santad: Fix transitive rules when using the sysx cache feature (#540)

This fixes transitive allowlisting when `EnableSysxCache` is turned on, reduces the deadline timer to fire 5s before the ES deadline, remaps our DEBUG logs to NOTICE so they can be more easily seen in Console and prevents transitive rules being created for paths under /dev/.

CONTRIBUTING.md

@@ -1,34 +0,0 @@
-Want to contribute? Great! First, read this page (including the small print at the end).
-
-### Before you contribute
-Before we can use your code, you must sign the
-[Google Individual Contributor License Agreement](https://developers.google.com/open-source/cla/individual)
-(CLA), which you can do online. The CLA is necessary mainly because you own the
-copyright to your changes, even after your contribution becomes part of our
-codebase, so we need your permission to use and distribute your code. We also
-need to be sure of various other things—for instance that you'll tell us if you
-know that your code infringes on other people's patents. You don't have to sign
-the CLA until after you've submitted your code for review and a member has
-approved it, but you must do it before we can put your code into our codebase.
-
-Before you start working on a larger contribution, you should get in touch with
-us first through the [issue tracker](https://github.com/google/santa/issues)
-with your idea so that we can help out and possibly guide you. Co-ordinating
-large changes ahead of time can avoid frustration later on.
-
-### Code reviews
-All submissions - including submissions by project members - require review. We
-use GitHub pull requests for this purpose. GitHub will automatically run the
-tests when you mail your pull request and a proper review won't be started until
-the tests are complete and passing.
-
-### Code Style
-
-All code submissions should try to match the surrounding code.  Wherever possible,
-code should adhere to either the
-[Google Objective-C Style Guide](https://google.github.io/styleguide/objcguide.xml)
-or the [Google C++ Style Guide](https://google.github.io/styleguide/cppguide.html).
-
-### The small print
-Contributions made by corporations are covered by a different agreement than
-the one above, the [Software Grant and Corporate Contributor License Agreement](https://developers.google.com/open-source/cla/corporate).

CONTRIBUTING.md

@@ -0,0 +1 @@
+docs/development/contributing.md

Source/common/SNTFileInfo.m

@@ -362,7 +362,7 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
   while (pathComponents.count > 1) {
     NSBundle *bndl = [NSBundle bundleWithPath:[NSString pathWithComponents:pathComponents]];
     if ([bndl objectForInfoDictionaryKey:@"CFBundleIdentifier"]) {
-      if (!ancestor ||
+      if ((!ancestor && bndl.bundlePath.pathExtension.length) ||
           [[self allowedAncestorExtensions] containsObject:bndl.bundlePath.pathExtension]) {
         bundle = bndl;
       }

Source/common/SNTLogging.m

@@ -88,7 +88,10 @@ void logMessage(LogLevel level, FILE *destination, NSString *format, ...) {
         break;
       case LOG_LEVEL_DEBUG:
         levelName = "D";
-        syslogLevel = ASL_LEVEL_DEBUG;
+        // Log debug messages at the same ASL level as INFO.
+        // While it would make sense to use DEBUG, watching debug-level logs
+        // in Console means enabling all debug logs, which is absurdly noisy.
+        syslogLevel = ASL_LEVEL_NOTICE;
         break;
     }
 

Source/santa_driver/BUILD

@@ -1,13 +1,13 @@
-licenses(["notice"])
-
 load(
     "@build_bazel_rules_apple//apple:macos.bzl",
     "macos_command_line_application",
     "macos_kernel_extension",
 )
-load("//:helper.bzl", "run_command", "santa_unit_test")
+load("//:helper.bzl", "run_command")
 load("//:version.bzl", "SANTA_VERSION")
 
+licenses(["notice"])
+
 cc_library(
     name = "santa_driver_lib",
     srcs = [

Source/santactl/Commands/sync/SNTCommandSyncManager.m

@@ -337,6 +337,7 @@ static void reachabilityHandler(
 #pragma mark syncing chain
 
 - (void)preflight {
+  LOGD(@"Preflight starting");
   SNTCommandSyncState *syncState = [self createSyncState];
   SNTCommandSyncPreflight *p = [[SNTCommandSyncPreflight alloc] initWithState:syncState];
   if ([p sync]) {
@@ -373,6 +374,7 @@ static void reachabilityHandler(
 }
 
