santactl: don't watch for config changes (#453)

* santactl: don't watch for config changes

* bump version

.travis.yml

@@ -8,6 +8,7 @@ addons:
   homebrew:
     taps: bazelbuild/tap
     packages: bazelbuild/tap/bazel
+    update: true
 
 script:
  - bazel build :release --show_progress_rate_limit=30.0 -c opt --apple_generate_dsym --color=no --verbose_failures --sandbox_debug

BUILD

@@ -130,6 +130,10 @@ genrule(
             mkdir -p $(@D)/dsym
             cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/Santa.app.dSYM
             ;;
+          *com.google.santa.daemon.systemextension.dSYM*Info.plist)
+            mkdir -p $(@D)/dsym
+            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/com.google.santa.daemon.systemextension.dSYM
+            ;;
         esac
       done
 

Conf/Package/postinstall

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Load the kernel extension, santad, sync client
+# Load com.google.santa.daemon and com.google.santa.bundleservice
 # If a user is logged in, also load the GUI agent.
 # If the target volume is not /, do nothing
 
@@ -13,24 +13,15 @@
 mkdir -p /usr/local/bin
 /bin/ln -sf /Applications/Santa.app/Contents/MacOS/santactl /usr/local/bin/santactl
 
-if [ $(uname -r | cut -d'.' -f1) -ge 19 ]; then
-  # Running on 10.15+
-  echo "Santa postinstall: running on 10.15+"
-  /bin/rm -rf /Library/Extensions/santa-driver.kext
-  /bin/rm -f /Library/LaunchDaemons/com.google.santad.plist
-else
-  # Running on <10.15
-  /bin/launchctl load -w /Library/LaunchDaemons/com.google.santad.plist
-fi
+# Load com.google.santa.daemon, its main has logic to handle loading the kext
+# or relaunching itself as a SystemExtension.
+/bin/launchctl load -w /Library/LaunchDaemons/com.google.santad.plist
 
-# Load the bundle service
+# Load com.google.santa.bundleservice
 /bin/launchctl load -w /Library/LaunchDaemons/com.google.santa.bundleservice.plist
 
-user=$(/usr/bin/stat -f '%u' /dev/console)
-if [[ -z "$user" ]]; then
-  /Applications/Santa.app/Contents/MacOS/Santa --load-system-extension
-  exit 0
-fi
-/bin/launchctl asuser ${user} /bin/launchctl load /Library/LaunchAgents/com.google.santa.plist
+GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
+[[ -z "${GUI_USER}" ]] && exit 0
 
+/bin/launchctl asuser "${GUI_USER}" /bin/launchctl load /Library/LaunchAgents/com.google.santa.plist
 exit 0

Conf/Package/preinstall

@@ -19,11 +19,13 @@
 /bin/launchctl remove com.google.santasync
 /bin/rm -f /Library/LaunchDaemons/com.google.santasync.plist
 /bin/rm -rf /Applications/Santa.app
+/bin/rm -rf /Library/Extensions/santa-driver.kext
 
 /bin/sleep 1
 
-user=$(/usr/bin/stat -f '%u' /dev/console)
-[[ -n "$user" ]] && /bin/launchctl asuser ${user} /bin/launchctl remove com.google.santagui
-[[ -n "$user" ]] && /bin/launchctl asuser ${user} /bin/launchctl remove com.google.santa
+GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
+[[ -z "${GUI_USER}" ]] && exit 0
 
+/bin/launchctl asuser "${GUI_USER}" /bin/launchctl remove com.google.santagui
+/bin/launchctl asuser "${GUI_USER}" /bin/launchctl remove com.google.santa
 exit 0

Conf/install.sh

@@ -31,10 +31,10 @@ fi
 GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
 
 # Unload GUI agent if someone is logged in.
+[[ -n "${GUI_USER}" ]] && \
+  /bin/launchctl asuser "${GUI_USER}" /bin/launchctl remove com.google.santagui
 [[ -n "$GUI_USER" ]] && \
-  /bin/launchctl asuser ${GUI_USER} /bin/launchctl remove com.google.santagui
-[[ -n "$GUI_USER" ]] && \
-  /bin/launchctl asuser ${GUI_USER} /bin/launchctl remove com.google.santa
+  /bin/launchctl asuser "${GUI_USER}" /bin/launchctl remove com.google.santa
 
