santa-driver: Fix some new Xcode 12 warnings (#502)

The ossharedptr-misuse warning is generated from within system headers and I couldn't
find a simple way to prevent that other than disabling the warning entirely. We don't
use OSSharedPtr directly anyway.

README.md

@@ -154,8 +154,8 @@ protect hosts in whatever other ways you see fit.
 A tool like Santa doesn't really lend itself to screenshots, so here's a video
 instead.
 
-<p align="center"> <img src="https://zippy.gfycat.com/MadFatalAmphiuma.gif"
-alt="Santa Block Video" /> </p>
+
+<p align="center"> <img src="https://thumbs.gfycat.com/MadFatalAmphiuma-small.gif" alt="Santa Block Video" /> </p>
 
 # Kext Signing
 Kernel extensions on macOS 10.9 and later must be signed using an Apple-provided

Source/common/BUILD

@@ -10,6 +10,7 @@ objc_library(
     hdrs = ["SNTBlockMessage.h"],
     deps = [
         ":SNTConfigurator",
+        ":SNTLogging",
         ":SNTStoredEvent",
     ],
 )
@@ -21,6 +22,7 @@ objc_library(
     defines = ["SANTAGUI"],
     deps = [
         ":SNTConfigurator",
+        ":SNTLogging",
         ":SNTStoredEvent",
     ],
 )
@@ -46,7 +48,6 @@ objc_library(
     hdrs = ["SNTConfigurator.h"],
     deps = [
         ":SNTCommonEnums",
-        ":SNTLogging",
         ":SNTStrengthify",
         ":SNTSystemInfo",
     ],
@@ -82,6 +83,7 @@ objc_library(
     name = "SNTLogging",
     srcs = ["SNTLogging.m"],
     hdrs = ["SNTLogging.h"],
+    deps = [":SNTConfigurator"],
 )
 
 cc_library(

Source/common/SNTBlockMessage.m

@@ -17,6 +17,7 @@
 #import "Source/common/SNTConfigurator.h"
 #import "Source/common/SNTLogging.h"
 #import "Source/common/SNTStoredEvent.h"
+#import "Source/common/SNTSystemInfo.h"
 
 @implementation SNTBlockMessage
 
@@ -106,6 +107,9 @@
 + (NSURL *)eventDetailURLForEvent:(SNTStoredEvent *)event {
   SNTConfigurator *config = [SNTConfigurator configurator];
 
+  NSString *hostname = [SNTSystemInfo longHostname];
+  NSString *uuid = [SNTSystemInfo hardwareUUID];
+  NSString *serial = [SNTSystemInfo serialNumber];
   NSString *formatStr = config.eventDetailURL;
   if (!formatStr.length) return nil;
 
@@ -122,6 +126,18 @@
     formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%machine_id%"
                                                      withString:config.machineID];
   }
+  if (hostname.length) {
+    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%hostname%"
+                                                     withString:hostname];
+  }
+  if (uuid.length) {
+    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%uuid%"
+                                                     withString:uuid];
+  }
+  if (serial.length) {
+    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%serial%"
+                                                     withString:serial];
+  }
 
   return [NSURL URLWithString:formatStr];
 }

Source/common/SNTConfigurator.h

@@ -191,6 +191,9 @@
 ///  %file_sha%    -- SHA-256 of the file that was blocked.
 ///  %machine_id%  -- ID of the machine.
 ///  %username%    -- executing user.
+///  %serial%      -- System's serial number.
+///  %uuid%        -- System's UUID.
+///  %hostname%    -- System's full hostname.
 ///
 ///  @note: This is not an NSURL because the format-string parsing is done elsewhere.
 ///
@@ -317,6 +320,17 @@
 ///
 @property(readonly, nonatomic) BOOL enableForkAndExitLogging;
 
+///
+///  If true, ignore actions from other endpoint security clients. Defaults to false. This only applies when running as a sysx.
+///
+@property(readonly, nonatomic) BOOL ignoreOtherEndpointSecurityClients;
+
+///
+///  If true, debug logging will be enabled for all Santa components. Defaults to false.
+///  Passing --debug as an executable argument will enable debug logging for that specific component.
+///
+@property(readonly, nonatomic) BOOL enableDebugLogging;
+
 ///
 ///  Retrieve an initialized singleton configurator object using the default file path.
 ///

Source/common/SNTConfigurator.m

@@ -16,7 +16,6 @@
 
 #include <sys/stat.h>
 
-#import "Source/common/SNTLogging.h"
 #import "Source/common/SNTStrengthify.h"
 #import "Source/common/SNTSystemInfo.h"
 