 - (void)eventUploadWithSyncState:(SNTCommandSyncState *)syncState {
+  LOGD(@"Event upload starting");
   SNTCommandSyncEventUpload *p = [[SNTCommandSyncEventUpload alloc] initWithState:syncState];
   if ([p sync]) {
     LOGD(@"Event upload complete");
@@ -384,6 +386,7 @@ static void reachabilityHandler(
 }
 
 - (void)ruleDownloadWithSyncState:(SNTCommandSyncState *)syncState {
+  LOGD(@"Rule download starting");
   SNTCommandSyncRuleDownload *p = [[SNTCommandSyncRuleDownload alloc] initWithState:syncState];
   if ([p sync]) {
     LOGD(@"Rule download complete");
@@ -395,6 +398,7 @@ static void reachabilityHandler(
 }
 
 - (void)postflightWithSyncState:(SNTCommandSyncState *)syncState {
+  LOGD(@"Postflight starting");
   SNTCommandSyncPostflight *p = [[SNTCommandSyncPostflight alloc] initWithState:syncState];
   if ([p sync]) {
     LOGD(@"Postflight complete");

Source/santactl/Commands/sync/SNTCommandSyncStage.m

@@ -83,20 +83,33 @@
 - (NSDictionary *)performRequest:(NSURLRequest *)request timeout:(NSTimeInterval)timeout {
   NSHTTPURLResponse *response;
   NSError *error;
-  NSData *data = [self performRequest:request timeout:timeout response:&response error:&error];
+  NSData *data;
 
-  // If the original request failed, attempt to get a new XSRF token and try again.
-  // Unfortunately some servers cause NSURLSession to return 'client cert required' or
-  // 'could not parse response' when a 403 occurs and SSL cert auth is enabled.
-  if ((response.statusCode == 403 ||
-       error.code == NSURLErrorClientCertificateRequired ||
-       error.code == NSURLErrorCannotParseResponse) &&
-      [self fetchXSRFToken]) {
-    NSMutableURLRequest *mutableRequest = [request mutableCopy];
-    [mutableRequest setValue:self.syncState.xsrfToken forHTTPHeaderField:kXSRFToken];
-    return [self performRequest:mutableRequest timeout:timeout];
+  for (int attempt = 1; attempt < 6; ++attempt) {
+    if (attempt > 1) {
+      struct timespec ts = {.tv_sec = (attempt * 2)};
+      nanosleep(&ts, NULL);
+    }
+
+    LOGD(@"Performing request, attempt %d", attempt);
+    data = [self performRequest:request timeout:timeout response:&response error:&error];
+    if (response.statusCode == 200) break;
+
+    // If the original request failed because of an auth error, attempt to get a new XSRF token and
+    // try again. Unfortunately some servers cause NSURLSession to return 'client cert required' or
+    // 'could not parse response' when a 403 occurs and SSL cert auth is enabled.
+    if ((response.statusCode == 403 ||
+         error.code == NSURLErrorClientCertificateRequired ||
+         error.code == NSURLErrorCannotParseResponse) &&
+        [self fetchXSRFToken]) {
+      NSMutableURLRequest *mutableRequest = [request mutableCopy];
+      [mutableRequest setValue:self.syncState.xsrfToken forHTTPHeaderField:kXSRFToken];
+      request = mutableRequest;
+      continue;
+    }
   }
 
+  // If the final attempt resulted in an error, log the error and return nil.
   if (response.statusCode != 200) {
     long code;
     NSString *errStr;

Source/santad/EventProviders/SNTCachingEndpointSecurityManager.mm

@@ -17,7 +17,7 @@
 #import "Source/common/SantaCache.h"
 #import "Source/common/SNTLogging.h"
 
-#include <atomic>
+#include <bsm/libbsm.h>
 #include <EndpointSecurity/EndpointSecurity.h>
 
 uint64_t GetCurrentUptime() {
@@ -28,7 +28,6 @@ template<> uint64_t SantaCacheHasher<santa_vnode_id_t>(santa_vnode_id_t const& t
 }
 
 @implementation SNTCachingEndpointSecurityManager {
-  std::atomic<bool> _compilerPIDs[PID_MAX];
   SantaCache<santa_vnode_id_t, uint64_t> *_decisionCache;
 }
 
