santactl sync: add config option to enable legacy zlib content encoding (#522)

* fix SNTLoggingKernel BUILD rule (#518)

* release: split out santa-driver.kext

* release: update ci

* remove ipa script rule

* update ci

.github/workflows/ci.yml

@@ -0,0 +1,25 @@
+name: CI
+on:
+  push:
+    paths-ignore:
+      - 'docs/**'
+    branches:
+      - '*'
+  pull_request:
+    paths-ignore:
+      - 'docs/**'
+    branches:
+      - main
+
+jobs:
+  build:
+    runs-on: macos-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Build Userspace
+      run: bazel build --apple_generate_dsym -c opt :release
+    - name: Build Driver
+      run: bazel build --apple_generate_dsym -c opt :release_driver
+    - name: Test
+      run: bazel test :unit_tests

.travis.yml

@@ -1,15 +0,0 @@
----
-os: osx
-osx_image: xcode11
-language: objective-c
-sudo: false
-
-addons:
-  homebrew:
-    taps: bazelbuild/tap
-    packages: bazelbuild/tap/bazel
-    update: true
-
-script:
- - bazel build :release --show_progress_rate_limit=30.0 -c opt --apple_generate_dsym --color=no --verbose_failures --sandbox_debug
- - bazel test :unit_tests --show_progress_rate_limit=30.0 --test_output=errors --color=no --verbose_failures --sandbox_debug

BUILD

@@ -78,7 +78,6 @@ genrule(
     name = "release",
     srcs = [
         "//Source/santa:Santa",
-        "//Source/santa_driver",
         "Conf/install.sh",
         "Conf/uninstall.sh",
         "Conf/com.google.santa.bundleservice.plist",
@@ -97,9 +96,9 @@ genrule(
         echo "Please add '-c opt' flag to bazel invocation"
         """,
         ":opt_build": """
-      # Extract santa_driver.zip and Santa.zip
+      # Extract Santa.zip
       for SRC in $(SRCS); do
-        if [ "$$(basename $${SRC})" == "santa_driver.zip" -o "$$(basename $${SRC})" == "Santa.zip" ]; then
+        if [ "$$(basename $${SRC})" == "Santa.zip" ]; then
           mkdir -p $(@D)/binaries
           unzip -q $${SRC} -d $(@D)/binaries >/dev/null
         fi
@@ -116,10 +115,6 @@ genrule(
       # Gather together the dSYMs. Throw an error if no dSYMs were found
       for SRC in $(SRCS); do
         case $${SRC} in
-          *santa-driver.kext.dSYM*Info.plist)
-            mkdir -p $(@D)/dsym
-            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santa-driver.kext.dSYM
-            ;;
           *santad.dSYM*Info.plist)
             mkdir -p $(@D)/dsym
             cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santad.dSYM
@@ -162,6 +157,55 @@ genrule(
     heuristic_label_expansion = 0,
 )
 
+genrule(
+    name = "release_driver",
+    srcs = [
+        "//Source/santa_driver",
+    ],
+    outs = ["santa-driver-" + SANTA_VERSION + ".tar.gz"],
+    cmd = select({
+        "//conditions:default": """
+        echo "ERROR: Trying to create a release tarball without optimization."
+        echo "Please add '-c opt' flag to bazel invocation"
+        """,
+        ":opt_build": """
+      # Extract santa_driver.zip
+      for SRC in $(SRCS); do
+        if [ "$$(basename $${SRC})" == "santa_driver.zip" ]; then
+          mkdir -p $(@D)/binaries
+          unzip -q $${SRC} -d $(@D)/binaries >/dev/null
+        fi
+      done
+
+      # Gather together the dSYMs. Throw an error if no dSYMs were found
+      for SRC in $(SRCS); do
+        case $${SRC} in
+          *santa-driver.kext.dSYM*Info.plist)
+            mkdir -p $(@D)/dsym
+            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santa-driver.kext.dSYM
+            ;;
+        esac
+      done
+
+      # Cause a build failure if the dSYMs are missing.
+      if [[ ! -d "$(@D)/dsym" ]]; then
+        echo "dsym dir missing: Did you forget to use --apple_generate_dsym?"
+        echo "This flag is required for the 'release' target."
+        exit 1
+      fi
+
+      # Update all the timestamps to now. Bazel avoids timestamps to allow
+      # builds to be hermetic and cacheable but for releases we want the
+      # timestamps to be more-or-less correct.
+      find $(@D)/{binaries,dsym} -exec touch {} \\;
+
+      # Create final output tar
+      tar -C $(@D) -czpf $(@) binaries dsym
+    """,
+    }),
+    heuristic_label_expansion = 0,
+)
+
 test_suite(
     name = "unit_tests",
     tests = [

