Version bump to 1.13

* santactl: don't watch for config changes

* bump version

.travis.yml

@@ -8,6 +8,7 @@ addons:
   homebrew:
     taps: bazelbuild/tap
     packages: bazelbuild/tap/bazel
+    update: true
 
 script:
  - bazel build :release --show_progress_rate_limit=30.0 -c opt --apple_generate_dsym --color=no --verbose_failures --sandbox_debug

BUILD

@@ -130,6 +130,10 @@ genrule(
             mkdir -p $(@D)/dsym
             cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/Santa.app.dSYM
             ;;
+          *com.google.santa.daemon.systemextension.dSYM*Info.plist)
+            mkdir -p $(@D)/dsym
+            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/com.google.santa.daemon.systemextension.dSYM
+            ;;
         esac
       done
 

Conf/Package/postinstall

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Load the kernel extension, santad, sync client
+# Load com.google.santa.daemon and com.google.santa.bundleservice
 # If a user is logged in, also load the GUI agent.
 # If the target volume is not /, do nothing
 
@@ -13,24 +13,15 @@
 mkdir -p /usr/local/bin
 /bin/ln -sf /Applications/Santa.app/Contents/MacOS/santactl /usr/local/bin/santactl
 
-if [ $(uname -r | cut -d'.' -f1) -ge 19 ]; then
-  # Running on 10.15+
-  echo "Santa postinstall: running on 10.15+"
-  /bin/rm -rf /Library/Extensions/santa-driver.kext
-  /bin/rm -f /Library/LaunchDaemons/com.google.santad.plist
-else
-  # Running on <10.15
-  /bin/launchctl load -w /Library/LaunchDaemons/com.google.santad.plist
-fi
+# Load com.google.santa.daemon, its main has logic to handle loading the kext
+# or relaunching itself as a SystemExtension.
+/bin/launchctl load -w /Library/LaunchDaemons/com.google.santad.plist
 
-# Load the bundle service
+# Load com.google.santa.bundleservice
 /bin/launchctl load -w /Library/LaunchDaemons/com.google.santa.bundleservice.plist
 
-user=$(/usr/bin/stat -f '%u' /dev/console)
-if [[ -z "$user" ]]; then
-  /Applications/Santa.app/Contents/MacOS/Santa --load-system-extension
-  exit 0
-fi
-/bin/launchctl asuser ${user} /bin/launchctl load /Library/LaunchAgents/com.google.santa.plist
+GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
+[[ -z "${GUI_USER}" ]] && exit 0
 
+/bin/launchctl asuser "${GUI_USER}" /bin/launchctl load /Library/LaunchAgents/com.google.santa.plist
 exit 0

Conf/Package/preinstall

@@ -19,11 +19,13 @@
 /bin/launchctl remove com.google.santasync
 /bin/rm -f /Library/LaunchDaemons/com.google.santasync.plist
 /bin/rm -rf /Applications/Santa.app
+/bin/rm -rf /Library/Extensions/santa-driver.kext
 
 /bin/sleep 1
 
-user=$(/usr/bin/stat -f '%u' /dev/console)
-[[ -n "$user" ]] && /bin/launchctl asuser ${user} /bin/launchctl remove com.google.santagui
-[[ -n "$user" ]] && /bin/launchctl asuser ${user} /bin/launchctl remove com.google.santa
+GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
+[[ -z "${GUI_USER}" ]] && exit 0
 
+/bin/launchctl asuser "${GUI_USER}" /bin/launchctl remove com.google.santagui
+/bin/launchctl asuser "${GUI_USER}" /bin/launchctl remove com.google.santa
 exit 0

Conf/install.sh

@@ -31,10 +31,10 @@ fi
 GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
 
 # Unload GUI agent if someone is logged in.
+[[ -n "${GUI_USER}" ]] && \
+  /bin/launchctl asuser "${GUI_USER}" /bin/launchctl remove com.google.santagui
 [[ -n "$GUI_USER" ]] && \
-  /bin/launchctl asuser ${GUI_USER} /bin/launchctl remove com.google.santagui
-[[ -n "$GUI_USER" ]] && \
-  /bin/launchctl asuser ${GUI_USER} /bin/launchctl remove com.google.santa
+  /bin/launchctl asuser "${GUI_USER}" /bin/launchctl remove com.google.santa
 
 # Cleanup cruft from old versions
 /bin/launchctl remove com.google.santasync >/dev/null 2>&1
@@ -48,34 +48,28 @@ GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
 /bin/mkdir -p /var/db/santa
 
 /bin/cp -r ${BINARIES}/Santa.app /Applications
+/bin/cp -r ${BINARIES}/santa-driver.kext /Library/Extensions
 
 /bin/mkdir -p /usr/local/bin
 /bin/ln -s /Applications/Santa.app/Contents/MacOS/santactl /usr/local/bin 2>/dev/null
 
 /bin/cp ${CONF}/com.google.santa.plist /Library/LaunchAgents
 /bin/cp ${CONF}/com.google.santa.bundleservice.plist /Library/LaunchDaemons
+/bin/cp ${CONF}/com.google.santad.plist /Library/LaunchDaemons
 /bin/cp ${CONF}/com.google.santa.asl.conf /etc/asl/
 /bin/cp ${CONF}/com.google.santa.newsyslog.conf /etc/newsyslog.d/
 
 # Reload syslogd to pick up ASL configuration change.
 /usr/bin/killall -HUP syslogd
 
-# Only copy the kext and load santad if running pre-10.15
-if [ $(uname -r | cut -d'.' -f1) -lt 19 ]; then
-  /bin/cp -r ${BINARIES}/santa-driver.kext /Library/Extensions
-  /bin/cp ${CONF}/com.google.santad.plist /Library/LaunchDaemons
-  /bin/launchctl load /Library/LaunchDaemons/com.google.santad.plist
-else
-  /Applications/Santa.app/Contents/MacOS/Santa --load-system-extension
-fi
+# Load com.google.santa.daemon
+/bin/launchctl load /Library/LaunchDaemons/com.google.santad.plist
 