 # Cleanup cruft from old versions
 /bin/launchctl remove com.google.santasync >/dev/null 2>&1
@@ -48,34 +48,28 @@ GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
 /bin/mkdir -p /var/db/santa
 
 /bin/cp -r ${BINARIES}/Santa.app /Applications
+/bin/cp -r ${BINARIES}/santa-driver.kext /Library/Extensions
 
 /bin/mkdir -p /usr/local/bin
 /bin/ln -s /Applications/Santa.app/Contents/MacOS/santactl /usr/local/bin 2>/dev/null
 
 /bin/cp ${CONF}/com.google.santa.plist /Library/LaunchAgents
 /bin/cp ${CONF}/com.google.santa.bundleservice.plist /Library/LaunchDaemons
+/bin/cp ${CONF}/com.google.santad.plist /Library/LaunchDaemons
 /bin/cp ${CONF}/com.google.santa.asl.conf /etc/asl/
 /bin/cp ${CONF}/com.google.santa.newsyslog.conf /etc/newsyslog.d/
 
 # Reload syslogd to pick up ASL configuration change.
 /usr/bin/killall -HUP syslogd
 
-# Only copy the kext and load santad if running pre-10.15
-if [ $(uname -r | cut -d'.' -f1) -lt 19 ]; then
-  /bin/cp -r ${BINARIES}/santa-driver.kext /Library/Extensions
-  /bin/cp ${CONF}/com.google.santad.plist /Library/LaunchDaemons
-  /bin/launchctl load /Library/LaunchDaemons/com.google.santad.plist
-else
-  /Applications/Santa.app/Contents/MacOS/Santa --load-system-extension
-fi
+# Load com.google.santa.daemon
+/bin/launchctl load /Library/LaunchDaemons/com.google.santad.plist
 
-# Load the bundle service
+# Load com.google.santa.bundleservice
 /bin/launchctl load /Library/LaunchDaemons/com.google.santa.bundleservice.plist
 
 # Load GUI agent if someone is logged in.
-if [[ -n "$GUI_USER" ]]; then
-  /bin/launchctl asuser ${GUI_USER} \
-  /bin/launchctl load -w /Library/LaunchAgents/com.google.santa.plist
-fi
+[[ -z "${GUI_USER}" ]] && exit 0
 
+/bin/launchctl asuser "${GUI_USER}" /bin/launchctl load -w /Library/LaunchAgents/com.google.santa.plist
 exit 0

