Expand debug logging for transitive rule failure case (#1248)

* Fix test issue caused by move to C++20

* Use spaceship operator as is the style of the time

* lint

* Add include

.bazelrc

@@ -9,6 +9,7 @@ build --copt=-Wno-unknown-warning-option
 build --copt=-Wno-error=deprecated-non-prototype
 build --per_file_copt=.*\.mm\$@-std=c++17
 build --cxxopt=-std=c++17
+build --host_cxxopt=-std=c++17
 
 build --copt=-DSANTA_OPEN_SOURCE=1
 build --cxxopt=-DSANTA_OPEN_SOURCE=1

.bazelversion

@@ -1 +1 @@
-5.3.0
+6.3.2

.github/workflows/check-markdown.yml

@@ -9,6 +9,9 @@ jobs:
   markdown-check:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@master
-    - uses: gaurav-nelson/github-action-markdown-link-check@v1
-    - run: "! git grep -EIn $'[ \t]+$' -- ':(exclude)*.patch'"
+      - name: "Checkout Santa"
+        uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # ratchet:actions/checkout@master
+      - name: "Check for deadlinks"
+        uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # ratchet:gaurav-nelson/github-action-markdown-link-check@v1
+      - name: "Check for trailing whitespace and newlines"
+        run: "! git grep -EIn $'[ \t]+$' -- ':(exclude)*.patch'"

.github/workflows/ci.yml

@@ -1,5 +1,4 @@
 name: CI
-
 on:
   push:
     branches:
@@ -11,15 +10,13 @@ on:
       - main
     paths:
       - 'Source/**'
-
 jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
       - name: Run linters
         run: ./Testing/lint.sh
-
   build_userspace:
     strategy:
       fail-fast: false
@@ -27,10 +24,9 @@ jobs:
         os: [macos-11, macos-12, macos-13]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
       - name: Build Userspace
         run: bazel build --apple_generate_dsym -c opt :release --define=SANTA_BUILD_TYPE=adhoc
-
   unit_tests:
     strategy:
       fail-fast: false
@@ -38,18 +34,17 @@ jobs:
         os: [macos-11, macos-12, macos-13]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
       - name: Run All Tests
         run: bazel test :unit_tests --define=SANTA_BUILD_TYPE=adhoc --test_output=errors
-
   test_coverage:
     runs-on: macos-11
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
       - name: Generate test coverage
         run: sh ./generate_cov.sh
       - name: Coveralls
-        uses: coverallsapp/github-action@master
+        uses: coverallsapp/github-action@09b709cf6a16e30b0808ba050c7a6e8a5ef13f8d # ratchet:coverallsapp/github-action@master
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           path-to-lcov: ./bazel-out/_coverage/_coverage_report.dat

.github/workflows/e2e.yml

@@ -1,25 +1,28 @@
 name: E2E
 
-on: workflow_dispatch
+on:
+  schedule:
+    - cron: '0 4 * * *' # Every day at 4:00 UTC (not to interfere with fuzzing)
+  workflow_dispatch:
 
 jobs:
   start_vm:
     runs-on: e2e-host
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
       - name: Start VM
-        run: python3 Testing/integration/actions/start_vm.py macOS_12.bundle.tar.gz
+        run: python3 Testing/integration/actions/start_vm.py macOS_14.bundle.tar.gz
 
   integration:
     runs-on: e2e-vm
     env:
       VM_PASSWORD: ${{ secrets.VM_PASSWORD }}
     steps:
-      - uses: actions/checkout@v3
-      - name: Install configuration profile
-        run: bazel run //Testing/integration:install_profile -- Testing/integration/configs/default.mobileconfig
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
       - name: Add homebrew to PATH
         run: echo "/opt/homebrew/bin/" >> $GITHUB_PATH
+      - name: Install configuration profile
+        run: bazel run //Testing/integration:install_profile -- Testing/integration/configs/default.mobileconfig
       - name: Build, install, and start moroz
         run: |
           bazel build @com_github_groob_moroz//cmd/moroz:moroz
@@ -31,11 +34,16 @@ jobs:
           bazel run //Testing/integration:allow_sysex
           sudo santactl sync --debug
       - name: Run integration test binaries
-        run: bazel test //Testing/integration:integration_tests
+        run: |
+          bazel test //Testing/integration:integration_tests
+          sleep 3
+          bazel run //Testing/integration:dismiss_santa_popup || true
       - name: Test config changes
         run: ./Testing/integration/test_config_changes.sh
       - name: Test sync server changes
         run: ./Testing/integration/test_sync_changes.sh
+      - name: Test USB blocking
+        run: ./Testing/integration/test_usb.sh
       - name: Poweroff
         if: ${{ always() }}
         run: sudo shutdown -h +1

LICENSE

@@ -201,12 +201,3 @@
    See the License for the specific language governing permissions and
    limitations under the License.
 
-------------------
-
-Files: Testing/integration/VM/*
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -7,10 +7,10 @@
 [![downloads](https://img.shields.io/github/downloads/google/santa/latest/total)](https://github.com/google/santa/releases/latest)
 
 <p align="center">
-    <img src="https://raw.githubusercontent.com/google/santa/main/Source/gui/Resources/Images.xcassets/AppIcon.appiconset/santa-hat-icon-128.png" alt="Santa Icon" />
+    <img src="./docs/images/santa-sleigh-256.png" height="128" alt="Santa Icon" />
 </p>
 
-Santa is a binary authorization system for macOS. It consists of a system
+Santa is a binary and file access authorization system for macOS. It consists of a system
 extension that monitors for executions, a daemon that makes execution decisions
 based on the contents of a local database, a GUI agent that notifies the user in
 case of a block decision and a command-line utility for managing the system and
@@ -48,9 +48,7 @@ disclosure reporting.
   the events database. In LOCKDOWN mode, only listed binaries are allowed to
   run.
 
-* Event logging: When the kext is loaded, all binary launches are logged.  When
-  in either mode, all unknown or denied binaries are stored in the database to
-  enable later aggregation.
+* Event logging: When the system extension is loaded, all binary launches are logged. When in either mode, all unknown or denied binaries are stored in the database to enable later aggregation.
 
 * Certificate-based rules, with override levels: Instead of relying on a
   binary's hash (or 'fingerprint'), executables can be allowed/blocked by their
@@ -140,7 +138,7 @@ A tool like Santa doesn't really lend itself to screenshots, so here's a video
 instead.
 
 
-<p align="center"> <img src="https://thumbs.gfycat.com/MadFatalAmphiuma-small.gif" alt="Santa Block Video" /> </p>
+<p align="center"> <img src="./docs/images/santa-block.gif" alt="Santa Block Video" /> </p>
 
 # Contributing
 Patches to this project are very much welcome. Please see the

Source/common/BUILD

@@ -1,5 +1,5 @@
-load("//:helper.bzl", "santa_unit_test")
 load("@rules_cc//cc:defs.bzl", "cc_proto_library")
+load("//:helper.bzl", "santa_unit_test")
 
 package(
     default_visibility = ["//:santa_package_group"],
@@ -40,6 +40,12 @@ objc_library(
     ],
 )
 
+objc_library(
+    name = "SNTDeepCopy",
+    srcs = ["SNTDeepCopy.m"],
+    hdrs = ["SNTDeepCopy.h"],
+)
+
 cc_library(
     name = "SantaCache",
     hdrs = ["SantaCache.h"],
@@ -84,12 +90,22 @@ objc_library(
     ],
 )
 
+objc_library(
+    name = "CertificateHelpers",
+    srcs = ["CertificateHelpers.m"],
+    hdrs = ["CertificateHelpers.h"],
+    deps = [
+        "@MOLCertificate",
+    ],
+)
+
 objc_library(
     name = "SNTBlockMessage",
     srcs = ["SNTBlockMessage.m"],
     hdrs = ["SNTBlockMessage.h"],
     deps = [
         ":SNTConfigurator",
+        ":SNTFileAccessEvent",
         ":SNTLogging",
         ":SNTStoredEvent",
         ":SNTSystemInfo",
@@ -103,7 +119,7 @@ objc_library(
     defines = ["SANTAGUI"],
     deps = [
         ":SNTConfigurator",
-        ":SNTDeviceEvent",
+        ":SNTFileAccessEvent",
         ":SNTLogging",
         ":SNTStoredEvent",
         ":SNTSystemInfo",
@@ -142,6 +158,7 @@ objc_library(
         "Foundation",
     ],
     deps = [
+        ":CertificateHelpers",
         "@MOLCertificate",
     ],
 )
@@ -238,7 +255,11 @@ objc_library(
 santa_unit_test(
     name = "SNTRuleTest",
     srcs = ["SNTRuleTest.m"],
-    deps = [":SNTRule"],
+    deps = [
+        ":SNTCommonEnums",
+        ":SNTRule",
+        ":SNTSyncConstants",
+    ],
 )
 
 objc_library(
@@ -393,10 +414,24 @@ santa_unit_test(
     ],
 )
 
+santa_unit_test(
+    name = "SNTBlockMessageTest",
+    srcs = ["SNTBlockMessageTest.m"],
+    deps = [
+        ":SNTBlockMessage",
+        ":SNTConfigurator",
+        ":SNTFileAccessEvent",
+        ":SNTStoredEvent",
+        ":SNTSystemInfo",
+        "@OCMock",
+    ],
+)
+
 test_suite(
     name = "unit_tests",
     tests = [
         ":PrefixTreeTest",
+        ":SNTBlockMessageTest",
         ":SNTCachedDecisionTest",
         ":SNTFileInfoTest",
         ":SNTKVOManagerTest",

Source/common/CertificateHelpers.h

@@ -0,0 +1,43 @@
+/// Copyright 2023 Google LLC
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+#import <Foundation/Foundation.h>
+#import <MOLCertificate/MOLCertificate.h>
+#include <sys/cdefs.h>
+
+__BEGIN_DECLS
+
+/**
+  Return a string representing publisher info from the provided certs
+
+  @param certs A certificate chain
+  @param teamID A team ID to be displayed for apps from the App Store
+
+  @return A string that tries to be more helpful to users by extracting
+  appropriate information from the certificate chain.
+*/
+NSString *Publisher(NSArray<MOLCertificate *> *certs, NSString *teamID);
+
+/**
+  Return an array of the underlying SecCertificateRef's for the given array
+  of MOLCertificates.
+
+  @param certs An array of MOLCertificates
+
+  @return An array of SecCertificateRefs. WARNING: If the refs need to be used
+  for a long time be careful to properly CFRetain/CFRelease the returned items.
+*/
+NSArray<id> *CertificateChain(NSArray<MOLCertificate *> *certs);
+
+__END_DECLS

Source/common/CertificateHelpers.m

@@ -0,0 +1,42 @@
+/// Copyright 2023 Google LLC
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+#import "Source/common/CertificateHelpers.h"
+
+#include <Security/SecCertificate.h>
+
+NSString *Publisher(NSArray<MOLCertificate *> *certs, NSString *teamID) {
+  MOLCertificate *leafCert = [certs firstObject];
+
+  if ([leafCert.commonName isEqualToString:@"Apple Mac OS Application Signing"]) {
+    return [NSString stringWithFormat:@"App Store (Team ID: %@)", teamID];
+  } else if (leafCert.commonName && leafCert.orgName) {
+    return [NSString stringWithFormat:@"%@ - %@", leafCert.orgName, leafCert.commonName];
+  } else if (leafCert.commonName) {
+    return leafCert.commonName;
+  } else if (leafCert.orgName) {
+    return leafCert.orgName;
+  } else {
+    return nil;
+  }
+}
+
+NSArray<id> *CertificateChain(NSArray<MOLCertificate *> *certs) {
+  NSMutableArray *certArray = [NSMutableArray arrayWithCapacity:[certs count]];
+  for (MOLCertificate *cert in certs) {
+    [certArray addObject:(id)cert.certRef];
+  }
+
+  return certArray;
+}

Source/common/PrefixTree.h

@@ -74,6 +74,11 @@ class PrefixTree {
     node_count_ = 0;
   }
 
+  uint32_t NodeCount() {
+    absl::ReaderMutexLock lock(&lock_);
+    return node_count_;
+  }
+
 #if SANTA_PREFIX_TREE_DEBUG
   void Print() {
     char buf[max_depth_ + 1];
@@ -82,11 +87,6 @@ class PrefixTree {
     absl::ReaderMutexLock lock(&lock_);
     PrintLocked(root_, buf, 0);
   }
-
-  uint32_t NodeCount() {
-    absl::ReaderMutexLock lock(&lock_);
-    return node_count_;
-  }
 #endif
 
  private:

Source/common/SNTBlockMessage.h

@@ -18,6 +18,9 @@
 #import <Foundation/Foundation.h>
 #endif
 
+#import "Source/common/SNTFileAccessEvent.h"
+#import "Source/common/SNTStoredEvent.h"
+
 @class SNTStoredEvent;
 
 @interface SNTBlockMessage : NSObject
@@ -38,11 +41,15 @@
 + (NSAttributedString *)attributedBlockMessageForEvent:(SNTStoredEvent *)event
                                          customMessage:(NSString *)customMessage;
 
++ (NSAttributedString *)attributedBlockMessageForFileAccessEvent:(SNTFileAccessEvent *)event
+                                                   customMessage:(NSString *)customMessage;
+
 ///
 ///  Return a URL generated from the EventDetailURL configuration key
 ///  after replacing templates in the URL with values from the event.
 ///
-+ (NSURL *)eventDetailURLForEvent:(SNTStoredEvent *)event;
++ (NSURL *)eventDetailURLForEvent:(SNTStoredEvent *)event customURL:(NSString *)url;
++ (NSURL *)eventDetailURLForFileAccessEvent:(SNTFileAccessEvent *)event customURL:(NSString *)url;
 
 ///
 ///  Strip HTML from a string, replacing <br /> with newline.

Source/common/SNTBlockMessage.m

@@ -15,6 +15,7 @@
 #import "Source/common/SNTBlockMessage.h"
 
 #import "Source/common/SNTConfigurator.h"
+#import "Source/common/SNTFileAccessEvent.h"
 #import "Source/common/SNTLogging.h"
 #import "Source/common/SNTStoredEvent.h"
 #import "Source/common/SNTSystemInfo.h"
@@ -82,6 +83,18 @@
   return [SNTBlockMessage formatMessage:message];
 }
 
++ (NSAttributedString *)attributedBlockMessageForFileAccessEvent:(SNTFileAccessEvent *)event
+                                                   customMessage:(NSString *)customMessage {
+  NSString *message = customMessage;
+  if (!message.length) {
+    message = [[SNTConfigurator configurator] fileAccessBlockMessage];
+    if (!message.length) {
+      message = @"Access to a file has been denied.";
+    }
+  }
+  return [SNTBlockMessage formatMessage:message];
+}
+
 + (NSString *)stringFromHTML:(NSString *)html {
   NSError *error;
   NSXMLDocument *xml = [[NSXMLDocument alloc] initWithXMLString:html options:0 error:&error];
@@ -109,46 +122,127 @@
   return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
 }
 
-+ (NSURL *)eventDetailURLForEvent:(SNTStoredEvent *)event {
++ (NSString *)replaceFormatString:(NSString *)str
+                         withDict:(NSDictionary<NSString *, NSString * (^)()> *)replacements {
+  __block NSString *formatStr = str;
+
+  [replacements
+    enumerateKeysAndObjectsUsingBlock:^(NSString *key, NSString * (^computeValue)(), BOOL *stop) {
+      NSString *value = computeValue();
+      if (value) {
+        formatStr = [formatStr stringByReplacingOccurrencesOfString:key withString:value];
+      }
+    }];
+
+  return formatStr;
+}
+
+// Returns either the generated URL for the passed in event, or an NSURL from the passed in custom
+// URL string. If the custom URL string is the string "null", nil will be returned. If no custom
+// URL is passed and there is no configured EventDetailURL template, nil will be returned.
+// The following "format strings" will be replaced in the URL, if they are present:
+//
+//   %file_identifier%           - The SHA-256 of the binary being executed.
+//   %bundle_or_file_identifier% - The hash of the bundle containing this file or the file itself,
+//                                 if no bundle hash is present.
+//   %username%                  - The executing user's name.
+//   %machine_id%                - The configured machine ID for this host.
+//   %hostname%                  - The machine's FQDN.
+//   %uuid%                      - The machine's UUID.
+//   %serial%                    - The machine's serial number.
+//
++ (NSURL *)eventDetailURLForEvent:(SNTStoredEvent *)event customURL:(NSString *)url {
   SNTConfigurator *config = [SNTConfigurator configurator];
 
-  NSString *hostname = [SNTSystemInfo longHostname];
-  NSString *uuid = [SNTSystemInfo hardwareUUID];
-  NSString *serial = [SNTSystemInfo serialNumber];
-  NSString *formatStr = config.eventDetailURL;
-  if (!formatStr.length) return nil;
-
-  if (event.fileSHA256) {
-    // This key is deprecated, use %file_identifier% or %bundle_or_file_identifier%
-    formatStr =
-      [formatStr stringByReplacingOccurrencesOfString:@"%file_sha%"
-                                           withString:event.fileBundleHash ?: event.fileSHA256];
-
-    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%file_identifier%"
-                                                     withString:event.fileSHA256];
-    formatStr =
-      [formatStr stringByReplacingOccurrencesOfString:@"%bundle_or_file_identifier%"
-                                           withString:event.fileBundleHash ?: event.fileSHA256];
-  }
-  if (event.executingUser) {
-    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%username%"
-                                                     withString:event.executingUser];
-  }
-  if (config.machineID) {
-    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%machine_id%"
-                                                     withString:config.machineID];
-  }
-  if (hostname.length) {
-    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%hostname%" withString:hostname];
-  }
-  if (uuid.length) {
-    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%uuid%" withString:uuid];
-  }
-  if (serial.length) {
-    formatStr = [formatStr stringByReplacingOccurrencesOfString:@"%serial%" withString:serial];
+  NSString *formatStr = url;
+  if (!formatStr.length) {
+    formatStr = config.eventDetailURL;
+    if (!formatStr.length) {
+      return nil;
+    }
   }
 
-  return [NSURL URLWithString:formatStr];
+  if ([formatStr isEqualToString:@"null"]) {
+    return nil;
+  }
+
+  // Disabling clang-format. See comment in `eventDetailURLForFileAccessEvent:customURL:`
+  // clang-format off
+  NSDictionary<NSString *, NSString * (^)()> *kvReplacements =
+    [NSDictionary dictionaryWithObjectsAndKeys:
+      // This key is deprecated, use %file_identifier% or %bundle_or_file_identifier%
+      ^{ return event.fileSHA256 ? event.fileBundleHash ?: event.fileSHA256 : nil; },
+                                                 @"%file_sha%",
+      ^{ return event.fileSHA256; },             @"%file_identifier%",
+      ^{ return event.fileSHA256 ? event.fileBundleHash ?: event.fileSHA256 : nil; },
+                                                 @"%bundle_or_file_identifier%",
+      ^{ return event.executingUser; },          @"%username%",
+      ^{ return config.machineID; },             @"%machine_id%",
+      ^{ return [SNTSystemInfo longHostname]; }, @"%hostname%",
+      ^{ return [SNTSystemInfo hardwareUUID]; }, @"%uuid%",
+      ^{ return [SNTSystemInfo serialNumber]; }, @"%serial%",
+      nil];
+  // clang-format on
+
+  formatStr = [SNTBlockMessage replaceFormatString:formatStr withDict:kvReplacements];
+
+  NSURL *u = [NSURL URLWithString:formatStr];
+  if (!u) {
+    LOGW(@"Unable to generate event detail URL for string '%@'", formatStr);
+  }
+
+  return u;
+}
+
+// Returns either the generated URL for the passed in event, or an NSURL from the passed in custom
+// URL string. If the custom URL string is the string "null", nil will be returned. If no custom
+// URL is passed and there is no configured EventDetailURL template, nil will be returned.
+// The following "format strings" will be replaced in the URL, if they are present:
+//
+//   %rule_version%    - The version of the rule that was violated.
+//   %rule_name%       - The name of the rule that was violated.
+//   %file_identifier% - The SHA-256 of the binary being executed.
+//   %accessed_path%   - The path accessed by the binary.
+//   %username%        - The executing user's name.
+//   %machine_id%      - The configured machine ID for this host.
+//   %hostname%        - The machine's FQDN.
+//   %uuid%            - The machine's UUID.
+//   %serial%          - The machine's serial number.
+//
++ (NSURL *)eventDetailURLForFileAccessEvent:(SNTFileAccessEvent *)event customURL:(NSString *)url {
+  if (!url.length || [url isEqualToString:@"null"]) {
+    return nil;
+  }
+
+  SNTConfigurator *config = [SNTConfigurator configurator];
+
+  // Clang format goes wild here. If you use the container literal syntax `@{}` with a block value
+  // type, it seems to break the clang format on/off functionality and breaks formatting for the
+  // remainder of the file.
+  // Using `dictionaryWithObjectsAndKeys` and disabling clang format as a workaround.
+  // clang-format off
+  NSDictionary<NSString *, NSString * (^)()> *kvReplacements =
+    [NSDictionary dictionaryWithObjectsAndKeys:
+      ^{ return event.ruleVersion; },            @"%rule_version%",
+      ^{ return event.ruleName; },               @"%rule_name%",
+      ^{ return event.fileSHA256; },             @"%file_identifier%",
+      ^{ return event.accessedPath; },           @"%accessed_path%",
+      ^{ return event.executingUser; },          @"%username%",
+      ^{ return config.machineID; },             @"%machine_id%",
+      ^{ return [SNTSystemInfo longHostname]; }, @"%hostname%",
+      ^{ return [SNTSystemInfo hardwareUUID]; }, @"%uuid%",
+      ^{ return [SNTSystemInfo serialNumber]; }, @"%serial%",
+      nil];
+  // clang-format on
+
+  NSString *formatStr = [SNTBlockMessage replaceFormatString:url withDict:kvReplacements];
+
+  NSURL *u = [NSURL URLWithString:formatStr];
+  if (!u) {
+    LOGW(@"Unable to generate event detail URL for string '%@'", formatStr);
+  }
+
+  return u;
 }
 
 @end

Source/common/SNTBlockMessageTest.m

@@ -0,0 +1,95 @@
+/// Copyright 2023 Google LLC
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+#import <OCMock/OCMock.h>
+#import <XCTest/XCTest.h>
+
+#import "Source/common/SNTBlockMessage.h"
+#import "Source/common/SNTConfigurator.h"
+#include "Source/common/SNTFileAccessEvent.h"
+#include "Source/common/SNTStoredEvent.h"
+#import "Source/common/SNTSystemInfo.h"
+
+@interface SNTBlockMessageTest : XCTestCase
+@property id mockConfigurator;
+@property id mockSystemInfo;
+@end
+
+@implementation SNTBlockMessageTest
+
+- (void)setUp {
+  self.mockConfigurator = OCMClassMock([SNTConfigurator class]);
+  OCMStub([self.mockConfigurator configurator]).andReturn(self.mockConfigurator);
+  OCMStub([self.mockConfigurator machineID]).andReturn(@"my_mid");
+
+  self.mockSystemInfo = OCMClassMock([SNTSystemInfo class]);
+  OCMStub([self.mockSystemInfo longHostname]).andReturn(@"my_hn");
+  OCMStub([self.mockSystemInfo hardwareUUID]).andReturn(@"my_u");
+  OCMStub([self.mockSystemInfo serialNumber]).andReturn(@"my_s");
+}
+
+- (void)testEventDetailURLForEvent {
+  SNTStoredEvent *se = [[SNTStoredEvent alloc] init];
+
+  se.fileSHA256 = @"my_fi";
+  se.executingUser = @"my_un";
+
+  NSString *url = @"http://"
+                  @"localhost?fs=%file_sha%&fi=%file_identifier%&bfi=%bundle_or_file_identifier%&"
+                  @"un=%username%&mid=%machine_id%&hn=%hostname%&u=%uuid%&s=%serial%";
+  NSString *wantUrl =
+    @"http://"
+    @"localhost?fs=my_fi&fi=my_fi&bfi=my_fi&bfi=my_fi&un=my_un&mid=my_mid&hn=my_hn&u=my_u&s=my_s";
+
+  NSURL *gotUrl = [SNTBlockMessage eventDetailURLForEvent:se customURL:url];
+
+  // Set fileBundleHash and test again for newly expected values
+  se.fileBundleHash = @"my_fbh";
+
+  wantUrl = @"http://"
+            @"localhost?fs=my_fbh&fi=my_fi&bfi=my_fbh&un=my_un&mid=my_mid&hn=my_hn&u=my_u&s=my_s";
+
+  gotUrl = [SNTBlockMessage eventDetailURLForEvent:se customURL:url];
+
+  XCTAssertEqualObjects(gotUrl.absoluteString, wantUrl);
+
+  XCTAssertNil([SNTBlockMessage eventDetailURLForEvent:se customURL:nil]);
+  XCTAssertNil([SNTBlockMessage eventDetailURLForEvent:se customURL:@"null"]);
+}
+
+- (void)testEventDetailURLForFileAccessEvent {
+  SNTFileAccessEvent *fae = [[SNTFileAccessEvent alloc] init];
+
+  fae.ruleVersion = @"my_rv";
+  fae.ruleName = @"my_rn";
+  fae.fileSHA256 = @"my_fi";
+  fae.accessedPath = @"my_ap";
+  fae.executingUser = @"my_un";
+
+  NSString *url = @"http://"
+                  @"localhost?rv=%rule_version%&rn=%rule_name%&fi=%file_identifier%&ap=%accessed_"
+                  @"path%&un=%username%&mid=%machine_id%&hn=%hostname%&u=%uuid%&s=%serial%";
+  NSString *wantUrl =
+    @"http://"
+    @"localhost?rv=my_rv&rn=my_rn&fi=my_fi&ap=my_ap&un=my_un&mid=my_mid&hn=my_hn&u=my_u&s=my_s";
+
+  NSURL *gotUrl = [SNTBlockMessage eventDetailURLForFileAccessEvent:fae customURL:url];
+
+  XCTAssertEqualObjects(gotUrl.absoluteString, wantUrl);
+
+  XCTAssertNil([SNTBlockMessage eventDetailURLForFileAccessEvent:fae customURL:nil]);
+  XCTAssertNil([SNTBlockMessage eventDetailURLForFileAccessEvent:fae customURL:@"null"]);
+}
+
+@end

Source/common/SNTCachedDecision.h

@@ -38,10 +38,13 @@
 @property NSArray<MOLCertificate *> *certChain;
 @property NSString *teamID;
 @property NSString *signingID;
+@property NSDictionary *entitlements;
+@property BOOL entitlementsFiltered;
 
 @property NSString *quarantineURL;
 
 @property NSString *customMsg;
+@property NSString *customURL;
 @property BOOL silentBlock;
 
 @end

Source/common/SNTCommonEnums.h

@@ -152,6 +152,20 @@ typedef NS_ENUM(NSInteger, SNTMetricFormatType) {
   SNTMetricFormatTypeMonarchJSON,
 };
 
+typedef NS_ENUM(NSInteger, SNTOverrideFileAccessAction) {
+  SNTOverrideFileAccessActionNone,
+  SNTOverrideFileAccessActionAuditOnly,
+  SNTOverrideFileAccessActionDiable,
+};
+
+typedef NS_ENUM(NSInteger, SNTDeviceManagerStartupPreferences) {
+  SNTDeviceManagerStartupPreferencesNone,
+  SNTDeviceManagerStartupPreferencesUnmount,
+  SNTDeviceManagerStartupPreferencesForceUnmount,
+  SNTDeviceManagerStartupPreferencesRemount,
+  SNTDeviceManagerStartupPreferencesForceRemount,
+};
+
 #ifdef __cplusplus
 enum class FileAccessPolicyDecision {
   kNoPolicy,

Source/common/SNTConfigurator.h

@@ -262,6 +262,16 @@
 ///
 @property(readonly, nonatomic) NSString *fileAccessPolicyPlist;
 
+///
+///  This is the message shown to the user when access to a file is blocked
+///  by a binary due to some rule in the current File Access policy if that rule
+///  doesn't provide a custom message. If this is not configured, a reasonable
+///  default is provided.
+///
+///  @note: This property is KVO compliant.
+///
+@property(readonly, nonatomic) NSString *fileAccessBlockMessage;
+
 ///
 ///  If fileAccessPolicyPlist is set, fileAccessPolicyUpdateIntervalSec
 ///  sets the number of seconds between times that the configuration file is
@@ -390,6 +400,27 @@
 ///
 @property(readonly, nonatomic) NSDictionary *syncProxyConfig;
 
+///
+///  Extra headers to include in all requests made during syncing.
+///  Keys and values must all be strings, any other type will be silently ignored.
+///  Some headers cannot be set through this key, including:
+///
+///    * Content-Encoding
+///    * Content-Length
+///    * Content-Type
+///    * Connection
+///    * Host
+///    * Proxy-Authenticate
+///    * Proxy-Authorization
+///    * WWW-Authenticate
+///
+///  The header "Authorization" is also documented by Apple to be one that will
+///  be ignored but this is not really the case, at least at present. If you
+///  are able to use a different header for this that would be safest but if not
+///  using Authorization /should/ be fine.
+///
+@property(readonly, nonatomic) NSDictionary *syncExtraHeaders;
+
 ///
 ///  The machine owner.
 ///
@@ -423,6 +454,39 @@
 ///
 @property(nonatomic) NSArray<NSString *> *remountUSBMode;
 
+///
+/// If set, defines the action that should be taken on existing USB mounts when
+/// Santa starts up.
+///
+/// Supported values are:
+///   * "Unmount": Unmount mass storage devices
+///   * "ForceUnmount": Force unmount mass storage devices
+///
+///
+/// Note: Existing mounts with mount flags that are a superset of RemountUSBMode
+/// are unaffected and left mounted.
+///
+@property(readonly, nonatomic) SNTDeviceManagerStartupPreferences onStartUSBOptions;
+
+///
+/// If set, will override the action taken when a file access rule violation
+/// occurs. This setting will apply across all rules in the file access policy.
+///
+/// Possible values are
+///   * "AuditOnly": When a rule is violated, it will be logged, but the access
+///     will not be blocked
+///   * "Disable": No access will be logged or blocked.
+///
+/// If not set, no override will take place and the file acces spolicy will
+/// apply as configured.
+///
+@property(readonly, nonatomic) SNTOverrideFileAccessAction overrideFileAccessAction;
+
+///
+///  Set the action that will override file access policy config action
+///
+- (void)setSyncServerOverrideFileAccessAction:(NSString *)action;
+
 ///
 ///  If set, this over-rides the default machine ID used for syncing.
 ///
@@ -578,6 +642,18 @@
 ///
 @property(readonly, nonatomic) NSUInteger metricExportTimeout;
 
+///
+/// List of prefix strings for which individual entitlement keys with a matching
+/// prefix should not be logged.
+///
+@property(readonly, nonatomic) NSArray<NSString *> *entitlementsPrefixFilter;
+
+///
+/// List of TeamIDs for which entitlements should not be logged. Use the string
+/// "platform" to refer to platform binaries.
+///
+@property(readonly, nonatomic) NSArray<NSString *> *entitlementsTeamIDFilter;
+
 ///
 ///  Retrieve an initialized singleton configurator object using the default file path.
 ///

Source/common/SNTConfigurator.m

@@ -13,7 +13,6 @@
 ///    limitations under the License.
 
 #import "Source/common/SNTConfigurator.h"
-#import "Source/common/SNTCommonEnums.h"
 
 #include <sys/stat.h>
 
@@ -21,6 +20,21 @@
 #import "Source/common/SNTStrengthify.h"
 #import "Source/common/SNTSystemInfo.h"
 
+// Ensures the given object is an NSArray and only contains NSString value types
+static NSArray<NSString *> *EnsureArrayOfStrings(id obj) {
+  if (![obj isKindOfClass:[NSArray class]]) {
+    return nil;
+  }
+
+  for (id item in obj) {
+    if (![item isKindOfClass:[NSString class]]) {
+      return nil;
+    }
+  }
+
+  return obj;
+}
+
 @interface SNTConfigurator ()
 /// A NSUserDefaults object set to use the com.google.santa suite.
 @property(readonly, nonatomic) NSUserDefaults *defaults;
@@ -57,6 +71,7 @@ static NSString *const kMobileConfigDomain = @"com.google.santa";
 static NSString *const kStaticRules = @"StaticRules";
 static NSString *const kSyncBaseURLKey = @"SyncBaseURL";
 static NSString *const kSyncProxyConfigKey = @"SyncProxyConfiguration";
+static NSString *const kSyncExtraHeadersKey = @"SyncExtraHeaders";
 static NSString *const kSyncEnableCleanSyncEventUpload = @"SyncEnableCleanSyncEventUpload";
 static NSString *const kClientAuthCertificateFileKey = @"ClientAuthCertificateFile";
 static NSString *const kClientAuthCertificatePasswordKey = @"ClientAuthCertificatePassword";
@@ -101,6 +116,7 @@ static NSString *const kSpoolDirectoryEventMaxFlushTimeSec = @"SpoolDirectoryEve
 
 static NSString *const kFileAccessPolicy = @"FileAccessPolicy";
 static NSString *const kFileAccessPolicyPlist = @"FileAccessPolicyPlist";
+static NSString *const kFileAccessBlockMessage = @"FileAccessBlockMessage";
 static NSString *const kFileAccessPolicyUpdateIntervalSec = @"FileAccessPolicyUpdateIntervalSec";
 
 static NSString *const kEnableMachineIDDecoration = @"EnableMachineIDDecoration";
@@ -115,11 +131,15 @@ static NSString *const kFCMProject = @"FCMProject";
 static NSString *const kFCMEntity = @"FCMEntity";
 static NSString *const kFCMAPIKey = @"FCMAPIKey";
 
+static NSString *const kEntitlementsPrefixFilterKey = @"EntitlementsPrefixFilter";
+static NSString *const kEntitlementsTeamIDFilterKey = @"EntitlementsTeamIDFilter";
+
 // The keys managed by a sync server or mobileconfig.
 static NSString *const kClientModeKey = @"ClientMode";
 static NSString *const kFailClosedKey = @"FailClosed";
 static NSString *const kBlockUSBMountKey = @"BlockUSBMount";
 static NSString *const kRemountUSBModeKey = @"RemountUSBMode";
+static NSString *const kOnStartUSBOptions = @"OnStartUSBOptions";
 static NSString *const kEnableTransitiveRulesKey = @"EnableTransitiveRules";
 static NSString *const kEnableTransitiveRulesKeyDeprecated = @"EnableTransitiveWhitelisting";
 static NSString *const kAllowedPathRegexKey = @"AllowedPathRegex";
@@ -128,6 +148,7 @@ static NSString *const kBlockedPathRegexKey = @"BlockedPathRegex";
 static NSString *const kBlockedPathRegexKeyDeprecated = @"BlacklistRegex";
 static NSString *const kEnableAllEventUploadKey = @"EnableAllEventUpload";
 static NSString *const kDisableUnknownEventUploadKey = @"DisableUnknownEventUpload";
+static NSString *const kOverrideFileAccessActionKey = @"OverrideFileAccessAction";
 
 static NSString *const kMetricFormat = @"MetricFormat";
 static NSString *const kMetricURL = @"MetricURL";
@@ -164,6 +185,7 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
       kRuleSyncLastSuccess : date,
       kSyncCleanRequired : number,
       kEnableAllEventUploadKey : number,
+      kOverrideFileAccessActionKey : string,
     };
     _forcedConfigKeyTypes = @{
       kClientModeKey : number,
@@ -178,6 +200,7 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
       kBlockedPathRegexKeyDeprecated : re,
       kBlockUSBMountKey : number,
       kRemountUSBModeKey : array,
+      kOnStartUSBOptions : string,
       kEnablePageZeroProtectionKey : number,
       kEnableBadSignatureProtectionKey : number,
       kEnableSilentModeKey : number,
@@ -196,6 +219,7 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
       kSyncBaseURLKey : string,
       kSyncEnableCleanSyncEventUpload : number,
       kSyncProxyConfigKey : dictionary,
+      kSyncExtraHeadersKey : dictionary,
       kClientAuthCertificateFileKey : string,
       kClientAuthCertificatePasswordKey : string,
       kClientAuthCertificateCNKey : string,
@@ -217,6 +241,7 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
       kSpoolDirectoryEventMaxFlushTimeSec : number,
       kFileAccessPolicy : dictionary,
       kFileAccessPolicyPlist : string,
+      kFileAccessBlockMessage : string,
       kFileAccessPolicyUpdateIntervalSec : number,
       kEnableMachineIDDecoration : number,
       kEnableForkAndExitLogging : number,
@@ -232,6 +257,9 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
       kMetricExtraLabels : dictionary,
       kEnableAllEventUploadKey : number,
       kDisableUnknownEventUploadKey : number,
+      kOverrideFileAccessActionKey : string,
+      kEntitlementsPrefixFilterKey : array,
+      kEntitlementsTeamIDFilterKey : array,
     };
     _defaults = [NSUserDefaults standardUserDefaults];
     [_defaults addSuiteNamed:@"com.google.santa"];
@@ -315,6 +343,10 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
   return [self configStateSet];
 }
 
++ (NSSet *)keyPathsForValuesAffectingSyncExtraHeaders {
+  return [self configStateSet];
+}
+
 + (NSSet *)keyPathsForValuesAffectingEnableCleanSyncEventUpload {
   return [self configStateSet];
 }
@@ -435,6 +467,10 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
   return [self configStateSet];
 }
 
++ (NSSet *)keyPathsForValuesAffectingFileAccessBlockMessage {
+  return [self configStateSet];
+}
+
 + (NSSet *)keyPathsForValuesAffectingFileAccessPolicyUpdateIntervalSec {
   return [self configStateSet];
 }
@@ -507,6 +543,18 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
   return [self configStateSet];
 }
 
++ (NSSet *)keyPathsForValuesAffectingOverrideFileAccessActionKey {
+  return [self syncAndConfigStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingEntitlementsPrefixFilter {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingEntitlementsTeamIDFilter {
+  return [self configStateSet];
+}
+
 #pragma mark Public Interface
 
 - (SNTClientMode)clientMode {
@@ -617,6 +665,22 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
   return args;
 }
 
+- (SNTDeviceManagerStartupPreferences)onStartUSBOptions {
+  NSString *action = [self.configState[kOnStartUSBOptions] lowercaseString];
+
+  if ([action isEqualToString:@"unmount"]) {
+    return SNTDeviceManagerStartupPreferencesUnmount;
+  } else if ([action isEqualToString:@"forceunmount"]) {
+    return SNTDeviceManagerStartupPreferencesForceUnmount;
+  } else if ([action isEqualToString:@"remount"]) {
+    return SNTDeviceManagerStartupPreferencesRemount;
+  } else if ([action isEqualToString:@"forceremount"]) {
+    return SNTDeviceManagerStartupPreferencesForceRemount;
+  } else {
+    return SNTDeviceManagerStartupPreferencesNone;
+  }
+}
+
 - (NSDictionary<NSString *, SNTRule *> *)staticRules {
   return self.cachedStaticRules;
 }
@@ -632,6 +696,10 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
   return self.configState[kSyncProxyConfigKey];
 }
 
+- (NSDictionary *)syncExtraHeaders {
+  return self.configState[kSyncExtraHeadersKey];
+}
+
 - (BOOL)enablePageZeroProtection {
   NSNumber *number = self.configState[kEnablePageZeroProtectionKey];
   return number ? [number boolValue] : YES;
@@ -851,6 +919,10 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
   }
 }
 
+- (NSString *)fileAccessBlockMessage {
+  return self.configState[kFileAccessBlockMessage];
+}
+
 - (uint32_t)fileAccessPolicyUpdateIntervalSec {
   return self.configState[kFileAccessPolicyUpdateIntervalSec]
            ? [self.configState[kFileAccessPolicyUpdateIntervalSec] unsignedIntValue]
@@ -931,6 +1003,33 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
   return [self.configState[kBlockUSBMountKey] boolValue];
 }
 
