strippedHTML = [self stringFromHTML:fullHTML];
+  if (!strippedHTML) {
+    return [[NSAttributedString alloc] initWithString:@"This binary has been blocked."];
+  }
+  return [[NSAttributedString alloc] initWithString:strippedHTML];
+#endif
+}
+
++ (NSAttributedString *)attributedBlockMessageForEvent:(SNTStoredEvent *)event
+                                         customMessage:(NSString *)customMessage {
   NSString *message;
   if (customMessage.length) {
     message = customMessage;
@@ -62,19 +80,19 @@
                 @"because it has been deemed malicious.";
     }
   }
+  return [SNTBlockMessage formatMessage:message];
+}
 
-  NSString *fullHTML = [NSString stringWithFormat:@"%@%@%@", htmlHeader, message, htmlFooter];
-
-#ifdef SANTAGUI
-  NSData *htmlData = [fullHTML dataUsingEncoding:NSUTF8StringEncoding];
-  return [[NSAttributedString alloc] initWithHTML:htmlData documentAttributes:NULL];
-#else
-  NSString *strippedHTML = [self stringFromHTML:fullHTML];
-  if (!strippedHTML) {
-    return [[NSAttributedString alloc] initWithString:@"This binary has been blocked."];
++ (NSAttributedString *)attributedBlockMessageForFileAccessEvent:(SNTFileAccessEvent *)event
+                                                   customMessage:(NSString *)customMessage {
+  NSString *message = customMessage;
+  if (!message.length) {
+    message = [[SNTConfigurator configurator] fileAccessBlockMessage];
+    if (!message.length) {
+      message = @"Access to a file has been denied.";
+    }
   }
-  return [[NSAttributedString alloc] initWithString:strippedHTML];
-#endif
+  return [SNTBlockMessage formatMessage:message];
 }
 
 + (NSString *)stringFromHTML:(NSString *)html {
@@ -89,13 +107,14 @@
 
   // Strip any HTML tags out of the message. Also remove any content inside <style> tags and
   // replace <br> elements with a newline.
-  NSString *stripXslt = @"<?xml version='1.0' encoding='utf-8'?>"
-      @"<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
-      @"                              xmlns:xhtml='http://www.w3.org/1999/xhtml'>"
-      @"<xsl:output method='text'/>"
-      @"<xsl:template match='br'><xsl:text>\n</xsl:text></xsl:template>"
-      @"<xsl:template match='style'/>"
-      @"</xsl:stylesheet>";
+  NSString *stripXslt =
+    @"<?xml version='1.0' encoding='utf-8'?>"
+    @"<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
+    @"                              xmlns:xhtml='http://www.w3.org/1999/xhtml'>"
+    @"<xsl:output method='text'/>"
+    @"<xsl:template match='br'><xsl:text>\n</xsl:text></xsl:template>"
+    @"<xsl:template match='style'/>"
+    @"</xsl:stylesheet>";
   NSData *data = [xml objectByApplyingXSLTString:stripXslt arguments:NULL error:&error];
   if (error || ![data isKindOfClass:[NSData class]]) {
     return html;
@@ -103,27 +122,127 @@
   return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
 }
 
-+ (NSURL *)eventDetailURLForEvent:(SNTStoredEvent *)event {
++ (NSString *)replaceFormatString:(NSString *)str
+                         withDict:(NSDictionary<NSString *, NSString * (^)()> *)replacements {
+  __block NSString *formatStr = str;
+
+  [replacements
+    enumerateKeysAndObjectsUsingBlock:^(NSString *key, NSString * (^computeValue)(), BOOL *stop) {
+      NSString *value = computeValue();
+      if (value) {
+        formatStr = [formatStr stringByReplacingOccurrencesOfString:key withString:value];
+      }
+    }];
+
+  return formatStr;
+}
+
+// Returns either the generated URL for the passed in event, or an NSURL from the passed in custom
+// URL string. If the custom URL string is the string "null", nil will be returned. If no custom
+// URL is passed and there is no configured EventDetailURL template, nil will be returned.
+// The following "format strings" will be replaced in the URL, if they are present:
+//
+//   %file_identifier%           - The SHA-256 of the binary being executed.
+//   %bundle_or_file_identifier% - The hash of the bundle containing this file or the file itself,
+//                                 if no bundle hash is present.
+//   %username%                  - The executing user's name.
+//   %machine_id%                - The configured machine ID for this host.
+//   %hostname%                  - The machine's FQDN.
+//   %uuid%                      - The machine's UUID.
+//   %serial%                    - The machine's serial number.
+//
++ (NSURL *)eventDetailURLForEvent:(SNTStoredEvent *)event customURL:(NSString *)url {
   SNTConfigurator *config = [SNTConfigurator configurator];
 
-  NSString *formatStr = config.eventDetailURL;
-  if (!formatStr.length) return nil;
-
-  if (event.fileSHA256) {
-    formatStr =
-        [formatStr stringByReplacingOccurrencesOfString:@"%file_sha%"
-                                             withString:event.fileBundleHash ?: event.fileSHA256];
-  }
-  if (event.executingUser) {
-    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%username%"
-                                                     withString:event.executingUser];
-  }
-  if (config.machineID) {
-    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%machine_id%"
-                                                     withString:config.machineID];
+  NSString *formatStr = url;
+  if (!formatStr.length) {
+    formatStr = config.eventDetailURL;
+    if (!formatStr.length) {
+      return nil;
+    }
   }
 
-  return [NSURL URLWithString:formatStr];
+  if ([formatStr isEqualToString:@"null"]) {
+    return nil;
+  }
+
+  // Disabling clang-format. See comment in `eventDetailURLForFileAccessEvent:customURL:`
+  // clang-format off
+  NSDictionary<NSString *, NSString * (^)()> *kvReplacements =
+    [NSDictionary dictionaryWithObjectsAndKeys:
+      // This key is deprecated, use %file_identifier% or %bundle_or_file_identifier%
+      ^{ return event.fileSHA256 ? event.fileBundleHash ?: event.fileSHA256 : nil; },
+                                                 @"%file_sha%",
+      ^{ return event.fileSHA256; },             @"%file_identifier%",
+      ^{ return event.fileSHA256 ? event.fileBundleHash ?: event.fileSHA256 : nil; },
+                                                 @"%bundle_or_file_identifier%",
+      ^{ return event.executingUser; },          @"%username%",
+      ^{ return config.machineID; },             @"%machine_id%",
+      ^{ return [SNTSystemInfo longHostname]; }, @"%hostname%",
+      ^{ return [SNTSystemInfo hardwareUUID]; }, @"%uuid%",
+      ^{ return [SNTSystemInfo serialNumber]; }, @"%serial%",
+      nil];
+  // clang-format on
+
+  formatStr = [SNTBlockMessage replaceFormatString:formatStr withDict:kvReplacements];
+
+  NSURL *u = [NSURL URLWithString:formatStr];
+  if (!u) {
+    LOGW(@"Unable to generate event detail URL for string '%@'", formatStr);
+  }
+
+  return u;
+}
+
+// Returns either the generated URL for the passed in event, or an NSURL from the passed in custom
+// URL string. If the custom URL string is the string "null", nil will be returned. If no custom
+// URL is passed and there is no configured EventDetailURL template, nil will be returned.
+// The following "format strings" will be replaced in the URL, if they are present:
+//
+//   %rule_version%    - The version of the rule that was violated.
+//   %rule_name%       - The name of the rule that was violated.
+//   %file_identifier% - The SHA-256 of the binary being executed.
+//   %accessed_path%   - The path accessed by the binary.
+//   %username%        - The executing user's name.
+//   %machine_id%      - The configured machine ID for this host.
+//   %hostname%        - The machine's FQDN.
+//   %uuid%            - The machine's UUID.
+//   %serial%          - The machine's serial number.
+//
++ (NSURL *)eventDetailURLForFileAccessEvent:(SNTFileAccessEvent *)event customURL:(NSString *)url {
+  if (!url.length || [url isEqualToString:@"null"]) {
+    return nil;
+  }
+
+  SNTConfigurator *config = [SNTConfigurator configurator];
+
+  // Clang format goes wild here. If you use the container literal syntax `@{}` with a block value
+  // type, it seems to break the clang format on/off functionality and breaks formatting for the
+  // remainder of the file.
+  // Using `dictionaryWithObjectsAndKeys` and disabling clang format as a workaround.
+  // clang-format off
+  NSDictionary<NSString *, NSString * (^)()> *kvReplacements =
+    [NSDictionary dictionaryWithObjectsAndKeys:
+      ^{ return event.ruleVersion; },            @"%rule_version%",
+      ^{ return event.ruleName; },               @"%rule_name%",
+      ^{ return event.fileSHA256; },             @"%file_identifier%",
+      ^{ return event.accessedPath; },           @"%accessed_path%",
+      ^{ return event.executingUser; },          @"%username%",
+      ^{ return config.machineID; },             @"%machine_id%",
+      ^{ return [SNTSystemInfo longHostname]; }, @"%hostname%",
+      ^{ return [SNTSystemInfo hardwareUUID]; }, @"%uuid%",
+      ^{ return [SNTSystemInfo serialNumber]; }, @"%serial%",
+      nil];
+  // clang-format on
+
+  NSString *formatStr = [SNTBlockMessage replaceFormatString:url withDict:kvReplacements];
+
+  NSURL *u = [NSURL URLWithString:formatStr];
+  if (!u) {
+    LOGW(@"Unable to generate event detail URL for string '%@'", formatStr);
+  }
+
+  return u;
 }
 
 @end

Source/common/SNTBlockMessageTest.m

@@ -0,0 +1,95 @@
+/// Copyright 2023 Google LLC
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+#import <OCMock/OCMock.h>
+#import <XCTest/XCTest.h>
+
+#import "Source/common/SNTBlockMessage.h"
+#import "Source/common/SNTConfigurator.h"
+#include "Source/common/SNTFileAccessEvent.h"
+#include "Source/common/SNTStoredEvent.h"
+#import "Source/common/SNTSystemInfo.h"
+
+@interface SNTBlockMessageTest : XCTestCase
+@property id mockConfigurator;
+@property id mockSystemInfo;
+@end
+
+@implementation SNTBlockMessageTest
+
+- (void)setUp {
+  self.mockConfigurator = OCMClassMock([SNTConfigurator class]);
+  OCMStub([self.mockConfigurator configurator]).andReturn(self.mockConfigurator);
+  OCMStub([self.mockConfigurator machineID]).andReturn(@"my_mid");
+
+  self.mockSystemInfo = OCMClassMock([SNTSystemInfo class]);
+  OCMStub([self.mockSystemInfo longHostname]).andReturn(@"my_hn");
+  OCMStub([self.mockSystemInfo hardwareUUID]).andReturn(@"my_u");
+  OCMStub([self.mockSystemInfo serialNumber]).andReturn(@"my_s");
+}
+
+- (void)testEventDetailURLForEvent {
+  SNTStoredEvent *se = [[SNTStoredEvent alloc] init];
+
+  se.fileSHA256 = @"my_fi";
+  se.executingUser = @"my_un";
+
+  NSString *url = @"http://"
+                  @"localhost?fs=%file_sha%&fi=%file_identifier%&bfi=%bundle_or_file_identifier%&"
+                  @"un=%username%&mid=%machine_id%&hn=%hostname%&u=%uuid%&s=%serial%";
+  NSString *wantUrl =
+    @"http://"
+    @"localhost?fs=my_fi&fi=my_fi&bfi=my_fi&bfi=my_fi&un=my_un&mid=my_mid&hn=my_hn&u=my_u&s=my_s";
+
+  NSURL *gotUrl = [SNTBlockMessage eventDetailURLForEvent:se customURL:url];
+
+  // Set fileBundleHash and test again for newly expected values
+  se.fileBundleHash = @"my_fbh";
+
+  wantUrl = @"http://"
+            @"localhost?fs=my_fbh&fi=my_fi&bfi=my_fbh&un=my_un&mid=my_mid&hn=my_hn&u=my_u&s=my_s";
+
+  gotUrl = [SNTBlockMessage eventDetailURLForEvent:se customURL:url];
+
+  XCTAssertEqualObjects(gotUrl.absoluteString, wantUrl);
+
+  XCTAssertNil([SNTBlockMessage eventDetailURLForEvent:se customURL:nil]);
+  XCTAssertNil([SNTBlockMessage eventDetailURLForEvent:se customURL:@"null"]);
+}
+
+- (void)testEventDetailURLForFileAccessEvent {
+  SNTFileAccessEvent *fae = [[SNTFileAccessEvent alloc] init];
+
+  fae.ruleVersion = @"my_rv";
+  fae.ruleName = @"my_rn";
+  fae.fileSHA256 = @"my_fi";
+  fae.accessedPath = @"my_ap";
+  fae.executingUser = @"my_un";
+
+  NSString *url = @"http://"
+                  @"localhost?rv=%rule_version%&rn=%rule_name%&fi=%file_identifier%&ap=%accessed_"
+                  @"path%&un=%username%&mid=%machine_id%&hn=%hostname%&u=%uuid%&s=%serial%";
+  NSString *wantUrl =
+    @"http://"
+    @"localhost?rv=my_rv&rn=my_rn&fi=my_fi&ap=my_ap&un=my_un&mid=my_mid&hn=my_hn&u=my_u&s=my_s";
+
+  NSURL *gotUrl = [SNTBlockMessage eventDetailURLForFileAccessEvent:fae customURL:url];
+
+  XCTAssertEqualObjects(gotUrl.absoluteString, wantUrl);
+
+  XCTAssertNil([SNTBlockMessage eventDetailURLForFileAccessEvent:fae customURL:nil]);
+  XCTAssertNil([SNTBlockMessage eventDetailURLForFileAccessEvent:fae customURL:@"null"]);
+}
+
+@end

Source/common/SNTCachedDecision.h

@@ -1,4 +1,4 @@
-/// Copyright 2015 Google Inc. All rights reserved.
+/// Copyright 2015-2022 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -12,25 +12,39 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <EndpointSecurity/EndpointSecurity.h>
 #import <Foundation/Foundation.h>
 
 #import "Source/common/SNTCommonEnums.h"
-#import "Source/common/SNTKernelCommon.h"
+#import "Source/common/SantaVnode.h"
+
+@class MOLCertificate;
 
 ///
 ///  Store information about executions from decision making for later logging.
 ///
 @interface SNTCachedDecision : NSObject
 
-@property santa_vnode_id_t vnodeId;
+- (instancetype)initWithEndpointSecurityFile:(const es_file_t *)esFile;
+
+@property SantaVnode vnodeId;
 @property SNTEventState decision;
+@property SNTClientMode decisionClientMode;
 @property NSString *decisionExtra;
 @property NSString *sha256;
+
 @property NSString *certSHA256;
 @property NSString *certCommonName;
+@property NSArray<MOLCertificate *> *certChain;
+@property NSString *teamID;
+@property NSString *signingID;
+@property NSDictionary *entitlements;
+@property BOOL entitlementsFiltered;
+
 @property NSString *quarantineURL;
 
 @property NSString *customMsg;
+@property NSString *customURL;
 @property BOOL silentBlock;
 
 @end

Source/common/SNTCachedDecision.mm

@@ -0,0 +1,28 @@
+
+/// Copyright 2015-2022 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "Source/common/SNTCachedDecision.h"
+
+@implementation SNTCachedDecision
+
+- (instancetype)initWithEndpointSecurityFile:(const es_file_t *)esFile {
+  self = [super init];
+  if (self) {
+    _vnodeId = SantaVnode::VnodeForFile(esFile);
+  }
+  return self;
+}
+
+@end

Source/common/SNTCachedDecisionTest.mm

@@ -0,0 +1,36 @@
+/// Copyright 2022 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import <XCTest/XCTest.h>
+
+#import "Source/common/SNTCachedDecision.h"
+#include "Source/common/TestUtils.h"
+
+@interface SNTCachedDecisionTest : XCTestCase
+@end
+
+@implementation SNTCachedDecisionTest
+
+- (void)testSNTCachedDecisionInit {
+  // Ensure the vnodeId field is properly set from the es_file_t
+  struct stat sb = MakeStat();
+  es_file_t file = MakeESFile("foo", sb);
+
+  SNTCachedDecision *cd = [[SNTCachedDecision alloc] initWithEndpointSecurityFile:&file];
+
+  XCTAssertEqual(sb.st_ino, cd.vnodeId.fileid);
+  XCTAssertEqual(sb.st_dev, cd.vnodeId.fsid);
+}
+
+@end

Source/common/SNTCommonEnums.h

@@ -1,4 +1,4 @@
-/// Copyright 2015 Google Inc. All rights reserved.
+/// Copyright 2015-2022 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -19,23 +19,49 @@
 ///  The integer values are also stored in the database and so shouldn't be changed.
 ///
 
-typedef NS_ENUM(NSInteger, SNTRuleType) {
-  SNTRuleTypeUnknown,
+typedef NS_ENUM(NSInteger, SNTAction) {
+  SNTActionUnset,
 
-  SNTRuleTypeBinary = 1,
-  SNTRuleTypeCertificate = 2,
+  // REQUESTS
+  // If an operation is awaiting a cache decision from a similar operation
+  // currently being processed, it will poll about every 5 ms for an answer.
+  SNTActionRequestBinary,
+
+  // RESPONSES
+  SNTActionRespondAllow,
+  SNTActionRespondDeny,
+  SNTActionRespondAllowCompiler,
+};
+
+#define RESPONSE_VALID(x) \
+  (x == SNTActionRespondAllow || x == SNTActionRespondDeny || x == SNTActionRespondAllowCompiler)
+
+// Supported Rule Types
+//
+// Note: These enum values should be in order of decreasing precedence as
+// evaluated by Santa. When adding new enum values, leave some space so that
+// additional rules can be added without violating this. The ordering isn't
+// strictly necessary but improves readability and may preemptively prevent
+// issues should SQLite behavior change.
+typedef NS_ENUM(NSInteger, SNTRuleType) {
+  SNTRuleTypeUnknown = 0,
+
+  SNTRuleTypeBinary = 1000,
+  SNTRuleTypeSigningID = 2000,
+  SNTRuleTypeCertificate = 3000,
+  SNTRuleTypeTeamID = 4000,
 };
 
 typedef NS_ENUM(NSInteger, SNTRuleState) {
   SNTRuleStateUnknown,
 
-  SNTRuleStateWhitelist = 1,
-  SNTRuleStateBlacklist = 2,
-  SNTRuleStateSilentBlacklist = 3,
+  SNTRuleStateAllow = 1,
+  SNTRuleStateBlock = 2,
+  SNTRuleStateSilentBlock = 3,
   SNTRuleStateRemove = 4,
 
-  SNTRuleStateWhitelistCompiler = 5,
-  SNTRuleStateWhitelistTransitive = 6,
+  SNTRuleStateAllowCompiler = 5,
+  SNTRuleStateAllowTransitive = 6,
 };
 
 typedef NS_ENUM(NSInteger, SNTClientMode) {
@@ -45,36 +71,40 @@ typedef NS_ENUM(NSInteger, SNTClientMode) {
   SNTClientModeLockdown = 2,
 };
 
-typedef NS_ENUM(NSInteger, SNTEventState) {
+typedef NS_ENUM(uint64_t, SNTEventState) {
   // Bits 0-15 bits store non-decision types
   SNTEventStateUnknown = 0,
   SNTEventStateBundleBinary = 1,
 
-  // Bits 16-23 store deny decision types
-  SNTEventStateBlockUnknown = 1 << 16,
-  SNTEventStateBlockBinary = 1 << 17,
-  SNTEventStateBlockCertificate = 1 << 18,
-  SNTEventStateBlockScope = 1 << 19,
+  // Bits 16-39 store deny decision types
+  SNTEventStateBlockUnknown = 1ULL << 16,
+  SNTEventStateBlockBinary = 1ULL << 17,
+  SNTEventStateBlockCertificate = 1ULL << 18,
+  SNTEventStateBlockScope = 1ULL << 19,
+  SNTEventStateBlockTeamID = 1ULL << 20,
+  SNTEventStateBlockLongPath = 1ULL << 21,
+  SNTEventStateBlockSigningID = 1ULL << 22,
 
-  // Bits 24-31 store allow decision types
-  SNTEventStateAllowUnknown = 1 << 24,
-  SNTEventStateAllowBinary = 1 << 25,
-  SNTEventStateAllowCertificate = 1 << 26,
-  SNTEventStateAllowScope = 1 << 27,
-  SNTEventStateAllowCompiler = 1 << 28,
-  SNTEventStateAllowTransitive = 1 << 29,
-  SNTEventStateAllowPendingTransitive = 1 << 30,
+  // Bits 40-63 store allow decision types
+  SNTEventStateAllowUnknown = 1ULL << 40,
+  SNTEventStateAllowBinary = 1ULL << 41,
+  SNTEventStateAllowCertificate = 1ULL << 42,
+  SNTEventStateAllowScope = 1ULL << 43,
+  SNTEventStateAllowCompiler = 1ULL << 44,
+  SNTEventStateAllowTransitive = 1ULL << 45,
+  SNTEventStateAllowPendingTransitive = 1ULL << 46,
+  SNTEventStateAllowTeamID = 1ULL << 47,
+  SNTEventStateAllowSigningID = 1ULL << 48,
 
   // Block and Allow masks
-  SNTEventStateBlock = 0xFF << 16,
-  SNTEventStateAllow = 0xFF << 24
+  SNTEventStateBlock = 0xFFFFFFULL << 16,
+  SNTEventStateAllow = 0xFFFFFFULL << 40,
 };
 
 typedef NS_ENUM(NSInteger, SNTRuleTableError) {
   SNTRuleTableErrorEmptyRuleArray,
   SNTRuleTableErrorInsertOrReplaceFailed,
   SNTRuleTableErrorInvalidRule,
-  SNTRuleTableErrorMissingRequiredRule,
   SNTRuleTableErrorRemoveFailed
 };
 
@@ -90,9 +120,76 @@ typedef NS_ENUM(NSInteger, SNTBundleEventAction) {
 typedef NS_ENUM(NSInteger, SNTEventLogType) {
   SNTEventLogTypeSyslog,
   SNTEventLogTypeFilelog,
+  SNTEventLogTypeProtobuf,
+  SNTEventLogTypeJSON,
+  SNTEventLogTypeNull,
 };
 
-static const char *kKextPath = "/Library/Extensions/santa-driver.kext";
-static const char *kSantaDPath = "/Library/Extensions/santa-driver.kext/Contents/MacOS/santad";
-static const char *kSantaCtlPath = "/Library/Extensions/santa-driver.kext/Contents/MacOS/santactl";
-static const char *kSantaAppPath = "/Library/Extensions/santa-driver.kext/Contents/Resources/Santa.app";
+// The return status of a sync.
+typedef NS_ENUM(NSInteger, SNTSyncStatusType) {
+  SNTSyncStatusTypeSuccess,
+  SNTSyncStatusTypePreflightFailed,
+  SNTSyncStatusTypeEventUploadFailed,
+  SNTSyncStatusTypeRuleDownloadFailed,
+  SNTSyncStatusTypePostflightFailed,
+  SNTSyncStatusTypeTooManySyncsInProgress,
+  SNTSyncStatusTypeMissingSyncBaseURL,
+  SNTSyncStatusTypeMissingMachineID,
+  SNTSyncStatusTypeDaemonTimeout,
+  SNTSyncStatusTypeSyncStarted,
+  SNTSyncStatusTypeUnknown,
+};
+
+typedef NS_ENUM(NSInteger, SNTSyncContentEncoding) {
+  SNTSyncContentEncodingNone,
+  SNTSyncContentEncodingDeflate,
+  SNTSyncContentEncodingGzip,
+};
+
+typedef NS_ENUM(NSInteger, SNTMetricFormatType) {
+  SNTMetricFormatTypeUnknown,
+  SNTMetricFormatTypeRawJSON,
+  SNTMetricFormatTypeMonarchJSON,
+};
+
+typedef NS_ENUM(NSInteger, SNTOverrideFileAccessAction) {
+  SNTOverrideFileAccessActionNone,
+  SNTOverrideFileAccessActionAuditOnly,
+  SNTOverrideFileAccessActionDiable,
+};
+
+typedef NS_ENUM(NSInteger, SNTDeviceManagerStartupPreferences) {
+  SNTDeviceManagerStartupPreferencesNone,
+  SNTDeviceManagerStartupPreferencesUnmount,
+  SNTDeviceManagerStartupPreferencesForceUnmount,
+  SNTDeviceManagerStartupPreferencesRemount,
+  SNTDeviceManagerStartupPreferencesForceRemount,
+};
+
+typedef NS_ENUM(NSInteger, SNTSyncType) {
+  SNTSyncTypeNormal,
+  SNTSyncTypeClean,
+  SNTSyncTypeCleanAll,
+};
+
+typedef NS_ENUM(NSInteger, SNTRuleCleanup) {
+  SNTRuleCleanupNone,
+  SNTRuleCleanupAll,
+  SNTRuleCleanupNonTransitive,
+};
+
+#ifdef __cplusplus
+enum class FileAccessPolicyDecision {
+  kNoPolicy,
+  kDenied,
+  kDeniedInvalidSignature,
+  kAllowed,
+  kAllowedReadAccess,
+  kAllowedAuditOnly,
+};
+#endif
+
+static const char *kSantaDPath =
+  "/Applications/Santa.app/Contents/Library/SystemExtensions/"
+  "com.google.santa.daemon.systemextension/Contents/MacOS/com.google.santa.daemon";
+static const char *kSantaAppPath = "/Applications/Santa.app";

Source/common/SNTConfigurator.h

@@ -1,4 +1,4 @@
-/// Copyright 2015 Google Inc. All rights reserved.
+/// Copyright 2015-2022 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
 
 #import "Source/common/SNTCommonEnums.h"
 
+@class SNTRule;
+
 ///
 ///  Singleton that provides an interface for managing configuration values on disk
 ///  @note This class is designed as a singleton but that is not strictly enforced.
@@ -26,7 +28,7 @@
 #pragma mark - Daemon Settings
 
 ///
-///  The operating mode.
+///  The operating mode. Defaults to MONITOR.
 ///
 @property(readonly, nonatomic) SNTClientMode clientMode;
 
@@ -36,32 +38,70 @@
 - (void)setSyncServerClientMode:(SNTClientMode)newMode;
 