CONTRIBUTING.md

@@ -13,18 +13,15 @@ approved it, but you must do it before we can put your code into our codebase.
 
 Before you start working on a larger contribution, you should get in touch with
 us first through the [issue tracker](https://github.com/google/santa/issues)
-with your idea so that we can help out and possibly guide you. Coordinating up 
-front makes it much easier to avoid frustration later on.
+with your idea so that we can help out and possibly guide you. Co-ordinating
+large changes ahead of time can avoid frustration later on.
 
 ### Code reviews
-All submissions, including submissions by project members, require review. We
-use GitHub pull requests for this purpose. It's also a good idea to run the
-tests beforehand, which you can do with the following commands:
+All submissions - including submissions by project members - require review. We
+use GitHub pull requests for this purpose. GitHub will automatically run the
+tests when you mail your pull request and a proper review won't be started until
+the tests are complete and passing.
 
-```sh
-rake tests:logic
-rake tests:kernel  # only necessary if you're changing the kext code
-```
 ### Code Style
 
 All code submissions should try to match the surrounding code.  Wherever possible,

Podfile.lock

@@ -23,7 +23,7 @@ DEPENDENCIES:
   - OCMock
 
 SPEC REPOS:
-  https://github.com/cocoapods/specs.git:
+  https://github.com/CocoaPods/Specs.git:
     - FMDB
     - MOLAuthenticatingURLSession
     - MOLCertificate
@@ -43,4 +43,4 @@ SPEC CHECKSUMS:
 
 PODFILE CHECKSUM: d03767a9915896232523962c98d9ff7294aec2b7
 
-COCOAPODS: 1.7.5
+COCOAPODS: 1.10.0

README.md

@@ -1,9 +1,4 @@
-# Santa [![Build Status][build-status-img]][build-status-link] [![Documentation Status][doc-status-img]][doc-status-link]
-
-[build-status-img]: https://travis-ci.org/google/santa.png?branch=master
-[build-status-link]: https://travis-ci.org/google/santa
-[doc-status-img]: https://readthedocs.org/projects/santa/badge/?version=latest
-[doc-status-link]: https://santa.readthedocs.io/en/latest/?badge=latest
+# Santa ![CI](https://github.com/google/santa/workflows/CI/badge.svg?branch=main)
 
 <p align="center">
     <img src="./Source/santa/Resources/Images.xcassets/AppIcon.appiconset/santa-hat-icon-128.png" alt="Santa Icon" />
@@ -145,6 +140,9 @@ protect hosts in whatever other ways you see fit.
     * [Zentral](https://github.com/zentralopensource/zentral/wiki) - A
       centralized service that pulls data from multiple sources and deploy
       configurations to multiple services.
+    * [Zercurity](https://github.com/zercurity/zercurity) - A dockerized service 
+      for managing and monitoring applications across a large fleet utilizing 
+      Santa + Osquery.
 
 * Alternatively, `santactl` can configure rules locally (without a sync
   server).

