santactl status: add last successful rule sync date (#139)

* santactl status: add last successful rule sync date

.gitignore

@@ -1,6 +1,6 @@
 .DS_Store
 Build
-Dist
+santa-*
 Pods
 Santa.xcodeproj/xcuserdata
 Santa.xcodeproj/project.xcworkspace

.travis.yml

@@ -1,12 +1,14 @@
 ---
 language: objective-c
-cache: cocoapods
+cache:
+  - bundler
+  - cocoapods
 sudo: false
 osx_image: xcode7
 
 before_install:
- - gem install activesupport
  - gem install cocoapods xcpretty
+ - pod setup >/dev/null
 
 script:
  - xcodebuild -workspace Santa.xcworkspace -scheme All -derivedDataPath build build test CODE_SIGN_IDENTITY='' | xcpretty -sc && exit ${PIPESTATUS[0]}

CONTRIBUTING.md

@@ -29,8 +29,8 @@ rake tests:kernel  # only necessary if you're changing the kext code
 
 All code submissions should try to match the surrounding code.  Wherever possible,
 code should adhere to either the
-[Google Objective-C Style Guide](http://google-styleguide.googlecode.com/svn/trunk/objcguide.xml)
-or the [Google C++ Style Guide](http://google-styleguide.googlecode.com/svn/trunk/cppguide.html).
+[Google Objective-C Style Guide](https://google.github.io/styleguide/objcguide.xml)
+or the [Google C++ Style Guide](https://google.github.io/styleguide/cppguide.html).
 
 ### The small print
 Contributions made by corporations are covered by a different agreement than

Conf/Package/Makefile

@@ -82,3 +82,4 @@ myclean:
 	@rm -f com.google.santad.plist
 	@rm -f com.google.santagui.plist
 	@rm -f install.sh
+	@rm -f uninstall.sh

Conf/Package/postinstall

@@ -18,7 +18,8 @@ sleep 1
 sleep 1
 
 # Create hopefully useful symlink for santactl
-/bin/ln -sf /Library/Extensions/santa-driver.kext/Contents/MacOS/santactl /usr/local/bin
+mkdir -p /usr/local/bin
+/bin/ln -sf /Library/Extensions/santa-driver.kext/Contents/MacOS/santactl /usr/local/bin/santactl
 
 user=$(/usr/bin/stat -f '%u' /dev/console)
 [[ -z "$user" ]] && exit 0

Conf/install.sh

@@ -36,6 +36,7 @@ GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
 # Copy new files.
 /bin/cp -r ${SOURCE}/binaries/santa-driver.kext /Library/Extensions
 /bin/cp -r ${SOURCE}/binaries/Santa.app /Applications
+mkdir -p /usr/local/bin
 /bin/ln -s /Library/Extensions/santa-driver.kext/Contents/MacOS/santactl /usr/local/bin
 
 /bin/cp ${SOURCE}/conf/com.google.santad.plist /Library/LaunchDaemons

Conf/uninstall.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Uninstalls Santa from the boot volume, clearing up everything but logs/configs.
+# Unloads the kernel extension, services, and deletes component files.
+# If a user is logged in, also unloads the GUI agent.
+
+[ "$EUID" != 0 ] && printf "%s\n" "This requires running as root/sudo." && exit 1
+
+/bin/launchctl remove com.google.santad
+sleep 1
+/sbin/kextunload -b com.google.santa-driver >/dev/null 2>&1
+user=$(/usr/bin/stat -f '%u' /dev/console)
+[[ -n "$user" ]] && /bin/launchctl asuser ${user} /bin/launchctl remove com.google.santagui
+# and to clean out the log config, although it won't write after wiping the binary
+/usr/bin/killall -HUP syslogd
+# delete artifacts on-disk
+/bin/rm -rf /Applications/Santa.app
+/bin/rm -rf /Library/Extensions/santa-driver.kext
+/bin/rm -f /Library/LaunchAgents/com.google.santagui.plist
+/bin/rm -f /Library/LaunchDaemons/com.google.santad.plist
+/bin/rm -f /private/etc/asl/com.google.santa.asl.conf
+/bin/rm -f /usr/local/bin/santactl # just a symlink
+#uncomment to remove the config file and all databases, log files
+#/bin/rm -rf /var/db/santa
+#/bin/rm -f /var/log/santa*
+exit 0

Podfile

@@ -7,34 +7,43 @@ target :Santa do
   pod 'MOLCodesignChecker'
 end
 
-target :santactl do
+target :santad do
+  pod 'FMDB'
   pod 'MOLCertificate'
   pod 'MOLCodesignChecker'
-  pod 'FMDB'
 end
 
-target :santad do
+target :santactl do
+  pod 'FMDB'
+  pod 'MOLAuthenticatingURLSession'
   pod 'MOLCertificate'
   pod 'MOLCodesignChecker'
-  pod 'FMDB'
-
-  post_install do |installer|
-    installer.pods_project.targets.each do |target|
-      target.build_configurations.each do |config|
-        if config.name != 'Release' then
-          break
-        end
-
-        config.build_settings['GCC_PREPROCESSOR_DEFINITIONS'] ||= ''
-        config.build_settings['GCC_PREPROCESSOR_DEFINITIONS'] <<= "NDEBUG=1"
-      end
-    end
-  end
+  pod 'MOLFCMClient'
 end
 
 target :LogicTests do
   pod 'FMDB'
+  pod 'MOLAuthenticatingURLSession'
   pod 'MOLCertificate'
   pod 'MOLCodesignChecker'
   pod 'OCMock'
 end
+
+post_install do |installer|
+  installer.pods_project.targets.each do |target|
+    target.build_configurations.each do |config|
+      if config.name != 'Release' then
+        break
+      end
+
+      # This is necessary to get FMDB to not NSLog stuff.
+      config.build_settings['GCC_PREPROCESSOR_DEFINITIONS'] ||= ''
+      config.build_settings['GCC_PREPROCESSOR_DEFINITIONS'] <<= "NDEBUG=1"
+
+      # Enable more compiler optimizations.
+      config.build_settings['GCC_OPTIMIZATION_LEVEL'] = 'fast'
+      config.build_settings['LLVM_LTO'] = 'YES'
+    end
+  end
+end
+

Podfile.lock

@@ -1,22 +1,32 @@
 PODS:
-  - FMDB (2.6):
-    - FMDB/standard (= 2.6)
-  - FMDB/standard (2.6)
-  - MOLCertificate (1.3)
-  - MOLCodesignChecker (1.4):
+  - FMDB (2.6.2):
+    - FMDB/standard (= 2.6.2)
+  - FMDB/standard (2.6.2)
+  - MOLAuthenticatingURLSession (2.1):
+    - MOLCertificate (~> 1.5)
+  - MOLCertificate (1.5)
+  - MOLCodesignChecker (1.5):
     - MOLCertificate (~> 1.3)
-  - OCMock (3.2.2)
+  - MOLFCMClient (1.1):
+    - MOLAuthenticatingURLSession (~> 2.1)
+  - OCMock (3.3.1)
 
 DEPENDENCIES:
   - FMDB
+  - MOLAuthenticatingURLSession
   - MOLCertificate
   - MOLCodesignChecker
+  - MOLFCMClient
   - OCMock
 
 SPEC CHECKSUMS:
-  FMDB: c1968bab3ab0aed38f66cb778ae1e7fa9a652b6e
-  MOLCertificate: a776221906b5a46dd1bd749d0682bef3ee68c1f5
-  MOLCodesignChecker: 34e60cc6beadabfb4762b6e5087e12837774f85f
-  OCMock: 18c9b7e67d4c2770e95bb77a9cc1ae0c91fe3835
+  FMDB: 854a0341b4726e53276f2a8996f06f1b80f9259a
+  MOLAuthenticatingURLSession: 2f0fd35f641bc857ee1b026021dbd759955adaa3
+  MOLCertificate: c39cae866d24d36fbc78032affff83d401b5384a
+  MOLCodesignChecker: fc9c64147811d7b0d0739127003e0630dff9213a
+  MOLFCMClient: f1684219facbffdb060ff4ab18b1825bcd4c75bc
+  OCMock: f3f61e6eaa16038c30caa5798c5e49d3307b6f22
 
-COCOAPODS: 0.39.0
+PODFILE CHECKSUM: b20628b5933f54525daf0dcc5534512b1cb134c8
+
+COCOAPODS: 1.0.1

README.md

@@ -7,7 +7,7 @@ Santa  [![Build Status](https://travis-ci.org/google/santa.png?branch=master)](h
 </a>
 </p>
 
-Santa is a binary whitelisting/blacklisting system for OS X. It consists of
+Santa is a binary whitelisting/blacklisting system for macOS. It consists of
 a kernel extension that monitors for executions, a userland daemon that makes
 execution decisions based on the contents of a SQLite database, a GUI agent that
 notifies the user in case of a block decision and a command-line utility for
@@ -16,25 +16,53 @@ managing the system and synchronizing the database with a server.
 Santa is not yet a 1.0. We're writing more tests, fixing bugs, working on TODOs
 and finishing up a security audit.
 
-Santa is named because it keeps track of binaries that are naughty and nice.
+It is named Santa because it keeps track of binaries that are naughty or nice.
 
 Santa is a project of Google's Macintosh Operations Team.
 
-Features
+Admin-Related Features
 ========
 
-* Multiple modes: MONITOR and LOCKDOWN. In MONITOR mode all binaries except
-those marked as blacklisted will be allowed to run, whilst being logged and
-recorded in the database. In LOCKDOWN mode, only whitelisted binaries are
+* Multiple modes: In the default MONITOR mode, all binaries except
+those marked as blacklisted will be allowed to run, whilst being logged and recorded in the events database. In LOCKDOWN mode, only whitelisted binaries are
 allowed to run.
 
-* Codesign listing: Binaries can be whitelisted/blacklisted by their signing
-certificate, so you can trust/block all binaries by a given publisher. The
-binary will only be whitelisted by certificate if its signature validates
-correctly. However, a decision for a binary will override a decision for a
-certificate; i.e. you can whitelist a certificate while blacklisting a binary
-signed by that certificate or vice-versa.
+* Event logging: When the kext is loaded, all binary launches are logged.
+When in either mode, all unknown or denied binaries are stored in the database to enable later aggregation.
 
+* Certificate-based rules, with override levels: Instead of relying on a binaries hash (or 'fingerprint'), executables can be whitelisted/blacklisted by their signing
+certificate. You can therefore trust/block all binaries by a given publisher that were signed with that cert across version updates. A
+binary can only be whitelisted by its certificate if its signature validates
+correctly, but a rule for a binaries fingerprint will override a decision for a
+certificate; i.e. you can whitelist a certificate while blacklisting a binary
+signed with that certificate, or vice-versa.
+
+* Path-based rules (via NSRegularExpression/ICU): This allows a similar feature as Managed Client for OS X's (the precursor to configuration profiles, which used the same implementation mechanism) Application Launch Restrictions via the mcxalr binary. This implementation carries the added benefit of being configurable via regex, and doesn't rely on LaunchServices. As detailed in the wiki, when evaluating rules this holds the lowest precendence.
+
+* Failsafe cert rules: You cannot put in a deny rule that would block the certificate used to sign launchd, a.k.a. pid 1, and therefore all components used in macOS. The binaries in every OS update (and in some cases entire new versions) are therefore auto-whitelisted. This does not affect binaries from Apple's App Store, which use various certs that change regularly for common apps. Likewise, you cannot blacklist Santa itself, and Santa uses a distinct separate cert than other Google apps.
+
+Intentions and Expectations
+===========================
+No single system or process will stop *all* attacks, or provide 100% security.
+Santa is written with the intention of helping protect users from themselves.
+People often download malware and trust it, giving the malware credentials, or
+allowing unknown software to exfiltrate more data about your system. As a
+centrally managed component, Santa can help stop the spread of malware among a
+larger fleet of machines. Independently, Santa can aid in analyzing what is
+running on your computer.
+
+Santa is part of a defense-in-depth strategy, and you should continue to protect
+hosts in whatever other ways you see fit.
+
+Get Help
+========
+
+If you have questions or otherwise need help getting started, the
+[santa-dev](https://groups.google.com/forum/#!forum/santa-dev) group is a
+great place. Please consult the [wiki](https://github.com/google/santa/wiki) and [issues](https://github.com/google/santa/issues) as well.
+
+Security and Performance-Related Features
+============
 * In-kernel caching: whitelisted binaries are cached in the kernel so the
 processing required to make a request is only done if the binary
 isn't already cached.
@@ -44,42 +72,17 @@ daemon, the GUI agent and the command-line utility) communicate with each other
 using XPC and check that their signing certificates are identical before any
 communication is accepted.
 
-* Event logging: all executions processed by the userland agent are logged and
-all unknown or denied binaries are also stored in the database for upload to a
-server.
-
 * Kext uses only KPIs: the kernel extension only uses provided kernel
 programming interfaces to do its job. This means that the kext code should
 continue to work across OS versions.
 
-Intentions and Expectations
-===========================
-No single system or process will stop *all* attacks, or provide 100% security.
-Santa is written with the intention of helping protect users from themselves.
-People often download malware and trust it, giving the malware credentials, or
-allowing unknown software to exfiltrate more data about your system. As a
-centrally managed component, Santa can help stop the spread of malware among a
-larger fleet of machines. Additionally, Santa can aid in analyzing what is
-running in your fleet.
-
-Santa is part of a defense-in-depth strategy, and you should continue to protect
-hosts in whatever other ways you see fit.
-
-Get Help
-========
-
-If you have questions or need help getting started, the
-[santa-dev](https://groups.google.com/forum/#!forum/santa-dev) group is the
-best place to start.
-
 Known Issues
 ============
 Santa is not yet a 1.0 and we have some known issues to be aware of:
 
 * Santa only blocks execution (execve and variants), it doesn't protect against
-dynamic libraries loaded with dlopen, libraries on disk that have been replaced or
-libraries loaded using `DYLD_INSERT_LIBRARIES`. We are working on also protecting
-against these avenues of attack.
+dynamic libraries loaded with dlopen, libraries on disk that have been replaced, or
+libraries loaded using `DYLD_INSERT_LIBRARIES`. As of version 0.9.1 we *do* address [__PAGEZERO missing issues](b87482e) that were exploited in some versions of macOS. We are working on also protecting against similar avenues of attack.
 
 * Kext communication security: the kext will only accept a connection from a
 single client at a time and said client must be running as root. We haven't yet
@@ -89,9 +92,8 @@ found a good way to ensure the kext only accepts connections from a valid client
 only the root user can read/write it. We're considering approaches to secure
 this further.
 
-* Sync client: the command-line client includes a command to synchronize with a
-management server, including the uploading of events that have occurred on the
-machine and to download new rules. We're still very heavily working on this
+* Sync client: The `santactl` command-line client includes a flag to synchronize with a management server, which uploads events that have occurred on the
+machine and downloads new rules. We're still very heavily working on this
 server (which is AppEngine-based and will be open-sourced in the future), so the
 sync client code is unfinished. It does show the 'API' that we're expecting to
 use so if you'd like to write your own management server, feel free to look at
@@ -104,7 +106,7 @@ of temporary generated scripts, which we can't possibly whitelist and not doing
 so would cause problems. We're happy to revisit this (or at least make it an
 option) if it would be useful to others.
 
-* Documentation: There currently isn't any.
+* Documentation: This is currently limited.
 
 * Tests: There aren't enough of them.
 
@@ -119,6 +121,9 @@ A tool like Santa doesn't really lend itself to screenshots, so here's a video i
 