 ///
-///  The regex of whitelisted paths. Regexes are specified in ICU format.
+///  Enable Fail Close mode. Defaults to NO.
+///  This controls Santa's behavior when a failure occurs, such as an
+///  inability to read a file. By default, to prevent bugs or misconfiguration
+///  from rendering a machine inoperable Santa will fail open and allow
+///  execution. With this setting enabled, Santa will fail closed if the client
+///  is in LOCKDOWN mode, offering a higher level of security but with a higher
+///  potential for causing problems.
+///
+@property(readonly, nonatomic) BOOL failClosed;
+
+///
+///  A set of static rules that should always apply. These can be used as a
+///  fallback set of rules for management tools that should always be allowed to
+///  run even if a sync server does something unexpected. It can also be used
+///  as the sole source of rules, distributed with an MDM.
+///
+///  The value of this key should be an array containing dictionaries. Each
+///  dictionary should contain the same keys used for syncing, e.g:
+///
+///  <key>StaticRules</key>
+///  <array>
+///    <dict>
+///      <key>identifier</key>
+///      <string>binary sha256, certificate sha256, team ID</string>
+///      <key>rule_type</key>
+///      <string>BINARY</string>  (one of BINARY, CERTIFICATE or TEAMID)
+///      <key>policy</key>
+///      <string>BLOCKLIST</string>  (one of ALLOWLIST, ALLOWLIST_COMPILER, BLOCKLIST,
+///                                   SILENT_BLOCKLIST)
+///    </dict>
+///  </array>
+///
+///  The return of this property is a dictionary where the keys are the
+///  identifiers of each rule, with the SNTRule as a value
+///
+@property(readonly, nonatomic) NSDictionary<NSString *, SNTRule *> *staticRules;
+
+///
+///  The regex of allowed paths. Regexes are specified in ICU format.
 ///
 ///  The regex flags IXSM can be used, though the s (dotall) and m (multiline) flags are
 ///  pointless as a path only ever has a single line.
 ///  If the regex doesn't begin with ^ to match from the beginning of the line, it will be added.
 ///
-@property(readonly, nonatomic) NSRegularExpression *whitelistPathRegex;
+@property(readonly, nonatomic) NSRegularExpression *allowedPathRegex;
 
 ///
-///  Set the regex of whitelisted paths as received from a sync server.
+///  Set the regex of allowed paths as received from a sync server.
 ///
-- (void)setSyncServerWhitelistPathRegex:(NSRegularExpression *)re;
+- (void)setSyncServerAllowedPathRegex:(NSRegularExpression *)re;
 
 ///
-///  The regex of blacklisted paths. Regexes are specified in ICU format.
+///  The regex of blocked paths. Regexes are specified in ICU format.
 ///
 ///  The regex flags IXSM can be used, though the s (dotall) and m (multiline) flags are
 ///  pointless as a path only ever has a single line.
 ///  If the regex doesn't begin with ^ to match from the beginning of the line, it will be added.
 ///
-@property(readonly, nonatomic) NSRegularExpression *blacklistPathRegex;
+@property(readonly, nonatomic) NSRegularExpression *blockedPathRegex;
 
 ///
-///  Set the regex of blacklisted paths as received from a sync server.
+///  Set the regex of blocked paths as received from a sync server.
 ///
-- (void)setSyncServerBlacklistPathRegex:(NSRegularExpression *)re;
+- (void)setSyncServerBlockedPathRegex:(NSRegularExpression *)re;
 
 ///
 ///  The regex of paths to log file changes for. Regexes are specified in ICU format.
@@ -130,10 +170,23 @@
 ///
 @property(readonly, nonatomic) BOOL enablePageZeroProtection;
 
+///
+///  Enable bad signature protection, defaults to NO.
+///  When enabled, a binary that is signed but has a bad signature (cert revoked, binary
+///  tampered with, etc.) will be blocked regardless of client-mode unless a binary allowlist
+///  rule exists.
+///
+@property(readonly, nonatomic) BOOL enableBadSignatureProtection;
+
 ///
 ///  Defines how event logs are stored. Options are:
-///    SNTEventLogTypeSyslog: Sent to ASL or ULS (if built with the 10.12 SDK or later).
-///    SNTEventLogTypeFilelog: Sent to a file on disk. Use eventLogPath to specify a path.
+///    SNTEventLogTypeSyslog "syslog": Sent to ASL or ULS (if built with the 10.12 SDK or later).
+///    SNTEventLogTypeFilelog "file": Sent to a file on disk. Use eventLogPath to specify a path.
+///    SNTEventLogTypeNull "null": Logs nothing
+///    SNTEventLogTypeProtobuf "protobuf": (BETA) Sent to a file on disk, using a maildir-like
+///      format. Use spoolDirectory to specify a path. Use spoolDirectoryFileSizeThresholdKB,
+///      spoolDirectorySizeThresholdMB and spoolDirectoryEventMaxFlushTimeSec to configure
+///      additional settings.
 ///    Defaults to SNTEventLogTypeFilelog.
 ///    For mobileconfigs use EventLogType as the key and syslog or filelog strings as the value.
 ///
@@ -141,6 +194,13 @@
 ///
 @property(readonly, nonatomic) SNTEventLogType eventLogType;
 
+///
+/// Returns the raw value of the EventLogType configuration key instead of being
+/// converted to the SNTEventLogType enum. If the key is not set, the default log
+/// type is returned.
+///
+@property(readonly, nonatomic) NSString *eventLogTypeRaw;
+
 ///
 ///  If eventLogType is set to Filelog, eventLogPath will provide the path to save logs.
 ///  Defaults to /var/db/santa/santa.log.
@@ -149,15 +209,112 @@
 ///
 @property(readonly, nonatomic) NSString *eventLogPath;
 
+///
+///  If eventLogType is set to protobuf, spoolDirectory will provide the base path used for
+///  saving logs using a maildir-like format.
+///  Defaults to /var/db/santa/spool.
+///
+///  @note: This property is KVO compliant, but should only be read once at santad startup.
+///
+@property(readonly, nonatomic) NSString *spoolDirectory;
+
+///
+///  If eventLogType is set to protobuf, spoolDirectoryFileSizeThresholdKB sets the per-file size
+///  limit for files saved in the spoolDirectory.
+///  Defaults to 250.
+///
+///  @note: This property is KVO compliant, but should only be read once at santad startup.
+///
+@property(readonly, nonatomic) NSUInteger spoolDirectoryFileSizeThresholdKB;
+
+///
+///  If eventLogType is set to protobuf, spoolDirectorySizeThresholdMB sets the total size
+///  limit for all files saved in the spoolDirectory.
+///  Defaults to 100.
+///
+///  @note: This property is KVO compliant, but should only be read once at santad startup.
+///
+@property(readonly, nonatomic) NSUInteger spoolDirectorySizeThresholdMB;
+
+///
+///  If eventLogType is set to protobuf, spoolDirectoryEventMaxFlushTimeSec sets the maximum amount
+///  of time an event will be stored in memory before being written to disk.
+///  Defaults to 15.0.
+///
+///  @note: This property is KVO compliant, but should only be read once at santad startup.
+///
+@property(readonly, nonatomic) float spoolDirectoryEventMaxFlushTimeSec;
+
+///
+///  If set, contains the filesystem access policy configuration.
+///
+///  @note: The property fileAccessPolicyPlist will be ignored if
+///         fileAccessPolicy is set.
+///  @note: This property is KVO compliant.
+///
+@property(readonly, nonatomic) NSDictionary *fileAccessPolicy;
+
+///
+///  If set, contains the path to the filesystem access policy config plist.
+///
+///  @note: This property will be ignored if fileAccessPolicy is set.
+///  @note: This property is KVO compliant.
+///
+@property(readonly, nonatomic) NSString *fileAccessPolicyPlist;
+
+///
+///  This is the message shown to the user when access to a file is blocked
+///  by a binary due to some rule in the current File Access policy if that rule
+///  doesn't provide a custom message. If this is not configured, a reasonable
+///  default is provided.
+///
+///  @note: This property is KVO compliant.
+///
+@property(readonly, nonatomic) NSString *fileAccessBlockMessage;
+
+///
+///  If fileAccessPolicyPlist is set, fileAccessPolicyUpdateIntervalSec
+///  sets the number of seconds between times that the configuration file is
+///  re-read and policies reconstructed.
+///  Defaults to 600 seconds (10 minutes)
+///
+///  @note: This property is KVO compliant, but should only be read once at santad startup.
+///
+@property(readonly, nonatomic) uint32_t fileAccessPolicyUpdateIntervalSec;
+
 ///
 /// Enabling this appends the Santa machine ID to the end of each log line. If nothing
-/// has been overriden, this is the host's UUID.
+/// has been overridden, this is the host's UUID.
 /// Defaults to NO.
 ///
 @property(readonly, nonatomic) BOOL enableMachineIDDecoration;
 
 #pragma mark - GUI Settings
 
+///
+///  When silent mode is enabled, Santa will never show notifications for
+///  blocked processes.
+///
+///  This can be a very confusing experience for users, use with caution.
+///
+///  Defaults to NO.
+///
+@property(readonly, nonatomic) BOOL enableSilentMode;
+
+///
+///  When silent TTY mode is enabled, Santa will not emit TTY notifications for
+///  blocked processes.
+///
+///  Defaults to NO.
+///
+@property(readonly, nonatomic) BOOL enableSilentTTYMode;
+
+///
+/// The text to display when opening Santa.app.
+/// If unset, the default text will be displayed.
+///
+@property(readonly, nonatomic) NSString *aboutText;
+
 ///
 ///  The URL to open when the user clicks "More Info..." when opening Santa.app.
 ///  If unset, the button will not be displayed.
@@ -174,6 +331,9 @@
 ///  %file_sha%    -- SHA-256 of the file that was blocked.
 ///  %machine_id%  -- ID of the machine.
 ///  %username%    -- executing user.
+///  %serial%      -- System's serial number.
+///  %uuid%        -- System's UUID.
+///  %hostname%    -- System's full hostname.
 ///
 ///  @note: This is not an NSURL because the format-string parsing is done elsewhere.
 ///
@@ -199,6 +359,20 @@
 ///
 @property(readonly, nonatomic) NSString *bannedBlockMessage;
 
+///
+/// This is the message shown to the user when a USB storage device's mount is denied
+/// from the BlockUSB configuration setting. If not configured, a reasonable
+/// default is provided.
+///
+@property(readonly, nonatomic) NSString *bannedUSBBlockMessage;
+
+///
+/// This is the message shown to the user when a USB storage device's mount is forcibly
+/// remounted to a different set of permissions from the BlockUSB and RemountUSBMode
+/// configuration settings. If not configured, a reasonable default is provided.
+///
+@property(readonly, nonatomic) NSString *remountUSBBlockMessage;
+
 ///
 ///  The notification text to display when the client goes into MONITOR mode.
 ///  Defaults to "Switching into Monitor mode"
@@ -218,6 +392,35 @@
 ///
 @property(readonly, nonatomic) NSURL *syncBaseURL;
 
+///
+///  Proxy settings for syncing.
+///  This dictionary is passed directly to NSURLSession. The allowed keys
+///  are loosely documented at
+///  https://developer.apple.com/documentation/cfnetwork/global_proxy_settings_constants.
+///
+@property(readonly, nonatomic) NSDictionary *syncProxyConfig;
+
+///
+///  Extra headers to include in all requests made during syncing.
+///  Keys and values must all be strings, any other type will be silently ignored.
+///  Some headers cannot be set through this key, including:
+///
+///    * Content-Encoding
+///    * Content-Length
+///    * Content-Type
+///    * Connection
+///    * Host
+///    * Proxy-Authenticate
+///    * Proxy-Authorization
+///    * WWW-Authenticate
+///
+///  The header "Authorization" is also documented by Apple to be one that will
+///  be ignored but this is not really the case, at least at present. If you
+///  are able to use a different header for this that would be safest but if not
+///  using Authorization /should/ be fine.
+///
+@property(readonly, nonatomic) NSDictionary *syncExtraHeaders;
+
 ///
 ///  The machine owner.
 ///
@@ -234,9 +437,55 @@
 @property(nonatomic) NSDate *ruleSyncLastSuccess;
 
 ///
-///  If YES a clean sync is required.
+///  Type of sync required (e.g. normal, clean, etc.).
 ///
-@property(nonatomic) BOOL syncCleanRequired;
+@property(nonatomic) SNTSyncType syncTypeRequired;
+
+#pragma mark - USB Settings
+
+///
+/// USB Mount Blocking. Defaults to false.
+///
+@property(nonatomic) BOOL blockUSBMount;
+
+///
+/// Comma-separated `$ mount -o` arguments used for forced remounting of USB devices. Default
+/// to fully allow/deny without remounting if unset.
+///
+@property(nonatomic) NSArray<NSString *> *remountUSBMode;
+
+///
+/// If set, defines the action that should be taken on existing USB mounts when
+/// Santa starts up.
+///
+/// Supported values are:
+///   * "Unmount": Unmount mass storage devices
+///   * "ForceUnmount": Force unmount mass storage devices
+///
+///
+/// Note: Existing mounts with mount flags that are a superset of RemountUSBMode
+/// are unaffected and left mounted.
+///
+@property(readonly, nonatomic) SNTDeviceManagerStartupPreferences onStartUSBOptions;
+
+///
+/// If set, will override the action taken when a file access rule violation
+/// occurs. This setting will apply across all rules in the file access policy.
+///
+/// Possible values are
+///   * "AuditOnly": When a rule is violated, it will be logged, but the access
+///     will not be blocked
+///   * "Disable": No access will be logged or blocked.
+///
+/// If not set, no override will take place and the file acces spolicy will
+/// apply as configured.
+///
+@property(readonly, nonatomic) SNTOverrideFileAccessAction overrideFileAccessAction;
+
+///
+///  Set the action that will override file access policy config action
+///
+- (void)setSyncServerOverrideFileAccessAction:(NSString *)action;
 
 ///
 ///  If set, this over-rides the default machine ID used for syncing.
@@ -249,14 +498,14 @@
 ///
 @property BOOL enableBundles;
 
-#pragma mark Transitive Whitelisting Settings
+#pragma mark Transitive Allowlist Settings
 
 ///
-///  If YES, binaries marked with SNTRuleStateWhitelistCompiler rules are allowed to transitively
-///  whitelist any executables that they produce.  If NO, SNTRuleStateWhitelistCompiler rules are
-///  interpreted as if they were simply SNTRuleStateWhitelist rules.  Defaults to NO.
+///  If YES, binaries marked with SNTRuleStateAllowCompiler rules are allowed to transitively
+///  allow any executables that they produce.  If NO, SNTRuleStateAllowCompiler rules are
+///  interpreted as if they were simply SNTRuleStateAllow rules.  Defaults to NO.
 ///
-@property BOOL enableTransitiveWhitelisting;
+@property BOOL enableTransitiveRules;
 
 #pragma mark Server Auth Settings
 
@@ -295,6 +544,116 @@
 ///
 @property(readonly, nonatomic) NSString *syncClientAuthCertificateIssuer;
 
+///
+///  If true, syncs will upload events when a clean sync is requested. Defaults to false.
+///
+@property(readonly, nonatomic) BOOL enableCleanSyncEventUpload;
+
+///
+///  If true, events will be uploaded for all executions, even those that are allowed.
+///  Use with caution, this generates a lot of events. Defaults to false.
+///
+@property(nonatomic) BOOL enableAllEventUpload;
+
+///
+///  If true, events will *not* be uploaded for ALLOW_UNKNOWN events for clients in Monitor mode.
+///
+@property(nonatomic) BOOL disableUnknownEventUpload;
+
+///
+///  If true, forks and exits will be logged. Defaults to false.
+///
+@property(readonly, nonatomic) BOOL enableForkAndExitLogging;
+
+///
+///  If true, ignore actions from other endpoint security clients. Defaults to false. This only
+///  applies when running as a sysx.
+///
+@property(readonly, nonatomic) BOOL ignoreOtherEndpointSecurityClients;
+
+///
+///  If true, debug logging will be enabled for all Santa components. Defaults to false.
+///  Passing --debug as an executable argument will enable debug logging for that specific
+///  component.
+///
+@property(readonly, nonatomic) BOOL enableDebugLogging;
+
+///
+///  If true, compressed requests from "santactl sync" will set "Content-Encoding" to "zlib"
+///  instead of the new default "deflate". If syncing with Upvote deployed at commit 0b4477d
+///  or below, set this option to true.
+///  Defaults to false.
+///
+@property(readonly, nonatomic) BOOL enableBackwardsCompatibleContentEncoding;
+
+///
+/// If set, "santactl sync" will use the supplied "Content-Encoding", possible
+/// settings include "gzip", "deflate", "none". If empty defaults to "deflate".
+///
+@property(readonly, nonatomic) SNTSyncContentEncoding syncClientContentEncoding;
+
+///
+///  Contains the FCM project name.
+///
+@property(readonly, nonatomic) NSString *fcmProject;
+
+///
+///  Contains the FCM project entity.
+///
+@property(readonly, nonatomic) NSString *fcmEntity;
+
+///
+///  Contains the FCM project API key.
+///
+@property(readonly, nonatomic) NSString *fcmAPIKey;
+
+///
+///  True if fcmProject, fcmEntity and fcmAPIKey are all set. Defaults to false.
+///
+@property(readonly, nonatomic) BOOL fcmEnabled;
+
+///
+/// True if metricsFormat and metricsURL are set. False otherwise.
+///
+@property(readonly, nonatomic) BOOL exportMetrics;
+
+///
+/// Format to export Metrics as.
+///
+@property(readonly, nonatomic) SNTMetricFormatType metricFormat;
+
+///
+/// URL describing where metrics are exported, defaults to nil.
+///
+@property(readonly, nonatomic) NSURL *metricURL;
+
+///
+/// Extra Metric Labels to add to the metrics payloads.
+///
+@property(readonly, nonatomic) NSDictionary *extraMetricLabels;
+
+///
+/// Duration in seconds of how often the metrics should be exported.
+///
+@property(readonly, nonatomic) NSUInteger metricExportInterval;
+
+///
+/// Duration in seconds for metrics export timeout. Defaults to 30;
+///
+@property(readonly, nonatomic) NSUInteger metricExportTimeout;
+
+///
+/// List of prefix strings for which individual entitlement keys with a matching
+/// prefix should not be logged.
+///
+@property(readonly, nonatomic) NSArray<NSString *> *entitlementsPrefixFilter;
+
+///
+/// List of TeamIDs for which entitlements should not be logged. Use the string
+/// "platform" to refer to platform binaries.
+///
+@property(readonly, nonatomic) NSArray<NSString *> *entitlementsTeamIDFilter;
+
 ///
 ///  Retrieve an initialized singleton configurator object using the default file path.
 ///

Source/common/SNTConfiguratorTest.m

@@ -0,0 +1,102 @@
+/// Copyright 2024 Google LLC
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+#import <Foundation/Foundation.h>
+#import <XCTest/XCTest.h>
+
+#import "Source/common/SNTCommonEnums.h"
+#import "Source/common/SNTConfigurator.h"
+
+@interface SNTConfigurator (Testing)
+- (instancetype)initWithSyncStateFile:(NSString *)syncStateFilePath
+            syncStateAccessAuthorizer:(BOOL (^)(void))syncStateAccessAuthorizer;
+
+@property NSDictionary *syncState;
+@end
+
+@interface SNTConfiguratorTest : XCTestCase
+@property NSFileManager *fileMgr;
+@property NSString *testDir;
+@end
+
+@implementation SNTConfiguratorTest
+
+- (void)setUp {
+  self.fileMgr = [NSFileManager defaultManager];
+  self.testDir =
+    [NSString stringWithFormat:@"%@santa-configurator-%d", NSTemporaryDirectory(), getpid()];
+
+  XCTAssertTrue([self.fileMgr createDirectoryAtPath:self.testDir
+                        withIntermediateDirectories:YES
+                                         attributes:nil
+                                              error:nil]);
+}
+
+- (void)tearDown {
+  XCTAssertTrue([self.fileMgr removeItemAtPath:self.testDir error:nil]);
+}
+
+- (void)runMigrationTestsWithSyncState:(NSDictionary *)syncStatePlist
+                              verifier:(void (^)(SNTConfigurator *))verifierBlock {
+  NSString *syncStatePlistPath =
+    [NSString stringWithFormat:@"%@/test-sync-state.plist", self.testDir];
+
+  XCTAssertTrue([syncStatePlist writeToFile:syncStatePlistPath atomically:YES]);
+
+  SNTConfigurator *cfg = [[SNTConfigurator alloc] initWithSyncStateFile:syncStatePlistPath
+                                              syncStateAccessAuthorizer:^{
+                                                // Allow all access to the test plist
+                                                return YES;
+                                              }];
+
+  NSLog(@"sync state: %@", cfg.syncState);
+
+  verifierBlock(cfg);
+
+  XCTAssertTrue([self.fileMgr removeItemAtPath:syncStatePlistPath error:nil]);
+}
+
+- (void)testInitMigratesSyncStateKeys {
+  // SyncCleanRequired = YES
+  [self runMigrationTestsWithSyncState:@{@"SyncCleanRequired" : [NSNumber numberWithBool:YES]}
+                              verifier:^(SNTConfigurator *cfg) {
+                                XCTAssertEqual(cfg.syncState.count, 1);
+                                XCTAssertNil(cfg.syncState[@"SyncCleanRequired"]);
+                                XCTAssertNotNil(cfg.syncState[@"SyncTypeRequired"]);
+                                XCTAssertEqual([cfg.syncState[@"SyncTypeRequired"] integerValue],
+                                               SNTSyncTypeClean);
+                                XCTAssertEqual(cfg.syncState.count, 1);
+                              }];
+
+  // SyncCleanRequired = NO
+  [self runMigrationTestsWithSyncState:@{@"SyncCleanRequired" : [NSNumber numberWithBool:NO]}
+                              verifier:^(SNTConfigurator *cfg) {
+                                XCTAssertEqual(cfg.syncState.count, 1);
+                                XCTAssertNil(cfg.syncState[@"SyncCleanRequired"]);
+                                XCTAssertNotNil(cfg.syncState[@"SyncTypeRequired"]);
+                                XCTAssertEqual([cfg.syncState[@"SyncTypeRequired"] integerValue],
+                                               SNTSyncTypeNormal);
+                                XCTAssertEqual(cfg.syncState.count, 1);
+                              }];
+
+  // Empty state
+  [self runMigrationTestsWithSyncState:@{}
+                              verifier:^(SNTConfigurator *cfg) {
+                                XCTAssertEqual(cfg.syncState.count, 0);
+                                XCTAssertNil(cfg.syncState[@"SyncCleanRequired"]);
+                                XCTAssertNil(cfg.syncState[@"SyncTypeRequired"]);
+                              }];
+}
+
+@end

Source/common/SNTDeepCopy.h

@@ -0,0 +1,27 @@
+/// Copyright 2023 Google LLC
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+#import <Foundation/Foundation.h>
+
+@interface NSArray (SNTDeepCopy)
+
+- (instancetype)sntDeepCopy;
+
+@end
+
+@interface NSDictionary (SNTDeepCopy)
+
+- (instancetype)sntDeepCopy;
+
+@end

Source/common/SNTDeepCopy.m

@@ -0,0 +1,53 @@
+/// Copyright 2023 Google LLC
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+#import "Source/common/SNTDeepCopy.h"
+
+@implementation NSArray (SNTDeepCopy)
+
+- (instancetype)sntDeepCopy {
+  NSMutableArray<__kindof NSObject *> *deepCopy = [NSMutableArray arrayWithCapacity:self.count];
+  for (id object in self) {
+    if ([object respondsToSelector:@selector(sntDeepCopy)]) {
+      [deepCopy addObject:[object sntDeepCopy]];
+    } else if ([object respondsToSelector:@selector(copyWithZone:)]) {
+      [deepCopy addObject:[object copy]];
+    } else {
+      [deepCopy addObject:object];
+    }
+  }
+  return deepCopy;
+}
+
+@end
+
+@implementation NSDictionary (SNTDeepCopy)
+
+- (instancetype)sntDeepCopy {
+  NSMutableDictionary<__kindof NSObject *, __kindof NSObject *> *deepCopy =
+    [NSMutableDictionary dictionary];
+  for (id key in self) {
+    id value = self[key];
+    if ([value respondsToSelector:@selector(sntDeepCopy)]) {
+      deepCopy[key] = [value sntDeepCopy];
+    } else if ([value respondsToSelector:@selector(copyWithZone:)]) {
+      deepCopy[key] = [value copy];
+    } else {
+      deepCopy[key] = value;
+    }
+  }
+  return deepCopy;
+}
+
+@end

Source/common/SNTDeviceEvent.h

@@ -0,0 +1,27 @@
+/// Copyright 2022 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import <Foundation/Foundation.h>
+
+@interface SNTDeviceEvent : NSObject <NSSecureCoding>
+
+- (instancetype)initWithOnName:(NSString *)mntonname fromName:(NSString *)mntfromname;
+
+@property NSString *mntonname;
+@property NSString *mntfromname;
+@property NSArray<NSString *> *remountArgs;
+
+- (NSString *)readableRemountArgs;
+
+@end

Source/common/SNTDeviceEvent.m

@@ -0,0 +1,63 @@
+#import "Source/common/SNTDeviceEvent.h"
+
+@implementation SNTDeviceEvent
+
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wobjc-literal-conversion"
+
+#define ENCODE(obj, key) \
+  if (obj) [coder encodeObject:obj forKey:key]
+#define DECODE(cls, key) [decoder decodeObjectOfClass:[cls class] forKey:key]
+#define DECODEARRAY(cls, key)                                                             \
+  [decoder decodeObjectOfClasses:[NSSet setWithObjects:[NSArray class], [cls class], nil] \
+                          forKey:key]
+
+- (instancetype)initWithOnName:(NSString *)mntonname fromName:(NSString *)mntfromname {
+  self = [super init];
+  if (self) {
+    _mntonname = mntonname;
+    _mntfromname = mntfromname;
+  }
+  return self;
+}
+
++ (BOOL)supportsSecureCoding {
+  return YES;
+}
+
+- (void)encodeWithCoder:(NSCoder *)coder {
+  ENCODE(self.mntonname, @"mntonname");
+  ENCODE(self.mntfromname, @"mntfromname");
+  ENCODE(self.remountArgs, @"remountArgs");
+}
+
+- (instancetype)initWithCoder:(NSCoder *)decoder {
+  self = [super init];
+  if (self) {
+    _mntonname = DECODE(NSString, @"mntonname");
+    _mntfromname = DECODE(NSString, @"mntfromname");
+    _remountArgs = DECODEARRAY(NSString, @"remountArgs");
+  }
+  return self;
+}
+- (NSString *)description {
+  return [NSString stringWithFormat:@"SNTDeviceEvent '%@' -> '%@' (with permissions: [%@]",
+                                    self.mntfromname, self.mntonname,
+                                    [self.remountArgs componentsJoinedByString:@", "]];
+}
+
+- (NSString *)readableRemountArgs {
+  NSMutableArray<NSString *> *readable = [NSMutableArray array];
+  for (NSString *arg in self.remountArgs) {
+    if ([arg isEqualToString:@"rdonly"]) {
+      [readable addObject:@"read-only"];
+    } else if ([arg isEqualToString:@"noexec"]) {
+      [readable addObject:@"block executables"];
+    } else {
+      [readable addObject:arg];
+    }
+  }
+  return [readable componentsJoinedByString:@", "];
+}
+
+@end

