version bump (#455 )

Santa.app: don't request SystemExtension loading (#454 )
santactl: don't watch for config changes (#453 )
2026-01-15 01:08:12 -05:00 · 2020-03-17 16:27:40 -04:00 · 2020-03-17 16:23:48 -04:00 · 2020-03-16 18:40:36 -04:00 · 2020-02-27 15:16:40 -05:00 · 2020-02-26 15:13:51 -05:00
7 changed files with 30 additions and 71 deletions
--- a/Santa.xcodeproj/project.pbxproj
+++ b/Santa.xcodeproj/project.pbxproj
@@ -1256,7 +1256,7 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = 052CCA75535669B953A31D6D /* Pods-santactl.debug.xcconfig */;
 			buildSettings = {
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				CREATE_INFOPLIST_SECTION_IN_BINARY = YES;
 				CURRENT_PROJECT_VERSION = 1;
@@ -1274,7 +1274,7 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = 0A60226B8B4F01BE817BAAA3 /* Pods-santactl.release.xcconfig */;
 			buildSettings = {
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				CREATE_INFOPLIST_SECTION_IN_BINARY = YES;
 				CURRENT_PROJECT_VERSION = 1;
@@ -1405,7 +1405,7 @@
 			buildSettings = {
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CODE_SIGN_ENTITLEMENTS = Source/santa/Santa.app.entitlements;
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1;
@@ -1429,7 +1429,7 @@
 			buildSettings = {
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CODE_SIGN_ENTITLEMENTS = Source/santa/Santa.app.entitlements;
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1;
@@ -1452,7 +1452,7 @@
 			baseConfigurationReference = 4E28DBA012524ABF55F8300C /* Pods-com.google.santa.daemon.debug.xcconfig */;
 			buildSettings = {
 				CODE_SIGN_ENTITLEMENTS = Source/santad/com.google.santa.daemon.systemextension.entitlements;
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				CREATE_INFOPLIST_SECTION_IN_BINARY = YES;
 				CURRENT_PROJECT_VERSION = 1;
@@ -1471,7 +1471,7 @@
 			baseConfigurationReference = E734E4FECEAA502AFF104E71 /* Pods-com.google.santa.daemon.release.xcconfig */;
 			buildSettings = {
 				CODE_SIGN_ENTITLEMENTS = Source/santad/com.google.santa.daemon.systemextension.entitlements;
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				CREATE_INFOPLIST_SECTION_IN_BINARY = YES;
 				CURRENT_PROJECT_VERSION = 1;
@@ -1490,7 +1490,7 @@
 			baseConfigurationReference = D7360306D7CFDD179D003266 /* Pods-sysx.debug.xcconfig */;
 			buildSettings = {
 				CODE_SIGN_ENTITLEMENTS = Source/santad/com.google.santa.daemon.systemextension.entitlements;
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1;
@@ -1511,7 +1511,7 @@
 			baseConfigurationReference = C05543B3701F50CA798B4B11 /* Pods-sysx.release.xcconfig */;
 			buildSettings = {
 				CODE_SIGN_ENTITLEMENTS = Source/santad/com.google.santa.daemon.systemextension.entitlements;
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1;
@@ -1530,7 +1530,7 @@
 		C7D35DE02322C902000C5EB4 /* Debug */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				CURRENT_PROJECT_VERSION = 1;
 				DEVELOPMENT_TEAM = EQHXZ8M8AV;
@@ -1550,7 +1550,7 @@
 		C7D35DE12322C902000C5EB4 /* Release */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				CURRENT_PROJECT_VERSION = 1;
 				DEVELOPMENT_TEAM = EQHXZ8M8AV;
@@ -1571,7 +1571,7 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = D4808D8635FB5E8E5F4637BB /* Pods-santabundleservice.debug.xcconfig */;
 			buildSettings = {
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				CREATE_INFOPLIST_SECTION_IN_BINARY = YES;
 				DEVELOPMENT_TEAM = EQHXZ8M8AV;
@@ -1586,7 +1586,7 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = FE1F7C320CAEA468FAAC05B0 /* Pods-santabundleservice.release.xcconfig */;
 			buildSettings = {
-				CODE_SIGN_IDENTITY = "Mac Developer";
+				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				CREATE_INFOPLIST_SECTION_IN_BINARY = YES;
 				DEVELOPMENT_TEAM = EQHXZ8M8AV;
--- a/Source/common/SNTConfigurator.m
+++ b/Source/common/SNTConfigurator.m
@@ -611,8 +611,9 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
 }