 Building
 ========
+Firstly, make sure you're using Xcode 7.3.1 as currently we do not support
+building with Xcode 8.
+
 ```sh
 git clone https://github.com/google/santa
 cd santa
@@ -136,7 +141,7 @@ and for security-reasons parts of Santa will not operate properly if not signed.
 
 Kext Signing
 ============
-Kernel extensions on OS X 10.9 and later must be signed using an Apple-provided
+Kernel extensions on macOS 10.9 and later must be signed using an Apple-provided
 Developer ID certificate with a kernel extension flag. Without it, the only way
 to load an extension is to enable kext-dev-mode or disable SIP, depending on the
 OS version.

Rakefile

@@ -1,7 +1,6 @@
 WORKSPACE           = 'Santa.xcworkspace'
 DEFAULT_SCHEME      = 'All'
 OUTPUT_PATH         = 'Build'
-DIST_PATH           = 'Dist'
 BINARIES            = ['Santa.app', 'santa-driver.kext']
 DSYMS               = ['Santa.app.dSYM', 'santa-driver.kext.dSYM', 'santad.dSYM', 'santactl.dSYM']
 XCPRETTY_DEFAULTS   = '-sc'
@@ -56,7 +55,7 @@ desc "Clean"
 task :clean => :init do
   puts "Cleaning"
   FileUtils.rm_rf(OUTPUT_PATH)
-  FileUtils.rm_rf(DIST_PATH)
+  xcodebuild("-scheme All clean")
 end
 
 # Build
@@ -111,24 +110,26 @@ task :dist do
   Rake::Task['clean'].invoke()
   Rake::Task['build:build'].invoke("Release")
 
-  FileUtils.rm_rf(DIST_PATH)
+  dist_path = "santa-#{`defaults read #{xcodebuilddir}/Release/santa-driver.kext/Contents/Info.plist CFBundleVersion`.strip}"
 
-  FileUtils.mkdir_p("#{DIST_PATH}/binaries")
-  FileUtils.mkdir_p("#{DIST_PATH}/conf")
-  FileUtils.mkdir_p("#{DIST_PATH}/dsym")
+  FileUtils.rm_rf(dist_path)
+
+  FileUtils.mkdir_p("#{dist_path}/binaries")
+  FileUtils.mkdir_p("#{dist_path}/conf")
+  FileUtils.mkdir_p("#{dist_path}/dsym")
 
   BINARIES.each do |x|
-    FileUtils.cp_r("#{xcodebuilddir}/Release/#{x}", "#{DIST_PATH}/binaries")
+    FileUtils.cp_r("#{xcodebuilddir}/Release/#{x}", "#{dist_path}/binaries")
   end
 
   DSYMS.each do |x|
-    FileUtils.cp_r("#{xcodebuilddir}/Release/#{x}", "#{DIST_PATH}/dsym")
+    FileUtils.cp_r("#{xcodebuilddir}/Release/#{x}", "#{dist_path}/dsym")
   end
 
 
-  Dir.glob("Conf/*") {|x| File.directory?(x) or FileUtils.cp(x, "#{DIST_PATH}/conf")}
+  Dir.glob("Conf/*") {|x| File.directory?(x) or FileUtils.cp(x, "#{dist_path}/conf")}
 
-  puts "Distribution folder created"
+  puts "Distribution folder #{dist_path} created"
 end
 
 # Tests

Santa.xcodeproj/xcshareddata/xcschemes/All.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0700"
+   LastUpgradeVersion = "0730"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -26,7 +26,9 @@
       buildConfiguration = "Debug"
       selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
       selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      shouldUseLaunchSchemeArgsEnv = "YES">
+      shouldUseLaunchSchemeArgsEnv = "YES"
+      codeCoverageEnabled = "YES"
+      enableAddressSanitizer = "YES">
       <Testables>
          <TestableReference
             skipped = "NO">

Santa.xcodeproj/xcshareddata/xcschemes/KernelTests.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0700"
+   LastUpgradeVersion = "0730"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"

Santa.xcodeproj/xcshareddata/xcschemes/LogicTests.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0700"
+   LastUpgradeVersion = "0730"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"

Santa.xcodeproj/xcshareddata/xcschemes/Santa.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0700"
+   LastUpgradeVersion = "0730"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"

Santa.xcodeproj/xcshareddata/xcschemes/santa-driver.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0700"
+   LastUpgradeVersion = "0730"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"

Santa.xcodeproj/xcshareddata/xcschemes/santactl.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0700"
+   LastUpgradeVersion = "0730"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"

Santa.xcodeproj/xcshareddata/xcschemes/santad.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0700"
+   LastUpgradeVersion = "0730"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"

Source/SantaGUI/Resources/AboutWindow.xib

@@ -37,7 +37,7 @@
                         <rect key="frame" x="18" y="65" width="444" height="60"/>
                         <textFieldCell key="cell" sendsActionOnEndEditing="YES" alignment="center" id="CcT-ul-1eA">
                             <font key="font" metaFont="system"/>
-                            <string key="title">Santa is an application whitelisting system for OS X.
+                            <string key="title">Santa is an application whitelisting system for macOS.
 
 There are no user-configurable settings.</string>
                             <color key="textColor" name="controlTextColor" catalog="System" colorSpace="catalog"/>

Source/SantaGUI/Resources/MessageWindow.xib

@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="9532" systemVersion="15E65" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES">
+<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="10117" systemVersion="15G31" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES">
     <dependencies>
         <deployment identifier="macosx"/>
         <development version="6300" identifier="xcode"/>
-        <plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="9532"/>
+        <plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="10117"/>
     </dependencies>
     <objects>
         <customObject id="-2" userLabel="File's Owner" customClass="SNTMessageWindowController">
@@ -321,7 +321,7 @@ DQ
                             <constraint firstAttribute="width" constant="110" id="6Uh-Bd-N64"/>
                             <constraint firstAttribute="height" constant="22" id="GH6-nw-6rD"/>
                         </constraints>
-                        <buttonCell key="cell" type="roundTextured" title="Dismiss" bezelStyle="texturedRounded" alignment="center" state="on" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="XR6-Xa-gP4">
+                        <buttonCell key="cell" type="roundTextured" title="Ignore" bezelStyle="texturedRounded" alignment="center" state="on" borderStyle="border" imageScaling="proportionallyDown" inset="2" id="XR6-Xa-gP4">
                             <behavior key="behavior" pushIn="YES" lightByBackground="YES" lightByGray="YES"/>
                             <font key="font" metaFont="system"/>
                             <string key="keyEquivalent" base64-UTF8="YES">
@@ -424,7 +424,7 @@ DQ
             <connections>
                 <outlet property="initialFirstResponder" destination="kiB-jZ-69S" id="I96-dS-lq5"/>
             </connections>
-            <point key="canvasLocation" x="112.5" y="302.5"/>
+            <point key="canvasLocation" x="302.5" y="304.5"/>
         </window>
     </objects>
     <resources>

Source/SantaGUI/SNTAccessibleTextField.h

@@ -14,7 +14,7 @@
 
 /**
    An NSTextField subclass that provides an accessiblity label equal to:
-   (self.toolTip + self.stringValue) where available. It also sets the 
+   (self.toolTip + self.stringValue) where available. It also sets the
    accessibilityRoleDescription to "label".
 */
 @interface SNTAccessibleTextField : NSTextField

Source/SantaGUI/SNTAppDelegate.m

@@ -37,8 +37,8 @@
   [self setupMenu];
 
   self.configFileWatcher = [[SNTFileWatcher alloc] initWithFilePath:kDefaultConfigFilePath
-                                                            handler:^{
-    [[SNTConfigurator configurator] reloadConfigData];
+                                                            handler:^(unsigned long data) {
+    if (! (data & DISPATCH_VNODE_ATTRIB)) [[SNTConfigurator configurator] reloadConfigData];
   }];
 
   self.notificationManager = [[SNTNotificationManager alloc] init];

Source/SantaGUI/SNTMessageWindowController.m

@@ -17,6 +17,7 @@
 #import <SecurityInterface/SFCertificatePanel.h>
 
 #import "MOLCertificate.h"
+#import "SNTBlockMessage.h"
 #import "SNTConfigurator.h"
 #import "SNTFileInfo.h"
 #import "SNTMessageWindow.h"
@@ -111,18 +112,9 @@
 }
 
 - (IBAction)openEventDetails:(id)sender {
-  SNTConfigurator *config = [SNTConfigurator configurator];
-
-  NSString *formatStr = config.eventDetailURL;
-  formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%file_sha%"
-                                                   withString:self.event.fileSHA256];
-  formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%username%"
-                                                   withString:self.event.executingUser];
-  formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%machine_id%"
-                                                   withString:config.machineID];
-
+  NSURL *url = [SNTBlockMessage eventDetailURLForEvent:self.event];
   [self closeWindow:sender];
-  [[NSWorkspace sharedWorkspace] openURL:[NSURL URLWithString:formatStr]];
+  [[NSWorkspace sharedWorkspace] openURL:url];
 }
 
 #pragma mark Generated properties
@@ -131,7 +123,7 @@
   if (![key isEqualToString:@"event"]) {
     return [NSSet setWithObject:@"event"];
   } else {
-    return nil;
+    return [NSSet set];
   }
 }
 
@@ -150,39 +142,8 @@
 }
 
 - (NSAttributedString *)attributedCustomMessage {
-  NSString *htmlHeader = @"<html><head><style>"
-                         @"body {"
-                         @"  font-family: 'Lucida Grande', 'Helvetica', sans-serif;"
-                         @"  font-size: 13px;"
-                         @"  color: #666;"
-                         @"  text-align: center;"
-                         @"}"
-                         @"</style></head><body>";
-  NSString *htmlFooter = @"</body></html>";
-
-  NSString *message;
-  if (self.customMessage.length) {
-    message = self.customMessage;
-  } else if (self.event.decision == SNTEventStateBlockUnknown) {
-    message = [[SNTConfigurator configurator] unknownBlockMessage];
-    if (!message) {
-      message = @"The following application has been blocked from executing<br />"
-                @"because its trustworthiness cannot be determined.";
-    }
-  } else {
-    message = [[SNTConfigurator configurator] bannedBlockMessage];
-    if (!message) {
-      message = @"The following application has been blocked from executing<br />"
-                @"because it has been deemed malicious.";
-    }
-  }
-
-  NSString *fullHTML = [NSString stringWithFormat:@"%@%@%@", htmlHeader, message, htmlFooter];
-
-  NSData *htmlData = [fullHTML dataUsingEncoding:NSUTF8StringEncoding];
-  NSAttributedString *returnStr = [[NSAttributedString alloc] initWithHTML:htmlData
-                                                        documentAttributes:NULL];
-  return returnStr;
+  return [SNTBlockMessage attributedBlockMessageForEvent:self.event
+                                           customMessage:self.customMessage];
 }
 
 @end

Source/SantaGUI/SNTNotificationManager.m

@@ -14,6 +14,8 @@
 
 #import "SNTNotificationManager.h"
 
+#import "SNTBlockMessage.h"
+#import "SNTConfigurator.h"
 #import "SNTLogging.h"
 #import "SNTStoredEvent.h"
 
@@ -54,6 +56,7 @@ static NSString * const silencedNotificationsKey = @"SilencedNotifications";
 - (void)updateSilenceDate:(NSDate *)date forHash:(NSString *)hash {
   NSUserDefaults *ud = [NSUserDefaults standardUserDefaults];
   NSMutableDictionary *d = [[ud objectForKey:silencedNotificationsKey] mutableCopy];
+  if (!d) d = [NSMutableDictionary dictionary];
   if (date) {
     d[hash] = date;
   } else {
@@ -64,6 +67,30 @@ static NSString * const silencedNotificationsKey = @"SilencedNotifications";
 
 #pragma mark SNTNotifierXPC protocol method
 
+- (void)postClientModeNotification:(SNTClientMode)clientmode {
+  NSUserNotification *un = [[NSUserNotification alloc] init];
+  un.title = @"Santa";
+  un.hasActionButton = NO;
+  NSString *customMsg;
+  switch (clientmode) {
+    case SNTClientModeMonitor:
+      un.informativeText = @"Switching into Monitor mode";
+      customMsg = [[SNTConfigurator configurator] modeNotificationMonitor];
+      customMsg = [SNTBlockMessage stringFromHTML:customMsg];
+      if (customMsg.length) un.informativeText = customMsg;
+      break;
+    case SNTClientModeLockdown:
+      un.informativeText = @"Switching into Lockdown mode";
+      customMsg = [[SNTConfigurator configurator] modeNotificationLockdown];
+      customMsg = [SNTBlockMessage stringFromHTML:customMsg];
+      if (customMsg.length) un.informativeText = customMsg;
+      break;
+    default:
+      return;
+  }
+  [[NSUserNotificationCenter defaultUserNotificationCenter] deliverNotification:un];
+}
+
 - (void)postBlockNotification:(SNTStoredEvent *)event withCustomMessage:(NSString *)message {
   // See if this binary is already in the list of pending notifications.
   NSPredicate *predicate =
@@ -108,4 +135,12 @@ static NSString * const silencedNotificationsKey = @"SilencedNotifications";
   });
 }
 
+- (void)postRuleSyncNotificationWithCustomMessage:(NSString *)message {
+  NSUserNotification *un = [[NSUserNotification alloc] init];
+  un.title = @"Santa";
+  un.hasActionButton = NO;
+  un.informativeText = message ?: @"Requested application can now be run";
+  [[NSUserNotificationCenter defaultUserNotificationCenter] deliverNotification:un];
+}
+
 @end

Source/common/SNTBlockMessage.h

@@ -0,0 +1,41 @@
+/// Copyright 2016 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+@class SNTStoredEvent;
+
+@interface SNTBlockMessage : NSObject
+
+///
+///  Return a message suitable for presenting to the user.
+///  Uses either the configured message depending on the event type or a custom message
+///  if the rule that blocked this file included one.
+///
+///  In SantaGUI this will return an NSAttributedString with links and formatting included
+///  while for santad all HTML will be properly stripped.
+///
++ (NSAttributedString *)attributedBlockMessageForEvent:(SNTStoredEvent *)event
+                                         customMessage:(NSString *)customMessage;
+
+///
+///  Return a URL generated from the EventDetailURL configuration key
+///  after replacing templates in the URL with values from the event.
+///
++ (NSURL *)eventDetailURLForEvent:(SNTStoredEvent *)event;
+
+///
+///  Strip HTML from a string, replacing <br /> with newline.
+///
++ (NSString *)stringFromHTML:(NSString *)html;
+
+@end

Source/common/SNTBlockMessage.m

@@ -0,0 +1,127 @@
+/// Copyright 2016 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTBlockMessage.h"
+
+#import "SNTConfigurator.h"
+#import "SNTLogging.h"
+#import "SNTStoredEvent.h"
+
+@implementation SNTBlockMessage
+
++ (NSAttributedString *)attributedBlockMessageForEvent:(SNTStoredEvent *)event
+                                         customMessage:(NSString *)customMessage {
+  NSString *htmlHeader = @"<html><head><style>"
+      @"body {"
+      @"  font-family: 'Lucida Grande', 'Helvetica', sans-serif;"
+      @"  font-size: 13px;"
+      @"  color: #666;"
+      @"  text-align: center;"
+      @"}"
+      @"</style></head><body>";
+  NSString *htmlFooter = @"</body></html>";
+
+  NSString *message;
+  if (customMessage.length) {
+    message = customMessage;
+  } else if (event.decision == SNTEventStateBlockUnknown) {
+    message = [[SNTConfigurator configurator] unknownBlockMessage];
+    if (!message) {
+      message = @"The following application has been blocked from executing<br />"
+                @"because its trustworthiness cannot be determined.";
+    }
+  } else {
+    message = [[SNTConfigurator configurator] bannedBlockMessage];
+    if (!message) {
+      message = @"The following application has been blocked from executing<br />"
+                @"because it has been deemed malicious.";
+    }
+  }
+
+  NSString *fullHTML = [NSString stringWithFormat:@"%@%@%@", htmlHeader, message, htmlFooter];
+
+#ifdef NSAppKitVersionNumber10_0
+  NSData *htmlData = [fullHTML dataUsingEncoding:NSUTF8StringEncoding];
+  return [[NSAttributedString alloc] initWithHTML:htmlData documentAttributes:NULL];
+#else
+  NSString *strippedHTML = [self stringFromHTML:fullHTML];
+  if (!strippedHTML) {
+    return [[NSAttributedString alloc] initWithString:@"This binary has been blocked."];
+  }
+  return [[NSAttributedString alloc] initWithString:strippedHTML];
+#endif
+}
+
++ (NSString *)stringFromHTML:(NSString *)html {
+  NSError *error;
+  NSXMLDocument *xml = [[NSXMLDocument alloc] initWithXMLString:html options:0 error:&error];
+
+  if (!xml && error.code == NSXMLParserEmptyDocumentError) {
+    html = [NSString stringWithFormat:@"<html><body>%@</body></html>", html];
+    xml = [[NSXMLDocument alloc] initWithXMLString:html options:0 error:&error];
+    if (!xml) return html;
+  }
+
+  // Strip any HTML tags out of the message. Also remove any content inside <style> tags and
+  // replace <br> elements with a newline.
+  NSString *stripXslt = @"<?xml version='1.0' encoding='utf-8'?>"
+      @"<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
+      @"                              xmlns:xhtml='http://www.w3.org/1999/xhtml'>"
+      @"<xsl:output method='text'/>"
+      @"<xsl:template match='br'><xsl:text>\n</xsl:text></xsl:template>"
+      @"<xsl:template match='style'/>"
+      @"</xsl:stylesheet>";
+  NSData *data = [xml objectByApplyingXSLTString:stripXslt arguments:NULL error:&error];
+  if (error || ![data isKindOfClass:[NSData class]]) {
+    return html;
+  }
+  return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
+}
+
++ (NSURL *)eventDetailURLForEvent:(SNTStoredEvent *)event {
+  SNTConfigurator *config = [SNTConfigurator configurator];
+
+  NSString *formatStr, *versionStr;
+  if (config.eventDetailBundleURL.length && event.fileBundleID) {
+    formatStr = config.eventDetailBundleURL;
+    versionStr = event.fileBundleVersion;
+    if (!versionStr) versionStr = event.fileBundleVersionString;
+
+    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%bundle_id%"
+                                                     withString:event.fileBundleID];
+    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%bundle_ver%"
+                                                     withString:versionStr];
+  } else {
+    formatStr = config.eventDetailURL;
+  }
+
+  if (!formatStr.length) return nil;
+
+  if (event.fileSHA256) {
+    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%file_sha%"
+                                                     withString:event.fileSHA256];
+  }
+  if (event.executingUser) {
+    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%username%"
+                                                     withString:event.executingUser];
+  }
+  if (config.machineID) {
+    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%machine_id%"
+                                                     withString:config.machineID];
+  }
+
+  return [NSURL URLWithString:formatStr];
+}
+
+@end

Source/common/SNTCommonEnums.h

@@ -41,19 +41,25 @@ typedef NS_ENUM(NSInteger, SNTClientMode) {
 };
 
 typedef NS_ENUM(NSInteger, SNTEventState) {
-  SNTEventStateUnknown,
+  // Bits 0-15 bits store non-decision types
+  SNTEventStateUnknown = 0,
+  SNTEventStateBundleBinary = 1,
 
-  SNTEventStateAllowUnknown = 1,
-  SNTEventStateAllowBinary = 2,
-  SNTEventStateAllowCertificate = 3,
-  SNTEventStateAllowScope = 4,
+  // Bits 16-23 store deny decision types
+  SNTEventStateBlockUnknown = 1 << 16,
+  SNTEventStateBlockBinary = 1 << 17,
+  SNTEventStateBlockCertificate = 1 << 18,
+  SNTEventStateBlockScope = 1 << 19,
 
-  SNTEventStateBlockUnknown = 5,
-  SNTEventStateBlockBinary = 6,
-  SNTEventStateBlockCertificate = 7,
-  SNTEventStateBlockScope = 8,
+  // Bits 24-31 store allow decision types
+  SNTEventStateAllowUnknown = 1 << 24,
+  SNTEventStateAllowBinary = 1 << 25,
+  SNTEventStateAllowCertificate = 1 << 26,
+  SNTEventStateAllowScope = 1 << 27,
 
-  SNTEventStateRelatedBinary = 9,
+  // Block and Allow masks
+  SNTEventStateBlock = 0xFF << 16,
+  SNTEventStateAllow = 0xFF << 24
 };
 
 typedef NS_ENUM(NSInteger, SNTRuleTableError) {

Source/common/SNTConfigurator.h

@@ -75,18 +75,24 @@ extern NSString *const kDefaultConfigFilePath;
 ///
 ///  When the user gets a block notification, a button can be displayed which will
 ///  take them to a web page with more information about that event.
+///  There are two properties, one for individual binaries and one for binaries that are part
+///  of a bundle. If the latter is not set the former will be used.
+///
 ///  This property contains a kind of format string to be turned into the URL to send them to.
 ///  The following sequences will be replaced in the final URL:
 ///
 ///  %file_sha%    -- SHA-256 of the file that was blocked.
 ///  %machine_id%  -- ID of the machine.
 ///  %username%    -- executing user.
+///  %bundle_id%   -- bundle id of the binary, if applicable.
+///  %bundle_ver%  -- bundle version of the binary, if applicable.
 ///
 ///  @note: This is not an NSURL because the format-string parsing is done elsewhere.
 ///
 ///  If this item isn't set, the Open Event button will not be displayed.
 ///
 @property(readonly, nonatomic) NSString *eventDetailURL;
+@property(readonly, nonatomic) NSString *eventDetailBundleURL;
 
 ///
 ///  Related to the above property, this string represents the text to show on the button.
@@ -106,6 +112,18 @@ extern NSString *const kDefaultConfigFilePath;
 ///
 @property(readonly, nonatomic) NSString *bannedBlockMessage;
 
+///
+///  The notification text to display when the client goes into MONITOR mode.
+///  Defaults to "Switching into Monitor mode"
+///
+@property(readonly, nonatomic) NSString *modeNotificationMonitor;
+
+///
+///  The notification text to display when the client goes into LOCKDOWN mode.
+///  Defaults to "Switching into Lockdown mode"
+///
+@property(readonly, nonatomic) NSString *modeNotificationLockdown;
+
 #pragma mark - Sync Settings
 
 ///
@@ -125,9 +143,14 @@ extern NSString *const kDefaultConfigFilePath;
 @property(readonly, nonatomic) NSString *machineOwner;
 
 ///
-///  The last date of successful sync.
+///  The last date of a successful full sync.
 ///
-@property(nonatomic) NSDate *syncLastSuccess;
+@property(nonatomic) NSDate *fullSyncLastSuccess;
+
+///
+///  The last date of a successful rule sync.
+///
+@property(nonatomic) NSDate *ruleSyncLastSuccess;
 
 ///
 ///  If YES a clean sync is required.

Source/common/SNTConfigurator.m

@@ -44,12 +44,16 @@ static NSString *const kEnablePageZeroProtectionKey = @"EnablePageZeroProtection
 
 static NSString *const kMoreInfoURLKey = @"MoreInfoURL";
 static NSString *const kEventDetailURLKey = @"EventDetailURL";
+static NSString *const kEventDetailBundleURLKey = @"EventDetailBundleURL";
 static NSString *const kEventDetailTextKey = @"EventDetailText";
 static NSString *const kUnknownBlockMessage = @"UnknownBlockMessage";
 static NSString *const kBannedBlockMessage = @"BannedBlockMessage";
+static NSString *const kModeNotificationMonitor = @"ModeNotificationMonitor";
+static NSString *const kModeNotificationLockdown = @"ModeNotificationLockdown";
 
 static NSString *const kSyncBaseURLKey = @"SyncBaseURL";
-static NSString *const kSyncLastSuccess = @"SyncLastSuccess";
+static NSString *const kFullSyncLastSuccess = @"FullSyncLastSuccess";
+static NSString *const kRuleSyncLastSuccess = @"RuleSyncLastSuccess";
 static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
 static NSString *const kClientAuthCertificateFileKey = @"ClientAuthCertificateFile";
 static NSString *const kClientAuthCertificatePasswordKey = @"ClientAuthCertificatePassword";
@@ -97,7 +101,13 @@ static NSString *const kMachineIDPlistKeyKey = @"MachineIDKey";
 #pragma mark Public Interface
 
 - (SNTClientMode)clientMode {
-  NSInteger cm = [self.configData[kClientModeKey] longValue];
+  NSInteger cm = SNTClientModeUnknown;
+
+  id mode = self.configData[kClientModeKey];
+  if ([mode respondsToSelector:@selector(longLongValue)]) {
+    cm = (NSInteger)[mode longLongValue];
+  }
+
   if (cm == SNTClientModeMonitor || cm == SNTClientModeLockdown) {
     return (SNTClientMode)cm;
   } else {
@@ -192,6 +202,10 @@ static NSString *const kMachineIDPlistKeyKey = @"MachineIDKey";
   return self.configData[kEventDetailURLKey];
 }
 
+- (NSString *)eventDetailBundleURL {
+  return self.configData[kEventDetailBundleURLKey];
+}
+
 - (NSString *)eventDetailText {
   return self.configData[kEventDetailTextKey];
 }
@@ -204,6 +218,14 @@ static NSString *const kMachineIDPlistKeyKey = @"MachineIDKey";
   return self.configData[kBannedBlockMessage];
 }
 
+- (NSString *)modeNotificationMonitor {
+  return self.configData[kModeNotificationMonitor];
+}
+
+- (NSString *)modeNotificationLockdown {
+  return self.configData[kModeNotificationLockdown];
+}
+
 - (NSURL *)syncBaseURL {
   NSString *urlStr = self.configData[kSyncBaseURLKey];
   if (urlStr) {
@@ -238,12 +260,22 @@ static NSString *const kMachineIDPlistKeyKey = @"MachineIDKey";
   return self.configData[kServerAuthRootsFileKey];
 }
 
-- (NSDate *)syncLastSuccess {
-  return self.configData[kSyncLastSuccess];
+- (NSDate *)fullSyncLastSuccess {
+  return self.configData[kFullSyncLastSuccess];
 }
 
-- (void)setSyncLastSuccess:(NSDate *)syncLastSuccess {
-  self.configData[kSyncLastSuccess] = syncLastSuccess;
+- (void)setFullSyncLastSuccess:(NSDate *)fullSyncLastSuccess {
+  self.configData[kFullSyncLastSuccess] = fullSyncLastSuccess;
+  [self saveConfigToDisk];
+  self.ruleSyncLastSuccess = fullSyncLastSuccess;
+}
+
+- (NSDate *)ruleSyncLastSuccess {
+  return self.configData[kRuleSyncLastSuccess];
+}
+
+- (void)setRuleSyncLastSuccess:(NSDate *)ruleSyncLastSuccess {
+  self.configData[kRuleSyncLastSuccess] = ruleSyncLastSuccess;
   [self saveConfigToDisk];
 }
 
@@ -303,7 +335,8 @@ static NSString *const kMachineIDPlistKeyKey = @"MachineIDKey";
                                             options:NSDataReadingMappedIfSafe
                                               error:&error];
   if (error) {
-    LOGE(@"Could not read configuration file: %@", [error localizedDescription]);
+    LOGE(@"Could not read configuration file: %@, replacing.", [error localizedDescription]);
+    [self saveConfigToDisk];
     return;
   }
 
@@ -313,7 +346,8 @@ static NSString *const kMachineIDPlistKeyKey = @"MachineIDKey";
                                                  format:NULL
                                                   error:&error];
   if (error) {
-    LOGE(@"Could not parse configuration file: %@", [error localizedDescription]);
+    LOGE(@"Could not parse configuration file: %@, replacing.", [error localizedDescription]);
+    [self saveConfigToDisk];
     return;
   }
 

Source/common/SNTFileInfo.h

@@ -84,6 +84,11 @@
 ///
 - (BOOL)isDylib;
 
+///
+///  @return YES if this file is a bundle executable (QuickLook/Spotlight plugin, etc.)
+///
+- (BOOL)isBundle;
+
 ///
 ///  @return YES if this file is a kernel extension.
 ///

Source/common/SNTFileInfo.m

@@ -76,7 +76,17 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
       return nil;
     }
 
-    _fileHandle = [NSFileHandle fileHandleForReadingAtPath:_path];
+    int fd = open([_path UTF8String], O_RDONLY | O_CLOEXEC);
+    if (fd < 0) {
+      if (error) {
+        NSString *errStr = [NSString stringWithFormat:@"Unable to open file: %s", strerror(errno)];
+        *error = [NSError errorWithDomain:@"com.google.santa.fileinfo"
+                                     code:280
+                                 userInfo:@{NSLocalizedDescriptionKey : errStr}];
+      }
+      return nil;
+    }
+    _fileHandle = [[NSFileHandle alloc] initWithFileDescriptor:fd closeOnDealloc:YES];
 
     struct stat fileStat;
     fstat(_fileHandle.fileDescriptor, &fileStat);
@@ -102,7 +112,9 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 #pragma mark Hashing
 
 - (void)hashSHA1:(NSString **)sha1 SHA256:(NSString **)sha256 {
-  const int chunkSize = 4096;
+  const int MAX_CHUNK_SIZE = 256 * 1024;  // 256 KB
+  const size_t chunkSize = _fileSize > MAX_CHUNK_SIZE ? MAX_CHUNK_SIZE : _fileSize;
+  char chunk[chunkSize];
 
   CC_SHA1_CTX c1;
   CC_SHA256_CTX c256;
@@ -110,46 +122,59 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
   if (sha1) CC_SHA1_Init(&c1);
   if (sha256) CC_SHA256_Init(&c256);
 
-  for (uint64_t offset = 0; offset < self.fileSize; offset += chunkSize) {
-    @autoreleasepool {
-      int readSize = 0;
-      if (offset + chunkSize > self.fileSize) {
-        readSize = (int)(self.fileSize - offset);
-      } else {
-        readSize = chunkSize;
-      }
+  int fd = self.fileHandle.fileDescriptor;
 
-      NSData *chunk = [self safeSubdataWithRange:NSMakeRange(offset, readSize)];
-      if (!chunk) {
-        if (sha1) CC_SHA1_Final(NULL, &c1);
-        if (sha256) CC_SHA256_Final(NULL, &c256);
-        return;
-      }
+  fcntl(fd, F_RDAHEAD, 1);
+  struct radvisory radv;
+  radv.ra_offset = 0;
+  const int MAX_ADVISORY_READ = 10 * 1024 * 1024;
+  radv.ra_count = (int)_fileSize < MAX_ADVISORY_READ ? (int)_fileSize : MAX_ADVISORY_READ;
+  fcntl(fd, F_RDADVISE, &radv);
+  ssize_t bytesRead;
 
-      if (sha1) CC_SHA1_Update(&c1, chunk.bytes, readSize);
-      if (sha256) CC_SHA256_Update(&c256, chunk.bytes, readSize);
+  for (uint64_t offset = 0; offset < _fileSize;) {
+    bytesRead = pread(fd, chunk, chunkSize, offset);
+    if (bytesRead > 0) {
+      if (sha1) CC_SHA1_Update(&c1, chunk, (CC_LONG)bytesRead);
+      if (sha256) CC_SHA256_Update(&c256, chunk, (CC_LONG)bytesRead);
+      offset += bytesRead;
+    } else if (bytesRead == -1 && errno == EINTR) {
+      continue;
+    } else {
+      return;
     }
   }
 
+  // We turn off Read Ahead that we turned on
+  fcntl(fd, F_RDAHEAD, 0);
   if (sha1) {
-    unsigned char dgst[CC_SHA1_DIGEST_LENGTH];
-    CC_SHA1_Final(dgst, &c1);
-
-    NSMutableString *buf = [[NSMutableString alloc] initWithCapacity:CC_SHA1_DIGEST_LENGTH * 2];
-    for (int i = 0; i < CC_SHA1_DIGEST_LENGTH; ++i) {
-      [buf appendFormat:@"%02x", (unsigned char)dgst[i]];
-    }
-    *sha1 = [buf copy];
+    unsigned char digest[CC_SHA1_DIGEST_LENGTH];
+    CC_SHA1_Final(digest, &c1);
+    NSString *const SHA1FormatString =
+        @"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x";
+    *sha1 = [[NSString alloc]
+        initWithFormat:SHA1FormatString, digest[0], digest[1], digest[2],
+                       digest[3], digest[4], digest[5], digest[6], digest[7],
+                       digest[8], digest[9], digest[10], digest[11], digest[12],
+                       digest[13], digest[14], digest[15], digest[16],
+                       digest[17], digest[18], digest[19]];
   }
   if (sha256) {
-    unsigned char dgst[CC_SHA256_DIGEST_LENGTH];
-    CC_SHA256_Final(dgst, &c256);
+    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
+    CC_SHA256_Final(digest, &c256);
+    NSString *const SHA256FormatString =
+        @"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
+         "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x";
 
-    NSMutableString *buf = [[NSMutableString alloc] initWithCapacity:CC_SHA256_DIGEST_LENGTH * 2];
-    for (int i = 0; i < CC_SHA256_DIGEST_LENGTH; ++i) {
-      [buf appendFormat:@"%02x", (unsigned char)dgst[i]];
-    }
-    *sha256 = [buf copy];
+    *sha256 = [[NSString alloc]
+        initWithFormat:SHA256FormatString, digest[0], digest[1], digest[2],
+                       digest[3], digest[4], digest[5], digest[6], digest[7],
+                       digest[8], digest[9], digest[10], digest[11], digest[12],
+                       digest[13], digest[14], digest[15], digest[16],
+                       digest[17], digest[18], digest[19], digest[20],
+                       digest[21], digest[22], digest[23], digest[24],
+                       digest[25], digest[26], digest[27], digest[28],
+                       digest[29], digest[30], digest[31]];
   }
 }
 
@@ -171,22 +196,26 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
   return [self.machHeaders allKeys];
 }
 
-- (BOOL)isExecutable {
+- (uint32_t)machFileType {
   struct mach_header *mach_header = [self firstMachHeader];
-  if (mach_header && mach_header->filetype == MH_EXECUTE) return YES;
-  return NO;
+  if (mach_header) return mach_header->filetype;
+  return -1;
+}
+
+- (BOOL)isExecutable {
+  return [self machFileType] == MH_EXECUTE;
 }
 
 - (BOOL)isDylib {
-  struct mach_header *mach_header = [self firstMachHeader];
-  if (mach_header && mach_header->filetype == MH_DYLIB) return YES;
-  return NO;
+  return [self machFileType] == MH_DYLIB;
+}
+
+- (BOOL)isBundle {
+  return [self machFileType] == MH_BUNDLE;
 }
 
 - (BOOL)isKext {
-  struct mach_header *mach_header = [self firstMachHeader];
-  if (mach_header && mach_header->filetype == MH_KEXT_BUNDLE) return YES;
-  return NO;
+  return [self machFileType] == MH_KEXT_BUNDLE;
 }
 
 - (BOOL)isMachO {
@@ -199,18 +228,18 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 
 - (BOOL)isScript {
   const char *magic = (const char *)[[self safeSubdataWithRange:NSMakeRange(0, 2)] bytes];
-  return (strncmp("#!", magic, 2) == 0);
+  return (magic && memcmp("#!", magic, 2) == 0);
 }
 
 - (BOOL)isXARArchive {
   const char *magic = (const char *)[[self safeSubdataWithRange:NSMakeRange(0, 4)] bytes];
-  return (strncmp("xar!", magic, 4) == 0);
+  return (magic && memcmp("xar!", magic, 4) == 0);
 }
 
 - (BOOL)isDMG {
   NSUInteger last512 = self.fileSize - 512;
   const char *magic = (const char *)[[self safeSubdataWithRange:NSMakeRange(last512, 4)] bytes];
-  return (magic && strncmp("koly", magic, 4) == 0);
+  return (magic && memcmp("koly", magic, 4) == 0);
 }
 
 #pragma mark Page Zero
@@ -230,7 +259,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
   if (!lcData) return NO;
 
   // This code assumes the __PAGEZERO is always the first load-command in the file.
-  // Given that the OS X ABI says "the static linker creates a __PAGEZERO segment
+  // Given that the macOS ABI says "the static linker creates a __PAGEZERO segment
   // as the first segment of an executable file." this should be OK.
   struct load_command *lc = (struct load_command *)[lcData bytes];
   if (lc->cmd == LC_SEGMENT) {
@@ -273,9 +302,10 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
     // Check that the full path is at least 4-levels deep:
     // e.g: /Calendar.app/Contents/MacOS/Calendar
     NSArray *pathComponents = [self.path pathComponents];
-    if ([pathComponents count] < 4) return nil;
+    NSUInteger pathComponentsCount = pathComponents.count;
+    if (pathComponentsCount < 4) return nil;
 
-    pathComponents = [pathComponents subarrayWithRange:NSMakeRange(0, [pathComponents count] - 3)];
+    pathComponents = [pathComponents subarrayWithRange:NSMakeRange(0, pathComponentsCount - 3)];
     NSBundle *bndl = [NSBundle bundleWithPath:[NSString pathWithComponents:pathComponents]];
     if (bndl && [bndl objectForInfoDictionaryKey:@"CFBundleIdentifier"]) self.bundleRef = bndl;
   }
@@ -310,7 +340,8 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 }
 
 - (NSString *)bundleName {
-  return [[self.infoPlist objectForKey:@"CFBundleName"] description];
+  return [[self.infoPlist objectForKey:@"CFBundleDisplayName"] description] ?:
+         [[self.infoPlist objectForKey:@"CFBundleName"] description];
 }
 
 - (NSString *)bundleVersion {
@@ -370,7 +401,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
     NSData *fatHeader = [self safeSubdataWithRange:range];
     struct fat_header *fh = (struct fat_header *)[fatHeader bytes];
 
-    if (fatHeader && (fh->magic == FAT_MAGIC || fh->magic == FAT_CIGAM)) {
+    if (fatHeader && (fh->magic == FAT_CIGAM || fh->magic == FAT_MAGIC)) {
       int nfat_arch = OSSwapBigToHostInt32(fh->nfat_arch);
       range = NSMakeRange(sizeof(struct fat_header), sizeof(struct fat_arch) * nfat_arch);
       NSMutableData *fatArchs = [[self safeSubdataWithRange:range] mutableCopy];
@@ -444,7 +475,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
     if (!cmdData) return nil;
     struct segment_command_64 *lc = (struct segment_command_64 *)[cmdData bytes];
     if (lc->cmd == LC_SEGMENT || lc->cmd == LC_SEGMENT_64) {
-      if (strncmp(lc->segname, "__TEXT", 6) == 0) {
+      if (memcmp(lc->segname, "__TEXT", 6) == 0) {
         nsects = lc->nsects;
         offset += sz_segment;
         break;
@@ -458,7 +489,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
     NSData *sectData = [self safeSubdataWithRange:NSMakeRange(offset, sz_section)];
     if (!sectData) return nil;
     struct section_64 *sect = (struct section_64 *)[sectData bytes];
-    if (sect && strncmp(sect->sectname, "__info_plist", 12) == 0 && sect->size < 2000000) {
+    if (sect && memcmp(sect->sectname, "__info_plist", 12) == 0 && sect->size < 2000000) {
       NSData *plistData = [self safeSubdataWithRange:NSMakeRange(sect->offset, sect->size)];
       if (!plistData) return nil;
       NSDictionary *plist;
@@ -503,7 +534,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
 ///  is not the one who downloaded the file.
 ///
 - (NSDictionary *)quarantineData {
-  if (!self.quarantineDict && self.fileOwnerHomeDir) {
+  if (!self.quarantineDict && self.fileOwnerHomeDir && NSURLQuarantinePropertiesKey) {
     self.quarantineDict = (NSDictionary *)[NSNull null];
 
     NSURL *url = [NSURL fileURLWithPath:self.path];

Source/common/SNTFileWatcher.h

@@ -14,7 +14,7 @@
 
 ///
 ///  Simple file watching class using dispatch sources. Will automatically
-///  reload the watch if the file is deleted. Will continue watching for
+///  reload the watch if the file is deleted and continue watching for
 ///  events until deallocated.
 ///
 @interface SNTFileWatcher : NSObject
@@ -24,11 +24,10 @@
 ///  Initializes the watcher and begins watching for modifications.
 ///
 ///  @param filePath the file to watch.
-///  @param handler the handler to call when changes happen.
+///  @param handler the handler to call when changes happen. The argument to the block is the
+///      type of change that happened as a bitmask to be compared with DISPATCH_VNODE_* constants.
 ///
-///  @note Shortly after the file has been opened and monitoring has begun, the provided handler
-///  will be called.
-///
-- (instancetype)initWithFilePath:(NSString *)filePath handler:(void (^)(void))handler;
+- (nonnull instancetype)initWithFilePath:(nonnull NSString *)filePath
+                                 handler:(nonnull void (^)(unsigned long))handler;
 
 @end

Source/common/SNTFileWatcher.m

@@ -14,13 +14,13 @@
 
 #import "SNTFileWatcher.h"
 
+#import "SNTStrengthify.h"
+
 @interface SNTFileWatcher ()
 @property NSString *filePath;
-@property dispatch_source_t monitoringSource;
+@property(strong) void (^handler)(unsigned long);
 
-@property(strong) void (^eventHandler)(void);
-@property(strong) void (^internalEventHandler)(void);
-@property(strong) void (^internalCancelHandler)(void);
+@property dispatch_source_t source;
 @end
 
 @implementation SNTFileWatcher
@@ -30,15 +30,13 @@
   return nil;
 }
 
-- (instancetype)initWithFilePath:(NSString *)filePath handler:(void (^)(void))handler {
+- (instancetype)initWithFilePath:(nonnull NSString *)filePath
+                         handler:(nonnull void (^)(unsigned long))handler {
   self = [super init];
   if (self) {
     _filePath = filePath;
-    _eventHandler = handler;
-
-    if (!_filePath || !_eventHandler) return nil;
-
-    [self beginWatchingFile];
+    _handler = handler;
+    [self startWatchingFile];
   }
   return self;
 }
@@ -47,57 +45,49 @@
   [self stopWatchingFile];
 }
 
-- (void)beginWatchingFile {
-  __weak __typeof(self) weakSelf = self;
-  int mask = (DISPATCH_VNODE_DELETE | DISPATCH_VNODE_WRITE |
-              DISPATCH_VNODE_EXTEND | DISPATCH_VNODE_RENAME);
+- (void)startWatchingFile {
   dispatch_queue_t queue = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0);
+  int mask = (DISPATCH_VNODE_DELETE | DISPATCH_VNODE_RENAME |
+              DISPATCH_VNODE_WRITE | DISPATCH_VNODE_EXTEND | DISPATCH_VNODE_ATTRIB);
 
-  self.internalEventHandler = ^{
-    unsigned long l = dispatch_source_get_data(weakSelf.monitoringSource);
-    if (l & DISPATCH_VNODE_DELETE || l & DISPATCH_VNODE_RENAME) {
-      if (weakSelf.monitoringSource) dispatch_source_cancel(weakSelf.monitoringSource);
-    } else {
-      weakSelf.eventHandler();
+  dispatch_async(queue, ^{
+    int fd = -1;
+    while ((fd = open([self.filePath fileSystemRepresentation], O_EVTONLY | O_CLOEXEC)) < 0) {
+      usleep(200000);  // wait 200ms
     }
-  };
+    self.source = dispatch_source_create(DISPATCH_SOURCE_TYPE_VNODE, fd, mask, queue);
 
-  self.internalCancelHandler = ^{
-    int fd;
+    WEAKIFY(self);
 
-    if (weakSelf.monitoringSource) {
-      fd = (int)dispatch_source_get_handle(weakSelf.monitoringSource);