-# Load the bundle service
+# Load com.google.santa.bundleservice
 /bin/launchctl load /Library/LaunchDaemons/com.google.santa.bundleservice.plist
 
 # Load GUI agent if someone is logged in.
-if [[ -n "$GUI_USER" ]]; then
-  /bin/launchctl asuser ${GUI_USER} \
-  /bin/launchctl load -w /Library/LaunchAgents/com.google.santa.plist
-fi
+[[ -z "${GUI_USER}" ]] && exit 0
 
+/bin/launchctl asuser "${GUI_USER}" /bin/launchctl load -w /Library/LaunchAgents/com.google.santa.plist
 exit 0

Podfile.lock

@@ -11,7 +11,7 @@ PODS:
     - MOLAuthenticatingURLSession (~> 2.4)
   - MOLXPCConnection (1.2):
     - MOLCodesignChecker (~> 1.9)
-  - OCMock (3.4.3)
+  - OCMock (3.5)
 
 DEPENDENCIES:
   - FMDB
@@ -39,7 +39,7 @@ SPEC CHECKSUMS:
   MOLCodesignChecker: b0d5db9d2f9bd94e0fd093891a5d40e5ad77cbc0
   MOLFCMClient: 2bfbacd45cc11e1ca3c077e97b80401c4e4a54f1
   MOLXPCConnection: c27af5cb1c43b18319698b0e568a8ddc2fc1e306
-  OCMock: 43565190abc78977ad44a61c0d20d7f0784d35ab
+  OCMock: 4ab4577fc941af31f4a0398f6e7e230cf21fc72a
 
 PODFILE CHECKSUM: d03767a9915896232523962c98d9ff7294aec2b7
 

Santa.xcodeproj/project.pbxproj

@@ -10,7 +10,6 @@
 		0D9F577C2342650F005D9AA8 /* SNTPrefixTree.cc in Sources */ = {isa = PBXBuildFile; fileRef = C7658B022322B84F00F36578 /* SNTPrefixTree.cc */; };
 		59502195B2982225D3706DCE /* libPods-santabundleservice.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 2A55D73A235850B9FA991865 /* libPods-santabundleservice.a */; };
 		AD3736AF78C41A962C26D429 /* libPods-Santa.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C3E743944A9D77423AA1534 /* libPods-Santa.a */; };
-		B5AE6BB811766CA492133559 /* libPods-santad.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 3700D40B536CA7F626B76156 /* libPods-santad.a */; };
 		C71E472F22F0F97B00921CD9 /* com.google.santa.daemon in CopyFiles */ = {isa = PBXBuildFile; fileRef = C779C4E622F0F51400EE2541 /* com.google.santa.daemon */; settings = {ATTRIBUTES = (CodeSignOnCopy, ); }; };
 		C71E473122F0FAA100921CD9 /* com.google.santa.daemon.systemextension in CopyFiles */ = {isa = PBXBuildFile; fileRef = C7A8308022F0F81F00F856AC /* com.google.santa.daemon.systemextension */; settings = {ATTRIBUTES = (CodeSignOnCopy, RemoveHeadersOnCopy, ); }; };
 		C72ED2B62324962400255555 /* SNTEndpointSecurityManager.mm in Sources */ = {isa = PBXBuildFile; fileRef = C72ED2B52324962400255555 /* SNTEndpointSecurityManager.mm */; };
@@ -110,6 +109,7 @@
 		C7F5C1AF233E72CF00A3F7FD /* SNTBundleService.m in Sources */ = {isa = PBXBuildFile; fileRef = C7658AF22322B84F00F36578 /* SNTBundleService.m */; };
 		C7F5C1B0233E735E00A3F7FD /* santabundleservice in CopyFiles */ = {isa = PBXBuildFile; fileRef = C7F5C1A7233E72BC00A3F7FD /* santabundleservice */; settings = {ATTRIBUTES = (CodeSignOnCopy, ); }; };
 		D28CA4C618C62392319BB642 /* libPods-santactl.a in Frameworks */ = {isa = PBXBuildFile; fileRef = B7714ABC7F247685608DACE7 /* libPods-santactl.a */; };
+		D698C8C9E47554577ED4939F /* libPods-com.google.santa.daemon.a in Frameworks */ = {isa = PBXBuildFile; fileRef = C05F6AD95EB704B20828BDA1 /* libPods-com.google.santa.daemon.a */; };
 		F5F5D1EF2AF051FEA97A3A59 /* libPods-sysx.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 91FF0B4E62F1E90A88478993 /* libPods-sysx.a */; };
 /* End PBXBuildFile section */
 