 - (void)startWatchingDefaults {
-  // Only santad should listen.
-  if (geteuid() != 0) return;
+  // Only com.google.santa.daemon should listen.
+  NSString *processName = [[NSProcessInfo processInfo] processName];
+  if (![processName isEqualToString:@"com.google.santa.daemon"]) return;
  [[NSNotificationCenter defaultCenter] addObserver:self
                                           selector:@selector(defaultsChanged:)
                                               name:NSUserDefaultsDidChangeNotification
--- a/Source/santa/SNTAppDelegate.m
+++ b/Source/santa/SNTAppDelegate.m
@@ -16,8 +16,6 @@

 #import <MOLXPCConnection/MOLXPCConnection.h>

-#import <SystemExtensions/SystemExtensions.h>
-
 #import "Source/common/SNTConfigurator.h"
 #import "Source/common/SNTLogging.h"
 #import "Source/common/SNTStrengthify.h"
@@ -25,7 +23,7 @@
 #import "Source/santa/SNTAboutWindowController.h"
 #import "Source/santa/SNTNotificationManager.h"

-@interface SNTAppDelegate ()<OSSystemExtensionRequestDelegate>
+@interface SNTAppDelegate ()
@property SNTAboutWindowController *aboutWindowController;
@property SNTNotificationManager *notificationManager;
@property MOLXPCConnection *daemonListener;
@@ -36,10 +34,6 @@
 #pragma mark App Delegate methods

 - (void)applicationDidFinishLaunching:(NSNotification *)aNotification {
-  if (@available(macOS 10.15, *)) {
-    [self loadSystemExtension];
-  }
-
  [self setupMenu];
  self.notificationManager = [[SNTNotificationManager alloc] init];

@@ -69,20 +63,6 @@
  return NO;
 }

- (void)loadSystemExtension API_AVAILABLE(macos(10.15)) {
-  if (![[SNTConfigurator configurator] enableSystemExtension]) {
-    LOGI(@"EnableSystemExtension is disabled");
-    return;
-  }
-  LOGI(@"Requesting SystemExtension activation");
-  NSString *e = [SNTXPCControlInterface systemExtensionID];
-  dispatch_queue_t q = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0);
-  OSSystemExtensionRequest *req = [OSSystemExtensionRequest activationRequestForExtension:e
-                                                                                    queue:q];
-  req.delegate = self;
-  [[OSSystemExtensionManager sharedManager] submitRequest:req];
-}
-
 #pragma mark Connection handling

 - (void)createDaemonConnection {
@@ -143,28 +123,4 @@
  [NSApp setMainMenu:mainMenu];
 }

-#pragma mark OSSystemExtensionRequestDelegate
-
- (OSSystemExtensionReplacementAction)request:(OSSystemExtensionRequest *)request
-                  actionForReplacingExtension:(OSSystemExtensionProperties *)old
-                                withExtension:(OSSystemExtensionProperties *)new
-    API_AVAILABLE(macos(10.15)) {
-  LOGI(@"SystemExtension \"%@\" request for replacement", request.identifier);
-  return OSSystemExtensionReplacementActionReplace;
-}
-
- (void)requestNeedsUserApproval:(OSSystemExtensionRequest *)request API_AVAILABLE(macos(10.15)) {
-  LOGI(@"SystemExtension \"%@\" request needs user approval", request.identifier);
-}
-
- (void)request:(OSSystemExtensionRequest *)request
-    didFailWithError:(NSError *)error API_AVAILABLE(macos(10.15)) {
-  LOGI(@"SystemExtension \"%@\" request did fail: %@", request.identifier, error);
-}
-
- (void)request:(OSSystemExtensionRequest *)request
-    didFinishWithResult:(OSSystemExtensionRequestResult)result API_AVAILABLE(macos(10.15)) {
-  LOGI(@"SystemExtension \"%@\" request did finish: %ld", request.identifier, (long)result);
-}
-
@end
--- a/Source/santactl/Commands/sync/SNTCommandSync.m
+++ b/Source/santactl/Commands/sync/SNTCommandSync.m
@@ -38,8 +38,9 @@ REGISTER_COMMAND_NAME(@"sync")
  return YES;
 }