+- (void)setSyncServerOverrideFileAccessAction:(NSString *)action {
+  NSString *a = [action lowercaseString];
+  if ([a isEqualToString:@"auditonly"] || [a isEqualToString:@"disable"] ||
+      [a isEqualToString:@"none"] || [a isEqualToString:@""]) {
+    [self updateSyncStateForKey:kOverrideFileAccessActionKey value:action];
+  }
+}
+
+- (SNTOverrideFileAccessAction)overrideFileAccessAction {
+  NSString *action = [self.syncState[kOverrideFileAccessActionKey] lowercaseString];
+
+  if (!action) {
+    action = [self.configState[kOverrideFileAccessActionKey] lowercaseString];
+    if (!action) {
+      return SNTOverrideFileAccessActionNone;
+    }
+  }
+
+  if ([action isEqualToString:@"auditonly"]) {
+    return SNTOverrideFileAccessActionAuditOnly;
+  } else if ([action isEqualToString:@"disable"]) {
+    return SNTOverrideFileAccessActionDiable;
+  } else {
+    return SNTOverrideFileAccessActionNone;
+  }
+}
+
 ///
 /// Returns YES if all of the necessary options are set to export metrics, NO
 /// otherwise.
@@ -1040,6 +1139,14 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
   self.syncState = [NSMutableDictionary dictionary];
 }
 
+- (NSArray *)entitlementsPrefixFilter {
+  return EnsureArrayOfStrings(self.configState[kEntitlementsPrefixFilterKey]);
+}
+
+- (NSArray *)entitlementsTeamIDFilter {
+  return EnsureArrayOfStrings(self.configState[kEntitlementsTeamIDFilterKey]);
+}
+
 #pragma mark Private Defaults Methods
 
 - (NSRegularExpression *)expressionForPattern:(NSString *)pattern {
@@ -1063,7 +1170,11 @@ static NSString *const kSyncCleanRequired = @"SyncCleanRequired";
   NSDictionary *overrides = [NSDictionary dictionaryWithContentsOfFile:kConfigOverrideFilePath];
   for (NSString *key in overrides) {
     id obj = overrides[key];
-    if (![obj isKindOfClass:self.forcedConfigKeyTypes[key]]) continue;
+    if (![obj isKindOfClass:self.forcedConfigKeyTypes[key]] ||
+        ([self.forcedConfigKeyTypes[key] isKindOfClass:[NSRegularExpression class]] &&
+         ![obj isKindOfClass:[NSString class]])) {
+      continue;
+    }
     forcedConfig[key] = obj;
     if (self.forcedConfigKeyTypes[key] == [NSRegularExpression class]) {
       NSString *pattern = [obj isKindOfClass:[NSString class]] ? obj : nil;

Source/common/SNTDeepCopy.h

@@ -0,0 +1,27 @@
+/// Copyright 2023 Google LLC
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+#import <Foundation/Foundation.h>
+
+@interface NSArray (SNTDeepCopy)
+
+- (instancetype)sntDeepCopy;
+
+@end
+
+@interface NSDictionary (SNTDeepCopy)
+
+- (instancetype)sntDeepCopy;
+
+@end

Source/common/SNTDeepCopy.m

@@ -0,0 +1,53 @@
+/// Copyright 2023 Google LLC
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+#import "Source/common/SNTDeepCopy.h"
+
+@implementation NSArray (SNTDeepCopy)
+
+- (instancetype)sntDeepCopy {
+  NSMutableArray<__kindof NSObject *> *deepCopy = [NSMutableArray arrayWithCapacity:self.count];
+  for (id object in self) {
+    if ([object respondsToSelector:@selector(sntDeepCopy)]) {
+      [deepCopy addObject:[object sntDeepCopy]];
+    } else if ([object respondsToSelector:@selector(copyWithZone:)]) {
+      [deepCopy addObject:[object copy]];
+    } else {
+      [deepCopy addObject:object];
+    }
+  }
+  return deepCopy;
+}
+
+@end
+
+@implementation NSDictionary (SNTDeepCopy)
+
+- (instancetype)sntDeepCopy {
+  NSMutableDictionary<__kindof NSObject *, __kindof NSObject *> *deepCopy =
+    [NSMutableDictionary dictionary];
+  for (id key in self) {
+    id value = self[key];
+    if ([value respondsToSelector:@selector(sntDeepCopy)]) {
+      deepCopy[key] = [value sntDeepCopy];
+    } else if ([value respondsToSelector:@selector(copyWithZone:)]) {
+      deepCopy[key] = [value copy];
+    } else {
+      deepCopy[key] = value;
+    }
+  }
+  return deepCopy;
+}
+
+@end

Source/common/SNTFileAccessEvent.h

@@ -77,7 +77,23 @@
 ///
 @property NSString *parentName;
 
-// TODO(mlw): Store signing chain info
-// @property NSArray<MOLCertificate*> *signingChain;
+///
+/// If the executed file was signed, this is an NSArray of MOLCertificate's
+/// representing the signing chain.
+///
+@property NSArray<MOLCertificate *> *signingChain;
+
+///
+/// A string representing the publisher based on the signingChain
+///
+@property(readonly) NSString *publisherInfo;
+
+///
+/// Return an array of the underlying SecCertificateRef's of the signingChain
+///
+/// WARNING: If the refs need to be used for a long time be careful to properly
+/// CFRetain/CFRelease the returned items.
+///
+@property(readonly) NSArray *signingChainCertRefs;
 
 @end

Source/common/SNTFileAccessEvent.m

@@ -14,6 +14,8 @@
 
 #import "Source/common/SNTFileAccessEvent.h"
 
+#import "Source/common/CertificateHelpers.h"
+
 @implementation SNTFileAccessEvent
 
 #define ENCODE(o)                               \
@@ -28,6 +30,12 @@
     _##o = [decoder decodeObjectOfClass:[c class] forKey:@(#o)]; \
   } while (0)
 
+#define DECODEARRAY(o, c)                                                                        \
+  do {                                                                                           \
+    _##o = [decoder decodeObjectOfClasses:[NSSet setWithObjects:[NSArray class], [c class], nil] \
+                                   forKey:@(#o)];                                                \
+  } while (0)
+
 - (instancetype)init {
   self = [super init];
   if (self) {
@@ -51,6 +59,7 @@
   ENCODE(pid);
   ENCODE(ppid);
   ENCODE(parentName);
+  ENCODE(signingChain);
 }
 
 - (instancetype)initWithCoder:(NSCoder *)decoder {
@@ -67,6 +76,7 @@
     DECODE(pid, NSNumber);
     DECODE(ppid, NSNumber);
     DECODE(parentName, NSString);
+    DECODEARRAY(signingChain, MOLCertificate);
   }
   return self;
 }
@@ -76,4 +86,12 @@
     stringWithFormat:@"SNTFileAccessEvent: Accessed: %@, By: %@", self.accessedPath, self.filePath];
 }
 
+- (NSString *)publisherInfo {
+  return Publisher(self.signingChain, self.teamID);
+}
+
+- (NSArray *)signingChainCertRefs {
+  return CertificateChain(self.signingChain);
+}
+
 @end

Source/common/SNTRule.h

@@ -41,6 +41,11 @@
 ///
 @property(copy) NSString *customMsg;
 
+///
+///  A custom URL to take the user to when this binary is blocked from executing.
+///
+@property(copy) NSString *customURL;
+
 ///
 ///  The time when this rule was last retrieved from the rules database, if rule is transitive.
 ///  Stored as number of seconds since 00:00:00 UTC on 1 January 2001.
@@ -74,4 +79,9 @@
 ///
 - (void)resetTimestamp;
 
+///
+///  Returns a dictionary representation of the rule.
+///
+- (NSDictionary *)dictionaryRepresentation;
+
 @end

Source/common/SNTRule.m

@@ -13,8 +13,15 @@
 ///    limitations under the License.
 
 #import "Source/common/SNTRule.h"
+
+#include <CommonCrypto/CommonCrypto.h>
+#include <os/base.h>
+
 #import "Source/common/SNTSyncConstants.h"
 
+// https://developer.apple.com/help/account/manage-your-team/locate-your-team-id/
+static const NSUInteger kExpectedTeamIDLength = 10;
+
 @interface SNTRule ()
 @property(readwrite) NSUInteger timestamp;
 @end
@@ -28,20 +35,84 @@
                          timestamp:(NSUInteger)timestamp {
   self = [super init];
   if (self) {
+    if (identifier.length == 0) {
+      return nil;
+    }
+
+    NSCharacterSet *nonHex =
+      [[NSCharacterSet characterSetWithCharactersInString:@"0123456789abcdef"] invertedSet];
+    NSCharacterSet *nonUppercaseAlphaNumeric = [[NSCharacterSet
+      characterSetWithCharactersInString:@"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"] invertedSet];
+
+    switch (type) {
+      case SNTRuleTypeBinary: OS_FALLTHROUGH;
+      case SNTRuleTypeCertificate: {
+        // For binary and certificate rules, force the hash identifier to be lowercase hex.
+        identifier = [identifier lowercaseString];
+
+        identifier = [identifier stringByTrimmingCharactersInSet:nonHex];
+        if (identifier.length != (CC_SHA256_DIGEST_LENGTH * 2)) {
+          return nil;
+        }
+
+        break;
+      }
+
+      case SNTRuleTypeTeamID: {
+        // TeamIDs are always [0-9A-Z], so enforce that the identifier is uppercase
+        identifier =
+          [[identifier uppercaseString] stringByTrimmingCharactersInSet:nonUppercaseAlphaNumeric];
+        if (identifier.length != kExpectedTeamIDLength) {
+          return nil;
+        }
+
+        break;
+      }
+
+      case SNTRuleTypeSigningID: {
+        // SigningID rules are a combination of `TeamID:SigningID`. The TeamID should
+        // be forced to be uppercase, but because very loose rules exist for SigningIDs,
+        // their case will be kept as-is. However, platform binaries are expected to
+        // have the hardcoded string "platform" as the team ID and the case will be left
+        // as is.
+        NSArray *sidComponents = [identifier componentsSeparatedByString:@":"];
+        if (!sidComponents || sidComponents.count < 2) {
+          return nil;
+        }
+
+        // The first component is the TeamID
+        NSString *teamID = sidComponents[0];
+
+        if (![teamID isEqualToString:@"platform"]) {
+          teamID =
+            [[teamID uppercaseString] stringByTrimmingCharactersInSet:nonUppercaseAlphaNumeric];
+          if (teamID.length != kExpectedTeamIDLength) {
+            return nil;
+          }
+        }
+
+        // The rest of the components are the Signing ID since ":" a legal character.
+        // Join all but the last element of the components to rebuild the SigningID.
+        NSString *signingID = [[sidComponents
+          subarrayWithRange:NSMakeRange(1, sidComponents.count - 1)] componentsJoinedByString:@":"];
+        if (signingID.length == 0) {
+          return nil;
+        }
+
+        identifier = [NSString stringWithFormat:@"%@:%@", teamID, signingID];
+        break;
+      }
+
+      default: {
+        break;
+      }
+    }
+
     _identifier = identifier;
     _state = state;
     _type = type;
     _customMsg = customMsg;
     _timestamp = timestamp;
-
-    if (_type == SNTRuleTypeBinary || _type == SNTRuleTypeCertificate) {
-      NSCharacterSet *nonHex =
-        [[NSCharacterSet characterSetWithCharactersInString:@"0123456789ABCDEF"] invertedSet];
-      if ([[_identifier uppercaseString] stringByTrimmingCharactersInSet:nonHex].length != 64)
-        return nil;
-    } else if (_identifier.length == 0) {
-      return nil;
-    }
   }
   return self;
 }
@@ -111,7 +182,14 @@
     customMsg = nil;
   }
 
-  return [self initWithIdentifier:identifier state:state type:type customMsg:customMsg];
+  NSString *customURL = dict[kRuleCustomURL];
+  if (![customURL isKindOfClass:[NSString class]] || customURL.length == 0) {
+    customURL = nil;
+  }
+
+  SNTRule *r = [self initWithIdentifier:identifier state:state type:type customMsg:customMsg];
+  r.customURL = customURL;
+  return r;
 }
 
 #pragma mark NSSecureCoding
@@ -131,6 +209,7 @@
   ENCODE(@(self.state), @"state");
   ENCODE(@(self.type), @"type");
   ENCODE(self.customMsg, @"custommsg");
+  ENCODE(self.customURL, @"customurl");
   ENCODE(@(self.timestamp), @"timestamp");
 }
 
@@ -141,11 +220,49 @@
     _state = [DECODE(NSNumber, @"state") intValue];
     _type = [DECODE(NSNumber, @"type") intValue];
     _customMsg = DECODE(NSString, @"custommsg");
+    _customURL = DECODE(NSString, @"customurl");
     _timestamp = [DECODE(NSNumber, @"timestamp") unsignedIntegerValue];
   }
   return self;
 }
 
+- (NSString *)ruleStateToPolicyString:(SNTRuleState)state {
+  switch (state) {
+    case SNTRuleStateAllow: return kRulePolicyAllowlist;
+    case SNTRuleStateAllowCompiler: return kRulePolicyAllowlistCompiler;
+    case SNTRuleStateBlock: return kRulePolicyBlocklist;
+    case SNTRuleStateSilentBlock: return kRulePolicySilentBlocklist;
+    case SNTRuleStateRemove: return kRulePolicyRemove;
+    case SNTRuleStateAllowTransitive: return @"AllowTransitive";
+    // This should never be hit. But is here for completion.
+    default: return @"Unknown";
+  }
+}
+
+- (NSString *)ruleTypeToString:(SNTRuleType)ruleType {
+  switch (ruleType) {
+    case SNTRuleTypeBinary: return kRuleTypeBinary;
+    case SNTRuleTypeCertificate: return kRuleTypeCertificate;
+    case SNTRuleTypeTeamID: return kRuleTypeTeamID;
+    case SNTRuleTypeSigningID: return kRuleTypeSigningID;
+    // This should never be hit. If we have rule types of Unknown then there's a
+    // coding error somewhere.
+    default: return @"Unknown";
+  }
+}
+
+// Returns an NSDictionary representation of the rule. Primarily use for
+// exporting rules.
+- (NSDictionary *)dictionaryRepresentation {
+  return @{
+    kRuleIdentifier : self.identifier,
+    kRulePolicy : [self ruleStateToPolicyString:self.state],
+    kRuleType : [self ruleTypeToString:self.type],
+    kRuleCustomMsg : self.customMsg ?: @"",
+    kRuleCustomURL : self.customURL ?: @""
+  };
+}
+
 #undef DECODE
 #undef ENCODE
 #pragma clang diagnostic pop

Source/common/SNTRuleTest.m

@@ -13,6 +13,8 @@
 ///    limitations under the License.
 
 #import <XCTest/XCTest.h>
+#include "Source/common/SNTCommonEnums.h"
+#import "Source/common/SNTSyncConstants.h"
 
 #import "Source/common/SNTRule.h"
 
@@ -46,13 +48,25 @@
   XCTAssertEqual(sut.type, SNTRuleTypeCertificate);
   XCTAssertEqual(sut.state, SNTRuleStateBlock);
 
+  // Ensure a Binary and Certificate rules properly convert identifiers to lowercase.
+  for (NSString *ruleType in @[ @"BINARY", @"CERTIFICATE" ]) {
+    sut = [[SNTRule alloc] initWithDictionary:@{
+      @"identifier" : @"B7C1E3FD640C5F211C89B02C2C6122F78CE322AA5C56EB0BB54BC422A8F8B670",
+      @"policy" : @"BLOCKLIST",
+      @"rule_type" : ruleType,
+    }];
+    XCTAssertNotNil(sut);
+    XCTAssertEqualObjects(sut.identifier,
+                          @"b7c1e3fd640c5f211c89b02c2c6122f78ce322aa5c56eb0bb54bc422a8f8b670");
+  }
+
   sut = [[SNTRule alloc] initWithDictionary:@{
-    @"identifier" : @"some-sort-of-identifier",
+    @"identifier" : @"ABCDEFGHIJ",
     @"policy" : @"SILENT_BLOCKLIST",
     @"rule_type" : @"TEAMID",
   }];
   XCTAssertNotNil(sut);
-  XCTAssertEqualObjects(sut.identifier, @"some-sort-of-identifier");
+  XCTAssertEqualObjects(sut.identifier, @"ABCDEFGHIJ");
   XCTAssertEqual(sut.type, SNTRuleTypeTeamID);
   XCTAssertEqual(sut.state, SNTRuleStateSilentBlock);
 
@@ -68,26 +82,114 @@
   XCTAssertEqual(sut.state, SNTRuleStateAllowCompiler);
 
   sut = [[SNTRule alloc] initWithDictionary:@{
-    @"identifier" : @"some-sort-of-identifier",
+    @"identifier" : @"ABCDEFGHIJ",
     @"policy" : @"REMOVE",
     @"rule_type" : @"TEAMID",
   }];
   XCTAssertNotNil(sut);
-  XCTAssertEqualObjects(sut.identifier, @"some-sort-of-identifier");
+  XCTAssertEqualObjects(sut.identifier, @"ABCDEFGHIJ");
   XCTAssertEqual(sut.type, SNTRuleTypeTeamID);
   XCTAssertEqual(sut.state, SNTRuleStateRemove);
 
   sut = [[SNTRule alloc] initWithDictionary:@{
-    @"identifier" : @"some-sort-of-identifier",
+    @"identifier" : @"ABCDEFGHIJ",
     @"policy" : @"ALLOWLIST",
     @"rule_type" : @"TEAMID",
     @"custom_msg" : @"A custom block message",
+    @"custom_url" : @"https://example.com",
   }];
   XCTAssertNotNil(sut);
-  XCTAssertEqualObjects(sut.identifier, @"some-sort-of-identifier");
+  XCTAssertEqualObjects(sut.identifier, @"ABCDEFGHIJ");
   XCTAssertEqual(sut.type, SNTRuleTypeTeamID);
   XCTAssertEqual(sut.state, SNTRuleStateAllow);
   XCTAssertEqualObjects(sut.customMsg, @"A custom block message");
+  XCTAssertEqualObjects(sut.customURL, @"https://example.com");
+
+  // TeamIDs must be 10 chars in length
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"A",
+    @"policy" : @"ALLOWLIST",
+    @"rule_type" : @"TEAMID",
+  }];
+  XCTAssertNil(sut);
+
+  // TeamIDs must be only alphanumeric chars
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"ßßßßßßßßßß",
+    @"policy" : @"ALLOWLIST",
+    @"rule_type" : @"TEAMID",
+  }];
+  XCTAssertNil(sut);
+
+  // TeamIDs are converted to uppercase
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"abcdefghij",
+    @"policy" : @"REMOVE",
+    @"rule_type" : @"TEAMID",
+  }];
+  XCTAssertNotNil(sut);
+  XCTAssertEqualObjects(sut.identifier, @"ABCDEFGHIJ");
+
+  // SigningID tests
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"ABCDEFGHIJ:com.example",
+    @"policy" : @"REMOVE",
+    @"rule_type" : @"SIGNINGID",
+  }];
+  XCTAssertNotNil(sut);
+  XCTAssertEqualObjects(sut.identifier, @"ABCDEFGHIJ:com.example");
+  XCTAssertEqual(sut.type, SNTRuleTypeSigningID);
+  XCTAssertEqual(sut.state, SNTRuleStateRemove);
+
+  // Invalid SingingID tests:
+  for (NSString *ident in @[
+         @":com.example",     // missing team ID
+         @"ABCDEFGHIJ:",      // missing signing ID
+         @"ABC:com.example",  // Invalid team id
+         @":",                // missing team and signing IDs
+         @"",                 // empty string
+       ]) {
+    sut = [[SNTRule alloc] initWithDictionary:@{
+      @"identifier" : ident,
+      @"policy" : @"REMOVE",
+      @"rule_type" : @"SIGNINGID",
+    }];
+    XCTAssertNil(sut);
+  }
+
+  // Signing ID with lower team ID has case fixed up
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"abcdefghij:com.example",
+    @"policy" : @"REMOVE",
+    @"rule_type" : @"SIGNINGID",
+  }];
+  XCTAssertNotNil(sut);
+  XCTAssertEqualObjects(sut.identifier, @"ABCDEFGHIJ:com.example");
+
+  // Signing ID with lower platform team ID is left alone
+  sut = [[SNTRule alloc] initWithDictionary:@{
+    @"identifier" : @"platform:com.example",
+    @"policy" : @"REMOVE",
+    @"rule_type" : @"SIGNINGID",
+  }];
+  XCTAssertNotNil(sut);
+  XCTAssertEqualObjects(sut.identifier, @"platform:com.example");
+
+  // Signing ID can contain the TID:SID delimiter character (":")
+  for (NSString *ident in @[
+         @"ABCDEFGHIJ:com:",
+         @"ABCDEFGHIJ:com:example",
+         @"ABCDEFGHIJ::",
+         @"ABCDEFGHIJ:com:example:with:more:components:",
+       ]) {
+    sut = [[SNTRule alloc] initWithDictionary:@{
+      @"identifier" : ident,
+      @"policy" : @"ALLOWLIST",
+      @"rule_type" : @"SIGNINGID",
+    }];
+    XCTAssertNotNil(sut);
+    XCTAssertEqualObjects(sut.identifier, ident);
+  }
 }
 
 - (void)testInitWithDictionaryInvalid {
@@ -123,4 +225,63 @@
   XCTAssertNil(sut);
 }
 
+- (void)testRuleDictionaryRepresentation {
+  NSDictionary *expectedTeamID = @{
+    @"identifier" : @"ABCDEFGHIJ",
+    @"policy" : @"ALLOWLIST",
+    @"rule_type" : @"TEAMID",
+    @"custom_msg" : @"A custom block message",
+    @"custom_url" : @"https://example.com",
+  };
+
+  SNTRule *sut = [[SNTRule alloc] initWithDictionary:expectedTeamID];
+  NSDictionary *dict = [sut dictionaryRepresentation];
+  XCTAssertEqualObjects(expectedTeamID, dict);
+
+  NSDictionary *expectedBinary = @{
+    @"identifier" : @"84de9c61777ca36b13228e2446d53e966096e78db7a72c632b5c185b2ffe68a6",
+    @"policy" : @"BLOCKLIST",
+    @"rule_type" : @"BINARY",
+    @"custom_msg" : @"",
+    @"custom_url" : @"",
+  };
+
+  sut = [[SNTRule alloc] initWithDictionary:expectedBinary];
+  dict = [sut dictionaryRepresentation];
+
+  XCTAssertEqualObjects(expectedBinary, dict);
+}
+
+- (void)testRuleStateToPolicyString {
+  NSDictionary *expected = @{
+    @"identifier" : @"84de9c61777ca36b13228e2446d53e966096e78db7a72c632b5c185b2ffe68a6",
+    @"policy" : @"ALLOWLIST",
+    @"rule_type" : @"BINARY",
+    @"custom_msg" : @"A custom block message",
+    @"custom_url" : @"https://example.com",
+  };
+
+  SNTRule *sut = [[SNTRule alloc] initWithDictionary:expected];
+  sut.state = SNTRuleStateBlock;
+  XCTAssertEqualObjects(kRulePolicyBlocklist, [sut dictionaryRepresentation][kRulePolicy]);
+  sut.state = SNTRuleStateSilentBlock;
+  XCTAssertEqualObjects(kRulePolicySilentBlocklist, [sut dictionaryRepresentation][kRulePolicy]);
+  sut.state = SNTRuleStateAllow;
+  XCTAssertEqualObjects(kRulePolicyAllowlist, [sut dictionaryRepresentation][kRulePolicy]);
+  sut.state = SNTRuleStateAllowCompiler;
+  XCTAssertEqualObjects(kRulePolicyAllowlistCompiler, [sut dictionaryRepresentation][kRulePolicy]);
+  // Invalid states
+  sut.state = SNTRuleStateRemove;
+  XCTAssertEqualObjects(kRulePolicyRemove, [sut dictionaryRepresentation][kRulePolicy]);
+}
+
+/*
+- (void)testRuleTypeToString {
+  SNTRule *sut = [[SNTRule alloc] init];
+  XCTAssertEqual(kRuleTypeBinary, [sut ruleTypeToString:@""]);//SNTRuleTypeBinary]);
+  XCTAssertEqual(kRuleTypeCertificate,[sut ruleTypeToString:SNTRuleTypeCertificate]);
+  XCTAssertEqual(kRuleTypeTeamID, [sut ruleTypeToString:SNTRuleTypeTeamID]);
+  XCTAssertEqual(kRuleTypeSigningID,[sut ruleTypeToString:SNTRuleTypeSigningID]);
+}*/
+
 @end

Source/common/SNTSyncConstants.h

@@ -54,6 +54,7 @@ extern NSString *const kEnableTransitiveRulesDeprecated;
 extern NSString *const kEnableTransitiveRulesSuperDeprecated;
 extern NSString *const kEnableAllEventUpload;
 extern NSString *const kDisableUnknownEventUpload;
+extern NSString *const kOverrideFileAccessAction;
 
 extern NSString *const kEvents;
 extern NSString *const kFileSHA256;
@@ -124,6 +125,7 @@ extern NSString *const kRuleTypeCertificate;
 extern NSString *const kRuleTypeTeamID;
 extern NSString *const kRuleTypeSigningID;
 extern NSString *const kRuleCustomMsg;
+extern NSString *const kRuleCustomURL;
 extern NSString *const kCursor;
 
 extern NSString *const kBackoffInterval;
@@ -135,6 +137,9 @@ extern NSString *const kLogSync;
 
 extern const NSUInteger kDefaultEventBatchSize;
 
+extern NSString *const kPostflightRulesReceived;
+extern NSString *const kPostflightRulesProcessed;
+
 ///
 ///  kDefaultFullSyncInterval
 ///  kDefaultFCMFullSyncInterval

Source/common/SNTSyncConstants.m

@@ -47,6 +47,7 @@ NSString *const kFullSyncInterval = @"full_sync_interval";
 NSString *const kFCMToken = @"fcm_token";
 NSString *const kFCMFullSyncInterval = @"fcm_full_sync_interval";
 NSString *const kFCMGlobalRuleSyncDeadline = @"fcm_global_rule_sync_deadline";
+NSString *const kOverrideFileAccessAction = @"override_file_access_action";
 
 NSString *const kEnableBundles = @"enable_bundles";
 NSString *const kEnableBundlesDeprecated = @"bundles_enabled";
@@ -125,6 +126,7 @@ NSString *const kRuleTypeCertificate = @"CERTIFICATE";
 NSString *const kRuleTypeTeamID = @"TEAMID";
 NSString *const kRuleTypeSigningID = @"SIGNINGID";
 NSString *const kRuleCustomMsg = @"custom_msg";
+NSString *const kRuleCustomURL = @"custom_url";
 NSString *const kCursor = @"cursor";
 
 NSString *const kBackoffInterval = @"backoff";
@@ -134,6 +136,9 @@ NSString *const kRuleSync = @"rule_sync";
 NSString *const kConfigSync = @"config_sync";
 NSString *const kLogSync = @"log_sync";
 
+NSString *const kPostflightRulesReceived = @"rules_received";
+NSString *const kPostflightRulesProcessed = @"rules_processed";
+
 const NSUInteger kDefaultEventBatchSize = 50;
 const NSUInteger kDefaultFullSyncInterval = 600;
 const NSUInteger kDefaultPushNotificationsFullSyncInterval = 14400;

Source/common/SNTXPCControlInterface.h

@@ -37,6 +37,7 @@
                              teamID:(NSString *)teamID
                           signingID:(NSString *)signingID
                               reply:(void (^)(SNTRule *))reply;
+- (void)retrieveAllRules:(void (^)(NSArray<SNTRule *> *rules, NSError *error))reply;
 
 ///
 ///  Config ops
@@ -53,6 +54,7 @@
 - (void)setEnableTransitiveRules:(BOOL)enabled reply:(void (^)(void))reply;
 - (void)setEnableAllEventUpload:(BOOL)enabled reply:(void (^)(void))reply;
 - (void)setDisableUnknownEventUpload:(BOOL)enabled reply:(void (^)(void))reply;
+- (void)setOverrideFileAccessAction:(NSString *)action reply:(void (^)(void))reply;
 
 ///
 ///  Syncd Ops

Source/common/SNTXPCControlInterface.m

@@ -53,6 +53,11 @@ NSString *const kBundleID = @"com.google.santa.daemon";
       forSelector:@selector(databaseRuleAddRules:cleanSlate:reply:)
     argumentIndex:0
           ofReply:NO];
+
+  [r setClasses:[NSSet setWithObjects:[NSArray class], [SNTRule class], nil]
+      forSelector:@selector(retrieveAllRules:)
+    argumentIndex:0
+          ofReply:YES];
 }
 
 + (NSXPCInterface *)controlInterface {

Source/common/SNTXPCNotifierInterface.h

@@ -23,10 +23,14 @@
 
 /// Protocol implemented by SantaGUI and utilized by santad
 @protocol SNTNotifierXPC
-- (void)postBlockNotification:(SNTStoredEvent *)event withCustomMessage:(NSString *)message;
+- (void)postBlockNotification:(SNTStoredEvent *)event
+            withCustomMessage:(NSString *)message
+                 andCustomURL:(NSString *)url;
 - (void)postUSBBlockNotification:(SNTDeviceEvent *)event withCustomMessage:(NSString *)message;
 - (void)postFileAccessBlockNotification:(SNTFileAccessEvent *)event
-                      withCustomMessage:(NSString *)message API_AVAILABLE(macos(13.0));
+                          customMessage:(NSString *)message
+                              customURL:(NSString *)url
+                             customText:(NSString *)text API_AVAILABLE(macos(13.0));
 - (void)postClientModeNotification:(SNTClientMode)clientmode;
 - (void)postRuleSyncNotificationWithCustomMessage:(NSString *)message;
 - (void)updateCountsForEvent:(SNTStoredEvent *)event

Source/common/SNTXPCUnprivilegedControlInterface.h

@@ -71,6 +71,8 @@
 - (void)syncCleanRequired:(void (^)(BOOL))reply;
 - (void)enableBundles:(void (^)(BOOL))reply;
 - (void)enableTransitiveRules:(void (^)(BOOL))reply;
+- (void)blockUSBMount:(void (^)(BOOL))reply;
+- (void)remountUSBMode:(void (^)(NSArray<NSString *> *))reply;
 
 ///
 /// Metrics ops

Source/common/SantaCacheTest.mm

@@ -245,7 +245,7 @@ struct S {
   uint64_t first_val;
   uint64_t second_val;
 
-  bool operator==(const S &rhs) {
+  bool operator==(const S &rhs) const {
     return first_val == rhs.first_val && second_val == rhs.second_val;
   }
 };

Source/common/String.h

@@ -17,6 +17,7 @@
 
 #include <Foundation/Foundation.h>
 
+#include <optional>
 #include <string>
 #include <string_view>
 
@@ -38,6 +39,15 @@ static inline NSString *StringToNSString(const char *str) {
   return [NSString stringWithUTF8String:str];
 }
 
+static inline NSString *OptionalStringToNSString(const std::optional<std::string> &optional_str) {
+  std::string str = optional_str.value_or("");
+  if (str.length() == 0) {
+    return nil;
+  } else {
+    return StringToNSString(str);
+  }
+}
+
 }  // namespace santa::common
 
 #endif

Source/common/TestUtils.h

@@ -22,6 +22,8 @@
 #include <gtest/gtest.h>
 #include <sys/stat.h>
 
+#include <string>
+
 #define NOBODY_UID ((unsigned int)-2)
 #define NOGROUP_GID ((unsigned int)-1)
 
@@ -38,6 +40,10 @@
 // Pretty print C++ string match errors
 #define XCTAssertCppStringEqual(got, want) XCTAssertCStringEqual((got).c_str(), (want).c_str())
 
+#define XCTAssertCppStringBeginsWith(got, want)                                               \
+  XCTAssertTrue((got).rfind((want), 0) == 0, "\nPrefix not found.\n\t got: %s\n\twant: %s\n", \
+                (got).c_str(), (want).c_str())
+
 // Note: Delta between local formatter and the one run on Github. Disable for now.
 // clang-format off
 #define XCTAssertSemaTrue(s, sec, m) \
@@ -49,15 +55,18 @@
 // function returns early due to interrupts.
 void SleepMS(long ms);
 
-enum class ActionType {
-  Auth,
-  Notify,
-};
+// Helper to construct strings of a given length
+NSString *RepeatedString(NSString *str, NSUInteger len);
 
 //
 // Helpers to construct various ES structs
 //
 
+enum class ActionType {
+  Auth,
+  Notify,
+};
+
 audit_token_t MakeAuditToken(pid_t pid, pid_t pidver);
 
 /// Construct a `struct stat` buffer with each member having a unique value.
@@ -67,7 +76,7 @@ audit_token_t MakeAuditToken(pid_t pid, pid_t pidver);
 struct stat MakeStat(int offset = 0);
 
 es_string_token_t MakeESStringToken(const char *s);
-es_file_t MakeESFile(const char *path, struct stat sb = {});
+es_file_t MakeESFile(const char *path, struct stat sb = MakeStat());
 es_process_t MakeESProcess(es_file_t *file, audit_token_t tok = {}, audit_token_t parent_tok = {});
 es_message_t MakeESMessage(es_event_type_t et, es_process_t *proc,
                            ActionType action_type = ActionType::Notify,

Source/common/TestUtils.mm

@@ -21,6 +21,10 @@
 #include <uuid/uuid.h>
 #include "Source/common/SystemResources.h"
 
+NSString *RepeatedString(NSString *str, NSUInteger len) {
+  return [@"" stringByPaddingToLength:len withString:str startingAtIndex:0];
+}
+
 audit_token_t MakeAuditToken(pid_t pid, pid_t pidver) {
   return audit_token_t{
     .val =
@@ -88,7 +92,11 @@ es_process_t MakeESProcess(es_file_t *file, audit_token_t tok, audit_token_t par
 }
 
 uint32_t MaxSupportedESMessageVersionForCurrentOS() {
-  // Note: ES message v3 was only in betas.
+  // Notes:
+  //   1. ES message v3 was only in betas.
+  //   2. Message version 7 appeared in macOS 13.3, but features from that are
+  //      not currently used. Leaving off support here so as to not require
+  //      adding v7 test JSON files.
   if (@available(macOS 13.0, *)) {
     return 6;
   } else if (@available(macOS 12.3, *)) {

Source/common/santa.proto

@@ -213,6 +213,27 @@ message CertificateInfo {
   optional string common_name = 2;
 }
 
+// Information about a single entitlement key/value pair
+message Entitlement {
+  // The name of an entitlement
+  optional string key = 1;
+
+  // The value of an entitlement
+  optional string value = 2;
+}
+
+// Information about entitlements
+message EntitlementInfo {
+  // Whether or not the set of reported entilements is complete or has been
+  // filtered (e.g. by configuration or clipped because too many to log).
+  optional bool entitlements_filtered = 1;
+
+  // The set of entitlements associated with the target executable
+  // Only top level keys are represented
+  // Values (including nested keys) are JSON serialized
+  repeated Entitlement entitlements = 2;
+}
+
 // Information about a process execution event
 message Execution {
   // The process that executed the new image (e.g. the process that called
@@ -286,6 +307,9 @@ message Execution {
   // The original path on disk of the target executable
   // Applies when executables are translocated
   optional string original_path = 15;
+
+  // Entitlement information about the target executbale
+  optional EntitlementInfo entitlement_info = 16;
 }
 
 // Information about a fork event
@@ -381,6 +405,11 @@ message Unlink {
   optional FileInfo target = 2;
 }
 
+// Information about a processes codesigning invalidation event
+message CodesigningInvalidated {
+  optional ProcessInfoLight instigator = 1;
+}
+
 // Information about a link event
 message Link {
   // The process performing the link
@@ -429,6 +458,9 @@ message Disk {
 
   // Time device appeared/disappeared
   optional google.protobuf.Timestamp appearance = 10;
+
+  // Path mounted from
+  optional string mount_from = 11;
 }
 
 // Information emitted when Santa captures bundle information
@@ -526,6 +558,7 @@ message SantaMessage {
     Bundle bundle = 19;
     Allowlist allowlist = 20;
     FileAccess file_access = 21;
+    CodesigningInvalidated codesigning_invalidated = 22;
   };
 }
 

Source/gui/BUILD

@@ -79,6 +79,7 @@ objc_library(
         ":SNTAboutWindowView",
         ":SNTDeviceMessageWindowView",
         ":SNTFileAccessMessageWindowView",
+        "//Source/common:CertificateHelpers",
         "//Source/common:SNTBlockMessage_SantaGUI",
         "//Source/common:SNTConfigurator",
         "//Source/common:SNTDeviceEvent",

Source/gui/SNTBinaryMessageWindowController.h

@@ -23,7 +23,9 @@
 ///
 @interface SNTBinaryMessageWindowController : SNTMessageWindowController
 
-- (instancetype)initWithEvent:(SNTStoredEvent *)event andMessage:(NSString *)message;
+- (instancetype)initWithEvent:(SNTStoredEvent *)event
+                    customMsg:(NSString *)message
+                    customURL:(NSString *)url;
 
 - (IBAction)showCertInfo:(id)sender;
 - (void)updateBlockNotification:(SNTStoredEvent *)event withBundleHash:(NSString *)bundleHash;

Source/gui/SNTBinaryMessageWindowController.m

@@ -17,6 +17,7 @@
 #import <MOLCertificate/MOLCertificate.h>
 #import <SecurityInterface/SFCertificatePanel.h>
 
+#import "Source/common/CertificateHelpers.h"
 #import "Source/common/SNTBlockMessage.h"
 #import "Source/common/SNTConfigurator.h"
 #import "Source/common/SNTStoredEvent.h"
@@ -25,6 +26,9 @@
 ///  The custom message to display for this event
 @property(copy) NSString *customMessage;
 
+///  The custom URL to use for this event
+@property(copy) NSString *customURL;
+
 ///  A 'friendly' string representing the certificate information
 @property(readonly, nonatomic) NSString *publisherInfo;
 
@@ -39,11 +43,14 @@
 
 @implementation SNTBinaryMessageWindowController
 
-- (instancetype)initWithEvent:(SNTStoredEvent *)event andMessage:(NSString *)message {
+- (instancetype)initWithEvent:(SNTStoredEvent *)event
+                    customMsg:(NSString *)message
+                    customURL:(NSString *)url {
   self = [super initWithWindowNibName:@"MessageWindow"];
   if (self) {
     _event = event;
     _customMessage = message;
+    _customURL = url;
     _progress = [NSProgress discreteProgressWithTotalUnitCount:1];
     [_progress addObserver:self
                 forKeyPath:@"fractionCompleted"
@@ -74,9 +81,14 @@
 
 - (void)loadWindow {
   [super loadWindow];
-  if (![[SNTConfigurator configurator] eventDetailURL]) {
+  NSURL *url = [SNTBlockMessage eventDetailURLForEvent:self.event customURL:self.customURL];
+
+  if (!url) {
     [self.openEventButton removeFromSuperview];
-  } else {
+  } else if (self.customURL.length == 0) {
+    // Set the button text only if a per-rule custom URL is not used. If a
+    // custom URL is used, it is assumed that the `EventDetailText` config value
+    // does not apply and the default text will be used.
     NSString *eventDetailText = [[SNTConfigurator configurator] eventDetailText];
     if (eventDetailText) {
       [self.openEventButton setTitle:eventDetailText];
@@ -106,21 +118,17 @@
 
 - (IBAction)showCertInfo:(id)sender {
   // SFCertificatePanel expects an NSArray of SecCertificateRef's
-  NSMutableArray *certArray = [NSMutableArray arrayWithCapacity:[self.event.signingChain count]];
-  for (MOLCertificate *cert in self.event.signingChain) {
-    [certArray addObject:(id)cert.certRef];
-  }
-
   [[[SFCertificatePanel alloc] init] beginSheetForWindow:self.window
                                            modalDelegate:nil
                                           didEndSelector:nil
                                              contextInfo:nil
-                                            certificates:certArray
+                                            certificates:CertificateChain(self.event.signingChain)
                                                showGroup:YES];
 }
 
 - (IBAction)openEventDetails:(id)sender {
-  NSURL *url = [SNTBlockMessage eventDetailURLForEvent:self.event];
+  NSURL *url = [SNTBlockMessage eventDetailURLForEvent:self.event customURL:self.customURL];
+
   [self closeWindow:sender];
   [[NSWorkspace sharedWorkspace] openURL:url];
 }
@@ -136,19 +144,7 @@
 }
 
 - (NSString *)publisherInfo {
-  MOLCertificate *leafCert = [self.event.signingChain firstObject];
-
-  if ([leafCert.commonName isEqualToString:@"Apple Mac OS Application Signing"]) {
-    return [NSString stringWithFormat:@"App Store (Team ID: %@)", self.event.teamID];
-  } else if (leafCert.commonName && leafCert.orgName) {
-    return [NSString stringWithFormat:@"%@ - %@", leafCert.orgName, leafCert.commonName];
-  } else if (leafCert.commonName) {
-    return leafCert.commonName;
-  } else if (leafCert.orgName) {
-    return leafCert.orgName;
-  } else {
-    return nil;
-  }
+  return Publisher(self.event.signingChain, self.event.teamID);
 }
 
 - (NSAttributedString *)attributedCustomMessage {

Source/gui/SNTFileAccessMessageWindowController.h

@@ -26,7 +26,10 @@ NS_ASSUME_NONNULL_BEGIN
 API_AVAILABLE(macos(13.0))
 @interface SNTFileAccessMessageWindowController : SNTMessageWindowController <NSWindowDelegate>
 
-- (instancetype)initWithEvent:(SNTFileAccessEvent *)event message:(nullable NSString *)message;
+- (instancetype)initWithEvent:(SNTFileAccessEvent *)event
+                customMessage:(nullable NSString *)message
+                    customURL:(nullable NSString *)url
+                   customText:(nullable NSString *)text;
 
 @property(readonly) SNTFileAccessEvent *event;
 

Source/gui/SNTFileAccessMessageWindowController.m

@@ -21,16 +21,23 @@
 
 @interface SNTFileAccessMessageWindowController ()
 @property NSString *customMessage;
+@property NSString *customURL;
+@property NSString *customText;
 @property SNTFileAccessEvent *event;
 @end
 
 @implementation SNTFileAccessMessageWindowController
 
-- (instancetype)initWithEvent:(SNTFileAccessEvent *)event message:(nullable NSString *)message {
+- (instancetype)initWithEvent:(SNTFileAccessEvent *)event
+                customMessage:(nullable NSString *)message
+                    customURL:(nullable NSString *)url
+                   customText:(nullable NSString *)text {
   self = [super init];
   if (self) {
-    _customMessage = message;
     _event = event;
+    _customMessage = message;
+    _customURL = url;
+    _customText = text;
   }
   return self;
 }
@@ -40,21 +47,27 @@
     [self.window orderOut:sender];
   }
 
-  self.window =
-    [[NSWindow alloc] initWithContentRect:NSMakeRect(0, 0, 0, 0)
-                                styleMask:NSWindowStyleMaskClosable | NSWindowStyleMaskTitled
-                                  backing:NSBackingStoreBuffered
-                                    defer:NO];
+  self.window = [[NSWindow alloc] initWithContentRect:NSMakeRect(0, 0, 0, 0)
+                                            styleMask:NSWindowStyleMaskBorderless
+                                              backing:NSBackingStoreBuffered
+                                                defer:NO];
 
-  self.window.contentViewController =
-    [SNTFileAccessMessageWindowViewFactory createWithWindow:self.window
-                                                      event:self.event
-                                                  customMsg:self.attributedCustomMessage];
+  self.window.contentViewController = [SNTFileAccessMessageWindowViewFactory
+    createWithWindow:self.window
+               event:self.event
+       customMessage:self.attributedCustomMessage
+           customURL:[SNTBlockMessage eventDetailURLForFileAccessEvent:self.event
+                                                             customURL:self.customURL]
+                       .absoluteString
+          customText:self.customText
+     uiStateCallback:^(BOOL preventNotificationsForADay) {
+       self.silenceFutureNotifications = preventNotificationsForADay;
+     }];
 
   self.window.delegate = self;
 
-  // Add app to Cmd+Tab and Dock.
-  NSApp.activationPolicy = NSApplicationActivationPolicyRegular;
+  // Make sure app doesn't appear in Cmd+Tab or Dock.
+  NSApp.activationPolicy = NSApplicationActivationPolicyAccessory;
 
   [super showWindow:sender];
 }
@@ -66,14 +79,17 @@
 }
 
 - (NSAttributedString *)attributedCustomMessage {
-  return [SNTBlockMessage formatMessage:self.customMessage];
+  return [SNTBlockMessage attributedBlockMessageForFileAccessEvent:self.event
+                                                     customMessage:self.customMessage];
 }
 
 - (NSString *)messageHash {
-  // TODO(mlw): This is not the final form. As this feature is expanded this
-  // hash will need to be revisted to ensure it meets our needs.
-  return [NSString stringWithFormat:@"%@|%@|%d", self.event.ruleName, self.event.ruleVersion,
-                                    [self.event.pid intValue]];
+  // The hash for display de-duplication/silencing purposes is a combination of:
+  // 1. The current file access rule version
+  // 2. The name of the rule that was violated
+  // 3. The path of the process
+  return [NSString
+    stringWithFormat:@"%@|%@|%@", self.event.ruleVersion, self.event.ruleName, self.event.filePath];
 }
 
 @end

Source/gui/SNTFileAccessMessageWindowView.swift

@@ -12,14 +12,25 @@
 /// See the License for the specific language governing permissions and
 /// limitations under the License.
 