@@ -189,12 +189,13 @@
 		18183794C94BAEAD167B12EC /* Pods-santad.debug.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-santad.debug.xcconfig"; path = "Target Support Files/Pods-santad/Pods-santad.debug.xcconfig"; sourceTree = "<group>"; };
 		24CDFD218D8B35E34895AA6A /* libPods-santaxpcproxy.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = "libPods-santaxpcproxy.a"; sourceTree = BUILT_PRODUCTS_DIR; };
 		2A55D73A235850B9FA991865 /* libPods-santabundleservice.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = "libPods-santabundleservice.a"; sourceTree = BUILT_PRODUCTS_DIR; };
-		3700D40B536CA7F626B76156 /* libPods-santad.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = "libPods-santad.a"; sourceTree = BUILT_PRODUCTS_DIR; };
 		4C3E743944A9D77423AA1534 /* libPods-Santa.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = "libPods-Santa.a"; sourceTree = BUILT_PRODUCTS_DIR; };
+		4E28DBA012524ABF55F8300C /* Pods-com.google.santa.daemon.debug.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-com.google.santa.daemon.debug.xcconfig"; path = "Target Support Files/Pods-com.google.santa.daemon/Pods-com.google.santa.daemon.debug.xcconfig"; sourceTree = "<group>"; };
 		7AF15DF785BAA0EAB0BE340D /* Pods-santad.release.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-santad.release.xcconfig"; path = "Target Support Files/Pods-santad/Pods-santad.release.xcconfig"; sourceTree = "<group>"; };
 		91FF0B4E62F1E90A88478993 /* libPods-sysx.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = "libPods-sysx.a"; sourceTree = BUILT_PRODUCTS_DIR; };
 		B7714ABC7F247685608DACE7 /* libPods-santactl.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = "libPods-santactl.a"; sourceTree = BUILT_PRODUCTS_DIR; };
 		C05543B3701F50CA798B4B11 /* Pods-sysx.release.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-sysx.release.xcconfig"; path = "Target Support Files/Pods-sysx/Pods-sysx.release.xcconfig"; sourceTree = "<group>"; };
+		C05F6AD95EB704B20828BDA1 /* libPods-com.google.santa.daemon.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = "libPods-com.google.santa.daemon.a"; sourceTree = BUILT_PRODUCTS_DIR; };
 		C72ED2B3232495CC00255555 /* SNTEventProvider.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SNTEventProvider.h; sourceTree = "<group>"; };
 		C72ED2B42324962400255555 /* SNTEndpointSecurityManager.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SNTEndpointSecurityManager.h; sourceTree = "<group>"; };
 		C72ED2B52324962400255555 /* SNTEndpointSecurityManager.mm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.objcpp; path = SNTEndpointSecurityManager.mm; sourceTree = "<group>"; };
@@ -369,6 +370,7 @@
 		D7360306D7CFDD179D003266 /* Pods-sysx.debug.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-sysx.debug.xcconfig"; path = "Target Support Files/Pods-sysx/Pods-sysx.debug.xcconfig"; sourceTree = "<group>"; };
 		D979E8ECE019FB93D1D381E7 /* Pods-santaxpcproxy.release.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-santaxpcproxy.release.xcconfig"; path = "Target Support Files/Pods-santaxpcproxy/Pods-santaxpcproxy.release.xcconfig"; sourceTree = "<group>"; };
 		E6D38874F31422095E853E99 /* Pods-Santa.debug.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-Santa.debug.xcconfig"; path = "Target Support Files/Pods-Santa/Pods-Santa.debug.xcconfig"; sourceTree = "<group>"; };
+		E734E4FECEAA502AFF104E71 /* Pods-com.google.santa.daemon.release.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-com.google.santa.daemon.release.xcconfig"; path = "Target Support Files/Pods-com.google.santa.daemon/Pods-com.google.santa.daemon.release.xcconfig"; sourceTree = "<group>"; };
 		EDF64F091E796EC4013F5499 /* Pods-santaxpcproxy.debug.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-santaxpcproxy.debug.xcconfig"; path = "Target Support Files/Pods-santaxpcproxy/Pods-santaxpcproxy.debug.xcconfig"; sourceTree = "<group>"; };
 		FE1F7C320CAEA468FAAC05B0 /* Pods-santabundleservice.release.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-santabundleservice.release.xcconfig"; path = "Target Support Files/Pods-santabundleservice/Pods-santabundleservice.release.xcconfig"; sourceTree = "<group>"; };
 /* End PBXFileReference section */
@@ -396,7 +398,7 @@
 			files = (
 				C72ED2BC232584C100255555 /* libbsm.tbd in Frameworks */,
 				C72ED2B82324A2FA00255555 /* libEndpointSecurity.tbd in Frameworks */,
-				B5AE6BB811766CA492133559 /* libPods-santad.a in Frameworks */,
+				D698C8C9E47554577ED4939F /* libPods-com.google.santa.daemon.a in Frameworks */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -767,11 +769,11 @@
 				C72ED2B9232584AA00255555 /* libauditd.tbd */,
 				C72ED2B72324A2FA00255555 /* libEndpointSecurity.tbd */,
 				4C3E743944A9D77423AA1534 /* libPods-Santa.a */,
-				3700D40B536CA7F626B76156 /* libPods-santad.a */,
 				91FF0B4E62F1E90A88478993 /* libPods-sysx.a */,
 				24CDFD218D8B35E34895AA6A /* libPods-santaxpcproxy.a */,
 				2A55D73A235850B9FA991865 /* libPods-santabundleservice.a */,
 				B7714ABC7F247685608DACE7 /* libPods-santactl.a */,
+				C05F6AD95EB704B20828BDA1 /* libPods-com.google.santa.daemon.a */,
 			);
 			name = Frameworks;
 			sourceTree = "<group>";
@@ -791,6 +793,8 @@
 				FE1F7C320CAEA468FAAC05B0 /* Pods-santabundleservice.release.xcconfig */,
 				052CCA75535669B953A31D6D /* Pods-santactl.debug.xcconfig */,
 				0A60226B8B4F01BE817BAAA3 /* Pods-santactl.release.xcconfig */,
+				4E28DBA012524ABF55F8300C /* Pods-com.google.santa.daemon.debug.xcconfig */,
+				E734E4FECEAA502AFF104E71 /* Pods-com.google.santa.daemon.release.xcconfig */,
 			);
 			path = Pods;
 			sourceTree = "<group>";
@@ -1036,7 +1040,7 @@
 			outputFileListPaths = (
 			);
 			outputPaths = (
-				"$(DERIVED_FILE_DIR)/Pods-santad-checkManifestLockResult.txt",
+				"$(DERIVED_FILE_DIR)/Pods-com.google.santa.daemon-checkManifestLockResult.txt",
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
@@ -1252,7 +1256,7 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = 052CCA75535669B953A31D6D /* Pods-santactl.debug.xcconfig */;
 			buildSettings = {
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				CREATE_INFOPLIST_SECTION_IN_BINARY = YES;
 				CURRENT_PROJECT_VERSION = 1;
@@ -1270,7 +1274,7 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = 0A60226B8B4F01BE817BAAA3 /* Pods-santactl.release.xcconfig */;
 			buildSettings = {
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				CREATE_INFOPLIST_SECTION_IN_BINARY = YES;
 				CURRENT_PROJECT_VERSION = 1;
@@ -1401,7 +1405,7 @@
 			buildSettings = {
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CODE_SIGN_ENTITLEMENTS = Source/santa/Santa.app.entitlements;
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1;
@@ -1425,7 +1429,7 @@
 			buildSettings = {
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CODE_SIGN_ENTITLEMENTS = Source/santa/Santa.app.entitlements;
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1;
@@ -1445,10 +1449,10 @@
 		};
 		C779C4EB22F0F51400EE2541 /* Debug */ = {
 			isa = XCBuildConfiguration;
-			baseConfigurationReference = 18183794C94BAEAD167B12EC /* Pods-santad.debug.xcconfig */;
+			baseConfigurationReference = 4E28DBA012524ABF55F8300C /* Pods-com.google.santa.daemon.debug.xcconfig */;
 			buildSettings = {
 				CODE_SIGN_ENTITLEMENTS = Source/santad/com.google.santa.daemon.systemextension.entitlements;
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				CREATE_INFOPLIST_SECTION_IN_BINARY = YES;
 				CURRENT_PROJECT_VERSION = 1;
@@ -1464,10 +1468,10 @@
 		};
 		C779C4EC22F0F51400EE2541 /* Release */ = {
 			isa = XCBuildConfiguration;
-			baseConfigurationReference = 7AF15DF785BAA0EAB0BE340D /* Pods-santad.release.xcconfig */;
+			baseConfigurationReference = E734E4FECEAA502AFF104E71 /* Pods-com.google.santa.daemon.release.xcconfig */;
 			buildSettings = {
 				CODE_SIGN_ENTITLEMENTS = Source/santad/com.google.santa.daemon.systemextension.entitlements;
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				CREATE_INFOPLIST_SECTION_IN_BINARY = YES;
 				CURRENT_PROJECT_VERSION = 1;
@@ -1486,7 +1490,7 @@
 			baseConfigurationReference = D7360306D7CFDD179D003266 /* Pods-sysx.debug.xcconfig */;
 			buildSettings = {
 				CODE_SIGN_ENTITLEMENTS = Source/santad/com.google.santa.daemon.systemextension.entitlements;
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1;
@@ -1507,7 +1511,7 @@
 			baseConfigurationReference = C05543B3701F50CA798B4B11 /* Pods-sysx.release.xcconfig */;
 			buildSettings = {
 				CODE_SIGN_ENTITLEMENTS = Source/santad/com.google.santa.daemon.systemextension.entitlements;
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1;
@@ -1526,7 +1530,7 @@
 		C7D35DE02322C902000C5EB4 /* Debug */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				CURRENT_PROJECT_VERSION = 1;
 				DEVELOPMENT_TEAM = EQHXZ8M8AV;
@@ -1546,7 +1550,7 @@
 		C7D35DE12322C902000C5EB4 /* Release */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				CURRENT_PROJECT_VERSION = 1;
 				DEVELOPMENT_TEAM = EQHXZ8M8AV;
@@ -1567,7 +1571,7 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = D4808D8635FB5E8E5F4637BB /* Pods-santabundleservice.debug.xcconfig */;
 			buildSettings = {
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				CREATE_INFOPLIST_SECTION_IN_BINARY = YES;
 				DEVELOPMENT_TEAM = EQHXZ8M8AV;
@@ -1582,7 +1586,7 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = FE1F7C320CAEA468FAAC05B0 /* Pods-santabundleservice.release.xcconfig */;
 			buildSettings = {
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				CREATE_INFOPLIST_SECTION_IN_BINARY = YES;
 				DEVELOPMENT_TEAM = EQHXZ8M8AV;