@@ -24,13 +23,16 @@
 /// A NSUserDefaults object set to use the com.google.santa suite.
 @property(readonly, nonatomic) NSUserDefaults *defaults;
 
-// Keys and expected value types.
+/// Keys and expected value types.
 @property(readonly, nonatomic) NSDictionary *syncServerKeyTypes;
 @property(readonly, nonatomic) NSDictionary *forcedConfigKeyTypes;
 
 /// Holds the configurations from a sync server and mobileconfig.
 @property NSMutableDictionary *syncState;
 @property NSMutableDictionary *configState;
+
+/// Was --debug passed as an argument to this process?
+@property(readonly, nonatomic) BOOL debugFlag;
 @end
 
 @implementation SNTConfigurator
@@ -79,6 +81,9 @@ static NSString *const kEnableMachineIDDecoration = @"EnableMachineIDDecoration"
 static NSString *const kEnableSystemExtension = @"EnableSystemExtension";
 
 static NSString *const kEnableForkAndExitLogging = @"EnableForkAndExitLogging";
+static NSString *const kIgnoreOtherEndpointSecurityClients = @"IgnoreOtherEndpointSecurityClients";
+static NSString *const kEnableDebugLogging = @"EnableDebugLogging";
+
 
 // The keys managed by a sync server or mobileconfig.
 static NSString *const kClientModeKey = @"ClientMode";
@@ -152,11 +157,14 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
       kEnableMachineIDDecoration : number,
       kEnableSystemExtension : number,
       kEnableForkAndExitLogging : number,
+      kIgnoreOtherEndpointSecurityClients : number,
+      kEnableDebugLogging: number,
     };
     _defaults = [NSUserDefaults standardUserDefaults];
     [_defaults addSuiteNamed:@"com.google.santa"];
     _configState = [self readForcedConfig];
     _syncState = [self readSyncStateFromDisk] ?: [NSMutableDictionary dictionary];
+    _debugFlag = [[NSProcessInfo processInfo].arguments containsObject:@"--debug"];
     [self startWatchingDefaults];
   }
   return self;
@@ -326,6 +334,14 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
   return [self configStateSet];
 }
 
++ (NSSet *)keyPathsForValuesAffectingIgnoreOtherEndpointSecurityClients {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingEnableDebugLogging {
+  return [self configStateSet];
+}
+
 #pragma mark Public Interface
 
 - (SNTClientMode)clientMode {
@@ -345,8 +361,6 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
 - (void)setSyncServerClientMode:(SNTClientMode)newMode {
   if (newMode == SNTClientModeMonitor || newMode == SNTClientModeLockdown) {
     [self updateSyncStateForKey:kClientModeKey value:@(newMode)];
-  } else {
-    LOGW(@"Ignoring request to change client mode to %ld", newMode);
   }
 }
 
@@ -409,7 +423,6 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
   NSArray *filters = self.configState[kFileChangesPrefixFiltersKey];
   for (id filter in filters) {
     if (![filter isKindOfClass:[NSString class]]) {
-      LOGE(@"Ignoring FileChangesPrefixFilters: array contains a non-string %@", filter);
       return nil;
     }
   }
@@ -420,7 +433,6 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
   NSString *urlString = self.configState[kSyncBaseURLKey];
   if (![urlString hasSuffix:@"/"]) urlString = [urlString stringByAppendingString:@"/"];
   NSURL *url = [NSURL URLWithString:urlString];
-  if (urlString && !url) LOGW(@"SyncBaseURL is not a valid URL!");
   return url;
 }
 
@@ -570,6 +582,16 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
   return number ? [number boolValue] : NO;
 }
 
+- (BOOL)ignoreOtherEndpointSecurityClients {
+  NSNumber *number = self.configState[kIgnoreOtherEndpointSecurityClients];
+  return number ? [number boolValue] : NO;
+}
+
+- (BOOL)enableDebugLogging {
+  NSNumber *number = self.configState[kEnableDebugLogging];
+  return [number boolValue] || self.debugFlag;
+}
+
 #pragma mark Private
 
 ///

Source/common/SNTLogging.m

@@ -14,6 +14,8 @@
 
 #import "Source/common/SNTLogging.h"
 
+#import "Source/common/SNTConfigurator.h"
+
 #import <asl.h>
 #import <pthread.h>
 