+    dispatch_source_set_event_handler(self.source, ^{
+      STRONGIFY(self);
+      unsigned long data = dispatch_source_get_data(self.source);
+      self.handler(data);
+      if (data & DISPATCH_VNODE_DELETE || data & DISPATCH_VNODE_RENAME) {
+        [self stopWatchingFile];
+        [self startWatchingFile];
+      }
+      sleep(2);
+    });
+
+    dispatch_source_set_registration_handler(self.source, ^{
+      STRONGIFY(self);
+      self.handler(0);
+    });
+
+    dispatch_source_set_cancel_handler(self.source, ^{
       close(fd);
-    }
+    });
 
-    const char *filePathCString = [weakSelf.filePath fileSystemRepresentation];
-    while ((fd = open(filePathCString, O_EVTONLY)) < 0) {
-      usleep(1000);
-    }
-
-    weakSelf.monitoringSource =
-        dispatch_source_create(DISPATCH_SOURCE_TYPE_VNODE, fd, mask, queue);
-    dispatch_source_set_event_handler(weakSelf.monitoringSource, weakSelf.internalEventHandler);
-    dispatch_source_set_cancel_handler(weakSelf.monitoringSource, weakSelf.internalCancelHandler);
-    dispatch_resume(weakSelf.monitoringSource);
-
-    weakSelf.eventHandler();
-  };
-
-  dispatch_async(queue, self.internalCancelHandler);
+    dispatch_resume(self.source);
+  });
 }
 
 - (void)stopWatchingFile {
-  if (!self.monitoringSource) return;
-
-  int fd = (int)dispatch_source_get_handle(self.monitoringSource);
-  dispatch_source_set_event_handler_f(self.monitoringSource, NULL);
-  dispatch_source_set_cancel_handler(self.monitoringSource, ^{
-    close(fd);
-  });
-
-  dispatch_source_cancel(self.monitoringSource);
-  self.monitoringSource = nil;
+  if (!self.source) return;
+  dispatch_source_set_event_handler_f(self.source, NULL);
+  dispatch_source_cancel(self.source);
+  self.source = nil;
 }
 
 @end

Source/common/SNTKernelCommon.h

@@ -28,6 +28,10 @@
 #define USERCLIENT_CLASS "com_google_SantaDriver"
 #define USERCLIENT_ID "com.google.santa-driver"
 
+// Branch prediction
+#define likely(x)   __builtin_expect(!!(x), 1)
+#define unlikely(x) __builtin_expect(!!(x), 0)
+
 // List of methods supported by the driver.
 enum SantaDriverMethods {
   kSantaUserClientOpen,
@@ -35,6 +39,7 @@ enum SantaDriverMethods {
   kSantaUserClientDenyBinary,
   kSantaUserClientClearCache,
   kSantaUserClientCacheCount,
+  kSantaUserClientCheckCache,
 
   // Any methods supported by the driver should be added above this line to
   // ensure this remains the count of methods.

Source/common/SNTLogging.h

@@ -21,6 +21,8 @@
 
 #ifdef KERNEL
 
+#include <IOKit/IOLib.h>
+
 #ifdef DEBUG
 #define LOGD(...) IOLog("D santa-driver: " __VA_ARGS__); IOLog("\n")
 #else  // DEBUG

Source/common/SNTLogging.m

@@ -52,7 +52,7 @@ void logMessage(LogLevel level, FILE *destination, NSString *format, ...) {
 
   va_list args;
   va_start(args, format);
-  NSString *s = [[NSString alloc] initWithFormat:format arguments:args];
+  NSMutableString *s = [[NSMutableString alloc] initWithFormat:format arguments:args];
   va_end(args);
 
   if (useSyslog) {
@@ -86,6 +86,8 @@ void logMessage(LogLevel level, FILE *destination, NSString *format, ...) {
 
     asl_log(client, NULL, syslogLevel, "%s %s: %s", levelName, binaryName, [s UTF8String]);
   } else {
-    fprintf(destination, "%s\n", [s UTF8String]);
+    [s appendString:@"\n"];
+    size_t len = [s lengthOfBytesUsingEncoding:NSUTF8StringEncoding];
+    fwrite([s UTF8String], len, 1, destination);
   }
 }

Source/common/SNTStoredEvent.h

@@ -20,7 +20,7 @@
 @interface SNTStoredEvent : NSObject<NSSecureCoding>
 
 ///
-///  An index for this event, empty unless the event came from the database.
+///  An index for this event, randomly generated during initialization.
 ///
 @property NSNumber *idx;
 
@@ -35,10 +35,16 @@
 @property NSString *filePath;
 
 ///
-///  If the executed file was part of the bundle, this is the CFBundleName.
+///  If the executed file was part of the bundle, this is the CFBundleDisplayName, if it exists
+///  or the CFBundleName if not.
 ///
 @property NSString *fileBundleName;
 
+///
+///  If the executed file was part of the bundle, this is the path to the bundle.
+///
+@property NSString *fileBundlePath;
+
 ///
 ///  If the executed file was part of the bundle, this is the CFBundleID.
 ///

Source/common/SNTStoredEvent.m

@@ -34,6 +34,7 @@
   ENCODE(self.filePath, @"filePath");
 
   ENCODE(self.fileBundleName, @"fileBundleName");
+  ENCODE(self.fileBundlePath, @"fileBundlePath");
   ENCODE(self.fileBundleID, @"fileBundleID");
   ENCODE(self.fileBundleVersion, @"fileBundleVersion");
   ENCODE(self.fileBundleVersionString, @"fileBundleVersionString");
@@ -56,6 +57,14 @@
   ENCODE(self.quarantineAgentBundleID, @"quarantineAgentBundleID");
 }
 
+- (instancetype)init {
+  self = [super init];
+  if (self) {
+    _idx = @(arc4random());
+  }
+  return self;
+}
+
 - (instancetype)initWithCoder:(NSCoder *)decoder {
   self = [super init];
   if (self) {
@@ -64,6 +73,7 @@
     _filePath = DECODE(NSString, @"filePath");
 
     _fileBundleName = DECODE(NSString, @"fileBundleName");
+    _fileBundlePath = DECODE(NSString, @"fileBundlePath");
     _fileBundleID = DECODE(NSString, @"fileBundleID");
     _fileBundleVersion = DECODE(NSString, @"fileBundleVersion");
     _fileBundleVersionString = DECODE(NSString, @"fileBundleVersionString");

Source/common/SNTXPCConnection.h

@@ -40,12 +40,12 @@
   @code
    [conn.remoteObjectProxy selectorInRemoteInterface];
   @endcode
- 
+
   One advantage of the way that SNTXPCConnection works over using NSXPCConnection directly is that
   from the client-side once the resume method has finished, the connection is either valid or the
   invalidation handler will be called. Ordinarily, the connection doesn't actually get made until
   the first message is sent across it.
- 
+
   @note messages are always delivered on a background thread!
 */
 @interface SNTXPCConnection : NSObject<NSXPCListenerDelegate>
@@ -79,7 +79,7 @@
 
 /**
   Call when the properties of the object have been set-up and you're ready for connections.
- 
+
   For clients, this call can take up to 2s to complete for connection to finish establishing though
   in basically all cases it will actually complete in a few milliseconds.
 */
@@ -97,7 +97,7 @@
 
 /**
   A proxy to the object at the other end of the connection. (client)
- 
+
   @note If the connection to the server failed, this will be nil, so you can safely send messages
   and rely on the invalidationHandler for handling the failure.
 */

Source/common/SNTXPCConnection.m

@@ -30,7 +30,7 @@
   has one of these objects created which accept the message in the protocol
   and call the block provided during creation before replying.
 
-  This allows the server to reset the connection's exporteed interface and
+  This allows the server to reset the connection's exported interface and
   object to the correct values after the client has sent the establishment message.
 */
 @interface SNTXPCConnectionInterface : NSObject<SNTXPCConnectionProtocol>
@@ -45,10 +45,10 @@
 @end
 
 @interface SNTXPCConnection ()
+@property NSXPCInterface *validationInterface;
+
 /// The XPC listener (server only).
 @property NSXPCListener *listenerObject;
-/// Array of accepted connections (server only).
-@property NSMutableArray *acceptedConnections;
 
 /// The current connection object (client only).
 @property NSXPCConnection *currentConnection;
@@ -62,7 +62,8 @@
   self = [super init];
   if (self) {
     _listenerObject = listener;
-    _acceptedConnections = [NSMutableArray array];
+    _validationInterface =
+        [NSXPCInterface interfaceWithProtocol:@protocol(SNTXPCConnectionProtocol)];
   }
   return self;
 }
@@ -76,6 +77,8 @@
   if (self) {
     _currentConnection = [[NSXPCConnection alloc] initWithListenerEndpoint:listener];
     if (!_currentConnection) return nil;
+    _validationInterface =
+        [NSXPCInterface interfaceWithProtocol:@protocol(SNTXPCConnectionProtocol)];
   }
   return self;
 }
@@ -86,6 +89,8 @@
     NSXPCConnectionOptions options = (privileged ? NSXPCConnectionPrivileged : 0);
     _currentConnection = [[NSXPCConnection alloc] initWithMachServiceName:name options:options];
     if (!_currentConnection) return nil;
+    _validationInterface =
+        [NSXPCInterface interfaceWithProtocol:@protocol(SNTXPCConnectionProtocol)];
   }
   return self;
 }
@@ -107,8 +112,7 @@
     // Set-up the connection with the remote interface set to the validation interface,
     // send a message to the listener to finish establishing the connection
     dispatch_semaphore_t sema = dispatch_semaphore_create(0);
-    self.currentConnection.remoteObjectInterface =
-        [NSXPCInterface interfaceWithProtocol:@protocol(SNTXPCConnectionProtocol)];
+    self.currentConnection.remoteObjectInterface = self.validationInterface;
     self.currentConnection.interruptionHandler = self.invalidationHandler;
     self.currentConnection.invalidationHandler = self.invalidationHandler;
     [self.currentConnection resume];
@@ -139,7 +143,6 @@
   // The client passed the code signature check, now we need to resume the listener and
   // return YES so that the client can send the connectWithReply message. Once the client does
   // we reset the connection's exportedInterface and exportedObject.
-
   SNTXPCConnectionInterface *ci = [[SNTXPCConnectionInterface alloc] init];
   WEAKIFY(self);
   WEAKIFY(connection);
@@ -147,25 +150,17 @@
     STRONGIFY(self)
     STRONGIFY(connection);
     [connection suspend];
-    [self.acceptedConnections addObject:connection];
-
-    WEAKIFY(connection);
     connection.invalidationHandler = connection.interruptionHandler = ^{
-      STRONGIFY(connection);
-      [self.acceptedConnections removeObject:connection];
       if (self.invalidationHandler) self.invalidationHandler();
     };
-
     connection.exportedInterface = self.exportedInterface;
     connection.exportedObject = self.exportedObject;
-
     [connection resume];
 
     // The connection is now established.
     if (self.acceptedHandler) self.acceptedHandler();
   };
-  connection.exportedInterface =
-      [NSXPCInterface interfaceWithProtocol:@protocol(SNTXPCConnectionProtocol)];
+  connection.exportedInterface = self.validationInterface;
   connection.exportedObject = ci;
   [connection resume];
 
@@ -173,7 +168,8 @@
 }
 
 - (id)remoteObjectProxy {
-  if (self.currentConnection.remoteObjectInterface) {
+  if (self.currentConnection.remoteObjectInterface &&
+      self.currentConnection.remoteObjectInterface != self.validationInterface) {
     return [self.currentConnection remoteObjectProxyWithErrorHandler:^(NSError *error) {
       [self.currentConnection invalidate];
     }];
@@ -188,10 +184,6 @@
     [self.currentConnection invalidate];
     self.currentConnection = nil;
   } else if (self.listenerObject) {
-    for (NSXPCConnection *conn in self.acceptedConnections) {
-      [conn invalidate];
-    }
-    [self.acceptedConnections removeAllObjects];
     [self.listenerObject invalidate];
   }
 }

Source/common/SNTXPCControlInterface.h

@@ -12,7 +12,11 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <MOLCertificate/MOLCertificate.h>
+
+#import "SNTCachedDecision.h"
 #import "SNTCommonEnums.h"
+#import "SNTKernelCommon.h"
 
 @class SNTRule;
 @class SNTStoredEvent;
@@ -28,6 +32,7 @@
 ///
 - (void)cacheCount:(void (^)(int64_t))reply;
 - (void)flushCache:(void (^)(BOOL))reply;
+- (void)checkCacheForVnodeID:(uint64_t)vnodeID withReply:(void (^)(santa_action_t))reply;
 
 ///
 ///  Database ops
@@ -36,11 +41,28 @@
 - (void)databaseRuleAddRules:(NSArray *)rules
                   cleanSlate:(BOOL)cleanSlate
                        reply:(void (^)(NSError *error))reply;
-
 - (void)databaseEventCount:(void (^)(int64_t count))reply;
-- (void)databaseEventForSHA256:(NSString *)sha256 reply:(void (^)(SNTStoredEvent *))reply;
 - (void)databaseEventsPending:(void (^)(NSArray *events))reply;
 - (void)databaseRemoveEventsWithIDs:(NSArray *)ids;
+- (void)databaseRuleForBinarySHA256:(NSString *)binarySHA256
+                  certificateSHA256:(NSString *)certificateSHA256
+                              reply:(void (^)(SNTRule *))reply;
+///
+///  Decision ops
+///
+
+///
+///  @param filePath A Path to the file, can be nil.
+///  @param fileSHA256 The pre-calculated SHA256 hash for the file, can be nil. If nil the hash will
+///                    be calculated by this method from the filePath.
+///  @param signingCertificate A MOLCertificate object, can be nil.
+///  @note If fileInfo and signingCertificate are both passed in, the most specific rule will be
+///        returned. Binary rules take precedence over cert rules.
+///
+- (void)decisionForFilePath:(NSString *)filePath
+                 fileSHA256:(NSString *)fileSHA256
+         signingCertificate:(MOLCertificate *)signingCertificate
+                      reply:(void (^)(SNTEventState))reply;
 
 ///
 ///  Config ops
@@ -48,8 +70,10 @@
 - (void)watchdogInfo:(void (^)(uint64_t, uint64_t, double, double))reply;
 - (void)clientMode:(void (^)(SNTClientMode))reply;
 - (void)setClientMode:(SNTClientMode)mode reply:(void (^)())reply;
-- (void)setNextSyncInterval:(uint64_t)seconds reply:(void (^)())reply;
+- (void)xsrfToken:(void (^)(NSString *))reply;
+- (void)setXsrfToken:(NSString *)token reply:(void (^)())reply;
 - (void)setSyncLastSuccess:(NSDate *)date reply:(void (^)())reply;
+- (void)setRuleSyncLastSuccess:(NSDate *)date reply:(void (^)())reply;
 - (void)setSyncCleanRequired:(BOOL)cleanReqd reply:(void (^)())reply;
 - (void)setWhitelistPathRegex:(NSString *)pattern reply:(void (^)())reply;
 - (void)setBlacklistPathRegex:(NSString *)pattern reply:(void (^)())reply;
@@ -59,6 +83,14 @@
 ///
 - (void)setNotificationListener:(NSXPCListenerEndpoint *)listener;
 
+///
+///  Syncd Ops
+///
+- (void)setSyncdListener:(NSXPCListenerEndpoint *)listener;
+- (void)setNextSyncInterval:(uint64_t)seconds reply:(void (^)())reply;
+- (void)pushNotifications:(void (^)(BOOL))reply;
+- (void)postRuleSyncNotificationWithCustomMessage:(NSString *)message reply:(void (^)())reply;
+
 @end
 
 @interface SNTXPCControlInterface : NSObject

Source/common/SNTXPCNotifierInterface.h

@@ -12,11 +12,15 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import "SNTCommonEnums.h"
+
 @class SNTStoredEvent;
 
 /// Protocol implemented by SantaGUI and utilized by santad
 @protocol SNTNotifierXPC
 - (void)postBlockNotification:(SNTStoredEvent *)event withCustomMessage:(NSString *)message;
+- (void)postClientModeNotification:(SNTClientMode)clientmode;
+- (void)postRuleSyncNotificationWithCustomMessage:(NSString *)message;
 @end
 
 @interface SNTXPCNotifierInterface : NSObject

Source/common/SNTXPCSyncdInterface.h

@@ -1,4 +1,4 @@
-/// Copyright 2015 Google Inc. All rights reserved.
+/// Copyright 2016 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -12,21 +12,23 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#ifndef SANTA__SANTA_DRIVER__SANTAPIDANDPPID_H
-#define SANTA__SANTA_DRIVER__SANTAPIDANDPPID_H
+#import "SNTCommonEnums.h"
 
-#include <libkern/c++/OSObject.h>
+@class SNTStoredEvent;
+
+/// Protocol implemented by santactl and utilized by santad
+@protocol SNTSyncdXPC
+- (void)postEventToSyncServer:(SNTStoredEvent *)event;
+- (void)rescheduleSyncSecondsFromNow:(uint64_t)seconds;
+- (void)isFCMListening:(void (^)(BOOL))reply;
+@end
+
+@interface SNTXPCSyncdInterface : NSObject
 
 ///
-///  An OSObject wrapper around a PID and PPID.
-///  Only OSObject subclasses can be inserted into an OSDictionary.
+///  Returns an initialized NSXPCInterface for the SNTSyncdXPC protocol.
+///  Ensures any methods that accept custom classes as arguments are set-up before returning
 ///
-class SantaPIDAndPPID : public OSObject {
-  OSDeclareDefaultStructors(SantaPIDAndPPID)
++ (NSXPCInterface *)syncdInterface;
 
- public:
-  pid_t pid;
-  pid_t ppid;
-};
-
-#endif  // SANTA__SANTA_DRIVER__SANTAPIDANDPPID_H
+@end

Source/common/SNTXPCSyncdInterface.m

@@ -0,0 +1,23 @@
+/// Copyright 2016 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTXPCSyncdInterface.h"
+
+@implementation SNTXPCSyncdInterface
+
++ (NSXPCInterface *)syncdInterface {
+  return [NSXPCInterface interfaceWithProtocol:@protocol(SNTSyncdXPC)];
+}
+
+@end

Source/santa-driver/SantaCache.h

@@ -0,0 +1,271 @@
+/// Copyright 2016 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#ifndef SANTA__SANTA_DRIVER__SANTACACHE_H
+#define SANTA__SANTA_DRIVER__SANTACACHE_H
+
+#include <libkern/OSAtomic.h>
+#include <libkern/OSTypes.h>
+#include <stdint.h>
+#include <sys/cdefs.h>
+
+#include "SNTKernelCommon.h"
+
+#ifdef KERNEL
+#include <IOKit/IOLib.h>
+#else // KERNEL
+// Support for unit testing.
+#include <cstdio>
+#include <cstdlib>
+#include <cstring>
+#define panic(args...) printf(args); printf("\n"); abort()
+#define IOMalloc malloc
+#define IOMallocAligned(sz, alignment) malloc(sz);
+#define IOFree(addr, sz) free(addr)
+#define IOFreeAligned(addr, sz) free(addr)
+#define OSTestAndSet OSAtomicTestAndSet
+#define OSTestAndClear(bit, addr) OSAtomicTestAndClear(bit, addr) == 0
+#define OSIncrementAtomic(addr) OSAtomicIncrement64((volatile int64_t *)addr)
+#define OSDecrementAtomic(addr) OSAtomicDecrement64((volatile int64_t *)addr)
+#endif // KERNEL
+
+/**
+  A somewhat simple, concurrent linked-list hash table intended for use in IOKit kernel extensions.
+  Maps 64-bit unsigned integer keys to values.
+
+  Enforces a maximum size by clearing all entries if a new value
+  is added that would go over the maximum size declared at creation.
+
+  The number of buckets is calculated as `maximum_size` / `per_bucket`
+  rounded up to the next power of 2. Locking is done per-bucket.
+*/
+template<class T> class SantaCache {
+ public:
+  /**
+    Initialize a newly created cache.
+
+    @param maximum_size The maximum number of entries in this cache. Once this
+        number is reached all the entries will be purged.
+    @param per_bucket The target number of entries in each bucket when cache is full.
+        A higher number will result in better performance but higher memory usage.
+        Cannot be higher than 64 to try and ensure buckets don't overflow.
+  */
+  SantaCache(uint64_t maximum_size = 10000, uint8_t per_bucket = 5) {
+    if (unlikely(per_bucket < 1)) per_bucket = 1;
+    if (unlikely(per_bucket > 64)) per_bucket = 64;
+    max_size_ = maximum_size;
+    bucket_count_ = 1 << (32 - __builtin_clz(
+        ((uint32_t)max_size_ / per_bucket) - 1));
+    buckets_ = (struct bucket *)IOMalloc(bucket_count_ * sizeof(struct bucket));
+    bzero(buckets_, bucket_count_ * sizeof(struct bucket));
+  }
+
+  /**
+    Clear and free memory
+  */
+  ~SantaCache() {
+    clear();
+    IOFree(buckets_, bucket_count_ * sizeof(struct bucket));
+  }
+
+  /**
+    Get an element from the cache. Returns zero_ if item doesn't exist.
+  */
+  T get(uint64_t key) {
+    struct bucket *bucket = &buckets_[hash(key)];
+    lock(bucket);
+    struct entry *entry = (struct entry *)((uintptr_t)bucket->head - 1);
+    while (entry != nullptr) {
+      if (entry->key == key) {
+        T val = entry->value;
+        unlock(bucket);
+        return val;
+      }
+      entry = entry->next;
+    }
+    unlock(bucket);
+    return zero_;
+  }
+
+  /**
+    Set an element in the cache.
+
+    @note If the cache is full when this is called, this will empty the cache before
+    inserting the new value.
+
+    @return if an existing value was replaced, the previous value, otherwise zero_
+  */
+  T set(uint64_t key, T value) {
+    struct bucket *bucket = &buckets_[hash(key)];
+    lock(bucket);
+    struct entry *entry = (struct entry *)((uintptr_t)bucket->head - 1);
+    struct entry *previous_entry = nullptr;
+    while (entry != nullptr) {
+      if (entry->key == key) {
+        T existing_value = entry->value;
+        entry->value = value;
+
+        if (value == zero_) {
+          if (previous_entry != nullptr) {
+            previous_entry->next = entry->next;
+          } else {
+            bucket->head = (struct entry *)((uintptr_t)entry->next + 1);
+          }
+          IOFreeAligned(entry, sizeof(struct entry));
+          OSDecrementAtomic(&count_);
+        }
+
+        unlock(bucket);
+        return existing_value;
+      }
+      previous_entry = entry;
+      entry = entry->next;
+    }
+
+    // If value is zero_, we're clearing but there's nothing to clear
+    // so we don't need to do anything else.
+    if (value == zero_) {
+      unlock(bucket);
+      return zero_;
+    }
+
+    // Check that adding this new item won't take the cache over its maximum size.
+    if (count_ + 1 > max_size_) {
+      unlock(bucket);
+      lock(&clear_bucket_);
+      // Check again in case clear has already run while waiting for lock
+      if (count_ + 1 > max_size_) {
+        clear();
+      }
+      lock(bucket);
+      unlock(&clear_bucket_);
+    }
+
+    // Allocate a new entry, set the key and value, then set the next pointer as the current
+    // first entry in the bucket then make this new entry the first in the bucket.
+    struct entry *new_entry = (struct entry *)IOMallocAligned(sizeof(struct entry), 2);
+    new_entry->key = key;
+    new_entry->value = value;
+    new_entry->next = (struct entry *)((uintptr_t)bucket->head - 1);
+    bucket->head = (struct entry *)((uintptr_t)new_entry + 1);
+    OSIncrementAtomic(&count_);
+
+    unlock(bucket);
+    return zero_;
+  }
+
+  /**
+    An alias for `set(key, zero_)`
+  */
+  inline void remove(uint64_t key) {
+    set(key, zero_);
+  }
+
+  /**
+    Remove all entries and free bucket memory.
+  */
+  void clear() {
+    for (uint32_t i = 0; i < bucket_count_; ++i) {
+      struct bucket *bucket = &buckets_[i];
+      // We grab the lock so nothing can use this bucket while we're erasing it
+      // and never release it. It'll be 'released' when the bzero call happens
+      // at the end of this function.
+      lock(bucket);
+
+      // Free the bucket's entries, if there are any.
+      struct entry *entry = (struct entry *)((uintptr_t)bucket->head - 1);
+      while (entry != nullptr) {
+        struct entry *next_entry = entry->next;
+        IOFreeAligned(entry, sizeof(struct entry));
+        entry = next_entry;
+      }
+    }
+
+    // Reset cache count, no atomicity needed as we hold all the bucket locks.
+    count_ = 0;
+
+    // This resets all of the bucket counts and locks. Releasing the locks for
+    // each bucket isn't really atomic here but each bucket will be zero'd
+    // before the lock is released as the lock is the last thing in a bucket.
+    bzero(buckets_, bucket_count_ * sizeof(struct bucket));
+  }
+
+  /**
+    Return number of entries currently in cache.
+  */
+  inline uint64_t count() const {
+    return count_;
+  }
+
+ private:
+  struct entry {
+    uint64_t key;
+    T value;
+    struct entry *next;
+  };
+
+  struct bucket {
+    // The least significant bit of this pointer is always 0 (due to alignment),
+    // so we utilize that bit as the lock for the bucket.
+    struct entry *head;
+  };
+
+  /**
+    Lock a bucket. Spins until the lock is acquired.
+  */
+  inline void lock(struct bucket *bucket) const {
+    while (OSTestAndSet(7, (volatile uint8_t *)&bucket->head));
+  }
+
+  /**
+    Unlock a bucket. Panics if the lock wasn't locked.
+  */
+  inline void unlock(struct bucket *bucket) const {
+    if (unlikely(OSTestAndClear(7, (volatile uint8_t *)&bucket->head))) {
+      panic("SantaCache::unlock(): Tried to unlock an unlocked lock");
+    }
+  }
+
+  uint64_t count_ = 0;
+
+  uint64_t max_size_;
+  uint32_t bucket_count_;
+
+  struct bucket *buckets_;
+
+  /**
+    Holder for a 'zero' entry for the current type
+  */
+  T zero_ = {};
+
+  /**
+    Special bucket used when automatically clearing due to size
+    to prevent two threads trying to clear at the same time and
+    getting stuck.
+  */
+  struct bucket clear_bucket_ = {};
+
+  /**
+    Hash a key to determine which bucket it belongs in.
+
+    Multiplicative hash using a prime near to the golden ratio, per Knuth.
+    This seems to have good bucket distribution generally and for the range of
+    values we expect to see.
+  */
+  inline uint64_t hash(uint64_t input) const {
+    return (input * 11400714819323198549ul) % bucket_count_;
+  }
+};
+
+#endif // SANTA__SANTA_DRIVER__SANTACACHE_H

Source/santa-driver/SantaCachedDecision.cc

@@ -1,31 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-#include "SantaCachedDecision.h"
-
-OSDefineMetaClassAndStructors(SantaCachedDecision, OSObject);
-
-uint64_t SantaCachedDecision::getMicrosecs() const {
-  return microsecs_;
-}
-
-santa_action_t SantaCachedDecision::getAction() const {
-  return action_;
-}
-
-void SantaCachedDecision::setAction(
-    const santa_action_t action, const uint64_t microsecs) {
-  action_ = action;
-  microsecs_ = microsecs;
-}

Source/santa-driver/SantaCachedDecision.h

@@ -1,44 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-#ifndef SANTA__SANTA_DRIVER__SANTACACHEDDECISION_H
-#define SANTA__SANTA_DRIVER__SANTACACHEDDECISION_H
-
-#include <libkern/c++/OSObject.h>
-
-#include "SNTKernelCommon.h"
-
-///
-///  An OSObject subclass to store a @c santa_action_t and a timestamp.
-///  Only OSObject subclasses can be inserted into an OSDictionary.
-///
-class SantaCachedDecision : public OSObject {
-  OSDeclareDefaultStructors(SantaCachedDecision)
-
- public:
-  // Returns the time the action was last set.
-  uint64_t getMicrosecs() const;
-
-  // Returns the set action.
-  santa_action_t getAction() const;
-
-  // Sets the acion and receive time.
-  void setAction(const santa_action_t action, const uint64_t microsecs);
-
- private:
-  santa_action_t action_;
-  uint64_t microsecs_;
-};
-
-#endif  // SANTA__SANTA_DRIVER__SANTACACHEDDECISIONWRAPPER_H

Source/santa-driver/SantaDecisionManager.cc

@@ -24,40 +24,33 @@ bool SantaDecisionManager::init() {
 
   sdm_lock_grp_attr_ = lck_grp_attr_alloc_init();
   sdm_lock_grp_ = lck_grp_alloc_init("santa-locks", sdm_lock_grp_attr_);
-
   sdm_lock_attr_ = lck_attr_alloc_init();
 
   decision_dataqueue_lock_ = lck_mtx_alloc_init(sdm_lock_grp_, sdm_lock_attr_);
   log_dataqueue_lock_ = lck_mtx_alloc_init(sdm_lock_grp_, sdm_lock_attr_);
-  cached_decisions_lock_ = lck_rw_alloc_init(sdm_lock_grp_, sdm_lock_attr_);
-  vnode_pid_map_lock_ = lck_rw_alloc_init(sdm_lock_grp_, sdm_lock_attr_);
 
-  cached_decisions_ = OSDictionary::withCapacity(1000);
-  vnode_pid_map_ = OSDictionary::withCapacity(1000);
+  decision_cache_ = new SantaCache<uint64_t>(10000, 2);
+  vnode_pid_map_ = new SantaCache<uint64_t>(2000, 5);
 
-  decision_dataqueue_ = IOSharedDataQueue::withEntries(kMaxDecisionQueueEvents,
-                                                       sizeof(santa_message_t));
+  decision_dataqueue_ = IOSharedDataQueue::withEntries(
+      kMaxDecisionQueueEvents, sizeof(santa_message_t));
   if (!decision_dataqueue_) return kIOReturnNoMemory;
 
-  log_dataqueue_ = IOSharedDataQueue::withEntries(kMaxLogQueueEvents,
-                                                  sizeof(santa_message_t));
+  log_dataqueue_ = IOSharedDataQueue::withEntries(
+      kMaxLogQueueEvents, sizeof(santa_message_t));
   if (!log_dataqueue_) return kIOReturnNoMemory;
 
   client_pid_ = 0;
 
+  ts_ = { .tv_sec = kRequestLoopSleepMilliseconds / 1000,
+          .tv_nsec = kRequestLoopSleepMilliseconds % 1000 * 1000000 };
+
   return true;
 }
 
 void SantaDecisionManager::free() {
-  if (cached_decisions_lock_) {
-    lck_rw_free(cached_decisions_lock_, sdm_lock_grp_);
-    cached_decisions_lock_ = nullptr;
-  }
-
-  if (vnode_pid_map_lock_) {
-    lck_rw_free(vnode_pid_map_lock_, sdm_lock_grp_);
-    vnode_pid_map_lock_ = nullptr;
-  }
+  delete decision_cache_;
+  delete vnode_pid_map_;
 
   if (decision_dataqueue_lock_) {
     lck_mtx_free(decision_dataqueue_lock_, sdm_lock_grp_);
@@ -86,8 +79,6 @@ void SantaDecisionManager::free() {
 
   OSSafeReleaseNULL(decision_dataqueue_);
   OSSafeReleaseNULL(log_dataqueue_);
-  OSSafeReleaseNULL(cached_decisions_);
-  OSSafeReleaseNULL(vnode_pid_map_);
 
   super::free();
 }
@@ -97,12 +88,12 @@ void SantaDecisionManager::free() {
 void SantaDecisionManager::ConnectClient(pid_t pid) {
   if (!pid) return;
 
+  client_pid_ = pid;
+
   // Any decisions made while the daemon wasn't
   // connected should be cleared
   ClearCache();
 
-  client_pid_ = pid;
-
   failed_decision_queue_requests_ = 0;
   failed_log_queue_requests_ = 0;
 }
@@ -136,6 +127,7 @@ void SantaDecisionManager::DisconnectClient(bool itDied) {
 }
 
 bool SantaDecisionManager::ClientConnected() const {
+  if (client_pid_ <= 0) return false;
   auto p = proc_find(client_pid_);
   auto is_exiting = false;
   if (p) {
@@ -168,14 +160,12 @@ IOMemoryDescriptor *SantaDecisionManager::GetLogMemoryDescriptor() const {
 #pragma mark Listener Control
 
 kern_return_t SantaDecisionManager::StartListener() {
-  vnode_listener_ = kauth_listen_scope(KAUTH_SCOPE_VNODE,
-                                       vnode_scope_callback,
-                                       reinterpret_cast<void *>(this));
+  vnode_listener_ = kauth_listen_scope(
+      KAUTH_SCOPE_VNODE, vnode_scope_callback, reinterpret_cast<void *>(this));
   if (!vnode_listener_) return kIOReturnInternalError;
 
-  fileop_listener_ = kauth_listen_scope(KAUTH_SCOPE_FILEOP,
-                                        fileop_scope_callback,
-                                        reinterpret_cast<void *>(this));
+  fileop_listener_ = kauth_listen_scope(
+      KAUTH_SCOPE_FILEOP, fileop_scope_callback, reinterpret_cast<void *>(this));
   if (!fileop_listener_) return kIOReturnInternalError;
 
   LOGD("Listeners started.");
@@ -206,131 +196,88 @@ kern_return_t SantaDecisionManager::StopListener() {
 #pragma mark Cache Management
 
 void SantaDecisionManager::AddToCache(
-    const char *identifier, santa_action_t decision, uint64_t microsecs) {
-  if (cached_decisions_->getCount() > kMaxCacheSize) {
-    // This could be made a _lot_ smarter, say only removing entries older
-    // than a certain time period. However, with a kMaxCacheSize set
-    // sufficiently large and a kMaxAllowCacheTimeMilliseconds set
-    // sufficiently low, this should only ever occur if someone is purposefully
-    // trying to make the cache grow.
-    LOGI("Cache too large, flushing.");
-    ClearCache();
+    uint64_t identifier, santa_action_t decision, uint64_t microsecs) {
+  // Decision is stored in upper 8 bits, timestamp in remaining 56.
+  uint64_t val = ((uint64_t)decision << 56) | (microsecs & 0xFFFFFFFFFFFFFF);
+
+  // If a previous entry was not found and the new entry is not `REQUEST_BINARY`, remove the
+  // existing entry. This is to prevent adding an ALLOW to the cache after a write has occurred.
+  if (decision_cache_->set(identifier, val) == 0 && decision != ACTION_REQUEST_BINARY) {
+    decision_cache_->remove(identifier);
   }
 
-  if (decision == ACTION_REQUEST_BINARY) {
-    auto pending = new SantaCachedDecision();
-    pending->setAction(ACTION_REQUEST_BINARY, 0);
-    lck_rw_lock_exclusive(cached_decisions_lock_);
-    cached_decisions_->setObject(identifier, pending);
-    lck_rw_unlock_exclusive(cached_decisions_lock_);
-    pending->release();  // it was retained when added to the dictionary
-  } else {
-    lck_rw_lock_exclusive(cached_decisions_lock_);
-    auto pending = OSDynamicCast(
-        SantaCachedDecision, cached_decisions_->getObject(identifier));
-    if (pending) {
-      pending->setAction(decision, microsecs);
-    }
-    lck_rw_unlock_exclusive(cached_decisions_lock_);
-  }
+  wakeup((void *)identifier);
 }
 
-void SantaDecisionManager::CacheCheck(const char *identifier) {
-  lck_rw_lock_shared(cached_decisions_lock_);
-  auto shouldInvalidate = (cached_decisions_->getObject(identifier) != nullptr);
-  if (shouldInvalidate) {
-    if (!lck_rw_lock_shared_to_exclusive(cached_decisions_lock_)) {
-      // shared_to_exclusive will return false if a previous reader upgraded
-      // and if that happens the lock will have been unlocked. If that happens,
-      // which is rare, relock exclusively.
-      lck_rw_lock_exclusive(cached_decisions_lock_);
-    }
-    cached_decisions_->removeObject(identifier);
-    lck_rw_unlock_exclusive(cached_decisions_lock_);
-  } else {
-    lck_rw_unlock_shared(cached_decisions_lock_);
-  }
+void SantaDecisionManager::RemoveFromCache(uint64_t identifier) {
+  decision_cache_->remove(identifier);
+  wakeup((void *)identifier);
 }
 
 uint64_t SantaDecisionManager::CacheCount() const {
-  return cached_decisions_->getCount();
+  return decision_cache_->count();
 }
 
 void SantaDecisionManager::ClearCache() {
-  lck_rw_lock_exclusive(cached_decisions_lock_);
-  cached_decisions_->flushCollection();
-  lck_rw_unlock_exclusive(cached_decisions_lock_);
+  decision_cache_->clear();
 }
 
 #pragma mark Decision Fetching
 
-santa_action_t SantaDecisionManager::GetFromCache(const char *identifier) {
+santa_action_t SantaDecisionManager::GetFromCache(uint64_t identifier) {
   auto result = ACTION_UNSET;
   uint64_t decision_time = 0;
 
-  lck_rw_lock_shared(cached_decisions_lock_);
-  SantaCachedDecision *cached_decision = OSDynamicCast(
-      SantaCachedDecision, cached_decisions_->getObject(identifier));
-  if (cached_decision) {
-    result = cached_decision->getAction();
-    decision_time = cached_decision->getMicrosecs();
-  }
-  lck_rw_unlock_shared(cached_decisions_lock_);
+  uint64_t cache_val = decision_cache_->get(identifier);
+  if (cache_val == 0) return result;
+
+  // Decision is stored in upper 8 bits, timestamp in remaining 56.
+  result = (santa_action_t)(cache_val >> 56);
+  decision_time = (cache_val & ~(0xFF00000000000000));
 
   if (RESPONSE_VALID(result)) {
-    auto diff_time = GetCurrentUptime();
-
-    if (result == ACTION_RESPOND_ALLOW) {
-      if ((kMaxAllowCacheTimeMilliseconds * 1000) > diff_time) {
-        diff_time = 0;
-      } else {
-        diff_time -= (kMaxAllowCacheTimeMilliseconds * 1000);
-      }
-    } else if (result == ACTION_RESPOND_DENY) {
+    if (result == ACTION_RESPOND_DENY) {
+      auto diff_time = GetCurrentUptime();
       if ((kMaxDenyCacheTimeMilliseconds * 1000) > diff_time) {
         diff_time = 0;
       } else {
         diff_time -= (kMaxDenyCacheTimeMilliseconds * 1000);
       }
-    }
-
-    if (decision_time < diff_time) {
-      lck_rw_lock_exclusive(cached_decisions_lock_);
-      cached_decisions_->removeObject(identifier);
-      lck_rw_unlock_exclusive(cached_decisions_lock_);
-      return ACTION_UNSET;
+      if (decision_time < diff_time) {
+        decision_cache_->remove(identifier);
+        return ACTION_UNSET;
+      }
     }
   }
 
   return result;
 }
 
-santa_action_t SantaDecisionManager::GetFromDaemon(
-    santa_message_t *message, const char *vnode_id_str) {
+santa_action_t SantaDecisionManager::GetFromDaemon(santa_message_t *message, uint64_t identifier) {
   auto return_action = ACTION_UNSET;
 
+#ifdef DEBUG
+  clock_sec_t secs = 0;
+  clock_usec_t microsecs = 0;
+  clock_get_system_microtime(&secs, &microsecs);
+  uint64_t uptime = (secs * 1000000) + microsecs;
+#endif
+
   // Wait for the daemon to respond or die.
   do {
-    // Add pending request to cache.
-    AddToCache(vnode_id_str, ACTION_REQUEST_BINARY, 0);
+    // Add pending request to cache, to be replaced by daemon with actual response
+    AddToCache(identifier, ACTION_REQUEST_BINARY, 0);
 
     // Send request to daemon...
     if (!PostToDecisionQueue(message)) {
-      OSIncrementAtomic(&failed_decision_queue_requests_);
-      if (failed_decision_queue_requests_ > kMaxDecisionQueueFailures) {
-        LOGE("Failed to queue more than %d requests, killing daemon",
-             kMaxDecisionQueueFailures);
-        proc_signal(client_pid_, SIGKILL);
-        client_pid_ = 0;
-      }
       LOGE("Failed to queue request for %s.", message->path);
-      CacheCheck(vnode_id_str);
+      RemoveFromCache(identifier);
       return ACTION_ERROR;
     }
 
     do {
-      IOSleep(kRequestLoopSleepMilliseconds);
-      return_action = GetFromCache(vnode_id_str);
+      msleep((void *)message->vnode_id, NULL, 0, "", &ts_);
+      return_action = GetFromCache(identifier);
     } while (return_action == ACTION_REQUEST_BINARY && ClientConnected());
   } while (!RESPONSE_VALID(return_action) && ClientConnected());
 
@@ -338,25 +285,40 @@ santa_action_t SantaDecisionManager::GetFromDaemon(
   if (!RESPONSE_VALID(return_action)) {
     LOGE("Daemon process did not respond correctly. Allowing executions "
          "until it comes back. Executable path: %s", message->path);
-    CacheCheck(vnode_id_str);
+    RemoveFromCache(identifier);
     return ACTION_ERROR;
   }
 
+#ifdef DEBUG
+  clock_get_system_microtime(&secs, &microsecs);
+  LOGD("Decision time: %4lldms (%s)",
+       (((secs * 1000000) + microsecs) - uptime) / 1000, message->path);
+#endif
+
   return return_action;
 }
 
 santa_action_t SantaDecisionManager::FetchDecision(
     const kauth_cred_t cred,
     const vnode_t vp,
-    const uint64_t vnode_id,
-    const char *vnode_id_str) {
-  if (!ClientConnected()) return ACTION_RESPOND_ALLOW;
+    const uint64_t vnode_id) {
+  while (true) {
+    if (!ClientConnected()) return ACTION_RESPOND_ALLOW;
 
-  // Check to see if item is in cache
-  auto return_action = GetFromCache(vnode_id_str);
+    // Check to see if item is in cache
+    auto return_action = GetFromCache(vnode_id);
 
-  // If item was in cache return it.
-  if (RESPONSE_VALID(return_action)) return return_action;
+    // If item was in cache with a valid response, return it.
+    // If item is in cache but hasn't received a response yet, sleep for a bit.
+    // If item is not in cache, break out of loop to send request to daemon.
+    if (RESPONSE_VALID(return_action)) {
+      return return_action;
+    } else if (return_action == ACTION_REQUEST_BINARY) {
+      msleep((void *)vnode_id, NULL, 0, "", &ts_);
+    } else {
+      break;
+    }
+  }
 
   // Get path
   char path[MAXPATHLEN];
@@ -365,12 +327,12 @@ santa_action_t SantaDecisionManager::FetchDecision(
     path[0] = '\0';
   }
 
-  auto message = NewMessage();
+  auto message = NewMessage(cred);
   strlcpy(message->path, path, sizeof(message->path));
   message->action = ACTION_REQUEST_BINARY;
   message->vnode_id = vnode_id;
   proc_name(message->ppid, message->pname, sizeof(message->pname));
-  return_action = GetFromDaemon(message, vnode_id_str);
+  auto return_action = GetFromDaemon(message, vnode_id);
   delete message;
   return return_action;
 }
@@ -380,6 +342,14 @@ santa_action_t SantaDecisionManager::FetchDecision(
 bool SantaDecisionManager::PostToDecisionQueue(santa_message_t *message) {
   lck_mtx_lock(decision_dataqueue_lock_);
   auto kr = decision_dataqueue_->enqueue(message, sizeof(santa_message_t));
+  if (!kr) {
+    if (++failed_decision_queue_requests_ > kMaxDecisionQueueFailures) {
+      LOGE("Failed to queue more than %d decision requests, killing daemon",
+           kMaxDecisionQueueFailures);
+      proc_signal(client_pid_, SIGKILL);
+      client_pid_ = 0;
+    }
+  }
   lck_mtx_unlock(decision_dataqueue_lock_);
   return kr;
 }
@@ -388,7 +358,7 @@ bool SantaDecisionManager::PostToLogQueue(santa_message_t *message) {
   lck_mtx_lock(log_dataqueue_lock_);
   auto kr = log_dataqueue_->enqueue(message, sizeof(santa_message_t));
   if (!kr) {
-    if (OSCompareAndSwap(0, 1, &failed_log_queue_requests_)) {
+    if (failed_log_queue_requests_++ == 0) {
       LOGW("Dropping log queue messages");
     }
     // If enqueue failed, pop an item off the queue and try again.
@@ -396,7 +366,9 @@ bool SantaDecisionManager::PostToLogQueue(santa_message_t *message) {
     log_dataqueue_->dequeue(0, &dataSize);
     kr = log_dataqueue_->enqueue(message, sizeof(santa_message_t));
   } else {
-    OSCompareAndSwap(1, 0, &failed_log_queue_requests_);
+    if (failed_log_queue_requests_ > 0) {
+      failed_log_queue_requests_--;
+    }
   }
   lck_mtx_unlock(log_dataqueue_lock_);
   return kr;
@@ -418,22 +390,17 @@ int SantaDecisionManager::VnodeCallback(const kauth_cred_t cred,
                                         const vfs_context_t ctx,
                                         const vnode_t vp,
                                         int *errno) {
-  // Only operate on regular files (not directories, symlinks, etc.).
-  if (vnode_vtype(vp) != VREG) return KAUTH_RESULT_DEFER;
-
-  // Get ID for the vnode and convert it to a string.
+  // Get ID for the vnode
   auto vnode_id = GetVnodeIDForVnode(ctx, vp);
-  char vnode_str[MAX_VNODE_ID_STR];
-  snprintf(vnode_str, MAX_VNODE_ID_STR, "%llu", vnode_id);
 
   // Fetch decision
-  auto returnedAction = FetchDecision(cred, vp, vnode_id, vnode_str);
+  auto returnedAction = FetchDecision(cred, vp, vnode_id);
 