Santa.xcodeproj/project.pbxproj

@@ -115,6 +115,8 @@
 		C7FA384824B6169400D192F9 /* SNTLogging.m in Sources */ = {isa = PBXBuildFile; fileRef = C7658AD82322B84F00F36578 /* SNTLogging.m */; };
 		C7FA384924B6169400D192F9 /* SNTStoredEvent.m in Sources */ = {isa = PBXBuildFile; fileRef = C7658ADC2322B84F00F36578 /* SNTStoredEvent.m */; };
 		C7FA384A24B6169400D192F9 /* SNTXPCSyncServiceInterface.m in Sources */ = {isa = PBXBuildFile; fileRef = C7FA383724B60FF800D192F9 /* SNTXPCSyncServiceInterface.m */; };
+		C7FACBFA25646FE500CCB198 /* SNTConfigurator.m in Sources */ = {isa = PBXBuildFile; fileRef = C7658ACD2322B84F00F36578 /* SNTConfigurator.m */; };
+		C7FACC0225646FEB00CCB198 /* SNTSystemInfo.m in Sources */ = {isa = PBXBuildFile; fileRef = C7658AD12322B84F00F36578 /* SNTSystemInfo.m */; };
 		D28CA4C618C62392319BB642 /* libPods-santactl.a in Frameworks */ = {isa = PBXBuildFile; fileRef = B7714ABC7F247685608DACE7 /* libPods-santactl.a */; };
 		D698C8C9E47554577ED4939F /* libPods-com.google.santa.daemon.a in Frameworks */ = {isa = PBXBuildFile; fileRef = C05F6AD95EB704B20828BDA1 /* libPods-com.google.santa.daemon.a */; };
 		F5F5D1EF2AF051FEA97A3A59 /* libPods-sysx.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 91FF0B4E62F1E90A88478993 /* libPods-sysx.a */; };
@@ -1341,7 +1343,9 @@
 				C7CDA6FC233E73D80013622B /* SNTFileInfo.m in Sources */,
 				C7CDA6FF233E80160013622B /* SNTLogging.m in Sources */,
 				C7CDA6FD233E73E40013622B /* SNTStoredEvent.m in Sources */,
+				C7FACBFA25646FE500CCB198 /* SNTConfigurator.m in Sources */,
 				C7CDA6FE233E73ED0013622B /* SNTXPCNotifierInterface.m in Sources */,
+				C7FACC0225646FEB00CCB198 /* SNTSystemInfo.m in Sources */,
 				C7F5C1AE233E72CC00A3F7FD /* main.m in Sources */,
 				C7F5C1AF233E72CF00A3F7FD /* SNTBundleService.m in Sources */,
 			);
@@ -1453,7 +1457,6 @@
 				MACOSX_DEPLOYMENT_TARGET = 10.11;
 				MTL_ENABLE_DEBUG_INFO = INCLUDE_SOURCE;
 				MTL_FAST_MATH = YES;
-				ONLY_ACTIVE_ARCH = YES;
 				SDKROOT = macosx;
 			};
 			name = Debug;

Source/common/BUILD

@@ -1,9 +1,9 @@
+load("//:helper.bzl", "santa_unit_test")
+
 package(default_visibility = ["//:santa_package_group"])
 
 licenses(["notice"])  # Apache 2.0
 
-load("//:helper.bzl", "santa_unit_test")
-
 objc_library(
     name = "SNTBlockMessage",
     srcs = ["SNTBlockMessage.m"],
@@ -37,7 +37,7 @@ objc_library(
     ],
 )
 
-cc_library(
+objc_library(
     name = "SNTCommonEnums",
     hdrs = ["SNTCommonEnums.h"],
 )
@@ -77,6 +77,11 @@ cc_library(
 cc_library(
     name = "SNTLoggingKernel",
     hdrs = ["SNTLogging.h"],
+    copts = [
+        "-mkernel",
+        "-I__BAZEL_XCODE_SDKROOT__/System/Library/Frameworks/Kernel.framework/Headers",
+    ],
+    defines = ["KERNEL"],
 )
 
 objc_library(

Source/common/SNTBlockMessage.m

@@ -127,16 +127,13 @@
                                                      withString:config.machineID];
   }
   if (hostname.length) {
-    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%hostname%"
-                                                     withString:hostname];
+    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%hostname%" withString:hostname];
   }
   if (uuid.length) {
-    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%uuid%"
-                                                     withString:uuid];
+    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%uuid%" withString:uuid];
   }
   if (serial.length) {
-    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%serial%"
-                                                     withString:serial];
+    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%serial%" withString:serial];
   }
 
   return [NSURL URLWithString:formatStr];