@@ -39,8 +41,7 @@ void logMessage(LogLevel level, FILE *destination, NSString *format, ...) {
   dispatch_once(&pred, ^{
     binaryName = [[NSProcessInfo processInfo] processName];
 
-    // If debug logging is enabled, the process must be restarted.
-    if ([[[NSProcessInfo processInfo] arguments] containsObject:@"--debug"]) {
+    if ([SNTConfigurator configurator].enableDebugLogging) {
       logLevel = LOG_LEVEL_DEBUG;
     }
 

Source/santa/BUILD

@@ -35,6 +35,7 @@ objc_library(
     deps = [
         "//Source/common:SNTBlockMessage_SantaGUI",
         "//Source/common:SNTConfigurator",
+        "//Source/common:SNTLogging",
         "//Source/common:SNTXPCControlInterface",
         "//Source/common:SNTXPCNotifierInterface",
         "@MOLCodesignChecker",

Source/santa_driver/BUILD

@@ -23,6 +23,7 @@ cc_library(
     copts = [
         "-mkernel",
         "-fapple-kext",
+        "-Wno-ossharedptr-misuse",
         "-I__BAZEL_XCODE_SDKROOT__/System/Library/Frameworks/Kernel.framework/Headers",
     ],
     defines = [

Source/santa_driver/SantaDecisionManager.cc

@@ -616,7 +616,7 @@ int SantaDecisionManager::VnodeCallback(const kauth_cred_t cred,
         pid_t pid = proc_pid(proc);
         pid_t ppid = proc_ppid(proc);
         // pid_t is 32-bit; pid is in upper 32 bits, ppid in lower.
-        uint64_t val = ((uint64_t)pid << 32) | (ppid & 0xFFFFFFFF);
+        uint64_t val = ((uint64_t)pid << 32) | ((uint64_t)ppid & 0xFFFFFFFF);
         vnode_pid_map_->set(vnode_id, val);
         if (returnedAction == ACTION_RESPOND_ALLOW_COMPILER && ppid != 0) {
           // Do some additional bookkeeping for compilers:
@@ -674,8 +674,8 @@ void SantaDecisionManager::FileOpCallback(
     uint64_t val = vnode_pid_map_->get(vnode_id);
     if (val) {
       // pid_t is 32-bit, so pid is in upper 32 bits, ppid in lower.
-      message->pid = (val >> 32);
-      message->ppid = (val & ~0xFFFFFFFF00000000);
+      message->pid = (pid_t)(val >> 32);
+      message->ppid = (pid_t)(val & ~0xFFFFFFFF00000000);
     }
 
     PostToLogQueue(message);
@@ -816,7 +816,7 @@ extern "C" int vnode_scope_callback(
   // We only care about regular files.
   if (vnode_vtype(vp) != VREG) return KAUTH_RESULT_DEFER;
 
-  if ((action & KAUTH_VNODE_EXECUTE) && !(action & KAUTH_VNODE_ACCESS)) {  // NOLINT
+  if ((action & (int)KAUTH_VNODE_EXECUTE) && !(action & (int)KAUTH_VNODE_ACCESS)) {
     sdm->IncrementListenerInvocations();
     int result = sdm->VnodeCallback(credential,
                                     reinterpret_cast<vfs_context_t>(arg0),
@@ -824,9 +824,9 @@ extern "C" int vnode_scope_callback(
                                     reinterpret_cast<int *>(arg3));
     sdm->DecrementListenerInvocations();
     return result;
-  } else if (action & KAUTH_VNODE_WRITE_DATA || action & KAUTH_VNODE_APPEND_DATA) {
+  } else if (action & (int)KAUTH_VNODE_WRITE_DATA || action & (int)KAUTH_VNODE_APPEND_DATA) {
     sdm->IncrementListenerInvocations();
-    if (!(action & KAUTH_VNODE_ACCESS)) {  // NOLINT
+    if (!(action & (int)KAUTH_VNODE_ACCESS)) {
       auto vnode_id = sdm->GetVnodeIDForVnode(reinterpret_cast<vfs_context_t>(arg0), vp);
       sdm->RemoveFromCache(vnode_id);
     }

Source/santactl/Commands/SNTCommandRule.m

@@ -96,13 +96,13 @@ REGISTER_COMMAND_NAME(@"rule")
   for (NSUInteger i = 0; i < arguments.count; ++i) {
     NSString *arg = arguments[i];
 