   // If file has dirty blocks, remove from cache and deny. This would usually
   // be the case if a file has been written to and flushed but not yet
   // closed.
   if (vnode_hasdirtyblks(vp)) {
-    CacheCheck(vnode_str);
+    RemoveFromCache(vnode_id);
     returnedAction = ACTION_RESPOND_DENY;
   }
 
@@ -441,13 +408,11 @@ int SantaDecisionManager::VnodeCallback(const kauth_cred_t cred,
     case ACTION_RESPOND_ALLOW: {
       auto proc = vfs_context_proc(ctx);
       if (proc) {
-        auto pidWrapper = new SantaPIDAndPPID;
-        pidWrapper->pid = proc_pid(proc);
-        pidWrapper->ppid = proc_ppid(proc);
-        lck_rw_lock_exclusive(vnode_pid_map_lock_);
-        vnode_pid_map_->setObject(vnode_str, pidWrapper);
-        lck_rw_unlock_exclusive(vnode_pid_map_lock_);
-        pidWrapper->release();
+        pid_t pid = proc_pid(proc);
+        pid_t ppid = proc_ppid(proc);
+        // pid_t is 32-bit; pid is in upper 32 bits, ppid in lower.
+        uint64_t val = ((uint64_t)pid << 32) | (ppid & 0xFFFFFFFF);
+        vnode_pid_map_->set(vnode_id, val);
       }
       return KAUTH_RESULT_ALLOW;
     }
@@ -465,33 +430,26 @@ int SantaDecisionManager::VnodeCallback(const kauth_cred_t cred,
 void SantaDecisionManager::FileOpCallback(
     const kauth_action_t action, const vnode_t vp,
     const char *path, const char *new_path) {
+  if (!ClientConnected() || proc_selfpid() == client_pid_) return;
+
   if (vp) {
     auto context = vfs_context_create(nullptr);
     auto vnode_id = GetVnodeIDForVnode(context, vp);
     vfs_context_rele(context);
 
     if (action == KAUTH_FILEOP_CLOSE) {
-      char vnode_id_str[MAX_VNODE_ID_STR];
-      snprintf(vnode_id_str, MAX_VNODE_ID_STR, "%llu", vnode_id);
-      CacheCheck(vnode_id_str);
+      RemoveFromCache(vnode_id);
     } else if (action == KAUTH_FILEOP_EXEC) {
-      auto message = NewMessage();
+      auto message = NewMessage(nullptr);
       message->vnode_id = vnode_id;
       message->action = ACTION_NOTIFY_EXEC;
       strlcpy(message->path, path, sizeof(message->path));
-
-      char vnode_str[MAX_VNODE_ID_STR];
-      snprintf(vnode_str, MAX_VNODE_ID_STR, "%llu", vnode_id);
-
-      lck_rw_lock_shared(vnode_pid_map_lock_);
-      auto pidWrapper = OSDynamicCast(
-          SantaPIDAndPPID, vnode_pid_map_->getObject(vnode_str));
-      if (pidWrapper) {
-        message->pid = pidWrapper->pid;
-        message->ppid = pidWrapper->ppid;
+      uint64_t val = vnode_pid_map_->get(vnode_id);
+      if (val) {
+        // pid_t is 32-bit, so pid is in upper 32 bits, ppid in lower.
+        message->pid = (val >> 32);
+        message->ppid = (val & ~0xFFFFFFFF00000000);
       }
-      lck_rw_unlock_shared(vnode_pid_map_lock_);
-
       PostToLogQueue(message);
       delete message;
       return;
@@ -500,9 +458,8 @@ void SantaDecisionManager::FileOpCallback(
 
   // Filter out modifications to locations that are definitely
   // not useful or made by santad.
-  if (proc_selfpid() != client_pid_ &&
-      !strprefix(path, "/.") && !strprefix(path, "/dev")) {
-    auto message = NewMessage();
+  if (!strprefix(path, "/.") && !strprefix(path, "/dev")) {
+    auto message = NewMessage(nullptr);
     strlcpy(message->path, path, sizeof(message->path));
     if (new_path) strlcpy(message->newpath, new_path, sizeof(message->newpath));
     proc_name(message->pid, message->pname, sizeof(message->pname));
@@ -523,7 +480,9 @@ void SantaDecisionManager::FileOpCallback(
       case KAUTH_FILEOP_DELETE:
         message->action = ACTION_NOTIFY_DELETE;
         break;
-      default: delete message; return;
+      default:
+        delete message;
+        return;
     }
 
     PostToLogQueue(message);
@@ -539,14 +498,16 @@ extern "C" int fileop_scope_callback(
   auto sdm = OSDynamicCast(
       SantaDecisionManager, reinterpret_cast<OSObject *>(idata));
 
+  if (unlikely(sdm == nullptr)) {
+    LOGE("fileop_scope_callback called with no decision manager");
+    return KAUTH_RESULT_DEFER;
+  }
+
   vnode_t vp = nullptr;
   char *path = nullptr;
   char *new_path = nullptr;
 
   switch (action) {
-    case KAUTH_FILEOP_CLOSE:
-      if (!(arg2 & KAUTH_FILEOP_CLOSE_MODIFIED)) return KAUTH_RESULT_DEFER;
-    // Intentional fall-through
     case KAUTH_FILEOP_DELETE:
     case KAUTH_FILEOP_EXEC:
       vp = reinterpret_cast<vnode_t>(arg0);
@@ -573,20 +534,35 @@ extern "C" int fileop_scope_callback(
 extern "C" int vnode_scope_callback(
     kauth_cred_t credential, void *idata, kauth_action_t action,
     uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3) {
-  if (action & KAUTH_VNODE_ACCESS ||
-      !(action & KAUTH_VNODE_EXECUTE) ||
-      idata == nullptr) {
-    return KAUTH_RESULT_DEFER;
-  }
-
   auto sdm = OSDynamicCast(
       SantaDecisionManager, reinterpret_cast<OSObject *>(idata));
 
-  sdm->IncrementListenerInvocations();
-  int result = sdm->VnodeCallback(credential,
-                                  reinterpret_cast<vfs_context_t>(arg0),
-                                  reinterpret_cast<vnode_t>(arg1),
-                                  reinterpret_cast<int *>(arg3));
-  sdm->DecrementListenerInvocations();
-  return result;
+  if (unlikely(sdm == nullptr)) {
+    LOGE("vnode_scope_callback called with no decision manager");
+    return KAUTH_RESULT_DEFER;
+  }
+
+  vnode_t vp = reinterpret_cast<vnode_t>(arg1);
+
+  // We only care about regular files.
+  if (vnode_vtype(vp) != VREG) return KAUTH_RESULT_DEFER;
+
+  if ((action & KAUTH_VNODE_EXECUTE) && !(action & KAUTH_VNODE_ACCESS)) {
+    sdm->IncrementListenerInvocations();
+    int result = sdm->VnodeCallback(credential,
+                                    reinterpret_cast<vfs_context_t>(arg0),
+                                    vp,
+                                    reinterpret_cast<int *>(arg3));
+    sdm->DecrementListenerInvocations();
+    return result;
+  } else if (action & KAUTH_VNODE_WRITE_DATA) {
+    sdm->IncrementListenerInvocations();
+    char path[MAXPATHLEN];
+    int pathlen = MAXPATHLEN;
+    vn_getpath(vp, path, &pathlen);
+    sdm->FileOpCallback(KAUTH_FILEOP_CLOSE, vp, path, nullptr);
+    sdm->DecrementListenerInvocations();
+  }
+
+  return KAUTH_RESULT_DEFER;
 }

Source/santa-driver/SantaDecisionManager.h

@@ -24,10 +24,9 @@
 #include <sys/proc.h>
 #include <sys/vnode.h>
 
+#include "SantaCache.h"
 #include "SNTKernelCommon.h"
 #include "SNTLogging.h"
-#include "SantaCachedDecision.h"
-#include "SantaPIDAndPPID.h"
 
 ///
 ///  SantaDecisionManager is responsible for intercepting Vnode execute actions
@@ -40,178 +39,166 @@ class SantaDecisionManager : public OSObject {
   OSDeclareDefaultStructors(SantaDecisionManager);
 
  public:
-  ///  Used for initialization after instantiation. Required because
-  ///  constructors cannot throw inside kernel-space.
+  /// Used for initialization after instantiation.
   bool init() override;
 
-  ///  Called automatically when retain count drops to 0.
+  /// Called automatically when retain count drops to 0.
   void free() override;
 
-  ///  Called by SantaDriverClient during connection to provide the shared
-  ///  dataqueue memory to the client.
+  /**
+    Called by SantaDriverClient during connection to provide the shared
+    dataqueue memory to the client for the decision queue.
+  */
   IOMemoryDescriptor *GetDecisionMemoryDescriptor() const;
+
+  /**
+    Called by SantaDriverClient during connection to provide the shared
+    dataqueue memory to the client for the logging queue.
+  */
   IOMemoryDescriptor *GetLogMemoryDescriptor() const;
 
-  ///  Called by SantaDriverClient when a client connects to the decision queue,
-  ///  providing the pid of the client process.
+  /**
+    Called by SantaDriverClient when a client connects to the decision queue,
+    providing the pid of the client process.
+  */
   void ConnectClient(pid_t pid);
 
-  ///  Called by SantaDriverClient when a client disconnects
+  /// Called by SantaDriverClient when a client disconnects
   void DisconnectClient(bool itDied = false);
 
-  ///  Returns whether a client is currently connected or not.
+  /// Returns whether a client is currently connected or not.
   bool ClientConnected() const;
 
-  ///  Sets the Mach port for notifying the decision queue.
+  /// Sets the Mach port for notifying the decision queue.
   void SetDecisionPort(mach_port_t port);
 
-  ///  Sets the Mach port for notifying the log queue.
+  /// Sets the Mach port for notifying the log queue.
   void SetLogPort(mach_port_t port);
 
-  ///  Starts the kauth listeners.
+  /// Starts the kauth listeners.
   kern_return_t StartListener();
 
-  ///  Stops the kauth listeners. After stopping new callback requests,
-  ///  waits until all current invocations have finished before clearing the
-  ///  cache and returning.
+  /**
+    Stops the kauth listeners. After stopping new callback requests, waits until all
+    current invocations have finished before clearing the cache and returning.
+  */
   kern_return_t StopListener();
 
-  ///  Adds a decision to the cache, with a timestamp.
-  void AddToCache(const char *identifier,
+  /// Adds a decision to the cache, with a timestamp.
+  void AddToCache(uint64_t identifier,
                   const santa_action_t decision,
                   const uint64_t microsecs = GetCurrentUptime());
 
-  ///  Checks to see if a given identifier is in the cache and removes it.
-  void CacheCheck(const char *identifier);
+  ///  Fetches a response from the cache, first checking to see if the entry has expired.
+  santa_action_t GetFromCache(uint64_t identifier);
 
-  ///  Returns the number of entries in the cache.
+  /// Checks to see if a given identifier is in the cache and removes it.
+  void RemoveFromCache(uint64_t identifier);
+
+  /// Returns the number of entries in the cache.
   uint64_t CacheCount() const;
 
-  ///  Clears the cache.
+  /// Clears the cache.
   void ClearCache();
 
-  ///  Increments the count of active callbacks pending.
+  /// Increments the count of active callbacks pending.
   void IncrementListenerInvocations();
 
-  ///  Decrements the count of active callbacks pending.
+  /// Decrements the count of active callbacks pending.
   void DecrementListenerInvocations();
 
-  ///
-  ///  Vnode Callback
-  ///  @param cred The kauth credential for this request.
-  ///  @param ctx The VFS context for this request.
-  ///  @param vp The Vnode for this request.
-  ///  @param errno A pointer to return an errno style error.
-  ///  @return int A valid KAUTH_RESULT_*.
-  ///
+  /**
+    Vnode Callback
+
+    @param cred The kauth credential for this request.
+    @param ctx The VFS context for this request.
+    @param vp The Vnode for this request.
+    @param errno A pointer to return an errno style error.
+    @return int A valid KAUTH_RESULT_*.
+  */
   int VnodeCallback(const kauth_cred_t cred, const vfs_context_t ctx,
                     const vnode_t vp, int *errno);
-  ///
-  ///  FileOp Callback
-  ///  @param action The performed action
-  ///  @param vp The Vnode for this request. May be nullptr.
-  ///  @param path The path being operated on.
-  ///  @param new_path The target path for moves and links.
-  ///
+  /**
+    FileOp Callback
+
+    @param action The performed action
+    @param vp The Vnode for this request. May be nullptr.
+    @param path The path being operated on.
+    @param new_path The target path for moves and links.
+  */
   void FileOpCallback(kauth_action_t action, const vnode_t vp,
                       const char *path, const char *new_path);
 
  protected:
-  ///
-  ///  The maximum number of milliseconds a cached deny message should be
-  ///  considered valid.
-  ///
+  /**
+    While waiting for a response from the daemon, this is the maximum number of
+    milliseconds to sleep for before checking the cache for a response.
+  */
+  static const uint32_t kRequestLoopSleepMilliseconds = 1000;
+
+  /// The maximum number of milliseconds a cached deny message should be considered valid.
   static const uint64_t kMaxDenyCacheTimeMilliseconds = 500;
 
-  ///
-  ///  The maximum number of milliseconds a cached allow message should be
-  ///  considered valid.
-  ///
-  static const uint64_t kMaxAllowCacheTimeMilliseconds = 1000 * 60 * 60 * 24;
-
-  ///
-  ///  While waiting for a response from the daemon, this is the number of
-  ///  milliseconds to sleep for before checking the cache for a response.
-  ///
-  static const uint32_t kRequestLoopSleepMilliseconds = 10;
-
-  ///
-  ///  Maximum number of entries in the in-kernel cache.
-  ///
+  /// Maximum number of entries in the in-kernel cache.
   static const uint32_t kMaxCacheSize = 10000;
 
-  ///
-  ///  Maximum number of PostToDecisionQueue failures to allow.
-  ///
+  /// Maximum number of PostToDecisionQueue failures to allow.
   static const uint32_t kMaxDecisionQueueFailures = 10;
 
-  ///
-  ///  The maximum number of messages can be kept in
-  ///  the decision data queue at any time.
-  ///
+  /// The maximum number of messages can be kept in the decision data queue at any time.
   static const uint32_t kMaxDecisionQueueEvents = 512;
 
-  ///
-  ///  The maximum number of messages can be kept
-  ///  in the logging data queue at any time.
-  ///
-  static const uint32_t kMaxLogQueueEvents = 1024;
+  /// The maximum number of messages can be kept in the logging data queue at any time.
+  static const uint32_t kMaxLogQueueEvents = 2048;
 
-  ///  Fetches a response from the cache, first checking to see if the
-  ///  entry has expired.
-  santa_action_t GetFromCache(const char *identifier);
+  /**
+    Fetches a response from the daemon. Handles both daemon death
+    and failure to post messages to the daemon.
 
-  ///  Fetches a response from the daemon. Handles both daemon death
-  ///  and failure to post messages to the daemon.
-  ///
-  ///  @param message The message to send to the daemon
-  ///  @param identifier The vnode ID string for this request
-  ///  @return santa_action_t The response for this request
-  ///
-  santa_action_t GetFromDaemon(santa_message_t *message,
-                               const char *identifier);
+    @param message The message to send to the daemon
+    @param identifier The vnode ID string for this request
+    @return santa_action_t The response for this request
+  */
+  santa_action_t GetFromDaemon(santa_message_t *message, uint64_t identifier);
 
-  ///
-  ///  Fetches an execution decision for a file, first using the cache and then
-  ///  by sending a message to the daemon and waiting until a response arrives.
-  ///  If a daemon isn't connected, will allow execution and cache, logging
-  ///  the path to the executed file.
-  ///
-  ///  @param cred The credential for this request.
-  ///  @param vp The Vnode for this request.
-  ///  @param vnode_id The ID for this vnode.
-  ///  @param vnode_id_str A string representation of the above ID.
-  ///
-  santa_action_t FetchDecision(const kauth_cred_t cred,
-                               const vnode_t vp,
-                               const uint64_t vnode_id,
-                               const char *vnode_id_str);
+  /**
+    Fetches an execution decision for a file, first using the cache and then
+    by sending a message to the daemon and waiting until a response arrives.
+    If a daemon isn't connected, will allow execution and cache, logging
+    the path to the executed file.
 
-  ///
-  ///  Posts the requested message to the decision data queue.
-  ///
-  ///  @param message The message to send
-  ///  @return bool true if sending was successful.
-  ///
+    @param cred The credential for this request.
+    @param vp The Vnode for this request.
+    @param vnode_id The ID for this vnode.
+    @return santa_action_t The response for this request
+  */
+  santa_action_t FetchDecision(
+      const kauth_cred_t cred, const vnode_t vp, const uint64_t vnode_id);
+
+  /**
+    Posts the requested message to the decision data queue.
+
+    @param message The message to send
+    @return bool true if sending was successful.
+  */
   bool PostToDecisionQueue(santa_message_t *message);
 
-  ///
-  ///  Posts the requested message to the logging data queue.
-  ///
-  ///  @param message The message to send
-  ///  @return bool true if sending was successful.
-  ///
+  /**
+    Posts the requested message to the logging data queue.
+
+    @param message The message to send
+    @return bool true if sending was successful.
+  */
   bool PostToLogQueue(santa_message_t *message);
 
-  ///
-  ///  Fetches the vnode_id for a given vnode.
-  ///
-  ///  @param ctx The VFS context to use.
-  ///  @param vp The Vnode to get the ID for
-  ///  @return uint64_t The Vnode ID as a 64-bit unsigned int.
-  ///
-  static inline uint64_t GetVnodeIDForVnode(const vfs_context_t ctx,
-                                            const vnode_t vp) {
+  /**
+    Fetches the vnode_id for a given vnode.
+
+    @param ctx The VFS context to use.
+    @param vp The Vnode to get the ID for
+    @return uint64_t The Vnode ID as a 64-bit unsigned int.
+  */
+  static inline uint64_t GetVnodeIDForVnode(const vfs_context_t ctx, const vnode_t vp) {
     struct vnode_attr vap;
     VATTR_INIT(&vap);
     VATTR_WANTED(&vap, va_fsid);
@@ -220,21 +207,35 @@ class SantaDecisionManager : public OSObject {
     return (((uint64_t)vap.va_fsid << 32) | vap.va_fileid);
   }
 
-  ///
-  ///  Creates a new santa_message_t with some fields pre-filled.
-  ///
-  static inline santa_message_t *NewMessage() {
+  /**
+    Creates a new santa_message_t with some fields pre-filled.
+
+    @param credential The kauth_cred_t for this action, if available.
+           If nullptr, will get the credential for the current process.
+  */
+  static inline santa_message_t *NewMessage(kauth_cred_t credential) {
+    bool should_release = false;
+    if (credential == nullptr) {
+      credential = kauth_cred_get_with_ref();
+      should_release = true;
+    }
+
     auto message = new santa_message_t;
-    message->uid = kauth_getuid();
-    message->gid = kauth_getgid();
+    message->uid = kauth_cred_getuid(credential);
+    message->gid = kauth_cred_getgid(credential);
     message->pid = proc_selfpid();
     message->ppid = proc_selfppid();
+
+    if (should_release) {
+      kauth_cred_unref(&credential);
+    }
+
     return message;
   }
 
-  ///
-  ///  Returns the current system uptime in microseconds
-  ///
+  /**
+    Returns the current system uptime in microseconds
+  */
   static inline uint64_t GetCurrentUptime() {
     clock_sec_t sec;
     clock_usec_t usec;
@@ -243,22 +244,20 @@ class SantaDecisionManager : public OSObject {
   }
 
  private:
+  SantaCache<uint64_t> *decision_cache_;
+  SantaCache<uint64_t> *vnode_pid_map_;
+
   lck_grp_t *sdm_lock_grp_;
   lck_grp_attr_t *sdm_lock_grp_attr_;
-
   lck_attr_t *sdm_lock_attr_;
-  lck_rw_t *cached_decisions_lock_;
+
   lck_mtx_t *decision_dataqueue_lock_;
   lck_mtx_t *log_dataqueue_lock_;
-  lck_rw_t *vnode_pid_map_lock_;
-
-  OSDictionary *cached_decisions_;
-  OSDictionary *vnode_pid_map_;
 
   IOSharedDataQueue *decision_dataqueue_;
   IOSharedDataQueue *log_dataqueue_;
-  int32_t failed_decision_queue_requests_;
-  int32_t failed_log_queue_requests_;
+  uint32_t failed_decision_queue_requests_;
+  uint32_t failed_log_queue_requests_;
 
   int32_t listener_invocations_;
 
@@ -266,34 +265,48 @@ class SantaDecisionManager : public OSObject {
 
   kauth_listener_t vnode_listener_;
   kauth_listener_t fileop_listener_;
+
+  struct timespec ts_;
 };
 
-///
-///  The kauth callback function for the Vnode scope
-///  @param actor's credentials
-///  @param data that was passed when the listener was registered
-///  @param action that was requested
-///  @param VFS context
-///  @param Vnode being operated on
-///  @param Parent Vnode. May be nullptr.
-///  @param Pointer to an errno-style error.
-///
-extern "C" int vnode_scope_callback(
-    kauth_cred_t credential, void *idata, kauth_action_t action,
-    uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3);
+/**
+  The kauth callback function for the Vnode scope
 
-///
-///  The kauth callback function for the FileOp scope
-///  @param actor's credentials
-///  @param data that was passed when the listener was registered
-///  @param action that was requested
-///  @param depends on action, usually the vnode ref.
-///  @param depends on action.
-///  @param depends on action, usually 0.
-///  @param depends on action, usually 0.
-///
+  @param actor's credentials
+  @param data that was passed when the listener was registered
+  @param action that was requested
+  @param VFS context
+  @param Vnode being operated on
+  @param Parent Vnode. May be nullptr.
+  @param Pointer to an errno-style error.
+*/
+extern "C" int vnode_scope_callback(
+    kauth_cred_t credential,
+    void *idata,
+    kauth_action_t action,
+    uintptr_t arg0,
+    uintptr_t arg1,
+    uintptr_t arg2,
+    uintptr_t arg3);
+
+/**
+  The kauth callback function for the FileOp scope
+
+  @param actor's credentials
+  @param data that was passed when the listener was registered
+  @param action that was requested
+  @param depends on action, usually the vnode ref.
+  @param depends on action.
+  @param depends on action, usually 0.
+  @param depends on action, usually 0.
+*/
 extern "C" int fileop_scope_callback(
-    kauth_cred_t credential, void *idata, kauth_action_t action,
-    uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3);
+    kauth_cred_t credential,
+    void *idata,
+    kauth_action_t action,
+    uintptr_t arg0,
+    uintptr_t arg1,
+    uintptr_t arg2,
+    uintptr_t arg3);
 
 #endif  // SANTA__SANTA_DRIVER__SANTADECISIONMANAGER_H

Source/santa-driver/SantaDriverClient.cc

@@ -110,87 +110,74 @@ IOReturn SantaDriverClient::clientMemoryForType(
 
 #pragma mark Callable Methods
 
-IOReturn SantaDriverClient::open() {
-  if (isInactive()) return kIOReturnNotAttached;
+IOReturn SantaDriverClient::open(
+    OSObject *target,
+    void *reference,
+    IOExternalMethodArguments *arguments) {
+  SantaDriverClient *me = OSDynamicCast(SantaDriverClient, target);
+  if (!me) return kIOReturnBadArgument;
 
-  if (!myProvider->open(this)) {
+  if (me->isInactive()) return kIOReturnNotAttached;
+  if (!me->myProvider->open(me)) {
     LOGW("A second client tried to connect.");
     return kIOReturnExclusiveAccess;
   }
 
-  return kIOReturnSuccess;
-}
-
-IOReturn SantaDriverClient::static_open(
-    SantaDriverClient *target,
-    void *reference,
-    IOExternalMethodArguments *arguments) {
-  if (!target) return kIOReturnBadArgument;
-  return target->open();
-}
-
-IOReturn SantaDriverClient::allow_binary(const uint64_t vnode_id) {
-  char vnode_id_str[21];
-  snprintf(vnode_id_str, sizeof(vnode_id_str), "%llu", vnode_id);
-  decisionManager->AddToCache(vnode_id_str, ACTION_RESPOND_ALLOW);
+  LOGI("Client connected.");
 
   return kIOReturnSuccess;
 }
 
-IOReturn SantaDriverClient::static_allow_binary(
-    SantaDriverClient *target,
-    void *reference,
-    IOExternalMethodArguments *arguments) {
-  if (!target) return kIOReturnBadArgument;
-  if (arguments->scalarInput == nullptr) return kIOReturnBadArgument;
+IOReturn SantaDriverClient::allow_binary(
+    OSObject *target, void *reference, IOExternalMethodArguments *arguments) {
+  SantaDriverClient *me = OSDynamicCast(SantaDriverClient, target);
+  if (!me) return kIOReturnBadArgument;
 
-  return target->allow_binary(
-      static_cast<const uint64_t>(*arguments->scalarInput));
-}
-
-IOReturn SantaDriverClient::deny_binary(const uint64_t vnode_id) {
-  char vnode_id_str[21];
-  snprintf(vnode_id_str, sizeof(vnode_id_str), "%llu", vnode_id);
-  decisionManager->AddToCache(vnode_id_str, ACTION_RESPOND_DENY);
+  const uint64_t vnode_id = static_cast<const uint64_t>(*arguments->scalarInput);
+  me->decisionManager->AddToCache(vnode_id, ACTION_RESPOND_ALLOW);
 
   return kIOReturnSuccess;
 }
 
-IOReturn SantaDriverClient::static_deny_binary(
-    com_google_SantaDriverClient *target,
-    void *reference,
-    IOExternalMethodArguments *arguments) {
-  if (!target) return kIOReturnBadArgument;
-  if (arguments->scalarInput == nullptr) return kIOReturnBadArgument;
+IOReturn SantaDriverClient::deny_binary(
+    OSObject *target, void *reference, IOExternalMethodArguments *arguments) {
+  SantaDriverClient *me = OSDynamicCast(SantaDriverClient, target);
+  if (!me) return kIOReturnBadArgument;
 
-  return target->deny_binary(
-      static_cast<const uint64_t>(*arguments->scalarInput));
-}
+  const uint64_t vnode_id = static_cast<const uint64_t>(*arguments->scalarInput);
+  me->decisionManager->AddToCache(vnode_id, ACTION_RESPOND_DENY);
 
-IOReturn SantaDriverClient::clear_cache() {
-  decisionManager->ClearCache();
   return kIOReturnSuccess;
 }
 
-IOReturn SantaDriverClient::static_clear_cache(
-    com_google_SantaDriverClient *target,
-    void *reference,
-    IOExternalMethodArguments *arguments) {
-  if (!target) return kIOReturnBadArgument;
-  return target->clear_cache();
-}
+IOReturn SantaDriverClient::clear_cache(
+    OSObject *target, void *reference, IOExternalMethodArguments *arguments) {
+  SantaDriverClient *me = OSDynamicCast(SantaDriverClient, target);
+  if (!me) return kIOReturnBadArgument;
+
+  me->decisionManager->ClearCache();
 
-IOReturn SantaDriverClient::cache_count(uint64_t *output) {
-  *output = decisionManager->CacheCount();
   return kIOReturnSuccess;
 }
 
-IOReturn SantaDriverClient::static_cache_count(
-    com_google_SantaDriverClient *target,
-    void *reference,
-    IOExternalMethodArguments *arguments) {
-  if (!target) return kIOReturnBadArgument;
-  return target->cache_count(&(arguments->scalarOutput[0]));
+IOReturn SantaDriverClient::cache_count(
+    OSObject *target, void *reference, IOExternalMethodArguments *arguments) {
+  SantaDriverClient *me = OSDynamicCast(SantaDriverClient, target);
+  if (!me) return kIOReturnBadArgument;
+
+  arguments->scalarOutput[0] = me->decisionManager->CacheCount();
+  return kIOReturnSuccess;
+}
+
+IOReturn SantaDriverClient::check_cache(
+    OSObject *target, void *reference, IOExternalMethodArguments *arguments) {
+  SantaDriverClient *me = OSDynamicCast(SantaDriverClient, target);
+  if (!me) return kIOReturnBadArgument;
+
+  uint64_t input = *arguments->scalarInput;
+  arguments->scalarOutput[0] = me->decisionManager->GetFromCache(input);
+
+  return kIOReturnSuccess;
 }
 
 #pragma mark Method Resolution
@@ -203,60 +190,23 @@ IOReturn SantaDriverClient::externalMethod(
     void *reference) {
   ///  Array of methods callable by clients. The order of these must match the
   ///  order of the items in SantaDriverMethods in SNTKernelCommon.h
-  IOExternalMethodDispatch sMethods[kSantaUserClientNMethods] = {
-    {
-      reinterpret_cast<IOExternalMethodAction>(&SantaDriverClient::static_open),
-      0,  // input scalar
-      0,  // input struct
-      0,  // output scalar
-      0   // output struct
-    },
-    {
-      reinterpret_cast<IOExternalMethodAction>(
-          &SantaDriverClient::static_allow_binary),
-      1,
-      0,
-      0,
-      0
-    },
-    {
-      reinterpret_cast<IOExternalMethodAction>(
-          &SantaDriverClient::static_deny_binary),
-      1,
-      0,
-      0,
-      0
-    },
-    {
-      reinterpret_cast<IOExternalMethodAction>(
-          &SantaDriverClient::static_clear_cache),
-      0,
-      0,
-      0,
-      0
-    },
-    {
-      reinterpret_cast<IOExternalMethodAction>(
-          &SantaDriverClient::static_cache_count),
-      0,
-      0,
-      1,
-      0
-    }
+  static IOExternalMethodDispatch sMethods[kSantaUserClientNMethods] = {
+    // Function ptr, input scalar count, input struct size, output scalar count, output struct size
+    { &SantaDriverClient::open, 0, 0, 0, 0 },
+    { &SantaDriverClient::allow_binary, 1, 0, 0, 0 },
+    { &SantaDriverClient::deny_binary, 1, 0, 0, 0 },
+    { &SantaDriverClient::clear_cache, 0, 0, 0, 0 },
+    { &SantaDriverClient::cache_count, 0, 0, 1, 0 },
+    { &SantaDriverClient::check_cache, 1, 0, 1, 0 }
   };
 
-  if (selector < static_cast<UInt32>(kSantaUserClientNMethods)) {
-    dispatch = &(sMethods[selector]);
-    if (!target) target = this;
-  } else {
+  if (selector > static_cast<UInt32>(kSantaUserClientNMethods)) {
     return kIOReturnBadArgument;
   }
 
-  return super::externalMethod(selector,
-                               arguments,
-                               dispatch,
-                               target,
-                               reference);
+  dispatch = &(sMethods[selector]);
+  if (!target) target = this;
+  return super::externalMethod(selector, arguments, dispatch, target, reference);
 }
 
 #undef super

Source/santa-driver/SantaDriverClient.h

@@ -72,44 +72,33 @@ class com_google_SantaDriverClient : public IOUserClient {
 
   ///
   ///  The userpsace callable methods are below. Each method corresponds
-  ///  to an entry in SantaDriverMethods. Each method has a static version
-  ///  which just calls the method on the provided target.
+  ///  to an entry in SantaDriverMethods.
   ///
 
   ///  Called during client connection.
-  IOReturn open();
-  static IOReturn static_open(
-      com_google_SantaDriverClient *target,
-      void *reference,
-      IOExternalMethodArguments *arguments);
+  static IOReturn open(
+      OSObject *target, void *reference, IOExternalMethodArguments *arguments);
 
   ///  The daemon calls this to allow a binary.
-  IOReturn allow_binary(uint64_t vnode_id);
-  static IOReturn static_allow_binary(
-      com_google_SantaDriverClient *target,
-      void *reference,
-      IOExternalMethodArguments *arguments);
+  static IOReturn allow_binary(
+      OSObject *target, void *reference,IOExternalMethodArguments *arguments);
 
   ///  The daemon calls this to deny a binary.
-  IOReturn deny_binary(uint64_t vnode_id);
-  static IOReturn static_deny_binary(
-      com_google_SantaDriverClient *target,
-      void *reference,
-      IOExternalMethodArguments *arguments);
+  static IOReturn deny_binary(
+      OSObject *target, void *reference, IOExternalMethodArguments *arguments);
 
   ///  The daemon calls this to empty the cache.
-  IOReturn clear_cache();
-  static IOReturn static_clear_cache(
-      com_google_SantaDriverClient *target,
-      void *reference,
-      IOExternalMethodArguments *arguments);
+  static IOReturn clear_cache(
+      OSObject *target, void *reference, IOExternalMethodArguments *arguments);
 
   ///  The daemon calls this to find out how many items are in the cache
-  IOReturn cache_count(uint64_t *output);
-  static IOReturn static_cache_count(
-      com_google_SantaDriverClient *target,
-      void *reference,
-      IOExternalMethodArguments *arguments);
+  static IOReturn cache_count(
+      OSObject *target, void *reference, IOExternalMethodArguments *arguments);
+
+  ///  The daemon calls this to find out the status of a vnode_id in the cache.
+  ///  Output will be a santa_action_t.
+  static IOReturn check_cache(
+      OSObject *target, void *reference, IOExternalMethodArguments *arguments);
 
  private:
   com_google_SantaDriver *myProvider;

Source/santactl/Commands/SNTCommandCheckCache.m

@@ -0,0 +1,71 @@
+/// Copyright 2016 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTCommandController.h"
+
+#import "SNTLogging.h"
+#import "SNTXPCConnection.h"
+#import "SNTXPCControlInterface.h"
+
+#include <sys/stat.h>
+
+@interface SNTCommandCheckCache : NSObject<SNTCommand>
+@end
+
+@implementation SNTCommandCheckCache
+
+#ifdef DEBUG
+REGISTER_COMMAND_NAME(@"checkcache")
+#endif
+
++ (BOOL)requiresRoot {
+  return NO;
+}
+
++ (BOOL)requiresDaemonConn {
+  return YES;
+}
+
++ (NSString *)shortHelpText {
+  return @"Prints the status of a file in the kernel cache.";
+}
+
++ (NSString *)longHelpText {
+  return (@"Checks the in-kernel cache for desired file.\n"
+          @"Returns 0 if successful, 1 otherwise");
+}
+
++ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
+  uint64_t vnodeID = [self vnodeIDForFile:arguments.firstObject];
+  [[daemonConn remoteObjectProxy] checkCacheForVnodeID:vnodeID withReply:^(santa_action_t action) {
+    if (action == ACTION_RESPOND_ALLOW) {
+      LOGI(@"File exists in [whitelist] kernel cache");
+      exit(0);
+    } else if (action == ACTION_RESPOND_DENY) {
+      LOGI(@"File exists in [blacklist] kernel cache");
+      exit(0);
+    } else if (action == ACTION_UNSET) {
+      LOGE(@"File does not exist in cache");
+      exit(1);
+    }
+  }];
+}
+
++ (uint64_t)vnodeIDForFile:(NSString *)path {
+  struct stat fstat = {};
+  stat(path.fileSystemRepresentation, &fstat);
+  return (((uint64_t)fstat.st_dev << 32) | fstat.st_ino);
+}
+
+@end

Source/santactl/Commands/SNTCommandFileInfo.m

@@ -0,0 +1,629 @@
+/// Copyright 2015 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTCommandController.h"
+
+#import <MOLCertificate/MOLCertificate.h>
+#import <MOLCodesignChecker/MOLCodesignChecker.h>
+
+#import "SNTCachedDecision.h"
+#import "SNTFileInfo.h"
+#import "SNTLogging.h"
+#import "SNTRule.h"
+#import "SNTXPCConnection.h"
+#import "SNTXPCControlInterface.h"
+
+// file info keys
+static NSString *const kPath = @"Path";
+static NSString *const kBundleName = @"Bundle Name";
+static NSString *const kBundleVersion = @"Bundle Version";
+static NSString *const kBundleVersionStr = @"Bundle Version Str";
+static NSString *const kDownloadReferrerURL = @"Download Referrer URL";
+static NSString *const kDownloadURL = @"Download URL";
+static NSString *const kDownloadTimestamp = @"Download Timestamp";
+static NSString *const kDownloadAgent = @"Download Agent";
+static NSString *const kType = @"Type";
+static NSString *const kPageZero = @"Page Zero";
+static NSString *const kCodeSigned = @"Code-signed";
+static NSString *const kRule = @"Rule";
+static NSString *const kSigningChain = @"Signing Chain";
+
+// signing chain keys
+static NSString *const kCommonName = @"Common Name";
+static NSString *const kOrganization = @"Organization";
+static NSString *const kOrganizationalUnit = @"Organizational Unit";
+static NSString *const kValidFrom = @"Valid From";
+static NSString *const kValidUntil = @"Valid Until";
+
+// shared file info & signing chain keys
+static NSString *const kSHA256 = @"SHA-256";
+static NSString *const kSHA1 = @"SHA-1";
+
+// global json output flag
+static BOOL json = NO;
+
+BOOL PrettyOutput() {
+  static int tty = 0;
+  static dispatch_once_t onceToken;
+  dispatch_once(&onceToken, ^{
+    tty = isatty(STDOUT_FILENO);
+  });
+  return (tty && !json);
+}
+
+#pragma mark SNTCommandFileInfo
+
+@interface SNTCommandFileInfo : NSObject<SNTCommand>
+
+@property(nonatomic) SNTXPCConnection *daemonConn;
+@property(nonatomic) SNTFileInfo *fileInfo;
+@property(nonatomic) MOLCodesignChecker *csc;
+
+// file path used for object initialization
+@property(readonly, nonatomic) NSString *filePath;
+
+// Block type to be used with propertyMap values
+typedef id (^SNTAttributeBlock)(SNTCommandFileInfo *);
+
+// on read generated properties
+@property(readonly, copy, nonatomic) SNTAttributeBlock path;
+@property(readonly, copy, nonatomic) SNTAttributeBlock sha256;
+@property(readonly, copy, nonatomic) SNTAttributeBlock sha1;
+@property(readonly, copy, nonatomic) SNTAttributeBlock bundleName;
+@property(readonly, copy, nonatomic) SNTAttributeBlock bundleVersion;
+@property(readonly, copy, nonatomic) SNTAttributeBlock bundleShortVersionString;
+@property(readonly, copy, nonatomic) SNTAttributeBlock downloadReferrerURL;
+@property(readonly, copy, nonatomic) SNTAttributeBlock downloadURL;
+@property(readonly, copy, nonatomic) SNTAttributeBlock downloadTimestamp;
+@property(readonly, copy, nonatomic) SNTAttributeBlock downloadAgent;
+@property(readonly, copy, nonatomic) SNTAttributeBlock type;
+@property(readonly, copy, nonatomic) SNTAttributeBlock pageZero;
+@property(readonly, copy, nonatomic) SNTAttributeBlock codeSigned;
+@property(readonly, copy, nonatomic) SNTAttributeBlock rule;
+@property(readonly, copy, nonatomic) SNTAttributeBlock signingChain;
+
+// Mapping between property string keys and SNTAttributeBlocks
+@property(nonatomic) NSMutableDictionary<NSString *, SNTAttributeBlock> *propertyMap;
+
+// Common Date Formatter
+@property(nonatomic) NSDateFormatter *dateFormatter;
+
+// Block Helpers
+- (NSString *)humanReadableFileType:(SNTFileInfo *)fi;
+
+@end
+
+@implementation SNTCommandFileInfo
+
+REGISTER_COMMAND_NAME(@"fileinfo")
+
+- (instancetype)initWithFilePath:(NSString *)filePath
+                daemonConnection:(SNTXPCConnection *)daemonConn {
+  self = [super init];
+  if (self) {
+    _filePath = filePath;
+    _daemonConn = daemonConn;
+    _dateFormatter = [[NSDateFormatter alloc] init];
+    _dateFormatter.dateFormat = @"yyyy/MM/dd HH:mm:ss Z";
+    _propertyMap = @{ kPath : self.path,
+                      kSHA256 : self.sha256,
+                      kSHA1 : self.sha1,
+                      kBundleName : self.bundleName,
+                      kBundleVersion : self.bundleVersion,
+                      kBundleVersionStr : self.bundleVersionStr,
+                      kDownloadReferrerURL : self.downloadReferrerURL,
+                      kDownloadURL : self.downloadURL,
+                      kDownloadTimestamp : self.downloadTimestamp,
+                      kDownloadAgent : self.downloadAgent,
+                      kType : self.type,
+                      kPageZero : self.pageZero,
+                      kCodeSigned : self.codeSigned,
+                      kRule : self.rule,
+                      kSigningChain : self.signingChain }.mutableCopy;
+  }
+  return self;
+}
+
+#pragma mark property getters
+
+- (SNTFileInfo *)fileInfo {
+  if (!_fileInfo) {
+    _fileInfo = [[SNTFileInfo alloc] initWithPath:self.filePath];
+    if (!_fileInfo) {
+      fprintf(stderr, "\rInvalid or empty file: %s\n", self.filePath.UTF8String);
+    }
+  }
+  return _fileInfo;
+}
+
+- (SNTAttributeBlock)path {
+  return ^id (SNTCommandFileInfo *fi) {
+    return fi.fileInfo.path;
+  };
+}
+
+- (SNTAttributeBlock)sha256 {
+  return ^id (SNTCommandFileInfo *fi) {
+    return fi.fileInfo.SHA256;
+  };
+}
+
+- (SNTAttributeBlock)sha1 {
+  return ^id (SNTCommandFileInfo *fi) {
+    return fi.fileInfo.SHA1;
+  };
+}
+
+- (SNTAttributeBlock)bundleName {
+  return ^id (SNTCommandFileInfo *fi) {
+    return fi.fileInfo.bundleName;
+  };
+}
+
+- (SNTAttributeBlock)bundleVersion {
+  return ^id (SNTCommandFileInfo *fi) {
+    return fi.fileInfo.bundleVersion;
+  };
+}
+
+- (SNTAttributeBlock)bundleVersionStr {
+  return ^id (SNTCommandFileInfo *fi) {
+    return fi.fileInfo.bundleShortVersionString;
+  };
+}
+
+- (SNTAttributeBlock)downloadReferrerURL {
+  return ^id (SNTCommandFileInfo *fi) {
+    return fi.fileInfo.quarantineRefererURL;
+  };
+}
+
+- (SNTAttributeBlock)downloadURL {
+  return ^id (SNTCommandFileInfo *fi) {
+    return fi.fileInfo.quarantineDataURL;
+  };
+}
+
+- (SNTAttributeBlock)downloadTimestamp {
+  return ^id (SNTCommandFileInfo *fi) {
+    return [fi.dateFormatter stringFromDate:fi.fileInfo.quarantineTimestamp];
+  };
+}
+
+- (SNTAttributeBlock)downloadAgent {
+  return ^id (SNTCommandFileInfo *fi) {
+    return fi.fileInfo.quarantineAgentBundleID;
+  };
+}
+
+- (SNTAttributeBlock)type {
+  return ^id (SNTCommandFileInfo *fi) {
+    NSArray *archs = [fi.fileInfo architectures];
+    if (archs.count == 0) {
+      return [fi humanReadableFileType:fi.fileInfo];
+    }
+    return [NSString stringWithFormat:@"%@ (%@)",
+               [fi humanReadableFileType:fi.fileInfo], [archs componentsJoinedByString:@", "]];
+  };
+}
+
+- (SNTAttributeBlock)pageZero {
+  return ^id (SNTCommandFileInfo *fi) {
+    if ([fi.fileInfo isMissingPageZero]) {
+      return @"__PAGEZERO segment missing/bad!";
+    }
+    return nil;
+  };
+}
+
+- (SNTAttributeBlock)codeSigned {
+  return ^id (SNTCommandFileInfo *fi) {
+    NSError *error;
+    fi.csc = [[MOLCodesignChecker alloc] initWithBinaryPath:fi.filePath error:&error];
+    if (error) {
+      switch (error.code) {
+        case errSecCSUnsigned:
+          return @"No";
+        case errSecCSSignatureFailed:
+        case errSecCSStaticCodeChanged:
+        case errSecCSSignatureNotVerifiable:
+        case errSecCSSignatureUnsupported:
+          return @"Yes, but code/signature changed/unverifiable";
+        case errSecCSResourceDirectoryFailed:
+        case errSecCSResourceNotSupported:
+        case errSecCSResourceRulesInvalid:
+        case errSecCSResourcesInvalid:
+        case errSecCSResourcesNotFound:
+        case errSecCSResourcesNotSealed:
+          return @"Yes, but resources invalid";
+        case errSecCSReqFailed:
+        case errSecCSReqInvalid:
+        case errSecCSReqUnsupported:
+          return @"Yes, but failed requirement validation";
+        case errSecCSInfoPlistFailed:
+          return @"Yes, but can't validate as Info.plist is missing";
+        default: {
+          return [NSString stringWithFormat:@"Yes, but failed to validate (%ld)", error.code];
+        }
+      }
+    } else if (fi.csc.signatureFlags & kSecCodeSignatureAdhoc) {
+      return @"Yes, but ad-hoc";
+    } else {
+      return @"Yes";
+    }
+  };
+}
+
+- (SNTAttributeBlock)rule {
+  return ^id (SNTCommandFileInfo *fi) {
+    __block SNTEventState s;
+    static dispatch_once_t onceToken;
+    dispatch_once(&onceToken, ^{
+      [fi.daemonConn resume];
+    });
+    dispatch_semaphore_t sema = dispatch_semaphore_create(0);
+    if (!fi.csc) {
+      NSError *error;
+      fi.csc = [[MOLCodesignChecker alloc] initWithBinaryPath:fi.path(fi) error:&error];
+    }
+    [[fi.daemonConn remoteObjectProxy] decisionForFilePath:fi.path(fi)
+                                                fileSHA256:fi.propertyMap[kSHA256](fi)
+                                        signingCertificate:fi.csc.leafCertificate
+                                                     reply:^(SNTEventState state) {
+      if (state) s = state;
+      dispatch_semaphore_signal(sema);
+    }];
+    if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC))) {
+      return @"Cannot communicate with daemon";
+    } else {
+      NSMutableString *output =
+          (SNTEventStateAllow & s) ? @"Whitelisted".mutableCopy : @"Blacklisted".mutableCopy;
+      switch (s) {
+        case SNTEventStateAllowUnknown:
+        case SNTEventStateBlockUnknown:
+          [output appendString:@" (Unknown)"];
+          break;
+        case SNTEventStateAllowBinary:
+        case SNTEventStateBlockBinary:
+          [output appendString:@" (Binary)"];
+          break;
+        case SNTEventStateAllowCertificate:
+        case SNTEventStateBlockCertificate:
+          [output appendString:@" (Certificate)"];
+          break;
+        case SNTEventStateAllowScope:
+        case SNTEventStateBlockScope:
+          [output appendString:@" (Scope)"];
+          break;
+        default:
+          output = @"None".mutableCopy;
+          break;
+      }
+      if (PrettyOutput()) {
+        if ((SNTEventStateAllow & s)) {
+          [output insertString:@"\033[32m" atIndex:0];
+          [output appendString:@"\033[0m"];
+        } else if ((SNTEventStateBlock & s)) {
+          [output insertString:@"\033[31m" atIndex:0];
+          [output appendString:@"\033[0m"];
+        } else {
+          [output insertString:@"\033[33m" atIndex:0];
+          [output appendString:@"\033[0m"];
+        }
+      }
+      return output.copy;
+    }
+  };
+}
+
+- (SNTAttributeBlock)signingChain {
+  return ^id (SNTCommandFileInfo *fi) {
+    if (!fi.csc) {
+      NSError *error;
+      fi.csc = [[MOLCodesignChecker alloc] initWithBinaryPath:fi.filePath error:&error];
+    }
+    if (fi.csc.certificates.count) {
+      NSMutableArray *certs = [[NSMutableArray alloc] initWithCapacity:fi.csc.certificates.count];
+      [fi.csc.certificates enumerateObjectsUsingBlock:^(MOLCertificate *c, unsigned long idx,
+                                                        BOOL *stop) {
+        [certs addObject:@{ kSHA256 : c.SHA256 ?: @"null",
+                            kSHA1 : c.SHA1 ?: @"null",
+                            kCommonName : c.commonName ?: @"null",
+                            kOrganization : c.orgName ?: @"null",
+                            kOrganizationalUnit : c.orgUnit ?: @"null",
+                            kValidFrom : [fi.dateFormatter stringFromDate:c.validFrom] ?: @"null",
+                            kValidUntil : [fi.dateFormatter stringFromDate:c.validUntil]
+                                ?: @"null"
+                          }];
+      }];
+      return certs;
+    }
+    return nil;
+  };
+}
+
+- (NSString *)humanReadableFileType:(SNTFileInfo *)fi {
+  if ([fi isScript]) return @"Script";
+  if ([fi isExecutable]) return @"Executable";
+  if ([fi isDylib]) return @"Dynamic Library";
+  if ([fi isBundle]) return @"Bundle/Plugin";
+  if ([fi isKext]) return @"Kernel Extension";
+  if ([fi isXARArchive]) return @"XAR Archive";
+  if ([fi isDMG]) return @"Disk Image";
+  return @"Unknown";
+}
+
+#pragma mark SNTCommand protocol methods
+
++ (BOOL)requiresRoot {
+  return NO;
+}
+
++ (BOOL)requiresDaemonConn {
+  return NO;
+}
+
++ (NSString *)shortHelpText {
+  return @"Prints information about a file.";
+}
+
++ (NSString *)longHelpText {
+  return [NSString stringWithFormat:
+             @"The details provided will be the same ones Santa uses to make a decision\n"
+             @"about executables. This includes SHA-256, SHA-1, code signing information and\n"
+             @"the type of file."
+             @"\n"
+             @"Usage: santactl fileinfo [options] [file-paths]\n"
+             @"    --json: output in json format\n"
+             @"    --key: search and return this one piece of information\n"
+             @"           valid Keys:\n"
+             @"%@\n"
+             @"           valid keys when using --cert-index:\n"
+             @"%@\n"
+             @"    --cert-index: an integer corresponding to a certificate of the signing chain\n"
+             @"                  1 for the leaf certificate\n"
+             @"                  -1 for the root certificate\n"
+             @"                  2 and up for the intermediates / root\n"
+             @"\n"
+             @"Examples: santactl fileinfo --cert-index 1 --key SHA-256 --json /usr/bin/yes\n"
+             @"          santactl fileinfo --key SHA-256 --json /usr/bin/yes\n"
+             @"          santactl fileinfo /usr/bin/yes /bin/*\n",
+             [self printKeyArray:[self fileInfoKeys]],
+             [self printKeyArray:[self signingChainKeys]]];
+}
+
++ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
+  if (!arguments.count) [self printErrorUsageAndExit:@"No arguments"];
+
+  NSString *key;
+  NSNumber *certIndex;
+  NSArray *filePaths;
+
+  [self parseArguments:arguments
+                forKey:&key
+             certIndex:&certIndex
+            jsonOutput:&json
+             filePaths:&filePaths];
+
+  // Only access outputHashes from the outputHashesQueue
+  __block NSMutableArray *outputHashes = [[NSMutableArray alloc] initWithCapacity:filePaths.count];
+  dispatch_group_t outputHashesGroup = dispatch_group_create();
+  dispatch_queue_t outputHashesQueue =
+      dispatch_queue_create("com.google.santa.outputhashes", DISPATCH_QUEUE_SERIAL);
+
+  __block NSOperationQueue *hashQueue = [[NSOperationQueue alloc] init];
+  hashQueue.maxConcurrentOperationCount = 15;
+
+  __block NSUInteger hashed = 0;
+
+  [filePaths enumerateObjectsUsingBlock:^(id obj, NSUInteger idx, BOOL *stop) {
+    NSBlockOperation *hashOperation = [NSBlockOperation blockOperationWithBlock:^{
+      if (PrettyOutput()) printf("\rCalculating %lu/%lu", ++hashed, filePaths.count);
+
+      SNTCommandFileInfo *fi = [[self alloc] initWithFilePath:obj daemonConnection:daemonConn];
+      if (!fi.fileInfo) return;
+
+      __block NSMutableDictionary *outputHash = [[NSMutableDictionary alloc] init];
+
+      if (key && !certIndex) {
+        SNTAttributeBlock block = fi.propertyMap[key];
+        outputHash[key] = block(fi);
+      } else if (certIndex) {
+        NSArray *signingChain = fi.signingChain(fi);
+        if (key) {
+          if ([certIndex isEqual:@(-1)]) {
+            outputHash[key] = signingChain.lastObject[key];
+          } else {
+            if (certIndex.unsignedIntegerValue - 1 < signingChain.count) {
+              outputHash[key] = signingChain[certIndex.unsignedIntegerValue - 1][key];
+            }
+          }
+        } else {
+          if ([certIndex isEqual:@(-1)]) {
+            outputHash[kSigningChain] = @[ signingChain.lastObject ?: @{} ];
+          } else {
+            NSMutableArray *indexedCert = [NSMutableArray arrayWithCapacity:signingChain.count];
+            [signingChain enumerateObjectsUsingBlock:^(id obj, NSUInteger idx, BOOL *stop) {
+              if (certIndex.unsignedIntegerValue - 1 == idx) {
+                [indexedCert addObject:obj];
+              } else {
+                [indexedCert addObject:[NSNull null]];
+              }
+            }];
+            if (indexedCert.count) outputHash[kSigningChain] = indexedCert;
+          }
+        }
+      } else {
+        NSString *sha1, *sha256;
+        [fi.fileInfo hashSHA1:&sha1 SHA256:&sha256];
+        fi.propertyMap[kSHA1] = ^id (SNTCommandFileInfo *fi) { return sha1; };
+        fi.propertyMap[kSHA256] = ^id (SNTCommandFileInfo *fi) { return sha256; };
+        [fi.propertyMap enumerateKeysAndObjectsUsingBlock:^(id key, id obj, BOOL *stop) {
+          SNTAttributeBlock block = obj;
+          outputHash[key] = block(fi);
+        }];
+      }
+      if (outputHash.count) {
+        dispatch_group_async(outputHashesGroup, outputHashesQueue, ^{
+          [outputHashes addObject:outputHash];
+        });
+      }
+    }];
+    
+    hashOperation.qualityOfService = NSQualityOfServiceUserInitiated;
+    [hashQueue addOperation:hashOperation];
+  }];
+
+  // Wait for all the calculating threads to finish
+  [hashQueue waitUntilAllOperationsAreFinished];
+
+  // Clear the "Calculating ..." indicator if present
+  if (PrettyOutput()) printf("\33[2K\r");
+
+  // Wait for all the writes to the outputHashes to finish
+  dispatch_group_wait(outputHashesGroup, DISPATCH_TIME_FOREVER);
+
+  if (outputHashes.count) [self printOutputHashes:outputHashes];
+  exit(0);
+}
+
+#pragma mark FileInfo helper methods
+
++ (NSArray *)fileInfoKeys {
+  return @[ kPath, kSHA256, kSHA1, kBundleName, kBundleVersion, kBundleVersionStr,
+            kDownloadReferrerURL, kDownloadURL, kDownloadTimestamp, kDownloadAgent,
+            kType, kPageZero, kCodeSigned, kRule, kSigningChain ];
+}
+
++ (NSArray *)signingChainKeys {
+  return @[ kSHA256, kSHA1, kCommonName, kOrganization, kOrganizationalUnit, kValidFrom,
+            kValidUntil ];
+}
+
++ (NSString *)printKeyArray:(NSArray *)array {
+  __block NSMutableString *string = [[NSMutableString alloc] init];
+  [array enumerateObjectsUsingBlock:^(id obj, NSUInteger idx, BOOL *stop) {
+    [string appendString:[NSString stringWithFormat:@"                       \"%@\"\n", obj]];
+  }];
+  return string;
+}
+
++ (void)printErrorUsageAndExit:(NSString *)error {
+  printf("%s\n\n", [error UTF8String]);
+  printf("%s\n", [[self longHelpText] UTF8String]);
+  exit(1);
+}
+
++ (void)parseArguments:(NSArray *)args
+                forKey:(NSString **)key
+             certIndex:(NSNumber **)certIndex
+            jsonOutput:(BOOL *)jsonOutput
+             filePaths:(NSArray **)filePaths {
+  __block NSMutableArray *paths = [[NSMutableArray alloc] init];
+  [args enumerateObjectsUsingBlock:^(NSString *obj, NSUInteger idx, BOOL *stop) {
+    if ([obj caseInsensitiveCompare:@"--json"] == NSOrderedSame) {
+      *jsonOutput = YES;
+    } else if ([obj caseInsensitiveCompare:@"--cert-index"] == NSOrderedSame) {
+      if (++idx > args.count - 1 || [args[idx] hasPrefix:@"--"]) {
+        [self printErrorUsageAndExit:@"\n--cert-index requires an argument"];
+      }
+      *certIndex = @([args[idx] integerValue]);
+    } else if ([obj caseInsensitiveCompare:@"--key"] == NSOrderedSame) {
+      if (++idx > args.count - 1 || [args[idx] hasPrefix:@"--"]) {
+        [self printErrorUsageAndExit:@"\n--key requires an argument"];
+      }
+      *key = args[idx];
+    } else if ([@([obj integerValue]) isEqual:*certIndex] || [obj isEqual:*key]) {
+      return;
+    } else {
+      [paths addObject:args[idx]];
+    }
+  }];
+  if (*key && !*certIndex && ![self.fileInfoKeys containsObject:*key]) {
+    [self printErrorUsageAndExit:
+        [NSString stringWithFormat:@"\n\"%@\" is an invalid key", *key]];
+  } else if (*key && *certIndex && ![self.signingChainKeys containsObject:*key]) {
+    [self printErrorUsageAndExit:
+        [NSString stringWithFormat:@"\n\"%@\" is an invalid key when using --cert-index", *key]];
+  } else if ([@(0) isEqual:*certIndex]) {
+    [self printErrorUsageAndExit:@"\n0 is an invalid --cert-index\n  --cert-index is 1 indexed"];
+  }
+  if (!paths.count) [self printErrorUsageAndExit:@"\nat least one file-path is needed"];
+  *filePaths = paths.copy;
+}
+
++ (void)printOutputHashes:(NSArray *)outputHashes {
+  if (json) {
+    id object = (outputHashes.count > 1) ? outputHashes : outputHashes.firstObject;
+    if (!object) return;
+    NSData *jsonData = [NSJSONSerialization dataWithJSONObject:object
+                                                       options:NSJSONWritingPrettyPrinted
+                                                         error:NULL];
+    printf("%s\n", [[NSString alloc] initWithData:jsonData
+                                         encoding:NSUTF8StringEncoding].UTF8String);
+    return;
+  }
+
+  [outputHashes enumerateObjectsUsingBlock:^(id outputHash, NSUInteger idx, BOOL *stop) {
+    if ([outputHash count] == 1) {
+      return [self printValueFromOutputHash:outputHash];
+    }
+    [self.fileInfoKeys enumerateObjectsUsingBlock:^(id key, NSUInteger idx, BOOL *stop) {
+      [self printValueForKey:key fromOutputHash:outputHash];
+    }];
+    printf("\n");
+  }];
+}
+
++ (void)printValueForKey:(NSString *)key fromOutputHash:(NSDictionary *)outputHash {
+  id value = outputHash[key];
+  if (!value) return;
+  if ([key isEqualToString:kSigningChain]) {
+    return [self printSigningChain:value];
+  }
+  printf("%-21s: %s\n", [key UTF8String], [value UTF8String]);
+}
+
++ (void)printValueFromOutputHash:(NSDictionary *)outputHash {
+  if ([[[outputHash allKeys] firstObject] isEqualToString:kSigningChain]) {
+    return [self printSigningChain:[[outputHash allValues] firstObject]];
+  }
+  printf("%s\n", [[[outputHash allValues] firstObject] UTF8String]);
+}
+
++ (void)printSigningChain:(NSArray *)signingChain {
+  if (!signingChain) return;
+  printf("%s:\n", kSigningChain.UTF8String);
+  __block int i = 0;
+  [signingChain enumerateObjectsUsingBlock:^(id obj, NSUInteger idx, BOOL *stop) {
+    if ([obj isEqual:[NSNull null]]) return;
+    if (i++) printf("\n");
+    printf("    %2lu. %-20s: %s\n", idx + 1, kSHA256.UTF8String,
+        ((NSString *)obj[kSHA256]).UTF8String);
+    printf("        %-20s: %s\n", kSHA1.UTF8String,
+        ((NSString *)obj[kSHA1]).UTF8String);
+    printf("        %-20s: %s\n", kCommonName.UTF8String,
+        ((NSString *)obj[kCommonName]).UTF8String);
+    printf("        %-20s: %s\n", kOrganization.UTF8String,
+        ((NSString *)obj[kOrganization]).UTF8String);
+    printf("        %-20s: %s\n", kOrganizationalUnit.UTF8String,
+        ((NSString *)obj[kOrganizationalUnit]).UTF8String);
+    printf("        %-20s: %s\n", kValidFrom.UTF8String,
+        ((NSString *)obj[kValidFrom]).UTF8String);
+    printf("        %-20s: %s\n", kValidUntil.UTF8String,
+        ((NSString *)obj[kValidUntil]).UTF8String);
+  }];
+}
+
+@end

Source/santactl/Commands/SNTCommandFlushCache.m

@@ -23,7 +23,9 @@
 
 @implementation SNTCommandFlushCache
 
+#ifdef DEBUG
 REGISTER_COMMAND_NAME(@"flushcache")
+#endif
 
 + (BOOL)requiresRoot {
   return YES;

Source/santactl/Commands/SNTCommandRule.m

@@ -121,6 +121,10 @@ REGISTER_COMMAND_NAME(@"rule")
 
   if (path) {
     SNTFileInfo *fi = [[SNTFileInfo alloc] initWithPath:path];
+    if (!fi.path) {
+      [self printErrorUsageAndExit:@"Provided path was not a plain file"];
+    }
+
     if (newRule.type == SNTRuleTypeBinary) {
       newRule.shasum = fi.SHA256;
     } else if (newRule.type == SNTRuleTypeCertificate) {

Source/santactl/Commands/SNTCommandStatus.m

@@ -102,9 +102,18 @@ REGISTER_COMMAND_NAME(@"status")
   NSString *syncURLStr = [[[SNTConfigurator configurator] syncBaseURL] absoluteString];
   NSDateFormatter *dateFormatter = [[NSDateFormatter alloc] init];
   dateFormatter.dateFormat = @"yyyy/MM/dd HH:mm:ss Z";
-  NSDate *lastSyncSuccess = [[SNTConfigurator configurator] syncLastSuccess];
+  NSDate *lastSyncSuccess = [[SNTConfigurator configurator] fullSyncLastSuccess];
   NSString *lastSyncSuccessStr = [dateFormatter stringFromDate:lastSyncSuccess] ?: @"Never";
+  NSDate *lastRuleSyncSuccess = [[SNTConfigurator configurator] ruleSyncLastSuccess];
+  NSString *lastRuleSyncSuccessStr =
+      [dateFormatter stringFromDate:lastRuleSyncSuccess] ?: lastSyncSuccessStr;
   BOOL syncCleanReqd = [[SNTConfigurator configurator] syncCleanRequired];
+  __block BOOL pushNotifications;
+  dispatch_group_enter(group);
+  [[daemonConn remoteObjectProxy] pushNotifications:^(BOOL response) {
+    pushNotifications = response;
+    dispatch_group_leave(group);
+  }];
 
   // Wait a maximum of 5s for stats collected from daemon to arrive.
   if (dispatch_group_wait(group, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 5))) {
@@ -114,7 +123,7 @@ REGISTER_COMMAND_NAME(@"status")
   if ([arguments containsObject:@"--json"]) {
     NSDictionary *stats = @{
       @"daemon" : @{
-        @"mode" : clientMode,
+        @"mode" : clientMode ?: @"null",
         @"file_logging" : @(fileLogging),
         @"watchdog_cpu_events" : @(cpuEvents),
         @"watchdog_ram_events" : @(ramEvents),
@@ -130,9 +139,11 @@ REGISTER_COMMAND_NAME(@"status")
         @"events_pending_upload" : @(eventCount),
       },
       @"sync" : @{
-        @"server" : syncURLStr,
+        @"server" : syncURLStr ?: @"null",
         @"clean_required" : @(syncCleanReqd),
-        @"last_successful" : lastSyncSuccessStr
+        @"last_successful_full" : lastSyncSuccessStr ?: @"null",
+        @"last_successful_rule" : lastRuleSyncSuccessStr ?: @"null",
+        @"push_notifications" : pushNotifications ? @"Connected" : @"Disconnected"
       },
     };
     NSData *statsData = [NSJSONSerialization dataWithJSONObject:stats
@@ -142,22 +153,25 @@ REGISTER_COMMAND_NAME(@"status")
     printf("%s\n", [statsStr UTF8String]);
   } else {
     printf(">>> Daemon Info\n");
-    printf("  %-22s | %s\n", "Mode", [clientMode UTF8String]);
-    printf("  %-22s | %s\n", "File Logging", (fileLogging ? "Yes" : "No"));
-    printf("  %-22s | %lld  (Peak: %.2f%%)\n", "Watchdog CPU Events", cpuEvents, cpuPeak);
-    printf("  %-22s | %lld  (Peak: %.2fMB)\n", "Watchdog RAM Events", ramEvents, ramPeak);
+    printf("  %-25s | %s\n", "Mode", [clientMode UTF8String]);
+    printf("  %-25s | %s\n", "File Logging", (fileLogging ? "Yes" : "No"));
+    printf("  %-25s | %lld  (Peak: %.2f%%)\n", "Watchdog CPU Events", cpuEvents, cpuPeak);
+    printf("  %-25s | %lld  (Peak: %.2fMB)\n", "Watchdog RAM Events", ramEvents, ramPeak);
     printf(">>> Kernel Info\n");
-    printf("  %-22s | %lld\n", "Kernel cache count", cacheCount);
+    printf("  %-25s | %lld\n", "Kernel cache count", cacheCount);
     printf(">>> Database Info\n");
-    printf("  %-22s | %lld\n", "Binary Rules", binaryRuleCount);
-    printf("  %-22s | %lld\n", "Certificate Rules", certRuleCount);
-    printf("  %-22s | %lld\n", "Events Pending Upload", eventCount);
+    printf("  %-25s | %lld\n", "Binary Rules", binaryRuleCount);
+    printf("  %-25s | %lld\n", "Certificate Rules", certRuleCount);
+    printf("  %-25s | %lld\n", "Events Pending Upload", eventCount);
 
     if (syncURLStr) {
       printf(">>> Sync Info\n");
-      printf("  %-22s | %s\n", "Sync Server", [syncURLStr UTF8String]);
-      printf("  %-22s | %s\n", "Clean Sync Required", (syncCleanReqd ? "Yes" : "No"));
-      printf("  %-22s | %s\n", "Last Successful Sync", [lastSyncSuccessStr UTF8String]);
+      printf("  %-25s | %s\n", "Sync Server", [syncURLStr UTF8String]);
+      printf("  %-25s | %s\n", "Clean Sync Required", (syncCleanReqd ? "Yes" : "No"));
+      printf("  %-25s | %s\n", "Last Successful Full Sync", [lastSyncSuccessStr UTF8String]);
+      printf("  %-25s | %s\n", "Last Successful Rule Sync", [lastRuleSyncSuccessStr UTF8String]);
+      printf("  %-25s | %s\n", "Push Notifications",
+             (pushNotifications ? "Connected" : "Disconnected"));
     }
   }
 

Source/santactl/Commands/sync/SNTCommandSync.m

@@ -0,0 +1,110 @@
+/// Copyright 2015 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTCommandController.h"
+
+#import "SNTCommandSyncManager.h"
+#import "SNTConfigurator.h"
+#import "SNTDropRootPrivs.h"
+#import "SNTLogging.h"
+#import "SNTXPCConnection.h"
+#import "SNTXPCControlInterface.h"
+
+@interface SNTCommandSync : NSObject<SNTCommand>
+@property SNTXPCConnection *listener;
+@property SNTCommandSyncManager *syncManager;
+@end
+
+@implementation SNTCommandSync
+
+REGISTER_COMMAND_NAME(@"sync")
+
+#pragma mark SNTCommand protocol methods
+
++ (BOOL)requiresRoot {
+  return NO;
+}
+
++ (BOOL)requiresDaemonConn {
+  return NO;
+}
+
++ (NSString *)shortHelpText {
+  return @"Synchronizes Santa with a configured server.";
+}
+
++ (NSString *)longHelpText {
+  return (@"If Santa is configured to synchronize with a a server, "
+          @"this is the command used for syncing.\n\n"
+          @"Options:\n"
+          @"  --clean: Perform a clean sync, erasing all existing rules and requesting a"
+          @"           clean sync from the server.");
+}
+
++ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
+  // Ensure we have no privileges
+  if (!DropRootPrivileges()) {
+    LOGE(@"Failed to drop root privileges. Exiting.");
+    exit(1);
+  }
+
+  SNTCommandSync *s = [[self alloc] init];
+  [daemonConn resume];
+  BOOL daemon = [arguments containsObject:@"--daemon"];
+  s.syncManager = [[SNTCommandSyncManager alloc] initWithDaemonConnection:daemonConn
+                                                                 isDaemon:daemon];
+
+  // Dropping root privileges to the 'nobody' user causes the default NSURLCache to throw
+  // sandbox errors, which are benign but annoying. This line disables the cache entirely.
+  [NSURLCache setSharedURLCache:[[NSURLCache alloc] initWithMemoryCapacity:0
+                                                              diskCapacity:0
+                                                                  diskPath:nil]];
+
+  if (!s.syncManager.daemon) return [s.syncManager fullSync];
+  [s syncdWithDaemonConnection:daemonConn];
+}
+
+#pragma mark daemon methods
+
+- (void)syncdWithDaemonConnection:(SNTXPCConnection *)daemonConn {
+  dispatch_semaphore_t sema = dispatch_semaphore_create(0);
+
+  // Create listener for return connection from daemon.
+  NSXPCListener *listener = [NSXPCListener anonymousListener];
+  self.listener = [[SNTXPCConnection alloc] initServerWithListener:listener];
+  self.listener.exportedInterface = [SNTXPCSyncdInterface syncdInterface];
+  self.listener.exportedObject = self.syncManager;
+  self.listener.acceptedHandler = ^{
+    LOGD(@"santad <--> santactl connections established");
+    dispatch_semaphore_signal(sema);
+  };
+  self.listener.invalidationHandler = ^{
+    // If santad is unloaded kill santactl
+    LOGD(@"exiting");
+    exit(0);
+  };
+  [self.listener resume];
+
+  // Tell daemon to connect back to the above listener.
+  [[daemonConn remoteObjectProxy] setSyncdListener:listener.endpoint];
+
+  // Now wait for the connection to come in.
+  if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC))) {
+    [self performSelectorInBackground:@selector(syncdWithDaemonConnection:) withObject:daemonConn];
+  }
+
+  [self.syncManager fullSyncSecondsFromNow:15];
+}
+
+@end

Source/santactl/Commands/sync/SNTCommandSyncConstants.h

@@ -12,10 +12,7 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-extern NSString *const kURLPreflight;
-extern NSString *const kURLEventUpload;
-extern NSString *const kURLRuleDownload;
-extern NSString *const kURLPostflight;
+extern NSString *const kXSRFToken;
 
 extern NSString *const kSerialNumber;
 extern NSString *const kHostname;
@@ -32,6 +29,9 @@ extern NSString *const kClientModeLockdown;
 extern NSString *const kCleanSync;
 extern NSString *const kWhitelistRegex;
 extern NSString *const kBlacklistRegex;
+extern NSString *const kBinaryRuleCount;
+extern NSString *const kCertificateRuleCount;
+extern NSString *const kFCMToken;
 
 extern NSString *const kEvents;
 extern NSString *const kFileSHA256;
@@ -49,10 +49,11 @@ extern NSString *const kDecisionBlockBinary;
 extern NSString *const kDecisionBlockCertificate;
 extern NSString *const kDecisionBlockScope;
 extern NSString *const kDecisionUnknown;
-extern NSString *const kDecisionRelatedBinary;
+extern NSString *const kDecisionBundleBinary;
 extern NSString *const kLoggedInUsers;
 extern NSString *const kCurrentSessions;
 extern NSString *const kFileBundleID;
+extern NSString *const kFileBundlePath;
 extern NSString *const kFileBundleName;
 extern NSString *const kFileBundleVersion;
 extern NSString *const kFileBundleShortVersionString;
@@ -70,6 +71,7 @@ extern NSString *const kQuarantineDataURL;
 extern NSString *const kQuarantineRefererURL;
 extern NSString *const kQuarantineTimestamp;
 extern NSString *const kQuarantineAgentBundleID;
+extern NSString *const kEventUploadBundleBinaries;
 
 extern NSString *const kLogUploadField;
 
@@ -87,3 +89,8 @@ extern NSString *const kRuleCustomMsg;
 extern NSString *const kCursor;
 
 extern NSString *const kBackoffInterval;
+
+extern NSString *const kFullSync;
+extern NSString *const kRuleSync;
+extern NSString *const kConfigSync;
+extern NSString *const kLogSync;

Source/santactl/Commands/sync/SNTCommandSyncConstants.m

@@ -14,10 +14,7 @@
 
 #import "SNTCommandSyncConstants.h"
 
-NSString *const kURLPreflight = @"preflight/";
-NSString *const kURLEventUpload = @"eventupload/";
-NSString *const kURLRuleDownload = @"ruledownload/";
-NSString *const kURLPostflight = @"postflight/";
+NSString *const kXSRFToken = @"X-XSRF-TOKEN";
 
 NSString *const kSerialNumber = @"serial_num";
 NSString *const kHostname = @"hostname";
@@ -34,6 +31,9 @@ NSString *const kClientModeLockdown = @"LOCKDOWN";
 NSString *const kCleanSync = @"clean_sync";
 NSString *const kWhitelistRegex = @"whitelist_regex";
 NSString *const kBlacklistRegex = @"blacklist_regex";
+NSString *const kBinaryRuleCount = @"binary_rule_count";
+NSString *const kCertificateRuleCount = @"certificate_rule_count";
+NSString *const kFCMToken = @"fcm_token";
 
 NSString *const kEvents = @"events";
 NSString *const kFileSHA256 = @"file_sha256";
@@ -51,10 +51,11 @@ NSString *const kDecisionBlockBinary = @"BLOCK_BINARY";
 NSString *const kDecisionBlockCertificate = @"BLOCK_CERTIFICATE";
 NSString *const kDecisionBlockScope = @"BLOCK_SCOPE";
 NSString *const kDecisionUnknown = @"UNKNOWN";
-NSString *const kDecisionRelatedBinary = @"RELATED_BINARY";
+NSString *const kDecisionBundleBinary = @"BUNDLE_BINARY";
 NSString *const kLoggedInUsers = @"logged_in_users";
 NSString *const kCurrentSessions = @"current_sessions";
 NSString *const kFileBundleID = @"file_bundle_id";
+NSString *const kFileBundlePath = @"file_bundle_path";
 NSString *const kFileBundleName = @"file_bundle_name";
 NSString *const kFileBundleVersion = @"file_bundle_version";
 NSString *const kFileBundleShortVersionString = @"file_bundle_version_string";
@@ -72,6 +73,7 @@ NSString *const kQuarantineDataURL = @"quarantine_data_url";
 NSString *const kQuarantineRefererURL = @"quarantine_referer_url";
 NSString *const kQuarantineTimestamp = @"quarantine_timestamp";
 NSString *const kQuarantineAgentBundleID = @"quarantine_agent_bundle_id";
+NSString *const kEventUploadBundleBinaries = @"event_upload_bundle_binaries";
 
 NSString *const kLogUploadField = @"files";
 
@@ -89,3 +91,8 @@ NSString *const kRuleCustomMsg = @"custom_msg";
 NSString *const kCursor = @"cursor";
 
 NSString *const kBackoffInterval = @"backoff";
+
+NSString *const kFullSync = @"full_sync";
+NSString *const kRuleSync = @"rule_sync";
+NSString *const kConfigSync = @"config_sync";
+NSString *const kLogSync = @"log_sync";

Source/santactl/Commands/sync/SNTCommandSyncEventUpload.h

@@ -12,14 +12,12 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-@class SNTCommandSyncState;
-@class SNTXPCConnection;
+#import "SNTCommandSyncStage.h"
 
-@interface SNTCommandSyncPreflight : NSObject
+@interface SNTCommandSyncEventUpload : SNTCommandSyncStage
 
-+ (void)performSyncInSession:(NSURLSession *)session
-                   syncState:(SNTCommandSyncState *)syncState
-                  daemonConn:(SNTXPCConnection *)daemonConn
-           completionHandler:(void (^)(BOOL success))handler;
+- (BOOL)uploadEvents:(NSArray *)events;
+
+- (BOOL)syncBundleEvents;
 
 @end

Source/santactl/Commands/sync/SNTCommandSyncEventUpload.m

@@ -0,0 +1,233 @@
+/// Copyright 2015 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTCommandSyncEventUpload.h"
+
+#include "SNTLogging.h"
+
+#import "MOLCertificate.h"
+#import "MOLCodesignChecker.h"
+#import "NSData+Zlib.h"
+#import "SNTCommandSyncConstants.h"
+#import "SNTCommandSyncState.h"
+#import "SNTFileInfo.h"
+#import "SNTStoredEvent.h"
+#import "SNTXPCConnection.h"
+#import "SNTXPCControlInterface.h"
+
+@implementation SNTCommandSyncEventUpload
+
+- (NSURL *)stageURL {
+  NSString *stageName = [@"eventupload" stringByAppendingFormat:@"/%@", self.syncState.machineID];
+  return [NSURL URLWithString:stageName relativeToURL:self.syncState.syncBaseURL];
+}
+
+- (BOOL)sync {
+  dispatch_semaphore_t sema = dispatch_semaphore_create(0);
+  [[self.daemonConn remoteObjectProxy] databaseEventsPending:^(NSArray *events) {
+    if (events.count) {
+      [self uploadEvents:events];
+    }
+    dispatch_semaphore_signal(sema);
+  }];
+  return (dispatch_semaphore_wait(sema, DISPATCH_TIME_FOREVER) == 0);
+}
+
+- (BOOL)syncBundleEvents {
+  NSMutableArray *newEvents = [NSMutableArray array];
+  for (NSString *bundlePath in [NSSet setWithArray:self.syncState.bundleBinaryRequests]) {
+    __block NSArray *relatedBinaries;
+    __block BOOL shouldCancel = NO;
+    dispatch_semaphore_t sema = dispatch_semaphore_create(0);
+    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0), ^{
+      relatedBinaries = [self findRelatedBinaries:bundlePath shouldCancel:&shouldCancel];
+      dispatch_semaphore_signal(sema);
+    });
+
+    // Give the search up to 5m to run
+    if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 300))) {
+      LOGD(@"Timed out while searching for related binaries at path %@", bundlePath);
+      shouldCancel = YES;
+    } else {
+      [newEvents addObjectsFromArray:relatedBinaries];
+    }
+  }
+  return [self uploadEvents:newEvents];
+}
+
+- (BOOL)uploadEvents:(NSArray *)events {
+  NSMutableArray *uploadEvents = [[NSMutableArray alloc] init];
+
+  NSMutableSet *eventIds = [NSMutableSet setWithCapacity:events.count];
+  for (SNTStoredEvent *event in events) {
+    [uploadEvents addObject:[self dictionaryForEvent:event]];
+    if (event.idx) [eventIds addObject:event.idx];
+    if (uploadEvents.count >= self.syncState.eventBatchSize) break;
+  }
+
+  NSDictionary *r = [self performRequest:[self requestWithDictionary:@{ kEvents: uploadEvents }]];
+  if (!r) return NO;
+
+  // Keep track of bundle search requests
+  self.syncState.bundleBinaryRequests = r[kEventUploadBundleBinaries];
+
+  LOGI(@"Uploaded %lu events", uploadEvents.count);
+
+  // Remove event IDs. For Bundle Events the ID is 0 so nothing happens.
+  [[self.daemonConn remoteObjectProxy] databaseRemoveEventsWithIDs:[eventIds allObjects]];
+
+  // See if there are any events remaining to upload
+  if (uploadEvents.count < events.count) {
+    NSRange nextEventsRange = NSMakeRange(uploadEvents.count, events.count - uploadEvents.count);
+    NSArray *nextEvents = [events subarrayWithRange:nextEventsRange];
+    return [self uploadEvents:nextEvents];
+  }
+
+  return YES;
+}
+
+- (NSDictionary *)dictionaryForEvent:(SNTStoredEvent *)event {
+#define ADDKEY(dict, key, value) if (value) dict[key] = value
+  NSMutableDictionary *newEvent = [NSMutableDictionary dictionary];
+
+  ADDKEY(newEvent, kFileSHA256, event.fileSHA256);
+  ADDKEY(newEvent, kFilePath, [event.filePath stringByDeletingLastPathComponent]);
+  ADDKEY(newEvent, kFileName, [event.filePath lastPathComponent]);
+  ADDKEY(newEvent, kExecutingUser, event.executingUser);
+  ADDKEY(newEvent, kExecutionTime, @([event.occurrenceDate timeIntervalSince1970]));
+  ADDKEY(newEvent, kLoggedInUsers, event.loggedInUsers);
+  ADDKEY(newEvent, kCurrentSessions, event.currentSessions);
+
+  switch (event.decision) {
+    case SNTEventStateAllowUnknown: ADDKEY(newEvent, kDecision, kDecisionAllowUnknown); break;
+    case SNTEventStateAllowBinary: ADDKEY(newEvent, kDecision, kDecisionAllowBinary); break;
+    case SNTEventStateAllowCertificate:
+      ADDKEY(newEvent, kDecision, kDecisionAllowCertificate);
+      break;
+    case SNTEventStateAllowScope: ADDKEY(newEvent, kDecision, kDecisionAllowScope); break;
+    case SNTEventStateBlockUnknown: ADDKEY(newEvent, kDecision, kDecisionBlockUnknown); break;
+    case SNTEventStateBlockBinary: ADDKEY(newEvent, kDecision, kDecisionBlockBinary); break;
+    case SNTEventStateBlockCertificate:
+      ADDKEY(newEvent, kDecision, kDecisionBlockCertificate);
+      break;
+    case SNTEventStateBlockScope: ADDKEY(newEvent, kDecision, kDecisionBlockScope); break;
+    case SNTEventStateBundleBinary: ADDKEY(newEvent, kDecision, kDecisionBundleBinary); break;
+    default: ADDKEY(newEvent, kDecision, kDecisionUnknown);
+  }
+
+  ADDKEY(newEvent, kFileBundleID, event.fileBundleID);
+  ADDKEY(newEvent, kFileBundlePath, event.fileBundlePath);
+  ADDKEY(newEvent, kFileBundleName, event.fileBundleName);
+  ADDKEY(newEvent, kFileBundleVersion, event.fileBundleVersion);
+  ADDKEY(newEvent, kFileBundleShortVersionString, event.fileBundleVersionString);
+
+  ADDKEY(newEvent, kPID, event.pid);
+  ADDKEY(newEvent, kPPID, event.ppid);
+  ADDKEY(newEvent, kParentName, event.parentName);
+
+  ADDKEY(newEvent, kQuarantineDataURL, event.quarantineDataURL);
+  ADDKEY(newEvent, kQuarantineRefererURL, event.quarantineRefererURL);
+  ADDKEY(newEvent, kQuarantineTimestamp, @([event.quarantineTimestamp timeIntervalSince1970]));
+  ADDKEY(newEvent, kQuarantineAgentBundleID, event.quarantineAgentBundleID);
+
+  NSMutableArray *signingChain = [NSMutableArray arrayWithCapacity:event.signingChain.count];
+  for (NSUInteger i = 0; i < event.signingChain.count; ++i) {
+    MOLCertificate *cert = [event.signingChain objectAtIndex:i];
+
+    NSMutableDictionary *certDict = [NSMutableDictionary dictionary];
+    ADDKEY(certDict, kCertSHA256, cert.SHA256);
+    ADDKEY(certDict, kCertCN, cert.commonName);
+    ADDKEY(certDict, kCertOrg, cert.orgName);
+    ADDKEY(certDict, kCertOU, cert.orgUnit);
+    ADDKEY(certDict, kCertValidFrom, @([cert.validFrom timeIntervalSince1970]));
+    ADDKEY(certDict, kCertValidUntil, @([cert.validUntil timeIntervalSince1970]));
+
+    [signingChain addObject:certDict];
+  }
+  newEvent[kSigningChain] = signingChain;
+
+  return newEvent;
+#undef ADDKEY
+}
+
+/**
+  Find binaries within a bundle given the bundle's path. Will run until completion, however long
+  that might be. Search is done within the bundle concurrently, using up to 25 threads at once.
+
+  @param path, the path to begin searching underneath
+  @param shouldCancel, if YES, the search is cancelled part way through.
+  @return array of SNTStoredEvent's
+*/
+- (NSArray *)findRelatedBinaries:(NSString *)path shouldCancel:(BOOL *)shouldCancel {
+  // For storing the generated events, with a simple lock for writing.
+  NSMutableArray *relatedEvents = [NSMutableArray array];
+  NSLock *relatedEventsLock = [[NSLock alloc] init];
+
+  // Limit the number of threads that can process files at once to keep CPU usage down.
+  dispatch_semaphore_t sema = dispatch_semaphore_create(25);
+
+  // Group the processing into a single group so we can wait on the whole group at the end.
+  dispatch_group_t group = dispatch_group_create();
+
+  NSDirectoryEnumerator *dirEnum = [[NSFileManager defaultManager] enumeratorAtPath:path];
+  while (1) {
+    @autoreleasepool {
+      if (*shouldCancel) break;
+      NSString *file = [dirEnum nextObject];
+      if (!file) break;
+      if ([dirEnum fileAttributes][NSFileType] != NSFileTypeRegular) continue;
+
+      // Wait for a processing thread to become available
+      dispatch_semaphore_wait(sema, DISPATCH_TIME_FOREVER);
+
+      dispatch_group_async(group,
+                           dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0),
+                           ^{
+        @autoreleasepool {
+          NSString *newFile = [path stringByAppendingPathComponent:file];
+          SNTFileInfo *fi = [[SNTFileInfo alloc] initWithPath:newFile];
+          if (!fi.isExecutable) {
+            dispatch_semaphore_signal(sema);
+            return;
+          }
+
+          SNTStoredEvent *se = [[SNTStoredEvent alloc] init];
+          se.filePath = fi.path;
+          se.fileSHA256 = fi.SHA256;
+          se.decision = SNTEventStateBundleBinary;
+          se.fileBundleID = fi.bundleIdentifier;
+          se.fileBundleName = fi.bundleName;
+          se.fileBundlePath = fi.bundlePath;
+          se.fileBundleVersion = fi.bundleVersion;
+          se.fileBundleVersionString = fi.bundleShortVersionString;
+
+          MOLCodesignChecker *cs = [[MOLCodesignChecker alloc] initWithBinaryPath:se.filePath];
+          se.signingChain = cs.certificates;
+
+          [relatedEventsLock lock];
+          [relatedEvents addObject:se];
+          [relatedEventsLock unlock];
+
+          dispatch_semaphore_signal(sema);
+        }
+      });
+    }
+  }
+
+  dispatch_group_wait(group, DISPATCH_TIME_FOREVER);
+
+  return relatedEvents;
+}
+
+@end

Source/santactl/Commands/sync/SNTCommandSyncLogUpload.h

@@ -12,6 +12,7 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-#include "SantaPIDAndPPID.h"
+#import "SNTCommandSyncStage.h"
 
-OSDefineMetaClassAndStructors(SantaPIDAndPPID, OSObject);
+@interface SNTCommandSyncLogUpload : SNTCommandSyncStage
+@end

Source/santactl/Commands/sync/SNTCommandSyncLogUpload.m

@@ -15,49 +15,40 @@
 #import "SNTCommandSyncLogUpload.h"
 
 #import "NSData+Zlib.h"
-
-#include "SNTLogging.h"
-
 #import "SNTCommandSyncConstants.h"
 #import "SNTCommandSyncState.h"
 #import "SNTCommonEnums.h"
+#import "SNTLogging.h"
 
 @implementation SNTCommandSyncLogUpload
 
-+ (void)performSyncInSession:(NSURLSession *)session
-                   syncState:(SNTCommandSyncState *)syncState
-                  daemonConn:(SNTXPCConnection *)daemonConn
-           completionHandler:(void (^)(BOOL success))handler {
-  NSURL *url = syncState.uploadLogURL;
-  NSMutableURLRequest *req = [[NSMutableURLRequest alloc] initWithURL:url];
-  [req setHTTPMethod:@"POST"];
-  NSString *boundary = @"----santa-sync-upload-boundary";
+- (NSString *)stageName {
+  return @"logupload";
+}
 
+- (NSURL *)stageURL {
+  return self.syncState.uploadLogURL;
+}
+
+- (BOOL)sync {
+  NSMutableURLRequest *req = [self requestWithDictionary:nil];
+
+  NSString *boundary = @"----santa-sync-upload-boundary";
   NSString *contentType =
       [NSString stringWithFormat:@"multipart/form-data; charset=UTF-8; boundary=%@", boundary];
   [req setValue:contentType forHTTPHeaderField:@"Content-Type"];
 
   NSArray *logsToUpload = [self logsToUpload];
+  [req setHTTPBody:[self requestBodyWithLogs:logsToUpload andBoundary:boundary]];
 
-  // Upload the logs
-  [[session uploadTaskWithRequest:req
-                         fromData:[self requestBodyWithLogs:logsToUpload andBoundary:boundary]
-                completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
-      long statusCode = [(NSHTTPURLResponse *)response statusCode];
-      if (statusCode != 200) {
-        LOGE(@"HTTP Response: %ld %@",
-             statusCode,
-             [[NSHTTPURLResponse localizedStringForStatusCode:statusCode] capitalizedString]);
-        LOGD(@"%@", error);
-        handler(NO);
-      } else {
-        LOGI(@"Uploaded %lu logs", [logsToUpload count]);
-        handler(YES);
-      }
-  }] resume];
+  NSDictionary *d = [self performRequest:req];
+  if (!d) return NO;
+
+  LOGI(@"Uploaded %lu logs", logsToUpload.count);
+  return YES;
 }
 
-+ (NSData *)requestBodyWithLogs:(NSArray *)logsToUpload andBoundary:(NSString *)boundary {
+- (NSData *)requestBodyWithLogs:(NSArray *)logsToUpload andBoundary:(NSString *)boundary {
   // Prepare the body of the request, encoded as a multipart/form-data.
   // Along the way, gzip the individual log files and append .gz to their filenames.
   NSMutableData *reqBody = [[NSMutableData alloc] init];
@@ -80,7 +71,7 @@
   return reqBody;
 }
 
-+ (NSArray *)logsToUpload {
+- (NSArray *)logsToUpload {
   // General logs
   NSMutableArray *logsToUpload = [@[ @"/var/log/santa.log",
                                      @"/var/log/system.log" ] mutableCopy];