Source/common/SNTConfigurator.h

@@ -321,7 +321,8 @@
 @property(readonly, nonatomic) BOOL enableForkAndExitLogging;
 
 ///
-///  If true, ignore actions from other endpoint security clients. Defaults to false. This only applies when running as a sysx.
+///  If true, ignore actions from other endpoint security clients. Defaults to false. This only
+///  applies when running as a sysx.
 ///
 @property(readonly, nonatomic) BOOL ignoreOtherEndpointSecurityClients;
 
@@ -331,6 +332,14 @@
 ///
 @property(readonly, nonatomic) BOOL enableDebugLogging;
 
+///
+///  If true, compressed requests from "santactl sync" will set "Content-Encoding" to "zlib"
+///  instead of the new default "deflate". If syncing with Upvote deployed at commit 0b4477d
+///  or below, set this option to true.
+///  Defaults to false.
+///
+@property(readonly, nonatomic) BOOL enableBackwardsCompatibleContentEncoding;
+
 ///
 ///  Retrieve an initialized singleton configurator object using the default file path.
 ///

Source/common/SNTConfigurator.m

@@ -84,6 +84,7 @@ static NSString *const kEnableForkAndExitLogging = @"EnableForkAndExitLogging";
 static NSString *const kIgnoreOtherEndpointSecurityClients = @"IgnoreOtherEndpointSecurityClients";
 static NSString *const kEnableDebugLogging = @"EnableDebugLogging";
 
+static NSString *const kEnableBackwardsCompatibleContentEncoding = @"EnableBackwardsCompatibleContentEncoding";
 
 // The keys managed by a sync server or mobileconfig.
 static NSString *const kClientModeKey = @"ClientMode";
@@ -131,7 +132,7 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
       kBlockedPathRegexKey : re,
       kBlockedPathRegexKeyDeprecated : re,
       kEnablePageZeroProtectionKey : number,
-      kEnableBadSignatureProtectionKey: number,
+      kEnableBadSignatureProtectionKey : number,
       kMoreInfoURLKey : string,
       kEventDetailURLKey : string,
       kEventDetailTextKey : string,
@@ -144,7 +145,7 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
       kClientAuthCertificatePasswordKey : string,
       kClientAuthCertificateCNKey : string,
       kClientAuthCertificateIssuerKey : string,
-      kServerAuthRootsDataKey  : data,
+      kServerAuthRootsDataKey : data,
       kServerAuthRootsFileKey : string,
       kMachineOwnerKey : string,
       kMachineIDKey : string,
@@ -158,7 +159,8 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
       kEnableSystemExtension : number,
       kEnableForkAndExitLogging : number,
       kIgnoreOtherEndpointSecurityClients : number,
-      kEnableDebugLogging: number,
+      kEnableDebugLogging : number,
+      kEnableBackwardsCompatibleContentEncoding : number,
     };
     _defaults = [NSUserDefaults standardUserDefaults];
     [_defaults addSuiteNamed:@"com.google.santa"];
@@ -342,6 +344,10 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
   return [self configStateSet];
 }
 
++ (NSSet *)keyPathsForValuesAffectingEnableBackwardsCompatibleContentEncoding {
+  return [self configStateSet];
+}
+
 #pragma mark Public Interface
 
 - (SNTClientMode)clientMode {
@@ -592,6 +598,11 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
   return [number boolValue] || self.debugFlag;
 }
 
+- (BOOL)enableBackwardsCompatibleContentEncoding {
+  NSNumber *number = self.configState[kEnableBackwardsCompatibleContentEncoding];
+  return number ? [number boolValue] : NO;
+}
+
 #pragma mark Private
 
 ///

Source/common/SNTKernelCommon.h

@@ -16,11 +16,12 @@
 /// Common defines between kernel <-> userspace
 ///
 
-#include <sys/param.h>
-
 #ifndef SANTA__COMMON__KERNELCOMMON_H
 #define SANTA__COMMON__KERNELCOMMON_H
 