Source/common/SNTFileAccessEvent.h

@@ -0,0 +1,99 @@
+/// Copyright 2023 Google LLC
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+#import <Foundation/Foundation.h>
+
+#import <MOLCertificate/MOLCertificate.h>
+
+///
+///  Represents an event stored in the database.
+///
+@interface SNTFileAccessEvent : NSObject <NSSecureCoding>
+
+///
+/// The watched path that was accessed
+///
+@property NSString *accessedPath;
+
+///
+/// The rule version and name that were violated
+///
+@property NSString *ruleVersion;
+@property NSString *ruleName;
+
+///
+/// The SHA256 of the process that accessed the path
+///
+@property NSString *fileSHA256;
+
+///
+/// The path of the process that accessed the watched path
+///
+@property NSString *filePath;
+
+///
+/// If the process is part of a bundle, the name of the application
+///
+@property NSString *application;
+
+///
+/// If the executed file was signed, this is the Team ID if present in the signature information.
+///
+@property NSString *teamID;
+
+///
+/// If the executed file was signed, this is the Signing ID if present in the signature information.
+///
+@property NSString *signingID;
+
+///
+///  The user who executed the binary.
+///
+@property NSString *executingUser;
+
+///
+///  The process ID of the binary being executed.
+///
+@property NSNumber *pid;
+
+///
+///  The parent process ID of the binary being executed.
+///
+@property NSNumber *ppid;
+
+///
+///  The name of the parent process.
+///
+@property NSString *parentName;
+
+///
+/// If the executed file was signed, this is an NSArray of MOLCertificate's
+/// representing the signing chain.
+///
+@property NSArray<MOLCertificate *> *signingChain;
+
+///
+/// A string representing the publisher based on the signingChain
+///
+@property(readonly) NSString *publisherInfo;
+
+///
+/// Return an array of the underlying SecCertificateRef's of the signingChain
+///
+/// WARNING: If the refs need to be used for a long time be careful to properly
+/// CFRetain/CFRelease the returned items.
+///
+@property(readonly) NSArray *signingChainCertRefs;
+
+@end

Source/common/SNTFileAccessEvent.m

@@ -0,0 +1,97 @@
+/// Copyright 2023 Google LLC
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+#import "Source/common/SNTFileAccessEvent.h"
+
+#import "Source/common/CertificateHelpers.h"
+
+@implementation SNTFileAccessEvent
+
+#define ENCODE(o)                               \
+  do {                                          \
+    if (self.o) {                               \
+      [coder encodeObject:self.o forKey:@(#o)]; \
+    }                                           \
+  } while (0)
+
+#define DECODE(o, c)                                             \
+  do {                                                           \
+    _##o = [decoder decodeObjectOfClass:[c class] forKey:@(#o)]; \
+  } while (0)
+
+#define DECODEARRAY(o, c)                                                                        \
+  do {                                                                                           \
+    _##o = [decoder decodeObjectOfClasses:[NSSet setWithObjects:[NSArray class], [c class], nil] \
+                                   forKey:@(#o)];                                                \
+  } while (0)
+
+- (instancetype)init {
+  self = [super init];
+  if (self) {
+  }
+  return self;
+}
+
++ (BOOL)supportsSecureCoding {
+  return YES;
+}
+
+- (void)encodeWithCoder:(NSCoder *)coder {
+  ENCODE(accessedPath);
+  ENCODE(ruleVersion);
+  ENCODE(ruleName);
+  ENCODE(fileSHA256);
+  ENCODE(filePath);
+  ENCODE(application);
+  ENCODE(teamID);
+  ENCODE(teamID);
+  ENCODE(pid);
+  ENCODE(ppid);
+  ENCODE(parentName);
+  ENCODE(signingChain);
+}
+
+- (instancetype)initWithCoder:(NSCoder *)decoder {
+  self = [super init];
+  if (self) {
+    DECODE(accessedPath, NSString);
+    DECODE(ruleVersion, NSString);
+    DECODE(ruleName, NSString);
+    DECODE(fileSHA256, NSString);
+    DECODE(filePath, NSString);
+    DECODE(application, NSString);
+    DECODE(teamID, NSString);
+    DECODE(teamID, NSString);
+    DECODE(pid, NSNumber);
+    DECODE(ppid, NSNumber);
+    DECODE(parentName, NSString);
+    DECODEARRAY(signingChain, MOLCertificate);
+  }
+  return self;
+}
+
+- (NSString *)description {
+  return [NSString
+    stringWithFormat:@"SNTFileAccessEvent: Accessed: %@, By: %@", self.accessedPath, self.filePath];
+}
+
+- (NSString *)publisherInfo {
+  return Publisher(self.signingChain, self.teamID);
+}
+
+- (NSArray *)signingChainCertRefs {
+  return CertificateChain(self.signingChain);
+}
+
+@end

Source/common/SNTFileInfo.h

@@ -1,4 +1,4 @@
-/// Copyright 2015 Google Inc. All rights reserved.
+/// Copyright 2015-2022 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -12,6 +12,7 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <EndpointSecurity/EndpointSecurity.h>
 #import <Foundation/Foundation.h>
 
 @class MOLCodesignChecker;
@@ -32,6 +33,14 @@
 ///
 - (instancetype)initWithPath:(NSString *)path error:(NSError **)error;
 
+///
+///  Convenience initializer.
+///
+///  @param esFile Pointer to an es_file_t provided by the EndpointSecurity framework.
+///      Assumes that the path is a resolved path.
+///
+- (instancetype)initWithEndpointSecurityFile:(const es_file_t *)esFile error:(NSError **)error;
+
 ///
 ///  Convenience initializer.
 ///
@@ -40,7 +49,6 @@
 ///
 - (instancetype)initWithPath:(NSString *)path;
 
-
 ///
 ///  Initializer for already resolved paths.
 ///

Source/common/SNTFileInfo.m

@@ -1,4 +1,4 @@
-/// Copyright 2015 Google Inc. All rights reserved.
+/// Copyright 2015-2022 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -15,8 +15,8 @@
 #import "Source/common/SNTFileInfo.h"
 
 #import <CommonCrypto/CommonDigest.h>
-#import <fmdb/FMDB.h>
 #import <MOLCodesignChecker/MOLCodesignChecker.h>
+#import <fmdb/FMDB.h>
 
 #include <mach-o/arch.h>
 #include <mach-o/loader.h>
@@ -25,6 +25,7 @@
 #include <sys/stat.h>
 #include <sys/xattr.h>
 
+#import "Source/common/SNTLogging.h"
 
 // Simple class to hold the data of a mach_header and the offset within the file
 // in which that header was found.
@@ -49,6 +50,7 @@
 @property NSFileHandle *fileHandle;
 @property NSUInteger fileSize;
 @property NSString *fileOwnerHomeDir;
+@property NSString *sha256Storage;
 
 // Cached properties
 @property NSBundle *bundleRef;
@@ -64,6 +66,26 @@
 extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 
 - (instancetype)initWithResolvedPath:(NSString *)path error:(NSError **)error {
+  struct stat fileStat;
+  if (path.length) {
+    lstat(path.UTF8String, &fileStat);
+  }
+  return [self initWithResolvedPath:path stat:&fileStat error:error];
+}
+
+- (instancetype)initWithEndpointSecurityFile:(const es_file_t *)esFile error:(NSError **)error {
+  return [self initWithResolvedPath:@(esFile->path.data) stat:&esFile->stat error:error];
+}
+
+- (instancetype)initWithResolvedPath:(NSString *)path
+                                stat:(const struct stat *)fileStat
+                               error:(NSError **)error {
+  if (!fileStat) {
+    // This is a programming error. Bail.
+    LOGE(@"NULL stat buffer unsupported");
+    exit(EXIT_FAILURE);
+  }
+
   self = [super init];
   if (self) {
     _path = path;
@@ -77,9 +99,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
       return nil;
     }
 
-    struct stat fileStat;
-    lstat(_path.UTF8String, &fileStat);
-    if (!((S_IFMT & fileStat.st_mode) == S_IFREG)) {
+    if (!((S_IFMT & fileStat->st_mode) == S_IFREG)) {
       if (error) {
         NSString *errStr = [NSString stringWithFormat:@"Non regular file: %s", strerror(errno)];
         *error = [NSError errorWithDomain:@"com.google.santa.fileinfo"
@@ -89,12 +109,12 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
       return nil;
     }
 
-    _fileSize = fileStat.st_size;
+    _fileSize = fileStat->st_size;
 
     if (_fileSize == 0) return nil;
 
-    if (fileStat.st_uid != 0) {
-      struct passwd *pwd = getpwuid(fileStat.st_uid);
+    if (fileStat->st_uid != 0) {
+      struct passwd *pwd = getpwuid(fileStat->st_uid);
       if (pwd) {
         _fileOwnerHomeDir = @(pwd->pw_dir);
       }
@@ -143,67 +163,68 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 - (void)hashSHA1:(NSString **)sha1 SHA256:(NSString **)sha256 {
   const int MAX_CHUNK_SIZE = 256 * 1024;  // 256 KB
   const size_t chunkSize = _fileSize > MAX_CHUNK_SIZE ? MAX_CHUNK_SIZE : _fileSize;
-  char chunk[chunkSize];
+  char *chunk = malloc(chunkSize);
 
-  CC_SHA1_CTX c1;
-  CC_SHA256_CTX c256;
+  @try {
+    CC_SHA1_CTX c1;
+    CC_SHA256_CTX c256;
 
-  if (sha1) CC_SHA1_Init(&c1);
-  if (sha256) CC_SHA256_Init(&c256);
+    if (sha1) CC_SHA1_Init(&c1);
+    if (sha256) CC_SHA256_Init(&c256);
 
-  int fd = self.fileHandle.fileDescriptor;
+    int fd = self.fileHandle.fileDescriptor;
 
-  fcntl(fd, F_RDAHEAD, 1);
-  struct radvisory radv;
-  radv.ra_offset = 0;
-  const int MAX_ADVISORY_READ = 10 * 1024 * 1024;
-  radv.ra_count = (int)_fileSize < MAX_ADVISORY_READ ? (int)_fileSize : MAX_ADVISORY_READ;
-  fcntl(fd, F_RDADVISE, &radv);
-  ssize_t bytesRead;
+    fcntl(fd, F_RDAHEAD, 1);
+    struct radvisory radv;
+    radv.ra_offset = 0;
+    const int MAX_ADVISORY_READ = 10 * 1024 * 1024;
+    radv.ra_count = (int)_fileSize < MAX_ADVISORY_READ ? (int)_fileSize : MAX_ADVISORY_READ;
+    fcntl(fd, F_RDADVISE, &radv);
+    ssize_t bytesRead;
 
-  for (uint64_t offset = 0; offset < _fileSize;) {
-    bytesRead = pread(fd, chunk, chunkSize, offset);
-    if (bytesRead > 0) {
-      if (sha1) CC_SHA1_Update(&c1, chunk, (CC_LONG)bytesRead);
-      if (sha256) CC_SHA256_Update(&c256, chunk, (CC_LONG)bytesRead);
-      offset += bytesRead;
-    } else if (bytesRead == -1 && errno == EINTR) {
-      continue;
-    } else {
-      return;
+    for (uint64_t offset = 0; offset < _fileSize;) {
+      bytesRead = pread(fd, chunk, chunkSize, offset);
+      if (bytesRead > 0) {
+        if (sha1) CC_SHA1_Update(&c1, chunk, (CC_LONG)bytesRead);
+        if (sha256) CC_SHA256_Update(&c256, chunk, (CC_LONG)bytesRead);
+        offset += bytesRead;
+      } else if (bytesRead == -1 && errno == EINTR) {
+        continue;
+      } else {
+        return;
+      }
     }
-  }
 
-  // We turn off Read Ahead that we turned on
-  fcntl(fd, F_RDAHEAD, 0);
-  if (sha1) {
-    unsigned char digest[CC_SHA1_DIGEST_LENGTH];
-    CC_SHA1_Final(digest, &c1);
-    NSString *const SHA1FormatString =
+    // We turn off Read Ahead that we turned on
+    fcntl(fd, F_RDAHEAD, 0);
+    if (sha1) {
+      unsigned char digest[CC_SHA1_DIGEST_LENGTH];
+      CC_SHA1_Final(digest, &c1);
+      NSString *const SHA1FormatString =
         @"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x";
-    *sha1 = [[NSString alloc]
-        initWithFormat:SHA1FormatString, digest[0], digest[1], digest[2],
-                       digest[3], digest[4], digest[5], digest[6], digest[7],
-                       digest[8], digest[9], digest[10], digest[11], digest[12],
-                       digest[13], digest[14], digest[15], digest[16],
+      *sha1 = [[NSString alloc]
+        initWithFormat:SHA1FormatString, digest[0], digest[1], digest[2], digest[3], digest[4],
+                       digest[5], digest[6], digest[7], digest[8], digest[9], digest[10],
+                       digest[11], digest[12], digest[13], digest[14], digest[15], digest[16],
                        digest[17], digest[18], digest[19]];
-  }
-  if (sha256) {
-    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
-    CC_SHA256_Final(digest, &c256);
-    NSString *const SHA256FormatString =
+    }
+    if (sha256) {
+      unsigned char digest[CC_SHA256_DIGEST_LENGTH];
+      CC_SHA256_Final(digest, &c256);
+      NSString *const SHA256FormatString =
         @"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
          "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x";
 
-    *sha256 = [[NSString alloc]
-        initWithFormat:SHA256FormatString, digest[0], digest[1], digest[2],
-                       digest[3], digest[4], digest[5], digest[6], digest[7],
-                       digest[8], digest[9], digest[10], digest[11], digest[12],
-                       digest[13], digest[14], digest[15], digest[16],
-                       digest[17], digest[18], digest[19], digest[20],
-                       digest[21], digest[22], digest[23], digest[24],
-                       digest[25], digest[26], digest[27], digest[28],
+      *sha256 = [[NSString alloc]
+        initWithFormat:SHA256FormatString, digest[0], digest[1], digest[2], digest[3], digest[4],
+                       digest[5], digest[6], digest[7], digest[8], digest[9], digest[10],
+                       digest[11], digest[12], digest[13], digest[14], digest[15], digest[16],
+                       digest[17], digest[18], digest[19], digest[20], digest[21], digest[22],
+                       digest[23], digest[24], digest[25], digest[26], digest[27], digest[28],
                        digest[29], digest[30], digest[31]];
+    }
+  } @finally {
+    free(chunk);
   }
 }
 
@@ -214,9 +235,13 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 }
 
 - (NSString *)SHA256 {
-  NSString *sha256;
-  [self hashSHA1:NULL SHA256:&sha256];
-  return sha256;
+  // Memoize the value
+  if (!self.sha256Storage) {
+    NSString *sha256;
+    [self hashSHA1:NULL SHA256:&sha256];
+    self.sha256Storage = sha256;
+  }
+  return self.sha256Storage;
 }
 
 #pragma mark File Type Info
@@ -288,15 +313,15 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 - (BOOL)isMissingPageZero {
   // This method only checks i386 arch because the kernel enforces this for other archs
   // See bsd/kern/mach_loader.c, search for enforce_hard_pagezero.
-  MachHeaderWithOffset *x86Header = self.machHeaders[[self nameForCPUType:CPU_TYPE_X86
-                                                               cpuSubType:CPU_SUBTYPE_I386_ALL]];
+  MachHeaderWithOffset *x86Header =
+    self.machHeaders[[self nameForCPUType:CPU_TYPE_X86 cpuSubType:CPU_SUBTYPE_I386_ALL]];
   if (!x86Header) return NO;
 
   struct mach_header *mh = (struct mach_header *)[x86Header.data bytes];
   if (mh->filetype != MH_EXECUTE) return NO;
 
-  NSRange range = NSMakeRange(x86Header.offset + sizeof(struct mach_header),
-                              sizeof(struct segment_command));
+  NSRange range =
+    NSMakeRange(x86Header.offset + sizeof(struct mach_header), sizeof(struct segment_command));
   NSData *lcData = [self safeSubdataWithRange:range];
   if (!lcData) return NO;
 
@@ -306,9 +331,8 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
   struct load_command *lc = (struct load_command *)[lcData bytes];
   if (lc->cmd == LC_SEGMENT) {
     struct segment_command *segment = (struct segment_command *)lc;
-    if (segment->vmaddr == 0 && segment->vmsize != 0 &&
-        segment->initprot == 0 && segment->maxprot == 0 &&
-        strcmp("__PAGEZERO", segment->segname) == 0) {
+    if (segment->vmaddr == 0 && segment->vmsize != 0 && segment->initprot == 0 &&
+        segment->maxprot == 0 && strcmp("__PAGEZERO", segment->segname) == 0) {
       return NO;
     }
   }
@@ -358,7 +382,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
   while (pathComponents.count > 1) {
     NSBundle *bndl = [NSBundle bundleWithPath:[NSString pathWithComponents:pathComponents]];
     if ([bndl objectForInfoDictionaryKey:@"CFBundleIdentifier"]) {
-      if (!ancestor ||
+      if ((!ancestor && bndl.bundlePath.pathExtension.length) ||
           [[self allowedAncestorExtensions] containsObject:bndl.bundlePath.pathExtension]) {
         bundle = bndl;
       }
@@ -372,7 +396,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 - (NSBundle *)bundle {
   if (!self.bundleRef) {
     self.bundleRef =
-        [self findBundleWithAncestor:self.useAncestorBundle] ?: (NSBundle *)[NSNull null];
+      [self findBundleWithAncestor:self.useAncestorBundle] ?: (NSBundle *)[NSNull null];
   }
   return self.bundleRef == (NSBundle *)[NSNull null] ? nil : self.bundleRef;
 }
@@ -413,8 +437,8 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 }
 
 - (NSString *)bundleName {
-  return [[self.infoPlist objectForKey:@"CFBundleDisplayName"] description] ?:
-         [[self.infoPlist objectForKey:@"CFBundleName"] description];
+  return [[self.infoPlist objectForKey:@"CFBundleDisplayName"] description]
+           ?: [[self.infoPlist objectForKey:@"CFBundleName"] description];
 }
 
 - (NSString *)bundleVersion {
@@ -463,8 +487,8 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 
   NSMutableDictionary *machHeaders = [NSMutableDictionary dictionary];
 
-  NSData *machHeader = [self parseSingleMachHeader:[self safeSubdataWithRange:NSMakeRange(0,
-                                                                                          4096)]];
+  NSData *machHeader =
+    [self parseSingleMachHeader:[self safeSubdataWithRange:NSMakeRange(0, 4096)]];
   if (machHeader) {
     struct mach_header *mh = (struct mach_header *)[machHeader bytes];
     MachHeaderWithOffset *mhwo = [[MachHeaderWithOffset alloc] initWithData:machHeader offset:0];
@@ -547,24 +571,55 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
   for (uint32_t i = 0; i < ncmds; ++i) {
     NSData *cmdData = [self safeSubdataWithRange:NSMakeRange(offset, sz_segment)];
     if (!cmdData) return nil;
-    struct segment_command_64 *lc = (struct segment_command_64 *)[cmdData bytes];
-    if (lc->cmd == LC_SEGMENT || lc->cmd == LC_SEGMENT_64) {
-      if (memcmp(lc->segname, "__TEXT", 6) == 0) {
+
+    if (((struct load_command *)[cmdData bytes])->cmdsize < sizeof(struct load_command)) {
+      return nil;
+    }
+
+    if (is64) {
+      struct segment_command_64 *lc = (struct segment_command_64 *)[cmdData bytes];
+      if (lc->cmd == LC_SEGMENT_64 && memcmp(lc->segname, "__TEXT", 6) == 0) {
         nsects = lc->nsects;
         offset += sz_segment;
         break;
       }
+      offset += lc->cmdsize;
+    } else {
+      struct segment_command *lc = (struct segment_command *)[cmdData bytes];
+      if (lc->cmd == LC_SEGMENT && memcmp(lc->segname, "__TEXT", 6) == 0) {
+        nsects = lc->nsects;
+        offset += sz_segment;
+        break;
+      }
+      offset += lc->cmdsize;
     }
-    offset += lc->cmdsize;
   }
 
   // Loop through the sections in the __TEXT segment looking for an __info_plist section.
   for (uint32_t i = 0; i < nsects; ++i) {
     NSData *sectData = [self safeSubdataWithRange:NSMakeRange(offset, sz_section)];
     if (!sectData) return nil;
-    struct section_64 *sect = (struct section_64 *)[sectData bytes];
-    if (sect && memcmp(sect->sectname, "__info_plist", 12) == 0 && sect->size < 2000000) {
-      NSData *plistData = [self safeSubdataWithRange:NSMakeRange(sect->offset, sect->size)];
+    uint64_t sectoffset, sectsize = 0;
+    BOOL found = NO;
+    if (is64) {
+      struct section_64 *sect = (struct section_64 *)[sectData bytes];
+      if (sect && memcmp(sect->sectname, "__info_plist", 12) == 0 && sect->size < 2000000) {
+        sectoffset = sect->offset;
+        sectsize = sect->size;
+        found = YES;
+      }
+    } else {
+      struct section *sect = (struct section *)[sectData bytes];
+      if (sect && memcmp(sect->sectname, "__info_plist", 12) == 0 && sect->size < 2000000) {
+        sectoffset = sect->offset;
+        sectsize = sect->size;
+        found = YES;
+      }
+    }
+
+    if (found) {
+      NSData *plistData =
+        [self safeSubdataWithRange:NSMakeRange(mhwo.offset + sectoffset, sectsize)];
       if (!plistData) return nil;
       NSDictionary *plist;
       plist = [NSPropertyListSerialization propertyListWithData:plistData
@@ -591,7 +646,10 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 ///
 - (NSData *)safeSubdataWithRange:(NSRange)range {
   @try {
-    if ((range.location + range.length) > self.fileSize) return nil;
+    NSUInteger size;
+    if (__builtin_add_overflow(range.location, range.length, &size) || size > self.fileSize) {
+      return nil;
+    }
     [self.fileHandle seekToFileOffset:range.location];
     NSData *d = [self.fileHandle readDataOfLength:range.length];
     if (d.length != range.length) return nil;
@@ -636,9 +694,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
         }
 
         NSURL *dbPath = [NSURL fileURLWithPathComponents:@[
-          fileOwnerHomeDir,
-          @"Library",
-          @"Preferences",
+          fileOwnerHomeDir, @"Library", @"Preferences",
           @"com.apple.LaunchServices.QuarantineEventsV2"
         ]];
         FMDatabase *db = [FMDatabase databaseWithPath:[dbPath absoluteString]];
@@ -657,7 +713,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
             quarantineDict[@"LSQuarantineDataURL"] = [NSURL URLWithString:dataURLString];
             quarantineDict[@"LSQuarantineOriginURL"] = [NSURL URLWithString:originURLString];
             quarantineDict[@"LSQuarantineTimestamp"] =
-                [NSDate dateWithTimeIntervalSinceReferenceDate:timeStamp];
+              [NSDate dateWithTimeIntervalSinceReferenceDate:timeStamp];
 
             self.quarantineDict = quarantineDict;
           }

Source/common/SNTFileInfoTest.m

@@ -34,14 +34,18 @@
 - (void)testPathStandardizing {
   SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:@"/Applications/Safari.app"];
   XCTAssertNotNil(sut);
-  XCTAssertEqualObjects(sut.path, @"/Applications/Safari.app/Contents/MacOS/Safari");
+  if (@available(macOS 13.0, *)) {
+    XCTAssertEqualObjects(sut.path, @"/System/Volumes/Preboot/Cryptexes/App/System/Applications/"
+                                    @"Safari.app/Contents/MacOS/Safari");
+  } else {
+    XCTAssertEqualObjects(sut.path, @"/Applications/Safari.app/Contents/MacOS/Safari");
+  }
 
   sut = [[SNTFileInfo alloc] initWithPath:@"../../../../../../../../../../../../../../../bin/ls"];
   XCTAssertEqualObjects(sut.path, @"/bin/ls");
 
-  sut = [[SNTFileInfo alloc] initWithPath:@"/usr/bin/qlmanage"];
-  XCTAssertEqualObjects(sut.path, @"/System/Library/Frameworks/QuickLook.framework/Versions/A/"
-                                  @"Resources/quicklookd.app/Contents/MacOS/qlmanage");
+  sut = [[SNTFileInfo alloc] initWithPath:@"/usr/sbin/DirectoryService"];
+  XCTAssertEqualObjects(sut.path, @"/usr/libexec/dspluginhelperd");
 }
 
 - (void)testSHA1 {
@@ -72,7 +76,6 @@
   XCTAssertTrue(sut.isExecutable);
 
   XCTAssertFalse(sut.isDylib);
-  XCTAssertFalse(sut.isFat);
   XCTAssertFalse(sut.isKext);
   XCTAssertFalse(sut.isScript);
 }
@@ -92,9 +95,13 @@
 }
 
 - (void)testKext {
-  SNTFileInfo *sut =
-      [[SNTFileInfo alloc] initWithPath:
-          @"/System/Library/Extensions/AppleAPIC.kext/Contents/MacOS/AppleAPIC"];
+  // Skip this test on macOS 13 as KEXTs have moved into the kernelcache.
+  if (@available(macOS 13.0, *)) {
+    return;
+  }
+
+  SNTFileInfo *sut = [[SNTFileInfo alloc]
+    initWithPath:@"/System/Library/Extensions/AppleAPIC.kext/Contents/MacOS/AppleAPIC"];
 
   XCTAssertTrue(sut.isMachO);
   XCTAssertTrue(sut.isKext);
@@ -106,7 +113,7 @@
 }
 
 - (void)testDylibs {
-  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:@"/usr/lib/libsqlite3.dylib"];
+  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:@"/usr/lib/system/libsystem_platform.dylib"];
 