@@ -56,10 +55,20 @@ template<> uint64_t SantaCacheHasher<santa_vnode_id_t>(santa_vnode_id_t const& t
     // If item is in cache but hasn't received a response yet, sleep for a bit.
     // If item is not in cache, break out of loop and forward request to callback.
     if (RESPONSE_VALID(return_action)) {
-      if (return_action == ACTION_RESPOND_ALLOW) {
-        es_respond_auth_result(self.client, m, ES_AUTH_RESULT_ALLOW, true);
-      } else {
-        es_respond_auth_result(self.client, m, ES_AUTH_RESULT_DENY, false);
+      switch (return_action) {
+        case ACTION_RESPOND_ALLOW:
+          es_respond_auth_result(self.client, m, ES_AUTH_RESULT_ALLOW, true);
+          break;
+        case ACTION_RESPOND_ALLOW_COMPILER: {
+          pid_t pid = audit_token_to_pid(m->process->audit_token);
+          [self setIsCompilerPID:pid];
+          // Don't let ES cache compilers
+          es_respond_auth_result(self.client, m, ES_AUTH_RESULT_ALLOW, false);
+          break;
+        }
+        default:
+          es_respond_auth_result(self.client, m, ES_AUTH_RESULT_DENY, false);
+          break;
       }
       return YES;
     } else if (return_action == ACTION_REQUEST_BINARY || return_action == ACTION_RESPOND_ACK) {
@@ -70,7 +79,7 @@ template<> uint64_t SantaCacheHasher<santa_vnode_id_t>(santa_vnode_id_t const& t
     }
   }
 
-  [self addToCache:vnode_id decision:ACTION_REQUEST_BINARY timeout:0];
+  [self addToCache:vnode_id decision:ACTION_REQUEST_BINARY currentTicks:0];
   return NO;
 }
 
@@ -79,24 +88,25 @@ template<> uint64_t SantaCacheHasher<santa_vnode_id_t>(santa_vnode_id_t const& t
   es_respond_result_t ret;
   switch (action) {
     case ACTION_RESPOND_ALLOW_COMPILER:
-      if (sm.pid >= PID_MAX) {
-        LOGE(@"Unable to watch compiler pid=%d >= pid_max=%d", sm.pid, PID_MAX);
-      } else {
-        LOGD(@"Watching compiler pid=%d path=%s", sm.pid, sm.path);
-        self->_compilerPIDs[sm.pid].store(true);
-      }
-      // Allow the exec, but don't cache the decision so subsequent execs of the compiler get
-      // marked appropriately.
+      [self setIsCompilerPID:sm.pid];
+
+      // Allow the exec and cache in our internal cache but don't let ES cache, because then
+      // we won't see future execs of the compiler in order to record the PID.
+      [self addToCache:sm.vnode_id
+              decision:ACTION_RESPOND_ALLOW_COMPILER
+          currentTicks:GetCurrentUptime()];
       ret = es_respond_auth_result(self.client, (es_message_t *)sm.es_message,
                                    ES_AUTH_RESULT_ALLOW, false);
       break;
     case ACTION_RESPOND_ALLOW:
     case ACTION_RESPOND_ALLOW_PENDING_TRANSITIVE:
-      [self addToCache:sm.vnode_id decision:ACTION_RESPOND_ALLOW timeout:GetCurrentUptime()];
+      [self addToCache:sm.vnode_id decision:ACTION_RESPOND_ALLOW currentTicks:GetCurrentUptime()];
       ret = es_respond_auth_result(self.client, (es_message_t *)sm.es_message,
                                    ES_AUTH_RESULT_ALLOW, true);
       break;
     case ACTION_RESPOND_DENY:
+      [self addToCache:sm.vnode_id decision:ACTION_RESPOND_DENY currentTicks:GetCurrentUptime()];
+      OS_FALLTHROUGH;
     case ACTION_RESPOND_TOOLONG:
       ret = es_respond_auth_result(self.client, (es_message_t *)sm.es_message,
                                    ES_AUTH_RESULT_DENY, false);
@@ -112,7 +122,7 @@ template<> uint64_t SantaCacheHasher<santa_vnode_id_t>(santa_vnode_id_t const& t
 
 - (void)addToCache:(santa_vnode_id_t)identifier
           decision:(santa_action_t)decision
-           timeout:(uint64_t)microsecs {
+      currentTicks:(uint64_t)microsecs {
   switch (decision) {
     case ACTION_REQUEST_BINARY:
       _decisionCache->set(identifier, (uint64_t)ACTION_REQUEST_BINARY << 56, 0);

Source/santad/EventProviders/SNTEndpointSecurityManager.h

@@ -25,6 +25,10 @@ const pid_t PID_MAX = 99999;
 @interface SNTEndpointSecurityManager : NSObject<SNTEventProvider>
 - (santa_vnode_id_t)vnodeIDForFile:(es_file_t *)file;
 