+#include <stdint.h>
+#include <sys/param.h>
+
 // Defines the name of the userclient class and the driver bundle ID.
 #define USERCLIENT_CLASS "com_google_SantaDriver"
 #define USERCLIENT_ID "com.google.santa-driver"
@@ -118,6 +119,7 @@ typedef struct {
   uid_t uid;
   gid_t gid;
   pid_t pid;
+  int pidversion;
   pid_t ppid;
   char path[MAXPATHLEN];
   char newpath[MAXPATHLEN];

Source/santa/BUILD

@@ -1,11 +1,11 @@
+load("@build_bazel_rules_apple//apple:macos.bzl", "macos_application")
+
 licenses(["notice"])  # Apache 2.0
 
 exports_files([
     "Resources/Images.xcassets/AppIcon.appiconset/santa-hat-icon-256.png",
 ])
 
-load("@build_bazel_rules_apple//apple:macos.bzl", "macos_application")
-
 objc_library(
     name = "SantaGUI_lib",
     srcs = [

Source/santa_driver/BUILD

@@ -1,4 +1,4 @@
-licenses(["notice"])  # Apache 2.0
+licenses(["notice"])
 
 load(
     "@build_bazel_rules_apple//apple:macos.bzl",

Source/santactl/Commands/sync/SNTCommandSyncManager.m

@@ -482,6 +482,9 @@ static void reachabilityHandler(
   syncState.daemonConn = self.daemonConn;
   syncState.daemon = self.daemon;
 
+  syncState.compressedContentEncoding =
+      config.enableBackwardsCompatibleContentEncoding ? @"zlib" : @"deflate";
+
   dispatch_group_wait(group, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC));
   return syncState;
 }

Source/santactl/Commands/sync/SNTCommandSyncPreflight.m

@@ -106,16 +106,16 @@
 
   // Don't let these go too low
   NSUInteger FCMIntervalValue = [resp[kFCMFullSyncInterval] unsignedIntegerValue];
-  self.syncState.FCMFullSyncInterval =
-      (FCMIntervalValue < kDefaultFullSyncInterval) ? kDefaultFCMFullSyncInterval : FCMIntervalValue;
+  self.syncState.FCMFullSyncInterval = (FCMIntervalValue < kDefaultFullSyncInterval)
+                                           ? kDefaultFCMFullSyncInterval
+                                           : FCMIntervalValue;
   FCMIntervalValue = [resp[kFCMGlobalRuleSyncDeadline] unsignedIntegerValue];
   self.syncState.FCMGlobalRuleSyncDeadline =
-      (FCMIntervalValue < 60) ?  kDefaultFCMGlobalRuleSyncDeadline : FCMIntervalValue;
+      (FCMIntervalValue < 60) ? kDefaultFCMGlobalRuleSyncDeadline : FCMIntervalValue;
 
   // Check if our sync interval has changed
   NSUInteger intervalValue = [resp[kFullSyncInterval] unsignedIntegerValue];
-  self.syncState.fullSyncInterval =
-      (intervalValue < 60) ? kDefaultFullSyncInterval : intervalValue;
+  self.syncState.fullSyncInterval = (intervalValue < 60) ? kDefaultFullSyncInterval : intervalValue;
 
   if ([resp[kClientMode] isEqual:kClientModeMonitor]) {
     self.syncState.clientMode = SNTClientModeMonitor;

Source/santactl/Commands/sync/SNTCommandSyncStage.m

@@ -70,7 +70,7 @@
   NSData *compressed = [requestBody zlibCompressed];
   if (compressed) {
     requestBody = compressed;
-    [req setValue:@"zlib" forHTTPHeaderField:@"Content-Encoding"];
+    [req setValue:self.syncState.compressedContentEncoding forHTTPHeaderField:@"Content-Encoding"];
   }
 
   [req setHTTPBody:requestBody];

Source/santactl/Commands/sync/SNTCommandSyncState.h

@@ -78,4 +78,8 @@
 /// Reference to the serial operation queue used for accessing allowlistNotifications.
 @property(weak) NSOperationQueue *allowlistNotificationQueue;
 
+/// The header value for ContentEncoding when sending compressed content.
+/// Either "deflate" (default) or "zlib".
+@property(copy) NSString *compressedContentEncoding;
+
 @end