   XCTAssertTrue(sut.isMachO);
   XCTAssertTrue(sut.isDylib);
@@ -220,8 +227,7 @@
 }
 
 - (void)testNonBundle {
-  SNTFileInfo *sut =
-  [[SNTFileInfo alloc] initWithPath:@"/usr/bin/yes"];
+  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:@"/usr/bin/yes"];
 
   XCTAssertNil([sut bundle]);
 
@@ -231,10 +237,16 @@
 }
 
 - (void)testEmbeddedInfoPlist {
+  NSString *path = [[NSBundle bundleForClass:[self class]] pathForResource:@"32bitplist"
+                                                                    ofType:@""];
+  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:path];
+  XCTAssertNotNil([sut infoPlist]);
+  XCTAssertEqualObjects([sut infoPlist][@"CFBundleShortVersionString"], @"1.0");
+  XCTAssertEqualObjects([sut infoPlist][@"CFBundleIdentifier"], @"com.google.i386plist");
+
   // csreq is installed on all machines with Xcode installed. If you're running these tests,
   // it should be available..
-  SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:@"/usr/bin/csreq"];
-
+  sut = [[SNTFileInfo alloc] initWithPath:@"/usr/bin/csreq"];
   XCTAssertNotNil([sut infoPlist]);
 }
 

Source/common/SNTKVOManager.h

@@ -0,0 +1,34 @@
+/// Copyright 2022 Google LLC
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+#import <Foundation/Foundation.h>
+
+// The callback type when KVO notifications are received for observed key paths.
+// The first parameter is the previous value, the second parameter is the new value.
+typedef void (^KVOCallback)(id oldValue, id newValue);
+
+@interface SNTKVOManager : NSObject
+
+// Add an observer for the selector on the given object. When a KVO notification
+// is received, the callback is called. If the notification contains objects that
+// are not of the expectedType, nil is passed as the argument to the callback.
+// The observer is removed when the returned instance is deallocated.
+- (instancetype)initWithObject:(id)object
+                      selector:(SEL)selector
+                          type:(Class)expectedType
+                      callback:(KVOCallback)callback;
+
+- (instancetype)init NS_UNAVAILABLE;
+
+@end

Source/common/SNTKVOManager.mm

@@ -0,0 +1,72 @@
+/// Copyright 2022 Google LLC
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+#import "Source/common/SNTKVOManager.h"
+
+#import "Source/common/SNTLogging.h"
+
+@interface SNTKVOManager ()
+@property KVOCallback callback;
+@property Class expectedType;
+@property NSString *keyPath;
+@property id object;
+@end
+
+@implementation SNTKVOManager
+
+- (instancetype)initWithObject:(id)object
+                      selector:(SEL)selector
+                          type:(Class)expectedType
+                      callback:(KVOCallback)callback {
+  self = [super self];
+  if (self) {
+    NSString *selectorName = NSStringFromSelector(selector);
+    if (![object respondsToSelector:selector]) {
+      LOGE(@"Attempt to add observer for an unknown selector (%@) for object (%@)", selectorName,
+           [object class]);
+      return nil;
+    }
+
+    _object = object;
+    _keyPath = selectorName;
+    _expectedType = expectedType;
+    _callback = callback;
+
+    [object addObserver:self
+             forKeyPath:selectorName
+                options:(NSKeyValueObservingOptionNew | NSKeyValueObservingOptionOld)
+                context:NULL];
+  }
+  return self;
+}
+
+- (void)dealloc {
+  [self.object removeObserver:self forKeyPath:self.keyPath context:NULL];
+}
+
+- (void)observeValueForKeyPath:(NSString *)keyPath
+                      ofObject:(id)object
+                        change:(NSDictionary<NSString *, id> *)change
+                       context:(void *)context {
+  id oldValue = [change[NSKeyValueChangeOldKey] isKindOfClass:self.expectedType]
+                  ? change[NSKeyValueChangeOldKey]
+                  : nil;
+  id newValue = [change[NSKeyValueChangeNewKey] isKindOfClass:self.expectedType]
+                  ? change[NSKeyValueChangeNewKey]
+                  : nil;
+
+  self.callback(oldValue, newValue);
+}
+
+@end

Source/common/SNTKVOManagerTest.mm

@@ -0,0 +1,129 @@
+/// Copyright 2022 Google LLC
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+#import <XCTest/XCTest.h>
+
+#import "Source/common/SNTKVOManager.h"
+
+@interface Foo : NSObject
+@property NSNumber *propNumber;
+@property NSArray *propArray;
+@property id propId;
+@end
+
+@implementation Foo
+@end
+
+@interface SNTKVOManagerTest : XCTestCase
+@end
+
+@implementation SNTKVOManagerTest
+
+- (void)testInvalidSelector {
+  Foo *foo = [[Foo alloc] init];
+
+  SNTKVOManager *kvo = [[SNTKVOManager alloc] initWithObject:foo
+                                                    selector:NSSelectorFromString(@"doesNotExist")
+                                                        type:[NSNumber class]
+                                                    callback:^(id, id){
+                                                    }];
+
+  XCTAssertNil(kvo);
+}
+
+- (void)testNormalOperation {
+  Foo *foo = [[Foo alloc] init];
+  dispatch_semaphore_t sema = dispatch_semaphore_create(0);
+
+  int origVal = 123;
+  int update1 = 456;
+  int update2 = 789;
+
+  foo.propNumber = @(origVal);
+
+  // Store the values from the callback to test against expected values
+  __block int oldVal;
+  __block int newVal;
+
+  SNTKVOManager *kvo =
+    [[SNTKVOManager alloc] initWithObject:foo
+                                 selector:@selector(propNumber)
+                                     type:[NSNumber class]
+                                 callback:^(NSNumber *oldValue, NSNumber *newValue) {
+                                   oldVal = [oldValue intValue];
+                                   newVal = [newValue intValue];
+                                   dispatch_semaphore_signal(sema);
+                                 }];
+  XCTAssertNotNil(kvo);
+
+  // Ensure an update to the observed property triggers the callback
+  foo.propNumber = @(update1);
+
+  XCTAssertEqual(0,
+                 dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 10 * NSEC_PER_SEC)),
+                 "Failed waiting for first observable update");
+  XCTAssertEqual(oldVal, origVal);
+  XCTAssertEqual(newVal, update1);
+
+  // One more time why not
+  foo.propNumber = @(update2);
+
+  XCTAssertEqual(0,
+                 dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 10 * NSEC_PER_SEC)),
+                 "Failed waiting for second observable update");
+  XCTAssertEqual(oldVal, update1);
+  XCTAssertEqual(newVal, update2);
+}
+
+- (void)testUnexpectedTypes {
+  Foo *foo = [[Foo alloc] init];
+  dispatch_semaphore_t sema = dispatch_semaphore_create(0);
+
+  NSString *origVal = @"any_val";
+  NSString *update = @"new_val";
+  foo.propId = origVal;
+
+  __block id oldVal;
+  __block id newVal;
+
+  SNTKVOManager *kvo = [[SNTKVOManager alloc] initWithObject:foo
+                                                    selector:@selector(propId)
+                                                        type:[NSString class]
+                                                    callback:^(id oldValue, id newValue) {
+                                                      oldVal = oldValue;
+                                                      newVal = newValue;
+                                                      dispatch_semaphore_signal(sema);
+                                                    }];
+  XCTAssertNotNil(kvo);
+
+  // Update to an unexpected type (here, NSNumber instead of NSString)
+  foo.propId = @(123);
+
+  XCTAssertEqual(0,
+                 dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 10 * NSEC_PER_SEC)),
+                 "Failed waiting for first observable update");
+  XCTAssertEqualObjects(oldVal, origVal);
+  XCTAssertNil(newVal);
+
+  // Update again with an expected type, ensure oldVal is now nil
+  foo.propId = update;
+
+  XCTAssertEqual(0,
+                 dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 10 * NSEC_PER_SEC)),
+                 "Failed waiting for first observable update");
+  XCTAssertNil(oldVal);
+  XCTAssertEqualObjects(newVal, update);
+}
+
+@end

Source/common/SNTKernelCommon.h

@@ -1,135 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-///
-/// Common defines between kernel <-> userspace
-///
-
-#include <sys/param.h>
-
-#ifndef SANTA__COMMON__KERNELCOMMON_H
-#define SANTA__COMMON__KERNELCOMMON_H
-
-// Defines the name of the userclient class and the driver bundle ID.
-#define USERCLIENT_CLASS "com_google_SantaDriver"
-#define USERCLIENT_ID "com.google.santa-driver"
-
-// Branch prediction
-#define likely(x)   __builtin_expect(!!(x), 1)
-#define unlikely(x) __builtin_expect(!!(x), 0)
-
-// List of methods supported by the driver.
-enum SantaDriverMethods {
-  kSantaUserClientOpen,
-  kSantaUserClientAllowBinary,
-  kSantaUserClientAllowCompiler,
-  kSantaUserClientDenyBinary,
-  kSantaUserClientAcknowledgeBinary,
-  kSantaUserClientClearCache,
-  kSantaUserClientRemoveCacheEntry,
-  kSantaUserClientCacheCount,
-  kSantaUserClientCheckCache,
-  kSantaUserClientCacheBucketCount,
-  kSantaUserClientFilemodPrefixFilterAdd,
-  kSantaUserClientFilemodPrefixFilterReset,
-
-  // Any methods supported by the driver should be added above this line to
-  // ensure this remains the count of methods.
-  kSantaUserClientNMethods,
-};
-
-typedef enum {
-  QUEUETYPE_DECISION,
-  QUEUETYPE_LOG,
-} santa_queuetype_t;
-
-// Enum defining actions that can be passed down the IODataQueue and in
-// response methods.
-typedef enum {
-  ACTION_UNSET = 0,
-
-  // REQUESTS
-  ACTION_REQUEST_SHUTDOWN = 10,
-  ACTION_REQUEST_BINARY = 11,
-
-  // RESPONSES
-  ACTION_RESPOND_ALLOW = 20,
-  ACTION_RESPOND_DENY = 21,
-  ACTION_RESPOND_TOOLONG = 22,
-  ACTION_RESPOND_ACK = 23,
-  ACTION_RESPOND_ALLOW_COMPILER = 24,
-  // The following response is stored only in the kernel decision cache.
-  // It is removed by SNTCompilerController
-  ACTION_RESPOND_ALLOW_PENDING_TRANSITIVE = 25,
-
-  // NOTIFY
-  ACTION_NOTIFY_EXEC = 30,
-  ACTION_NOTIFY_WRITE = 31,
-  ACTION_NOTIFY_RENAME = 32,
-  ACTION_NOTIFY_LINK = 33,
-  ACTION_NOTIFY_EXCHANGE = 34,
-  ACTION_NOTIFY_DELETE = 35,
-  ACTION_NOTIFY_WHITELIST = 36,
-
-  // ERROR
-  ACTION_ERROR = 99,
-} santa_action_t;
-
-#define RESPONSE_VALID(x) \
-  (x == ACTION_RESPOND_ALLOW || \
-   x == ACTION_RESPOND_DENY || \
-   x == ACTION_RESPOND_ALLOW_COMPILER || \
-   x == ACTION_RESPOND_ALLOW_PENDING_TRANSITIVE)
-
-// Struct to manage vnode IDs
-typedef struct santa_vnode_id_t {
-  uint64_t fsid;
-  uint64_t fileid;
-
-#ifdef __cplusplus
-  bool operator==(const santa_vnode_id_t& rhs) const {
-    return fsid == rhs.fsid && fileid == rhs.fileid;
-  }
-  // This _must not_ be used for anything security-sensitive. It exists solely to make
-  // the msleep/wakeup calls easier.
-  uint64_t unsafe_simple_id() const {
-    return (((uint64_t)fsid << 32) | fileid);
-  }
-#endif
-} santa_vnode_id_t;
-
-// Message struct that is sent down the IODataQueue.
-typedef struct {
-  santa_action_t action;
-  santa_vnode_id_t vnode_id;
-  uid_t uid;
-  gid_t gid;
-  pid_t pid;
-  pid_t ppid;
-  char path[MAXPATHLEN];
-  char newpath[MAXPATHLEN];
-  // For file events, this is the process name.
-  // For exec requests, this is the parent process name.
-  // While process names can technically be 4*MAXPATHLEN, that never
-  // actually happens, so only take MAXPATHLEN and throw away any excess.
-  char pname[MAXPATHLEN];
-} santa_message_t;
-
-// Used for the kSantaUserClientCacheBucketCount request.
-typedef struct {
-  uint16_t per_bucket[1024];
-  uint64_t start;
-} santa_bucket_count_t;
-
-#endif  // SANTA__COMMON__KERNELCOMMON_H

Source/common/SNTLogging.h

@@ -13,26 +13,15 @@
 ///    limitations under the License.
 
 ///
-/// Logging definitions, for both kernel and user space.
+/// Logging definitions
 ///
 
 #ifndef SANTA__COMMON__LOGGING_H
 #define SANTA__COMMON__LOGGING_H
 
-#ifdef KERNEL
-
-#include <IOKit/IOLib.h>
-
-#ifdef DEBUG
-#define LOGD(format, ...) IOLog("D santa-driver: " format "\n", ##__VA_ARGS__);
-#else  // DEBUG
-#define LOGD(format, ...)
-#endif  // DEBUG
-#define LOGI(format, ...) IOLog("I santa-driver: " format "\n", ##__VA_ARGS__);
-#define LOGW(format, ...) IOLog("W santa-driver: " format "\n", ##__VA_ARGS__);
-#define LOGE(format, ...) IOLog("E santa-driver: " format "\n", ##__VA_ARGS__);
-
-#else  // KERNEL
+#ifdef __cplusplus
+extern "C" {
+#endif
 
 #import <Foundation/Foundation.h>
 
@@ -52,7 +41,7 @@ typedef enum : NSUInteger {
 ///  @param ... the arguments to format.
 ///
 void logMessage(LogLevel level, FILE *destination, NSString *format, ...)
-    __attribute__((format(__NSString__, 3, 4)));
+  __attribute__((format(__NSString__, 3, 4)));
 
 /// Simple logging macros
 #define LOGD(logFormat, ...) logMessage(LOG_LEVEL_DEBUG, stdout, logFormat, ##__VA_ARGS__)
@@ -60,6 +49,11 @@ void logMessage(LogLevel level, FILE *destination, NSString *format, ...)
 #define LOGW(logFormat, ...) logMessage(LOG_LEVEL_WARN, stderr, logFormat, ##__VA_ARGS__)
 #define LOGE(logFormat, ...) logMessage(LOG_LEVEL_ERROR, stderr, logFormat, ##__VA_ARGS__)
 
-#endif  // KERNEL
+/// Get the logging level for this process.
+LogLevel EffectiveLogLevel();
+
+#ifdef __cplusplus
+}  // extern C
+#endif
 
 #endif  // SANTA__COMMON__LOGGING_H

Source/common/SNTLogging.m

@@ -14,15 +14,11 @@
 
 #import "Source/common/SNTLogging.h"
 
+#import "Source/common/SNTConfigurator.h"
+
 #import <asl.h>
 #import <pthread.h>
 
-#ifdef DEBUG
-static LogLevel logLevel = LOG_LEVEL_DEBUG;
-#else
-static LogLevel logLevel = LOG_LEVEL_INFO;  // default to info
-#endif
-
 void syslogClientDestructor(void *arg) {
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
@@ -30,6 +26,21 @@ void syslogClientDestructor(void *arg) {
 #pragma clang diagnostic pop
 }
 
+LogLevel EffectiveLogLevel() {
+#ifdef DEBUG
+  static LogLevel logLevel = LOG_LEVEL_DEBUG;
+#else
+  static LogLevel logLevel = LOG_LEVEL_INFO;  // default to info
+#endif
+  static dispatch_once_t onceToken;
+  dispatch_once(&onceToken, ^{
+    if ([SNTConfigurator configurator].enableDebugLogging) {
+      logLevel = LOG_LEVEL_DEBUG;
+    }
+  });
+  return logLevel;
+}
+
 void logMessage(LogLevel level, FILE *destination, NSString *format, ...) {
   static BOOL useSyslog = NO;
   static NSString *binaryName;
@@ -39,19 +50,15 @@ void logMessage(LogLevel level, FILE *destination, NSString *format, ...) {
   dispatch_once(&pred, ^{
     binaryName = [[NSProcessInfo processInfo] processName];
 
-    // If debug logging is enabled, the process must be restarted.
-    if ([[[NSProcessInfo processInfo] arguments] containsObject:@"--debug"]) {
-      logLevel = LOG_LEVEL_DEBUG;
-    }
-
     // If requested, redirect output to syslog.
-    if ([[[NSProcessInfo processInfo] arguments] containsObject:@"--syslog"]) {
+    if ([[[NSProcessInfo processInfo] arguments] containsObject:@"--syslog"] ||
+        [binaryName isEqualToString:@"com.google.santa.daemon"]) {
       useSyslog = YES;
       pthread_key_create(&syslogKey, syslogClientDestructor);
     }
   });
 
-  if (logLevel < level) return;
+  if (EffectiveLogLevel() < level) return;
 
   va_list args;
   va_start(args, format);
@@ -82,11 +89,14 @@ void logMessage(LogLevel level, FILE *destination, NSString *format, ...) {
         break;
       case LOG_LEVEL_INFO:
         levelName = "I";
-        syslogLevel = ASL_LEVEL_NOTICE; // Maps to ULS Default
+        syslogLevel = ASL_LEVEL_NOTICE;  // Maps to ULS Default
         break;
       case LOG_LEVEL_DEBUG:
         levelName = "D";
-        syslogLevel = ASL_LEVEL_DEBUG;
+        // Log debug messages at the same ASL level as INFO.
+        // While it would make sense to use DEBUG, watching debug-level logs
+        // in Console means enabling all debug logs, which is absurdly noisy.
+        syslogLevel = ASL_LEVEL_NOTICE;
         break;
     }
 

Source/common/SNTMetricSet.h

@@ -0,0 +1,202 @@
+/// Copyright 2021 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import <Foundation/Foundation.h>
+#import "SNTCommonEnums.h"
+
+/**
+ * Provides an abstraction for various metric systems that will be exported to
+ * monitoring systems via the MetricService. This is used to store internal
+ * counters and metrics that can be exported to an external monitoring system.
+ *
+ * `SNTMetricSet` for storing and creating metrics and counters. This is
+ *   the externally visible interface
+ *   class.
+ *
+ *  Metric classes:
+ *   * `SNTMetric` to store metric values broken down by "field" dimensions.
+ *   * subclasses of `SNTMetric` with suitable setters:
+ *     * `SNTMetricCounter`
+ *     * `SNTMetricGaugeInt64`
+ *     * `SNTMetricGaugeDouble`
+ *     * `SNTMetricString`
+ *     * `SNTMetricBool`
+ */
+
+NS_ASSUME_NONNULL_BEGIN
+
+typedef NS_ENUM(NSInteger, SNTMetricType) {
+  SNTMetricTypeUnknown = 0,
+  SNTMetricTypeConstantBool = 1,
+  SNTMetricTypeConstantString = 2,
+  SNTMetricTypeConstantInt64 = 3,
+  SNTMetricTypeConstantDouble = 4,
+  SNTMetricTypeGaugeBool = 5,
+  SNTMetricTypeGaugeString = 6,
+  SNTMetricTypeGaugeInt64 = 7,
+  SNTMetricTypeGaugeDouble = 8,
+  SNTMetricTypeCounter = 9,
+};
+
+NSString *SNTMetricMakeStringFromMetricType(SNTMetricType metricType);
+
+@interface SNTMetric : NSObject
+- (NSDictionary *)export;
+@end
+
+@interface SNTMetricCounter : SNTMetric
+- (void)incrementBy:(long long)step forFieldValues:(NSArray<NSString *> *)fieldValues;
+- (void)incrementForFieldValues:(NSArray<NSString *> *)fieldValues;
+- (long long)getCountForFieldValues:(NSArray<NSString *> *)fieldValues;
+@end
+
+@interface SNTMetricInt64Gauge : SNTMetric
+- (void)set:(long long)value forFieldValues:(NSArray<NSString *> *)fieldValues;
+- (long long)getGaugeValueForFieldValues:(NSArray<NSString *> *)fieldValues;
+@end
+
+@interface SNTMetricDoubleGauge : SNTMetric
+- (void)set:(double)value forFieldValues:(NSArray<NSString *> *)fieldValues;
+- (double)getGaugeValueForFieldValues:(NSArray<NSString *> *)fieldValues;
+@end
+
+@interface SNTMetricStringGauge : SNTMetric
+- (void)set:(NSString *)value forFieldValues:(NSArray<NSString *> *)fieldValues;
+- (NSString *)getStringValueForFieldValues:(NSArray<NSString *> *)fieldValues;
+@end
+
+@interface SNTMetricBooleanGauge : SNTMetric
+- (void)set:(BOOL)value forFieldValues:(NSArray<NSString *> *)fieldValues;
+- (BOOL)getBoolValueForFieldValues:(NSArray<NSString *> *)fieldValues;
+@end
+
+/**
+ * A registry of metrics with associated fields.
+ */
+@interface SNTMetricSet : NSObject
+- (instancetype)initWithHostname:(NSString *)hostname username:(NSString *)username;
+
+/* Returns a counter with the given name, field names and help
+ *  text, registered with the MetricSet.
+ *
+ * @param name The counter name, for example @"/proc/cpu".
+ * @param fieldNames The counter's field names, for example @[@"result"].
+ * @param helpText The counter's help description.
+ * @return A counter with the given specification registered with this root.
+ *   The returned counter might have been created earlier with the same
+ *   specification.
+ * @throw NSInternalInconsistencyException When trying to register a second
+ *   counter with the same name but a different schema as an existing one
+ */
+- (SNTMetricCounter *)counterWithName:(NSString *)name
+                           fieldNames:(NSArray<NSString *> *)fieldNames
+                             helpText:(NSString *)text;
+
+/**
+ * Returns a shared global instance with default root labels and metrics registered.
+ */
++ (instancetype)sharedInstance;
+
+/**
+ * Resets all the metrics in this set. Intended only for testing.
+ */
+- (void)reset;
+
+/**
+ *  Add a root label to the MetricSet.
+ */
+- (void)addRootLabel:(NSString *)label value:(NSString *)value;
+
+/**
+ * Remove a root label from the MetricSet.
+ */
+- (void)removeRootLabel:(NSString *)labelName;
+
+/**
+ * Returns a int64 gauge metric with the given Streamz name and help text,
+ * registered with this MetricSet.
+ *
+ * @param name The metric name, for example @"/memory/free".
+ * @param fieldNames The metric's field names, for example @[@"type"].
+ * @param helpText The metric's help description.
+ */
+- (SNTMetricInt64Gauge *)int64GaugeWithName:(NSString *)name
+                                 fieldNames:(NSArray<NSString *> *)fieldNames
+                                   helpText:(NSString *)helpText;
+
+/**
+ * Returns a double gauge metric with the given name and help text,
+ * registered with this root.
+ *
+ * @param name The metric name, for example @"/memory/free".
+ * @param fieldNames The metric's field names, for example @[@"type"].
+ * @param helpText The metric's help description.
+ */
+- (SNTMetricDoubleGauge *)doubleGaugeWithName:(NSString *)name
+                                   fieldNames:(NSArray<NSString *> *)fieldNames
+                                     helpText:(NSString *)helpText;
+
+/**
+ * Returns a string gauge metric with the given name and help text,
+ * registered with this metric set.
+ *
+ * @param name The metric name, for example @"/santa/mode".
+ * @param fieldNames The metric's field names, for example @[@"type"].
+ * @param helpText The metric's help description.
+ */
+- (SNTMetricStringGauge *)stringGaugeWithName:(NSString *)name
+                                   fieldNames:(NSArray<NSString *> *)fieldNames
+                                     helpText:(NSString *)helpText;
+
+/**
+ * Returns a boolean gauge metric with the given name and help text,
+ * registered with this metric set.
+ *
+ * @param name The metric name, for example @"/memory/free".
+ * @param fieldNames The metric's field names, for example @[@"type"].
+ * @param helpText The metric's help description.
+ */
+- (SNTMetricBooleanGauge *)booleanGaugeWithName:(NSString *)name
+                                     fieldNames:(NSArray<NSString *> *)fieldNames
+                                       helpText:(NSString *)helpText;
+
+/** Creates a constant metric with a string value and no fields. */
+- (void)addConstantStringWithName:(NSString *)name
+                         helpText:(NSString *)helpText
+                            value:(NSString *)value;
+
+/** Creates a constant metric with an integer value and no fields. */
+- (void)addConstantIntegerWithName:(NSString *)name
+                          helpText:(NSString *)helpText
+                             value:(long long)value;
+
+/** Creates a constant metric with an integer value and no fields. */
+- (void)addConstantBooleanWithName:(NSString *)name helpText:(NSString *)helpText value:(BOOL)value;
+
+/** Register a callback to get executed just before each export. */
+- (void)registerCallback:(void (^)(void))callback;
+
+/** Export creates an NSDictionary of the state of the metrics */
+- (NSDictionary *)export;
+@end
+
+// Returns a human readble string from an SNTMetricFormat type
+NSString *SNTMetricStringFromMetricFormatType(SNTMetricFormatType format);
+
+/** Normalizes dates in an exported dictionary to be ISO8601 timestamp strings in
+ *  UTC time.
+ */
+NSDictionary *SNTMetricConvertDatesToISO8601Strings(NSDictionary *metrics);
+
+NS_ASSUME_NONNULL_END