+- (BOOL)isCompilerPID:(pid_t)pid;
+- (void)setIsCompilerPID:(pid_t)pid;
+- (void)setNotCompilerPID:(pid_t)pid;
+
 @property(readonly, nonatomic) es_client_t *client;
 
 @end

Source/santad/EventProviders/SNTEndpointSecurityManager.mm

@@ -25,7 +25,9 @@
 #include <libproc.h>
 
 
-@interface SNTEndpointSecurityManager ()
+@interface SNTEndpointSecurityManager () {
+  std::atomic<bool> _compilerPIDs[PID_MAX];
+}
 
 @property(nonatomic) SNTPrefixTree *prefixTree;
 @property(nonatomic, copy) void (^decisionCallback)(santa_message_t);
@@ -36,9 +38,7 @@
 
 @end
 
-@implementation SNTEndpointSecurityManager {
-  std::atomic<bool> _compilerPIDs[PID_MAX];
-}
+@implementation SNTEndpointSecurityManager
 
 - (instancetype)init API_AVAILABLE(macos(10.15)) {
   self = [super init];
@@ -107,7 +107,7 @@
           [self removeCacheEntryForVnodeID:[self vnodeIDForFile:m->event.close.target]];
 
           // Create a transitive rule if the file was modified by a running compiler
-          if (pid && pid < PID_MAX && self->_compilerPIDs[pid].load()) {
+          if ([self isCompilerPID:pid]) {
             santa_message_t sm = {};
             BOOL truncated = [self populateBufferFromESFile:m->event.close.target
                                                      buffer:sm.path
@@ -117,6 +117,9 @@
                    sm.path, pid);
               break;
             }
+            if ([@(sm.path) hasPrefix:@"/dev/"]) {
+              break;
+            }
             sm.action = ACTION_NOTIFY_WHITELIST;
             sm.pid = pid;
             sm.pidversion = pidversion;
@@ -129,7 +132,7 @@
         }
         case ES_EVENT_TYPE_NOTIFY_RENAME: {
           // Create a transitive rule if the file was renamed by a running compiler
-          if (pid && pid < PID_MAX && self->_compilerPIDs[pid].load()) {
+          if ([self isCompilerPID:pid]) {
             santa_message_t sm = {};
             BOOL truncated = [self populateRenamedNewPathFromESMessage:m->event.rename
                                                                 buffer:sm.path
@@ -139,6 +142,9 @@
                    sm.path, pid);
               break;
             }
+            if ([@(sm.path) hasPrefix:@"/dev/"]) {
+              break;
+            }
             sm.action = ACTION_NOTIFY_WHITELIST;
             sm.pid = pid;
             sm.pidversion = pidversion;
@@ -151,7 +157,7 @@
         }
         case ES_EVENT_TYPE_NOTIFY_EXIT: {
           // Update the set of running compiler PIDs
-          if (pid && pid < PID_MAX) self->_compilerPIDs[pid].store(false);
+          [self setNotCompilerPID:pid];
 
           // Skip the standard pipeline and just log.
           if (![config enableForkAndExitLogging]) return;
@@ -191,15 +197,12 @@
 
       switch (m->action_type) {
         case ES_ACTION_TYPE_AUTH: {
-          // Create a timer to deny the execution 2 seconds before the deadline,
+          // Create a timer to deny the execution 5 seconds before the deadline,
           // if a response hasn't already been sent. This block will still be enqueued if
-          // the the deadline - 2 secs is < DISPATCH_TIME_NOW.
-          // As of 10.15.2, a typical deadline is 60 seconds.
-          // TODO(bur/rah): Possibly cache decisions made after the deadline. Currently a
-          // large enough binary will never be allowed to execute. This should be a rare edge case;
-          // it's probably not worth adding a caching layer just for this.
+          // the the deadline - 5 secs is < DISPATCH_TIME_NOW.
+          // As of 10.15.5, a typical deadline is 60 seconds.
           auto responded = std::make_shared<std::atomic<bool>>(false);
-          dispatch_after(dispatch_time(m->deadline, NSEC_PER_SEC * -2), self.esAuthQueue, ^(void) {
+          dispatch_after(dispatch_time(m->deadline, NSEC_PER_SEC * -5), self.esAuthQueue, ^(void) {
             if (responded->load()) return;
             LOGE(@"Deadline reached: deny pid=%d ret=%d",
                  pid, es_respond_auth_result(self.client, m, ES_AUTH_RESULT_DENY, false));
@@ -449,12 +452,8 @@
   es_respond_result_t ret;
   switch (action) {
     case ACTION_RESPOND_ALLOW_COMPILER:
-      if (sm.pid >= PID_MAX) {
-        LOGE(@"Unable to watch compiler pid=%d >= pid_max=%d", sm.pid, PID_MAX);
-      } else {
-        LOGD(@"Watching compiler pid=%d path=%s", sm.pid, sm.path);
-        self->_compilerPIDs[sm.pid].store(true);
-      }
+      [self setIsCompilerPID:sm.pid];
+
       // Allow the exec, but don't cache the decision so subsequent execs of the compiler get
       // marked appropriately.
       ret = es_respond_auth_result(self.client, (es_message_t *)sm.es_message,
@@ -567,4 +566,23 @@
   };
 }
 