+import SecurityInterface
 import SwiftUI
 
 import santa_common_SNTFileAccessEvent
 
 @available(macOS 13, *)
 @objc public class SNTFileAccessMessageWindowViewFactory : NSObject {
-  @objc public static func createWith(window: NSWindow, event: SNTFileAccessEvent, customMsg: NSAttributedString?) -> NSViewController {
-    return NSHostingController(rootView:SNTFileAccessMessageWindowView(window:window, event:event, customMsg:customMsg)
+  @objc public static func createWith(window: NSWindow,
+                                      event: SNTFileAccessEvent,
+                                      customMessage: NSAttributedString?,
+                                      customURL: NSString?,
+                                      customText: NSString?,
+                                      uiStateCallback: ((Bool) -> Void)?) -> NSViewController {
+    return NSHostingController(rootView:SNTFileAccessMessageWindowView(window:window,
+                                                                       event:event,
+                                                                       customMessage:customMessage,
+                                                                       customURL:customURL as String?,
+                                                                       customText:customText as String?,
+                                                                       uiStateCallback:uiStateCallback)
       .frame(width:800, height:600))
   }
 }
@@ -28,16 +39,26 @@ import santa_common_SNTFileAccessEvent
 struct Property : View {
   var lbl: String
   var val: String
+  var propertyAction: (() -> Void)? = nil
 
   var body: some View {
     let width: CGFloat? = 150
 
     HStack(spacing: 5) {
-      Text(lbl + ":")
-        .frame(width: width, alignment: .trailing)
-        .lineLimit(1)
-        .font(.system(size: 12, weight: .bold))
-        .padding(Edge.Set.horizontal, 10)
+      HStack {
+        if let block = propertyAction {
+          Button(action: {
+            block()
+          }) {
+            Image(systemName: "info.circle.fill")
+          }.buttonStyle(BorderlessButtonStyle())
+        }
+        Text(lbl + ":")
+          .frame(alignment: .trailing)
+          .lineLimit(1)
+          .font(.system(size: 12, weight: .bold))
+          .padding(Edge.Set.horizontal, 10)
+      }.frame(width: width, alignment: .trailing)
 
       Text(val)
         .fixedSize(horizontal: false, vertical: true)
@@ -50,6 +71,7 @@ struct Property : View {
 @available(macOS 13, *)
 struct Event: View {
   let e: SNTFileAccessEvent
+  let window: NSWindow?
 
   var body: some View {
     VStack(spacing:10) {
@@ -64,6 +86,18 @@ struct Event: View {
         Property(lbl: "Application", val: app)
       }
 
+      if let pub = e.publisherInfo {
+        Property(lbl: "Publisher", val: pub) {
+          SFCertificatePanel.shared()
+                .beginSheet(for: window,
+                            modalDelegate: nil,
+                            didEnd: nil,
+                            contextInfo: nil,
+                            certificates: e.signingChainCertRefs,
+                            showGroup: true)
+        }
+      }
+
       Property(lbl: "Name", val: (e.filePath as NSString).lastPathComponent)
       Property(lbl: "Path", val: e.filePath)
       Property(lbl: "Identifier", val: e.fileSHA256)
@@ -76,22 +110,26 @@ struct Event: View {
 struct SNTFileAccessMessageWindowView: View {
   let window: NSWindow?
   let event: SNTFileAccessEvent?
-  let customMsg: NSAttributedString?
+  let customMessage: NSAttributedString?
+  let customURL: String?
+  let customText: String?
+  let uiStateCallback: ((Bool) -> Void)?
 
-  @State private var checked = false
+  @Environment(\.openURL) var openURL
+  @State public var checked = false
 
   var body: some View {
     VStack(spacing:20.0) {
       Spacer()
       Text("Santa").font(Font.custom("HelveticaNeue-UltraLight", size: 34.0))
 
-      if let msg = customMsg {
+      if let msg = customMessage {
         Text(AttributedString(msg)).multilineTextAlignment(.center).padding(15.0)
       } else {
         Text("Access to a protected resource was denied.").multilineTextAlignment(.center).padding(15.0)
       }
 
-      Event(e: event!)
+      Event(e: event!, window: window)
 
       Toggle(isOn: $checked) {
         Text("Prevent future notifications for this application for a day")
@@ -99,9 +137,12 @@ struct SNTFileAccessMessageWindowView: View {
       }
 
       VStack(spacing:15) {
-          Button(action: openButton, label: {
-            Text("Open Event Info...").frame(maxWidth:.infinity)
-          })
+          if customURL != nil {
+            Button(action: openButton, label: {
+
+              Text(customText ?? "Open Event...").frame(maxWidth:.infinity)
+            })
+          }
           Button(action: dismissButton, label: {
             Text("Dismiss").frame(maxWidth:.infinity)
           })
@@ -113,19 +154,25 @@ struct SNTFileAccessMessageWindowView: View {
     }.frame(maxWidth:800.0).fixedSize()
   }
 
-  func publisherInfo() {
-    // TODO(mlw): Will hook up in a separate PR
-    print("showing publisher popup...")
-  }
-
   func openButton() {
-    // TODO(mlw): Will hook up in a separate PR
-    print("opening event info...")
+    guard let urlString = customURL else {
+      print("No URL available")
+      return
+    }
+
+    guard let url = URL(string: urlString) else {
+      print("Failed to create URL")
+      return
+    }
+
+    openURL(url)
   }
 
   func dismissButton() {
+    if let block = uiStateCallback {
+      block(self.checked)
+    }
     window?.close()
-    print("close window")
   }
 }
 
@@ -153,6 +200,11 @@ func testFileAccessEvent() -> SNTFileAccessEvent {
 @available(macOS 13, *)
 struct SNTFileAccessMessageWindowView_Previews: PreviewProvider {
   static var previews: some View {
-    SNTFileAccessMessageWindowView(window: nil, event: testFileAccessEvent(), customMsg: nil)
+    SNTFileAccessMessageWindowView(window: nil,
+                                    event: testFileAccessEvent(),
+                            customMessage: nil,
+                                customURL: nil,
+                               customText: nil,
+                          uiStateCallback: nil)
   }
 }

Source/gui/SNTNotificationManager.m

@@ -172,7 +172,8 @@ static NSString *const silencedNotificationsKey = @"SilencedNotifications";
 
   [dc postNotificationName:@"com.google.santa.notification.blockedeexecution"
                     object:@"com.google.santa"
-                  userInfo:userInfo];
+                  userInfo:userInfo
+        deliverImmediately:YES];
 }
 
 - (void)showQueuedWindow {
@@ -322,14 +323,16 @@ static NSString *const silencedNotificationsKey = @"SilencedNotifications";
   [un addNotificationRequest:req withCompletionHandler:nil];
 }
 
-- (void)postBlockNotification:(SNTStoredEvent *)event withCustomMessage:(NSString *)message {
+- (void)postBlockNotification:(SNTStoredEvent *)event
+            withCustomMessage:(NSString *)message
+                 andCustomURL:(NSString *)url {
   if (!event) {
     LOGI(@"Error: Missing event object in message received from daemon!");
     return;
   }
 
   SNTBinaryMessageWindowController *pendingMsg =
-    [[SNTBinaryMessageWindowController alloc] initWithEvent:event andMessage:message];
+    [[SNTBinaryMessageWindowController alloc] initWithEvent:event customMsg:message customURL:url];
 
   [self queueMessage:pendingMsg];
 }
@@ -346,14 +349,19 @@ static NSString *const silencedNotificationsKey = @"SilencedNotifications";
 }
 
 - (void)postFileAccessBlockNotification:(SNTFileAccessEvent *)event
-                      withCustomMessage:(NSString *)message API_AVAILABLE(macos(13.0)) {
+                          customMessage:(NSString *)message
+                              customURL:(NSString *)url
+                             customText:(NSString *)text API_AVAILABLE(macos(13.0)) {
   if (!event) {
     LOGI(@"Error: Missing event object in message received from daemon!");
     return;
   }
 
   SNTFileAccessMessageWindowController *pendingMsg =
-    [[SNTFileAccessMessageWindowController alloc] initWithEvent:event message:message];
+    [[SNTFileAccessMessageWindowController alloc] initWithEvent:event
+                                                  customMessage:message
+                                                      customURL:url
+                                                     customText:text];
 
   [self queueMessage:pendingMsg];
 }

Source/gui/SNTNotificationManagerTest.m

@@ -58,7 +58,7 @@
   id dncMock = OCMClassMock([NSDistributedNotificationCenter class]);
   OCMStub([dncMock defaultCenter]).andReturn(dncMock);
 
-  [sut postBlockNotification:ev withCustomMessage:@""];
+  [sut postBlockNotification:ev withCustomMessage:@"" andCustomURL:@""];
 
   OCMVerify([dncMock postNotificationName:@"com.google.santa.notification.blockedeexecution"
                                    object:@"com.google.santa"
@@ -68,7 +68,8 @@
                                    XCTAssertEqualObjects(userInfo[@"ppid"], @1);
                                    XCTAssertEqualObjects(userInfo[@"execution_time"], @1660221048);
                                    return YES;
-                                 }]]);
+                                 }]
+                       deliverImmediately:YES]);
 }
 
 @end

Source/santabundleservice/BUILD

@@ -35,10 +35,6 @@ macos_command_line_application(
     ],
     infoplists = ["Info.plist"],
     minimum_os_version = "11.0",
-    provisioning_profile = select({
-        "//:adhoc_build": None,
-        "//conditions:default": "//profiles:santa_dev",
-    }),
     version = "//:version",
     visibility = ["//:santa_package_group"],
     deps = [":santabs_lib"],

Source/santactl/BUILD

@@ -31,6 +31,7 @@ objc_library(
         "//Source/common:SNTLogging",
         "//Source/common:santa_cc_proto_library_wrapper",
         "//Source/santad/Logs/EndpointSecurity/Writers/FSSpool:binaryproto_cc_proto_library_wrapper",
+        "@com_google_protobuf//src/google/protobuf/json",
     ],
 )
 
@@ -91,10 +92,6 @@ macos_command_line_application(
     ],
     infoplists = ["Info.plist"],
     minimum_os_version = "11.0",
-    provisioning_profile = select({
-        "//:adhoc_build": None,
-        "//conditions:default": "//profiles:santa_dev",
-    }),
     version = "//:version",
     deps = [":santactl_lib"],
 )
@@ -114,6 +111,8 @@ santa_unit_test(
         "//Source/common:SNTFileInfo",
         "//Source/common:SNTLogging",
         "//Source/common:SNTRule",
+        "//Source/common:SNTStoredEvent",
+        "//Source/common:SNTXPCBundleServiceInterface",
         "//Source/common:SNTXPCControlInterface",
         "@MOLCertificate",
         "@MOLCodesignChecker",

Source/santactl/Commands/SNTCommandFileInfo.m

@@ -22,6 +22,8 @@
 #import "Source/common/SNTFileInfo.h"
 #import "Source/common/SNTLogging.h"
 #import "Source/common/SNTRule.h"
+#import "Source/common/SNTStoredEvent.h"
+#import "Source/common/SNTXPCBundleServiceInterface.h"
 #import "Source/common/SNTXPCControlInterface.h"
 #import "Source/santactl/SNTCommand.h"
 #import "Source/santactl/SNTCommandController.h"
@@ -55,6 +57,13 @@ static NSString *const kValidUntil = @"Valid Until";
 static NSString *const kSHA256 = @"SHA-256";
 static NSString *const kSHA1 = @"SHA-1";
 
+// bundle info keys
+static NSString *const kBundleInfo = @"Bundle Info";
+static NSString *const kBundlePath = @"Main Bundle Path";
+static NSString *const kBundleID = @"Main Bundle ID";
+static NSString *const kBundleHash = @"Bundle Hash";
+static NSString *const kBundleHashes = @"Bundle Hashes";
+
 // Message displayed when daemon communication fails
 static NSString *const kCommunicationErrorMsg = @"Could not communicate with daemon";
 
@@ -72,6 +81,7 @@ NSString *formattedStringForKeyArray(NSArray<NSString *> *array) {
 // Properties set from commandline flags
 @property(nonatomic) BOOL recursive;
 @property(nonatomic) BOOL jsonOutput;
+@property(nonatomic) BOOL bundleInfo;
 @property(nonatomic) NSNumber *certIndex;
 @property(nonatomic, copy) NSArray<NSString *> *outputKeyList;
 @property(nonatomic, copy) NSDictionary<NSString *, NSRegularExpression *> *outputFilters;
@@ -156,6 +166,7 @@ REGISTER_COMMAND_NAME(@"fileinfo")
                 @"\n"
                 @"Usage: santactl fileinfo [options] [file-paths]\n"
                 @"    --recursive (-r): Search directories recursively.\n"
+                @"                      Incompatible with --bundleinfo.\n"
                 @"    --json: Output in JSON format.\n"
                 @"    --key: Search and return this one piece of information.\n"
                 @"           You may specify multiple keys by repeating this flag.\n"
@@ -167,12 +178,16 @@ REGISTER_COMMAND_NAME(@"fileinfo")
                 @"                  signing chain to show info only for that certificate.\n"
                 @"                     0 up to n for the leaf certificate up to the root\n"
                 @"                    -1 down to -n-1 for the root certificate down to the leaf\n"
+                @"                  Incompatible with --bundleinfo."
                 @"\n"
                 @"    --filter: Use predicates of the form 'key=regex' to filter out which files\n"
                 @"              are displayed. Valid keys are the same as for --key. Value is a\n"
                 @"              case-insensitive regular expression which must match anywhere in\n"
                 @"              the keyed property value for the file's info to be displayed.\n"
                 @"              You may specify multiple filters by repeating this flag.\n"
+                @"    --bundleinfo: If the file is part of a bundle, will also display bundle\n"
+                @"                  hash information and hashes of all bundle executables.\n"
+                @"                  Incompatible with --recursive and --cert-index.\n"
                 @"\n"
                 @"Examples: santactl fileinfo --cert-index 1 --key SHA-256 --json /usr/bin/yes\n"
                 @"          santactl fileinfo --key SHA-256 --json /usr/bin/yes\n"
@@ -682,6 +697,48 @@ REGISTER_COMMAND_NAME(@"fileinfo")
       if (outputDict[key]) continue;  // ignore keys that we've already set due to a filter
       outputDict[key] = self.propertyMap[key](self, fileInfo);
     }
+
+    if (self.bundleInfo) {
+      SNTStoredEvent *se = [[SNTStoredEvent alloc] init];
+      se.fileBundlePath = fileInfo.bundlePath;
+
+      MOLXPCConnection *bc = [SNTXPCBundleServiceInterface configuredConnection];
+      [bc resume];
+
+      __block NSMutableDictionary *bundleInfo = [[NSMutableDictionary alloc] init];
+
+      bundleInfo[kBundlePath] = fileInfo.bundle.bundlePath;
+      bundleInfo[kBundleID] = fileInfo.bundle.bundleIdentifier;
+
+      dispatch_semaphore_t sema = dispatch_semaphore_create(0);
+
+      [[bc remoteObjectProxy]
+        hashBundleBinariesForEvent:se
+                             reply:^(NSString *hash, NSArray<SNTStoredEvent *> *events,
+                                     NSNumber *time) {
+                               bundleInfo[kBundleHash] = hash;
+
+                               NSMutableArray *bundleHashes = [[NSMutableArray alloc] init];
+
+                               for (SNTStoredEvent *event in events) {
+                                 [bundleHashes
+                                   addObject:@{kSHA256 : event.fileSHA256, kPath : event.filePath}];
+                               }
+
+                               bundleInfo[kBundleHashes] = bundleHashes;
+                               [[bc remoteObjectProxy] spindown];
+                               dispatch_semaphore_signal(sema);
+                             }];
+
+      int secondsToWait = 30;
+      if (dispatch_semaphore_wait(sema,
+                                  dispatch_time(DISPATCH_TIME_NOW, secondsToWait * NSEC_PER_SEC))) {
+        fprintf(stderr, "The bundle service did not finish collecting hashes within %d seconds\n",
+                secondsToWait);
+      }
+
+      outputDict[kBundleInfo] = bundleInfo;
+    }
   }
 
   // If there's nothing in the outputDict, then don't need to print anything.
@@ -710,6 +767,11 @@ REGISTER_COMMAND_NAME(@"fileinfo")
         }
       }
     }
+
+    if (self.bundleInfo) {
+      [output appendString:[self stringForBundleInfo:outputDict[kBundleInfo] key:kBundleInfo]];
+    }
+
     if (!singleKey) [output appendString:@"\n"];
   }
 
@@ -739,6 +801,9 @@ REGISTER_COMMAND_NAME(@"fileinfo")
     if ([arg caseInsensitiveCompare:@"--json"] == NSOrderedSame) {
       self.jsonOutput = YES;
     } else if ([arg caseInsensitiveCompare:@"--cert-index"] == NSOrderedSame) {
+      if (self.bundleInfo) {
+        [self printErrorUsageAndExit:@"\n--cert-index is incompatible with --bundleinfo"];
+      }
       i += 1;  // advance to next argument and grab index
       if (i >= nargs || [arguments[i] hasPrefix:@"--"]) {
         [self printErrorUsageAndExit:@"\n--cert-index requires an argument"];
@@ -788,7 +853,17 @@ REGISTER_COMMAND_NAME(@"fileinfo")
       filters[key] = regex;
     } else if ([arg caseInsensitiveCompare:@"--recursive"] == NSOrderedSame ||
                [arg caseInsensitiveCompare:@"-r"] == NSOrderedSame) {
+      if (self.bundleInfo) {
+        [self printErrorUsageAndExit:@"\n--recursive is incompatible with --bundleinfo"];
+      }
       self.recursive = YES;
+    } else if ([arg caseInsensitiveCompare:@"--bundleinfo"] == NSOrderedSame ||
+               [arg caseInsensitiveCompare:@"-b"] == NSOrderedSame) {
+      if (self.recursive || self.certIndex) {
+        [self printErrorUsageAndExit:
+                @"\n--bundleinfo is incompatible with --recursive and --cert-index"];
+      }
+      self.bundleInfo = YES;
     } else {
       [paths addObject:arg];
     }
@@ -868,6 +943,22 @@ REGISTER_COMMAND_NAME(@"fileinfo")
   return result.copy;
 }
 
+- (NSString *)stringForBundleInfo:(NSDictionary *)bundleInfo key:(NSString *)key {
+  NSMutableString *result = [NSMutableString string];
+
+  [result appendFormat:@"%@:\n", key];
+
+  [result appendFormat:@"       %-20s: %@\n", kBundlePath.UTF8String, bundleInfo[kBundlePath]];
+  [result appendFormat:@"       %-20s: %@\n", kBundleID.UTF8String, bundleInfo[kBundleID]];
+  [result appendFormat:@"       %-20s: %@\n", kBundleHash.UTF8String, bundleInfo[kBundleHash]];
+
+  for (NSDictionary *hashPath in bundleInfo[kBundleHashes]) {
+    [result appendFormat:@"              %@  %@\n", hashPath[kSHA256], hashPath[kPath]];
+  }
+
+  return [result copy];
+}
+
 - (NSString *)stringForCertificate:(NSDictionary *)cert withKeys:(NSArray *)keys index:(int)index {
   if (!cert) return @"";
   NSMutableString *result = [NSMutableString string];

Source/santactl/Commands/SNTCommandPrintLog.mm

@@ -13,7 +13,7 @@
 /// limitations under the License.
 
 #import <Foundation/Foundation.h>
-#include <google/protobuf/util/json_util.h>
+#include <google/protobuf/json/json.h>
 #include <stdlib.h>
 
 #include <iostream>
@@ -26,8 +26,8 @@
 #include "Source/santad/Logs/EndpointSecurity/Writers/FSSpool/binaryproto_proto_include_wrapper.h"
 #include "google/protobuf/any.pb.h"
 
-using google::protobuf::util::JsonPrintOptions;
-using google::protobuf::util::MessageToJsonString;
+using JsonPrintOptions = google::protobuf::json::PrintOptions;
+using google::protobuf::json::MessageToJsonString;
 using santa::fsspool::binaryproto::LogBatch;
 namespace pbv1 = ::santa::pb::v1;
 

Source/santactl/Commands/SNTCommandRule.m

@@ -54,6 +54,8 @@ REGISTER_COMMAND_NAME(@"rule")
           @"    --compiler: allow and mark as a compiler\n"
           @"    --remove: remove existing rule\n"
           @"    --check: check for an existing rule\n"
+          @"    --import {path}: import rules from a JSON file\n"
+          @"    --export {path}: export rules to a JSON file\n"
           @"\n"
           @"  One of:\n"
           @"    --path {path}: path of binary/bundle to add/remove.\n"
@@ -81,7 +83,21 @@ REGISTER_COMMAND_NAME(@"rule")
           @"    that the signing ID is properly scoped to a developer. For the special\n"
           @"    case of platform binaries, `TeamID` should be replaced with the string\n"
           @"    \"platform\" (e.g. `platform:SigningID`). This allows for rules\n"
-          @"    targeting Apple-signed binaries that do not have a team ID.\n");
+          @"    targeting Apple-signed binaries that do not have a team ID.\n"
+          @"\n"
+          @"  Importing / Exporting Rules:\n"
+          @"    If santa is not configured to use a sync server one can export\n"
+          @"    & import its non-static rules to and from JSON files using the \n"
+          @"    --export/--import flags. These files have the following form:\n"
+          @"\n"
+          @"    {\"rules\": [{rule-dictionaries}]}\n"
+          @"    e.g. {\"rules\": [\n"
+          @"                      {\"policy\": \"BLOCKLIST\",\n"
+          @"                       \"identifier\": "
+          @"\"84de9c61777ca36b13228e2446d53e966096e78db7a72c632b5c185b2ffe68a6\"\n"
+          @"                       \"custom_url\" : \"\",\n"
+          @"                       \"custom_msg\": \"/bin/ls block for demo\"}\n"
+          @"                      ]}\n");
 }
 
 - (void)runWithArguments:(NSArray *)arguments {
@@ -103,7 +119,10 @@ REGISTER_COMMAND_NAME(@"rule")
   newRule.type = SNTRuleTypeBinary;
 
   NSString *path;
+  NSString *jsonFilePath;
   BOOL check = NO;
+  BOOL importRules = NO;
+  BOOL exportRules = NO;
 
   // Parse arguments
   for (NSUInteger i = 0; i < arguments.count; ++i) {
@@ -154,11 +173,48 @@ REGISTER_COMMAND_NAME(@"rule")
     } else if ([arg caseInsensitiveCompare:@"--force"] == NSOrderedSame) {
       // Don't do anything special.
 #endif
+    } else if ([arg caseInsensitiveCompare:@"--import"] == NSOrderedSame) {
+      if (exportRules) {
+        [self printErrorUsageAndExit:@"--import and --export are mutually exclusive"];
+      }
+      importRules = YES;
+      if (++i > arguments.count - 1) {
+        [self printErrorUsageAndExit:@"--import requires an argument"];
+      }
+      jsonFilePath = arguments[i];
+    } else if ([arg caseInsensitiveCompare:@"--export"] == NSOrderedSame) {
+      if (importRules) {
+        [self printErrorUsageAndExit:@"--import and --export are mutually exclusive"];
+      }
+      exportRules = YES;
+      if (++i > arguments.count - 1) {
+        [self printErrorUsageAndExit:@"--export requires an argument"];
+      }
+      jsonFilePath = arguments[i];
+    } else if ([arg caseInsensitiveCompare:@"--help"] == NSOrderedSame ||
+               [arg caseInsensitiveCompare:@"-h"] == NSOrderedSame) {
+      printf("%s\n", self.class.longHelpText.UTF8String);
+      exit(0);
     } else {
       [self printErrorUsageAndExit:[@"Unknown argument: " stringByAppendingString:arg]];
     }
   }
 
+  if (jsonFilePath.length > 0) {
+    if (importRules) {
+      if (newRule.identifier != nil || path != nil || check) {
+        [self printErrorUsageAndExit:@"--import can only be used by itself"];
+      }
+      [self importJSONFile:jsonFilePath];
+    } else if (exportRules) {
+      if (newRule.identifier != nil || path != nil || check) {
+        [self printErrorUsageAndExit:@"--export can only be used by itself"];
+      }
+      [self exportJSONFile:jsonFilePath];
+    }
+    return;
+  }
+
   if (path) {
     SNTFileInfo *fi = [[SNTFileInfo alloc] initWithPath:path];
     if (!fi.path) {
@@ -302,4 +358,101 @@ REGISTER_COMMAND_NAME(@"rule")
   exit(0);
 }
 
+- (void)importJSONFile:(NSString *)jsonFilePath {
+  // If the file exists parse it and then add the rules one at a time.
+  NSError *error;
+  NSData *data = [NSData dataWithContentsOfFile:jsonFilePath options:0 error:&error];
+  if (error) {
+    [self printErrorUsageAndExit:[NSString stringWithFormat:@"Failed to read %@: %@", jsonFilePath,
+                                                            error.localizedDescription]];
+  }
+
+  // We expect a JSON object with one key "rules". This is an array of rule
+  // objects.
+  // e.g.
+  // {"rules": [{
+  //  "policy" : "BLOCKLIST",
+  //    "rule_type" : "BINARY",
+  //    "identifier" : "84de9c61777ca36b13228e2446d53e966096e78db7a72c632b5c185b2ffe68a6"
+  //    "custom_url" : "",
+  //    "custom_msg" : "/bin/ls block for demo"
+  //  }]}
+  NSDictionary *rules = [NSJSONSerialization JSONObjectWithData:data options:0 error:&error];
+  if (error) {
+    [self printErrorUsageAndExit:[NSString stringWithFormat:@"Failed to parse %@: %@", jsonFilePath,
+                                                            error.localizedDescription]];
+  }
+
+  NSMutableArray<SNTRule *> *parsedRules = [[NSMutableArray alloc] init];
+
+  for (NSDictionary *jsonRule in rules[@"rules"]) {
+    SNTRule *rule = [[SNTRule alloc] initWithDictionary:jsonRule];
+    if (!rule) {
+      [self printErrorUsageAndExit:[NSString stringWithFormat:@"Invalid rule: %@", jsonRule]];
+    }
+    [parsedRules addObject:rule];
+  }
+
+  [[self.daemonConn remoteObjectProxy]
+    databaseRuleAddRules:parsedRules
+              cleanSlate:NO
+                   reply:^(NSError *error) {
+                     if (error) {
+                       printf("Failed to modify rules: %s",
+                              [error.localizedDescription UTF8String]);
+                       LOGD(@"Failure reason: %@", error.localizedFailureReason);
+                       exit(1);
+                     }
+                     exit(0);
+                   }];
+}
+
+- (void)exportJSONFile:(NSString *)jsonFilePath {
+  // Get the rules from the daemon and then write them to the file.
+  id<SNTDaemonControlXPC> rop = [self.daemonConn synchronousRemoteObjectProxy];
+  [rop retrieveAllRules:^(NSArray<SNTRule *> *rules, NSError *error) {
+    if (error) {
+      printf("Failed to get rules: %s", [error.localizedDescription UTF8String]);
+      LOGD(@"Failure reason: %@", error.localizedFailureReason);
+      exit(1);
+    }
+
+    if (rules.count == 0) {
+      printf("No rules to export.\n");
+      exit(1);
+    }
+    // Convert Rules to an NSDictionary.
+    NSMutableArray *rulesAsDicts = [[NSMutableArray alloc] init];
+
+    for (SNTRule *rule in rules) {
+      // Omit transitive and remove rules as they're not relevan.
+      if (rule.state == SNTRuleStateAllowTransitive || rule.state == SNTRuleStateRemove) {
+        continue;
+      }
+
+      [rulesAsDicts addObject:[rule dictionaryRepresentation]];
+    }
+
+    NSOutputStream *outputStream = [[NSOutputStream alloc] initToFileAtPath:jsonFilePath append:NO];
+    [outputStream open];
+
+    // Write the rules to the file.
+    // File should look like the following JSON:
+    // {"rules": [{"policy": "ALLOWLIST", "identifier": hash, "rule_type: "BINARY"},}]}
+    NSData *jsonData = [NSJSONSerialization dataWithJSONObject:@{@"rules" : rulesAsDicts}
+                                                       options:NSJSONWritingPrettyPrinted
+                                                         error:&error];
+    // Print error
+    if (error) {
+      printf("Failed to jsonify rules: %s", [error.localizedDescription UTF8String]);
+      LOGD(@"Failure reason: %@", error.localizedFailureReason);
+      exit(1);
+    }
+    // Write jsonData to the file
+    [outputStream write:jsonData.bytes maxLength:jsonData.length];
+    [outputStream close];
+    exit(0);
+  }];
+}
+
 @end

Source/santactl/Commands/SNTCommandStatus.m

@@ -15,11 +15,22 @@
 #import <Foundation/Foundation.h>
 #import <MOLXPCConnection/MOLXPCConnection.h>
 
+#import "Source/common/SNTCommonEnums.h"
 #import "Source/common/SNTConfigurator.h"
 #import "Source/common/SNTXPCControlInterface.h"
 #import "Source/santactl/SNTCommand.h"
 #import "Source/santactl/SNTCommandController.h"
 
+NSString *StartupOptionToString(SNTDeviceManagerStartupPreferences pref) {
+  switch (pref) {
+    case SNTDeviceManagerStartupPreferencesUnmount: return @"Unmount";
+    case SNTDeviceManagerStartupPreferencesForceUnmount: return @"ForceUnmount";
+    case SNTDeviceManagerStartupPreferencesRemount: return @"Remount";
+    case SNTDeviceManagerStartupPreferencesForceRemount: return @"ForceRemount";
+    default: return @"None";
+  }
+}
+
 @interface SNTCommandStatus : SNTCommand <SNTCommandProtocol>
 @end
 
@@ -45,7 +56,6 @@ REGISTER_COMMAND_NAME(@"status")
 }
 
 - (void)runWithArguments:(NSArray *)arguments {
-  dispatch_group_t group = dispatch_group_create();
   id<SNTDaemonControlXPC> rop = [self.daemonConn synchronousRemoteObjectProxy];
 
   // Daemon status
@@ -158,10 +168,15 @@ REGISTER_COMMAND_NAME(@"status")
     }
   }];
 
-  // Wait a maximum of 5s for stats collected from daemon to arrive.
-  if (dispatch_group_wait(group, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 5))) {
-    fprintf(stderr, "Failed to retrieve some stats from daemon\n\n");
-  }
+  __block BOOL blockUSBMount = NO;
+  [rop blockUSBMount:^(BOOL response) {
+    blockUSBMount = response;
+  }];
+
+  __block NSArray<NSString *> *remountUSBMode;
+  [rop remountUSBMode:^(NSArray<NSString *> *response) {
+    remountUSBMode = response;
+  }];
 
   // Format dates
   NSDateFormatter *dateFormatter = [[NSDateFormatter alloc] init];
@@ -191,10 +206,9 @@ REGISTER_COMMAND_NAME(@"status")
         @"watchdog_ram_events" : @(ramEvents),
         @"watchdog_cpu_peak" : @(cpuPeak),
         @"watchdog_ram_peak" : @(ramPeak),
-        @"block_usb" : @(configurator.blockUSBMount),
-        @"remount_usb_mode" : (configurator.blockUSBMount && configurator.remountUSBMode.count
-                                 ? configurator.remountUSBMode
-                                 : @""),
+        @"block_usb" : @(blockUSBMount),
+        @"remount_usb_mode" : (blockUSBMount && remountUSBMode.count ? remountUSBMode : @""),
+        @"on_start_usb_options" : StartupOptionToString(configurator.onStartUSBOptions),
       },
       @"database" : @{
         @"binary_rules" : @(binaryRuleCount),
@@ -250,11 +264,13 @@ REGISTER_COMMAND_NAME(@"status")
     printf("  %-25s | %s\n", "Mode", [clientMode UTF8String]);
     printf("  %-25s | %s\n", "Log Type", [eventLogType UTF8String]);
     printf("  %-25s | %s\n", "File Logging", (fileLogging ? "Yes" : "No"));
-    printf("  %-25s | %s\n", "USB Blocking", (configurator.blockUSBMount ? "Yes" : "No"));
-    if (configurator.blockUSBMount && configurator.remountUSBMode.count > 0) {
-      printf("  %-25s | %s\n", "USB Remounting Mode:",
-             [[configurator.remountUSBMode componentsJoinedByString:@", "] UTF8String]);
+    printf("  %-25s | %s\n", "USB Blocking", (blockUSBMount ? "Yes" : "No"));
+    if (blockUSBMount && remountUSBMode.count > 0) {
+      printf("  %-25s | %s\n", "USB Remounting Mode",
+             [[remountUSBMode componentsJoinedByString:@", "] UTF8String]);
     }
+    printf("  %-25s | %s\n", "On Start USB Options",
+           StartupOptionToString(configurator.onStartUSBOptions).UTF8String);
     printf("  %-25s | %lld  (Peak: %.2f%%)\n", "Watchdog CPU Events", cpuEvents, cpuPeak);
     printf("  %-25s | %lld  (Peak: %.2fMB)\n", "Watchdog RAM Events", ramEvents, ramPeak);
 

Source/santactl/Commands/SNTCommandSync.m

@@ -32,7 +32,7 @@ REGISTER_COMMAND_NAME(@"sync")
 #pragma mark SNTCommand protocol methods
 
 + (BOOL)requiresRoot {
-  return YES;
+  return NO;
 }
 
 + (BOOL)requiresDaemonConn {

Source/santad/BUILD

@@ -199,6 +199,7 @@ objc_library(
         "//Source/common:SNTCachedDecision",
         "//Source/common:SNTCommonEnums",
         "//Source/common:SNTConfigurator",
+        "//Source/common:SNTDeepCopy",
         "//Source/common:SNTFileInfo",
         "//Source/common:SNTLogging",
         "//Source/common:SNTRule",
@@ -213,6 +214,9 @@ objc_library(
     name = "TTYWriter",
     srcs = ["TTYWriter.mm"],
     hdrs = ["TTYWriter.h"],
+    sdk_dylibs = [
+        "EndpointSecurity",
+    ],
     deps = [
         "//Source/common:SNTLogging",
         "//Source/common:String",
@@ -233,10 +237,12 @@ objc_library(
         ":SNTSyncdQueue",
         ":TTYWriter",
         "//Source/common:BranchPrediction",
+        "//Source/common:PrefixTree",
         "//Source/common:SNTBlockMessage",
         "//Source/common:SNTCachedDecision",
         "//Source/common:SNTCommonEnums",
         "//Source/common:SNTConfigurator",
+        "//Source/common:SNTDeepCopy",
         "//Source/common:SNTDropRootPrivs",
         "//Source/common:SNTFileInfo",
         "//Source/common:SNTLogging",
@@ -245,7 +251,9 @@ objc_library(
         "//Source/common:SNTStoredEvent",
         "//Source/common:SantaVnode",
         "//Source/common:String",
+        "//Source/common:Unit",
         "@MOLCodesignChecker",
+        "@com_google_absl//absl/synchronization",
     ],
 )
 
@@ -359,9 +367,11 @@ objc_library(
         ":SNTDecisionCache",
         ":SNTEndpointSecurityClient",
         ":SNTEndpointSecurityEventHandler",
+        ":TTYWriter",
         ":WatchItemPolicy",
         ":WatchItems",
         "//Source/common:Platform",
+        "//Source/common:SNTBlockMessage",
         "//Source/common:SNTCommonEnums",
         "//Source/common:SNTConfigurator",
         "//Source/common:SNTFileAccessEvent",
@@ -373,6 +383,8 @@ objc_library(
         "//Source/common:String",
         "@MOLCertificate",
         "@MOLCodesignChecker",
+        "@com_google_absl//absl/container:flat_hash_map",
+        "@com_google_absl//absl/container:flat_hash_set",
     ],
 )
 
@@ -388,8 +400,10 @@ objc_library(
         ":Metrics",
         ":SNTEndpointSecurityClient",
         ":SNTEndpointSecurityEventHandler",
+        "//Source/common:SNTCommonEnums",
         "//Source/common:SNTDeviceEvent",
         "//Source/common:SNTLogging",
+        "//Source/common:SNTMetricSet",
     ],
 )
 
@@ -467,6 +481,7 @@ objc_library(
         "//Source/common:SantaCache",
         "//Source/common:SantaVnode",
         "//Source/common:SantaVnodeHash",
+        "//Source/common:String",
     ],
 )
 
@@ -524,6 +539,8 @@ objc_library(
         "//Source/common:SNTStoredEvent",
         "//Source/common:String",
         "//Source/common:santa_cc_proto_library_wrapper",
+        "@com_google_absl//absl/status",
+        "@com_google_protobuf//src/google/protobuf/json",
     ],
 )
 
@@ -664,6 +681,7 @@ objc_library(
     hdrs = ["Metrics.h"],
     deps = [
         ":SNTApplicationCoreMetrics",
+        "//Source/common:SNTCommonEnums",
         "//Source/common:SNTLogging",
         "//Source/common:SNTMetricSet",
         "//Source/common:SNTXPCMetricServiceInterface",
@@ -692,6 +710,7 @@ objc_library(
         ":SNTExecutionController",
         ":SNTNotificationQueue",
         ":SNTSyncdQueue",
+        ":TTYWriter",
         ":WatchItems",
         "//Source/common:PrefixTree",
         "//Source/common:SNTCommonEnums",
@@ -881,8 +900,10 @@ santa_unit_test(
         ":Metrics",
         ":MockEndpointSecurityAPI",
         ":SNTDatabaseController",
+        ":SNTDecisionCache",
         ":SNTEndpointSecurityAuthorizer",
         ":SantadDeps",
+        "//Source/common:SNTCachedDecision",
         "//Source/common:SNTConfigurator",
         "//Source/common:TestUtils",
         "@MOLCertificate",
@@ -981,7 +1002,9 @@ santa_unit_test(
         "//Source/common:TestUtils",
         "//Source/common:santa_cc_proto_library_wrapper",
         "@OCMock",
+        "@com_google_absl//absl/status",
         "@com_google_googletest//:gtest",
+        "@com_google_protobuf//src/google/protobuf/json",
     ],
 )
 
@@ -1230,6 +1253,7 @@ santa_unit_test(
         ":WatchItems",
         "//Source/common:Platform",
         "//Source/common:SNTCachedDecision",
+        "//Source/common:SNTCommonEnums",
         "//Source/common:SNTConfigurator",
         "//Source/common:TestUtils",
         "@MOLCertificate",
@@ -1300,6 +1324,7 @@ santa_unit_test(
         ":Metrics",
         ":MockEndpointSecurityAPI",
         ":SNTEndpointSecurityDeviceManager",
+        "//Source/common:SNTCommonEnums",
         "//Source/common:SNTConfigurator",
         "//Source/common:SNTDeviceEvent",
         "//Source/common:TestUtils",

Source/santad/DataLayer/SNTRuleTable.h

@@ -101,6 +101,11 @@
 ///
 - (void)removeOutdatedTransitiveRules;
 
+///
+///  Retrieve all rules from the database for export.
+///
+- (NSArray<SNTRule *> *)retrieveAllRules;
+
 ///
 ///  A map of a file hashes to cached decisions. This is used to pre-validate and whitelist
 ///  certain critical system binaries that are integral to Santa's functionality.