Source/common/SNTMetricSet.m

@@ -0,0 +1,673 @@
+/// Copyright 2021 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTMetricSet.h"
+#import "SNTCommonEnums.h"
+
+NSString *SNTMetricMakeStringFromMetricType(SNTMetricType metricType) {
+  NSString *typeStr;
+  switch (metricType) {
+    case SNTMetricTypeConstantBool: typeStr = @"SNTMetricTypeConstantBool"; break;
+    case SNTMetricTypeConstantString: typeStr = @"SNTMetricTypeConstantString"; break;
+    case SNTMetricTypeConstantInt64: typeStr = @"SNTMetricTypeConstantInt64"; break;
+    case SNTMetricTypeConstantDouble: typeStr = @"SNTMetricTypeConstantDouble"; break;
+    case SNTMetricTypeGaugeBool: typeStr = @"SNTMetricTypeGaugeBool"; break;
+    case SNTMetricTypeGaugeString: typeStr = @"SNTMetricTypeGaugeString"; break;
+    case SNTMetricTypeGaugeInt64: typeStr = @"SNTMetricTypeGaugeInt64"; break;
+    case SNTMetricTypeGaugeDouble: typeStr = @"SNTMetricTypeGaugeDouble"; break;
+    case SNTMetricTypeCounter: typeStr = @"SNTMetricTypeCounter"; break;
+    default: typeStr = [NSString stringWithFormat:@"SNTMetricTypeUnknown %ld", metricType]; break;
+  }
+  return typeStr;
+}
+
+/**
+ *  SNTMetricValue encapsulates the value of a metric along with the creation
+ *  and update timestamps. It is thread-safe and has a separate field for each
+ *  metric type.
+ *
+ *  It is intended to only be used by SNTMetrics;
+ */
+@interface SNTMetricValue : NSObject
+/** Increment the counter by the step value, updating timestamps appropriately. */
+- (void)addInt64:(long long)step;
+
+/** Set the Int64 value. */
+- (void)setInt64:(long long)value;
+
+/** Set the double value. */
+- (void)setDouble:(double)value;
+
+/** Set the string value. */
+- (void)setString:(NSString *)value;
+
+/** Set the BOOL string value. */
+- (void)setBool:(BOOL)value;
+
+/**
+ * Clears the last update timestamp.
+ *
+ * This makes the metric value always emit the current timestamp as last update timestamp.
+ */
+- (void)clearLastUpdateTimestamp;
+
+/** Getters */
+- (long long)getInt64Value;
+- (double)getDoubleValue;
+- (NSString *)getStringValue;
+@end
+
+@implementation SNTMetricValue {
+  /** The int64 value for the SNTMetricValue, if set. */
+  long long _int64Value;
+
+  /** The double value for the SNTMetricValue, if set. */
+  double _doubleValue;
+
+  /** The string value for the SNTMetricValue, if set. */
+  NSString *_stringValue;
+
+  /** The boolean value for the SNTMetricValue, if set. */
+  BOOL _boolValue;
+
+  /** The first time this cell got created in the current process. */
+  NSDate *_creationTime;
+
+  /** The last time that the counter value was changed. */
+  NSDate *_lastUpdate;
+}
+
+- (instancetype)init {
+  self = [super init];
+  if (self) {
+    _creationTime = [NSDate date];
+    _lastUpdate = _creationTime;
+  }
+  return self;
+}
+
+- (void)addInt64:(long long)step {
+  @synchronized(self) {
+    _int64Value += step;
+    _lastUpdate = [NSDate date];
+  }
+}
+
+- (void)setInt64:(long long)value {
+  @synchronized(self) {
+    _int64Value = value;
+    _lastUpdate = [NSDate date];
+  }
+}
+
+- (long long)getInt64Value {
+  @synchronized(self) {
+    return _int64Value;
+  }
+}
+
+- (void)setDouble:(double)value {
+  @synchronized(self) {
+    _doubleValue = value;
+    _lastUpdate = [NSDate date];
+  }
+}
+
+- (double)getDoubleValue {
+  @synchronized(self) {
+    return _doubleValue;
+  }
+}
+
+- (void)setString:(NSString *)value {
+  @synchronized(self) {
+    _stringValue = [value copy];
+    _lastUpdate = [NSDate date];
+  }
+}
+
+- (NSString *)getStringValue {
+  @synchronized(self) {
+    return [_stringValue copy];
+  }
+}
+
+- (void)setBool:(BOOL)value {
+  @synchronized(self) {
+    _boolValue = value;
+    _lastUpdate = [NSDate date];
+  }
+}
+
+- (BOOL)getBoolValue {
+  @synchronized(self) {
+    return _boolValue;
+  }
+}
+
+- (void)clearLastUpdateTimestamp {
+  @synchronized(self) {
+    _lastUpdate = nil;
+  }
+}
+
+- (NSDate *)getLastUpdatedTimestamp {
+  NSDate *updated = nil;
+  @synchronized(self) {
+    updated = [_lastUpdate copy];
+  }
+  return updated;
+}
+
+- (NSDate *)getCreatedTimestamp {
+  NSDate *created = nil;
+  @synchronized(self) {
+    created = [_creationTime copy];
+  }
+  return created;
+}
+@end
+
+@implementation SNTMetric {
+ @private
+  /** Fully qualified metric name e.g. /ops/security/santa. */
+  NSString *_name;
+  /** A help text for the metric to be exported to be exported. **/
+  NSString *_help;
+
+  /** Sorted list of the fieldNames **/
+  NSArray<NSString *> *_fieldNames;
+  /** Mapping of field values to actual metric values (e.g. metric /proc/cpu_usage @"mode"=@"user"
+   * -> 0.89 */
+  NSMutableDictionary<NSArray<NSString *> *, SNTMetricValue *> *_metricsForFieldValues;
+  /** the type of metric this is e.g. counter, gauge etc. **/
+  SNTMetricType _type;
+}
+
+- (instancetype)initWithName:(NSString *)name
+                  fieldNames:(NSArray<NSString *> *)fieldNames
+                    helpText:(NSString *)help
+                        type:(SNTMetricType)type {
+  self = [super init];
+  if (self) {
+    _name = [name copy];
+    _help = [help copy];
+    _fieldNames = [fieldNames copy];
+    _metricsForFieldValues = [[NSMutableDictionary alloc] init];
+    _type = type;
+  }
+  return self;
+}
+
+- (NSString *)name {
+  return _name;
+}
+
+- (BOOL)hasSameSchemaAsMetric:(SNTMetric *)other {
+  if (![other isKindOfClass:[self class]]) {
+    return NO;
+  }
+  return [_name isEqualToString:other->_name] && [_help isEqualToString:other->_help] &&
+         [_fieldNames isEqualTo:other->_fieldNames] && _type == other->_type;
+}
+
+/** Retrieves the SNTMetricValue for a given field value.
+   Creates a new SNTMetricValue if none is present. */
+- (SNTMetricValue *)metricValueForFieldValues:(NSArray<NSString *> *)fieldValues {
+  NSParameterAssert(fieldValues.count == _fieldNames.count);
+  SNTMetricValue *metricValue = nil;
+  @synchronized(self) {
+    metricValue = _metricsForFieldValues[fieldValues];
+
+    if (!metricValue) {
+      // Deep copy to prevent mutations to the keys we store in the dictionary.
+      fieldValues = [fieldValues copy];
+      metricValue = [[SNTMetricValue alloc] init];
+      _metricsForFieldValues[fieldValues] = metricValue;
+    }
+  }
+
+  return metricValue;
+}
+
+- (NSDictionary *)encodeMetricValueForFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = _metricsForFieldValues[fieldValues];
+
+  NSMutableDictionary *fieldDict = [[NSMutableDictionary alloc] init];
+
+  fieldDict[@"created"] = [metricValue getCreatedTimestamp];
+  fieldDict[@"last_updated"] = [metricValue getLastUpdatedTimestamp];
+  fieldDict[@"value"] = [fieldValues componentsJoinedByString:@","];
+
+  switch (_type) {
+    case SNTMetricTypeConstantBool:
+    case SNTMetricTypeGaugeBool:
+      fieldDict[@"data"] = [NSNumber numberWithBool:[metricValue getBoolValue]];
+      break;
+    case SNTMetricTypeConstantInt64:
+    case SNTMetricTypeCounter:
+    case SNTMetricTypeGaugeInt64:
+      fieldDict[@"data"] = [NSNumber numberWithLongLong:[metricValue getInt64Value]];
+      break;
+    case SNTMetricTypeConstantDouble:
+    case SNTMetricTypeGaugeDouble:
+      fieldDict[@"data"] = [NSNumber numberWithDouble:[metricValue getDoubleValue]];
+      break;
+    case SNTMetricTypeConstantString:
+    case SNTMetricTypeGaugeString: fieldDict[@"data"] = [metricValue getStringValue]; break;
+    default: break;
+  }
+  return fieldDict;
+}
+
+- (NSDictionary *)export {
+  NSMutableDictionary *metricDict = [NSMutableDictionary dictionaryWithCapacity:_fieldNames.count];
+  metricDict[@"type"] = [NSNumber numberWithInt:(int)_type];
+  metricDict[@"fields"] = [[NSMutableDictionary alloc] init];
+  metricDict[@"description"] = [_help copy];
+
+  if (_fieldNames.count == 0) {
+    metricDict[@"fields"][@""] = @[ [self encodeMetricValueForFieldValues:@[]] ];
+  } else {
+    NSMutableArray *fieldVals = [[NSMutableArray alloc] init];
+
+    for (NSArray<NSString *> *fieldValues in _metricsForFieldValues) {
+      [fieldVals addObject:[self encodeMetricValueForFieldValues:fieldValues]];
+    }
+    metricDict[@"fields"][[_fieldNames componentsJoinedByString:@","]] = fieldVals;
+  }
+  return metricDict;
+}
+@end
+
+@implementation SNTMetricCounter
+
+- (instancetype)initWithName:(NSString *)name
+                  fieldNames:(NSArray<NSString *> *)fieldNames
+                    helpText:(NSString *)helpText {
+  return [super initWithName:name
+                  fieldNames:fieldNames
+                    helpText:helpText
+                        type:SNTMetricTypeCounter];
+}
+
+- (void)incrementBy:(long long)step forFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+
+  if (!metricValue) {
+    return;
+  }
+  [metricValue addInt64:step];
+}
+
+- (void)incrementForFieldValues:(NSArray<NSString *> *)fieldValues {
+  [self incrementBy:1 forFieldValues:fieldValues];
+}
+
+- (long long)getCountForFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+
+  if (!metricValue) {
+    return -1;
+  }
+
+  return [metricValue getInt64Value];
+}
+@end
+
+@implementation SNTMetricInt64Gauge
+- (instancetype)initWithName:(NSString *)name
+                  fieldNames:(NSArray<NSString *> *)fieldNames
+                    helpText:(NSString *)helpText {
+  return [super initWithName:name
+                  fieldNames:fieldNames
+                    helpText:helpText
+                        type:SNTMetricTypeGaugeInt64];
+}
+
+- (void)set:(long long)value forFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+  [metricValue setInt64:value];
+}
+
+- (long long)getGaugeValueForFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+
+  if (!metricValue) {
+    return -1;
+  }
+
+  return [metricValue getInt64Value];
+}
+@end
+
+@implementation SNTMetricDoubleGauge
+
+- (instancetype)initWithName:(NSString *)name
+                  fieldNames:(NSArray<NSString *> *)fieldNames
+                    helpText:(NSString *)text {
+  return [super initWithName:name
+                  fieldNames:fieldNames
+                    helpText:text
+                        type:SNTMetricTypeGaugeDouble];
+}
+
+- (void)set:(double)value forFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+  [metricValue setDouble:value];
+}
+
+- (double)getGaugeValueForFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+
+  if (!metricValue) {
+    return -1;
+  }
+
+  return [metricValue getDoubleValue];
+}
+@end
+
+@implementation SNTMetricStringGauge
+- (instancetype)initWithName:(NSString *)name
+                  fieldNames:(NSArray<NSString *> *)fieldNames
+                    helpText:(NSString *)text {
+  return [super initWithName:name
+                  fieldNames:fieldNames
+                    helpText:text
+                        type:SNTMetricTypeGaugeString];
+}
+
+- (void)set:(NSString *)value forFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+  [metricValue setString:value];
+}
+
+- (NSString *)getStringValueForFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+
+  if (!metricValue) {
+    return nil;
+  }
+
+  return [metricValue getStringValue];
+}
+@end
+
+@implementation SNTMetricBooleanGauge
+- (instancetype)initWithName:(NSString *)name
+                  fieldNames:(NSArray<NSString *> *)fieldNames
+                    helpText:(NSString *)helpText {
+  return [super initWithName:name
+                  fieldNames:fieldNames
+                    helpText:helpText
+                        type:SNTMetricTypeGaugeBool];
+}
+
+- (void)set:(BOOL)value forFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+  [metricValue setBool:value];
+}
+
+- (BOOL)getBoolValueForFieldValues:(NSArray<NSString *> *)fieldValues {
+  SNTMetricValue *metricValue = [self metricValueForFieldValues:fieldValues];
+
+  if (!metricValue) {
+    return false;
+  }
+
+  return [metricValue getBoolValue];
+}
+@end
+
+/**
+ *  SNTMetricSet is the top level container for all metrics and metrics value
+ *  its is abstracted from specific implementations but is close to Google's
+ *  Monarch and Prometheus formats.
+ */
+@implementation SNTMetricSet {
+ @private
+  /** Labels that are used to identify the entity to that all metrics apply to. */
+  NSMutableDictionary<NSString *, NSString *> *_rootLabels;
+  /** Registered metrics keyed by name */
+  NSMutableDictionary<NSString *, SNTMetric *> *_metrics;
+
+  /** Callbacks to update metric values before exporting metrics */
+  NSMutableArray<void (^)(void)> *_callbacks;
+}
+
++ (instancetype)sharedInstance {
+  static SNTMetricSet *sharedMetrics;
+  static dispatch_once_t onceToken;
+
+  dispatch_once(&onceToken, ^{
+    sharedMetrics = [[SNTMetricSet alloc] init];
+  });
+
+  return sharedMetrics;
+}
+
+- (instancetype)init {
+  self = [super init];
+  if (self) {
+    _rootLabels = [[NSMutableDictionary alloc] init];
+    _metrics = [[NSMutableDictionary alloc] init];
+    _callbacks = [[NSMutableArray alloc] init];
+  }
+  return self;
+}
+
+- (instancetype)initWithHostname:(NSString *)hostname username:(NSString *)username {
+  self = [super init];
+  if (self) {
+    _rootLabels = [[NSMutableDictionary alloc] init];
+    _metrics = [[NSMutableDictionary alloc] init];
+    _callbacks = [[NSMutableArray alloc] init];
+
+    _rootLabels[@"hostname"] = [hostname copy];
+    _rootLabels[@"username"] = [username copy];
+  }
+
+  return self;
+}
+
+- (void)reset {
+  _metrics = [[NSMutableDictionary alloc] init];
+}
+
+- (void)addRootLabel:(NSString *)label value:(NSString *)value {
+  @synchronized(self) {
+    _rootLabels[label] = value;
+  }
+}
+
+- (void)removeRootLabel:(NSString *)label {
+  @synchronized(self) {
+    [_rootLabels removeObjectForKey:label];
+  }
+}
+
+- (SNTMetric *)registerMetric:(nonnull SNTMetric *)metric {
+  @synchronized(self) {
+    SNTMetric *oldMetric = _metrics[[metric name]];
+    if ([oldMetric hasSameSchemaAsMetric:metric]) {
+      return oldMetric;
+    }
+    NSAssert(!oldMetric, @"metric registered twice: %@", metric.name);
+    _metrics[metric.name] = metric;
+  }
+  return metric;
+}
+
+- (void)registerCallback:(void (^)(void))callback {
+  @synchronized(self) {
+    [_callbacks addObject:callback];
+  }
+}
+
+- (SNTMetricCounter *)counterWithName:(NSString *)name
+                           fieldNames:(NSArray<NSString *> *)fieldNames
+                             helpText:(NSString *)helpText {
+  SNTMetricCounter *c = [[SNTMetricCounter alloc] initWithName:name
+                                                    fieldNames:fieldNames
+                                                      helpText:helpText];
+  return (SNTMetricCounter *)[self registerMetric:c];
+}
+
+- (SNTMetricInt64Gauge *)int64GaugeWithName:(NSString *)name
+                                 fieldNames:(NSArray<NSString *> *)fieldNames
+                                   helpText:(NSString *)helpText {
+  SNTMetricInt64Gauge *g = [[SNTMetricInt64Gauge alloc] initWithName:name
+                                                          fieldNames:fieldNames
+                                                            helpText:helpText];
+  return (SNTMetricInt64Gauge *)[self registerMetric:g];
+}
+
+- (SNTMetricDoubleGauge *)doubleGaugeWithName:(NSString *)name
+                                   fieldNames:(NSArray<NSString *> *)fieldNames
+                                     helpText:(NSString *)helpText {
+  SNTMetricDoubleGauge *g = [[SNTMetricDoubleGauge alloc] initWithName:name
+                                                            fieldNames:fieldNames
+                                                              helpText:helpText];
+
+  return (SNTMetricDoubleGauge *)[self registerMetric:g];
+}
+
+- (SNTMetricStringGauge *)stringGaugeWithName:(NSString *)name
+                                   fieldNames:(NSArray<NSString *> *)fieldNames
+                                     helpText:(NSString *)helpText {
+  SNTMetricStringGauge *s = [[SNTMetricStringGauge alloc] initWithName:name
+                                                            fieldNames:fieldNames
+                                                              helpText:helpText];
+
+  return (SNTMetricStringGauge *)[self registerMetric:s];
+}
+
+- (SNTMetricBooleanGauge *)booleanGaugeWithName:(NSString *)name
+                                     fieldNames:(NSArray<NSString *> *)fieldNames
+                                       helpText:(NSString *)helpText {
+  SNTMetricBooleanGauge *b = [[SNTMetricBooleanGauge alloc] initWithName:name
+                                                              fieldNames:fieldNames
+                                                                helpText:helpText];
+
+  return (SNTMetricBooleanGauge *)[self registerMetric:b];
+}
+
+- (void)addConstantStringWithName:(NSString *)name
+                         helpText:(NSString *)helpText
+                            value:(NSString *)value {
+  SNTMetric *metric = [[SNTMetric alloc] initWithName:name
+                                           fieldNames:@[]
+                                             helpText:helpText
+                                                 type:SNTMetricTypeConstantString];
+
+  SNTMetricValue *metricValue = [metric metricValueForFieldValues:@[]];
+  [metricValue setString:value];
+  [self registerMetric:metric];
+}
+
+- (void)addConstantIntegerWithName:(NSString *)name
+                          helpText:(NSString *)helpText
+                             value:(long long)value {
+  SNTMetric *metric = [[SNTMetric alloc] initWithName:name
+                                           fieldNames:@[]
+                                             helpText:helpText
+                                                 type:SNTMetricTypeConstantInt64];
+
+  SNTMetricValue *metricValue = [metric metricValueForFieldValues:@[]];
+  [metricValue setInt64:value];
+  [self registerMetric:metric];
+}
+
+- (void)addConstantBooleanWithName:(NSString *)name
+                          helpText:(NSString *)helpText
+                             value:(BOOL)value {
+  SNTMetric *metric = [[SNTMetric alloc] initWithName:name
+                                           fieldNames:@[]
+                                             helpText:helpText
+                                                 type:SNTMetricTypeConstantBool];
+
+  SNTMetricValue *metricValue = [metric metricValueForFieldValues:@[]];
+  [metricValue setBool:value];
+  [self registerMetric:metric];
+}
+
+/** Export current state of the SNTMetricSet as an NSDictionary. */
+- (NSDictionary *)export {
+  NSDictionary *exported = nil;
+
+  // Invoke callbacks to ensure metrics are up to date.
+  for (void (^cb)(void) in _callbacks) {
+    cb();
+  }
+
+  @synchronized(self) {
+    NSMutableDictionary *exportDict = [[NSMutableDictionary alloc] init];
+    exportDict[@"root_labels"] = [_rootLabels copy];
+    exportDict[@"metrics"] = [[NSMutableDictionary alloc] init];
+
+    // TODO(markowsky) Sort the metrics so we always get the same output.
+    for (NSString *metricName in _metrics) {
+      exportDict[@"metrics"][metricName] = [_metrics[metricName] export];
+    }
+
+    exported = [NSDictionary dictionaryWithDictionary:exportDict];
+  }
+  return exported;
+}
+
+// Returns a human readble string from an SNTMetricFormat type
+NSString *SNTMetricStringFromMetricFormatType(SNTMetricFormatType format) {
+  switch (format) {
+    case SNTMetricFormatTypeRawJSON: return @"rawjson";
+    case SNTMetricFormatTypeMonarchJSON: return @"monarchjson";
+    default: return @"Unknown Metric Format";
+  }
+}
+
+NSDictionary *SNTMetricConvertDatesToISO8601Strings(NSDictionary *metrics) {
+  NSMutableDictionary *mutableMetrics = [metrics mutableCopy];
+
+  id formatter;
+
+  if (@available(macOS 10.13, *)) {
+    NSISO8601DateFormatter *isoFormatter = [[NSISO8601DateFormatter alloc] init];
+
+    isoFormatter.formatOptions =
+      NSISO8601DateFormatWithInternetDateTime | NSISO8601DateFormatWithFractionalSeconds;
+    formatter = isoFormatter;
+  } else {
+    NSDateFormatter *localFormatter = [[NSDateFormatter alloc] init];
+    [localFormatter setDateFormat:@"yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"];
+    [localFormatter setTimeZone:[NSTimeZone timeZoneWithName:@"UTC"]];
+    formatter = localFormatter;
+  }
+
+  for (NSString *metricName in mutableMetrics[@"metrics"]) {
+    NSMutableDictionary *metric = mutableMetrics[@"metrics"][metricName];
+
+    for (NSString *field in metric[@"fields"]) {
+      NSMutableArray<NSMutableDictionary *> *values = metric[@"fields"][field];
+
+      [values enumerateObjectsUsingBlock:^(id object, NSUInteger index, BOOL *stop) {
+        values[index][@"created"] = [formatter stringFromDate:values[index][@"created"]];
+        values[index][@"last_updated"] = [formatter stringFromDate:values[index][@"last_updated"]];
+      }];
+    }
+  }
+
+  return mutableMetrics;
+}
+
+@end