Source/santad/EventProviders/SNTEndpointSecurityManager.mm

@@ -78,13 +78,16 @@
     es_client_t *client = NULL;
     es_new_client_result_t ret = es_new_client(&client, ^(es_client_t *c, const es_message_t *m) {
       pid_t pid = audit_token_to_pid(m->process->audit_token);
+      int pidversion = audit_token_to_pidversion(m->process->audit_token);
 
       // If enabled, skip any action generated from another endpoint security client.
       if (m->process->is_es_client && config.ignoreOtherEndpointSecurityClients) {
         if (m->action_type == ES_ACTION_TYPE_AUTH) {
           es_respond_auth_result(self.client, m, ES_AUTH_RESULT_ALLOW, true);
         }
-        LOGD(@"Skipping action from es_client pid: %d", pid);
+        if (self.selfPID != pid) {
+          LOGD(@"Skipping event type: 0x%x from es_client pid: %d", m->event_type, pid);
+        }
         return;
       }
 
@@ -117,6 +120,7 @@
             }
             sm.action = ACTION_NOTIFY_WHITELIST;
             sm.pid = pid;
+            sm.pidversion = pidversion;
             LOGI(@"CLOSE: creating a transitive rule: path=%s pid=%d", sm.path, sm.pid);
             self.decisionCallback(sm);
           }
@@ -138,6 +142,7 @@
             }
             sm.action = ACTION_NOTIFY_WHITELIST;
             sm.pid = pid;
+            sm.pidversion = pidversion;
             LOGI(@"RENAME: creating a transitive rule: path=%s pid=%d", sm.path, sm.pid);
             self.decisionCallback(sm);
           }
@@ -154,6 +159,7 @@
           santa_message_t sm = {};
           sm.action = ACTION_NOTIFY_EXIT;
           sm.pid = pid;
+          sm.pidversion = pidversion;
           sm.ppid = m->process->original_ppid;
           audit_token_t at = m->process->audit_token;
           sm.uid = audit_token_to_ruid(at);
@@ -171,6 +177,7 @@
           sm.ppid = m->event.fork.child->original_ppid;
           audit_token_t at = m->event.fork.child->audit_token;
           sm.pid = audit_token_to_pid(at);
+          sm.pidversion = audit_token_to_pidversion(at);
           sm.uid = audit_token_to_ruid(at);
           sm.gid = audit_token_to_rgid(at);
           dispatch_async(self.esNotifyQueue, ^{
@@ -385,6 +392,7 @@
   sm.uid = audit_token_to_ruid(targetProcess->audit_token);
   sm.gid = audit_token_to_rgid(targetProcess->audit_token);
   sm.pid = audit_token_to_pid(targetProcess->audit_token);
+  sm.pidversion = audit_token_to_pidversion(targetProcess->audit_token);
   sm.ppid = targetProcess->original_ppid;
   proc_name((m->event_type == ES_EVENT_TYPE_AUTH_EXEC) ? sm.ppid : sm.pid, sm.pname, 1024);
   callback(sm);
@@ -395,14 +403,14 @@
 
   self.decisionCallback = callback;
   es_event_type_t events[] = {
-    ES_EVENT_TYPE_AUTH_EXEC,
-    ES_EVENT_TYPE_AUTH_UNLINK,
-    ES_EVENT_TYPE_AUTH_RENAME,
-    ES_EVENT_TYPE_AUTH_KEXTLOAD,
+      ES_EVENT_TYPE_AUTH_EXEC,
+      ES_EVENT_TYPE_AUTH_UNLINK,
+      ES_EVENT_TYPE_AUTH_RENAME,
+      ES_EVENT_TYPE_AUTH_KEXTLOAD,
 
-    // This is in the decision callback because it's used for detecting
-    // the exit of a 'compiler' used by transitive whitelisting.
-    ES_EVENT_TYPE_NOTIFY_EXIT,
+      // This is in the decision callback because it's used for detecting
+      // the exit of a 'compiler' used by transitive whitelisting.
+      ES_EVENT_TYPE_NOTIFY_EXIT,
   };
   es_return_t sret = es_subscribe(self.client, events, sizeof(events) / sizeof(es_event_type_t));
   if (sret != ES_RETURN_SUCCESS) LOGE(@"Unable to subscribe to auth events: %d", sret);