Santa.xcodeproj/project.pbxproj

@@ -1256,7 +1256,7 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = 052CCA75535669B953A31D6D /* Pods-santactl.debug.xcconfig */;
 			buildSettings = {
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				CREATE_INFOPLIST_SECTION_IN_BINARY = YES;
 				CURRENT_PROJECT_VERSION = 1;
@@ -1274,7 +1274,7 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = 0A60226B8B4F01BE817BAAA3 /* Pods-santactl.release.xcconfig */;
 			buildSettings = {
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				CREATE_INFOPLIST_SECTION_IN_BINARY = YES;
 				CURRENT_PROJECT_VERSION = 1;
@@ -1405,7 +1405,7 @@
 			buildSettings = {
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CODE_SIGN_ENTITLEMENTS = Source/santa/Santa.app.entitlements;
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1;
@@ -1429,7 +1429,7 @@
 			buildSettings = {
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CODE_SIGN_ENTITLEMENTS = Source/santa/Santa.app.entitlements;
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1;
@@ -1452,7 +1452,7 @@
 			baseConfigurationReference = 4E28DBA012524ABF55F8300C /* Pods-com.google.santa.daemon.debug.xcconfig */;
 			buildSettings = {
 				CODE_SIGN_ENTITLEMENTS = Source/santad/com.google.santa.daemon.systemextension.entitlements;
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				CREATE_INFOPLIST_SECTION_IN_BINARY = YES;
 				CURRENT_PROJECT_VERSION = 1;
@@ -1471,7 +1471,7 @@
 			baseConfigurationReference = E734E4FECEAA502AFF104E71 /* Pods-com.google.santa.daemon.release.xcconfig */;
 			buildSettings = {
 				CODE_SIGN_ENTITLEMENTS = Source/santad/com.google.santa.daemon.systemextension.entitlements;
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				CREATE_INFOPLIST_SECTION_IN_BINARY = YES;
 				CURRENT_PROJECT_VERSION = 1;
@@ -1490,7 +1490,7 @@
 			baseConfigurationReference = D7360306D7CFDD179D003266 /* Pods-sysx.debug.xcconfig */;
 			buildSettings = {
 				CODE_SIGN_ENTITLEMENTS = Source/santad/com.google.santa.daemon.systemextension.entitlements;
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1;
@@ -1511,7 +1511,7 @@
 			baseConfigurationReference = C05543B3701F50CA798B4B11 /* Pods-sysx.release.xcconfig */;
 			buildSettings = {
 				CODE_SIGN_ENTITLEMENTS = Source/santad/com.google.santa.daemon.systemextension.entitlements;
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1;
@@ -1530,7 +1530,7 @@
 		C7D35DE02322C902000C5EB4 /* Debug */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				CURRENT_PROJECT_VERSION = 1;
 				DEVELOPMENT_TEAM = EQHXZ8M8AV;
@@ -1550,7 +1550,7 @@
 		C7D35DE12322C902000C5EB4 /* Release */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				CURRENT_PROJECT_VERSION = 1;
 				DEVELOPMENT_TEAM = EQHXZ8M8AV;
@@ -1571,7 +1571,7 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = D4808D8635FB5E8E5F4637BB /* Pods-santabundleservice.debug.xcconfig */;
 			buildSettings = {
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				CREATE_INFOPLIST_SECTION_IN_BINARY = YES;
 				DEVELOPMENT_TEAM = EQHXZ8M8AV;
@@ -1586,7 +1586,7 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = FE1F7C320CAEA468FAAC05B0 /* Pods-santabundleservice.release.xcconfig */;
 			buildSettings = {
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				CREATE_INFOPLIST_SECTION_IN_BINARY = YES;
 				DEVELOPMENT_TEAM = EQHXZ8M8AV;

Source/common/SNTConfigurator.m

@@ -611,8 +611,9 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
 }
 
 - (void)startWatchingDefaults {
-  // Only santad should listen.
-  if (geteuid() != 0) return;
+  // Only com.google.santa.daemon should listen.
+  NSString *processName = [[NSProcessInfo processInfo] processName];
+  if (![processName isEqualToString:@"com.google.santa.daemon"]) return;
   [[NSNotificationCenter defaultCenter] addObserver:self
                                            selector:@selector(defaultsChanged:)
                                                name:NSUserDefaultsDidChangeNotification

Source/santactl/Commands/sync/SNTCommandSync.m

@@ -38,8 +38,9 @@ REGISTER_COMMAND_NAME(@"sync")
   return YES;
 }
 
+// Connect to santad while we are root, so that we pass the XPC authentication.
 + (BOOL)requiresDaemonConn {
-  return NO;
+  return YES;
 }
 
 + (NSString *)shortHelpText {
@@ -55,9 +56,6 @@ REGISTER_COMMAND_NAME(@"sync")
 }
 
 - (void)runWithArguments:(NSArray *)arguments {
-  // Connect to santad while we are root, so that we pass the XPC authentication
-  [self.daemonConn resume];
-
   // Ensure we have no privileges
   if (!DropRootPrivileges()) {
     LOGE(@"Failed to drop root privileges. Exiting.");

Source/santactl/Commands/sync/SNTCommandSyncRuleDownload.m

@@ -82,7 +82,8 @@
     NSDictionary *requestDict = cursor ? @{kCursor : cursor} : @{};
     NSDictionary *response = [self performRequest:[self requestWithDictionary:requestDict]];
 