Source/common/SNTMetricSetTest.m

@@ -0,0 +1,706 @@
+#import <XCTest/XCTest.h>
+
+#import "Source/common/SNTMetricSet.h"
+
+@interface SNTMetricCounterTest : XCTestCase
+@end
+
+@interface SNTMetricGaugeInt64Test : XCTestCase
+@end
+
+@interface SNTMetricDoubleGaugeTest : XCTestCase
+@end
+
+@interface SNTMetricBooleanGaugeTest : XCTestCase
+@end
+
+@interface SNTMetricStringGaugeTest : XCTestCase
+@end
+
+@interface SNTMetricSetTest : XCTestCase
+@end
+
+@interface SNTMetricSetHelperFunctionsTest : XCTestCase
+@end
+
+// Stub out NSDate's date method
+@implementation NSDate (custom)
+
++ (instancetype)date {
+  NSDateFormatter *formatter = NSDateFormatter.new;
+  [formatter setDateFormat:@"yyyy-MM-dd HH:mm:ssZZZ"];
+  return [formatter dateFromString:@"2021-08-05 13:00:10+0000"];
+}
+
+@end
+
+@implementation SNTMetricCounterTest
+- (void)testSimpleCounter {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricCounter *c =
+    [metricSet counterWithName:@"/santa/events"
+                    fieldNames:@[ @"rule_type" ]
+                      helpText:@"Count of exec events broken out by rule type."];
+
+  XCTAssertNotNil(c, @"Expected returned SNTMetricCounter to not be nil");
+  [c incrementForFieldValues:@[ @"certificate" ]];
+  XCTAssertEqual(1, [c getCountForFieldValues:@[ @"certificate" ]],
+                 @"Counter not incremented by 1");
+  [c incrementBy:3 forFieldValues:@[ @"certificate" ]];
+  XCTAssertEqual(4, [c getCountForFieldValues:@[ @"certificate" ]],
+                 @"Counter not incremented by 3");
+}
+
+- (void)testExportNSDictionary {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricCounter *c =
+    [metricSet counterWithName:@"/santa/events"
+                    fieldNames:@[ @"rule_type" ]
+                      helpText:@"Count of exec events broken out by rule type."];
+
+  XCTAssertNotNil(c);
+  [c incrementForFieldValues:@[ @"certificate" ]];
+
+  NSDictionary *expected = @{
+    @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeCounter],
+    @"description" : @"Count of exec events broken out by rule type.",
+    @"fields" : @{
+      @"rule_type" : @[ @{
+        @"value" : @"certificate",
+        @"created" : [NSDate date],
+        @"last_updated" : [NSDate date],
+        @"data" : [NSNumber numberWithInt:1]
+      } ]
+    }
+  };
+
+  XCTAssertEqualObjects([c export], expected);
+}
+
+- (void)testAddingMetricWithSameSchema {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricCounter *a = [metricSet counterWithName:@"/santa/counter"
+                                        fieldNames:@[]
+                                          helpText:@"Test counter."];
+
+  SNTMetricCounter *b = [metricSet counterWithName:@"/santa/counter"
+                                        fieldNames:@[]
+                                          helpText:@"Test counter."];
+
+  XCTAssertEqual(a, b, @"Unexpected new counter returned.");
+}
+@end
+
+@implementation SNTMetricBooleanGaugeTest
+- (void)testSimpleGauge {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricBooleanGauge *b = [metricSet booleanGaugeWithName:@"/santa/daemon_connected"
+                                                  fieldNames:@[]
+                                                    helpText:@"Is the daemon connected."];
+  XCTAssertNotNil(b);
+  [b set:true forFieldValues:@[]];
+  XCTAssertTrue([b getBoolValueForFieldValues:@[]]);
+  [b set:false forFieldValues:@[]];
+  XCTAssertFalse([b getBoolValueForFieldValues:@[]]);
+}
+
+- (void)testExportNSDictionary {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricBooleanGauge *b = [metricSet booleanGaugeWithName:@"/santa/daemon_connected"
+                                                  fieldNames:@[]
+                                                    helpText:@"Is the daemon connected."];
+  XCTAssertNotNil(b);
+  [b set:true forFieldValues:@[]];
+  NSDictionary *expected = @{
+    @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeBool],
+    @"description" : @"Is the daemon connected.",
+    @"fields" : @{
+      @"" : @[ @{
+        @"value" : @"",
+        @"created" : [NSDate date],
+        @"last_updated" : [NSDate date],
+        @"data" : [NSNumber numberWithBool:true]
+      } ]
+    }
+  };
+
+  NSDictionary *output = [b export];
+  XCTAssertEqualObjects(output, expected);
+}
+
+- (void)testAddingBooleanWithSameSchema {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricBooleanGauge *a = [metricSet booleanGaugeWithName:@"/santa/daemon_connected"
+                                                  fieldNames:@[]
+                                                    helpText:@"Is the daemon connected."];
+
+  SNTMetricBooleanGauge *b = [metricSet booleanGaugeWithName:@"/santa/daemon_connected"
+                                                  fieldNames:@[]
+                                                    helpText:@"Is the daemon connected."];
+
+  XCTAssertEqual(a, b, @"Unexpected new boolean gauge returned.");
+}
+
+@end
+
+@implementation SNTMetricGaugeInt64Test
+- (void)testSimpleGauge {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricInt64Gauge *g =
+    [metricSet int64GaugeWithName:@"/santa/rules"
+                       fieldNames:@[ @"rule_type" ]
+                         helpText:@"Count of rules broken out by rule type."];
+
+  XCTAssertNotNil(g, @"Expected returned SNTMetricGaugeInt64 to not be nil");
+  // set from zero
+  [g set:250 forFieldValues:@[ @"binary" ]];
+  XCTAssertEqual(250, [g getGaugeValueForFieldValues:@[ @"binary" ]]);
+
+  // Increase the gauge
+  [g set:500 forFieldValues:@[ @"binary" ]];
+  XCTAssertEqual(500, [g getGaugeValueForFieldValues:@[ @"binary" ]]);
+  // Decrease after increase
+  [g set:100 forFieldValues:@[ @"binary" ]];
+  XCTAssertEqual(100, [g getGaugeValueForFieldValues:@[ @"binary" ]]);
+  // Increase after decrease
+  [g set:750 forFieldValues:@[ @"binary" ]];
+  XCTAssertEqual(750, [g getGaugeValueForFieldValues:@[ @"binary" ]]);
+  // TODO: export the tree to JSON and confirm the structure is correct.
+}
+
+- (void)testExportNSDictionary {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricInt64Gauge *g =
+    [metricSet int64GaugeWithName:@"/santa/rules"
+                       fieldNames:@[ @"rule_type" ]
+                         helpText:@"Count of rules broken out by rule type."];
+
+  XCTAssertNotNil(g, @"Expected returned SNTMetricGaugeInt64 to not be nil");
+  // set from zero
+  [g set:250 forFieldValues:@[ @"binary" ]];
+  XCTAssertEqual(250, [g getGaugeValueForFieldValues:@[ @"binary" ]]);
+
+  NSDictionary *expected = @{
+    @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeInt64],
+    @"description" : @"Count of rules broken out by rule type.",
+    @"fields" : @{
+      @"rule_type" : @[ @{
+        @"value" : @"binary",
+        @"created" : [NSDate date],
+        @"last_updated" : [NSDate date],
+        @"data" : [NSNumber numberWithInt:250]
+      } ]
+    }
+  };
+
+  XCTAssertEqualObjects([g export], expected);
+}
+
+- (void)testAddingMetricWithSameSchema {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricInt64Gauge *a = [metricSet int64GaugeWithName:@"/santa/int64gauge"
+                                              fieldNames:@[]
+                                                helpText:@"Test gauge."];
+
+  SNTMetricInt64Gauge *b = [metricSet int64GaugeWithName:@"/santa/int64gauge"
+                                              fieldNames:@[]
+                                                helpText:@"Test gauge."];
+
+  XCTAssertEqual(a, b, @"Unexpected new gauge returned.");
+}
+
+@end
+
+@implementation SNTMetricDoubleGaugeTest
+
+- (void)testSimpleGauge {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricDoubleGauge *g = [metricSet doubleGaugeWithName:@"/proc/cpu_usage"
+                                                fieldNames:@[ @"mode" ]
+                                                  helpText:@"CPU time consumed by this process."];
+
+  XCTAssertNotNil(g, @"Expected returned SNTMetricDoubleGauge to not be nil");
+  // set from zero
+  [g set:(double)0.45 forFieldValues:@[ @"user" ]];
+  XCTAssertEqual(0.45, [g getGaugeValueForFieldValues:@[ @"user" ]]);
+
+  // Increase the gauge
+  [g set:(double)0.90 forFieldValues:@[ @"user" ]];
+  XCTAssertEqual(0.90, [g getGaugeValueForFieldValues:@[ @"user" ]]);
+  // Decrease after increase
+  [g set:0.71 forFieldValues:@[ @"user" ]];
+  XCTAssertEqual(0.71, [g getGaugeValueForFieldValues:@[ @"user" ]]);
+  // Increase after decrease
+  [g set:0.75 forFieldValues:@[ @"user" ]];
+  XCTAssertEqual(0.75, [g getGaugeValueForFieldValues:@[ @"user" ]]);
+}
+
+- (void)testExportNSDictionary {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricDoubleGauge *g = [metricSet doubleGaugeWithName:@"/proc/cpu_usage"
+                                                fieldNames:@[ @"mode" ]
+                                                  helpText:@"CPU time consumed by this process."];
+
+  XCTAssertNotNil(g, @"Expected returned SNTMetricDoubleGauge to not be nil");
+  // set from zero
+  [g set:(double)0.45 forFieldValues:@[ @"user" ]];
+  [g set:(double)0.90 forFieldValues:@[ @"system" ]];
+
+  NSDictionary *expected = @{
+    @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeDouble],
+    @"description" : @"CPU time consumed by this process.",
+    @"fields" : @{
+      @"mode" : @[
+        @{
+          @"value" : @"user",
+          @"created" : [NSDate date],
+          @"last_updated" : [NSDate date],
+          @"data" : [NSNumber numberWithDouble:0.45]
+        },
+        @{
+          @"value" : @"system",
+          @"created" : [NSDate date],
+          @"last_updated" : [NSDate date],
+          @"data" : [NSNumber numberWithDouble:0.90]
+        }
+      ]
+    }
+  };
+  XCTAssertEqualObjects([g export], expected);
+}
+
+- (void)testAddingMetricWithSameSchema {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricDoubleGauge *a = [metricSet doubleGaugeWithName:@"/santa/doublegauge"
+                                                fieldNames:@[]
+                                                  helpText:@"Test gauge."];
+
+  SNTMetricDoubleGauge *b = [metricSet doubleGaugeWithName:@"/santa/doublegauge"
+                                                fieldNames:@[]
+                                                  helpText:@"Test gauge."];
+
+  XCTAssertEqual(a, b, @"Unexpected new gauge returned.");
+}
+@end
+
+@implementation SNTMetricStringGaugeTest
+- (void)testSimpleGauge {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricStringGauge *s = [metricSet stringGaugeWithName:@"/santa/mode"
+                                                fieldNames:@[]
+                                                  helpText:@"String description of the mode."];
+
+  XCTAssertNotNil(s);
+  [s set:@"testValue" forFieldValues:@[]];
+  XCTAssertEqualObjects([s getStringValueForFieldValues:@[]], @"testValue");
+}
+
+- (void)testExportNSDictionary {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricStringGauge *s = [metricSet stringGaugeWithName:@"/santa/mode"
+                                                fieldNames:@[]
+                                                  helpText:@"String description of the mode."];
+
+  XCTAssertNotNil(s);
+  [s set:@"testValue" forFieldValues:@[]];
+
+  NSDictionary *expected = @{
+    @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeString],
+    @"description" : @"String description of the mode.",
+    @"fields" : @{
+      @"" : @[ @{
+        @"value" : @"",
+        @"created" : [NSDate date],
+        @"last_updated" : [NSDate date],
+        @"data" : @"testValue"
+      } ]
+    }
+  };
+
+  XCTAssertEqualObjects([s export], expected);
+}
+
+- (void)testAddingMetricWithSameSchema {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricStringGauge *a = [metricSet stringGaugeWithName:@"/santa/stringgauge"
+                                                fieldNames:@[]
+                                                  helpText:@"Test gauge."];
+
+  SNTMetricStringGauge *b = [metricSet stringGaugeWithName:@"/santa/stringgauge"
+                                                fieldNames:@[]
+                                                  helpText:@"Test gauge."];
+
+  XCTAssertEqual(a, b, @"Unexpected new gauge returned.");
+}
+
+@end
+
+@implementation SNTMetricSetTest
+- (void)testRootLabels {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  [metricSet addRootLabel:@"hostname" value:@"localhost"];
+
+  NSDictionary *expected = @{@"root_labels" : @{@"hostname" : @"localhost"}, @"metrics" : @{}};
+
+  XCTAssertEqualObjects(expected, [metricSet export]);
+
+  // ensure that adding a rootLabel with the same name overwrites.
+  expected = @{@"root_labels" : @{@"hostname" : @"localhost2"}, @"metrics" : @{}};
+  [metricSet addRootLabel:@"hostname" value:@"localhost2"];
+
+  XCTAssertEqualObjects(expected, [metricSet export],
+                        @"failed to overwrite rootLabel with second call to addRootLabel");
+
+  // ensure that removing a rootLabelWorks
+  expected = @{@"root_labels" : @{}, @"metrics" : @{}};
+  [metricSet removeRootLabel:@"hostname"];
+}
+
+- (void)testDoubleRegisteringIncompatibleMetricsFails {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  SNTMetricCounter *c = [metricSet counterWithName:@"/foo/bar"
+                                        fieldNames:@[ @"field" ]
+                                          helpText:@"lorem ipsum"];
+
+  XCTAssertNotNil(c);
+  XCTAssertThrows([metricSet counterWithName:@"/foo/bar"
+                                  fieldNames:@[ @"incompatible" ]
+                                    helpText:@"A little help text"],
+                  @"Should raise error for incompatible field names");
+
+  XCTAssertThrows([metricSet counterWithName:@"/foo/bar"
+                                  fieldNames:@[ @"result" ]
+                                    helpText:@"INCOMPATIBLE"],
+                  @"Should raise error for incompatible help text");
+}
+
+- (void)testRegisterCallback {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  // Register a callback metric which increments by one before export
+  SNTMetricInt64Gauge *gauge = [metricSet int64GaugeWithName:@"/foo/bar"
+                                                  fieldNames:@[]
+                                                    helpText:@"Number of callbacks done"];
+  __block int count = 0;
+  [metricSet registerCallback:^(void) {
+    count++;
+    [gauge set:count forFieldValues:@[]];
+  }];
+
+  // ensure the callback is called.
+  [metricSet export];
+
+  XCTAssertEqual([gauge getGaugeValueForFieldValues:@[]], 1);
+}
+
+- (void)testAddConstantBool {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  [metricSet addConstantBooleanWithName:@"/tautology"
+                               helpText:@"The first rule of tautology club is the first rule"
+                                  value:YES];
+
+  NSDictionary *expected = @{
+    @"/tautology" : @{
+      @"description" : @"The first rule of tautology club is the first rule",
+      @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantBool],
+      @"fields" : @{
+        @"" : @[ @{
+          @"value" : @"",
+          @"created" : [NSDate date],
+          @"last_updated" : [NSDate date],
+          @"data" : [NSNumber numberWithBool:true]
+        } ]
+      }
+    }
+  };
+
+  XCTAssertEqualObjects([metricSet export][@"metrics"], expected);
+}
+
+- (void)testAddConstantString {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+
+  [metricSet addConstantStringWithName:@"/build/label"
+                              helpText:@"Build label for the binary"
+                                 value:@"20210806.0.1"];
+
+  NSDictionary *expected = @{
+    @"/build/label" : @{
+      @"description" : @"Build label for the binary",
+      @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantString],
+      @"fields" : @{
+        @"" : @[ @{
+          @"value" : @"",
+          @"created" : [NSDate date],
+          @"last_updated" : [NSDate date],
+          @"data" : @"20210806.0.1"
+        } ]
+      }
+    }
+  };
+
+  XCTAssertEqualObjects([metricSet export][@"metrics"], expected);
+}
+
+- (void)testAddConstantInt {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] init];
+  [metricSet addConstantIntegerWithName:@"/deep/thought/answer"
+                               helpText:@"Life, the universe, and everything"
+                                  value:42];
+
+  NSDictionary *expected = @{
+    @"/deep/thought/answer" : @{
+      @"description" : @"Life, the universe, and everything",
+      @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantInt64],
+      @"fields" : @{
+        @"" : @[ @{
+          @"value" : @"",
+          @"created" : [NSDate date],
+          @"last_updated" : [NSDate date],
+          @"data" : [NSNumber numberWithLongLong:42]
+        } ]
+      }
+    }
+  };
+
+  XCTAssertEqualObjects([metricSet export][@"metrics"], expected);
+}
+
+- (void)testExportNSDictionary {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] initWithHostname:@"testHost"
+                                                          username:@"testUser"];
+
+  // Add constants
+  [metricSet addConstantStringWithName:@"/build/label"
+                              helpText:@"Software version running."
+                                 value:@"20210809.0.1"];
+  [metricSet addConstantBooleanWithName:@"/santa/using_endpoint_security_framework"
+                               helpText:@"Is santad using the endpoint security framework."
+                                  value:TRUE];
+  [metricSet
+    addConstantIntegerWithName:@"/proc/birth_timestamp"
+                      helpText:@"Start time of this santad instance, in microseconds since epoch"
+                         value:(long long)(0x12345668910)];
+  // Add Metrics
+  SNTMetricCounter *c = [metricSet counterWithName:@"/santa/events"
+                                        fieldNames:@[ @"rule_type" ]
+                                          helpText:@"Count of events on the host"];
+
+  [c incrementForFieldValues:@[ @"binary" ]];
+  [c incrementBy:2 forFieldValues:@[ @"certificate" ]];
+
+  SNTMetricInt64Gauge *g = [metricSet int64GaugeWithName:@"/santa/rules"
+                                              fieldNames:@[ @"rule_type" ]
+                                                helpText:@"Number of rules."];
+
+  [g set:1 forFieldValues:@[ @"binary" ]];
+  [g set:3 forFieldValues:@[ @"certificate" ]];
+
+  // Add Metrics with callback
+  SNTMetricInt64Gauge *virtualMemoryGauge =
+    [metricSet int64GaugeWithName:@"/proc/memory/virtual_size"
+                       fieldNames:@[]
+                         helpText:@"The virtual memory size of this process."];
+
+  SNTMetricInt64Gauge *residentMemoryGauge =
+    [metricSet int64GaugeWithName:@"/proc/memory/resident_size"
+                       fieldNames:@[]
+                         helpText:@"The resident set size of this process."];
+
+  [metricSet registerCallback:^(void) {
+    [virtualMemoryGauge set:987654321 forFieldValues:@[]];
+    [residentMemoryGauge set:123456789 forFieldValues:@[]];
+  }];
+
+  NSDictionary *expected = @{
+    @"root_labels" : @{@"hostname" : @"testHost", @"username" : @"testUser"},
+    @"metrics" : @{
+      @"/build/label" : @{
+        @"description" : @"Software version running.",
+        @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantString],
+        @"fields" : @{
+          @"" : @[ @{
+            @"value" : @"",
+            @"created" : [NSDate date],
+            @"last_updated" : [NSDate date],
+            @"data" : @"20210809.0.1"
+          } ]
+        }
+      },
+      @"/santa/events" : @{
+        @"description" : @"Count of events on the host",
+        @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeCounter],
+        @"fields" : @{
+          @"rule_type" : @[
+            @{
+              @"value" : @"binary",
+              @"created" : [NSDate date],
+              @"last_updated" : [NSDate date],
+              @"data" : [NSNumber numberWithInt:1],
+            },
+            @{
+              @"value" : @"certificate",
+              @"created" : [NSDate date],
+              @"last_updated" : [NSDate date],
+              @"data" : [NSNumber numberWithInt:2],
+            },
+          ],
+        },
+      },
+      @"/santa/rules" : @{
+        @"description" : @"Number of rules.",
+        @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeInt64],
+        @"fields" : @{
+          @"rule_type" : @[
+            @{
+              @"value" : @"binary",
+              @"created" : [NSDate date],
+              @"last_updated" : [NSDate date],
+              @"data" : [NSNumber numberWithInt:1],
+            },
+            @{
+              @"value" : @"certificate",
+              @"created" : [NSDate date],
+              @"last_updated" : [NSDate date],
+              @"data" : [NSNumber numberWithInt:3],
+            }
+          ]
+        },
+      },
+      @"/santa/using_endpoint_security_framework" : @{
+        @"description" : @"Is santad using the endpoint security framework.",
+        @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantBool],
+        @"fields" : @{
+          @"" : @[ @{
+            @"value" : @"",
+            @"created" : [NSDate date],
+            @"last_updated" : [NSDate date],
+            @"data" : [NSNumber numberWithBool:YES]
+          } ]
+        }
+      },
+      @"/proc/birth_timestamp" : @{
+        @"description" : @"Start time of this santad instance, in microseconds since epoch",
+        @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantInt64],
+        @"fields" : @{
+          @"" : @[ @{
+            @"value" : @"",
+            @"created" : [NSDate date],
+            @"last_updated" : [NSDate date],
+            @"data" : [NSNumber numberWithLong:1250999830800]
+          } ]
+        },
+      },
+      @"/proc/memory/virtual_size" : @{
+        @"description" : @"The virtual memory size of this process.",
+        @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeInt64],
+        @"fields" : @{
+          @"" : @[ @{
+            @"value" : @"",
+            @"created" : [NSDate date],
+            @"last_updated" : [NSDate date],
+            @"data" : [NSNumber numberWithInt:987654321]
+          } ]
+        }
+      },
+      @"/proc/memory/resident_size" : @{
+        @"description" : @"The resident set size of this process.",
+        @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeInt64],
+        @"fields" : @{
+          @"" : @[ @{
+            @"value" : @"",
+            @"created" : [NSDate date],
+            @"last_updated" : [NSDate date],
+            @"data" : [NSNumber numberWithInt:123456789]
+          } ]
+        },
+      },
+    }
+  };
+
+  XCTAssertEqualObjects([metricSet export], expected);
+}
+@end
+
+@implementation SNTMetricSetHelperFunctionsTest
+- (void)testMakeMetricString {
+  NSArray<NSDictionary *> *tests = @[
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeUnknown],
+      @"expected" : @"SNTMetricTypeUnknown 0"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeConstantBool],
+      @"expected" : @"SNTMetricTypeConstantBool"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeConstantString],
+      @"expected" : @"SNTMetricTypeConstantString"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeConstantInt64],
+      @"expected" : @"SNTMetricTypeConstantInt64"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeConstantDouble],
+      @"expected" : @"SNTMetricTypeConstantDouble"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeGaugeBool],
+      @"expected" : @"SNTMetricTypeGaugeBool"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeGaugeString],
+      @"expected" : @"SNTMetricTypeGaugeString"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeGaugeInt64],
+      @"expected" : @"SNTMetricTypeGaugeInt64"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeGaugeDouble],
+      @"expected" : @"SNTMetricTypeGaugeDouble"
+    },
+    @{
+      @"input" : [NSNumber numberWithInt:SNTMetricTypeCounter],
+      @"expected" : @"SNTMetricTypeCounter"
+    }
+  ];
+
+  for (NSDictionary *test in tests) {
+    NSString *output = SNTMetricMakeStringFromMetricType([test[@"input"] integerValue]);
+    XCTAssertEqualObjects(test[@"expected"], output, @"expected %@ got %@", test[@"expected"],
+                          output);
+  }
+}
+
+- (void)testEnsureMetricsWithMultipleFieldNamesSerializeOnce {
+  SNTMetricSet *metricSet = [[SNTMetricSet alloc] initWithHostname:@"testHost"
+                                                          username:@"testUser"];
+
+  SNTMetricCounter *c =
+    [metricSet counterWithName:@"/santa/events"
+                    fieldNames:@[ @"client", @"event_type" ]
+                      helpText:@"Count of events on the host for a given ES client"];
+  [c incrementBy:1 forFieldValues:@[ @"device_manager", @"auth_mount" ]];
+
+  NSDictionary *expected = @{
+    @"/santa/events" : @{
+      @"description" : @"Count of events on the host for a given ES client",
+      @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeCounter],
+      @"fields" : @{
+        @"client,event_type" : @[
+          @{
+            @"value" : @"device_manager,auth_mount",
+            @"created" : [NSDate date],
+            @"last_updated" : [NSDate date],
+            @"data" : [NSNumber numberWithInt:1],
+          },
+        ],
+      },
+    },
+  };
+
+  NSDictionary *got = [metricSet export][@"metrics"];
+  XCTAssertEqualObjects(expected, got, @"metrics do not match expected");
+}
+@end

Source/common/SNTRule.h

@@ -1,4 +1,4 @@
-/// Copyright 2015 Google Inc. All rights reserved.
+/// Copyright 2015-2022 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -19,12 +19,12 @@
 ///
 ///  Represents a Rule.
 ///
-@interface SNTRule : NSObject<NSSecureCoding>
+@interface SNTRule : NSObject <NSSecureCoding>
 
 ///
 ///  The hash of the object this rule is for
 ///
-@property(copy) NSString *shasum;
+@property(copy) NSString *identifier;
 
 ///
 ///  The state of this rule
@@ -41,6 +41,11 @@
 ///
 @property(copy) NSString *customMsg;
 
+///
+///  A custom URL to take the user to when this binary is blocked from executing.
+///
+@property(copy) NSString *customURL;
+
 ///
 ///  The time when this rule was last retrieved from the rules database, if rule is transitive.
 ///  Stored as number of seconds since 00:00:00 UTC on 1 January 2001.
@@ -50,23 +55,33 @@
 ///
 ///  Designated initializer.
 ///
-- (instancetype)initWithShasum:(NSString *)shasum
-                         state:(SNTRuleState)state
-                          type:(SNTRuleType)type
-                     customMsg:(NSString *)customMsg
-                     timestamp:(NSUInteger)timestamp;
+- (instancetype)initWithIdentifier:(NSString *)identifier
+                             state:(SNTRuleState)state
+                              type:(SNTRuleType)type
+                         customMsg:(NSString *)customMsg
+                         timestamp:(NSUInteger)timestamp;
 
 ///
 ///  Initialize with a default timestamp: current time if rule state is transitive, 0 otherwise.
 ///
-- (instancetype)initWithShasum:(NSString *)shasum
-                         state:(SNTRuleState)state
-                          type:(SNTRuleType)type
-                     customMsg:(NSString *)customMsg;
+- (instancetype)initWithIdentifier:(NSString *)identifier
+                             state:(SNTRuleState)state
+                              type:(SNTRuleType)type
+                         customMsg:(NSString *)customMsg;
+
+///
+///  Initialize with a dictionary received from a sync server.
+///
+- (instancetype)initWithDictionary:(NSDictionary *)dict;
 
 ///
 ///  Sets timestamp of rule to the current time.
 ///
 - (void)resetTimestamp;
 
+///
+///  Returns a dictionary representation of the rule.
+///
+- (NSDictionary *)dictionaryRepresentation;
+
 @end

Source/common/SNTRule.m

@@ -14,20 +14,101 @@
 
 #import "Source/common/SNTRule.h"
 
-@interface SNTRule()
+#include <CommonCrypto/CommonCrypto.h>
+#include <os/base.h>
+
+#import "Source/common/SNTSyncConstants.h"
+
+// https://developer.apple.com/help/account/manage-your-team/locate-your-team-id/
+static const NSUInteger kExpectedTeamIDLength = 10;
+
+@interface SNTRule ()
 @property(readwrite) NSUInteger timestamp;
 @end
 
 @implementation SNTRule
 
-- (instancetype)initWithShasum:(NSString *)shasum
-                         state:(SNTRuleState)state
-                          type:(SNTRuleType)type
-                     customMsg:(NSString *)customMsg
-                     timestamp:(NSUInteger)timestamp {
+- (instancetype)initWithIdentifier:(NSString *)identifier
+                             state:(SNTRuleState)state
+                              type:(SNTRuleType)type
+                         customMsg:(NSString *)customMsg
+                         timestamp:(NSUInteger)timestamp {
   self = [super init];
   if (self) {
-    _shasum = shasum;
+    if (identifier.length == 0) {
+      return nil;
+    }
+
+    NSCharacterSet *nonHex =
+      [[NSCharacterSet characterSetWithCharactersInString:@"0123456789abcdef"] invertedSet];
+    NSCharacterSet *nonUppercaseAlphaNumeric = [[NSCharacterSet
+      characterSetWithCharactersInString:@"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"] invertedSet];
+
+    switch (type) {
+      case SNTRuleTypeBinary: OS_FALLTHROUGH;
+      case SNTRuleTypeCertificate: {
+        // For binary and certificate rules, force the hash identifier to be lowercase hex.
+        identifier = [identifier lowercaseString];
+
+        identifier = [identifier stringByTrimmingCharactersInSet:nonHex];
+        if (identifier.length != (CC_SHA256_DIGEST_LENGTH * 2)) {
+          return nil;
+        }
+
+        break;
+      }
+
+      case SNTRuleTypeTeamID: {
+        // TeamIDs are always [0-9A-Z], so enforce that the identifier is uppercase
+        identifier =
+          [[identifier uppercaseString] stringByTrimmingCharactersInSet:nonUppercaseAlphaNumeric];
+        if (identifier.length != kExpectedTeamIDLength) {
+          return nil;
+        }
+
+        break;
+      }
+
+      case SNTRuleTypeSigningID: {
+        // SigningID rules are a combination of `TeamID:SigningID`. The TeamID should
+        // be forced to be uppercase, but because very loose rules exist for SigningIDs,
+        // their case will be kept as-is. However, platform binaries are expected to
+        // have the hardcoded string "platform" as the team ID and the case will be left
+        // as is.
+        NSArray *sidComponents = [identifier componentsSeparatedByString:@":"];
+        if (!sidComponents || sidComponents.count < 2) {
+          return nil;
+        }
+
+        // The first component is the TeamID
+        NSString *teamID = sidComponents[0];
+
+        if (![teamID isEqualToString:@"platform"]) {
+          teamID =
+            [[teamID uppercaseString] stringByTrimmingCharactersInSet:nonUppercaseAlphaNumeric];
+          if (teamID.length != kExpectedTeamIDLength) {
+            return nil;
+          }
+        }
+
+        // The rest of the components are the Signing ID since ":" a legal character.
+        // Join all but the last element of the components to rebuild the SigningID.
+        NSString *signingID = [[sidComponents
+          subarrayWithRange:NSMakeRange(1, sidComponents.count - 1)] componentsJoinedByString:@":"];
+        if (signingID.length == 0) {
+          return nil;
+        }
+
+        identifier = [NSString stringWithFormat:@"%@:%@", teamID, signingID];
+        break;
+      }
+
+      default: {
+        break;
+      }
+    }
+
+    _identifier = identifier;
     _state = state;
     _type = type;
     _customMsg = customMsg;
@@ -36,28 +117,87 @@
   return self;
 }
 