-    if ([arg caseInsensitiveCompare:@"--allowlist"] == NSOrderedSame ||
+    if ([arg caseInsensitiveCompare:@"--allow"] == NSOrderedSame ||
         [arg caseInsensitiveCompare:@"--whitelist"] == NSOrderedSame) {
       newRule.state = SNTRuleStateAllow;
-    } else if ([arg caseInsensitiveCompare:@"--blocklist"] == NSOrderedSame ||
+    } else if ([arg caseInsensitiveCompare:@"--block"] == NSOrderedSame ||
                [arg caseInsensitiveCompare:@"--blacklist"] == NSOrderedSame) {
       newRule.state = SNTRuleStateBlock;
-    } else if ([arg caseInsensitiveCompare:@"--silent-blocklist"] == NSOrderedSame ||
+    } else if ([arg caseInsensitiveCompare:@"--silent-block"] == NSOrderedSame ||
                [arg caseInsensitiveCompare:@"--silent-blacklist"] == NSOrderedSame) {
       newRule.state = SNTRuleStateSilentBlock;
     } else if ([arg caseInsensitiveCompare:@"--compiler"] == NSOrderedSame) {

Source/santactl/Commands/sync/SNTCommandSyncConstants.h

@@ -37,6 +37,7 @@ extern NSString *const kBinaryRuleCount;
 extern NSString *const kCertificateRuleCount;
 extern NSString *const kCompilerRuleCount;
 extern NSString *const kTransitiveRuleCount;
+extern NSString *const kFullSyncInterval;
 extern NSString *const kFCMToken;
 extern NSString *const kFCMFullSyncInterval;
 extern NSString *const kFCMGlobalRuleSyncDeadline;

Source/santactl/Commands/sync/SNTCommandSyncConstants.m

@@ -37,6 +37,7 @@ NSString *const kBinaryRuleCount = @"binary_rule_count";
 NSString *const kCertificateRuleCount = @"certificate_rule_count";
 NSString *const kCompilerRuleCount = @"compiler_rule_count";
 NSString *const kTransitiveRuleCount = @"transitive_rule_count";
+NSString *const kFullSyncInterval = @"full_sync_interval";
 NSString *const kFCMToken = @"fcm_token";
 NSString *const kFCMFullSyncInterval = @"fcm_full_sync_interval";
 NSString *const kFCMGlobalRuleSyncDeadline = @"fcm_global_rule_sync_deadline";

Source/santactl/Commands/sync/SNTCommandSyncManager.m

@@ -55,6 +55,8 @@ static NSString *const kFCMTargetHostIDKey = @"target_host_id";
 // allowlistNotificationQueue is used to serialize access to the allowlistNotifications dictionary.
 @property(nonatomic) NSOperationQueue *allowlistNotificationQueue;
 
+@property NSUInteger fullSyncInterval;
+
 @property NSUInteger FCMFullSyncInterval;
 @property NSUInteger FCMGlobalRuleSyncDeadline;
 @property NSUInteger eventBatchSize;
@@ -122,6 +124,7 @@ static void reachabilityHandler(
     _allowlistNotificationQueue = [[NSOperationQueue alloc] init];
     _allowlistNotificationQueue.maxConcurrentOperationCount = 1;  // make this a serial queue
 
+    _fullSyncInterval = kDefaultFullSyncInterval;
     _eventBatchSize = kDefaultEventBatchSize;
     _FCMFullSyncInterval = kDefaultFCMFullSyncInterval;
     _FCMGlobalRuleSyncDeadline = kDefaultFCMGlobalRuleSyncDeadline;
@@ -350,10 +353,11 @@ static void reachabilityHandler(
       self.FCMGlobalRuleSyncDeadline = syncState.FCMGlobalRuleSyncDeadline;
       [self listenForPushNotificationsWithSyncState:syncState];
     } else if (syncState.daemon) {
-      LOGD(@"FCMToken not provided. Sync every %lu min.", kDefaultFullSyncInterval / 60);
+      LOGD(@"FCMToken not provided. Sync every %lu min.", syncState.fullSyncInterval / 60);
       [self.FCMClient disconnect];
       self.FCMClient = nil;
-      [self rescheduleTimerQueue:self.fullSyncTimer secondsFromNow:kDefaultFullSyncInterval];
+      self.fullSyncInterval = syncState.fullSyncInterval;
+      [self rescheduleTimerQueue:self.fullSyncTimer secondsFromNow:self.fullSyncInterval];
     }
 
     return [self eventUploadWithSyncState:syncState];

