santactl: sanitize rule payload (#450)

* santactl: sanitize rule payload

* version bump

Conf/Package/postinstall

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Load the kernel extension, santad, sync client
+# Load com.google.santa.daemon and com.google.santa.bundleservice
 # If a user is logged in, also load the GUI agent.
 # If the target volume is not /, do nothing
 
@@ -13,24 +13,15 @@
 mkdir -p /usr/local/bin
 /bin/ln -sf /Applications/Santa.app/Contents/MacOS/santactl /usr/local/bin/santactl
 
-if [ $(uname -r | cut -d'.' -f1) -ge 19 ]; then
-  # Running on 10.15+
-  echo "Santa postinstall: running on 10.15+"
-  /bin/rm -rf /Library/Extensions/santa-driver.kext
-  /bin/rm -f /Library/LaunchDaemons/com.google.santad.plist
-else
-  # Running on <10.15
-  /bin/launchctl load -w /Library/LaunchDaemons/com.google.santad.plist
-fi
+# Load com.google.santa.daemon, its main has logic to handle loading the kext
+# or relaunching itself as a SystemExtension.
+/bin/launchctl load -w /Library/LaunchDaemons/com.google.santad.plist
 
-# Load the bundle service
+# Load com.google.santa.bundleservice
 /bin/launchctl load -w /Library/LaunchDaemons/com.google.santa.bundleservice.plist
 
-user=$(/usr/bin/stat -f '%u' /dev/console)
-if [[ -z "$user" ]]; then
-  /Applications/Santa.app/Contents/MacOS/Santa --load-system-extension
-  exit 0
-fi
-/bin/launchctl asuser ${user} /bin/launchctl load /Library/LaunchAgents/com.google.santa.plist
+GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
+[[ -z "${GUI_USER}" ]] && exit 0
 
+/bin/launchctl asuser "${GUI_USER}" /bin/launchctl load /Library/LaunchAgents/com.google.santa.plist
 exit 0

Conf/Package/preinstall

@@ -19,11 +19,13 @@
 /bin/launchctl remove com.google.santasync
 /bin/rm -f /Library/LaunchDaemons/com.google.santasync.plist
 /bin/rm -rf /Applications/Santa.app
+/bin/rm -rf /Library/Extensions/santa-driver.kext
 
 /bin/sleep 1
 
-user=$(/usr/bin/stat -f '%u' /dev/console)
-[[ -n "$user" ]] && /bin/launchctl asuser ${user} /bin/launchctl remove com.google.santagui
-[[ -n "$user" ]] && /bin/launchctl asuser ${user} /bin/launchctl remove com.google.santa
+GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
+[[ -z "${GUI_USER}" ]] && exit 0
 
+/bin/launchctl asuser "${GUI_USER}" /bin/launchctl remove com.google.santagui
+/bin/launchctl asuser "${GUI_USER}" /bin/launchctl remove com.google.santa
 exit 0

Conf/install.sh

@@ -31,10 +31,10 @@ fi
 GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
 
 # Unload GUI agent if someone is logged in.
+[[ -n "${GUI_USER}" ]] && \
+  /bin/launchctl asuser "${GUI_USER}" /bin/launchctl remove com.google.santagui
 [[ -n "$GUI_USER" ]] && \
-  /bin/launchctl asuser ${GUI_USER} /bin/launchctl remove com.google.santagui
-[[ -n "$GUI_USER" ]] && \
-  /bin/launchctl asuser ${GUI_USER} /bin/launchctl remove com.google.santa
+  /bin/launchctl asuser "${GUI_USER}" /bin/launchctl remove com.google.santa
 
 # Cleanup cruft from old versions
 /bin/launchctl remove com.google.santasync >/dev/null 2>&1
@@ -48,34 +48,28 @@ GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
 /bin/mkdir -p /var/db/santa
 
 /bin/cp -r ${BINARIES}/Santa.app /Applications
+/bin/cp -r ${BINARIES}/santa-driver.kext /Library/Extensions
 
 /bin/mkdir -p /usr/local/bin
 /bin/ln -s /Applications/Santa.app/Contents/MacOS/santactl /usr/local/bin 2>/dev/null
 