Source/santad/DataLayer/SNTRuleTable.m

@@ -25,7 +25,7 @@
 #import "Source/common/SNTLogging.h"
 #import "Source/common/SNTRule.h"
 
-static const uint32_t kRuleTableCurrentVersion = 5;
+static const uint32_t kRuleTableCurrentVersion = 7;
 
 // TODO(nguyenphillip): this should be configurable.
 // How many rules must be in database before we start trying to remove transitive rules.
@@ -229,6 +229,28 @@ static void addPathsFromDefaultMuteSet(NSMutableSet *criticalPaths) API_AVAILABL
     newVersion = 5;
   }
 
+  if (version < 6) {
+    // Force hash identifiers for Binary and Certificate rules to always be lowercase
+    [db executeUpdate:@"UPDATE rules SET identifier = LOWER(identifier) WHERE type = ? OR type = ?",
+                      @(SNTRuleTypeBinary), @(SNTRuleTypeCertificate)];
+
+    // Force team ID identifiers for TeamID rules to always be uppercase
+    [db executeUpdate:@"UPDATE rules SET identifier = UPPER(identifier) WHERE type = ?",
+                      @(SNTRuleTypeTeamID)];
+
+    // Note: Intentionally not attempting to migrate exsting SigningID rules to enforce
+    // the TeamID component to be uppercase. Since this is a newer rule type, it is
+    // assumed to be unnecessary and we'd rather not maintain the SQL to perform this
+    // migration automatically.
+
+    newVersion = 6;
+  }
+
+  if (version < 7) {
+    [db executeUpdate:@"ALTER TABLE 'rules' ADD 'customurl' TEXT"];
+    newVersion = 7;
+  }
+
   // Save signing info for launchd and santad. Used to ensure they are always allowed.
   self.santadCSInfo = [[MOLCodesignChecker alloc] initWithSelf];
   self.launchdCSInfo = [[MOLCodesignChecker alloc] initWithPID:1];
@@ -292,11 +314,13 @@ static void addPathsFromDefaultMuteSet(NSMutableSet *criticalPaths) API_AVAILABL
 }
 
 - (SNTRule *)ruleFromResultSet:(FMResultSet *)rs {
-  return [[SNTRule alloc] initWithIdentifier:[rs stringForColumn:@"identifier"]
-                                       state:[rs intForColumn:@"state"]
-                                        type:[rs intForColumn:@"type"]
-                                   customMsg:[rs stringForColumn:@"custommsg"]
-                                   timestamp:[rs intForColumn:@"timestamp"]];
+  SNTRule *r = [[SNTRule alloc] initWithIdentifier:[rs stringForColumn:@"identifier"]
+                                             state:[rs intForColumn:@"state"]
+                                              type:[rs intForColumn:@"type"]
+                                         customMsg:[rs stringForColumn:@"custommsg"]
+                                         timestamp:[rs intForColumn:@"timestamp"]];
+  r.customURL = [rs stringForColumn:@"customurl"];
+  return r;
 }
 
 - (SNTRule *)ruleForBinarySHA256:(NSString *)binarySHA256
@@ -410,10 +434,10 @@ static void addPathsFromDefaultMuteSet(NSMutableSet *criticalPaths) API_AVAILABL
         }
       } else {
         if (![db executeUpdate:@"INSERT OR REPLACE INTO rules "
-                               @"(identifier, state, type, custommsg, timestamp) "
-                               @"VALUES (?, ?, ?, ?, ?);",
+                               @"(identifier, state, type, custommsg, customurl, timestamp) "
+                               @"VALUES (?, ?, ?, ?, ?, ?);",
                                rule.identifier, @(rule.state), @(rule.type), rule.customMsg,
-                               @(rule.timestamp)]) {
+                               rule.customURL, @(rule.timestamp)]) {
           [self fillError:error
                      code:SNTRuleTableErrorInsertOrReplaceFailed
                   message:[db lastErrorMessage]];
@@ -515,4 +539,19 @@ static void addPathsFromDefaultMuteSet(NSMutableSet *criticalPaths) API_AVAILABL
   return YES;
 }
 
+#pragma mark Querying
+
+// Retrieve all rules from the Database
+- (NSArray<SNTRule *> *)retrieveAllRules {
+  NSMutableArray<SNTRule *> *rules = [NSMutableArray array];
+  [self inDatabase:^(FMDatabase *db) {
+    FMResultSet *rs = [db executeQuery:@"SELECT * FROM rules"];
+    while ([rs next]) {
+      [rules addObject:[self ruleFromResultSet:rs]];
+    }
+    [rs close];
+  }];
+  return rules;
+}
+
 @end

Source/santad/DataLayer/SNTRuleTableTest.m

@@ -36,7 +36,7 @@
 
 - (SNTRule *)_exampleTeamIDRule {
   SNTRule *r = [[SNTRule alloc] init];
-  r.identifier = @"teamID";
+  r.identifier = @"ABCDEFGHIJ";
   r.state = SNTRuleStateBlock;
   r.type = SNTRuleTypeTeamID;
   r.customMsg = @"A teamID rule";
@@ -48,11 +48,11 @@
   if (isPlatformBinary) {
     r.identifier = @"platform:signingID";
   } else {
-    r.identifier = @"teamID:signingID";
+    r.identifier = @"ABCDEFGHIJ:signingID";
   }
   r.state = SNTRuleStateBlock;
   r.type = SNTRuleTypeSigningID;
-  r.customMsg = @"A teamID rule";
+  r.customMsg = @"A signingID rule";
   return r;
 }
 
@@ -187,9 +187,9 @@
   SNTRule *r = [self.sut ruleForBinarySHA256:nil
                                    signingID:nil
                            certificateSHA256:nil
-                                      teamID:@"teamID"];
+                                      teamID:@"ABCDEFGHIJ"];
   XCTAssertNotNil(r);
-  XCTAssertEqualObjects(r.identifier, @"teamID");
+  XCTAssertEqualObjects(r.identifier, @"ABCDEFGHIJ");
   XCTAssertEqual(r.type, SNTRuleTypeTeamID);
   XCTAssertEqual([self.sut teamIDRuleCount], 1);
 
@@ -211,12 +211,12 @@
   XCTAssertEqual([self.sut signingIDRuleCount], 2);
 
   SNTRule *r = [self.sut ruleForBinarySHA256:nil
-                                   signingID:@"teamID:signingID"
+                                   signingID:@"ABCDEFGHIJ:signingID"
                            certificateSHA256:nil
                                       teamID:nil];
 
   XCTAssertNotNil(r);
-  XCTAssertEqualObjects(r.identifier, @"teamID:signingID");
+  XCTAssertEqualObjects(r.identifier, @"ABCDEFGHIJ:signingID");
   XCTAssertEqual(r.type, SNTRuleTypeSigningID);
 
   r = [self.sut ruleForBinarySHA256:nil
@@ -243,9 +243,9 @@
   // See the comment in SNTRuleTable#ruleForBinarySHA256:certificateSHA256:teamID
   SNTRule *r = [self.sut
     ruleForBinarySHA256:@"b7c1e3fd640c5f211c89b02c2c6122f78ce322aa5c56eb0bb54bc422a8f8b670"
-              signingID:@"teamID:signingID"
+              signingID:@"ABCDEFGHIJ:signingID"
       certificateSHA256:@"7ae80b9ab38af0c63a9a81765f434d9a7cd8f720eb6037ef303de39d779bc258"
-                 teamID:@"teamID"];
+                 teamID:@"ABCDEFGHIJ"];
   XCTAssertNotNil(r);
   XCTAssertEqualObjects(r.identifier,
                         @"b7c1e3fd640c5f211c89b02c2c6122f78ce322aa5c56eb0bb54bc422a8f8b670");
@@ -253,9 +253,9 @@
 
   r = [self.sut
     ruleForBinarySHA256:@"b7c1e3fd640c5f211c89b02c2c6122f78ce322aa5c56eb0bb54bc422a8f8b670"
-              signingID:@"teamID:signingID"
+              signingID:@"ABCDEFGHIJ:signingID"
       certificateSHA256:@"unknowncert"
-                 teamID:@"teamID"];
+                 teamID:@"ABCDEFGHIJ"];
   XCTAssertNotNil(r);
   XCTAssertEqualObjects(r.identifier,
                         @"b7c1e3fd640c5f211c89b02c2c6122f78ce322aa5c56eb0bb54bc422a8f8b670");
@@ -265,26 +265,26 @@
     ruleForBinarySHA256:@"unknown"
               signingID:@"unknown"
       certificateSHA256:@"7ae80b9ab38af0c63a9a81765f434d9a7cd8f720eb6037ef303de39d779bc258"
-                 teamID:@"teamID"];
+                 teamID:@"ABCDEFGHIJ"];
   XCTAssertNotNil(r);
   XCTAssertEqualObjects(r.identifier,
                         @"7ae80b9ab38af0c63a9a81765f434d9a7cd8f720eb6037ef303de39d779bc258");
   XCTAssertEqual(r.type, SNTRuleTypeCertificate, @"Implicit rule ordering failed");
 
   r = [self.sut ruleForBinarySHA256:@"unknown"
-                          signingID:@"teamID:signingID"
+                          signingID:@"ABCDEFGHIJ:signingID"
                   certificateSHA256:@"unknown"
-                             teamID:@"teamID"];
+                             teamID:@"ABCDEFGHIJ"];
   XCTAssertNotNil(r);
-  XCTAssertEqualObjects(r.identifier, @"teamID:signingID");
+  XCTAssertEqualObjects(r.identifier, @"ABCDEFGHIJ:signingID");
   XCTAssertEqual(r.type, SNTRuleTypeSigningID, @"Implicit rule ordering failed (SigningID)");
 
   r = [self.sut ruleForBinarySHA256:@"unknown"
                           signingID:@"unknown"
                   certificateSHA256:@"unknown"
-                             teamID:@"teamID"];
+                             teamID:@"ABCDEFGHIJ"];
   XCTAssertNotNil(r);
-  XCTAssertEqualObjects(r.identifier, @"teamID");
+  XCTAssertEqualObjects(r.identifier, @"ABCDEFGHIJ");
   XCTAssertEqual(r.type, SNTRuleTypeTeamID, @"Implicit rule ordering failed (TeamID)");
 }
 
@@ -301,4 +301,25 @@
   [[NSFileManager defaultManager] removeItemAtPath:dbPath error:NULL];
 }
 
+- (void)testRetrieveAllRulesWithEmptyDatabase {
+  NSArray<SNTRule *> *rules = [self.sut retrieveAllRules];
+  XCTAssertEqual(rules.count, 0);
+}
+
+- (void)testRetrieveAllRulesWithMultipleRules {
+  [self.sut addRules:@[
+    [self _exampleCertRule], [self _exampleBinaryRule], [self _exampleTeamIDRule],
+    [self _exampleSigningIDRuleIsPlatform:NO]
+  ]
+          cleanSlate:NO
+               error:nil];
+
+  NSArray<SNTRule *> *rules = [self.sut retrieveAllRules];
+  XCTAssertEqual(rules.count, 4);
+  XCTAssertEqualObjects(rules[0], [self _exampleCertRule]);
+  XCTAssertEqualObjects(rules[1], [self _exampleBinaryRule]);
+  XCTAssertEqualObjects(rules[2], [self _exampleTeamIDRule]);
+  XCTAssertEqualObjects(rules[3], [self _exampleSigningIDRuleIsPlatform:NO]);
+}
+
 @end

Source/santad/DataLayer/WatchItemPolicy.h

@@ -15,6 +15,7 @@
 #ifndef SANTA__SANTAD__DATALAYER_WATCHITEMPOLICY_H
 #define SANTA__SANTAD__DATALAYER_WATCHITEMPOLICY_H
 
+#import <Foundation/Foundation.h>
 #include <Kernel/kern/cs_blobs.h>
 
 #include <optional>
@@ -29,16 +30,17 @@ enum class WatchItemPathType {
   kLiteral,
 };
 
-static constexpr WatchItemPathType kWatchItemPolicyDefaultPathType =
-    WatchItemPathType::kLiteral;
+static constexpr WatchItemPathType kWatchItemPolicyDefaultPathType = WatchItemPathType::kLiteral;
 static constexpr bool kWatchItemPolicyDefaultAllowReadAccess = false;
 static constexpr bool kWatchItemPolicyDefaultAuditOnly = true;
 static constexpr bool kWatchItemPolicyDefaultInvertProcessExceptions = false;
+static constexpr bool kWatchItemPolicyDefaultEnableSilentMode = false;
+static constexpr bool kWatchItemPolicyDefaultEnableSilentTTYMode = false;
 
 struct WatchItemPolicy {
   struct Process {
-    Process(std::string bp, std::string sid, std::string ti,
-            std::vector<uint8_t> cdh, std::string ch, std::optional<bool> pb)
+    Process(std::string bp, std::string sid, std::string ti, std::vector<uint8_t> cdh,
+            std::string ch, std::optional<bool> pb)
         : binary_path(bp),
           signing_id(sid),
           team_id(ti),
@@ -47,13 +49,11 @@ struct WatchItemPolicy {
           platform_binary(pb) {}
 
     bool operator==(const Process &other) const {
-      return binary_path == other.binary_path &&
-             signing_id == other.signing_id && team_id == other.team_id &&
-             cdhash == other.cdhash &&
+      return binary_path == other.binary_path && signing_id == other.signing_id &&
+             team_id == other.team_id && cdhash == other.cdhash &&
              certificate_sha256 == other.certificate_sha256 &&
              platform_binary.has_value() == other.platform_binary.has_value() &&
-             platform_binary.value_or(false) ==
-                 other.platform_binary.value_or(false);
+             platform_binary.value_or(false) == other.platform_binary.value_or(false);
     }
 
     bool operator!=(const Process &other) const { return !(*this == other); }
@@ -71,27 +71,34 @@ struct WatchItemPolicy {
                   bool ara = kWatchItemPolicyDefaultAllowReadAccess,
                   bool ao = kWatchItemPolicyDefaultAuditOnly,
                   bool ipe = kWatchItemPolicyDefaultInvertProcessExceptions,
-                  std::vector<Process> procs = {})
+                  bool esm = kWatchItemPolicyDefaultEnableSilentMode,
+                  bool estm = kWatchItemPolicyDefaultEnableSilentTTYMode, std::string_view cm = "",
+                  NSString *edu = nil, NSString *edt = nil, std::vector<Process> procs = {})
       : name(n),
         path(p),
         path_type(pt),
         allow_read_access(ara),
         audit_only(ao),
         invert_process_exceptions(ipe),
+        silent(esm),
+        silent_tty(estm),
+        custom_message(cm.length() == 0 ? std::nullopt : std::make_optional<std::string>(cm)),
+        // Note: Empty string considered valid for event_detail_url to allow rules
+        // overriding global setting in order to hide the button.
+        event_detail_url(edu == nil ? std::nullopt : std::make_optional<NSString *>(edu)),
+        event_detail_text(edt.length == 0 ? std::nullopt : std::make_optional<NSString *>(edt)),
         processes(std::move(procs)) {}
 
   bool operator==(const WatchItemPolicy &other) const {
-    return name == other.name && path == other.path &&
-           path_type == other.path_type &&
-           allow_read_access == other.allow_read_access &&
-           audit_only == other.audit_only &&
-           invert_process_exceptions == other.invert_process_exceptions &&
-           processes == other.processes;
+    // Note: custom_message, event_detail_url, and event_detail_text are not currently considered
+    // for equality purposes
+    return name == other.name && path == other.path && path_type == other.path_type &&
+           allow_read_access == other.allow_read_access && audit_only == other.audit_only &&
+           invert_process_exceptions == other.invert_process_exceptions && silent == other.silent &&
+           silent_tty == other.silent_tty && processes == other.processes;
   }
 
-  bool operator!=(const WatchItemPolicy &other) const {
-    return !(*this == other);
-  }
+  bool operator!=(const WatchItemPolicy &other) const { return !(*this == other); }
 
   std::string name;
   std::string path;
@@ -99,10 +106,14 @@ struct WatchItemPolicy {
   bool allow_read_access;
   bool audit_only;
   bool invert_process_exceptions;
+  bool silent;
+  bool silent_tty;
+  std::optional<std::string> custom_message;
+  std::optional<NSString *> event_detail_url;
+  std::optional<NSString *> event_detail_text;
   std::vector<Process> processes;
 
   // WIP - No current way to control via config
-  bool silent = true;
   std::string version = "temp_version";
 };
 

Source/santad/DataLayer/WatchItems.h

@@ -40,6 +40,9 @@ extern NSString *const kWatchItemConfigKeyOptions;
 extern NSString *const kWatchItemConfigKeyOptionsAllowReadAccess;
 extern NSString *const kWatchItemConfigKeyOptionsAuditOnly;
 extern NSString *const kWatchItemConfigKeyOptionsInvertProcessExceptions;
+extern NSString *const kWatchItemConfigKeyOptionsEnableSilentMode;
+extern NSString *const kWatchItemConfigKeyOptionsEnableSilentTTYMode;
+extern NSString *const kWatchItemConfigKeyOptionsCustomMessage;
 extern NSString *const kWatchItemConfigKeyProcesses;
 extern NSString *const kWatchItemConfigKeyProcessesBinaryPath;
 extern NSString *const kWatchItemConfigKeyProcessesCertificateSha256;
@@ -93,6 +96,9 @@ class WatchItems : public std::enable_shared_from_this<WatchItems> {
 
   std::optional<WatchItemsState> State();
 
+  std::pair<NSString *, NSString *> EventDetailLinkInfo(
+    const std::shared_ptr<WatchItemPolicy> &watch_item);
+
   friend class santa::santad::data_layer::WatchItemsPeer;
 
  private:
@@ -125,6 +131,8 @@ class WatchItems : public std::enable_shared_from_this<WatchItems> {
   std::string policy_version_ ABSL_GUARDED_BY(lock_);
   std::set<id<SNTEndpointSecurityDynamicEventHandler>> registerd_clients_ ABSL_GUARDED_BY(lock_);
   bool periodic_task_started_ = false;
+  NSString *policy_event_detail_url_ ABSL_GUARDED_BY(lock_);
+  NSString *policy_event_detail_text_ ABSL_GUARDED_BY(lock_);
 };
 
 }  // namespace santa::santad::data_layer

Source/santad/DataLayer/WatchItems.mm

@@ -46,6 +46,8 @@ using santa::santad::data_layer::WatchItemPathType;
 using santa::santad::data_layer::WatchItemPolicy;
 
 NSString *const kWatchItemConfigKeyVersion = @"Version";
+NSString *const kWatchItemConfigKeyEventDetailURL = @"EventDetailURL";
+NSString *const kWatchItemConfigKeyEventDetailText = @"EventDetailText";
 NSString *const kWatchItemConfigKeyWatchItems = @"WatchItems";
 NSString *const kWatchItemConfigKeyPaths = @"Paths";
 NSString *const kWatchItemConfigKeyPathsPath = @"Path";
@@ -54,6 +56,11 @@ NSString *const kWatchItemConfigKeyOptions = @"Options";
 NSString *const kWatchItemConfigKeyOptionsAllowReadAccess = @"AllowReadAccess";
 NSString *const kWatchItemConfigKeyOptionsAuditOnly = @"AuditOnly";
 NSString *const kWatchItemConfigKeyOptionsInvertProcessExceptions = @"InvertProcessExceptions";
+NSString *const kWatchItemConfigKeyOptionsEnableSilentMode = @"EnableSilentMode";
+NSString *const kWatchItemConfigKeyOptionsEnableSilentTTYMode = @"EnableSilentTTYMode";
+NSString *const kWatchItemConfigKeyOptionsCustomMessage = @"BlockMessage";
+NSString *const kWatchItemConfigKeyOptionsEventDetailURL = kWatchItemConfigKeyEventDetailURL;
+NSString *const kWatchItemConfigKeyOptionsEventDetailText = kWatchItemConfigKeyEventDetailText;
 NSString *const kWatchItemConfigKeyProcesses = @"Processes";
 NSString *const kWatchItemConfigKeyProcessesBinaryPath = @"BinaryPath";
 NSString *const kWatchItemConfigKeyProcessesCertificateSha256 = @"CertificateSha256";
@@ -73,6 +80,22 @@ static constexpr NSUInteger kMaxSigningIDLength = 512;
 // churn rebuilding glob paths based on the state of the filesystem.
 static constexpr uint64_t kMinReapplyConfigFrequencySecs = 15;
 
+// Semi-arbitrary max custom message length. The goal is to protect against
+// potential unbounded lengths, but no real reason this cannot be higher.
+static constexpr NSUInteger kWatchItemConfigOptionCustomMessageMaxLength = 2048;
+
+// Semi-arbitrary max event detail text length. The text has to fit on a button
+// and shouldn't be too large.
+static constexpr NSUInteger kWatchItemConfigEventDetailTextMaxLength = 48;
+
+// Servers are recommended to support up to 8000 octets.
+// https://www.rfc-editor.org/rfc/rfc9110#section-4.1-5
+//
+// Seems excessive but no good reason to not allow long URLs. However because
+// the URL supports pseudo-format strings that can extend the length, a smaller
+// max is used here.
+static constexpr NSUInteger kWatchItemConfigEventDetailURLMaxLength = 6000;
+
 namespace santa::santad::data_layer {
 
 // Type aliases
@@ -126,6 +149,10 @@ static std::vector<uint8_t> HexStringToBytes(NSString *str) {
   return bytes;
 }
 
+static inline bool GetBoolValue(NSDictionary *options, NSString *key, bool default_value) {
+  return options[key] ? [options[key] boolValue] : default_value;
+}
+
 // Given a length, returns a ValidatorBlock that confirms the
 // string is a valid hex string of the given length.
 ValidatorBlock HexValidator(NSUInteger expected_length) {
@@ -140,8 +167,8 @@ ValidatorBlock HexValidator(NSUInteger expected_length) {
   };
 }
 
-// Given a max length, returns a ValidatorBlock that confirms the
-// string is a not longer than the max.
+// Given a min and max length, returns a ValidatorBlock that confirms the
+// string is within the given bounds.
 ValidatorBlock LenRangeValidator(NSUInteger min_length, NSUInteger max_length) {
   return ^bool(NSString *val, NSError **err) {
     if (val.length < min_length) {
@@ -379,6 +406,16 @@ std::variant<Unit, ProcessList> VerifyConfigWatchItemProcesses(NSDictionary *wat
 ///     <false/>
 ///     <key>InvertProcessExceptions</key>
 ///     <false/>
+///     <key>EnableSilentMode</key>
+///     <true/>
+///     <key>EnableSilentTTYMode</key>
+///     <true/>
+///     <key>BlockMessage</key>
+///     <string>...</string>
+///     <key>EventDetailURL</key>
+///     <string>...</string>
+///     <key>EventDetailText</key>
+///     <string>...</string>
 ///   </dict>
 ///   <key>Processes</key>
 ///   <array>
@@ -405,31 +442,48 @@ bool ParseConfigSingleWatchItem(NSString *name, NSDictionary *watch_item,
 
   NSDictionary *options = watch_item[kWatchItemConfigKeyOptions];
   if (options) {
-    if (!VerifyConfigKey(options, kWatchItemConfigKeyOptionsAllowReadAccess, [NSNumber class],
-                         err)) {
+    NSArray<NSString *> *boolOptions = @[
+      kWatchItemConfigKeyOptionsAllowReadAccess,
+      kWatchItemConfigKeyOptionsAuditOnly,
+      kWatchItemConfigKeyOptionsInvertProcessExceptions,
+      kWatchItemConfigKeyOptionsEnableSilentMode,
+      kWatchItemConfigKeyOptionsEnableSilentTTYMode,
+    ];
+
+    for (NSString *key in boolOptions) {
+      if (!VerifyConfigKey(options, key, [NSNumber class], err)) {
+        return false;
+      }
+    }
+
+    if (!VerifyConfigKey(options, kWatchItemConfigKeyOptionsCustomMessage, [NSString class], err,
+                         false,
+                         LenRangeValidator(0, kWatchItemConfigOptionCustomMessageMaxLength))) {
       return false;
     }
 
-    if (!VerifyConfigKey(options, kWatchItemConfigKeyOptionsAuditOnly, [NSNumber class], err)) {
+    if (!VerifyConfigKey(options, kWatchItemConfigKeyOptionsEventDetailURL, [NSString class], err,
+                         false, LenRangeValidator(0, kWatchItemConfigEventDetailURLMaxLength))) {
       return false;
     }
 
-    if (!VerifyConfigKey(options, kWatchItemConfigKeyOptionsInvertProcessExceptions,
-                         [NSNumber class], err)) {
+    if (!VerifyConfigKey(options, kWatchItemConfigKeyOptionsEventDetailText, [NSString class], err,
+                         false, LenRangeValidator(0, kWatchItemConfigEventDetailTextMaxLength))) {
       return false;
     }
   }
 
-  bool allow_read_access = options[kWatchItemConfigKeyOptionsAllowReadAccess]
-                             ? [options[kWatchItemConfigKeyOptionsAllowReadAccess] boolValue]
-                             : kWatchItemPolicyDefaultAllowReadAccess;
-  bool audit_only = options[kWatchItemConfigKeyOptionsAuditOnly]
-                      ? [options[kWatchItemConfigKeyOptionsAuditOnly] boolValue]
-                      : kWatchItemPolicyDefaultAuditOnly;
+  bool allow_read_access = GetBoolValue(options, kWatchItemConfigKeyOptionsAllowReadAccess,
+                                        kWatchItemPolicyDefaultAllowReadAccess);
+  bool audit_only =
+    GetBoolValue(options, kWatchItemConfigKeyOptionsAuditOnly, kWatchItemPolicyDefaultAuditOnly);
   bool invert_process_exceptions =
-    options[kWatchItemConfigKeyOptionsInvertProcessExceptions]
-      ? [options[kWatchItemConfigKeyOptionsInvertProcessExceptions] boolValue]
-      : kWatchItemPolicyDefaultInvertProcessExceptions;
+    GetBoolValue(options, kWatchItemConfigKeyOptionsInvertProcessExceptions,
+                 kWatchItemPolicyDefaultInvertProcessExceptions);
+  bool enable_silent_mode = GetBoolValue(options, kWatchItemConfigKeyOptionsEnableSilentMode,
+                                         kWatchItemPolicyDefaultEnableSilentMode);
+  bool enable_silent_tty_mode = GetBoolValue(options, kWatchItemConfigKeyOptionsEnableSilentTTYMode,
+                                             kWatchItemPolicyDefaultEnableSilentTTYMode);
 
   std::variant<Unit, ProcessList> proc_list = VerifyConfigWatchItemProcesses(watch_item, err);
   if (std::holds_alternative<Unit>(proc_list)) {
@@ -439,7 +493,11 @@ bool ParseConfigSingleWatchItem(NSString *name, NSDictionary *watch_item,
   for (const PathAndTypePair &path_type_pair : std::get<PathList>(path_list)) {
     policies.push_back(std::make_shared<WatchItemPolicy>(
       NSStringToUTF8StringView(name), path_type_pair.first, path_type_pair.second,
-      allow_read_access, audit_only, invert_process_exceptions, std::get<ProcessList>(proc_list)));
+      allow_read_access, audit_only, invert_process_exceptions, enable_silent_mode,
+      enable_silent_tty_mode,
+      NSStringToUTF8StringView(options[kWatchItemConfigKeyOptionsCustomMessage]),
+      options[kWatchItemConfigKeyOptionsEventDetailURL],
+      options[kWatchItemConfigKeyOptionsEventDetailText], std::get<ProcessList>(proc_list)));
   }
 
   return true;
@@ -487,6 +545,16 @@ bool ParseConfig(NSDictionary *config, std::vector<std::shared_ptr<WatchItemPoli
     return false;
   }
 
+  if (!VerifyConfigKey(config, kWatchItemConfigKeyEventDetailURL, [NSString class], err, false,
+                       LenRangeValidator(0, kWatchItemConfigEventDetailURLMaxLength))) {
+    return false;
+  }
+
+  if (!VerifyConfigKey(config, kWatchItemConfigKeyEventDetailText, [NSString class], err, false,
+                       LenRangeValidator(0, kWatchItemConfigEventDetailTextMaxLength))) {
+    return false;
+  }
+
   if (config[kWatchItemConfigKeyWatchItems] &&
       ![config[kWatchItemConfigKeyWatchItems] isKindOfClass:[NSDictionary class]]) {
     PopulateError(err, [NSString stringWithFormat:@"Top level key '%@' must be a dictionary",
@@ -661,8 +729,18 @@ void WatchItems::UpdateCurrentState(
     current_config_ = new_config;
     if (new_config) {
       policy_version_ = NSStringToUTF8String(new_config[kWatchItemConfigKeyVersion]);
+      // Non-existent kWatchItemConfigKeyEventDetailURL key or zero length value
+      // will both result in a nil global policy event detail URL.
+      if (((NSString *)new_config[kWatchItemConfigKeyEventDetailURL]).length) {
+        policy_event_detail_url_ = new_config[kWatchItemConfigKeyEventDetailURL];
+      } else {
+        policy_event_detail_url_ = nil;
+      }
+      policy_event_detail_text_ = new_config[kWatchItemConfigKeyEventDetailText];
     } else {
       policy_version_ = "";
+      policy_event_detail_url_ = nil;
+      policy_event_detail_text_ = nil;
     }
 
     last_update_time_ = [[NSDate date] timeIntervalSince1970];
@@ -794,4 +872,29 @@ std::optional<WatchItemsState> WatchItems::State() {
   return state;
 }
 
+std::pair<NSString *, NSString *> WatchItems::EventDetailLinkInfo(
+  const std::shared_ptr<WatchItemPolicy> &watch_item) {
+  absl::ReaderMutexLock lock(&lock_);
+  if (!watch_item) {
+    return {policy_event_detail_url_, policy_event_detail_text_};
+  }
+
+  NSString *url = watch_item->event_detail_url.has_value() ? watch_item->event_detail_url.value()
+                                                           : policy_event_detail_url_;
+
+  NSString *text = watch_item->event_detail_text.has_value() ? watch_item->event_detail_text.value()
+                                                             : policy_event_detail_text_;
+
+  // Ensure empty strings are repplaced with nil
+  if (!url.length) {
+    url = nil;
+  }
+
+  if (!text.length) {
+    text = nil;
+  }
+
+  return {url, text};
+}
+
 }  // namespace santa::santad::data_layer

Source/santad/DataLayer/WatchItemsTest.mm

@@ -93,10 +93,6 @@ static NSMutableDictionary *WrapWatchItemsConfig(NSDictionary *config) {
   return [@{@"Version" : @(kVersion.data()), @"WatchItems" : [config mutableCopy]} mutableCopy];
 }
 
-static NSString *RepeatedString(NSString *str, NSUInteger len) {
-  return [@"" stringByPaddingToLength:len withString:str startingAtIndex:0];
-}
-
 @interface WatchItemsTest : XCTestCase
 @property NSFileManager *fileMgr;
 @property NSString *testDir;
@@ -757,37 +753,66 @@ static NSString *RepeatedString(NSString *str, NSUInteger len) {
     &err));
 
   // Options keys must be valid types
-  XCTAssertFalse(ParseConfigSingleWatchItem(@"", @{
-    kWatchItemConfigKeyPaths : @[ @"a" ],
-    kWatchItemConfigKeyOptions : @{kWatchItemConfigKeyOptionsAllowReadAccess : @""}
-  },
-                                            policies, &err));
-  XCTAssertTrue(ParseConfigSingleWatchItem(@"", @{
-    kWatchItemConfigKeyPaths : @[ @"a" ],
-    kWatchItemConfigKeyOptions : @{kWatchItemConfigKeyOptionsAllowReadAccess : @(0)}
-  },
-                                           policies, &err));
-  XCTAssertFalse(ParseConfigSingleWatchItem(@"", @{
-    kWatchItemConfigKeyPaths : @[ @"a" ],
-    kWatchItemConfigKeyOptions : @{kWatchItemConfigKeyOptionsAuditOnly : @""}
-  },
-                                            policies, &err));
-  XCTAssertTrue(ParseConfigSingleWatchItem(@"", @{
-    kWatchItemConfigKeyPaths : @[ @"a" ],
-    kWatchItemConfigKeyOptions : @{kWatchItemConfigKeyOptionsAuditOnly : @(0)}
-  },
-                                           policies, &err));
+  {
+    // Check bool option keys
+    for (NSString *key in @[
+           kWatchItemConfigKeyOptionsAllowReadAccess,
+           kWatchItemConfigKeyOptionsAuditOnly,
+           kWatchItemConfigKeyOptionsInvertProcessExceptions,
+           kWatchItemConfigKeyOptionsEnableSilentMode,
+           kWatchItemConfigKeyOptionsEnableSilentTTYMode,
+         ]) {
+      // Parse bool option with invliad type
+      XCTAssertFalse(ParseConfigSingleWatchItem(
+        @"",
+        @{kWatchItemConfigKeyPaths : @[ @"a" ],
+          kWatchItemConfigKeyOptions : @{key : @""}},
+        policies, &err));
 
-  XCTAssertFalse(ParseConfigSingleWatchItem(@"", @{
-    kWatchItemConfigKeyPaths : @[ @"a" ],
-    kWatchItemConfigKeyOptions : @{kWatchItemConfigKeyOptionsInvertProcessExceptions : @""}
-  },
-                                            policies, &err));
-  XCTAssertTrue(ParseConfigSingleWatchItem(@"", @{
-    kWatchItemConfigKeyPaths : @[ @"a" ],
-    kWatchItemConfigKeyOptions : @{kWatchItemConfigKeyOptionsInvertProcessExceptions : @(0)}
-  },
-                                           policies, &err));
+      // Parse bool option with valid type
+      XCTAssertTrue(ParseConfigSingleWatchItem(
+        @"",
+        @{kWatchItemConfigKeyPaths : @[ @"a" ],
+          kWatchItemConfigKeyOptions : @{key : @(0)}},
+        policies, &err));
+    }
+
+    // Check other option keys
+
+    // kWatchItemConfigKeyOptionsCustomMessage - Invalid type
+    XCTAssertFalse(ParseConfigSingleWatchItem(
+      @"", @{
+        kWatchItemConfigKeyPaths : @[ @"a" ],
+        kWatchItemConfigKeyOptions : @{kWatchItemConfigKeyOptionsCustomMessage : @[]}
+      },
+      policies, &err));
+
+    // kWatchItemConfigKeyOptionsCustomMessage zero length
+    XCTAssertTrue(ParseConfigSingleWatchItem(
+      @"", @{
+        kWatchItemConfigKeyPaths : @[ @"a" ],
+        kWatchItemConfigKeyOptions : @{kWatchItemConfigKeyOptionsCustomMessage : @""}
+      },
+      policies, &err));
+
+    // kWatchItemConfigKeyOptionsCustomMessage valid "normal" length
+    XCTAssertTrue(ParseConfigSingleWatchItem(
+      @"", @{
+        kWatchItemConfigKeyPaths : @[ @"a" ],
+        kWatchItemConfigKeyOptions :
+          @{kWatchItemConfigKeyOptionsCustomMessage : @"This is a custom message"}
+      },
+      policies, &err));
+
+    // kWatchItemConfigKeyOptionsCustomMessage Invalid "long" length
+    XCTAssertFalse(ParseConfigSingleWatchItem(
+      @"", @{
+        kWatchItemConfigKeyPaths : @[ @"a" ],
+        kWatchItemConfigKeyOptions :
+          @{kWatchItemConfigKeyOptionsCustomMessage : RepeatedString(@"A", 4096)}
+      },
+      policies, &err));
+  }
 
   // If processes are specified, they must be valid format
   // Note: Full tests in `testVerifyConfigWatchItemProcesses`
@@ -806,7 +831,7 @@ static NSString *RepeatedString(NSString *str, NSUInteger len) {
     *policies[0].get(),
     WatchItemPolicy("rule", "a", kWatchItemPolicyDefaultPathType,
                     kWatchItemPolicyDefaultAllowReadAccess, kWatchItemPolicyDefaultAuditOnly,
-                    kWatchItemPolicyDefaultInvertProcessExceptions, {}));
+                    kWatchItemPolicyDefaultInvertProcessExceptions));
 
   // Test multiple paths, options, and processes
   policies.clear();
@@ -822,6 +847,9 @@ static NSString *RepeatedString(NSString *str, NSUInteger len) {
       kWatchItemConfigKeyOptionsAllowReadAccess : @(YES),
       kWatchItemConfigKeyOptionsAuditOnly : @(NO),
       kWatchItemConfigKeyOptionsInvertProcessExceptions : @(YES),
+      kWatchItemConfigKeyOptionsEnableSilentMode : @(YES),
+      kWatchItemConfigKeyOptionsEnableSilentMode : @(NO),
+      kWatchItemConfigKeyOptionsCustomMessage : @"",
     },
     kWatchItemConfigKeyProcesses : @[
       @{kWatchItemConfigKeyProcessesBinaryPath : @"pa"},
@@ -829,11 +857,14 @@ static NSString *RepeatedString(NSString *str, NSUInteger len) {
     ]
   },
                                            policies, &err));
+
   XCTAssertEqual(policies.size(), 2);
-  XCTAssertEqual(*policies[0].get(), WatchItemPolicy("rule", "a", kWatchItemPolicyDefaultPathType,
-                                                     true, false, true, procs));
-  XCTAssertEqual(*policies[1].get(), WatchItemPolicy("rule", "b", WatchItemPathType::kPrefix, true,
-                                                     false, true, procs));
+  XCTAssertEqual(*policies[0].get(),
+                 WatchItemPolicy("rule", "a", kWatchItemPolicyDefaultPathType, true, false, true,
+                                 true, false, "", nil, nil, procs));
+  XCTAssertEqual(*policies[1].get(),
+                 WatchItemPolicy("rule", "b", WatchItemPathType::kPrefix, true, false, true, true,
+                                 false, "", nil, nil, procs));
 }
 