-    if (![response isKindOfClass:[NSDictionary class]]) {
+    if (![response isKindOfClass:[NSDictionary class]] ||
+        ![response[kRules] isKindOfClass:[NSArray class]]) {
       return nil;
     }
 

Source/santad/EventProviders/SNTDriverManager.m

@@ -310,6 +310,8 @@ static void driverAppearedHandler(void *info, io_iterator_t iterator) {
 }
 
 - (void)fileModificationPrefixFilterAdd:(NSArray *)filters {
+  while (!self.connectionEstablished) usleep(100000); // 100ms
+
   uint64_t n = 0;
   uint32_t n_len = 1;
 
@@ -334,6 +336,8 @@ static void driverAppearedHandler(void *info, io_iterator_t iterator) {
         LOGE(@"Prefix filter tree is full!");
         return;
       }
+    } else {
+      LOGI(@"Added prefix filter: %s", buffer);
     }
   }
 }

Source/santad/SNTApplication.m

@@ -93,12 +93,14 @@
         break;
     }
 
-    // The filter is reset when santad disconnects from the driver.
-    // Add the default filters.
-    [_eventProvider fileModificationPrefixFilterAdd:@[ @"/.", @"/dev/" ]];
+    dispatch_async(dispatch_get_global_queue(QOS_CLASS_BACKGROUND, 0), ^{
+      // The filter is reset when santad disconnects from the driver.
+      // Add the default filters.
+      [self.eventProvider fileModificationPrefixFilterAdd:@[ @"/.", @"/dev/" ]];
 
-    // TODO(bur): Add KVO handling for fileChangesPrefixFilters.
-    [_eventProvider fileModificationPrefixFilterAdd:[configurator fileChangesPrefixFilters]];
+      // TODO(bur): Add KVO handling for fileChangesPrefixFilters.
+      [self.eventProvider fileModificationPrefixFilterAdd:[configurator fileChangesPrefixFilters]];
+    });
 
     self.notQueue = [[SNTNotificationQueue alloc] init];
     SNTSyncdQueue *syncdQueue = [[SNTSyncdQueue alloc] init];
@@ -323,11 +325,6 @@ void diskDisappearedCallback(DADiskRef disk, void *context) {
     BOOL old = [change[oldKey] isKindOfClass:[NSNumber class]] ? [change[oldKey] boolValue] : NO;
     if (old == NO && new == YES) {
       LOGI(@"EnableSystemExtension changed NO -> YES");
-      NSTask *t = [[NSTask alloc] init];
-      t.launchPath = [@(kSantaAppPath) stringByAppendingString:@"/Contents/MacOS/Santa"];
-      t.arguments = @[ @"--load-system-extension" ];
-      [t launch];
-      [t waitUntilExit];
       LOGI(@"The penultimate exit.");
       exit(0);
     }

Source/santad/main.m

@@ -96,11 +96,21 @@ void cleanup() {
   [fm removeItemAtPath:@"/Library/LaunchDaemons/com.google.santad.plist" error:NULL];
   [SNTDriverManager unloadDriver];
   [fm removeItemAtPath:@"/Library/Extensions/santa-driver.kext" error:NULL];
+
+  LOGI(@"loading com.google.santa.daemon as a SystemExtension");
   NSTask *t = [[NSTask alloc] init];
+  t.launchPath = [@(kSantaAppPath) stringByAppendingString:@"/Contents/MacOS/Santa"];
+  t.arguments = @[ @"--load-system-extension" ];
+  [t launch];
+  [t waitUntilExit];
+
+  t = [[NSTask alloc] init];
   t.launchPath = @"/bin/launchctl";
   t.arguments = @[ @"remove", @"com.google.santad" ];
   [t launch];
   [t waitUntilExit];
+
+  // This exit will likely never be called because the above launchctl command kill us.
   exit(0);
 }
 

version.bzl

@@ -1,3 +1,3 @@
 """The version for all Santa components."""
 
-SANTA_VERSION = "1.4"
+SANTA_VERSION = "1.11"