 /bin/cp ${CONF}/com.google.santa.plist /Library/LaunchAgents
 /bin/cp ${CONF}/com.google.santa.bundleservice.plist /Library/LaunchDaemons
+/bin/cp ${CONF}/com.google.santad.plist /Library/LaunchDaemons
 /bin/cp ${CONF}/com.google.santa.asl.conf /etc/asl/
 /bin/cp ${CONF}/com.google.santa.newsyslog.conf /etc/newsyslog.d/
 
 # Reload syslogd to pick up ASL configuration change.
 /usr/bin/killall -HUP syslogd
 
-# Only copy the kext and load santad if running pre-10.15
-if [ $(uname -r | cut -d'.' -f1) -lt 19 ]; then
-  /bin/cp -r ${BINARIES}/santa-driver.kext /Library/Extensions
-  /bin/cp ${CONF}/com.google.santad.plist /Library/LaunchDaemons
-  /bin/launchctl load /Library/LaunchDaemons/com.google.santad.plist
-else
-  /Applications/Santa.app/Contents/MacOS/Santa --load-system-extension
-fi
+# Load com.google.santa.daemon
+/bin/launchctl load /Library/LaunchDaemons/com.google.santad.plist
 
-# Load the bundle service
+# Load com.google.santa.bundleservice
 /bin/launchctl load /Library/LaunchDaemons/com.google.santa.bundleservice.plist
 
 # Load GUI agent if someone is logged in.
-if [[ -n "$GUI_USER" ]]; then
-  /bin/launchctl asuser ${GUI_USER} \
-  /bin/launchctl load -w /Library/LaunchAgents/com.google.santa.plist
-fi
+[[ -z "${GUI_USER}" ]] && exit 0
 
+/bin/launchctl asuser "${GUI_USER}" /bin/launchctl load -w /Library/LaunchAgents/com.google.santa.plist
 exit 0

Source/santactl/Commands/sync/SNTCommandSyncRuleDownload.m

@@ -82,7 +82,8 @@
     NSDictionary *requestDict = cursor ? @{kCursor : cursor} : @{};
     NSDictionary *response = [self performRequest:[self requestWithDictionary:requestDict]];
 
-    if (![response isKindOfClass:[NSDictionary class]]) {
+    if (![response isKindOfClass:[NSDictionary class]] ||
+        ![response[kRules] isKindOfClass:[NSArray class]]) {
       return nil;
     }
 

Source/santad/SNTApplication.m

@@ -325,11 +325,6 @@ void diskDisappearedCallback(DADiskRef disk, void *context) {
     BOOL old = [change[oldKey] isKindOfClass:[NSNumber class]] ? [change[oldKey] boolValue] : NO;
     if (old == NO && new == YES) {
       LOGI(@"EnableSystemExtension changed NO -> YES");
-      NSTask *t = [[NSTask alloc] init];
-      t.launchPath = [@(kSantaAppPath) stringByAppendingString:@"/Contents/MacOS/Santa"];
-      t.arguments = @[ @"--load-system-extension" ];
-      [t launch];
-      [t waitUntilExit];
       LOGI(@"The penultimate exit.");
       exit(0);
     }

Source/santad/main.m

@@ -96,11 +96,21 @@ void cleanup() {
   [fm removeItemAtPath:@"/Library/LaunchDaemons/com.google.santad.plist" error:NULL];
   [SNTDriverManager unloadDriver];
   [fm removeItemAtPath:@"/Library/Extensions/santa-driver.kext" error:NULL];
+
+  LOGI(@"loading com.google.santa.daemon as a SystemExtension");
   NSTask *t = [[NSTask alloc] init];
+  t.launchPath = [@(kSantaAppPath) stringByAppendingString:@"/Contents/MacOS/Santa"];
+  t.arguments = @[ @"--load-system-extension" ];
+  [t launch];
+  [t waitUntilExit];
+
+  t = [[NSTask alloc] init];
   t.launchPath = @"/bin/launchctl";
   t.arguments = @[ @"remove", @"com.google.santad" ];
   [t launch];
   [t waitUntilExit];
+
+  // This exit will likely never be called because the above launchctl command kill us.
   exit(0);
 }
 

version.bzl

@@ -1,3 +1,3 @@
 """The version for all Santa components."""
 
-SANTA_VERSION = "1.7"
+SANTA_VERSION = "1.10"