 - (void)testState {

Source/santad/EventProviders/AuthResultCache.h

@@ -41,6 +41,8 @@ enum class FlushCacheReason {
   kStaticRulesChanged,
   kExplicitCommand,
   kFilesystemUnmounted,
+  kEntitlementsPrefixFilterChanged,
+  kEntitlementsTeamIDFilterChanged,
 };
 
 class AuthResultCache {

Source/santad/EventProviders/AuthResultCache.mm

@@ -31,6 +31,10 @@ static NSString *const kFlushCacheReasonRulesChanged = @"RulesChanged";
 static NSString *const kFlushCacheReasonStaticRulesChanged = @"StaticRulesChanged";
 static NSString *const kFlushCacheReasonExplicitCommand = @"ExplicitCommand";
 static NSString *const kFlushCacheReasonFilesystemUnmounted = @"FilesystemUnmounted";
+static NSString *const kFlushCacheReasonEntitlementsPrefixFilterChanged =
+  @"EntitlementsPrefixFilterChanged";
+static NSString *const kFlushCacheReasonEntitlementsTeamIDFilterChanged =
+  @"EntitlementsTeamIDFilterChanged";
 
 namespace santa::santad::event_providers {
 
@@ -59,8 +63,13 @@ NSString *const FlushCacheReasonToString(FlushCacheReason reason) {
     case FlushCacheReason::kStaticRulesChanged: return kFlushCacheReasonStaticRulesChanged;
     case FlushCacheReason::kExplicitCommand: return kFlushCacheReasonExplicitCommand;
     case FlushCacheReason::kFilesystemUnmounted: return kFlushCacheReasonFilesystemUnmounted;
+    case FlushCacheReason::kEntitlementsPrefixFilterChanged:
+      return kFlushCacheReasonEntitlementsPrefixFilterChanged;
+    case FlushCacheReason::kEntitlementsTeamIDFilterChanged:
+      return kFlushCacheReasonEntitlementsTeamIDFilterChanged;
     default:
-      [NSException raise:@"Invalid reason" format:@"Unknown reason value: %d", reason];
+      [NSException raise:@"Invalid reason"
+                  format:@"Unknown reason value: %d", static_cast<int>(reason)];
       return nil;
   }
 }

Source/santad/EventProviders/AuthResultCacheTest.mm

@@ -230,13 +230,16 @@ static inline void AssertCacheCounts(std::shared_ptr<AuthResultCache> cache, uin
     {FlushCacheReason::kStaticRulesChanged, @"StaticRulesChanged"},
     {FlushCacheReason::kExplicitCommand, @"ExplicitCommand"},
     {FlushCacheReason::kFilesystemUnmounted, @"FilesystemUnmounted"},
+    {FlushCacheReason::kEntitlementsPrefixFilterChanged, @"EntitlementsPrefixFilterChanged"},
+    {FlushCacheReason::kEntitlementsTeamIDFilterChanged, @"EntitlementsTeamIDFilterChanged"},
   };
 
   for (const auto &kv : reasonToString) {
     XCTAssertEqualObjects(FlushCacheReasonToString(kv.first), kv.second);
   }
 
-  XCTAssertThrows(FlushCacheReasonToString((FlushCacheReason)12345));
+  XCTAssertThrows(FlushCacheReasonToString(
+    (FlushCacheReason)(static_cast<int>(FlushCacheReason::kEntitlementsTeamIDFilterChanged) + 1)));
 }
 
 @end

Source/santad/EventProviders/DiskArbitrationTestUtil.h

@@ -16,6 +16,9 @@
 #include <CoreFoundation/CoreFoundation.h>
 #include <DiskArbitration/DiskArbitration.h>
 #include <Foundation/Foundation.h>
+#include <sys/mount.h>
+#include <sys/param.h>
+#include <sys/ucred.h>
 
 NS_ASSUME_NONNULL_BEGIN
 
@@ -27,6 +30,8 @@ NS_ASSUME_NONNULL_BEGIN
 @interface MockDADisk : NSObject
 @property(nonatomic) NSDictionary *diskDescription;
 @property(nonatomic, readwrite) NSString *name;
+@property(nonatomic) BOOL wasMounted;
+@property(nonatomic) BOOL wasUnmounted;
 @end
 
 typedef void (^MockDADiskAppearedCallback)(DADiskRef ref);
@@ -36,19 +41,35 @@ typedef void (^MockDADiskAppearedCallback)(DADiskRef ref);
   NSMutableDictionary<NSString *, MockDADisk *> *insertedDevices;
 @property(nonatomic, readwrite, nonnull)
   NSMutableArray<MockDADiskAppearedCallback> *diskAppearedCallbacks;
-@property(nonatomic) BOOL wasRemounted;
 @property(nonatomic, nullable) dispatch_queue_t sessionQueue;
 
 - (instancetype _Nonnull)init;
 - (void)reset;
 
 // Also triggers DADiskRegisterDiskAppearedCallback
-- (void)insert:(MockDADisk *)ref bsdName:(NSString *)bsdName;
+- (void)insert:(MockDADisk *)ref;
 
 // Retrieve an initialized singleton MockDiskArbitration object
 + (instancetype _Nonnull)mockDiskArbitration;
 @end
 
+@interface MockStatfs : NSObject
+@property NSString *fromName;
+@property NSString *onName;
+@property NSNumber *flags;
+
+- (instancetype _Nonnull)initFrom:(NSString *)from on:(NSString *)on flags:(NSNumber *)flags;
+@end
+
+@interface MockMounts : NSObject
+@property(nonatomic) NSMutableDictionary<NSString *, MockStatfs *> *mounts;
+
+- (instancetype _Nonnull)init;
+- (void)reset;
+- (void)insert:(MockStatfs *)sfs;
++ (instancetype _Nonnull)mockMounts;
+@end
+
 //
 // All DiskArbitration functions used in SNTEndpointSecurityDeviceManager
 // and shimmed out accordingly.
@@ -81,5 +102,9 @@ void DARegisterDiskDescriptionChangedCallback(DASessionRef session,
 void DASessionSetDispatchQueue(DASessionRef session, dispatch_queue_t __nullable queue);
 DASessionRef __nullable DASessionCreate(CFAllocatorRef __nullable allocator);
 
+void DADiskUnmount(DADiskRef disk, DADiskUnmountOptions options,
+                   DADiskUnmountCallback __nullable callback, void *__nullable context);
+int getmntinfo_r_np(struct statfs *__nullable *__nullable mntbufp, int flags);
+
 CF_EXTERN_C_END
 NS_ASSUME_NONNULL_END

Source/santad/EventProviders/DiskArbitrationTestUtil.mm

@@ -14,6 +14,9 @@
 #import <Foundation/Foundation.h>
 
 #include <stdlib.h>
+#include <sys/mount.h>
+#include <sys/param.h>
+#include <sys/ucred.h>
 
 #import "Source/santad/EventProviders/DiskArbitrationTestUtil.h"
 
@@ -37,11 +40,14 @@ NS_ASSUME_NONNULL_BEGIN
   [self.insertedDevices removeAllObjects];
   [self.diskAppearedCallbacks removeAllObjects];
   self.sessionQueue = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0);
-  self.wasRemounted = NO;
 }
 
-- (void)insert:(MockDADisk *)ref bsdName:(NSString *)bsdName {
-  self.insertedDevices[bsdName] = ref;
+- (void)insert:(MockDADisk *)ref {
+  if (!ref.diskDescription[@"DAMediaBSDName"]) {
+    [NSException raise:@"Missing DAMediaBSDName"
+                format:@"The MockDADisk is missing the DAMediaBSDName diskDescription key."];
+  }
+  self.insertedDevices[ref.diskDescription[@"DAMediaBSDName"]] = ref;
 
   for (MockDADiskAppearedCallback callback in self.diskAppearedCallbacks) {
     dispatch_sync(self.sessionQueue, ^{
@@ -62,12 +68,58 @@ NS_ASSUME_NONNULL_BEGIN
 
 @end
 
+@implementation MockStatfs
+- (instancetype _Nonnull)initFrom:(NSString *)from on:(NSString *)on flags:(NSNumber *)flags {
+  self = [super init];
+  if (self) {
+    _fromName = from;
+    _onName = on;
+    _flags = flags;
+  }
+  return self;
+}
+@end
+
+@implementation MockMounts
+
+- (instancetype _Nonnull)init {
+  self = [super init];
+  if (self) {
+    _mounts = [NSMutableDictionary dictionary];
+  }
+  return self;
+}
+
+- (void)reset {
+  [self.mounts removeAllObjects];
+}
+
+- (void)insert:(MockStatfs *)sfs {
+  self.mounts[sfs.fromName] = sfs;
+}
+
++ (instancetype _Nonnull)mockMounts {
+  static MockMounts *sharedMounts;
+  static dispatch_once_t onceToken;
+  dispatch_once(&onceToken, ^{
+    sharedMounts = [[MockMounts alloc] init];
+  });
+  return sharedMounts;
+}
+
+@end
+
 void DADiskMountWithArguments(DADiskRef _Nonnull disk, CFURLRef __nullable path,
                               DADiskMountOptions options, DADiskMountCallback __nullable callback,
                               void *__nullable context,
                               CFStringRef __nullable arguments[_Nullable]) {
-  MockDiskArbitration *mockDA = [MockDiskArbitration mockDiskArbitration];
-  mockDA.wasRemounted = YES;
+  MockDADisk *mockDisk = (__bridge MockDADisk *)disk;
+  mockDisk.wasMounted = YES;
+
+  if (context) {
+    dispatch_semaphore_t sema = (__bridge dispatch_semaphore_t)context;
+    dispatch_semaphore_signal(sema);
+  }
 }
 
 DADiskRef __nullable DADiskCreateFromBSDName(CFAllocatorRef __nullable allocator,
@@ -117,4 +169,32 @@ DASessionRef __nullable DASessionCreate(CFAllocatorRef __nullable allocator) {
   return (__bridge DASessionRef)[MockDiskArbitration mockDiskArbitration];
 };
 
+void DADiskUnmount(DADiskRef disk, DADiskUnmountOptions options,
+                   DADiskUnmountCallback __nullable callback, void *__nullable context) {
+  MockDADisk *mockDisk = (__bridge MockDADisk *)disk;
+  mockDisk.wasUnmounted = YES;
+
+  dispatch_semaphore_t sema = (__bridge dispatch_semaphore_t)context;
+  dispatch_semaphore_signal(sema);
+}
+
+int getmntinfo_r_np(struct statfs *__nullable *__nullable mntbufp, int flags) {
+  MockMounts *mockMounts = [MockMounts mockMounts];
+
+  struct statfs *sfs = (struct statfs *)calloc(mockMounts.mounts.count, sizeof(struct statfs));
+
+  __block NSUInteger i = 0;
+  [mockMounts.mounts
+    enumerateKeysAndObjectsUsingBlock:^(NSString *key, MockStatfs *mockSfs, BOOL *stop) {
+      strlcpy(sfs[i].f_mntfromname, mockSfs.fromName.UTF8String, sizeof(sfs[i].f_mntfromname));
+      strlcpy(sfs[i].f_mntonname, mockSfs.onName.UTF8String, sizeof(sfs[i].f_mntonname));
+      sfs[i].f_flags = [mockSfs.flags unsignedIntValue];
+      i++;
+    }];
+
+  *mntbufp = sfs;
+
+  return (int)mockMounts.mounts.count;
+}
+
 NS_ASSUME_NONNULL_END

Source/santad/EventProviders/EndpointSecurity/EnrichedTypes.h

@@ -320,9 +320,19 @@ class EnrichedUnlink : public EnrichedEventType {
   EnrichedFile target_;
 };
 
+class EnrichedCSInvalidated : public EnrichedEventType {
+ public:
+  EnrichedCSInvalidated(Message &&es_msg, EnrichedProcess &&instigator)
+      : EnrichedEventType(std::move(es_msg), std::move(instigator)) {}
+  EnrichedCSInvalidated(EnrichedCSInvalidated &&other)
+      : EnrichedEventType(std::move(other)) {}
+  EnrichedCSInvalidated(const EnrichedCSInvalidated &other) = delete;
+};
+
 using EnrichedType =
     std::variant<EnrichedClose, EnrichedExchange, EnrichedExec, EnrichedExit,
-                 EnrichedFork, EnrichedLink, EnrichedRename, EnrichedUnlink>;
+                 EnrichedFork, EnrichedLink, EnrichedRename, EnrichedUnlink,
+                 EnrichedCSInvalidated>;
 
 class EnrichedMessage {
  public:

Source/santad/EventProviders/EndpointSecurity/Enricher.mm

@@ -74,6 +74,9 @@ std::unique_ptr<EnrichedMessage> Enricher::Enrich(Message &&es_msg) {
     case ES_EVENT_TYPE_NOTIFY_UNLINK:
       return std::make_unique<EnrichedMessage>(EnrichedUnlink(
         std::move(es_msg), Enrich(*es_msg->process), Enrich(*es_msg->event.unlink.target)));
+    case ES_EVENT_TYPE_NOTIFY_CS_INVALIDATED:
+      return std::make_unique<EnrichedMessage>(
+        EnrichedCSInvalidated(std::move(es_msg), Enrich(*es_msg->process)));
     default:
       // This is a programming error
       LOGE(@"Attempting to enrich an unhandled event type: %d", es_msg->event_type);

Source/santad/EventProviders/SNTEndpointSecurityClientTest.mm

@@ -322,11 +322,14 @@ using santa::santad::event_providers::endpoint_security::Message;
 
   // Ensure all paths are attempted to be muted even if some fail.
   // Ensure if any paths fail the overall result is false.
-  EXPECT_CALL(*mockESApi, MuteTargetPath(testing::_, "a", WatchItemPathType::kLiteral))
+  EXPECT_CALL(*mockESApi,
+              MuteTargetPath(testing::_, std::string_view("a"), WatchItemPathType::kLiteral))
     .WillOnce(testing::Return(true));
-  EXPECT_CALL(*mockESApi, MuteTargetPath(testing::_, "b", WatchItemPathType::kLiteral))
+  EXPECT_CALL(*mockESApi,
+              MuteTargetPath(testing::_, std::string_view("b"), WatchItemPathType::kLiteral))
     .WillOnce(testing::Return(false));
-  EXPECT_CALL(*mockESApi, MuteTargetPath(testing::_, "c", WatchItemPathType::kPrefix))
+  EXPECT_CALL(*mockESApi,
+              MuteTargetPath(testing::_, std::string_view("c"), WatchItemPathType::kPrefix))
     .WillOnce(testing::Return(true));
 
   std::vector<std::pair<std::string, WatchItemPathType>> paths = {
@@ -349,11 +352,14 @@ using santa::santad::event_providers::endpoint_security::Message;
 
   // Ensure all paths are attempted to be unmuted even if some fail.
   // Ensure if any paths fail the overall result is false.
-  EXPECT_CALL(*mockESApi, UnmuteTargetPath(testing::_, "a", WatchItemPathType::kLiteral))
+  EXPECT_CALL(*mockESApi,
+              UnmuteTargetPath(testing::_, std::string_view("a"), WatchItemPathType::kLiteral))
     .WillOnce(testing::Return(true));
-  EXPECT_CALL(*mockESApi, UnmuteTargetPath(testing::_, "b", WatchItemPathType::kLiteral))
+  EXPECT_CALL(*mockESApi,
+              UnmuteTargetPath(testing::_, std::string_view("b"), WatchItemPathType::kLiteral))
     .WillOnce(testing::Return(false));
-  EXPECT_CALL(*mockESApi, UnmuteTargetPath(testing::_, "c", WatchItemPathType::kPrefix))
+  EXPECT_CALL(*mockESApi,
+              UnmuteTargetPath(testing::_, std::string_view("c"), WatchItemPathType::kPrefix))
     .WillOnce(testing::Return(true));
 
   std::vector<std::pair<std::string, WatchItemPathType>> paths = {

Source/santad/EventProviders/SNTEndpointSecurityDeviceManager.h

@@ -15,6 +15,7 @@
 #include <DiskArbitration/DiskArbitration.h>
 #import <Foundation/Foundation.h>
 
+#import "Source/common/SNTCommonEnums.h"
 #import "Source/common/SNTDeviceEvent.h"
 #import "Source/santad/EventProviders/AuthResultCache.h"
 #include "Source/santad/EventProviders/EndpointSecurity/EndpointSecurityAPI.h"
@@ -39,11 +40,16 @@ typedef void (^SNTDeviceBlockCallback)(SNTDeviceEvent *event);
 @property(nonatomic, nullable) SNTDeviceBlockCallback deviceBlockCallback;
 
 - (instancetype)
-    initWithESAPI:
-      (std::shared_ptr<santa::santad::event_providers::endpoint_security::EndpointSecurityAPI>)esApi
-          metrics:(std::shared_ptr<santa::santad::Metrics>)metrics
-           logger:(std::shared_ptr<santa::santad::logs::endpoint_security::Logger>)logger
-  authResultCache:(std::shared_ptr<santa::santad::event_providers::AuthResultCache>)authResultCache;
+       initWithESAPI:
+         (std::shared_ptr<santa::santad::event_providers::endpoint_security::EndpointSecurityAPI>)
+           esApi
+             metrics:(std::shared_ptr<santa::santad::Metrics>)metrics
+              logger:(std::shared_ptr<santa::santad::logs::endpoint_security::Logger>)logger
+     authResultCache:
+       (std::shared_ptr<santa::santad::event_providers::AuthResultCache>)authResultCache
+       blockUSBMount:(BOOL)blockUSBMount
+      remountUSBMode:(nullable NSArray<NSString *> *)remountUSBMode
+  startupPreferences:(SNTDeviceManagerStartupPreferences)startupPrefs;
 
 @end
 

Source/santad/EventProviders/SNTEndpointSecurityDeviceManager.mm

@@ -24,9 +24,12 @@
 #include <errno.h>
 #include <libproc.h>
 #include <sys/mount.h>
+#include <sys/param.h>
+#include <sys/ucred.h>
 
 #import "Source/common/SNTDeviceEvent.h"
 #import "Source/common/SNTLogging.h"
+#import "Source/common/SNTMetricSet.h"
 #include "Source/santad/EventProviders/EndpointSecurity/Message.h"
 #include "Source/santad/Metrics.h"
 
@@ -38,32 +41,53 @@ using santa::santad::event_providers::endpoint_security::EndpointSecurityAPI;
 using santa::santad::event_providers::endpoint_security::Message;
 using santa::santad::logs::endpoint_security::Logger;
 
+// Defined operations for startup metrics:
+// Device shouldn't be operated on (e.g. not a mass storage device)
+static NSString *const kMetricStartupDiskOperationSkip = @"Skipped";
+// Device already had appropriate flags set
+static NSString *const kMetricStartupDiskOperationAllowed = @"Allowed";
+// Device failed to be unmounted
+static NSString *const kMetricStartupDiskOperationUnmountFailed = @"UnmountFailed";
+// Device failed to be remounted
+static NSString *const kMetricStartupDiskOperationRemountFailed = @"RemountFailed";
+// Remounts were requested, but remount args weren't set
+static NSString *const kMetricStartupDiskOperationRemountSkipped = @"RemountSkipped";
+// Operations on device matching the configured startup pref wwere successful
+static NSString *const kMetricStartupDiskOperationSuccess = @"Success";
+
 @interface SNTEndpointSecurityDeviceManager ()
 
 - (void)logDiskAppeared:(NSDictionary *)props;
 - (void)logDiskDisappeared:(NSDictionary *)props;
 
+@property SNTMetricCounter *startupDiskMetrics;
 @property DASessionRef diskArbSession;
 @property(nonatomic, readonly) dispatch_queue_t diskQueue;
+@property dispatch_semaphore_t diskSema;
 
 @end
 
-void diskMountedCallback(DADiskRef disk, DADissenterRef dissenter, void *context) {
+void DiskMountedCallback(DADiskRef disk, DADissenterRef dissenter, void *context) {
   if (dissenter) {
     DAReturn status = DADissenterGetStatus(dissenter);
 
-    NSString *statusString = (NSString *)DADissenterGetStatusString(dissenter);
     IOReturn systemCode = err_get_system(status);
     IOReturn subSystemCode = err_get_sub(status);
     IOReturn errorCode = err_get_code(status);
 
     LOGE(@"SNTEndpointSecurityDeviceManager: dissenter status codes: system: %d, subsystem: %d, "
-         @"err: %d; status: %s",
-         systemCode, subSystemCode, errorCode, [statusString UTF8String]);
+         @"err: %d; status: %@",
+         systemCode, subSystemCode, errorCode,
+         CFBridgingRelease(DADissenterGetStatusString(dissenter)));
+  }
+
+  if (context) {
+    dispatch_semaphore_t sema = (__bridge dispatch_semaphore_t)context;
+    dispatch_semaphore_signal(sema);
   }
 }
 
-void diskAppearedCallback(DADiskRef disk, void *context) {
+void DiskAppearedCallback(DADiskRef disk, void *context) {
   NSDictionary *props = CFBridgingRelease(DADiskCopyDescription(disk));
   if (![props[@"DAVolumeMountable"] boolValue]) return;
   SNTEndpointSecurityDeviceManager *dm = (__bridge SNTEndpointSecurityDeviceManager *)context;
@@ -71,7 +95,7 @@ void diskAppearedCallback(DADiskRef disk, void *context) {
   [dm logDiskAppeared:props];
 }
 
-void diskDescriptionChangedCallback(DADiskRef disk, CFArrayRef keys, void *context) {
+void DiskDescriptionChangedCallback(DADiskRef disk, CFArrayRef keys, void *context) {
   NSDictionary *props = CFBridgingRelease(DADiskCopyDescription(disk));
   if (![props[@"DAVolumeMountable"] boolValue]) return;
 
@@ -82,7 +106,7 @@ void diskDescriptionChangedCallback(DADiskRef disk, CFArrayRef keys, void *conte
   }
 }
 
-void diskDisappearedCallback(DADiskRef disk, void *context) {
+void DiskDisappearedCallback(DADiskRef disk, void *context) {
   NSDictionary *props = CFBridgingRelease(DADiskCopyDescription(disk));
   if (![props[@"DAVolumeMountable"] boolValue]) return;
 
@@ -91,7 +115,22 @@ void diskDisappearedCallback(DADiskRef disk, void *context) {
   [dm logDiskDisappeared:props];
 }
 
-NSArray<NSString *> *maskToMountArgs(long remountOpts) {
+void DiskUnmountCallback(DADiskRef disk, DADissenterRef dissenter, void *context) {
+  if (dissenter) {
+    LOGW(@"Unable to unmount device: %@", CFBridgingRelease(DADissenterGetStatusString(dissenter)));
+  } else if (disk) {
+    NSDictionary *diskInfo = CFBridgingRelease(DADiskCopyDescription(disk));
+    LOGI(@"Unmounted device: Model: %@, Vendor: %@, Path: %@",
+         diskInfo[(__bridge NSString *)kDADiskDescriptionDeviceModelKey],
+         diskInfo[(__bridge NSString *)kDADiskDescriptionDeviceVendorKey],
+         diskInfo[(__bridge NSString *)kDADiskDescriptionVolumePathKey]);
+  }
+
+  dispatch_semaphore_t sema = (__bridge dispatch_semaphore_t)context;
+  dispatch_semaphore_signal(sema);
+}
+
+NSArray<NSString *> *maskToMountArgs(uint32_t remountOpts) {
   NSMutableArray<NSString *> *args = [NSMutableArray array];
   if (remountOpts & MNT_RDONLY) [args addObject:@"rdonly"];
   if (remountOpts & MNT_NOEXEC) [args addObject:@"noexec"];
@@ -104,28 +143,29 @@ NSArray<NSString *> *maskToMountArgs(long remountOpts) {
   return args;
 }
 
-long mountArgsToMask(NSArray<NSString *> *args) {
-  long flags = 0;
+uint32_t mountArgsToMask(NSArray<NSString *> *args) {
+  uint32_t flags = 0;
   for (NSString *i in args) {
     NSString *arg = [i lowercaseString];
-    if ([arg isEqualToString:@"rdonly"])
+    if ([arg isEqualToString:@"rdonly"]) {
       flags |= MNT_RDONLY;
-    else if ([arg isEqualToString:@"noexec"])
+    } else if ([arg isEqualToString:@"noexec"]) {
       flags |= MNT_NOEXEC;
-    else if ([arg isEqualToString:@"nosuid"])
+    } else if ([arg isEqualToString:@"nosuid"]) {
       flags |= MNT_NOSUID;
-    else if ([arg isEqualToString:@"nobrowse"])
+    } else if ([arg isEqualToString:@"nobrowse"]) {
       flags |= MNT_DONTBROWSE;
-    else if ([arg isEqualToString:@"noowners"])
+    } else if ([arg isEqualToString:@"noowners"]) {
       flags |= MNT_UNKNOWNPERMISSIONS;
-    else if ([arg isEqualToString:@"nodev"])
+    } else if ([arg isEqualToString:@"nodev"]) {
       flags |= MNT_NODEV;
-    else if ([arg isEqualToString:@"-j"])
+    } else if ([arg isEqualToString:@"-j"]) {
       flags |= MNT_JOURNALED;
-    else if ([arg isEqualToString:@"async"])
+    } else if ([arg isEqualToString:@"async"]) {
       flags |= MNT_ASYNC;
-    else
+    } else {
       LOGE(@"SNTEndpointSecurityDeviceManager: unexpected mount arg: %@", arg);
+    }
   }
   return flags;
 }
@@ -140,25 +180,205 @@ NS_ASSUME_NONNULL_BEGIN
 - (instancetype)initWithESAPI:(std::shared_ptr<EndpointSecurityAPI>)esApi
                       metrics:(std::shared_ptr<santa::santad::Metrics>)metrics
                        logger:(std::shared_ptr<Logger>)logger
-              authResultCache:(std::shared_ptr<AuthResultCache>)authResultCache {
+              authResultCache:(std::shared_ptr<AuthResultCache>)authResultCache
+                blockUSBMount:(BOOL)blockUSBMount
+               remountUSBMode:(nullable NSArray<NSString *> *)remountUSBMode
+           startupPreferences:(SNTDeviceManagerStartupPreferences)startupPrefs {
   self = [super initWithESAPI:std::move(esApi)
                       metrics:std::move(metrics)
                     processor:santa::santad::Processor::kDeviceManager];
   if (self) {
     _logger = logger;
     _authResultCache = authResultCache;
-    _blockUSBMount = false;
+    _blockUSBMount = blockUSBMount;
+    _remountArgs = remountUSBMode;
 
     _diskQueue = dispatch_queue_create("com.google.santa.daemon.disk_queue", DISPATCH_QUEUE_SERIAL);
 
     _diskArbSession = DASessionCreate(NULL);
     DASessionSetDispatchQueue(_diskArbSession, _diskQueue);
 
+    SNTMetricInt64Gauge *startupPrefsMetric =
+      [[SNTMetricSet sharedInstance] int64GaugeWithName:@"/santa/device_manager/startup_preference"
+                                             fieldNames:@[]
+                                               helpText:@"The current startup preference value"];
+
+    [[SNTMetricSet sharedInstance] registerCallback:^{
+      [startupPrefsMetric set:startupPrefs forFieldValues:@[]];
+    }];
+
+    _startupDiskMetrics = [[SNTMetricSet sharedInstance]
+      counterWithName:@"/santa/device_manager/startup_disk_operation"
+           fieldNames:@[ @"operation" ]
+             helpText:@"Count of the number of USB devices encountered per operation"];
+
+    [self performStartupTasks:startupPrefs];
+
     [self establishClientOrDie];
   }
   return self;
 }
 
+- (uint32_t)updatedMountFlags:(struct statfs *)sfs {
+  uint32_t mask = sfs->f_flags | mountArgsToMask(self.remountArgs);
+
+  // NB: APFS mounts get MNT_JOURNALED implicitly set. However, mount_apfs
+  // does not support the `-j` option so this flag needs to be cleared.
+  if (strncmp(sfs->f_fstypename, "apfs", sizeof(sfs->f_fstypename)) == 0) {
+    mask &= ~MNT_JOURNALED;
+  }
+
+  return mask;
+}
+
+- (BOOL)shouldOperateOnDisk:(DADiskRef)disk {
+  NSDictionary *diskInfo = CFBridgingRelease(DADiskCopyDescription(disk));
+
+  BOOL isInternal = [diskInfo[(__bridge NSString *)kDADiskDescriptionDeviceInternalKey] boolValue];
+  BOOL isRemovable = [diskInfo[(__bridge NSString *)kDADiskDescriptionMediaRemovableKey] boolValue];
+  BOOL isEjectable = [diskInfo[(__bridge NSString *)kDADiskDescriptionMediaEjectableKey] boolValue];
+  NSString *protocol = diskInfo[(__bridge NSString *)kDADiskDescriptionDeviceProtocolKey];
+  BOOL isUSB = [protocol isEqualToString:@"USB"];
+  BOOL isSecureDigital = [protocol isEqualToString:@"Secure Digital"];
+  BOOL isVirtual = [protocol isEqualToString:@"Virtual Interface"];
+
+  NSString *kind = diskInfo[(__bridge NSString *)kDADiskDescriptionMediaKindKey];
+
+  // TODO: check kind and protocol for banned things (e.g. MTP).
+  LOGD(@"SNTEndpointSecurityDeviceManager: DiskInfo Protocol: %@ Kind: %@ isInternal: %d "
+       @"isRemovable: %d isEjectable: %d",
+       protocol, kind, isInternal, isRemovable, isEjectable);
+
+  // if the device is internal, or virtual *AND* is not an SD Card,
+  // then allow the mount. This is to ensure we block SD cards inserted into
+  // the internal reader of some Macs, whilst also ensuring we don't block
+  // the internal storage device.
+  if ((isInternal || isVirtual) && !isSecureDigital) {
+    return false;
+  }
+
+  // We are okay with operations for devices that are non-removable as long as
+  // they are NOT a USB device, or an SD Card.
+  if (!isRemovable && !isEjectable && !isUSB && !isSecureDigital) {
+    return false;
+  }
+
+  return true;
+}
+
+- (BOOL)haveRemountArgs {
+  return [self.remountArgs count] > 0;
+}
+
+- (BOOL)remountUSBModeContainsFlags:(uint32_t)flags {
+  if (![self haveRemountArgs]) {
+    return false;
+  }
+
+  uint32_t requiredFlags = mountArgsToMask(self.remountArgs);
+
+  LOGD(@" Got mount flags: 0x%08x | %@", flags, maskToMountArgs(flags));
+  LOGD(@"Want mount flags: 0x%08x | %@", mountArgsToMask(self.remountArgs), self.remountArgs);
+
+  return (flags & requiredFlags) == requiredFlags;
+}
+
+- (void)incrementStartupMetricsOperation:(NSString *)op {
+  [self.startupDiskMetrics incrementForFieldValues:@[ op ]];
+}
+
+// NB: Remount options are implemented as separate "unmount" and "mount"
+// operations instead of using the "update"/MNT_UPDATE flag. This is because
+// filesystems often don't support many transitions (e.g. RW to RO). Performing
+// the two step process has a higher chance of succeeding.
+- (void)performStartupTasks:(SNTDeviceManagerStartupPreferences)startupPrefs {
+  if (!self.blockUSBMount || (startupPrefs != SNTDeviceManagerStartupPreferencesUnmount &&
+                              startupPrefs != SNTDeviceManagerStartupPreferencesForceUnmount &&
+                              startupPrefs != SNTDeviceManagerStartupPreferencesRemount &&
+                              startupPrefs != SNTDeviceManagerStartupPreferencesForceRemount)) {
+    return;
+  }
+
+  struct statfs *mnts;
+  int numMounts = getmntinfo_r_np(&mnts, MNT_WAIT);
+
+  if (numMounts == 0) {
+    LOGE(@"Failed to get mount info: %d: %s", errno, strerror(errno));
+    return;
+  }
+
+  self.diskSema = dispatch_semaphore_create(0);
+
+  for (int i = 0; i < numMounts; i++) {
+    struct statfs *sfs = &mnts[i];
+
+    DADiskRef disk = DADiskCreateFromBSDName(NULL, self.diskArbSession, sfs->f_mntfromname);
+    if (!disk) {
+      LOGW(@"Unable to create disk reference for device: '%s' -> '%s'", sfs->f_mntfromname,
+           sfs->f_mntonname);
+      continue;
+    }
+
+    CFAutorelease(disk);
+
+    if (![self shouldOperateOnDisk:disk]) {
+      [self incrementStartupMetricsOperation:kMetricStartupDiskOperationSkip];
+      continue;
+    }
+
+    if ([self remountUSBModeContainsFlags:sfs->f_flags]) {
+      LOGI(@"Allowing existing mount as flags contain RemountUSBMode. '%s' -> '%s'",
+           sfs->f_mntfromname, sfs->f_mntonname);
+      [self incrementStartupMetricsOperation:kMetricStartupDiskOperationAllowed];
+      continue;
+    }
+
+    DADiskUnmountOptions unmountOptions = kDADiskUnmountOptionDefault;
+    if (startupPrefs == SNTDeviceManagerStartupPreferencesForceUnmount ||
+        startupPrefs == SNTDeviceManagerStartupPreferencesForceRemount) {
+      unmountOptions = kDADiskUnmountOptionForce;
+    }
+
+    LOGI(@"Attempting to unmount device: '%s' mounted on '%s'", sfs->f_mntfromname,
+         sfs->f_mntonname);
+
+    DADiskUnmount(disk, unmountOptions, DiskUnmountCallback, (__bridge void *)self.diskSema);
+
+    if (dispatch_semaphore_wait(self.diskSema,
+                                dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC))) {
+      LOGW(
+        @"Unmounting '%s' mounted on '%s' took longer than expected. Device may still be mounted.",
+        sfs->f_mntfromname, sfs->f_mntonname);
+      [self incrementStartupMetricsOperation:kMetricStartupDiskOperationUnmountFailed];
+      continue;
+    }
+
+    if (startupPrefs == SNTDeviceManagerStartupPreferencesRemount ||
+        startupPrefs == SNTDeviceManagerStartupPreferencesForceRemount) {
+      if (![self haveRemountArgs]) {
+        [self incrementStartupMetricsOperation:kMetricStartupDiskOperationRemountSkipped];
+        LOGW(@"Remount requested during startup, but no remount args set. Leaving unmounted.");
+        continue;
+      }
+
+      uint32_t newMode = [self updatedMountFlags:sfs];
+      LOGI(@"Attempting to mount device again changing flags: 0x%08x --> 0x%08x", sfs->f_flags,
+           newMode);
+
+      [self remount:disk mountMode:newMode semaphore:self.diskSema];
+
+      if (dispatch_semaphore_wait(self.diskSema,
+                                  dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC))) {
+        LOGW(@"Failed to remount device after unmounting: %s", sfs->f_mntfromname);
+        [self incrementStartupMetricsOperation:kMetricStartupDiskOperationRemountFailed];
+        continue;
+      }
+    }
+
+    [self incrementStartupMetricsOperation:kMetricStartupDiskOperationSuccess];
+  }
+}
+
 - (void)logDiskAppeared:(NSDictionary *)props {
   self->_logger->LogDiskAppeared(props);
 }
@@ -199,11 +419,11 @@ NS_ASSUME_NONNULL_BEGIN
 }
 
 - (void)enable {
-  DARegisterDiskAppearedCallback(_diskArbSession, NULL, diskAppearedCallback,
+  DARegisterDiskAppearedCallback(_diskArbSession, NULL, DiskAppearedCallback,
                                  (__bridge void *)self);
   DARegisterDiskDescriptionChangedCallback(_diskArbSession, NULL, NULL,
-                                           diskDescriptionChangedCallback, (__bridge void *)self);
-  DARegisterDiskDisappearedCallback(_diskArbSession, NULL, diskDisappearedCallback,
+                                           DiskDescriptionChangedCallback, (__bridge void *)self);
+  DARegisterDiskDisappearedCallback(_diskArbSession, NULL, DiskDisappearedCallback,
                                     (__bridge void *)self);
 
   [super subscribeAndClearCache:{
@@ -225,44 +445,15 @@ NS_ASSUME_NONNULL_BEGIN
       exit(EXIT_FAILURE);
   }
 
-  long mountMode = eventStatFS->f_flags;
   pid_t pid = audit_token_to_pid(m->process->audit_token);
   LOGD(
-    @"SNTEndpointSecurityDeviceManager: mount syscall arriving from path: %s, pid: %d, fflags: %lu",
-    m->process->executable->path.data, pid, mountMode);
+    @"SNTEndpointSecurityDeviceManager: mount syscall arriving from path: %s, pid: %d, fflags: %u",
+    m->process->executable->path.data, pid, eventStatFS->f_flags);
 
   DADiskRef disk = DADiskCreateFromBSDName(NULL, self.diskArbSession, eventStatFS->f_mntfromname);
   CFAutorelease(disk);
 
-  // TODO(tnek): Log all of the other attributes available in diskInfo into a structured log format.
-  NSDictionary *diskInfo = CFBridgingRelease(DADiskCopyDescription(disk));
-  BOOL isInternal = [diskInfo[(__bridge NSString *)kDADiskDescriptionDeviceInternalKey] boolValue];
-  BOOL isRemovable = [diskInfo[(__bridge NSString *)kDADiskDescriptionMediaRemovableKey] boolValue];
-  BOOL isEjectable = [diskInfo[(__bridge NSString *)kDADiskDescriptionMediaEjectableKey] boolValue];
-  NSString *protocol = diskInfo[(__bridge NSString *)kDADiskDescriptionDeviceProtocolKey];
-  BOOL isUSB = [protocol isEqualToString:@"USB"];
-  BOOL isSecureDigital = [protocol isEqualToString:@"Secure Digital"];
-  BOOL isVirtual = [protocol isEqualToString:@"Virtual Interface"];
-
-  NSString *kind = diskInfo[(__bridge NSString *)kDADiskDescriptionMediaKindKey];
-
-  // TODO: check kind and protocol for banned things (e.g. MTP).
-  LOGD(@"SNTEndpointSecurityDeviceManager: DiskInfo Protocol: %@ Kind: %@ isInternal: %d "
-       @"isRemovable: %d "
-       @"isEjectable: %d",
-       protocol, kind, isInternal, isRemovable, isEjectable);
-
-  // if the device is internal, or virtual *AND* is not an SD Card,
-  // then allow the mount. This is to ensure we block SD cards inserted into
-  // the internal reader of some Macs, whilst also ensuring we don't block
-  // the internal storage device.
-  if ((isInternal || isVirtual) && !isSecureDigital) {
-    return ES_AUTH_RESULT_ALLOW;
-  }
-
-  // We are okay with operations for devices that are non-removable as long as
-  // they are NOT a USB device, or an SD Card.
-  if (!isRemovable && !isEjectable && !isUSB && !isSecureDigital) {
+  if (![self shouldOperateOnDisk:disk]) {
     return ES_AUTH_RESULT_ALLOW;
   }
 
@@ -270,24 +461,20 @@ NS_ASSUME_NONNULL_BEGIN
     initWithOnName:[NSString stringWithUTF8String:eventStatFS->f_mntonname]
           fromName:[NSString stringWithUTF8String:eventStatFS->f_mntfromname]];
 
-  BOOL shouldRemount = self.remountArgs != nil && [self.remountArgs count] > 0;
-
-  if (shouldRemount) {
+  if ([self haveRemountArgs]) {
     event.remountArgs = self.remountArgs;
-    long remountOpts = mountArgsToMask(self.remountArgs);
 