Source/santactl/Commands/sync/SNTCommandSyncPreflight.m

@@ -105,12 +105,17 @@
   self.syncState.FCMToken = resp[kFCMToken];
 
   // Don't let these go too low
-  NSUInteger value = [resp[kFCMFullSyncInterval] unsignedIntegerValue];
+  NSUInteger FCMIntervalValue = [resp[kFCMFullSyncInterval] unsignedIntegerValue];
   self.syncState.FCMFullSyncInterval =
-      (value < kDefaultFullSyncInterval) ? kDefaultFCMFullSyncInterval : value;
-  value = [resp[kFCMGlobalRuleSyncDeadline] unsignedIntegerValue];
+      (FCMIntervalValue < kDefaultFullSyncInterval) ? kDefaultFCMFullSyncInterval : FCMIntervalValue;
+  FCMIntervalValue = [resp[kFCMGlobalRuleSyncDeadline] unsignedIntegerValue];
   self.syncState.FCMGlobalRuleSyncDeadline =
-      (value < 60) ?  kDefaultFCMGlobalRuleSyncDeadline : value;
+      (FCMIntervalValue < 60) ?  kDefaultFCMGlobalRuleSyncDeadline : FCMIntervalValue;
+
+  // Check if our sync interval has changed
+  NSUInteger intervalValue = [resp[kFullSyncInterval] unsignedIntegerValue];
+  self.syncState.fullSyncInterval =
+      (intervalValue < 60) ? kDefaultFullSyncInterval : intervalValue;
 
   if ([resp[kClientMode] isEqual:kClientModeMonitor]) {
     self.syncState.clientMode = SNTClientModeMonitor;

Source/santactl/Commands/sync/SNTCommandSyncState.h

@@ -35,6 +35,10 @@
 /// An XSRF token to send in the headers with each request.
 @property NSString *xsrfToken;
 
+/// Full sync interval in seconds without FCM to update kDefaultFullSyncInterval => when FCM
+/// is not used, defaults to 10m.
+@property NSUInteger fullSyncInterval;
+
 /// An FCM token to subscribe to push notifications.
 @property(copy) NSString *FCMToken;
 

Source/santad/EventProviders/SNTEndpointSecurityManager.mm

@@ -77,10 +77,20 @@
 
     es_client_t *client = NULL;
     es_new_client_result_t ret = es_new_client(&client, ^(es_client_t *c, const es_message_t *m) {
+      pid_t pid = audit_token_to_pid(m->process->audit_token);
+
+      // If enabled, skip any action generated from another endpoint security client.
+      if (m->process->is_es_client && config.ignoreOtherEndpointSecurityClients) {
+        if (m->action_type == ES_ACTION_TYPE_AUTH) {
+          es_respond_auth_result(self.client, m, ES_AUTH_RESULT_ALLOW, true);
+        }
+        LOGD(@"Skipping action from es_client pid: %d", pid);
+        return;
+      }
+
       // Perform the following checks on this serial queue.
       // Some checks are simple filters that avoid copying m.
       // However, the bulk of the work done here is to support transitive whitelisting.
-      pid_t pid = audit_token_to_pid(m->process->audit_token);
       switch (m->event_type) {
         case ES_EVENT_TYPE_NOTIFY_EXEC: {
           // Deny results are currently logged when ES_EVENT_TYPE_AUTH_EXEC posts a deny.
@@ -279,6 +289,7 @@
            audit_token_to_pid(m->process->audit_token) != self.selfPID) {
         LOGW(@"Preventing attempt to delete Santa databases!");
         es_respond_auth_result(self.client, m, ES_AUTH_RESULT_DENY, true);
+        return;
       }
       es_respond_auth_result(self.client, m, ES_AUTH_RESULT_ALLOW, true);
       return;
@@ -294,6 +305,20 @@
            audit_token_to_pid(m->process->audit_token) != self.selfPID) {
         LOGW(@"Preventing attempt to rename Santa databases!");
         es_respond_auth_result(self.client, m, ES_AUTH_RESULT_DENY, true);
+        return;
+      }
+      es_respond_auth_result(self.client, m, ES_AUTH_RESULT_ALLOW, true);
+      return;
+    }
+    case ES_EVENT_TYPE_AUTH_KEXTLOAD: {
+      es_string_token_t identifier = m->event.kextload.identifier;
+      NSString *ident = [[NSString alloc] initWithBytes:identifier.data
+                                                 length:identifier.length
+                                               encoding:NSUTF8StringEncoding];
+      if ([ident isEqualToString:@"com.google.santa-driver"]) {
+        LOGW(@"Preventing attempt to load Santa kext!");
+        es_respond_auth_result(self.client, m, ES_AUTH_RESULT_DENY, true);
+        return;
       }
       es_respond_auth_result(self.client, m, ES_AUTH_RESULT_ALLOW, true);
       return;
@@ -373,10 +398,14 @@
     ES_EVENT_TYPE_AUTH_EXEC,
     ES_EVENT_TYPE_AUTH_UNLINK,
     ES_EVENT_TYPE_AUTH_RENAME,
+    ES_EVENT_TYPE_AUTH_KEXTLOAD,
+
+    // This is in the decision callback because it's used for detecting
+    // the exit of a 'compiler' used by transitive whitelisting.
     ES_EVENT_TYPE_NOTIFY_EXIT,
   };
   es_return_t sret = es_subscribe(self.client, events, sizeof(events) / sizeof(es_event_type_t));
-  if (sret != ES_RETURN_SUCCESS) LOGE(@"Unable to subscribe ES_EVENT_TYPE_AUTH_EXEC: %d", sret);
+  if (sret != ES_RETURN_SUCCESS) LOGE(@"Unable to subscribe to auth events: %d", sret);
 