Source/common/BUILD

@@ -149,6 +149,7 @@ objc_library(
     srcs = ["SNTXPCControlInterface.m"],
     hdrs = ["SNTXPCControlInterface.h"],
     deps = [
+        ":SNTConfigurator",
         ":SNTStoredEvent",
         ":SNTXPCUnprivilegedControlInterface",
         "@MOLXPCConnection",

Source/common/SNTConfigurator.h

@@ -164,6 +164,15 @@
 ///
 @property(readonly, nonatomic) BOOL enableMachineIDDecoration;
 
+///
+///  Use the bundled SystemExtension on macOS 10.15+, defaults to YES.
+///  Disable to continue using the bundled KEXT.
+///  This is a one way switch, if this is ever true on macOS 10.15+ the KEXT will be deleted.
+///  This gives admins control over the timing of switching to the SystemExtension. The intended use case is to have an MDM deliver
+///  the requisite SystemExtension and TCC profiles before attempting to load.
+///
+@property(readonly, nonatomic) BOOL enableSystemExtension;
+
 #pragma mark - GUI Settings
 
 ///

Source/common/SNTConfigurator.m

@@ -76,6 +76,8 @@ static NSString *const kEventLogPath = @"EventLogPath";
 
 static NSString *const kEnableMachineIDDecoration = @"EnableMachineIDDecoration";
 