-    LOGD(@"SNTEndpointSecurityDeviceManager: mountMode: %@", maskToMountArgs(mountMode));
-    LOGD(@"SNTEndpointSecurityDeviceManager: remountOpts: %@", maskToMountArgs(remountOpts));
-
-    if ((mountMode & remountOpts) == remountOpts && m->event_type != ES_EVENT_TYPE_AUTH_REMOUNT) {
-      LOGD(@"SNTEndpointSecurityDeviceManager: Allowing as mount as flags match remountOpts");
+    if ([self remountUSBModeContainsFlags:eventStatFS->f_flags] &&
+        m->event_type != ES_EVENT_TYPE_AUTH_REMOUNT) {
+      LOGD(@"Allowing mount as flags contain RemountUSBMode. '%s' -> '%s'",
+           eventStatFS->f_mntfromname, eventStatFS->f_mntonname);
       return ES_AUTH_RESULT_ALLOW;
     }
 
-    long newMode = mountMode | remountOpts;
-    LOGI(@"SNTEndpointSecurityDeviceManager: remounting device '%s'->'%s', flags (%lu) -> (%lu)",
-         eventStatFS->f_mntfromname, eventStatFS->f_mntonname, mountMode, newMode);
-    [self remount:disk mountMode:newMode];
+    uint32_t newMode = [self updatedMountFlags:eventStatFS];
+    LOGI(@"SNTEndpointSecurityDeviceManager: remounting device '%s'->'%s', flags (%u) -> (%u)",
+         eventStatFS->f_mntfromname, eventStatFS->f_mntonname, eventStatFS->f_flags, newMode);
+    [self remount:disk mountMode:newMode semaphore:nil];
   }
 
   if (self.deviceBlockCallback) {
@@ -297,14 +484,16 @@ NS_ASSUME_NONNULL_BEGIN
   return ES_AUTH_RESULT_DENY;
 }
 
-- (void)remount:(DADiskRef)disk mountMode:(long)remountMask {
+- (void)remount:(DADiskRef)disk
+      mountMode:(uint32_t)remountMask
+      semaphore:(nullable dispatch_semaphore_t)sema {
   NSArray<NSString *> *args = maskToMountArgs(remountMask);
   CFStringRef *argv = (CFStringRef *)calloc(args.count + 1, sizeof(CFStringRef));
   CFArrayGetValues((__bridge CFArrayRef)args, CFRangeMake(0, (CFIndex)args.count),
                    (const void **)argv);
 
-  DADiskMountWithArguments(disk, NULL, kDADiskMountOptionDefault, diskMountedCallback,
-                           (__bridge void *)self, (CFStringRef *)argv);
+  DADiskMountWithArguments(disk, NULL, kDADiskMountOptionDefault, DiskMountedCallback,
+                           (__bridge void *)sema, (CFStringRef *)argv);
 
   free(argv);
 }

Source/santad/EventProviders/SNTEndpointSecurityDeviceManagerTest.mm

@@ -26,6 +26,7 @@
 #include <memory>
 #include <set>
 
+#import "Source/common/SNTCommonEnums.h"
 #import "Source/common/SNTConfigurator.h"
 #import "Source/common/SNTDeviceEvent.h"
 #include "Source/common/TestUtils.h"
@@ -50,12 +51,17 @@ class MockAuthResultCache : public AuthResultCache {
 };
 
 @interface SNTEndpointSecurityDeviceManager (Testing)
+- (instancetype)init;
 - (void)logDiskAppeared:(NSDictionary *)props;
+- (BOOL)shouldOperateOnDisk:(DADiskRef)disk;
+- (void)performStartupTasks:(SNTDeviceManagerStartupPreferences)startupPrefs;
+- (uint32_t)updatedMountFlags:(struct statfs *)sfs;
 @end
 
 @interface SNTEndpointSecurityDeviceManagerTest : XCTestCase
 @property id mockConfigurator;
 @property MockDiskArbitration *mockDA;
+@property MockMounts *mockMounts;
 @end
 
 @implementation SNTEndpointSecurityDeviceManagerTest
@@ -70,6 +76,9 @@ class MockAuthResultCache : public AuthResultCache {
   self.mockDA = [MockDiskArbitration mockDiskArbitration];
   [self.mockDA reset];
 
+  self.mockMounts = [MockMounts mockMounts];
+  [self.mockMounts reset];
+
   fclose(stdout);
 }
 
@@ -112,7 +121,10 @@ class MockAuthResultCache : public AuthResultCache {
     [[SNTEndpointSecurityDeviceManager alloc] initWithESAPI:mockESApi
                                                     metrics:nullptr
                                                      logger:nullptr
-                                            authResultCache:nullptr];
+                                            authResultCache:nullptr
+                                              blockUSBMount:false
+                                             remountUSBMode:nil
+                                         startupPreferences:SNTDeviceManagerStartupPreferencesNone];
 
   setupDMCallback(deviceManager);
 
@@ -120,7 +132,7 @@ class MockAuthResultCache : public AuthResultCache {
   id partialDeviceManager = OCMPartialMock(deviceManager);
   OCMStub([partialDeviceManager logDiskAppeared:OCMOCK_ANY]);
 
-  [self.mockDA insert:disk bsdName:test_mntfromname];
+  [self.mockDA insert:disk];
 
   es_file_t file = MakeESFile("foo");
   es_process_t proc = MakeESProcess(&file);
@@ -211,7 +223,8 @@ class MockAuthResultCache : public AuthResultCache {
              };
            }];
 
-  XCTAssertEqual(self.mockDA.wasRemounted, YES);
+  XCTAssertEqual(self.mockDA.insertedDevices.count, 1);
+  XCTAssertTrue([self.mockDA.insertedDevices allValues][0].wasMounted);
 
   [self waitForExpectations:@[ expectation ] timeout:60.0];
 
@@ -274,7 +287,8 @@ class MockAuthResultCache : public AuthResultCache {
              };
            }];
 
-  XCTAssertEqual(self.mockDA.wasRemounted, YES);
+  XCTAssertEqual(self.mockDA.insertedDevices.count, 1);
+  XCTAssertTrue([self.mockDA.insertedDevices allValues][0].wasMounted);
 
   [self waitForExpectations:@[ expectation ] timeout:10.0];
 
@@ -303,7 +317,8 @@ class MockAuthResultCache : public AuthResultCache {
              };
            }];
 
-  XCTAssertEqual(self.mockDA.wasRemounted, NO);
+  XCTAssertEqual(self.mockDA.insertedDevices.count, 1);
+  XCTAssertFalse([self.mockDA.insertedDevices allValues][0].wasMounted);
 }
 
 - (void)testNotifyUnmountFlushesCache {
@@ -324,7 +339,10 @@ class MockAuthResultCache : public AuthResultCache {
     [[SNTEndpointSecurityDeviceManager alloc] initWithESAPI:mockESApi
                                                     metrics:nullptr
                                                      logger:nullptr
-                                            authResultCache:mockAuthCache];
+                                            authResultCache:mockAuthCache
+                                              blockUSBMount:YES
+                                             remountUSBMode:nil
+                                         startupPreferences:SNTDeviceManagerStartupPreferencesNone];
 
   deviceManager.blockUSBMount = YES;
 
@@ -340,6 +358,122 @@ class MockAuthResultCache : public AuthResultCache {
   XCTBubbleMockVerifyAndClearExpectations(mockAuthCache.get());
 }
 
+- (void)testPerformStartupTasks {
+  SNTEndpointSecurityDeviceManager *deviceManager = [[SNTEndpointSecurityDeviceManager alloc] init];
+
+  id partialDeviceManager = OCMPartialMock(deviceManager);
+  OCMStub([partialDeviceManager shouldOperateOnDisk:nil]).ignoringNonObjectArgs().andReturn(YES);
+
+  deviceManager.blockUSBMount = YES;
+  deviceManager.remountArgs = @[ @"noexec", @"rdonly" ];
+
+  [self.mockMounts insert:[[MockStatfs alloc] initFrom:@"d1" on:@"v1" flags:@(0x0)]];
+  [self.mockMounts insert:[[MockStatfs alloc] initFrom:@"d2"
+                                                    on:@"v2"
+                                                 flags:@(MNT_RDONLY | MNT_NOEXEC | MNT_JOURNALED)]];
+
+  // Create mock disks with desired args
+  MockDADisk * (^CreateMockDisk)(NSString *, NSString *) =
+    ^MockDADisk *(NSString *mountOn, NSString *mountFrom) {
+    MockDADisk *mockDisk = [[MockDADisk alloc] init];
+    mockDisk.diskDescription = @{
+      @"DAVolumePath" : mountOn,      // f_mntonname,
+      @"DADevicePath" : mountOn,      // f_mntonname,
+      @"DAMediaBSDName" : mountFrom,  // f_mntfromname,
+    };
+
+    return mockDisk;
+  };
+
+  // Reset the Mock DA property, setup disks and remount args, then trigger the test
+  void (^PerformStartupTest)(NSArray<MockDADisk *> *, NSArray<NSString *> *,
+                             SNTDeviceManagerStartupPreferences) =
+    ^void(NSArray<MockDADisk *> *disks, NSArray<NSString *> *remountArgs,
+          SNTDeviceManagerStartupPreferences startupPref) {
+      [self.mockDA reset];
+
+      for (MockDADisk *d in disks) {
+        [self.mockDA insert:d];
+      }
+
+      deviceManager.remountArgs = remountArgs;
+
+      [deviceManager performStartupTasks:startupPref];
+    };
+
+  // Unmount with RemountUSBMode set
+  {
+    MockDADisk *disk1 = CreateMockDisk(@"v1", @"d1");
+    MockDADisk *disk2 = CreateMockDisk(@"v2", @"d2");
+
+    PerformStartupTest(@[ disk1, disk2 ], @[ @"noexec", @"rdonly" ],
+                       SNTDeviceManagerStartupPreferencesUnmount);
+
+    XCTAssertTrue(disk1.wasUnmounted);
+    XCTAssertFalse(disk1.wasMounted);
+    XCTAssertFalse(disk2.wasUnmounted);
+    XCTAssertFalse(disk2.wasMounted);
+  }
+
+  // Unmount with RemountUSBMode nil
+  {
+    MockDADisk *disk1 = CreateMockDisk(@"v1", @"d1");
+    MockDADisk *disk2 = CreateMockDisk(@"v2", @"d2");
+
+    PerformStartupTest(@[ disk1, disk2 ], nil, SNTDeviceManagerStartupPreferencesUnmount);
+
+    XCTAssertTrue(disk1.wasUnmounted);
+    XCTAssertFalse(disk1.wasMounted);
+    XCTAssertTrue(disk2.wasUnmounted);
+    XCTAssertFalse(disk2.wasMounted);
+  }
+
+  // Remount with RemountUSBMode set
+  {
+    MockDADisk *disk1 = CreateMockDisk(@"v1", @"d1");
+    MockDADisk *disk2 = CreateMockDisk(@"v2", @"d2");
+
+    PerformStartupTest(@[ disk1, disk2 ], @[ @"noexec", @"rdonly" ],
+                       SNTDeviceManagerStartupPreferencesRemount);
+
+    XCTAssertTrue(disk1.wasUnmounted);
+    XCTAssertTrue(disk1.wasMounted);
+    XCTAssertFalse(disk2.wasUnmounted);
+    XCTAssertFalse(disk2.wasMounted);
+  }
+
+  // Unmount with RemountUSBMode nil
+  {
+    MockDADisk *disk1 = CreateMockDisk(@"v1", @"d1");
+    MockDADisk *disk2 = CreateMockDisk(@"v2", @"d2");
+
+    PerformStartupTest(@[ disk1, disk2 ], nil, SNTDeviceManagerStartupPreferencesRemount);
+
+    XCTAssertTrue(disk1.wasUnmounted);
+    XCTAssertFalse(disk1.wasMounted);
+    XCTAssertTrue(disk2.wasUnmounted);
+    XCTAssertFalse(disk2.wasMounted);
+  }
+}
+
+- (void)testUpdatedMountFlags {
+  struct statfs sfs;
+
+  strlcpy(sfs.f_fstypename, "foo", sizeof(sfs.f_fstypename));
+  sfs.f_flags = MNT_JOURNALED | MNT_NOSUID | MNT_NODEV;
+
+  SNTEndpointSecurityDeviceManager *deviceManager = [[SNTEndpointSecurityDeviceManager alloc] init];
+  deviceManager.remountArgs = @[ @"noexec", @"rdonly" ];
+
+  // For most filesystems, the flags are the union of what is in statfs and the remount args
+  XCTAssertEqual([deviceManager updatedMountFlags:&sfs], sfs.f_flags | MNT_RDONLY | MNT_NOEXEC);
+
+  // For APFS, flags are still unioned, but MNT_JOUNRNALED is cleared
+  strlcpy(sfs.f_fstypename, "apfs", sizeof(sfs.f_fstypename));
+  XCTAssertEqual([deviceManager updatedMountFlags:&sfs],
+                 (sfs.f_flags | MNT_RDONLY | MNT_NOEXEC) & ~MNT_JOURNALED);
+}
+
 - (void)testEnable {
   // Ensure the client subscribes to expected event types
   std::set<es_event_type_t> expectedEventSubs{

Source/santad/EventProviders/SNTEndpointSecurityFileAccessAuthorizer.h

@@ -25,8 +25,10 @@
 #include "Source/santad/Logs/EndpointSecurity/Logger.h"
 #include "Source/santad/Metrics.h"
 #import "Source/santad/SNTDecisionCache.h"
+#include "Source/santad/TTYWriter.h"
 
-typedef void (^SNTFileAccessBlockCallback)(SNTFileAccessEvent *event);
+typedef void (^SNTFileAccessBlockCallback)(SNTFileAccessEvent *event, NSString *customMsg,
+                                           NSString *customURL, NSString *customText);
 
 @interface SNTEndpointSecurityFileAccessAuthorizer
     : SNTEndpointSecurityClient <SNTEndpointSecurityDynamicEventHandler>
@@ -39,7 +41,8 @@ typedef void (^SNTFileAccessBlockCallback)(SNTFileAccessEvent *event);
      watchItems:(std::shared_ptr<santa::santad::data_layer::WatchItems>)watchItems
        enricher:
          (std::shared_ptr<santa::santad::event_providers::endpoint_security::Enricher>)enricher
-  decisionCache:(SNTDecisionCache *)decisionCache;
+  decisionCache:(SNTDecisionCache *)decisionCache
+      ttyWriter:(std::shared_ptr<santa::santad::TTYWriter>)ttyWriter;
 
 @property SNTFileAccessBlockCallback fileAccessBlockCallback;
 

Source/santad/EventProviders/SNTEndpointSecurityFileAccessAuthorizer.mm

@@ -20,17 +20,20 @@
 #import <MOLCodesignChecker/MOLCodesignChecker.h>
 #include <bsm/libbsm.h>
 #include <sys/fcntl.h>
+#include <sys/types.h>
 
 #include <algorithm>
 #include <array>
 #include <cstdlib>
+#include <functional>
 #include <memory>
 #include <optional>
-#include <set>
 #include <type_traits>
+#include <utility>
 #include <variant>
 
 #include "Source/common/Platform.h"
+#import "Source/common/SNTBlockMessage.h"
 #import "Source/common/SNTCommonEnums.h"
 #import "Source/common/SNTConfigurator.h"
 #include "Source/common/SNTFileAccessEvent.h"
@@ -45,9 +48,15 @@
 #include "Source/santad/EventProviders/EndpointSecurity/EnrichedTypes.h"
 #include "Source/santad/EventProviders/EndpointSecurity/Message.h"
 #include "Source/santad/EventProviders/RateLimiter.h"
+#include "absl/container/flat_hash_map.h"
+#include "absl/container/flat_hash_set.h"
 
+using santa::common::OptionalStringToNSString;
 using santa::common::StringToNSString;
 using santa::santad::EventDisposition;
+using santa::santad::FileAccessMetricStatus;
+using santa::santad::Metrics;
+using santa::santad::TTYWriter;
 using santa::santad::data_layer::WatchItemPathType;
 using santa::santad::data_layer::WatchItemPolicy;
 using santa::santad::data_layer::WatchItems;
@@ -69,6 +78,122 @@ static constexpr uint16_t kDefaultRateLimitQPS = 50;
 struct PathTarget {
   std::string path;
   bool isReadable;
+  std::optional<std::pair<dev_t, ino_t>> devnoIno;
+};
+
+// This is a bespoke cache for mapping processes to a set of values. It has
+// similar semantics to SantaCache in terms of clearing the cache keys and
+// values when max sizes are reached.
+//
+// TODO: We need a proper LRU cache
+//
+// NB: This exists instead of using SantaCache for two main reasons:
+//     1.) SantaCache doesn't efficiently support non-primitive value types.
+//         Since the value of each key needs to be a set, we want to refrain
+//         from having to unnecessarily copy the value.
+//     2.) SantaCache doesn't support size limits on value types
+template <typename ValueT>
+class ProcessSet {
+  using FileSet = absl::flat_hash_set<ValueT>;
+
+ public:
+  ProcessSet() {
+    q_ = dispatch_queue_create(
+      "com.google.santa.daemon.faa",
+      dispatch_queue_attr_make_with_qos_class(DISPATCH_QUEUE_SERIAL_WITH_AUTORELEASE_POOL,
+                                              QOS_CLASS_USER_INTERACTIVE, 0));
+  };
+
+  // Add the given target to the set of files a process can read
+  void Set(const es_process_t *proc, std::function<ValueT()> valueBlock) {
+    if (!valueBlock) {
+      return;
+    }
+
+    dispatch_sync(q_, ^{
+      std::pair<pid_t, pid_t> pidPidver = {audit_token_to_pid(proc->audit_token),
+                                           audit_token_to_pidversion(proc->audit_token)};
+      SetLocked(pidPidver, valueBlock());
+    });
+  }
+
+  // Remove the given process from the cache
+  void Remove(const es_process_t *proc) {
+    std::pair<pid_t, pid_t> pidPidver = {audit_token_to_pid(proc->audit_token),
+                                         audit_token_to_pidversion(proc->audit_token)};
+    dispatch_sync(q_, ^{
+      cache_.erase(pidPidver);
+    });
+  }
+
+  // Check if the set of files for a given process contains the given file
+  bool Exists(const es_process_t *proc, std::function<ValueT()> valueBlock) {
+    return ExistsOrSet(proc, valueBlock, false);
+  }
+
+  // Check if the ValueT set for a given process contains the given file, and
+  // if not, set it. Both steps are done atomically.
+  bool ExistsOrSet(const es_process_t *proc, std::function<ValueT()> valueBlock) {
+    return ExistsOrSet(proc, valueBlock, true);
+  }
+
+  // Clear all cache entries
+  void Clear() {
+    dispatch_sync(q_, ^{
+      ClearLocked();
+    });
+  }
+
+ private:
+  // Remove everything in the cache.
+  void ClearLocked() { cache_.clear(); }
+
+  void SetLocked(std::pair<pid_t, pid_t> pidPidver, ValueT value) {
+    // If we hit the size limit, clear the cache to prevent unbounded growth
+    if (cache_.size() >= kMaxCacheSize) {
+      ClearLocked();
+    }
+
+    FileSet &fs = cache_[std::move(pidPidver)];
+
+    // If we hit the per-entry size limit, clear the entry to prevent unbounded growth
+    if (fs.size() >= kMaxCacheEntrySize) {
+      fs.clear();
+    }
+
+    fs.insert(value);
+  }
+
+  bool ExistsOrSet(const es_process_t *proc, std::function<ValueT()> valueBlock, bool shouldSet) {
+    std::pair<pid_t, pid_t> pidPidver = {audit_token_to_pid(proc->audit_token),
+                                         audit_token_to_pidversion(proc->audit_token)};
+
+    __block bool exists = false;
+
+    dispatch_sync(q_, ^{
+      ValueT value = valueBlock();
+      const auto &iter = cache_.find(pidPidver);
+
+      if (iter != cache_.end() && iter->second.count(value) > 0) {
+        exists = true;
+      } else if (shouldSet) {
+        SetLocked(pidPidver, value);
+      }
+    });
+
+    return exists;
+  }
+
+  dispatch_queue_t q_;
+  absl::flat_hash_map<std::pair<pid_t, pid_t>, FileSet> cache_;
+
+  // Cache limits are merely meant to protect against unbounded growth. In practice,
+  // the observed cache size is typically small for normal WatchItems rules (those
+  // that do not target high-volume paths). The per entry size was observed to vary
+  // quite dramatically based on the type of process (e.g. large, complex applications
+  // were observed to frequently have several thousands of entries).
+  static constexpr size_t kMaxCacheSize = 512;
+  static constexpr size_t kMaxCacheEntrySize = 8192;
 };
 
 static inline std::string Path(const es_file_t *esFile) {
@@ -82,14 +207,18 @@ static inline std::string Path(const es_string_token_t &tok) {
 static inline void PushBackIfNotTruncated(std::vector<PathTarget> &vec, const es_file_t *esFile,
                                           bool isReadable = false) {
   if (!esFile->path_truncated) {
-    vec.push_back({Path(esFile), isReadable});
+    vec.push_back({Path(esFile), isReadable,
+                   isReadable ? std::make_optional<std::pair<dev_t, ino_t>>(
+                                  {esFile->stat.st_dev, esFile->stat.st_ino})
+                              : std::nullopt});
   }
 }
 
+// Note: This variant of PushBackIfNotTruncated can never be marked "isReadable"
 static inline void PushBackIfNotTruncated(std::vector<PathTarget> &vec, const es_file_t *dir,
-                                          const es_string_token_t &name, bool isReadable = false) {
+                                          const es_string_token_t &name) {
   if (!dir->path_truncated) {
-    vec.push_back({Path(dir) + "/" + Path(name), isReadable});
+    vec.push_back({Path(dir) + "/" + Path(name), false, std::nullopt});
   }
 }
 
@@ -103,9 +232,43 @@ es_auth_result_t FileAccessPolicyDecisionToESAuthResult(FileAccessPolicyDecision
     case FileAccessPolicyDecision::kAllowedAuditOnly: return ES_AUTH_RESULT_ALLOW;
     default:
       // This is a programming error. Bail.
-      LOGE(@"Invalid file access decision encountered: %d", decision);
+      LOGE(@"Invalid file access decision encountered: %d", static_cast<int>(decision));
       [NSException raise:@"Invalid FileAccessPolicyDecision"
-                  format:@"Invalid FileAccessPolicyDecision: %d", decision];
+                  format:@"Invalid FileAccessPolicyDecision: %d", static_cast<int>(decision)];
+  }
+}
+
+bool IsBlockDecision(FileAccessPolicyDecision decision) {
+  return decision == FileAccessPolicyDecision::kDenied ||
+         decision == FileAccessPolicyDecision::kDeniedInvalidSignature;
+}
+
+FileAccessPolicyDecision ApplyOverrideToDecision(FileAccessPolicyDecision decision,
+                                                 SNTOverrideFileAccessAction overrideAction) {
+  switch (overrideAction) {
+    // When no override should be applied, return the decision unmodified
+    case SNTOverrideFileAccessActionNone: return decision;
+
+    // When the decision should be overridden to be audit only, only change the
+    // decision if it was going to deny the operation.
+    case SNTOverrideFileAccessActionAuditOnly:
+      if (IsBlockDecision(decision)) {
+        return FileAccessPolicyDecision::kAllowedAuditOnly;
+      } else {
+        return decision;
+      }
+
+    // If the override action is to disable policy, return a decision that will
+    // be treated as if no policy applied to the operation.
+    case SNTOverrideFileAccessActionDiable: return FileAccessPolicyDecision::kNoPolicy;
+
+    default:
+      // This is a programming error. Bail.
+      LOGE(@"Invalid override file access action encountered: %d",
+           static_cast<int>(overrideAction));
+      [NSException
+         raise:@"Invalid SNTOverrideFileAccessAction"
+        format:@"Invalid SNTOverrideFileAccessAction: %d", static_cast<int>(overrideAction)];
   }
 }
 
@@ -118,6 +281,10 @@ bool ShouldLogDecision(FileAccessPolicyDecision decision) {
   }
 }
 
+bool ShouldNotifyUserDecision(FileAccessPolicyDecision decision) {
+  return ShouldLogDecision(decision) && decision != FileAccessPolicyDecision::kAllowedAuditOnly;
+}
+
 es_auth_result_t CombinePolicyResults(es_auth_result_t result1, es_auth_result_t result2) {
   // If either policy denied the operation, the operation is denied
   return ((result1 == ES_AUTH_RESULT_DENY || result2 == ES_AUTH_RESULT_DENY)
@@ -196,7 +363,23 @@ void PopulatePathTargets(const Message &msg, std::vector<PathTarget> &targets) {
   }
 }
 
+bool ShouldMessageTTY(const std::shared_ptr<WatchItemPolicy> &policy, const Message &msg,
+                      ProcessSet<std::pair<std::string, std::string>> &ttyMessageCache) {
+  if (policy->silent_tty || !TTYWriter::CanWrite(msg->process)) {
+    return false;
+  }
+
+  // ExistsOrSet returns `true` if the item existed. However we want to invert
+  // this result as the return value for this function since we want to message
+  // the TTY only when `ExistsOrSet` was a "set" operation, meaning it was the
+  // first time this value was added.
+  return !ttyMessageCache.ExistsOrSet(msg->process, ^std::pair<std::string, std::string>() {
+    return {policy->version, policy->name};
+  });
+}
+
 @interface SNTEndpointSecurityFileAccessAuthorizer ()
+@property SNTConfigurator *configurator;
 @property SNTDecisionCache *decisionCache;
 @property bool isSubscribed;
 @end
@@ -207,17 +390,22 @@ void PopulatePathTargets(const Message &msg, std::vector<PathTarget> &targets) {
   std::shared_ptr<Enricher> _enricher;
   std::shared_ptr<RateLimiter> _rateLimiter;
   SantaCache<SantaVnode, NSString *> _certHashCache;
+  std::shared_ptr<TTYWriter> _ttyWriter;
+  ProcessSet<std::pair<dev_t, ino_t>> _readsCache;
+  ProcessSet<std::pair<std::string, std::string>> _ttyMessageCache;
+  std::shared_ptr<Metrics> _metrics;
 }
 
 - (instancetype)
   initWithESAPI:
     (std::shared_ptr<santa::santad::event_providers::endpoint_security::EndpointSecurityAPI>)esApi
-        metrics:(std::shared_ptr<santa::santad::Metrics>)metrics
+        metrics:(std::shared_ptr<Metrics>)metrics
          logger:(std::shared_ptr<santa::santad::logs::endpoint_security::Logger>)logger
      watchItems:(std::shared_ptr<WatchItems>)watchItems
        enricher:
          (std::shared_ptr<santa::santad::event_providers::endpoint_security::Enricher>)enricher
-  decisionCache:(SNTDecisionCache *)decisionCache {
+  decisionCache:(SNTDecisionCache *)decisionCache
+      ttyWriter:(std::shared_ptr<santa::santad::TTYWriter>)ttyWriter {
   self = [super initWithESAPI:std::move(esApi)
                       metrics:metrics
                     processor:santa::santad::Processor::kFileAccessAuthorizer];
@@ -225,10 +413,13 @@ void PopulatePathTargets(const Message &msg, std::vector<PathTarget> &targets) {
     _watchItems = std::move(watchItems);
     _logger = std::move(logger);
     _enricher = std::move(enricher);
-
     _decisionCache = decisionCache;
+    _ttyWriter = std::move(ttyWriter);
+    _metrics = std::move(metrics);
 
-    _rateLimiter = RateLimiter::Create(metrics, santa::santad::Processor::kFileAccessAuthorizer,
+    _configurator = [SNTConfigurator configurator];
+
+    _rateLimiter = RateLimiter::Create(_metrics, santa::santad::Processor::kFileAccessAuthorizer,
                                        kDefaultRateLimitQPS);
 
     SNTMetricBooleanGauge *famEnabled = [[SNTMetricSet sharedInstance]
@@ -411,7 +602,7 @@ void PopulatePathTargets(const Message &msg, std::vector<PathTarget> &targets) {
 
   // If the process is signed but has an invalid signature, it is denied
   if (((msg->process->codesigning_flags & (CS_SIGNED | CS_VALID)) == CS_SIGNED) &&
-      [[SNTConfigurator configurator] enableBadSignatureProtection]) {
+      [self.configurator enableBadSignatureProtection]) {
     // TODO(mlw): Think about how to make stronger guarantees here to handle
     // programs becoming invalid after first being granted access. Maybe we
     // should only allow things that have hardened runtime flags set?
@@ -420,6 +611,13 @@ void PopulatePathTargets(const Message &msg, std::vector<PathTarget> &targets) {
 
   std::shared_ptr<WatchItemPolicy> policy = optionalPolicy.value();
 
+  // If policy allows reading, add target to the cache
+  if (policy->allow_read_access && target.devnoIno.has_value()) {
+    self->_readsCache.Set(msg->process, ^{
+      return *target.devnoIno;
+    });
+  }
+
   // Check if this action contains any special case that would produce
   // an immediate result.
   FileAccessPolicyDecision specialCase = [self specialCaseForPolicy:policy
@@ -453,10 +651,6 @@ void PopulatePathTargets(const Message &msg, std::vector<PathTarget> &targets) {
     decision = FileAccessPolicyDecision::kAllowedAuditOnly;
   }
 
-  // https://github.com/google/santa/issues/1084
-  // TODO(xyz): Write to TTY like in exec controller?
-  // TODO(xyz): Need new config item for custom message in UI
-
   return decision;
 }
 
@@ -464,16 +658,25 @@ void PopulatePathTargets(const Message &msg, std::vector<PathTarget> &targets) {
                                    target:(const PathTarget &)target
                                    policy:
                                      (std::optional<std::shared_ptr<WatchItemPolicy>>)optionalPolicy
-                            policyVersion:(const std::string &)policyVersion {
-  FileAccessPolicyDecision policyDecision = [self applyPolicy:optionalPolicy
-                                                    forTarget:target
-                                                    toMessage:msg];
+                            policyVersion:(const std::string &)policyVersion
+                           overrideAction:(SNTOverrideFileAccessAction)overrideAction {
+  FileAccessPolicyDecision policyDecision = ApplyOverrideToDecision(
+    [self applyPolicy:optionalPolicy forTarget:target toMessage:msg], overrideAction);
 
   // Note: If ShouldLogDecision, it shouldn't be possible for optionalPolicy
   // to not have a value. Performing the check just in case to prevent a crash.
   if (ShouldLogDecision(policyDecision) && optionalPolicy.has_value()) {
-    if (_rateLimiter->Decide(msg->mach_time) == RateLimiter::Decision::kAllowed) {
-      std::string policyNameCopy = optionalPolicy.value()->name;
+    std::shared_ptr<WatchItemPolicy> policy = optionalPolicy.value();
+    RateLimiter::Decision decision = _rateLimiter->Decide(msg->mach_time);
+
+    self->_metrics->SetFileAccessEventMetrics(policyVersion, policy->name,
+                                              (decision == RateLimiter::Decision::kAllowed)
+                                                ? FileAccessMetricStatus::kOK
+                                                : FileAccessMetricStatus::kBlockedUser,
+                                              msg->event_type, policyDecision);
+
+    if (decision == RateLimiter::Decision::kAllowed) {
+      std::string policyNameCopy = policy->name;
       std::string policyVersionCopy = policyVersion;
       std::string targetPathCopy = target.path;
 
@@ -486,15 +689,17 @@ void PopulatePathTargets(const Message &msg, std::vector<PathTarget> &targets) {
                           }];
     }
 
-    if (!optionalPolicy.value()->silent && self.fileAccessBlockCallback) {
+    // Notify users on block decisions
+    if (ShouldNotifyUserDecision(policyDecision) &&
+        (!policy->silent || (!policy->silent_tty && msg->process->tty->path.length > 0))) {
       SNTCachedDecision *cd =
         [self.decisionCache cachedDecisionForFile:msg->process->executable->stat];
 
       SNTFileAccessEvent *event = [[SNTFileAccessEvent alloc] init];
 
       event.accessedPath = StringToNSString(target.path);
-      event.ruleVersion = StringToNSString(optionalPolicy.value()->version);
-      event.ruleName = StringToNSString(optionalPolicy.value()->name);
+      event.ruleVersion = StringToNSString(policy->version);
+      event.ruleName = StringToNSString(policy->name);
 
       event.fileSHA256 = cd.sha256 ?: @"<unknown sha>";
       event.filePath = StringToNSString(msg->process->executable->path.data);
@@ -503,15 +708,50 @@ void PopulatePathTargets(const Message &msg, std::vector<PathTarget> &targets) {
       event.pid = @(audit_token_to_pid(msg->process->audit_token));
       event.ppid = @(audit_token_to_pid(msg->process->parent_audit_token));
       event.parentName = StringToNSString(msg.ParentProcessName());
+      event.signingChain = cd.certChain;
 
-      self.fileAccessBlockCallback(event);
+      std::pair<NSString *, NSString *> linkInfo = self->_watchItems->EventDetailLinkInfo(policy);
+
+      if (!policy->silent && self.fileAccessBlockCallback) {
+        self.fileAccessBlockCallback(event, OptionalStringToNSString(policy->custom_message),
+                                     linkInfo.first, linkInfo.second);
+      }
+
+      if (ShouldMessageTTY(policy, msg, self->_ttyMessageCache)) {
+        NSAttributedString *attrStr =
+          [SNTBlockMessage attributedBlockMessageForFileAccessEvent:event
+                                                      customMessage:OptionalStringToNSString(
+                                                                      policy->custom_message)];
+
+        NSMutableString *blockMsg = [NSMutableString stringWithCapacity:1024];
+        // Escape sequences `\033[1m` and `\033[0m` begin/end bold lettering
+        [blockMsg appendFormat:@"\n\033[1mSanta\033[0m\n\n%@\n\n", attrStr.string];
+        [blockMsg appendFormat:@"\033[1mAccessed Path:\033[0m %@\n"
+                               @"\033[1mRule Version: \033[0m %@\n"
+                               @"\033[1mRule Name:    \033[0m %@\n"
+                               @"\n"
+                               @"\033[1mProcess Path: \033[0m %@\n"
+                               @"\033[1mIdentifier:   \033[0m %@\n"
+                               @"\033[1mParent:       \033[0m %@\n\n",
+                               event.accessedPath, event.ruleVersion, event.ruleName,
+                               event.filePath, event.fileSHA256, event.parentName];
+
+        NSURL *detailURL = [SNTBlockMessage eventDetailURLForFileAccessEvent:event
+                                                                   customURL:linkInfo.first];
+        if (detailURL) {
+          [blockMsg appendFormat:@"More info:\n%@\n\n", detailURL.absoluteString];
+        }
+
+        self->_ttyWriter->Write(msg->process, blockMsg);
+      }
     }
   }
 
   return policyDecision;
 }
 
-- (void)processMessage:(const Message &)msg {
+- (void)processMessage:(const Message &)msg
+        overrideAction:(SNTOverrideFileAccessAction)overrideAction {
   std::vector<PathTarget> targets;
   targets.reserve(2);
   PopulatePathTargets(msg, targets);
@@ -533,7 +773,8 @@ void PopulatePathTargets(const Message &msg, std::vector<PathTarget> &targets) {
     FileAccessPolicyDecision curDecision = [self handleMessage:msg
                                                         target:targets[i]
                                                         policy:versionAndPolicies.second[i]
-                                                 policyVersion:versionAndPolicies.first];
+                                                 policyVersion:versionAndPolicies.first
+                                                overrideAction:overrideAction];
 
     policyResult =
       CombinePolicyResults(policyResult, FileAccessPolicyDecisionToESAuthResult(curDecision));
@@ -558,19 +799,44 @@ void PopulatePathTargets(const Message &msg, std::vector<PathTarget> &targets) {
 
 - (void)handleMessage:(santa::santad::event_providers::endpoint_security::Message &&)esMsg
    recordEventMetrics:(void (^)(EventDisposition))recordEventMetrics {
+  SNTOverrideFileAccessAction overrideAction = [self.configurator overrideFileAccessAction];
+
+  // If the override action is set to Disable, return immediately.
+  if (overrideAction == SNTOverrideFileAccessActionDiable) {
+    if (esMsg->action_type == ES_ACTION_TYPE_AUTH) {
+      [self respondToMessage:esMsg withAuthResult:ES_AUTH_RESULT_ALLOW cacheable:false];
+    }
+    return;
+  }
+
+  if (esMsg->event_type == ES_EVENT_TYPE_AUTH_OPEN &&
+      !(esMsg->event.open.fflag & kOpenFlagsIndicatingWrite)) {
+    if (self->_readsCache.Exists(esMsg->process, ^std::pair<pid_t, pid_t> {
+          return std::pair<dev_t, ino_t>{esMsg->event.open.file->stat.st_dev,
+                                         esMsg->event.open.file->stat.st_ino};
+        })) {
+      [self respondToMessage:esMsg withAuthResult:ES_AUTH_RESULT_ALLOW cacheable:false];
+      return;
+    }
+  } else if (esMsg->event_type == ES_EVENT_TYPE_NOTIFY_EXIT) {
+    // On process exit, remove the cache entry
+    self->_readsCache.Remove(esMsg->process);
+    self->_ttyMessageCache.Remove(esMsg->process);
+    return;
+  }
+
   [self processMessage:std::move(esMsg)
                handler:^(const Message &msg) {
-                 [self processMessage:msg];
+                 [self processMessage:msg overrideAction:overrideAction];
                  recordEventMetrics(EventDisposition::kProcessed);
                }];
 }
 
 - (void)enable {
-  // TODO(xyz): Expand to support ES_EVENT_TYPE_AUTH_CREATE, ES_EVENT_TYPE_AUTH_TRUNCATE
   std::set<es_event_type_t> events = {
     ES_EVENT_TYPE_AUTH_CLONE,    ES_EVENT_TYPE_AUTH_CREATE, ES_EVENT_TYPE_AUTH_EXCHANGEDATA,
     ES_EVENT_TYPE_AUTH_LINK,     ES_EVENT_TYPE_AUTH_OPEN,   ES_EVENT_TYPE_AUTH_RENAME,
-    ES_EVENT_TYPE_AUTH_TRUNCATE, ES_EVENT_TYPE_AUTH_UNLINK,
+    ES_EVENT_TYPE_AUTH_TRUNCATE, ES_EVENT_TYPE_AUTH_UNLINK, ES_EVENT_TYPE_NOTIFY_EXIT,
   };
 
 #if HAVE_MACOS_12
@@ -614,6 +880,8 @@ void PopulatePathTargets(const Message &msg, std::vector<PathTarget> &targets) {
     // begin receiving events (if not already)
     [self enable];
   }
+
+  self->_readsCache.Clear();
 }
 
 @end

Source/santad/EventProviders/SNTEndpointSecurityFileAccessAuthorizerTest.mm

@@ -20,7 +20,9 @@
 #include <gmock/gmock.h>
 #include <gtest/gtest.h>
 #include <sys/fcntl.h>
+#include <sys/types.h>
 #include <cstring>
+#include <utility>
 
 #include <array>
 #include <cstddef>
@@ -31,6 +33,7 @@
 
 #include "Source/common/Platform.h"
 #include "Source/common/SNTCachedDecision.h"
+#include "Source/common/SNTCommonEnums.h"
 #import "Source/common/SNTConfigurator.h"
 #include "Source/common/TestUtils.h"
 #include "Source/santad/DataLayer/WatchItemPolicy.h"
@@ -50,13 +53,22 @@ extern NSString *kBadCertHash;
 struct PathTarget {
   std::string path;
   bool isReadable;
+  std::optional<std::pair<dev_t, ino_t>> devnoIno;
 };
 
 using PathTargetsPair = std::pair<std::optional<std::string>, std::optional<std::string>>;
 extern void PopulatePathTargets(const Message &msg, std::vector<PathTarget> &targets);
 extern es_auth_result_t FileAccessPolicyDecisionToESAuthResult(FileAccessPolicyDecision decision);
 extern bool ShouldLogDecision(FileAccessPolicyDecision decision);
+extern bool ShouldNotifyUserDecision(FileAccessPolicyDecision decision);
 extern es_auth_result_t CombinePolicyResults(es_auth_result_t result1, es_auth_result_t result2);
+extern bool IsBlockDecision(FileAccessPolicyDecision decision);
+extern FileAccessPolicyDecision ApplyOverrideToDecision(FileAccessPolicyDecision decision,
+                                                        SNTOverrideFileAccessAction overrideAction);
+
+static inline std::pair<dev_t, ino_t> FileID(const es_file_t &file) {
+  return std::make_pair(file.stat.st_dev, file.stat.st_ino);
+}
 
 void SetExpectationsForFileAccessAuthorizerInit(
   std::shared_ptr<MockEndpointSecurityAPI> mockESApi) {
@@ -135,7 +147,8 @@ void ClearWatchItemPolicyProcess(WatchItemPolicy::Process &proc) {
                                                             logger:nullptr
                                                         watchItems:nullptr
                                                           enricher:nullptr
-                                                     decisionCache:self.dcMock];
+                                                     decisionCache:self.dcMock
+                                                         ttyWriter:nullptr];
 
