Compare commits


90 Commits

Author SHA1 Message Date
Russell Hancox
dcbbc33e5e Revert "Configurator: Apply config updates in non-daemon processes (#1003)" (#1008)
This reverts commit 1e88b88ee6.
2023-01-20 13:30:06 -05:00
Matt W
ebe5166d77 Prevent recursive reconnect attempts (#1005) 2023-01-19 10:03:15 -05:00
Matt W
6e5a530df5 Low hanging fruit perf changes (#1004)
* Some minor changes for some easy perf wins based on trace info

* Manually track buffer offsets in File writer

* Add metrics tests

* Call members from appropriate shared object
2023-01-18 15:14:48 -05:00
Russell Hancox
1e88b88ee6 Configurator: Apply config updates in non-daemon processes (#1003) 2023-01-18 10:00:39 -05:00
Nick Gregory
2d74f36ddb Reconnect to santametrics service on failure (#1001)
* Reconnect to santametrics service on failure

* use logging macros
2023-01-12 10:41:36 -05:00
Matt W
3a3564f36b Add watch item state to santactl status (#1000)
* Add method to get WatchItems state

* Update santactl status with watch items state

* Update status label

* PR feedback - add missing dispatch_group_leave
2023-01-12 10:38:12 -05:00
Matt W
d3c7cbbcc3 Rename type aliases (#999) 2023-01-11 11:30:11 -05:00
Matt W
1ff6967934 Support configuring signing IDs for process exceptions (#998) 2023-01-11 09:42:32 -05:00
Matt W
53877f6114 Adopt new FS Access Auth config format and policy application logic (#994)
* WIP parsing new watch item config format

* Change WatchItemPolicy param order. Define policy default constants.

* rename write_only policy member to allow_read_access

* WIP parsing new config format, WatchItemsTest all pass

* Restructured process config parsing. Added tons of tests.

* Abstract NSError creation to a function

* Better errors. Bubble up NSErrors to reduce duplicate messages. More Tests.

* Validate min string lengths. Add a bunch more tests.

* Adopt new policy process logic and add tests

* Address PR feedback
2023-01-10 16:40:13 -05:00
Matt W
8c50af4041 Add policy version and name to basic string serializer (#997) 2023-01-10 13:17:21 -05:00
Russell Hancox
d0d4508f77 docs: Fix deployment/configuration doc (#996) 2023-01-10 09:23:52 -05:00
Matt W
df3aac5baf Change name of santa config keys for file access monitoring (#995) 2023-01-09 21:08:57 -05:00
Nick Gregory
e289056e5e lower fuzz case timeout to 5s (#993) 2023-01-09 12:28:45 -05:00
Matt W
4adad2ecfa More event type support (#992)
* Add truncate and create support

* Add metrics support
2023-01-06 12:51:40 -05:00
Matt W
dc1a3c27c2 Add more event coverage in the file access client (#991)
* Support more file access protection event types

* Update tests for new events and method signatures

* lint

* Add metrics for new event types

* Add support for LINK event

* Fix spacing
2023-01-05 13:03:21 -05:00
Nick Gregory
a2f8030482 Fuzz embedded plist reading (#990)
* fuzz embedded plist reading

* remove newline

* consolidate size checking

* brackets

Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
2023-01-03 14:22:31 -05:00
Matt W
338a4f738f Opportunistically use ES cache when possible (#989)
* WIP fixing up ES cacheability in file access client

* Removed old code from before simplification

* Add more tests
2023-01-03 14:09:21 -05:00
Nick Gregory
845d72eebd Fix nightly run cron specification (#986) 2022-12-28 17:36:54 -05:00
Nick Gregory
ca81270bff Fix SNTFileInfo Fuzzing (#985)
* fix SNTFileInfo fd leak

* auto poweroff VM after fuzzing

* lint
2022-12-27 16:20:32 -05:00
Matt W
42cf1b232a Adopt new ES APIs to watch target paths in tamper client (#984) 2022-12-22 16:49:25 -05:00
Nick Gregory
57285c48dd use new public api for booting VM into recoveryOS (#983) 2022-12-22 16:27:38 -05:00
Nick Gregory
2279cd8662 Run fuzzing in a VM (#982)
* run fuzzing in a vm

* no use cleaning up since each VM is pristine
2022-12-22 13:52:46 -05:00
Nick Gregory
9423beecc8 fix spinloop when no override config is specified (#981) 2022-12-22 13:51:46 -05:00
Pete Markowsky
b18d4a0e30 Fix SNTFileInfoTest for macOS 13 (#977)
* Fix SNTFileInfoTest for macOS 13
2022-12-22 10:37:22 -05:00
Russell Hancox
290ebed15e Allstar: Add fuzzing artifact (#980) 2022-12-22 09:13:53 -05:00
Matt W
435868aa7a Add build targets, lint (#978) 2022-12-21 22:56:20 -05:00
Nick Gregory
2e3952a31d Revitalize Fuzzing (#976)
* snapshot using rules_fuzzing, but this probably won't work because nothing supports objc

* working fuzz

* clean up

* install libclang_rt.fuzzer_osx automatically; add to CI

* retain corpus

* restore old fuzzing stuff

* corpus

* move fuzz to separate timed action

* review
2022-12-21 15:29:07 -05:00
Matt W
60f53bc20a Adopt new ES APIs to monitor target paths (#975)
* WIP begin adopting new ES APIs inverting target mute paths

* Track subscription status so as not to unnecessarily enable/disable

* Properly chain call to invert target mute paths. Fix using wrong Message obj.

* Add base client tests

* Support compiling on older platforms

* More changes to support compiling on older platforms

* Only enable watch items periodic task on macOS 13

* Add more asserts to test

* Disable ES caching for now

* lint
2022-12-20 21:15:01 -05:00
Russell Hancox
fec3766da4 Project: Upgrade MOLAuthenticatingURLSession to v3.1 (#974) 2022-12-19 15:12:09 -05:00
Matt W
ae63055f34 Fix golden test data for macOS 13 (#972) 2022-12-19 14:47:06 -05:00
Russell Hancox
e5a0c3c1c0 sync: Fix deduplication in reachability handler (#973) 2022-12-19 14:42:18 -05:00
Matt W
5680c69164 Address policy consistency issues (#971)
* Change FindPolicyForPath to operate on vector of inputs

* Adopt new interface to find all policies simultaneously

* Fix tests to use new FindPoliciesForPath signature
2022-12-19 14:20:05 -05:00
Nick Gregory
8a978c1e75 Update LICENSE for VM code (#970) 2022-12-16 12:21:49 -05:00
Matt W
6aa7c9ba86 Fix import issues (#969)
* Fix import issues

* lint
2022-12-15 16:10:26 -05:00
Matt W
6adef6a714 Track path types for current/new watch items (#968)
* Move WatchItemPolicy to its own header. Add path type enum.

* When tracking current/new paths, also track path types

* lint
2022-12-15 15:44:47 -05:00
Nick Gregory
1d8c105257 absl_guarded_by (#967) 2022-12-15 13:34:32 -05:00
Matt W
e2d7cf04fc Fix under retain (#966) 2022-12-15 12:50:59 -05:00
Nick Gregory
9d448071f7 Lint the E2E start-vm Python script (#965)
* appease the linter

* add python to the lint script
2022-12-14 17:37:56 -05:00
Nick Gregory
cd6c0e7120 Introduce end-to-end testing (#919)
* initial e2e work

* switch to entitlements property instead of codesignopts hack

* bring moroz patches in

* go ahead and switch to upstream

* lint

* no need to install gcs every time

* codeowners

* add comments

* move to new e2e workflow

* rename e2e workflow
2022-12-14 11:15:55 -05:00
Matt W
ec5e8177fb Serialize File Access events (#964)
* WIP skeleton code for file access event serialization

* Added basic string serializer for file access event

* Added proto string serializer for file access event
2022-12-14 11:04:37 -05:00
Russell Hancox
8e10c103cb santad: Flush cache when StaticRules are changed (#963) 2022-12-13 16:57:13 -05:00
Matt W
db6c14ea10 Enrich file access events, prepare for logging (#962)
* WIP refactor file access class to setup logging

* Combined GetPathTarget1 and 2, added some tests.

* Change method name to not be abbrv.

* Remove unnecessary includes

* PR feedback: fix missing path sep, add comments

* Fix test issue
2022-12-12 16:37:47 -05:00
Matt W
4a4f1a971c Fix issue where wrong variable was used (#961) 2022-12-09 15:07:30 -05:00
Matt W
c5c82a18ff Dynamically enable/disable FS Access client based on config (#959)
* WIP Dynamic watch item config loading. Dynamic event handler protocol.

* Clients can now register with WatchItems to be enabled/disabled

* Handle dynamic fs monitor config add/modify/delete, dynamic enable/disable clients

* Update WatchItemsTest to use new constructor

* Better check handling value changes

* Add missing mock config value to fix integration test
2022-12-09 11:54:54 -05:00
Russell Hancox
f702c7a281 Tests: Fix SNTEndpointSecurityFileAccessAuthorizerTest (#958) 2022-12-08 15:46:51 -05:00
Russell Hancox
958ef52698 Config: In debug builds, allow config to be overridden from a plist file. (#957) 2022-12-08 15:07:59 -05:00
Matt W
068ec885b2 pemdas (#955)
* pemdas

* lint
2022-12-07 17:07:05 -05:00
Matt W
e572f047c0 Import fix (#953) 2022-12-07 14:07:13 -05:00
Matt W
b904a329d9 FS Access Config Version, Policy decision enums (#951)
* Add policy version to config. Return policy decision as enum.

* Check EnableBadSignatureProtection config when evaluating instigating procs

* Draft proto update for file access

* Revert "Draft proto update for file access"

This reverts commit 5d7e9a9e03.

* Change return type to work around OCMock partial mocking issues

* lint
2022-12-07 13:33:35 -05:00
Matt W
d19343bccd Draft proto for new FileAccess log (#952)
* Draft proto for new FileAccess log

* Update Source/common/santa.proto

Co-authored-by: Pete Markowsky <pmarkowsky@users.noreply.github.com>

Co-authored-by: Pete Markowsky <pmarkowsky@users.noreply.github.com>
2022-12-07 13:06:47 -05:00
Matt W
09cd78d756 Initial work for File Access Authorizer Client (#949)
* WIP Initial work for new fs watcher client

* WIP basic working mechanics of applying policy to OPEN events

* WIP now support allowing access based on cdhash

* WIP lint fix

* WIP check instigator cdhash and cert hash against policy

* WIP Fix test issue in base ES client class

* WIP Fix test issue in water items test

* Added secondary lookup cache for cert hashes and fallback lookups

* Adopt new SantaVnode name

* Adopt min macOS 11. Adopt new SantaCacheHasher for SantaVnode.

* Rename the es client to FileAccessAuthorizer

* Added some more tests

* Added MockLogger and a lot more tests.

* Removed currently unused subscriptions. Don't enable FS client by default

* lint

* lint after rebase

* Use strtoul for hex string conversion. Update comments.

* PR feedback
2022-12-06 19:52:32 -05:00
Russell Hancox
f169b69944 santad: Change workaround for glob header with blocks, free glob-allocated memory (#948) 2022-12-05 15:52:17 -05:00
Russell Hancox
40f9872c54 Tests: Fix some assertions comparing strings (#947) 2022-12-05 12:54:04 -05:00
Matt W
5718f2e582 Watch items (#937)
* WIP started work on parsing config

* WIP Basics of parsing config and generating new policy

* WIP Reapplying config updates functionally complete. Needs a lot more tests.

* Test cleanup, added using decl for watch items tree type

* More WatchItems tests and test polishing.

* Remove test print function. Formatting.

* Commented use of __BLOCKS__ undef

* Return a shared_ptr from factory

* Change WatchItemsPolicy to store sets instead of vectors

* Remove unnecessary WatchItem, replace with string

* Typo

* Update error messages to not make it sound like parse errors are recoverable
2022-12-01 13:41:05 -05:00
Liam Nicholson
04fd742114 Include SD Card Mounting in the USB Block Functionality (#938) 2022-12-01 10:25:54 -05:00
Matt W
194a3a6d4a Remove SNTCommon (#945)
* Move santa_action_t to SNTCommonEnums and rename to SNTAction

* Move likely and unlikely macros to a new BranchPrediction header

* Remove SNTCommon.h. Move SantaVnode to its own header.

* Add SantaVnodeHash

* Fix build deps
2022-12-01 09:14:54 -05:00
Matt W
e1dc50fb36 Drop macOS 10.15 (#944)
* Drop macOS 10.15 support

* lint
2022-11-29 20:20:48 -05:00
Matt W
9ff2f0d631 Switch from task_info to libproc for system resource info (#939)
* Switch from task_info to libproc for system resource info

* Fix return value

* Convert nanos to seconds

* Make GetTimebase static. Expose NanosToMachTime.

* Abstract return or GetTaskInfo to new type.
2022-11-29 16:50:37 -05:00
Matt W
85058ec290 Rename santa_vnode_id_t to SantaVnode (#943)
* Rename santa_vnode_id_t to SantaVnode. Add factory.

* Change types of SantaVnode to match stat(2)
2022-11-28 23:45:14 -05:00
Russell Hancox
6e90673f71 docs: Update keyserver address in SECURITY (#941) 2022-11-28 19:35:02 -05:00
Russell Hancox
a58cee908f docs: Fix typo in sync-protocol, h/t to @maxwbuckley (#940) 2022-11-28 17:21:45 -05:00
Russell Hancox
80b26955b4 GUI: Fix distributed notifications in silent mode (#936) 2022-11-16 09:53:56 -05:00
Matt W
6a84023548 Prefix tree updates (#931)
* WIP Rename SNTPrefixTree to PrefixTree

* WIP Implement the new PrefixTree and tests

* Add Unit type. Fix build and tests.

* lint

* Make NodeCount accessor for tests

* Updated comments
2022-11-14 13:16:49 +00:00
Russell Hancox
e70acefb5c Docs: Fix type of {allowed,blocked}_path_regex keys in preflight (#934) 2022-11-07 15:36:10 -05:00
Matt W
41c918ee87 Don't add messages when accumulated bytes exceeds threshold (#932)
* Don't add messages when accumulated bytes exceeds threshold

* Add a leniency factor

* lint
2022-11-07 12:24:49 -05:00
Matt W
1adb6d2726 Update spool to flush on size thresholds instead of batch counts (#930) 2022-11-03 14:55:51 -04:00
Matt W
8c531a256b metrics and logging cleanup (#928)
* Metrics and ambiguous log cleanup

* Fix test
2022-11-01 14:47:49 +00:00
Russell Hancox
5829363733 GUI: Fix EnableSilentMode key (#927) 2022-11-01 10:11:21 -04:00
Pete Markowsky
379f283c62 Update Known Limitations for USB Mass Storage Blocking (#924)
* Updated known limitations.
2022-10-28 20:21:38 -04:00
Matt W
2082345c02 Change order that ES clients are enabled (#923) 2022-10-29 00:15:26 +00:00
Matt W
dd8f81a60e Fix issue in test that would crash on some platforms (#922) 2022-10-28 20:14:53 -04:00
Matt W
8ccb0813f1 More import fixes (#921)
* More import fixes

* lint
2022-10-28 15:57:01 -04:00
Matt W
b24e7e42bf Event metrics (#918)
* WIP. Record event count and processing time metrics. Tests don't currently build.

* Updated tests

* Fix field names

* Remove unused target

* formatting

* Cleanup from PR comments
2022-10-28 14:25:07 -04:00
Pete Markowsky
4821ebebd5 Fix: duplicates bug in SNTMetricSet when using multiple fields (#920)
Fix duplicates bug in SNTMetricSet when using multiple fields names.

This also fixes the santactl metric command and golden files for tests.
2022-10-28 13:50:08 -04:00
Matt W
efeaa82618 Fix issue with transposed remount/banned block messages (#917) 2022-10-26 20:54:17 -04:00
videlanicolas
3f3de02644 USB: usbBlockMessage is not being used. (#915) 2022-10-26 17:42:49 -04:00
Matt W
f6c9456ea7 Fix some more includes (#914) 2022-10-25 16:52:19 -04:00
Matt W
2aaff051c8 Various changes to fix import (#913) 2022-10-25 16:16:44 -04:00
Matt W
2df7e91c87 Change include to import (#912) 2022-10-24 11:56:02 -04:00
Matt W
37644acd01 Update build docs. Fixes #910 (#911) 2022-10-24 09:55:37 -04:00
Matt W
899ca89e23 Proto minimization (#909)
* Create Light variants of File and ProcessInfo messages to reduce disk/wire byte counts

* Updated golden test data
2022-10-21 19:48:37 -04:00
Matt W
e7281f1c55 Spool writer (#908)
* Spool writer and santactl command to print proto file

* Make valid JSON for multiple paths. Can now create proto/spool logger. Updated logger tests.

* Make fsspool writer and fsspool log batch writer injectable

* Add spool writer tests

* Updated help text for santactl printlog

* Include file cleanup

* Fix dispatch source destruction

* Change config keys for the new Spool writer

* Spool settings now configurable

* Fix param order

* Remove some test sleeps related to control flow
2022-10-21 16:43:12 -04:00
Matt W
bf0ca24ae7 Machine id proto (#907)
* Add MachineID to all BasicString serialized log messages

* machine_id now a top level proto field

* Remove commented code
2022-10-19 10:51:38 -04:00
np5
4fe8b7908f sync: Fix USB blocking config sync (#890) 2022-10-18 10:01:20 -04:00
Matt W
a8dd332402 Update include paths and add include guard (#905) 2022-10-14 17:58:36 -04:00
Matt W
6631b0a8e3 More import fixes (#904)
* Layering check disable

* workaround for layering issue
2022-10-14 17:20:20 -04:00
Matt W
07e09db608 Import fixes (#902)
* Apply clang-format to cc files

* Modify binaryproto namespace

* Add more required includes

* Add proto includes

* Assert message parsing succeeds in test

* Add optional keyword to proto fields to track presence. TESTS BROKEN.

* Update golden test data
2022-10-14 15:51:53 -04:00
Matt W
d041a48c97 Fsspool adopt (#900)
* Added fsspool library, tests

* Cleanup

* Remove extra visibility from BUILD file

* Import foundation so the linter doesn't complain
2022-10-13 20:47:52 -04:00
Matt W
1683e09cc8 Proto serializer (#897)
* Initial proto serializer with close event

* Define move ctors for enriched types, delete copy ctors

* More event proto serialization. Commonized proto test code.

* Started work serializing exec event. Added serializer utilities.

* More progress serializing exec event

* Add more test data. Test restructure to permit fine grained mocking.

* Env/FD ES types now wrapped in EndpointSecurityAPI. Added calls to proto serializer.

* Add fd type names to proto

* Version compat. Script and Working Dir encoding.

* Add process start time

* Serialize Link event

* Add null check, mainly to fix tests

* Handle versioned expectations

* Each test now build msg in callbacks to set better expectations

* Serialize rename event and tests

* Serialize unlink event and tests

* Serialize allowlist and bundle events. Add utilities tests.

* Formatting

* Disk event proto serialization and tests

* Fix test only issues

* Rename santa_new.proto to santa.proto

* Change fd type int and string to an enum

* Proto namespace now versioned

* Added comments to proto schema

* Add proto support to indicate if fd list truncated
2022-10-13 13:52:41 -04:00
Ivan Tadeu Ferreira Antunes Filho
d6c73e0c6c common: Make SNTCommonEnums a textual header (#896)
This change fixes -wunused-variable warnings. The header is not valid by itself and should be declared as a textual header rather than as a header.
2022-10-03 13:15:33 -04:00
272 changed files with 18462 additions and 1831 deletions


@@ -1,5 +1,6 @@
# Ignore reason: These crafted binaries are used in tests
ignorePaths:
- Fuzzing/common/MachOParse_corpus/ret0
- Source/common/testdata/bad_pagezero
- Source/common/testdata/missing_pagezero
- Source/common/testdata/missing_pagezero
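Review bot: the list now ends with two identical entries (`- Source/common/testdata/missing_pagezero` twice); unless that is only how the diff rendered here, drop one, since the duplicate adds nothing. The `# Ignore reason` comment also still says these paths are crafted test binaries, while the new entry `Fuzzing/common/MachOParse_corpus/ret0` is a fuzzing corpus seed; extend the comment to say so, so a future reader of this allowlist knows why a corpus file is exempt from scanning.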


@@ -6,6 +6,9 @@ build --copt=-Wno-error=deprecated-declarations
build --per_file_copt=.*\.mm\$@-std=c++17
build --cxxopt=-std=c++17
build --copt=-DSANTA_OPEN_SOURCE=1
build --cxxopt=-DSANTA_OPEN_SOURCE=1
build:asan --strip=never
build:asan --copt="-Wno-macro-redefined"
build:asan --copt="-D_FORTIFY_SOURCE=0"
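Review bot: `build --cxxopt=-DSANTA_OPEN_SOURCE=1` duplicates the `build --copt=-DSANTA_OPEN_SOURCE=1` line directly above it; Bazel passes `--copt` values to every C, C++ and Objective-C(++) compile action, so the `--cxxopt` copy just defines the same macro a second time on C++ compiles. If the duplicate is deliberate, a one-line comment saying why would stop the next person from removing it.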
@@ -14,3 +17,9 @@ build:asan --copt="-fno-omit-frame-pointer"
build:asan --copt="-fsanitize=address"
build:asan --copt="-DADDRESS_SANITIZER"
build:asan --linkopt="-fsanitize=address"
build:fuzz --copt="-Wno-macro-redefined"
build:fuzz --copt="-D_FORTIFY_SOURCE=0"
build:fuzz --@rules_fuzzing//fuzzing:cc_engine=@rules_fuzzing//fuzzing/engines:libfuzzer
build:fuzz --@rules_fuzzing//fuzzing:cc_engine_instrumentation=libfuzzer
build:fuzz --@rules_fuzzing//fuzzing:cc_engine_sanitizer=asan
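Review bot: `build:fuzz --copt="-Wno-macro-redefined"` and `build:fuzz --copt="-D_FORTIFY_SOURCE=0"` repeat the `build:asan` lines above verbatim with no explanation; add a comment that fortification is disabled because the `_FORTIFY_SOURCE` wrappers interfere with the ASan interceptors that `cc_engine_sanitizer=asan` enables, and consider `build:fuzz --config=asan` so the two configs cannot drift apart. Nothing visible in this file sets `--strip=never` or `-fno-omit-frame-pointer` for the fuzz config the way `build:asan` does; verify that the rules_fuzzing instrumentation supplies them, otherwise the crash artifacts uploaded by the fuzz workflow will be hard to symbolize.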


@@ -24,18 +24,18 @@ jobs:
strategy:
fail-fast: false
matrix:
os: [macos-10.15, macos-11, macos-12]
os: [macos-11, macos-12]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v2
- name: Build Userspace
run: bazel build --apple_generate_dsym -c opt :release --define=SANTA_BUILD_TYPE=adhoc
- uses: actions/checkout@v2
- name: Build Userspace
run: bazel build --apple_generate_dsym -c opt :release --define=SANTA_BUILD_TYPE=adhoc
unit_tests:
strategy:
fail-fast: false
matrix:
os: [macos-10.15, macos-11, macos-12]
os: [macos-11, macos-12]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v2
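Review bot: dropping `macos-10.15` from both matrices is consistent with commit e1dc50fb36 (Drop macOS 10.15 (#944)) in this range. While touching this file, `actions/checkout@v2` runs on the Node 12 runtime that GitHub has deprecated for actions; bump it to `actions/checkout@v3` in the same change rather than waiting for the runner to start failing.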


@@ -1,7 +1,7 @@
name: continuous
on:
schedule:
- cron: '* 10 * * *' # Every day at 10:00 UTC
- cron: '0 10 * * *' # Every day at 10:00 UTC
workflow_dispatch: # Allows you to run this workflow manually from the Actions tab
jobs:
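Review bot: correct fix; `'* 10 * * *'` matched every minute of the 10:00 UTC hour, so the nightly job was queued 60 times a day, and `'0 10 * * *'` fires once, as the comment says. GitHub's own docs note that scheduled runs are delayed most at the top of the hour, so a minute other than `0` (for example `'17 10 * * *'`) would make the start time more predictable; the `workflow_dispatch` trigger is unchanged, so manual runs are unaffected.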

.github/workflows/e2e.yml (new file)

@@ -0,0 +1,41 @@
name: E2E
on: workflow_dispatch
jobs:
start_vm:
runs-on: e2e-host
steps:
- uses: actions/checkout@v2
- name: Start VM
run: python3 Testing/integration/actions/start_vm.py macOS_12.bundle.tar.gz
integration:
runs-on: e2e-vm
env:
VM_PASSWORD: ${{ secrets.VM_PASSWORD }}
steps:
- uses: actions/checkout@v2
- name: Install configuration profile
run: bazel run //Testing/integration:install_profile -- Testing/integration/configs/default.mobileconfig
- name: Add homebrew to PATH
run: echo "/opt/homebrew/bin/" >> $GITHUB_PATH
- name: Build, install, and start moroz
run: |
bazel build @com_github_groob_moroz//cmd/moroz:moroz
cp bazel-bin/external/com_github_groob_moroz/cmd/moroz/moroz_/moroz /tmp/moroz
/tmp/moroz -configs="$GITHUB_WORKSPACE/Testing/integration/configs/moroz_default/global.toml" -use-tls=false &
- name: Build, install, and sync santa
run: |
bazel run :reload --define=SANTA_BUILD_TYPE=adhoc
bazel run //Testing/integration:allow_sysex
sudo santactl sync --debug
- name: Run integration test binaries
run: bazel test //Testing/integration:integration_tests
- name: Test config changes
run: ./Testing/integration/test_config_changes.sh
- name: Test sync server changes
run: ./Testing/integration/test_sync_changes.sh
- name: Poweroff
if: ${{ always() }}
run: sudo shutdown -h +1
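Review bot: `VM_PASSWORD` is set at job level, so every step of `integration`, including the third-party `actions/checkout@v2` action and the backgrounded moroz process, inherits the secret; move the `env:` onto the step(s) that actually need it. Separately, moroz is started with `&` and `sudo santactl sync --debug` runs in the next step with no readiness check, so the first sync can race the server coming up; poll its listen port before syncing or let the sync step retry. `-use-tls=false` is acceptable inside a throwaway VM but deserves a comment so this config is not copied to a real sync server, and `echo "/opt/homebrew/bin/" >> $GITHUB_PATH` should quote `"$GITHUB_PATH"`.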

.github/workflows/fuzz.yml (new file)

@@ -0,0 +1,35 @@
name: Fuzzing
on:
schedule:
- cron: '0 6 * * *' # Every day at 6:00 UTC
workflow_dispatch: # Allows you to run this workflow manually from the Actions tab
jobs:
start_vm:
runs-on: e2e-host
steps:
- uses: actions/checkout@v2
- name: Start VM
run: python3 Testing/integration/actions/start_vm.py macOS_13.bundle.tar.gz
fuzz:
runs-on: e2e-vm
steps:
- uses: actions/checkout@v2
- name: Setup libfuzzer
run: Fuzzing/install_libclang_fuzzer.sh
- name: Fuzz
run: |
for target in $(bazel query 'kind(fuzzing_launcher, //Fuzzing:all)'); do
bazel run --config=fuzz $target -- -- -max_len=32768 -runs=1000000 -timeout=5
done
- name: Upload crashes
uses: actions/upload-artifact@v1
if: failure()
with:
name: artifacts
path: /tmp/fuzzing/artifacts
- name: Poweroff VM
if: ${{ always() }}
run: sudo shutdown -h +1
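Review bot: the `for` loop in the `Fuzz` step runs under GitHub's default `bash -e`, so the first target that exits non-zero (a crash, or a case exceeding `-timeout=5`) aborts the loop and the remaining `fuzzing_launcher` targets get no run that night; record failures (`|| rc=1`) inside the loop and `exit "${rc:-0}"` after it so every target is exercised and the `Upload crashes` step still triggers. `actions/upload-artifact@v1` is also several major versions behind and runs on a deprecated runtime; use v3. The `-runs=1000000 -timeout=5` settings match commit e289056e5e (lower fuzz case timeout to 5s (#993)) in this range.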

.pylintrc (new file)

@@ -0,0 +1,429 @@
# This Pylint rcfile contains a best-effort configuration to uphold the
# best-practices and style described in the Google Python style guide:
# https://google.github.io/styleguide/pyguide.html
#
# Its canonical open-source location is:
# https://google.github.io/styleguide/pylintrc
[MASTER]
# Files or directories to be skipped. They should be base names, not paths.
ignore=third_party
# Files or directories matching the regex patterns are skipped. The regex
# matches against base names, not paths.
ignore-patterns=
# Pickle collected data for later comparisons.
persistent=no
# List of plugins (as comma separated values of python modules names) to load,
# usually to register additional checkers.
load-plugins=
# Use multiple processes to speed up Pylint.
jobs=4
# Allow loading of arbitrary C extensions. Extensions are imported into the
# active Python interpreter and may run arbitrary code.
unsafe-load-any-extension=no
[MESSAGES CONTROL]
# Only show warnings with the listed confidence levels. Leave empty to show
# all. Valid levels: HIGH, INFERENCE, INFERENCE_FAILURE, UNDEFINED
confidence=
# Enable the message, report, category or checker with the given id(s). You can
# either give multiple identifier separated by comma (,) or put this option
# multiple time (only on the command line, not in the configuration file where
# it should appear only once). See also the "--disable" option for examples.
#enable=
# Disable the message, report, category or checker with the given id(s). You
# can either give multiple identifiers separated by comma (,) or put this
# option multiple times (only on the command line, not in the configuration
# file where it should appear only once).You can also use "--disable=all" to
# disable everything first and then reenable specific checks. For example, if
# you want to run only the similarities checker, you can use "--disable=all
# --enable=similarities". If you want to run only the classes checker, but have
# no Warning level messages displayed, use"--disable=all --enable=classes
# --disable=W"
disable=abstract-method,
apply-builtin,
arguments-differ,
attribute-defined-outside-init,
backtick,
bad-option-value,
basestring-builtin,
buffer-builtin,
c-extension-no-member,
consider-using-enumerate,
cmp-builtin,
cmp-method,
coerce-builtin,
coerce-method,
delslice-method,
div-method,
duplicate-code,
eq-without-hash,
execfile-builtin,
file-builtin,
filter-builtin-not-iterating,
fixme,
getslice-method,
global-statement,
hex-method,
idiv-method,
implicit-str-concat,
import-error,
import-self,
import-star-module-level,
inconsistent-return-statements,
input-builtin,
intern-builtin,
invalid-str-codec,
locally-disabled,
long-builtin,
long-suffix,
map-builtin-not-iterating,
misplaced-comparison-constant,
missing-function-docstring,
metaclass-assignment,
next-method-called,
next-method-defined,
no-absolute-import,
no-else-break,
no-else-continue,
no-else-raise,
no-else-return,
no-init, # added
no-member,
no-name-in-module,
no-self-use,
nonzero-method,
oct-method,
old-division,
old-ne-operator,
old-octal-literal,
old-raise-syntax,
parameter-unpacking,
print-statement,
raising-string,
range-builtin-not-iterating,
raw_input-builtin,
rdiv-method,
reduce-builtin,
relative-import,
reload-builtin,
round-builtin,
setslice-method,
signature-differs,
standarderror-builtin,
suppressed-message,
sys-max-int,
too-few-public-methods,
too-many-ancestors,
too-many-arguments,
too-many-boolean-expressions,
too-many-branches,
too-many-instance-attributes,
too-many-locals,
too-many-nested-blocks,
too-many-public-methods,
too-many-return-statements,
too-many-statements,
trailing-newlines,
unichr-builtin,
unicode-builtin,
unnecessary-pass,
unpacking-in-except,
useless-else-on-loop,
useless-object-inheritance,
useless-suppression,
using-cmp-argument,
wrong-import-order,
xrange-builtin,
zip-builtin-not-iterating,
[REPORTS]
# Set the output format. Available formats are text, parseable, colorized, msvs
# (visual studio) and html. You can also give a reporter class, eg
# mypackage.mymodule.MyReporterClass.
output-format=text
# Tells whether to display a full report or only the messages
reports=no
# Python expression which should return a note less than 10 (10 is the highest
# note). You have access to the variables errors warning, statement which
# respectively contain the number of errors / warnings messages and the total
# number of statements analyzed. This is used by the global evaluation report
# (RP0004).
evaluation=10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10)
# Template used to display messages. This is a python new-style format string
# used to format the message information. See doc for all details
#msg-template=
[BASIC]
# Good variable names which should always be accepted, separated by a comma
good-names=main,_
# Bad variable names which should always be refused, separated by a comma
bad-names=
# Colon-delimited sets of names that determine each other's naming style when
# the name regexes allow several styles.
name-group=
# Include a hint for the correct naming format with invalid-name
include-naming-hint=no
# List of decorators that produce properties, such as abc.abstractproperty. Add
# to this list to register other decorators that produce valid properties.
property-classes=abc.abstractproperty,cached_property.cached_property,cached_property.threaded_cached_property,cached_property.cached_property_with_ttl,cached_property.threaded_cached_property_with_ttl
# Regular expression matching correct function names
function-rgx=^(?:(?P<exempt>setUp|tearDown|setUpModule|tearDownModule)|(?P<camel_case>_?[A-Z][a-zA-Z0-9]*)|(?P<snake_case>_?[a-z][a-z0-9_]*))$
# Regular expression matching correct variable names
variable-rgx=^[a-z][a-z0-9_]*$
# Regular expression matching correct constant names
const-rgx=^(_?[A-Z][A-Z0-9_]*|__[a-z0-9_]+__|_?[a-z][a-z0-9_]*)$
# Regular expression matching correct attribute names
attr-rgx=^_{0,2}[a-z][a-z0-9_]*$
# Regular expression matching correct argument names
argument-rgx=^[a-z][a-z0-9_]*$
# Regular expression matching correct class attribute names
class-attribute-rgx=^(_?[A-Z][A-Z0-9_]*|__[a-z0-9_]+__|_?[a-z][a-z0-9_]*)$
# Regular expression matching correct inline iteration names
inlinevar-rgx=^[a-z][a-z0-9_]*$
# Regular expression matching correct class names
class-rgx=^_?[A-Z][a-zA-Z0-9]*$
# Regular expression matching correct module names
module-rgx=^(_?[a-z][a-z0-9_]*|__init__)$
# Regular expression matching correct method names
method-rgx=(?x)^(?:(?P<exempt>_[a-z0-9_]+__|runTest|setUp|tearDown|setUpTestCase|tearDownTestCase|setupSelf|tearDownClass|setUpClass|(test|assert)_*[A-Z0-9][a-zA-Z0-9_]*|next)|(?P<camel_case>_{0,2}[A-Z][a-zA-Z0-9_]*)|(?P<snake_case>_{0,2}[a-z][a-z0-9_]*))$
# Regular expression which should only match function or class names that do
# not require a docstring.
no-docstring-rgx=(__.*__|main|test.*|.*test|.*Test)$
# Minimum line length for functions/classes that require docstrings, shorter
# ones are exempt.
docstring-min-length=10
[TYPECHECK]
# List of decorators that produce context managers, such as
# contextlib.contextmanager. Add to this list to register other decorators that
# produce valid context managers.
contextmanager-decorators=contextlib.contextmanager,contextlib2.contextmanager
# Tells whether missing members accessed in mixin class should be ignored. A
# mixin class is detected if its name ends with "mixin" (case insensitive).
ignore-mixin-members=yes
# List of module names for which member attributes should not be checked
# (useful for modules/projects where namespaces are manipulated during runtime
# and thus existing member attributes cannot be deduced by static analysis. It
# supports qualified module names, as well as Unix pattern matching.
ignored-modules=
# List of class names for which member attributes should not be checked (useful
# for classes with dynamically set attributes). This supports the use of
# qualified names.
ignored-classes=optparse.Values,thread._local,_thread._local
# List of members which are set dynamically and missed by pylint inference
# system, and so shouldn't trigger E1101 when accessed. Python regular
# expressions are accepted.
generated-members=
[FORMAT]
# Maximum number of characters on a single line.
max-line-length=80
# TODO(https://github.com/PyCQA/pylint/issues/3352): Direct pylint to exempt
# lines made too long by directives to pytype.
# Regexp for a line that is allowed to be longer than the limit.
ignore-long-lines=(?x)(
^\s*(\#\ )?<?https?://\S+>?$|
^\s*(from\s+\S+\s+)?import\s+.+$)
# Allow the body of an if to be on the same line as the test if there is no
# else.
single-line-if-stmt=yes
# Maximum number of lines in a module
max-module-lines=99999
# String used as indentation unit. The internal Google style guide mandates 2
# spaces. Google's externaly-published style guide says 4, consistent with
# PEP 8. Here, we use 2 spaces, for conformity with many open-sourced Google
# projects (like TensorFlow).
indent-string=' '
# Number of spaces of indent required inside a hanging or continued line.
indent-after-paren=4
# Expected format of line ending, e.g. empty (any line ending), LF or CRLF.
expected-line-ending-format=
[MISCELLANEOUS]
# List of note tags to take in consideration, separated by a comma.
notes=TODO
[STRING]
# This flag controls whether inconsistent-quotes generates a warning when the
# character used as a quote delimiter is used inconsistently within a module.
check-quote-consistency=yes
[VARIABLES]
# Tells whether we should check for unused import in __init__ files.
init-import=no
# A regular expression matching the name of dummy variables (i.e. expectedly
# not used).
dummy-variables-rgx=^\*{0,2}(_$|unused_|dummy_)
# List of additional names supposed to be defined in builtins. Remember that
# you should avoid to define new builtins when possible.
additional-builtins=
# List of strings which can identify a callback function by name. A callback
# name must start or end with one of those strings.
callbacks=cb_,_cb
# List of qualified module names which can have objects that can redefine
# builtins.
redefining-builtins-modules=six,six.moves,past.builtins,future.builtins,functools
[LOGGING]
# Logging modules to check that the string format arguments are in logging
# function parameter format
logging-modules=logging,absl.logging,tensorflow.io.logging
[SIMILARITIES]
# Minimum lines number of a similarity.
min-similarity-lines=4
# Ignore comments when computing similarities.
ignore-comments=yes
# Ignore docstrings when computing similarities.
ignore-docstrings=yes
# Ignore imports when computing similarities.
ignore-imports=no
[SPELLING]
# Spelling dictionary name. Available dictionaries: none. To make it working
# install python-enchant package.
spelling-dict=
# List of comma separated words that should not be checked.
spelling-ignore-words=
# A path to a file that contains private dictionary; one word per line.
spelling-private-dict-file=
# Tells whether to store unknown words to indicated private dictionary in
# --spelling-private-dict-file option instead of raising a message.
spelling-store-unknown-words=no
[IMPORTS]
# Deprecated modules which should not be used, separated by a comma
deprecated-modules=regsub,
TERMIOS,
Bastion,
rexec,
sets
# Create a graph of every (i.e. internal and external) dependencies in the
# given file (report RP0402 must not be disabled)
import-graph=
# Create a graph of external dependencies in the given file (report RP0402 must
# not be disabled)
ext-import-graph=
# Create a graph of internal dependencies in the given file (report RP0402 must
# not be disabled)
int-import-graph=
# Force import order to recognize a module as part of the standard
# compatibility libraries.
known-standard-library=
# Force import order to recognize a module as part of a third party library.
known-third-party=enchant, absl
# Analyse import fallback blocks. This can be used to support both Python 2 and
# 3 compatible code, which means that the block might have code that exists
# only in one or another interpreter, leading to false positives when analysed.
analyse-fallback-blocks=no
[CLASSES]
# List of method names used to declare (i.e. assign) instance attributes.
defining-attr-methods=__init__,
__new__,
setUp
# List of member names, which should be excluded from the protected access
# warning.
exclude-protected=_asdict,
_fields,
_replace,
_source,
_make
# List of valid names for the first argument in a class method.
valid-classmethod-first-arg=cls,
class_
# List of valid names for the first argument in a metaclass class method.
valid-metaclass-classmethod-first-arg=mcs
[EXCEPTIONS]
# Exceptions that will emit a warning when being caught. Defaults to
# "Exception"
overgeneral-exceptions=StandardError,
Exception,
BaseException
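Review bot: `overgeneral-exceptions=StandardError,` lists a Python 2-only class; `StandardError` does not exist in Python 3, so keep only `Exception` and `BaseException` here (recent pylint releases also expect these as qualified names such as `builtins.Exception`). Separately, `indent-string=' '` as rendered shows a single space while the comment above it mandates two; confirm the committed value is two spaces, otherwise every indentation check fires.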

CODEOWNERS Normal file
@@ -0,0 +1 @@
* @google/macendpoints

Fuzzing/BUILD Normal file
@@ -0,0 +1,11 @@
load("fuzzing.bzl", "objc_fuzz_test")
objc_fuzz_test(
name = "MachOParse",
srcs = ["common/MachOParse.mm"],
corpus = glob(["common/MachOParse_corpus/*"]),
linkopts = ["-lsqlite3"],
deps = [
"//Source/common:SNTFileInfo",
],
)
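Review bot: the label in `load("fuzzing.bzl", "objc_fuzz_test")` should be `":fuzzing.bzl"` (or `"//Fuzzing:fuzzing.bzl"`); Bazel requires load labels to be absolute or to begin with `:`, and the bare relative form is rejected. `linkopts = ["-lsqlite3"]` also deserves a one-line comment naming which dependency of `SNTFileInfo` needs it, so it is not dropped later as apparently unused.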

@@ -0,0 +1,40 @@
#import <Foundation/Foundation.h>
#include <libproc.h>
#include <stddef.h>
#include <stdint.h>
#import "Source/common/SNTFileInfo.h"
int get_num_fds() {
return proc_pidinfo(getpid(), PROC_PIDLISTFDS, 0, NULL, 0) / PROC_PIDLISTFD_SIZE;
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
static NSString *tmpPath =
[NSTemporaryDirectory() stringByAppendingPathComponent:[[NSUUID UUID] UUIDString]];
int num_fds_pre = get_num_fds();
@autoreleasepool {
NSData *input = [NSData dataWithBytesNoCopy:(void *)data length:size freeWhenDone:false];
[input writeToFile:tmpPath atomically:false];
NSError *error;
SNTFileInfo *fi = [[SNTFileInfo alloc] initWithResolvedPath:tmpPath error:&error];
if (!fi || error != nil) {
NSLog(@"Error: %@", error);
return -1;
}
// Mach-O Parsing
[fi architectures];
[fi isMissingPageZero];
[fi infoPlist];
}
if (num_fds_pre != get_num_fds()) {
abort();
}
return 0;
}
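Review bot: the BOOL returned by `[input writeToFile:tmpPath atomically:false]` is ignored; if the write fails, `SNTFileInfo` parses whatever the previous iteration left at the static `tmpPath`, and a crash gets attributed to the wrong input. Check the return value and `return -1` on failure. Two smaller points: the temporary file is never removed, so each fuzzer process leaves a stray file in `NSTemporaryDirectory()`, and `NSLog(@"Error: %@", error)` on every rejected input will dominate runtime once the corpus holds many non-Mach-O inputs, so drop it or gate it behind a debug define. The fd-count comparison around the `@autoreleasepool` is a good way to catch descriptor leaks in the parser.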

Binary file not shown.

Fuzzing/fuzzing.bzl Normal file
@@ -0,0 +1,20 @@
"""Utilities for fuzzing Santa"""
load("@rules_fuzzing//fuzzing:cc_defs.bzl", "cc_fuzz_test")
def objc_fuzz_test(name, srcs, deps, corpus, linkopts = [], **kwargs):
native.objc_library(
name = "%s_lib" % name,
srcs = srcs,
deps = deps,
**kwargs
)
cc_fuzz_test(
name = name,
deps = [
"%s_lib" % name,
],
linkopts = linkopts,
corpus = corpus,
)
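Review bot: `**kwargs` is forwarded only to the `native.objc_library`, so attributes a caller would expect on the test, such as `tags`, `size` or `timeout`, never reach `cc_fuzz_test`; either accept those explicitly and pass them through, or document that kwargs apply to the library only. The macro also has no docstring describing `corpus` and `linkopts`, unlike the module docstring above it.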

@@ -0,0 +1,14 @@
#!/bin/bash
# Xcode doesn't include the fuzzer runtime, but the one LLVM ships is compatible with Apple clang.
set -uexo pipefail
CLANG_VERSION=$(clang --version | head -n 1 | cut -d' ' -f 4)
DST_PATH="$(xcode-select -p)/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/${CLANG_VERSION}/lib/darwin/libclang_rt.fuzzer_osx.a"
if [ -f ${DST_PATH} ]; then
exit 0;
fi
curl -O -L https://github.com/llvm/llvm-project/releases/download/llvmorg-${CLANG_VERSION}/clang+llvm-${CLANG_VERSION}-x86_64-apple-darwin.tar.xz
tar xvf clang+llvm-${CLANG_VERSION}-x86_64-apple-darwin.tar.xz clang+llvm-${CLANG_VERSION}-x86_64-apple-darwin/lib/clang/${CLANG_VERSION}/lib/darwin/libclang_rt.fuzzer_osx.a
cp clang+llvm-${CLANG_VERSION}-x86_64-apple-darwin/lib/clang/${CLANG_VERSION}/lib/darwin/libclang_rt.fuzzer_osx.a ${DST_PATH}
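Review bot: the downloaded `libclang_rt.fuzzer_osx.a` is copied into the Xcode toolchain with no integrity check, and every fuzz binary will link it; pin the expected SHA-256 of the tarball and verify it (`shasum -a 256 -c`) before the `cp`. Use `curl -fLO` as well: without `-f`, a 404 from the releases URL still exits 0, so `set -e` does not stop the script until `tar` chokes on an HTML error page. Two compatibility caveats worth a comment: `CLANG_VERSION` is Apple's clang version (field 4 of `clang --version`), which does not map one-to-one onto upstream `llvmorg-` tags, and the tarball is `x86_64-apple-darwin` only, so the archive will not link into arm64 builds. Finally, quote `"${DST_PATH}"` in the `-f` test and the `cp`.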

@@ -1,4 +0,0 @@
bin
llvm-*.src
llvm-*.src.tar.xz

@@ -1,109 +0,0 @@
#!/usr/bin/env bash
LLVM_VERSION='5.0.1'
LLVM_COMPILERRT_TARBALL_NAME="llvm-${LLVM_VERSION}.src.tar.xz"
LLVM_COMPILERRT_SRC_FOLDER_NAME=`echo "${LLVM_COMPILERRT_TARBALL_NAME}" | cut -d '.' -f 1-4`
LLVM_COMPILERRT_TARBALL_URL="http://releases.llvm.org/${LLVM_VERSION}/${LLVM_COMPILERRT_TARBALL_NAME}"
LIBFUZZER_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
LOG_FILE=`mktemp`
main() {
echo "libFuzzer build script"
echo " > Checking dependencies..."
checkDependencies || return 1
echo " > Entering libFuzzer folder..."
cd "${LIBFUZZER_FOLDER}" > /dev/null 2>&1
if [ $? -ne 0 ] ; then
echo "Failed to enter the libFuzzer folder: ${LIBFUZZER_FOLDER}"
return 1
fi
if [ ! -f "${LLVM_COMPILERRT_TARBALL_NAME}" ] ; then
echo " > Downloading the LLVM tarball..."
curl "${LLVM_COMPILERRT_TARBALL_URL}" -o "${LLVM_COMPILERRT_TARBALL_NAME}" > "${LOG_FILE}" 2>&1
if [ $? -ne 0 ] ; then
dumpLogFile "Failed to download the LLVM tarball"
return 1
fi
else
echo " > An existing LLVM tarball was found"
fi
if [ -d "${LLVM_COMPILERRT_SRC_FOLDER_NAME}" ] ; then
echo " > Deleting existing LLVM folder..."
rm -rf "${LLVM_COMPILERRT_SRC_FOLDER_NAME}" > "${LOG_FILE}" 2>&1
if [ $? -ne 0 ] ; then
dumpLogFile "Failed to delete the existing source folder"
return 1
fi
fi
echo " > Extracting the LLVM tarball..."
tar xf "${LLVM_COMPILERRT_TARBALL_NAME}" > "${LOG_FILE}" 2>&1
if [ $? -ne 0 ] ; then
rm "${LLVM_COMPILERRT_TARBALL_NAME}" "${LLVM_COMPILERRT_SRC_FOLDER_NAME}"
dumpLogFile "Failed to extract the LLVM tarball"
return 1
fi
if [ -d "bin" ] ; then
echo " > Deleting existing bin folder..."
rm -rf "bin" > "${LOG_FILE}" 2>&1
if [ $? -ne 0 ] ; then
dumpLogFile "Failed to delete the existing bin folder"
return 1
fi
fi
mkdir "bin" > "${LOG_FILE}" 2>&1
if [ $? -ne 0 ] ; then
dumpLogFile "Failed to create the bin folder"
return 1
fi
echo " > Building libFuzzer..."
( cd "bin" && "../${LLVM_COMPILERRT_SRC_FOLDER_NAME}/lib/Fuzzer/build.sh" ) > "${LOG_FILE}" 2>&1
if [ $? -ne 0 ] ; then
dumpLogFile "Failed to build the library"
return 1
fi
printf "\nFinished building libFuzzer\n"
rm "${LOG_FILE}"
return 0
}
checkDependencies() {
executable_list=( "clang++" "curl" "tar" )
for executable in "${executable_list[@]}" ; do
which "${executable}" > /dev/null 2>&1
if [ $? -ne 0 ] ; then
echo "The following program was not found: ${executable}"
return 1
fi
done
return 0
}
dumpLogFile() {
if [ $# -eq 1 ] ; then
local message="$1"
else
local message="An error has occurred"
fi
printf "${message}\n"
printf "Log file follows\n===\n"
cat "${LOG_FILE}"
printf "\n===\n"
rm "${LOG_FILE}"
}
main $@
exit $?
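Review bot: deleting this is the right call; it pinned LLVM 5.0.1 and fetched the tarball over plain `http://releases.llvm.org` with no integrity check, so nothing in it should be carried over into the replacement installer.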

@@ -20,6 +20,7 @@
#import "SNTCommandController.h"
#import "SNTRule.h"
#import "SNTXPCControlInterface.h"
#import "Source/common/SNTCommonEnums.h"
extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size) {
if (size > 16) {
@@ -28,7 +29,7 @@ extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size
return 1;
}
santa_vnode_id_t vnodeID = {};
SantaVnode vnodeID = {};
std::memcpy(&vnodeID, data, size);
MOLXPCConnection *daemonConn = [SNTXPCControlInterface configuredConnection];
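Review bot: `std::memcpy(&vnodeID, data, size)` is bounded only by the `size > 16` guard above, which silently assumes `sizeof(SantaVnode) == 16`; now that the type has changed from `santa_vnode_id_t`, compare against `sizeof(vnodeID)` (or add a `static_assert` on its size) so a future layout change cannot turn this into a stack overflow.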
@@ -41,14 +42,14 @@ extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size
[[daemonConn remoteObjectProxy]
checkCacheForVnodeID:vnodeID
withReply:^(santa_action_t action) {
if (action == ACTION_RESPOND_ALLOW) {
withReply:^(SNTAction action) {
if (action == SNTActionRespondAllow) {
std::cerr << "File exists in [whitelist] kernel cache" << std::endl;
;
} else if (action == ACTION_RESPOND_DENY) {
} else if (action == SNTActionRespondDeny) {
std::cerr << "File exists in [blacklist] kernel cache" << std::endl;
;
} else if (action == ACTION_UNSET) {
} else if (action == SNTActionUnset) {
std::cerr << "File does not exist in cache" << std::endl;
;
}
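Review bot: the lone `;` after each `std::cerr << ... << std::endl;` line is an empty statement and should go; and the messages still say `[whitelist]`/`[blacklist]` while the constants are now `SNTActionRespondAllow`/`SNTActionRespondDeny`, so switch them to allow/deny wording while this block is being touched.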

LICENSE
@@ -200,3 +200,13 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
------------------
Files: Testing/integration/VM/*
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
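Review bot: the MIT text added for `Testing/integration/VM/*` has no copyright line (`Copyright (c) <year> <holder>`), yet its second paragraph requires that "The above copyright notice ... shall be included"; add the original holder's notice above the permission grant so the attribution obligation can actually be met.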

@@ -7,6 +7,6 @@ whichever comes first.
To report vulnerabilities to us privately, please e-mail `santa-team@google.com`.
If you want to encrypt your e-mail, you can use our GPG key `0x92AFE41DAB49BBB6`
available on pool.sks-keyservers.net:
available on keyserver.ubuntu.com:
`gpg --keyserver pool.sks-keyservers.net --recv-key 0x92AFE41DAB49BBB6`
`gpg --keyserver keyserver.ubuntu.com --recv-key 0x92AFE41DAB49BBB6`
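Review bot: moving off the defunct SKS pool is right, but the key is still identified only by its 64-bit ID `0x92AFE41DAB49BBB6`; publish the full 40-hex-digit fingerprint (or link to a key file in the repository) so readers can verify what `--recv-key` returned, and write the server as `hkps://keyserver.ubuntu.com` to make the TLS transport explicit.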

@@ -1,5 +1,5 @@
load("//:helper.bzl", "santa_unit_test")
load("@rules_proto_grpc//objc:defs.bzl", "objc_proto_library")
load("@rules_cc//cc:defs.bzl", "cc_proto_library")
package(
default_visibility = ["//:santa_package_group"],
@@ -16,26 +16,67 @@ proto_library(
],
)
objc_proto_library(
name = "santa_objc_proto",
copts = ["-fno-objc-arc"],
non_arc_srcs = ["Santa.pbobjc.m"],
protos = [":santa_proto"],
cc_proto_library(
name = "santa_cc_proto",
deps = [":santa_proto"],
)
# Note: Simple wrapper for a `cc_proto_library` target which cannot be directly
# depended upon by an `objc_library` target.
cc_library(
name = "santa_cc_proto_library_wrapper",
hdrs = ["santa_proto_include_wrapper.h"],
deps = [
":santa_cc_proto",
],
)
objc_library(
name = "SystemResources",
srcs = ["SystemResources.mm"],
hdrs = ["SystemResources.h"],
deps = [
":SNTLogging",
],
)
cc_library(
name = "SantaCache",
hdrs = ["SantaCache.h"],
deps = ["//Source/common:SNTCommon"],
deps = [":BranchPrediction"],
)
santa_unit_test(
name = "SantaCacheTest",
srcs = [
"SantaCache.h",
"SantaCacheTest.mm",
srcs = ["SantaCacheTest.mm"],
deps = [
":SantaCache",
],
)
objc_library(
name = "BranchPrediction",
hdrs = ["BranchPrediction.h"],
)
objc_library(
name = "SantaVnode",
hdrs = ["SantaVnode.h"],
)
objc_library(
name = "Platform",
hdrs = ["Platform.h"],
)
objc_library(
name = "SantaVnodeHash",
srcs = ["SantaVnodeHash.mm"],
hdrs = ["SantaVnodeHash.h"],
deps = [
":SantaCache",
":SantaVnode",
],
deps = ["//Source/common:SNTCommon"],
)
objc_library(
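Review bot: `santa_proto_include_wrapper.h` is listed in `hdrs` of `santa_cc_proto_library_wrapper` but does not appear in this diff; confirm it is part of the change, otherwise the wrapper and everything reaching the proto through it fails to build. `SantaCache` and `SantaVnodeHash` also drop `//Source/common:SNTCommon` here, which is fine only if nothing in `SantaCache.h` still relies on the `TARGET_OS_*` defines that target used to propagate.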
@@ -66,11 +107,11 @@ objc_library(
objc_library(
name = "SNTCachedDecision",
srcs = ["SNTCachedDecision.m"],
srcs = ["SNTCachedDecision.mm"],
hdrs = ["SNTCachedDecision.h"],
deps = [
":SNTCommon",
":SNTCommonEnums",
":SantaVnode",
],
)
@@ -85,7 +126,7 @@ objc_library(
objc_library(
name = "SNTCommonEnums",
hdrs = ["SNTCommonEnums.h"],
textual_hdrs = ["SNTCommonEnums.h"],
)
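Review bot: moving `SNTCommonEnums.h` from `hdrs` to `textual_hdrs` turns off Bazel's parse and layering checks for that header; add a comment saying why it is no longer treated as a self-contained module header (presumably the new `#ifdef __cplusplus` section at the end of the file), otherwise the next reader will move it back.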
objc_library(
@@ -134,15 +175,6 @@ objc_library(
],
)
cc_library(
name = "SNTCommon",
hdrs = ["SNTCommon.h"],
defines = [
"TARGET_OS_OSX",
"TARGET_OS_MAC",
],
)
objc_library(
name = "SNTLogging",
srcs = ["SNTLogging.m"],
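Review bot: removing `SNTCommon` also removes `defines = ["TARGET_OS_OSX", "TARGET_OS_MAC"]`, which were propagated to every dependent; any source that tests `#if TARGET_OS_OSX` without including `<TargetConditionals.h>` will now silently evaluate it as 0, so grep for those uses and make sure each one includes the header.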
@@ -150,12 +182,18 @@ objc_library(
deps = [":SNTConfigurator"],
)
cc_library(
name = "SNTPrefixTree",
srcs = ["SNTPrefixTree.cc"],
hdrs = ["SNTPrefixTree.h"],
copts = ["-std=c++11"],
deps = [":SNTLogging"],
objc_library(
name = "PrefixTree",
hdrs = ["PrefixTree.h"],
deps = [
":SNTLogging",
"@com_google_absl//absl/synchronization",
],
)
objc_library(
name = "Unit",
hdrs = ["Unit.h"],
)
objc_library(
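Review bot: the old `copts = ["-std=c++11"]` is dropped and `PrefixTree.h` uses `std::optional` and `absl::Mutex`, so this target now relies on the toolchain-wide C++ standard being C++17 or later; state that in `.bazelrc` or a comment here rather than leaving it implicit. `Unit.h` is declared for the new `Unit` target but is not in this diff; confirm it is added.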
@@ -273,11 +311,11 @@ objc_library(
srcs = ["SNTXPCUnprivilegedControlInterface.m"],
hdrs = ["SNTXPCUnprivilegedControlInterface.h"],
deps = [
":SNTCommon",
":SNTCommonEnums",
":SNTRule",
":SNTStoredEvent",
":SNTXPCBundleServiceInterface",
":SantaVnode",
"@MOLCertificate",
"@MOLXPCConnection",
],
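Review bot: this target's source remains `SNTXPCUnprivilegedControlInterface.m`, yet it now depends on `:SantaVnode`; `SantaVnode.h` must therefore compile as plain Objective-C, with any C++ members (the `.mm` code elsewhere calls `SantaVnode::VnodeForFile`) kept behind `#ifdef __cplusplus`, otherwise the `.m` file fails to build as soon as the header is imported.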
@@ -299,9 +337,9 @@ santa_unit_test(
)
santa_unit_test(
name = "SNTPrefixTreeTest",
srcs = ["SNTPrefixTreeTest.mm"],
deps = [":SNTPrefixTree"],
name = "PrefixTreeTest",
srcs = ["PrefixTreeTest.mm"],
deps = [":PrefixTree"],
)
santa_unit_test(
@@ -323,11 +361,11 @@ santa_unit_test(
test_suite(
name = "unit_tests",
tests = [
":PrefixTreeTest",
":SNTCachedDecisionTest",
":SNTFileInfoTest",
":SNTKVOManagerTest",
":SNTMetricSetTest",
":SNTPrefixTreeTest",
":SNTRuleTest",
":SantaCacheTest",
],
@@ -343,6 +381,7 @@ objc_library(
"bsm",
],
deps = [
":SystemResources",
"@OCMock",
"@com_google_googletest//:gtest",
],

@@ -0,0 +1,22 @@
/// Copyright 2022 Google LLC
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// https://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
#ifndef SANTA__COMMON__BRANCHPREDICTION_H
#define SANTA__COMMON__BRANCHPREDICTION_H
// Helpful macros to use when the the outcome is largely known
#define likely(x) __builtin_expect(!!(x), 1)
#define unlikely(x) __builtin_expect(!!(x), 0)
#endif
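Review bot: `likely`/`unlikely` are unprefixed lowercase macros in a header that is now pulled in widely (it is a dependency of `SantaCache`), so any third-party header or local identifier named `likely` gets rewritten by the preprocessor; prefer `SANTA_LIKELY`/`SANTA_UNLIKELY`, or at least wrap each `#define` in an `#ifndef` guard. Nit: "the the" in the comment line.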

Source/common/Platform.h Normal file
@@ -0,0 +1,34 @@
/// Copyright 2022 Google LLC
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// https://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
#ifndef SANTA__COMMON__PLATFORM_H
#define SANTA__COMMON__PLATFORM_H
#include <Availability.h>
#if defined(MAC_OS_VERSION_12_0) && \
MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_VERSION_12_0
#define HAVE_MACOS_12 1
#else
#define HAVE_MACOS_12 0
#endif
#if defined(MAC_OS_VERSION_13_0) && \
MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_VERSION_13_0
#define HAVE_MACOS_13 1
#else
#define HAVE_MACOS_13 0
#endif
#endif
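Review bot: `MAC_OS_X_VERSION_MAX_ALLOWED` reflects the SDK being compiled against, not the deployment target, so `HAVE_MACOS_12`/`HAVE_MACOS_13` only say that the declarations exist at compile time; call sites still need an `if (@available(macOS 12.0, *))` runtime check, and the header should say so, because a name like `HAVE_MACOS_12` invites being read as a runtime guarantee.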

Source/common/PrefixTree.h Normal file
@@ -0,0 +1,302 @@
/// Copyright 2022 Google LLC
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// https://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
#ifndef SANTA__COMMON__PREFIXTREE_H
#define SANTA__COMMON__PREFIXTREE_H
#include <sys/syslimits.h>
#include <optional>
#import "Source/common/SNTLogging.h"
#include "absl/synchronization/mutex.h"
#if SANTA_PREFIX_TREE_DEBUG
#define DEBUG_LOG LOGD
#else
#define DEBUG_LOG(format, ...) // NOP
#endif
namespace santa::common {
template <typename ValueT>
class PrefixTree {
private:
// Forward declaration
enum class NodeType;
class TreeNode;
public:
PrefixTree(uint32_t max_depth = PATH_MAX)
: root_(new TreeNode()), max_depth_(max_depth), node_count_(0) {}
~PrefixTree() { PruneLocked(root_); }
bool InsertPrefix(const char *s, ValueT value) {
absl::MutexLock lock(&lock_);
return InsertLocked(s, value, NodeType::kPrefix);
}
bool InsertLiteral(const char *s, ValueT value) {
absl::MutexLock lock(&lock_);
return InsertLocked(s, value, NodeType::kLiteral);
}
bool HasPrefix(const char *input) {
absl::ReaderMutexLock lock(&lock_);
return HasPrefixLocked(input);
}
std::optional<ValueT> LookupLongestMatchingPrefix(const char *input) {
if (!input) {
return std::nullopt;
}
absl::ReaderMutexLock lock(&lock_);
return LookupLongestMatchingPrefixLocked(input);
}
void Reset() {
absl::MutexLock lock(&lock_);
PruneLocked(root_);
root_ = new TreeNode();
node_count_ = 0;
}
#if SANTA_PREFIX_TREE_DEBUG
void Print() {
char buf[max_depth_ + 1];
memset(buf, 0, sizeof(buf));
absl::ReaderMutexLock lock(&lock_);
PrintLocked(root_, buf, 0);
}
uint32_t NodeCount() {
absl::ReaderMutexLock lock(&lock_);
return node_count_;
}
#endif
private:
ABSL_EXCLUSIVE_LOCKS_REQUIRED(lock_)
bool InsertLocked(const char *input, ValueT value, NodeType node_type) {
const char *p = input;
TreeNode *node = root_;
while (*p) {
uint8_t cur_byte = (uint8_t)*p;
TreeNode *child_node = node->children_[cur_byte];
if (!child_node) {
// Current node doesn't exist...
// Create the rest of the nodes in the tree for the given string
// Keep a pointer to where this new branch starts from. If the
// input length exceeds max_depth, the new branch will need to
// be pruned.
TreeNode *branch_start_node = node;
uint8_t branch_start_byte = (uint8_t)*p;
do {
TreeNode *new_node = new TreeNode();
node->children_[cur_byte] = new_node;
node = new_node;
node_count_++;
// Check current depth...
if (p - input >= max_depth_) {
// Attempted to add a string that exceeded max depth
// Prune tree from start of this new branch
PruneLocked(branch_start_node->children_[branch_start_byte]);
branch_start_node->children_[branch_start_byte] = nullptr;
return false;
}
cur_byte = (uint8_t) * ++p;
} while (*p);
node->node_type_ = node_type;
node->value_ = value;
return true;
} else if (*(p + 1) == '\0') {
// Current node exists and we're at the end of our input...
// Note: The current node's data will be overwritten
// Only increment node count if the previous node type wasn't already a
// prefix or literal type (in which case it was already counted)
if (child_node->node_type_ == NodeType::kInner) {
node_count_++;
}
child_node->node_type_ = node_type;
child_node->value_ = value;
return true;
}
node = child_node;
p++;
}
// Should only get here when input is an empty string
return false;
}
ABSL_SHARED_LOCKS_REQUIRED(lock_)
bool HasPrefixLocked(const char *input) {
TreeNode *node = root_;
const char *p = input;
while (*p) {
node = node->children_[(uint8_t)*p++];
if (!node) {
break;
}
if (node->node_type_ == NodeType::kPrefix ||
(*p == '\0' && node->node_type_ == NodeType::kLiteral)) {
return true;
}
}
return false;
}
ABSL_SHARED_LOCKS_REQUIRED(lock_)
std::optional<ValueT> LookupLongestMatchingPrefixLocked(const char *input) {
TreeNode *node = root_;
TreeNode *match = nullptr;
const char *p = input;
while (*p) {
node = node->children_[(uint8_t)*p++];
if (!node) {
break;
}
if (node->node_type_ == NodeType::kPrefix ||
(*p == '\0' && node->node_type_ == NodeType::kLiteral)) {
match = node;
}
}
return match ? std::make_optional<ValueT>(match->value_) : std::nullopt;
}
ABSL_EXCLUSIVE_LOCKS_REQUIRED(lock_)
void PruneLocked(TreeNode *target) {
if (!target) {
return;
}
// For deep trees, a recursive approach will generate too many stack frames.
// Since the depth of the tree is configurable, err on the side of caution
// and use a "stack" to walk the tree in a non-recursive manner.
TreeNode **stack = new TreeNode *[node_count_ + 1];
if (!stack) {
LOGE(@"Unable to prune tree!");
return;
}
uint32_t count = 0;
// Seed the "stack" with a starting node.
stack[count++] = target;
// Start at the target node and walk the tree to find and delete all the
// sub-nodes.
while (count) {
TreeNode *node = stack[--count];
for (int i = 0; i < 256; ++i) {
if (!node->children_[i]) {
continue;
}
stack[count++] = node->children_[i];
}
delete node;
--node_count_;
}
delete[] stack;
}
#if SANTA_PREFIX_TREE_DEBUG
ABSL_SHARED_LOCKS_REQUIRED(lock_)
void PrintLocked(TreeNode *node, char *buf, uint32_t depth) {
for (size_t i = 0; i < 256; i++) {
TreeNode *cur_node = node->children_[i];
if (cur_node) {
buf[depth] = i;
if (cur_node->node_type_ != NodeType::kInner) {
printf("\t%s (type: %s)\n", buf,
cur_node->node_type_ == NodeType::kPrefix ? "prefix" : "literal");
}
PrintLocked(cur_node, buf, depth + 1);
buf[depth] = '\0';
}
}
}
#endif
enum class NodeType {
kInner = 0,
kPrefix,
kLiteral,
};
///
/// TreeNode is a wrapper class that represents one byte.
/// 1 node can represent a whole ASCII character.
/// For example a pointer to the 'A' node will be stored at children[0x41].
/// It takes 1-4 nodes to represent a UTF-8 encoded Unicode character.
///
/// The path for "/🤘" would look like this:
/// children[0x2f] -> children[0xf0] -> children[0x9f] -> children[0xa4]
/// -> children[0x98]
///
/// The path for "/dev" is:
/// children[0x2f] -> children[0x64] -> children[0x65] -> children[0x76]
///
/// Lookups of children are O(1).
///
/// Having the nodes represented by a smaller width, such as a nibble (1/2
/// byte), would drastically decrease the memory footprint but would double
/// required dereferences.
///
/// TODO(bur): Potentially convert this into a full on radix tree.
///
class TreeNode {
public:
TreeNode() : children_(), node_type_(NodeType::kInner) {}
~TreeNode() = default;
TreeNode *children_[256];
PrefixTree::NodeType node_type_;
ValueT value_;
};
TreeNode *root_;
const uint32_t max_depth_;
uint32_t node_count_ ABSL_GUARDED_BY(lock_);
absl::Mutex lock_;
};
} // namespace santa::common
#endif
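Review bot: `LookupLongestMatchingPrefix` rejects a null `input`, but `InsertPrefix`, `InsertLiteral` and `HasPrefix` pass it straight into `InsertLocked`/`HasPrefixLocked`, which dereference it; apply the same check in all three or document that null is a caller bug. In `PruneLocked` the `if (!stack)` branch is dead: `new TreeNode *[...]` throws `std::bad_alloc` rather than returning null, so use `new (std::nothrow)` if that error path is intended. Finally, `node_count_` is not a node count: `InsertLocked` increments it once per created node and again when an existing inner node is promoted to a terminal (the `NodeType::kInner` branch), while `PruneLocked` decrements once per deleted node and sizes its work stack from the value; that is only safe because the over-count can never fall below the real node count, which deserves a comment and a more honest name.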

@@ -0,0 +1,224 @@
/// Copyright 2022 Google LLC
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// https://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
#import <XCTest/XCTest.h>
#define SANTA_PREFIX_TREE_DEBUG 1
#include "Source/common/PrefixTree.h"
using santa::common::PrefixTree;
@interface PrefixTreeTest : XCTestCase
@end
@implementation PrefixTreeTest
- (void)testBasic {
PrefixTree<int> tree;
XCTAssertFalse(tree.HasPrefix("/foo/bar/baz"));
XCTAssertFalse(tree.HasPrefix("/foo/bar.txt"));
XCTAssertFalse(tree.HasPrefix("/baz"));
XCTAssertTrue(tree.InsertPrefix("/foo", 12));
XCTAssertTrue(tree.InsertPrefix("/bar", 34));
XCTAssertTrue(tree.InsertLiteral("/foo/bar", 56));
// Re-inserting something that exists is allowed
XCTAssertTrue(tree.InsertLiteral("/foo", 78));
XCTAssertTrue(tree.InsertPrefix("/foo", 56));
XCTAssertTrue(tree.HasPrefix("/foo/bar/baz"));
XCTAssertTrue(tree.HasPrefix("/foo/bar.txt"));
XCTAssertFalse(tree.HasPrefix("/baz"));
// Empty strings are not supported
XCTAssertFalse(tree.InsertLiteral("", 0));
XCTAssertFalse(tree.InsertPrefix("", 0));
}
- (void)testHasPrefix {
PrefixTree<int> tree;
XCTAssertTrue(tree.InsertPrefix("/foo", 0));
XCTAssertTrue(tree.InsertLiteral("/bar", 0));
XCTAssertTrue(tree.InsertLiteral("/baz", 0));
XCTAssertTrue(tree.InsertLiteral("/qaz", 0));
// Check that a tree with a matching prefix is successful
XCTAssertTrue(tree.HasPrefix("/foo.txt"));
// This shouldn't succeed because `/bar` `/baz` and `qaz` are literals
XCTAssertFalse(tree.HasPrefix("/bar.txt"));
XCTAssertFalse(tree.HasPrefix("/baz.txt"));
XCTAssertFalse(tree.HasPrefix("/qaz.txt"));
// Now change `/bar` to a prefix type and retest HasPrefix
// `/bar.txt` should now succeed, but `/baz.txt` should still not pass
XCTAssertTrue(tree.InsertPrefix("/bar", 0));
XCTAssertTrue(tree.HasPrefix("/bar.txt"));
XCTAssertFalse(tree.HasPrefix("/baz.txt"));
XCTAssertFalse(tree.HasPrefix("/qaz.txt"));
// Insert a new prefix string to allow `/baz.txt` to have a valid prefix
XCTAssertTrue(tree.InsertPrefix("/b", 0));
XCTAssertTrue(tree.HasPrefix("/baz.txt"));
XCTAssertFalse(tree.HasPrefix("/qaz.txt"));
// An exact match on a literal allows HasPrefix to succeed
XCTAssertTrue(tree.InsertLiteral("/qaz.txt", 0));
XCTAssertTrue(tree.HasPrefix("/qaz.txt"));
}
- (void)testLookupLongestMatchingPrefix {
PrefixTree<int> tree;
XCTAssertTrue(tree.InsertPrefix("/foo", 12));
XCTAssertTrue(tree.InsertPrefix("/bar", 34));
XCTAssertTrue(tree.InsertPrefix("/foo/bar.txt", 56));
std::optional<int> value;
// Matching exact prefix
value = tree.LookupLongestMatchingPrefix("/foo");
XCTAssertEqual(value.value_or(0), 12);
// Ensure changing node type works as expected
// Literals must match exactly.
value = tree.LookupLongestMatchingPrefix("/foo/bar.txt.tmp");
XCTAssertEqual(value.value_or(0), 56);
XCTAssertTrue(tree.InsertLiteral("/foo/bar.txt", 90));
value = tree.LookupLongestMatchingPrefix("/foo/bar.txt.tmp");
XCTAssertEqual(value.value_or(0), 12);
// Inserting over an exiting node returns the new value
XCTAssertTrue(tree.InsertPrefix("/foo", 78));
value = tree.LookupLongestMatchingPrefix("/foo");
XCTAssertEqual(value.value_or(0), 78);
// No matching prefix
value = tree.LookupLongestMatchingPrefix("/asdf");
XCTAssertEqual(value.value_or(0), 0);
}
- (void)testNodeCounts {
const uint32_t maxDepth = 100;
PrefixTree<int> tree(100);
XCTAssertEqual(tree.NodeCount(), 0);
// Start with a small string
XCTAssertTrue(tree.InsertPrefix("asdf", 0));
XCTAssertEqual(tree.NodeCount(), 4);
// Add a couple more characters to the existing string
XCTAssertTrue(tree.InsertPrefix("asdfgh", 0));
XCTAssertEqual(tree.NodeCount(), 6);
// Inserting a string that exceeds max depth doesn't increase node count
XCTAssertFalse(tree.InsertPrefix(std::string(maxDepth + 10, 'A').c_str(), 0));
XCTAssertEqual(tree.NodeCount(), 6);
// Add a new string that is a prefix of an existing string
// This should increment the count by one since a new terminal node exists
XCTAssertTrue(tree.InsertPrefix("as", 0));
XCTAssertEqual(tree.NodeCount(), 7);
// Re-inserting onto an existing node shouldn't modify the count
tree.InsertLiteral("as", 0);
tree.InsertPrefix("as", 0);
XCTAssertEqual(tree.NodeCount(), 7);
}
- (void)testReset {
// Ensure resetting a tree removes all content
PrefixTree<int> tree;
tree.Reset();
XCTAssertEqual(tree.NodeCount(), 0);
XCTAssertTrue(tree.InsertPrefix("asdf", 0));
XCTAssertTrue(tree.InsertPrefix("qwerty", 0));
XCTAssertTrue(tree.HasPrefix("asdf"));
XCTAssertTrue(tree.HasPrefix("qwerty"));
XCTAssertEqual(tree.NodeCount(), 10);
tree.Reset();
XCTAssertFalse(tree.HasPrefix("asdf"));
XCTAssertFalse(tree.HasPrefix("qwerty"));
XCTAssertEqual(tree.NodeCount(), 0);
}
- (void)testComplexValues {
class Foo {
public:
Foo(int x) : x_(x) {}
int X() { return x_; }
private:
int x_;
};
PrefixTree<std::shared_ptr<Foo>> tree;
XCTAssertTrue(tree.InsertPrefix("foo", std::make_shared<Foo>(123)));
XCTAssertTrue(tree.InsertPrefix("bar", std::make_shared<Foo>(456)));
std::optional<std::shared_ptr<Foo>> value;
value = tree.LookupLongestMatchingPrefix("foo");
XCTAssertTrue(value.has_value() && value->get()->X() == 123);
value = tree.LookupLongestMatchingPrefix("bar");
XCTAssertTrue(value.has_value() && value->get()->X() == 456);
value = tree.LookupLongestMatchingPrefix("asdf");
XCTAssertFalse(value.has_value());
}
- (void)testThreading {
uint32_t count = 4096;
auto t = new PrefixTree<int>(count * (uint32_t)[NSUUID UUID].UUIDString.length);
NSMutableArray *UUIDs = [NSMutableArray arrayWithCapacity:count];
for (int i = 0; i < count; ++i) {
[UUIDs addObject:[NSUUID UUID].UUIDString];
}
__block BOOL stop = NO;
// Create a bunch of background noise.
dispatch_async(dispatch_get_global_queue(0, 0), ^{
for (uint64_t i = 0; i < UINT64_MAX; ++i) {
dispatch_async(dispatch_get_global_queue(0, 0), ^{
t->HasPrefix([UUIDs[i % count] UTF8String]);
});
if (stop) return;
}
});
// Fill up the tree.
dispatch_apply(count, dispatch_get_global_queue(0, 0), ^(size_t i) {
XCTAssertEqual(t->InsertPrefix([UUIDs[i] UTF8String], 0), true);
});
// Make sure every leaf byte is found.
dispatch_apply(count, dispatch_get_global_queue(0, 0), ^(size_t i) {
XCTAssertTrue(t->HasPrefix([UUIDs[i] UTF8String]));
});
stop = YES;
}
@end
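Review bot: `testThreading` leaks the `PrefixTree` it allocates with `new` and never joins the background noise generator: after `stop = YES` the method returns while already-enqueued `HasPrefix` blocks are still running against `t` and `UUIDs`, and `stop` is a plain `__block BOOL` shared across threads with no synchronization. Use a `dispatch_group` (or a semaphore) to wait for the noise loop to exit, then `delete t`, so the test cannot bleed into the next one. Smaller points: `testNodeCounts` defines `maxDepth = 100` and then passes the literal `100` to the constructor; the "No matching prefix" check in `testLookupLongestMatchingPrefix` should assert `!value.has_value()` as `testComplexValues` does, since `value_or(0) == 0` cannot distinguish no match from a stored 0; and `exiting` in the comment should be `existing`.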

@@ -15,8 +15,8 @@
#import <EndpointSecurity/EndpointSecurity.h>
#import <Foundation/Foundation.h>
#import "Source/common/SNTCommon.h"
#import "Source/common/SNTCommonEnums.h"
#import "Source/common/SantaVnode.h"
@class MOLCertificate;
@@ -27,7 +27,7 @@
- (instancetype)initWithEndpointSecurityFile:(const es_file_t *)esFile;
@property santa_vnode_id_t vnodeId;
@property SantaVnode vnodeId;
@property SNTEventState decision;
@property NSString *decisionExtra;
@property NSString *sha256;
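Review bot: this header now imports `Source/common/SantaVnode.h` and exposes a `SantaVnode` property; if `SantaVnode` has C++ members (the implementation file calls `SantaVnode::VnodeForFile`), then every translation unit that imports `SNTCachedDecision.h` must be Objective-C++, not only the renamed `SNTCachedDecision.mm`. Either keep the C++ parts of `SantaVnode.h` behind `#ifdef __cplusplus` or audit the remaining `.m` importers.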

@@ -1,3 +1,4 @@
/// Copyright 2015-2022 Google Inc. All rights reserved.
///
/// Licensed under the Apache License, Version 2.0 (the "License");
@@ -19,8 +20,7 @@
- (instancetype)initWithEndpointSecurityFile:(const es_file_t *)esFile {
self = [super init];
if (self) {
_vnodeId.fsid = (uint64_t)esFile->stat.st_dev;
_vnodeId.fileid = esFile->stat.st_ino;
_vnodeId = SantaVnode::VnodeForFile(esFile);
}
return self;
}

@@ -24,7 +24,7 @@
- (void)testSNTCachedDecisionInit {
// Ensure the vnodeId field is properly set from the es_file_t
struct stat sb = MakeStat(1234, 5678);
struct stat sb = MakeStat();
es_file_t file = MakeESFile("foo", sb);
SNTCachedDecision *cd = [[SNTCachedDecision alloc] initWithEndpointSecurityFile:&file];
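Review bot: `MakeStat()` no longer takes explicit `st_dev`/`st_ino` values, so the assertion that follows can only compare `vnodeId` against whatever defaults the helper now uses; make sure the test still checks concrete expected `fsid`/`fileid` values rather than merely that the field was assigned, otherwise the comment "Ensure the vnodeId field is properly set" overstates what is tested.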

@@ -1,59 +0,0 @@
/// Copyright 2015-2022 Google Inc. All rights reserved.
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// http://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
///
/// Common defines between daemon <-> client
///
#ifndef SANTA__COMMON__COMMON_H
#define SANTA__COMMON__COMMON_H
#include <stdint.h>
#include <sys/param.h>
// Branch prediction
#define likely(x) __builtin_expect(!!(x), 1)
#define unlikely(x) __builtin_expect(!!(x), 0)
typedef enum {
ACTION_UNSET,
// REQUESTS
// If an operation is awaiting a cache decision from a similar operation
// currently being processed, it will poll about every 5 ms for an answer.
ACTION_REQUEST_BINARY,
// RESPONSES
ACTION_RESPOND_ALLOW,
ACTION_RESPOND_DENY,
ACTION_RESPOND_ALLOW_COMPILER,
} santa_action_t;
#define RESPONSE_VALID(x) \
(x == ACTION_RESPOND_ALLOW || x == ACTION_RESPOND_DENY || \
x == ACTION_RESPOND_ALLOW_COMPILER)
// Struct to manage vnode IDs
typedef struct santa_vnode_id_t {
uint64_t fsid;
uint64_t fileid;
#ifdef __cplusplus
bool operator==(const santa_vnode_id_t &rhs) const {
return fsid == rhs.fsid && fileid == rhs.fileid;
}
#endif
} santa_vnode_id_t;
#endif // SANTA__COMMON__COMMON_H

View File

@@ -19,6 +19,23 @@
/// The integer values are also stored in the database and so shouldn't be changed.
///
typedef NS_ENUM(NSInteger, SNTAction) {
SNTActionUnset,
// REQUESTS
// If an operation is awaiting a cache decision from a similar operation
// currently being processed, it will poll about every 5 ms for an answer.
SNTActionRequestBinary,
// RESPONSES
SNTActionRespondAllow,
SNTActionRespondDeny,
SNTActionRespondAllowCompiler,
};
#define RESPONSE_VALID(x) \
(x == SNTActionRespondAllow || x == SNTActionRespondDeny || x == SNTActionRespondAllowCompiler)
typedef NS_ENUM(NSInteger, SNTRuleType) {
SNTRuleTypeUnknown,
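Review bot: inserting `SNTAction` between the doc comment (`The integer values are also stored in the database and so shouldn't be changed.`) and `SNTRuleType` moves that warning onto the new enum, which is an in-memory request/response code rather than a persisted value; give `SNTAction` its own comment block and keep the database note directly above `SNTRuleType`. Also, `RESPONSE_VALID(x)` should parenthesize its argument, `((x) == SNTActionRespondAllow || ...)`, now that it is a macro in a shared header.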
@@ -118,6 +135,17 @@ typedef NS_ENUM(NSInteger, SNTMetricFormatType) {
SNTMetricFormatTypeMonarchJSON,
};
#ifdef __cplusplus
enum class FileAccessPolicyDecision {
kNoPolicy,
kDenied,
kDeniedInvalidSignature,
kAllowed,
kAllowedReadAccess,
kAllowedAuditOnly,
};
#endif
static const char *kSantaDPath =
"/Applications/Santa.app/Contents/Library/SystemExtensions/"
"com.google.santa.daemon.systemextension/Contents/MacOS/com.google.santa.daemon";

View File

@@ -183,10 +183,10 @@
/// SNTEventLogTypeSyslog "syslog": Sent to ASL or ULS (if built with the 10.12 SDK or later).
/// SNTEventLogTypeFilelog "file": Sent to a file on disk. Use eventLogPath to specify a path.
/// SNTEventLogTypeNull "null": Logs nothing
/// SNTEventLogTypeProtobuf "protobuf": (BETA) Sent to a file on disk, using maildir format. Use
/// mailDirectory to specify a path. Use mailDirectoryFileSizeThresholdKB,
/// mailDirectorySizeThresholdMB and mailDirectoryEventMaxFlushTimeSec to configure
/// additional maildir format settings.
/// SNTEventLogTypeProtobuf "protobuf": (BETA) Sent to a file on disk, using a maildir-like
/// format. Use spoolDirectory to specify a path. Use spoolDirectoryFileSizeThresholdKB,
/// spoolDirectorySizeThresholdMB and spoolDirectoryEventMaxFlushTimeSec to configure
/// additional settings.
/// Defaults to SNTEventLogTypeFilelog.
/// For mobileconfigs use EventLogType as the key and syslog or filelog strings as the value.
///
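Review bot: the unchanged sentence `For mobileconfigs use EventLogType as the key and syslog or filelog strings as the value.` is now stale next to the rewritten protobuf entry; list `protobuf` and `null` (and the Spool* keys they depend on) there so profile authors find the accepted values in one place.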
@@ -203,40 +203,57 @@
@property(readonly, nonatomic) NSString *eventLogPath;
///
/// If eventLogType is set to protobuf, mailDirectory will provide the base path used for
/// saving logs using the maildir format.
/// Defaults to /var/db/santa/mail.
/// If eventLogType is set to protobuf, spoolDirectory will provide the base path used for
/// saving logs using a maildir-like format.
/// Defaults to /var/db/santa/spool.
///
/// @note: This property is KVO compliant, but should only be read once at santad startup.
///
@property(readonly, nonatomic) NSString *mailDirectory;
@property(readonly, nonatomic) NSString *spoolDirectory;
///
/// If eventLogType is set to protobuf, mailDirectoryFileSizeThresholdKB sets the per-file size
/// limit for files saved in the mailDirectory.
/// If eventLogType is set to protobuf, spoolDirectoryFileSizeThresholdKB sets the per-file size
/// limit for files saved in the spoolDirectory.
/// Defaults to 250.
///
/// @note: This property is KVO compliant, but should only be read once at santad startup.
///
@property(readonly, nonatomic) NSUInteger spoolDirectoryFileSizeThresholdKB;
///
/// If eventLogType is set to protobuf, spoolDirectorySizeThresholdMB sets the total size
/// limit for all files saved in the spoolDirectory.
/// Defaults to 100.
///
/// @note: This property is KVO compliant, but should only be read once at santad startup.
///
@property(readonly, nonatomic) NSUInteger mailDirectoryFileSizeThresholdKB;
@property(readonly, nonatomic) NSUInteger spoolDirectorySizeThresholdMB;
///
/// If eventLogType is set to protobuf, mailDirectorySizeThresholdMB sets the total size
/// limit for all files saved in the mailDirectory.
/// Defaults to 500.
///
/// @note: This property is KVO compliant, but should only be read once at santad startup.
///
@property(readonly, nonatomic) NSUInteger mailDirectorySizeThresholdMB;
///
/// If eventLogType is set to protobuf, mailDirectoryEventMaxFlushTimeSec sets the maximum amount
/// If eventLogType is set to protobuf, spoolDirectoryEventMaxFlushTimeSec sets the maximum amount
/// of time an event will be stored in memory before being written to disk.
/// Defaults to 5.0.
/// Defaults to 15.0.
///
/// @note: This property is KVO compliant, but should only be read once at santad startup.
///
@property(readonly, nonatomic) float mailDirectoryEventMaxFlushTimeSec;
@property(readonly, nonatomic) float spoolDirectoryEventMaxFlushTimeSec;
///
/// If set, contains the path to the filesystem access policy config plist.
///
/// @note: This property is KVO compliant, but is only read once at santad startup.
///
@property(readonly, nonatomic) NSString *fileAccessPolicyPlist;
///
/// If fileAccessPolicyPlist is set, fileAccessPolicyUpdateIntervalSec
/// sets the number of seconds between times that the configuration file is
/// re-read and policies reconstructed.
/// Defaults to 600 seconds (10 minutes)
///
/// @note: This property is KVO compliant, but should only be read once at santad startup.
///
@property(readonly, nonatomic) uint32_t fileAccessPolicyUpdateIntervalSec;
///
/// Enabling this appends the Santa machine ID to the end of each log line. If nothing
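Review bot: renaming the `MailDirectory*` keys to `SpoolDirectory*` with no fallback means deployments that set the old keys silently revert to defaults, and the defaults themselves change in the same hunk (`spoolDirectorySizeThresholdMB` 500 to 100, `spoolDirectoryEventMaxFlushTimeSec` 5.0 to 15.0); call both out in the release notes or keep honoring the old keys for one release. Minor: `fileAccessPolicyPlist` says `is only read once` while its siblings say `should only be read once`.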
@@ -379,12 +396,6 @@
///
@property(nonatomic) NSArray<NSString *> *remountUSBMode;
///
/// When `blockUSBMount` is set, this is the message shown to the user when a device is blocked
/// If this message is not configured, a reasonable default is provided.
///
@property(readonly, nonatomic) NSString *usbBlockMessage;
///
/// If set, this over-rides the default machine ID used for syncing.
///
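Review bot: this removes the `usbBlockMessage` declaration and its doc comment, yet `+keyPathsForValuesAffectingUsbBlockMessage` is still present in SNTConfigurator.m in this same change. Either the property is declared elsewhere in the header (in which case fine) or that KVO method is now dead and should be removed with it.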

View File

@@ -45,6 +45,10 @@
/// The hard-coded path to the sync state file.
NSString *const kSyncStateFilePath = @"/var/db/santa/sync-state.plist";
#ifdef DEBUG
NSString *const kConfigOverrideFilePath = @"/var/db/santa/config-overrides.plist";
#endif
/// The domain used by mobileconfig.
static NSString *const kMobileConfigDomain = @"com.google.santa";
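Review bot: anything written to `/var/db/santa/config-overrides.plist` becomes part of the forced configuration, so a comment here should say that it is consulted only under `#ifdef DEBUG` and that the directory must stay root-owned; that guard is the only thing keeping the override path out of release binaries, so confirm the release build configuration never defines DEBUG.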
@@ -88,10 +92,13 @@ static NSString *const kFileChangesPrefixFiltersKey = @"FileChangesPrefixFilters
static NSString *const kEventLogType = @"EventLogType";
static NSString *const kEventLogPath = @"EventLogPath";
static NSString *const kMailDirectory = @"MailDirectory";
static NSString *const kMailDirectoryFileSizeThresholdKB = @"MailDirectoryFileSizeThresholdKB";
static NSString *const kMailDirectorySizeThresholdMB = @"MailDirectorySizeThresholdMB";
static NSString *const kMailDirectoryEventMaxFlushTimeSec = @"MailDirectoryEventMaxFlushTimeSec";
static NSString *const kSpoolDirectory = @"SpoolDirectory";
static NSString *const kSpoolDirectoryFileSizeThresholdKB = @"SpoolDirectoryFileSizeThresholdKB";
static NSString *const kSpoolDirectorySizeThresholdMB = @"SpoolDirectorySizeThresholdMB";
static NSString *const kSpoolDirectoryEventMaxFlushTimeSec = @"SpoolDirectoryEventMaxFlushTimeSec";
static NSString *const kFileAccessPolicyPlist = @"FileAccessPolicyPlist";
static NSString *const kFileAccessPolicyUpdateIntervalSec = @"FileAccessPolicyUpdateIntervalSec";
static NSString *const kEnableMachineIDDecoration = @"EnableMachineIDDecoration";
@@ -172,7 +179,7 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
kRemountUSBModeKey : array,
kEnablePageZeroProtectionKey : number,
kEnableBadSignatureProtectionKey : number,
kEnableSilentModeKey : string,
kEnableSilentModeKey : number,
kAboutTextKey : string,
kMoreInfoURLKey : string,
kEventDetailURLKey : string,
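Review bot: `kEnableSilentModeKey` moving from `string` to `number` is a correct type fix, but if this table is used to reject mismatched values, profiles that currently set EnableSilentMode as a string will now be dropped silently; log a warning for a rejected key or mention the change in the docs.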
@@ -200,10 +207,12 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
kMachineIDPlistKeyKey : string,
kEventLogType : string,
kEventLogPath : string,
kMailDirectory : string,
kMailDirectoryFileSizeThresholdKB : number,
kMailDirectorySizeThresholdMB : number,
kMailDirectoryEventMaxFlushTimeSec : number,
kSpoolDirectory : string,
kSpoolDirectoryFileSizeThresholdKB : number,
kSpoolDirectorySizeThresholdMB : number,
kSpoolDirectoryEventMaxFlushTimeSec : number,
kFileAccessPolicyPlist : string,
kFileAccessPolicyUpdateIntervalSec : number,
kEnableMachineIDDecoration : number,
kEnableForkAndExitLogging : number,
kIgnoreOtherEndpointSecurityClients : number,
@@ -391,19 +400,27 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
return [self configStateSet];
}
+ (NSSet *)keyPathsForValuesAffectingMailDirectory {
+ (NSSet *)keyPathsForValuesAffectingSpoolDirectory {
return [self configStateSet];
}
+ (NSSet *)keyPathsForValuesAffectingMailDirectoryFileSizeThresholdKB {
+ (NSSet *)keyPathsForValuesAffectingSpoolDirectoryFileSizeThresholdKB {
return [self configStateSet];
}
+ (NSSet *)keyPathsForValuesAffectingMailDirectorySizeThresholdMB {
+ (NSSet *)keyPathsForValuesAffectingSpoolDirectorySizeThresholdMB {
return [self configStateSet];
}
+ (NSSet *)keyPathsForValuesAffectingMailDirectoryEventMaxFlushTimeSec {
+ (NSSet *)keyPathsForValuesAffectingSpoolDirectoryEventMaxFlushTimeSec {
return [self configStateSet];
}
+ (NSSet *)keyPathsForValuesAffectingFileAccessPolicyPlist {
return [self configStateSet];
}
+ (NSSet *)keyPathsForValuesAffectingFileAccessPolicyUpdateIntervalSec {
return [self configStateSet];
}
@@ -468,15 +485,15 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
}
+ (NSSet *)keyPathsForValuesAffectingRemountUSBMode {
return [self configStateSet];
return [self syncAndConfigStateSet];
}
+ (NSSet *)keyPathsForValuesAffectingRemountUSBBlockMessage {
return [self syncAndConfigStateSet];
return [self configStateSet];
}
+ (NSSet *)keyPathsForValuesAffectingUsbBlockMessage {
return [self syncAndConfigStateSet];
return [self configStateSet];
}
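Review bot: the KVO dependencies are swapped here: `remountUSBMode` now depends on `syncAndConfigStateSet`, matching its getter reading `syncState` first, while `RemountUSBBlockMessage` and `UsbBlockMessage` drop to `configStateSet`. `blockUSBMount` also reads `syncState` first in this change, so its `keyPathsForValuesAffectingBlockUSBMount` must return `syncAndConfigStateSet` too; that hunk is not in the diff, so please confirm.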
#pragma mark Public Interface
@@ -577,7 +594,10 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
}
- (NSArray<NSString *> *)remountUSBMode {
NSArray<NSString *> *args = self.configState[kRemountUSBModeKey];
NSArray<NSString *> *args = self.syncState[kRemountUSBModeKey];
if (!args) {
args = (NSArray<NSString *> *)self.configState[kRemountUSBModeKey];
}
for (id arg in args) {
if (![arg isKindOfClass:[NSString class]]) {
return nil;
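Review bot: `args` taken from `syncState` is fast-enumerated without checking that it is an `NSArray`; `configState` values are type-validated through `forcedConfigKeyTypes`, but a sync-server response carrying a string or dictionary for RemountUSBMode would raise an unrecognized-selector exception in the `for (id arg in args)` loop. Guard with `[args isKindOfClass:[NSArray class]]` before the loop, or validate the type when writing to syncState.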
@@ -760,26 +780,36 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
return self.configState[kEventLogPath] ?: @"/var/db/santa/santa.log";
}
- (NSString *)mailDirectory {
return self.configState[kMailDirectory] ?: @"/var/db/santa/mail";
- (NSString *)spoolDirectory {
return self.configState[kSpoolDirectory] ?: @"/var/db/santa/spool";
}
- (NSUInteger)mailDirectoryFileSizeThresholdKB {
return self.configState[kMailDirectoryFileSizeThresholdKB]
? [self.configState[kMailDirectoryFileSizeThresholdKB] unsignedIntegerValue]
- (NSUInteger)spoolDirectoryFileSizeThresholdKB {
return self.configState[kSpoolDirectoryFileSizeThresholdKB]
? [self.configState[kSpoolDirectoryFileSizeThresholdKB] unsignedIntegerValue]
: 250;
}
- (NSUInteger)spoolDirectorySizeThresholdMB {
return self.configState[kSpoolDirectorySizeThresholdMB]
? [self.configState[kSpoolDirectorySizeThresholdMB] unsignedIntegerValue]
: 100;
}
- (NSUInteger)mailDirectorySizeThresholdMB {
return self.configState[kMailDirectorySizeThresholdMB]
? [self.configState[kMailDirectorySizeThresholdMB] unsignedIntegerValue]
: 500;
- (float)spoolDirectoryEventMaxFlushTimeSec {
return self.configState[kSpoolDirectoryEventMaxFlushTimeSec]
? [self.configState[kSpoolDirectoryEventMaxFlushTimeSec] floatValue]
: 15.0;
}
- (float)mailDirMaxFlushTime {
return self.configState[kMailDirectoryEventMaxFlushTimeSec]
? [self.configState[kMailDirectoryEventMaxFlushTimeSec] floatValue]
: 5.0;
- (NSString *)fileAccessPolicyPlist {
return self.configState[kFileAccessPolicyPlist];
}
- (uint32_t)fileAccessPolicyUpdateIntervalSec {
return self.configState[kFileAccessPolicyUpdateIntervalSec]
? [self.configState[kFileAccessPolicyUpdateIntervalSec] unsignedIntValue]
: 60 * 10;
}
- (BOOL)enableMachineIDDecoration {
@@ -855,8 +885,10 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
}
- (BOOL)blockUSBMount {
NSNumber *number = self.configState[kBlockUSBMountKey];
return number ? [number boolValue] : NO;
NSNumber *n = self.syncState[kBlockUSBMountKey];
if (n) return [n boolValue];
return [self.configState[kBlockUSBMountKey] boolValue];
}
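Review bot: `n` comes from `syncState` and is sent `boolValue` with no class check, so a value of an unexpected type from the sync server would throw here; test `isKindOfClass:[NSNumber class]` first. This also lets the server turn USB blocking off on a host whose local profile enables it; if that precedence is intended, state it in the header comment for `blockUSBMount`.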
///
@@ -987,6 +1019,18 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
forcedConfig[key] = [self expressionForPattern:pattern];
}
}
#ifdef DEBUG
NSDictionary *overrides = [NSDictionary dictionaryWithContentsOfFile:kConfigOverrideFilePath];
for (NSString *key in overrides) {
id obj = overrides[key];
if (![obj isKindOfClass:self.forcedConfigKeyTypes[key]]) continue;
forcedConfig[key] = obj;
if (self.forcedConfigKeyTypes[key] == [NSRegularExpression class]) {
NSString *pattern = [obj isKindOfClass:[NSString class]] ? obj : nil;
forcedConfig[key] = [self expressionForPattern:pattern];
}
}
#endif
return forcedConfig;
}
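Review bot: the regex branch in the overrides loop is unreachable: for a key whose type is `NSRegularExpression`, `[obj isKindOfClass:self.forcedConfigKeyTypes[key]]` fails for the NSString a plist can actually hold, so `continue` runs before `expressionForPattern:` is reached and regex keys can never be overridden. Check for the regex class first and accept an NSString pattern there, mirroring the main loop above, and drop the unconditional `forcedConfig[key] = obj;` that precedes the branch.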
@@ -1003,12 +1047,50 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
selector:@selector(defaultsChanged:)
name:NSUserDefaultsDidChangeNotification
object:nil];
#ifdef DEBUG
dispatch_async(dispatch_get_global_queue(QOS_CLASS_UTILITY, 0), ^{
[self watchOverridesFile];
});
#endif
}
#ifdef DEBUG
- (void)watchOverridesFile {
while (![[NSFileManager defaultManager] fileExistsAtPath:kConfigOverrideFilePath]) {
[NSThread sleepForTimeInterval:0.2];
}
[self defaultsChanged:nil];
int descriptor = open([kConfigOverrideFilePath fileSystemRepresentation], O_EVTONLY);
if (descriptor < 0) {
return;
}
dispatch_source_t source =
dispatch_source_create(DISPATCH_SOURCE_TYPE_VNODE, descriptor,
DISPATCH_VNODE_WRITE | DISPATCH_VNODE_RENAME | DISPATCH_VNODE_DELETE,
dispatch_get_global_queue(QOS_CLASS_UTILITY, 0));
dispatch_source_set_event_handler(source, ^{
dispatch_async(dispatch_get_main_queue(), ^{
[self defaultsChanged:nil];
});
unsigned long events = dispatch_source_get_data(source);
if ((events & DISPATCH_VNODE_DELETE) || (events & DISPATCH_VNODE_RENAME)) {
dispatch_source_cancel(source);
}
});
dispatch_source_set_cancel_handler(source, ^{
close(descriptor);
[self watchOverridesFile];
});
dispatch_resume(source);
}
#endif
- (void)defaultsChanged:(void *)v {
SEL handleChange = @selector(handleChange);
[NSObject cancelPreviousPerformRequestsWithTarget:self selector:handleChange object:nil];
[self performSelector:handleChange withObject:nil afterDelay:5.0f];
[self performSelector:handleChange withObject:nil afterDelay:1.0f];
}
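Review bot: `watchOverridesFile` parks a global utility-queue worker in a `sleepForTimeInterval:0.2` poll for as long as the override file is absent, and the cancel handler re-enters the same loop after a rename or delete, so a process that never receives the file holds that thread for its lifetime (DEBUG only, but still). Watch the parent directory with a vnode source instead of polling, or bound the retries. Separately, the event handler captures `source` itself, so the source is released only once cancelled; acceptable here, but worth a comment.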
///

View File

@@ -572,6 +572,10 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
NSData *cmdData = [self safeSubdataWithRange:NSMakeRange(offset, sz_segment)];
if (!cmdData) return nil;
if (((struct load_command *)[cmdData bytes])->cmdsize < sizeof(struct load_command)) {
return nil;
}
if (is64) {
struct segment_command_64 *lc = (struct segment_command_64 *)[cmdData bytes];
if (lc->cmd == LC_SEGMENT_64 && memcmp(lc->segname, "__TEXT", 6) == 0) {
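Review bot: the new lower bound on `cmdsize` stops a zero-length load command from pinning the walk, which is the right hardening. If the caller advances `offset` by `cmdsize`, pair it with an upper bound (`offset + cmdsize` must not pass the end of the load-command region given by the header) so an oversized value cannot push later `safeSubdataWithRange:` calls past the file; relying on that helper to return nil works, but an explicit check makes the intent clear.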
@@ -642,7 +646,10 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
///
- (NSData *)safeSubdataWithRange:(NSRange)range {
@try {
if ((range.location + range.length) > self.fileSize) return nil;
NSUInteger size;
if (__builtin_add_overflow(range.location, range.length, &size) || size > self.fileSize) {
return nil;
}
[self.fileHandle seekToFileOffset:range.location];
NSData *d = [self.fileHandle readDataOfLength:range.length];
if (d.length != range.length) return nil;

View File

@@ -34,7 +34,12 @@
- (void)testPathStandardizing {
SNTFileInfo *sut = [[SNTFileInfo alloc] initWithPath:@"/Applications/Safari.app"];
XCTAssertNotNil(sut);
XCTAssertEqualObjects(sut.path, @"/Applications/Safari.app/Contents/MacOS/Safari");
if (@available(macOS 13.0, *)) {
XCTAssertEqualObjects(sut.path, @"/System/Volumes/Preboot/Cryptexes/App/System/Applications/"
@"Safari.app/Contents/MacOS/Safari");
} else {
XCTAssertEqualObjects(sut.path, @"/Applications/Safari.app/Contents/MacOS/Safari");
}
sut = [[SNTFileInfo alloc] initWithPath:@"../../../../../../../../../../../../../../../bin/ls"];
XCTAssertEqualObjects(sut.path, @"/bin/ls");
@@ -90,6 +95,11 @@
}
- (void)testKext {
// Skip this test on macOS 13 as KEXTs have moved into the kernelcache.
if (@available(macOS 13.0, *)) {
return;
}
SNTFileInfo *sut = [[SNTFileInfo alloc]
initWithPath:@"/System/Library/Extensions/AppleAPIC.kext/Contents/MacOS/AppleAPIC"];

View File

@@ -280,15 +280,12 @@ NSString *SNTMetricMakeStringFromMetricType(SNTMetricType metricType) {
if (_fieldNames.count == 0) {
metricDict[@"fields"][@""] = @[ [self encodeMetricValueForFieldValues:@[]] ];
} else {
for (NSString *fieldName in _fieldNames) {
NSMutableArray *fieldVals = [[NSMutableArray alloc] init];
NSMutableArray *fieldVals = [[NSMutableArray alloc] init];
for (NSArray<NSString *> *fieldValues in _metricsForFieldValues) {
[fieldVals addObject:[self encodeMetricValueForFieldValues:fieldValues]];
}
metricDict[@"fields"][fieldName] = fieldVals;
for (NSArray<NSString *> *fieldValues in _metricsForFieldValues) {
[fieldVals addObject:[self encodeMetricValueForFieldValues:fieldValues]];
}
metricDict[@"fields"][[_fieldNames componentsJoinedByString:@","]] = fieldVals;
}
return metricDict;
}
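Review bot: the fix collapses the per-field-name duplicate serialization into a single entry keyed by `[_fieldNames componentsJoinedByString:@","]`, which matches the new test, but the comma-joined key and the comma-joined `value` string are ambiguous if a field name or value itself contains a comma. Document the format for the Monarch JSON consumer, or reject commas when a field is registered.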

View File

@@ -672,4 +672,35 @@
output);
}
}
- (void)testEnsureMetricsWithMultipleFieldNamesSerializeOnce {
SNTMetricSet *metricSet = [[SNTMetricSet alloc] initWithHostname:@"testHost"
username:@"testUser"];
SNTMetricCounter *c =
[metricSet counterWithName:@"/santa/events"
fieldNames:@[ @"client", @"event_type" ]
helpText:@"Count of events on the host for a given ES client"];
[c incrementBy:1 forFieldValues:@[ @"device_manager", @"auth_mount" ]];
NSDictionary *expected = @{
@"/santa/events" : @{
@"description" : @"Count of events on the host for a given ES client",
@"type" : [NSNumber numberWithInt:(int)SNTMetricTypeCounter],
@"fields" : @{
@"client,event_type" : @[
@{
@"value" : @"device_manager,auth_mount",
@"created" : [NSDate date],
@"last_updated" : [NSDate date],
@"data" : [NSNumber numberWithInt:1],
},
],
},
},
};
NSDictionary *got = [metricSet export][@"metrics"];
XCTAssertEqualObjects(expected, got, @"metrics do not match expected");
}
@end
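Review bot: `expected` uses `[NSDate date]` for `created` and `last_updated`, which only compares equal to the metric's own timestamps if `export` truncates them or this test file swizzles the clock; unless the earlier tests in the file establish that, the assertion is timing-dependent. Compare the timestamps separately, or replace them before `XCTAssertEqualObjects`.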

View File

@@ -1,227 +0,0 @@
/// Copyright 2018 Google Inc. All rights reserved.
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// http://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
#include "Source/common/SNTPrefixTree.h"
#include <string.h>
#include <mutex>
#define LOGD(format, ...) // NOP
#define LOGE(format, ...) // NOP
#define lck_rw_lock_shared(l) pthread_rwlock_rdlock(&l)
#define lck_rw_unlock_shared(l) pthread_rwlock_unlock(&l)
#define lck_rw_lock_exclusive(l) pthread_rwlock_wrlock(&l)
#define lck_rw_unlock_exclusive(l) pthread_rwlock_unlock(&l)
#define lck_rw_lock_shared_to_exclusive(l) \
({ \
pthread_rwlock_unlock(&l); \
false; \
})
#define lck_rw_lock_exclusive_to_shared(l) \
({ \
pthread_rwlock_unlock(&l); \
pthread_rwlock_rdlock(&l); \
})
#define lck_mtx_lock(l) l->lock()
#define lck_mtx_unlock(l) l->unlock()
SNTPrefixTree::SNTPrefixTree(uint32_t max_nodes) {
root_ = new SantaPrefixNode();
node_count_ = 0;
max_nodes_ = max_nodes;
pthread_rwlock_init(&spt_lock_, nullptr);
spt_add_lock_ = new std::mutex;
}
IOReturn SNTPrefixTree::AddPrefix(const char *prefix, uint64_t *node_count) {
// Serialize requests to AddPrefix. Otherwise one AddPrefix thread could
// overwrite whole branches of another. HasPrefix is still free to read the
// tree, until AddPrefix needs to modify it.
lck_mtx_lock(spt_add_lock_);
// Don't allow an empty prefix.
if (prefix[0] == '\0') return kIOReturnBadArgument;
LOGD("Trying to add prefix: %s", prefix);
// Enforce max tree depth.
size_t len = strnlen(prefix, max_nodes_);
// Grab a shared lock until a new branch is required.
lck_rw_lock_shared(spt_lock_);
SantaPrefixNode *node = root_;
for (size_t i = 0; i < len; ++i) {
// If there is a node in the path that is considered a prefix, stop adding.
// For our purposes we only care about the shortest path that matches.
if (node->isPrefix) break;
// Only process a byte at a time.
uint8_t value = (uint8_t)prefix[i];
// Create the child if it does not exist.
if (!node->children[value]) {
// Upgrade the shared lock.
// If the upgrade fails, the shared lock is released.
if (!lck_rw_lock_shared_to_exclusive(spt_lock_)) {
// Grab a new exclusive lock.
lck_rw_lock_exclusive(spt_lock_);
}
// Is there enough room for the rest of the prefix?
if ((node_count_ + (len - i)) > max_nodes_) {
LOGE("Prefix tree is full, can not add: %s", prefix);
if (node_count) *node_count = node_count_;
lck_rw_unlock_exclusive(spt_lock_);
lck_mtx_unlock(spt_add_lock_);
return kIOReturnNoResources;
}
// Create the rest of the prefix.
while (i < len) {
value = (uint8_t)prefix[i++];
SantaPrefixNode *new_node = new SantaPrefixNode();
node->children[value] = new_node;
++node_count_;
node = new_node;
}
// This is the end, mark the node as a prefix.
LOGD("Added prefix: %s", prefix);
node->isPrefix = true;
// Downgrade the exclusive lock
lck_rw_lock_exclusive_to_shared(spt_lock_);
} else if (i + 1 == len) {
// If the child does exist and it is the end...
// Set the new, higher prefix and prune the now dead nodes.
if (!lck_rw_lock_shared_to_exclusive(spt_lock_)) {
lck_rw_lock_exclusive(spt_lock_);
}
PruneNode(node->children[value]);
SantaPrefixNode *new_node = new SantaPrefixNode();
new_node->isPrefix = true;
node->children[value] = new_node;
++node_count_;
LOGD("Added prefix: %s", prefix);
lck_rw_lock_exclusive_to_shared(spt_lock_);
}
// Get ready for the next iteration.
node = node->children[value];
}
if (node_count) *node_count = node_count_;
lck_rw_unlock_shared(spt_lock_);
lck_mtx_unlock(spt_add_lock_);
return kIOReturnSuccess;
}
bool SNTPrefixTree::HasPrefix(const char *string) {
lck_rw_lock_shared(spt_lock_);
auto found = false;
SantaPrefixNode *node = root_;
// A well formed tree will always break this loop. Even if string doesn't
// terminate.
const char *p = string;
while (*p) {
// Only process a byte at a time.
node = node->children[(uint8_t)*p++];
// If it doesn't exist in the tree, no match.
if (!node) break;
// If it does exist, is it a prefix?
if (node->isPrefix) {
found = true;
break;
}
}
lck_rw_unlock_shared(spt_lock_);
return found;
}
void SNTPrefixTree::Reset() {
lck_rw_lock_exclusive(spt_lock_);
PruneNode(root_);
root_ = new SantaPrefixNode();
node_count_ = 0;
lck_rw_unlock_exclusive(spt_lock_);
}
void SNTPrefixTree::PruneNode(SantaPrefixNode *target) {
if (!target) return;
// For deep trees, a recursive approach will generate too many stack frames.
// Make a "stack" and walk the tree.
auto stack = new SantaPrefixNode *[node_count_ + 1];
if (!stack) {
LOGE("Unable to prune tree!");
return;
}
auto count = 0;
// Seed the "stack" with a starting node.
stack[count++] = target;
// Start at the target node and walk the tree to find and delete all the
// sub-nodes.
while (count) {
auto node = stack[--count];
for (int i = 0; i < 256; ++i) {
if (!node->children[i]) continue;
stack[count++] = node->children[i];
}
delete node;
--node_count_;
}
delete[] stack;
}
SNTPrefixTree::~SNTPrefixTree() {
lck_rw_lock_exclusive(spt_lock_);
PruneNode(root_);
root_ = nullptr;
lck_rw_unlock_exclusive(spt_lock_);
pthread_rwlock_destroy(&spt_lock_);
}

View File

@@ -1,91 +0,0 @@
/// Copyright 2018 Google Inc. All rights reserved.
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// http://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
#ifndef SANTA__SANTA_DRIVER__SANTAPREFIXTREE_H
#define SANTA__SANTA_DRIVER__SANTAPREFIXTREE_H
#include <IOKit/IOReturn.h>
#include <sys/param.h>
// Support for unit testing.
#include <pthread.h>
#include <stdint.h>
#include <mutex>
///
/// SantaPrefixTree is a simple prefix tree implementation.
/// Operations are thread safe.
///
class SNTPrefixTree {
public:
// Add a prefix to the tree.
// Optionally pass node_count to get the number of nodes after the add.
IOReturn AddPrefix(const char *, uint64_t *node_count = nullptr);
// Check if the tree has a prefix for string.
bool HasPrefix(const char *string);
// Reset the tree.
void Reset();
SNTPrefixTree(uint32_t max_nodes = kDefaultMaxNodes);
~SNTPrefixTree();
private:
///
/// SantaPrefixNode is a wrapper class that represents one byte.
/// 1 node can represent a whole ASCII character.
/// For example a pointer to the 'A' node will be stored at children[0x41].
/// It takes 1-4 nodes to represent a UTF-8 encoded Unicode character.
///
/// The path for "/🤘" would look like this:
/// children[0x2f] -> children[0xf0] -> children[0x9f] -> children[0xa4]
/// -> children[0x98]
///
/// The path for "/dev" is:
/// children[0x2f] -> children[0x64] -> children[0x65] -> children[0x76]
///
/// Lookups of children are O(1).
///
/// Having the nodes represented by a smaller width, such as a nibble (1/2
/// byte), would drastically decrease the memory footprint but would double
/// required dereferences.
///
/// TODO(bur): Potentially convert this into a full on radix tree.
///
class SantaPrefixNode {
public:
bool isPrefix;
SantaPrefixNode *children[256];
};
// PruneNode will remove the passed in node from the tree.
// The passed in node and all subnodes will be deleted.
// It is the caller's responsibility to reset the pointer to this node (held
// by the parent). If the tree is in use grab the exclusive lock.
void PruneNode(SantaPrefixNode *);
SantaPrefixNode *root_;
// Each node takes up ~2k, assuming MAXPATHLEN is 1024 max out at ~2MB.
static const uint32_t kDefaultMaxNodes = MAXPATHLEN;
uint32_t max_nodes_;
uint32_t node_count_;
pthread_rwlock_t spt_lock_;
std::mutex *spt_add_lock_;
};
#endif /* SANTA__SANTA_DRIVER__SANTAPREFIXTREE_H */

View File

@@ -1,73 +0,0 @@
/// Copyright 2018 Google Inc. All rights reserved.
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// http://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
#import <XCTest/XCTest.h>
#include "Source/common/SNTPrefixTree.h"
@interface SNTPrefixTreeTest : XCTestCase
@end
@implementation SNTPrefixTreeTest
- (void)testAddAndHas {
auto t = SNTPrefixTree();
XCTAssertFalse(t.HasPrefix("/private/var/tmp/file1"));
t.AddPrefix("/private/var/tmp/");
XCTAssertTrue(t.HasPrefix("/private/var/tmp/file1"));
}
- (void)testReset {
auto t = SNTPrefixTree();
t.AddPrefix("/private/var/tmp/");
XCTAssertTrue(t.HasPrefix("/private/var/tmp/file1"));
t.Reset();
XCTAssertFalse(t.HasPrefix("/private/var/tmp/file1"));
}
- (void)testThreading {
uint32_t count = 4096;
auto t = new SNTPrefixTree(count * (uint32_t)[NSUUID UUID].UUIDString.length);
NSMutableArray *UUIDs = [NSMutableArray arrayWithCapacity:count];
for (int i = 0; i < count; ++i) {
[UUIDs addObject:[NSUUID UUID].UUIDString];
}
__block BOOL stop = NO;
// Create a bunch of background noise.
dispatch_async(dispatch_get_global_queue(0, 0), ^{
for (uint64_t i = 0; i < UINT64_MAX; ++i) {
dispatch_async(dispatch_get_global_queue(0, 0), ^{
t->HasPrefix([UUIDs[i % count] UTF8String]);
});
if (stop) return;
}
});
// Fill up the tree.
dispatch_apply(count, dispatch_get_global_queue(0, 0), ^(size_t i) {
XCTAssertEqual(t->AddPrefix([UUIDs[i] UTF8String]), kIOReturnSuccess);
});
// Make sure every leaf byte is found.
dispatch_apply(count, dispatch_get_global_queue(0, 0), ^(size_t i) {
XCTAssertTrue(t->HasPrefix([UUIDs[i] UTF8String]));
});
stop = YES;
}
@end

View File

@@ -15,8 +15,8 @@
#import <Foundation/Foundation.h>
#import <MOLCertificate/MOLCertificate.h>
#import "Source/common/SNTCommon.h"
#import "Source/common/SNTCommonEnums.h"
#import "Source/common/SantaVnode.h"
@class SNTRule;
@class SNTStoredEvent;
@@ -31,7 +31,7 @@
/// Cache Ops
///
- (void)cacheCounts:(void (^)(uint64_t rootCache, uint64_t nonRootCache))reply;
- (void)checkCacheForVnodeID:(santa_vnode_id_t)vnodeID withReply:(void (^)(santa_action_t))reply;
- (void)checkCacheForVnodeID:(SantaVnode)vnodeID withReply:(void (^)(SNTAction))reply;
///
/// Database ops
@@ -63,6 +63,7 @@
/// Config ops
///
- (void)watchdogInfo:(void (^)(uint64_t, uint64_t, double, double))reply;
- (void)watchItemsState:(void (^)(BOOL, uint64_t, NSString *, NSString *, NSTimeInterval))reply;
- (void)clientMode:(void (^)(SNTClientMode))reply;
- (void)fullSyncLastSuccess:(void (^)(NSDate *))reply;
- (void)ruleSyncLastSuccess:(void (^)(NSDate *))reply;

View File

@@ -25,7 +25,7 @@
#include <cstdlib>
#include <cstring>
#include "Source/common/SNTCommon.h"
#include "Source/common/BranchPrediction.h"
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wdeprecated-declarations"

View File

@@ -0,0 +1,40 @@
/// Copyright 2022 Google LLC
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// https://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
#ifndef SANTA__COMMON__SANTAVNODE_H
#define SANTA__COMMON__SANTAVNODE_H
#include <EndpointSecurity/EndpointSecurity.h>
#include <sys/types.h>
// Struct to manage vnode IDs
typedef struct SantaVnode {
dev_t fsid;
ino_t fileid;
#ifdef __cplusplus
bool operator==(const SantaVnode &rhs) const {
return fsid == rhs.fsid && fileid == rhs.fileid;
}
static inline SantaVnode VnodeForFile(const es_file_t *es_file) {
return SantaVnode{
.fsid = es_file->stat.st_dev,
.fileid = es_file->stat.st_ino,
};
}
#endif
} SantaVnode;
#endif
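Review bot: `VnodeForFile` dereferences `es_file` unconditionally; a caller passing a null `es_file_t *` crashes the process, so either document the non-null precondition or guard it. Two smaller points: only `operator==` is defined, so `a != b` will not compile before C++20 (add `operator!=` or rely on `<=>` if the project is on C++20), and the struct has no doc comment beyond "Struct to manage vnode IDs"; a sentence noting that `(fsid, fileid)` is the identity used for the cache keys would help readers.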

View File

@@ -0,0 +1,24 @@
/// Copyright 2022 Google LLC
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// https://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
#ifndef SANTA__COMMON__SANTAVNODEHASH_H
#define SANTA__COMMON__SANTAVNODEHASH_H
#include "Source/common/SantaCache.h"
#include "Source/common/SantaVnode.h"
template <>
uint64_t SantaCacheHasher<SantaVnode>(SantaVnode const &t);
#endif

View File

@@ -0,0 +1,20 @@
/// Copyright 2022 Google LLC
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// https://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
#include "Source/common/SantaVnodeHash.h"
template <>
uint64_t SantaCacheHasher<SantaVnode>(SantaVnode const &t) {
return (SantaCacheHasher<uint64_t>(t.fsid) << 1) ^ SantaCacheHasher<uint64_t>(t.fileid);
}
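Review bot: the combiner `(hash(fsid) << 1) ^ hash(fileid)` discards the top bit of the fsid hash and its quality depends entirely on `SantaCacheHasher<uint64_t>`; if that hasher is close to identity, distinct keys collide trivially (fsid=1,fileid=2 and fsid=0,fileid=0 both give 0), which degrades cache bucket distribution for a structure keyed on file identities. Consider a proper mix (e.g. hash the two fields through the existing 64-bit hasher sequentially, or multiply by an odd constant before xoring) and add a short comment on why this combination was chosen. Note also that `t.fsid` (a signed `dev_t`) is sign-extended when widened to `uint64_t`, which is harmless but worth a comment.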

View File

@@ -0,0 +1,41 @@
/// Copyright 2022 Google LLC
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// https://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
#ifndef SANTA__COMMON__SYSTEMRESOURCES_H
#define SANTA__COMMON__SYSTEMRESOURCES_H
#import <Foundation/Foundation.h>
#include <mach/mach_time.h>
#include <sys/cdefs.h>
#include <sys/proc_info.h>
#include <optional>
struct SantaTaskInfo {
uint64_t virtual_size;
uint64_t resident_size;
uint64_t total_user_nanos;
uint64_t total_system_nanos;
};
// Convert mach absolute time to nanoseconds
uint64_t MachTimeToNanos(uint64_t mach_time);
// Convert nanoseconds to mach absolute time
uint64_t NanosToMachTime(uint64_t nanos);
// Get the result of proc_pidinfo with the PROC_PIDTASKINFO flavor
std::optional<SantaTaskInfo> GetTaskInfo();
#endif
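Review bot: the comments on `MachTimeToNanos`/`NanosToMachTime`/`GetTaskInfo` do not say which process `GetTaskInfo` describes (the implementation uses the calling process) or that `std::nullopt` is returned when `proc_pidinfo` fails; state both in the header so callers handle the empty case. Also, the header mixes `#import <Foundation/Foundation.h>` with `<optional>`, so it is C++/Objective-C++ only; `<sys/cdefs.h>` does not appear to be needed by anything declared here.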

View File

@@ -0,0 +1,68 @@
/// Copyright 2022 Google LLC
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// https://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
#include "Source/common/SystemResources.h"
#include <dispatch/dispatch.h>
#include <libproc.h>
#include <mach/kern_return.h>
#include <unistd.h>
#include <optional>
#include "Source/common/SNTLogging.h"
static mach_timebase_info_data_t GetTimebase() {
static dispatch_once_t once_token;
static mach_timebase_info_data_t timebase;
dispatch_once(&once_token, ^{
if (mach_timebase_info(&timebase) != KERN_SUCCESS) {
// This shouldn't fail. Assume transitory and exit the program.
// Hopefully fixes itself on restart...
LOGE(@"Failed to get timebase info. Exiting.");
exit(EXIT_FAILURE);
}
});
return timebase;
}
uint64_t MachTimeToNanos(uint64_t mach_time) {
mach_timebase_info_data_t timebase = GetTimebase();
return mach_time * timebase.numer / timebase.denom;
}
uint64_t NanosToMachTime(uint64_t nanos) {
mach_timebase_info_data_t timebase = GetTimebase();
return nanos * timebase.denom / timebase.numer;
}
std::optional<SantaTaskInfo> GetTaskInfo() {
struct proc_taskinfo pti;
if (proc_pidinfo(getpid(), PROC_PIDTASKINFO, 0, &pti, PROC_PIDTASKINFO_SIZE) <
PROC_PIDTASKINFO_SIZE) {
LOGW(@"Unable to get system resource information");
return std::nullopt;
}
return SantaTaskInfo{
.virtual_size = pti.pti_virtual_size,
.resident_size = pti.pti_resident_size,
.total_user_nanos = MachTimeToNanos(pti.pti_total_user),
.total_system_nanos = MachTimeToNanos(pti.pti_total_system),
};
}
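Review bot: `MachTimeToNanos` computes `mach_time * timebase.numer / timebase.denom`; multiplying first preserves precision but overflows `uint64_t` when `numer > 1` and the input is large (the same applies to `NanosToMachTime` with `denom > 1`), and both silently truncate on division. A 128-bit intermediate (`__uint128_t`) or an overflow-checked multiply would make this safe for any input. Separately, `GetTimebase` calls `exit(EXIT_FAILURE)` on a `mach_timebase_info` failure; now that TestUtils links this helper, a failure there terminates the test runner rather than failing a test, so consider returning an error or falling back to a 1/1 timebase with a logged warning.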

View File

@@ -23,7 +23,7 @@
#include <sys/stat.h>
#define NOBODY_UID ((unsigned int)-2)
#define NOBODY_GID ((unsigned int)-2)
#define NOGROUP_GID ((unsigned int)-1)
// Bubble up googletest expectation failures to XCTest failures
#define XCTBubbleMockVerifyAndClearExpectations(mock) \
@@ -38,6 +38,10 @@
// Pretty print C++ string match errors
#define XCTAssertCppStringEqual(got, want) XCTAssertCStringEqual((got).c_str(), (want).c_str())
#define XCTAssertSemaTrue(s, sec, m) \
XCTAssertEqual( \
0, dispatch_semaphore_wait((s), dispatch_time(DISPATCH_TIME_NOW, (sec)*NSEC_PER_SEC)), m)
// Helper to ensure at least `ms` milliseconds are slept, even if the sleep
// function returns early due to interrupts.
void SleepMS(long ms);
@@ -47,9 +51,18 @@ enum class ActionType {
Notify,
};
//
// Helpers to construct various ES structs
//
audit_token_t MakeAuditToken(pid_t pid, pid_t pidver);
struct stat MakeStat(ino_t ino, dev_t devno = 0);
/// Construct a `struct stat` buffer with each member having a unique value.
/// @param offset An optional offset to be added to each member. useful when
/// a test has multiple stats and you'd like for them each to have different
/// values across the members.
struct stat MakeStat(int offset = 0);
es_string_token_t MakeESStringToken(const char *s);
es_file_t MakeESFile(const char *path, struct stat sb = {});
es_process_t MakeESProcess(es_file_t *file, audit_token_t tok = {}, audit_token_t parent_tok = {});
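Review bot: replacing `MakeStat(ino_t ino, dev_t devno = 0)` with `MakeStat(int offset = 0)` changes the meaning of existing single-argument call sites without a compile error: `MakeStat(5)` used to mean inode 5 and now means offset 5 (inode 9, dev 6, ...). Grep callers that passed an explicit inode and confirm their assertions still hold. Minor: in the doc comment, "useful when" starts a new sentence and should be capitalised.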
@@ -57,4 +70,6 @@ es_message_t MakeESMessage(es_event_type_t et, es_process_t *proc,
ActionType action_type = ActionType::Notify,
uint64_t future_deadline_ms = 100000);
uint32_t MaxSupportedESMessageVersionForCurrentOS();
#endif

View File

@@ -18,6 +18,8 @@
#include <dispatch/dispatch.h>
#include <mach/mach_time.h>
#include <time.h>
#include <uuid/uuid.h>
#include "Source/common/SystemResources.h"
audit_token_t MakeAuditToken(pid_t pid, pid_t pidver) {
return audit_token_t{
@@ -25,9 +27,9 @@ audit_token_t MakeAuditToken(pid_t pid, pid_t pidver) {
{
0,
NOBODY_UID,
NOBODY_GID,
NOGROUP_GID,
NOBODY_UID,
NOBODY_GID,
NOGROUP_GID,
(unsigned int)pid,
0,
(unsigned int)pidver,
@@ -35,10 +37,24 @@ audit_token_t MakeAuditToken(pid_t pid, pid_t pidver) {
};
}
struct stat MakeStat(ino_t ino, dev_t devno) {
struct stat MakeStat(int offset) {
return (struct stat){
.st_dev = devno,
.st_ino = ino,
.st_dev = 1 + offset,
.st_mode = (mode_t)(2 + offset),
.st_nlink = (nlink_t)(3 + offset),
.st_ino = (uint64_t)(4 + offset),
.st_uid = NOBODY_UID,
.st_gid = NOGROUP_GID,
.st_rdev = 5 + offset,
.st_atimespec = {.tv_sec = 100 + offset, .tv_nsec = 200 + offset},
.st_mtimespec = {.tv_sec = 101 + offset, .tv_nsec = 21 + offset},
.st_ctimespec = {.tv_sec = 102 + offset, .tv_nsec = 202 + offset},
.st_birthtimespec = {.tv_sec = 103 + offset, .tv_nsec = 203 + offset},
.st_size = 6 + offset,
.st_blocks = 7 + offset,
.st_blksize = 8 + offset,
.st_flags = (uint32_t)(9 + offset),
.st_gen = (uint32_t)(10 + offset),
};
}
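Review bot: `.st_mtimespec = {.tv_sec = 101 + offset, .tv_nsec = 21 + offset}` breaks the sequential pattern used by the neighbouring fields (200, 202, 203); if `21` is a typo for `201`, fix it now, otherwise a comment explaining the odd value would stop the next reader from "fixing" it. The per-field unique values are a good way to catch swapped fields in the serializers; note also that `st_mode = 2 + offset` carries no file-type bits, so any test that relies on `S_ISREG`/`S_ISDIR` on this stat will see an unknown type.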
@@ -62,38 +78,53 @@ es_process_t MakeESProcess(es_file_t *file, audit_token_t tok, audit_token_t par
.audit_token = tok,
.ppid = audit_token_to_pid(parent_tok),
.original_ppid = audit_token_to_pid(parent_tok),
.group_id = 111,
.session_id = 222,
.is_platform_binary = true,
.is_es_client = true,
.executable = file,
.parent_audit_token = parent_tok,
};
}
static uint64_t AddMillisToMachTime(uint64_t ms, uint64_t machTime) {
static dispatch_once_t onceToken;
static mach_timebase_info_data_t timebase;
dispatch_once(&onceToken, ^{
mach_timebase_info(&timebase);
});
// Convert given machTime to nanoseconds
uint64_t nanoTime = machTime * timebase.numer / timebase.denom;
uint64_t nanoTime = MachTimeToNanos(machTime);
// Add the ms offset
nanoTime += (ms * NSEC_PER_MSEC);
// Convert back to machTime
return nanoTime * timebase.denom / timebase.numer;
return NanosToMachTime(nanoTime);
}
uint32_t MaxSupportedESMessageVersionForCurrentOS() {
// Note: ES message v3 was only in betas.
if (@available(macOS 13.0, *)) {
return 6;
} else if (@available(macOS 12.3, *)) {
return 5;
} else if (@available(macOS 11.0, *)) {
return 4;
} else if (@available(macOS 10.15.4, *)) {
return 2;
} else {
return 1;
}
}
es_message_t MakeESMessage(es_event_type_t et, es_process_t *proc, ActionType action_type,
uint64_t future_deadline_ms) {
return es_message_t{
es_message_t es_msg = {
.deadline = AddMillisToMachTime(future_deadline_ms, mach_absolute_time()),
.process = proc,
.action_type =
(action_type == ActionType::Notify) ? ES_ACTION_TYPE_NOTIFY : ES_ACTION_TYPE_AUTH,
.event_type = et,
};
es_msg.version = MaxSupportedESMessageVersionForCurrentOS();
return es_msg;
}
void SleepMS(long ms) {
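Review bot: `MaxSupportedESMessageVersionForCurrentOS` hard-codes the OS-to-version table; with `minimum_os_version` raised to "11.0" in the BUILD files in this change set, the `10.15.4` and fallback branches are unreachable, and when Santa later supports a newer message version this helper will keep tests pinned to an older one unless someone remembers to update it. Consider deriving the value from the same constant the daemon uses, or at least asserting in a test that it matches. `MakeESMessage` assigning `es_msg.version` after aggregate initialisation is fine, but a comment that `version` is set separately because it is computed at runtime would help.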

24
Source/common/Unit.h Normal file
View File

@@ -0,0 +1,24 @@
/// Copyright 2022 Google LLC
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// https://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
#ifndef SANTA__COMMON__UNIT_H
#define SANTA__COMMON__UNIT_H
namespace santa::common {
struct Unit {};
} // namespace santa::common
#endif
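Review bot: `struct Unit {}` has no doc comment; a one-line note on its intended use (a zero-size placeholder type for templates or containers that need a value type but carry no data) would make the purpose of the new header obvious.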

View File

@@ -11,135 +11,529 @@ import "google/protobuf/timestamp.proto";
option objc_class_prefix = "SNTPB";
package santa;
package santa.pb.v1;
message ProcessInfo {
// User ID and associated username
message UserInfo {
optional int32 uid = 1;
optional string name = 2;
}
// Group ID and associated group name
message GroupInfo {
optional int32 gid = 1;
optional string name = 2;
}
// A process is uniquely identified on macOS by its pid and pidversion
message ProcessID {
optional int32 pid = 1;
optional int32 pidversion = 2;
optional int32 ppid = 3;
optional int32 uid = 4;
optional string user = 5;
optional int32 gid = 6;
optional string group = 7;
}
message FileModification {
enum Action {
ACTION_UNKNOWN = 0;
ACTION_DELETE = 1;
ACTION_EXCHANGE = 2;
ACTION_LINK = 3;
ACTION_RENAME = 4;
ACTION_WRITE = 5;
// Code signature information
message CodeSignature {
// The code directory hash identifies a specific version of a program
optional bytes cdhash = 1;
// The signing id of the code signature
optional string signing_id = 2;
// The team id of the code signature
optional string team_id = 3;
}
// Stat information for a file
// Mimics data from `stat(2)`
message Stat {
optional int32 dev = 1;
optional uint32 mode = 2;
optional uint32 nlink = 3;
optional uint64 ino = 4;
optional UserInfo user = 5;
optional GroupInfo group = 6;
optional int32 rdev = 7;
optional google.protobuf.Timestamp access_time = 8;
optional google.protobuf.Timestamp modification_time = 9;
optional google.protobuf.Timestamp change_time = 10;
optional google.protobuf.Timestamp birth_time = 11;
optional int64 size = 12;
optional int64 blocks = 13;
optional int32 blksize = 14;
optional uint32 flags = 15;
optional int32 gen = 16;
}
// Hash value and metadata describing hash algorithm used
message Hash {
enum HashAlgo {
HASH_ALGO_UNKNOWN = 0;
HASH_ALGO_SHA256 = 1;
}
optional Action action = 1;
optional string path = 2;
optional string newpath = 3;
optional string process = 4;
optional string process_path = 5;
optional ProcessInfo process_info = 6;
optional string machine_id = 7;
optional HashAlgo type = 1;
optional string hash = 2;
}
// File information
message FileInfo {
// File path
optional string path = 1;
// Whether or not the path is truncated
optional bool truncated = 2;
// Stat information
optional Stat stat = 3;
// Hash of file contents
optional Hash hash = 4;
}
// Light variant of `FileInfo` message to help minimize on-disk/on-wire sizes
message FileInfoLight {
// File path
optional string path = 1;
// Whether or not the path is truncated
optional bool truncated = 2;
}
// File descriptor information
message FileDescriptor {
// Enum types gathered from `<sys/proc_info.h>`
enum FDType {
FD_TYPE_UNKNOWN = 0;
FD_TYPE_ATALK = 1;
FD_TYPE_VNODE = 2;
FD_TYPE_SOCKET = 3;
FD_TYPE_PSHM = 4;
FD_TYPE_PSEM = 5;
FD_TYPE_KQUEUE = 6;
FD_TYPE_PIPE = 7;
FD_TYPE_FSEVENTS = 8;
FD_TYPE_NETPOLICY = 9;
FD_TYPE_CHANNEL = 10;
FD_TYPE_NEXUS = 11;
}
// File descriptor value
optional int32 fd = 1;
// Type of file object
optional FDType fd_type = 2;
// Unique id of the pipe for correlation with other file descriptors
// pointing to the same or other end of the same pipe
// Note: Only valid when `fd_type` is `FD_TYPE_PIPE`
optional uint64 pipe_id = 3;
}
// Process information
message ProcessInfo {
// Process ID of the process
optional ProcessID id = 1;
// Process ID of the parent process
optional ProcessID parent_id = 2;
// Process ID of the process responsible for this one
optional ProcessID responsible_id = 3;
// Original parent ID, remains stable in the event a process is reparented
optional int32 original_parent_pid = 4;
// Process group id the process belongs to
optional int32 group_id = 5;
// Session id the process belongs to
optional int32 session_id = 6;
// Effective user/group info
optional UserInfo effective_user = 7;
optional GroupInfo effective_group = 8;
// Real user/group info
optional UserInfo real_user = 9;
optional GroupInfo real_group = 10;
// Whether or not the process was signed with Apple certificates
optional bool is_platform_binary = 11;
// Whether or not the process is an ES client
optional bool is_es_client = 12;
// Code signature information for the process
optional CodeSignature code_signature = 13;
// Codesigning flags for the process (from `<Kernel/kern/cs_blobs.h>`)
optional uint32 cs_flags = 14;
// File information for the executable backing this process
optional FileInfo executable = 15;
// File information for the associated TTY
optional FileInfoLight tty = 16;
// Time the process was started
optional google.protobuf.Timestamp start_time = 17;
}
// Light variant of ProcessInfo message to help minimize on-disk/on-wire sizes
message ProcessInfoLight {
// Process ID of the process
optional ProcessID id = 1;
// Process ID of the parent process
optional ProcessID parent_id = 2;
// Original parent ID, remains stable in the event a process is reparented
optional int32 original_parent_pid = 3;
// Process group id the process belongs to
optional int32 group_id = 4;
// Session id the process belongs to
optional int32 session_id = 5;
// Effective user/group info
optional UserInfo effective_user = 6;
optional GroupInfo effective_group = 7;
// Real user/group info
optional UserInfo real_user = 8;
optional GroupInfo real_group = 9;
// File information for the executable backing this process
optional FileInfoLight executable = 10;
}
// Certificate information
message CertificateInfo {
// Hash of the certificate data
optional Hash hash = 1;
// Common name used in the certificate
optional string common_name = 2;
}
// Information about a process execution event
message Execution {
// The process that executed the new image (e.g. the process that called
// `execve(2)` or `posix_spawn(2)``)
optional ProcessInfoLight instigator = 1;
// Process info for the newly formed execution
optional ProcessInfo target = 2;
// Script file information
// Only valid when a script was executed directly and not as an argument to
// an interpreter (e.g. `./foo.sh`, not `/bin/sh ./foo.sh`)
optional FileInfo script = 3;
// The current working directory of the `target` at exec time
optional FileInfo working_directory = 4;
// List of process arguments
repeated string args = 5;
// List of environment variables
repeated string envs = 6;
// List of file descriptors
repeated FileDescriptor fds = 7;
// Whether or not the list of `fds` is complete or contains partial info
optional bool fd_list_truncated = 8;
// Whether or not the target execution was allowed
enum Decision {
DECISION_UNKNOWN = 0;
DECISION_ALLOW = 1;
DECISION_DENY = 2;
}
optional Decision decision = 9;
// The policy applied when determining the decision
enum Reason {
REASON_UNKNOWN = 0;
REASON_BINARY = 1;
REASON_CERT = 2;
REASON_COMPILER = 3;
REASON_NOT_RUNNING = 4;
REASON_PENDING_TRANSITIVE = 5;
REASON_SCOPE = 6;
REASON_TEAM_ID = 7;
REASON_TRANSITIVE = 8;
REASON_LONG_PATH = 9;
REASON_NOT_RUNNING = 10;
}
optional Reason reason = 10;
// The mode Santa was in when the decision was applied
enum Mode {
MODE_UNKNOWN = 0;
MODE_LOCKDOWN = 1;
MODE_MONITOR = 2;
}
optional Mode mode = 11;
optional Decision decision = 1;
optional Reason reason = 2;
optional string explain = 3;
optional string sha256 = 4;
optional string cert_sha256 = 5;
optional string cert_cn = 6;
optional string quarantine_url = 7;
optional ProcessInfo process_info = 8;
optional Mode mode = 9;
optional string path = 10;
optional string original_path = 11;
repeated string args = 12;
optional string machine_id = 13;
optional string team_id = 14;
// Certificate information for the target executable
optional CertificateInfo certificate_info = 12;
// Additional Santa metadata
optional string explain = 13;
// Information known to LaunchServices about the target executable file
optional string quarantine_url = 14;
// The original path on disk of the target executable
// Applies when executables are translocated
optional string original_path = 15;
}
message DiskAppeared {
optional string mount = 1;
optional string volume = 2;
optional string bsd_name = 3;
optional string fs = 4;
optional string model = 5;
optional string serial = 6;
optional string bus = 7;
optional string dmg_path = 8;
optional string appearance = 9;
// Information about a fork event
message Fork {
// The forking process
optional ProcessInfoLight instigator = 1;
// The newly formed child process
optional ProcessInfoLight child = 2;
}
message DiskDisappeared {
optional string mount = 1;
optional string volume = 2;
optional string bsd_name = 3;
// Information about an exit event
message Exit {
// The process that is exiting
optional ProcessInfoLight instigator = 1;
// Exit status code information
message Exited {
optional int32 exit_status = 1;
}
// Signal code
message Signaled {
optional int32 signal = 1;
}
// Information on how/why the process exited
oneof ExitType {
Exited exited = 2;
Signaled signaled = 3;
Signaled stopped = 4;
}
}
// Information about an open event
message Open {
// The process that is opening the file
optional ProcessInfoLight instigator = 1;
// The file being opened
optional FileInfo target = 2;
// Bitmask of flags used to open the file
// Note: Represents the mask applied by the kernel, not the typical `open(2)`
// flags (e.g. FREAD, FWRITE instead of O_RDONLY, O_RDWR, etc...)
optional int32 flags = 3;
}
// Information about a close event
message Close {
// The process closing the file
optional ProcessInfoLight instigator = 1;
// The file being closed
optional FileInfo target = 2;
// Whether or not the file was written to
optional bool modified = 3;
}
// Information about an exchagedata event
// This event is not applicable to all filesystems (notably APFS)
message Exchangedata {
// The process that is exchanging the data
optional ProcessInfoLight instigator = 1;
// File information for the two files in the exchangedata operation
optional FileInfo file1 = 2;
optional FileInfo file2 = 3;
}
// Information about a rename event
message Rename {
// The process renaming the file
optional ProcessInfoLight instigator = 1;
// The source file being renamed
optional FileInfo source = 2;
// The target path when the rename is complete
optional string target = 3;
// Whether or not the target path previously existed
optional bool target_existed = 4;
}
// Information about an unlink event
message Unlink {
// The process deleting the file
optional ProcessInfoLight instigator = 1;
// The file being deleted
optional FileInfo target = 2;
}
// Information about a link event
message Link {
// The process performing the link
optional ProcessInfoLight instigator = 1;
// The source file being linked
optional FileInfo source = 2;
// The path of the new link
optional string target = 3;
}
// Information about when disks are added or removed
message Disk {
// Whether the disk just appeared or disappeared from the system
enum Action {
ACTION_UNKNOWN = 0;
ACTION_APPEARED = 1;
ACTION_DISAPPEARED = 2;
}
optional Action action = 1;
// Volume path
optional string mount = 2;
// Volume name
optional string volume = 3;
// Media BSD name
optional string bsd_name = 4;
// Kind of volume
optional string fs = 5;
// Device vendor and model information
optional string model = 6;
// Serial number of the device
optional string serial = 7;
// Device protocol
optional string bus = 8;
// Path of the DMG
optional string dmg_path = 9;
// Time device appeared/disappeared
optional google.protobuf.Timestamp appearance = 10;
}
// Information emitted when Santa captures bundle information
message Bundle {
// This is the hash of the file within the bundle that triggered the event
optional string sha256 = 1;
optional Hash file_hash = 1;
// This is the hash of the hashes of all executables in the bundle
optional string bundle_hash = 2;
optional Hash bundle_hash = 2;
// Name of the bundle
optional string bundle_name = 3;
// Bundle identifier
optional string bundle_id = 4;
// Bundle path
optional string bundle_path = 5;
// Path of the file within the bundle that triggered the event
optional string path = 6;
}
message Fork {
optional ProcessInfo process_info = 1;
}
message Exit {
optional ProcessInfo process_info = 1;
}
// Information for a transitive allowlist rule
message Allowlist {
optional int32 pid = 1;
optional int32 pidversion = 2;
optional string path = 3;
optional string sha256 = 4;
// The process that caused the allowlist rule to be generated
optional ProcessInfoLight instigator = 1;
// The file the new allowlist rule applies to
optional FileInfo target = 2;
}
message SantaMessage {
google.protobuf.Timestamp event_time = 1;
// Information about access to a watched path
message FileAccess {
// The process that attempted to access the watched path
optional ProcessInfo instigator = 1;
oneof message {
FileModification file_modification = 2;
Execution execution = 3;
DiskAppeared disk_appeared = 4;
DiskDisappeared disk_disappeared = 5;
Bundle bundle = 6;
Fork fork = 7;
Exit exit = 8;
Allowlist allowlist = 9;
// The path that was accessed
optional FileInfoLight target = 2;
// The version of the policy when the decision was made
optional string policy_version = 3;
// The name of the specific policy that triggered this log
optional string policy_name = 4;
// The event type that attempted to access the watched path
enum AccessType {
ACCESS_TYPE_UNKNOWN = 0;
ACCESS_TYPE_OPEN = 1;
ACCESS_TYPE_RENAME = 2;
ACCESS_TYPE_UNLINK = 3;
ACCESS_TYPE_LINK = 4;
ACCESS_TYPE_CLONE = 5;
ACCESS_TYPE_EXCHANGEDATA = 6;
ACCESS_TYPE_COPYFILE = 7;
ACCESS_TYPE_CREATE = 8;
ACCESS_TYPE_TRUNCATE = 9;
}
optional AccessType access_type = 5;
// Whether the operation was allowed or denied and why
enum PolicyDecision {
POLICY_DECISION_UNKNOWN = 0;
POLICY_DECISION_DENIED = 1;
POLICY_DECISION_DENIED_INVALID_SIGNATURE = 2;
POLICY_DECISION_ALLOWED_AUDIT_ONLY = 3;
}
optional PolicyDecision policy_decision = 6;
}
// A message encapsulating a single event
message SantaMessage {
// Machine ID of the host emitting this log
// Only valid when EnableMachineIDDecoration configuration option is set
optional string machine_id = 1;
// Timestamp when the event occurred
optional google.protobuf.Timestamp event_time = 2;
// Timestamp when Santa finished processing the event
optional google.protobuf.Timestamp processed_time = 3;
// Event type being described by this message
oneof event {
Execution execution = 10;
Fork fork = 11;
Exit exit = 12;
Close close = 13;
Rename rename = 14;
Unlink unlink = 15;
Link link = 16;
Exchangedata exchangedata = 17;
Disk disk = 18;
Bundle bundle = 19;
Allowlist allowlist = 20;
FileAccess file_access = 21;
};
}
message SantaMessageBatch {
repeated SantaMessage messages = 1;
}
message LogBatch {
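Review bot: in `Execution.Reason`, `REASON_NOT_RUNNING` appears with two tag numbers (`= 4` and `= 10`); with the diff markers stripped it is not possible to tell which side is old, but if the enum was renumbered, the retired numbers should be declared `reserved` (and the old names kept out of reuse) so previously written logs do not decode to a different reason. The same applies to the removed `FileModification`, `DiskAppeared`, `DiskDisappeared` fields and the old `SantaMessage` tags 2..9, which should be `reserved` in the new `SantaMessage`. Two more points: `Execution.envs` logs the full environment of every exec, which routinely contains credentials and tokens, so document in the field comment when it is populated and whether redaction is applied; and the trailing `};` after the `oneof event` block is a stray empty statement (valid protobuf, but inconsistent with the rest of the file).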

View File

@@ -0,0 +1,20 @@
/// Copyright 2022 Google LLC
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// https://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
#ifndef SANTA__COMMON_SANTA_PROTO_INCLUDE_WRAPPER_H
#define SANTA__COMMON_SANTA_PROTO_INCLUDE_WRAPPER_H
#include "Source/common/santa.pb.h"
#endif
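Review bot: the include guard `SANTA__COMMON_SANTA_PROTO_INCLUDE_WRAPPER_H` uses a single underscore after `COMMON`, while the other new headers in this change use `SANTA__COMMON__...`; align it for consistency. A short comment explaining why the wrapper exists (keeping generated-proto warnings or include paths out of every consumer) would also be useful.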

View File

@@ -85,7 +85,7 @@ macos_application(
"//conditions:default": None,
}),
infoplists = ["Info.plist"],
minimum_os_version = "10.15",
minimum_os_version = "11.0",
provisioning_profile = select({
"//:adhoc_build": None,
"//conditions:default": "//profiles:santa_dev",
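Review bot: raising `minimum_os_version` to "11.0" here (and in the other BUILD targets in this change) should be accompanied by an update to any `LSMinimumSystemVersion` in the referenced `Info.plist` and to the user-facing requirements documentation, otherwise the package will install on 10.15 hosts where the binaries will fail to launch.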

View File

@@ -92,10 +92,16 @@ static NSString *const silencedNotificationsKey = @"SilencedNotifications";
}
- (void)queueMessage:(SNTMessageWindowController *)pendingMsg {
NSString *messageHash = [pendingMsg messageHash];
// Post a distributed notification, regardless of queue state.
[self postDistributedNotification:pendingMsg];
// If GUI is in silent mode or if there's already a notification queued for
// this message, don't do anything else.
if ([SNTConfigurator configurator].enableSilentMode) return;
if ([self notificationAlreadyQueued:pendingMsg]) return;
// See if this message is silenced.
// See if this message has been user-silenced.
NSString *messageHash = [pendingMsg messageHash];
NSUserDefaults *ud = [NSUserDefaults standardUserDefaults];
NSDate *silenceDate = [ud objectForKey:silencedNotificationsKey][messageHash];
if ([silenceDate isKindOfClass:[NSDate class]]) {
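Review bot: moving `[self postDistributedNotification:pendingMsg]` ahead of the `enableSilentMode` early return is a behaviour change: silent mode previously suppressed everything (the check sat at the top of `postBlockNotification:`), and now it only suppresses the window while distributed notifications still go out. If that is intended, say so in the `EnableSilentMode` configuration documentation so operators who rely on silent mode to keep block events off the notification bus are not surprised. Also, `messageHash` is now computed after the early returns, so the duplicate-queued check runs before it; confirm `notificationAlreadyQueued:` does not itself depend on it.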
@@ -114,7 +120,6 @@ static NSString *const silencedNotificationsKey = @"SilencedNotifications";
pendingMsg.delegate = self;
[self.pendingNotifications addObject:pendingMsg];
[self postDistributedNotification:pendingMsg];
if (!self.currentWindowController) {
[self showQueuedWindow];
@@ -315,8 +320,6 @@ static NSString *const silencedNotificationsKey = @"SilencedNotifications";
}
- (void)postBlockNotification:(SNTStoredEvent *)event withCustomMessage:(NSString *)message {
if ([SNTConfigurator configurator].enableSilentMode) return;
if (!event) {
LOGI(@"Error: Missing event object in message received from daemon!");
return;
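Review bot: with the `enableSilentMode` check removed here and in `postUSBBlockNotification:`, the only remaining silent-mode gate is inside `queueMessage:`; any future code path that presents a `SNTMessageWindowController` without going through `queueMessage:` will bypass silent mode. A comment at this call site pointing to `queueMessage:` as the single enforcement point would help keep it that way.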
@@ -329,8 +332,6 @@ static NSString *const silencedNotificationsKey = @"SilencedNotifications";
}
- (void)postUSBBlockNotification:(SNTDeviceEvent *)event withCustomMessage:(NSString *)message {
if ([SNTConfigurator configurator].enableSilentMode) return;
if (!event) {
LOGI(@"Error: Missing event object in message received from daemon!");
return;

View File

@@ -12,8 +12,6 @@
/// See the License for the specific language governing permissions and
/// limitations under the License.
// #import <MOLCertificate/MOLCertificate.h>
// #import <MOLCodesignChecker/MOLCodesignChecker.h>
#import <OCMock/OCMock.h>
#import <XCTest/XCTest.h>

View File

@@ -62,28 +62,24 @@ int main(int argc, const char *argv[]) {
sysxOperation = @(2);
}
if (sysxOperation) {
if (@available(macOS 10.15, *)) {
NSString *e = [SNTXPCControlInterface systemExtensionID];
dispatch_queue_t q = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0);
OSSystemExtensionRequest *req;
if (sysxOperation.intValue == 1) {
NSLog(@"Requesting SystemExtension activation");
req = [OSSystemExtensionRequest activationRequestForExtension:e queue:q];
} else if (sysxOperation.intValue == 2) {
NSLog(@"Requesting SystemExtension deactivation");
req = [OSSystemExtensionRequest deactivationRequestForExtension:e queue:q];
}
if (req) {
SNTSystemExtensionDelegate *ed = [[SNTSystemExtensionDelegate alloc] init];
req.delegate = ed;
[[OSSystemExtensionManager sharedManager] submitRequest:req];
dispatch_after(dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 60), q, ^{
exit(1);
});
[[NSRunLoop mainRunLoop] run];
}
} else {
exit(1);
NSString *e = [SNTXPCControlInterface systemExtensionID];
dispatch_queue_t q = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0);
OSSystemExtensionRequest *req;
if (sysxOperation.intValue == 1) {
NSLog(@"Requesting SystemExtension activation");
req = [OSSystemExtensionRequest activationRequestForExtension:e queue:q];
} else if (sysxOperation.intValue == 2) {
NSLog(@"Requesting SystemExtension deactivation");
req = [OSSystemExtensionRequest deactivationRequestForExtension:e queue:q];
}
if (req) {
SNTSystemExtensionDelegate *ed = [[SNTSystemExtensionDelegate alloc] init];
req.delegate = ed;
[[OSSystemExtensionManager sharedManager] submitRequest:req];
dispatch_after(dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 60), q, ^{
exit(1);
});
[[NSRunLoop mainRunLoop] run];
}
}
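Review bot: dropping the `@available(macOS 10.15, *)` wrapper also drops the only `exit(1)` on the failure path; now, if `sysxOperation` is neither 1 nor 2, `req` stays nil, the `if (req)` block is skipped and the process continues as though nothing was asked of it. Add an `else` that logs the unrecognised operation and exits non-zero so installers scripting `santa --load-system-extension`-style invocations get a reliable status code. The 60-second `dispatch_after` timeout that exits with 1 is a good safeguard; consider logging before exiting so the timeout is distinguishable from a delegate failure.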

View File

@@ -34,7 +34,7 @@ macos_command_line_application(
"--options library,kill,runtime",
],
infoplists = ["Info.plist"],
minimum_os_version = "10.15",
minimum_os_version = "11.0",
provisioning_profile = select({
"//:adhoc_build": None,
"//conditions:default": "//profiles:santa_dev",

View File

@@ -7,13 +7,36 @@ package(
default_visibility = ["//:santa_package_group"],
)
objc_library(
name = "santactl_cmd",
srcs = [
"SNTCommand.m",
"SNTCommandController.m",
],
hdrs = [
"SNTCommand.h",
"SNTCommandController.h",
],
deps = [
"//Source/common:SNTXPCControlInterface",
"@MOLXPCConnection",
],
)
objc_library(
name = "SNTCommandPrintLog",
srcs = ["Commands/SNTCommandPrintLog.mm"],
deps = [
":santactl_cmd",
"//Source/common:SNTLogging",
"//Source/common:santa_cc_proto_library_wrapper",
"//Source/santad/Logs/EndpointSecurity/Writers/FSSpool:binaryproto_cc_proto_library_wrapper",
],
)
objc_library(
name = "santactl_lib",
srcs = [
"SNTCommand.h",
"SNTCommand.m",
"SNTCommandController.h",
"SNTCommandController.m",
"main.m",
"Commands/SNTCommandFileInfo.m",
"Commands/SNTCommandRule.m",
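Review bot: `SNTCommandPrintLog` depends on `//Source/santad/Logs/EndpointSecurity/Writers/FSSpool:binaryproto_cc_proto_library_wrapper`, which makes the santactl binary depend on a santad-internal target; if the on-disk spool format is meant to be a shared contract, that proto wrapper belongs under `//Source/common` next to `santa_cc_proto_library_wrapper`. Also confirm that `SNTCommand.h`/`SNTCommandController.h` are no longer listed in `santactl_lib`'s `srcs` now that `santactl_cmd` exports them via `hdrs`, otherwise they are compiled into both targets.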
@@ -33,8 +56,9 @@ objc_library(
sdk_dylibs = ["libz"],
sdk_frameworks = ["IOKit"],
deps = [
":SNTCommandPrintLog",
":santactl_cmd",
"//Source/common:SNTCachedDecision",
"//Source/common:SNTCommon",
"//Source/common:SNTCommonEnums",
"//Source/common:SNTConfigurator",
"//Source/common:SNTDropRootPrivs",
@@ -66,7 +90,7 @@ macos_command_line_application(
"--options library,kill,runtime",
],
infoplists = ["Info.plist"],
minimum_os_version = "10.15",
minimum_os_version = "11.0",
provisioning_profile = select({
"//:adhoc_build": None,
"//conditions:default": "//profiles:santa_dev",

View File

@@ -49,30 +49,30 @@ REGISTER_COMMAND_NAME(@"checkcache")
}
- (void)runWithArguments:(NSArray *)arguments {
santa_vnode_id_t vnodeID = [self vnodeIDForFile:arguments.firstObject];
SantaVnode vnodeID = [self vnodeIDForFile:arguments.firstObject];
[[self.daemonConn remoteObjectProxy]
checkCacheForVnodeID:vnodeID
withReply:^(santa_action_t action) {
if (action == ACTION_RESPOND_ALLOW) {
withReply:^(SNTAction action) {
if (action == SNTActionRespondAllow) {
LOGI(@"File exists in [allowlist] kernel cache");
exit(0);
} else if (action == ACTION_RESPOND_DENY) {
} else if (action == SNTActionRespondDeny) {
LOGI(@"File exists in [blocklist] kernel cache");
exit(0);
} else if (action == ACTION_RESPOND_ALLOW_COMPILER) {
} else if (action == SNTActionRespondAllowCompiler) {
LOGI(@"File exists in [allowlist compiler] kernel cache");
exit(0);
} else if (action == ACTION_UNSET) {
} else if (action == SNTActionUnset) {
LOGE(@"File does not exist in cache");
exit(1);
}
}];
}
- (santa_vnode_id_t)vnodeIDForFile:(NSString *)path {
- (SantaVnode)vnodeIDForFile:(NSString *)path {
struct stat fstat = {};
stat(path.fileSystemRepresentation, &fstat);
santa_vnode_id_t ret = {.fsid = fstat.st_dev, .fileid = fstat.st_ino};
SantaVnode ret = {.fsid = fstat.st_dev, .fileid = fstat.st_ino};
return ret;
}
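Review bot: in vnodeIDForFile: the return value of stat() is ignored, so a missing or unreadable path yields a zeroed SantaVnode ({.fsid = 0, .fileid = 0}) and the command then reports "File does not exist in cache" for a file it never actually looked up; check the result and fail with LOGE plus exit(1) on error. Separately, the reply block only exits for the four listed SNTAction values, so any other action leaves the run loop waiting indefinitely; add a final else branch that logs the unexpected value and exits non-zero.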

View File

@@ -68,14 +68,34 @@ REGISTER_COMMAND_NAME(@"metrics")
for (NSString *fieldName in metric[@"fields"]) {
for (NSDictionary *field in metric[@"fields"][fieldName]) {
const char *fieldNameStr = [fieldName cStringUsingEncoding:NSUTF8StringEncoding];
const char *fieldValueStr = [field[@"value"] cStringUsingEncoding:NSUTF8StringEncoding];
const char *createdStr = [field[@"created"] UTF8String];
const char *lastUpdatedStr = [field[@"last_updated"] UTF8String];
const char *data = [[NSString stringWithFormat:@"%@", field[@"data"]] UTF8String];
if (strlen(fieldNameStr) > 0) {
printf(" %-25s | %s=%s\n", "Field", fieldNameStr, fieldValueStr);
NSArray<NSString *> *fields = [fieldName componentsSeparatedByString:@","];
NSArray<NSString *> *fieldValues = [field[@"value"] componentsSeparatedByString:@","];
if (fields.count != fieldValues.count) {
fprintf(stderr, "metric %s has a different number of field names and field values",
[fieldName UTF8String]);
continue;
}
NSString *fieldDisplayString = @"";
if (fields.count >= 1 && fields[0].length) {
for (int i = 0; i < fields.count; i++) {
fieldDisplayString = [fieldDisplayString
stringByAppendingString:[NSString
stringWithFormat:@"%@=%@", fields[i], fieldValues[i]]];
if (i < fields.count - 1) {
fieldDisplayString = [fieldDisplayString stringByAppendingString:@","];
}
}
}
if (![fieldDisplayString isEqualToString:@""]) {
printf(" %-25s | %s\n", "Field", [fieldDisplayString UTF8String]);
}
printf(" %-25s | %s\n", "Created", createdStr);
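Review bot: the fprintf(stderr, ...) in this hunk has no trailing "\n", so the mismatch warning runs into the next line of output. Also, componentsSeparatedByString: on an empty string returns a one-element array containing @"", so the `fields.count >= 1` guard is always true and only the `fields[0].length` check does any work. The name=value concatenation loop would be simpler and avoid the manual trailing-comma bookkeeping if the pairs were collected into an NSMutableArray and joined with componentsJoinedByString:@",".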

View File

@@ -0,0 +1,131 @@
/// Copyright 2022 Google LLC
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// https://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
#import <Foundation/Foundation.h>
#include <google/protobuf/util/json_util.h>
#include <stdlib.h>
#include <iostream>
#include <string>
#include "Source/common/SNTLogging.h"
#include "Source/common/santa_proto_include_wrapper.h"
#import "Source/santactl/SNTCommand.h"
#import "Source/santactl/SNTCommandController.h"
#include "Source/santad/Logs/EndpointSecurity/Writers/FSSpool/binaryproto_proto_include_wrapper.h"
#include "google/protobuf/any.pb.h"
using google::protobuf::util::JsonPrintOptions;
using google::protobuf::util::MessageToJsonString;
using santa::fsspool::binaryproto::LogBatch;
namespace pbv1 = ::santa::pb::v1;
@interface SNTCommandPrintLog : SNTCommand <SNTCommandProtocol>
@end
@implementation SNTCommandPrintLog
REGISTER_COMMAND_NAME(@"printlog")
+ (BOOL)requiresRoot {
return NO;
}
+ (BOOL)requiresDaemonConn {
return NO;
}
+ (NSString *)shortHelpText {
return @"Prints the contents of Santa protobuf log files as JSON.";
}
+ (NSString *)longHelpText {
return @"Prints the contents of serialized Santa protobuf logs as JSON.\n"
@"Multiple paths can be provided. The output is a list of all the \n"
@"SantaMessage entries per-file. E.g.: \n"
@" [\n"
@" [\n"
@" ... file 1 contents ...\n"
@" ],\n"
@" [\n"
@" ... file N contents ...\n"
@" ]\n"
@" ]";
}
- (void)runWithArguments:(NSArray *)arguments {
JsonPrintOptions options;
options.always_print_enums_as_ints = false;
options.always_print_primitive_fields = true;
options.preserve_proto_field_names = true;
options.add_whitespace = true;
for (int argIdx = 0; argIdx < [arguments count]; argIdx++) {
NSString *path = arguments[argIdx];
int fd = open([path UTF8String], O_RDONLY);
if (fd == -1) {
LOGE(@"Failed to open '%@': errno: %d: %s", path, errno, strerror(errno));
continue;
}
LogBatch logBatch;
bool ret = logBatch.ParseFromFileDescriptor(fd);
close(fd);
if (!ret) {
LOGE(@"Failed to parse '%@'", path);
continue;
}
if (argIdx != 0) {
std::cout << ",";
} else {
// Print the opening outer JSON array
std::cout << "[";
}
std::cout << "\n[\n";
int numRecords = logBatch.records_size();
for (int i = 0; i < numRecords; i++) {
const google::protobuf::Any &any = logBatch.records(i);
::pbv1::SantaMessage santaMsg;
if (!any.UnpackTo(&santaMsg)) {
LOGE(@"Failed to unpack Any proto to SantaMessage in file '%@'", path);
break;
}
if (i != 0) {
std::cout << ",\n";
}
std::string json;
if (!MessageToJsonString(santaMsg, &json, options).ok()) {
LOGE(@"Unable to convert message to JSON in file: '%@'", path);
}
std::cout << json;
}
std::cout << "]" << std::flush;
if (argIdx == ([arguments count] - 1)) {
// Print the closing outer JSON array
std::cout << "]\n";
}
}
exit(EXIT_SUCCESS);
}
@end
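Review bot: the outer JSON array brackets in runWithArguments: are keyed on argIdx == 0 and argIdx == last, but both `continue` statements for open and parse failures run before those checks, so a bad first path leaves the opening "[" unprinted and a bad last path leaves the closing "]" unprinted, producing invalid JSON; print the outer brackets outside the loop and track "first batch printed" state separately from the argument index. Likewise, when MessageToJsonString fails the "," separator has already been written and an empty string is emitted in its place, which also breaks the JSON; buffer each message and decide whether to print it (and its separator) only after conversion succeeds. Consider also exiting with a non-zero status when any file failed, rather than EXIT_SUCCESS unconditionally.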

View File

@@ -158,6 +158,26 @@ REGISTER_COMMAND_NAME(@"status")
dispatch_group_leave(group);
}];
__block BOOL watchItemsEnabled = NO;
__block uint64_t watchItemsRuleCount = 0;
__block NSString *watchItemsPolicyVersion = nil;
__block NSString *watchItemsConfigPath = nil;
__block NSTimeInterval watchItemsLastUpdateEpoch = 0;
dispatch_group_enter(group);
[[self.daemonConn remoteObjectProxy]
watchItemsState:^(BOOL enabled, uint64_t ruleCount, NSString *policyVersion,
NSString *configPath, NSTimeInterval lastUpdateEpoch) {
watchItemsEnabled = enabled;
if (enabled) {
watchItemsRuleCount = ruleCount;
watchItemsPolicyVersion = policyVersion;
watchItemsConfigPath = configPath;
watchItemsLastUpdateEpoch = lastUpdateEpoch;
}
dispatch_group_leave(group);
}];
// Wait a maximum of 5s for stats collected from daemon to arrive.
if (dispatch_group_wait(group, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 5))) {
fprintf(stderr, "Failed to retrieve some stats from daemon\n\n");
@@ -170,6 +190,10 @@ REGISTER_COMMAND_NAME(@"status")
NSString *ruleSyncLastSuccessStr =
[dateFormatter stringFromDate:ruleSyncLastSuccess] ?: fullSyncLastSuccessStr;
NSString *watchItemsLastUpdateStr =
[dateFormatter stringFromDate:[NSDate dateWithTimeIntervalSince1970:watchItemsLastUpdateEpoch]]
?: @"Never";
NSString *syncURLStr = configurator.syncBaseURL.absoluteString;
BOOL exportMetrics = configurator.exportMetrics;
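Review bot: the `?: @"Never"` fallback for watchItemsLastUpdateStr can never fire: dateWithTimeIntervalSince1970: always returns a date (epoch 0 becomes 1970-01-01) and stringFromDate: on a non-nil date returns a string, so a daemon reporting lastUpdateEpoch == 0 will display the Unix epoch rather than "Never"; test watchItemsLastUpdateEpoch > 0 before formatting.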
@@ -212,6 +236,22 @@ REGISTER_COMMAND_NAME(@"status")
},
} mutableCopy];
NSDictionary *watchItems;
if (watchItemsEnabled) {
watchItems = @{
@"enabled" : @(watchItemsEnabled),
@"rule_count" : @(watchItemsRuleCount),
@"policy_version" : watchItemsPolicyVersion,
@"config_path" : watchItemsConfigPath,
@"last_policy_update" : watchItemsLastUpdateStr ?: @"null",
};
} else {
watchItems = @{
@"enabled" : @(watchItemsEnabled),
};
}
stats[@"watch_items"] = watchItems;
stats[@"cache"] = @{
@"root_cache_count" : @(rootCacheCount),
@"non_root_cache_count" : @(nonRootCacheCount),
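Review bot: the dictionary literal in the watchItemsEnabled branch will raise NSInvalidArgumentException if watchItemsPolicyVersion or watchItemsConfigPath is nil, since a nil value in an @{} literal is a runtime error, and the XPC reply declares both as plain NSString * that the daemon may send as nil; apply the same `?: @"null"` guard used for last_policy_update to policy_version and config_path.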
@@ -251,6 +291,15 @@ REGISTER_COMMAND_NAME(@"status")
printf(" %-25s | %lld\n", "Rules", staticRuleCount);
}
printf(">>> Watch Items\n");
printf(" %-25s | %s\n", "Enabled", (watchItemsEnabled ? "Yes" : "No"));
if (watchItemsEnabled) {
printf(" %-25s | %s\n", "Policy Version", watchItemsPolicyVersion.UTF8String);
printf(" %-25s | %llu\n", "Rule Count", watchItemsRuleCount);
printf(" %-25s | %s\n", "Config Path", watchItemsConfigPath.UTF8String);
printf(" %-25s | %s\n", "Last Policy Update", watchItemsLastUpdateStr.UTF8String);
}
if (syncURLStr) {
printf(">>> Sync Info\n");
printf(" %-25s | %s\n", "Sync Server", [syncURLStr UTF8String]);
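Review bot: watchItemsPolicyVersion.UTF8String and watchItemsConfigPath.UTF8String evaluate to NULL when the string is nil, and passing NULL to printf's %s is undefined behaviour; fall back to a literal such as "(null)" when the value is nil (or guarantee non-nil values before this block).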

View File

@@ -15,7 +15,6 @@
#import <Foundation/Foundation.h>
#import <MOLXPCConnection/MOLXPCConnection.h>
#import "Source/common/SNTCommon.h"
#import "Source/common/SNTCommonEnums.h"
#import "Source/common/SNTConfigurator.h"
#import "Source/common/SNTFileInfo.h"

View File

@@ -38,18 +38,18 @@
"type" : 9,
"description" : "Count of process exec events on the host",
"fields" : {
"rule_type" : [
"rule_type,client" : [
{
"created" : "2021-09-16T21:07:34.826Z",
"last_updated" : "2021-09-16T21:07:34.826Z",
"value" : "binary",
"data" : 1
"value" : "certificate,authorizer",
"data" : 2
},
{
"created" : "2021-09-16T21:07:34.826Z",
"last_updated" : "2021-09-16T21:07:34.826Z",
"value" : "certificate",
"data" : 2
"value" : "binary,authorizer",
"data" : 1
}
]
}

View File

@@ -30,14 +30,14 @@
Metric Name | /santa/events
Description | Count of process exec events on the host
Type | SNTMetricTypeCounter
Field | rule_type=binary
Created | 2021-09-16T21:07:34.826Z
Last Updated | 2021-09-16T21:07:34.826Z
Data | 1
Field | rule_type=certificate
Field | rule_type=certificate,client=authorizer
Created | 2021-09-16T21:07:34.826Z
Last Updated | 2021-09-16T21:07:34.826Z
Data | 2
Field | rule_type=binary,client=authorizer
Created | 2021-09-16T21:07:34.826Z
Last Updated | 2021-09-16T21:07:34.826Z
Data | 1
Metric Name | /santa/using_endpoint_security_framework
Description | Is santad using the endpoint security framework

View File

@@ -23,6 +23,7 @@ objc_library(
hdrs = ["DataLayer/SNTRuleTable.h"],
deps = [
":SNTDatabaseTable",
"//Source/common:Platform",
"//Source/common:SNTCachedDecision",
"//Source/common:SNTCommonEnums",
"//Source/common:SNTConfigurator",
@@ -34,6 +35,37 @@ objc_library(
],
)
objc_library(
name = "WatchItemPolicy",
hdrs = ["DataLayer/WatchItemPolicy.h"],
)
objc_library(
name = "WatchItems",
srcs = ["DataLayer/WatchItems.mm"],
hdrs = ["DataLayer/WatchItems.h"],
deps = [
":SNTEndpointSecurityEventHandler",
":WatchItemPolicy",
"//Source/common:PrefixTree",
"//Source/common:SNTLogging",
"//Source/common:Unit",
],
)
santa_unit_test(
name = "WatchItemsTest",
srcs = ["DataLayer/WatchItemsTest.mm"],
deps = [
":WatchItemPolicy",
":WatchItems",
"//Source/common:PrefixTree",
"//Source/common:TestUtils",
"//Source/common:Unit",
"@OCMock",
],
)
objc_library(
name = "SNTEventTable",
srcs = ["DataLayer/SNTEventTable.m"],
@@ -62,19 +94,21 @@ objc_library(
hdrs = ["EventProviders/SNTEndpointSecurityEventHandler.h"],
deps = [
":EndpointSecurityMessage",
"//Source/common:SNTCommon",
":Metrics",
":WatchItemPolicy",
],
)
objc_library(
name = "SNTApplicationCoreMetrics",
srcs = ["SNTApplicationCoreMetrics.m"],
srcs = ["SNTApplicationCoreMetrics.mm"],
hdrs = ["SNTApplicationCoreMetrics.h"],
deps = [
"//Source/common:SNTCommonEnums",
"//Source/common:SNTConfigurator",
"//Source/common:SNTMetricSet",
"//Source/common:SNTSystemInfo",
"//Source/common:SystemResources",
],
)
@@ -117,7 +151,6 @@ objc_library(
":SNTDecisionCache",
":SNTRuleTable",
"//Source/common:SNTCachedDecision",
"//Source/common:SNTCommon",
"//Source/common:SNTCommonEnums",
"//Source/common:SNTFileInfo",
"//Source/common:SNTLogging",
@@ -160,7 +193,6 @@ objc_library(
hdrs = ["SNTPolicyProcessor.h"],
deps = [
"//Source/common:SNTCachedDecision",
"//Source/common:SNTCommon",
"//Source/common:SNTCommonEnums",
"//Source/common:SNTConfigurator",
"//Source/common:SNTFileInfo",
@@ -185,9 +217,9 @@ objc_library(
":SNTPolicyProcessor",
":SNTRuleTable",
":SNTSyncdQueue",
"//Source/common:BranchPrediction",
"//Source/common:SNTBlockMessage",
"//Source/common:SNTCachedDecision",
"//Source/common:SNTCommon",
"//Source/common:SNTCommonEnums",
"//Source/common:SNTConfigurator",
"//Source/common:SNTDropRootPrivs",
@@ -196,6 +228,7 @@ objc_library(
"//Source/common:SNTMetricSet",
"//Source/common:SNTRule",
"//Source/common:SNTStoredEvent",
"//Source/common:SantaVnode",
"@MOLCodesignChecker",
],
)
@@ -208,6 +241,8 @@ objc_library(
":EndpointSecurityClient",
":EndpointSecurityEnrichedTypes",
":EndpointSecurityMessage",
":Metrics",
":WatchItemPolicy",
],
)
@@ -220,10 +255,13 @@ objc_library(
":EndpointSecurityClient",
":EndpointSecurityEnrichedTypes",
":EndpointSecurityMessage",
":Metrics",
":SNTEndpointSecurityClientBase",
"//Source/common:SNTCommon",
":WatchItemPolicy",
"//Source/common:BranchPrediction",
"//Source/common:SNTConfigurator",
"//Source/common:SNTLogging",
"//Source/common:SystemResources",
],
)
@@ -238,11 +276,13 @@ objc_library(
":EndpointSecurityEnricher",
":EndpointSecurityLogger",
":EndpointSecurityMessage",
":Metrics",
":SNTCompilerController",
":SNTEndpointSecurityClient",
":SNTEndpointSecurityEventHandler",
"//Source/common:PrefixTree",
"//Source/common:SNTLogging",
"//Source/common:SNTPrefixTree",
"//Source/common:Unit",
],
)
@@ -254,8 +294,10 @@ objc_library(
":EndpointSecurityAPI",
":EndpointSecurityLogger",
":EndpointSecurityMessage",
":Metrics",
":SNTEndpointSecurityClient",
":SNTEndpointSecurityEventHandler",
":WatchItemPolicy",
"//Source/common:SNTLogging",
],
)
@@ -270,14 +312,44 @@ objc_library(
":EndpointSecurityEnrichedTypes",
":EndpointSecurityEnricher",
":EndpointSecurityMessage",
":Metrics",
":SNTCompilerController",
":SNTEndpointSecurityClient",
":SNTEndpointSecurityEventHandler",
":SNTExecutionController",
"//Source/common:BranchPrediction",
"//Source/common:SNTCommonEnums",
"//Source/common:SNTLogging",
],
)
objc_library(
name = "SNTEndpointSecurityFileAccessAuthorizer",
srcs = ["EventProviders/SNTEndpointSecurityFileAccessAuthorizer.mm"],
hdrs = ["EventProviders/SNTEndpointSecurityFileAccessAuthorizer.h"],
deps = [
":EndpointSecurityAPI",
":EndpointSecurityEnrichedTypes",
":EndpointSecurityEnricher",
":EndpointSecurityLogger",
":EndpointSecurityMessage",
":Metrics",
":SNTDecisionCache",
":SNTEndpointSecurityClient",
":SNTEndpointSecurityEventHandler",
":WatchItemPolicy",
":WatchItems",
"//Source/common:Platform",
"//Source/common:SNTCommonEnums",
"//Source/common:SNTConfigurator",
"//Source/common:SantaCache",
"//Source/common:SantaVnode",
"//Source/common:SantaVnodeHash",
"@MOLCertificate",
"@MOLCodesignChecker",
],
)
objc_library(
name = "SNTEndpointSecurityDeviceManager",
srcs = ["EventProviders/SNTEndpointSecurityDeviceManager.mm"],
@@ -287,6 +359,7 @@ objc_library(
":EndpointSecurityAPI",
":EndpointSecurityLogger",
":EndpointSecurityMessage",
":Metrics",
":SNTEndpointSecurityClient",
":SNTEndpointSecurityEventHandler",
"//Source/common:SNTDeviceEvent",
@@ -301,9 +374,11 @@ objc_library(
deps = [
":EndpointSecurityAPI",
":EndpointSecurityClient",
"//Source/common:SNTCommon",
"//Source/common:SNTCommonEnums",
"//Source/common:SNTLogging",
"//Source/common:SantaCache",
"//Source/common:SantaVnode",
"//Source/common:SantaVnodeHash",
],
)
@@ -330,6 +405,22 @@ objc_library(
name = "EndpointSecuritySerializer",
srcs = ["Logs/EndpointSecurity/Serializers/Serializer.mm"],
hdrs = ["Logs/EndpointSecurity/Serializers/Serializer.h"],
deps = [
":EndpointSecurityEnrichedTypes",
":EndpointSecurityMessage",
":SNTDecisionCache",
"//Source/common:SNTCommonEnums",
"//Source/common:SNTConfigurator",
],
)
objc_library(
name = "EndpointSecuritySerializerUtilities",
srcs = ["Logs/EndpointSecurity/Serializers/Utilities.mm"],
hdrs = ["Logs/EndpointSecurity/Serializers/Utilities.h"],
sdk_dylibs = [
"bsm",
],
deps = [
":EndpointSecurityEnrichedTypes",
":EndpointSecurityMessage",
@@ -366,6 +457,7 @@ objc_library(
":EndpointSecurityAPI",
":EndpointSecuritySanitizableString",
":EndpointSecuritySerializer",
":EndpointSecuritySerializerUtilities",
":SNTDecisionCache",
"//Source/common:SNTCachedDecision",
"//Source/common:SNTConfigurator",
@@ -374,6 +466,23 @@ objc_library(
],
)
objc_library(
name = "EndpointSecuritySerializerProtobuf",
srcs = ["Logs/EndpointSecurity/Serializers/Protobuf.mm"],
hdrs = ["Logs/EndpointSecurity/Serializers/Protobuf.h"],
deps = [
":EndpointSecurityAPI",
":EndpointSecuritySerializer",
":EndpointSecuritySerializerUtilities",
":SNTDecisionCache",
"//Source/common:SNTCachedDecision",
"//Source/common:SNTConfigurator",
"//Source/common:SNTLogging",
"//Source/common:SNTStoredEvent",
"//Source/common:santa_cc_proto_library_wrapper",
],
)
objc_library(
name = "EndpointSecurityWriter",
hdrs = ["Logs/EndpointSecurity/Writers/Writer.h"],
@@ -394,6 +503,21 @@ objc_library(
hdrs = ["Logs/EndpointSecurity/Writers/File.h"],
deps = [
":EndpointSecurityWriter",
"//Source/common:BranchPrediction",
],
)
objc_library(
name = "EndpointSecurityWriterSpool",
srcs = ["Logs/EndpointSecurity/Writers/Spool.mm"],
hdrs = ["Logs/EndpointSecurity/Writers/Spool.h"],
deps = [
":EndpointSecurityWriter",
"//Source/common:SNTLogging",
"//Source/common:santa_cc_proto_library_wrapper",
"//Source/santad/Logs/EndpointSecurity/Writers/FSSpool:fsspool",
"//Source/santad/Logs/EndpointSecurity/Writers/FSSpool:fsspool_log_batch_writer",
"@com_google_absl//absl/strings",
],
)
@@ -417,9 +541,11 @@ objc_library(
":EndpointSecuritySerializer",
":EndpointSecuritySerializerBasicString",
":EndpointSecuritySerializerEmpty",
":EndpointSecuritySerializerProtobuf",
":EndpointSecurityWriter",
":EndpointSecurityWriterFile",
":EndpointSecurityWriterNull",
":EndpointSecurityWriterSpool",
":EndpointSecurityWriterSyslog",
"//Source/common:SNTCommonEnums",
"//Source/common:SNTLogging",
@@ -436,6 +562,7 @@ objc_library(
hdrs = ["EventProviders/EndpointSecurity/Message.h"],
deps = [
":EndpointSecurityClient",
":WatchItemPolicy",
],
)
@@ -451,6 +578,8 @@ objc_library(
deps = [
":EndpointSecurityClient",
":EndpointSecurityMessage",
":WatchItemPolicy",
"//Source/common:Platform",
],
)
@@ -467,6 +596,7 @@ objc_library(
":SNTPolicyProcessor",
":SNTRuleTable",
":SNTSyncdQueue",
":WatchItems",
"//Source/common:SNTCachedDecision",
"//Source/common:SNTCommonEnums",
"//Source/common:SNTConfigurator",
@@ -508,20 +638,24 @@ objc_library(
":Metrics",
":SNTCompilerController",
":SNTDaemonControlController",
":SNTDecisionCache",
":SNTEndpointSecurityAuthorizer",
":SNTEndpointSecurityDeviceManager",
":SNTEndpointSecurityFileAccessAuthorizer",
":SNTEndpointSecurityRecorder",
":SNTEndpointSecurityTamperResistance",
":SNTExecutionController",
":SNTNotificationQueue",
":SNTSyncdQueue",
":WatchItems",
"//Source/common:PrefixTree",
"//Source/common:SNTCommonEnums",
"//Source/common:SNTConfigurator",
"//Source/common:SNTKVOManager",
"//Source/common:SNTLogging",
"//Source/common:SNTPrefixTree",
"//Source/common:SNTXPCNotifierInterface",
"//Source/common:SNTXPCSyncServiceInterface",
"//Source/common:Unit",
"@MOLXPCConnection",
],
)
@@ -543,10 +677,14 @@ objc_library(
":SNTNotificationQueue",
":SNTRuleTable",
":SNTSyncdQueue",
":WatchItems",
"//Source/common:PrefixTree",
"//Source/common:SNTConfigurator",
"//Source/common:SNTLogging",
"//Source/common:SNTPrefixTree",
"//Source/common:SNTMetricSet",
"//Source/common:SNTXPCControlInterface",
"//Source/common:SNTXPCUnprivilegedControlInterface",
"//Source/common:Unit",
"@MOLXPCConnection",
],
)
@@ -567,7 +705,9 @@ objc_library(
":SantadDeps",
"//Source/common:SNTConfigurator",
"//Source/common:SNTLogging",
"//Source/common:SNTMetricSet",
"//Source/common:SNTXPCControlInterface",
"//Source/common:SystemResources",
],
)
@@ -587,7 +727,7 @@ macos_bundle(
}),
infoplists = ["Info.plist"],
linkopts = ["-execute"],
minimum_os_version = "10.15",
minimum_os_version = "11.0",
provisioning_profile = select({
"//:adhoc_build": None,
"//conditions:default": "//profiles:daemon_dev",
@@ -612,6 +752,18 @@ objc_library(
":EndpointSecurityAPI",
":EndpointSecurityClient",
":EndpointSecurityMessage",
":WatchItemPolicy",
"@com_google_googletest//:gtest",
],
)
objc_library(
name = "MockLogger",
testonly = 1,
hdrs = ["Logs/EndpointSecurity/MockLogger.h"],
deps = [
":EndpointSecurityLogger",
":EndpointSecurityMessage",
"@com_google_googletest//:gtest",
],
)
@@ -648,6 +800,7 @@ santa_unit_test(
"EndpointSecurity",
],
deps = [
"//Source/common:Platform",
"//Source/common:SNTCachedDecision",
"//Source/common:SNTCommonEnums",
"//Source/common:SNTConfigurator",
@@ -666,7 +819,7 @@ santa_unit_test(
data = [
"//Source/santad/testdata:binaryrules_testdata",
],
minimum_os_version = "10.15",
minimum_os_version = "11.0",
sdk_dylibs = [
"bsm",
"EndpointSecurity",
@@ -677,6 +830,7 @@ santa_unit_test(
tags = ["exclusive"],
deps = [
":EndpointSecurityMessage",
":Metrics",
":MockEndpointSecurityAPI",
":SNTDatabaseController",
":SNTEndpointSecurityAuthorizer",
@@ -693,9 +847,9 @@ santa_unit_test(
santa_unit_test(
name = "SNTApplicationCoreMetricsTest",
srcs = [
"SNTApplicationCoreMetricsTest.m",
"SNTApplicationCoreMetricsTest.mm",
],
minimum_os_version = "10.15",
minimum_os_version = "11.0",
deps = [
":SNTApplicationCoreMetrics",
"//Source/common:SNTCommonEnums",
@@ -720,6 +874,19 @@ santa_unit_test(
],
)
santa_unit_test(
name = "EndpointSecuritySerializerUtilitiesTest",
srcs = ["Logs/EndpointSecurity/Serializers/UtilitiesTest.mm"],
deps = [
":EndpointSecurityMessage",
":EndpointSecuritySerializerUtilities",
":MockEndpointSecurityAPI",
"//Source/common:TestUtils",
"@OCMock",
"@com_google_googletest//:gtest",
],
)
santa_unit_test(
name = "EndpointSecuritySerializerBasicStringTest",
srcs = ["Logs/EndpointSecurity/Serializers/BasicStringTest.mm"],
@@ -745,6 +912,31 @@ santa_unit_test(
],
)
santa_unit_test(
name = "EndpointSecuritySerializerProtobufTest",
srcs = ["Logs/EndpointSecurity/Serializers/ProtobufTest.mm"],
data = [
"//Source/santad/testdata:protobuf_json_testdata",
],
deps = [
":EndpointSecurityEnrichedTypes",
":EndpointSecurityEnricher",
":EndpointSecurityMessage",
":EndpointSecuritySerializer",
":EndpointSecuritySerializerProtobuf",
":MockEndpointSecurityAPI",
":SNTDecisionCache",
"//Source/common:SNTCachedDecision",
"//Source/common:SNTCommonEnums",
"//Source/common:SNTConfigurator",
"//Source/common:SNTStoredEvent",
"//Source/common:TestUtils",
"//Source/common:santa_cc_proto_library_wrapper",
"@OCMock",
"@com_google_googletest//:gtest",
],
)
santa_unit_test(
name = "AuthResultCacheTest",
srcs = ["EventProviders/AuthResultCacheTest.mm"],
@@ -754,7 +946,7 @@ santa_unit_test(
deps = [
":AuthResultCache",
":MockEndpointSecurityAPI",
"//Source/common:SNTCommon",
"//Source/common:SantaVnode",
"//Source/common:TestUtils",
"@OCMock",
"@com_google_googletest//:gtest",
@@ -785,6 +977,17 @@ santa_unit_test(
],
)
santa_unit_test(
name = "EndpointSecurityWriterSpoolTest",
srcs = ["Logs/EndpointSecurity/Writers/SpoolTest.mm"],
deps = [
":EndpointSecurityWriterSpool",
"//Source/common:TestUtils",
"//Source/santad/Logs/EndpointSecurity/Writers/FSSpool:fsspool",
"//Source/santad/Logs/EndpointSecurity/Writers/FSSpool:fsspool_log_batch_writer",
],
)
santa_unit_test(
name = "EndpointSecurityLoggerTest",
srcs = ["Logs/EndpointSecurity/LoggerTest.mm"],
@@ -799,9 +1002,11 @@ santa_unit_test(
":EndpointSecuritySerializer",
":EndpointSecuritySerializerBasicString",
":EndpointSecuritySerializerEmpty",
":EndpointSecuritySerializerProtobuf",
":EndpointSecurityWriter",
":EndpointSecurityWriterFile",
":EndpointSecurityWriterNull",
":EndpointSecurityWriterSpool",
":EndpointSecurityWriterSyslog",
":MockEndpointSecurityAPI",
"//Source/common:SNTCommonEnums",
@@ -854,6 +1059,8 @@ santa_unit_test(
srcs = ["MetricsTest.mm"],
deps = [
":Metrics",
"//Source/common:SNTMetricSet",
"//Source/common:TestUtils",
"@OCMock",
],
)
@@ -869,7 +1076,6 @@ santa_unit_test(
":SNTDecisionCache",
":SNTRuleTable",
"//Source/common:SNTCachedDecision",
"//Source/common:SNTCommon",
"//Source/common:SNTCommonEnums",
"//Source/common:SNTRule",
"//Source/common:TestUtils",
@@ -888,8 +1094,10 @@ santa_unit_test(
":EndpointSecurityClient",
":EndpointSecurityEnrichedTypes",
":EndpointSecurityMessage",
":Metrics",
":MockEndpointSecurityAPI",
":SNTEndpointSecurityClient",
":WatchItemPolicy",
"//Source/common:TestUtils",
"@OCMock",
"@com_google_googletest//:gtest",
@@ -912,7 +1120,6 @@ santa_unit_test(
":SNTExecutionController",
":SNTRuleTable",
"//Source/common:SNTCachedDecision",
"//Source/common:SNTCommon",
"//Source/common:SNTCommonEnums",
"//Source/common:SNTConfigurator",
"//Source/common:SNTFileInfo",
@@ -935,16 +1142,44 @@ santa_unit_test(
":AuthResultCache",
":EndpointSecurityClient",
":EndpointSecurityMessage",
":Metrics",
":MockEndpointSecurityAPI",
":SNTCompilerController",
":SNTEndpointSecurityAuthorizer",
":SNTExecutionController",
"//Source/common:SNTCommonEnums",
"//Source/common:TestUtils",
"@OCMock",
"@com_google_googletest//:gtest",
],
)
santa_unit_test(
name = "SNTEndpointSecurityFileAccessAuthorizerTest",
srcs = ["EventProviders/SNTEndpointSecurityFileAccessAuthorizerTest.mm"],
sdk_dylibs = [
"EndpointSecurity",
],
deps = [
":EndpointSecurityLogger",
":EndpointSecurityMessage",
":MockEndpointSecurityAPI",
":MockLogger",
":SNTDecisionCache",
":SNTEndpointSecurityFileAccessAuthorizer",
":WatchItemPolicy",
":WatchItems",
"//Source/common:Platform",
"//Source/common:SNTCachedDecision",
"//Source/common:SNTConfigurator",
"//Source/common:TestUtils",
"@MOLCertificate",
"@MOLCodesignChecker",
"@OCMock",
"@com_google_googletest//:gtest",
],
)
santa_unit_test(
name = "SNTEndpointSecurityTamperResistanceTest",
srcs = ["EventProviders/SNTEndpointSecurityTamperResistanceTest.mm"],
@@ -954,8 +1189,10 @@ santa_unit_test(
deps = [
":EndpointSecurityClient",
":EndpointSecurityMessage",
":Metrics",
":MockEndpointSecurityAPI",
":SNTEndpointSecurityTamperResistance",
":WatchItemPolicy",
"//Source/common:SNTLogging",
"//Source/common:TestUtils",
"@OCMock",
@@ -976,10 +1213,13 @@ santa_unit_test(
":EndpointSecurityEnricher",
":EndpointSecurityLogger",
":EndpointSecurityMessage",
":Metrics",
":MockEndpointSecurityAPI",
":SNTCompilerController",
":SNTEndpointSecurityRecorder",
"//Source/common:PrefixTree",
"//Source/common:TestUtils",
"//Source/common:Unit",
"@OCMock",
"@com_google_googletest//:gtest",
],
@@ -997,6 +1237,7 @@ santa_unit_test(
":DiskArbitrationTestLib",
":EndpointSecurityClient",
":EndpointSecurityMessage",
":Metrics",
":MockEndpointSecurityAPI",
":SNTEndpointSecurityDeviceManager",
"//Source/common:SNTConfigurator",
@@ -1038,7 +1279,10 @@ test_suite(
":EndpointSecuritySanitizableStringTest",
":EndpointSecuritySerializerBasicStringTest",
":EndpointSecuritySerializerEmptyTest",
":EndpointSecuritySerializerProtobufTest",
":EndpointSecuritySerializerUtilitiesTest",
":EndpointSecurityWriterFileTest",
":EndpointSecurityWriterSpoolTest",
":MetricsTest",
":SNTApplicationCoreMetricsTest",
":SNTCompilerControllerTest",
@@ -1046,12 +1290,15 @@ test_suite(
":SNTEndpointSecurityAuthorizerTest",
":SNTEndpointSecurityClientTest",
":SNTEndpointSecurityDeviceManagerTest",
":SNTEndpointSecurityFileAccessAuthorizerTest",
":SNTEndpointSecurityRecorderTest",
":SNTEndpointSecurityTamperResistanceTest",
":SNTEventTableTest",
":SNTExecutionControllerTest",
":SNTRuleTableTest",
":SantadTest",
":WatchItemsTest",
"//Source/santad/Logs/EndpointSecurity/Writers/FSSpool:fsspool_test",
],
visibility = ["//:santa_package_group"],
)

View File

@@ -18,6 +18,7 @@
#import <MOLCertificate/MOLCertificate.h>
#import <MOLCodesignChecker/MOLCodesignChecker.h>
#import "Source/common/Platform.h"
#import "Source/common/SNTCachedDecision.h"
#import "Source/common/SNTConfigurator.h"
#import "Source/common/SNTFileInfo.h"
@@ -36,7 +37,7 @@ static void addPathsFromDefaultMuteSet(NSMutableSet *criticalPaths) API_AVAILABL
// instead we use the following preprocessor macros to conditionally compile these API. The
// drawback here is that if a pre-macOS 12 SDK is used to build Santa and it is then deployed
// on macOS 12 or later, the dynamic mute set will not be computed.
#if defined(MAC_OS_VERSION_12_0) && MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_VERSION_12_0
#if HAVE_MACOS_12
// Create a temporary ES client in order to grab the default set of muted paths.
// TODO(mlw): Reorganize this code so that a temporary ES client doesn't need to be created
es_client_t *client = NULL;
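Review bot: replacing the explicit SDK-version test with `#if HAVE_MACOS_12` means that if Platform.h is ever not included here, or the macro is renamed, the dynamic mute-set code is silently compiled out, because an undefined identifier evaluates to 0 in #if; add an `#ifndef HAVE_MACOS_12` / `#error` check near the top of this file (or in Platform.h) and enable -Wundef so the omission is caught at compile time instead of surfacing as a missing mute set in production.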

View File

@@ -0,0 +1,95 @@
/// Copyright 2022 Google LLC
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// https://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
#ifndef SANTA__SANTAD__DATALAYER_WATCHITEMPOLICY_H
#define SANTA__SANTAD__DATALAYER_WATCHITEMPOLICY_H
#include <Kernel/kern/cs_blobs.h>
#include <string>
#include <string_view>
#include <vector>
namespace santa::santad::data_layer {
enum class WatchItemPathType {
kPrefix,
kLiteral,
};
static constexpr WatchItemPathType kWatchItemPolicyDefaultPathType =
WatchItemPathType::kLiteral;
static constexpr bool kWatchItemPolicyDefaultAllowReadAccess = false;
static constexpr bool kWatchItemPolicyDefaultAuditOnly = true;
struct WatchItemPolicy {
struct Process {
Process(std::string bp, std::string sid, std::string ti,
std::vector<uint8_t> cdh, std::string ch)
: binary_path(bp),
signing_id(sid),
team_id(ti),
cdhash(std::move(cdh)),
certificate_sha256(ch) {}
bool operator==(const Process &other) const {
return binary_path == other.binary_path &&
signing_id == other.signing_id && team_id == other.team_id &&
cdhash == other.cdhash &&
certificate_sha256 == other.certificate_sha256;
}
bool operator!=(const Process &other) const { return !(*this == other); }
std::string binary_path;
std::string signing_id;
std::string team_id;
std::vector<uint8_t> cdhash;
std::string certificate_sha256;
};
WatchItemPolicy(std::string_view n, std::string_view p,
WatchItemPathType pt = kWatchItemPolicyDefaultPathType,
bool ara = kWatchItemPolicyDefaultAllowReadAccess,
bool ao = kWatchItemPolicyDefaultAuditOnly,
std::vector<Process> procs = {})
: name(n),
path(p),
path_type(pt),
allow_read_access(ara),
audit_only(ao),
processes(std::move(procs)) {}
bool operator==(const WatchItemPolicy &other) const {
return name == other.name && path == other.path &&
path_type == other.path_type &&
allow_read_access == other.allow_read_access &&
audit_only == other.audit_only && processes == other.processes;
}
bool operator!=(const WatchItemPolicy &other) const {
return !(*this == other);
}
std::string name;
std::string path;
WatchItemPathType path_type;
bool allow_read_access;
bool audit_only;
std::vector<Process> processes;
};
} // namespace santa::santad::data_layer
#endif
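Review bot: the Process constructor takes bp, sid, ti and ch by value and then copies them into the members (binary_path(bp), signing_id(sid), team_id(ti), certificate_sha256(ch)); use std::move for these as is already done for cdh and procs. Also, <Kernel/kern/cs_blobs.h> is included but nothing in this header uses it; either drop the include or use CS_CDHASH_LEN from it to make cdhash a fixed-size std::array so a cdhash of the wrong length is rejected at the type level rather than silently accepted.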

View File

@@ -0,0 +1,118 @@
/// Copyright 2022 Google LLC
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// https://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
#ifndef SANTA__SANTAD__DATALAYER_WATCHITEMS_H
#define SANTA__SANTAD__DATALAYER_WATCHITEMS_H
#include <CommonCrypto/CommonDigest.h>
#import <Foundation/Foundation.h>
#include <dispatch/dispatch.h>
#include <array>
#include <memory>
#include <optional>
#include <set>
#include <string>
#include <utility>
#include <vector>
#include "Source/common/PrefixTree.h"
#include "Source/santad/DataLayer/WatchItemPolicy.h"
#import "Source/santad/EventProviders/SNTEndpointSecurityEventHandler.h"
extern NSString *const kWatchItemConfigKeyVersion;
extern NSString *const kWatchItemConfigKeyWatchItems;
extern NSString *const kWatchItemConfigKeyPaths;
extern NSString *const kWatchItemConfigKeyPathsPath;
extern NSString *const kWatchItemConfigKeyPathsIsPrefix;
extern NSString *const kWatchItemConfigKeyOptions;
extern NSString *const kWatchItemConfigKeyOptionsAllowReadAccess;
extern NSString *const kWatchItemConfigKeyOptionsAuditOnly;
extern NSString *const kWatchItemConfigKeyProcesses;
extern NSString *const kWatchItemConfigKeyProcessesBinaryPath;
extern NSString *const kWatchItemConfigKeyProcessesCertificateSha256;
extern NSString *const kWatchItemConfigKeyProcessesSigningID;
extern NSString *const kWatchItemConfigKeyProcessesTeamID;
extern NSString *const kWatchItemConfigKeyProcessesCDHash;
// Forward declarations
namespace santa::santad::data_layer {
class WatchItemsPeer;
}
namespace santa::santad::data_layer {
struct WatchItemsState {
uint64_t rule_count;
NSString *policy_version;
NSString *config_path;
NSTimeInterval last_config_load_epoch;
};
class WatchItems : public std::enable_shared_from_this<WatchItems> {
public:
using VersionAndPolicies =
std::pair<std::string, std::vector<std::optional<std::shared_ptr<WatchItemPolicy>>>>;
using WatchItemsTree = santa::common::PrefixTree<std::shared_ptr<WatchItemPolicy>>;
// Factory
static std::shared_ptr<WatchItems> Create(NSString *config_path,
uint64_t reapply_config_frequency_secs);
WatchItems(NSString *config_path_, dispatch_queue_t q, dispatch_source_t timer_source,
void (^periodic_task_complete_f)(void) = nullptr);
~WatchItems();
void BeginPeriodicTask();
void RegisterClient(id<SNTEndpointSecurityDynamicEventHandler> client);
void SetConfigPath(NSString *config_path);
VersionAndPolicies FindPolciesForPaths(const std::vector<std::string_view> &paths);
std::optional<WatchItemsState> State();
friend class santa::santad::data_layer::WatchItemsPeer;
private:
NSDictionary *ReadConfig();
NSDictionary *ReadConfigLocked() ABSL_SHARED_LOCKS_REQUIRED(lock_);
void ReloadConfig(NSDictionary *new_config);
void UpdateCurrentState(std::unique_ptr<WatchItemsTree> new_tree,
std::set<std::pair<std::string, WatchItemPathType>> &&new_monitored_paths,
NSDictionary *new_config);
bool BuildPolicyTree(const std::vector<std::shared_ptr<WatchItemPolicy>> &watch_items,
WatchItemsTree &tree,
std::set<std::pair<std::string, WatchItemPathType>> &paths);
NSString *config_path_;
dispatch_queue_t q_;
dispatch_source_t timer_source_;
void (^periodic_task_complete_f_)(void);
absl::Mutex lock_;
std::unique_ptr<WatchItemsTree> watch_items_ ABSL_GUARDED_BY(lock_);
NSDictionary *current_config_ ABSL_GUARDED_BY(lock_);
NSTimeInterval last_update_time_ ABSL_GUARDED_BY(lock_);
std::set<std::pair<std::string, WatchItemPathType>> currently_monitored_paths_
ABSL_GUARDED_BY(lock_);
std::string policy_version_ ABSL_GUARDED_BY(lock_);
std::set<id<SNTEndpointSecurityDynamicEventHandler>> registerd_clients_ ABSL_GUARDED_BY(lock_);
bool periodic_task_started_ = false;
};
} // namespace santa::santad::data_layer
#endif
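Review bot: the header uses `absl::Mutex`, `ABSL_GUARDED_BY` and `ABSL_SHARED_LOCKS_REQUIRED` but includes neither `absl/synchronization/mutex.h` nor `absl/base/thread_annotations.h`, so it only compiles through whatever `PrefixTree.h` or `SNTEndpointSecurityEventHandler.h` happen to pull in; include them directly. Two identifiers on the public surface are misspelled, `FindPolciesForPaths` and `registerd_clients_`; rename them (`FindPoliciesForPaths`, `registered_clients_`) before callers and tests copy the typo. `periodic_task_started_` is the only member read and written outside `lock_` and has no `ABSL_GUARDED_BY`; either guard it or document that `BeginPeriodicTask` must be called once from the owning thread.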


@@ -0,0 +1,702 @@
/// Copyright 2022 Google LLC
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// https://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
#include "Source/santad/DataLayer/WatchItems.h"
#include <CommonCrypto/CommonDigest.h>
#include <Kernel/kern/cs_blobs.h>
#include <ctype.h>
#include <glob.h>
#include <objc/NSObjCRuntime.h>
#include <sys/syslimits.h>
#include <algorithm>
#include <cstddef>
#include <cstdlib>
#include <iterator>
#include <memory>
#include <optional>
#include <set>
#include <string>
#include <utility>
#include <variant>
#include <vector>
#import "Source/common/PrefixTree.h"
#import "Source/common/SNTLogging.h"
#import "Source/common/Unit.h"
#include "Source/santad/DataLayer/WatchItemPolicy.h"
using santa::common::PrefixTree;
using santa::common::Unit;
using santa::santad::data_layer::WatchItemPathType;
using santa::santad::data_layer::WatchItemPolicy;
NSString *const kWatchItemConfigKeyVersion = @"Version";
NSString *const kWatchItemConfigKeyWatchItems = @"WatchItems";
NSString *const kWatchItemConfigKeyPaths = @"Paths";
NSString *const kWatchItemConfigKeyPathsPath = @"Path";
NSString *const kWatchItemConfigKeyPathsIsPrefix = @"IsPrefix";
NSString *const kWatchItemConfigKeyOptions = @"Options";
NSString *const kWatchItemConfigKeyOptionsAllowReadAccess = @"AllowReadAccess";
NSString *const kWatchItemConfigKeyOptionsAuditOnly = @"AuditOnly";
NSString *const kWatchItemConfigKeyProcesses = @"Processes";
NSString *const kWatchItemConfigKeyProcessesBinaryPath = @"BinaryPath";
NSString *const kWatchItemConfigKeyProcessesCertificateSha256 = @"CertificateSha256";
NSString *const kWatchItemConfigKeyProcessesSigningID = @"SigningID";
NSString *const kWatchItemConfigKeyProcessesTeamID = @"TeamID";
NSString *const kWatchItemConfigKeyProcessesCDHash = @"CDHash";
// https://developer.apple.com/help/account/manage-your-team/locate-your-team-id/
static constexpr NSUInteger kMaxTeamIDLength = 10;
// Semi-arbitrary upper bound.
static constexpr NSUInteger kMaxSigningIDLength = 512;
// Semi-arbitrary minimum allowed reapplication frequency.
// Goal is to prevent a configuration setting that would cause too much
// churn rebuilding glob paths based on the state of the filesystem.
static constexpr uint64_t kMinReapplyConfigFrequencySecs = 15;
namespace santa::santad::data_layer {
// Type aliases
using ValidatorBlock = bool (^)(id, NSError **);
using PathAndTypePair = std::pair<std::string, WatchItemPathType>;
using PathList = std::vector<PathAndTypePair>;
using ProcessList = std::vector<WatchItemPolicy::Process>;
static void PopulateError(NSError **err, NSString *msg) {
if (err) {
*err = [NSError errorWithDomain:@"com.google.santa.watchitems"
code:0
userInfo:@{NSLocalizedDescriptionKey : msg}];
}
}
/// Ensure the given string has the expected length and only
/// contains valid hex digits
bool ConfirmValidHexString(NSString *str, size_t expected_length) {
if (str.length != expected_length) {
return false;
}
for (int i = 0; i < str.length; i++) {
if (!isxdigit([str characterAtIndex:i])) {
return false;
}
}
return true;
}
static std::vector<uint8_t> HexStringToBytes(NSString *str) {
if (!str) {
return std::vector<uint8_t>{};
}
std::vector<uint8_t> bytes;
bytes.reserve(str.length / 2);
char cur_byte[3];
cur_byte[2] = '\0';
for (int i = 0; i < str.length / 2; i++) {
cur_byte[0] = [str characterAtIndex:(i * 2)];
cur_byte[1] = [str characterAtIndex:(i * 2 + 1)];
bytes.push_back(std::strtoul(cur_byte, nullptr, 16));
}
return bytes;
}
// Given a length, returns a ValidatorBlock that confirms the
// string is a valid hex string of the given length.
ValidatorBlock HexValidator(NSUInteger expected_length) {
return ^bool(NSString *val, NSError **err) {
if (!ConfirmValidHexString(val, expected_length)) {
PopulateError(
err, [NSString stringWithFormat:@"Expected hex string of length %lu", expected_length]);
return false;
}
return true;
};
}
// Given a max length, returns a ValidatorBlock that confirms the
// string is a not longer than the max.
ValidatorBlock LenRangeValidator(NSUInteger min_length, NSUInteger max_length) {
return ^bool(NSString *val, NSError **err) {
if (val.length < min_length) {
PopulateError(err, [NSString stringWithFormat:@"Value too short. Got: %lu, Min: %lu",
val.length, min_length]);
return false;
} else if (val.length > max_length) {
PopulateError(err, [NSString stringWithFormat:@"Value too long. Got: %lu, Max: %lu",
val.length, max_length]);
return false;
}
return true;
};
}
/// Ensure the key exists (if required) and the value matches the expected type
bool VerifyConfigKey(NSDictionary *dict, const NSString *key, Class expected, NSError **err,
bool required = false, bool (^Validator)(id, NSError **) = nil) {
if (dict[key]) {
if (![dict[key] isKindOfClass:expected]) {
PopulateError(err, [NSString stringWithFormat:@"Expected type '%@' for key '%@' (got: %@)",
NSStringFromClass(expected), key,
NSStringFromClass([dict[key] class])]);
return false;
}
NSError *validator_err;
if (Validator && !Validator(dict[key], &validator_err)) {
PopulateError(err, [NSString stringWithFormat:@"Invalid content in key '%@': %@", key,
validator_err.localizedDescription]);
return false;
}
} else if (required) {
PopulateError(err, [NSString stringWithFormat:@"Missing required key '%@'", key]);
return false;
}
return true;
}
/// Ensure all values of the array key in the dictionary conform to the
/// expected type. If a Validator block is supplied, each item is also
/// subject to the custom validation method.
bool VerifyConfigKeyArray(NSDictionary *dict, NSString *key, Class expected, NSError **err,
bool (^Validator)(id, NSError **) = nil) {
if (!VerifyConfigKey(dict, key, [NSArray class], err)) {
return false;
}
__block bool success = true;
__block NSError *block_err;
[dict[key] enumerateObjectsUsingBlock:^(id obj, NSUInteger idx, BOOL *stop) {
if (![obj isKindOfClass:expected]) {
success = false;
PopulateError(&block_err,
[NSString stringWithFormat:@"Expected all '%@' types in array key '%@'",
NSStringFromClass(expected), key]);
*stop = YES;
return;
}
NSError *validator_err;
if (Validator && !Validator(obj, &validator_err)) {
PopulateError(&block_err,
[NSString stringWithFormat:@"Invalid content in array key '%@': %@", key,
validator_err.localizedDescription]);
success = false;
*stop = YES;
return;
}
}];
if (!success && block_err) {
PopulateError(err, block_err.localizedDescription);
}
return success;
}
/// The `Paths` array can contain only `string` and `dict` types:
/// - For `string` types, the default path type `kDefaultPathType` is used
/// - For `dict` types, there is a required `Path` key. and an optional
/// `IsPrefix` key to set the path type to something other than the default
///
/// Example:
/// <array>
/// <string>/my/path</string>
/// <dict>
/// <key>Path</key>
/// <string>/another/partial/path</string>
/// <key>IsPrefix</key>
/// <true/>
/// </dict>
/// </array>
std::variant<Unit, PathList> VerifyConfigWatchItemPaths(NSArray<id> *paths, NSError **err) {
PathList path_list;
for (id path in paths) {
if ([path isKindOfClass:[NSDictionary class]]) {
NSDictionary *path_dict = (NSDictionary *)path;
if (!VerifyConfigKey(path_dict, kWatchItemConfigKeyPathsPath, [NSString class], err, true,
LenRangeValidator(1, PATH_MAX))) {
return Unit{};
}
NSString *path_str = path_dict[kWatchItemConfigKeyPathsPath];
WatchItemPathType path_type = kWatchItemPolicyDefaultPathType;
if (VerifyConfigKey(path_dict, kWatchItemConfigKeyPathsIsPrefix, [NSNumber class], err)) {
path_type = ([(NSNumber *)path_dict[kWatchItemConfigKeyPathsIsPrefix] boolValue] == NO
? WatchItemPathType::kLiteral
: WatchItemPathType::kPrefix);
} else {
return Unit{};
}
path_list.push_back({std::string(path_str.UTF8String, path_str.length), path_type});
} else if ([path isKindOfClass:[NSString class]]) {
if (!LenRangeValidator(1, PATH_MAX)(path, err)) {
PopulateError(err, [NSString stringWithFormat:@"Invalid path length: %@",
(err && *err) ? (*err).localizedDescription
: @"Unknown error"]);
return Unit{};
}
path_list.push_back({std::string(((NSString *)path).UTF8String, ((NSString *)path).length),
kWatchItemPolicyDefaultPathType});
} else {
PopulateError(
err, [NSString stringWithFormat:
@"%@ array item with invalid type. Expected 'dict' or 'string' (got: %@)",
kWatchItemConfigKeyPaths, NSStringFromClass([path class])]);
return Unit{};
}
}
if (path_list.size() == 0) {
PopulateError(err, [NSString stringWithFormat:@"No paths specified"]);
return Unit{};
}
return path_list;
}
/// The `Processes` array can only contain dictionaries. Each dictionary can
/// contain the attributes that describe a single process.
///
/// <array>
/// <dict>
/// <key>BinaryPath</key>
/// <string>AAAA</string>
/// <key>TeamID</key>
/// <string>BBBB</string>
/// </dict>
/// <dict>
/// <key>CertificateSha256</key>
/// <string>CCCC</string>
/// <key>CDHash</key>
/// <string>DDDD</string>
/// <key>SigningID</key>
/// <string>EEEE</string>
/// </dict>
/// </array>
std::variant<Unit, ProcessList> VerifyConfigWatchItemProcesses(NSDictionary *watch_item,
NSError **err) {
__block ProcessList proc_list;
if (!VerifyConfigKeyArray(
watch_item, kWatchItemConfigKeyProcesses, [NSDictionary class], err,
^bool(NSDictionary *process, NSError **err) {
if (!VerifyConfigKey(process, kWatchItemConfigKeyProcessesBinaryPath, [NSString class],
err, false, LenRangeValidator(1, PATH_MAX)) ||
!VerifyConfigKey(process, kWatchItemConfigKeyProcessesSigningID, [NSString class],
err, false, LenRangeValidator(1, kMaxSigningIDLength)) ||
!VerifyConfigKey(process, kWatchItemConfigKeyProcessesTeamID, [NSString class], err,
false, LenRangeValidator(kMaxTeamIDLength, kMaxTeamIDLength)) ||
!VerifyConfigKey(process, kWatchItemConfigKeyProcessesCDHash, [NSString class], err,
false, HexValidator(CS_CDHASH_LEN * 2)) ||
!VerifyConfigKey(process, kWatchItemConfigKeyProcessesCertificateSha256,
[NSString class], err, false,
HexValidator(CC_SHA256_DIGEST_LENGTH * 2))) {
PopulateError(err, @"Failed to verify key content");
return false;
}
// Ensure at least one attribute set
if (!process[kWatchItemConfigKeyProcessesBinaryPath] &&
!process[kWatchItemConfigKeyProcessesSigningID] &&
!process[kWatchItemConfigKeyProcessesTeamID] &&
!process[kWatchItemConfigKeyProcessesCDHash] &&
!process[kWatchItemConfigKeyProcessesCertificateSha256]) {
PopulateError(err, @"No valid attributes set in process dictionary");
return false;
}
proc_list.push_back(WatchItemPolicy::Process(
std::string([(process[kWatchItemConfigKeyProcessesBinaryPath] ?: @"") UTF8String]),
std::string([(process[kWatchItemConfigKeyProcessesSigningID] ?: @"") UTF8String]),
std::string([(process[kWatchItemConfigKeyProcessesTeamID] ?: @"") UTF8String]),
HexStringToBytes(process[kWatchItemConfigKeyProcessesCDHash]),
std::string(
[(process[kWatchItemConfigKeyProcessesCertificateSha256] ?: @"") UTF8String])));
return true;
})) {
return Unit{};
}
return proc_list;
}
/// Ensure that a given watch item conforms to expected structure
///
/// Example:
/// <dict>
/// <key>Paths</key>
/// <array>
/// ... See VerifyConfigWatchItemPaths for more details ...
/// </array>
/// <key>Options</key>
/// <dict>
/// <key>AllowReadAccess</key>
/// <false/>
/// <key>AuditOnly</key>
/// <false/>
/// </dict>
/// <key>Processes</key>
/// <array>
/// ... See VerifyConfigWatchItemProcesses for more details ...
/// </array>
/// </dict>
bool ParseConfigSingleWatchItem(NSString *name, NSDictionary *watch_item,
std::vector<std::shared_ptr<WatchItemPolicy>> &policies,
NSError **err) {
if (!VerifyConfigKey(watch_item, kWatchItemConfigKeyPaths, [NSArray class], err, true)) {
return false;
}
std::variant<Unit, PathList> path_list =
VerifyConfigWatchItemPaths(watch_item[kWatchItemConfigKeyPaths], err);
if (std::holds_alternative<Unit>(path_list)) {
return false;
}
if (!VerifyConfigKey(watch_item, kWatchItemConfigKeyOptions, [NSDictionary class], err)) {
return false;
}
NSDictionary *options = watch_item[kWatchItemConfigKeyOptions];
if (options) {
if (!VerifyConfigKey(options, kWatchItemConfigKeyOptionsAllowReadAccess, [NSNumber class],
err)) {
return false;
}
if (!VerifyConfigKey(options, kWatchItemConfigKeyOptionsAuditOnly, [NSNumber class], err)) {
return false;
}
}
bool allow_read_access = options[kWatchItemConfigKeyOptionsAllowReadAccess]
? [options[kWatchItemConfigKeyOptionsAllowReadAccess] boolValue]
: kWatchItemPolicyDefaultAllowReadAccess;
bool audit_only = options[kWatchItemConfigKeyOptionsAuditOnly]
? [options[kWatchItemConfigKeyOptionsAuditOnly] boolValue]
: kWatchItemPolicyDefaultAuditOnly;
std::variant<Unit, ProcessList> proc_list = VerifyConfigWatchItemProcesses(watch_item, err);
if (std::holds_alternative<Unit>(proc_list)) {
return false;
}
for (const PathAndTypePair &path_type_pair : std::get<PathList>(path_list)) {
policies.push_back(std::make_shared<WatchItemPolicy>(
[name UTF8String], path_type_pair.first, path_type_pair.second, allow_read_access, audit_only,
std::get<ProcessList>(proc_list)));
}
return true;
}
bool ParseConfig(NSDictionary *config, std::vector<std::shared_ptr<WatchItemPolicy>> &policies,
NSError **err) {
if (![config[kWatchItemConfigKeyVersion] isKindOfClass:[NSString class]]) {
PopulateError(err, [NSString stringWithFormat:@"Missing top level string key '%@'",
kWatchItemConfigKeyVersion]);
return false;
}
if ([(NSString *)config[kWatchItemConfigKeyVersion] length] == 0) {
PopulateError(err, [NSString stringWithFormat:@"Top level key '%@' has empty value",
kWatchItemConfigKeyVersion]);
return false;
}
if (config[kWatchItemConfigKeyWatchItems] &&
![config[kWatchItemConfigKeyWatchItems] isKindOfClass:[NSDictionary class]]) {
PopulateError(err, [NSString stringWithFormat:@"Top level key '%@' must be a dictionary",
kWatchItemConfigKeyWatchItems]);
return false;
}
NSDictionary *watch_items = config[kWatchItemConfigKeyWatchItems];
for (id key in watch_items) {
if (![key isKindOfClass:[NSString class]]) {
PopulateError(err,
[NSString stringWithFormat:@"Invalid %@ key %@: Expected type '%@' (got: %@)",
kWatchItemConfigKeyWatchItems, key,
NSStringFromClass([NSString class]),
NSStringFromClass([key class])]);
return false;
}
if ([(NSString *)key length] == 0) {
PopulateError(err, [NSString stringWithFormat:@"Invalid %@ key with length zero",
kWatchItemConfigKeyWatchItems]);
return false;
}
if (![watch_items[key] isKindOfClass:[NSDictionary class]]) {
PopulateError(
err,
[NSString stringWithFormat:@"Value type for watch item '%@' must be a dictionary (got %@)",
key, NSStringFromClass([watch_items[key] class])]);
return false;
}
if (!ParseConfigSingleWatchItem(key, watch_items[key], policies, err)) {
PopulateError(err, [NSString stringWithFormat:@"In watch item '%@': %@", key,
(err && *err) ? (*err).localizedDescription
: @"Unknown failure"]);
return false;
}
}
return true;
}
std::shared_ptr<WatchItems> WatchItems::Create(NSString *config_path,
uint64_t reapply_config_frequency_secs) {
if (reapply_config_frequency_secs < kMinReapplyConfigFrequencySecs) {
LOGW(@"Invalid watch item update interval provided: %llu. Min allowed: %llu",
reapply_config_frequency_secs, kMinReapplyConfigFrequencySecs);
return nullptr;
}
dispatch_queue_t q = dispatch_queue_create("com.google.santa.daemon.watch_items.q",
DISPATCH_QUEUE_SERIAL_WITH_AUTORELEASE_POOL);
dispatch_source_t timer_source = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, q);
dispatch_source_set_timer(timer_source, dispatch_time(DISPATCH_TIME_NOW, 0),
NSEC_PER_SEC * reapply_config_frequency_secs, 0);
return std::make_shared<WatchItems>(config_path, q, timer_source);
}
WatchItems::WatchItems(NSString *config_path, dispatch_queue_t q, dispatch_source_t timer_source,
void (^periodic_task_complete_f)(void))
: config_path_(config_path),
q_(q),
timer_source_(timer_source),
periodic_task_complete_f_(periodic_task_complete_f),
watch_items_(std::make_unique<WatchItemsTree>()) {}
WatchItems::~WatchItems() {
if (!periodic_task_started_ && timer_source_ != NULL) {
// The timer_source_ must be resumed to ensure it has a proper retain count before being
// destroyed. Additionally, it should first be cancelled to ensure the timer isn't ever
// fired (see man page for `dispatch_source_cancel(3)`).
dispatch_source_cancel(timer_source_);
dispatch_resume(timer_source_);
}
}
bool WatchItems::BuildPolicyTree(const std::vector<std::shared_ptr<WatchItemPolicy>> &watch_items,
PrefixTree<std::shared_ptr<WatchItemPolicy>> &tree,
std::set<std::pair<std::string, WatchItemPathType>> &paths) {
glob_t *g = (glob_t *)alloca(sizeof(glob_t));
for (const std::shared_ptr<WatchItemPolicy> &item : watch_items) {
int err = glob(item->path.c_str(), 0, nullptr, g);
if (err != 0 && err != GLOB_NOMATCH) {
LOGE(@"Failed to generate path names for watch item: %s", item->name.c_str());
return false;
}
for (size_t i = g->gl_offs; i < g->gl_pathc; i++) {
if (item->path_type == WatchItemPathType::kPrefix) {
tree.InsertPrefix(g->gl_pathv[i], item);
} else {
tree.InsertLiteral(g->gl_pathv[i], item);
}
paths.insert({g->gl_pathv[i], item->path_type});
}
globfree(g);
}
return true;
}
void WatchItems::RegisterClient(id<SNTEndpointSecurityDynamicEventHandler> client) {
absl::MutexLock lock(&lock_);
registerd_clients_.insert(client);
}
void WatchItems::UpdateCurrentState(
std::unique_ptr<PrefixTree<std::shared_ptr<WatchItemPolicy>>> new_tree,
std::set<std::pair<std::string, WatchItemPathType>> &&new_monitored_paths,
NSDictionary *new_config) {
absl::MutexLock lock(&lock_);
// The following conditions require updating the current config:
// 1. The current config doesn't exist but the new one does
// 2. The current config exists but the new one doesn't
// 3. The set of monitored paths changed
// 4. The configuration changed
if ((current_config_ != nil && new_config == nil) ||
(current_config_ == nil && new_config != nil) ||
(currently_monitored_paths_ != new_monitored_paths) ||
(new_config && ![current_config_ isEqualToDictionary:new_config])) {
std::vector<std::pair<std::string, WatchItemPathType>> paths_to_watch;
std::vector<std::pair<std::string, WatchItemPathType>> paths_to_stop_watching;
// New paths to watch are those that are in the new set, but not current
std::set_difference(new_monitored_paths.begin(), new_monitored_paths.end(),
currently_monitored_paths_.begin(), currently_monitored_paths_.end(),
std::back_inserter(paths_to_watch));
// Paths to stop watching are in the current set, but not new
std::set_difference(currently_monitored_paths_.begin(), currently_monitored_paths_.end(),
new_monitored_paths.begin(), new_monitored_paths.end(),
std::back_inserter(paths_to_stop_watching));
std::swap(watch_items_, new_tree);
std::swap(currently_monitored_paths_, new_monitored_paths);
current_config_ = new_config;
if (new_config) {
policy_version_ = [new_config[kWatchItemConfigKeyVersion] UTF8String];
} else {
policy_version_ = "";
}
last_update_time_ = [[NSDate date] timeIntervalSince1970];
for (const id<SNTEndpointSecurityDynamicEventHandler> &client : registerd_clients_) {
// Note: Enable clients on an async queue in case they perform any
// synchronous work that could trigger ES events. Otherwise they might
// trigger AUTH ES events that would attempt to re-enter this object and
// potentially deadlock.
dispatch_async(q_, ^{
[client watchItemsCount:currently_monitored_paths_.size()
newPaths:paths_to_watch
removedPaths:paths_to_stop_watching];
});
}
} else {
LOGD(@"No changes to set of watched paths.");
}
}
void WatchItems::ReloadConfig(NSDictionary *new_config) {
std::vector<std::shared_ptr<WatchItemPolicy>> new_policies;
auto new_tree = std::make_unique<PrefixTree<std::shared_ptr<WatchItemPolicy>>>();
std::set<std::pair<std::string, WatchItemPathType>> new_monitored_paths;
if (new_config) {
NSError *err;
if (!ParseConfig(new_config, new_policies, &err)) {
LOGE(@"Failed to parse watch item config: %@",
err ? err.localizedDescription : @"Unknown failure");
return;
}
if (!BuildPolicyTree(new_policies, *new_tree, new_monitored_paths)) {
LOGE(@"Failed to build new filesystem monitoring policy");
return;
}
}
UpdateCurrentState(std::move(new_tree), std::move(new_monitored_paths), new_config);
}
NSDictionary *WatchItems::ReadConfig() {
absl::ReaderMutexLock lock(&lock_);
return ReadConfigLocked();
}
NSDictionary *WatchItems::ReadConfigLocked() {
if (config_path_) {
return [NSDictionary dictionaryWithContentsOfFile:config_path_];
} else {
return nil;
}
}
void WatchItems::BeginPeriodicTask() {
if (periodic_task_started_) {
return;
}
std::weak_ptr<WatchItems> weak_watcher = weak_from_this();
dispatch_source_set_event_handler(timer_source_, ^{
std::shared_ptr<WatchItems> shared_watcher = weak_watcher.lock();
if (!shared_watcher) {
return;
}
shared_watcher->ReloadConfig(shared_watcher->ReadConfig());
if (shared_watcher->periodic_task_complete_f_) {
shared_watcher->periodic_task_complete_f_();
}
});
dispatch_resume(timer_source_);
periodic_task_started_ = true;
}
WatchItems::VersionAndPolicies WatchItems::FindPolciesForPaths(
const std::vector<std::string_view> &paths) {
absl::ReaderMutexLock lock(&lock_);
std::vector<std::optional<std::shared_ptr<WatchItemPolicy>>> policies;
for (const auto &path : paths) {
policies.push_back(watch_items_->LookupLongestMatchingPrefix(path.data()));
}
return {policy_version_, policies};
}
void WatchItems::SetConfigPath(NSString *config_path) {
// Acquire the lock to set the config path and read the config, but drop
// the lock before reloading the config
NSDictionary *config;
{
absl::MutexLock lock(&lock_);
config_path_ = config_path;
config = ReadConfigLocked();
}
ReloadConfig(config);
}
std::optional<WatchItemsState> WatchItems::State() {
absl::ReaderMutexLock lock(&lock_);
if (!current_config_) {
return std::nullopt;
}
WatchItemsState state = {
.rule_count = [current_config_[kWatchItemConfigKeyWatchItems] count],
.policy_version = [NSString stringWithUTF8String:policy_version_.c_str()],
.config_path = [config_path_ copy],
.last_config_load_epoch = last_update_time_,
};
return state;
}
} // namespace santa::santad::data_layer
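Review bot: `VerifyConfigWatchItemPaths` builds the C++ path with `std::string(path_str.UTF8String, path_str.length)`, but `-length` counts UTF-16 code units while `UTF8String` is a byte buffer, so any path containing a non-ASCII character is silently truncated (one `é` is one code unit but two bytes) and the policy ends up watching the wrong path or none at all; use `std::string(path_str.UTF8String)` or `[path_str lengthOfBytesUsingEncoding:NSUTF8StringEncoding]`. The same mismatch makes `LenRangeValidator(1, PATH_MAX)` bound code units rather than bytes. Smaller points in the same file: in `UpdateCurrentState` the `dispatch_async` block reads `currently_monitored_paths_.size()` after `lock_` has been released, so a second reload can change it before the client is notified; copy the count into a local before dispatching. In `BuildPolicyTree` the error path returns without `globfree(g)` (and `g` can be a plain stack `glob_t` instead of `alloca`), and a literal path that does not exist yet yields `GLOB_NOMATCH` and therefore no rule until a later reapply, which deserves a comment since the config claims to protect that path. `FindPolciesForPaths` passes `path.data()` from a `std::string_view` to `LookupLongestMatchingPrefix`; unless that takes a `string_view` too, the buffer is not guaranteed to be NUL-terminated. `ConfirmValidHexString` passes a `unichar` to `isxdigit`, which is undefined for values outside the `unsigned char` range; range-check first. Finally, `ReadConfigLocked` loads whatever `dictionaryWithContentsOfFile:` finds at `config_path_` with no ownership or permission check; since this file defines an access-control policy, document who is expected to own it and that it must not be writable by unprivileged users.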


@@ -0,0 +1,807 @@
/// Copyright 2022 Google LLC
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// https://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
#include <CommonCrypto/CommonDigest.h>
#import <Foundation/Foundation.h>
#include <Kernel/kern/cs_blobs.h>
#import <XCTest/XCTest.h>
#include <dispatch/dispatch.h>
#include <sys/syslimits.h>
#include <unistd.h>
#include <algorithm>
#include <iostream>
#include <map>
#include <memory>
#include <variant>
#include <vector>
#include "Source/common/TestUtils.h"
#import "Source/common/Unit.h"
#include "Source/santad/DataLayer/WatchItemPolicy.h"
#include "Source/santad/DataLayer/WatchItems.h"
using santa::common::Unit;
using santa::santad::data_layer::kWatchItemPolicyDefaultAllowReadAccess;
using santa::santad::data_layer::kWatchItemPolicyDefaultAuditOnly;
using santa::santad::data_layer::kWatchItemPolicyDefaultPathType;
using santa::santad::data_layer::WatchItemPathType;
using santa::santad::data_layer::WatchItemPolicy;
using santa::santad::data_layer::WatchItems;
using santa::santad::data_layer::WatchItemsState;
namespace santatest {
using PathAndTypePair = std::pair<std::string, WatchItemPathType>;
using PathList = std::vector<PathAndTypePair>;
using ProcessList = std::vector<WatchItemPolicy::Process>;
} // namespace santatest
namespace santa::santad::data_layer {
extern bool ParseConfig(NSDictionary *config,
std::vector<std::shared_ptr<WatchItemPolicy>> &policies, NSError **err);
extern bool ParseConfigSingleWatchItem(NSString *name, NSDictionary *watch_item,
std::vector<std::shared_ptr<WatchItemPolicy>> &policies,
NSError **err);
extern std::variant<Unit, santatest::PathList> VerifyConfigWatchItemPaths(NSArray<id> *paths,
NSError **err);
extern std::variant<Unit, santatest::ProcessList> VerifyConfigWatchItemProcesses(
NSDictionary *watch_item, NSError **err);
class WatchItemsPeer : public WatchItems {
public:
using WatchItems::ReloadConfig;
using WatchItems::WatchItems;
};
} // namespace santa::santad::data_layer
using santa::santad::data_layer::ParseConfig;
using santa::santad::data_layer::ParseConfigSingleWatchItem;
using santa::santad::data_layer::VerifyConfigWatchItemPaths;
using santa::santad::data_layer::VerifyConfigWatchItemProcesses;
using santa::santad::data_layer::WatchItemsPeer;
static constexpr std::string_view kBadPolicyName("__BAD_NAME__");
static constexpr std::string_view kBadPolicyPath("__BAD_PATH__");
static constexpr std::string_view kVersion("v0.1");
static std::shared_ptr<WatchItemPolicy> MakeBadPolicy() {
return std::make_shared<WatchItemPolicy>(kBadPolicyName, kBadPolicyPath);
}
static NSMutableDictionary *WrapWatchItemsConfig(NSDictionary *config) {
return [@{@"Version" : @(kVersion.data()), @"WatchItems" : [config mutableCopy]} mutableCopy];
}
static NSString *RepeatedString(NSString *str, NSUInteger len) {
return [@"" stringByPaddingToLength:len withString:str startingAtIndex:0];
}
@interface WatchItemsTest : XCTestCase
@property NSFileManager *fileMgr;
@property NSString *testDir;
@property NSMutableArray *dirStack;
@property dispatch_queue_t q;
@end
@implementation WatchItemsTest
- (void)setUp {
self.dirStack = [[NSMutableArray alloc] init];
self.fileMgr = [NSFileManager defaultManager];
self.testDir =
[NSString stringWithFormat:@"%@santa-watchitems-%d", NSTemporaryDirectory(), getpid()];
XCTAssertTrue([self.fileMgr createDirectoryAtPath:self.testDir
withIntermediateDirectories:YES
attributes:nil
error:nil]);
self.q = dispatch_queue_create(NULL, DISPATCH_QUEUE_SERIAL);
XCTAssertNotNil(self.q);
}
- (void)tearDown {
XCTAssertTrue([self.fileMgr removeItemAtPath:self.testDir error:nil]);
}
- (void)pushd:(NSString *)path withRoot:(NSString *)root {
NSString *dir = [NSString pathWithComponents:@[ root, path ]];
NSString *origCwd = [self.fileMgr currentDirectoryPath];
XCTAssertNotNil(origCwd);
XCTAssertTrue([self.fileMgr changeCurrentDirectoryPath:dir]);
[self.dirStack addObject:origCwd];
}
- (void)pushd:(NSString *)dir {
[self pushd:dir withRoot:self.testDir];
}
- (void)popd {
NSString *dir = [self.dirStack lastObject];
XCTAssertTrue([self.fileMgr changeCurrentDirectoryPath:dir]);
[self.dirStack removeLastObject];
}
- (void)createTestDirStructure:(NSArray *)fs rootedAt:(NSString *)root {
NSString *origCwd = [self.fileMgr currentDirectoryPath];
XCTAssertNotNil(origCwd);
XCTAssertTrue([self.fileMgr changeCurrentDirectoryPath:root]);
for (id item in fs) {
if ([item isKindOfClass:[NSString class]]) {
XCTAssertTrue([self.fileMgr createFileAtPath:item contents:nil attributes:nil]);
} else if ([item isKindOfClass:[NSDictionary class]]) {
for (id dir in item) {
XCTAssertTrue([item[dir] isKindOfClass:[NSArray class]]);
XCTAssertTrue([self.fileMgr createDirectoryAtPath:dir
withIntermediateDirectories:NO
attributes:nil
error:nil]);
[self createTestDirStructure:item[dir] rootedAt:dir];
}
} else {
XCTFail("Unexpected dir structure item: %@: %@", item, [item class]);
}
}
XCTAssertTrue([self.fileMgr changeCurrentDirectoryPath:origCwd]);
}
- (void)createTestDirStructure:(NSArray *)fs {
[self createTestDirStructure:fs rootedAt:self.testDir];
}
- (void)testReloadScenarios {
[self createTestDirStructure:@[
@{
@"a" : @[ @"f1", @"f2" ],
},
@{
@"b" : @[ @"f1" ],
},
]];
NSDictionary *allFilesPolicy = @{kWatchItemConfigKeyPaths : @[ @"*" ]};
NSDictionary *configAllFilesOriginal =
WrapWatchItemsConfig(@{@"all_files_orig" : allFilesPolicy});
NSDictionary *configAllFilesRename =
WrapWatchItemsConfig(@{@"all_files_rename" : allFilesPolicy});
WatchItems::VersionAndPolicies policies;
std::vector<std::string_view> f1Path = {"f1"};
std::vector<std::string_view> f2Path = {"f2"};
// Changes in config dictionary will update policy info even if the
// filesystem didn't change.
{
WatchItemsPeer watchItems(nil, NULL, NULL);
[self pushd:@"a"];
watchItems.ReloadConfig(configAllFilesOriginal);
policies = watchItems.FindPolciesForPaths(f1Path);
XCTAssertCStringEqual(policies.second[0].value_or(MakeBadPolicy())->name.c_str(),
"all_files_orig");
watchItems.ReloadConfig(configAllFilesRename);
policies = watchItems.FindPolciesForPaths(f1Path);
XCTAssertCStringEqual(policies.second[0].value_or(MakeBadPolicy())->name.c_str(),
"all_files_rename");
policies = watchItems.FindPolciesForPaths(f1Path);
XCTAssertCStringEqual(policies.second[0].value_or(MakeBadPolicy())->name.c_str(),
"all_files_rename");
[self popd];
}
// Changes to fileystem structure are reflected when a config is reloaded
{
WatchItemsPeer watchItems(nil, NULL, NULL);
[self pushd:@"a"];
watchItems.ReloadConfig(configAllFilesOriginal);
[self popd];
policies = watchItems.FindPolciesForPaths(f2Path);
XCTAssertCStringEqual(policies.second[0].value_or(MakeBadPolicy())->name.c_str(),
"all_files_orig");
[self pushd:@"b"];
watchItems.ReloadConfig(configAllFilesOriginal);
[self popd];
policies = watchItems.FindPolciesForPaths(f2Path);
XCTAssertFalse(policies.second[0].has_value());
}
}
- (void)testPeriodicTask {
// Ensure watch item policy memory is properly handled
[self createTestDirStructure:@[ @"f1", @"f2", @"weird1" ]];
NSDictionary *fFiles = @{
kWatchItemConfigKeyPaths : @[ @{
kWatchItemConfigKeyPathsPath : @"f?",
kWatchItemConfigKeyPathsIsPrefix : @(NO),
} ]
};
NSDictionary *weirdFiles = @{
kWatchItemConfigKeyPaths : @[ @{
kWatchItemConfigKeyPathsPath : @"weird?",
kWatchItemConfigKeyPathsIsPrefix : @(NO),
} ]
};
NSString *configFile = @"config.plist";
NSDictionary *firstConfig = WrapWatchItemsConfig(@{@"f_files" : fFiles});
NSDictionary *secondConfig =
WrapWatchItemsConfig(@{@"f_files" : fFiles, @"weird_files" : weirdFiles});
dispatch_source_t timer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, self.q);
const uint64 periodicFlushMS = 1000;
dispatch_source_set_timer(timer, dispatch_time(DISPATCH_TIME_NOW, 0),
NSEC_PER_MSEC * periodicFlushMS, 0);
dispatch_semaphore_t sema = dispatch_semaphore_create(0);
auto watchItems = std::make_shared<WatchItemsPeer>(configFile, self.q, timer, ^{
dispatch_semaphore_signal(sema);
});
// Move into the base test directory and write the config to disk
[self pushd:@""];
XCTAssertTrue([firstConfig writeToFile:configFile atomically:YES]);
std::vector<std::string_view> f1Path = {"f1"};
std::vector<std::string_view> weird1Path = {"weird1"};
// Ensure no policy has been loaded yet
XCTAssertFalse(watchItems->FindPolciesForPaths(f1Path).second[0].has_value());
XCTAssertFalse(watchItems->FindPolciesForPaths(weird1Path).second[0].has_value());
// Begin the periodic task
watchItems->BeginPeriodicTask();
// The first run of the task starts immediately
// Wait for the first iteration and check for the expected policy
XCTAssertSemaTrue(sema, 5, "Periodic task did not complete within expected window");
XCTAssertTrue(watchItems->FindPolciesForPaths(f1Path).second[0].has_value());
XCTAssertFalse(watchItems->FindPolciesForPaths(weird1Path).second[0].has_value());
// Write the config update
XCTAssertTrue([secondConfig writeToFile:configFile atomically:YES]);
// Wait for the new config to be loaded and check for the new expected policies
XCTAssertSemaTrue(sema, 5, "Periodic task did not complete within expected window");
XCTAssertTrue(watchItems->FindPolciesForPaths(f1Path).second[0].has_value());
XCTAssertTrue(watchItems->FindPolciesForPaths(weird1Path).second[0].has_value());
[self popd];
}
- (void)testPolicyLookup {
// Test multiple, more comprehensive policies before/after config reload
[self createTestDirStructure:@[
@{
@"foo" : @[ @"bar.txt", @"bar.txt.tmp" ],
@"baz" : @[ @{@"qaz" : @[]} ],
},
@"f1",
]];
NSMutableDictionary *config = WrapWatchItemsConfig(@{
@"foo_subdir" : @{
kWatchItemConfigKeyPaths : @[ @{
kWatchItemConfigKeyPathsPath : @"./foo",
kWatchItemConfigKeyPathsIsPrefix : @(YES),
} ]
}
});
WatchItemsPeer watchItems(nil, NULL, NULL);
WatchItems::VersionAndPolicies policies;
// Resultant vector is same size as input vector
// Initially nothing should be in the map
std::vector<std::string_view> paths = {};
XCTAssertEqual(watchItems.FindPolciesForPaths(paths).second.size(), 0);
paths.push_back("./foo");
XCTAssertEqual(watchItems.FindPolciesForPaths(paths).second.size(), 1);
XCTAssertFalse(watchItems.FindPolciesForPaths(paths).second[0].has_value());
paths.push_back("./baz");
XCTAssertEqual(watchItems.FindPolciesForPaths(paths).second.size(), 2);
// Load the initial config
[self pushd:@""];
watchItems.ReloadConfig(config);
[self popd];
{
// Test expected values with the inital policy
const std::map<std::vector<std::string_view>, std::string_view> pathToPolicyName = {
{{"./foo"}, "foo_subdir"},
{{"./foo/bar.txt.tmp"}, "foo_subdir"},
{{"./foo/bar.txt"}, "foo_subdir"},
{{"./does/not/exist"}, kBadPolicyName},
};
for (const auto &kv : pathToPolicyName) {
policies = watchItems.FindPolciesForPaths(kv.first);
XCTAssertCStringEqual(policies.first.data(), kVersion.data());
XCTAssertCStringEqual(policies.second[0].value_or(MakeBadPolicy())->name.c_str(),
kv.second.data());
}
// Test multiple lookup
policies = watchItems.FindPolciesForPaths({"./foo", "./does/not/exist"});
XCTAssertCStringEqual(policies.second[0].value_or(MakeBadPolicy())->name.c_str(), "foo_subdir");
XCTAssertFalse(policies.second[1].has_value());
}
// Add a new policy and reload the config
NSDictionary *barTxtFilePolicy = @{
kWatchItemConfigKeyPaths : @[ @{
kWatchItemConfigKeyPathsPath : @"./foo/bar.txt",
kWatchItemConfigKeyPathsIsPrefix : @(NO),
} ]
};
[config[@"WatchItems"] setObject:barTxtFilePolicy forKey:@"bar_txt"];
// Load the updated config
[self pushd:@""];
watchItems.ReloadConfig(config);
[self popd];
{
// Test expected values with the updated policy
const std::map<std::vector<std::string_view>, std::string_view> pathToPolicyName = {
{{"./foo"}, "foo_subdir"},
{{"./foo/bar.txt.tmp"}, "foo_subdir"},
{{"./foo/bar.txt"}, "bar_txt"},
{{"./does/not/exist"}, kBadPolicyName},
};
for (const auto &kv : pathToPolicyName) {
policies = watchItems.FindPolciesForPaths(kv.first);
XCTAssertCStringEqual(policies.second[0].value_or(MakeBadPolicy())->name.c_str(),
kv.second.data());
}
}
// Add a catch-all policy that should only affect the previously non-matching path
NSDictionary *catchAllFilePolicy = @{
kWatchItemConfigKeyPaths : @[ @{
kWatchItemConfigKeyPathsPath : @".",
kWatchItemConfigKeyPathsIsPrefix : @(YES),
} ]
};
[config[@"WatchItems"] setObject:catchAllFilePolicy forKey:@"dot_everything"];
// Load the updated config
[self pushd:@""];
watchItems.ReloadConfig(config);
[self popd];
{
// Test expected values with the catch-all policy
const std::map<std::vector<std::string_view>, std::string_view> pathToPolicyName = {
{{"./foo"}, "foo_subdir"},
{{"./foo/bar.txt.tmp"}, "foo_subdir"},
{{"./foo/bar.txt"}, "bar_txt"},
{{"./does/not/exist"}, "dot_everything"},
};
for (const auto &kv : pathToPolicyName) {
policies = watchItems.FindPolciesForPaths(kv.first);
XCTAssertCStringEqual(policies.second[0].value_or(MakeBadPolicy())->name.c_str(),
kv.second.data());
}
}
// Now remove the foo_subdir rule, previous matches should fallback to the catch-all
[config[@"WatchItems"] removeObjectForKey:@"foo_subdir"];
[self pushd:@""];
watchItems.ReloadConfig(config);
[self popd];
{
// Test expected values with the foo_subdir policy removed
const std::map<std::vector<std::string_view>, std::string_view> pathToPolicyName = {
{{"./foo"}, "dot_everything"},
{{"./foo/bar.txt.tmp"}, "dot_everything"},
{{"./foo/bar.txt"}, "bar_txt"},
{{"./does/not/exist"}, "dot_everything"},
};
for (const auto &kv : pathToPolicyName) {
policies = watchItems.FindPolciesForPaths(kv.first);
XCTAssertCStringEqual(policies.second[0].value_or(MakeBadPolicy())->name.c_str(),
kv.second.data());
}
}
}
- (void)testVerifyConfigWatchItemPaths {
std::variant<Unit, santatest::PathList> path_list;
NSError *err;
// Test no paths specified
path_list = VerifyConfigWatchItemPaths(@[], &err);
XCTAssertTrue(std::holds_alternative<Unit>(path_list));
// Test invalid types in paths array
path_list = VerifyConfigWatchItemPaths(@[ @(0) ], &err);
XCTAssertTrue(std::holds_alternative<Unit>(path_list));
// Test path array with long string
path_list = VerifyConfigWatchItemPaths(@[ RepeatedString(@"A", PATH_MAX + 1) ], &err);
XCTAssertTrue(std::holds_alternative<Unit>(path_list));
// Test path array dictionary with missing required key
path_list = VerifyConfigWatchItemPaths(@[ @{@"FakePath" : @"A"} ], &err);
XCTAssertTrue(std::holds_alternative<Unit>(path_list));
// Test path array dictionary with long string
path_list = VerifyConfigWatchItemPaths(
@[ @{kWatchItemConfigKeyPathsPath : RepeatedString(@"A", PATH_MAX + 1)} ], &err);
XCTAssertTrue(std::holds_alternative<Unit>(path_list));
// Test path array dictionary with default path type
path_list = VerifyConfigWatchItemPaths(@[ @{kWatchItemConfigKeyPathsPath : @"A"} ], &err);
XCTAssertTrue(std::holds_alternative<santatest::PathList>(path_list));
XCTAssertEqual(std::get<santatest::PathList>(path_list).size(), 1);
XCTAssertCStringEqual(std::get<santatest::PathList>(path_list)[0].first.c_str(), "A");
XCTAssertEqual(std::get<santatest::PathList>(path_list)[0].second,
kWatchItemPolicyDefaultPathType);
// Test path array dictionary with custom path type
path_list = VerifyConfigWatchItemPaths(
@[ @{kWatchItemConfigKeyPathsPath : @"A", kWatchItemConfigKeyPathsIsPrefix : @(YES)} ], &err);
XCTAssertTrue(std::holds_alternative<santatest::PathList>(path_list));
XCTAssertEqual(std::get<santatest::PathList>(path_list).size(), 1);
XCTAssertCStringEqual(std::get<santatest::PathList>(path_list)[0].first.c_str(), "A");
XCTAssertEqual(std::get<santatest::PathList>(path_list)[0].second, WatchItemPathType::kPrefix);
}
- (void)testVerifyConfigWatchItemProcesses {
std::variant<Unit, santatest::ProcessList> proc_list;
NSError *err;
// Non-existent process list parses successfully, but has no items
proc_list = VerifyConfigWatchItemProcesses(@{}, &err);
XCTAssertTrue(std::holds_alternative<santatest::ProcessList>(proc_list));
XCTAssertEqual(std::get<santatest::ProcessList>(proc_list).size(), 0);
// Process list fails to parse if contains non-array type
proc_list = VerifyConfigWatchItemProcesses(@{kWatchItemConfigKeyProcesses : @""}, &err);
XCTAssertTrue(std::holds_alternative<Unit>(proc_list));
proc_list = VerifyConfigWatchItemProcesses(@{kWatchItemConfigKeyProcesses : @(0)}, &err);
XCTAssertTrue(std::holds_alternative<Unit>(proc_list));
proc_list = VerifyConfigWatchItemProcesses(@{kWatchItemConfigKeyProcesses : @{}}, &err);
XCTAssertTrue(std::holds_alternative<Unit>(proc_list));
proc_list = VerifyConfigWatchItemProcesses(@{kWatchItemConfigKeyProcesses : @[]}, &err);
XCTAssertTrue(std::holds_alternative<santatest::ProcessList>(proc_list));
// Test a process dictionary with no valid attributes set
proc_list = VerifyConfigWatchItemProcesses(@{kWatchItemConfigKeyProcesses : @[ @{} ]}, &err);
XCTAssertTrue(std::holds_alternative<Unit>(proc_list));
// Test BinaryPath length limits
proc_list = VerifyConfigWatchItemProcesses(@{
kWatchItemConfigKeyProcesses :
@[ @{kWatchItemConfigKeyProcessesBinaryPath : RepeatedString(@"A", PATH_MAX + 1)} ]
},
&err);
XCTAssertTrue(std::holds_alternative<Unit>(proc_list));
// Test valid BinaryPath
proc_list = VerifyConfigWatchItemProcesses(
@{kWatchItemConfigKeyProcesses : @[ @{kWatchItemConfigKeyProcessesBinaryPath : @"mypath"} ]},
&err);
XCTAssertTrue(std::holds_alternative<santatest::ProcessList>(proc_list));
XCTAssertEqual(std::get<santatest::ProcessList>(proc_list).size(), 1);
XCTAssertEqual(std::get<santatest::ProcessList>(proc_list)[0],
WatchItemPolicy::Process("mypath", "", "", {}, ""));
// Test SigningID length limits
proc_list = VerifyConfigWatchItemProcesses(@{
kWatchItemConfigKeyProcesses :
@[ @{kWatchItemConfigKeyProcessesSigningID : RepeatedString(@"A", 513)} ]
},
&err);
XCTAssertTrue(std::holds_alternative<Unit>(proc_list));
// Test valid SigningID
proc_list = VerifyConfigWatchItemProcesses(@{
kWatchItemConfigKeyProcesses :
@[ @{kWatchItemConfigKeyProcessesSigningID : @"com.google.test"} ]
},
&err);
XCTAssertTrue(std::holds_alternative<santatest::ProcessList>(proc_list));
XCTAssertEqual(std::get<santatest::ProcessList>(proc_list).size(), 1);
XCTAssertEqual(std::get<santatest::ProcessList>(proc_list)[0],
WatchItemPolicy::Process("", "com.google.test", "", {}, ""));
// Test TeamID length limits
proc_list = VerifyConfigWatchItemProcesses(@{
kWatchItemConfigKeyProcesses :
@[ @{kWatchItemConfigKeyProcessesTeamID : @"LongerThanExpectedTeamID"} ]
},
&err);
XCTAssertTrue(std::holds_alternative<Unit>(proc_list));
// Test valid TeamID
proc_list = VerifyConfigWatchItemProcesses(
@{kWatchItemConfigKeyProcesses : @[ @{kWatchItemConfigKeyProcessesTeamID : @"myvalidtid"} ]},
&err);
XCTAssertTrue(std::holds_alternative<santatest::ProcessList>(proc_list));
XCTAssertEqual(std::get<santatest::ProcessList>(proc_list).size(), 1);
XCTAssertEqual(std::get<santatest::ProcessList>(proc_list)[0],
WatchItemPolicy::Process("", "", "myvalidtid", {}, ""));
// Test CDHash length limits
proc_list = VerifyConfigWatchItemProcesses(@{
kWatchItemConfigKeyProcesses :
@[ @{kWatchItemConfigKeyProcessesCDHash : RepeatedString(@"A", CS_CDHASH_LEN * 2 + 1)} ]
},
&err);
XCTAssertTrue(std::holds_alternative<Unit>(proc_list));
// Test CDHash hex-only
proc_list = VerifyConfigWatchItemProcesses(@{
kWatchItemConfigKeyProcesses :
@[ @{kWatchItemConfigKeyProcessesCDHash : RepeatedString(@"Z", CS_CDHASH_LEN * 2)} ]
},
&err);
XCTAssertTrue(std::holds_alternative<Unit>(proc_list));
// Test valid CDHash
NSString *cdhash = RepeatedString(@"A", CS_CDHASH_LEN * 2);
std::vector<uint8_t> cdhashBytes(cdhash.length / 2);
std::fill(cdhashBytes.begin(), cdhashBytes.end(), 0xAA);
proc_list = VerifyConfigWatchItemProcesses(
@{kWatchItemConfigKeyProcesses : @[ @{kWatchItemConfigKeyProcessesCDHash : cdhash} ]}, &err);
XCTAssertTrue(std::holds_alternative<santatest::ProcessList>(proc_list));
XCTAssertEqual(std::get<santatest::ProcessList>(proc_list).size(), 1);
XCTAssertEqual(std::get<santatest::ProcessList>(proc_list)[0],
WatchItemPolicy::Process("", "", "", cdhashBytes, ""));
// Test Cert Hash length limits
proc_list = VerifyConfigWatchItemProcesses(@{
kWatchItemConfigKeyProcesses : @[ @{
kWatchItemConfigKeyProcessesCertificateSha256 :
RepeatedString(@"A", CC_SHA256_DIGEST_LENGTH * 2 + 1)
} ]
},
&err);
XCTAssertTrue(std::holds_alternative<Unit>(proc_list));
// Test Cert Hash hex-only
proc_list = VerifyConfigWatchItemProcesses(@{
kWatchItemConfigKeyProcesses : @[ @{
kWatchItemConfigKeyProcessesCertificateSha256 :
RepeatedString(@"Z", CC_SHA256_DIGEST_LENGTH * 2)
} ]
},
&err);
XCTAssertTrue(std::holds_alternative<Unit>(proc_list));
// Test valid Cert Hash
NSString *certHash = RepeatedString(@"A", CC_SHA256_DIGEST_LENGTH * 2);
proc_list = VerifyConfigWatchItemProcesses(@{
kWatchItemConfigKeyProcesses : @[ @{kWatchItemConfigKeyProcessesCertificateSha256 : certHash} ]
},
&err);
XCTAssertTrue(std::holds_alternative<santatest::ProcessList>(proc_list));
XCTAssertEqual(std::get<santatest::ProcessList>(proc_list).size(), 1);
XCTAssertEqual(std::get<santatest::ProcessList>(proc_list)[0],
WatchItemPolicy::Process("", "", "", {}, [certHash UTF8String]));
// Test valid multiple attributes, multiple procs
proc_list = VerifyConfigWatchItemProcesses(@{
kWatchItemConfigKeyProcesses : @[
@{
kWatchItemConfigKeyProcessesBinaryPath : @"mypath1",
kWatchItemConfigKeyProcessesSigningID : @"com.google.test1",
kWatchItemConfigKeyProcessesTeamID : @"validtid_1",
kWatchItemConfigKeyProcessesCDHash : cdhash,
kWatchItemConfigKeyProcessesCertificateSha256 : certHash,
},
@{
kWatchItemConfigKeyProcessesBinaryPath : @"mypath2",
kWatchItemConfigKeyProcessesSigningID : @"com.google.test2",
kWatchItemConfigKeyProcessesTeamID : @"validtid_2",
kWatchItemConfigKeyProcessesCDHash : cdhash,
kWatchItemConfigKeyProcessesCertificateSha256 : certHash,
},
]
},
&err);
XCTAssertTrue(std::holds_alternative<santatest::ProcessList>(proc_list));
XCTAssertEqual(std::get<santatest::ProcessList>(proc_list).size(), 2);
XCTAssertEqual(std::get<santatest::ProcessList>(proc_list)[0],
WatchItemPolicy::Process("mypath1", "com.google.test1", "validtid_1", cdhashBytes,
[certHash UTF8String]));
XCTAssertEqual(std::get<santatest::ProcessList>(proc_list)[1],
WatchItemPolicy::Process("mypath2", "com.google.test2", "validtid_2", cdhashBytes,
[certHash UTF8String]));
}
- (void)testParseConfig {
NSError *err;
std::vector<std::shared_ptr<WatchItemPolicy>> policies;
// Ensure top level keys must exist and be correct types
XCTAssertFalse(ParseConfig(@{}, policies, &err));
XCTAssertFalse(ParseConfig(@{kWatchItemConfigKeyVersion : @(0)}, policies, &err));
XCTAssertFalse(ParseConfig(@{kWatchItemConfigKeyVersion : @{}}, policies, &err));
XCTAssertFalse(ParseConfig(@{kWatchItemConfigKeyVersion : @[]}, policies, &err));
XCTAssertFalse(ParseConfig(@{kWatchItemConfigKeyVersion : @""}, policies, &err));
XCTAssertFalse(ParseConfig(
@{kWatchItemConfigKeyVersion : @"1", kWatchItemConfigKeyWatchItems : @""}, policies, &err));
XCTAssertFalse(ParseConfig(
@{kWatchItemConfigKeyVersion : @"1", kWatchItemConfigKeyWatchItems : @[]}, policies, &err));
XCTAssertFalse(ParseConfig(
@{kWatchItemConfigKeyVersion : @"1", kWatchItemConfigKeyWatchItems : @(0)}, policies, &err));
// Minimally successful configs without watch items
XCTAssertTrue(ParseConfig(@{kWatchItemConfigKeyVersion : @"1"}, policies, &err));
XCTAssertTrue(ParseConfig(
@{kWatchItemConfigKeyVersion : @"1", kWatchItemConfigKeyWatchItems : @{}}, policies, &err));
// Ensure constraints on watch items entries match expectations
XCTAssertFalse(ParseConfig(
@{kWatchItemConfigKeyVersion : @"1", kWatchItemConfigKeyWatchItems : @{@(0) : @(0)}}, policies,
&err));
XCTAssertFalse(
ParseConfig(@{kWatchItemConfigKeyVersion : @"1", kWatchItemConfigKeyWatchItems : @{@"" : @{}}},
policies, &err));
XCTAssertFalse(
ParseConfig(@{kWatchItemConfigKeyVersion : @"1", kWatchItemConfigKeyWatchItems : @{@"1" : @[]}},
policies, &err));
XCTAssertFalse(
ParseConfig(@{kWatchItemConfigKeyVersion : @"1", kWatchItemConfigKeyWatchItems : @{@"1" : @{}}},
policies, &err));
// Minimally successful config with watch item
XCTAssertTrue(ParseConfig(@{
kWatchItemConfigKeyVersion : @"1",
kWatchItemConfigKeyWatchItems : @{@"1" : @{kWatchItemConfigKeyPaths : @[ @"asdf" ]}}
},
policies, &err));
}
- (void)testParseConfigSingleWatchItem {
std::vector<std::shared_ptr<WatchItemPolicy>> policies;
NSError *err;
// There must be valid Paths in a watch item
XCTAssertFalse(ParseConfigSingleWatchItem(@"", @{}, policies, &err));
XCTAssertFalse(
ParseConfigSingleWatchItem(@"", @{kWatchItemConfigKeyPaths : @[ @"" ]}, policies, &err));
XCTAssertTrue(
ParseConfigSingleWatchItem(@"", @{kWatchItemConfigKeyPaths : @[ @"a" ]}, policies, &err));
// Empty options are fine
XCTAssertTrue(ParseConfigSingleWatchItem(
@"", @{kWatchItemConfigKeyPaths : @[ @"a" ], kWatchItemConfigKeyOptions : @{}}, policies,
&err));
// If an Options key exist, it must be a dictionary type
XCTAssertFalse(ParseConfigSingleWatchItem(
@"", @{kWatchItemConfigKeyPaths : @[ @"a" ], kWatchItemConfigKeyOptions : @[]}, policies,
&err));
XCTAssertFalse(ParseConfigSingleWatchItem(
@"", @{kWatchItemConfigKeyPaths : @[ @"a" ], kWatchItemConfigKeyOptions : @""}, policies,
&err));
XCTAssertFalse(ParseConfigSingleWatchItem(
@"", @{kWatchItemConfigKeyPaths : @[ @"a" ], kWatchItemConfigKeyOptions : @(0)}, policies,
&err));
// Options keys must be valid types
XCTAssertFalse(ParseConfigSingleWatchItem(@"", @{
kWatchItemConfigKeyPaths : @[ @"a" ],
kWatchItemConfigKeyOptions : @{kWatchItemConfigKeyOptionsAllowReadAccess : @""}
},
policies, &err));
XCTAssertTrue(ParseConfigSingleWatchItem(@"", @{
kWatchItemConfigKeyPaths : @[ @"a" ],
kWatchItemConfigKeyOptions : @{kWatchItemConfigKeyOptionsAllowReadAccess : @(0)}
},
policies, &err));
XCTAssertFalse(ParseConfigSingleWatchItem(@"", @{
kWatchItemConfigKeyPaths : @[ @"a" ],
kWatchItemConfigKeyOptions : @{kWatchItemConfigKeyOptionsAuditOnly : @""}
},
policies, &err));
XCTAssertTrue(ParseConfigSingleWatchItem(@"", @{
kWatchItemConfigKeyPaths : @[ @"a" ],
kWatchItemConfigKeyOptions : @{kWatchItemConfigKeyOptionsAuditOnly : @(0)}
},
policies, &err));
// If processes are specified, they must be valid format
// Note: Full tests in `testVerifyConfigWatchItemProcesses`
XCTAssertFalse(ParseConfigSingleWatchItem(
@"", @{kWatchItemConfigKeyPaths : @[ @"a" ], kWatchItemConfigKeyProcesses : @""}, policies,
&err));
// Test the policy vector is populated as expected
// Test default options with no processes
policies.clear();
XCTAssertTrue(
ParseConfigSingleWatchItem(@"rule", @{kWatchItemConfigKeyPaths : @[ @"a" ]}, policies, &err));
XCTAssertEqual(policies.size(), 1);
XCTAssertEqual(*policies[0].get(), WatchItemPolicy("rule", "a", kWatchItemPolicyDefaultPathType,
kWatchItemPolicyDefaultAllowReadAccess,
kWatchItemPolicyDefaultAuditOnly, {}));
// Test multiple paths, options, and processes
policies.clear();
std::vector<WatchItemPolicy::Process> procs = {
WatchItemPolicy::Process("pa", "", "", {}, ""),
WatchItemPolicy::Process("pb", "", "", {}, ""),
};
XCTAssertTrue(ParseConfigSingleWatchItem(@"rule", @{
kWatchItemConfigKeyPaths :
@[ @"a", @{kWatchItemConfigKeyPathsPath : @"b", kWatchItemConfigKeyPathsIsPrefix : @(YES)} ],
kWatchItemConfigKeyOptions : @{
kWatchItemConfigKeyOptionsAllowReadAccess : @(YES),
kWatchItemConfigKeyOptionsAuditOnly : @(NO)
},
kWatchItemConfigKeyProcesses : @[
@{kWatchItemConfigKeyProcessesBinaryPath : @"pa"},
@{kWatchItemConfigKeyProcessesBinaryPath : @"pb"}
]
},
policies, &err));
XCTAssertEqual(policies.size(), 2);
XCTAssertEqual(*policies[0].get(),
WatchItemPolicy("rule", "a", kWatchItemPolicyDefaultPathType, true, false, procs));
XCTAssertEqual(*policies[1].get(),
WatchItemPolicy("rule", "b", WatchItemPathType::kPrefix, true, false, procs));
}
- (void)testState {
NSString *configPath = @"my_config_path";
NSTimeInterval startTime = [[NSDate date] timeIntervalSince1970];
NSMutableDictionary *config = WrapWatchItemsConfig(@{
@"rule1" : @{kWatchItemConfigKeyPaths : @[ @"abc" ]},
@"rule2" : @{kWatchItemConfigKeyPaths : @[ @"xyz" ]}
});
WatchItemsPeer watchItems(configPath, NULL, NULL);
// If no policy yet exists, nullopt is returned
std::optional<WatchItemsState> optionalState = watchItems.State();
XCTAssertFalse(optionalState.has_value());
watchItems.ReloadConfig(config);
optionalState = watchItems.State();
XCTAssertTrue(optionalState.has_value());
WatchItemsState state = optionalState.value();
XCTAssertEqual(state.rule_count, [config[kWatchItemConfigKeyWatchItems] count]);
XCTAssertCStringEqual(state.policy_version.UTF8String, kVersion.data());
XCTAssertEqual(state.config_path, configPath);
XCTAssertGreaterThanOrEqual(state.last_config_load_epoch, startTime);
}
@end
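Review bot: the lookup method is spelled `FindPolciesForPaths` everywhere in this test (L5956 onward), so the typo almost certainly lives in the WatchItems API itself; renaming it to `FindPoliciesForPaths` now, before more call sites accumulate, is cheaper than later. Smaller points in the same file: `testPeriodicTask` signals the semaphore on every periodic run, so a run that lands between the first `XCTAssertSemaTrue` and the `writeToFile:` of `secondConfig` would satisfy the second wait before the new config is read; draining the semaphore right before the write, or polling until `weird1Path` resolves, would make the test robust on a slow CI box. `const uint64 periodicFlushMS` should be the standard `uint64_t`. In `testReloadScenarios` the lookup and assertion for `all_files_rename` is duplicated verbatim right after itself. `XCTAssertEqual(state.config_path, configPath)` compares NSString pointers; `XCTAssertEqualObjects` expresses the intent and survives a copy in `State()`. Comment typos: "fileystem", "inital".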

View File

@@ -21,8 +21,9 @@
#include <sys/stat.h>
#include <memory>
#import "Source/common/SNTCommon.h"
#import "Source/common/SNTCommonEnums.h"
#include "Source/common/SantaCache.h"
#import "Source/common/SantaVnode.h"
#include "Source/santad/EventProviders/EndpointSecurity/EndpointSecurityAPI.h"
namespace santa::santad::event_providers {
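Review bot: this header now mixes `#import` and `#include` for project headers within one block (`#include "Source/common/SantaCache.h"` sits between the `#import`s of SNTCommonEnums.h and SantaVnode.h); since the new `SantaVnode.h` line is being added anyway, pick one directive for all project headers here so the block reads consistently.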
@@ -49,20 +50,20 @@ class AuthResultCache {
AuthResultCache(const AuthResultCache &other) = delete;
AuthResultCache &operator=(const AuthResultCache &other) = delete;
virtual bool AddToCache(const es_file_t *es_file, santa_action_t decision);
virtual bool AddToCache(const es_file_t *es_file, SNTAction decision);
virtual void RemoveFromCache(const es_file_t *es_file);
virtual santa_action_t CheckCache(const es_file_t *es_file);
virtual santa_action_t CheckCache(santa_vnode_id_t vnode_id);
virtual SNTAction CheckCache(const es_file_t *es_file);
virtual SNTAction CheckCache(SantaVnode vnode_id);
virtual void FlushCache(FlushCacheMode mode);
virtual NSArray<NSNumber *> *CacheCounts();
private:
virtual SantaCache<santa_vnode_id_t, uint64_t> *CacheForVnodeID(santa_vnode_id_t vnode_id);
virtual SantaCache<SantaVnode, uint64_t> *CacheForVnodeID(SantaVnode vnode_id);
SantaCache<santa_vnode_id_t, uint64_t> *root_cache_;
SantaCache<santa_vnode_id_t, uint64_t> *nonroot_cache_;
SantaCache<SantaVnode, uint64_t> *root_cache_;
SantaCache<SantaVnode, uint64_t> *nonroot_cache_;
std::shared_ptr<santa::santad::event_providers::endpoint_security::EndpointSecurityAPI> esapi_;
uint64_t root_devno_;
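Review bot: `root_cache_` and `nonroot_cache_` stay raw pointers that are `new`ed in the constructor and `delete`d in the destructor; since both declarations are being rewritten for the `SantaVnode` key type, this is the moment to make them `std::unique_ptr<SantaCache<SantaVnode, uint64_t>>` and drop the manual delete (copy construction and assignment are already deleted, so nothing else changes). Also worth checking: the header only imports `SantaVnode.h`, while the `SantaCacheHasher<SantaVnode>` specialization that `SantaCache<SantaVnode, ...>` needs is imported from `SantaVnodeHash.h` in the .mm alone; that is fine as long as no other translation unit instantiates `SantaCache` methods on this key type.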

View File

@@ -19,37 +19,25 @@
#include <time.h>
#import "Source/common/SNTLogging.h"
#import "Source/common/SantaVnodeHash.h"
#include "Source/santad/EventProviders/EndpointSecurity/Client.h"
using santa::santad::event_providers::endpoint_security::Client;
using santa::santad::event_providers::endpoint_security::EndpointSecurityAPI;
template <>
uint64_t SantaCacheHasher<santa_vnode_id_t>(santa_vnode_id_t const &t) {
return (SantaCacheHasher<uint64_t>(t.fsid) << 1) ^ SantaCacheHasher<uint64_t>(t.fileid);
}
namespace santa::santad::event_providers {
static inline santa_vnode_id_t VnodeForFile(const es_file_t *es_file) {
return santa_vnode_id_t{
.fsid = (uint64_t)es_file->stat.st_dev,
.fileid = es_file->stat.st_ino,
};
}
static inline uint64_t GetCurrentUptime() {
return clock_gettime_nsec_np(CLOCK_MONOTONIC);
}
// Decision is stored in upper 8 bits, timestamp in remaining 56.
static inline uint64_t CacheableAction(santa_action_t action,
uint64_t timestamp = GetCurrentUptime()) {
static inline uint64_t CacheableAction(SNTAction action, uint64_t timestamp = GetCurrentUptime()) {
return ((uint64_t)action << 56) | (timestamp & 0xFFFFFFFFFFFFFF);
}
static inline santa_action_t ActionFromCachedValue(uint64_t cachedValue) {
return (santa_action_t)(cachedValue >> 56);
static inline SNTAction ActionFromCachedValue(uint64_t cachedValue) {
return (SNTAction)(cachedValue >> 56);
}
static inline uint64_t TimestampFromCachedValue(uint64_t cachedValue) {
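Review bot: `CacheableAction` now casts an `SNTAction` with `(uint64_t)action << 56`, and the comment above it promises the decision fits in the upper 8 bits, but nothing enforces that; an enumerator above 255 would be silently truncated on the way in and read back as a different action by `ActionFromCachedValue`. A `static_assert` on the largest enumerator, or an explicit `& 0xFF` on the action before the shift together with a comment, would pin the invariant down. The removal of the local `SantaCacheHasher<santa_vnode_id_t>` specialization and `VnodeForFile` in favour of `SantaVnodeHash.h` and `SantaVnode::VnodeForFile` is a clean consolidation.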
@@ -59,8 +47,8 @@ static inline uint64_t TimestampFromCachedValue(uint64_t cachedValue) {
AuthResultCache::AuthResultCache(std::shared_ptr<EndpointSecurityAPI> esapi,
uint64_t cache_deny_time_ms)
: esapi_(esapi), cache_deny_time_ns_(cache_deny_time_ms * NSEC_PER_MSEC) {
root_cache_ = new SantaCache<santa_vnode_id_t, uint64_t>();
nonroot_cache_ = new SantaCache<santa_vnode_id_t, uint64_t>();
root_cache_ = new SantaCache<SantaVnode, uint64_t>();
nonroot_cache_ = new SantaCache<SantaVnode, uint64_t>();
struct stat sb;
if (stat("/", &sb) == 0) {
@@ -78,17 +66,17 @@ AuthResultCache::~AuthResultCache() {
delete nonroot_cache_;
}
bool AuthResultCache::AddToCache(const es_file_t *es_file, santa_action_t decision) {
santa_vnode_id_t vnode_id = VnodeForFile(es_file);
SantaCache<santa_vnode_id_t, uint64_t> *cache = CacheForVnodeID(vnode_id);
bool AuthResultCache::AddToCache(const es_file_t *es_file, SNTAction decision) {
SantaVnode vnode_id = SantaVnode::VnodeForFile(es_file);
SantaCache<SantaVnode, uint64_t> *cache = CacheForVnodeID(vnode_id);
switch (decision) {
case ACTION_REQUEST_BINARY:
return cache->set(vnode_id, CacheableAction(ACTION_REQUEST_BINARY, 0), 0);
case ACTION_RESPOND_ALLOW: OS_FALLTHROUGH;
case ACTION_RESPOND_ALLOW_COMPILER: OS_FALLTHROUGH;
case ACTION_RESPOND_DENY:
case SNTActionRequestBinary:
return cache->set(vnode_id, CacheableAction(SNTActionRequestBinary, 0), 0);
case SNTActionRespondAllow: OS_FALLTHROUGH;
case SNTActionRespondAllowCompiler: OS_FALLTHROUGH;
case SNTActionRespondDeny:
return cache->set(vnode_id, CacheableAction(decision),
CacheableAction(ACTION_REQUEST_BINARY, 0));
CacheableAction(SNTActionRequestBinary, 0));
default:
// This is a programming error. Bail.
LOGE(@"Invalid cache value, exiting.");
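Review bot: the third argument to `cache->set(...)` in the `SNTActionRespondAllow`/`SNTActionRespondAllowCompiler`/`SNTActionRespondDeny` branch, `CacheableAction(SNTActionRequestBinary, 0)`, is the expected current value, which is what makes a respond decision land only when the entry is already in the RequestBinary state (the test at the bottom of this change relies on exactly that); a one-line comment on that call would spare the next reader from having to infer compare-and-set semantics from the test. For the `SNTActionRequestBinary` case the expected value `0` likewise means "only insert if absent", which is why re-adding returns false.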
@@ -97,37 +85,36 @@ bool AuthResultCache::AddToCache(const es_file_t *es_file, santa_action_t decisi
}
void AuthResultCache::RemoveFromCache(const es_file_t *es_file) {
santa_vnode_id_t vnode_id = VnodeForFile(es_file);
SantaVnode vnode_id = SantaVnode::VnodeForFile(es_file);
CacheForVnodeID(vnode_id)->remove(vnode_id);
}
santa_action_t AuthResultCache::CheckCache(const es_file_t *es_file) {
return CheckCache(VnodeForFile(es_file));
SNTAction AuthResultCache::CheckCache(const es_file_t *es_file) {
return CheckCache(SantaVnode::VnodeForFile(es_file));
}
santa_action_t AuthResultCache::CheckCache(santa_vnode_id_t vnode_id) {
SantaCache<santa_vnode_id_t, uint64_t> *cache = CacheForVnodeID(vnode_id);
SNTAction AuthResultCache::CheckCache(SantaVnode vnode_id) {
SantaCache<SantaVnode, uint64_t> *cache = CacheForVnodeID(vnode_id);
uint64_t cached_val = cache->get(vnode_id);
if (cached_val == 0) {
return ACTION_UNSET;
return SNTActionUnset;
}
santa_action_t result = ActionFromCachedValue(cached_val);
SNTAction result = ActionFromCachedValue(cached_val);
if (result == ACTION_RESPOND_DENY) {
if (result == SNTActionRespondDeny) {
uint64_t expiry_time = TimestampFromCachedValue(cached_val) + cache_deny_time_ns_;
if (expiry_time < GetCurrentUptime()) {
cache->remove(vnode_id);
return ACTION_UNSET;
return SNTActionUnset;
}
}
return result;
}
SantaCache<santa_vnode_id_t, uint64_t> *AuthResultCache::CacheForVnodeID(
santa_vnode_id_t vnode_id) {
SantaCache<SantaVnode, uint64_t> *AuthResultCache::CacheForVnodeID(SantaVnode vnode_id) {
return (vnode_id.fsid == root_devno_ || root_devno_ == 0) ? root_cache_ : nonroot_cache_;
}
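Review bot: in `CheckCache(SantaVnode)` the expired-deny path calls `cache->remove(vnode_id)` unconditionally after having read `cached_val` earlier; on a concurrently updated cache this can drop an entry that another thread replaced between the `get` and the `remove`. If `SantaCache` offers a conditional remove (compare against `cached_val`), that would close the window; otherwise a comment noting the accepted race keeps the behaviour explicit. The rest of the hunk is a mechanical `santa_action_t` to `SNTAction` and `santa_vnode_id_t` to `SantaVnode` rename and reads fine.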

View File

@@ -22,7 +22,7 @@
#include <memory>
#include "Source/common/SNTCommon.h"
#include "Source/common/SantaVnode.h"
#include "Source/common/TestUtils.h"
#include "Source/santad/EventProviders/AuthResultCache.h"
#include "Source/santad/EventProviders/EndpointSecurity/MockEndpointSecurityAPI.h"
@@ -47,13 +47,6 @@ static inline es_file_t MakeCacheableFile(uint64_t devno, uint64_t ino) {
.path = {}, .path_truncated = false, .stat = {.st_dev = (dev_t)devno, .st_ino = ino}};
}
static inline santa_vnode_id_t VnodeForFile(const es_file_t *es_file) {
return santa_vnode_id_t{
.fsid = (uint64_t)es_file->stat.st_dev,
.fileid = es_file->stat.st_ino,
};
}
static inline void AssertCacheCounts(std::shared_ptr<AuthResultCache> cache, uint64_t root_count,
uint64_t nonroot_count) {
NSArray<NSNumber *> *counts = cache->CacheCounts();
@@ -86,33 +79,33 @@ static inline void AssertCacheCounts(std::shared_ptr<AuthResultCache> cache, uin
es_file_t nonrootFile = MakeCacheableFile(RootDevno() + 123, 222);
// Add the root file to the cache
cache->AddToCache(&rootFile, ACTION_REQUEST_BINARY);
cache->AddToCache(&rootFile, SNTActionRequestBinary);
AssertCacheCounts(cache, 1, 0);
XCTAssertEqual(cache->CheckCache(&rootFile), ACTION_REQUEST_BINARY);
XCTAssertEqual(cache->CheckCache(&nonrootFile), ACTION_UNSET);
XCTAssertEqual(cache->CheckCache(&rootFile), SNTActionRequestBinary);
XCTAssertEqual(cache->CheckCache(&nonrootFile), SNTActionUnset);
// Now add the non-root file
cache->AddToCache(&nonrootFile, ACTION_REQUEST_BINARY);
cache->AddToCache(&nonrootFile, SNTActionRequestBinary);
AssertCacheCounts(cache, 1, 1);
XCTAssertEqual(cache->CheckCache(&rootFile), ACTION_REQUEST_BINARY);
XCTAssertEqual(cache->CheckCache(&nonrootFile), ACTION_REQUEST_BINARY);
XCTAssertEqual(cache->CheckCache(&rootFile), SNTActionRequestBinary);
XCTAssertEqual(cache->CheckCache(&nonrootFile), SNTActionRequestBinary);
// Update the cached values
cache->AddToCache(&rootFile, ACTION_RESPOND_ALLOW);
cache->AddToCache(&nonrootFile, ACTION_RESPOND_DENY);
cache->AddToCache(&rootFile, SNTActionRespondAllow);
cache->AddToCache(&nonrootFile, SNTActionRespondDeny);
AssertCacheCounts(cache, 1, 1);
XCTAssertEqual(cache->CheckCache(VnodeForFile(&rootFile)), ACTION_RESPOND_ALLOW);
XCTAssertEqual(cache->CheckCache(VnodeForFile(&nonrootFile)), ACTION_RESPOND_DENY);
XCTAssertEqual(cache->CheckCache(SantaVnode::VnodeForFile(&rootFile)), SNTActionRespondAllow);
XCTAssertEqual(cache->CheckCache(SantaVnode::VnodeForFile(&nonrootFile)), SNTActionRespondDeny);
// Remove the root file
cache->RemoveFromCache(&rootFile);
AssertCacheCounts(cache, 0, 1);
XCTAssertEqual(cache->CheckCache(&rootFile), ACTION_UNSET);
XCTAssertEqual(cache->CheckCache(&nonrootFile), ACTION_RESPOND_DENY);
XCTAssertEqual(cache->CheckCache(&rootFile), SNTActionUnset);
XCTAssertEqual(cache->CheckCache(&nonrootFile), SNTActionRespondDeny);
}
- (void)testFlushCache {
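Review bot: `AddToCache` returns a bool, but every call in this test body discards it (`cache->AddToCache(&rootFile, SNTActionRequestBinary);` and the later respond updates); wrapping them in `XCTAssertTrue` would make a failed insert fail at the line that caused it rather than surfacing only as a later `CheckCache` mismatch. The switch from the removed local `VnodeForFile` helper to `SantaVnode::VnodeForFile` at the two vnode-based `CheckCache` assertions is correct.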
@@ -122,8 +115,8 @@ static inline void AssertCacheCounts(std::shared_ptr<AuthResultCache> cache, uin
es_file_t rootFile = MakeCacheableFile(RootDevno(), 111);
es_file_t nonrootFile = MakeCacheableFile(RootDevno() + 123, 111);
cache->AddToCache(&rootFile, ACTION_REQUEST_BINARY);
cache->AddToCache(&nonrootFile, ACTION_REQUEST_BINARY);
cache->AddToCache(&rootFile, SNTActionRequestBinary);
cache->AddToCache(&nonrootFile, SNTActionRequestBinary);
AssertCacheCounts(cache, 1, 1);
@@ -133,7 +126,7 @@ static inline void AssertCacheCounts(std::shared_ptr<AuthResultCache> cache, uin
AssertCacheCounts(cache, 1, 0);
// Add back the non-root file
cache->AddToCache(&nonrootFile, ACTION_REQUEST_BINARY);
cache->AddToCache(&nonrootFile, SNTActionRequestBinary);
AssertCacheCounts(cache, 1, 1);
@@ -162,33 +155,33 @@ static inline void AssertCacheCounts(std::shared_ptr<AuthResultCache> cache, uin
es_file_t rootFile = MakeCacheableFile(RootDevno(), 111);
// Cached items must first be in the ACTION_REQUEST_BINARY state
XCTAssertFalse(cache->AddToCache(&rootFile, ACTION_RESPOND_ALLOW));
XCTAssertFalse(cache->AddToCache(&rootFile, ACTION_RESPOND_ALLOW_COMPILER));
XCTAssertFalse(cache->AddToCache(&rootFile, ACTION_RESPOND_DENY));
XCTAssertEqual(cache->CheckCache(&rootFile), ACTION_UNSET);
// Cached items must first be in the SNTActionRequestBinary state
XCTAssertFalse(cache->AddToCache(&rootFile, SNTActionRespondAllow));
XCTAssertFalse(cache->AddToCache(&rootFile, SNTActionRespondAllowCompiler));
XCTAssertFalse(cache->AddToCache(&rootFile, SNTActionRespondDeny));
XCTAssertEqual(cache->CheckCache(&rootFile), SNTActionUnset);
XCTAssertTrue(cache->AddToCache(&rootFile, ACTION_REQUEST_BINARY));
XCTAssertEqual(cache->CheckCache(&rootFile), ACTION_REQUEST_BINARY);
XCTAssertTrue(cache->AddToCache(&rootFile, SNTActionRequestBinary));
XCTAssertEqual(cache->CheckCache(&rootFile), SNTActionRequestBinary);
// Items in the `ACTION_REQUEST_BINARY` state cannot reenter the same state
XCTAssertFalse(cache->AddToCache(&rootFile, ACTION_REQUEST_BINARY));
XCTAssertEqual(cache->CheckCache(&rootFile), ACTION_REQUEST_BINARY);
// Items in the `SNTActionRequestBinary` state cannot reenter the same state
XCTAssertFalse(cache->AddToCache(&rootFile, SNTActionRequestBinary));
XCTAssertEqual(cache->CheckCache(&rootFile), SNTActionRequestBinary);
santa_action_t allowed_transitions[] = {
ACTION_RESPOND_ALLOW,
ACTION_RESPOND_ALLOW_COMPILER,
ACTION_RESPOND_DENY,
SNTAction allowed_transitions[] = {
SNTActionRespondAllow,
SNTActionRespondAllowCompiler,
SNTActionRespondDeny,
};
for (size_t i = 0; i < sizeof(allowed_transitions) / sizeof(allowed_transitions[0]); i++) {
// First make sure the item doesn't exist
cache->RemoveFromCache(&rootFile);
XCTAssertEqual(cache->CheckCache(&rootFile), ACTION_UNSET);
XCTAssertEqual(cache->CheckCache(&rootFile), SNTActionUnset);
// Now add the item to be in the first allowed state
XCTAssertTrue(cache->AddToCache(&rootFile, ACTION_REQUEST_BINARY));
XCTAssertEqual(cache->CheckCache(&rootFile), ACTION_REQUEST_BINARY);
XCTAssertTrue(cache->AddToCache(&rootFile, SNTActionRequestBinary));
XCTAssertEqual(cache->CheckCache(&rootFile), SNTActionRequestBinary);
// Now assert the allowed transition
XCTAssertTrue(cache->AddToCache(&rootFile, allowed_transitions[i]));
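Review bot: the loop ending at `XCTAssertTrue(cache->AddToCache(&rootFile, allowed_transitions[i]));` only exercises transitions out of `SNTActionRequestBinary`; nothing in this hunk asserts that a terminal state rejects further updates (for example `SNTActionRespondAllow` -> `SNTActionRespondDeny`, or a terminal state back to `SNTActionRequestBinary`). Since the comment `// Cached items must first be in the SNTActionRequestBinary state` states the invariant, add `XCTAssertFalse` cases for those edges so a regression in the state machine is caught here rather than in the authorizer.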
@@ -204,12 +197,12 @@ static inline void AssertCacheCounts(std::shared_ptr<AuthResultCache> cache, uin
es_file_t rootFile = MakeCacheableFile(RootDevno(), 111);
// Add a file to the cache and put into the ACTION_RESPOND_DENY state
XCTAssertTrue(cache->AddToCache(&rootFile, ACTION_REQUEST_BINARY));
XCTAssertTrue(cache->AddToCache(&rootFile, ACTION_RESPOND_DENY));
// Add a file to the cache and put into the SNTActionRespondDeny state
XCTAssertTrue(cache->AddToCache(&rootFile, SNTActionRequestBinary));
XCTAssertTrue(cache->AddToCache(&rootFile, SNTActionRespondDeny));
// Ensure the file exists
XCTAssertEqual(cache->CheckCache(&rootFile), ACTION_RESPOND_DENY);
XCTAssertEqual(cache->CheckCache(&rootFile), SNTActionRespondDeny);
// Wait for the item to expire
SleepMS(expiryMS);
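Review bot: `SleepMS(expiryMS);` sleeps exactly the expiry interval, so the assertion that follows (the entry is gone on the next `CheckCache`) depends on whether the cache compares age with `>=` or `>` and on scheduler jitter; sleep for a small margin beyond `expiryMS`, or inject a clock into the cache, to keep this test from being flaky on a loaded CI host.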
@@ -218,7 +211,7 @@ static inline void AssertCacheCounts(std::shared_ptr<AuthResultCache> cache, uin
AssertCacheCounts(cache, 1, 0);
// Now check the cache, which will remove the item
XCTAssertEqual(cache->CheckCache(&rootFile), ACTION_UNSET);
XCTAssertEqual(cache->CheckCache(&rootFile), SNTActionUnset);
AssertCacheCounts(cache, 0, 0);
}

View File

@@ -19,7 +19,9 @@
#import <Foundation/Foundation.h>
#include <set>
#include <string_view>
#include "Source/santad/DataLayer/WatchItemPolicy.h"
#include "Source/santad/EventProviders/EndpointSecurity/Client.h"
#include "Source/santad/EventProviders/EndpointSecurity/Message.h"
@@ -32,12 +34,26 @@ class EndpointSecurityAPI : public std::enable_shared_from_this<EndpointSecurity
virtual Client NewClient(void (^message_handler)(es_client_t *, Message));
virtual bool Subscribe(const Client &client, const std::set<es_event_type_t> &);
virtual bool UnsubscribeAll(const Client &client);
virtual es_message_t *RetainMessage(const es_message_t *msg);
virtual void ReleaseMessage(es_message_t *msg);
virtual bool UnmuteAllPaths(const Client &client);
virtual bool UnmuteAllTargetPaths(const Client &client);
virtual bool IsTargetPathMutingInverted(const Client &client);
virtual bool InvertTargetPathMuting(const Client &client);
virtual bool MuteTargetPath(const Client &client, std::string_view path,
santa::santad::data_layer::WatchItemPathType path_type);
virtual bool UnmuteTargetPath(const Client &client, std::string_view path,
santa::santad::data_layer::WatchItemPathType path_type);
virtual void RetainMessage(const es_message_t *msg);
virtual void ReleaseMessage(const es_message_t *msg);
virtual bool RespondAuthResult(const Client &client, const Message &msg, es_auth_result_t result,
bool cache);
virtual bool RespondFlagsResult(const Client &client, const Message &msg, uint32_t allowed_flags,
bool cache);
virtual bool MuteProcess(const Client &client, const audit_token_t *tok);
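Review bot: the new declarations `UnmuteAllTargetPaths`, `IsTargetPathMutingInverted`, `InvertTargetPathMuting`, `MuteTargetPath` and `UnmuteTargetPath` give callers no hint that they depend on macOS 13; the implementations return `false` from `MuteTargetPath`/`InvertTargetPathMuting` but `true` from `UnmuteTargetPath`/`UnmuteAllTargetPaths` on older systems. Document that contract on the declarations so a caller can distinguish a real failure from "unsupported on this OS" and does not treat a silently skipped mute as applied.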
@@ -45,6 +61,12 @@ class EndpointSecurityAPI : public std::enable_shared_from_this<EndpointSecurity
virtual uint32_t ExecArgCount(const es_event_exec_t *event);
virtual es_string_token_t ExecArg(const es_event_exec_t *event, uint32_t index);
virtual uint32_t ExecEnvCount(const es_event_exec_t *event);
virtual es_string_token_t ExecEnv(const es_event_exec_t *event, uint32_t index);
virtual uint32_t ExecFDCount(const es_event_exec_t *event);
virtual const es_fd_t *ExecFD(const es_event_exec_t *event, uint32_t index);
};
} // namespace santa::santad::event_providers::endpoint_security

View File

@@ -13,11 +13,14 @@
/// limitations under the License.
#include "Source/santad/EventProviders/EndpointSecurity/EndpointSecurityAPI.h"
#include <EndpointSecurity/ESTypes.h>
#include <set>
#include <vector>
#include "Source/common/Platform.h"
using santa::santad::data_layer::WatchItemPathType;
namespace santa::santad::event_providers::endpoint_security {
Client EndpointSecurityAPI::NewClient(void (^message_handler)(es_client_t *, Message)) {
@@ -33,28 +36,12 @@ Client EndpointSecurityAPI::NewClient(void (^message_handler)(es_client_t *, Mes
return Client(client, res);
}
es_message_t *EndpointSecurityAPI::RetainMessage(const es_message_t *msg) {
if (@available(macOS 11.0, *)) {
es_retain_message(msg);
es_message_t *nonconst = const_cast<es_message_t *>(msg);
return nonconst;
} else {
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wdeprecated-declarations"
return es_copy_message(msg);
#pragma clang diagnostic pop
}
void EndpointSecurityAPI::RetainMessage(const es_message_t *msg) {
es_retain_message(msg);
}
void EndpointSecurityAPI::ReleaseMessage(es_message_t *msg) {
if (@available(macOS 11.0, *)) {
es_release_message(msg);
} else {
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wdeprecated-declarations"
return es_free_message(msg);
#pragma clang diagnostic pop
}
void EndpointSecurityAPI::ReleaseMessage(const es_message_t *msg) {
es_release_message(msg);
}
bool EndpointSecurityAPI::Subscribe(const Client &client,
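Review bot: removing the `@available(macOS 11.0, *)` branches around `es_copy_message`/`es_free_message` makes macOS 11 the hard floor for `RetainMessage`/`ReleaseMessage`, which is reasonable but should be reflected in the deployment target and release notes; `ExecFDCount`/`ExecFD` later in this same file still carry `@available(macOS 11.0, *)` guards that are now dead code. Either keep the 10.15 fallback everywhere or remove the remaining guards as well, so the file implies one minimum OS version.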
@@ -63,11 +50,87 @@ bool EndpointSecurityAPI::Subscribe(const Client &client,
return es_subscribe(client.Get(), subs.data(), (uint32_t)subs.size()) == ES_RETURN_SUCCESS;
}
bool EndpointSecurityAPI::UnsubscribeAll(const Client &client) {
return es_unsubscribe_all(client.Get()) == ES_RETURN_SUCCESS;
}
bool EndpointSecurityAPI::UnmuteAllPaths(const Client &client) {
return es_unmute_all_paths(client.Get()) == ES_RETURN_SUCCESS;
}
bool EndpointSecurityAPI::UnmuteAllTargetPaths(const Client &client) {
#if HAVE_MACOS_13
if (@available(macOS 13.0, *)) {
return es_unmute_all_target_paths(client.Get()) == ES_RETURN_SUCCESS;
}
#endif
return true;
}
bool EndpointSecurityAPI::IsTargetPathMutingInverted(const Client &client) {
#if HAVE_MACOS_13
if (@available(macOS 13.0, *)) {
return es_muting_inverted(client.Get(), ES_MUTE_INVERSION_TYPE_TARGET_PATH) == ES_MUTE_INVERTED;
}
#endif
return false;
}
bool EndpointSecurityAPI::InvertTargetPathMuting(const Client &client) {
#if HAVE_MACOS_13
if (@available(macOS 13.0, *)) {
if (!IsTargetPathMutingInverted(client)) {
return es_invert_muting(client.Get(), ES_MUTE_INVERSION_TYPE_TARGET_PATH) ==
ES_RETURN_SUCCESS;
} else {
return true;
}
}
#endif
return false;
}
bool EndpointSecurityAPI::MuteTargetPath(const Client &client, std::string_view path,
WatchItemPathType path_type) {
#if HAVE_MACOS_13
if (@available(macOS 13.0, *)) {
return es_mute_path(client.Get(), path.data(),
path_type == WatchItemPathType::kPrefix
? ES_MUTE_PATH_TYPE_TARGET_PREFIX
: ES_MUTE_PATH_TYPE_TARGET_LITERAL) == ES_RETURN_SUCCESS;
}
#endif
return false;
}
bool EndpointSecurityAPI::UnmuteTargetPath(const Client &client, std::string_view path,
WatchItemPathType path_type) {
#if HAVE_MACOS_13
if (@available(macOS 13.0, *)) {
return es_unmute_path(client.Get(), path.data(),
path_type == WatchItemPathType::kPrefix
? ES_MUTE_PATH_TYPE_TARGET_PREFIX
: ES_MUTE_PATH_TYPE_TARGET_LITERAL) == ES_RETURN_SUCCESS;
}
#endif
return true;
}
bool EndpointSecurityAPI::RespondAuthResult(const Client &client, const Message &msg,
es_auth_result_t result, bool cache) {
return es_respond_auth_result(client.Get(), &(*msg), result, cache) == ES_RESPOND_RESULT_SUCCESS;
}
bool EndpointSecurityAPI::RespondFlagsResult(const Client &client, const Message &msg,
uint32_t allowed_flags, bool cache) {
return es_respond_flags_result(client.Get(), &(*msg), allowed_flags, cache);
}
bool EndpointSecurityAPI::MuteProcess(const Client &client, const audit_token_t *tok) {
return es_mute_process(client.Get(), tok) == ES_RETURN_SUCCESS;
}
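Review bot: `RespondFlagsResult` returns the raw `es_respond_flags_result(...)` value as a `bool`; `ES_RESPOND_RESULT_SUCCESS` is 0, so this reports `false` on success and `true` on every error, the opposite of `RespondAuthResult` directly above it. Compare against `ES_RESPOND_RESULT_SUCCESS` as that function does. Separately, `MuteTargetPath`/`UnmuteTargetPath` pass `path.data()` from a `std::string_view` to `es_mute_path`/`es_unmute_path`, which expect a NUL-terminated C string; a view into a larger buffer is not guaranteed to be terminated, so take `const std::string &` or copy into a `std::string` before the call.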
@@ -84,4 +147,28 @@ es_string_token_t EndpointSecurityAPI::ExecArg(const es_event_exec_t *event, uin
return es_exec_arg(event, index);
}
uint32_t EndpointSecurityAPI::ExecEnvCount(const es_event_exec_t *event) {
return es_exec_env_count(event);
}
es_string_token_t EndpointSecurityAPI::ExecEnv(const es_event_exec_t *event, uint32_t index) {
return es_exec_env(event, index);
}
uint32_t EndpointSecurityAPI::ExecFDCount(const es_event_exec_t *event) {
if (@available(macOS 11.0, *)) {
return es_exec_fd_count(event);
} else {
return 0;
}
}
const es_fd_t *EndpointSecurityAPI::ExecFD(const es_event_exec_t *event, uint32_t index) {
if (@available(macOS 11.0, *)) {
return es_exec_fd(event, index);
} else {
return NULL;
}
}
} // namespace santa::santad::event_providers::endpoint_security
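Review bot: `ExecFDCount`/`ExecFD` still guard with `@available(macOS 11.0, *)` and fall back to `0`/`NULL`, while `RetainMessage` earlier in this file now calls `es_retain_message` unconditionally, which only exists from macOS 11. One of the two is wrong about the supported floor; if macOS 11 is the minimum, drop these guards, otherwise the retain/release fallback needs to come back.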

View File

@@ -20,7 +20,6 @@
#define SANTA__SANTAD__EVENTPROVIDERS_ENDPOINTSECURITY_ENRICHEDTYPES_H
#include <time.h>
#include <uuid/uuid.h>
#include <optional>
#include <string>
@@ -32,6 +31,9 @@ namespace santa::santad::event_providers::endpoint_security {
class EnrichedFile {
public:
EnrichedFile()
: user_(std::nullopt), group_(std::nullopt), hash_(std::nullopt) {}
EnrichedFile(std::optional<std::shared_ptr<std::string>> &&user,
std::optional<std::shared_ptr<std::string>> &&group,
std::optional<std::shared_ptr<std::string>> &&hash)
@@ -39,6 +41,20 @@ class EnrichedFile {
group_(std::move(group)),
hash_(std::move(hash)) {}
EnrichedFile(EnrichedFile &&other)
: user_(std::move(other.user_)),
group_(std::move(other.group_)),
hash_(std::move(other.hash_)) {}
EnrichedFile(const EnrichedFile &other) = delete;
const std::optional<std::shared_ptr<std::string>> &user() const {
return user_;
}
const std::optional<std::shared_ptr<std::string>> &group() const {
return group_;
}
private:
std::optional<std::shared_ptr<std::string>> user_;
std::optional<std::shared_ptr<std::string>> group_;
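Review bot: the hand-written move constructor `EnrichedFile(EnrichedFile &&other)` is member-wise and identical to what `= default` would generate, and the same pattern is repeated for every `Enriched*` class in this file; `EnrichedFile(EnrichedFile &&) = default;` is less to keep in sync when a field is added (a new member omitted from the initializer list here would be left default-constructed without any compiler diagnostic). The explicit `std::nullopt` initializers in the default constructor above are likewise redundant, since `std::optional` default-constructs to empty.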
@@ -47,6 +63,12 @@ class EnrichedFile {
class EnrichedProcess {
public:
EnrichedProcess()
: effective_user_(std::nullopt),
effective_group_(std::nullopt),
real_user_(std::nullopt),
real_group_(std::nullopt) {}
EnrichedProcess(std::optional<std::shared_ptr<std::string>> &&effective_user,
std::optional<std::shared_ptr<std::string>> &&effective_group,
std::optional<std::shared_ptr<std::string>> &&real_user,
@@ -58,12 +80,28 @@ class EnrichedProcess {
real_group_(std::move(real_group)),
executable_(std::move(executable)) {}
EnrichedProcess(EnrichedProcess &&other)
: effective_user_(std::move(other.effective_user_)),
effective_group_(std::move(other.effective_group_)),
real_user_(std::move(other.real_user_)),
real_group_(std::move(other.real_group_)),
executable_(std::move(other.executable_)) {}
EnrichedProcess(const EnrichedProcess &other) = delete;
const std::optional<std::shared_ptr<std::string>> &effective_user() const {
return effective_user_;
}
const std::optional<std::shared_ptr<std::string>> &effective_group() const {
return effective_group_;
}
const std::optional<std::shared_ptr<std::string>> &real_user() const {
return real_user_;
}
const std::optional<std::shared_ptr<std::string>> &real_group() const {
return real_group_;
}
const EnrichedFile &executable() const { return executable_; }
private:
std::optional<std::shared_ptr<std::string>> effective_user_;
@@ -76,21 +114,30 @@ class EnrichedProcess {
class EnrichedEventType {
public:
EnrichedEventType(Message &&es_msg, EnrichedProcess &&instigator)
: es_msg_(std::move(es_msg)), instigator_(std::move(instigator)) {}
: es_msg_(std::move(es_msg)), instigator_(std::move(instigator)) {
clock_gettime(CLOCK_REALTIME, &enrichment_time_);
}
EnrichedEventType(EnrichedEventType &&other)
: es_msg_(std::move(other.es_msg_)),
instigator_(std::move(other.instigator_)) {}
instigator_(std::move(other.instigator_)),
enrichment_time_(std::move(other.enrichment_time_)) {}
EnrichedEventType(const EnrichedEventType &other) = delete;
virtual ~EnrichedEventType() = default;
const es_message_t &es_msg() const { return *es_msg_; }
const EnrichedProcess &instigator() const { return instigator_; }
struct timespec enrichment_time() const {
// No reason to return a reference
return enrichment_time_;
}
private:
Message es_msg_;
EnrichedProcess instigator_;
struct timespec enrichment_time_;
};
class EnrichedClose : public EnrichedEventType {
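Review bot: `clock_gettime(CLOCK_REALTIME, &enrichment_time_)` in the `EnrichedEventType` constructor is the right clock if `enrichment_time()` is emitted in logs next to the event's own timestamp, but it is subject to wall-clock adjustments, so it must not be used to compute processing latency against an earlier stamp; if that is intended, take `CLOCK_MONOTONIC` as well. Minor: `std::move(other.enrichment_time_)` on a `struct timespec` is a plain copy and reads as if something non-trivial were happening.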
@@ -100,6 +147,14 @@ class EnrichedClose : public EnrichedEventType {
: EnrichedEventType(std::move(es_msg), std::move(instigator)),
target_(std::move(target)) {}
EnrichedClose(EnrichedClose &&other)
: EnrichedEventType(std::move(other)),
target_(std::move(other.target_)) {}
EnrichedClose(const EnrichedClose &other) = delete;
const EnrichedFile &target() const { return target_; }
private:
EnrichedFile target_;
};
@@ -112,6 +167,16 @@ class EnrichedExchange : public EnrichedEventType {
file1_(std::move(file1)),
file2_(std::move(file2)) {}
EnrichedExchange(EnrichedExchange &&other)
: EnrichedEventType(std::move(other)),
file1_(std::move(other.file1_)),
file2_(std::move(other.file2_)) {}
EnrichedExchange(const EnrichedExchange &other) = delete;
const EnrichedFile &file1() const { return file1_; }
const EnrichedFile &file2() const { return file2_; }
private:
EnrichedFile file1_;
EnrichedFile file2_;
@@ -127,6 +192,20 @@ class EnrichedExec : public EnrichedEventType {
script_(std::move(script)),
working_dir_(std::move(working_dir)) {}
EnrichedExec(EnrichedExec &&other)
: EnrichedEventType(std::move(other)),
target_(std::move(other.target_)),
script_(std::move(other.script_)),
working_dir_(std::move(other.working_dir_)) {}
EnrichedExec(const EnrichedExec &other) = delete;
const EnrichedProcess &target() const { return target_; }
const std::optional<EnrichedFile> &script() const { return script_; }
const std::optional<EnrichedFile> &working_dir() const {
return working_dir_;
}
private:
EnrichedProcess target_;
std::optional<EnrichedFile> script_;
@@ -137,17 +216,28 @@ class EnrichedExit : public EnrichedEventType {
public:
EnrichedExit(Message &&es_msg, EnrichedProcess &&instigator)
: EnrichedEventType(std::move(es_msg), std::move(instigator)) {}
EnrichedExit(EnrichedExit &&other) : EnrichedEventType(std::move(other)) {}
EnrichedExit(const EnrichedExit &other) = delete;
};
class EnrichedFork : public EnrichedEventType {
public:
EnrichedFork(Message &&es_msg, EnrichedProcess &&instigator,
EnrichedProcess &&target)
EnrichedProcess &&child)
: EnrichedEventType(std::move(es_msg), std::move(instigator)),
target_(std::move(target)) {}
child_(std::move(child)) {}
EnrichedFork(EnrichedFork &&other)
: EnrichedEventType(std::move(other)), child_(std::move(other.child_)) {}
EnrichedFork(const EnrichedFork &other) = delete;
const EnrichedProcess &child() const { return child_; }
private:
EnrichedProcess target_;
EnrichedProcess child_;
};
class EnrichedLink : public EnrichedEventType {
@@ -158,6 +248,15 @@ class EnrichedLink : public EnrichedEventType {
source_(std::move(source)),
target_dir_(std::move(target_dir)) {}
EnrichedLink(EnrichedLink &&other)
: EnrichedEventType(std::move(other)),
source_(std::move(other.source_)),
target_dir_(std::move(other.target_dir_)) {}
EnrichedLink(const EnrichedLink &other) = delete;
const EnrichedFile &source() const { return source_; }
private:
EnrichedFile source_;
EnrichedFile target_dir_;
@@ -173,6 +272,16 @@ class EnrichedRename : public EnrichedEventType {
target_(std::move(target)),
target_dir_(std::move(target_dir)) {}
EnrichedRename(EnrichedRename &&other)
: EnrichedEventType(std::move(other)),
source_(std::move(other.source_)),
target_(std::move(other.target_)),
target_dir_(std::move(other.target_dir_)) {}
EnrichedRename(const EnrichedRename &other) = delete;
const EnrichedFile &source() const { return source_; }
private:
EnrichedFile source_;
std::optional<EnrichedFile> target_;
@@ -186,6 +295,14 @@ class EnrichedUnlink : public EnrichedEventType {
: EnrichedEventType(std::move(es_msg), std::move(instigator)),
target_(std::move(target)) {}
EnrichedUnlink(EnrichedUnlink &&other)
: EnrichedEventType(std::move(other)),
target_(std::move(other.target_)) {}
EnrichedUnlink(const EnrichedUnlink &other) = delete;
const EnrichedFile &target() const { return target_; }
private:
EnrichedFile target_;
};
@@ -196,16 +313,11 @@ using EnrichedType =
class EnrichedMessage {
public:
EnrichedMessage(EnrichedType &&msg) : msg_(std::move(msg)) {
uuid_generate(uuid_);
clock_gettime(CLOCK_REALTIME, &enrichment_time_);
}
EnrichedMessage(EnrichedType &&msg) : msg_(std::move(msg)) {}
const EnrichedType &GetEnrichedMessage() { return msg_; }
private:
uuid_t uuid_;
struct timespec enrichment_time_;
EnrichedType msg_;
};
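Review bot: `GetEnrichedMessage()` returns a `const EnrichedType &` but is not itself `const`-qualified, so it cannot be called through a `const EnrichedMessage` or a `std::shared_ptr<const EnrichedMessage>`; mark it `const`. With `uuid_` and `enrichment_time_` removed the class is now a thin wrapper around the variant, which is fine, but a one-line comment that the timestamp moved to `EnrichedEventType` would save the next reader a search.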

View File

@@ -21,16 +21,30 @@
namespace santa::santad::event_providers::endpoint_security {
enum class EnrichOptions {
// Specifies default enricher operation.
kDefault,
// This option tells the enricher to only enrich with information that can be
// gathered without potentially triggering work from external processes.
kLocalOnly,
};
class Enricher {
public:
Enricher();
virtual ~Enricher() = default;
virtual std::shared_ptr<EnrichedMessage> Enrich(Message &&msg);
virtual EnrichedProcess Enrich(const es_process_t &es_proc);
virtual EnrichedFile Enrich(const es_file_t &es_file);
virtual EnrichedProcess Enrich(
const es_process_t &es_proc,
EnrichOptions options = EnrichOptions::kDefault);
virtual EnrichedFile Enrich(const es_file_t &es_file,
EnrichOptions options = EnrichOptions::kDefault);
virtual std::optional<std::shared_ptr<std::string>> UsernameForUID(uid_t uid);
virtual std::optional<std::shared_ptr<std::string>> UsernameForGID(gid_t gid);
virtual std::optional<std::shared_ptr<std::string>> UsernameForUID(
uid_t uid, EnrichOptions options = EnrichOptions::kDefault);
virtual std::optional<std::shared_ptr<std::string>> UsernameForGID(
gid_t gid, EnrichOptions options = EnrichOptions::kDefault);
private:
SantaCache<uid_t, std::optional<std::shared_ptr<std::string>>>
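Review bot: default arguments on the virtual `Enrich`/`UsernameForUID`/`UsernameForGID` overloads are bound by the static type of the callee expression, not the dynamic one, so a mock subclass used in tests that declares a different default would silently behave differently through a base-class pointer; prefer non-virtual public wrappers carrying the default that forward to a virtual implementation, or drop the default and pass `EnrichOptions` explicitly. The `kLocalOnly` comment should also name the external work it avoids (the `getpwuid`/`getgrgid` lookups in the .mm, which can go out to the directory service), since that is the reason an ES auth handler needs the option.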

View File

@@ -19,7 +19,6 @@
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <uuid/uuid.h>
#include <memory>
#include <optional>
@@ -48,8 +47,9 @@ std::shared_ptr<EnrichedMessage> Enricher::Enrich(Message &&es_msg) {
(es_msg->version >= 2 && es_msg->event.exec.script)
? std::make_optional(Enrich(*es_msg->event.exec.script))
: std::nullopt,
(es_msg->version >= 3) ? std::make_optional(Enrich(*es_msg->event.exec.cwd))
: std::nullopt));
(es_msg->version >= 3 && es_msg->event.exec.cwd)
? std::make_optional(Enrich(*es_msg->event.exec.cwd))
: std::nullopt));
case ES_EVENT_TYPE_NOTIFY_FORK:
return std::make_shared<EnrichedMessage>(EnrichedFork(
std::move(es_msg), Enrich(*es_msg->process), Enrich(*es_msg->event.fork.child)));
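Review bot: the added null check on `es_msg->event.exec.cwd` mirrors the one on `script` and is worth keeping; dereferencing a null `es_file_t *` here would crash santad from inside an exec handler. If `cwd` is documented non-null for `version >= 3` the guard is belt-and-braces, and a short comment saying so would stop someone removing it as redundant later.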
@@ -81,26 +81,30 @@ std::shared_ptr<EnrichedMessage> Enricher::Enrich(Message &&es_msg) {
}
}
EnrichedProcess Enricher::Enrich(const es_process_t &es_proc) {
return EnrichedProcess(UsernameForUID(audit_token_to_euid(es_proc.audit_token)),
UsernameForGID(audit_token_to_egid(es_proc.audit_token)),
UsernameForUID(audit_token_to_ruid(es_proc.audit_token)),
UsernameForGID(audit_token_to_rgid(es_proc.audit_token)),
Enrich(*es_proc.executable));
EnrichedProcess Enricher::Enrich(const es_process_t &es_proc, EnrichOptions options) {
return EnrichedProcess(UsernameForUID(audit_token_to_euid(es_proc.audit_token), options),
UsernameForGID(audit_token_to_egid(es_proc.audit_token), options),
UsernameForUID(audit_token_to_ruid(es_proc.audit_token), options),
UsernameForGID(audit_token_to_rgid(es_proc.audit_token), options),
Enrich(*es_proc.executable, options));
}
EnrichedFile Enricher::Enrich(const es_file_t &es_file) {
EnrichedFile Enricher::Enrich(const es_file_t &es_file, EnrichOptions options) {
// TODO(mlw): Consider having the enricher perform file hashing. This will
// make more sense if we start including hashes in more event types.
return EnrichedFile(UsernameForUID(es_file.stat.st_uid), UsernameForGID(es_file.stat.st_gid),
std::nullopt);
return EnrichedFile(UsernameForUID(es_file.stat.st_uid, options),
UsernameForGID(es_file.stat.st_gid, options), std::nullopt);
}
std::optional<std::shared_ptr<std::string>> Enricher::UsernameForUID(uid_t uid) {
std::optional<std::shared_ptr<std::string>> Enricher::UsernameForUID(uid_t uid,
EnrichOptions options) {
std::optional<std::shared_ptr<std::string>> username = username_cache_.get(uid);
if (username.has_value()) {
return username;
} else if (options == EnrichOptions::kLocalOnly) {
// If `kLocalOnly` option is set, do not attempt a lookup
return std::nullopt;
} else {
struct passwd *pw = getpwuid(uid);
if (pw) {
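Review bot: `getpwuid(uid)` returns a pointer to static storage and is not reentrant; if `Enricher::UsernameForUID` can be called from more than one ES handler thread at once, one thread's result can be overwritten before `pw->pw_name` is copied into the cache. Use `getpwuid_r` with a caller-provided buffer sized from `sysconf(_SC_GETPW_R_SIZE_MAX)`. The ordering in this hunk is otherwise right: the cache is consulted before the `kLocalOnly` check, so a cached name is still returned under `kLocalOnly`, and a miss under `kLocalOnly` is not stored as a negative result.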
@@ -115,11 +119,15 @@ std::optional<std::shared_ptr<std::string>> Enricher::UsernameForUID(uid_t uid)
}
}
std::optional<std::shared_ptr<std::string>> Enricher::UsernameForGID(gid_t gid) {
std::optional<std::shared_ptr<std::string>> Enricher::UsernameForGID(gid_t gid,
EnrichOptions options) {
std::optional<std::shared_ptr<std::string>> groupname = groupname_cache_.get(gid);
if (groupname.has_value()) {
return groupname;
} else if (options == EnrichOptions::kLocalOnly) {
// If `kLocalOnly` option is set, do not attempt a lookup
return std::nullopt;
} else {
struct group *gr = getgrgid(gid);
if (gr) {
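Review bot: same issue as `getpwuid` above: `getgrgid(gid)` returns static storage, so use `getgrgid_r`. The cache-then-`kLocalOnly`-then-lookup branching is now duplicated verbatim between `UsernameForUID` and `UsernameForGID`; a small templated helper taking the cache and the lookup function would keep the two from drifting.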

View File

@@ -32,9 +32,9 @@ using santa::santad::event_providers::endpoint_security::Enricher;
XCTAssertTrue(user.has_value());
XCTAssertEqual(strcmp(user->get()->c_str(), "nobody"), 0);
std::optional<std::shared_ptr<std::string>> group = enricher.UsernameForGID(NOBODY_GID);
std::optional<std::shared_ptr<std::string>> group = enricher.UsernameForGID(NOGROUP_GID);
XCTAssertTrue(group.has_value());
XCTAssertEqual(strcmp(group->get()->c_str(), "nobody"), 0);
XCTAssertEqual(strcmp(group->get()->c_str(), "nogroup"), 0);
uid_t invalidUID = (uid_t)-123;
gid_t invalidGID = (gid_t)-123;

View File

@@ -34,8 +34,6 @@ class Message {
// Note: Safe to implement this, just not currently needed so left deleted.
Message& operator=(Message&& rhs) = delete;
// In macOS 10.15, es_retain_message/es_release_message were unsupported
// and required a full copy, which impacts performance if done too much...
Message(const Message& other);
Message& operator=(const Message& other) = delete;
@@ -47,10 +45,7 @@ class Message {
private:
std::shared_ptr<EndpointSecurityAPI> esapi_;
es_message_t* es_msg_;
mutable std::string pname_;
mutable std::string parent_pname_;
const es_message_t* es_msg_;
std::string GetProcessName(pid_t pid) const;
};

View File

@@ -22,8 +22,8 @@
namespace santa::santad::event_providers::endpoint_security {
Message::Message(std::shared_ptr<EndpointSecurityAPI> esapi, const es_message_t *es_msg)
: esapi_(esapi) {
es_msg_ = esapi_->RetainMessage(es_msg);
: esapi_(std::move(esapi)), es_msg_(es_msg) {
esapi_->RetainMessage(es_msg);
}
Message::~Message() {
@@ -45,10 +45,7 @@ Message::Message(const Message &other) {
}
std::string Message::ParentProcessName() const {
if (parent_pname_.length() == 0) {
parent_pname_ = GetProcessName(es_msg_->process->ppid);
}
return parent_pname_;
return GetProcessName(es_msg_->process->ppid);
}
std::string Message::GetProcessName(pid_t pid) const {
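Review bot: dropping `parent_pname_` means `ParentProcessName()` now runs `GetProcessName(es_msg_->process->ppid)` (a process lookup) on every call instead of once per `Message`; if any serializer or logger calls it more than once per event this trades two cached `std::string`s for repeated syscalls. If the memoization was removed because the `mutable` members made a shared `Message` unsafe across threads, say so in the commit message; otherwise consider keeping a cached value.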

View File

@@ -65,7 +65,7 @@ pid_t AttemptToFindUnusedPID() {
es_message_t esMsg = MakeESMessage(ES_EVENT_TYPE_NOTIFY_EXIT, &proc);
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
mockESApi->SetExpectationsRetainReleaseMessage(&esMsg);
mockESApi->SetExpectationsRetainReleaseMessage();
// Constructing a `Message` retains the underlying `es_message_t` and it is
// released when the `Message` object is destructed.
@@ -82,9 +82,7 @@ pid_t AttemptToFindUnusedPID() {
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
EXPECT_CALL(*mockESApi, ReleaseMessage(testing::_))
.Times(2)
.After(EXPECT_CALL(*mockESApi, RetainMessage(testing::_))
.Times(2)
.WillRepeatedly(testing::Return(&esMsg)));
.After(EXPECT_CALL(*mockESApi, RetainMessage(testing::_)).Times(2));
{
Message msg1(mockESApi, &esMsg);
@@ -106,7 +104,7 @@ pid_t AttemptToFindUnusedPID() {
es_message_t esMsg = MakeESMessage(ES_EVENT_TYPE_NOTIFY_EXIT, &proc);
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
mockESApi->SetExpectationsRetainReleaseMessage(&esMsg);
mockESApi->SetExpectationsRetainReleaseMessage();
// Search for an *existing* parent process.
{

View File

@@ -22,6 +22,7 @@
#include <set>
#include "Source/santad/DataLayer/WatchItemPolicy.h"
#include "Source/santad/EventProviders/EndpointSecurity/Client.h"
#include "Source/santad/EventProviders/EndpointSecurity/EndpointSecurityAPI.h"
#include "Source/santad/EventProviders/EndpointSecurity/Message.h"
@@ -38,14 +39,32 @@ class MockEndpointSecurityAPI
MOCK_METHOD(bool, Subscribe,
(const santa::santad::event_providers::endpoint_security::Client &,
const std::set<es_event_type_t> &));
MOCK_METHOD(bool, UnsubscribeAll, (const Client &client));
MOCK_METHOD(es_message_t *, RetainMessage, (const es_message_t *msg));
MOCK_METHOD(void, ReleaseMessage, (es_message_t * msg));
MOCK_METHOD(bool, UnmuteAllPaths, (const Client &client));
MOCK_METHOD(bool, UnmuteAllTargetPaths, (const Client &client));
MOCK_METHOD(bool, IsTargetPathMutingInverted, (const Client &client));
MOCK_METHOD(bool, InvertTargetPathMuting, (const Client &client));
MOCK_METHOD(bool, MuteTargetPath,
(const Client &client, std::string_view path,
santa::santad::data_layer::WatchItemPathType path_type));
MOCK_METHOD(bool, UnmuteTargetPath,
(const Client &client, std::string_view path,
santa::santad::data_layer::WatchItemPathType path_type));
MOCK_METHOD(void, RetainMessage, (const es_message_t *msg));
MOCK_METHOD(void, ReleaseMessage, (const es_message_t *msg));
MOCK_METHOD(bool, RespondAuthResult,
(const santa::santad::event_providers::endpoint_security::Client &,
const santa::santad::event_providers::endpoint_security::Message &msg,
es_auth_result_t result, bool cache));
MOCK_METHOD(bool, RespondFlagsResult,
(const santa::santad::event_providers::endpoint_security::Client &client,
const santa::santad::event_providers::endpoint_security::Message &msg,
uint32_t allowed_flags, bool cache));
MOCK_METHOD(bool, MuteProcess,
(const santa::santad::event_providers::endpoint_security::Client &,
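Review bot: the new `MOCK_METHOD` lines use the unqualified `Client` (`UnsubscribeAll`, `UnmuteAllPaths`, `MuteTargetPath`, ...) while the surrounding ones spell out `santa::santad::event_providers::endpoint_security::Client`; both compile only because a using-declaration is in scope, so pick one style for the whole mock, ideally the short form everywhere.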
@@ -57,6 +76,12 @@ class MockEndpointSecurityAPI
MOCK_METHOD(uint32_t, ExecArgCount, (const es_event_exec_t *event));
MOCK_METHOD(es_string_token_t, ExecArg, (const es_event_exec_t *event, uint32_t index));
MOCK_METHOD(uint32_t, ExecEnvCount, (const es_event_exec_t *event));
MOCK_METHOD(es_string_token_t, ExecEnv, (const es_event_exec_t *event, uint32_t index));
MOCK_METHOD(uint32_t, ExecFDCount, (const es_event_exec_t *event));
MOCK_METHOD(const es_fd_t *, ExecFD, (const es_event_exec_t *event, uint32_t index));
void SetExpectationsESNewClient() {
EXPECT_CALL(*this, NewClient)
.WillOnce(testing::Return(santa::santad::event_providers::endpoint_security::Client(
@@ -66,9 +91,9 @@ class MockEndpointSecurityAPI
EXPECT_CALL(*this, Subscribe).WillRepeatedly(testing::Return(true));
}
void SetExpectationsRetainReleaseMessage(es_message_t *msg) {
void SetExpectationsRetainReleaseMessage() {
EXPECT_CALL(*this, ReleaseMessage).Times(testing::AnyNumber());
EXPECT_CALL(*this, RetainMessage).WillRepeatedly(testing::Return(msg));
EXPECT_CALL(*this, RetainMessage).Times(testing::AnyNumber());
}
};
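Review bot: `SetExpectationsRetainReleaseMessage()` now accepts `Times(testing::AnyNumber())` for both `RetainMessage` and `ReleaseMessage`, which no longer verifies the retain/release pairing that `Message` is supposed to guarantee; a leaked or double-released `es_message_t` would pass unnoticed. Where the helper is used, prefer an explicit `.Times(n)` on each call (as the second MessageTest case does) or a counter checked at teardown.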

View File

@@ -18,6 +18,7 @@
#import "Source/santad/EventProviders/AuthResultCache.h"
#import "Source/santad/EventProviders/SNTEndpointSecurityClient.h"
#import "Source/santad/EventProviders/SNTEndpointSecurityEventHandler.h"
#include "Source/santad/Metrics.h"
#import "Source/santad/SNTCompilerController.h"
#import "Source/santad/SNTExecutionController.h"
@@ -30,6 +31,7 @@
initWithESAPI:
(std::shared_ptr<santa::santad::event_providers::endpoint_security::EndpointSecurityAPI>)
esApi
metrics:(std::shared_ptr<santa::santad::Metrics>)metrics
execController:(SNTExecutionController *)execController
compilerController:(SNTCompilerController *)compilerController
authResultCache:

View File

@@ -18,11 +18,15 @@
#include <os/base.h>
#include <stdlib.h>
#import "Source/common/BranchPrediction.h"
#import "Source/common/SNTCommonEnums.h"
#import "Source/common/SNTLogging.h"
#include "Source/santad/EventProviders/AuthResultCache.h"
#include "Source/santad/EventProviders/EndpointSecurity/EnrichedTypes.h"
#include "Source/santad/EventProviders/EndpointSecurity/Message.h"
#include "Source/santad/Metrics.h"
using santa::santad::EventDisposition;
using santa::santad::event_providers::AuthResultCache;
using santa::santad::event_providers::endpoint_security::EndpointSecurityAPI;
using santa::santad::event_providers::endpoint_security::Message;
@@ -37,10 +41,13 @@ using santa::santad::event_providers::endpoint_security::Message;
}
- (instancetype)initWithESAPI:(std::shared_ptr<EndpointSecurityAPI>)esApi
metrics:(std::shared_ptr<santa::santad::Metrics>)metrics
execController:(SNTExecutionController *)execController
compilerController:(SNTCompilerController *)compilerController
authResultCache:(std::shared_ptr<AuthResultCache>)authResultCache {
self = [super initWithESAPI:std::move(esApi)];
self = [super initWithESAPI:std::move(esApi)
metrics:std::move(metrics)
processor:santa::santad::Processor::kAuthorizer];
if (self) {
_execController = execController;
_compilerController = compilerController;
@@ -51,19 +58,23 @@ using santa::santad::event_providers::endpoint_security::Message;
return self;
}
- (NSString *)description {
return @"Authorizer";
}
- (void)processMessage:(const Message &)msg {
const es_file_t *targetFile = msg->event.exec.target->executable;
while (true) {
santa_action_t returnAction = self->_authResultCache->CheckCache(targetFile);
SNTAction returnAction = self->_authResultCache->CheckCache(targetFile);
if (RESPONSE_VALID(returnAction)) {
es_auth_result_t authResult = ES_AUTH_RESULT_DENY;
switch (returnAction) {
case ACTION_RESPOND_ALLOW_COMPILER:
case SNTActionRespondAllowCompiler:
[self.compilerController setProcess:msg->event.exec.target->audit_token isCompiler:true];
OS_FALLTHROUGH;
case ACTION_RESPOND_ALLOW: authResult = ES_AUTH_RESULT_ALLOW; break;
case SNTActionRespondAllow: authResult = ES_AUTH_RESULT_ALLOW; break;
default: break;
}
@@ -71,7 +82,7 @@ using santa::santad::event_providers::endpoint_security::Message;
withAuthResult:authResult
cacheable:(authResult == ES_AUTH_RESULT_ALLOW)];
return;
} else if (returnAction == ACTION_REQUEST_BINARY) {
} else if (returnAction == SNTActionRequestBinary) {
// TODO(mlw): Add a metric here to observe how ofthen this happens in practice.
// TODO(mlw): Look into caching a `Deferred<value>` to better prevent
// raciness of multiple threads checking the cache simultaneously.
@@ -82,15 +93,16 @@ using santa::santad::event_providers::endpoint_security::Message;
}
}
self->_authResultCache->AddToCache(targetFile, ACTION_REQUEST_BINARY);
self->_authResultCache->AddToCache(targetFile, SNTActionRequestBinary);
[self.execController validateExecEvent:msg
postAction:^bool(santa_action_t action) {
postAction:^bool(SNTAction action) {
return [self postAction:action forMessage:msg];
}];
}
- (void)handleMessage:(Message &&)esMsg {
- (void)handleMessage:(Message &&)esMsg
recordEventMetrics:(void (^)(EventDisposition))recordEventMetrics {
if (unlikely(esMsg->event_type != ES_EVENT_TYPE_AUTH_EXEC)) {
// This is a programming error
LOGE(@"Atteempting to authorize a non-exec event");
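Review bot: the log message on the programming-error path has a typo, "Atteempting"; make it `LOGE(@"Attempting to authorize a non-exec event");`. Note also that this early-exit path never invokes the new `recordEventMetrics` block, so a non-exec message is neither counted as processed nor as dropped; the authorizer test asserts that this is intended, so a short comment next to the `LOGE` saying the event is deliberately not recorded would save the next reader the same question.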
@@ -99,29 +111,31 @@ using santa::santad::event_providers::endpoint_security::Message;
}
if (![self.execController synchronousShouldProcessExecEvent:esMsg]) {
[self postAction:ACTION_RESPOND_DENY forMessage:esMsg];
[self postAction:SNTActionRespondDeny forMessage:esMsg];
recordEventMetrics(EventDisposition::kDropped);
return;
}
[self processMessage:std::move(esMsg)
handler:^(const Message &msg) {
[self processMessage:msg];
recordEventMetrics(EventDisposition::kProcessed);
}];
}
- (bool)postAction:(santa_action_t)action forMessage:(const Message &)esMsg {
- (bool)postAction:(SNTAction)action forMessage:(const Message &)esMsg {
es_auth_result_t authResult;
switch (action) {
case ACTION_RESPOND_ALLOW_COMPILER:
case SNTActionRespondAllowCompiler:
[self.compilerController setProcess:esMsg->event.exec.target->audit_token isCompiler:true];
OS_FALLTHROUGH;
case ACTION_RESPOND_ALLOW: authResult = ES_AUTH_RESULT_ALLOW; break;
case ACTION_RESPOND_DENY: authResult = ES_AUTH_RESULT_DENY; break;
case SNTActionRespondAllow: authResult = ES_AUTH_RESULT_ALLOW; break;
case SNTActionRespondDeny: authResult = ES_AUTH_RESULT_DENY; break;
default:
// This is a programming error. Bail.
LOGE(@"Invalid action for postAction, exiting.");
[NSException raise:@"Invalid post action" format:@"Invalid post action: %d", action];
[NSException raise:@"Invalid post action" format:@"Invalid post action: %ld", action];
}
self->_authResultCache->AddToCache(esMsg->event.exec.target->executable, action);
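Review bot: the exception format was changed from `%d` to `%ld` for `action`, but the argument is still passed as the bare `SNTAction` enum, so the specifier is only correct if the enum's underlying type is `long`-sized. Casting explicitly keeps it correct regardless of how `SNTAction` is declared: `format:@"Invalid post action: %ld", (long)action`.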

View File

@@ -22,15 +22,18 @@
#include <memory>
#include <set>
#include "Source/common/SNTCommonEnums.h"
#include "Source/common/TestUtils.h"
#include "Source/santad/EventProviders/AuthResultCache.h"
#include "Source/santad/EventProviders/EndpointSecurity/Client.h"
#include "Source/santad/EventProviders/EndpointSecurity/Message.h"
#include "Source/santad/EventProviders/EndpointSecurity/MockEndpointSecurityAPI.h"
#import "Source/santad/EventProviders/SNTEndpointSecurityAuthorizer.h"
#include "Source/santad/Metrics.h"
#import "Source/santad/SNTCompilerController.h"
#import "Source/santad/SNTExecutionController.h"
using santa::santad::EventDisposition;
using santa::santad::event_providers::AuthResultCache;
using santa::santad::event_providers::endpoint_security::Message;
@@ -38,13 +41,13 @@ class MockAuthResultCache : public AuthResultCache {
public:
using AuthResultCache::AuthResultCache;
MOCK_METHOD(bool, AddToCache, (const es_file_t *es_file, santa_action_t decision));
MOCK_METHOD(santa_action_t, CheckCache, (const es_file_t *es_file));
MOCK_METHOD(bool, AddToCache, (const es_file_t *es_file, SNTAction decision));
MOCK_METHOD(SNTAction, CheckCache, (const es_file_t *es_file));
};
@interface SNTEndpointSecurityAuthorizer (Testing)
- (void)processMessage:(const Message &)msg;
- (bool)postAction:(santa_action_t)action forMessage:(const Message &)esMsg;
- (bool)postAction:(SNTAction)action forMessage:(const Message &)esMsg;
@end
@interface SNTEndpointSecurityAuthorizerTest : XCTestCase
@@ -66,7 +69,10 @@ class MockAuthResultCache : public AuthResultCache {
std::set<es_event_type_t> expectedEventSubs{ES_EVENT_TYPE_AUTH_EXEC};
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
id authClient = [[SNTEndpointSecurityAuthorizer alloc] initWithESAPI:mockESApi];
id authClient =
[[SNTEndpointSecurityAuthorizer alloc] initWithESAPI:mockESApi
metrics:nullptr
processor:santa::santad::Processor::kAuthorizer];
EXPECT_CALL(*mockESApi, ClearCache)
.After(EXPECT_CALL(*mockESApi, Subscribe(testing::_, expectedEventSubs))
@@ -85,10 +91,20 @@ class MockAuthResultCache : public AuthResultCache {
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
mockESApi->SetExpectationsESNewClient();
mockESApi->SetExpectationsRetainReleaseMessage(&esMsg);
mockESApi->SetExpectationsRetainReleaseMessage();
// There is a benign leak of the mock object in this test.
// `handleMessage:recordEventMetrics:` will call `processMessage:handler:` in the parent
// class. This will dispatch to two blocks and create message copies. The block that
// handles `deadline` timeouts will not complete before the test finishes, and the
// mock object will think that it has been leaked.
::testing::Mock::AllowLeak(mockESApi.get());
dispatch_semaphore_t semaMetrics = dispatch_semaphore_create(0);
SNTEndpointSecurityAuthorizer *authClient =
[[SNTEndpointSecurityAuthorizer alloc] initWithESAPI:mockESApi
metrics:nullptr
execController:self.mockExecController
compilerController:nil
authResultCache:nullptr];
@@ -99,7 +115,10 @@ class MockAuthResultCache : public AuthResultCache {
{
// Temporarily change the event type
esMsg.event_type = ES_EVENT_TYPE_NOTIFY_EXEC;
XCTAssertThrows([authClient handleMessage:Message(mockESApi, &esMsg)]);
XCTAssertThrows([authClient handleMessage:Message(mockESApi, &esMsg)
recordEventMetrics:^(EventDisposition d) {
XCTFail("Unhandled event types shouldn't call metrics recorder");
}]);
esMsg.event_type = ES_EVENT_TYPE_AUTH_EXEC;
}
@@ -111,13 +130,20 @@ class MockAuthResultCache : public AuthResultCache {
.ignoringNonObjectArgs()
.andReturn(NO);
OCMExpect([mockAuthClient postAction:ACTION_RESPOND_DENY forMessage:Message(mockESApi, &esMsg)])
OCMExpect([mockAuthClient postAction:SNTActionRespondDeny
forMessage:Message(mockESApi, &esMsg)])
.ignoringNonObjectArgs();
OCMStub([mockAuthClient postAction:ACTION_RESPOND_DENY forMessage:Message(mockESApi, &esMsg)])
OCMStub([mockAuthClient postAction:SNTActionRespondDeny forMessage:Message(mockESApi, &esMsg)])
.ignoringNonObjectArgs()
.andDo(nil);
[mockAuthClient handleMessage:std::move(msg)];
[mockAuthClient handleMessage:std::move(msg)
recordEventMetrics:^(EventDisposition d) {
XCTAssertEqual(d, EventDisposition::kDropped);
dispatch_semaphore_signal(semaMetrics);
}];
XCTAssertSemaTrue(semaMetrics, 5, "Metrics not recorded within expected window");
XCTAssertTrue(OCMVerifyAll(mockAuthClient));
}
@@ -130,13 +156,18 @@ class MockAuthResultCache : public AuthResultCache {
.ignoringNonObjectArgs()
.andReturn(YES);
OCMExpect([mockAuthClient processMessage:Message(mockESApi, &esMsg) handler:[OCMArg any]])
.ignoringNonObjectArgs();
OCMStub([mockAuthClient processMessage:Message(mockESApi, &esMsg) handler:[OCMArg any]])
OCMExpect([mockAuthClient processMessage:Message(mockESApi, &esMsg)]).ignoringNonObjectArgs();
OCMStub([mockAuthClient processMessage:Message(mockESApi, &esMsg)])
.ignoringNonObjectArgs()
.andDo(nil);
[mockAuthClient handleMessage:std::move(msg)];
[mockAuthClient handleMessage:std::move(msg)
recordEventMetrics:^(EventDisposition d) {
XCTAssertEqual(d, EventDisposition::kProcessed);
dispatch_semaphore_signal(semaMetrics);
}];
XCTAssertSemaTrue(semaMetrics, 5, "Metrics not recorded within expected window");
XCTAssertTrue(OCMVerifyAll(mockAuthClient));
}
@@ -157,15 +188,15 @@ class MockAuthResultCache : public AuthResultCache {
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
mockESApi->SetExpectationsESNewClient();
mockESApi->SetExpectationsRetainReleaseMessage(&esMsg);
mockESApi->SetExpectationsRetainReleaseMessage();
auto mockAuthCache = std::make_shared<MockAuthResultCache>(nullptr);
EXPECT_CALL(*mockAuthCache, CheckCache)
.WillOnce(testing::Return(ACTION_REQUEST_BINARY))
.WillOnce(testing::Return(ACTION_REQUEST_BINARY))
.WillOnce(testing::Return(ACTION_RESPOND_ALLOW_COMPILER))
.WillOnce(testing::Return(ACTION_UNSET));
EXPECT_CALL(*mockAuthCache, AddToCache(testing::_, ACTION_REQUEST_BINARY))
.WillOnce(testing::Return(SNTActionRequestBinary))
.WillOnce(testing::Return(SNTActionRequestBinary))
.WillOnce(testing::Return(SNTActionRespondAllowCompiler))
.WillOnce(testing::Return(SNTActionUnset));
EXPECT_CALL(*mockAuthCache, AddToCache(testing::_, SNTActionRequestBinary))
.WillOnce(testing::Return(true));
id mockCompilerController = OCMStrictClassMock([SNTCompilerController class]);
@@ -173,6 +204,7 @@ class MockAuthResultCache : public AuthResultCache {
SNTEndpointSecurityAuthorizer *authClient =
[[SNTEndpointSecurityAuthorizer alloc] initWithESAPI:mockESApi
metrics:nullptr
execController:self.mockExecController
compilerController:mockCompilerController
authResultCache:mockAuthCache];
@@ -180,7 +212,7 @@ class MockAuthResultCache : public AuthResultCache {
// This block tests that processing is held up until an outstanding thread
// processing another event completes and returns a result. This test
// specifically will check the `ACTION_RESPOND_ALLOW_COMPILER` flow.
// specifically will check the `SNTActionRespondAllowCompiler` flow.
{
Message msg(mockESApi, &esMsg);
OCMExpect([mockAuthClient respondToMessage:msg
@@ -223,14 +255,14 @@ class MockAuthResultCache : public AuthResultCache {
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
mockESApi->SetExpectationsESNewClient();
mockESApi->SetExpectationsRetainReleaseMessage(&esMsg);
mockESApi->SetExpectationsRetainReleaseMessage();
auto mockAuthCache = std::make_shared<MockAuthResultCache>(nullptr);
EXPECT_CALL(*mockAuthCache, AddToCache(&execFile, ACTION_RESPOND_ALLOW_COMPILER))
EXPECT_CALL(*mockAuthCache, AddToCache(&execFile, SNTActionRespondAllowCompiler))
.WillOnce(testing::Return(true));
EXPECT_CALL(*mockAuthCache, AddToCache(&execFile, ACTION_RESPOND_ALLOW))
EXPECT_CALL(*mockAuthCache, AddToCache(&execFile, SNTActionRespondAllow))
.WillOnce(testing::Return(true));
EXPECT_CALL(*mockAuthCache, AddToCache(&execFile, ACTION_RESPOND_DENY))
EXPECT_CALL(*mockAuthCache, AddToCache(&execFile, SNTActionRespondDeny))
.WillOnce(testing::Return(true));
id mockCompilerController = OCMStrictClassMock([SNTCompilerController class]);
@@ -238,6 +270,7 @@ class MockAuthResultCache : public AuthResultCache {
SNTEndpointSecurityAuthorizer *authClient =
[[SNTEndpointSecurityAuthorizer alloc] initWithESAPI:mockESApi
metrics:nullptr
execController:self.mockExecController
compilerController:mockCompilerController
authResultCache:mockAuthCache];
@@ -246,12 +279,12 @@ class MockAuthResultCache : public AuthResultCache {
{
Message msg(mockESApi, &esMsg);
XCTAssertThrows([mockAuthClient postAction:(santa_action_t)123 forMessage:msg]);
XCTAssertThrows([mockAuthClient postAction:(SNTAction)123 forMessage:msg]);
std::map<santa_action_t, es_auth_result_t> actions = {
{ACTION_RESPOND_ALLOW_COMPILER, ES_AUTH_RESULT_ALLOW},
{ACTION_RESPOND_ALLOW, ES_AUTH_RESULT_ALLOW},
{ACTION_RESPOND_DENY, ES_AUTH_RESULT_DENY},
std::map<SNTAction, es_auth_result_t> actions = {
{SNTActionRespondAllowCompiler, ES_AUTH_RESULT_ALLOW},
{SNTActionRespondAllow, ES_AUTH_RESULT_ALLOW},
{SNTActionRespondDeny, ES_AUTH_RESULT_DENY},
};
for (const auto &kv : actions) {

View File

@@ -13,50 +13,62 @@
/// limitations under the License.
#import "Source/santad/EventProviders/SNTEndpointSecurityClient.h"
#include <EndpointSecurity/ESTypes.h>
#include <EndpointSecurity/EndpointSecurity.h>
#include <bsm/libbsm.h>
#include <dispatch/dispatch.h>
#include <mach/mach_time.h>
#include <stdlib.h>
#include <sys/qos.h>
#import "Source/common/SNTCommon.h"
#include <set>
#include <string>
#include <string_view>
#include "Source/common/BranchPrediction.h"
#import "Source/common/SNTConfigurator.h"
#import "Source/common/SNTLogging.h"
#include "Source/common/SystemResources.h"
#include "Source/santad/DataLayer/WatchItemPolicy.h"
#include "Source/santad/EventProviders/EndpointSecurity/Client.h"
#include "Source/santad/EventProviders/EndpointSecurity/EnrichedTypes.h"
#include "Source/santad/EventProviders/EndpointSecurity/Message.h"
#include "Source/santad/Metrics.h"
using santa::santad::EventDisposition;
using santa::santad::Metrics;
using santa::santad::Processor;
using santa::santad::data_layer::WatchItemPathType;
using santa::santad::event_providers::endpoint_security::Client;
using santa::santad::event_providers::endpoint_security::EndpointSecurityAPI;
using santa::santad::event_providers::endpoint_security::EnrichedMessage;
using santa::santad::event_providers::endpoint_security::Message;
constexpr std::string_view kProtectedFiles[] = {"/private/var/db/santa/rules.db",
"/private/var/db/santa/events.db"};
@interface SNTEndpointSecurityClient ()
@property int64_t deadlineMarginMS;
@end
;
@implementation SNTEndpointSecurityClient {
std::shared_ptr<EndpointSecurityAPI> _esApi;
std::shared_ptr<Metrics> _metrics;
Client _esClient;
mach_timebase_info_data_t _timebase;
dispatch_queue_t _authQueue;
dispatch_queue_t _notifyQueue;
Processor _processor;
}
- (instancetype)initWithESAPI:(std::shared_ptr<EndpointSecurityAPI>)esApi {
- (instancetype)initWithESAPI:(std::shared_ptr<EndpointSecurityAPI>)esApi
metrics:(std::shared_ptr<Metrics>)metrics
processor:(Processor)processor {
self = [super init];
if (self) {
_esApi = std::move(esApi);
_metrics = std::move(metrics);
_deadlineMarginMS = 5000;
if (mach_timebase_info(&_timebase) != KERN_SUCCESS) {
LOGE(@"Failed to get mach timebase info");
// Assumed to be transitory failure. Let the daemon restart.
exit(EXIT_FAILURE);
}
_processor = processor;
_authQueue = dispatch_queue_create(
"com.google.santa.daemon.auth_queue",
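Review bot: there is a stray `;` on a line of its own between `@end` of the `SNTEndpointSecurityClient ()` class extension and `@implementation`; it compiles but is noise and should be removed. Separately, `_metrics = std::move(metrics);` stores the pointer without any null check while the test files in this same change construct clients with `metrics:nullptr`; if a null metrics object is meant to be test-only, say so in the header comment for the initializer.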
@@ -84,7 +96,8 @@ using santa::santad::event_providers::endpoint_security::Message;
}
}
- (void)handleMessage:(Message &&)esMsg {
- (void)handleMessage:(Message &&)esMsg
recordEventMetrics:(void (^)(EventDisposition disposition))recordEventMetrics {
// This method should only be used by classes derived
// from SNTEndpointSecurityClient.
[self doesNotRecognizeSelector:_cmd];
@@ -110,10 +123,21 @@ using santa::santad::event_providers::endpoint_security::Message;
}
self->_esClient = self->_esApi->NewClient(^(es_client_t *c, Message esMsg) {
int64_t processingStart = clock_gettime_nsec_np(CLOCK_MONOTONIC);
es_event_type_t eventType = esMsg->event_type;
if ([self shouldHandleMessage:esMsg
ignoringOtherESClients:[[SNTConfigurator configurator]
ignoreOtherEndpointSecurityClients]]) {
[self handleMessage:std::move(esMsg)];
[self handleMessage:std::move(esMsg)
recordEventMetrics:^(EventDisposition disposition) {
int64_t processingEnd = clock_gettime_nsec_np(CLOCK_MONOTONIC);
self->_metrics->SetEventMetrics(self->_processor, eventType, disposition,
processingEnd - processingStart);
}];
} else {
int64_t processingEnd = clock_gettime_nsec_np(CLOCK_MONOTONIC);
self->_metrics->SetEventMetrics(self->_processor, eventType, EventDisposition::kDropped,
processingEnd - processingStart);
}
});
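Review bot: `self->_metrics->SetEventMetrics(...)` is called unconditionally in both branches of the `NewClient` callback, so any client constructed with a null `metrics` (as every test in this change does) would dereference null the first time a real message arrives. Either guard with `if (self->_metrics)` before recording, or have the initializer reject a null `metrics` so the failure is loud at construction rather than at first event. Capturing `eventType` before `std::move(esMsg)` is correct and worth keeping as is.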
@@ -122,7 +146,7 @@ using santa::santad::event_providers::endpoint_security::Message;
LOGE(@"Unable to create EndpointSecurity client: %@", errMsg);
[NSException raise:@"Failed to create ES client" format:@"%@", errMsg];
} else {
LOGI(@"Connected to EndpointSecurity");
LOGI(@"Connected to EndpointSecurity (%@)", self);
}
if (![self muteSelf]) {
@@ -166,16 +190,65 @@ using santa::santad::event_providers::endpoint_security::Message;
return [self subscribe:events] && [self clearCache];
}
- (bool)unsubscribeAll {
return _esApi->UnsubscribeAll(_esClient);
}
- (bool)unmuteEverything {
bool result = _esApi->UnmuteAllPaths(_esClient);
result = _esApi->UnmuteAllTargetPaths(_esClient) && result;
return result;
}
- (bool)enableTargetPathWatching {
return _esApi->InvertTargetPathMuting(_esClient);
}
- (bool)muteTargetPaths:(const std::vector<std::pair<std::string, WatchItemPathType>> &)paths {
bool result = true;
for (const auto &pathAndTypePair : paths) {
result =
_esApi->MuteTargetPath(_esClient, pathAndTypePair.first, pathAndTypePair.second) && result;
}
return result;
}
- (bool)unmuteTargetPaths:(const std::vector<std::pair<std::string, WatchItemPathType>> &)paths {
bool result = true;
for (const auto &pathAndTypePair : paths) {
result =
_esApi->UnmuteTargetPath(_esClient, pathAndTypePair.first, pathAndTypePair.second) && result;
}
return result;
}
- (bool)respondToMessage:(const Message &)msg
withAuthResult:(es_auth_result_t)result
cacheable:(bool)cacheable {
return _esApi->RespondAuthResult(_esClient, msg, result, cacheable);
if (msg->event_type == ES_EVENT_TYPE_AUTH_OPEN) {
return _esApi->RespondFlagsResult(
// For now, Santa is only concerned about alllowing all access or no
// access, hence the flags being translated here to all or nothing based
// on the auth result. In the future it might be beneficial to expand the
// scope of Santa to enforce things like read-only access.
_esClient, msg, (result == ES_AUTH_RESULT_ALLOW) ? 0xffffffff : 0x0, cacheable);
} else {
return _esApi->RespondAuthResult(_esClient, msg, result, cacheable);
}
}
- (void)processEnrichedMessage:(std::shared_ptr<EnrichedMessage>)msg
handler:(void (^)(std::shared_ptr<EnrichedMessage>))messageHandler {
__block std::shared_ptr<EnrichedMessage> msgTmp = std::move(msg);
dispatch_async(_notifyQueue, ^{
messageHandler(std::move(msg));
messageHandler(std::move(msgTmp));
});
}
- (void)asynchronouslyProcess:(Message)msg handler:(void (^)(Message &&))messageHandler {
__block Message msgTmp = std::move(msg);
dispatch_async(_notifyQueue, ^{
messageHandler(std::move(msgTmp));
});
}
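Review bot: in `respondToMessage:withAuthResult:cacheable:` the allow-all flags value `0xffffffff` is a magic literal; give it a name next to `kProtectedFiles` (e.g. `constexpr uint32_t kAllowAllFlags = 0xffffffff;`) so the "all or nothing" translation described in the comment is visible at the call site. The change in `processEnrichedMessage:handler:` from `messageHandler(std::move(msg))` to `messageHandler(std::move(msgTmp))` is a real fix: the old block moved from its own captured copy of `msg` and left the `__block msgTmp` unused; the new `asynchronouslyProcess:handler:` gets this right from the start.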
@@ -195,15 +268,14 @@ using santa::santad::event_providers::endpoint_security::Message;
dispatch_semaphore_t deadlineExpiredSema = dispatch_semaphore_create(0);
const uint64_t timeout = NSEC_PER_MSEC * (self.deadlineMarginMS);
uint64_t deadlineMachTime = msg->deadline - mach_absolute_time();
uint64_t deadlineNano = deadlineMachTime * _timebase.numer / _timebase.denom;
uint64_t deadlineNano = MachTimeToNanos(msg->deadline - mach_absolute_time());
// TODO(mlw): How should we handle `deadlineNano <= timeout`. Will currently
// result in the deadline block being dispatched immediately (and therefore
// the event will be denied).
// Workaround for compiler bug that doesn't properly close over variables
// Note: On macOS 10.15 this will cause extra message copies.
__block Message processMsg = msg;
__block Message deadlineMsg = msg;
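Review bot: `msg->deadline - mach_absolute_time()` is unsigned arithmetic; if the deadline has already passed by the time this runs, the subtraction wraps and `MachTimeToNanos` returns a huge value, so the deadline handling would be scheduled far in the future rather than immediately. Clamp before converting, e.g. `uint64_t now = mach_absolute_time(); uint64_t remaining = msg->deadline > now ? msg->deadline - now : 0;` and pass `remaining` to `MachTimeToNanos`. This is the same region the `deadlineNano <= timeout` TODO above is worried about, so the two could be resolved together.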
@@ -224,7 +296,7 @@ using santa::santad::event_providers::endpoint_security::Message;
});
dispatch_async(self->_authQueue, ^{
messageHandler(deadlineMsg);
messageHandler(processMsg);
if (dispatch_semaphore_wait(processingSema, DISPATCH_TIME_NOW) != 0) {
// Deadline expired, wait for deadline block to finish.
dispatch_semaphore_wait(deadlineExpiredSema, DISPATCH_TIME_FOREVER);
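Review bot: the auth-queue block previously called `messageHandler(deadlineMsg)`, the same `Message` copy the deadline block uses, so both blocks shared one object across two queues; switching to `processMsg` gives each block its own copy, which is what the two `__block` declarations above intend. Add a one-line comment saying the two copies are deliberate, because the existing "compiler bug" note only explains why copies exist, not that each block must use its own.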
@@ -232,12 +304,28 @@ using santa::santad::event_providers::endpoint_security::Message;
});
}
+ (bool)isDatabasePath:(const std::string_view)path {
+ (std::set<std::string>)getProtectedPaths {
std::set<std::string> protectedPathsCopy;
for (size_t i = 0; i < sizeof(kProtectedFiles) / sizeof(kProtectedFiles[0]); i++) {
protectedPathsCopy.insert(std::string(kProtectedFiles[i]));
}
return protectedPathsCopy;
}
+ (bool)isProtectedPath:(const std::string_view)path {
// TODO(mlw): These values should come from `SNTDatabaseController`. But right
// now they live as NSStrings. We should make them `std::string_view` types
// in order to use them here efficiently, but will need to make the
// `SNTDatabaseController` an ObjC++ file.
return (path == "/private/var/db/santa/rules.db" || path == "/private/var/db/santa/events.db");
for (size_t i = 0; i < sizeof(kProtectedFiles) / sizeof(kProtectedFiles[0]); i++) {
if (path == kProtectedFiles[i]) {
return true;
}
}
return false;
}
@end
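Review bot: `isProtectedPath:` compares with `==` against the `kProtectedFiles` entries, so only the exact spelling `/private/var/db/santa/...` matches; a path reaching this check via another spelling of the same file (for example through the `/var` symlink) would not be treated as protected. Document at the call site that callers must pass the canonical path as delivered by EndpointSecurity, or normalize before comparing. Minor: the `sizeof(kProtectedFiles) / sizeof(kProtectedFiles[0])` loop bound appears twice; `for (const auto &p : kProtectedFiles)` reads more clearly and avoids the duplication, and the stale TODO about `SNTDatabaseController` can be dropped now that the paths live in `kProtectedFiles`.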

View File

@@ -17,17 +17,23 @@
#include <memory>
#include <string>
#include <vector>
#import <Foundation/Foundation.h>
#include "Source/santad/DataLayer/WatchItemPolicy.h"
#include "Source/santad/EventProviders/EndpointSecurity/EndpointSecurityAPI.h"
#include "Source/santad/EventProviders/EndpointSecurity/EnrichedTypes.h"
#include "Source/santad/EventProviders/EndpointSecurity/Message.h"
#include "Source/santad/Metrics.h"
@protocol SNTEndpointSecurityClientBase
- (instancetype)initWithESAPI:
(std::shared_ptr<santa::santad::event_providers::endpoint_security::EndpointSecurityAPI>)esApi;
- (instancetype)
initWithESAPI:
(std::shared_ptr<santa::santad::event_providers::endpoint_security::EndpointSecurityAPI>)esApi
metrics:(std::shared_ptr<santa::santad::Metrics>)metrics
processor:(santa::santad::Processor)processor;
/// @note If this fails to establish a new ES client via `es_new_client`, an exception is raised
/// that should terminate the program.
@@ -42,12 +48,24 @@
/// subscribing mitigates this posibility.
- (bool)subscribeAndClearCache:(const std::set<es_event_type_t> &)events;
- (bool)unsubscribeAll;
- (bool)unmuteEverything;
- (bool)enableTargetPathWatching;
- (bool)muteTargetPaths:
(const std::vector<std::pair<std::string, santa::santad::data_layer::WatchItemPathType>> &)paths;
- (bool)unmuteTargetPaths:
(const std::vector<std::pair<std::string, santa::santad::data_layer::WatchItemPathType>> &)paths;
/// Responds to the Message with the given auth result
///
/// @param Message The wrapped es_message_t being responded to
/// @param result Either ES_AUTH_RESULT_ALLOW or ES_AUTH_RESULT_DENY
/// @param cacheable true if ES should attempt to cache the result, otherwise false
/// @return true if the response was successful, otherwise false
///
/// @note If the msg event type requires a flags response, the correct ES API will automatically
/// be called. ALLOWED results will be translated to having all flags set, and DENIED results
/// will be translated to having all flags cleared.
- (bool)respondToMessage:(const santa::santad::event_providers::endpoint_security::Message &)msg
withAuthResult:(es_auth_result_t)result
cacheable:(bool)cacheable;
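Review bot: the new doc block for `respondToMessage:withAuthResult:cacheable:` names the first parameter `@param Message` while the declaration calls it `msg`; use `@param msg` so documentation tooling can match it. The unchanged context line just above still reads "posibility"; fix the spelling to "possibility" while touching this comment block.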
@@ -60,6 +78,11 @@
santa::santad::event_providers::endpoint_security::EnrichedMessage>))
messageHandler;
- (void)asynchronouslyProcess:(santa::santad::event_providers::endpoint_security::Message)msg
handler:
(void (^)(santa::santad::event_providers::endpoint_security::Message &&))
messageHandler;
- (void)processMessage:(santa::santad::event_providers::endpoint_security::Message &&)msg
handler:
(void (^)(const santa::santad::event_providers::endpoint_security::Message &))
@@ -67,7 +90,8 @@
- (bool)clearCache;
+ (bool)isDatabasePath:(const std::string_view)path;
+ (std::set<std::string>)getProtectedPaths;
+ (bool)isProtectedPath:(const std::string_view)path;
+ (bool)populateAuditTokenSelf:(audit_token_t *)tok;
@end

View File

@@ -23,12 +23,16 @@
#include <memory>
#include "Source/common/TestUtils.h"
#include "Source/santad/DataLayer/WatchItemPolicy.h"
#include "Source/santad/EventProviders/EndpointSecurity/Client.h"
#include "Source/santad/EventProviders/EndpointSecurity/EnrichedTypes.h"
#include "Source/santad/EventProviders/EndpointSecurity/Message.h"
#include "Source/santad/EventProviders/EndpointSecurity/MockEndpointSecurityAPI.h"
#import "Source/santad/EventProviders/SNTEndpointSecurityClient.h"
#include "Source/santad/Metrics.h"
using santa::santad::Processor;
using santa::santad::data_layer::WatchItemPathType;
using santa::santad::event_providers::endpoint_security::Client;
using santa::santad::event_providers::endpoint_security::EnrichedClose;
using santa::santad::event_providers::endpoint_security::EnrichedFile;
@@ -40,7 +44,8 @@ using santa::santad::event_providers::endpoint_security::Message;
- (void)establishClientOrDie;
- (bool)muteSelf;
- (NSString *)errorMessageForNewClientResult:(es_new_client_result_t)result;
- (void)handleMessage:(Message &&)esMsg;
- (void)handleMessage:(Message &&)esMsg
recordEventMetrics:(void (^)(santa::santad::EventDisposition disposition))recordEventMetrics;
- (BOOL)shouldHandleMessage:(const Message &)esMsg
ignoringOtherESClients:(BOOL)ignoringOtherESClients;
@@ -61,7 +66,10 @@ using santa::santad::event_providers::endpoint_security::Message;
.WillOnce(testing::Return(Client()))
.WillOnce(testing::Return(Client(nullptr, ES_NEW_CLIENT_RESULT_SUCCESS)));
SNTEndpointSecurityClient *client = [[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi];
SNTEndpointSecurityClient *client =
[[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi
metrics:nullptr
processor:Processor::kUnknown];
// First time throws because mock triggers failed connection
// Second time succeeds
@@ -83,7 +91,10 @@ using santa::santad::event_providers::endpoint_security::Message;
{(es_new_client_result_t)123, "Unknown error"},
};
SNTEndpointSecurityClient *client = [[SNTEndpointSecurityClient alloc] initWithESAPI:nullptr];
SNTEndpointSecurityClient *client =
[[SNTEndpointSecurityClient alloc] initWithESAPI:nullptr
metrics:nullptr
processor:Processor::kUnknown];
for (const auto &kv : resultMessagePairs) {
NSString *message = [client errorMessageForNewClientResult:kv.first];
@@ -95,11 +106,14 @@ using santa::santad::event_providers::endpoint_security::Message;
es_message_t esMsg;
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
mockESApi->SetExpectationsRetainReleaseMessage(&esMsg);
mockESApi->SetExpectationsRetainReleaseMessage();
SNTEndpointSecurityClient *client = [[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi];
SNTEndpointSecurityClient *client =
[[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi
metrics:nullptr
processor:Processor::kUnknown];
{ XCTAssertThrows([client handleMessage:Message(mockESApi, &esMsg)]); }
{ XCTAssertThrows([client handleMessage:Message(mockESApi, &esMsg) recordEventMetrics:nil]); }
XCTBubbleMockVerifyAndClearExpectations(mockESApi.get());
}
@@ -110,13 +124,16 @@ using santa::santad::event_providers::endpoint_security::Message;
es_message_t esMsg = MakeESMessage(ES_EVENT_TYPE_NOTIFY_FORK, &proc);
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
mockESApi->SetExpectationsRetainReleaseMessage(&esMsg);
mockESApi->SetExpectationsRetainReleaseMessage();
// Have subscribe fail the first time, meaning clear cache only called once.
EXPECT_CALL(*mockESApi, RespondAuthResult(testing::_, testing::_, ES_AUTH_RESULT_ALLOW, true))
.WillOnce(testing::Return(true));
SNTEndpointSecurityClient *client = [[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi];
SNTEndpointSecurityClient *client =
[[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi
metrics:nullptr
processor:Processor::kUnknown];
{
Message msg(mockESApi, &esMsg);
@@ -153,7 +170,10 @@ using santa::santad::event_providers::endpoint_security::Message;
- (void)testMuteSelf {
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
SNTEndpointSecurityClient *client = [[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi];
SNTEndpointSecurityClient *client =
[[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi
metrics:nullptr
processor:Processor::kUnknown];
EXPECT_CALL(*mockESApi, MuteProcess)
.WillOnce(testing::Return(true))
@@ -167,7 +187,10 @@ using santa::santad::event_providers::endpoint_security::Message;
- (void)testClearCache {
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
SNTEndpointSecurityClient *client = [[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi];
SNTEndpointSecurityClient *client =
[[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi
metrics:nullptr
processor:Processor::kUnknown];
// Test the underlying clear cache impl returning both true and false
EXPECT_CALL(*mockESApi, ClearCache)
@@ -182,7 +205,10 @@ using santa::santad::event_providers::endpoint_security::Message;
- (void)testSubscribe {
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
SNTEndpointSecurityClient *client = [[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi];
SNTEndpointSecurityClient *client =
[[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi
metrics:nullptr
processor:Processor::kUnknown];
std::set<es_event_type_t> events = {
ES_EVENT_TYPE_NOTIFY_CLOSE,
@@ -202,7 +228,10 @@ using santa::santad::event_providers::endpoint_security::Message;
- (void)testSubscribeAndClearCache {
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
SNTEndpointSecurityClient *client = [[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi];
SNTEndpointSecurityClient *client =
[[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi
metrics:nullptr
processor:Processor::kUnknown];
// Have subscribe fail the first time, meaning clear cache only called once.
EXPECT_CALL(*mockESApi, ClearCache)
@@ -217,10 +246,121 @@ using santa::santad::event_providers::endpoint_security::Message;
XCTBubbleMockVerifyAndClearExpectations(mockESApi.get());
}
- (void)testUnsubscribeAll {
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
SNTEndpointSecurityClient *client =
[[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi
metrics:nullptr
processor:Processor::kUnknown];
// Test the underlying unsubscribe all impl returning both true and false
EXPECT_CALL(*mockESApi, UnsubscribeAll)
.WillOnce(testing::Return(true))
.WillOnce(testing::Return(false));
XCTAssertTrue([client unsubscribeAll]);
XCTAssertFalse([client unsubscribeAll]);
XCTBubbleMockVerifyAndClearExpectations(mockESApi.get());
}
- (void)testUnmuteEverything {
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
SNTEndpointSecurityClient *client =
[[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi
metrics:nullptr
processor:Processor::kUnknown];
// Test variations of underlying unmute impls returning both true and false
EXPECT_CALL(*mockESApi, UnmuteAllPaths)
.WillOnce(testing::Return(true))
.WillOnce(testing::Return(false));
EXPECT_CALL(*mockESApi, UnmuteAllTargetPaths)
.WillOnce(testing::Return(true))
.WillOnce(testing::Return(true));
XCTAssertTrue([client unmuteEverything]);
XCTAssertFalse([client unmuteEverything]);
XCTBubbleMockVerifyAndClearExpectations(mockESApi.get());
}
- (void)testEnableTargetPathWatching {
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
SNTEndpointSecurityClient *client =
[[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi
metrics:nullptr
processor:Processor::kUnknown];
// Test the underlying invert nute impl returning both true and false
EXPECT_CALL(*mockESApi, InvertTargetPathMuting)
.WillOnce(testing::Return(true))
.WillOnce(testing::Return(false));
XCTAssertTrue([client enableTargetPathWatching]);
XCTAssertFalse([client enableTargetPathWatching]);
XCTBubbleMockVerifyAndClearExpectations(mockESApi.get());
}
- (void)testMuteTargetPaths {
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
SNTEndpointSecurityClient *client =
[[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi
metrics:nullptr
processor:Processor::kUnknown];
// Ensure all paths are attempted to be muted even if some fail.
// Ensure if any paths fail the overall result is false.
EXPECT_CALL(*mockESApi, MuteTargetPath(testing::_, "a", WatchItemPathType::kLiteral))
.WillOnce(testing::Return(true));
EXPECT_CALL(*mockESApi, MuteTargetPath(testing::_, "b", WatchItemPathType::kLiteral))
.WillOnce(testing::Return(false));
EXPECT_CALL(*mockESApi, MuteTargetPath(testing::_, "c", WatchItemPathType::kPrefix))
.WillOnce(testing::Return(true));
std::vector<std::pair<std::string, WatchItemPathType>> paths = {
{"a", WatchItemPathType::kLiteral},
{"b", WatchItemPathType::kLiteral},
{"c", WatchItemPathType::kPrefix},
};
XCTAssertFalse([client muteTargetPaths:paths]);
XCTBubbleMockVerifyAndClearExpectations(mockESApi.get());
}
- (void)testUnmuteTargetPaths {
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
SNTEndpointSecurityClient *client =
[[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi
metrics:nullptr
processor:Processor::kUnknown];
// Ensure all paths are attempted to be unmuted even if some fail.
// Ensure if any paths fail the overall result is false.
EXPECT_CALL(*mockESApi, UnmuteTargetPath(testing::_, "a", WatchItemPathType::kLiteral))
.WillOnce(testing::Return(true));
EXPECT_CALL(*mockESApi, UnmuteTargetPath(testing::_, "b", WatchItemPathType::kLiteral))
.WillOnce(testing::Return(false));
EXPECT_CALL(*mockESApi, UnmuteTargetPath(testing::_, "c", WatchItemPathType::kPrefix))
.WillOnce(testing::Return(true));
std::vector<std::pair<std::string, WatchItemPathType>> paths = {
{"a", WatchItemPathType::kLiteral},
{"b", WatchItemPathType::kLiteral},
{"c", WatchItemPathType::kPrefix},
};
XCTAssertFalse([client unmuteTargetPaths:paths]);
XCTBubbleMockVerifyAndClearExpectations(mockESApi.get());
}
- (void)testRespondToMessageWithAuthResultCacheable {
es_message_t esMsg;
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
mockESApi->SetExpectationsRetainReleaseMessage(&esMsg);
mockESApi->SetExpectationsRetainReleaseMessage();
es_auth_result_t result = ES_AUTH_RESULT_DENY;
bool cacheable = true;
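Review bot: the comment above the `InvertTargetPathMuting` expectation has a typo, "invert nute impl" should read "invert mute impl". Separately, `testUnmuteEverything` never exercises the case where `UnmuteAllPaths` succeeds but `UnmuteAllTargetPaths` fails: the `UnmuteAllTargetPaths` expectation returns true on both calls, so only the `UnmuteAllPaths` failure path is checked. A third `[client unmuteEverything]` call with the two mocks set to `.WillOnce(testing::Return(true))` and `.WillOnce(testing::Return(false))` respectively would confirm the combined result is false in that case as well.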
@@ -229,7 +369,10 @@ using santa::santad::event_providers::endpoint_security::Message;
EXPECT_CALL(*mockESApi, RespondAuthResult(testing::_, testing::_, result, cacheable))
.WillOnce(testing::Return(true));
SNTEndpointSecurityClient *client = [[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi];
SNTEndpointSecurityClient *client =
[[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi
metrics:nullptr
processor:Processor::kUnknown];
{
Message msg(mockESApi, &esMsg);
@@ -240,41 +383,41 @@ using santa::santad::event_providers::endpoint_security::Message;
}
- (void)testProcessEnrichedMessageHandler {
es_message_t esMsg;
dispatch_semaphore_t sema = dispatch_semaphore_create(0);
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
// Note: In this test, `RetainMessage` isn't setup to return anything. This
// means that the underlying `es_msg_` in the `Message` object is NULL, and
// therefore no call to `ReleaseMessage` is ever made (hence no expectations).
// Because we don't need to operate on the es_msg_, this simplifies the test.
EXPECT_CALL(*mockESApi, RetainMessage);
mockESApi->SetExpectationsRetainReleaseMessage();
SNTEndpointSecurityClient *client = [[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi];
SNTEndpointSecurityClient *client =
[[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi
metrics:nullptr
processor:Processor::kUnknown];
{
auto enrichedMsg = std::make_shared<EnrichedMessage>(
EnrichedClose(Message(mockESApi, &esMsg),
EnrichedProcess(std::nullopt, std::nullopt, std::nullopt, std::nullopt,
EnrichedFile(std::nullopt, std::nullopt, std::nullopt)),
EnrichedFile(std::nullopt, std::nullopt, std::nullopt)));
es_message_t esMsg;
auto enrichedMsg = std::make_shared<EnrichedMessage>(
EnrichedClose(Message(mockESApi, &esMsg),
EnrichedProcess(std::nullopt, std::nullopt, std::nullopt, std::nullopt,
EnrichedFile(std::nullopt, std::nullopt, std::nullopt)),
EnrichedFile(std::nullopt, std::nullopt, std::nullopt)));
[client processEnrichedMessage:enrichedMsg
handler:^(std::shared_ptr<EnrichedMessage> msg) {
dispatch_semaphore_signal(sema);
}];
[client processEnrichedMessage:enrichedMsg
handler:^(std::shared_ptr<EnrichedMessage> msg) {
dispatch_semaphore_signal(sema);
}];
XCTAssertEqual(0,
dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 10 * NSEC_PER_SEC)),
"Handler block not called within expected time window");
XCTAssertEqual(
0, dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 10 * NSEC_PER_SEC)),
"Handler block not called within expected time window");
}
XCTBubbleMockVerifyAndClearExpectations(mockESApi.get());
}
- (void)testIsDatabasePath {
XCTAssertTrue([SNTEndpointSecurityClient isDatabasePath:"/private/var/db/santa/rules.db"]);
XCTAssertTrue([SNTEndpointSecurityClient isDatabasePath:"/private/var/db/santa/events.db"]);
- (void)testIsProtectedPath {
XCTAssertTrue([SNTEndpointSecurityClient isProtectedPath:"/private/var/db/santa/rules.db"]);
XCTAssertTrue([SNTEndpointSecurityClient isProtectedPath:"/private/var/db/santa/events.db"]);
XCTAssertFalse([SNTEndpointSecurityClient isDatabasePath:"/not/a/db/path"]);
XCTAssertFalse([SNTEndpointSecurityClient isProtectedPath:"/not/a/db/path"]);
}
- (void)testProcessMessageHandlerBadEventType {
@@ -283,9 +426,12 @@ using santa::santad::event_providers::endpoint_security::Message;
es_message_t esMsg = MakeESMessage(ES_EVENT_TYPE_NOTIFY_EXIT, &proc);
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
mockESApi->SetExpectationsRetainReleaseMessage(&esMsg);
mockESApi->SetExpectationsRetainReleaseMessage();
SNTEndpointSecurityClient *client = [[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi];
SNTEndpointSecurityClient *client =
[[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi
metrics:nullptr
processor:Processor::kUnknown];
{
XCTAssertThrows([client processMessage:Message(mockESApi, &esMsg)
@@ -309,22 +455,25 @@ using santa::santad::event_providers::endpoint_security::Message;
45 * 1000); // Long deadline to not hit
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
mockESApi->SetExpectationsRetainReleaseMessage(&esMsg);
mockESApi->SetExpectationsRetainReleaseMessage();
dispatch_semaphore_t sema = dispatch_semaphore_create(0);
SNTEndpointSecurityClient *client = [[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi];
SNTEndpointSecurityClient *client =
[[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi
metrics:nullptr
processor:Processor::kUnknown];
{
XCTAssertNoThrow([client processMessage:Message(mockESApi, &esMsg)
handler:^(const Message &msg) {
dispatch_semaphore_signal(sema);
}]);
}
XCTAssertEqual(0,
dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC)),
"Handler block not called within expected time window");
XCTAssertEqual(
0, dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC)),
"Handler block not called within expected time window");
}
XCTBubbleMockVerifyAndClearExpectations(mockESApi.get());
}
@@ -332,7 +481,7 @@ using santa::santad::event_providers::endpoint_security::Message;
- (void)testProcessMessageHandlerWithDeadlineTimeout {
// Set a es_message_t deadline of 750ms
// Set a deadline leeway in the `SNTEndpointSecurityClient` of 500ms
// Mock `RespondAuthResult` which is called from the deadline handler
// Mock `RespondFlagsResult` which is called from the deadline handler
// Signal the semaphore from the mock
// Wait a few seconds for the semaphore (should take ~250ms)
//
@@ -347,19 +496,22 @@ using santa::santad::event_providers::endpoint_security::Message;
750); // 750ms timeout
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
mockESApi->SetExpectationsRetainReleaseMessage(&esMsg);
mockESApi->SetExpectationsRetainReleaseMessage();
dispatch_semaphore_t deadlineSema = dispatch_semaphore_create(0);
dispatch_semaphore_t controlSema = dispatch_semaphore_create(0);
EXPECT_CALL(*mockESApi, RespondAuthResult(testing::_, testing::_, ES_AUTH_RESULT_DENY, false))
EXPECT_CALL(*mockESApi, RespondFlagsResult(testing::_, testing::_, 0x0, false))
.WillOnce(testing::InvokeWithoutArgs(^() {
// Signal deadlineSema to let the handler block continue execution
dispatch_semaphore_signal(deadlineSema);
return true;
}));
SNTEndpointSecurityClient *client = [[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi];
SNTEndpointSecurityClient *client =
[[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi
metrics:nullptr
processor:Processor::kUnknown];
client.deadlineMarginMS = 500;
{
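Review bot: the deadline expectation `RespondFlagsResult(testing::_, testing::_, 0x0, false)` should carry a short comment explaining the two literals, that `0x0` means no flags are authorized (the deadline path denies the operation) and `false` means the result is not cacheable, since the test narrative above only says that `RespondFlagsResult` is called from the deadline handler and a reader cannot tell from the mock alone that `0x0` is the deny case.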

View File

@@ -21,6 +21,7 @@
#import "Source/santad/EventProviders/SNTEndpointSecurityClient.h"
#import "Source/santad/EventProviders/SNTEndpointSecurityEventHandler.h"
#include "Source/santad/Logs/EndpointSecurity/Logger.h"
#include "Source/santad/Metrics.h"
NS_ASSUME_NONNULL_BEGIN
@@ -40,6 +41,7 @@ typedef void (^SNTDeviceBlockCallback)(SNTDeviceEvent *event);
- (instancetype)
initWithESAPI:
(std::shared_ptr<santa::santad::event_providers::endpoint_security::EndpointSecurityAPI>)esApi
metrics:(std::shared_ptr<santa::santad::Metrics>)metrics
logger:(std::shared_ptr<santa::santad::logs::endpoint_security::Logger>)logger
authResultCache:(std::shared_ptr<santa::santad::event_providers::AuthResultCache>)authResultCache;

View File

@@ -28,7 +28,9 @@
#import "Source/common/SNTDeviceEvent.h"
#import "Source/common/SNTLogging.h"
#include "Source/santad/EventProviders/EndpointSecurity/Message.h"
#include "Source/santad/Metrics.h"
using santa::santad::EventDisposition;
using santa::santad::event_providers::AuthResultCache;
using santa::santad::event_providers::FlushCacheMode;
using santa::santad::event_providers::endpoint_security::EndpointSecurityAPI;
@@ -135,9 +137,12 @@ NS_ASSUME_NONNULL_BEGIN
}
- (instancetype)initWithESAPI:(std::shared_ptr<EndpointSecurityAPI>)esApi
metrics:(std::shared_ptr<santa::santad::Metrics>)metrics
logger:(std::shared_ptr<Logger>)logger
authResultCache:(std::shared_ptr<AuthResultCache>)authResultCache {
self = [super initWithESAPI:std::move(esApi)];
self = [super initWithESAPI:std::move(esApi)
metrics:std::move(metrics)
processor:santa::santad::Processor::kDeviceManager];
if (self) {
_logger = logger;
_authResultCache = authResultCache;
@@ -161,16 +166,23 @@ NS_ASSUME_NONNULL_BEGIN
self->_logger->LogDiskDisappeared(props);
}
- (void)handleMessage:(Message &&)esMsg {
- (NSString *)description {
return @"Device Manager";
}
- (void)handleMessage:(Message &&)esMsg
recordEventMetrics:(void (^)(EventDisposition))recordEventMetrics {
if (!self.blockUSBMount) {
// TODO: We should also unsubscribe from events when this isn't set, but
// this is generally a low-volume event type.
[self respondToMessage:esMsg withAuthResult:ES_AUTH_RESULT_ALLOW cacheable:false];
recordEventMetrics(EventDisposition::kDropped);
return;
}
if (esMsg->event_type == ES_EVENT_TYPE_NOTIFY_UNMOUNT) {
self->_authResultCache->FlushCache(FlushCacheMode::kNonRootOnly);
recordEventMetrics(EventDisposition::kProcessed);
return;
}
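Review bot: in `handleMessage:recordEventMetrics:` the `!self.blockUSBMount` early return calls `respondToMessage:` and records `kDropped` before the event type is inspected, so an `ES_EVENT_TYPE_NOTIFY_UNMOUNT` message arriving while USB blocking is disabled is answered as though it were an auth event and the `FlushCache(FlushCacheMode::kNonRootOnly)` on unmount is skipped. If the cache flush on unmount is meant to happen regardless of the USB setting, move the `NOTIFY_UNMOUNT` check ahead of the `blockUSBMount` check; otherwise at least avoid sending an auth response for a notify message.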
@@ -178,6 +190,7 @@ NS_ASSUME_NONNULL_BEGIN
handler:^(const Message &msg) {
es_auth_result_t result = [self handleAuthMount:msg];
[self respondToMessage:msg withAuthResult:result cacheable:false];
recordEventMetrics(EventDisposition::kProcessed);
}];
}
@@ -224,6 +237,7 @@ NS_ASSUME_NONNULL_BEGIN
BOOL isEjectable = [diskInfo[(__bridge NSString *)kDADiskDescriptionMediaEjectableKey] boolValue];
NSString *protocol = diskInfo[(__bridge NSString *)kDADiskDescriptionDeviceProtocolKey];
BOOL isUSB = [protocol isEqualToString:@"USB"];
BOOL isSecureDigital = [protocol isEqualToString:@"Secure Digital"];
BOOL isVirtual = [protocol isEqualToString:@"Virtual Interface"];
NSString *kind = diskInfo[(__bridge NSString *)kDADiskDescriptionMediaKindKey];
@@ -236,8 +250,8 @@ NS_ASSUME_NONNULL_BEGIN
// If the device is internal or virtual we are okay with the operation. We
// also are okay with operations for devices that are non-removal as long as
// they are NOT a USB device.
if (isInternal || isVirtual || (!isRemovable && !isEjectable && !isUSB)) {
// they are NOT a USB device, or an SD Card.
if (isInternal || isVirtual || (!isRemovable && !isEjectable && !isUSB && !isSecureDigital)) {
return ES_AUTH_RESULT_ALLOW;
}
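Review bot: the comment in this hunk still reads "devices that are non-removal", which should be "non-removable"; since the comment is being edited here anyway to add the SD card clause, fix the typo in the same change.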

View File

@@ -21,6 +21,7 @@
#include <gmock/gmock.h>
#include <gtest/gtest.h>
#include <sys/mount.h>
#include <cstddef>
#include <memory>
#include <set>
@@ -33,7 +34,9 @@
#include "Source/santad/EventProviders/EndpointSecurity/Message.h"
#include "Source/santad/EventProviders/EndpointSecurity/MockEndpointSecurityAPI.h"
#import "Source/santad/EventProviders/SNTEndpointSecurityDeviceManager.h"
#include "Source/santad/Metrics.h"
using santa::santad::EventDisposition;
using santa::santad::event_providers::AuthResultCache;
using santa::santad::event_providers::FlushCacheMode;
using santa::santad::event_providers::endpoint_security::Message;
@@ -106,6 +109,7 @@ class MockAuthResultCache : public AuthResultCache {
SNTEndpointSecurityDeviceManager *deviceManager =
[[SNTEndpointSecurityDeviceManager alloc] initWithESAPI:mockESApi
metrics:nullptr
logger:nullptr
authResultCache:nullptr];
@@ -120,8 +124,8 @@ class MockAuthResultCache : public AuthResultCache {
es_file_t file = MakeESFile("foo");
es_process_t proc = MakeESProcess(&file);
es_message_t esMsg = MakeESMessage(eventType, &proc, ActionType::Auth, 6000);
// Need a pointer to esMsg to capture in blocks below.
es_message_t *heapESMsg = &esMsg;
dispatch_semaphore_t semaMetrics = dispatch_semaphore_create(0);
__block int retainCount = 0;
dispatch_semaphore_t sema = dispatch_semaphore_create(0);
@@ -136,7 +140,6 @@ class MockAuthResultCache : public AuthResultCache {
});
EXPECT_CALL(*mockESApi, RetainMessage).WillRepeatedly(^{
retainCount++;
return heapESMsg;
});
if (eventType == ES_EVENT_TYPE_AUTH_MOUNT) {
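Review bot: with `return heapESMsg;` removed, the `RetainMessage` `WillRepeatedly` block now returns nothing, which only compiles if the mocked `RetainMessage` signature was changed to match; that change is not in this hunk, so it is worth a pointer in the description (or a comment on the expectation) that `retainCount` is kept purely to assert retain/release balance and the returned message is no longer used.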
@@ -157,13 +160,17 @@ class MockAuthResultCache : public AuthResultCache {
return true;
}));
[deviceManager handleMessage:Message(mockESApi, &esMsg)];
[deviceManager handleMessage:Message(mockESApi, &esMsg)
recordEventMetrics:^(EventDisposition d) {
XCTAssertEqual(d, deviceManager.blockUSBMount ? EventDisposition::kProcessed
: EventDisposition::kDropped);
dispatch_semaphore_signal(semaMetrics);
}];
[self waitForExpectations:@[ mountExpectation ] timeout:60.0];
XCTAssertEqual(0,
dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC)),
"Failed waiting for message to be processed...");
XCTAssertSemaTrue(semaMetrics, 5, "Metrics not recorded within expected window");
XCTAssertSemaTrue(sema, 5, "Failed waiting for message to be processed...");
[partialDeviceManager stopMocking];
XCTBubbleMockVerifyAndClearExpectations(mockESApi.get());
@@ -303,21 +310,30 @@ class MockAuthResultCache : public AuthResultCache {
es_process_t proc = MakeESProcess(&file);
es_message_t esMsg = MakeESMessage(ES_EVENT_TYPE_NOTIFY_UNMOUNT, &proc);
dispatch_semaphore_t semaMetrics = dispatch_semaphore_create(0);
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
mockESApi->SetExpectationsESNewClient();
mockESApi->SetExpectationsRetainReleaseMessage(&esMsg);
mockESApi->SetExpectationsRetainReleaseMessage();
auto mockAuthCache = std::make_shared<MockAuthResultCache>(nullptr);
EXPECT_CALL(*mockAuthCache, FlushCache);
SNTEndpointSecurityDeviceManager *deviceManager =
[[SNTEndpointSecurityDeviceManager alloc] initWithESAPI:mockESApi
metrics:nullptr
logger:nullptr
authResultCache:mockAuthCache];
deviceManager.blockUSBMount = YES;
[deviceManager handleMessage:Message(mockESApi, &esMsg)];
[deviceManager handleMessage:Message(mockESApi, &esMsg)
recordEventMetrics:^(EventDisposition d) {
XCTAssertEqual(d, EventDisposition::kProcessed);
dispatch_semaphore_signal(semaMetrics);
}];
XCTAssertSemaTrue(semaMetrics, 5, "Metrics not recorded within expected window");
XCTBubbleMockVerifyAndClearExpectations(mockESApi.get());
XCTBubbleMockVerifyAndClearExpectations(mockAuthCache.get());
@@ -332,7 +348,10 @@ class MockAuthResultCache : public AuthResultCache {
};
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
id deviceClient = [[SNTEndpointSecurityDeviceManager alloc] initWithESAPI:mockESApi];
id deviceClient = [[SNTEndpointSecurityDeviceManager alloc]
initWithESAPI:mockESApi
metrics:nullptr
processor:santa::santad::Processor::kDeviceManager];
EXPECT_CALL(*mockESApi, ClearCache(testing::_))
.After(EXPECT_CALL(*mockESApi, Subscribe(testing::_, expectedEventSubs))

View File

@@ -14,19 +14,42 @@
#import <Foundation/Foundation.h>
#include "Source/common/SNTCommon.h"
#include <string>
#include <vector>
#include "Source/santad/DataLayer/WatchItemPolicy.h"
#include "Source/santad/EventProviders/EndpointSecurity/Message.h"
#include "Source/santad/Metrics.h"
// Protocol that all subclasses of `SNTEndpointSecurityClient` should adhere to.
@protocol SNTEndpointSecurityEventHandler <NSObject>
// Called Synchronously and serially for each message provided by the
// EndpointSecurity framework.
- (void)handleMessage:(santa::santad::event_providers::endpoint_security::Message &&)esMsg;
- (void)handleMessage:(santa::santad::event_providers::endpoint_security::Message &&)esMsg
recordEventMetrics:(void (^)(santa::santad::EventDisposition))recordEventMetrics;
// Called after Santa has finished initializing itself.
// This is an optimal place to subscribe to ES events
- (void)enable;
@end
// Extension of the `SNTEndpointSecurityEventHandler` protocol for
// `SNTEndpointSecurityClient` subclasses that can be dynamically
// enabled and disabled.
@protocol SNTEndpointSecurityDynamicEventHandler <SNTEndpointSecurityEventHandler>
// Called when a client should no longer receive events.
- (void)disable;
- (void)
watchItemsCount:(size_t)count
newPaths:
(const std::vector<std::pair<std::string, santa::santad::data_layer::WatchItemPathType>>
&)newPaths
removedPaths:
(const std::vector<std::pair<std::string, santa::santad::data_layer::WatchItemPathType>> &)
removedPaths;
@end
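Review bot: the new `watchItemsCount:newPaths:removedPaths:` method on `SNTEndpointSecurityDynamicEventHandler` has no doc comment, while every other method in both protocols does (`handleMessage:recordEventMetrics:`, `enable`, `disable`). Add a line stating when it is called and what the two vectors contain (for example whether `newPaths` and `removedPaths` are already diffed against the previous watch item set), since an implementer needs that to decide what to mute and unmute.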

View File

@@ -0,0 +1,41 @@
/// Copyright 2022 Google LLC
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// https://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
#import <Foundation/Foundation.h>
#include <memory>
#include "Source/santad/DataLayer/WatchItems.h"
#include "Source/santad/EventProviders/EndpointSecurity/EndpointSecurityAPI.h"
#include "Source/santad/EventProviders/EndpointSecurity/Enricher.h"
#import "Source/santad/EventProviders/SNTEndpointSecurityClient.h"
#import "Source/santad/EventProviders/SNTEndpointSecurityEventHandler.h"
#include "Source/santad/Logs/EndpointSecurity/Logger.h"
#include "Source/santad/Metrics.h"
#import "Source/santad/SNTDecisionCache.h"
@interface SNTEndpointSecurityFileAccessAuthorizer
: SNTEndpointSecurityClient <SNTEndpointSecurityDynamicEventHandler>
- (instancetype)
initWithESAPI:
(std::shared_ptr<santa::santad::event_providers::endpoint_security::EndpointSecurityAPI>)esApi
metrics:(std::shared_ptr<santa::santad::Metrics>)metrics
logger:(std::shared_ptr<santa::santad::logs::endpoint_security::Logger>)logger
watchItems:(std::shared_ptr<santa::santad::data_layer::WatchItems>)watchItems
enricher:
(std::shared_ptr<santa::santad::event_providers::endpoint_security::Enricher>)enricher
decisionCache:(SNTDecisionCache *)decisionCache;
@end

View File

@@ -0,0 +1,547 @@
/// Copyright 2022 Google LLC
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// https://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
#import "Source/santad/EventProviders/SNTEndpointSecurityFileAccessAuthorizer.h"
#include <EndpointSecurity/EndpointSecurity.h>
#include <Kernel/kern/cs_blobs.h>
#import <MOLCertificate/MOLCertificate.h>
#import <MOLCodesignChecker/MOLCodesignChecker.h>
#include <sys/fcntl.h>
#include <algorithm>
#include <array>
#include <cstdlib>
#include <memory>
#include <optional>
#include <set>
#include <type_traits>
#include <variant>
#include "Source/common/Platform.h"
#import "Source/common/SNTCommonEnums.h"
#import "Source/common/SNTConfigurator.h"
#include "Source/common/SantaCache.h"
#include "Source/common/SantaVnode.h"
#include "Source/common/SantaVnodeHash.h"
#include "Source/santad/DataLayer/WatchItemPolicy.h"
#include "Source/santad/DataLayer/WatchItems.h"
#include "Source/santad/EventProviders/EndpointSecurity/EnrichedTypes.h"
#include "Source/santad/EventProviders/EndpointSecurity/Message.h"
using santa::santad::EventDisposition;
using santa::santad::data_layer::WatchItemPathType;
using santa::santad::data_layer::WatchItemPolicy;
using santa::santad::data_layer::WatchItems;
using santa::santad::event_providers::endpoint_security::EndpointSecurityAPI;
using santa::santad::event_providers::endpoint_security::Enricher;
using santa::santad::event_providers::endpoint_security::EnrichOptions;
using santa::santad::event_providers::endpoint_security::Message;
using santa::santad::logs::endpoint_security::Logger;
NSString *kBadCertHash = @"BAD_CERT_HASH";
static constexpr uint32_t kOpenFlagsIndicatingWrite = FWRITE | O_APPEND | O_TRUNC;
// Small structure to hold a complete event path target being operated upon and
// a bool indicating whether the path is a readable target (e.g. a file being
// opened or cloned)
struct PathTarget {
std::string path;
bool isReadable;
};
static inline std::string Path(const es_file_t *esFile) {
return std::string(esFile->path.data, esFile->path.length);
}
static inline std::string Path(const es_string_token_t &tok) {
return std::string(tok.data, tok.length);
}
static inline void PushBackIfNotTruncated(std::vector<PathTarget> &vec, const es_file_t *esFile,
bool isReadable = false) {
if (!esFile->path_truncated) {
vec.push_back({Path(esFile), isReadable});
}
}
static inline void PushBackIfNotTruncated(std::vector<PathTarget> &vec, const es_file_t *dir,
const es_string_token_t &name, bool isReadable = false) {
if (!dir->path_truncated) {
vec.push_back({Path(dir) + "/" + Path(name), isReadable});
}
}
es_auth_result_t FileAccessPolicyDecisionToESAuthResult(FileAccessPolicyDecision decision) {
switch (decision) {
case FileAccessPolicyDecision::kNoPolicy: return ES_AUTH_RESULT_ALLOW;
case FileAccessPolicyDecision::kDenied: return ES_AUTH_RESULT_DENY;
case FileAccessPolicyDecision::kDeniedInvalidSignature: return ES_AUTH_RESULT_DENY;
case FileAccessPolicyDecision::kAllowed: return ES_AUTH_RESULT_ALLOW;
case FileAccessPolicyDecision::kAllowedReadAccess: return ES_AUTH_RESULT_ALLOW;
case FileAccessPolicyDecision::kAllowedAuditOnly: return ES_AUTH_RESULT_ALLOW;
default:
// This is a programming error. Bail.
LOGE(@"Invalid file access decision encountered: %d", decision);
[NSException raise:@"Invalid FileAccessPolicyDecision"
format:@"Invalid FileAccessPolicyDecision: %d", decision];
}
}
bool ShouldLogDecision(FileAccessPolicyDecision decision) {
switch (decision) {
case FileAccessPolicyDecision::kDenied: return true;
case FileAccessPolicyDecision::kDeniedInvalidSignature: return true;
case FileAccessPolicyDecision::kAllowedAuditOnly: return true;
default: return false;
}
}
es_auth_result_t CombinePolicyResults(es_auth_result_t result1, es_auth_result_t result2) {
// If either policy denied the operation, the operation is denied
return ((result1 == ES_AUTH_RESULT_DENY || result2 == ES_AUTH_RESULT_DENY)
? ES_AUTH_RESULT_DENY
: ES_AUTH_RESULT_ALLOW);
}
void PopulatePathTargets(const Message &msg, std::vector<PathTarget> &targets) {
switch (msg->event_type) {
case ES_EVENT_TYPE_AUTH_CLONE:
PushBackIfNotTruncated(targets, msg->event.clone.source, true);
PushBackIfNotTruncated(targets, msg->event.clone.target_dir, msg->event.clone.target_name);
break;
case ES_EVENT_TYPE_AUTH_CREATE:
// AUTH CREATE events should always be ES_DESTINATION_TYPE_NEW_PATH
if (msg->event.create.destination_type == ES_DESTINATION_TYPE_NEW_PATH) {
PushBackIfNotTruncated(targets, msg->event.create.destination.new_path.dir,
msg->event.create.destination.new_path.filename);
} else {
LOGW(@"Unexpected destination type for create event: %d. Ignoring target.",
msg->event.create.destination_type);
}
break;
case ES_EVENT_TYPE_AUTH_COPYFILE:
PushBackIfNotTruncated(targets, msg->event.copyfile.source, true);
if (msg->event.copyfile.target_file) {
PushBackIfNotTruncated(targets, msg->event.copyfile.target_file);
} else {
PushBackIfNotTruncated(targets, msg->event.copyfile.target_dir,
msg->event.copyfile.target_name);
}
break;
case ES_EVENT_TYPE_AUTH_EXCHANGEDATA:
PushBackIfNotTruncated(targets, msg->event.exchangedata.file1);
PushBackIfNotTruncated(targets, msg->event.exchangedata.file2);
break;
case ES_EVENT_TYPE_AUTH_LINK:
PushBackIfNotTruncated(targets, msg->event.link.source);
PushBackIfNotTruncated(targets, msg->event.link.target_dir, msg->event.link.target_filename);
break;
case ES_EVENT_TYPE_AUTH_OPEN:
PushBackIfNotTruncated(targets, msg->event.open.file, true);
break;
case ES_EVENT_TYPE_AUTH_RENAME:
PushBackIfNotTruncated(targets, msg->event.rename.source);
if (msg->event.rename.destination_type == ES_DESTINATION_TYPE_EXISTING_FILE) {
PushBackIfNotTruncated(targets, msg->event.rename.destination.existing_file);
} else if (msg->event.rename.destination_type == ES_DESTINATION_TYPE_NEW_PATH) {
PushBackIfNotTruncated(targets, msg->event.rename.destination.new_path.dir,
msg->event.rename.destination.new_path.filename);
} else {
LOGW(@"Unexpected destination type for rename event: %d. Ignoring destination.",
msg->event.rename.destination_type);
}
break;
case ES_EVENT_TYPE_AUTH_TRUNCATE:
PushBackIfNotTruncated(targets, msg->event.truncate.target);
break;
case ES_EVENT_TYPE_AUTH_UNLINK:
PushBackIfNotTruncated(targets, msg->event.unlink.target);
break;
default:
[NSException
raise:@"Unexpected event type"
format:@"File Access Authorizer client does not handle event: %d", msg->event_type];
exit(EXIT_FAILURE);
}
}
@interface SNTEndpointSecurityFileAccessAuthorizer ()
@property SNTDecisionCache *decisionCache;
@property bool isSubscribed;
@end
@implementation SNTEndpointSecurityFileAccessAuthorizer {
std::shared_ptr<Logger> _logger;
std::shared_ptr<WatchItems> _watchItems;
std::shared_ptr<Enricher> _enricher;
SantaCache<SantaVnode, NSString *> _certHashCache;
}
- (instancetype)
initWithESAPI:
(std::shared_ptr<santa::santad::event_providers::endpoint_security::EndpointSecurityAPI>)esApi
metrics:(std::shared_ptr<santa::santad::Metrics>)metrics
logger:(std::shared_ptr<santa::santad::logs::endpoint_security::Logger>)logger
watchItems:(std::shared_ptr<WatchItems>)watchItems
enricher:
(std::shared_ptr<santa::santad::event_providers::endpoint_security::Enricher>)enricher
decisionCache:(SNTDecisionCache *)decisionCache {
self = [super initWithESAPI:std::move(esApi)
metrics:std::move(metrics)
processor:santa::santad::Processor::kFileAccessAuthorizer];
if (self) {
_watchItems = std::move(watchItems);
_logger = std::move(logger);
_enricher = std::move(enricher);
_decisionCache = decisionCache;
[self establishClientOrDie];
[super enableTargetPathWatching];
[super unmuteEverything];
}
return self;
}
- (NSString *)description {
return @"FileAccessAuthorizer";
}
- (NSString *)getCertificateHash:(es_file_t *)esFile {
// First see if we've already cached this value
SantaVnode vnodeID = SantaVnode::VnodeForFile(esFile);
NSString *result = self->_certHashCache.get(vnodeID);
if (!result) {
// If this wasn't already cached, try finding a cached SNTCachedDecision
SNTCachedDecision *cd = [self.decisionCache cachedDecisionForFile:esFile->stat];
if (cd) {
// There was an existing cached decision, use its cert hash
result = cd.certSHA256;
} else {
// If the cached decision didn't exist, try a manual lookup
NSError *e;
MOLCodesignChecker *csInfo =
[[MOLCodesignChecker alloc] initWithBinaryPath:@(esFile->path.data) error:&e];
if (!e) {
result = csInfo.leafCertificate.SHA256;
}
}
if (!result.length) {
// If result is still nil, there isn't much recourse... We will
// assume that this error isn't transient and set a terminal value
// in the cache to prevent continous attempts to lookup cert hash.
result = kBadCertHash;
}
// Finally, add the result to the cache to prevent future lookups
self->_certHashCache.set(vnodeID, result);
}
return result;
}
- (FileAccessPolicyDecision)specialCaseForPolicy:(std::shared_ptr<WatchItemPolicy>)policy
target:(const PathTarget &)target
message:(const Message &)msg {
switch (msg->event_type) {
case ES_EVENT_TYPE_AUTH_OPEN:
// If the policy is write-only, but the operation isn't a write action, it's allowed
if (policy->allow_read_access && !(msg->event.open.fflag & kOpenFlagsIndicatingWrite)) {
return FileAccessPolicyDecision::kAllowedReadAccess;
}
break;
case ES_EVENT_TYPE_AUTH_CLONE:
// If policy is write-only, readable targets are allowed (e.g. source file)
if (policy->allow_read_access && target.isReadable) {
return FileAccessPolicyDecision::kAllowedReadAccess;
}
break;
case ES_EVENT_TYPE_AUTH_COPYFILE:
// Note: Flags for the copyfile event represent the kernel view, not the usersapce
// copyfile(3) implementation. This means if a `copyfile(3)` flag like `COPYFILE_MOVE`
// is specified, it will come as a separate `unlink(2)` event, not a flag here.
if (policy->allow_read_access && target.isReadable) {
return FileAccessPolicyDecision::kAllowedReadAccess;
}
break;
case ES_EVENT_TYPE_AUTH_CREATE:
case ES_EVENT_TYPE_AUTH_EXCHANGEDATA:
case ES_EVENT_TYPE_AUTH_LINK:
case ES_EVENT_TYPE_AUTH_RENAME:
case ES_EVENT_TYPE_AUTH_TRUNCATE:
case ES_EVENT_TYPE_AUTH_UNLINK:
// These event types have no special case
break;
default:
[NSException raise:@"Unexpected event type"
format:@"Received unexpected event type in the file access authorizer: %d",
msg->event_type];
exit(EXIT_FAILURE);
}
return FileAccessPolicyDecision::kNoPolicy;
}
/// An An `es_process_t` must match all criteria within the given
/// WatchItemPolicy::Process to be considered a match.
- (bool)policyProcess:(const WatchItemPolicy::Process &)policyProc
matchesESProcess:(const es_process_t *)esProc {
// Note: Intentionally not checking `CS_VALID` here - this check must happen
// outside of this method. This method is used to individually check each
// configured process exception while the check for a valid code signature
// is more broad and applies whether or not process exceptions exist.
if (esProc->codesigning_flags & CS_SIGNED) {
// Check if the instigating process has an allowed TeamID
if (!policyProc.team_id.empty() && esProc->team_id.data &&
policyProc.team_id != esProc->team_id.data) {
return false;
}
if (!policyProc.signing_id.empty() && esProc->signing_id.data &&
policyProc.signing_id != esProc->signing_id.data) {
return false;
}
// Check if the instigating process has an allowed CDHash
if (policyProc.cdhash.size() == CS_CDHASH_LEN &&
std::memcmp(policyProc.cdhash.data(), esProc->cdhash, CS_CDHASH_LEN) != 0) {
return false;
}
// Check if the instigating process has an allowed certificate hash
if (!policyProc.certificate_sha256.empty()) {
NSString *result = [self getCertificateHash:esProc->executable];
if (!result || policyProc.certificate_sha256 != [result UTF8String]) {
return false;
}
}
} else {
// If the process isn't signed, ensure the policy doesn't contain any
// attributes that require a signature
if (!policyProc.team_id.empty() || !policyProc.signing_id.empty() ||
policyProc.cdhash.size() == CS_CDHASH_LEN || !policyProc.certificate_sha256.empty()) {
return false;
}
}
// Check if the instigating process path opening the file is allowed
if (policyProc.binary_path.length() > 0 &&
policyProc.binary_path != esProc->executable->path.data) {
return false;
}
return true;
}
// The operation is allowed when:
// - No policy exists
// - The policy is write-only, but the operation is read-only
// - The operation was instigated by an allowed process
// - If the instigating process is signed, the codesignature is valid
// Otherwise the operation is denied.
- (FileAccessPolicyDecision)applyPolicy:
(std::optional<std::shared_ptr<WatchItemPolicy>>)optionalPolicy
forTarget:(const PathTarget &)target
toMessage:(const Message &)msg {
// If no policy exists, everything is allowed
if (!optionalPolicy.has_value()) {
return FileAccessPolicyDecision::kNoPolicy;
}
// If the process is signed but has an invalid signature, it is denied
if (((msg->process->codesigning_flags & (CS_SIGNED | CS_VALID)) == CS_SIGNED) &&
[[SNTConfigurator configurator] enableBadSignatureProtection]) {
// TODO(mlw): Think about how to make stronger guarantees here to handle
// programs becoming invalid after first being granted access. Maybe we
// should only allow things that have hardened runtime flags set?
return FileAccessPolicyDecision::kDeniedInvalidSignature;
}
std::shared_ptr<WatchItemPolicy> policy = optionalPolicy.value();
// Check if this action contains any special case that would produce
// an immediate result.
FileAccessPolicyDecision specialCase = [self specialCaseForPolicy:policy
target:target
message:msg];
if (specialCase != FileAccessPolicyDecision::kNoPolicy) {
return specialCase;
}
for (const WatchItemPolicy::Process &process : policy->processes) {
if ([self policyProcess:process matchesESProcess:msg->process]) {
return FileAccessPolicyDecision::kAllowed;
}
}
if (policy->audit_only) {
return FileAccessPolicyDecision::kAllowedAuditOnly;
} else {
// TODO(xyz): Write to TTY like in exec controller?
// TODO(xyz): Need new config item for custom message in UI
return FileAccessPolicyDecision::kDenied;
}
}
- (FileAccessPolicyDecision)handleMessage:(const Message &)msg
target:(const PathTarget &)target
policy:
(std::optional<std::shared_ptr<WatchItemPolicy>>)optionalPolicy
policyVersion:(const std::string &)policyVersion {
FileAccessPolicyDecision policyDecision = [self applyPolicy:optionalPolicy
forTarget:target
toMessage:msg];
if (ShouldLogDecision(policyDecision)) {
if (optionalPolicy.has_value()) {
std::string policyNameCopy = optionalPolicy.value()->name;
std::string policyVersionCopy = policyVersion;
std::string targetPathCopy = target.path;
[self asynchronouslyProcess:msg
handler:^(Message &&esMsg) {
self->_logger->LogFileAccess(
policyVersionCopy, policyNameCopy, esMsg,
self->_enricher->Enrich(*esMsg->process, EnrichOptions::kLocalOnly),
targetPathCopy, policyDecision);
}];
} else {
LOGE(@"Unexpectedly missing policy: Unable to log file access event: %s -> %s",
Path(msg->process->executable).data(), target.path.c_str());
}
}
return policyDecision;
}
- (void)processMessage:(const Message &)msg {
std::vector<PathTarget> targets;
targets.reserve(2);
PopulatePathTargets(msg, targets);
// Extract the paths from the vector of PathTargets in order to lookup policies
// Note: There should only ever be 1 or 2 items in the vector
std::vector<std::string_view> paths;
paths.reserve(2);
for (const PathTarget &target : targets) {
paths.push_back(std::string_view(target.path));
}
WatchItems::VersionAndPolicies versionAndPolicies = self->_watchItems->FindPolciesForPaths(paths);
es_auth_result_t policyResult = ES_AUTH_RESULT_ALLOW;
bool allow_read_access = false;
for (size_t i = 0; i < targets.size(); i++) {
FileAccessPolicyDecision curDecision = [self handleMessage:msg
target:targets[i]
policy:versionAndPolicies.second[i]
policyVersion:versionAndPolicies.first];
policyResult =
CombinePolicyResults(policyResult, FileAccessPolicyDecisionToESAuthResult(curDecision));
// If the overall policy result is deny, then reset allow_read_access.
// Otherwise if the current decision would allow read access, set the flag.
if (policyResult == ES_AUTH_RESULT_DENY) {
allow_read_access = false;
} else if (curDecision == FileAccessPolicyDecision::kAllowedReadAccess) {
allow_read_access = true;
}
}
// IMPORTANT: A response is only cacheable if the policy result was explicitly
// allowed. An "allow read access" result must not be cached to ensure a future
// non-read accesss can be evaluated. Similarly, denied results must never be
// cached so access attempts can be logged.
[self respondToMessage:msg
withAuthResult:policyResult
cacheable:(policyResult == ES_AUTH_RESULT_ALLOW && !allow_read_access)];
}
- (void)handleMessage:(santa::santad::event_providers::endpoint_security::Message &&)esMsg
recordEventMetrics:(void (^)(EventDisposition))recordEventMetrics {
[self processMessage:std::move(esMsg)
handler:^(const Message &msg) {
[self processMessage:msg];
recordEventMetrics(EventDisposition::kProcessed);
}];
}
- (void)enable {
// TODO(xyz): Expand to support ES_EVENT_TYPE_AUTH_CREATE, ES_EVENT_TYPE_AUTH_TRUNCATE
std::set<es_event_type_t> events = {
ES_EVENT_TYPE_AUTH_CLONE, ES_EVENT_TYPE_AUTH_CREATE, ES_EVENT_TYPE_AUTH_EXCHANGEDATA,
ES_EVENT_TYPE_AUTH_LINK, ES_EVENT_TYPE_AUTH_OPEN, ES_EVENT_TYPE_AUTH_RENAME,
ES_EVENT_TYPE_AUTH_TRUNCATE, ES_EVENT_TYPE_AUTH_UNLINK,
};
#if HAVE_MACOS_12
if (@available(macOS 12.0, *)) {
events.insert(ES_EVENT_TYPE_AUTH_COPYFILE);
}
#endif
if (!self.isSubscribed) {
self.isSubscribed = [super subscribe:events];
[super clearCache];
}
}
- (void)disable {
if (self.isSubscribed) {
if ([super unsubscribeAll]) {
self.isSubscribed = false;
}
[super unmuteEverything];
}
}
- (void)watchItemsCount:(size_t)count
newPaths:(const std::vector<std::pair<std::string, WatchItemPathType>> &)newPaths
removedPaths:
(const std::vector<std::pair<std::string, WatchItemPathType>> &)removedPaths {
if (count == 0) {
[self disable];
} else {
// Stop watching removed paths
[super unmuteTargetPaths:removedPaths];
// Begin watching the added paths
[super muteTargetPaths:newPaths];
// begin receiving events (if not already)
[self enable];
}
}
@end
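Review bot: the `cacheable:` expression at the end of `processMessage:` (`policyResult == ES_AUTH_RESULT_ALLOW && !allow_read_access`) lets an audit-only decision be cached: `kAllowedAuditOnly` maps to `ES_AUTH_RESULT_ALLOW` and does not set `allow_read_access`, so the first access is logged but the cached allow then suppresses every later access to that target by the same process, which defeats the stated purpose of audit-only policies (the IMPORTANT comment above the call only covers "allow read access" and denied results). Consider tracking an `audit_only` flag alongside `allow_read_access` in the loop, or caching only when every `curDecision` was `kNoPolicy` or `kAllowed`. Separately, in `policyProcess:matchesESProcess:` the `team_id` and `signing_id` checks are guarded by `esProc->team_id.data` / `esProc->signing_id.data`, so a signed process whose token is NULL (no team ID or signing ID present) skips the comparison and still matches a policy that requires a specific value; a non-empty policy field with a NULL token should return false, as the certificate-hash branch already does via `!result`. Minor: the TODO in `enable` asks to add `ES_EVENT_TYPE_AUTH_CREATE` and `ES_EVENT_TYPE_AUTH_TRUNCATE` but both are already in the set, `exit(EXIT_FAILURE)` after `[NSException raise:]` is unreachable, and there are typos in "An An `es_process_t`", "accesss" and the `FindPolciesForPaths` method name.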
@@ -0,0 +1,811 @@
/// Copyright 2022 Google LLC
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// https://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
#include <EndpointSecurity/EndpointSecurity.h>
#import <MOLCertificate/MOLCertificate.h>
#import <MOLCodesignChecker/MOLCodesignChecker.h>
#import <OCMock/OCMock.h>
#import <XCTest/XCTest.h>
#include <gmock/gmock.h>
#include <gtest/gtest.h>
#include <sys/fcntl.h>
#include <cstring>
#include <array>
#include <cstddef>
#include <map>
#include <memory>
#include <optional>
#include <variant>
#include "Source/common/Platform.h"
#include "Source/common/SNTCachedDecision.h"
#import "Source/common/SNTConfigurator.h"
#include "Source/common/TestUtils.h"
#include "Source/santad/DataLayer/WatchItemPolicy.h"
#include "Source/santad/DataLayer/WatchItems.h"
#include "Source/santad/EventProviders/EndpointSecurity/Message.h"
#include "Source/santad/EventProviders/EndpointSecurity/MockEndpointSecurityAPI.h"
#import "Source/santad/EventProviders/SNTEndpointSecurityFileAccessAuthorizer.h"
#include "Source/santad/Logs/EndpointSecurity/MockLogger.h"
#include "Source/santad/SNTDecisionCache.h"
using santa::santad::data_layer::WatchItemPolicy;
using santa::santad::event_providers::endpoint_security::Message;
extern NSString *kBadCertHash;
// Duplicate definition for test implementation
struct PathTarget {
std::string path;
bool isReadable;
};
using PathTargetsPair = std::pair<std::optional<std::string>, std::optional<std::string>>;
extern void PopulatePathTargets(const Message &msg, std::vector<PathTarget> &targets);
extern es_auth_result_t FileAccessPolicyDecisionToESAuthResult(FileAccessPolicyDecision decision);
extern bool ShouldLogDecision(FileAccessPolicyDecision decision);
extern es_auth_result_t CombinePolicyResults(es_auth_result_t result1, es_auth_result_t result2);
void SetExpectationsForFileAccessAuthorizerInit(
std::shared_ptr<MockEndpointSecurityAPI> mockESApi) {
EXPECT_CALL(*mockESApi, InvertTargetPathMuting).WillOnce(testing::Return(true));
EXPECT_CALL(*mockESApi, UnmuteAllPaths).WillOnce(testing::Return(true));
EXPECT_CALL(*mockESApi, UnmuteAllTargetPaths).WillOnce(testing::Return(true));
}
// Helper to reset a policy to an empty state
void ClearWatchItemPolicyProcess(WatchItemPolicy::Process &proc) {
proc.binary_path = "";
proc.signing_id = "";
proc.team_id = "";
proc.certificate_sha256 = "";
proc.cdhash.clear();
}
@interface SNTEndpointSecurityFileAccessAuthorizer (Testing)
- (NSString *)getCertificateHash:(es_file_t *)esFile;
- (FileAccessPolicyDecision)specialCaseForPolicy:(std::shared_ptr<WatchItemPolicy>)policy
target:(const PathTarget &)target
message:(const Message &)msg;
- (bool)policyProcess:(const WatchItemPolicy::Process &)policyProc
matchesESProcess:(const es_process_t *)esProc;
- (FileAccessPolicyDecision)applyPolicy:
(std::optional<std::shared_ptr<WatchItemPolicy>>)optionalPolicy
forTarget:(const PathTarget &)target
toMessage:(const Message &)msg;
@property bool isSubscribed;
@end
@interface SNTEndpointSecurityFileAccessAuthorizerTest : XCTestCase
@property id mockConfigurator;
@property id cscMock;
@property id dcMock;
@end
@implementation SNTEndpointSecurityFileAccessAuthorizerTest
- (void)setUp {
[super setUp];
self.mockConfigurator = OCMClassMock([SNTConfigurator class]);
OCMStub([self.mockConfigurator configurator]).andReturn(self.mockConfigurator);
self.cscMock = OCMClassMock([MOLCodesignChecker class]);
OCMStub([self.cscMock alloc]).andReturn(self.cscMock);
self.dcMock = OCMStrictClassMock([SNTDecisionCache class]);
}
- (void)tearDown {
[self.cscMock stopMocking];
[self.dcMock stopMocking];
[super tearDown];
}
- (void)testGetCertificateHash {
es_file_t esFile1 = MakeESFile("foo", MakeStat(100));
es_file_t esFile2 = MakeESFile("foo", MakeStat(200));
es_file_t esFile3 = MakeESFile("foo", MakeStat(300));
NSString *certHash2 = @"abc123";
NSString *certHash3 = @"xyz789";
NSString *got;
NSString *want;
id certMock = OCMClassMock([MOLCertificate class]);
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
mockESApi->SetExpectationsESNewClient();
SetExpectationsForFileAccessAuthorizerInit(mockESApi);
SNTEndpointSecurityFileAccessAuthorizer *accessClient =
[[SNTEndpointSecurityFileAccessAuthorizer alloc] initWithESAPI:mockESApi
metrics:nullptr
logger:nullptr
watchItems:nullptr
enricher:nullptr
decisionCache:self.dcMock];
//
// Test 1 - Not in local cache or decision cache, and code sig lookup fails
//
OCMExpect([self.dcMock cachedDecisionForFile:esFile1.stat])
.ignoringNonObjectArgs()
.andReturn(nil);
NSError *err = [NSError errorWithDomain:@"" code:errSecCSSignatureFailed userInfo:nil];
OCMExpect([self.cscMock initWithBinaryPath:OCMOCK_ANY error:[OCMArg setTo:err]])
.andReturn(self.cscMock);
got = [accessClient getCertificateHash:&esFile1];
want = kBadCertHash;
XCTAssertEqualObjects(got, want);
// Call again without setting new expectations on dcMock to ensure the
// cached value is used
got = [accessClient getCertificateHash:&esFile1];
XCTAssertEqualObjects(got, want);
XCTAssertTrue(OCMVerifyAll(self.dcMock));
//
// Test 2 - Not in local cache or decision cache, code sig lookup successful
//
OCMExpect([self.dcMock cachedDecisionForFile:esFile2.stat])
.ignoringNonObjectArgs()
.andReturn(nil);
OCMExpect([self.cscMock initWithBinaryPath:OCMOCK_ANY error:[OCMArg setTo:nil]])
.andReturn(self.cscMock);
OCMExpect([self.cscMock leafCertificate]).andReturn(certMock);
OCMExpect([certMock SHA256]).andReturn(certHash2);
got = [accessClient getCertificateHash:&esFile2];
want = certHash2;
XCTAssertEqualObjects(got, want);
// Call again without setting new expectations on dcMock to ensure the
// cached value is used
got = [accessClient getCertificateHash:&esFile2];
XCTAssertEqualObjects(got, want);
XCTAssertTrue(OCMVerifyAll(self.dcMock));
//
// Test 3 - Not in local cache, but is in decision cache
//
SNTCachedDecision *cd = [[SNTCachedDecision alloc] init];
cd.certSHA256 = certHash3;
OCMExpect([self.dcMock cachedDecisionForFile:esFile3.stat]).ignoringNonObjectArgs().andReturn(cd);
got = [accessClient getCertificateHash:&esFile3];
want = certHash3;
XCTAssertEqualObjects(got, want);
// Call again without setting new expectations on dcMock to ensure the
// cached value is used
got = [accessClient getCertificateHash:&esFile3];
XCTBubbleMockVerifyAndClearExpectations(mockESApi.get());
[certMock stopMocking];
}
- (void)testFileAccessPolicyDecisionToESAuthResult {
std::map<FileAccessPolicyDecision, es_auth_result_t> policyDecisionToAuthResult = {
{FileAccessPolicyDecision::kNoPolicy, ES_AUTH_RESULT_ALLOW},
{FileAccessPolicyDecision::kDenied, ES_AUTH_RESULT_DENY},
{FileAccessPolicyDecision::kDeniedInvalidSignature, ES_AUTH_RESULT_DENY},
{FileAccessPolicyDecision::kAllowed, ES_AUTH_RESULT_ALLOW},
{FileAccessPolicyDecision::kAllowedReadAccess, ES_AUTH_RESULT_ALLOW},
{FileAccessPolicyDecision::kAllowedAuditOnly, ES_AUTH_RESULT_ALLOW},
};
for (const auto &kv : policyDecisionToAuthResult) {
XCTAssertEqual(FileAccessPolicyDecisionToESAuthResult(kv.first), kv.second);
}
XCTAssertThrows(FileAccessPolicyDecisionToESAuthResult((FileAccessPolicyDecision)123));
}
- (void)testShouldLogDecision {
std::map<FileAccessPolicyDecision, bool> policyDecisionToShouldLog = {
{FileAccessPolicyDecision::kNoPolicy, false},
{FileAccessPolicyDecision::kDenied, true},
{FileAccessPolicyDecision::kDeniedInvalidSignature, true},
{FileAccessPolicyDecision::kAllowed, false},
{FileAccessPolicyDecision::kAllowedReadAccess, false},
{FileAccessPolicyDecision::kAllowedAuditOnly, true},
{(FileAccessPolicyDecision)5, false},
};
for (const auto &kv : policyDecisionToShouldLog) {
XCTAssertEqual(ShouldLogDecision(kv.first), kv.second);
}
}
- (void)testCombinePolicyResults {
// Ensure that the combined result is ES_AUTH_RESULT_DENY if both or either
// input result is ES_AUTH_RESULT_DENY.
XCTAssertEqual(CombinePolicyResults(ES_AUTH_RESULT_DENY, ES_AUTH_RESULT_DENY),
ES_AUTH_RESULT_DENY);
XCTAssertEqual(CombinePolicyResults(ES_AUTH_RESULT_DENY, ES_AUTH_RESULT_ALLOW),
ES_AUTH_RESULT_DENY);
XCTAssertEqual(CombinePolicyResults(ES_AUTH_RESULT_ALLOW, ES_AUTH_RESULT_DENY),
ES_AUTH_RESULT_DENY);
XCTAssertEqual(CombinePolicyResults(ES_AUTH_RESULT_ALLOW, ES_AUTH_RESULT_ALLOW),
ES_AUTH_RESULT_ALLOW);
}
- (void)testSpecialCaseForPolicyMessage {
es_file_t esFile = MakeESFile("foo");
es_process_t esProc = MakeESProcess(&esFile);
es_message_t esMsg = MakeESMessage(ES_EVENT_TYPE_AUTH_OPEN, &esProc);
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
mockESApi->SetExpectationsESNewClient();
mockESApi->SetExpectationsRetainReleaseMessage();
SetExpectationsForFileAccessAuthorizerInit(mockESApi);
SNTEndpointSecurityFileAccessAuthorizer *accessClient =
[[SNTEndpointSecurityFileAccessAuthorizer alloc] initWithESAPI:mockESApi
metrics:nullptr
logger:nullptr
watchItems:nullptr
enricher:nullptr
decisionCache:nil];
auto policy = std::make_shared<WatchItemPolicy>("foo_policy", "/foo");
FileAccessPolicyDecision result;
PathTarget target = {.path = "/some/random/path", .isReadable = true};
{
esMsg.event_type = ES_EVENT_TYPE_AUTH_OPEN;
// Write-only policy, Write operation
{
policy->allow_read_access = true;
esMsg.event.open.fflag = FWRITE | FREAD;
Message msg(mockESApi, &esMsg);
result = [accessClient specialCaseForPolicy:policy target:target message:msg];
XCTAssertEqual(result, FileAccessPolicyDecision::kNoPolicy);
}
// Write-only policy, Read operation
{
policy->allow_read_access = true;
esMsg.event.open.fflag = FREAD;
Message msg(mockESApi, &esMsg);
result = [accessClient specialCaseForPolicy:policy target:target message:msg];
XCTAssertEqual(result, FileAccessPolicyDecision::kAllowedReadAccess);
}
// Read/Write policy, Read operation
{
policy->allow_read_access = false;
esMsg.event.open.fflag = FREAD;
Message msg(mockESApi, &esMsg);
result = [accessClient specialCaseForPolicy:policy target:target message:msg];
XCTAssertEqual(result, FileAccessPolicyDecision::kNoPolicy);
}
}
{
esMsg.event_type = ES_EVENT_TYPE_AUTH_CLONE;
// Write-only policy, target readable
{
policy->allow_read_access = true;
target.isReadable = true;
Message msg(mockESApi, &esMsg);
result = [accessClient specialCaseForPolicy:policy target:target message:msg];
XCTAssertEqual(result, FileAccessPolicyDecision::kAllowedReadAccess);
}
// Write-only policy, target not readable
{
policy->allow_read_access = true;
target.isReadable = false;
Message msg(mockESApi, &esMsg);
result = [accessClient specialCaseForPolicy:policy target:target message:msg];
XCTAssertEqual(result, FileAccessPolicyDecision::kNoPolicy);
}
}
{
esMsg.event_type = ES_EVENT_TYPE_AUTH_COPYFILE;
// Write-only policy, target readable
{
policy->allow_read_access = true;
target.isReadable = true;
Message msg(mockESApi, &esMsg);
result = [accessClient specialCaseForPolicy:policy target:target message:msg];
XCTAssertEqual(result, FileAccessPolicyDecision::kAllowedReadAccess);
}
// Write-only policy, target not readable
{
policy->allow_read_access = true;
target.isReadable = false;
Message msg(mockESApi, &esMsg);
result = [accessClient specialCaseForPolicy:policy target:target message:msg];
XCTAssertEqual(result, FileAccessPolicyDecision::kNoPolicy);
}
}
// Ensure other handled event types do not have a special case
std::set<es_event_type_t> eventTypes = {
ES_EVENT_TYPE_AUTH_CREATE, ES_EVENT_TYPE_AUTH_EXCHANGEDATA, ES_EVENT_TYPE_AUTH_LINK,
ES_EVENT_TYPE_AUTH_RENAME, ES_EVENT_TYPE_AUTH_TRUNCATE, ES_EVENT_TYPE_AUTH_UNLINK,
};
for (const auto &event : eventTypes) {
esMsg.event_type = event;
Message msg(mockESApi, &esMsg);
result = [accessClient specialCaseForPolicy:policy target:target message:msg];
XCTAssertEqual(result, FileAccessPolicyDecision::kNoPolicy);
}
// Ensure unsubscribed event types throw an exception
{
esMsg.event_type = ES_EVENT_TYPE_AUTH_SIGNAL;
Message msg(mockESApi, &esMsg);
XCTAssertThrows([accessClient specialCaseForPolicy:policy target:target message:msg]);
}
}
- (void)testPolicyProcessMatchesESProcess {
const char *instigatingCertHash = "abc123";
const char *teamId = "myvalidtid";
const char *signingId = "com.google.test";
std::vector<uint8_t> cdhashBytes(CS_CDHASH_LEN);
std::fill(cdhashBytes.begin(), cdhashBytes.end(), 0xAA);
es_file_t esFile = MakeESFile("foo");
es_process_t esProc = MakeESProcess(&esFile);
esProc.codesigning_flags = CS_SIGNED;
esProc.team_id = MakeESStringToken(teamId);
esProc.signing_id = MakeESStringToken(signingId);
std::memcpy(esProc.cdhash, cdhashBytes.data(), sizeof(esProc.cdhash));
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
mockESApi->SetExpectationsESNewClient();
mockESApi->SetExpectationsRetainReleaseMessage();
SetExpectationsForFileAccessAuthorizerInit(mockESApi);
SNTEndpointSecurityFileAccessAuthorizer *accessClient =
[[SNTEndpointSecurityFileAccessAuthorizer alloc] initWithESAPI:mockESApi
metrics:nullptr
logger:nullptr
watchItems:nullptr
enricher:nullptr
decisionCache:nil];
id accessClientMock = OCMPartialMock(accessClient);
OCMStub([accessClientMock getCertificateHash:&esFile])
.ignoringNonObjectArgs()
.andReturn(@(instigatingCertHash));
WatchItemPolicy::Process policyProc("", "", "", {}, "");
{
// Process policy matching single attribute - path
ClearWatchItemPolicyProcess(policyProc);
policyProc.binary_path = "foo";
XCTAssertTrue([accessClient policyProcess:policyProc matchesESProcess:&esProc]);
policyProc.binary_path = "badpath";
XCTAssertFalse([accessClient policyProcess:policyProc matchesESProcess:&esProc]);
}
{
// Process policy matching single attribute - SigningID
ClearWatchItemPolicyProcess(policyProc);
policyProc.signing_id = signingId;
XCTAssertTrue([accessClient policyProcess:policyProc matchesESProcess:&esProc]);
policyProc.signing_id = "badid";
XCTAssertFalse([accessClient policyProcess:policyProc matchesESProcess:&esProc]);
}
{
// Process policy matching single attribute - TeamID
ClearWatchItemPolicyProcess(policyProc);
policyProc.team_id = teamId;
XCTAssertTrue([accessClient policyProcess:policyProc matchesESProcess:&esProc]);
policyProc.team_id = "badid";
XCTAssertFalse([accessClient policyProcess:policyProc matchesESProcess:&esProc]);
}
{
// Process policy matching single attribute - cert hash
ClearWatchItemPolicyProcess(policyProc);
policyProc.certificate_sha256 = instigatingCertHash;
XCTAssertTrue([accessClient policyProcess:policyProc matchesESProcess:&esProc]);
policyProc.certificate_sha256 = "badcert";
XCTAssertFalse([accessClient policyProcess:policyProc matchesESProcess:&esProc]);
}
{
// Process policy matching single attribute - cdhash
ClearWatchItemPolicyProcess(policyProc);
policyProc.cdhash = cdhashBytes;
XCTAssertTrue([accessClient policyProcess:policyProc matchesESProcess:&esProc]);
policyProc.cdhash[0] = 0x0;
XCTAssertFalse([accessClient policyProcess:policyProc matchesESProcess:&esProc]);
}
{
// Process policy with only a subset of matching attributes
ClearWatchItemPolicyProcess(policyProc);
policyProc.binary_path = "foo";
policyProc.team_id = "invalidtid";
XCTAssertFalse([accessClient policyProcess:policyProc matchesESProcess:&esProc]);
}
{
// Process policy with codesigning-based attributes, but unsigned ES process
ClearWatchItemPolicyProcess(policyProc);
esProc.codesigning_flags = 0x0;
policyProc.team_id = "myvalidtid";
XCTAssertFalse([accessClient policyProcess:policyProc matchesESProcess:&esProc]);
}
[accessClientMock stopMocking];
XCTBubbleMockVerifyAndClearExpectations(mockESApi.get());
}
- (void)testApplyPolicyToMessage {
const char *instigatingPath = "/path/to/proc";
const char *instigatingTeamID = "my_teamid";
const char *instigatingCertHash = "abc123";
WatchItemPolicy::Process policyProc(instigatingPath, "", "", {}, "");
std::array<uint8_t, 20> instigatingCDHash;
instigatingCDHash.fill(0x41);
es_file_t esFile = MakeESFile(instigatingPath);
es_process_t esProc = MakeESProcess(&esFile);
esProc.team_id = MakeESStringToken(instigatingTeamID);
memcpy(esProc.cdhash, instigatingCDHash.data(), sizeof(esProc.cdhash));
es_message_t esMsg = MakeESMessage(ES_EVENT_TYPE_AUTH_OPEN, &esProc);
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
mockESApi->SetExpectationsESNewClient();
mockESApi->SetExpectationsRetainReleaseMessage();
SetExpectationsForFileAccessAuthorizerInit(mockESApi);
SNTEndpointSecurityFileAccessAuthorizer *accessClient =
[[SNTEndpointSecurityFileAccessAuthorizer alloc] initWithESAPI:mockESApi
metrics:nullptr
logger:nullptr
watchItems:nullptr
enricher:nullptr
decisionCache:nil];
id accessClientMock = OCMPartialMock(accessClient);
PathTarget target = {.path = "/some/random/path", .isReadable = true};
int fake;
OCMStub([accessClientMock specialCaseForPolicy:nullptr target:target message:*(Message *)&fake])
.ignoringNonObjectArgs()
.andReturn(FileAccessPolicyDecision::kNoPolicy);
OCMStub([accessClientMock getCertificateHash:&esFile])
.ignoringNonObjectArgs()
.andReturn(@(instigatingCertHash));
// If no policy exists, the operation is allowed
{
Message msg(mockESApi, &esMsg);
XCTAssertEqual([accessClient applyPolicy:std::nullopt forTarget:target toMessage:msg],
FileAccessPolicyDecision::kNoPolicy);
}
auto policy = std::make_shared<WatchItemPolicy>("foo_policy", "/foo");
policy->processes.push_back(policyProc);
auto optionalPolicy = std::make_optional<std::shared_ptr<WatchItemPolicy>>(policy);
// Signed but invalid instigating processes are automatically
// denied when `EnableBadSignatureProtection` is true
{
OCMExpect([self.mockConfigurator enableBadSignatureProtection]).andReturn(YES);
esMsg.process->codesigning_flags = CS_SIGNED;
Message msg(mockESApi, &esMsg);
XCTAssertEqual([accessClient applyPolicy:optionalPolicy forTarget:target toMessage:msg],
FileAccessPolicyDecision::kDeniedInvalidSignature);
}
// Signed but invalid instigating processes are not automatically
// denied when `EnableBadSignatureProtection` is false. Policy
// evaluation should continue normally.
{
OCMExpect([self.mockConfigurator enableBadSignatureProtection]).andReturn(NO);
esMsg.process->codesigning_flags = CS_SIGNED;
Message msg(mockESApi, &esMsg);
OCMExpect([accessClientMock policyProcess:policyProc matchesESProcess:&esProc])
.ignoringNonObjectArgs()
.andReturn(true);
XCTAssertEqual([accessClient applyPolicy:optionalPolicy forTarget:target toMessage:msg],
FileAccessPolicyDecision::kAllowed);
}
// Set the codesign flags to be signed and valid for the remaining tests
esMsg.process->codesigning_flags = CS_SIGNED | CS_VALID;
// If no exceptions, operations are logged and denied
{
OCMExpect([accessClientMock policyProcess:policyProc matchesESProcess:&esProc])
.ignoringNonObjectArgs()
.andReturn(false);
policy->audit_only = false;
Message msg(mockESApi, &esMsg);
XCTAssertEqual([accessClient applyPolicy:optionalPolicy forTarget:target toMessage:msg],
FileAccessPolicyDecision::kDenied);
}
// For audit only policies with no exceptions, operations are logged but allowed
{
OCMExpect([accessClientMock policyProcess:policyProc matchesESProcess:&esProc])
.ignoringNonObjectArgs()
.andReturn(false);
policy->audit_only = true;
Message msg(mockESApi, &esMsg);
XCTAssertEqual([accessClient applyPolicy:optionalPolicy forTarget:target toMessage:msg],
FileAccessPolicyDecision::kAllowedAuditOnly);
}
XCTBubbleMockVerifyAndClearExpectations(mockESApi.get());
}
- (void)testEnable {
std::set<es_event_type_t> expectedEventSubs = {
ES_EVENT_TYPE_AUTH_CLONE, ES_EVENT_TYPE_AUTH_CREATE, ES_EVENT_TYPE_AUTH_EXCHANGEDATA,
ES_EVENT_TYPE_AUTH_LINK, ES_EVENT_TYPE_AUTH_OPEN, ES_EVENT_TYPE_AUTH_RENAME,
ES_EVENT_TYPE_AUTH_TRUNCATE, ES_EVENT_TYPE_AUTH_UNLINK,
};
#if HAVE_MACOS_12
if (@available(macOS 12.0, *)) {
expectedEventSubs.insert(ES_EVENT_TYPE_AUTH_COPYFILE);
}
#endif
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
EXPECT_CALL(*mockESApi, ClearCache)
.After(EXPECT_CALL(*mockESApi, Subscribe(testing::_, expectedEventSubs))
.WillOnce(testing::Return(true)))
.WillOnce(testing::Return(true));
id fileAccessClient = [[SNTEndpointSecurityFileAccessAuthorizer alloc]
initWithESAPI:mockESApi
metrics:nullptr
processor:santa::santad::Processor::kFileAccessAuthorizer];
[fileAccessClient enable];
XCTBubbleMockVerifyAndClearExpectations(mockESApi.get());
}
- (void)testDisable {
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
mockESApi->SetExpectationsESNewClient();
SetExpectationsForFileAccessAuthorizerInit(mockESApi);
SNTEndpointSecurityFileAccessAuthorizer *accessClient =
[[SNTEndpointSecurityFileAccessAuthorizer alloc] initWithESAPI:mockESApi
metrics:nullptr
logger:nullptr
watchItems:nullptr
enricher:nullptr
decisionCache:nil];
EXPECT_CALL(*mockESApi, UnsubscribeAll);
EXPECT_CALL(*mockESApi, UnmuteAllPaths).WillOnce(testing::Return(true));
EXPECT_CALL(*mockESApi, UnmuteAllTargetPaths).WillOnce(testing::Return(true));
accessClient.isSubscribed = true;
[accessClient disable];
XCTBubbleMockVerifyAndClearExpectations(mockESApi.get());
}
- (void)testGetPathTargets {
// This test ensures that the `GetPathTargets` functions returns the
// expected combination of targets for each handled event variant
es_file_t testFile1 = MakeESFile("test_file_1");
es_file_t testFile2 = MakeESFile("test_file_2");
es_file_t testDir = MakeESFile("test_dir");
es_string_token_t testTok = MakeESStringToken("test_tok");
std::string dirTok = std::string(testDir.path.data) + "/" + std::string(testTok.data);
es_message_t esMsg;
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
mockESApi->SetExpectationsRetainReleaseMessage();
Message msg(mockESApi, &esMsg);
{
esMsg.event_type = ES_EVENT_TYPE_AUTH_OPEN;
esMsg.event.open.file = &testFile1;
std::vector<PathTarget> targets;
PopulatePathTargets(msg, targets);
XCTAssertEqual(targets.size(), 1);
XCTAssertCStringEqual(targets[0].path.c_str(), testFile1.path.data);
XCTAssertTrue(targets[0].isReadable);
}
{
esMsg.event_type = ES_EVENT_TYPE_AUTH_LINK;
esMsg.event.link.source = &testFile1;
esMsg.event.link.target_dir = &testDir;
esMsg.event.link.target_filename = testTok;
std::vector<PathTarget> targets;
PopulatePathTargets(msg, targets);
XCTAssertEqual(targets.size(), 2);
XCTAssertCStringEqual(targets[0].path.c_str(), testFile1.path.data);
XCTAssertFalse(targets[0].isReadable);
XCTAssertCppStringEqual(targets[1].path, dirTok);
XCTAssertFalse(targets[1].isReadable);
}
{
esMsg.event_type = ES_EVENT_TYPE_AUTH_RENAME;
esMsg.event.rename.source = &testFile1;
{
esMsg.event.rename.destination_type = ES_DESTINATION_TYPE_EXISTING_FILE;
esMsg.event.rename.destination.existing_file = &testFile2;
std::vector<PathTarget> targets;
PopulatePathTargets(msg, targets);
XCTAssertEqual(targets.size(), 2);
XCTAssertCStringEqual(targets[0].path.c_str(), testFile1.path.data);
XCTAssertFalse(targets[0].isReadable);
XCTAssertCStringEqual(targets[1].path.c_str(), testFile2.path.data);
XCTAssertFalse(targets[1].isReadable);
}
{
esMsg.event.rename.destination_type = ES_DESTINATION_TYPE_NEW_PATH;
esMsg.event.rename.destination.new_path.dir = &testDir;
esMsg.event.rename.destination.new_path.filename = testTok;
std::vector<PathTarget> targets;
PopulatePathTargets(msg, targets);
XCTAssertEqual(targets.size(), 2);
XCTAssertCStringEqual(targets[0].path.c_str(), testFile1.path.data);
XCTAssertFalse(targets[0].isReadable);
XCTAssertCppStringEqual(targets[1].path, dirTok);
XCTAssertFalse(targets[1].isReadable);
}
}
{
esMsg.event_type = ES_EVENT_TYPE_AUTH_UNLINK;
esMsg.event.unlink.target = &testFile1;
std::vector<PathTarget> targets;
PopulatePathTargets(msg, targets);
XCTAssertEqual(targets.size(), 1);
XCTAssertCStringEqual(targets[0].path.c_str(), testFile1.path.data);
XCTAssertFalse(targets[0].isReadable);
}
{
esMsg.event_type = ES_EVENT_TYPE_AUTH_CLONE;
esMsg.event.clone.source = &testFile1;
esMsg.event.clone.target_dir = &testDir;
esMsg.event.clone.target_name = testTok;
std::vector<PathTarget> targets;
PopulatePathTargets(msg, targets);
XCTAssertEqual(targets.size(), 2);
XCTAssertCStringEqual(targets[0].path.c_str(), testFile1.path.data);
XCTAssertTrue(targets[0].isReadable);
XCTAssertCppStringEqual(targets[1].path, dirTok);
XCTAssertFalse(targets[1].isReadable);
}
{
esMsg.event_type = ES_EVENT_TYPE_AUTH_EXCHANGEDATA;
esMsg.event.exchangedata.file1 = &testFile1;
esMsg.event.exchangedata.file2 = &testFile2;
std::vector<PathTarget> targets;
PopulatePathTargets(msg, targets);
XCTAssertEqual(targets.size(), 2);
XCTAssertCStringEqual(targets[0].path.c_str(), testFile1.path.data);
XCTAssertFalse(targets[0].isReadable);
XCTAssertCStringEqual(targets[1].path.c_str(), testFile2.path.data);
XCTAssertFalse(targets[1].isReadable);
}
{
esMsg.event_type = ES_EVENT_TYPE_AUTH_CREATE;
esMsg.event.create.destination_type = ES_DESTINATION_TYPE_NEW_PATH;
esMsg.event.create.destination.new_path.dir = &testDir;
esMsg.event.create.destination.new_path.filename = testTok;
std::vector<PathTarget> targets;
PopulatePathTargets(msg, targets);
XCTAssertEqual(targets.size(), 1);
XCTAssertCppStringEqual(targets[0].path, dirTok);
XCTAssertFalse(targets[0].isReadable);
}
{
esMsg.event_type = ES_EVENT_TYPE_AUTH_TRUNCATE;
esMsg.event.truncate.target = &testFile1;
std::vector<PathTarget> targets;
PopulatePathTargets(msg, targets);
XCTAssertEqual(targets.size(), 1);
XCTAssertCStringEqual(targets[0].path.c_str(), testFile1.path.data);
XCTAssertFalse(targets[0].isReadable);
}
if (@available(macOS 12.0, *)) {
{
esMsg.event_type = ES_EVENT_TYPE_AUTH_COPYFILE;
esMsg.event.copyfile.source = &testFile1;
esMsg.event.copyfile.target_dir = &testDir;
esMsg.event.copyfile.target_name = testTok;
{
esMsg.event.copyfile.target_file = nullptr;
std::vector<PathTarget> targets;
PopulatePathTargets(msg, targets);
XCTAssertEqual(targets.size(), 2);
XCTAssertCStringEqual(targets[0].path.c_str(), testFile1.path.data);
XCTAssertTrue(targets[0].isReadable);
XCTAssertCppStringEqual(targets[1].path, dirTok);
XCTAssertFalse(targets[1].isReadable);
}
{
esMsg.event.copyfile.target_file = &testFile2;
std::vector<PathTarget> targets;
PopulatePathTargets(msg, targets);
XCTAssertEqual(targets.size(), 2);
XCTAssertCStringEqual(targets[0].path.c_str(), testFile1.path.data);
XCTAssertTrue(targets[0].isReadable);
XCTAssertCStringEqual(targets[1].path.c_str(), testFile2.path.data);
XCTAssertFalse(targets[1].isReadable);
}
}
}
}
@end
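Review bot: the `ES_EVENT_TYPE_AUTH_CREATE` block only exercises `ES_DESTINATION_TYPE_NEW_PATH`; add a sibling block for `ES_DESTINATION_TYPE_EXISTING_FILE` so `PopulatePathTargets` is checked for both destination types the event can carry. Also, the `ES_EVENT_TYPE_AUTH_COPYFILE` cases sit inside `if (@available(macOS 12.0, *))` and will skip silently on an older test host; an explicit skip message would make a non-run visible.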

View File

@@ -12,13 +12,15 @@
/// See the License for the specific language governing permissions and
/// limitations under the License.
#import "Source/common/SNTPrefixTree.h"
#import "Source/common/PrefixTree.h"
#import "Source/common/Unit.h"
#import "Source/santad/EventProviders/AuthResultCache.h"
#include "Source/santad/EventProviders/EndpointSecurity/EndpointSecurityAPI.h"
#include "Source/santad/EventProviders/EndpointSecurity/Enricher.h"
#import "Source/santad/EventProviders/SNTEndpointSecurityClient.h"
#import "Source/santad/EventProviders/SNTEndpointSecurityEventHandler.h"
#include "Source/santad/Logs/EndpointSecurity/Logger.h"
#import "Source/santad/Metrics.h"
#import "Source/santad/SNTCompilerController.h"
/// ES Client focused on subscribing to NOTIFY event variants with the intention of enriching
@@ -29,12 +31,13 @@
initWithESAPI:
(std::shared_ptr<santa::santad::event_providers::endpoint_security::EndpointSecurityAPI>)
esApi
metrics:(std::shared_ptr<santa::santad::Metrics>)metrics
logger:(std::shared_ptr<santa::santad::logs::endpoint_security::Logger>)logger
enricher:
(std::shared_ptr<santa::santad::event_providers::endpoint_security::Enricher>)enricher
compilerController:(SNTCompilerController *)compilerController
authResultCache:
(std::shared_ptr<santa::santad::event_providers::AuthResultCache>)authResultCache
prefixTree:(std::shared_ptr<SNTPrefixTree>)prefixTree;
prefixTree:(std::shared_ptr<santa::common::PrefixTree<santa::common::Unit>>)prefixTree;
@end

View File

@@ -14,13 +14,17 @@
#import "Source/santad/EventProviders/SNTEndpointSecurityRecorder.h"
#include <EndpointSecurity/ESTypes.h>
#include <EndpointSecurity/EndpointSecurity.h>
#import "Source/common/SNTLogging.h"
#include "Source/santad/EventProviders/AuthResultCache.h"
#include "Source/santad/EventProviders/EndpointSecurity/EnrichedTypes.h"
#include "Source/santad/EventProviders/EndpointSecurity/Message.h"
#include "Source/santad/Metrics.h"
using santa::common::PrefixTree;
using santa::common::Unit;
using santa::santad::EventDisposition;
using santa::santad::event_providers::AuthResultCache;
using santa::santad::event_providers::endpoint_security::EndpointSecurityAPI;
using santa::santad::event_providers::endpoint_security::EnrichedMessage;
@@ -46,16 +50,19 @@ es_file_t *GetTargetFileForPrefixTree(const es_message_t *msg) {
std::shared_ptr<AuthResultCache> _authResultCache;
std::shared_ptr<Enricher> _enricher;
std::shared_ptr<Logger> _logger;
std::shared_ptr<SNTPrefixTree> _prefixTree;
std::shared_ptr<PrefixTree<Unit>> _prefixTree;
}
- (instancetype)initWithESAPI:(std::shared_ptr<EndpointSecurityAPI>)esApi
metrics:(std::shared_ptr<santa::santad::Metrics>)metrics
logger:(std::shared_ptr<Logger>)logger
enricher:(std::shared_ptr<Enricher>)enricher
compilerController:(SNTCompilerController *)compilerController
authResultCache:(std::shared_ptr<AuthResultCache>)authResultCache
prefixTree:(std::shared_ptr<SNTPrefixTree>)prefixTree {
self = [super initWithESAPI:std::move(esApi)];
prefixTree:(std::shared_ptr<PrefixTree<Unit>>)prefixTree {
self = [super initWithESAPI:std::move(esApi)
metrics:std::move(metrics)
processor:santa::santad::Processor::kRecorder];
if (self) {
_enricher = enricher;
_logger = logger;
@@ -68,7 +75,12 @@ es_file_t *GetTargetFileForPrefixTree(const es_message_t *msg) {
return self;
}
- (void)handleMessage:(Message &&)esMsg {
- (NSString *)description {
return @"Recorder";
}
- (void)handleMessage:(Message &&)esMsg
recordEventMetrics:(void (^)(EventDisposition))recordEventMetrics {
// Pre-enrichment processing
switch (esMsg->event_type) {
case ES_EVENT_TYPE_NOTIFY_CLOSE:
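Review bot: the new `handleMessage:recordEventMetrics:` signature carries a block that some paths must invoke exactly once and others (the unmodified CLOSE early return immediately below) deliberately never invoke; that contract is not written down anywhere in this hunk. Document it where the method is declared, otherwise a caller aggregating dispositions will assume one callback per message and the counts will not reconcile.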
@@ -76,6 +88,9 @@ es_file_t *GetTargetFileForPrefixTree(const es_message_t *msg) {
// the `was_mapped_writable` field
if (esMsg->event.close.modified == false) {
// Ignore unmodified files
// Note: Do not record metrics in this case. These are not considered "drops"
// because this is not a failure case. Ideally we would tell ES to not send
// these events in the first place but no such mechanism currently exists.
return;
}
@@ -89,6 +104,7 @@ es_file_t *GetTargetFileForPrefixTree(const es_message_t *msg) {
// Filter file op events matching the prefix tree.
es_file_t *targetFile = GetTargetFileForPrefixTree(&(*esMsg));
if (targetFile != NULL && self->_prefixTree->HasPrefix(targetFile->path.data)) {
recordEventMetrics(EventDisposition::kDropped);
return;
}
@@ -100,6 +116,7 @@ es_file_t *GetTargetFileForPrefixTree(const es_message_t *msg) {
[self processEnrichedMessage:std::move(sharedEnrichedMessage)
handler:^(std::shared_ptr<EnrichedMessage> msg) {
self->_logger->Log(std::move(msg));
recordEventMetrics(EventDisposition::kProcessed);
}];
}
@@ -108,8 +125,8 @@ es_file_t *GetTargetFileForPrefixTree(const es_message_t *msg) {
ES_EVENT_TYPE_NOTIFY_CLOSE,
ES_EVENT_TYPE_NOTIFY_EXCHANGEDATA,
ES_EVENT_TYPE_NOTIFY_EXEC,
ES_EVENT_TYPE_NOTIFY_FORK,
ES_EVENT_TYPE_NOTIFY_EXIT,
ES_EVENT_TYPE_NOTIFY_FORK,
ES_EVENT_TYPE_NOTIFY_LINK,
ES_EVENT_TYPE_NOTIFY_RENAME,
ES_EVENT_TYPE_NOTIFY_UNLINK,

View File

@@ -22,7 +22,9 @@
#include <memory>
#include <set>
#include "Source/common/PrefixTree.h"
#include "Source/common/TestUtils.h"
#include "Source/common/Unit.h"
#import "Source/santad/EventProviders/AuthResultCache.h"
#include "Source/santad/EventProviders/EndpointSecurity/Client.h"
#include "Source/santad/EventProviders/EndpointSecurity/EnrichedTypes.h"
@@ -31,8 +33,13 @@
#include "Source/santad/EventProviders/EndpointSecurity/MockEndpointSecurityAPI.h"
#import "Source/santad/EventProviders/SNTEndpointSecurityRecorder.h"
#include "Source/santad/Logs/EndpointSecurity/Logger.h"
#include "Source/santad/Metrics.h"
#import "Source/santad/SNTCompilerController.h"
using santa::common::PrefixTree;
using santa::common::Unit;
using santa::santad::EventDisposition;
using santa::santad::Processor;
using santa::santad::event_providers::AuthResultCache;
using santa::santad::event_providers::endpoint_security::EnrichedMessage;
using santa::santad::event_providers::endpoint_security::Enricher;
@@ -72,7 +79,9 @@ class MockLogger : public Logger {
};
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
id recorderClient = [[SNTEndpointSecurityRecorder alloc] initWithESAPI:mockESApi];
id recorderClient = [[SNTEndpointSecurityRecorder alloc] initWithESAPI:mockESApi
metrics:nullptr
processor:Processor::kRecorder];
EXPECT_CALL(*mockESApi, Subscribe(testing::_, expectedEventSubs)).WillOnce(testing::Return(true));
@@ -89,7 +98,7 @@ class MockLogger : public Logger {
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
mockESApi->SetExpectationsESNewClient();
mockESApi->SetExpectationsRetainReleaseMessage(&esMsg);
mockESApi->SetExpectationsRetainReleaseMessage();
std::shared_ptr<EnrichedMessage> enrichedMsg = std::shared_ptr<EnrichedMessage>(nullptr);
@@ -99,6 +108,8 @@ class MockLogger : public Logger {
auto mockAuthCache = std::make_shared<MockAuthResultCache>(nullptr);
EXPECT_CALL(*mockAuthCache, RemoveFromCache(&targetFile)).Times(1);
dispatch_semaphore_t semaMetrics = dispatch_semaphore_create(0);
// NOTE: Currently unable to create a partial mock of the
// `SNTEndpointSecurityRecorder` object. There is a bug in OCMock that doesn't
// properly handle the `processEnrichedMessage:handler:` block. Instead this
@@ -109,12 +120,13 @@ class MockLogger : public Logger {
dispatch_semaphore_signal(sema);
}));
auto prefixTree = std::make_shared<SNTPrefixTree>();
auto prefixTree = std::make_shared<PrefixTree<Unit>>();
id mockCC = OCMStrictClassMock([SNTCompilerController class]);
SNTEndpointSecurityRecorder *recorderClient =
[[SNTEndpointSecurityRecorder alloc] initWithESAPI:mockESApi
metrics:nullptr
logger:mockLogger
enricher:mockEnricher
compilerController:mockCC
@@ -127,7 +139,10 @@ class MockLogger : public Logger {
esMsg.event.close.modified = false;
esMsg.event.close.target = NULL;
XCTAssertNoThrow([recorderClient handleMessage:Message(mockESApi, &esMsg)]);
XCTAssertNoThrow([recorderClient handleMessage:Message(mockESApi, &esMsg)
recordEventMetrics:^(EventDisposition d) {
XCTFail("Metrics record callback should not be called here");
}]);
}
// CLOSE modified, remove from cache
@@ -139,23 +154,32 @@ class MockLogger : public Logger {
OCMExpect([mockCC handleEvent:msg withLogger:nullptr]).ignoringNonObjectArgs();
[recorderClient handleMessage:std::move(msg)];
[recorderClient handleMessage:std::move(msg)
recordEventMetrics:^(EventDisposition d) {
XCTAssertEqual(d, EventDisposition::kProcessed);
dispatch_semaphore_signal(semaMetrics);
}];
XCTAssertEqual(
0, dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 10 * NSEC_PER_SEC)),
"Log wasn't called within expected time window");
XCTAssertSemaTrue(semaMetrics, 5, "Metrics not recorded within expected window");
XCTAssertSemaTrue(sema, 5, "Log wasn't called within expected time window");
}
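Review bot: the wait for the log callback drops from 10 s (`dispatch_time(DISPATCH_TIME_NOW, 10 * NSEC_PER_SEC)`) to 5 s with `XCTAssertSemaTrue(sema, 5, ...)`. This path goes through asynchronous enrichment and logging, so the shorter window is a flakiness risk on loaded CI hosts; keep 10 s unless the original value had no justification, and call the change out in the PR description either way.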
// LINK, Prefix match, bail early
{
esMsg.event_type = ES_EVENT_TYPE_NOTIFY_LINK;
esMsg.event.link.source = &targetFile;
prefixTree->AddPrefix(esMsg.event.link.source->path.data);
prefixTree->InsertPrefix(esMsg.event.link.source->path.data, Unit{});
Message msg(mockESApi, &esMsg);
OCMExpect([mockCC handleEvent:msg withLogger:nullptr]).ignoringNonObjectArgs();
[recorderClient handleMessage:std::move(msg)];
[recorderClient handleMessage:std::move(msg)
recordEventMetrics:^(EventDisposition d) {
XCTAssertEqual(d, EventDisposition::kDropped);
dispatch_semaphore_signal(semaMetrics);
}];
XCTAssertSemaTrue(semaMetrics, 5, "Metrics not recorded within expected window");
}
XCTAssertTrue(OCMVerifyAll(mockCC));

View File

@@ -20,6 +20,7 @@
#import "Source/santad/EventProviders/SNTEndpointSecurityClient.h"
#import "Source/santad/EventProviders/SNTEndpointSecurityEventHandler.h"
#include "Source/santad/Logs/EndpointSecurity/Logger.h"
#include "Source/santad/Metrics.h"
/// ES Client focused on mitigating accidental or malicious tampering of Santa and its components.
@interface SNTEndpointSecurityTamperResistance
@@ -28,6 +29,7 @@
- (instancetype)
initWithESAPI:
(std::shared_ptr<santa::santad::event_providers::endpoint_security::EndpointSecurityAPI>)esApi
metrics:(std::shared_ptr<santa::santad::Metrics>)metrics
logger:(std::shared_ptr<santa::santad::logs::endpoint_security::Logger>)logger;
@end

View File

@@ -18,8 +18,12 @@
#include <string.h>
#import "Source/common/SNTLogging.h"
#include "Source/santad/DataLayer/WatchItemPolicy.h"
#include "Source/santad/EventProviders/EndpointSecurity/Message.h"
#include "Source/santad/Metrics.h"
using santa::santad::EventDisposition;
using santa::santad::data_layer::WatchItemPathType;
using santa::santad::event_providers::endpoint_security::EndpointSecurityAPI;
using santa::santad::event_providers::endpoint_security::Message;
using santa::santad::logs::endpoint_security::Logger;
@@ -31,8 +35,11 @@ static constexpr std::string_view kSantaKextIdentifier = "com.google.santa-drive
}
- (instancetype)initWithESAPI:(std::shared_ptr<EndpointSecurityAPI>)esApi
metrics:(std::shared_ptr<santa::santad::Metrics>)metrics
logger:(std::shared_ptr<Logger>)logger {
self = [super initWithESAPI:std::move(esApi)];
self = [super initWithESAPI:std::move(esApi)
metrics:std::move(metrics)
processor:santa::santad::Processor::kTamperResistance];
if (self) {
_logger = logger;
@@ -41,54 +48,51 @@ static constexpr std::string_view kSantaKextIdentifier = "com.google.santa-drive
return self;
}
- (void)handleMessage:(Message &&)esMsg {
- (NSString *)description {
return @"Tamper Resistance";
}
- (void)handleMessage:(Message &&)esMsg
recordEventMetrics:(void (^)(EventDisposition))recordEventMetrics {
es_auth_result_t result = ES_AUTH_RESULT_ALLOW;
switch (esMsg->event_type) {
case ES_EVENT_TYPE_AUTH_UNLINK: {
if ([SNTEndpointSecurityTamperResistance
isDatabasePath:esMsg->event.unlink.target->path.data]) {
// Do not cache so that each attempt to remove santa is logged
[self respondToMessage:esMsg withAuthResult:ES_AUTH_RESULT_DENY cacheable:false];
isProtectedPath:esMsg->event.unlink.target->path.data]) {
result = ES_AUTH_RESULT_DENY;
LOGW(@"Preventing attempt to delete Santa databases!");
} else {
[self respondToMessage:esMsg withAuthResult:ES_AUTH_RESULT_ALLOW cacheable:true];
}
return;
break;
}
case ES_EVENT_TYPE_AUTH_RENAME: {
if ([SNTEndpointSecurityTamperResistance
isDatabasePath:esMsg->event.rename.source->path.data]) {
// Do not cache so that each attempt to remove santa is logged
[self respondToMessage:esMsg withAuthResult:ES_AUTH_RESULT_DENY cacheable:false];
isProtectedPath:esMsg->event.rename.source->path.data]) {
result = ES_AUTH_RESULT_DENY;
LOGW(@"Preventing attempt to rename Santa databases!");
return;
break;
}
if (esMsg->event.rename.destination_type == ES_DESTINATION_TYPE_EXISTING_FILE) {
if ([SNTEndpointSecurityTamperResistance
isDatabasePath:esMsg->event.rename.destination.existing_file->path.data]) {
[self respondToMessage:esMsg withAuthResult:ES_AUTH_RESULT_DENY cacheable:false];
isProtectedPath:esMsg->event.rename.destination.existing_file->path.data]) {
result = ES_AUTH_RESULT_DENY;
LOGW(@"Preventing attempt to overwrite Santa databases!");
return;
break;
}
}
// If we get to here, no more reasons to deny the event, so allow it
[self respondToMessage:esMsg withAuthResult:ES_AUTH_RESULT_ALLOW cacheable:true];
return;
break;
}
case ES_EVENT_TYPE_AUTH_KEXTLOAD: {
// TODO(mlw): Since we don't package the kext anymore, we should consider removing this.
// TODO(mlw): Consider logging when kext loads are attempted.
es_auth_result_t res = ES_AUTH_RESULT_ALLOW;
if (strcmp(esMsg->event.kextload.identifier.data, kSantaKextIdentifier.data()) == 0) {
result = ES_AUTH_RESULT_DENY;
LOGW(@"Preventing attempt to load Santa kext!");
res = ES_AUTH_RESULT_DENY;
}
[self respondToMessage:esMsg withAuthResult:res cacheable:true];
return;
break;
}
default:
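Review bot: the three `LOGW` messages in the UNLINK and RENAME cases still say "Santa databases" while the checks beside them now call `isProtectedPath:`, so a deny on a protected path that is not a database will be logged as a database tamper attempt; reword them along the lines of `LOGW(@"Preventing attempt to delete protected Santa path!")`. Note also that the KEXTLOAD case previously answered `cacheable:true` for both outcomes; routing it through the shared response after the switch means a denied kext load is no longer cached, which is a behaviour change worth stating in the commit message.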
@@ -96,12 +100,30 @@ static constexpr std::string_view kSantaKextIdentifier = "com.google.santa-drive
[NSException raise:@"Invalid event type"
format:@"Invalid tamper resistance event type: %d", esMsg->event_type];
}
// Do not cache denied operations so that each tamper attempt is logged
[self respondToMessage:esMsg withAuthResult:result cacheable:result == ES_AUTH_RESULT_ALLOW];
// For this client, a processed event is one that was found to be violating anti-tamper policy
recordEventMetrics(result == ES_AUTH_RESULT_DENY ? EventDisposition::kProcessed
: EventDisposition::kDropped);
}
- (void)enable {
// TODO(mlw): For macOS 13, use new mute and invert APIs to limit the
// messages sent for these events to the Santa-specific directories
// checked in the `handleMessage:` method.
[super enableTargetPathWatching];
[super unmuteEverything];
// Get the set of protected paths
std::set<std::string> protectedPaths = [SNTEndpointSecurityTamperResistance getProtectedPaths];
// Iterate the set, and create a vector of literals to mute
std::vector<std::pair<std::string, WatchItemPathType>> watchPaths;
for (const auto &path : protectedPaths) {
watchPaths.push_back({path, WatchItemPathType::kLiteral});
}
// Begin watching the protected set
[super muteTargetPaths:watchPaths];
[super subscribeAndClearCache:{
ES_EVENT_TYPE_AUTH_KEXTLOAD,
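Review bot: if the `TODO(mlw)` comment about the macOS 13 mute and invert APIs remains at the top of `enable`, it is now stale: `enableTargetPathWatching`, `unmuteEverything` and `muteTargetPaths:` are exactly that mechanism. Since muting is inverted here, `muteTargetPaths:` selects the paths that will be delivered rather than suppressed; the "Begin watching the protected set" comment is correct but a sentence on the inversion would save the next reader a trip to the ES docs.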

View File

@@ -17,17 +17,22 @@
#import <XCTest/XCTest.h>
#include <gmock/gmock.h>
#include <gtest/gtest.h>
#include <stdlib.h>
#include <map>
#include <memory>
#include <set>
#include "Source/common/TestUtils.h"
#include "Source/santad/DataLayer/WatchItemPolicy.h"
#include "Source/santad/EventProviders/EndpointSecurity/Client.h"
#include "Source/santad/EventProviders/EndpointSecurity/Message.h"
#include "Source/santad/EventProviders/EndpointSecurity/MockEndpointSecurityAPI.h"
#import "Source/santad/EventProviders/SNTEndpointSecurityTamperResistance.h"
#import "Source/santad/Metrics.h"
using santa::santad::EventDisposition;
using santa::santad::data_layer::WatchItemPathType;
using santa::santad::event_providers::endpoint_security::Client;
using santa::santad::event_providers::endpoint_security::Message;
@@ -58,8 +63,19 @@ static constexpr std::string_view kSantaKextIdentifier = "com.google.santa-drive
.WillOnce(testing::Return(true)))
.WillOnce(testing::Return(true));
// Setup mocks to handle inverting target path muting
EXPECT_CALL(*mockESApi, InvertTargetPathMuting).WillOnce(testing::Return(true));
EXPECT_CALL(*mockESApi, UnmuteAllPaths).WillOnce(testing::Return(true));
EXPECT_CALL(*mockESApi, UnmuteAllTargetPaths).WillOnce(testing::Return(true));
// Setup mocks to handle muting the rules db and events db
EXPECT_CALL(*mockESApi, MuteTargetPath(testing::_, testing::_, WatchItemPathType::kLiteral))
.WillRepeatedly(testing::Return(true));
SNTEndpointSecurityTamperResistance *tamperClient =
[[SNTEndpointSecurityTamperResistance alloc] initWithESAPI:mockESApi logger:nullptr];
[[SNTEndpointSecurityTamperResistance alloc] initWithESAPI:mockESApi
metrics:nullptr
logger:nullptr];
id mockTamperClient = OCMPartialMock(tamperClient);
[mockTamperClient enable];
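Review bot: `EXPECT_CALL(*mockESApi, MuteTargetPath(testing::_, testing::_, WatchItemPathType::kLiteral)).WillRepeatedly(testing::Return(true))` has no cardinality, so gMock accepts zero calls and the test passes even if `enable` never mutes the rules and events databases; add `.Times(testing::AtLeast(1))` (or the exact count of protected paths) so the muting is actually verified.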
@@ -91,12 +107,16 @@ static constexpr std::string_view kSantaKextIdentifier = "com.google.santa-drive
{&benignTok, ES_AUTH_RESULT_ALLOW},
};
dispatch_semaphore_t semaMetrics = dispatch_semaphore_create(0);
auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
mockESApi->SetExpectationsESNewClient();
mockESApi->SetExpectationsRetainReleaseMessage(&esMsg);
mockESApi->SetExpectationsRetainReleaseMessage();
SNTEndpointSecurityTamperResistance *tamperClient =
[[SNTEndpointSecurityTamperResistance alloc] initWithESAPI:mockESApi logger:nullptr];
[[SNTEndpointSecurityTamperResistance alloc] initWithESAPI:mockESApi
metrics:nullptr
logger:nullptr];
id mockTamperClient = OCMPartialMock(tamperClient);
@@ -118,7 +138,10 @@ static constexpr std::string_view kSantaKextIdentifier = "com.google.santa-drive
// First check unhandled event types will crash
{
Message msg(mockESApi, &esMsg);
XCTAssertThrows([tamperClient handleMessage:Message(mockESApi, &esMsg)]);
XCTAssertThrows([tamperClient handleMessage:Message(mockESApi, &esMsg)
recordEventMetrics:^(EventDisposition d) {
XCTFail("Unhandled event types shouldn't call metrics recorder");
}]);
}
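Review bot: `Message msg(mockESApi, &esMsg);` at the top of this block is never used; the `XCTAssertThrows` below constructs a second temporary `Message(mockESApi, &esMsg)`. Either pass `std::move(msg)` as the other blocks do or drop the local.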
// Check UNLINK tamper events
@@ -128,7 +151,15 @@ static constexpr std::string_view kSantaKextIdentifier = "com.google.santa-drive
Message msg(mockESApi, &esMsg);
esMsg.event.unlink.target = kv.first;
[mockTamperClient handleMessage:std::move(msg)];
[mockTamperClient
handleMessage:std::move(msg)
recordEventMetrics:^(EventDisposition d) {
XCTAssertEqual(d, kv.second == ES_AUTH_RESULT_DENY ? EventDisposition::kProcessed
: EventDisposition::kDropped);
dispatch_semaphore_signal(semaMetrics);
}];
XCTAssertSemaTrue(semaMetrics, 5, "Metrics not recorded within expected window");
XCTAssertEqual(gotAuthResult, kv.second);
XCTAssertEqual(gotCachable, kv.second == ES_AUTH_RESULT_ALLOW);
@@ -143,8 +174,15 @@ static constexpr std::string_view kSantaKextIdentifier = "com.google.santa-drive
esMsg.event.rename.source = kv.first;
esMsg.event.rename.destination_type = ES_DESTINATION_TYPE_NEW_PATH;
[mockTamperClient handleMessage:std::move(msg)];
[mockTamperClient
handleMessage:std::move(msg)
recordEventMetrics:^(EventDisposition d) {
XCTAssertEqual(d, kv.second == ES_AUTH_RESULT_DENY ? EventDisposition::kProcessed
: EventDisposition::kDropped);
dispatch_semaphore_signal(semaMetrics);
}];
XCTAssertSemaTrue(semaMetrics, 5, "Metrics not recorded within expected window");
XCTAssertEqual(gotAuthResult, kv.second);
XCTAssertEqual(gotCachable, kv.second == ES_AUTH_RESULT_ALLOW);
}
@@ -159,8 +197,15 @@ static constexpr std::string_view kSantaKextIdentifier = "com.google.santa-drive
esMsg.event.rename.destination_type = ES_DESTINATION_TYPE_EXISTING_FILE;
esMsg.event.rename.destination.existing_file = kv.first;
[mockTamperClient handleMessage:std::move(msg)];
[mockTamperClient
handleMessage:std::move(msg)
recordEventMetrics:^(EventDisposition d) {
XCTAssertEqual(d, kv.second == ES_AUTH_RESULT_DENY ? EventDisposition::kProcessed
: EventDisposition::kDropped);
dispatch_semaphore_signal(semaMetrics);
}];
XCTAssertSemaTrue(semaMetrics, 5, "Metrics not recorded within expected window");
XCTAssertEqual(gotAuthResult, kv.second);
XCTAssertEqual(gotCachable, kv.second == ES_AUTH_RESULT_ALLOW);
}
@@ -174,10 +219,17 @@ static constexpr std::string_view kSantaKextIdentifier = "com.google.santa-drive
Message msg(mockESApi, &esMsg);
esMsg.event.kextload.identifier = *kv.first;
[mockTamperClient handleMessage:std::move(msg)];
[mockTamperClient
handleMessage:std::move(msg)
recordEventMetrics:^(EventDisposition d) {
XCTAssertEqual(d, kv.second == ES_AUTH_RESULT_DENY ? EventDisposition::kProcessed
: EventDisposition::kDropped);
dispatch_semaphore_signal(semaMetrics);
}];
XCTAssertSemaTrue(semaMetrics, 5, "Metrics not recorded within expected window");
XCTAssertEqual(gotAuthResult, kv.second);
XCTAssertEqual(gotCachable, true); // Note: Kext responses always cached
XCTAssertEqual(gotCachable, kv.second == ES_AUTH_RESULT_ALLOW);
}
}
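Review bot: the `recordEventMetrics:` block with its `XCTAssertEqual(d, kv.second == ES_AUTH_RESULT_DENY ? ... )` and `dispatch_semaphore_signal(semaMetrics)` pair, followed by `XCTAssertSemaTrue(semaMetrics, 5, ...)`, is repeated verbatim in the UNLINK, both RENAME and the KEXTLOAD loops; a small helper taking `kv.second` would cut the duplication and keep the four loops in step when the expectation changes.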

Some files were not shown because too many files have changed in this diff.