+static NSString *const kEnableSystemExtension = @"EnableSystemExtension";
+
 // The keys managed by a sync server or mobileconfig.
 static NSString *const kClientModeKey = @"ClientMode";
 static NSString *const kEnableTransitiveWhitelistingKey = @"EnableTransitiveWhitelisting";
@@ -137,6 +139,7 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
       kEventLogType : string,
       kEventLogPath : string,
       kEnableMachineIDDecoration : number,
+      kEnableSystemExtension : number,
     };
     _defaults = [NSUserDefaults standardUserDefaults];
     [_defaults addSuiteNamed:@"com.google.santa"];
@@ -303,6 +306,10 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
   return [self syncAndConfigStateSet];
 }
 
++ (NSSet *)keyPathsForValuesAffectingEnableSystemExtension {
+  return [self configStateSet];
+}
+
 #pragma mark Public Interface
 
 - (SNTClientMode)clientMode {
@@ -508,6 +515,17 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
   return number ? [number boolValue] : NO;
 }
 
+- (BOOL)enableSystemExtension {
+  if (@available(macOS 10.15, *)) {
+    NSFileManager *fm = [NSFileManager defaultManager];
+    if (![fm fileExistsAtPath:@"/Library/Extensions/santa-driver.kext"]) return YES;
+    NSNumber *number = self.configState[kEnableSystemExtension];
+    return number ? [number boolValue] : YES;
+  } else {
+    return NO;
+  }
+}
+
 #pragma mark Private
 
 ///
@@ -593,8 +611,9 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
 }
 
 - (void)startWatchingDefaults {
-  // Only santad should listen.
-  if (geteuid() != 0) return;
+  // Only com.google.santa.daemon should listen.
+  NSString *processName = [[NSProcessInfo processInfo] processName];
+  if (![processName isEqualToString:@"com.google.santa.daemon"]) return;
   [[NSNotificationCenter defaultCenter] addObserver:self
                                            selector:@selector(defaultsChanged:)
                                                name:NSUserDefaultsDidChangeNotification

Source/common/SNTLogging.m

@@ -39,20 +39,14 @@ void logMessage(LogLevel level, FILE *destination, NSString *format, ...) {
   dispatch_once(&pred, ^{
     binaryName = [[NSProcessInfo processInfo] processName];
 
-    if (@available(macOS 10.15, *)) {
-      if ([binaryName isEqualToString:@"com.google.santa.daemon"]) {
-        useSyslog = YES;
-        pthread_key_create(&syslogKey, syslogClientDestructor);
-      }
-    }
-
     // If debug logging is enabled, the process must be restarted.
     if ([[[NSProcessInfo processInfo] arguments] containsObject:@"--debug"]) {
       logLevel = LOG_LEVEL_DEBUG;
     }
 
     // If requested, redirect output to syslog.
-    if ([[[NSProcessInfo processInfo] arguments] containsObject:@"--syslog"]) {
+    if ([[[NSProcessInfo processInfo] arguments] containsObject:@"--syslog"] ||
+        [binaryName isEqualToString:@"com.google.santa.daemon"]) {
       useSyslog = YES;
       pthread_key_create(&syslogKey, syslogClientDestructor);
     }

Source/common/SNTXPCControlInterface.m

@@ -17,6 +17,8 @@
 #import <MOLCodesignChecker/MOLCodesignChecker.h>
 #import <MOLXPCConnection/MOLXPCConnection.h>
 
+#import "Source/common/SNTCommonEnums.h"
+#import "Source/common/SNTConfigurator.h"
 #import "Source/common/SNTRule.h"
 #import "Source/common/SNTStoredEvent.h"
 
@@ -25,7 +27,7 @@ NSString *const kBundleID = @"com.google.santa.daemon";
 @implementation SNTXPCControlInterface
 
 + (NSString *)serviceID {
-  if (@available(macOS 10.15, *)) {
+  if ([[SNTConfigurator configurator] enableSystemExtension]) {
     MOLCodesignChecker *cs = [[MOLCodesignChecker alloc] initWithSelf];
     // "teamid.com.google.santa.daemon.xpc"
     NSString *t = cs.signingInformation[@"teamid"];

Source/santa/SNTAppDelegate.m

@@ -16,8 +16,6 @@
 
 #import <MOLXPCConnection/MOLXPCConnection.h>
 
-#import <SystemExtensions/SystemExtensions.h>
-
 #import "Source/common/SNTConfigurator.h"
 #import "Source/common/SNTLogging.h"
 #import "Source/common/SNTStrengthify.h"
@@ -25,7 +23,7 @@
 #import "Source/santa/SNTAboutWindowController.h"
 #import "Source/santa/SNTNotificationManager.h"
 
-@interface SNTAppDelegate ()<OSSystemExtensionRequestDelegate>
+@interface SNTAppDelegate ()
 @property SNTAboutWindowController *aboutWindowController;
 @property SNTNotificationManager *notificationManager;
 @property MOLXPCConnection *daemonListener;
@@ -36,16 +34,6 @@
 #pragma mark App Delegate methods
 
 - (void)applicationDidFinishLaunching:(NSNotification *)aNotification {
-  if (@available(macOS 10.15, *)) {
-    LOGI(@"Requesting SystemExtension activation");
-    NSString *e = [SNTXPCControlInterface systemExtensionID];
-    dispatch_queue_t q = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0);
-    OSSystemExtensionRequest *req = [OSSystemExtensionRequest activationRequestForExtension:e
-                                                                                      queue:q];
-    req.delegate = self;
-    [[OSSystemExtensionManager sharedManager] submitRequest:req];
-  }
-
   [self setupMenu];
   self.notificationManager = [[SNTNotificationManager alloc] init];
 