   //
   // Test 1 - Not in local cache or decision cache, and code sig lookup fails
@@ -229,7 +242,7 @@ void ClearWatchItemPolicyProcess(WatchItemPolicy::Process &proc) {
     {FileAccessPolicyDecision::kAllowed, false},
     {FileAccessPolicyDecision::kAllowedReadAccess, false},
     {FileAccessPolicyDecision::kAllowedAuditOnly, true},
-    {(FileAccessPolicyDecision)5, false},
+    {(FileAccessPolicyDecision)123, false},
   };
 
   for (const auto &kv : policyDecisionToShouldLog) {
@@ -237,6 +250,79 @@ void ClearWatchItemPolicyProcess(WatchItemPolicy::Process &proc) {
   }
 }
 
+- (void)testShouldNotifyUserDecision {
+  std::map<FileAccessPolicyDecision, bool> policyDecisionToShouldLog = {
+    {FileAccessPolicyDecision::kNoPolicy, false},
+    {FileAccessPolicyDecision::kDenied, true},
+    {FileAccessPolicyDecision::kDeniedInvalidSignature, true},
+    {FileAccessPolicyDecision::kAllowed, false},
+    {FileAccessPolicyDecision::kAllowedReadAccess, false},
+    {FileAccessPolicyDecision::kAllowedAuditOnly, false},
+    {(FileAccessPolicyDecision)123, false},
+  };
+
+  for (const auto &kv : policyDecisionToShouldLog) {
+    XCTAssertEqual(ShouldNotifyUserDecision(kv.first), kv.second);
+  }
+}
+
+- (void)testIsBlockDecision {
+  std::map<FileAccessPolicyDecision, bool> policyDecisionToIsBlockDecision = {
+    {FileAccessPolicyDecision::kNoPolicy, false},
+    {FileAccessPolicyDecision::kDenied, true},
+    {FileAccessPolicyDecision::kDeniedInvalidSignature, true},
+    {FileAccessPolicyDecision::kAllowed, false},
+    {FileAccessPolicyDecision::kAllowedReadAccess, false},
+    {FileAccessPolicyDecision::kAllowedAuditOnly, false},
+    {(FileAccessPolicyDecision)123, false},
+  };
+
+  for (const auto &kv : policyDecisionToIsBlockDecision) {
+    XCTAssertEqual(ShouldNotifyUserDecision(kv.first), kv.second);
+  }
+}
+
+- (void)testApplyOverrideToDecision {
+  std::map<std::pair<FileAccessPolicyDecision, SNTOverrideFileAccessAction>,
+           FileAccessPolicyDecision>
+    decisionAndOverrideToDecision = {
+      // Override action: None - Policy shouldn't be changed
+      {{FileAccessPolicyDecision::kNoPolicy, SNTOverrideFileAccessActionNone},
+       FileAccessPolicyDecision::kNoPolicy},
+      {{FileAccessPolicyDecision::kDenied, SNTOverrideFileAccessActionNone},
+       FileAccessPolicyDecision::kDenied},
+
+      // Override action: AuditOnly - Policy should be changed only on blocked decisions
+      {{FileAccessPolicyDecision::kNoPolicy, SNTOverrideFileAccessActionAuditOnly},
+       FileAccessPolicyDecision::kNoPolicy},
+      {{FileAccessPolicyDecision::kAllowedAuditOnly, SNTOverrideFileAccessActionAuditOnly},
+       FileAccessPolicyDecision::kAllowedAuditOnly},
+      {{FileAccessPolicyDecision::kAllowedReadAccess, SNTOverrideFileAccessActionAuditOnly},
+       FileAccessPolicyDecision::kAllowedReadAccess},
+      {{FileAccessPolicyDecision::kDenied, SNTOverrideFileAccessActionAuditOnly},
+       FileAccessPolicyDecision::kAllowedAuditOnly},
+      {{FileAccessPolicyDecision::kDeniedInvalidSignature, SNTOverrideFileAccessActionAuditOnly},
+       FileAccessPolicyDecision::kAllowedAuditOnly},
+
+      // Override action: Disable - Always changes the decision to be no policy applied
+      {{FileAccessPolicyDecision::kAllowed, SNTOverrideFileAccessActionDiable},
+       FileAccessPolicyDecision::kNoPolicy},
+      {{FileAccessPolicyDecision::kDenied, SNTOverrideFileAccessActionDiable},
+       FileAccessPolicyDecision::kNoPolicy},
+      {{FileAccessPolicyDecision::kAllowedReadAccess, SNTOverrideFileAccessActionDiable},
+       FileAccessPolicyDecision::kNoPolicy},
+      {{FileAccessPolicyDecision::kAllowedAuditOnly, SNTOverrideFileAccessActionDiable},
+       FileAccessPolicyDecision::kNoPolicy},
+  };
+
+  for (const auto &kv : decisionAndOverrideToDecision) {
+    XCTAssertEqual(ApplyOverrideToDecision(kv.first.first, kv.first.second), kv.second);
+  }
+
+  XCTAssertThrows(
+    ApplyOverrideToDecision(FileAccessPolicyDecision::kAllowed, (SNTOverrideFileAccessAction)123));
+}
+
 - (void)testCombinePolicyResults {
   // Ensure that the combined result is ES_AUTH_RESULT_DENY if both or either
   // input result is ES_AUTH_RESULT_DENY.
@@ -269,7 +355,8 @@ void ClearWatchItemPolicyProcess(WatchItemPolicy::Process &proc) {
                                                             logger:nullptr
                                                         watchItems:nullptr
                                                           enricher:nullptr
-                                                     decisionCache:nil];
+                                                     decisionCache:nil
+                                                         ttyWriter:nullptr];
 
   auto policy = std::make_shared<WatchItemPolicy>("foo_policy", "/foo");
 
@@ -397,7 +484,8 @@ void ClearWatchItemPolicyProcess(WatchItemPolicy::Process &proc) {
                                                             logger:nullptr
                                                         watchItems:nullptr
                                                           enricher:nullptr
-                                                     decisionCache:nil];
+                                                     decisionCache:nil
+                                                         ttyWriter:nullptr];
 
   id accessClientMock = OCMPartialMock(accessClient);
 
@@ -515,7 +603,8 @@ void ClearWatchItemPolicyProcess(WatchItemPolicy::Process &proc) {
                                                             logger:nullptr
                                                         watchItems:nullptr
                                                           enricher:nullptr
-                                                     decisionCache:nil];
+                                                     decisionCache:nil
+                                                         ttyWriter:nullptr];
 
   id accessClientMock = OCMPartialMock(accessClient);
 
@@ -642,7 +731,7 @@ void ClearWatchItemPolicyProcess(WatchItemPolicy::Process &proc) {
   std::set<es_event_type_t> expectedEventSubs = {
     ES_EVENT_TYPE_AUTH_CLONE,    ES_EVENT_TYPE_AUTH_CREATE, ES_EVENT_TYPE_AUTH_EXCHANGEDATA,
     ES_EVENT_TYPE_AUTH_LINK,     ES_EVENT_TYPE_AUTH_OPEN,   ES_EVENT_TYPE_AUTH_RENAME,
-    ES_EVENT_TYPE_AUTH_TRUNCATE, ES_EVENT_TYPE_AUTH_UNLINK,
+    ES_EVENT_TYPE_AUTH_TRUNCATE, ES_EVENT_TYPE_AUTH_UNLINK, ES_EVENT_TYPE_NOTIFY_EXIT,
   };
 
 #if HAVE_MACOS_12
@@ -678,7 +767,8 @@ void ClearWatchItemPolicyProcess(WatchItemPolicy::Process &proc) {
                                                             logger:nullptr
                                                         watchItems:nullptr
                                                           enricher:nullptr
-                                                     decisionCache:nil];
+                                                     decisionCache:nil
+                                                         ttyWriter:nullptr];
 
   EXPECT_CALL(*mockESApi, UnsubscribeAll);
   EXPECT_CALL(*mockESApi, UnmuteAllTargetPaths).WillOnce(testing::Return(true));
@@ -689,12 +779,12 @@ void ClearWatchItemPolicyProcess(WatchItemPolicy::Process &proc) {
   XCTBubbleMockVerifyAndClearExpectations(mockESApi.get());
 }
 
-- (void)testGetPathTargets {
+- (void)testPopulatePathTargets {
   // This test ensures that the `GetPathTargets` functions returns the
   // expected combination of targets for each handled event variant
-  es_file_t testFile1 = MakeESFile("test_file_1");
-  es_file_t testFile2 = MakeESFile("test_file_2");
-  es_file_t testDir = MakeESFile("test_dir");
+  es_file_t testFile1 = MakeESFile("test_file_1", MakeStat(100));
+  es_file_t testFile2 = MakeESFile("test_file_2", MakeStat(200));
+  es_file_t testDir = MakeESFile("test_dir", MakeStat(300));
   es_string_token_t testTok = MakeESStringToken("test_tok");
   std::string dirTok = std::string(testDir.path.data) + "/" + std::string(testTok.data);
 
@@ -715,6 +805,7 @@ void ClearWatchItemPolicyProcess(WatchItemPolicy::Process &proc) {
     XCTAssertEqual(targets.size(), 1);
     XCTAssertCStringEqual(targets[0].path.c_str(), testFile1.path.data);
     XCTAssertTrue(targets[0].isReadable);
+    XCTAssertEqual(targets[0].devnoIno.value(), FileID(testFile1));
   }
 
   {
@@ -729,8 +820,10 @@ void ClearWatchItemPolicyProcess(WatchItemPolicy::Process &proc) {
     XCTAssertEqual(targets.size(), 2);
     XCTAssertCStringEqual(targets[0].path.c_str(), testFile1.path.data);
     XCTAssertFalse(targets[0].isReadable);
+    XCTAssertFalse(targets[0].devnoIno.has_value());
     XCTAssertCppStringEqual(targets[1].path, dirTok);
     XCTAssertFalse(targets[1].isReadable);
+    XCTAssertFalse(targets[1].devnoIno.has_value());
   }
 
   {
@@ -747,8 +840,10 @@ void ClearWatchItemPolicyProcess(WatchItemPolicy::Process &proc) {
       XCTAssertEqual(targets.size(), 2);
       XCTAssertCStringEqual(targets[0].path.c_str(), testFile1.path.data);
       XCTAssertFalse(targets[0].isReadable);
+      XCTAssertFalse(targets[0].devnoIno.has_value());
       XCTAssertCStringEqual(targets[1].path.c_str(), testFile2.path.data);
       XCTAssertFalse(targets[1].isReadable);
+      XCTAssertFalse(targets[1].devnoIno.has_value());
     }
 
     {
@@ -762,8 +857,10 @@ void ClearWatchItemPolicyProcess(WatchItemPolicy::Process &proc) {
       XCTAssertEqual(targets.size(), 2);
       XCTAssertCStringEqual(targets[0].path.c_str(), testFile1.path.data);
       XCTAssertFalse(targets[0].isReadable);
+      XCTAssertFalse(targets[0].devnoIno.has_value());
       XCTAssertCppStringEqual(targets[1].path, dirTok);
       XCTAssertFalse(targets[1].isReadable);
+      XCTAssertFalse(targets[1].devnoIno.has_value());
     }
   }
 
@@ -777,6 +874,7 @@ void ClearWatchItemPolicyProcess(WatchItemPolicy::Process &proc) {
     XCTAssertEqual(targets.size(), 1);
     XCTAssertCStringEqual(targets[0].path.c_str(), testFile1.path.data);
     XCTAssertFalse(targets[0].isReadable);
+    XCTAssertFalse(targets[0].devnoIno.has_value());
   }
 
   {
@@ -791,8 +889,10 @@ void ClearWatchItemPolicyProcess(WatchItemPolicy::Process &proc) {
     XCTAssertEqual(targets.size(), 2);
     XCTAssertCStringEqual(targets[0].path.c_str(), testFile1.path.data);
     XCTAssertTrue(targets[0].isReadable);
+    XCTAssertEqual(targets[0].devnoIno.value(), FileID(testFile1));
     XCTAssertCppStringEqual(targets[1].path, dirTok);
     XCTAssertFalse(targets[1].isReadable);
+    XCTAssertFalse(targets[1].devnoIno.has_value());
   }
 
   {
@@ -806,8 +906,10 @@ void ClearWatchItemPolicyProcess(WatchItemPolicy::Process &proc) {
     XCTAssertEqual(targets.size(), 2);
     XCTAssertCStringEqual(targets[0].path.c_str(), testFile1.path.data);
     XCTAssertFalse(targets[0].isReadable);
+    XCTAssertFalse(targets[0].devnoIno.has_value());
     XCTAssertCStringEqual(targets[1].path.c_str(), testFile2.path.data);
     XCTAssertFalse(targets[1].isReadable);
+    XCTAssertFalse(targets[1].devnoIno.has_value());
   }
 
   {
@@ -822,6 +924,7 @@ void ClearWatchItemPolicyProcess(WatchItemPolicy::Process &proc) {
     XCTAssertEqual(targets.size(), 1);
     XCTAssertCppStringEqual(targets[0].path, dirTok);
     XCTAssertFalse(targets[0].isReadable);
+    XCTAssertFalse(targets[0].devnoIno.has_value());
   }
 
   {
@@ -834,6 +937,7 @@ void ClearWatchItemPolicyProcess(WatchItemPolicy::Process &proc) {
     XCTAssertEqual(targets.size(), 1);
     XCTAssertCStringEqual(targets[0].path.c_str(), testFile1.path.data);
     XCTAssertFalse(targets[0].isReadable);
+    XCTAssertFalse(targets[0].devnoIno.has_value());
   }
 
   if (@available(macOS 12.0, *)) {
@@ -852,8 +956,10 @@ void ClearWatchItemPolicyProcess(WatchItemPolicy::Process &proc) {
         XCTAssertEqual(targets.size(), 2);
         XCTAssertCStringEqual(targets[0].path.c_str(), testFile1.path.data);
         XCTAssertTrue(targets[0].isReadable);
+        XCTAssertEqual(targets[0].devnoIno.value(), FileID(testFile1));
         XCTAssertCppStringEqual(targets[1].path, dirTok);
         XCTAssertFalse(targets[1].isReadable);
+        XCTAssertFalse(targets[1].devnoIno.has_value());
       }
 
       {
@@ -865,8 +971,10 @@ void ClearWatchItemPolicyProcess(WatchItemPolicy::Process &proc) {
         XCTAssertEqual(targets.size(), 2);
         XCTAssertCStringEqual(targets[0].path.c_str(), testFile1.path.data);
         XCTAssertTrue(targets[0].isReadable);
+        XCTAssertEqual(targets[0].devnoIno.value(), FileID(testFile1));
         XCTAssertCStringEqual(targets[1].path.c_str(), testFile2.path.data);
         XCTAssertFalse(targets[1].isReadable);
+        XCTAssertFalse(targets[1].devnoIno.has_value());
       }
     }
   }

Source/santad/EventProviders/SNTEndpointSecurityRecorder.mm

@@ -88,9 +88,23 @@ es_file_t *GetTargetFileForPrefixTree(const es_message_t *msg) {
   // Pre-enrichment processing
   switch (esMsg->event_type) {
     case ES_EVENT_TYPE_NOTIFY_CLOSE: {
-      // TODO(mlw): Once we move to building with the macOS 13 SDK, we should also check
-      // the `was_mapped_writable` field
-      if (esMsg->event.close.modified == false) {
+      BOOL shouldLogClose = esMsg->event.close.modified;
+
+#if HAVE_MACOS_13
+      if (@available(macOS 13.5, *)) {
+        // As of macSO 13.0 we have a new field for if a file was mmaped with
+        // write permissions on close events. However it did not work until
+        // 13.5.
+        //
+        // If something was mmaped writable it was probably written to. Often
+        // developer tools do this to avoid lots of write syscalls, e.g. go's
+        // tool chain. We log this so the compiler controller can take that into
+        // account.
+        shouldLogClose |= esMsg->event.close.was_mapped_writable;
+      }
+#endif
+
+      if (!shouldLogClose) {
         // Ignore unmodified files
         // Note: Do not record metrics in this case. These are not considered "drops"
         // because this is not a failure case. Ideally we would tell ES to not send
@@ -115,7 +129,6 @@ es_file_t *GetTargetFileForPrefixTree(const es_message_t *msg) {
 
       break;
     }
-
     default: break;
   }
 

Source/santad/EventProviders/SNTEndpointSecurityRecorderTest.mm

@@ -17,6 +17,7 @@
 #import <XCTest/XCTest.h>
 #include <gmock/gmock.h>
 #include <gtest/gtest.h>
+#include <objc/NSObjCRuntime.h>
 #include <cstddef>
 
 #include <memory>
@@ -102,12 +103,21 @@ class MockLogger : public Logger {
   XCTBubbleMockVerifyAndClearExpectations(mockESApi.get());
 }
 
-- (void)testHandleMessage {
+typedef void (^testHelperBlock)(es_message_t *message,
+                                std::shared_ptr<MockEndpointSecurityAPI> mockESApi, id mockCC,
+                                SNTEndpointSecurityRecorder *recorderClient,
+                                std::shared_ptr<PrefixTree<Unit>> prefixTree,
+                                dispatch_semaphore_t *sema, dispatch_semaphore_t *semaMetrics);
+
+es_file_t targetFileMatchesRegex = MakeESFile("/foo/matches");
+es_file_t targetFileMissesRegex = MakeESFile("/foo/misses");
+
+- (void)handleMessageWithMatchCalls:(BOOL)regexMatchCalls
+                      withMissCalls:(BOOL)regexFailsMatchCalls
+                          withBlock:(testHelperBlock)testBlock {
   es_file_t file = MakeESFile("foo");
   es_process_t proc = MakeESProcess(&file);
   es_message_t esMsg = MakeESMessage(ES_EVENT_TYPE_NOTIFY_CLOSE, &proc, ActionType::Auth);
-  es_file_t targetFileMatchesRegex = MakeESFile("/foo/matches");
-  es_file_t targetFileMissesRegex = MakeESFile("/foo/misses");
 
   auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
   mockESApi->SetExpectationsESNewClient();
@@ -116,11 +126,15 @@ class MockLogger : public Logger {
   std::unique_ptr<EnrichedMessage> enrichedMsg = std::unique_ptr<EnrichedMessage>(nullptr);
 
   auto mockEnricher = std::make_shared<MockEnricher>();
-  EXPECT_CALL(*mockEnricher, Enrich).WillOnce(testing::Return(std::move(enrichedMsg)));
+
+  if (regexMatchCalls) {
+    EXPECT_CALL(*mockEnricher, Enrich).WillOnce(testing::Return(std::move(enrichedMsg)));
+  }
 
   auto mockAuthCache = std::make_shared<MockAuthResultCache>(nullptr, nil);
-  EXPECT_CALL(*mockAuthCache, RemoveFromCache(&targetFileMatchesRegex)).Times(1);
-  EXPECT_CALL(*mockAuthCache, RemoveFromCache(&targetFileMissesRegex)).Times(1);
+  EXPECT_CALL(*mockAuthCache, RemoveFromCache(&targetFileMatchesRegex)).Times((int)regexMatchCalls);
+  EXPECT_CALL(*mockAuthCache, RemoveFromCache(&targetFileMissesRegex))
+    .Times((int)regexFailsMatchCalls);
 
   dispatch_semaphore_t semaMetrics = dispatch_semaphore_create(0);
 
@@ -128,11 +142,13 @@ class MockLogger : public Logger {
   // `SNTEndpointSecurityRecorder` object. There is a bug in OCMock that doesn't
   // properly handle the `processEnrichedMessage:handler:` block. Instead this
   // test will mock the `Log` method that is called in the handler block.
-  dispatch_semaphore_t sema = dispatch_semaphore_create(0);
+  __block dispatch_semaphore_t sema = dispatch_semaphore_create(0);
   auto mockLogger = std::make_shared<MockLogger>(nullptr, nullptr);
-  EXPECT_CALL(*mockLogger, Log).WillOnce(testing::InvokeWithoutArgs(^() {
-    dispatch_semaphore_signal(sema);
-  }));
+  if (regexMatchCalls) {
+    EXPECT_CALL(*mockLogger, Log).WillOnce(testing::InvokeWithoutArgs(^() {
+      dispatch_semaphore_signal(sema);
+    }));
+  }
 
   auto prefixTree = std::make_shared<PrefixTree<Unit>>();
 
@@ -147,66 +163,7 @@ class MockLogger : public Logger {
                                        authResultCache:mockAuthCache
                                             prefixTree:prefixTree];
 
-  // CLOSE not modified, bail early
-  {
-    esMsg.event_type = ES_EVENT_TYPE_NOTIFY_CLOSE;
-    esMsg.event.close.modified = false;
-    esMsg.event.close.target = NULL;
-
-    XCTAssertNoThrow([recorderClient handleMessage:Message(mockESApi, &esMsg)
-                                recordEventMetrics:^(EventDisposition d) {
-                                  XCTFail("Metrics record callback should not be called here");
-                                }]);
-  }
-
-  // CLOSE modified, remove from cache, and matches fileChangesRegex
-  {
-    esMsg.event_type = ES_EVENT_TYPE_NOTIFY_CLOSE;
-    esMsg.event.close.modified = true;
-    esMsg.event.close.target = &targetFileMatchesRegex;
-    Message msg(mockESApi, &esMsg);
-
-    OCMExpect([mockCC handleEvent:msg withLogger:nullptr]).ignoringNonObjectArgs();
-
-    [recorderClient handleMessage:std::move(msg)
-               recordEventMetrics:^(EventDisposition d) {
-                 XCTAssertEqual(d, EventDisposition::kProcessed);
-                 dispatch_semaphore_signal(semaMetrics);
-               }];
-
-    XCTAssertSemaTrue(semaMetrics, 5, "Metrics not recorded within expected window");
-    XCTAssertSemaTrue(sema, 5, "Log wasn't called within expected time window");
-  }
-
-  // CLOSE modified, remove from cache, but doesn't match fileChangesRegex
-  {
-    esMsg.event_type = ES_EVENT_TYPE_NOTIFY_CLOSE;
-    esMsg.event.close.modified = true;
-    esMsg.event.close.target = &targetFileMissesRegex;
-    Message msg(mockESApi, &esMsg);
-    XCTAssertNoThrow([recorderClient handleMessage:Message(mockESApi, &esMsg)
-                                recordEventMetrics:^(EventDisposition d) {
-                                  XCTFail("Metrics record callback should not be called here");
-                                }]);
-  }
-
-  // LINK, Prefix match, bail early
-  {
-    esMsg.event_type = ES_EVENT_TYPE_NOTIFY_LINK;
-    esMsg.event.link.source = &targetFileMatchesRegex;
-    prefixTree->InsertPrefix(esMsg.event.link.source->path.data, Unit{});
-    Message msg(mockESApi, &esMsg);
-
-    OCMExpect([mockCC handleEvent:msg withLogger:nullptr]).ignoringNonObjectArgs();
-
-    [recorderClient handleMessage:std::move(msg)
-               recordEventMetrics:^(EventDisposition d) {
-                 XCTAssertEqual(d, EventDisposition::kDropped);
-                 dispatch_semaphore_signal(semaMetrics);
-               }];
-
-    XCTAssertSemaTrue(semaMetrics, 5, "Metrics not recorded within expected window");
-  }
+  testBlock(&esMsg, mockESApi, mockCC, recorderClient, prefixTree, &sema, &semaMetrics);
 
   XCTAssertTrue(OCMVerifyAll(mockCC));
 
@@ -218,6 +175,150 @@ class MockLogger : public Logger {
   [mockCC stopMocking];
 }
 
+- (void)testHandleMessageWithCloseMappedWriteable {
+#if HAVE_MACOS_13
+  if (@available(macOS 13.0, *)) {
+    // CLOSE not modified, but was_mapped_writable, should remove from cache,
+    // and matches fileChangesRegex
+    testHelperBlock testBlock =
+      ^(es_message_t *esMsg, std::shared_ptr<MockEndpointSecurityAPI> mockESApi, id mockCC,
+        SNTEndpointSecurityRecorder *recorderClient, std::shared_ptr<PrefixTree<Unit>> prefixTree,
+        __autoreleasing dispatch_semaphore_t *sema,
+        __autoreleasing dispatch_semaphore_t *semaMetrics) {
+        esMsg->event_type = ES_EVENT_TYPE_NOTIFY_CLOSE;
+        esMsg->event.close.modified = false;
+        esMsg->event.close.was_mapped_writable = true;
+        esMsg->event.close.target = &targetFileMatchesRegex;
+        Message msg(mockESApi, esMsg);
+
+        OCMExpect([mockCC handleEvent:msg withLogger:nullptr]).ignoringNonObjectArgs();
+
+        XCTAssertNoThrow([recorderClient handleMessage:Message(mockESApi, esMsg)
+                                    recordEventMetrics:^(EventDisposition d) {
+                                      XCTAssertEqual(d, EventDisposition::kProcessed);
+                                      dispatch_semaphore_signal(*semaMetrics);
+                                    }]);
+        XCTAssertSemaTrue(*semaMetrics, 5, "Metrics not recorded within expected window");
+        XCTAssertSemaTrue(*sema, 5, "Log wasn't called within expected time window");
+      };
+
+    [self handleMessageWithMatchCalls:YES withMissCalls:NO withBlock:testBlock];
+  }
+#endif
+}
+
+- (void)testHandleEventCloseNotModifiedWithWasMappedWritable {
+#if HAVE_MACOS_13
+  if (@available(macOS 13.0, *)) {
+    // CLOSE not modified, but was_mapped_writable, remove from cache, and does not match
+    // fileChangesRegex
+    testHelperBlock testBlock =
+      ^(es_message_t *esMsg, std::shared_ptr<MockEndpointSecurityAPI> mockESApi, id mockCC,
+        SNTEndpointSecurityRecorder *recorderClient, std::shared_ptr<PrefixTree<Unit>> prefixTree,
+        __autoreleasing dispatch_semaphore_t *sema,
+        __autoreleasing dispatch_semaphore_t *semaMetrics) {
+        esMsg->event_type = ES_EVENT_TYPE_NOTIFY_CLOSE;
+        esMsg->event.close.modified = false;
+        esMsg->event.close.was_mapped_writable = true;
+        esMsg->event.close.target = &targetFileMissesRegex;
+        Message msg(mockESApi, esMsg);
+
+        XCTAssertNoThrow([recorderClient handleMessage:Message(mockESApi, esMsg)
+                                    recordEventMetrics:^(EventDisposition d) {
+                                      XCTFail("Metrics record callback should not be called here");
+                                    }]);
+      };
+
+    [self handleMessageWithMatchCalls:NO withMissCalls:YES withBlock:testBlock];
+  }
+#endif
+}
+
+- (void)testHandleMessage {
+  // CLOSE not modified, bail early
+  testHelperBlock testBlock = ^(
+    es_message_t *esMsg, std::shared_ptr<MockEndpointSecurityAPI> mockESApi, id mockCC,
+    SNTEndpointSecurityRecorder *recorderClient, std::shared_ptr<PrefixTree<Unit>> prefixTree,
+    __autoreleasing dispatch_semaphore_t *sema, __autoreleasing dispatch_semaphore_t *semaMetrics) {
+    esMsg->event_type = ES_EVENT_TYPE_NOTIFY_CLOSE;
+    esMsg->event.close.modified = false;
+    esMsg->event.close.target = NULL;
+
+    XCTAssertNoThrow([recorderClient handleMessage:Message(mockESApi, esMsg)
+                                recordEventMetrics:^(EventDisposition d) {
+                                  XCTFail("Metrics record callback should not be called here");
+                                }]);
+  };
+
+  [self handleMessageWithMatchCalls:NO withMissCalls:NO withBlock:testBlock];
+
+  // CLOSE modified, remove from cache, and matches fileChangesRegex
+  testBlock = ^(
+    es_message_t *esMsg, std::shared_ptr<MockEndpointSecurityAPI> mockESApi, id mockCC,
+    SNTEndpointSecurityRecorder *recorderClient, std::shared_ptr<PrefixTree<Unit>> prefixTree,
+    __autoreleasing dispatch_semaphore_t *sema, __autoreleasing dispatch_semaphore_t *semaMetrics) {
+    esMsg->event_type = ES_EVENT_TYPE_NOTIFY_CLOSE;
+    esMsg->event.close.modified = true;
+    esMsg->event.close.target = &targetFileMatchesRegex;
+    Message msg(mockESApi, esMsg);
+
+    OCMExpect([mockCC handleEvent:msg withLogger:nullptr]).ignoringNonObjectArgs();
+
+    [recorderClient handleMessage:std::move(msg)
+               recordEventMetrics:^(EventDisposition d) {
+                 XCTAssertEqual(d, EventDisposition::kProcessed);
+                 dispatch_semaphore_signal(*semaMetrics);
+               }];
+
+    XCTAssertSemaTrue(*semaMetrics, 5, "Metrics not recorded within expected window");
+    XCTAssertSemaTrue(*sema, 5, "Log wasn't called within expected time window");
+  };
+
+  [self handleMessageWithMatchCalls:YES withMissCalls:NO withBlock:testBlock];
+
+  // CLOSE modified, remove from cache, but doesn't match fileChangesRegex
+  testBlock = ^(
+    es_message_t *esMsg, std::shared_ptr<MockEndpointSecurityAPI> mockESApi, id mockCC,
+    SNTEndpointSecurityRecorder *recorderClient, std::shared_ptr<PrefixTree<Unit>> prefixTree,
+    __autoreleasing dispatch_semaphore_t *sema, __autoreleasing dispatch_semaphore_t *semaMetrics) {
+    esMsg->event_type = ES_EVENT_TYPE_NOTIFY_CLOSE;
+    esMsg->event.close.modified = true;
+    esMsg->event.close.target = &targetFileMissesRegex;
+    Message msg(mockESApi, esMsg);
+    XCTAssertNoThrow([recorderClient handleMessage:Message(mockESApi, esMsg)
+                                recordEventMetrics:^(EventDisposition d) {
+                                  XCTFail("Metrics record callback should not be called here");
+                                }]);
+  };
+
+  [self handleMessageWithMatchCalls:NO withMissCalls:YES withBlock:testBlock];
+
+  // LINK, Prefix match, bail early
+  testBlock =
+    ^(es_message_t *esMsg, std::shared_ptr<MockEndpointSecurityAPI> mockESApi, id mockCC,
+      SNTEndpointSecurityRecorder *recorderClient, std::shared_ptr<PrefixTree<Unit>> prefixTree,
+      __autoreleasing dispatch_semaphore_t *sema, __autoreleasing dispatch_semaphore_t *semaMetrics)
+
+  {
+    esMsg->event_type = ES_EVENT_TYPE_NOTIFY_LINK;
+    esMsg->event.link.source = &targetFileMatchesRegex;
+    prefixTree->InsertPrefix(esMsg->event.link.source->path.data, Unit{});
+    Message msg(mockESApi, esMsg);
+
+    OCMExpect([mockCC handleEvent:msg withLogger:nullptr]).ignoringNonObjectArgs();
+
+    [recorderClient handleMessage:std::move(msg)
+               recordEventMetrics:^(EventDisposition d) {
+                 XCTAssertEqual(d, EventDisposition::kDropped);
+                 dispatch_semaphore_signal(*semaMetrics);
+               }];
+
+    XCTAssertSemaTrue(*semaMetrics, 5, "Metrics not recorded within expected window");
+  };
+
+  [self handleMessageWithMatchCalls:NO withMissCalls:NO withBlock:testBlock];
+}
+
 - (void)testGetTargetFileForPrefixTree {
   // Ensure `GetTargetFileForPrefixTree` returns expected field for each
   // subscribed event type in the `SNTEndpointSecurityRecorder`.

Source/santad/Logs/EndpointSecurity/Serializers/BasicString.h

@@ -55,6 +55,8 @@ class BasicString : public Serializer {
     const santa::santad::event_providers::endpoint_security::EnrichedRename &) override;
   std::vector<uint8_t> SerializeMessage(
     const santa::santad::event_providers::endpoint_security::EnrichedUnlink &) override;
+  std::vector<uint8_t> SerializeMessage(
+    const santa::santad::event_providers::endpoint_security::EnrichedCSInvalidated &) override;
 
   std::vector<uint8_t> SerializeFileAccess(
     const std::string &policy_version, const std::string &policy_name,

Source/santad/Logs/EndpointSecurity/Serializers/BasicString.mm

@@ -37,6 +37,7 @@
 
 using santa::santad::event_providers::endpoint_security::EndpointSecurityAPI;
 using santa::santad::event_providers::endpoint_security::EnrichedClose;
+using santa::santad::event_providers::endpoint_security::EnrichedCSInvalidated;
 using santa::santad::event_providers::endpoint_security::EnrichedExchange;
 using santa::santad::event_providers::endpoint_security::EnrichedExec;
 using santa::santad::event_providers::endpoint_security::EnrichedExit;
@@ -46,6 +47,7 @@ using santa::santad::event_providers::endpoint_security::EnrichedProcess;
 using santa::santad::event_providers::endpoint_security::EnrichedRename;
 using santa::santad::event_providers::endpoint_security::EnrichedUnlink;
 using santa::santad::event_providers::endpoint_security::Message;
+using santa::santad::logs::endpoint_security::serializers::Utilities::MountFromName;
 using santa::santad::logs::endpoint_security::serializers::Utilities::NonNull;
 using santa::santad::logs::endpoint_security::serializers::Utilities::Pid;
 using santa::santad::logs::endpoint_security::serializers::Utilities::Pidversion;
@@ -411,6 +413,19 @@ std::vector<uint8_t> BasicString::SerializeMessage(const EnrichedUnlink &msg) {
   return FinalizeString(str);
 }
 
+std::vector<uint8_t> BasicString::SerializeMessage(const EnrichedCSInvalidated &msg) {
+  const es_message_t &esm = msg.es_msg();
+  std::string str = CreateDefaultString();
+
+  str.append("action=CODESIGNING_INVALIDATED");
+  AppendProcess(str, esm.process);
+  AppendUserGroup(str, esm.process->audit_token, msg.instigator().real_user(),
+                  msg.instigator().real_group());
+  str.append("|codesigning_flags=");
+  str.append([NSString stringWithFormat:@"0x%08x", esm.process->codesigning_flags].UTF8String);
+  return FinalizeString(str);
+}
+
 std::vector<uint8_t> BasicString::SerializeFileAccess(const std::string &policy_version,
                                                       const std::string &policy_name,
                                                       const Message &msg,
@@ -509,6 +524,8 @@ std::vector<uint8_t> BasicString::SerializeDiskAppeared(NSDictionary *props) {
   str.append([NonNull(dmg_path) UTF8String]);
   str.append("|appearance=");
   str.append([NonNull(appearanceDateString) UTF8String]);
+  str.append("|mountfrom=");
+  str.append([NonNull(MountFromName([props[@"DAVolumePath"] path])) UTF8String]);
 
   return FinalizeString(str);
 }

Source/santad/Logs/EndpointSecurity/Serializers/BasicStringTest.mm

@@ -251,6 +251,20 @@ std::string BasicStringSerializeMessage(es_message_t *esMsg) {
   XCTAssertCppStringEqual(got, want);
 }
 
+- (void)testSerializeMessageCSInvalidated {
+  es_file_t procFile = MakeESFile("foo");
+  es_process_t proc = MakeESProcess(&procFile, MakeAuditToken(12, 34), MakeAuditToken(56, 78));
+  es_message_t esMsg = MakeESMessage(ES_EVENT_TYPE_NOTIFY_CS_INVALIDATED, &proc);
+
+  std::string got = BasicStringSerializeMessage(&esMsg);
+  std::string want =
+    "action=CODESIGNING_INVALIDATED"
+    "|pid=12|ppid=56|process=foo|processpath=foo"
+    "|uid=-2|user=nobody|gid=-1|group=nogroup|codesigning_flags=0x00000000|machineid=my_id\n";
+
+  XCTAssertCppStringEqual(got, want);
+}
+
 - (void)testGetAccessTypeString {
   std::map<es_event_type_t, std::string> accessTypeToString = {
     {ES_EVENT_TYPE_AUTH_OPEN, "OPEN"},         {ES_EVENT_TYPE_AUTH_LINK, "LINK"},
@@ -351,7 +365,7 @@ std::string BasicStringSerializeMessage(es_message_t *esMsg) {
     @"DADeviceVendor" : @"vendor",
     @"DADeviceModel" : @"model",
     @"DAAppearanceTime" : @(1252487349),  // 2009-09-09 09:09:09
-    @"DAVolumePath" : [NSURL URLWithString:@"path"],
+    @"DAVolumePath" : [NSURL URLWithString:@"/"],
     @"DAMediaBSDName" : @"bsd",
     @"DAVolumeKind" : @"apfs",
     @"DADeviceProtocol" : @"usb",
@@ -365,11 +379,11 @@ std::string BasicStringSerializeMessage(es_message_t *esMsg) {
   std::vector<uint8_t> ret = BasicString::Create(nullptr, nil, false)->SerializeDiskAppeared(props);
   std::string got(ret.begin(), ret.end());
 
-  std::string want = "action=DISKAPPEAR|mount=path|volume=|bsdname=bsd|fs=apfs"
+  std::string want = "action=DISKAPPEAR|mount=/|volume=|bsdname=bsd|fs=apfs"
                      "|model=vendor model|serial=|bus=usb|dmgpath="
-                     "|appearance=2040-09-09T09:09:09.000Z\n";
+                     "|appearance=2040-09-09T09:09:09.000Z|mountfrom=/";
 
-  XCTAssertCppStringEqual(got, want);
+  XCTAssertCppStringBeginsWith(got, want);
 }
 
 - (void)testSerializeDiskDisappeared {

Source/santad/Logs/EndpointSecurity/Serializers/Empty.h

@@ -47,6 +47,8 @@ class Empty : public Serializer {
     const santa::santad::event_providers::endpoint_security::EnrichedRename &) override;
   std::vector<uint8_t> SerializeMessage(
     const santa::santad::event_providers::endpoint_security::EnrichedUnlink &) override;
+  std::vector<uint8_t> SerializeMessage(
+    const santa::santad::event_providers::endpoint_security::EnrichedCSInvalidated &) override;
 
   std::vector<uint8_t> SerializeFileAccess(
     const std::string &policy_version, const std::string &policy_name,

Source/santad/Logs/EndpointSecurity/Serializers/Empty.mm

@@ -15,6 +15,7 @@
 #include "Source/santad/Logs/EndpointSecurity/Serializers/Empty.h"
 
 using santa::santad::event_providers::endpoint_security::EnrichedClose;
+using santa::santad::event_providers::endpoint_security::EnrichedCSInvalidated;
 using santa::santad::event_providers::endpoint_security::EnrichedExchange;
 using santa::santad::event_providers::endpoint_security::EnrichedExec;
 using santa::santad::event_providers::endpoint_security::EnrichedExit;
@@ -65,6 +66,10 @@ std::vector<uint8_t> Empty::SerializeMessage(const EnrichedUnlink &msg) {
   return {};
 }
 
+std::vector<uint8_t> Empty::SerializeMessage(const EnrichedCSInvalidated &msg) {
+  return {};
+}
+
 std::vector<uint8_t> Empty::SerializeFileAccess(const std::string &policy_version,
                                                 const std::string &policy_name, const Message &msg,
                                                 const EnrichedProcess &enriched_process,

Source/santad/Logs/EndpointSecurity/Serializers/EmptyTest.mm

@@ -43,6 +43,7 @@ namespace es = santa::santad::event_providers::endpoint_security;
   XCTAssertEqual(e->SerializeMessage(*(es::EnrichedLink *)&fake).size(), 0);
   XCTAssertEqual(e->SerializeMessage(*(es::EnrichedRename *)&fake).size(), 0);
   XCTAssertEqual(e->SerializeMessage(*(es::EnrichedUnlink *)&fake).size(), 0);
+  XCTAssertEqual(e->SerializeMessage(*(es::EnrichedCSInvalidated *)&fake).size(), 0);
 
   XCTAssertEqual(e->SerializeAllowlist(*(es::Message *)&fake, "").size(), 0);
   XCTAssertEqual(e->SerializeBundleHashingEvent(nil).size(), 0);