Source/santad/Logs/SNTSyslogEventLog.m

@@ -65,8 +65,8 @@
   char ppath[PATH_MAX] = "(null)";
   proc_pidpath(message.pid, ppath, PATH_MAX);
 
-  [outStr appendFormat:@"|pid=%d|ppid=%d|process=%s|processpath=%s|uid=%d|user=%@|gid=%d|group=%@",
-      message.pid, message.ppid, message.pname, ppath,
+  [outStr appendFormat:@"|pid=%d|pidversion=%d|ppid=%d|process=%s|processpath=%s|uid=%d|user=%@|gid=%d|group=%@",
+      message.pid, message.pidversion, message.ppid, message.pname, ppath,
       message.uid, [self nameForUID:message.uid],
       message.gid, [self nameForGID:message.gid]];
 
@@ -169,8 +169,8 @@
       mode = @"U"; break;
   }
 
-  [outLog appendFormat:@"|pid=%d|ppid=%d|uid=%d|user=%@|gid=%d|group=%@|mode=%@|path=%@",
-      message.pid, message.ppid,
+  [outLog appendFormat:@"|pid=%d|pidversion=%d|ppid=%d|uid=%d|user=%@|gid=%d|group=%@|mode=%@|path=%@",
+      message.pid, message.pidversion, message.ppid,
       message.uid, [self nameForUID:message.uid],
       message.gid, [self nameForGID:message.gid],
       mode, [self sanitizeString:@(message.path)]];
@@ -269,15 +269,15 @@
 }
 
 - (void)logFork:(santa_message_t)message {
-  NSString *s = [NSString stringWithFormat:@"action=FORK|pid=%d|ppid=%d|uid=%d|gid=%d",
-                    message.pid, message.ppid, message.uid, message.gid];
+  NSString *s = [NSString stringWithFormat:@"action=FORK|pid=%d|pidversion=%d|ppid=%d|uid=%d|gid=%d",
+                    message.pid, message.pidversion, message.ppid, message.uid, message.gid];
   [self writeLog:s];
 
 }
 
 - (void)logExit:(santa_message_t)message {
-  NSString *s = [NSString stringWithFormat:@"action=EXIT|pid=%d|ppid=%d|uid=%d|gid=%d",
-                    message.pid, message.ppid, message.uid, message.gid];
+  NSString *s = [NSString stringWithFormat:@"action=EXIT|pid=%d|pidversion=%d|ppid=%d|uid=%d|gid=%d",
+                    message.pid, message.pidversion, message.ppid, message.uid, message.gid];
   [self writeLog:s];
 }
 

Source/santad/SNTCompilerController.m

@@ -85,8 +85,8 @@
         LOGE(@"unable to add new transitive rule to database: %@", err.localizedDescription);
       } else {
         [self.eventLog
-            writeLog:[NSString stringWithFormat:@"action=ALLOWLIST|pid=%d|path=%s|sha256=%@",
-                                                message.pid, target, fi.SHA256]];
+            writeLog:[NSString stringWithFormat:@"action=ALLOWLIST|pid=%d|pidversion=%d|path=%s|sha256=%@",
+                                                message.pid, message.pidversion, target, fi.SHA256]];
       }
     }
   }

WORKSPACE

@@ -8,7 +8,7 @@ load("@bazel_tools//tools/build_defs/repo:git.bzl",
 git_repository(
     name = "build_bazel_rules_apple",
     remote = "https://github.com/bazelbuild/rules_apple.git",
-    tag = "0.20.0",
+    tag = "0.21.2",
 )
 
 load("@build_bazel_rules_apple//apple:repositories.bzl", "apple_rules_dependencies")

version.bzl

@@ -1,3 +1,3 @@
 """The version for all Santa components."""
 
-SANTA_VERSION = "1.15"
+SANTA_VERSION = "1.17"