@@ -135,33 +123,4 @@
   [NSApp setMainMenu:mainMenu];
 }
 
-#pragma mark OSSystemExtensionRequestDelegate
-
-- (OSSystemExtensionReplacementAction)request:(OSSystemExtensionRequest *)request
-                  actionForReplacingExtension:(OSSystemExtensionProperties *)old
-                                withExtension:(OSSystemExtensionProperties *)new
-    API_AVAILABLE(macos(10.15)) {
-  LOGI(@"SystemExtension \"%@\" request for replacement", request.identifier);
-#ifdef DEBUG
-  return OSSystemExtensionReplacementActionReplace;
-#else
-  return [old.bundleVersion isEqualToString:new.bundleVersion]
-      ? OSSystemExtensionReplacementActionCancel : OSSystemExtensionReplacementActionReplace;
-#endif
-}
-
-- (void)requestNeedsUserApproval:(OSSystemExtensionRequest *)request API_AVAILABLE(macos(10.15)) {
-  LOGI(@"SystemExtension \"%@\" request needs user approval", request.identifier);
-}
-
-- (void)request:(OSSystemExtensionRequest *)request
-    didFailWithError:(NSError *)error API_AVAILABLE(macos(10.15)) {
-  LOGI(@"SystemExtension \"%@\" request did fail: %@", request.identifier, error);
-}
-
-- (void)request:(OSSystemExtensionRequest *)request
-    didFinishWithResult:(OSSystemExtensionRequestResult)result API_AVAILABLE(macos(10.15)) {
-  LOGI(@"SystemExtension \"%@\" request did finish: %ld", request.identifier, (long)result);
-}
-
 @end

Source/santa/main.m

@@ -15,6 +15,7 @@
 #import <Cocoa/Cocoa.h>
 #import <SystemExtensions/SystemExtensions.h>
 
+#import "Source/common/SNTConfigurator.h"
 #import "Source/common/SNTXPCControlInterface.h"
 #import "Source/santa/SNTAppDelegate.h"
 
@@ -66,6 +67,10 @@ int main(int argc, const char *argv[]) {
         dispatch_queue_t q = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0);
         OSSystemExtensionRequest *req;
         if (sysxOperation.intValue == 1) {
+          if (![[SNTConfigurator configurator] enableSystemExtension]) {
+            NSLog(@"EnableSystemExtension is disabled");
+            exit(1);
+          }
           NSLog(@"Requesting SystemExtension activation");
           req = [OSSystemExtensionRequest activationRequestForExtension:e queue:q];
         } else if (sysxOperation.intValue == 2) {

Source/santa_driver/SantaCache.h

@@ -29,7 +29,6 @@
 #include <cstdio>
 #include <cstdlib>
 #include <cstring>
-// TODO(rah): Consider templatizing these.
 #define panic(args...) printf(args); printf("\n"); abort()
 #define IOMallocAligned(sz, alignment) malloc(sz);
 #define IOFreeAligned(addr, sz) free(addr)
@@ -78,6 +77,7 @@ template<typename KeyT, typename ValueT> class SantaCache {
     if (unlikely(per_bucket > 64)) per_bucket = 64;
     max_size_ = maximum_size;
     bucket_count_ = (1 << (32 - __builtin_clz((((uint32_t)max_size_ / per_bucket) - 1) ?: 1)));
+    if (unlikely(bucket_count_ > UINT32_MAX)) bucket_count_ = UINT32_MAX;
     buckets_ = (struct bucket *)IOMallocAligned(bucket_count_ * sizeof(struct bucket), 2);
     bzero(buckets_, bucket_count_ * sizeof(struct bucket));
   }
@@ -197,6 +197,11 @@ template<typename KeyT, typename ValueT> class SantaCache {
     if (per_bucket_counts == nullptr || array_size == nullptr || start_bucket == nullptr) return;
 
     uint64_t start = *start_bucket;
+    if (start >= bucket_count_) {
+      *start_bucket = 0;
+      return;
+    }
+
     uint16_t size = *array_size;
     if (start + size > bucket_count_) size = bucket_count_ - start;
 

Source/santa_driver/SantaCacheTest.mm

@@ -251,7 +251,7 @@ template<> uint64_t SantaCacheHasher<S>(S const& s) {
 }
 
 - (void)testStructKeys {
-  auto sut =  SantaCache<S, uint64_t>(10, 2);
+  auto sut = SantaCache<S, uint64_t>(10, 2);
 
   S s1 = {1024, 2048};
   S s2 = {4096, 8192};
@@ -265,4 +265,22 @@ template<> uint64_t SantaCacheHasher<S>(S const& s) {
   XCTAssertEqual(sut.get(s3), 30);
 }
 
+- (void)testBucketCounts {
+  auto sut = new SantaCache<uint64_t, uint64_t>(UINT16_MAX, 1);
+
+  // These tests verify that the bucket_counts() function can't be abused
+  // with integer {over,under}flow issues in the input or going out-of-bounds
+  // on the buckets array.
+  uint16_t size = 2048;
+  uint64_t start = (UINT64_MAX - 2047);
+  uint16_t per_bucket_counts[2048];
+  sut->bucket_counts(per_bucket_counts, &size, &start);
+  XCTAssertEqual(start, 0, @"Check a high start can't overflow");
+
+  size = UINT16_MAX;
+  start = UINT16_MAX - 1;
+  sut->bucket_counts(per_bucket_counts, &size, &start);
+  XCTAssertEqual(start, 0, @"Check a large size can't overflow");
+}
+
 @end

Source/santa_driver/SantaDecisionManager.cc

@@ -185,11 +185,17 @@ void SantaDecisionManager::SetLogPort(mach_port_t port) {
 }
 