Source/santactl/Commands/sync/SNTCommandSyncManager.h

@@ -0,0 +1,53 @@
+/// Copyright 2016 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTXPCSyncdInterface.h"
+
+@class SNTXPCConnection;
+
+///
+///  Handles push notifications and periodic syncing with a sync server.
+///
+@interface SNTCommandSyncManager : NSObject<SNTSyncdXPC>
+
+@property(readonly, nonatomic) BOOL daemon;
+
+///
+///  Use the designated initializer initWithDaemonConnection:isDaemon:
+///
+- (instancetype)init NS_UNAVAILABLE;
+
+///
+///  Designated initializer.
+///
+///  @param daemonConn A connection to santad.
+///  @param daemon Set to YES if periodic syncing should occur.
+///                Set to NO if a single sync should be performed. NO is default.
+///
+- (instancetype)initWithDaemonConnection:(SNTXPCConnection *)daemonConn
+                                isDaemon:(BOOL)daemon NS_DESIGNATED_INITIALIZER;
+
+///
+///  Perform a full sync immediately. Non-blocking.
+///  If a full sync is already running new requests will be dropped.
+///
+- (void)fullSync;
+
+///
+///  Perform a full sync seconds from now. Non-blocking.
+///  If a full sync is already running new requests will be dropped.
+///
+- (void)fullSyncSecondsFromNow:(uint64_t)seconds;
+
+@end

Source/santactl/Commands/sync/SNTCommandSyncManager.m

@@ -0,0 +1,475 @@
+/// Copyright 2016 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTCommandSyncManager.h"
+
+#import <SystemConfiguration/SystemConfiguration.h>
+
+#import <MOLAuthenticatingURLSession.h>
+#import <MOLFCMClient/MOLFCMClient.h>
+
+#import "SNTConfigurator.h"
+#import "SNTCommandSyncConstants.h"
+#import "SNTCommandSyncEventUpload.h"
+#import "SNTCommandSyncLogUpload.h"
+#import "SNTCommandSyncPostflight.h"
+#import "SNTCommandSyncPreflight.h"
+#import "SNTCommandSyncRuleDownload.h"
+#import "SNTCommandSyncState.h"
+#import "SNTLogging.h"
+#import "SNTStrengthify.h"
+#import "SNTXPCConnection.h"
+#import "SNTXPCControlInterface.h"
+#import "SNTXPCSyncdInterface.h"
+
+// Syncing time constants
+const uint64_t kFullSyncInterval = 600;
+const uint64_t kFullSyncFCMInterval = 14400;
+const uint64_t kGlobalRuleSyncLeeway = 600;
+
+@interface SNTCommandSyncManager () {
+  SCNetworkReachabilityRef _reachability;
+}
+@property(nonatomic) dispatch_source_t fullSyncTimer;
+@property(nonatomic) dispatch_source_t ruleSyncTimer;
+@property(nonatomic) NSCache *dispatchLock;
+@property(nonatomic) NSCache *ruleSyncCache;
+@property MOLFCMClient *FCMClient;
+@property(nonatomic) SNTXPCConnection *daemonConn;
+@property BOOL targetedRuleSync;
+@property(nonatomic) BOOL reachable;
+@end
+
+// Called when the network state changes
+static void reachabilityHandler(
+    SCNetworkReachabilityRef target, SCNetworkReachabilityFlags flags, void *info) {
+  SNTCommandSyncManager *commandSyncManager = (__bridge SNTCommandSyncManager *)info;
+  // Only call the setter when there is a change. This will filter out the redundant calls to this
+  // callback whenever the network interface states change.
+  if (commandSyncManager.reachable != (flags & kSCNetworkReachabilityFlagsReachable)) {
+    commandSyncManager.reachable = (flags & kSCNetworkReachabilityFlagsReachable);
+  }
+}
+
+@implementation SNTCommandSyncManager
+
+#pragma mark init
+
+- (instancetype)initWithDaemonConnection:(SNTXPCConnection *)daemonConn isDaemon:(BOOL)daemon {
+  self = [super init];
+  if (self) {
+    _daemonConn = daemonConn;
+    _daemon = daemon;
+    _fullSyncTimer = [self createSyncTimerWithBlock:^{
+      [self rescheduleTimerQueue:self.fullSyncTimer secondsFromNow:kFullSyncFCMInterval];
+      if (![[SNTConfigurator configurator] syncBaseURL]) return;
+      [self lockAction:kFullSync];
+      [self preflight];
+      [self unlockAction:kFullSync];
+    }];
+    _ruleSyncTimer = [self createSyncTimerWithBlock:^{
+      dispatch_source_set_timer(self.ruleSyncTimer,
+                                DISPATCH_TIME_FOREVER, DISPATCH_TIME_FOREVER, 0);
+      if (![[SNTConfigurator configurator] syncBaseURL]) return;
+      [self lockAction:kRuleSync];
+      SNTCommandSyncState *syncState = [self createSyncState];
+      syncState.targetedRuleSync = self.targetedRuleSync;
+      syncState.ruleSyncCache = self.ruleSyncCache;
+      SNTCommandSyncRuleDownload *p = [[SNTCommandSyncRuleDownload alloc] initWithState:syncState];
+      if ([p sync]) {
+        LOGD(@"Rule download complete");
+      } else {
+        LOGE(@"Rule download failed");
+      }
+      self.targetedRuleSync = NO;
+      [self unlockAction:kRuleSync];
+    }];
+    _dispatchLock = [[NSCache alloc] init];
+    _ruleSyncCache = [[NSCache alloc] init];
+  }
+  return self;
+}
+
+#pragma mark SNTSyncdXPC protocol methods
+
+- (void)postEventToSyncServer:(SNTStoredEvent *)event {
+  SNTCommandSyncEventUpload *p = [[SNTCommandSyncEventUpload alloc]
+                                     initWithState:[self createSyncState]];
+  if (event && [p uploadEvents:@[event]]) {
+    LOGD(@"Event upload complete");
+  } else {
+    LOGE(@"Event upload failed");
+  }
+}
+
+- (void)rescheduleSyncSecondsFromNow:(uint64_t)seconds {
+  [self rescheduleTimerQueue:self.fullSyncTimer secondsFromNow:seconds];
+}
+
+- (void)isFCMListening:(void (^)(BOOL))reply {
+  reply((self.FCMClient.FCMToken != nil));
+}
+
+#pragma mark push notification methods
+
+- (void)listenForPushNotificationsWithSyncState:(SNTCommandSyncState *)syncState {
+  if ([self.FCMClient.FCMToken isEqualToString:syncState.FCMToken]) {
+    LOGD(@"Continue with the current FCMToken");
+    return;
+  }
+
+  LOGD(@"Start listening for push notifications");
+
+  WEAKIFY(self);
+
+  [self.FCMClient disconnect];
+  NSString *machineID = syncState.machineID;
+  self.FCMClient = [[MOLFCMClient alloc] initWithFCMToken:syncState.FCMToken
+                                     sessionConfiguration:syncState.session.configuration.copy
+                                           messageHandler:^(NSDictionary *message) {
+    if (!message || [message isEqual:@{}]) return;
+      STRONGIFY(self);
+      LOGD(@"%@", message);
+      [self.FCMClient acknowledgeMessage:message];
+      [self processFCMMessage:message withMachineID:machineID];
+  }];
+
+  self.FCMClient.connectionErrorHandler = ^(NSError *error) {
+    STRONGIFY(self);
+    LOGE(@"FCM connection error: %@", error);
+    [self.FCMClient disconnect];
+    self.FCMClient = nil;
+    [self rescheduleTimerQueue:self.fullSyncTimer secondsFromNow:kFullSyncInterval];
+  };
+  
+  self.FCMClient.loggingBlock = ^(NSString *log) {
+    LOGD(@"%@", log);
+  };
+  
+  [self.FCMClient connect];
+}
+
+- (void)processFCMMessage:(NSDictionary *)FCMmessage withMachineID:(NSString *)machineID {
+  NSData *entryData;
+
+  // Sort through the entries in the FCM message.
+  for (NSDictionary *entry in FCMmessage[@"data"]) {
+    if ([entry[@"key"] isEqualToString:@"blob"]) {
+      entryData = [entry[@"value"] dataUsingEncoding:NSUTF8StringEncoding];
+      break;
+    }
+  }
+
+  if (!entryData) {
+    LOGD(@"Push notification message is not in the expected format...dropping message");
+    return;
+  }
+
+  NSError *error;
+  NSDictionary *actionMessage = [NSJSONSerialization JSONObjectWithData:entryData
+                                                                options:NSJSONReadingAllowFragments
+                                                                  error:&error];
+  if (!actionMessage) {
+    LOGD(@"Unable to parse push notification message value: %@", error);
+    return;
+  }
+
+  // Store the file name and hash in a cache. When the rule is actually added, use the cache
+  // to build a user notification.
+  NSString *fileHash = actionMessage[@"file_hash"];
+  NSString *fileName = actionMessage[@"file_name"];
+  if (fileName && fileHash) {
+    [self.ruleSyncCache setObject:fileName forKey:fileHash];
+  }
+
+  NSString *action = actionMessage[@"action"];
+  if (action) {
+    LOGD(@"Push notification action: %@ received", action);
+  } else {
+    LOGD(@"Push notification message contains no action");
+  }
+
+  if ([action isEqualToString:kFullSync]) {
+    [self fullSync];
+  } else if ([action isEqualToString:kRuleSync]) {
+    NSString *targetMachineID = actionMessage[@"target_host_id"];
+    if (![targetMachineID isKindOfClass:[NSNull class]] &&
+        [targetMachineID.lowercaseString isEqualToString:machineID.lowercaseString]) {
+      self.targetedRuleSync = YES;
+      [self ruleSync];
+    } else {
+      uint32_t delaySeconds = arc4random_uniform(kGlobalRuleSyncLeeway);
+      LOGD(@"Staggering rule download, %u second delay for this machine", delaySeconds);
+      [self ruleSyncSecondsFromNow:delaySeconds];
+    }
+  } else if ([action isEqualToString:kConfigSync]) {
+    [self fullSync];
+  } else if ([action isEqualToString:kLogSync]) {
+    [self fullSync];
+  } else {
+    LOGD(@"Unrecognised action: %@", action);
+  }
+}
+
+#pragma mark sync timer control
+
+- (void)fullSync {
+  [self fullSyncSecondsFromNow:0];
+}
+
+- (void)fullSyncSecondsFromNow:(uint64_t)seconds {
+  if (![self checkLockAction:kFullSync]) {
+    LOGD(@"%@ in progress, dropping reschedule request", kFullSync);
+    return;
+  }
+  [self rescheduleTimerQueue:self.fullSyncTimer secondsFromNow:seconds];
+}
+
+- (void)ruleSync {
+  [self ruleSyncSecondsFromNow:0];
+}
+
+- (void)ruleSyncSecondsFromNow:(uint64_t)seconds {
+  if (![self checkLockAction:kRuleSync]) {
+    LOGD(@"%@ in progress, dropping reschedule request", kRuleSync);
+    return;
+  }
+  [self rescheduleTimerQueue:self.ruleSyncTimer secondsFromNow:seconds];
+}
+
+- (void)rescheduleTimerQueue:(dispatch_source_t)timerQueue secondsFromNow:(uint64_t)seconds {
+  uint64_t interval = seconds * NSEC_PER_SEC;
+  uint64_t leeway = (seconds * 0.5) * NSEC_PER_SEC;
+  dispatch_source_set_timer(timerQueue, dispatch_walltime(NULL, interval), interval, leeway);
+}
+
+#pragma mark syncing chain
+
+- (void)preflight {
+  SNTCommandSyncState *syncState = [self createSyncState];
+  SNTCommandSyncPreflight *p = [[SNTCommandSyncPreflight alloc] initWithState:syncState];
+  if ([p sync]) {
+    LOGD(@"Preflight complete");
+
+    // Clean up reachability if it was started for a non-network error
+    [self stopReachability];
+
+    // Start listening for push notifications with a full sync every kFullSyncFCMInterval or
+    // revert to full syncing every kFullSyncInterval.
+    if (syncState.daemon && syncState.FCMToken) {
+      [self listenForPushNotificationsWithSyncState:syncState];
+    } else if (syncState.daemon) {
+      LOGD(@"FCMToken not provided. Sync every %llu min.", kFullSyncInterval / 60);
+      [self.FCMClient disconnect];
+      self.FCMClient = nil;
+      [self rescheduleTimerQueue:self.fullSyncTimer secondsFromNow:kFullSyncInterval];
+    }
+
+    if (syncState.uploadLogURL) {
+      return [self logUploadWithSyncState:syncState];
+    } else {
+      return [self eventUploadWithSyncState:syncState];
+    }
+  } else {
+    if (!syncState.daemon) {
+      LOGE(@"Preflight failed, aborting run");
+      exit(1);
+    }
+    LOGE(@"Preflight failed, will try again once %@ is reachable",
+         [[SNTConfigurator configurator] syncBaseURL].absoluteString);
+    [self startReachability];
+  }
+}
+
+- (void)logUploadWithSyncState:(SNTCommandSyncState *)syncState {
+  SNTCommandSyncLogUpload *p = [[SNTCommandSyncLogUpload alloc] initWithState:syncState];
+  if ([p sync]) {
+    LOGD(@"Log upload complete");
+  } else {
+    LOGE(@"Log upload failed, continuing anyway");
+  }
+  return [self eventUploadWithSyncState:syncState];
+}
+
+- (void)eventUploadWithSyncState:(SNTCommandSyncState *)syncState {
+  SNTCommandSyncEventUpload *p = [[SNTCommandSyncEventUpload alloc] initWithState:syncState];
+  if ([p sync]) {
+    LOGD(@"Event upload complete");
+    return [self ruleDownloadWithSyncState:syncState];
+  } else {
+    LOGE(@"Event upload failed, aborting run");
+    if (!syncState.daemon) exit(1);
+  }
+}
+
+- (void)ruleDownloadWithSyncState:(SNTCommandSyncState *)syncState {
+  SNTCommandSyncRuleDownload *p = [[SNTCommandSyncRuleDownload alloc] initWithState:syncState];
+  if ([p sync]) {
+    LOGD(@"Rule download complete");
+    if (syncState.bundleBinaryRequests.count) {
+      return [self eventUploadBundleBinariesWithSyncState:syncState];
+    }
+    return [self postflightWithSyncState:syncState];
+  } else {
+    LOGE(@"Rule download failed, aborting run");
+    if (!syncState.daemon) exit(1);
+  }
+}
+
+- (void)eventUploadBundleBinariesWithSyncState:(SNTCommandSyncState *)syncState {
+  SNTCommandSyncEventUpload *p = [[SNTCommandSyncEventUpload alloc] initWithState:syncState];
+  if ([p syncBundleEvents]) {
+    LOGD(@"Event upload for bundle binaries complete");
+  } else {
+    LOGW(@"Event upload for bundle binary search failed");
+  }
+  return [self postflightWithSyncState:syncState];
+}
+
+- (void)postflightWithSyncState:(SNTCommandSyncState *)syncState {
+  SNTCommandSyncPostflight *p = [[SNTCommandSyncPostflight alloc] initWithState:syncState];
+  if ([p sync]) {
+    LOGD(@"Postflight complete");
+    LOGI(@"Sync completed successfully");
+    if (!syncState.daemon) exit(0);
+  } else {
+    LOGE(@"Postflight failed");
+    if (!syncState.daemon) exit(1);
+  }
+}
+
+#pragma mark internal helpers
+
+- (dispatch_source_t)createSyncTimerWithBlock:(void (^)())block {
+  dispatch_source_t timerQueue = dispatch_source_create(
+      DISPATCH_SOURCE_TYPE_TIMER, 0, 0,
+      dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0));
+  dispatch_source_set_event_handler(timerQueue, block);
+  dispatch_resume(timerQueue);
+  return timerQueue;
+}
+
+- (SNTCommandSyncState *)createSyncState {
+  // Gather some data needed during some sync stages
+  SNTCommandSyncState *syncState = [[SNTCommandSyncState alloc] init];
+  SNTConfigurator *config = [SNTConfigurator configurator];
+
+  syncState.syncBaseURL = config.syncBaseURL;
+  if (syncState.syncBaseURL.absoluteString.length == 0) {
+    LOGE(@"Missing SyncBaseURL. Can't sync without it.");
+    if (!syncState.daemon) exit(1);
+  } else if (![syncState.syncBaseURL.scheme isEqual:@"https"]) {
+    LOGW(@"SyncBaseURL is not over HTTPS!");
+  }
+
+  syncState.machineID = config.machineID;
+  if (syncState.machineID.length == 0) {
+    LOGE(@"Missing Machine ID. Can't sync without it.");
+    if (!syncState.daemon) exit(1);
+  }
+
+  syncState.machineOwner = config.machineOwner;
+  if (syncState.machineOwner.length == 0) {
+    syncState.machineOwner = @"";
+    LOGW(@"Missing Machine Owner.");
+  }
+
+  [[self.daemonConn remoteObjectProxy] xsrfToken:^(NSString *token) {
+    syncState.xsrfToken = token;
+  }];
+
+  MOLAuthenticatingURLSession *authURLSession = [[MOLAuthenticatingURLSession alloc] init];
+  authURLSession.userAgent = @"santactl-sync/";
+  NSString *santactlVersion = [[NSBundle mainBundle] objectForInfoDictionaryKey:@"CFBundleVersion"];
+  if (santactlVersion) {
+    authURLSession.userAgent = [authURLSession.userAgent stringByAppendingString:santactlVersion];
+  }
+  authURLSession.refusesRedirects = YES;
+  authURLSession.serverHostname = syncState.syncBaseURL.host;
+  authURLSession.loggingBlock = ^(NSString *line) {
+    LOGD(@"%@", line);
+  };
+
+  // Configure server auth
+  if ([config syncServerAuthRootsFile]) {
+    authURLSession.serverRootsPemFile = [config syncServerAuthRootsFile];
+  } else if ([config syncServerAuthRootsData]) {
+    authURLSession.serverRootsPemData = [config syncServerAuthRootsData];
+  }
+
+  // Configure client auth
+  if ([config syncClientAuthCertificateFile]) {
+    authURLSession.clientCertFile = [config syncClientAuthCertificateFile];
+    authURLSession.clientCertPassword = [config syncClientAuthCertificatePassword];
+  } else if ([config syncClientAuthCertificateCn]) {
+    authURLSession.clientCertCommonName = [config syncClientAuthCertificateCn];
+  } else if ([config syncClientAuthCertificateIssuer]) {
+    authURLSession.clientCertIssuerCn = [config syncClientAuthCertificateIssuer];
+  }
+  
+  syncState.session = [authURLSession session];
+  syncState.daemonConn = self.daemonConn;
+  syncState.daemon = self.daemon;
+  
+  return syncState;
+}
+
+- (void)lockAction:(NSString *)action {
+  [self.dispatchLock setObject:@YES forKey:action];
+}
+
+- (void)unlockAction:(NSString *)action {
+  [self.dispatchLock removeObjectForKey:action];
+}
+
+- (BOOL)checkLockAction:(NSString *)action {
+  return ([self.dispatchLock objectForKey:action] == nil);
+}
+
+#pragma mark reachability methods
+
+- (void)setReachable:(BOOL)reachable {
+  _reachable = reachable;
+  if (reachable) {
+    [self stopReachability];
+    [self fullSync];
+  }
+}
+
+// Start listening for network state changes on a background thread
+- (void)startReachability {
+  if (_reachability) return;
+  const char *nodename = [[SNTConfigurator configurator] syncBaseURL].absoluteString.UTF8String;
+  _reachability = SCNetworkReachabilityCreateWithName(kCFAllocatorDefault, nodename);
+  SCNetworkReachabilityContext context = {
+    .info = (__bridge void *)self
+  };
+  if (SCNetworkReachabilitySetCallback(_reachability, reachabilityHandler, &context)) {
+    SCNetworkReachabilitySetDispatchQueue(
+        _reachability, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0));
+  } else {
+    [self stopReachability];
+  }
+}
+
+// Stop listening for network state changes
+- (void)stopReachability {
+  if (_reachability) {
+    SCNetworkReachabilitySetDispatchQueue(_reachability, NULL);
+    CFRelease(_reachability);
+    _reachability = NULL;
+  }
+}
+
+@end

Source/santactl/Commands/sync/SNTCommandSyncPostflight.h

@@ -12,14 +12,7 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-@class SNTCommandSyncState;
-@class SNTXPCConnection;
-
-@interface SNTCommandSyncLogUpload : NSObject
-
-+ (void)performSyncInSession:(NSURLSession *)session
-                   syncState:(SNTCommandSyncState *)syncState
-                  daemonConn:(SNTXPCConnection *)daemonConn
-           completionHandler:(void (^)(BOOL success))handler;
+#import "SNTCommandSyncStage.h"
 
+@interface SNTCommandSyncPostflight : SNTCommandSyncStage
 @end

Source/santactl/Commands/sync/SNTCommandSyncPostflight.m

@@ -0,0 +1,82 @@
+/// Copyright 2015 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTCommandSyncPostflight.h"
+
+#include "SNTLogging.h"
+
+#import "SNTCommandSyncConstants.h"
+#import "SNTCommandSyncState.h"
+#import "SNTXPCConnection.h"
+#import "SNTXPCControlInterface.h"
+
+@implementation SNTCommandSyncPostflight
+
+- (NSURL *)stageURL {
+  NSString *stageName = [@"postflight" stringByAppendingFormat:@"/%@", self.syncState.machineID];
+  return [NSURL URLWithString:stageName relativeToURL:self.syncState.syncBaseURL];
+}
+
+- (BOOL)sync {
+  NSDictionary *r = [self performRequest:[self requestWithDictionary:nil]];
+
+  dispatch_group_t group = dispatch_group_create();
+  void (^replyBlock)() = ^{
+    dispatch_group_leave(group);
+  };
+
+  // Set client mode if it changed
+  if (self.syncState.clientMode) {
+    dispatch_group_enter(group);
+    [[self.daemonConn remoteObjectProxy] setClientMode:self.syncState.clientMode
+                                                 reply:replyBlock];
+  }
+
+  // Update backoff interval
+  NSString *backoffInterval = r[kBackoffInterval];
+  if (backoffInterval) {
+    dispatch_group_enter(group);
+    [[self.daemonConn remoteObjectProxy] setNextSyncInterval:[backoffInterval intValue]
+                                                       reply:replyBlock];
+  }
+
+  // Remove clean sync flag if we did a clean sync
+  if (self.syncState.cleanSync) {
+    dispatch_group_enter(group);
+    [[self.daemonConn remoteObjectProxy] setSyncCleanRequired:NO reply:replyBlock];
+  }
+
+  // Update whitelist/blacklist regexes
+  if (self.syncState.whitelistRegex) {
+    dispatch_group_enter(group);
+    [[self.daemonConn remoteObjectProxy] setWhitelistPathRegex:self.syncState.whitelistRegex
+                                                         reply:replyBlock];
+  }
+  if (self.syncState.blacklistRegex) {
+    dispatch_group_enter(group);
+    [[self.daemonConn remoteObjectProxy] setBlacklistPathRegex:self.syncState.blacklistRegex
+                                                         reply:replyBlock];
+  }
+
+  // Update last sync success
+  dispatch_group_enter(group);
+  [[self.daemonConn remoteObjectProxy] setSyncLastSuccess:[NSDate date] reply:replyBlock];
+
+  // Wait for dispatch group
+  dispatch_group_wait(group, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC));
+
+  return YES;
+}
+
+@end

Source/santactl/Commands/sync/SNTCommandSyncPreflight.h

@@ -12,14 +12,7 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
-@class SNTCommandSyncState;
-@class SNTXPCConnection;
-
-@interface SNTCommandSyncPostflight : NSObject
-
-+ (void)performSyncInSession:(NSURLSession *)session
-                   syncState:(SNTCommandSyncState *)syncState
-                  daemonConn:(SNTXPCConnection *)daemonConn
-           completionHandler:(void (^)(BOOL success))handler;
+#import "SNTCommandSyncStage.h"
 
+@interface SNTCommandSyncPreflight : SNTCommandSyncStage
 @end

Source/santactl/Commands/sync/SNTCommandSyncPreflight.m

@@ -0,0 +1,105 @@
+/// Copyright 2015 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTCommandSyncPreflight.h"
+
+#include "SNTKernelCommon.h"
+#include "SNTLogging.h"
+
+#import "SNTCommandSyncConstants.h"
+#import "SNTCommandSyncState.h"
+#import "SNTConfigurator.h"
+#import "SNTSystemInfo.h"
+#import "SNTXPCConnection.h"
+#import "SNTXPCControlInterface.h"
+
+@implementation SNTCommandSyncPreflight
+
+- (NSURL *)stageURL {
+  NSString *stageName = [@"preflight" stringByAppendingFormat:@"/%@", self.syncState.machineID];
+  return [NSURL URLWithString:stageName relativeToURL:self.syncState.syncBaseURL];
+}
+
+- (BOOL)sync {
+  NSMutableDictionary *requestDict = [NSMutableDictionary dictionary];
+  requestDict[kSerialNumber] = [SNTSystemInfo serialNumber];
+  requestDict[kHostname] = [SNTSystemInfo longHostname];
+  requestDict[kOSVer] = [SNTSystemInfo osVersion];
+  requestDict[kOSBuild] = [SNTSystemInfo osBuild];
+  requestDict[kSantaVer] = [[NSBundle mainBundle] objectForInfoDictionaryKey:@"CFBundleVersion"];
+  requestDict[kPrimaryUser] = self.syncState.machineOwner;
+
+  dispatch_group_t group = dispatch_group_create();
+  dispatch_group_enter(group);
+  [[self.daemonConn remoteObjectProxy] databaseRuleCounts:^(int64_t binary, int64_t certificate) {
+    requestDict[kBinaryRuleCount] = @(binary);
+    requestDict[kCertificateRuleCount] = @(certificate);
+    dispatch_group_leave(group);
+  }];
+
+  dispatch_group_enter(group);
+  [[self.daemonConn remoteObjectProxy] clientMode:^(SNTClientMode cm) {
+    switch (cm) {
+      case SNTClientModeMonitor:
+        requestDict[kClientMode] = kClientModeMonitor; break;
+      case SNTClientModeLockdown:
+        requestDict[kClientMode] = kClientModeLockdown; break;
+      default: break;
+    }
+    dispatch_group_leave(group);
+  }];
+
+  dispatch_group_wait(group, dispatch_time(DISPATCH_TIME_NOW, 2 * NSEC_PER_SEC));
+
+  // If user requested it or we've never had a successful sync, try from a clean slate.
+  if ([[[NSProcessInfo processInfo] arguments] containsObject:@"--clean"] ||
+      [[SNTConfigurator configurator] syncCleanRequired]) {
+    LOGD(@"Clean sync requested by user");
+    requestDict[kRequestCleanSync] = @YES;
+  }
+
+  NSURLRequest *req = [self requestWithDictionary:requestDict];
+  NSDictionary *resp = [self performRequest:req];
+
+  if (!resp) return NO;
+
+  self.syncState.FCMToken = resp[kFCMToken];
+
+  self.syncState.eventBatchSize = [resp[kBatchSize] intValue] ?: 50;
+
+  self.syncState.uploadLogURL = [NSURL URLWithString:resp[kUploadLogsURL]];
+
+  if ([resp[kClientMode] isEqual:kClientModeMonitor]) {
+    self.syncState.clientMode = SNTClientModeMonitor;
+  } else if ([resp[kClientMode] isEqual:kClientModeLockdown]) {
+    self.syncState.clientMode = SNTClientModeLockdown;
+  }
+
+  if ([resp[kWhitelistRegex] isKindOfClass:[NSString class]]) {
+    self.syncState.whitelistRegex = resp[kWhitelistRegex];
+  }
+
+  if ([resp[kBlacklistRegex] isKindOfClass:[NSString class]]) {
+    self.syncState.blacklistRegex = resp[kBlacklistRegex];
+  }
+
+  if ([resp[kCleanSync] boolValue]) {
+    LOGD(@"Clean sync requested by server");
+    self.syncState.cleanSync = YES;
+  }
+
+  return YES;
+}
+
+@end

Source/santactl/Commands/sync/SNTCommandSyncRuleDownload.h

@@ -0,0 +1,18 @@
+/// Copyright 2015 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTCommandSyncStage.h"
+
+@interface SNTCommandSyncRuleDownload : SNTCommandSyncStage
+@end

Source/santactl/Commands/sync/SNTCommandSyncRuleDownload.m

@@ -0,0 +1,130 @@
+/// Copyright 2015 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTCommandSyncRuleDownload.h"
+
+#import "SNTCommandSyncConstants.h"
+#import "SNTCommandSyncState.h"
+#import "SNTRule.h"
+#import "SNTXPCConnection.h"
+#import "SNTXPCControlInterface.h"
+
+#include "SNTLogging.h"
+
+@implementation SNTCommandSyncRuleDownload
+
+- (NSURL *)stageURL {
+  NSString *stageName = [@"ruledownload" stringByAppendingFormat:@"/%@", self.syncState.machineID];
+  return [NSURL URLWithString:stageName relativeToURL:self.syncState.syncBaseURL];
+}
+
+- (BOOL)sync {
+  self.syncState.downloadedRules = [NSMutableArray array];
+  return [self ruleDownloadWithCursor:nil];
+}
+
+- (BOOL)ruleDownloadWithCursor:(NSString *)cursor {
+  NSDictionary *requestDict = (cursor ? @{kCursor : cursor} : @{});
+
+  NSDictionary *resp = [self performRequest:[self requestWithDictionary:requestDict]];
+  if (!resp) return NO;
+
+  for (NSDictionary *rule in resp[kRules]) {
+    SNTRule *r = [self ruleFromDictionary:rule];
+    if (r) [self.syncState.downloadedRules addObject:r];
+  }
+
+  if (resp[kCursor]) {
+    return [self ruleDownloadWithCursor:resp[kCursor]];
+  }
+
+  if (!self.syncState.downloadedRules.count) return YES;
+
+  dispatch_semaphore_t sema = dispatch_semaphore_create(0);
+  __block NSError *error;
+  [[self.daemonConn remoteObjectProxy] databaseRuleAddRules:self.syncState.downloadedRules
+                                                 cleanSlate:self.syncState.cleanSync
+                                                      reply:^(NSError *e) {
+    error = e;
+    dispatch_semaphore_signal(sema);
+  }];
+  dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 300 * NSEC_PER_SEC));
+
+  if (error) {
+    LOGE(@"Failed to add rule(s) to database: %@", error.localizedDescription);
+    LOGD(@"Failure reason: %@", error.localizedFailureReason);
+    return NO;
+  }
+
+  sema = dispatch_semaphore_create(0);
+  [[self.daemonConn remoteObjectProxy] setRuleSyncLastSuccess:[NSDate date] reply:^{
+    dispatch_semaphore_signal(sema);
+  }];
+  dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC));
+
+  LOGI(@"Added %lu rules", self.syncState.downloadedRules.count);
+
+  if (self.syncState.targetedRuleSync) {
+    for (SNTRule *r in self.syncState.downloadedRules) {
+      NSString *fileName = [[self.syncState.ruleSyncCache objectForKey:r.shasum] copy];
+      [self.syncState.ruleSyncCache removeObjectForKey:r.shasum];
+      if (fileName) {
+        NSString *message = [NSString stringWithFormat:@"%@ can now be run", fileName];
+        [[self.daemonConn remoteObjectProxy]
+            postRuleSyncNotificationWithCustomMessage:message reply:^{}];
+      }
+    }
+  }
+
+  return YES;
+}
+
+- (SNTRule *)ruleFromDictionary:(NSDictionary *)dict {
+  if (![dict isKindOfClass:[NSDictionary class]]) return nil;
+
+  SNTRule *newRule = [[SNTRule alloc] init];
+  newRule.shasum = dict[kRuleSHA256];
+  if (newRule.shasum.length != 64) return nil;
+
+  NSString *policyString = dict[kRulePolicy];
+  if ([policyString isEqual:kRulePolicyWhitelist]) {
+    newRule.state = SNTRuleStateWhitelist;
+  } else if ([policyString isEqual:kRulePolicyBlacklist]) {
+    newRule.state = SNTRuleStateBlacklist;
+  } else if ([policyString isEqual:kRulePolicySilentBlacklist]) {
+    newRule.state = SNTRuleStateSilentBlacklist;
+  } else if ([policyString isEqual:kRulePolicyRemove]) {
+    newRule.state = SNTRuleStateRemove;
+  } else {
+    return nil;
+  }
+
+  NSString *ruleTypeString = dict[kRuleType];
+  if ([ruleTypeString isEqual:kRuleTypeBinary]) {
+    newRule.type = SNTRuleTypeBinary;
+  } else if ([ruleTypeString isEqual:kRuleTypeCertificate]) {
+    newRule.type = SNTRuleTypeCertificate;
+  } else {
+    return nil;
+  }
+
+  NSString *customMsg = dict[kRuleCustomMsg];
+  if (customMsg.length) {
+    newRule.customMsg = customMsg;
+  }
+
+  return newRule;
+}
+
+@end

Source/santactl/Commands/sync/SNTCommandSyncStage.h

@@ -0,0 +1,72 @@
+/// Copyright 2016 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+@class SNTCommandSyncState;
+@class SNTXPCConnection;
+
+@interface SNTCommandSyncStage : NSObject
+
+@property(readonly, nonnull) NSURLSession *urlSession;
+@property(readonly, nonnull) SNTCommandSyncState *syncState;
+@property(readonly, nonnull) SNTXPCConnection *daemonConn;
+
+/**
+  Initialize this stage. Designated initializer.
+
+  @param syncState A holder for state used across requests
+*/
+- (nullable instancetype)initWithState:(nonnull SNTCommandSyncState *)state NS_DESIGNATED_INITIALIZER;
+
+- (nullable instancetype)init NS_UNAVAILABLE;
+
+/**
+  Performs this sync stage.
+
+  @return YES if sync was successful.
+*/
+- (BOOL)sync;
+
+/**
+  The URL for this stage.
+
+  @return The NSURL for this stage.
+*/
+- (nonnull NSURL *)stageURL;
+
+#pragma mark Internal Helpers
+
+/**
+  Creates an NSMutableURLRequest pointing at the URL for this stage and containing the JSON-encoded
+  data passed in as a dictionary.
+
+  @param dictionary The values to POST to the server.
+*/
+- (nullable NSMutableURLRequest *)requestWithDictionary:(nullable NSDictionary *)dictionary;
+
+/**
+  Perform the passed in request and attempt to parse the response as JSON into a dictionary.
+
+  @param request The request to perform
+  @param timeout The number of seconds to allow the request to run before timing out.
+
+  @return A populated dictionary if the response data was JSON, an empty dictionary if not and nil
+          if the request failed for any reason.
+*/
+- (nullable NSDictionary *)performRequest:(nonnull NSURLRequest *)request
+                                  timeout:(NSTimeInterval)timeout;
+
+/** Convenience version of performRequest:timeout: using a 30s timeout. */
+- (nullable NSDictionary *)performRequest:(nonnull NSURLRequest *)request;
+
+@end

Source/santactl/Commands/sync/SNTCommandSyncStage.m

@@ -0,0 +1,196 @@
+/// Copyright 2016 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTCommandSyncStage.h"
+
+#import "NSData+Zlib.h"
+#import "SNTCommandSyncConstants.h"
+#import "SNTCommandSyncState.h"
+#import "SNTLogging.h"
+#import "SNTXPCControlInterface.h"
+#import "SNTXPCConnection.h"
+
+@interface SNTCommandSyncStage ()
+
+@property(readwrite) NSURLSession *urlSession;
+@property(readwrite) SNTCommandSyncState *syncState;
+@property(readwrite) SNTXPCConnection *daemonConn;
+@property BOOL xsrfFetched;
+
+@end
+
+@implementation SNTCommandSyncStage
+
+- (nullable instancetype)initWithState:(nonnull SNTCommandSyncState *)syncState {
+  self = [super init];
+  if (self) {
+    _syncState = syncState;
+    _urlSession = syncState.session;
+    _daemonConn = syncState.daemonConn;
+  }
+  return self;
+}
+
+- (BOOL)sync {
+  [self doesNotRecognizeSelector:_cmd]; __builtin_unreachable();
+}
+
+- (NSString *)stageURL {
+  [self doesNotRecognizeSelector:_cmd]; __builtin_unreachable();
+}
+
+- (NSMutableURLRequest *)requestWithDictionary:(NSDictionary *)dictionary {
+  NSData *requestBody = [NSData data];
+  if (dictionary) {
+    NSError *error;
+    requestBody = [NSJSONSerialization dataWithJSONObject:dictionary options:0 error:&error];
+    if (error) {
+      LOGD(@"Failed to encode JSON request: %@", error);
+      return nil;
+    }
+  }
+
+  NSMutableURLRequest *req = [[NSMutableURLRequest alloc] initWithURL:[self stageURL]];
+  [req setHTTPMethod:@"POST"];
+  [req setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
+  [req setValue:self.syncState.xsrfToken forHTTPHeaderField:kXSRFToken];
+
+  NSData *compressed = [requestBody zlibCompressed];
+  if (compressed) {
+    requestBody = compressed;
+    [req setValue:@"zlib" forHTTPHeaderField:@"Content-Encoding"];
+  }
+
+  [req setHTTPBody:requestBody];
+
+  return req;
+}
+
+- (NSDictionary *)performRequest:(NSURLRequest *)request timeout:(NSTimeInterval)timeout {
+  NSHTTPURLResponse *response;
+  NSError *error;
+  NSData *data = [self performRequest:request timeout:timeout response:&response error:&error];
+
+  // If the original request failed, attempt to get a new XSRF token and try again.
+  // Unfortunately some servers cause NSURLSession to return 'client cert required' or
+  // 'could not parse response' when a 403 occurs and SSL cert auth is enabled.
+  if ((response.statusCode == 403 ||
+       error.code == NSURLErrorClientCertificateRequired ||
+       error.code == NSURLErrorCannotParseResponse) &&
+      [self fetchXSRFToken]) {
+    NSMutableURLRequest *mutableRequest = [request mutableCopy];
+    [mutableRequest setValue:self.syncState.xsrfToken forHTTPHeaderField:kXSRFToken];
+    return [self performRequest:mutableRequest timeout:timeout];
+  }
+
+  if (response.statusCode != 200) {
+    long code;
+    NSString *errStr;
+    if (response.statusCode > 0) {
+      code = response.statusCode;
+      errStr = [NSHTTPURLResponse localizedStringForStatusCode:response.statusCode];
+    } else {
+      code = (long)error.code;
+      errStr = error.localizedDescription;
+    }
+    LOGE(@"HTTP Response: %ld %@", code, errStr);
+    return nil;
+  }
+
+  if (data.length == 0) return @{};
+
+  NSDictionary *dict = [NSJSONSerialization JSONObjectWithData:[self stripXssi:data]
+                                                       options:0
+                                                         error:&error];
+  if (error) LOGD(@"Failed to decode JSON response: %@", error);
+
+  return dict ?: @{};
+}
+
+- (NSDictionary *)performRequest:(NSURLRequest *)request {
+  return [self performRequest:request timeout:30];
+}
+
+#pragma mark Internal Helpers
+
+/**
+  Perform a data request and capture the returned data, response and error objects.
+
+  @param request, The request to perform
+  @param timeout, The number of seconds to wait before cancelling the request
+  @param response, Return the response details
+  @param error, Return the error details
+  @returns data, The HTTP body of the response
+*/
+- (NSData *)performRequest:(NSURLRequest *)request
+                   timeout:(NSTimeInterval)timeout
+                  response:(out NSHTTPURLResponse **)response
+                     error:(out NSError **)error {
+  __block NSData *_data;
+  __block NSHTTPURLResponse *_response;
+  __block NSError *_error;
+
+  dispatch_semaphore_t sema = dispatch_semaphore_create(0);
+  NSURLSessionDataTask *task = [self.urlSession dataTaskWithRequest:request
+                                                  completionHandler:^(NSData *data,
+                                                                      NSURLResponse *response,
+                                                                      NSError *error) {
+    if ([response isKindOfClass:[NSHTTPURLResponse class]]) {
+      _response = (NSHTTPURLResponse *)response;
+    }
+    _data = data;
+    _error = error;
+    dispatch_semaphore_signal(sema);
+  }];
+  [task resume];
+
+  if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * timeout))) {
+    [task cancel];
+  }
+
+  if (response) *response = _response;
+  if (error) *error = _error;
+  return _data;
+}
+
+- (NSData *)stripXssi:(NSData *)data {
+  static const char xssi[3] = { ']', ')', '}' };
+  if (data.length < 3 || strncmp(data.bytes, xssi, 3)) return data;
+  return [data subdataWithRange:NSMakeRange(3, data.length - 3)];
+}
+
+- (BOOL)fetchXSRFToken {
+  BOOL success = NO;
+  if (!self.xsrfFetched) {  // only fetch token once per session
+    self.xsrfFetched = YES;
+    NSString *stageName = [@"xsrf" stringByAppendingFormat:@"/%@", self.syncState.machineID];
+    NSURL *u = [NSURL URLWithString:stageName relativeToURL:self.syncState.syncBaseURL];
+    NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:u];
+    [request setHTTPMethod:@"POST"];
+    NSHTTPURLResponse *response;
+    [self performRequest:request timeout:10 response:&response error:NULL];
+    if (response.statusCode == 200) {
+      NSDictionary *headers = [response allHeaderFields];
+      [[self.daemonConn remoteObjectProxy] setXsrfToken:headers[kXSRFToken] reply:^{}];
+      self.syncState.xsrfToken = headers[kXSRFToken];
+      LOGD(@"Retrieved new XSRF token");
+      success = YES;
+    } else {
+      LOGD(@"Failed to retrieve XSRF token");
+    }
+  };
+  return success;
+}
+
+@end

Source/santactl/Commands/sync/SNTCommandSyncState.h

@@ -0,0 +1,71 @@
+/// Copyright 2015 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import "SNTCommonEnums.h"
+
+@class SNTXPCConnection;
+
+/// An instance of this class is passed to each stage of the sync process for storing data
+/// that might be needed in later stages.
+@interface SNTCommandSyncState : NSObject
+
+/// Configured session to use for requests.
+@property NSURLSession *session;
+
+/// Connection to the daemon control interface.
+@property SNTXPCConnection *daemonConn;
+
+/// The base API URL.
+@property NSURL *syncBaseURL;
+
+/// An XSRF token to send in the headers with each request.
+@property NSString *xsrfToken;
+
+/// A FCM token to subscribe to push notifications.
+@property(copy) NSString *FCMToken;
+
+/// Machine identifier and owner.
+@property(copy) NSString *machineID;
+@property(copy) NSString *machineOwner;
+
+/// Settings sent from server during preflight that are set during postflight.
+@property SNTClientMode clientMode;
+@property NSString *whitelistRegex;
+@property NSString *blacklistRegex;
+
+/// Clean sync flag, if True, all existing rules should be deleted before inserting any new rules.
+@property BOOL cleanSync;
+
+/// Batch size for uploading events.
+@property NSUInteger eventBatchSize;
+
+/// Log upload URL sent from server. If set, LogUpload phase needs to happen.
+@property NSURL *uploadLogURL;
+
+/// Array of bundle paths to find binaries for.
+@property NSArray *bundleBinaryRequests;
+
+/// Rules downloaded from server.
+@property NSMutableArray *downloadedRules;
+
+/// Returns YES if the santactl session is running as a daemon, returns NO otherwise.
+@property BOOL daemon;
+
+/// Returns YES if the session is targeted for this machine, returns NO otherwise.
+@property BOOL targetedRuleSync;
+
+/// Reference to the sync manager's ruleSyncCache. Used to lookup binary names for notifications.
+@property(weak) NSCache *ruleSyncCache;
+
+@end

Source/santactl/SNTCommandController.m

@@ -55,9 +55,12 @@ static NSMutableDictionary *registeredCommands;
 + (NSString *)helpForCommandWithName:(NSString *)commandName {
   Class<SNTCommand> command = registeredCommands[commandName];
   if (command) {
+    NSString *shortHelp = [command shortHelpText];
     NSString *longHelp = [command longHelpText];
     if (longHelp) {
       return [NSString stringWithFormat:@"Help for '%@':\n%@", commandName, longHelp];
+    } else if (shortHelp) {
+      return [NSString stringWithFormat:@"Help for '%@':\n%@", commandName, shortHelp];
     } else {
       return @"This command does not have any help information.";
     }
@@ -65,15 +68,16 @@ static NSMutableDictionary *registeredCommands;
   return nil;
 }
 
-+ (SNTXPCConnection *)connectToDaemon {
++ (SNTXPCConnection *)connectToDaemonRequired:(BOOL)required {
   SNTXPCConnection *daemonConn = [SNTXPCControlInterface configuredConnection];
 
-  daemonConn.invalidationHandler = ^{
-    printf("An error occurred communicating with the daemon, is it running?\n");
-    exit(1);
-  };
-
-  [daemonConn resume];
+  if (required) {
+    daemonConn.invalidationHandler = ^{
+      printf("An error occurred communicating with the daemon, is it running?\n");
+      exit(1);
+    };
+    [daemonConn resume];
+  }
   return daemonConn;
 }
 
@@ -89,11 +93,7 @@ static NSMutableDictionary *registeredCommands;
     exit(2);
   }
 
-  SNTXPCConnection *daemonConn;
-  if ([command requiresDaemonConn]) {
-    daemonConn = [self connectToDaemon];
-  }
-
+  SNTXPCConnection *daemonConn = [self connectToDaemonRequired:[command requiresDaemonConn]];
   [command runWithArguments:arguments daemonConnection:daemonConn];
 
   // The command is responsible for quitting.

Source/santactl/fileinfo/SNTCommandFileInfo.m