+// Connect to santad while we are root, so that we pass the XPC authentication.
 + (BOOL)requiresDaemonConn {
-  return NO;
+  return YES;
 }

 + (NSString *)shortHelpText {
@@ -55,9 +56,6 @@ REGISTER_COMMAND_NAME(@"sync")
 }

 - (void)runWithArguments:(NSArray *)arguments {
-  // Connect to santad while we are root, so that we pass the XPC authentication
-  [self.daemonConn resume];
-
  // Ensure we have no privileges
  if (!DropRootPrivileges()) {
    LOGE(@"Failed to drop root privileges. Exiting.");
--- a/Source/santactl/Commands/sync/SNTCommandSyncRuleDownload.m
+++ b/Source/santactl/Commands/sync/SNTCommandSyncRuleDownload.m
@@ -82,7 +82,8 @@
    NSDictionary *requestDict = cursor ? @{kCursor : cursor} : @{};
    NSDictionary *response = [self performRequest:[self requestWithDictionary:requestDict]];

-    if (![response isKindOfClass:[NSDictionary class]]) {
+    if (![response isKindOfClass:[NSDictionary class]] ||
+        ![response[kRules] isKindOfClass:[NSArray class]]) {
      return nil;
    }

--- a/Source/santad/main.m
+++ b/Source/santad/main.m
@@ -96,18 +96,21 @@ void cleanup() {
  [fm removeItemAtPath:@"/Library/LaunchDaemons/com.google.santad.plist" error:NULL];
  [SNTDriverManager unloadDriver];
  [fm removeItemAtPath:@"/Library/Extensions/santa-driver.kext" error:NULL];
+
+  LOGI(@"loading com.google.santa.daemon as a SystemExtension");
  NSTask *t = [[NSTask alloc] init];
+  t.launchPath = [@(kSantaAppPath) stringByAppendingString:@"/Contents/MacOS/Santa"];
+  t.arguments = @[ @"--load-system-extension" ];
+  [t launch];
+  [t waitUntilExit];
+
+  t = [[NSTask alloc] init];
  t.launchPath = @"/bin/launchctl";
  t.arguments = @[ @"remove", @"com.google.santad" ];
  [t launch];
  [t waitUntilExit];

-  LOGI(@"loading com.google.santa.daemon as a SystemExtension");
-  t = [[NSTask alloc] init];
-  t.launchPath = [@(kSantaAppPath) stringByAppendingString:@"/Contents/MacOS/Santa"];
-  t.arguments = @[ @"--load-system-extension" ];
-  [t launch];
-  [t waitUntilExit];
+  // This exit will likely never be called because the above launchctl command kill us.
  exit(0);
 }

--- a/version.bzl
+++ b/version.bzl
@@ -1,3 +1,3 @@
 """The version for all Santa components."""

-SANTA_VERSION = "1.8"
+SANTA_VERSION = "1.12"
Author	SHA1	Message	Date
Tom Burgin	d9ebb4e3db	version bump (#455 )	2020-03-17 16:27:40 -04:00
Tom Burgin	e6aaf2f198	Santa.app: don't request SystemExtension loading (#454 )	2020-03-17 16:23:48 -04:00
Tom Burgin	1c3757d4ab	santactl: don't watch for config changes (#453 ) * santactl: don't watch for config changes * bump version	2020-03-16 18:40:36 -04:00
Tom Burgin	4346bb29c2	santactl: sanitize rule payload (#450 ) * santactl: sanitize rule payload * version bump	2020-02-27 15:16:40 -05:00
Tom Burgin	09655df8fc	com.google.santa.daemon: reorder cleanup() (#448 ) * com.google.santa.daemon: reorder cleanup() * version bump	2020-02-26 15:13:51 -05:00