 IOMemoryDescriptor *SantaDecisionManager::GetDecisionMemoryDescriptor() const {
-  return decision_dataqueue_->getMemoryDescriptor();
+  lck_mtx_lock(decision_dataqueue_lock_);
+  IOMemoryDescriptor *r = decision_dataqueue_->getMemoryDescriptor();
+  lck_mtx_unlock(decision_dataqueue_lock_);
+  return r;
 }
 
 IOMemoryDescriptor *SantaDecisionManager::GetLogMemoryDescriptor() const {
-  return log_dataqueue_->getMemoryDescriptor();
+  lck_mtx_lock(log_dataqueue_lock_);
+  IOMemoryDescriptor *r = log_dataqueue_->getMemoryDescriptor();
+  lck_mtx_unlock(log_dataqueue_lock_);
+  return r;
 }
 
 #pragma mark Listener Control

Source/santa_driver/SantaDriverClient.cc

@@ -293,7 +293,7 @@ IOReturn SantaDriverClient::externalMethod(
     { &SantaDriverClient::filemod_prefix_filter_reset, 0, 0, 0, 0 },
   };
 
-  if (selector > static_cast<UInt32>(kSantaUserClientNMethods)) {
+  if (selector >= static_cast<UInt32>(kSantaUserClientNMethods)) {
     return kIOReturnBadArgument;
   }
 

Source/santactl/Commands/SNTCommandStatus.m

@@ -84,10 +84,11 @@ REGISTER_COMMAND_NAME(@"status")
 
   BOOL fileLogging = ([[SNTConfigurator configurator] fileChangesRegex] != nil);
 
+  SNTConfigurator *configurator = [SNTConfigurator configurator];
+
   // Kext status
   __block uint64_t rootCacheCount = -1, nonRootCacheCount = -1;
-  if (@available(macOS 10.15, *)) {
-  } else {
+  if (![configurator enableSystemExtension]) {
     dispatch_group_enter(group);
     [[self.daemonConn remoteObjectProxy] cacheCounts:^(uint64_t rootCache, uint64_t nonRootCache) {
       rootCacheCount = rootCache;
@@ -205,8 +206,7 @@ REGISTER_COMMAND_NAME(@"status")
         @"transitive_whitelisting" : @(transitiveWhitelistingEnabled),
       },
     } mutableCopy];
-    if (@available(macOS 10.15, *)) {
-    } else {
+    if (![configurator enableSystemExtension]) {
       stats[@"kernel"] = @{
         @"root_cache_count" : @(rootCacheCount),
         @"non_root_cache_count": @(nonRootCacheCount),
@@ -224,8 +224,7 @@ REGISTER_COMMAND_NAME(@"status")
     printf("  %-25s | %s\n", "File Logging", (fileLogging ? "Yes" : "No"));
     printf("  %-25s | %lld  (Peak: %.2f%%)\n", "Watchdog CPU Events", cpuEvents, cpuPeak);
     printf("  %-25s | %lld  (Peak: %.2fMB)\n", "Watchdog RAM Events", ramEvents, ramPeak);
-    if (@available(macOS 10.15, *)) {
-    } else {
+    if (![configurator enableSystemExtension]) {
       printf(">>> Kernel Info\n");
       printf("  %-25s | %lld\n", "Root cache count", rootCacheCount);
       printf("  %-25s | %lld\n", "Non-root cache count", nonRootCacheCount);

Source/santactl/Commands/SNTCommandVersion.m

@@ -17,6 +17,7 @@
 #import <MOLXPCConnection/MOLXPCConnection.h>
 
 #import "Source/common/SNTCommonEnums.h"
+#import "Source/common/SNTConfigurator.h"
 #import "Source/common/SNTFileInfo.h"
 #import "Source/common/SNTKernelCommon.h"
 #import "Source/santactl/SNTCommand.h"
@@ -70,7 +71,7 @@ REGISTER_COMMAND_NAME(@"version")
 }
 
 - (NSString *)santaKextVersion {
-  if (@available(macOS 10.15, *)) {
+  if ([[SNTConfigurator configurator] enableSystemExtension]) {
     return @"un-needed (SystemExtension being used)";
   }
 

Source/santactl/Commands/sync/SNTCommandSync.m

@@ -38,8 +38,9 @@ REGISTER_COMMAND_NAME(@"sync")
   return YES;
 }
 
+// Connect to santad while we are root, so that we pass the XPC authentication.
 + (BOOL)requiresDaemonConn {
-  return NO;
+  return YES;
 }
 
 + (NSString *)shortHelpText {
@@ -55,9 +56,6 @@ REGISTER_COMMAND_NAME(@"sync")
 }
 
 - (void)runWithArguments:(NSArray *)arguments {
-  // Connect to santad while we are root, so that we pass the XPC authentication
-  [self.daemonConn resume];
-
   // Ensure we have no privileges
   if (!DropRootPrivileges()) {
     LOGE(@"Failed to drop root privileges. Exiting.");

Source/santactl/Commands/sync/SNTCommandSyncRuleDownload.m

@@ -82,7 +82,8 @@
     NSDictionary *requestDict = cursor ? @{kCursor : cursor} : @{};
     NSDictionary *response = [self performRequest:[self requestWithDictionary:requestDict]];
 
-    if (![response isKindOfClass:[NSDictionary class]]) {
+    if (![response isKindOfClass:[NSDictionary class]] ||
+        ![response[kRules] isKindOfClass:[NSArray class]]) {
       return nil;
     }
 

Source/santad/EventProviders/SNTDriverManager.m

@@ -310,6 +310,8 @@ static void driverAppearedHandler(void *info, io_iterator_t iterator) {
 }
 
 - (void)fileModificationPrefixFilterAdd:(NSArray *)filters {
+  while (!self.connectionEstablished) usleep(100000); // 100ms
+
   uint64_t n = 0;
   uint32_t n_len = 1;
 