@@ -1,180 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-#import "SNTCommandController.h"
-
-#include "SNTLogging.h"
-
-#import "MOLCertificate.h"
-#import "MOLCodesignChecker.h"
-#import "SNTFileInfo.h"
-
-@interface SNTCommandFileInfo : NSObject<SNTCommand>
-@end
-
-@implementation SNTCommandFileInfo
-
-REGISTER_COMMAND_NAME(@"fileinfo")
-
-+ (BOOL)requiresRoot {
-  return NO;
-}
-
-+ (BOOL)requiresDaemonConn {
-  return NO;
-}
-
-+ (NSString *)shortHelpText {
-  return @"Prints information about a file.";
-}
-
-+ (NSString *)longHelpText {
-  return (@"The details provided will be the same ones Santa uses to make a decision\n"
-          @"about executables. This includes SHA-256, SHA-1, code signing information and\n"
-          @"the type of file.");
-}
-
-+ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
-  NSString *filePath = [arguments firstObject];
-
-  if (!filePath) {
-    printf("Missing file path\n");
-    exit(1);
-  }
-
-  SNTFileInfo *fileInfo = [[SNTFileInfo alloc] initWithPath:filePath];
-  if (!fileInfo) {
-    printf("Invalid or empty file\n");
-    exit(1);
-  }
-
-  NSDateFormatter *dateFormatter = [[NSDateFormatter alloc] init];
-  dateFormatter.dateFormat = @"yyyy/MM/dd HH:mm:ss Z";
-
-  if (isatty(STDOUT_FILENO)) printf("Hashing...");
-  NSString *sha1, *sha256;
-  [fileInfo hashSHA1:&sha1 SHA256:&sha256];
-  if (isatty(STDOUT_FILENO)) printf("\r");
-
-  [self printKey:@"Path" value:fileInfo.path];
-  [self printKey:@"SHA-256" value:sha256];
-  [self printKey:@"SHA-1" value:sha1];
-
-  if (fileInfo.bundlePath) {
-    [self printKey:@"Bundle Name" value:fileInfo.bundleName];
-    [self printKey:@"Bundle Version" value:fileInfo.bundleVersion];
-    [self printKey:@"Bundle Version Str" value:fileInfo.bundleShortVersionString];
-  }
-
-  if (fileInfo.quarantineDataURL) {
-    [self printKey:@"Download Referer URL" value:fileInfo.quarantineRefererURL];
-    [self printKey:@"Download URL" value:fileInfo.quarantineDataURL];
-    [self printKey:@"Download Timestamp"
-             value:[dateFormatter stringFromDate:fileInfo.quarantineTimestamp]];
-    [self printKey:@"Download Agent" value:fileInfo.quarantineAgentBundleID];
-  }
-
-  NSArray *archs = [fileInfo architectures];
-  if (archs.count == 0) {
-    [self printKey:@"Type" value:[self humanReadableFileType:fileInfo]];
-    exit(0);
-  }
-
-  NSString *s = [NSString stringWithFormat:@"%@ (%@)",
-                                           [self humanReadableFileType:fileInfo],
-                                           [archs componentsJoinedByString:@", "]];
-  [self printKey:@"Type" value:s];
-
-  if ([fileInfo isMissingPageZero]) {
-    [self printKey:@"Page Zero" value:@"__PAGEZERO segment missing/bad!"];
-  }
-
-  NSError *error;
-  MOLCodesignChecker *csc = [[MOLCodesignChecker alloc] initWithBinaryPath:filePath error:&error];
-  if (!error) {
-    [self printKey:@"Code-signed" value:@"Yes"];
-  } else {
-    switch (error.code) {
-      case errSecCSUnsigned:
-        [self printKey:@"Code-signed" value:@"No"];
-        break;
-      case errSecCSSignatureFailed:
-      case errSecCSStaticCodeChanged:
-      case errSecCSSignatureNotVerifiable:
-      case errSecCSSignatureUnsupported:
-        [self printKey:@"Code-signed" value:@"Yes, but code/signatured changed/unverifiable"];
-        break;
-      case errSecCSResourceDirectoryFailed:
-      case errSecCSResourceNotSupported:
-      case errSecCSResourceRulesInvalid:
-      case errSecCSResourcesInvalid:
-      case errSecCSResourcesNotFound:
-      case errSecCSResourcesNotSealed:
-        [self printKey:@"Code-signed" value:@"Yes, but resources invalid"];
-        break;
-      case errSecCSReqFailed:
-      case errSecCSReqInvalid:
-      case errSecCSReqUnsupported:
-        [self printKey:@"Code-signed" value:@"Yes, but failed requirement validation"];
-        break;
-      case errSecCSInfoPlistFailed:
-        [self printKey:@"Code-signed" value:@"Yes, but can't validate as Info.plist is missing"];
-        break;
-      default: {
-        NSString *val = [NSString stringWithFormat:@"Yes, but failed to validate (%ld)",
-                                                   error.code];
-        [self printKey:@"Code-signed" value:val];
-        break;
-      }
-    }
-  }
-  if (csc.certificates.count) {
-    printf("Signing chain:\n");
-
-    [csc.certificates enumerateObjectsUsingBlock:^(MOLCertificate *c,
-                                                   unsigned long idx,
-                                                   BOOL *stop) {
-      printf("    %2lu. %-20s: %s\n", idx + 1, "SHA-256", [c.SHA256 UTF8String]);
-      printf("        %-20s: %s\n", "SHA-1", [c.SHA1 UTF8String]);
-      printf("        %-20s: %s\n", "Common Name", [c.commonName UTF8String]);
-      printf("        %-20s: %s\n", "Organization", [c.orgName UTF8String]);
-      printf("        %-20s: %s\n", "Organizational Unit", [c.orgUnit UTF8String]);
-      printf("        %-20s: %s\n", "Valid From",
-             [[dateFormatter stringFromDate:c.validFrom] UTF8String]);
-      printf("        %-20s: %s\n", "Valid Until",
-             [[dateFormatter stringFromDate:c.validUntil] UTF8String]);
-      printf("\n");
-    }];
-  }
-
-  exit(0);
-}
-
-+ (void)printKey:(NSString *)key value:(NSString *)value {
-  if (!key || !value) return;
-  printf("%-21s: %s\n", [key UTF8String], [value UTF8String]);
-}
-
-+ (NSString *)humanReadableFileType:(SNTFileInfo *)fi {
-  if ([fi isScript]) return @"Script";
-  if ([fi isXARArchive]) return @"XAR Archive";
-  if ([fi isDylib]) return @"Dynamic Library";
-  if ([fi isKext]) return @"Kernel Extension";
-  if ([fi isFat]) return @"Fat Binary";
-  if ([fi isMachO]) return @"Thin Binary";
-  if ([fi isDMG]) return @"Disk Image";
-  return @"Unknown";
-}
-
-@end

Source/santactl/sync/SNTAuthenticatingURLSession.h

@@ -1,84 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-///
-///  An authenticating NSURLSession, which can do both pinned verification of the SSL server
-///  and handle client certificate authentication from the keychain.
-///
-@interface SNTAuthenticatingURLSession : NSObject<NSURLSessionDelegate>
-
-///
-///  The underlying session. Pass this session to NSURLRequest methods.
-///
-@property(readonly, nonatomic) NSURLSession *session;
-
-///
-///  If set, this is the user-agent to send with requests, otherwise remains the default
-///  CFNetwork-based name.
-///
-@property(copy, nonatomic) NSString *userAgent;
-
-///
-///  If set to YES, this session refuses redirect requests. Defaults to NO.
-///
-@property(nonatomic) BOOL refusesRedirects;
-
-///
-///  If set, the server that we connect to _must_ match this string. Redirects to other
-///  hosts will not be allowed.
-///
-@property(copy, nonatomic) NSString *serverHostname;
-
-///
-///  This should be PEM data containing one or more certificates to use to verify the server's
-///  certificate chain. This will override the trusted roots in the System Roots.
-///
-@property(copy, nonatomic) NSData *serverRootsPemData;
-
-///
-///  If set and client certificate authentication is needed, the pkcs#12 file will be loaded
-///
-@property(copy, nonatomic) NSString *clientCertFile;
-
-///
-///  If set and client certificate authentication is needed, the password being used for
-///  loading the clientCertFile
-///
-@property(copy, nonatomic) NSString *clientCertPassword;
-
-///
-///  If set and client certificate authentication is needed, will search the keychain for a
-///  certificate matching this common name and use that for authentication
-///  @note Not case sensitive
-///  @note If multiple matching certificates are found, the first one is used.
-///  @note If this property is not set and neither is |clientCertIssuerCn|, the allowed issuers
-///  provided by the server will be used to find a matching certificate.
-///
-@property(copy, nonatomic) NSString *clientCertCommonName;
-
-///
-///  If set and client certificate authentication is needed, will search the keychain for a
-///  certificate issued by an issuer with this name and use that for authentication.
-///
-///  @note Not case sensitive
-///  @note If multiple matching certificates are found, the first one is used.
-///  @note If this property is not set and neither is |clientCertCommonName|, the allowed issuers
-///      provided by the server will be used to find a matching certificate.
-///
-@property(copy, nonatomic) NSString *clientCertIssuerCn;
-
-/// Designated initializer
-- (instancetype)initWithSessionConfiguration:(NSURLSessionConfiguration *)configuration;
-
-@end

Source/santactl/sync/SNTAuthenticatingURLSession.m

@@ -1,376 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-#import "SNTAuthenticatingURLSession.h"
-
-#import "MOLCertificate.h"
-#import "SNTDERDecoder.h"
-#import "SNTLogging.h"
-
-@interface SNTAuthenticatingURLSession ()
-@property(readwrite) NSURLSession *session;
-@property NSURLSessionConfiguration *sessionConfig;
-@end
-
-@implementation SNTAuthenticatingURLSession
-
-- (instancetype)initWithSessionConfiguration:(NSURLSessionConfiguration *)configuration {
-  self = [super init];
-  if (self) {
-    _sessionConfig = configuration;
-  }
-  return self;
-}
-
-- (instancetype)init {
-  NSURLSessionConfiguration *config = [NSURLSessionConfiguration ephemeralSessionConfiguration];
-  [config setTLSMinimumSupportedProtocol:kTLSProtocol12];
-  [config setHTTPShouldUsePipelining:YES];
-  return [self initWithSessionConfiguration:config];
-}
-
-#pragma mark Session Fetching
-
-- (NSURLSession *)session {
-  if (!_session) {
-    _session = [NSURLSession sessionWithConfiguration:self.sessionConfig
-                                             delegate:self
-                                        delegateQueue:nil];
-  }
-
-  return _session;
-}
-
-#pragma mark User Agent property
-
-- (NSString *)userAgent {
-  return self.sessionConfig.HTTPAdditionalHeaders[@"User-Agent"];
-}
-
-- (void)setUserAgent:(NSString *)userAgent {
-  NSMutableDictionary *addlHeaders = [self.sessionConfig.HTTPAdditionalHeaders mutableCopy];
-  if (!addlHeaders) addlHeaders = [NSMutableDictionary dictionary];
-  addlHeaders[@"User-Agent"] = userAgent;
-  self.sessionConfig.HTTPAdditionalHeaders = [addlHeaders copy];
-  _session = nil;
-}
-
-#pragma mark NSURLSessionDelegate methods
-
-- (void)URLSession:(NSURLSession *)session
-    didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
-      completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition,
-                                  NSURLCredential *credential))completionHandler {
-  NSURLProtectionSpace *protectionSpace = challenge.protectionSpace;
-
-  if (challenge.previousFailureCount > 0) {
-    completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
-    return;
-  }
-
-  if (self.serverHostname && ![self.serverHostname isEqual:protectionSpace.host]) {
-    completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
-    return;
-  }
-
-  if (![protectionSpace.protocol isEqual:NSURLProtectionSpaceHTTPS]) {
-    LOGE(@"%@ is not a secure protocol", protectionSpace.protocol);
-    completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
-    return;
-  }
-
-  if (!protectionSpace.receivesCredentialSecurely) {
-    LOGE(@"Secure authentication or protocol cannot be established.");
-    completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
-    return;
-  }
-
-  NSString *authMethod = [protectionSpace authenticationMethod];
-
-  if (authMethod == NSURLAuthenticationMethodClientCertificate) {
-    NSURLCredential *cred = [self clientCredentialForProtectionSpace:protectionSpace];
-    if (cred) {
-      completionHandler(NSURLSessionAuthChallengeUseCredential, cred);
-      return;
-    } else {
-      LOGW(@"Server asked for client authentication but no usable client certificate found.");
-      completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
-      return;
-    }
-  } else if (authMethod == NSURLAuthenticationMethodServerTrust) {
-    NSURLCredential *cred = [self serverCredentialForProtectionSpace:protectionSpace];
-    if (cred) {
-      completionHandler(NSURLSessionAuthChallengeUseCredential, cred);
-      return;
-    } else {
-      LOGE(@"Unable to verify server identity.");
-      completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
-      return;
-    }
-  }
-
-  completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
-}
-
-- (void)URLSession:(NSURLSession *)session
-                          task:(NSURLSessionTask *)task
-    willPerformHTTPRedirection:(NSHTTPURLResponse *)response
-                    newRequest:(NSURLRequest *)request
-             completionHandler:(void (^)(NSURLRequest *))completionHandler {
-  if (self.refusesRedirects) {
-    LOGD(@"Rejected redirection to: %@", request.URL);
-    [task cancel];  // without this, the connection hangs until timeout!?!
-    completionHandler(NULL);
-  } else {
-    completionHandler(request);
-  }
-}
-
-#pragma mark Private Helpers for URLSession:didReceiveChallenge:completionHandler:
-
-///
-///  Handles the process of locating a valid client certificate for authentication.
-///  Operates in one of four modes, depending on the configuration in config.plist
-///
-///  Mode 1: if syncClientAuthCertificateFile is set, use the identity in the pkcs file
-///  Mode 2: if syncClientAuthCertificateCn is set, look for an identity in the keychain with a
-///          matching common name and return it.
-///  Mode 3: if syncClientAuthCertificateIssuer is set, look for an identity in the keychain with a
-///          matching issuer common name and return it.
-///  Mode 4: use the list of issuer details sent down by the server to find an identity in the
-///          keychain.
-///
-///  If a valid identity cannot be found, returns nil.
-///
-- (NSURLCredential *)clientCredentialForProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
-  __block OSStatus err = errSecSuccess;
-  __block SecIdentityRef foundIdentity = NULL;
-
-  if (self.clientCertFile) {
-    foundIdentity = [self identityFromFile:self.clientCertFile password:self.clientCertPassword];
-  } else {
-    CFArrayRef cfResults = NULL;
-    SecItemCopyMatching((__bridge CFDictionaryRef) @{
-      (id)kSecClass : (id)kSecClassCertificate,
-      (id)kSecReturnRef : @YES,
-      (id)kSecMatchLimit : (id)kSecMatchLimitAll
-    }, (CFTypeRef *)&cfResults);
-    NSArray *results = CFBridgingRelease(cfResults);
-
-    NSMutableArray *allCerts = [[MOLCertificate certificatesFromArray:results] mutableCopy];
-
-    if (self.clientCertCommonName) {
-      foundIdentity = [self identityByFilteringArray:allCerts
-                                          commonName:self.clientCertCommonName
-                                    issuerCommonName:nil
-                                   issuerCountryName:nil
-                                       issuerOrgName:nil
-                                       issuerOrgUnit:nil];
-    } else if (self.clientCertIssuerCn) {
-      foundIdentity = [self identityByFilteringArray:allCerts
-                                          commonName:nil
-                                    issuerCommonName:self.clientCertIssuerCn
-                                   issuerCountryName:nil
-                                       issuerOrgName:nil
-                                       issuerOrgUnit:nil];
-    } else {
-      for (NSData *allowedIssuer in protectionSpace.distinguishedNames) {
-        SNTDERDecoder *decoder = [[SNTDERDecoder alloc] initWithData:allowedIssuer];
-
-        if (!decoder) {
-          LOGW(@"Unable to decode allowed distinguished name.");
-          continue;
-        }
-
-        foundIdentity = [self identityByFilteringArray:allCerts
-                                            commonName:nil
-                                      issuerCommonName:decoder.commonName
-                                     issuerCountryName:decoder.countryName
-                                         issuerOrgName:decoder.organizationName
-                                         issuerOrgUnit:decoder.organizationalUnit];
-        if (foundIdentity) break;
-      }
-    }
-  }
-
-  if (foundIdentity) {
-    SecCertificateRef certificate = NULL;
-    err = SecIdentityCopyCertificate(foundIdentity, &certificate);
-    MOLCertificate *clientCert = [[MOLCertificate alloc] initWithSecCertificateRef:certificate];
-    if (certificate) CFRelease(certificate);
-    LOGD(@"Client Trust: Valid client identity %@.", clientCert);
-    NSURLCredential *cred =
-        [NSURLCredential credentialWithIdentity:foundIdentity
-                                   certificates:nil
-                                    persistence:NSURLCredentialPersistenceForSession];
-    return cred;
-  } else {
-    LOGD(@"Client Trust: No valid identity found.");
-    return nil;
-  }
-}
-
-///
-///  Handles the process of evaluating the server's certificate chain.
-///  Operates in one of three modes, depending on the configuration in config.plist
-///
-///  Mode 1: if syncServerAuthRootsData is set, evaluates the server's certificate chain contains
-///          one of the certificates in the PEM data in the config plist.
-///  Mode 2: if syncServerAuthRootsFile is set, evaluates the server's certificate chain contains
-///          one of the certificates in the PEM data in the file specified.
-///  Mode 3: evaluates the server's certificate chain is trusted by the keychain.
-///
-///  If the server's certificate chain does not evaluate for any reason, returns nil.
-///
-- (NSURLCredential *)serverCredentialForProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
-  SecTrustRef serverTrust = protectionSpace.serverTrust;
-  if (serverTrust == NULL) {
-    LOGD(@"Server Trust: No server trust information available");
-    return nil;
-  }
-
-  OSStatus err = errSecSuccess;
-
-  if (self.serverRootsPemData) {
-    NSString *pemStrings = [[NSString alloc] initWithData:self.serverRootsPemData
-                                                 encoding:NSASCIIStringEncoding];
-    NSArray *certs = [MOLCertificate certificatesFromPEM:pemStrings];
-
-    // Make a new array of the SecCertificateRef's from the MOLCertificate's.
-    NSMutableArray *certRefs = [[NSMutableArray alloc] initWithCapacity:certs.count];
-    for (MOLCertificate *cert in certs) {
-      [certRefs addObject:(id)cert.certRef];
-    }
-
-    // Set this array of certs as the anchors to trust.
-    err = SecTrustSetAnchorCertificates(serverTrust, (__bridge CFArrayRef)certRefs);
-    if (err != errSecSuccess) {
-      LOGD(@"Server Trust: Could not set anchor certificates: %d", err);
-      return nil;
-    }
-  }
-
-  // Evaluate the server's cert chain.
-  SecTrustResultType result = kSecTrustResultInvalid;
-  err = SecTrustEvaluate(serverTrust, &result);
-  if (err != errSecSuccess) {
-    LOGD(@"Server Trust: Unable to evaluate certificate chain for server: %d", err);
-    return nil;
-  }
-
-  // Print details about the server's leaf certificate.
-  SecCertificateRef firstCert = SecTrustGetCertificateAtIndex(serverTrust, 0);
-  if (firstCert) {
-    MOLCertificate *cert = [[MOLCertificate alloc] initWithSecCertificateRef:firstCert];
-    LOGD(@"Server Trust: Server leaf cert: %@", cert);
-  }
-
-  // Having a trust level "unspecified" by the user is the usual result, described at
-  // https://developer.apple.com/library/mac/qa/qa1360
-  if (result != kSecTrustResultProceed && result != kSecTrustResultUnspecified) {
-    LOGD(@"Server Trust: Server isn't trusted. SecTrustResultType: %d", result);
-    return nil;
-  }
-
-  return [NSURLCredential credentialForTrust:serverTrust];
-}
-
-/**
-  Given an array of MOLCertificate objects and some properties, filter the array
-  repeatedly until an identity is found that fulfills the signing chain.
- */
-- (SecIdentityRef)identityByFilteringArray:(NSArray *)array
-                                commonName:(NSString *)commonName
-                          issuerCommonName:(NSString *)issuerCommonName
-                         issuerCountryName:(NSString *)issuerCountryName
-                             issuerOrgName:(NSString *)issuerOrgName
-                             issuerOrgUnit:(NSString *)issuerOrgUnit {
-  NSMutableArray *predicates = [NSMutableArray arrayWithCapacity:4];
-
-  if (commonName) {
-    [predicates addObject:[NSPredicate predicateWithFormat:@"SELF.commonName == %@",
-                                                           commonName]];
-  }
-  if (issuerCommonName) {
-    [predicates addObject:[NSPredicate predicateWithFormat:@"SELF.issuerCommonName == %@",
-                                                           issuerCommonName]];
-  }
-  if (issuerCountryName) {
-    [predicates addObject:[NSPredicate predicateWithFormat:@"SELF.issuerCountryName == %@",
-                                                           issuerCountryName]];
-  }
-  if (issuerOrgName) {
-    [predicates addObject:[NSPredicate predicateWithFormat:@"SELF.issuerOrgName == %@",
-                                                           issuerOrgName]];
-  }
-  if (issuerOrgUnit) {
-    [predicates addObject:[NSPredicate predicateWithFormat:@"SELF.issuerOrgUnit == %@",
-                                                           issuerOrgUnit]];
-  }
-
-  NSCompoundPredicate *andPreds = [NSCompoundPredicate andPredicateWithSubpredicates:predicates];
-
-  NSArray *filteredCerts = [array filteredArrayUsingPredicate:andPreds];
-  if (!filteredCerts.count) return NULL;
-
-  for (MOLCertificate *cert in filteredCerts) {
-    SecIdentityRef identityRef = NULL;
-    OSStatus status = SecIdentityCreateWithCertificate(NULL, cert.certRef, &identityRef);
-    if (status == errSecSuccess) {
-      return identityRef;
-    } else {
-      // Avoid infinite recursion from self-signed certs
-      if ((cert.commonName && [cert.commonName isEqual:cert.issuerCommonName]) &&
-          (cert.countryName && [cert.countryName isEqual:cert.issuerCountryName]) &&
-          (cert.orgName && [cert.orgName isEqual:cert.issuerOrgName]) &&
-          (cert.orgUnit && [cert.orgUnit isEqual:cert.issuerOrgUnit])) {
-        continue;
-      }
-
-      return [self identityByFilteringArray:array
-                                 commonName:nil
-                           issuerCommonName:cert.commonName
-                          issuerCountryName:cert.countryName
-                              issuerOrgName:cert.orgName
-                              issuerOrgUnit:cert.orgUnit];
-    }
-  }
-  return NULL;
-}
-
-- (SecIdentityRef)identityFromFile:(NSString *)file password:(NSString *)password {
-  NSError *error;
-  NSData *data = [NSData dataWithContentsOfFile:file options:0 error:&error];
-  if (error) {
-    LOGD(@"Client Trust: Couldn't open client certificate %@: %@",
-         self.clientCertFile,
-         [error localizedDescription]);
-    return nil;
-  }
-
-  NSDictionary *options = (password ? @{(__bridge id)kSecImportExportPassphrase : password} : @{});
-  CFArrayRef cfIdentities;
-  OSStatus err = SecPKCS12Import(
-      (__bridge CFDataRef)data, (__bridge CFDictionaryRef)options, &cfIdentities);
-  NSArray *identities = CFBridgingRelease(cfIdentities);
-
-  if (err != errSecSuccess) {
-    LOGD(@"Client Trust: Couldn't load client certificate %@: %d", self.clientCertFile, err);
-    return nil;
-  }
-
-  return (__bridge SecIdentityRef)identities[0][(__bridge id)kSecImportItemIdentity];
-}
-
-@end

Source/santactl/sync/SNTCommandSync.m

@@ -1,242 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-#import "SNTCommandController.h"
-
-#import "SNTAuthenticatingURLSession.h"
-#import "SNTCommandSyncEventUpload.h"
-#import "SNTCommandSyncLogUpload.h"
-#import "SNTCommandSyncPostflight.h"
-#import "SNTCommandSyncPreflight.h"
-#import "SNTCommandSyncRuleDownload.h"
-#import "SNTCommandSyncState.h"
-#import "SNTConfigurator.h"
-#import "SNTDropRootPrivs.h"
-#import "SNTLogging.h"
-#import "SNTXPCConnection.h"
-#import "SNTXPCControlInterface.h"
-
-@interface SNTCommandSync : NSObject<SNTCommand>
-@property NSURLSession *session;
-@property SNTXPCConnection *daemonConn;
-@property SNTCommandSyncState *syncState;
-@end
-
-@implementation SNTCommandSync
-
-REGISTER_COMMAND_NAME(@"sync")
-
-+ (BOOL)requiresRoot {
-  return NO;
-}
-
-+ (BOOL)requiresDaemonConn {
-  return YES;
-}
-
-+ (NSString *)shortHelpText {
-  return @"Synchronizes Santa with a configured server.";
-}
-
-+ (NSString *)longHelpText {
-  return nil;
-}
-
-+ (void)runWithArguments:(NSArray *)arguments daemonConnection:(SNTXPCConnection *)daemonConn {
-  SNTConfigurator *config = [SNTConfigurator configurator];
-
-  // Ensure we have no privileges
-  if (!DropRootPrivileges()) {
-    LOGE(@"Failed to drop root privileges. Exiting.");
-    exit(1);
-  }
-
-  // Dropping root privileges to the 'nobody' user causes the default NSURLCache to throw
-  // sandbox errors, which are benign but annoying. This line disables the cache entirely.
-  [NSURLCache setSharedURLCache:[[NSURLCache alloc] initWithMemoryCapacity:0
-                                                              diskCapacity:0
-                                                                  diskPath:nil]];
-
-  SNTCommandSync *s = [[self alloc] init];
-
-  SNTAuthenticatingURLSession *authURLSession = [[SNTAuthenticatingURLSession alloc] init];
-
-  authURLSession.userAgent = @"santactl-sync/";
-  NSString *santactlVersion = [[NSBundle mainBundle] objectForInfoDictionaryKey:@"CFBundleVersion"];
-  if (santactlVersion) {
-    authURLSession.userAgent = [authURLSession.userAgent stringByAppendingString:santactlVersion];
-  }
-  authURLSession.refusesRedirects = YES;
-
-  // Configure server auth
-  if ([config syncServerAuthRootsFile]) {
-    NSError *error = nil;
-
-    NSData *rootsData = [NSData dataWithContentsOfFile:[config syncServerAuthRootsFile]
-                                               options:0
-                                                 error:&error];
-    authURLSession.serverRootsPemData = rootsData;
-
-    if (!rootsData) {
-      LOGE(@"Couldn't open server root certificate file %@ with error: %@.",
-           [config syncServerAuthRootsFile],
-           [error localizedDescription]);
-      exit(1);
-    }
-  } else if ([config syncServerAuthRootsData]) {
-    authURLSession.serverRootsPemData = [config syncServerAuthRootsData];
-  }
-
-  // Configure client auth
-  if ([config syncClientAuthCertificateFile]) {
-    authURLSession.clientCertFile = [config syncClientAuthCertificateFile];
-    authURLSession.clientCertPassword = [config syncClientAuthCertificatePassword];
-  } else if ([config syncClientAuthCertificateCn]) {
-    authURLSession.clientCertCommonName = [config syncClientAuthCertificateCn];
-  } else if ([config syncClientAuthCertificateIssuer]) {
-    authURLSession.clientCertIssuerCn = [config syncClientAuthCertificateIssuer];
-  }
-
-  s.session = [authURLSession session];
-  s.daemonConn = daemonConn;
-
-  // Gather some data needed during some sync stages
-  s.syncState = [[SNTCommandSyncState alloc] init];
-
-  s.syncState.syncBaseURL = config.syncBaseURL;
-  if (!s.syncState.syncBaseURL) {
-    LOGE(@"Missing SyncBaseURL. Can't sync without it.");
-    exit(1);
-  } else if (![s.syncState.syncBaseURL.scheme isEqual:@"https"]) {
-    LOGW(@"SyncBaseURL is not over HTTPS!");
-  }
-  authURLSession.serverHostname = s.syncState.syncBaseURL.host;
-
-  s.syncState.machineID = config.machineID;
-  if ([s.syncState.machineID length] == 0) {
-    LOGE(@"Missing Machine ID. Can't sync without it.");
-    exit(1);
-  }
-
-  s.syncState.machineOwner = config.machineOwner;
-  if ([s.syncState.machineOwner length] == 0) {
-    s.syncState.machineOwner = @"";
-    LOGW(@"Missing Machine Owner.");  
-  }
-
-  if ([arguments containsObject:@"singleevent"]) {
-    NSUInteger idx = [arguments indexOfObject:@"singleevent"];
-    idx++;
-    NSString *obj = arguments[idx];
-    if (obj.length != 64) {
-      LOGI(@"singleevent passed without SHA-256 as next argument");
-      exit(1);
-    }
-    [s eventUploadSingleEvent:obj];
-  } else {
-    [s preflight];
-  }
-}
-
-- (void)preflight {
-  [SNTCommandSyncPreflight performSyncInSession:self.session
-                                      syncState:self.syncState
-                                     daemonConn:self.daemonConn
-                              completionHandler:^(BOOL success) {
-      if (success) {
-        if (self.syncState.uploadLogURL) {
-          [self logUpload];
-        } else {
-          [self eventUpload];
-        }
-      } else {
-        LOGE(@"Preflight failed, aborting run");
-        exit(1);
-      }
-  }];
-}
-
-- (void)logUpload {
-  [SNTCommandSyncLogUpload performSyncInSession:self.session
-                                      syncState:self.syncState
-                                     daemonConn:self.daemonConn
-                              completionHandler:^(BOOL success) {
-      if (success) {
-      } else {
-        LOGE(@"Log upload failed, continuing anyway");
-      }
-      [self eventUpload];
-
-  }];
-}
-
-- (void)eventUpload {
-  [SNTCommandSyncEventUpload performSyncInSession:self.session
-                                        syncState:self.syncState
-                                       daemonConn:self.daemonConn
-                                completionHandler:^(BOOL success) {
-      if (success) {
-        [self ruleDownload];
-      } else {
-        LOGE(@"Event upload failed, aborting run");
-        exit(1);
-      }
-  }];
-}
-
-- (void)eventUploadSingleEvent:(NSString *)sha256 {
-  [SNTCommandSyncEventUpload uploadSingleEventWithSHA256:sha256
-                                                 session:self.session
-                                               syncState:self.syncState
-                                              daemonConn:self.daemonConn
-                                       completionHandler:^(BOOL success) {
-      if (success) {
-        exit(0);
-      } else {
-        LOGW(@"Event upload failed");
-        exit(1);
-      }
-  }];
-}
-
-- (void)ruleDownload {
-  [SNTCommandSyncRuleDownload performSyncInSession:self.session
-                                         syncState:self.syncState
-                                        daemonConn:self.daemonConn
-                                 completionHandler:^(BOOL success) {
-      if (success) {
-        [self postflight];
-      } else {
-        LOGE(@"Rule download failed, aborting run");
-        exit(1);
-      }
-  }];
-}
-
-- (void)postflight {
-  [SNTCommandSyncPostflight performSyncInSession:self.session
-                                       syncState:self.syncState
-                                      daemonConn:self.daemonConn
-                               completionHandler:^(BOOL success) {
-      if (success) {
-        LOGI(@"Sync completed successfully");
-        exit(0);
-      } else {
-        LOGE(@"Postflight failed");
-        exit(1);
-      }
-  }];
-}
-
-@end

Source/santactl/sync/SNTCommandSyncEventUpload.h

@@ -1,31 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-@class SNTCommandSyncState;
-@class SNTXPCConnection;
-
-@interface SNTCommandSyncEventUpload : NSObject
-
-+ (void)performSyncInSession:(NSURLSession *)session
-                   syncState:(SNTCommandSyncState *)syncState
-                  daemonConn:(SNTXPCConnection *)daemonConn
-           completionHandler:(void (^)(BOOL success))handler;
-
-+ (void)uploadSingleEventWithSHA256:(NSString *)SHA256
-                            session:(NSURLSession *)session
-                          syncState:(SNTCommandSyncState *)syncState
-                         daemonConn:(SNTXPCConnection *)daemonConn
-                  completionHandler:(void (^)(BOOL success))handler;
-
-@end

Source/santactl/sync/SNTCommandSyncEventUpload.m

@@ -1,275 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-#import "SNTCommandSyncEventUpload.h"
-
-#include "SNTLogging.h"
-
-#import "MOLCertificate.h"
-#import "MOLCodesignChecker.h"
-#import "NSData+Zlib.h"
-#import "SNTCommandSyncConstants.h"
-#import "SNTCommandSyncState.h"
-#import "SNTFileInfo.h"
-#import "SNTStoredEvent.h"
-#import "SNTXPCConnection.h"
-#import "SNTXPCControlInterface.h"
-
-@implementation SNTCommandSyncEventUpload
-
-+ (void)performSyncInSession:(NSURLSession *)session
-                   syncState:(SNTCommandSyncState *)syncState
-                  daemonConn:(SNTXPCConnection *)daemonConn
-           completionHandler:(void (^)(BOOL success))handler {
-  NSURL *url = [NSURL URLWithString:[kURLEventUpload stringByAppendingString:syncState.machineID]
-                      relativeToURL:syncState.syncBaseURL];
-
-  [[daemonConn remoteObjectProxy] databaseEventsPending:^(NSArray *events) {
-    if ([events count] == 0) {
-      handler(YES);
-    } else {
-      [self uploadEventsFromArray:events
-                            toURL:url
-                        inSession:session
-                        batchSize:syncState.eventBatchSize
-                       daemonConn:daemonConn
-                completionHandler:handler];
-    }
-  }];
-}
-
-+ (void)uploadSingleEventWithSHA256:(NSString *)SHA256
-                            session:(NSURLSession *)session
-                          syncState:(SNTCommandSyncState *)syncState
-                         daemonConn:(SNTXPCConnection *)daemonConn
-                  completionHandler:(void (^)(BOOL success))handler {
-  NSURL *url = [NSURL URLWithString:[kURLEventUpload stringByAppendingString:syncState.machineID]
-                      relativeToURL:syncState.syncBaseURL];
-  [[daemonConn remoteObjectProxy] databaseEventForSHA256:SHA256 reply:^(SNTStoredEvent *event) {
-    if (!event) {
-      handler(YES);
-      return;
-    }
-
-    [self uploadEventsFromArray:@[ event ]
-                          toURL:url
-                      inSession:session
-                      batchSize:1
-                     daemonConn:daemonConn
-              completionHandler:handler];
-  }];
-}
-
-+ (void)uploadEventsFromArray:(NSArray *)events
-                        toURL:(NSURL *)url
-                    inSession:(NSURLSession *)session
-                    batchSize:(NSUInteger)batchSize
-                   daemonConn:(SNTXPCConnection *)daemonConn
-            completionHandler:(void (^)(BOOL success))handler {
-  NSMutableArray *uploadEvents = [[NSMutableArray alloc] init];
-
-  NSMutableArray *eventIds = [NSMutableArray arrayWithCapacity:events.count];
-  for (SNTStoredEvent *event in events) {
-    [uploadEvents addObject:[self dictionaryForEvent:event]];
-    [eventIds addObject:event.idx];
-
-    if (event.fileBundleID) {
-      NSArray *relatedBinaries = [self findRelatedBinaries:event];
-      [uploadEvents addObjectsFromArray:relatedBinaries];
-    }
-
-    if (eventIds.count >= batchSize) break;
-  }
-
-  NSDictionary *uploadReq = @{kEvents : uploadEvents};
-
-  NSData *requestBody;
-  @try {
-    requestBody = [NSJSONSerialization dataWithJSONObject:uploadReq options:0 error:nil];
-  } @catch (NSException *exception) {
-    LOGE(@"Failed to parse event(s) into JSON");
-    LOGD(@"Parsing error: %@", [exception reason]);
-  }
-
-  NSMutableURLRequest *req = [[NSMutableURLRequest alloc] initWithURL:url];
-  [req setHTTPMethod:@"POST"];
-  [req setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
-
-  NSData *compressed = [requestBody zlibCompressed];
-  if (compressed) {
-    requestBody = compressed;
-    [req setValue:@"zlib" forHTTPHeaderField:@"Content-Encoding"];
-  }
-
-  [req setHTTPBody:requestBody];
-
-  [[session dataTaskWithRequest:req completionHandler:^(NSData *data,
-                                                        NSURLResponse *response,
-                                                        NSError *error) {
-    long statusCode = [(NSHTTPURLResponse *)response statusCode];
-    if (statusCode != 200) {
-      LOGE(@"HTTP Response: %ld %@",
-           statusCode,
-           [[NSHTTPURLResponse localizedStringForStatusCode:statusCode] capitalizedString]);
-      LOGD(@"%@", error);
-      handler(NO);
-    } else {
-      LOGI(@"Uploaded %lu events", eventIds.count);
-
-      [[daemonConn remoteObjectProxy] databaseRemoveEventsWithIDs:eventIds];
-
-      NSArray *nextEvents = [events subarrayWithRange:NSMakeRange(eventIds.count,
-                                                                  events.count - eventIds.count)];
-      if (nextEvents.count == 0) {
-        handler(YES);
-      } else {
-        [self uploadEventsFromArray:nextEvents
-                              toURL:url
-                          inSession:session
-                          batchSize:batchSize
-                         daemonConn:daemonConn
-                  completionHandler:handler];
-      }
-    }
-  }] resume];
-}
-
-+ (NSDictionary *)dictionaryForEvent:(SNTStoredEvent *)event {
-#define ADDKEY(dict, key, value) if (value) dict[key] = value
-  NSMutableDictionary *newEvent = [NSMutableDictionary dictionary];
-
-  ADDKEY(newEvent, kFileSHA256, event.fileSHA256);
-  ADDKEY(newEvent, kFilePath, [event.filePath stringByDeletingLastPathComponent]);
-  ADDKEY(newEvent, kFileName, [event.filePath lastPathComponent]);
-  ADDKEY(newEvent, kExecutingUser, event.executingUser);
-  ADDKEY(newEvent, kExecutionTime, @([event.occurrenceDate timeIntervalSince1970]));
-  ADDKEY(newEvent, kLoggedInUsers, event.loggedInUsers);
-  ADDKEY(newEvent, kCurrentSessions, event.currentSessions);
-
-  switch (event.decision) {
-    case SNTEventStateAllowUnknown: ADDKEY(newEvent, kDecision, kDecisionAllowUnknown); break;
-    case SNTEventStateAllowBinary: ADDKEY(newEvent, kDecision, kDecisionAllowBinary); break;
-    case SNTEventStateAllowCertificate:
-      ADDKEY(newEvent, kDecision, kDecisionAllowCertificate);
-      break;
-    case SNTEventStateAllowScope: ADDKEY(newEvent, kDecision, kDecisionAllowScope); break;
-    case SNTEventStateBlockUnknown: ADDKEY(newEvent, kDecision, kDecisionBlockUnknown); break;
-    case SNTEventStateBlockBinary: ADDKEY(newEvent, kDecision, kDecisionBlockBinary); break;
-    case SNTEventStateBlockCertificate:
-      ADDKEY(newEvent, kDecision, kDecisionBlockCertificate);
-      break;
-    case SNTEventStateBlockScope: ADDKEY(newEvent, kDecision, kDecisionBlockScope); break;
-    case SNTEventStateRelatedBinary: ADDKEY(newEvent, kDecision, kDecisionRelatedBinary); break;
-    default: ADDKEY(newEvent, kDecision, kDecisionUnknown);
-  }
-
-  ADDKEY(newEvent, kFileBundleID, event.fileBundleID);
-  ADDKEY(newEvent, kFileBundleName, event.fileBundleName);
-  ADDKEY(newEvent, kFileBundleVersion, event.fileBundleVersion);
-  ADDKEY(newEvent, kFileBundleShortVersionString, event.fileBundleVersionString);
-
-  ADDKEY(newEvent, kPID, event.pid);
-  ADDKEY(newEvent, kPPID, event.ppid);
-  ADDKEY(newEvent, kParentName, event.parentName);
-
-  ADDKEY(newEvent, kQuarantineDataURL, event.quarantineDataURL);
-  ADDKEY(newEvent, kQuarantineRefererURL, event.quarantineRefererURL);
-  ADDKEY(newEvent, kQuarantineTimestamp, @([event.quarantineTimestamp timeIntervalSince1970]));
-  ADDKEY(newEvent, kQuarantineAgentBundleID, event.quarantineAgentBundleID);
-
-  NSMutableArray *signingChain = [NSMutableArray arrayWithCapacity:event.signingChain.count];
-  for (NSUInteger i = 0; i < event.signingChain.count; ++i) {
-    MOLCertificate *cert = [event.signingChain objectAtIndex:i];
-
-    NSMutableDictionary *certDict = [NSMutableDictionary dictionary];
-    ADDKEY(certDict, kCertSHA256, cert.SHA256);
-    ADDKEY(certDict, kCertCN, cert.commonName);
-    ADDKEY(certDict, kCertOrg, cert.orgName);
-    ADDKEY(certDict, kCertOU, cert.orgUnit);
-    ADDKEY(certDict, kCertValidFrom, @([cert.validFrom timeIntervalSince1970]));
-    ADDKEY(certDict, kCertValidUntil, @([cert.validUntil timeIntervalSince1970]));
-
-    [signingChain addObject:certDict];
-  }
-  newEvent[kSigningChain] = signingChain;
-
-  return newEvent;
-#undef ADDKEY
-}
-
-+ (NSArray *)findRelatedBinaries:(SNTStoredEvent *)event {
-  // Prevent processing the same bundle twice.
-  static NSMutableDictionary *previouslyProcessedBundles;
-  static dispatch_once_t onceToken;
-  dispatch_once(&onceToken, ^{
-    previouslyProcessedBundles = [NSMutableDictionary dictionary];
-  });
-  if (previouslyProcessedBundles[event.fileBundleID]) return nil;
-  previouslyProcessedBundles[event.fileBundleID] = @YES;
-
-  NSMutableArray *relatedEvents = [NSMutableArray array];
-
-  dispatch_semaphore_t sema = dispatch_semaphore_create(0);
-  __block BOOL shouldCancel = NO;
-  dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0), ^{
-    SNTFileInfo *originalFile = [[SNTFileInfo alloc] initWithPath:event.filePath];
-    NSString *bundlePath = originalFile.bundlePath;