+- (BOOL)isCompilerPID:(pid_t)pid {
+  return (pid && pid < PID_MAX && self->_compilerPIDs[pid].load());
+}
+
+- (void)setIsCompilerPID:(pid_t)pid {
+  if (pid < 1) {
+    LOGE(@"Unable to watch compiler pid=%d", pid);
+  } else if (pid >= PID_MAX) {
+    LOGE(@"Unable to watch compiler pid=%d >= PID_MAX(%d)", pid, PID_MAX);
+  } else {
+    self->_compilerPIDs[pid].store(true);
+    LOGD(@"Watching compiler pid=%d", pid);
+  }
+}
+
+- (void)setNotCompilerPID:(pid_t)pid {
+  if (pid && pid < PID_MAX) self->_compilerPIDs[pid].store(false);
+}
+
 @end

docs/deployment/configuration.md

@@ -175,7 +175,7 @@ Configuration profiles have a `.mobileconfig` file extension. There are many way
 | fcm_full_sync_interval*        | Integer    | The full sync interval if a fcm_token is set. Defaults to  14400 secs (4 hours). |
 | fcm_global_rule_sync_deadline* | Integer    | The max time to wait before performing a rule sync when a global rule sync FCM message is received. This allows syncing to be staggered for global events to avoid spikes in server load. Defaults to 600 secs (10 min). |
 | enable_bundles*                | Bool       | If set to `True` the bundle scanning feature is enabled. Defaults to `False`. |
-| enabled_transitive_rules       | Bool       | If set to `True` the transitive rule feature is enabled. Defaults to `False`. |
+| enable_transitive_rules        | Bool       | If set to `True` the transitive rule feature is enabled. Defaults to `False`. |
 
 *Held only in memory. Not persistent upon process restart.
 

docs/deployment/notificationsettings.santa.example.mobileconfig

@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>PayloadContent</key>
+	<array>
+		<dict>
+			<key>NotificationSettings</key>
+			<array>
+				<dict>
+					<key>AlertType</key>
+					<integer>1</integer>
+					<key>BadgesEnabled</key>
+					<true/>
+					<key>BundleIdentifier</key>
+					<string>com.google.santa</string>
+					<key>CriticalAlertEnabled</key>
+					<true/>
+					<key>NotificationsEnabled</key>
+					<true/>
+					<key>ShowInLockScreen</key>
+					<true/>
+					<key>ShowInNotificationCenter</key>
+					<true/>
+					<key>SoundsEnabled</key>
+					<false/>
+				</dict>
+			</array>
+			<key>PayloadDisplayName</key>
+			<string>Notifications Payload</string>
+			<key>PayloadIdentifier</key>
+			<string>com.google.santa.notificationsettings.F1817DA0-0044-43DD-9540-36EBC60FDA8F</string>
+			<key>PayloadOrganization</key>
+			<string></string>
+			<key>PayloadType</key>
+			<string>com.apple.notificationsettings</string>
+			<key>PayloadUUID</key>
+			<string>510236AE-D7F8-4131-A4CA-5CC930C51866</string>
+			<key>PayloadVersion</key>
+			<integer>1</integer>
+		</dict>
+	</array>
+	<key>PayloadDescription</key>
+	<string>Configures your Mac to automatically enable Notifications settings for Santa</string>
+	<key>PayloadDisplayName</key>
+	<string>Santa Notifications settings</string>
+	<key>PayloadEnabled</key>
+	<true/>
+	<key>PayloadIdentifier</key>
+	<string>com.google.santa.notificationsettings.069CA123-6129-46A5-8FD1-49322E5A5755</string>
+	<key>PayloadOrganization</key>
+	<string></string>
+	<key>PayloadRemovalDisallowed</key>
+	<true/>
+	<key>PayloadScope</key>
+	<string>System</string>
+	<key>PayloadType</key>
+	<string>Configuration</string>
+	<key>PayloadUUID</key>
+	<string>069CA123-6129-46A5-8FD1-49322E5A5755</string>
+	<key>PayloadVersion</key>
+	<integer>1</integer>
+</dict>
+</plist>

docs/details/santactl.md

@@ -8,8 +8,8 @@ This may be the most complex part of Santa. It does two types of work:
     can also inspect individual files. When running without a sync server it
     also a supported method of managing the rules database.
 