@@ -334,6 +336,8 @@ static void driverAppearedHandler(void *info, io_iterator_t iterator) {
         LOGE(@"Prefix filter tree is full!");
         return;
       }
+    } else {
+      LOGI(@"Added prefix filter: %s", buffer);
     }
   }
 }

Source/santad/SNTApplication.m

@@ -54,8 +54,11 @@
 - (instancetype)init {
   self = [super init];
   if (self) {
+    SNTConfigurator *configurator = [SNTConfigurator configurator];
+
+    // Choose an event logger.
     // Locate and connect to driver / SystemExtension
-    if (@available(macOS 10.15, *)) {
+    if ([configurator enableSystemExtension]) {
       LOGI(@"Using EndpointSecurity as event provider.");
       _eventProvider = [[SNTEndpointSecurityManager alloc] init];
     } else {
@@ -80,8 +83,7 @@
       return nil;
     }
 
-    // Choose an event logger.
-    SNTConfigurator *configurator = [SNTConfigurator configurator];
+
     switch ([configurator eventLogType]) {
       case SNTEventLogTypeSyslog:
         _eventLog = [[SNTSyslogEventLog alloc] init];
@@ -91,12 +93,14 @@
         break;
     }
 
-    // The filter is reset when santad disconnects from the driver.
-    // Add the default filters.
-    [_eventProvider fileModificationPrefixFilterAdd:@[ @"/.", @"/dev/" ]];
+    dispatch_async(dispatch_get_global_queue(QOS_CLASS_BACKGROUND, 0), ^{
+      // The filter is reset when santad disconnects from the driver.
+      // Add the default filters.
+      [self.eventProvider fileModificationPrefixFilterAdd:@[ @"/.", @"/dev/" ]];
 
-    // TODO(bur): Add KVO handling for fileChangesPrefixFilters.
-    [_eventProvider fileModificationPrefixFilterAdd:[configurator fileChangesPrefixFilters]];
+      // TODO(bur): Add KVO handling for fileChangesPrefixFilters.
+      [self.eventProvider fileModificationPrefixFilterAdd:[configurator fileChangesPrefixFilters]];
+    });
 
     self.notQueue = [[SNTNotificationQueue alloc] init];
     SNTSyncdQueue *syncdQueue = [[SNTSyncdQueue alloc] init];
@@ -124,6 +128,12 @@
                    forKeyPath:NSStringFromSelector(@selector(blacklistPathRegex))
                       options:bits
                       context:NULL];
+    if (![configurator enableSystemExtension]) {
+      [configurator addObserver:self
+                     forKeyPath:NSStringFromSelector(@selector(enableSystemExtension))
+                        options:bits
+                        context:NULL];
+    }
 
     // Establish XPC listener for Santa and santactl connections
     SNTDaemonControlController *dc =
@@ -310,6 +320,14 @@ void diskDisappearedCallback(DADiskRef disk, void *context) {
       LOGI(@"Changed [white|black]list regex, flushing cache");
       [self.eventProvider flushCacheNonRootOnly:NO];
     }
+  } else if ([keyPath isEqualToString:NSStringFromSelector(@selector(enableSystemExtension))]) {
+    BOOL new = [change[newKey] isKindOfClass:[NSNumber class]] ? [change[newKey] boolValue] : NO;
+    BOOL old = [change[oldKey] isKindOfClass:[NSNumber class]] ? [change[oldKey] boolValue] : NO;
+    if (old == NO && new == YES) {
+      LOGI(@"EnableSystemExtension changed NO -> YES");
+      LOGI(@"The penultimate exit.");
+      exit(0);
+    }
   }
 }
 

Source/santad/main.m

@@ -15,6 +15,7 @@
 #import <Foundation/Foundation.h>
 
 #import "Source/common/SNTCommonEnums.h"
+#import "Source/common/SNTConfigurator.h"
 #import "Source/common/SNTLogging.h"
 #import "Source/santad/EventProviders/SNTDriverManager.h"
 #import "Source/santad/SNTApplication.h"
@@ -95,11 +96,21 @@ void cleanup() {
   [fm removeItemAtPath:@"/Library/LaunchDaemons/com.google.santad.plist" error:NULL];
   [SNTDriverManager unloadDriver];
   [fm removeItemAtPath:@"/Library/Extensions/santa-driver.kext" error:NULL];
+
+  LOGI(@"loading com.google.santa.daemon as a SystemExtension");
   NSTask *t = [[NSTask alloc] init];
+  t.launchPath = [@(kSantaAppPath) stringByAppendingString:@"/Contents/MacOS/Santa"];
+  t.arguments = @[ @"--load-system-extension" ];
+  [t launch];
+  [t waitUntilExit];
+
+  t = [[NSTask alloc] init];
   t.launchPath = @"/bin/launchctl";
   t.arguments = @[ @"remove", @"com.google.santad" ];
   [t launch];
   [t waitUntilExit];
+
+  // This exit will likely never be called because the above launchctl command kill us.
   exit(0);
 }
 
@@ -119,7 +130,7 @@ int main(int argc, const char *argv[]) {
     LOGI(@"Started, version %@", infoDict[@"CFBundleVersion"]);
 
     // Handle the case of macOS < 10.15 updating to >= 10.15.
-    if (@available(macOS 10.15, *)) {
+    if ([[SNTConfigurator configurator] enableSystemExtension]) {
       if ([pi.arguments.firstObject isEqualToString:@(kSantaDPath)]) cleanup();
     }
 

version.bzl

@@ -1,3 +1,3 @@
 """The version for all Santa components."""
 
-SANTA_VERSION = "1.1"
+SANTA_VERSION = "1.13"