-    originalFile = nil;  // release originalFile early.
-
-    NSDirectoryEnumerator *dirEnum = [[NSFileManager defaultManager] enumeratorAtPath:bundlePath];
-    NSString *file;
-
-    while (file = [dirEnum nextObject]) {
-      @autoreleasepool {
-        if (shouldCancel) break;
-        if ([dirEnum fileAttributes][NSFileType] != NSFileTypeRegular) continue;
-
-        file = [bundlePath stringByAppendingPathComponent:file];
-
-        // Don't record the binary that triggered this event as a related binary.
-        if ([file isEqual:event.filePath]) continue;
-
-        SNTFileInfo *fi = [[SNTFileInfo alloc] initWithPath:file];
-        if (fi.isExecutable) {
-          SNTStoredEvent *se = [[SNTStoredEvent alloc] init];
-          se.filePath = fi.path;
-          se.fileSHA256 = fi.SHA256;
-          se.decision = SNTEventStateRelatedBinary;
-          se.fileBundleID = event.fileBundleID;
-          se.fileBundleName = event.fileBundleName;
-          se.fileBundleVersion = event.fileBundleVersion;
-          se.fileBundleVersionString = event.fileBundleVersionString;
-
-          MOLCodesignChecker *cs = [[MOLCodesignChecker alloc] initWithBinaryPath:se.filePath];
-          se.signingChain = cs.certificates;
-
-          [relatedEvents addObject:[self dictionaryForEvent:se]];
-        }
-      }
-    }
-
-    dispatch_semaphore_signal(sema);
-  });
-
-  // Give the search up to 5s per event to run.
-  // This might need tweaking if it seems to slow down syncing or misses too much to be useful.
-  if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 5))) {
-    shouldCancel = YES;
-    LOGD(@"Timed out while searching for related events. Bundle ID: %@", event.fileBundleID);
-  }
-
-  return relatedEvents;
-}
-
-@end

Source/santactl/sync/SNTCommandSyncPostflight.m

@@ -1,70 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-#import "SNTCommandSyncPostflight.h"
-
-#include "SNTLogging.h"
-
-#import "SNTCommandSyncConstants.h"
-#import "SNTCommandSyncState.h"
-#import "SNTXPCConnection.h"
-#import "SNTXPCControlInterface.h"
-
-@implementation SNTCommandSyncPostflight
-
-+ (void)performSyncInSession:(NSURLSession *)session
-                   syncState:(SNTCommandSyncState *)syncState
-                  daemonConn:(SNTXPCConnection *)daemonConn
-           completionHandler:(void (^)(BOOL success))handler {
-  NSURL *url = [NSURL URLWithString:[kURLPostflight stringByAppendingString:syncState.machineID]
-                      relativeToURL:syncState.syncBaseURL];
-  NSMutableURLRequest *req = [[NSMutableURLRequest alloc] initWithURL:url];
-  [req setHTTPMethod:@"POST"];
-
-  [[session dataTaskWithRequest:req completionHandler:^(NSData *data,
-                                                        NSURLResponse *response,
-                                                        NSError *error) {
-    long statusCode = [(NSHTTPURLResponse *)response statusCode];
-    if (statusCode != 200) {
-      LOGE(@"HTTP Response: %ld %@",
-           statusCode,
-           [[NSHTTPURLResponse localizedStringForStatusCode:statusCode] capitalizedString]);
-      LOGD(@"%@", error);
-      handler(NO);
-    } else {
-      NSDictionary *r = [NSJSONSerialization JSONObjectWithData:data options:0 error:nil];
-
-      if (syncState.newClientMode) {
-        [[daemonConn remoteObjectProxy] setClientMode:syncState.newClientMode reply:^{}];
-      }
-
-      NSString *backoffInterval = r[kBackoffInterval];
-      if (backoffInterval) {
-        [[daemonConn remoteObjectProxy] setNextSyncInterval:[backoffInterval intValue] reply:^{}];
-      }
-
-      if (syncState.cleanSync) {
-        [[daemonConn remoteObjectProxy] setSyncCleanRequired:NO reply:^{}];
-      }
-
-      // Update last sync success
-      [[daemonConn remoteObjectProxy] setSyncLastSuccess:[NSDate date] reply:^{}];
-
-      handler(YES);
-    }
-  }] resume];
-}
-
-
-@end

Source/santactl/sync/SNTCommandSyncPreflight.m

@@ -1,106 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-#import "SNTCommandSyncPreflight.h"
-
-#include "SNTKernelCommon.h"
-#include "SNTLogging.h"
-
-#import "NSData+Zlib.h"
-#import "SNTCommandSyncConstants.h"
-#import "SNTCommandSyncState.h"
-#import "SNTConfigurator.h"
-#import "SNTSystemInfo.h"
-#import "SNTXPCConnection.h"
-#import "SNTXPCControlInterface.h"
-
-@implementation SNTCommandSyncPreflight
-
-+ (void)performSyncInSession:(NSURLSession *)session
-                   syncState:(SNTCommandSyncState *)syncState
-                  daemonConn:(SNTXPCConnection *)daemonConn
-           completionHandler:(void (^)(BOOL success))handler {
-  NSURL *url = [NSURL URLWithString:[kURLPreflight stringByAppendingString:syncState.machineID]
-                      relativeToURL:syncState.syncBaseURL];
-
-  NSMutableDictionary *requestDict = [NSMutableDictionary dictionary];
-  requestDict[kSerialNumber] = [SNTSystemInfo serialNumber];
-  requestDict[kHostname] = [SNTSystemInfo shortHostname];
-  requestDict[kSantaVer] = [[NSBundle mainBundle] objectForInfoDictionaryKey:@"CFBundleVersion"];
-  requestDict[kOSVer] = [SNTSystemInfo osVersion];
-  requestDict[kOSBuild] = [SNTSystemInfo osBuild];
-  requestDict[kPrimaryUser] = syncState.machineOwner;
-
-  // If user requested it or we've never had a successful sync, try from a clean slate.
-  if ([[[NSProcessInfo processInfo] arguments] containsObject:@"--clean"] ||
-      [[SNTConfigurator configurator] syncCleanRequired]) {
-    requestDict[kRequestCleanSync] = @YES;
-  }
-
-  NSData *requestBody = [NSJSONSerialization dataWithJSONObject:requestDict
-                                                        options:0
-                                                          error:nil];
-
-  NSMutableURLRequest *req = [[NSMutableURLRequest alloc] initWithURL:url];
-  [req setHTTPMethod:@"POST"];
-  [req setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
-
-  NSData *compressed = [requestBody zlibCompressed];
-  if (compressed) {
-    requestBody = compressed;
-    [req setValue:@"zlib" forHTTPHeaderField:@"Content-Encoding"];
-  }
-
-  [req setHTTPBody:requestBody];
-
-  [[session dataTaskWithRequest:req completionHandler:^(NSData *data,
-                                                        NSURLResponse *response,
-                                                        NSError *error) {
-    long statusCode = [(NSHTTPURLResponse *)response statusCode];
-    if (statusCode != 200) {
-      LOGE(@"HTTP Response: %ld %@",
-           statusCode,
-           [[NSHTTPURLResponse localizedStringForStatusCode:statusCode] capitalizedString]);
-      LOGD(@"%@", error);
-      handler(NO);
-    } else {
-      NSDictionary *r = [NSJSONSerialization JSONObjectWithData:data options:0 error:nil];
-
-      syncState.eventBatchSize = [r[kBatchSize] intValue];
-      syncState.uploadLogURL = [NSURL URLWithString:r[kUploadLogsURL]];
-
-      if ([r[kClientMode] isEqual:kClientModeMonitor]) {
-        syncState.newClientMode = SNTClientModeMonitor;
-      } else if ([r[kClientMode] isEqual:kClientModeLockdown]) {
-        syncState.newClientMode = SNTClientModeLockdown;
-      }
-
-      if ([r[kWhitelistRegex] isKindOfClass:[NSString class]]) {
-        [[daemonConn remoteObjectProxy] setWhitelistPathRegex:r[kWhitelistRegex] reply:^{}];
-      }
-
-      if ([r[kBlacklistRegex] isKindOfClass:[NSString class]]) {
-        [[daemonConn remoteObjectProxy] setBlacklistPathRegex:r[kBlacklistRegex] reply:^{}];
-      }
-
-      if ([r[kCleanSync] boolValue]) {
-        syncState.cleanSync = YES;
-      }
-
-      handler(YES);
-    }
-  }] resume];
-}
-
-@end

Source/santactl/sync/SNTCommandSyncRuleDownload.m

@@ -1,149 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-#import "SNTCommandSyncRuleDownload.h"
-
-#import "SNTCommandSyncConstants.h"
-#import "SNTCommandSyncState.h"
-#import "SNTRule.h"
-#import "SNTXPCConnection.h"
-#import "SNTXPCControlInterface.h"
-
-#include "SNTLogging.h"
-
-@implementation SNTCommandSyncRuleDownload
-
-+ (void)performSyncInSession:(NSURLSession *)session
-                   syncState:(SNTCommandSyncState *)syncState
-                  daemonConn:(SNTXPCConnection *)daemonConn
-           completionHandler:(void (^)(BOOL success))handler {
-  NSURL *url = [NSURL URLWithString:[kURLRuleDownload stringByAppendingString:syncState.machineID]
-                      relativeToURL:syncState.syncBaseURL];
-  [self ruleDownloadWithCursor:nil
-                           url:url
-                       session:session
-                     syncState:syncState
-                    daemonConn:daemonConn
-             completionHandler:handler];
-}
-
-+ (void)ruleDownloadWithCursor:(NSString *)cursor
-                           url:(NSURL *)url
-                       session:(NSURLSession *)session
-                     syncState:(SNTCommandSyncState *)syncState
-                    daemonConn:(SNTXPCConnection *)daemonConn
-             completionHandler:(void (^)(BOOL success))handler {
-  NSDictionary *requestDict = (cursor ? @{kCursor : cursor} : @{});
-
-  if (!syncState.downloadedRules) {
-    syncState.downloadedRules = [NSMutableArray array];
-  }
-
-  NSMutableURLRequest *req = [[NSMutableURLRequest alloc] initWithURL:url];
-  [req setHTTPBody:[NSJSONSerialization dataWithJSONObject:requestDict
-                                                   options:0
-                                                     error:nil]];
-  [req setHTTPMethod:@"POST"];
-  [req setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
-  [[session dataTaskWithRequest:req completionHandler:^(NSData *data,
-                                                        NSURLResponse *response,
-                                                        NSError *error) {
-    long statusCode = [(NSHTTPURLResponse *)response statusCode];
-    if (statusCode != 200) {
-      LOGE(@"HTTP Response: %ld %@",
-           statusCode,
-           [[NSHTTPURLResponse localizedStringForStatusCode:statusCode] capitalizedString]);
-      LOGD(@"%@", error);
-      handler(NO);
-    } else {
-      NSDictionary *resp = [NSJSONSerialization JSONObjectWithData:data options:0 error:nil];
-      if (!resp) {
-        LOGE(@"Failed to decode server's response");
-        handler(NO);
-        return;
-      }
-
-      NSArray *receivedRules = resp[kRules];
-      for (NSDictionary *rule in receivedRules) {
-        SNTRule *r = [self ruleFromDictionary:rule];
-        if (r) [syncState.downloadedRules addObject:r];
-      }
-
-      if (resp[kCursor]) {
-        [self ruleDownloadWithCursor:resp[kCursor]
-                                 url:url
-                             session:session
-                           syncState:syncState
-                          daemonConn:daemonConn
-                   completionHandler:handler];
-      } else {
-        if (syncState.downloadedRules.count) {
-          [[daemonConn remoteObjectProxy] databaseRuleAddRules:syncState.downloadedRules
-                                                    cleanSlate:syncState.cleanSync
-                                                         reply:^(NSError *error) {
-            if (!error) {
-              LOGI(@"Added %lu rule(s)", syncState.downloadedRules.count);
-              handler(YES);
-            } else {
-              LOGE(@"Failed to add rule(s) to database: %@", error.localizedDescription);
-              LOGD(@"Failure reason: %@", error.localizedFailureReason);
-              handler(NO);
-            }
-          }];
-        } else {
-          handler(YES);
-        }
-      }
-    }
-  }] resume];
-}
-
-+ (SNTRule *)ruleFromDictionary:(NSDictionary *)dict {
-  if (![dict isKindOfClass:[NSDictionary class]]) return nil;
-
-  SNTRule *newRule = [[SNTRule alloc] init];
-  newRule.shasum = dict[kRuleSHA256];
-  if (newRule.shasum.length != 64) return nil;
-
-  NSString *policyString = dict[kRulePolicy];
-  if ([policyString isEqual:kRulePolicyWhitelist]) {
-    newRule.state = SNTRuleStateWhitelist;
-  } else if ([policyString isEqual:kRulePolicyBlacklist]) {
-    newRule.state = SNTRuleStateBlacklist;
-  } else if ([policyString isEqual:kRulePolicySilentBlacklist]) {
-    newRule.state = SNTRuleStateSilentBlacklist;
-  } else if ([policyString isEqual:kRulePolicyRemove]) {
-    newRule.state = SNTRuleStateRemove;
-  } else {
-    return nil;
-  }
-
-  NSString *ruleTypeString = dict[kRuleType];
-  if ([ruleTypeString isEqual:kRuleTypeBinary]) {
-    newRule.type = SNTRuleTypeBinary;
-  } else if ([ruleTypeString isEqual:kRuleTypeCertificate]) {
-    newRule.type = SNTRuleTypeCertificate;
-  } else {
-    return nil;
-  }
-
-  NSString *customMsg = dict[kRuleCustomMsg];
-  if (customMsg.length) {
-    newRule.customMsg = customMsg;
-  }
-
-  return newRule;
-}
-
-@end

Source/santactl/sync/SNTCommandSyncState.h

@@ -1,44 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-#import "SNTCommonEnums.h"
-
-/// An instance of this class is passed to each stage of the sync process for storing data
-/// that might be needed in later stages.
-@interface SNTCommandSyncState : NSObject
-
-/// The base API URL
-@property NSURL *syncBaseURL;
-
-/// Machine identifier and owner
-@property(copy) NSString *machineID;
-@property(copy) NSString *machineOwner;
-
-/// Clean sync flag, sent from server. If True, all existing rules
-/// should be deleted before inserting any new rules.
-@property BOOL cleanSync;
-
-/// New client mode sent from server
-@property SNTClientMode newClientMode;
-
-/// Batch size for uploading events, sent from server
-@property int32_t eventBatchSize;
-
-/// Log upload URL sent from server
-@property NSURL *uploadLogURL;
-
-/// Rules downloaded from server
-@property NSMutableArray *downloadedRules;
-
-@end

Source/santactl/sync/SNTDERDecoder.h

@@ -1,35 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-///
-/// This is a simple ASN.1 decoder that utilizes Apple's SecAsn1Decode
-/// to parse the @c distinguishedNames property of NSURLProtectionSpace.
-///
-@interface SNTDERDecoder : NSObject
-
-@property(readonly) NSString *commonName;
-@property(readonly) NSString *organizationName;
-@property(readonly) NSString *organizationalUnit;
-@property(readonly) NSString *countryName;
-
-///
-///  Designated initializer.
-///
-///  @param data one of the objects in the
-///      NSURLProtectionSpace.distinguishedNames array
-///  @return nil if decoding fails to find any expected objects
-///
-- (instancetype)initWithData:(NSData *)data;
-
-@end

Source/santactl/sync/SNTDERDecoder.m

@@ -1,217 +0,0 @@
-/// Copyright 2015 Google Inc. All rights reserved.
-///
-/// Licensed under the Apache License, Version 2.0 (the "License");
-/// you may not use this file except in compliance with the License.
-/// You may obtain a copy of the License at
-///
-///    http://www.apache.org/licenses/LICENSE-2.0
-///
-///    Unless required by applicable law or agreed to in writing, software
-///    distributed under the License is distributed on an "AS IS" BASIS,
-///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-///    See the License for the specific language governing permissions and
-///    limitations under the License.
-
-#import "SNTDERDecoder.h"
-
-#import <Security/SecAsn1Coder.h>
-#import <Security/SecAsn1Templates.h>
-
-@interface SNTDERDecoder ()
-@property NSDictionary *decodedObjects;
-@end
-
-@implementation SNTDERDecoder
-
-#pragma mark Init
-
-- (instancetype)initWithData:(NSData *)data {
-  self = [super init];
-  if (self) {
-    if (!data) return nil;
-
-    _decodedObjects = [self decodeData:data];
-    if (!_decodedObjects || [_decodedObjects count] == 0) return nil;
-  }
-  return self;
-}
-
-- (instancetype)init {
-  [self doesNotRecognizeSelector:_cmd];
-  return nil;
-}
-
-- (NSString *)description {
-  return [NSString stringWithFormat:@"/C=%@/O=%@/OU=%@/CN=%@",
-                                    self.countryName,
-                                    self.organizationName,
-                                    self.organizationalUnit,
-                                    self.commonName];
-}
-
-#pragma mark Accessors
-
-- (NSString *)commonName {
-  return self.decodedObjects[(__bridge id)kSecOIDCommonName];
-}
-
-- (NSString *)organizationName {
-  return self.decodedObjects[(__bridge id)kSecOIDOrganizationName];
-}
-
-- (NSString *)organizationalUnit {
-  return self.decodedObjects[(__bridge id)kSecOIDOrganizationalUnitName];
-}
-
-- (NSString *)countryName {
-  return self.decodedObjects[(__bridge id)kSecOIDCountryName];
-}
-
-#pragma mark Private
-
-/**
- * The DER data provided by NSURLProtectionSpace.distinguishedNames looks like
- * this:
- *
- * SEQUENCE {
- *   SET {
- *     SEQUENCE {
- *       OBJECT IDENTIFIER (2 5 4 6)
- *       PrintableString 'US'
- *     }
- *   }
- *   SET {
- *     SEQUENCE {
- *       OBJECT IDENTIFIER (2 5 4 10)
- *       PrintableString 'Megaco Inc'
- *     }
- *   }
- * }
- *
- * This method assumes the passed in data will be in that format. If it isn't,
- * the DER decoding will fail and this method will return nil.
- **/
-- (NSDictionary *)decodeData:(NSData *)data {
-  typedef struct {
-    SecAsn1Oid oid;
-    SecAsn1Item value;
-  } OIDKeyValue;
-
-  static const SecAsn1Template kOIDValueTemplate[] = {
-      {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(OIDKeyValue)},
-      {SEC_ASN1_OBJECT_ID, offsetof(OIDKeyValue, oid), NULL, 0},
-      {SEC_ASN1_ANY_CONTENTS, offsetof(OIDKeyValue, value), NULL, 0},
-      {0, 0, NULL, 0}};
-
-  typedef struct {
-    OIDKeyValue **vals;
-  } OIDKeyValueList;
-
-  static const SecAsn1Template kSetOfOIDValueTemplate[] = {
-      {SEC_ASN1_SET_OF, 0, kOIDValueTemplate, sizeof(OIDKeyValueList)},
-      {0, 0, NULL, 0}};
-
-  typedef struct {
-    OIDKeyValueList **lists;
-  } OIDKeyValueListSeq;
-
-  static const SecAsn1Template kSequenceOfSetOfOIDValueTemplate[] = {
-      {SEC_ASN1_SEQUENCE_OF, 0, kSetOfOIDValueTemplate, sizeof(OIDKeyValueListSeq)},
-      {0, 0, NULL, 0}};
-
-  OSStatus err = errSecSuccess;
-  SecAsn1CoderRef coder;
-
-  err = SecAsn1CoderCreate(&coder);
-  if (err != errSecSuccess) return nil;
-
-  OIDKeyValueListSeq a;
-  err = SecAsn1Decode(coder,
-                      data.bytes,
-                      data.length,
-                      kSequenceOfSetOfOIDValueTemplate,
-                      &a);
-  if (err != errSecSuccess) {
-    SecAsn1CoderRelease(coder);
-    return nil;
-  }
-
-  // The data is decoded but now it's in a number of embedded structs.
-  // Massage that into a nice dictionary of OID->String pairs.
-  NSMutableDictionary *dict = [NSMutableDictionary dictionary];
-  OIDKeyValueList *anAttr;
-  for (NSUInteger i = 0; (anAttr = a.lists[i]); ++i) {
-    OIDKeyValue *keyValue = anAttr->vals[0];
-
-    // Sanity check
-    if (keyValue->value.Length > data.length) {
-      SecAsn1CoderRelease(coder);
-      return nil;
-    }
-
-    // Get the string value. First try creating as a UTF-8 string. If that fails,
-    // fallback to trying as an ASCII string. If it still doesn't work, continue on
-    // to the next value.
-    NSString *valueString;
-    valueString = [[NSString alloc] initWithBytes:keyValue->value.Data
-                                           length:keyValue->value.Length
-                                         encoding:NSUTF8StringEncoding];
-    if (!valueString) {
-      valueString = [[NSString alloc] initWithBytes:keyValue->value.Data
-                                             length:keyValue->value.Length
-                                           encoding:NSASCIIStringEncoding];
-    }
-    if (!valueString) continue;
-
-    // The OID is still encoded, so we need to decode it.
-    NSString *objectId = [SNTDERDecoder decodeOIDWithBytes:keyValue->oid.Data
-                                                    length:keyValue->oid.Length];
-
-    // Add to the dictionary
-    dict[objectId] = valueString;
-  }
-
-  SecAsn1CoderRelease(coder);
-  return dict;
-}
-
-/**
- * Decodes an ASN.1 Object Identifier into a string separated by periods.
- * See http://msdn.microsoft.com/en-us/library/bb540809(v=vs.85).aspx for
- * details of the encoding.
- **/
-+ (NSString *)decodeOIDWithBytes:(unsigned char *)bytes length:(NSUInteger)length {
-  NSMutableArray *objectId = [NSMutableArray array];
-  BOOL inVariableLengthByte = NO;
-  NSUInteger variableLength = 0;
-  for (NSUInteger i = 0; i < length; ++i) {
-    if (i == 0) {
-      // The first byte is actually two values, the top 4 bits are the first value * 40
-      // and the bottom 4 bits are the second value.
-      [objectId addObject:@((NSUInteger)bytes[i] / 40)];
-      [objectId addObject:@((NSUInteger)bytes[i] % 40)];
-    } else {
-      // The remaining bytes are encoded with Variable Length Quantity.
-      unsigned char byte = bytes[i];
-      if (byte & 0x80) {
-        inVariableLengthByte = YES;
-
-        NSUInteger a = (NSUInteger)(byte & ~0x80);
-        variableLength = variableLength << 7;
-        variableLength += a;
-      } else if (inVariableLengthByte) {
-        NSUInteger a = (NSUInteger)(byte & ~0x80);
-        variableLength = variableLength << 7;
-        variableLength += a;
-        inVariableLengthByte = NO;
-        [objectId addObject:@(variableLength)];
-        variableLength = 0;
-      } else {
-        [objectId addObject:@((NSUInteger)byte)];
-      }
-    }
-  }
-  return [objectId componentsJoinedByString:@"."];
-}
-
-@end

Source/santad/DataLayer/SNTEventTable.h

@@ -44,15 +44,6 @@
 ///
 - (NSUInteger)pendingEventsCount;
 
-///
-///  Retrieve an event from the database with a given SHA-256. If multiple events
-///  exist for the same SHA-256, just the first is returned.
-///
-///  @param sha256 a SHA-256 of the binary to return an event for.
-///  @return a single SNTStoredEvent.
-///
-- (SNTStoredEvent *)pendingEventForSHA256:(NSString *)sha256;
-
 ///
 ///  Delete a single event from the database using its index.
 ///

Source/santad/DataLayer/SNTEventTable.m

@@ -15,7 +15,6 @@
 #import "SNTEventTable.h"
 
 #import "MOLCertificate.h"
-#import "SNTLogging.h"
 #import "SNTStoredEvent.h"
 
 @implementation SNTEventTable
@@ -66,13 +65,26 @@
     newVersion = 2;
   }
 
+  if (version < 3) {
+    // Clean-up: Disable AUTOINCREMENT on idx column
+    [db executeUpdate:@"CREATE TABLE 'events_tmp' ("
+                      @"'idx' INTEGER PRIMARY KEY,"
+                      @"'filesha256' TEXT NOT NULL,"
+                      @"'eventdata' BLOB);"];
+    [db executeUpdate:@"INSERT INTO events_tmp SELECT * FROM events"];
+    [db executeUpdate:@"DROP TABLE events"];
+    [db executeUpdate:@"ALTER TABLE events_tmp RENAME TO events"];
+    newVersion = 3;
+  }
+
   return newVersion;
 }
 
 #pragma mark Loading / Storing
 
 - (BOOL)addStoredEvent:(SNTStoredEvent *)event {
-  if (!event.fileSHA256 ||
+  if (!event.idx ||
+      !event.fileSHA256 ||
       !event.filePath ||
       !event.occurrenceDate ||
       !event.decision) return NO;
@@ -86,8 +98,9 @@
 
   __block BOOL success = NO;
   [self inTransaction:^(FMDatabase *db, BOOL *rollback) {
-    success = [db executeUpdate:@"INSERT INTO 'events' (filesha256, eventdata) VALUES (?, ?)",
-                                event.fileSHA256, eventData];
+    success = [db executeUpdate:@"INSERT INTO 'events' (idx, filesha256, eventdata)"
+                                @"VALUES (?, ?, ?)",
+                                event.idx, event.fileSHA256, eventData];
   }];
 
   return success;
@@ -103,26 +116,6 @@
   return eventsPending;
 }
 
-- (SNTStoredEvent *)pendingEventForSHA256:(NSString *)sha256 {
-  __block SNTStoredEvent *storedEvent;
-
-  [self inDatabase:^(FMDatabase *db) {
-    FMResultSet *rs =
-        [db executeQuery:@"SELECT * FROM events WHERE filesha256=? LIMIT 1;", sha256];
-
-    if ([rs next]) {
-      storedEvent = [self eventFromResultSet:rs];
-      if (!storedEvent) {
-        [db executeUpdate:@"DELETE FROM events WHERE idx=?", [rs objectForColumnName:@"idx"]];
-      }
-    }
-
-    [rs close];
-  }];
-
-  return storedEvent;
-}
-
 - (NSArray *)pendingEvents {
   NSMutableArray *pendingEvents = [[NSMutableArray alloc] init];
 
@@ -152,7 +145,7 @@
 
   @try {
     event = [NSKeyedUnarchiver unarchiveObjectWithData:eventData];
-    event.idx = @([rs intForColumn:@"idx"]);
+    event.idx = event.idx ?: @((uint32_t)[rs intForColumn:@"idx"]);
   } @catch (NSException *exception) {
   }
 

Source/santad/DataLayer/SNTRuleTable.h

@@ -39,14 +39,11 @@
 - (NSUInteger)certificateRuleCount;
 
 ///
-///  @return Rule for binary with given SHA-256
+///  @return Rule for binary or certificate with given SHA-256. The binary rule will be returned
+///          if it exists. If not, the certificate rule will be returned if it exists.
 ///
-- (SNTRule *)binaryRuleForSHA256:(NSString *)SHA256;
-
-///
-///  @return Rule for certificate with  given SHA-256
-///
-- (SNTRule *)certificateRuleForSHA256:(NSString *)SHA256;
+- (SNTRule *)ruleForBinarySHA256:(NSString *)binarySHA256
+               certificateSHA256:(NSString *)certificateSHA256;
 
 ///
 ///  Add an array of rules to the database. The rules will be added within a transaction and the

Source/santad/DataLayer/SNTRuleTable.m

@@ -29,7 +29,7 @@
 
 - (uint32_t)initializeDatabase:(FMDatabase *)db fromVersion:(uint32_t)version {
   // Lock this database from other processes
-  [db executeQuery:@"PRAGMA locking_mode = EXCLUSIVE;"];
+  [[db executeQuery:@"PRAGMA locking_mode = EXCLUSIVE;"] close];
 
   uint32_t newVersion = 0;
 
@@ -40,8 +40,6 @@
                       @"'type' INTEGER NOT NULL, "
                       @"'custommsg' TEXT"
                       @")"];
-    [db executeUpdate:@"CREATE VIEW binrules AS SELECT * FROM rules WHERE type=1"];
-    [db executeUpdate:@"CREATE VIEW certrules AS SELECT * FROM rules WHERE type=2"];
     [db executeUpdate:@"CREATE UNIQUE INDEX rulesunique ON rules (shasum, type)"];
 
     [[SNTConfigurator configurator] setSyncCleanRequired:YES];
@@ -49,6 +47,12 @@
     newVersion = 1;
   }
 
+  if (version < 2) {
+    [db executeUpdate:@"DROP VIEW IF EXISTS binrules"];
+    [db executeUpdate:@"DROP VIEW IF EXISTS certrules"];
+    newVersion = 2;
+  }
+
   // Save hashes of the signing certs for launchd and santad.
   // Used to ensure rules for them are not removed.
   self.santadCertSHA = [[[[MOLCodesignChecker alloc] initWithSelf] leafCertificate] SHA256];
@@ -57,11 +61,11 @@
   // Ensure the certificates used to sign the running launchd/santad are whitelisted.
   // If they weren't previously and the database is not new, log an error.
   int ruleCount = [db intForQuery:@"SELECT COUNT(*)"
-                                  @"FROM certrules "
-                                  @"WHERE (shasum=? OR shasum=?) AND state=?",
+                                  @"FROM rules "
+                                  @"WHERE (shasum=? OR shasum=?) AND state=? AND type=2",
                       self.santadCertSHA, self.launchdCertSHA, @(SNTRuleStateWhitelist)];
   if (ruleCount != 2) {
-    if (version > 0) LOGE(@"Started without launchd/santad certificate rules in place!");    
+    if (version > 0) LOGE(@"Started without launchd/santad certificate rules in place!");
     [db executeUpdate:@"INSERT INTO rules (shasum, state, type) VALUES (?, ?, ?)",
         self.santadCertSHA, @(SNTRuleStateWhitelist), @(SNTRuleTypeCertificate)];
     [db executeUpdate:@"INSERT INTO rules (shasum, state, type) VALUES (?, ?, ?)",
@@ -84,7 +88,7 @@
 - (NSUInteger)binaryRuleCount {
   __block NSUInteger count = 0;
   [self inDatabase:^(FMDatabase *db) {
-    count = [db longForQuery:@"SELECT COUNT(*) FROM binrules"];
+    count = [db longForQuery:@"SELECT COUNT(*) FROM rules WHERE type=1"];
   }];
   return count;
 }
@@ -92,7 +96,7 @@
 - (NSUInteger)certificateRuleCount {
   __block NSUInteger count = 0;
   [self inDatabase:^(FMDatabase *db) {
-    count = [db longForQuery:@"SELECT COUNT(*) FROM certrules"];
+    count = [db longForQuery:@"SELECT COUNT(*) FROM rules WHERE type=2"];
   }];
   return count;
 }
@@ -108,25 +112,15 @@
   return rule;
 }
 
-- (SNTRule *)certificateRuleForSHA256:(NSString *)SHA256 {
+- (SNTRule *)ruleForBinarySHA256:(NSString *)binarySHA256
+               certificateSHA256:(NSString *)certificateSHA256 {
   __block SNTRule *rule;
-
+ 
   [self inDatabase:^(FMDatabase *db) {
-    FMResultSet *rs = [db executeQuery:@"SELECT * FROM certrules WHERE shasum=? LIMIT 1", SHA256];
-    if ([rs next]) {
-      rule = [self ruleFromResultSet:rs];
-    }
-    [rs close];
-  }];
-
-  return rule;
-}
-
-- (SNTRule *)binaryRuleForSHA256:(NSString *)SHA256 {
-  __block SNTRule *rule;
-
-  [self inDatabase:^(FMDatabase *db) {
-    FMResultSet *rs = [db executeQuery:@"SELECT * FROM binrules WHERE shasum=? LIMIT 1", SHA256];
+    FMResultSet *rs =
+        [db executeQuery:
+            @"SELECT * FROM rules WHERE (shasum=? and type=1) OR (shasum=? AND type=2) LIMIT 1",
+            binarySHA256, certificateSHA256];
     if ([rs next]) {
       rule = [self ruleFromResultSet:rs];
     }
@@ -149,12 +143,12 @@
   [self inTransaction:^(FMDatabase *db, BOOL *rollback) {
     // Protect rules for santad/launchd certificates.
     NSPredicate *p = [NSPredicate predicateWithFormat:
-                                      @"(SELF.shasum = %@ OR SELF.shasum = %@) AND SELF.type = %d",
-                                      self.santadCertSHA, self.launchdCertSHA, SNTRuleTypeCertificate];
+                         @"(SELF.shasum = %@ OR SELF.shasum = %@) AND SELF.type = %d",
+                         self.santadCertSHA, self.launchdCertSHA, SNTRuleTypeCertificate];
     NSArray *requiredHashes = [rules filteredArrayUsingPredicate:p];
     p = [NSPredicate predicateWithFormat:@"SELF.state == %d", SNTRuleStateWhitelist];
     NSArray *requiredHashesWhitelist = [requiredHashes filteredArrayUsingPredicate:p];
-    if ((cleanSlate && requiredHashesWhitelist.count != 2) ||
+    if ((cleanSlate && requiredHashesWhitelist.count < 2) ||
         (requiredHashes.count != requiredHashesWhitelist.count)) {
       LOGE(@"Received request to remove whitelist for launchd/santad certificates.");
       [self fillError:error code:SNTRuleTableErrorMissingRequiredRule message:nil];

Source/santad/SNTApplication.m

@@ -14,6 +14,7 @@
 
 #import "SNTApplication.h"
 
+#import <DiskArbitration/DiskArbitration.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 
@@ -22,6 +23,7 @@
 #import "SNTDaemonControlController.h"
 #import "SNTDatabaseController.h"
 #import "SNTDriverManager.h"
+#import "SNTDropRootPrivs.h"
 #import "SNTEventLog.h"
 #import "SNTEventTable.h"
 #import "SNTExecutionController.h"
@@ -29,10 +31,12 @@
 #import "SNTLogging.h"
 #import "SNTNotificationQueue.h"
 #import "SNTRuleTable.h"
+#import "SNTSyncdQueue.h"
 #import "SNTXPCConnection.h"
 #import "SNTXPCControlInterface.h"
 
 @interface SNTApplication ()
+@property DASessionRef diskArbSession;
 @property SNTDriverManager *driverManager;
 @property SNTEventLog *eventLog;
 @property SNTExecutionController *execController;
@@ -66,11 +70,18 @@
     }
 
     SNTNotificationQueue *notQueue = [[SNTNotificationQueue alloc] init];
+    SNTSyncdQueue *syncdQueue = [[SNTSyncdQueue alloc] init];
 
-    // Establish XPC listener for santactl connections
+    // Restart santactl if it goes down
+    syncdQueue.invalidationHandler = ^{
+      [self startSyncd];
+    };
+    
+    // Establish XPC listener for Santa and santactl connections
     SNTDaemonControlController *dc = [[SNTDaemonControlController alloc] init];
     dc.driverManager = _driverManager;
     dc.notQueue = notQueue;
+    dc.syncdQueue = syncdQueue;
 
     _controlConnection =
         [[SNTXPCConnection alloc] initServerWithName:[SNTXPCControlInterface serviceId]];
@@ -78,12 +89,43 @@
     _controlConnection.exportedObject = dc;
     [_controlConnection resume];
 
-    _configFileWatcher = [[SNTFileWatcher alloc] initWithFilePath:kDefaultConfigFilePath handler:^{
-      [[SNTConfigurator configurator] reloadConfigData];
+    __block SNTClientMode origMode = [[SNTConfigurator configurator] clientMode];
+    __block NSURL *origSyncURL = [[SNTConfigurator configurator] syncBaseURL];
+    _configFileWatcher = [[SNTFileWatcher alloc] initWithFilePath:kDefaultConfigFilePath
+                                                          handler:^(unsigned long data) {
+      if (data & DISPATCH_VNODE_ATTRIB) {
+        const char *cPath = [kDefaultConfigFilePath fileSystemRepresentation];
+        struct stat fileStat;
+        stat(cPath, &fileStat);
+        int mask = S_IRWXU | S_IRWXG | S_IRWXO;
+        int desired = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH;
+        if (fileStat.st_uid != 0 || fileStat.st_gid != 0 || (fileStat.st_mode & mask) != desired) {
+          LOGD(@"Config file permissions changed, fixing.");
+          chown(cPath, 0, 0);
+          chmod(cPath, desired);
+        }
+      } else {
+        LOGD(@"Config file changed, reloading.");
+        [[SNTConfigurator configurator] reloadConfigData];
 
-      // Ensure config file remains root:wheel 0644
-      chown([kDefaultConfigFilePath fileSystemRepresentation], 0, 0);
-      chmod([kDefaultConfigFilePath fileSystemRepresentation], 0644);
+        // Flush cache if client just went into lockdown.
+        SNTClientMode newMode = [[SNTConfigurator configurator] clientMode];
+        if (origMode != newMode) {
+          origMode = newMode;
+          if (newMode == SNTClientModeLockdown) {
+            LOGI(@"Changed client mode, flushing cache.");
+            [self.driverManager flushCache];
+          }
+        }
+
+        // Start santactl if the syncBaseURL changed from nil --> somthing
+        NSURL *syncURL = [[SNTConfigurator configurator] syncBaseURL];
+        if (!origSyncURL && syncURL) {
+          origSyncURL = syncURL;
+          LOGI(@"SyncBaseURL added, starting santactl.");
+          [self startSyncd];
+        }
+      }
     }];
 
     _eventLog = [[SNTEventLog alloc] init];
@@ -93,43 +135,61 @@
                                                                   ruleTable:ruleTable
                                                                  eventTable:eventTable
                                                               notifierQueue:notQueue
+                                                                 syncdQueue:syncdQueue
                                                                    eventLog:_eventLog];
+    // Start up santactl as a daemon if a sync server exists.
+    [self startSyncd];
+
     if (!_execController) return nil;
   }
 
   return self;
 }
 
+- (void)startSyncd {
+  if (![[SNTConfigurator configurator] syncBaseURL]) return;
+
+  if (fork() == 0) {
+    // Ensure we have no privileges
+    if (!DropRootPrivileges()) {
+      _exit(EPERM);
+    }
+    _exit(execl(kSantaCtlPath, kSantaCtlPath, "sync", "--daemon", "--syslog", NULL));
+  }
+}
+
 - (void)start {
   LOGI(@"Connected to driver, activating.");
 
   [self performSelectorInBackground:@selector(beginListeningForDecisionRequests) withObject:nil];
   [self performSelectorInBackground:@selector(beginListeningForLogRequests) withObject:nil];
+  [self performSelectorInBackground:@selector(beginListeningForDiskMounts) withObject:nil];
 }
 
 - (void)beginListeningForDecisionRequests {
   dispatch_queue_t exec_queue = dispatch_queue_create(
       "com.google.santad.execution_queue", DISPATCH_QUEUE_CONCURRENT);
-  dispatch_set_target_queue(exec_queue, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0));
+  dispatch_set_target_queue(
+      exec_queue, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0));
 
   [self.driverManager listenForDecisionRequests:^(santa_message_t message) {
     @autoreleasepool {
-      switch (message.action) {
-        case ACTION_REQUEST_SHUTDOWN: {
-          LOGI(@"Driver requested a shutdown");
-          exit(0);
+      dispatch_async(exec_queue, ^{
+        switch (message.action) {
+          case ACTION_REQUEST_SHUTDOWN: {
+            LOGI(@"Driver requested a shutdown");
+            exit(0);
+          }
+          case ACTION_REQUEST_BINARY: {
+            [_execController validateBinaryWithMessage:message];
+            break;
+          }
+          default: {
+            LOGE(@"Received decision request without a valid action: %d", message.action);
+            exit(1);
+          }
         }
-        case ACTION_REQUEST_BINARY: {
-          dispatch_async(exec_queue, ^{
-            [self.execController validateBinaryWithMessage:message];
-          });
-          break;
-        }
-        default: {
-          LOGE(@"Received decision request without a valid action: %d", message.action);
-          exit(1);
-        }
-      }
+      });
     }
   }];
 }
@@ -138,37 +198,74 @@
   dispatch_queue_t log_queue = dispatch_queue_create(
       "com.google.santad.log_queue", DISPATCH_QUEUE_CONCURRENT);
   dispatch_set_target_queue(
-      log_queue, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_LOW, 0));
+      log_queue, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0));
+
+  // Limit number of threads the queue can create.
+  dispatch_semaphore_t concurrencyLimiter = dispatch_semaphore_create(15);
 
   [self.driverManager listenForLogRequests:^(santa_message_t message) {
     @autoreleasepool {
-      switch (message.action) {
-        case ACTION_NOTIFY_DELETE:
-        case ACTION_NOTIFY_EXCHANGE:
-        case ACTION_NOTIFY_LINK:
-        case ACTION_NOTIFY_RENAME:
-        case ACTION_NOTIFY_WRITE: {
-          dispatch_async(log_queue, ^{
+      dispatch_semaphore_wait(concurrencyLimiter, DISPATCH_TIME_FOREVER);
+      dispatch_async(log_queue, ^{
+        switch (message.action) {
+          case ACTION_NOTIFY_DELETE:
+          case ACTION_NOTIFY_EXCHANGE:
+          case ACTION_NOTIFY_LINK:
+          case ACTION_NOTIFY_RENAME:
+          case ACTION_NOTIFY_WRITE: {
             NSRegularExpression *re = [[SNTConfigurator configurator] fileChangesRegex];
             NSString *path = @(message.path);
             if ([re numberOfMatchesInString:path options:0 range:NSMakeRange(0, path.length)]) {
-              [self.eventLog logFileModification:message];
+              [_eventLog logFileModification:message];
             }
-          });
-          break;
+            break;
+          }
+          case ACTION_NOTIFY_EXEC: {
+            [_eventLog logAllowedExecution:message];
+            break;
+          }
+          default:
+            LOGE(@"Received log request without a valid action: %d", message.action);
+            break;
         }
-        case ACTION_NOTIFY_EXEC: {
-          dispatch_async(log_queue, ^{
-            [self.eventLog logAllowedExecution:message];
-          });
-          break;
-        }
-        default:
-          LOGE(@"Received log request without a valid action: %d", message.action);
-          break;
-      }
+        dispatch_semaphore_signal(concurrencyLimiter);
+      });
     }
   }];
 }
 
+- (void)beginListeningForDiskMounts {
+  dispatch_queue_t disk_queue = dispatch_queue_create(
+      "com.google.santad.disk_queue", DISPATCH_QUEUE_SERIAL);
+
+  _diskArbSession = DASessionCreate(NULL);
+  DASessionSetDispatchQueue(_diskArbSession, disk_queue);
+
+  DARegisterDiskAppearedCallback(
+      _diskArbSession, NULL, diskAppearedCallback, (__bridge void *)self);
+  DARegisterDiskDescriptionChangedCallback(
+      _diskArbSession, NULL, NULL, diskDescriptionChangedCallback, (__bridge void *)self);
+  DARegisterDiskDisappearedCallback(
+      _diskArbSession, NULL, diskDisappearedCallback, (__bridge void *)self);
+}
+
+void diskAppearedCallback(DADiskRef disk, void *context) {
+  SNTApplication *app = (__bridge SNTApplication *)context;
+  NSDictionary *props = CFBridgingRelease(DADiskCopyDescription(disk));
+  [app.eventLog logDiskAppeared:props];
+}
+
+void diskDescriptionChangedCallback(DADiskRef disk, CFArrayRef keys, void *context) {
+  SNTApplication *app = (__bridge SNTApplication *)context;
+  NSDictionary *props = CFBridgingRelease(DADiskCopyDescription(disk));
+  if (props[@"DAVolumePath"]) [app.eventLog logDiskAppeared:props];
+}
+
+void diskDisappearedCallback(DADiskRef disk, void *context) {
+  SNTApplication *app = (__bridge SNTApplication *)context;
+  NSDictionary *props = CFBridgingRelease(DADiskCopyDescription(disk));
+  [app.eventLog logDiskDisappeared:props];
+}
+
+
 @end

Source/santad/SNTDaemonControlController.h

@@ -16,6 +16,7 @@
 
 @class SNTDriverManager;
 @class SNTNotificationQueue;
+@class SNTSyncdQueue;
 
 ///
 ///  SNTDaemonControlController handles all of the RPCs from santactl
@@ -24,5 +25,6 @@
 
 @property SNTDriverManager *driverManager;
 @property SNTNotificationQueue *notQueue;
+@property SNTSyncdQueue *syncdQueue;
 
 @end