-The details of santactl's syncing functionality are covered in the syncing.md
-document. This document will cover the status work that santactl performs.
+The details of santactl's syncing functionality are covered in [introduction/syncing-overview.md](syncing-overview.md).
+This document will cover the status work that santactl performs.
 
 ##### status
 

docs/development/contributing.md

@@ -0,0 +1,34 @@
+Want to contribute? Great! First, read this page (including the small print at the end).
+
+### Before you contribute
+Before we can use your code, you must sign the
+[Google Individual Contributor License Agreement](https://developers.google.com/open-source/cla/individual)
+(CLA), which you can do online. The CLA is necessary mainly because you own the
+copyright to your changes, even after your contribution becomes part of our
+codebase, so we need your permission to use and distribute your code. We also
+need to be sure of various other things—for instance that you'll tell us if you
+know that your code infringes on other people's patents. You don't have to sign
+the CLA until after you've submitted your code for review and a member has
+approved it, but you must do it before we can put your code into our codebase.
+
+Before you start working on a larger contribution, you should get in touch with
+us first through the [issue tracker](https://github.com/google/santa/issues)
+with your idea so that we can help out and possibly guide you. Co-ordinating
+large changes ahead of time can avoid frustration later on.
+
+### Code reviews
+All submissions - including submissions by project members - require review. We
+use GitHub pull requests for this purpose. GitHub will automatically run the
+tests when you mail your pull request and a proper review won't be started until
+the tests are complete and passing.
+
+### Code Style
+
+All code submissions should try to match the surrounding code.  Wherever possible,
+code should adhere to either the
+[Google Objective-C Style Guide](https://google.github.io/styleguide/objcguide.xml)
+or the [Google C++ Style Guide](https://google.github.io/styleguide/cppguide.html).
+
+### The small print
+Contributions made by corporations are covered by a different agreement than
+the one above, the [Software Grant and Corporate Contributor License Agreement](https://developers.google.com/open-source/cla/corporate).

docs/index.md

@@ -9,7 +9,7 @@ contribute.
 The following documents give an overview of how Santa accomplishes binary
 authorization at the enterprise scale.
 
-- [Binary Authorization](introduction/binary-authorization.md): How Santa makes allow or deny decisions for any `execve()` taking place.
+- [Binary Authorization](introduction/binary-authorization-overview.md): How Santa makes allow or deny decisions for any `execve()` taking place.
 - [Syncing](introduction/syncing-overview.md): How configuration and rules are applied from a sync server.
 
 #### Deployment
@@ -19,7 +19,7 @@ authorization at the enterprise scale.
 #### Development
 
 * [Building Santa](development/building.md): How to build and load Santa for testing on a development machine.
-* [Contributing](../CONTRIBUTING.md): How to contribute a bug fix or new feature to Santa.
+* [Contributing](development/contributing.md): How to contribute a bug fix or new feature to Santa.
 
 #### Details
 
@@ -43,7 +43,6 @@ Additional documentation on the concepts that support the operation of the main
 * [events](details/events.md): Represents an `execve()` that was blocked, or would have been blocked, depending on the mode.
 * [rules](details/rules.md): Represents allow or deny decisions for a given `execve()`. Can either be a binary's SHA-256 hash or a leaf code-signing certificate's SHA-256 hash.
 * [scopes](details/scopes.md): The level at which an `execve()` was allowed or denied from taking place.
-* [syncing](introduction/syncing-overview.md): How Santa communicates with a TLS server for configuration, rules and event uploading.
 * [ipc](details/ipc.md): How all the components of Santa communicate.
   duction/syncing-overview.
 * [logs](details/logs.md): What and where Santa logs.

version.bzl

@@ -1,3 +1,3 @@
 """The version for all Santa components."""
 
-SANTA_VERSION = "2021.1"
+SANTA_VERSION = "2021.3"