   // There's a gap between creating a client and subscribing to events. Creating the client
   // triggers a cache flush automatically but any events that happen in this gap could be allowed
@@ -397,7 +426,7 @@
     ES_EVENT_TYPE_NOTIFY_FORK,
   };
   es_return_t sret = es_subscribe(self.client, events, sizeof(events) / sizeof(es_event_type_t));
-  if (sret != ES_RETURN_SUCCESS) LOGE(@"Unable to subscribe ES_EVENT_TYPE_NOTIFY_EXEC: %d", sret);
+  if (sret != ES_RETURN_SUCCESS) LOGE(@"Unable to subscribe to notify events: %d", sret);
 }
 
 - (int)postAction:(santa_action_t)action forMessage:(santa_message_t)sm

WORKSPACE

@@ -8,7 +8,7 @@ load("@bazel_tools//tools/build_defs/repo:git.bzl",
 git_repository(
     name = "build_bazel_rules_apple",
     remote = "https://github.com/bazelbuild/rules_apple.git",
-    tag = "0.19.0",
+    tag = "0.20.0",
 )
 
 load("@build_bazel_rules_apple//apple:repositories.bzl", "apple_rules_dependencies")
@@ -19,7 +19,7 @@ apple_rules_dependencies()
 git_repository(
     name = "MOLAuthenticatingURLSession",
     remote = "https://github.com/google/macops-molauthenticatingurlsession.git",
-    tag = "v2.8",
+    tag = "v2.9",
 )
 
 git_repository(

docs/deployment/configuration.md

@@ -52,6 +52,9 @@ This property contains a kind of format string to be turned into the URL to send
 | %file_sha%   | SHA-256 of the file that was blocked     |
 | %machine_id% | ID of the machine                        |
 | %username%   | The executing user                       |
+| %serial%     | System's serial number                   |
+| %uuid%       | System's UUID                            |
+| %hostname%   | System's full hostname                   |
 
 For example: `https://sync-server-hostname/%machine_id%/%file_sha%`
 
@@ -167,6 +170,7 @@ Configuration profiles have a `.mobileconfig` file extension. There are many way
 | upload_logs_url**              | String     | If set, the endpoint to send Santa's current logs. No default. |
 | allowed_path_regex             | String     | Same as the "Local Configuration" AllowedPathRegex. No default. |
 | blocked_path_regex             | String     | Same as the "Local Configuration" BlockedPathRegex. No default. |
+| full_sync_interval*            | Integer    | The max time to wait before performing a full sync with the server. Defaults to 600 secs (10 minutes) if not set. |
 | fcm_token*                     | String     | The FCM token used by Santa to listen for FCM messages. Unique for every machine. No default. |
 | fcm_full_sync_interval*        | Integer    | The full sync interval if a fcm_token is set. Defaults to  14400 secs (4 hours). |
 | fcm_global_rule_sync_deadline* | Integer    | The max time to wait before performing a rule sync when a global rule sync FCM message is received. This allows syncing to be staggered for global events to avoid spikes in server load. Defaults to 600 secs (10 min). |

version.bzl

@@ -1,3 +1,3 @@
 """The version for all Santa components."""
 
-SANTA_VERSION = "1.14"
+SANTA_VERSION = "1.15"