-- (instancetype)initWithShasum:(NSString *)shasum
-                         state:(SNTRuleState)state
-                          type:(SNTRuleType)type
-                     customMsg:(NSString *)customMsg {
-  self = [self initWithShasum:shasum
-                        state:state
-                         type:type
-                    customMsg:customMsg
-                    timestamp:0];
+- (instancetype)initWithIdentifier:(NSString *)identifier
+                             state:(SNTRuleState)state
+                              type:(SNTRuleType)type
+                         customMsg:(NSString *)customMsg {
+  self = [self initWithIdentifier:identifier state:state type:type customMsg:customMsg timestamp:0];
   // Initialize timestamp to current time if rule is transitive.
-  if (self && state == SNTRuleStateWhitelistTransitive) {
+  if (self && state == SNTRuleStateAllowTransitive) {
     [self resetTimestamp];
   }
   return self;
 }
 
+// Converts rule information downloaded from the server into a SNTRule.  Because any information
+// not recorded by SNTRule is thrown away here, this method is also responsible for dealing with
+// the extra bundle rule information (bundle_hash & rule_count).
+- (instancetype)initWithDictionary:(NSDictionary *)dict {
+  if (![dict isKindOfClass:[NSDictionary class]]) return nil;
+
+  NSString *identifier = dict[kRuleIdentifier];
+  if (![identifier isKindOfClass:[NSString class]] || !identifier.length) {
+    identifier = dict[kRuleSHA256];
+  }
+  if (![identifier isKindOfClass:[NSString class]] || !identifier.length) return nil;
+
+  NSString *policyString = dict[kRulePolicy];
+  SNTRuleState state;
+  if (![policyString isKindOfClass:[NSString class]]) return nil;
+  if ([policyString isEqual:kRulePolicyAllowlist] ||
+      [policyString isEqual:kRulePolicyAllowlistDeprecated]) {
+    state = SNTRuleStateAllow;
+  } else if ([policyString isEqual:kRulePolicyAllowlistCompiler] ||
+             [policyString isEqual:kRulePolicyAllowlistCompilerDeprecated]) {
+    state = SNTRuleStateAllowCompiler;
+  } else if ([policyString isEqual:kRulePolicyBlocklist] ||
+             [policyString isEqual:kRulePolicyBlocklistDeprecated]) {
+    state = SNTRuleStateBlock;
+  } else if ([policyString isEqual:kRulePolicySilentBlocklist] ||
+             [policyString isEqual:kRulePolicySilentBlocklistDeprecated]) {
+    state = SNTRuleStateSilentBlock;
+  } else if ([policyString isEqual:kRulePolicyRemove]) {
+    state = SNTRuleStateRemove;
+  } else {
+    return nil;
+  }
+
+  NSString *ruleTypeString = dict[kRuleType];
+  SNTRuleType type;
+  if (![ruleTypeString isKindOfClass:[NSString class]]) return nil;
+  if ([ruleTypeString isEqual:kRuleTypeBinary]) {
+    type = SNTRuleTypeBinary;
+  } else if ([ruleTypeString isEqual:kRuleTypeCertificate]) {
+    type = SNTRuleTypeCertificate;
+  } else if ([ruleTypeString isEqual:kRuleTypeTeamID]) {
+    type = SNTRuleTypeTeamID;
+  } else if ([ruleTypeString isEqual:kRuleTypeSigningID]) {
+    type = SNTRuleTypeSigningID;
+  } else {
+    return nil;
+  }
+
+  NSString *customMsg = dict[kRuleCustomMsg];
+  if (![customMsg isKindOfClass:[NSString class]] || customMsg.length == 0) {
+    customMsg = nil;
+  }
+
+  NSString *customURL = dict[kRuleCustomURL];
+  if (![customURL isKindOfClass:[NSString class]] || customURL.length == 0) {
+    customURL = nil;
+  }
+
+  SNTRule *r = [self initWithIdentifier:identifier state:state type:type customMsg:customMsg];
+  r.customURL = customURL;
+  return r;
+}
 
 #pragma mark NSSecureCoding
 
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Wobjc-literal-conversion"
-#define ENCODE(obj, key) if (obj) [coder encodeObject:obj forKey:key]
+#define ENCODE(obj, key) \
+  if (obj) [coder encodeObject:obj forKey:key]
 #define DECODE(cls, key) [decoder decodeObjectOfClass:[cls class] forKey:key]
 
 + (BOOL)supportsSecureCoding {
@@ -65,25 +205,64 @@
 }
 
 - (void)encodeWithCoder:(NSCoder *)coder {
-  ENCODE(self.shasum, @"shasum");
+  ENCODE(self.identifier, @"identifier");
   ENCODE(@(self.state), @"state");
   ENCODE(@(self.type), @"type");
   ENCODE(self.customMsg, @"custommsg");
+  ENCODE(self.customURL, @"customurl");
   ENCODE(@(self.timestamp), @"timestamp");
 }
 
 - (instancetype)initWithCoder:(NSCoder *)decoder {
   self = [super init];
   if (self) {
-    _shasum = DECODE(NSString, @"shasum");
+    _identifier = DECODE(NSString, @"identifier");
     _state = [DECODE(NSNumber, @"state") intValue];
     _type = [DECODE(NSNumber, @"type") intValue];
     _customMsg = DECODE(NSString, @"custommsg");
+    _customURL = DECODE(NSString, @"customurl");
     _timestamp = [DECODE(NSNumber, @"timestamp") unsignedIntegerValue];
   }
   return self;
 }
 
+- (NSString *)ruleStateToPolicyString:(SNTRuleState)state {
+  switch (state) {
+    case SNTRuleStateAllow: return kRulePolicyAllowlist;
+    case SNTRuleStateAllowCompiler: return kRulePolicyAllowlistCompiler;
+    case SNTRuleStateBlock: return kRulePolicyBlocklist;
+    case SNTRuleStateSilentBlock: return kRulePolicySilentBlocklist;
+    case SNTRuleStateRemove: return kRulePolicyRemove;
+    case SNTRuleStateAllowTransitive: return @"AllowTransitive";
+    // This should never be hit. But is here for completion.
+    default: return @"Unknown";
+  }
+}
+
+- (NSString *)ruleTypeToString:(SNTRuleType)ruleType {
+  switch (ruleType) {
+    case SNTRuleTypeBinary: return kRuleTypeBinary;
+    case SNTRuleTypeCertificate: return kRuleTypeCertificate;
+    case SNTRuleTypeTeamID: return kRuleTypeTeamID;
+    case SNTRuleTypeSigningID: return kRuleTypeSigningID;
+    // This should never be hit. If we have rule types of Unknown then there's a
+    // coding error somewhere.
+    default: return @"Unknown";
+  }
+}
+
+// Returns an NSDictionary representation of the rule. Primarily use for
+// exporting rules.
+- (NSDictionary *)dictionaryRepresentation {
+  return @{
+    kRuleIdentifier : self.identifier,
+    kRulePolicy : [self ruleStateToPolicyString:self.state],
+    kRuleType : [self ruleTypeToString:self.type],
+    kRuleCustomMsg : self.customMsg ?: @"",
+    kRuleCustomURL : self.customURL ?: @""
+  };
+}
+
 #undef DECODE
 #undef ENCODE
 #pragma clang diagnostic pop
@@ -92,24 +271,25 @@
   if (other == self) return YES;
   if (![other isKindOfClass:[SNTRule class]]) return NO;
   SNTRule *o = other;
-  return ([self.shasum isEqual:o.shasum] && self.state == o.state && self.type == o.type);
+  return ([self.identifier isEqual:o.identifier] && self.state == o.state && self.type == o.type);
 }
 
 - (NSUInteger)hash {
   NSUInteger prime = 31;
   NSUInteger result = 1;
-  result = prime * result + [self.shasum hash];
+  result = prime * result + [self.identifier hash];
   result = prime * result + self.state;
   result = prime * result + self.type;
   return result;
 }
 
 - (NSString *)description {
-  return [NSString stringWithFormat:@"SNTRule: SHA-256: %@, State: %ld, Type: %ld, Timestamp: %lu",
-             self.shasum, self.state, self.type, (unsigned long)self.timestamp];
+  return [NSString
+    stringWithFormat:@"SNTRule: Identifier: %@, State: %ld, Type: %ld, Timestamp: %lu",
+                     self.identifier, self.state, self.type, (unsigned long)self.timestamp];
 }
 
-# pragma mark Last-access Timestamp
+#pragma mark Last-access Timestamp
 
 - (void)resetTimestamp {
   self.timestamp = (NSUInteger)[[NSDate date] timeIntervalSinceReferenceDate];

Source/common/SNTRuleTest.m

@@ -0,0 +1,288 @@
+/// Copyright 2022 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import <XCTest/XCTest.h>
+
+#import "Source/common/SNTCommonEnums.h"
+#import "Source/common/SNTSyncConstants.h"
+
+#import "Source/common/SNTRule.h"
+
+@interface SNTRuleTest : XCTestCase
+@end
+
+@implementation SNTRuleTest
+
+- (void)testInitWithDictionaryValid {
+  SNTRule *sut;
+
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"b7c1e3fd640c5f211c89b02c2c6122f78ce322aa5c56eb0bb54bc422a8f8b670",
+    @"policy" : @"ALLOWLIST",
+    @"rule_type" : @"BINARY",
+  }];
+  XCTAssertNotNil(sut);
+  XCTAssertEqualObjects(sut.identifier,
+                        @"b7c1e3fd640c5f211c89b02c2c6122f78ce322aa5c56eb0bb54bc422a8f8b670");
+  XCTAssertEqual(sut.type, SNTRuleTypeBinary);
+  XCTAssertEqual(sut.state, SNTRuleStateAllow);
+
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"sha256" : @"b7c1e3fd640c5f211c89b02c2c6122f78ce322aa5c56eb0bb54bc422a8f8b670",
+    @"policy" : @"BLOCKLIST",
+    @"rule_type" : @"CERTIFICATE",
+  }];
+  XCTAssertNotNil(sut);
+  XCTAssertEqualObjects(sut.identifier,
+                        @"b7c1e3fd640c5f211c89b02c2c6122f78ce322aa5c56eb0bb54bc422a8f8b670");
+  XCTAssertEqual(sut.type, SNTRuleTypeCertificate);
+  XCTAssertEqual(sut.state, SNTRuleStateBlock);
+
+  // Ensure a Binary and Certificate rules properly convert identifiers to lowercase.
+  for (NSString *ruleType in @[ @"BINARY", @"CERTIFICATE" ]) {
+    sut = [[SNTRule alloc] initWithDictionary:@{
+      @"identifier" : @"B7C1E3FD640C5F211C89B02C2C6122F78CE322AA5C56EB0BB54BC422A8F8B670",
+      @"policy" : @"BLOCKLIST",
+      @"rule_type" : ruleType,
+    }];
+    XCTAssertNotNil(sut);
+    XCTAssertEqualObjects(sut.identifier,
+                          @"b7c1e3fd640c5f211c89b02c2c6122f78ce322aa5c56eb0bb54bc422a8f8b670");
+  }
+
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"ABCDEFGHIJ",
+    @"policy" : @"SILENT_BLOCKLIST",
+    @"rule_type" : @"TEAMID",
+  }];
+  XCTAssertNotNil(sut);
+  XCTAssertEqualObjects(sut.identifier, @"ABCDEFGHIJ");
+  XCTAssertEqual(sut.type, SNTRuleTypeTeamID);
+  XCTAssertEqual(sut.state, SNTRuleStateSilentBlock);
+
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"b7c1e3fd640c5f211c89b02c2c6122f78ce322aa5c56eb0bb54bc422a8f8b670",
+    @"policy" : @"ALLOWLIST_COMPILER",
+    @"rule_type" : @"BINARY",
+  }];
+  XCTAssertNotNil(sut);
+  XCTAssertEqualObjects(sut.identifier,
+                        @"b7c1e3fd640c5f211c89b02c2c6122f78ce322aa5c56eb0bb54bc422a8f8b670");
+  XCTAssertEqual(sut.type, SNTRuleTypeBinary);
+  XCTAssertEqual(sut.state, SNTRuleStateAllowCompiler);
+
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"ABCDEFGHIJ",
+    @"policy" : @"REMOVE",
+    @"rule_type" : @"TEAMID",
+  }];
+  XCTAssertNotNil(sut);
+  XCTAssertEqualObjects(sut.identifier, @"ABCDEFGHIJ");
+  XCTAssertEqual(sut.type, SNTRuleTypeTeamID);
+  XCTAssertEqual(sut.state, SNTRuleStateRemove);
+
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"ABCDEFGHIJ",
+    @"policy" : @"ALLOWLIST",
+    @"rule_type" : @"TEAMID",
+    @"custom_msg" : @"A custom block message",
+    @"custom_url" : @"https://example.com",
+  }];
+  XCTAssertNotNil(sut);
+  XCTAssertEqualObjects(sut.identifier, @"ABCDEFGHIJ");
+  XCTAssertEqual(sut.type, SNTRuleTypeTeamID);
+  XCTAssertEqual(sut.state, SNTRuleStateAllow);
+  XCTAssertEqualObjects(sut.customMsg, @"A custom block message");
+  XCTAssertEqualObjects(sut.customURL, @"https://example.com");
+
+  // TeamIDs must be 10 chars in length
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"A",
+    @"policy" : @"ALLOWLIST",
+    @"rule_type" : @"TEAMID",
+  }];
+  XCTAssertNil(sut);
+
+  // TeamIDs must be only alphanumeric chars
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"ßßßßßßßßßß",
+    @"policy" : @"ALLOWLIST",
+    @"rule_type" : @"TEAMID",
+  }];
+  XCTAssertNil(sut);
+
+  // TeamIDs are converted to uppercase
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"abcdefghij",
+    @"policy" : @"REMOVE",
+    @"rule_type" : @"TEAMID",
+  }];
+  XCTAssertNotNil(sut);
+  XCTAssertEqualObjects(sut.identifier, @"ABCDEFGHIJ");
+
+  // SigningID tests
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"ABCDEFGHIJ:com.example",
+    @"policy" : @"REMOVE",
+    @"rule_type" : @"SIGNINGID",
+  }];
+  XCTAssertNotNil(sut);
+  XCTAssertEqualObjects(sut.identifier, @"ABCDEFGHIJ:com.example");
+  XCTAssertEqual(sut.type, SNTRuleTypeSigningID);
+  XCTAssertEqual(sut.state, SNTRuleStateRemove);
+
+  // Invalid SingingID tests:
+  for (NSString *ident in @[
+         @":com.example",     // missing team ID
+         @"ABCDEFGHIJ:",      // missing signing ID
+         @"ABC:com.example",  // Invalid team id
+         @":",                // missing team and signing IDs
+         @"",                 // empty string
+       ]) {
+    sut = [[SNTRule alloc] initWithDictionary:@{
+      @"identifier" : ident,
+      @"policy" : @"REMOVE",
+      @"rule_type" : @"SIGNINGID",
+    }];
+    XCTAssertNil(sut);
+  }
+
+  // Signing ID with lower team ID has case fixed up
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"abcdefghij:com.example",
+    @"policy" : @"REMOVE",
+    @"rule_type" : @"SIGNINGID",
+  }];
+  XCTAssertNotNil(sut);
+  XCTAssertEqualObjects(sut.identifier, @"ABCDEFGHIJ:com.example");
+
+  // Signing ID with lower platform team ID is left alone
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"platform:com.example",
+    @"policy" : @"REMOVE",
+    @"rule_type" : @"SIGNINGID",
+  }];
+  XCTAssertNotNil(sut);
+  XCTAssertEqualObjects(sut.identifier, @"platform:com.example");
+
+  // Signing ID can contain the TID:SID delimiter character (":")
+  for (NSString *ident in @[
+         @"ABCDEFGHIJ:com:",
+         @"ABCDEFGHIJ:com:example",
+         @"ABCDEFGHIJ::",
+         @"ABCDEFGHIJ:com:example:with:more:components:",
+       ]) {
+    sut = [[SNTRule alloc] initWithDictionary:@{
+      @"identifier" : ident,
+      @"policy" : @"ALLOWLIST",
+      @"rule_type" : @"SIGNINGID",
+    }];
+    XCTAssertNotNil(sut);
+    XCTAssertEqualObjects(sut.identifier, ident);
+  }
+}
+
+- (void)testInitWithDictionaryInvalid {
+  SNTRule *sut;
+
+  sut = [[SNTRule alloc] initWithDictionary:@{}];
+  XCTAssertNil(sut);
+
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"b7c1e3fd640c5f211c89b02c2c6122f78ce322aa5c56eb0bb54bc422a8f8b670",
+  }];
+  XCTAssertNil(sut);
+
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"an-identifier",
+    @"policy" : @"ALLOWLIST",
+    @"rule_type" : @"BINARY",
+  }];
+  XCTAssertNil(sut);
+
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"b7c1e3fd640c5f211c89b02c2c6122f78ce322aa5c56eb0bb54bc422a8f8b670",
+    @"policy" : @"OTHERPOLICY",
+    @"rule_type" : @"BINARY",
+  }];
+  XCTAssertNil(sut);
+
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"an-identifier",
+    @"policy" : @"ALLOWLIST",
+    @"rule_type" : @"OTHER_RULE_TYPE",
+  }];
+  XCTAssertNil(sut);
+}
+
+- (void)testRuleDictionaryRepresentation {
+  NSDictionary *expectedTeamID = @{
+    @"identifier" : @"ABCDEFGHIJ",
+    @"policy" : @"ALLOWLIST",
+    @"rule_type" : @"TEAMID",
+    @"custom_msg" : @"A custom block message",
+    @"custom_url" : @"https://example.com",
+  };
+
+  SNTRule *sut = [[SNTRule alloc] initWithDictionary:expectedTeamID];
+  NSDictionary *dict = [sut dictionaryRepresentation];
+  XCTAssertEqualObjects(expectedTeamID, dict);
+
+  NSDictionary *expectedBinary = @{
+    @"identifier" : @"84de9c61777ca36b13228e2446d53e966096e78db7a72c632b5c185b2ffe68a6",
+    @"policy" : @"BLOCKLIST",
+    @"rule_type" : @"BINARY",
+    @"custom_msg" : @"",
+    @"custom_url" : @"",
+  };
+
+  sut = [[SNTRule alloc] initWithDictionary:expectedBinary];
+  dict = [sut dictionaryRepresentation];
+
+  XCTAssertEqualObjects(expectedBinary, dict);
+}
+
+- (void)testRuleStateToPolicyString {
+  NSDictionary *expected = @{
+    @"identifier" : @"84de9c61777ca36b13228e2446d53e966096e78db7a72c632b5c185b2ffe68a6",
+    @"policy" : @"ALLOWLIST",
+    @"rule_type" : @"BINARY",
+    @"custom_msg" : @"A custom block message",
+    @"custom_url" : @"https://example.com",
+  };
+
+  SNTRule *sut = [[SNTRule alloc] initWithDictionary:expected];
+  sut.state = SNTRuleStateBlock;
+  XCTAssertEqualObjects(kRulePolicyBlocklist, [sut dictionaryRepresentation][kRulePolicy]);
+  sut.state = SNTRuleStateSilentBlock;
+  XCTAssertEqualObjects(kRulePolicySilentBlocklist, [sut dictionaryRepresentation][kRulePolicy]);
+  sut.state = SNTRuleStateAllow;
+  XCTAssertEqualObjects(kRulePolicyAllowlist, [sut dictionaryRepresentation][kRulePolicy]);
+  sut.state = SNTRuleStateAllowCompiler;
+  XCTAssertEqualObjects(kRulePolicyAllowlistCompiler, [sut dictionaryRepresentation][kRulePolicy]);
+  // Invalid states
+  sut.state = SNTRuleStateRemove;
+  XCTAssertEqualObjects(kRulePolicyRemove, [sut dictionaryRepresentation][kRulePolicy]);
+}
+
+/*
+- (void)testRuleTypeToString {
+  SNTRule *sut = [[SNTRule alloc] init];
+  XCTAssertEqual(kRuleTypeBinary, [sut ruleTypeToString:@""]);//SNTRuleTypeBinary]);
+  XCTAssertEqual(kRuleTypeCertificate,[sut ruleTypeToString:SNTRuleTypeCertificate]);
+  XCTAssertEqual(kRuleTypeTeamID, [sut ruleTypeToString:SNTRuleTypeTeamID]);
+  XCTAssertEqual(kRuleTypeSigningID,[sut ruleTypeToString:SNTRuleTypeSigningID]);
+}*/
+
+@end

Source/common/SNTStoredEvent.h

@@ -1,4 +1,4 @@
-/// Copyright 2015 Google Inc. All rights reserved.
+/// Copyright 2015-2022 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -19,7 +19,7 @@
 ///
 ///  Represents an event stored in the database.
 ///
-@interface SNTStoredEvent : NSObject<NSSecureCoding>
+@interface SNTStoredEvent : NSObject <NSSecureCoding>
 
 ///
 ///  An index for this event, randomly generated during initialization.
@@ -95,6 +95,16 @@
 ///
 @property NSArray *signingChain;
 
+///
+/// If the executed file was signed, this is the Team ID if present in the signature information.
+///
+@property NSString *teamID;
+
+///
+/// If the executed file was signed, this is the Signing ID if present in the signature information.
+///
+@property NSString *signingID;
+
 ///
 ///  The user who executed the binary.
 ///

Source/common/SNTStoredEvent.m

@@ -21,11 +21,12 @@
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Wobjc-literal-conversion"
 
-#define ENCODE(obj, key) if (obj) [coder encodeObject:obj forKey:key]
+#define ENCODE(obj, key) \
+  if (obj) [coder encodeObject:obj forKey:key]
 #define DECODE(cls, key) [decoder decodeObjectOfClass:[cls class] forKey:key]
-#define DECODEARRAY(cls, key) \
-    [decoder decodeObjectOfClasses:[NSSet setWithObjects:[NSArray class], [cls class], nil] \
-                            forKey:key]
+#define DECODEARRAY(cls, key)                                                             \
+  [decoder decodeObjectOfClasses:[NSSet setWithObjects:[NSArray class], [cls class], nil] \
+                          forKey:key]
 
 + (BOOL)supportsSecureCoding {
   return YES;
@@ -48,6 +49,8 @@
   ENCODE(self.fileBundleVersionString, @"fileBundleVersionString");
 
   ENCODE(self.signingChain, @"signingChain");
+  ENCODE(self.teamID, @"teamID");
+  ENCODE(self.signingID, @"signingID");
 
   ENCODE(self.executingUser, @"executingUser");
   ENCODE(self.occurrenceDate, @"occurrenceDate");
@@ -92,10 +95,12 @@
     _fileBundleVersionString = DECODE(NSString, @"fileBundleVersionString");
 
     _signingChain = DECODEARRAY(MOLCertificate, @"signingChain");
+    _teamID = DECODE(NSString, @"teamID");
+    _signingID = DECODE(NSString, @"signingID");
 
     _executingUser = DECODE(NSString, @"executingUser");
     _occurrenceDate = DECODE(NSDate, @"occurrenceDate");
-    _decision = (SNTEventState)[DECODE(NSNumber, @"decision") intValue];
+    _decision = (SNTEventState)[DECODE(NSNumber, @"decision") unsignedLongLongValue];
     _pid = DECODE(NSNumber, @"pid");
     _ppid = DECODE(NSNumber, @"ppid");
     _parentName = DECODE(NSString, @"parentName");
@@ -129,7 +134,7 @@
 
 - (NSString *)description {
   return
-      [NSString stringWithFormat:@"SNTStoredEvent[%@] with SHA-256: %@", self.idx, self.fileSHA256];
+    [NSString stringWithFormat:@"SNTStoredEvent[%@] with SHA-256: %@", self.idx, self.fileSHA256];
 }
 
 #pragma clang diagnostic pop

Source/common/SNTStrengthify.h

@@ -1,4 +1,4 @@
-/// Copyright 2016 Google Inc. All rights reserved.
+/// Copyright 2016-2022 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -12,11 +12,14 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#define STRONGIFY(var) \
-  _Pragma("clang diagnostic push") \
+// clang-format off
+
+#define STRONGIFY(var)                             \
+  _Pragma("clang diagnostic push")                 \
   _Pragma("clang diagnostic ignored \"-Wshadow\"") \
-  __strong __typeof(var) var = (Weak_##var); \
+  __strong __typeof(var) var = (Weak_##var);   \
   _Pragma("clang diagnostic pop")
 
-#define WEAKIFY(var) \
-  __weak __typeof(var) Weak_##var = (var);
+#define WEAKIFY(var) __weak __typeof(var) Weak_##var = (var);
+
+// clang-format on

Source/common/SNTSyncConstants.h

@@ -14,13 +14,15 @@
 
 #import <Foundation/Foundation.h>
 
-extern NSString *const kXSRFToken;
+extern NSString *const kDefaultXSRFTokenHeader;
+extern NSString *const kXSRFTokenHeader;
 
 extern NSString *const kSerialNumber;
 extern NSString *const kHostname;
 extern NSString *const kSantaVer;
 extern NSString *const kOSVer;
 extern NSString *const kOSBuild;
+extern NSString *const kModelIdentifier;
 extern NSString *const kPrimaryUser;
 extern NSString *const kRequestCleanSync;
 extern NSString *const kBatchSize;
@@ -28,20 +30,32 @@ extern NSString *const kUploadLogsURL;
 extern NSString *const kClientMode;
 extern NSString *const kClientModeMonitor;
 extern NSString *const kClientModeLockdown;
-extern NSString *const kCleanSync;
-extern NSString *const kWhitelistRegex;
-extern NSString *const kBlacklistRegex;
+extern NSString *const kBlockUSBMount;
+extern NSString *const kRemountUSBMode;
+extern NSString *const kCleanSyncDeprecated;
+extern NSString *const kSyncType;
+extern NSString *const kAllowedPathRegex;
+extern NSString *const kAllowedPathRegexDeprecated;
+extern NSString *const kBlockedPathRegex;
+extern NSString *const kBlockedPathRegexDeprecated;
 extern NSString *const kBinaryRuleCount;
 extern NSString *const kCertificateRuleCount;
 extern NSString *const kCompilerRuleCount;
 extern NSString *const kTransitiveRuleCount;
+extern NSString *const kTeamIDRuleCount;
+extern NSString *const kSigningIDRuleCount;
+extern NSString *const kFullSyncInterval;
 extern NSString *const kFCMToken;
 extern NSString *const kFCMFullSyncInterval;
 extern NSString *const kFCMGlobalRuleSyncDeadline;
 extern NSString *const kEnableBundles;
-extern NSString *const kEnableBundles_OLD;
-extern NSString *const kEnableTransitiveWhitelisting;
-extern NSString *const kEnableTransitiveWhitelisting_OLD;
+extern NSString *const kEnableBundlesDeprecated;
+extern NSString *const kEnableTransitiveRules;
+extern NSString *const kEnableTransitiveRulesDeprecated;
+extern NSString *const kEnableTransitiveRulesSuperDeprecated;
+extern NSString *const kEnableAllEventUpload;
+extern NSString *const kDisableUnknownEventUpload;
+extern NSString *const kOverrideFileAccessAction;
 
 extern NSString *const kEvents;
 extern NSString *const kFileSHA256;
@@ -54,10 +68,14 @@ extern NSString *const kDecisionAllowUnknown;
 extern NSString *const kDecisionAllowBinary;
 extern NSString *const kDecisionAllowCertificate;
 extern NSString *const kDecisionAllowScope;
+extern NSString *const kDecisionAllowTeamID;
+extern NSString *const kDecisionAllowSigningID;
 extern NSString *const kDecisionBlockUnknown;
 extern NSString *const kDecisionBlockBinary;
 extern NSString *const kDecisionBlockCertificate;
 extern NSString *const kDecisionBlockScope;
+extern NSString *const kDecisionBlockTeamID;
+extern NSString *const kDecisionBlockSigningID;
 extern NSString *const kDecisionUnknown;
 extern NSString *const kDecisionBundleBinary;
 extern NSString *const kLoggedInUsers;
@@ -81,6 +99,8 @@ extern NSString *const kCertOrg;
 extern NSString *const kCertOU;
 extern NSString *const kCertValidFrom;
 extern NSString *const kCertValidUntil;
+extern NSString *const kTeamID;
+extern NSString *const kSigningID;
 extern NSString *const kQuarantineDataURL;
 extern NSString *const kQuarantineRefererURL;
 extern NSString *const kQuarantineTimestamp;
@@ -89,16 +109,24 @@ extern NSString *const kEventUploadBundleBinaries;
 
 extern NSString *const kRules;
 extern NSString *const kRuleSHA256;
+extern NSString *const kRuleIdentifier;
 extern NSString *const kRulePolicy;
-extern NSString *const kRulePolicyWhitelist;
-extern NSString *const kRulePolicyWhitelistCompiler;
-extern NSString *const kRulePolicyBlacklist;
-extern NSString *const kRulePolicySilentBlacklist;
+extern NSString *const kRulePolicyAllowlist;
+extern NSString *const kRulePolicyAllowlistDeprecated;
+extern NSString *const kRulePolicyAllowlistCompiler;
+extern NSString *const kRulePolicyAllowlistCompilerDeprecated;
+extern NSString *const kRulePolicyBlocklist;
+extern NSString *const kRulePolicyBlocklistDeprecated;
+extern NSString *const kRulePolicySilentBlocklist;
+extern NSString *const kRulePolicySilentBlocklistDeprecated;
 extern NSString *const kRulePolicyRemove;
 extern NSString *const kRuleType;
 extern NSString *const kRuleTypeBinary;
 extern NSString *const kRuleTypeCertificate;
+extern NSString *const kRuleTypeTeamID;
+extern NSString *const kRuleTypeSigningID;
 extern NSString *const kRuleCustomMsg;
+extern NSString *const kRuleCustomURL;
 extern NSString *const kCursor;
 
 extern NSString *const kBackoffInterval;
@@ -110,6 +138,9 @@ extern NSString *const kLogSync;
 
 extern const NSUInteger kDefaultEventBatchSize;
 
+extern NSString *const kPostflightRulesReceived;
+extern NSString *const kPostflightRulesProcessed;
+
 ///
 ///  kDefaultFullSyncInterval
 ///  kDefaultFCMFullSyncInterval
@@ -118,6 +149,5 @@ extern const NSUInteger kDefaultEventBatchSize;
 ///  Are represented in seconds
 ///
 extern const NSUInteger kDefaultFullSyncInterval;
-extern const NSUInteger kDefaultFCMFullSyncInterval;
-extern const NSUInteger kDefaultFCMGlobalRuleSyncDeadline;
-
+extern const NSUInteger kDefaultPushNotificationsFullSyncInterval;
+extern const NSUInteger kDefaultPushNotificationsGlobalRuleSyncDeadline;

Source/common/SNTSyncConstants.m

@@ -12,38 +12,51 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#import "SNTCommandSyncConstants.h"
+#import "Source/common/SNTSyncConstants.h"
 
-NSString *const kXSRFToken = @"X-XSRF-TOKEN";
+NSString *const kDefaultXSRFTokenHeader = @"X-XSRF-TOKEN";
+NSString *const kXSRFTokenHeader = @"X-XSRF-TOKEN-HEADER";
 
 NSString *const kSerialNumber = @"serial_num";
 NSString *const kHostname = @"hostname";
 NSString *const kSantaVer = @"santa_version";
 NSString *const kOSVer = @"os_version";
 NSString *const kOSBuild = @"os_build";
+NSString *const kModelIdentifier = @"model_identifier";
 NSString *const kPrimaryUser = @"primary_user";
 NSString *const kRequestCleanSync = @"request_clean_sync";
 NSString *const kBatchSize = @"batch_size";
 NSString *const kUploadLogsURL = @"upload_logs_url";
 NSString *const kClientMode = @"client_mode";
+NSString *const kBlockUSBMount = @"block_usb_mount";
+NSString *const kRemountUSBMode = @"remount_usb_mode";
 NSString *const kClientModeMonitor = @"MONITOR";
 NSString *const kClientModeLockdown = @"LOCKDOWN";
-NSString *const kCleanSync = @"clean_sync";
-NSString *const kWhitelistRegex = @"whitelist_regex";
-NSString *const kBlacklistRegex = @"blacklist_regex";
+NSString *const kCleanSyncDeprecated = @"clean_sync";
+NSString *const kSyncType = @"sync_type";
+NSString *const kAllowedPathRegex = @"allowed_path_regex";
+NSString *const kAllowedPathRegexDeprecated = @"whitelist_regex";
+NSString *const kBlockedPathRegex = @"blocked_path_regex";
+NSString *const kBlockedPathRegexDeprecated = @"blacklist_regex";
 NSString *const kBinaryRuleCount = @"binary_rule_count";
 NSString *const kCertificateRuleCount = @"certificate_rule_count";
 NSString *const kCompilerRuleCount = @"compiler_rule_count";
 NSString *const kTransitiveRuleCount = @"transitive_rule_count";
+NSString *const kTeamIDRuleCount = @"teamid_rule_count";
+NSString *const kSigningIDRuleCount = @"signingid_rule_count";
+NSString *const kFullSyncInterval = @"full_sync_interval";
 NSString *const kFCMToken = @"fcm_token";
 NSString *const kFCMFullSyncInterval = @"fcm_full_sync_interval";
 NSString *const kFCMGlobalRuleSyncDeadline = @"fcm_global_rule_sync_deadline";
+NSString *const kOverrideFileAccessAction = @"override_file_access_action";
 
-// NOTE: Both of the _OLD values will be removed at some indeterminate point in the future.
 NSString *const kEnableBundles = @"enable_bundles";
-NSString *const kEnableBundles_OLD = @"bundles_enabled";
-NSString *const kEnableTransitiveWhitelisting = @"enabled_transitive_whitelisting";
-NSString *const kEnableTransitiveWhitelisting_OLD = @"transitive_whitelisting_enabled";
+NSString *const kEnableBundlesDeprecated = @"bundles_enabled";
+NSString *const kEnableTransitiveRules = @"enable_transitive_rules";
+NSString *const kEnableTransitiveRulesDeprecated = @"enabled_transitive_whitelisting";
+NSString *const kEnableTransitiveRulesSuperDeprecated = @"transitive_whitelisting_enabled";
+NSString *const kEnableAllEventUpload = @"enable_all_event_upload";
+NSString *const kDisableUnknownEventUpload = @"disable_unknown_event_upload";
 
 NSString *const kEvents = @"events";
 NSString *const kFileSHA256 = @"file_sha256";
@@ -56,10 +69,14 @@ NSString *const kDecisionAllowUnknown = @"ALLOW_UNKNOWN";
 NSString *const kDecisionAllowBinary = @"ALLOW_BINARY";
 NSString *const kDecisionAllowCertificate = @"ALLOW_CERTIFICATE";
 NSString *const kDecisionAllowScope = @"ALLOW_SCOPE";
+NSString *const kDecisionAllowTeamID = @"ALLOW_TEAMID";
+NSString *const kDecisionAllowSigningID = @"ALLOW_SIGNINGID";
 NSString *const kDecisionBlockUnknown = @"BLOCK_UNKNOWN";
 NSString *const kDecisionBlockBinary = @"BLOCK_BINARY";
 NSString *const kDecisionBlockCertificate = @"BLOCK_CERTIFICATE";
 NSString *const kDecisionBlockScope = @"BLOCK_SCOPE";
+NSString *const kDecisionBlockTeamID = @"BLOCK_TEAMID";
+NSString *const kDecisionBlockSigningID = @"BLOCK_SIGNINGID";
 NSString *const kDecisionUnknown = @"UNKNOWN";
 NSString *const kDecisionBundleBinary = @"BUNDLE_BINARY";
 NSString *const kLoggedInUsers = @"logged_in_users";
@@ -83,6 +100,8 @@ NSString *const kCertOrg = @"org";
 NSString *const kCertOU = @"ou";
 NSString *const kCertValidFrom = @"valid_from";
 NSString *const kCertValidUntil = @"valid_until";
+NSString *const kTeamID = @"team_id";
+NSString *const kSigningID = @"signing_id";
 NSString *const kQuarantineDataURL = @"quarantine_data_url";
 NSString *const kQuarantineRefererURL = @"quarantine_referer_url";
 NSString *const kQuarantineTimestamp = @"quarantine_timestamp";
@@ -91,16 +110,24 @@ NSString *const kEventUploadBundleBinaries = @"event_upload_bundle_binaries";
 
 NSString *const kRules = @"rules";
 NSString *const kRuleSHA256 = @"sha256";
+NSString *const kRuleIdentifier = @"identifier";
 NSString *const kRulePolicy = @"policy";
-NSString *const kRulePolicyWhitelist = @"WHITELIST";
-NSString *const kRulePolicyWhitelistCompiler = @"WHITELIST_COMPILER";
-NSString *const kRulePolicyBlacklist = @"BLACKLIST";
-NSString *const kRulePolicySilentBlacklist = @"SILENT_BLACKLIST";
+NSString *const kRulePolicyAllowlist = @"ALLOWLIST";
+NSString *const kRulePolicyAllowlistDeprecated = @"WHITELIST";
+NSString *const kRulePolicyAllowlistCompiler = @"ALLOWLIST_COMPILER";
+NSString *const kRulePolicyAllowlistCompilerDeprecated = @"WHITELIST_COMPILER";
+NSString *const kRulePolicyBlocklist = @"BLOCKLIST";
+NSString *const kRulePolicyBlocklistDeprecated = @"BLACKLIST";
+NSString *const kRulePolicySilentBlocklist = @"SILENT_BLOCKLIST";
+NSString *const kRulePolicySilentBlocklistDeprecated = @"SILENT_BLACKLIST";
 NSString *const kRulePolicyRemove = @"REMOVE";
 NSString *const kRuleType = @"rule_type";
 NSString *const kRuleTypeBinary = @"BINARY";
 NSString *const kRuleTypeCertificate = @"CERTIFICATE";
+NSString *const kRuleTypeTeamID = @"TEAMID";
+NSString *const kRuleTypeSigningID = @"SIGNINGID";
 NSString *const kRuleCustomMsg = @"custom_msg";
+NSString *const kRuleCustomURL = @"custom_url";
 NSString *const kCursor = @"cursor";
 
 NSString *const kBackoffInterval = @"backoff";
@@ -110,7 +137,10 @@ NSString *const kRuleSync = @"rule_sync";
 NSString *const kConfigSync = @"config_sync";
 NSString *const kLogSync = @"log_sync";
 
+NSString *const kPostflightRulesReceived = @"rules_received";
+NSString *const kPostflightRulesProcessed = @"rules_processed";
+
 const NSUInteger kDefaultEventBatchSize = 50;
 const NSUInteger kDefaultFullSyncInterval = 600;
-const NSUInteger kDefaultFCMFullSyncInterval = 14400;
-const NSUInteger kDefaultFCMGlobalRuleSyncDeadline = 600;
+const NSUInteger kDefaultPushNotificationsFullSyncInterval = 14400;
+const NSUInteger kDefaultPushNotificationsGlobalRuleSyncDeadline = 600;

Source/common/SNTSystemInfo.h

@@ -49,4 +49,9 @@
 ///
 + (NSString *)longHostname;
 
+///
+///  @return Model Identifier
+///
++ (NSString *)modelIdentifier;
+
 @end

Source/common/SNTSystemInfo.m

@@ -1,4 +1,4 @@
-/// Copyright 2015 Google Inc. All rights reserved.
+/// Copyright 2015-2022 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -13,16 +13,20 @@
 ///    limitations under the License.
 
 #import "Source/common/SNTSystemInfo.h"
+#include <sys/sysctl.h>
 
 @implementation SNTSystemInfo
 
 + (NSString *)serialNumber {
-  io_service_t platformExpert = IOServiceGetMatchingService(
-      kIOMasterPortDefault, IOServiceMatching("IOPlatformExpertDevice"));
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
+  io_service_t platformExpert =
+    IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOPlatformExpertDevice"));
+#pragma clang diagnostic pop
   if (!platformExpert) return nil;
 
   NSString *serial = CFBridgingRelease(IORegistryEntryCreateCFProperty(
-      platformExpert, CFSTR(kIOPlatformSerialNumberKey), kCFAllocatorDefault, 0));
+    platformExpert, CFSTR(kIOPlatformSerialNumberKey), kCFAllocatorDefault, 0));
 
   IOObjectRelease(platformExpert);
 
@@ -30,12 +34,15 @@
 }
 
 + (NSString *)hardwareUUID {
-  io_service_t platformExpert = IOServiceGetMatchingService(
-      kIOMasterPortDefault, IOServiceMatching("IOPlatformExpertDevice"));
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
+  io_service_t platformExpert =
+    IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOPlatformExpertDevice"));
+#pragma clang diagnostic pop
   if (!platformExpert) return nil;
 
   NSString *uuid = CFBridgingRelease(IORegistryEntryCreateCFProperty(
-      platformExpert, CFSTR(kIOPlatformUUIDKey), kCFAllocatorDefault, 0));
+    platformExpert, CFSTR(kIOPlatformUUIDKey), kCFAllocatorDefault, 0));
 
   IOObjectRelease(platformExpert);
 
@@ -60,11 +67,18 @@
   return @(hostname);
 }
 
++ (NSString *)modelIdentifier {
+  char model[32];
+  size_t len = 32;
+  sysctlbyname("hw.model", model, &len, NULL, 0);
+  return @(model);
+}
+
 #pragma mark - Internal
 
 + (NSDictionary *)_systemVersionDictionary {
-  return [NSDictionary
-      dictionaryWithContentsOfFile:@"/System/Library/CoreServices/SystemVersion.plist"];
+  return
+    [NSDictionary dictionaryWithContentsOfFile:@"/System/Library/CoreServices/SystemVersion.plist"];
 }
 
 @end

Source/common/SNTXPCBundleServiceInterface.h

@@ -14,6 +14,8 @@
 
 #import <Foundation/Foundation.h>
 
+#import <MOLXPCConnection/MOLXPCConnection.h>
+
 @class SNTStoredEvent;
 
 ///  A block that takes the calculated bundle hash, associated events and hashing time in ms.
@@ -25,7 +27,7 @@ typedef void (^SNTBundleHashBlock)(NSString *, NSArray<SNTStoredEvent *> *, NSNu
 ///
 ///  @param listener The listener to connect back to the SantaGUI.
 ///
-- (void)setBundleNotificationListener:(NSXPCListenerEndpoint *)listener;
+- (void)setNotificationListener:(NSXPCListenerEndpoint *)listener;
 
 ///
 ///  Hash a bundle for an event. The SNTBundleHashBlock will be called with nil parameters if a
@@ -39,6 +41,12 @@ typedef void (^SNTBundleHashBlock)(NSString *, NSArray<SNTStoredEvent *> *, NSNu
 ///
 - (void)hashBundleBinariesForEvent:(SNTStoredEvent *)event reply:(SNTBundleHashBlock)reply;
 
+///
+///  santabundleservice is launched on demand by launchd, call spindown to let santabundleservice
+///  know you are done with it.
+///
+- (void)spindown;
+
 @end
 
 @interface SNTXPCBundleServiceInterface : NSObject
@@ -52,6 +60,12 @@ typedef void (^SNTBundleHashBlock)(NSString *, NSArray<SNTStoredEvent *> *, NSNu
 ///
 ///  Returns the MachService ID for this service.
 ///
-+ (NSString *)serviceId;
++ (NSString *)serviceID;
+
+///
+///  Retrieve a pre-configured MOLXPCConnection for communicating with santabundleservice.
+///  Connections just needs any handlers set and then can be resumed and used.
+///
++ (MOLXPCConnection *)configuredConnection;
 
 @end

Source/common/SNTXPCBundleServiceInterface.m

@@ -22,15 +22,22 @@
   NSXPCInterface *r = [NSXPCInterface interfaceWithProtocol:@protocol(SNTBundleServiceXPC)];
 
   [r setClasses:[NSSet setWithObjects:[NSArray class], [SNTStoredEvent class], nil]
-        forSelector:@selector(hashBundleBinariesForEvent:reply:)
-      argumentIndex:1
-            ofReply:YES];
+      forSelector:@selector(hashBundleBinariesForEvent:reply:)
+    argumentIndex:1
+          ofReply:YES];
 
   return r;
 }
 
-+ (NSString *)serviceId {
-  return @"com.google.santabs";
++ (NSString *)serviceID {
+  return @"com.google.santa.bundleservice";
+}
+
++ (MOLXPCConnection *)configuredConnection {
+  MOLXPCConnection *c = [[MOLXPCConnection alloc] initClientWithName:[self serviceID]
+                                                          privileged:YES];
+  c.remoteInterface = [self bundleServiceInterface];
+  return c;
 }
 
 @end

Source/common/SNTXPCControlInterface.h

@@ -20,7 +20,7 @@
 @protocol SNTDaemonControlXPC <SNTUnprivilegedDaemonControlXPC>
 
 ///
-///  Kernel ops
+///  Cache ops
 ///
 - (void)flushCache:(void (^)(BOOL))reply;
 
@@ -28,41 +28,63 @@
 ///  Database ops
 ///
 - (void)databaseRuleAddRules:(NSArray *)rules
-                  cleanSlate:(BOOL)cleanSlate
+                 ruleCleanup:(SNTRuleCleanup)cleanupType
                        reply:(void (^)(NSError *error))reply;
 - (void)databaseEventsPending:(void (^)(NSArray *events))reply;
 - (void)databaseRemoveEventsWithIDs:(NSArray *)ids;
 - (void)databaseRuleForBinarySHA256:(NSString *)binarySHA256
                   certificateSHA256:(NSString *)certificateSHA256
+                             teamID:(NSString *)teamID
+                          signingID:(NSString *)signingID
                               reply:(void (^)(SNTRule *))reply;
+- (void)retrieveAllRules:(void (^)(NSArray<SNTRule *> *rules, NSError *error))reply;
 
 ///
 ///  Config ops
 ///
 - (void)setClientMode:(SNTClientMode)mode reply:(void (^)(void))reply;
-- (void)setXsrfToken:(NSString *)token reply:(void (^)(void))reply;
 - (void)setFullSyncLastSuccess:(NSDate *)date reply:(void (^)(void))reply;
 - (void)setRuleSyncLastSuccess:(NSDate *)date reply:(void (^)(void))reply;
-- (void)setSyncCleanRequired:(BOOL)cleanReqd reply:(void (^)(void))reply;
-- (void)setWhitelistPathRegex:(NSString *)pattern reply:(void (^)(void))reply;
-- (void)setBlacklistPathRegex:(NSString *)pattern reply:(void (^)(void))reply;
+- (void)setSyncTypeRequired:(SNTSyncType)syncType reply:(void (^)(void))reply;
+- (void)setAllowedPathRegex:(NSString *)pattern reply:(void (^)(void))reply;
+- (void)setBlockedPathRegex:(NSString *)pattern reply:(void (^)(void))reply;
+- (void)setBlockUSBMount:(BOOL)enabled reply:(void (^)(void))reply;
+- (void)setRemountUSBMode:(NSArray *)remountUSBMode reply:(void (^)(void))reply;
 - (void)setEnableBundles:(BOOL)bundlesEnabled reply:(void (^)(void))reply;
-- (void)setEnableTransitiveWhitelisting:(BOOL)enabled reply:(void (^)(void))reply;
+- (void)setEnableTransitiveRules:(BOOL)enabled reply:(void (^)(void))reply;
+- (void)setEnableAllEventUpload:(BOOL)enabled reply:(void (^)(void))reply;
+- (void)setDisableUnknownEventUpload:(BOOL)enabled reply:(void (^)(void))reply;
+- (void)setOverrideFileAccessAction:(NSString *)action reply:(void (^)(void))reply;
 
 ///
 ///  Syncd Ops
 ///
-- (void)setSyncdListener:(NSXPCListenerEndpoint *)listener;
 - (void)postRuleSyncNotificationWithCustomMessage:(NSString *)message reply:(void (^)(void))reply;
 
 @end
 
-@interface SNTXPCControlInterface : SNTXPCUnprivilegedControlInterface
+@interface SNTXPCControlInterface : NSObject
 
 ///
-///  Internal method used to initialize the control interface
+///  Returns the MachService ID for this service.
 ///
++ (NSString *)serviceID;
 
-+ (void)initializeControlInterface:(NSXPCInterface *)r;
+///
+///  Returns the SystemExtension ID for this service.
+///
++ (NSString *)systemExtensionID;
+
+///
+///  Returns an initialized NSXPCInterface for the SNTUnprivilegedDaemonControlXPC protocol.
+///  Ensures any methods that accept custom classes as arguments are set-up before returning
+///
++ (NSXPCInterface *)controlInterface;
+
+///
+///  Retrieve a pre-configured MOLXPCConnection for communicating with santad.
+///  Connections just needs any handlers set and then can be resumed and used.
+///
++ (MOLXPCConnection *)configuredConnection;
 
 @end

Source/common/SNTXPCControlInterface.m

@@ -14,29 +14,50 @@
 
 #import "Source/common/SNTXPCControlInterface.h"
 
+#import <MOLCodesignChecker/MOLCodesignChecker.h>
 #import <MOLXPCConnection/MOLXPCConnection.h>
 
+#import "Source/common/SNTCommonEnums.h"
+#import "Source/common/SNTConfigurator.h"
 #import "Source/common/SNTRule.h"
 #import "Source/common/SNTStoredEvent.h"
 
+NSString *const kBundleID = @"com.google.santa.daemon";
+
 @implementation SNTXPCControlInterface
 
-+ (NSString *)serviceId {
-  return @"SantaXPCControl";
++ (NSString *)serviceID {
+#ifdef SANTAADHOC
+  // The mach service for an adhoc signed ES sysx uses the "endpoint-security" prefix instead of
+  // the teamid. In Santa's case it will be endpoint-security.com.google.santa.daemon.xpc.
+  return [NSString stringWithFormat:@"endpoint-security.%@.xpc", kBundleID];
+#else
+  MOLCodesignChecker *cs = [[MOLCodesignChecker alloc] initWithSelf];
+  // "teamid.com.google.santa.daemon.xpc"
+  NSString *t = cs.signingInformation[@"teamid"];
+  return [NSString stringWithFormat:@"%@.%@.xpc", t, kBundleID];
+#endif
+}
+
++ (NSString *)systemExtensionID {
+  return kBundleID;
 }
 
 + (void)initializeControlInterface:(NSXPCInterface *)r {
-  [super initializeControlInterface:r];
-
   [r setClasses:[NSSet setWithObjects:[NSArray class], [SNTStoredEvent class], nil]
-        forSelector:@selector(databaseEventsPending:)
-      argumentIndex:0
-            ofReply:YES];
+      forSelector:@selector(databaseEventsPending:)
+    argumentIndex:0
+          ofReply:YES];
 
   [r setClasses:[NSSet setWithObjects:[NSArray class], [SNTRule class], nil]
-        forSelector:@selector(databaseRuleAddRules:cleanSlate:reply:)
-      argumentIndex:0
-            ofReply:NO];
+      forSelector:@selector(databaseRuleAddRules:ruleCleanup:reply:)
+    argumentIndex:0
+          ofReply:NO];
+
+  [r setClasses:[NSSet setWithObjects:[NSArray class], [SNTRule class], nil]
+      forSelector:@selector(retrieveAllRules:)
+    argumentIndex:0
+          ofReply:YES];
 }
 
 + (NSXPCInterface *)controlInterface {
@@ -47,7 +68,7 @@
 }
 
 + (MOLXPCConnection *)configuredConnection {
-  MOLXPCConnection *c = [[MOLXPCConnection alloc] initClientWithName:[self serviceId]
+  MOLXPCConnection *c = [[MOLXPCConnection alloc] initClientWithName:[self serviceID]
                                                           privileged:YES];
   c.remoteInterface = [self controlInterface];
   return c;

Source/common/SNTXPCMetricServiceInterface.h

@@ -0,0 +1,50 @@
+/// Copyright 2021 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import <Foundation/Foundation.h>
+
+#import <MOLXPCConnection/MOLXPCConnection.h>
+
+///  Protocol implemented by the metric service and utilized by santad
+///  exporting metrics to a monitoring system.
+@protocol SNTMetricServiceXPC
+
+///
+///  @param metrics The current metric/counter values serialized to an NSDictionary.
+///
+- (void)exportForMonitoring:(NSDictionary *)metrics;
+
+@end
+
+@interface SNTXPCMetricServiceInterface : NSObject
+
+///
+///  Returns an initialized NSXPCInterface for the SNTMetricServiceXPC protocol.
+///  Ensures any methods that accept custom classes as arguments are set-up
+///  before returning.
+///
++ (NSXPCInterface *)metricServiceInterface;
+
+///
+///  Returns the MachService ID for this service.
+///
++ (NSString *)serviceID;
+
+///
+///  Retrieve a pre-configured MOLXPCConnection for communicating with santametricservice.
+///  Connections just needs any handlers set and then can be resumed and used.
+///
++ (MOLXPCConnection *)configuredConnection;
+
+@end