Source/santad/Logs/EndpointSecurity/Serializers/Protobuf.h

@@ -56,6 +56,8 @@ class Protobuf : public Serializer {
     const santa::santad::event_providers::endpoint_security::EnrichedRename &) override;
   std::vector<uint8_t> SerializeMessage(
     const santa::santad::event_providers::endpoint_security::EnrichedUnlink &) override;
+  std::vector<uint8_t> SerializeMessage(
+    const santa::santad::event_providers::endpoint_security::EnrichedCSInvalidated &) override;
 
   std::vector<uint8_t> SerializeFileAccess(
     const std::string &policy_version, const std::string &policy_name,

Source/santad/Logs/EndpointSecurity/Serializers/Protobuf.mm

@@ -17,8 +17,7 @@
 #include <EndpointSecurity/EndpointSecurity.h>
 #include <Kernel/kern/cs_blobs.h>
 #include <bsm/libbsm.h>
-#include <google/protobuf/stubs/status.h>
-#include <google/protobuf/util/json_util.h>
+#include <google/protobuf/json/json.h>
 #include <mach/message.h>
 #include <math.h>
 #include <sys/proc_info.h>
@@ -36,16 +35,18 @@
 #include "Source/santad/EventProviders/EndpointSecurity/EndpointSecurityAPI.h"
 #include "Source/santad/Logs/EndpointSecurity/Serializers/Utilities.h"
 #import "Source/santad/SNTDecisionCache.h"
+#include "absl/status/status.h"
 #include "google/protobuf/timestamp.pb.h"
 
 using google::protobuf::Arena;
 using google::protobuf::Timestamp;
-using google::protobuf::util::JsonPrintOptions;
-using google::protobuf::util::MessageToJsonString;
+using JsonPrintOptions = google::protobuf::json::PrintOptions;
+using google::protobuf::json::MessageToJsonString;
 
 using santa::common::NSStringToUTF8StringView;
 using santa::santad::event_providers::endpoint_security::EndpointSecurityAPI;
 using santa::santad::event_providers::endpoint_security::EnrichedClose;
+using santa::santad::event_providers::endpoint_security::EnrichedCSInvalidated;
 using santa::santad::event_providers::endpoint_security::EnrichedEventType;
 using santa::santad::event_providers::endpoint_security::EnrichedExchange;
 using santa::santad::event_providers::endpoint_security::EnrichedExec;
@@ -59,6 +60,7 @@ using santa::santad::event_providers::endpoint_security::EnrichedUnlink;
 using santa::santad::event_providers::endpoint_security::Message;
 using santa::santad::logs::endpoint_security::serializers::Utilities::EffectiveGroup;
 using santa::santad::logs::endpoint_security::serializers::Utilities::EffectiveUser;
+using santa::santad::logs::endpoint_security::serializers::Utilities::MountFromName;
 using santa::santad::logs::endpoint_security::serializers::Utilities::NonNull;
 using santa::santad::logs::endpoint_security::serializers::Utilities::Pid;
 using santa::santad::logs::endpoint_security::serializers::Utilities::Pidversion;
@@ -69,6 +71,9 @@ namespace pbv1 = ::santa::pb::v1;
 
 namespace santa::santad::logs::endpoint_security::serializers {
 
+static constexpr NSUInteger kMaxEncodeObjectEntries = 64;
+static constexpr NSUInteger kMaxEncodeObjectLevels = 5;
+
 std::shared_ptr<Protobuf> Protobuf::Create(std::shared_ptr<EndpointSecurityAPI> esapi,
                                            SNTDecisionCache *decision_cache, bool json) {
   return std::make_shared<Protobuf>(esapi, std::move(decision_cache), json);
@@ -400,7 +405,7 @@ std::vector<uint8_t> Protobuf::FinalizeProto(::pbv1::SantaMessage *santa_msg) {
     options.preserve_proto_field_names = true;
     std::string json;
 
-    google::protobuf::util::Status status = MessageToJsonString(*santa_msg, &json, options);
+    absl::Status status = MessageToJsonString(*santa_msg, &json, options);
 
     if (!status.ok()) {
       LOGE(@"Failed to convert protobuf to JSON: %s", status.ToString().c_str());
@@ -447,6 +452,124 @@ std::vector<uint8_t> Protobuf::SerializeMessage(const EnrichedExchange &msg) {
   return FinalizeProto(santa_msg);
 }
 
+id StandardizedNestedObjects(id obj, int level) {
+  if (level-- == 0) {
+    return [obj description];
+  }
+
+  if ([obj isKindOfClass:[NSNumber class]] || [obj isKindOfClass:[NSString class]]) {
+    return obj;
+  } else if ([obj isKindOfClass:[NSArray class]]) {
+    NSMutableArray *arr = [NSMutableArray array];
+    for (id item in obj) {
+      [arr addObject:StandardizedNestedObjects(item, level)];
+    }
+    return arr;
+  } else if ([obj isKindOfClass:[NSDictionary class]]) {
+    NSMutableDictionary *dict = [NSMutableDictionary dictionary];
+    for (id key in obj) {
+      [dict setObject:StandardizedNestedObjects(obj[key], level) forKey:key];
+    }
+    return dict;
+  } else if ([obj isKindOfClass:[NSData class]]) {
+    return [obj base64EncodedStringWithOptions:0];
+  } else if ([obj isKindOfClass:[NSDate class]]) {
+    return [NSISO8601DateFormatter stringFromDate:obj
+                                         timeZone:[NSTimeZone timeZoneWithAbbreviation:@"UTC"]
+                                    formatOptions:NSISO8601DateFormatWithFractionalSeconds |
+                                                  NSISO8601DateFormatWithInternetDateTime];
+
+  } else {
+    LOGW(@"Unexpected object encountered: %@", obj);
+    return [obj description];
+  }
+}
+
+void EncodeEntitlements(::pbv1::Execution *pb_exec, SNTCachedDecision *cd) {
+  ::pbv1::EntitlementInfo *pb_entitlement_info = pb_exec->mutable_entitlement_info();
+
+  pb_entitlement_info->set_entitlements_filtered(cd.entitlementsFiltered != NO);
+
+  if (!cd.entitlements) {
+    return;
+  }
+
+  // Since nested objects with varying types is hard for the API to serialize to
+  // JSON, first go through and standardize types to ensure better serialization
+  // as well as a consitent view of data.
+  NSDictionary *entitlements = StandardizedNestedObjects(cd.entitlements, kMaxEncodeObjectLevels);
+
+  __block int numObjectsToEncode = (int)std::min(kMaxEncodeObjectEntries, entitlements.count);
+
+  pb_entitlement_info->mutable_entitlements()->Reserve(numObjectsToEncode);
+
+  [entitlements enumerateKeysAndObjectsUsingBlock:^(id key, id obj, BOOL *stop) {
+    if (numObjectsToEncode-- == 0) {
+      // Because entitlements are being clipped, ensure that we update that
+      // the set of entitlements were filtered.
+      pb_entitlement_info->set_entitlements_filtered(true);
+      *stop = YES;
+      return;
+    }
+
+    if (![key isKindOfClass:[NSString class]]) {
+      LOGW(@"Skipping entitlement key with unexpected key type: %@", key);
+      return;
+    }
+
+    NSError *err;
+    NSData *jsonData;
+    @try {
+      jsonData = [NSJSONSerialization dataWithJSONObject:obj
+                                                 options:NSJSONWritingFragmentsAllowed
+                                                   error:&err];
+    } @catch (NSException *e) {
+      LOGW(@"Encountered entitlement that cannot directly convert to JSON: %@: %@", key, obj);
+    }
+
+    if (!jsonData) {
+      // If the first attempt to serialize to JSON failed, get a string
+      // representation of the object via the `description` method and attempt
+      // to serialize that instead. Serialization can fail for a number of
+      // reasons, such as arrays including invalid types.
+      @try {
+        jsonData = [NSJSONSerialization dataWithJSONObject:[obj description]
+                                                   options:NSJSONWritingFragmentsAllowed
+                                                     error:&err];
+      } @catch (NSException *e) {
+        LOGW(@"Unable to create fallback string: %@: %@", key, obj);
+      }
+
+      if (!jsonData) {
+        @try {
+          // As a final fallback, simply serialize an error message so that the
+          // entitlement key is still logged.
+          jsonData = [NSJSONSerialization dataWithJSONObject:@"JSON Serialization Failed"
+                                                     options:NSJSONWritingFragmentsAllowed
+                                                       error:&err];
+        } @catch (NSException *e) {
+          // This shouldn't be able to happen...
+          LOGW(@"Failed to serialize fallback error message");
+        }
+      }
+    }
+
+    // This shouldn't be possible given the fallback code above. But handle it
+    // just in case to prevent a crash.
+    if (!jsonData) {
+      LOGW(@"Failed to create valid JSON for entitlement: %@", key);
+      return;
+    }
+
+    ::pbv1::Entitlement *pb_entitlement = pb_entitlement_info->add_entitlements();
+    EncodeString([pb_entitlement] { return pb_entitlement->mutable_key(); },
+                 NSStringToUTF8StringView(key));
+    EncodeString([pb_entitlement] { return pb_entitlement->mutable_value(); },
+                 NSStringToUTF8StringView([[NSString alloc] initWithData:jsonData
+                                                                encoding:NSUTF8StringEncoding]));
+  }];
+}
+
 std::vector<uint8_t> Protobuf::SerializeMessage(const EnrichedExec &msg, SNTCachedDecision *cd) {
   Arena arena;
   ::pbv1::SantaMessage *santa_msg = CreateDefaultProto(&arena, msg);
@@ -523,6 +646,8 @@ std::vector<uint8_t> Protobuf::SerializeMessage(const EnrichedExec &msg, SNTCach
   NSString *orig_path = Utilities::OriginalPathForTranslocation(msg.es_msg().event.exec.target);
   EncodeString([pb_exec] { return pb_exec->mutable_original_path(); }, orig_path);
 
+  EncodeEntitlements(pb_exec, cd);
+
   return FinalizeProto(santa_msg);
 }
 
@@ -599,6 +724,17 @@ std::vector<uint8_t> Protobuf::SerializeMessage(const EnrichedUnlink &msg) {
   return FinalizeProto(santa_msg);
 }
 
+std::vector<uint8_t> Protobuf::SerializeMessage(const EnrichedCSInvalidated &msg) {
+  Arena arena;
+  ::pbv1::SantaMessage *santa_msg = CreateDefaultProto(&arena, msg);
+
+  ::pbv1::CodesigningInvalidated *pb_cs_invalidated = santa_msg->mutable_codesigning_invalidated();
+  EncodeProcessInfoLight(pb_cs_invalidated->mutable_instigator(), msg.es_msg().version,
+                         msg.es_msg().process, msg.instigator());
+
+  return FinalizeProto(santa_msg);
+}
+
 std::vector<uint8_t> Protobuf::SerializeFileAccess(const std::string &policy_version,
                                                    const std::string &policy_name,
                                                    const Message &msg,
@@ -682,6 +818,8 @@ static void EncodeDisk(::pbv1::Disk *pb_disk, ::pbv1::Disk_Action action, NSDict
   EncodeString([pb_disk] { return pb_disk->mutable_serial(); }, serial);
   EncodeString([pb_disk] { return pb_disk->mutable_bus(); }, props[@"DADeviceProtocol"]);
   EncodeString([pb_disk] { return pb_disk->mutable_dmg_path(); }, dmg_path);
+  EncodeString([pb_disk] { return pb_disk->mutable_mount_from(); },
+               MountFromName([props[@"DAVolumePath"] path]));
 
   if (props[@"DAAppearanceTime"]) {
     // Note: `DAAppearanceTime` is set via `CFAbsoluteTimeGetCurrent`, which uses the defined

Source/santad/Logs/EndpointSecurity/Serializers/ProtobufTest.mm

@@ -18,7 +18,7 @@
 #import <OCMock/OCMock.h>
 #import <XCTest/XCTest.h>
 #include <gmock/gmock.h>
-#include <google/protobuf/util/json_util.h>
+#include <google/protobuf/json/json.h>
 #include <gtest/gtest.h>
 #include <sys/proc_info.h>
 #include <sys/signal.h>
@@ -40,12 +40,15 @@
 #include "Source/santad/Logs/EndpointSecurity/Serializers/Protobuf.h"
 #include "Source/santad/Logs/EndpointSecurity/Serializers/Serializer.h"
 #import "Source/santad/SNTDecisionCache.h"
+#include "absl/status/status.h"
 #include "google/protobuf/any.pb.h"
 #include "google/protobuf/timestamp.pb.h"
 
 using google::protobuf::Timestamp;
-using google::protobuf::util::JsonPrintOptions;
-using google::protobuf::util::JsonStringToMessage;
+using JsonPrintOptions = google::protobuf::json::PrintOptions;
+using JsonParseOptions = ::google::protobuf::json::ParseOptions;
+using google::protobuf::json::JsonStringToMessage;
+using google::protobuf::json::MessageToJsonString;
 using santa::santad::event_providers::endpoint_security::EnrichedEventType;
 using santa::santad::event_providers::endpoint_security::EnrichedMessage;
 using santa::santad::event_providers::endpoint_security::Enricher;
@@ -57,6 +60,7 @@ namespace pbv1 = ::santa::pb::v1;
 
 namespace santa::santad::logs::endpoint_security::serializers {
 extern void EncodeExitStatus(::pbv1::Exit *pbExit, int exitStatus);
+extern void EncodeEntitlements(::pbv1::Execution *pb_exec, SNTCachedDecision *cd);
 extern ::pbv1::Execution::Decision GetDecisionEnum(SNTEventState event_state);
 extern ::pbv1::Execution::Reason GetReasonEnum(SNTEventState event_state);
 extern ::pbv1::Execution::Mode GetModeEnum(SNTClientMode mode);
@@ -65,6 +69,7 @@ extern ::pbv1::FileAccess::AccessType GetAccessType(es_event_type_t event_type);
 extern ::pbv1::FileAccess::PolicyDecision GetPolicyDecision(FileAccessPolicyDecision decision);
 }  // namespace santa::santad::logs::endpoint_security::serializers
 
+using santa::santad::logs::endpoint_security::serializers::EncodeEntitlements;
 using santa::santad::logs::endpoint_security::serializers::EncodeExitStatus;
 using santa::santad::logs::endpoint_security::serializers::GetAccessType;
 using santa::santad::logs::endpoint_security::serializers::GetDecisionEnum;
@@ -107,6 +112,7 @@ NSString *EventTypeToFilename(es_event_type_t eventType) {
     case ES_EVENT_TYPE_NOTIFY_LINK: return @"link.json";
     case ES_EVENT_TYPE_NOTIFY_RENAME: return @"rename.json";
     case ES_EVENT_TYPE_NOTIFY_UNLINK: return @"unlink.json";
+    case ES_EVENT_TYPE_NOTIFY_CS_INVALIDATED: return @"cs_invalidated.json";
     default: XCTFail(@"Unhandled event type: %d", eventType); return nil;
   }
 }
@@ -142,6 +148,7 @@ const google::protobuf::Message &SantaMessageEvent(const ::pbv1::SantaMessage &s
     case ::pbv1::SantaMessage::kBundle: return santaMsg.bundle();
     case ::pbv1::SantaMessage::kAllowlist: return santaMsg.allowlist();
     case ::pbv1::SantaMessage::kFileAccess: return santaMsg.file_access();
+    case ::pbv1::SantaMessage::kCodesigningInvalidated: return santaMsg.codesigning_invalidated();
     case ::pbv1::SantaMessage::EVENT_NOT_SET:
       XCTFail(@"Protobuf message SantaMessage did not set an 'event' field");
       OS_FALLTHROUGH;
@@ -157,32 +164,39 @@ std::string ConvertMessageToJsonString(const ::pbv1::SantaMessage &santaMsg) {
   const google::protobuf::Message &message = SantaMessageEvent(santaMsg);
 
   std::string json;
-  XCTAssertTrue(google::protobuf::util::MessageToJsonString(message, &json, options).ok());
+  XCTAssertTrue(MessageToJsonString(message, &json, options).ok());
   return json;
 }
 
-NSDictionary *findDelta(NSDictionary *a, NSDictionary *b) {
-  NSMutableDictionary *delta = NSMutableDictionary.dictionary;
+NSDictionary *FindDelta(NSDictionary *want, NSDictionary *got) {
+  NSMutableDictionary *delta = [NSMutableDictionary dictionary];
+  delta[@"want"] = [NSMutableDictionary dictionary];
+  delta[@"got"] = [NSMutableDictionary dictionary];
 
-  // Find objects in a that don't exist or are different in b.
-  [a enumerateKeysAndObjectsUsingBlock:^(id _Nonnull key, id _Nonnull obj, BOOL *_Nonnull stop) {
-    id otherObj = b[key];
+  // Find objects in `want` that don't exist or are different in `got`.
+  [want enumerateKeysAndObjectsUsingBlock:^(id key, id obj, BOOL *stop) {
+    id otherObj = got[key];
 
-    if (![obj isEqual:otherObj]) {
-      delta[key] = obj;
+    if (!otherObj) {
+      delta[@"want"][key] = obj;
+      delta[@"got"][key] = @"Key missing";
+    } else if (![obj isEqual:otherObj]) {
+      delta[@"want"][key] = obj;
+      delta[@"got"][key] = otherObj;
     }
   }];
 
-  // Find objects in the other dictionary that don't exist in self
-  [b enumerateKeysAndObjectsUsingBlock:^(id _Nonnull key, id _Nonnull obj, BOOL *_Nonnull stop) {
-    id aObj = a[key];
+  // Find objects in `got` that don't exist in `want`
+  [got enumerateKeysAndObjectsUsingBlock:^(id key, id obj, BOOL *stop) {
+    id aObj = want[key];
 
     if (!aObj) {
-      delta[key] = obj;
+      delta[@"want"][key] = @"Key missing";
+      delta[@"got"][key] = obj;
     }
   }];
 
-  return delta;
+  return [delta[@"want"] count] > 0 ? delta : nil;
 }
 
 void SerializeAndCheck(es_event_type_t eventType,
@@ -236,9 +250,10 @@ void SerializeAndCheck(es_event_type_t eventType,
     if (json) {
       // Parse the jsonified string into the protobuf
       // gotData = protoStr;
-      google::protobuf::util::JsonParseOptions options;
+      JsonParseOptions options;
       options.ignore_unknown_fields = true;
-      google::protobuf::util::Status status = JsonStringToMessage(protoStr, &santaMsg, options);
+      absl::Status status = JsonStringToMessage(protoStr, &santaMsg, options);
+      XCTAssertTrue(status.ok());
       gotData = ConvertMessageToJsonString(santaMsg);
     } else {
       XCTAssertTrue(santaMsg.ParseFromString(protoStr));
@@ -262,9 +277,9 @@ void SerializeAndCheck(es_event_type_t eventType,
                    error:&jsonError];
     XCTAssertNil(jsonError, @"failed to parse got data as JSON");
 
+    XCTAssertNil(FindDelta(wantJSONDict, gotJSONDict));
+    // Note: Uncomment this line to help create testfile JSON when the assert above fails
     // XCTAssertEqualObjects([NSString stringWithUTF8String:gotData.c_str()], wantData);
-    NSDictionary *delta = findDelta(wantJSONDict, gotJSONDict);
-    XCTAssertEqualObjects(@{}, delta);
   }
 
   XCTBubbleMockVerifyAndClearExpectations(mockESApi.get());
@@ -332,6 +347,22 @@ void SerializeAndCheckNonESEvents(
   self.testCachedDecision.quarantineURL = @"google.com";
   self.testCachedDecision.certSHA256 = @"5678_cert_hash";
   self.testCachedDecision.decisionClientMode = SNTClientModeLockdown;
+  self.testCachedDecision.entitlements = @{
+    @"key_with_str_val" : @"bar",
+    @"key_with_num_val" : @(1234),
+    @"key_with_date_val" : [NSDate dateWithTimeIntervalSince1970:1699376402],
+    @"key_with_data_val" : [@"Hello World" dataUsingEncoding:NSUTF8StringEncoding],
+    @"key_with_arr_val" : @[ @"v1", @"v2", @"v3" ],
+    @"key_with_arr_val_nested" : @[ @"v1", @"v2", @"v3", @[ @"nv1", @"nv2" ] ],
+    @"key_with_arr_val_multitype" :
+      @[ @"v1", @"v2", @"v3", @(123), [NSDate dateWithTimeIntervalSince1970:1699376402] ],
+    @"key_with_dict_val" : @{@"k1" : @"v1", @"k2" : @"v2"},
+    @"key_with_dict_val_nested" : @{
+      @"k1" : @"v1",
+      @"k2" : @"v2",
+      @"k3" : @{@"nk1" : @"nv1", @"nk2" : [NSDate dateWithTimeIntervalSince1970:1699376402]}
+    },
+  };
 
   self.mockDecisionCache = OCMClassMock([SNTDecisionCache class]);
   OCMStub([self.mockDecisionCache sharedCache]).andReturn(self.mockDecisionCache);
@@ -567,6 +598,70 @@ void SerializeAndCheckNonESEvents(
                           json:YES];
 }
 
+- (void)testEncodeEntitlements {
+  int kMaxEncodeObjectEntries = 64;  // From Protobuf.mm
+  // Test basic encoding without filtered entitlements
+  {
+    ::pbv1::Execution pbExec;
+
+    SNTCachedDecision *cd = [[SNTCachedDecision alloc] init];
+    cd.entitlements = @{@"com.google.test" : @(YES)};
+
+    XCTAssertEqual(0, pbExec.entitlement_info().entitlements_size());
+    XCTAssertFalse(cd.entitlementsFiltered);
+    XCTAssertEqual(1, cd.entitlements.count);
+
+    EncodeEntitlements(&pbExec, cd);
+
+    XCTAssertEqual(1, pbExec.entitlement_info().entitlements_size());
+    XCTAssertTrue(pbExec.entitlement_info().has_entitlements_filtered());
+    XCTAssertFalse(pbExec.entitlement_info().entitlements_filtered());
+  }
+
+  // Test basic encoding with filtered entitlements
+  {
+    ::pbv1::Execution pbExec;
+
+    SNTCachedDecision *cd = [[SNTCachedDecision alloc] init];
+    cd.entitlements = @{@"com.google.test" : @(YES), @"com.google.test2" : @(NO)};
+    cd.entitlementsFiltered = YES;
+
+    XCTAssertEqual(0, pbExec.entitlement_info().entitlements_size());
+    XCTAssertTrue(cd.entitlementsFiltered);
+    XCTAssertEqual(2, cd.entitlements.count);
+
+    EncodeEntitlements(&pbExec, cd);
+
+    XCTAssertEqual(2, pbExec.entitlement_info().entitlements_size());
+    XCTAssertTrue(pbExec.entitlement_info().has_entitlements_filtered());
+    XCTAssertTrue(pbExec.entitlement_info().entitlements_filtered());
+  }
+
+  // Test max number of entitlements logged
+  // When entitlements are clipped, `entitlements_filtered` is set to true
+  {
+    ::pbv1::Execution pbExec;
+    NSMutableDictionary *ents = [NSMutableDictionary dictionary];
+
+    for (int i = 0; i < 100; i++) {
+      ents[[NSString stringWithFormat:@"k%d", i]] = @(i);
+    }
+
+    SNTCachedDecision *cd = [[SNTCachedDecision alloc] init];
+    cd.entitlements = ents;
+
+    XCTAssertEqual(0, pbExec.entitlement_info().entitlements_size());
+    XCTAssertFalse(cd.entitlementsFiltered);
+    XCTAssertGreaterThan(cd.entitlements.count, kMaxEncodeObjectEntries);
+
+    EncodeEntitlements(&pbExec, cd);
+
+    XCTAssertEqual(kMaxEncodeObjectEntries, pbExec.entitlement_info().entitlements_size());
+    XCTAssertTrue(pbExec.entitlement_info().has_entitlements_filtered());
+    XCTAssertTrue(pbExec.entitlement_info().entitlements_filtered());
+  }
+}
+
 - (void)testSerializeMessageExit {
   [self serializeAndCheckEvent:ES_EVENT_TYPE_NOTIFY_EXIT
                   messageSetup:^(std::shared_ptr<MockEndpointSecurityAPI> mockESApi,
@@ -664,6 +759,14 @@ void SerializeAndCheckNonESEvents(
                           json:NO];
 }
 
+- (void)testSerializeMessageCodesigningInvalidated {
+  [self serializeAndCheckEvent:ES_EVENT_TYPE_NOTIFY_CS_INVALIDATED
+                  messageSetup:^(std::shared_ptr<MockEndpointSecurityAPI> mockESApi,
+                                 es_message_t *esMsg) {
+                  }
+                          json:NO];
+}
+
 - (void)testGetAccessType {
   std::map<es_event_type_t, ::pbv1::FileAccess::AccessType> eventTypeToAccessType = {
     {ES_EVENT_TYPE_AUTH_CLONE, ::pbv1::FileAccess::ACCESS_TYPE_CLONE},
@@ -767,7 +870,7 @@ void SerializeAndCheckNonESEvents(
     @"DADeviceVendor" : @"vendor",
     @"DADeviceModel" : @"model",
     @"DAAppearanceTime" : @(123456789),
-    @"DAVolumePath" : [NSURL URLWithString:@"path"],
+    @"DAVolumePath" : [NSURL URLWithString:@"/"],
     @"DAMediaBSDName" : @"bsd",
     @"DAVolumeKind" : @"apfs",
     @"DADeviceProtocol" : @"usb",
@@ -792,6 +895,7 @@ void SerializeAndCheckNonESEvents(
   XCTAssertEqualObjects(@(pbDisk.serial().c_str()), @"");
   XCTAssertEqualObjects(@(pbDisk.bus().c_str()), props[@"DADeviceProtocol"]);
   XCTAssertEqualObjects(@(pbDisk.dmg_path().c_str()), @"");
+  XCTAssertCppStringBeginsWith(pbDisk.mount_from(), std::string("/"));
 
   // Note: `DAAppearanceTime` is treated as a reference time since 2001 and is converted to a
   // reference time of 1970. Skip the calculation in the test here, just ensure the value is set.

Source/santad/Logs/EndpointSecurity/Serializers/Serializer.h

@@ -61,6 +61,8 @@ class Serializer {
     const santa::santad::event_providers::endpoint_security::EnrichedRename &) = 0;
   virtual std::vector<uint8_t> SerializeMessage(
     const santa::santad::event_providers::endpoint_security::EnrichedUnlink &) = 0;
+  virtual std::vector<uint8_t> SerializeMessage(
+    const santa::santad::event_providers::endpoint_security::EnrichedCSInvalidated &) = 0;
 
   virtual std::vector<uint8_t> SerializeFileAccess(
     const std::string &policy_version, const std::string &policy_name,
@@ -95,6 +97,8 @@ class Serializer {
     const santa::santad::event_providers::endpoint_security::EnrichedRename &);
   std::vector<uint8_t> SerializeMessageTemplate(
     const santa::santad::event_providers::endpoint_security::EnrichedUnlink &);
+  std::vector<uint8_t> SerializeMessageTemplate(
+    const santa::santad::event_providers::endpoint_security::EnrichedCSInvalidated &);
 
   bool enabled_machine_id_ = false;
   std::string machine_id_;

Source/santad/Logs/EndpointSecurity/Serializers/Serializer.mm

@@ -74,5 +74,8 @@ std::vector<uint8_t> Serializer::SerializeMessageTemplate(const es::EnrichedRena
 std::vector<uint8_t> Serializer::SerializeMessageTemplate(const es::EnrichedUnlink &msg) {
   return SerializeMessage(msg);
 }
+std::vector<uint8_t> Serializer::SerializeMessageTemplate(const es::EnrichedCSInvalidated &msg) {
+  return SerializeMessage(msg);
+}
 
 };  // namespace santa::santad::logs::endpoint_security::serializers

Source/santad/Logs/EndpointSecurity/Serializers/Utilities.h

@@ -54,6 +54,8 @@ static inline NSString *NonNull(NSString *str) {
 NSString *OriginalPathForTranslocation(const es_process_t *es_proc);
 NSString *SerialForDevice(NSString *devPath);
 NSString *DiskImageForDevice(NSString *devPath);
+NSString *MountFromName(NSString *path);
+
 es_file_t *GetAllowListTargetFile(
   const santa::santad::event_providers::endpoint_security::Message &msg);
 

Source/santad/Logs/EndpointSecurity/Serializers/Utilities.mm

@@ -14,9 +14,13 @@
 
 #include "Source/santad/Logs/EndpointSecurity/Serializers/Utilities.h"
 
+#include <sys/mount.h>
+#include <sys/param.h>
+
 #include "Source/common/SantaCache.h"
 #import "Source/common/SantaVnode.h"
 #include "Source/common/SantaVnodeHash.h"
+#include "Source/common/String.h"
 
 // These functions are exported by the Security framework, but are not included in headers
 extern "C" Boolean SecTranslocateIsTranslocatedURL(CFURLRef path, bool *isTranslocated,
@@ -114,6 +118,22 @@ NSString *SerialForDevice(NSString *devPath) {
   return [serial stringByTrimmingCharactersInSet:[NSCharacterSet whitespaceCharacterSet]];
 }
 
+NSString *MountFromName(NSString *path) {
+  if (!path.length) {
+    return nil;
+  }
+
+  struct statfs sfs;
+
+  if (statfs(path.UTF8String, &sfs) != 0) {
+    return nil;
+  }
+
+  NSString *mntFromName = santa::common::StringToNSString(sfs.f_mntfromname);
+
+  return mntFromName.length > 0 ? mntFromName : nil;
+}
+
 NSString *DiskImageForDevice(NSString *devPath) {
   devPath = [devPath stringByDeletingLastPathComponent];
   if (!devPath.length) {

Source/santad/Logs/EndpointSecurity/Serializers/UtilitiesTest.mm

@@ -24,6 +24,7 @@
 
 using santa::santad::event_providers::endpoint_security::Message;
 using santa::santad::logs::endpoint_security::serializers::Utilities::GetAllowListTargetFile;
+using santa::santad::logs::endpoint_security::serializers::Utilities::MountFromName;
 
 @interface UtilitiesTest : XCTestCase
 @end
@@ -62,4 +63,12 @@ using santa::santad::logs::endpoint_security::serializers::Utilities::GetAllowLi
   }
 }
 
+- (void)testMountFromName {
+  XCTAssertNil(MountFromName(@""));
+  XCTAssertNil(MountFromName(nil));
+  XCTAssertNil(MountFromName(@"./this/path/should/not/ever/exist/"));
+
+  XCTAssertCppStringBeginsWith(std::string(MountFromName(@"/").UTF8String), std::string("/"));
+}
+
 @end

Source/santad/Logs/EndpointSecurity/Writers/FSSpool/BUILD

@@ -10,6 +10,7 @@ proto_library(
     srcs = ["binaryproto.proto"],
     deps = [
         "@com_google_protobuf//:any_proto",
+        "@com_google_protobuf//:timestamp_proto",
     ],
 )
 
@@ -69,6 +70,7 @@ santa_unit_test(
     deps = [
         ":fsspool",
         ":fsspool_log_batch_writer",
+        "//Source/common:TestUtils",
         "@OCMock",
     ],
 )

Source/santad/Logs/EndpointSecurity/Writers/FSSpool/fsspool.cc

@@ -16,6 +16,7 @@
 
 #include <fcntl.h>
 #include <sys/stat.h>
+#include <time.h>
 
 #include <functional>
 #include <limits>
@@ -156,6 +157,12 @@ std::string SpoolDirectory(absl::string_view base_dir) {
   return absl::StrCat(base_dir, PathSeparator(), kSpoolDirName);
 }
 
+bool operator==(struct timespec a, struct timespec b) {
+  return a.tv_sec == b.tv_sec && a.tv_nsec == b.tv_nsec;
+}
+
+bool operator!=(struct timespec a, struct timespec b) { return !(a == b); }
+
 }  // namespace
 
 FsSpoolWriter::FsSpoolWriter(absl::string_view base_dir, size_t max_spool_size)
@@ -197,6 +204,25 @@ std::string FsSpoolWriter::UniqueFilename() {
   return result;
 }
 
+absl::StatusOr<size_t> FsSpoolWriter::EstimateSpoolDirSize() {
+  struct stat stats;
+  if (stat(spool_dir_.c_str(), &stats) < 0) {
+    return absl::ErrnoToStatus(errno, "failed to stat spool directory");
+  }
+
+  if (stats.st_mtimespec != spool_dir_last_mtime_) {
+    // Store the updated mtime
+    spool_dir_last_mtime_ = stats.st_mtimespec;
+
+    // Recompute the current estimated size
+    return EstimateDirSize(spool_dir_);
+  } else {
+    // If the spool's last modification time hasn't changed then
+    // re-use the current estimate.
+    return spool_size_estimate_;
+  }
+}
+
 absl::Status FsSpoolWriter::WriteMessage(absl::string_view msg) {
   if (absl::Status status = BuildDirectoryStructureIfNeeded(); !status.ok()) {
     return status;  // << "can't create directory structure for writer";
@@ -209,7 +235,7 @@ absl::Status FsSpoolWriter::WriteMessage(absl::string_view msg) {
   // Recompute the spool size if we think we are
   // over the limit.
   if (spool_size_estimate_ > max_spool_size_) {
-    absl::StatusOr<size_t> estimate = EstimateDirSize(spool_dir_);
+    absl::StatusOr<size_t> estimate = EstimateSpoolDirSize();
     if (!estimate.ok()) {
       return estimate.status();  // failed to recompute spool size
     }

Source/santad/Logs/EndpointSecurity/Writers/FSSpool/fsspool.h

@@ -25,6 +25,11 @@
 #include "absl/status/statusor.h"
 #include "absl/strings/string_view.h"
 
+// Forward declarations
+namespace fsspool {
+class FsSpoolWriterPeer;
+}
+
 namespace fsspool {
 
 // Enqueues messages into the spool. Multiple concurrent writers can
@@ -42,10 +47,13 @@ class FsSpoolWriter {
   // returns the UNAVAILABLE canonical code (which is retryable).
   absl::Status WriteMessage(absl::string_view msg);
 
+  friend class fsspool::FsSpoolWriterPeer;
+
  private:
   const std::string base_dir_;
   const std::string spool_dir_;
   const std::string tmp_dir_;
+  struct timespec spool_dir_last_mtime_;
 
   // Approximate maximum size of the spooling area, in bytes. If a message is
   // being written to a spooling area which already contains more than
@@ -81,6 +89,10 @@ class FsSpoolWriter {
   // Generates a unique filename by combining the random ID of
   // this writer with a sequence number.
   std::string UniqueFilename();
+
+  // Estimate the size of the spool directory. However, only recompute a new
+  // estimate if the spool directory has has a change to its modification time.
+  absl::StatusOr<size_t> EstimateSpoolDirSize();
 };
 
 // This class is thread-unsafe.

Source/santad/Logs/EndpointSecurity/Writers/FSSpool/fsspool_log_batch_writer.cc

@@ -33,7 +33,6 @@ FsSpoolLogBatchWriter::~FsSpoolLogBatchWriter() {
   if (!s.ok()) {
     os_log(OS_LOG_DEFAULT, "Flush() failed with %s",
            s.ToString(absl::StatusToStringMode::kWithEverything).c_str());
-    // LOG(WARNING) << "Flush() failed with " << s;
   }
 }
 

Source/santad/Logs/EndpointSecurity/Writers/FSSpool/fsspool_test.mm

@@ -18,13 +18,31 @@
 
 #include <memory>
 
+#include "Source/common/TestUtils.h"
 #include "Source/santad/Logs/EndpointSecurity/Writers/FSSpool/fsspool.h"
 #include "Source/santad/Logs/EndpointSecurity/Writers/FSSpool/fsspool_log_batch_writer.h"
 #include "google/protobuf/any.pb.h"
 #include "google/protobuf/timestamp.pb.h"
 
+namespace fsspool {
+
+class FsSpoolWriterPeer : public FsSpoolWriter {
+ public:
+  // Constructors
+  using FsSpoolWriter::FsSpoolWriter;
+
+  // Private Methods
+  using FsSpoolWriter::BuildDirectoryStructureIfNeeded;
+  using FsSpoolWriter::EstimateSpoolDirSize;
+
+  // Private member variables
+  using FsSpoolWriter::spool_size_estimate_;
+};
+
+}  // namespace fsspool
+
 using fsspool::FsSpoolLogBatchWriter;
-using fsspool::FsSpoolWriter;
+using fsspool::FsSpoolWriterPeer;
 
 static constexpr size_t kSpoolSize = 1048576;
 
@@ -72,8 +90,65 @@ google::protobuf::Any TestAnyTimestamp(int64_t s, int32_t n) {
   XCTAssertTrue([self.fileMgr removeItemAtPath:self.testDir error:nil]);
 }
 
+- (void)testEstimateSpoolDirSize {
+  NSString *testData = @"What a day for some testing!";
+  NSString *largeTestData = RepeatedString(@"A", 10240);
+  NSString *path = [NSString stringWithFormat:@"%@/%@", self.spoolDir, @"temppy.log"];
+  NSString *emptyPath = [NSString stringWithFormat:@"%@/%@", self.spoolDir, @"empty.log"];
+  auto writer = std::make_unique<FsSpoolWriterPeer>([self.baseDir UTF8String], kSpoolSize);
+
+  // Create the spool dir structure and ensure no files exist
+  XCTAssertStatusOk(writer->BuildDirectoryStructureIfNeeded());
+  XCTAssertEqual([[self.fileMgr contentsOfDirectoryAtPath:self.spoolDir error:nil] count], 0);
+
+  // Ensure that the initial spool dir estimate is 0
+  auto status = writer->EstimateSpoolDirSize();
+  XCTAssertStatusOk(status);
+  XCTAssertEqual(*status, 0);
+
+  // Force the current estimate to be 0 since we're not recomputing on first write.
+  writer->spool_size_estimate_ = *status;
+
+  XCTAssertTrue([testData writeToFile:path atomically:YES encoding:NSUTF8StringEncoding error:nil]);
+
+  // Ensure the test file was created
+  XCTAssertEqual([[self.fileMgr contentsOfDirectoryAtPath:self.spoolDir error:nil] count], 1);
+
+  // Ensure the spool size estimate has grown at least as much as the content length
+  status = writer->EstimateSpoolDirSize();
+  XCTAssertStatusOk(status);
+  // Update the current estimate
+  writer->spool_size_estimate_ = *status;
+  XCTAssertGreaterThanOrEqual(writer->spool_size_estimate_, testData.length);
+
+  // Modify file contents without modifying spool directory mtime
+  NSFileHandle *fileHandle = [NSFileHandle fileHandleForWritingAtPath:path];
+  [fileHandle seekToEndOfFile];
+  [fileHandle writeData:[largeTestData dataUsingEncoding:NSUTF8StringEncoding]];
+  [fileHandle closeFile];
+
+  // Ensure only one file still exists
+  XCTAssertEqual([[self.fileMgr contentsOfDirectoryAtPath:self.spoolDir error:nil] count], 1);
+
+  // Ensure that the returned estimate is the same as the old since mtime didn't change
+  status = writer->EstimateSpoolDirSize();
+  XCTAssertStatusOk(status);
+  // Check that the current estimate is the same as the old estimate
+  XCTAssertEqual(*status, writer->spool_size_estimate_);
+
+  // Create a second file in the spool dir to bump mtime
+  XCTAssertTrue([@"" writeToFile:emptyPath atomically:YES encoding:NSUTF8StringEncoding error:nil]);
+  XCTAssertEqual([[self.fileMgr contentsOfDirectoryAtPath:self.spoolDir error:nil] count], 2);
+
+  status = writer->EstimateSpoolDirSize();
+  XCTAssertStatusOk(status);
+
+  // Ensure the newly returned size is appropriate
+  XCTAssertGreaterThanOrEqual(*status, testData.length + largeTestData.length);
+}
+
 - (void)testSimpleWrite {
-  auto writer = std::make_unique<FsSpoolWriter>([self.baseDir UTF8String], kSpoolSize);
+  auto writer = std::make_unique<FsSpoolWriterPeer>([self.baseDir UTF8String], kSpoolSize);
 
   XCTAssertFalse([self.fileMgr fileExistsAtPath:self.baseDir]);
   XCTAssertFalse([self.fileMgr fileExistsAtPath:self.spoolDir]);
@@ -90,7 +165,7 @@ google::protobuf::Any TestAnyTimestamp(int64_t s, int32_t n) {
 }
 
 - (void)testSpoolFull {
-  auto writer = std::make_unique<FsSpoolWriter>([self.baseDir UTF8String], kSpoolSize);
+  auto writer = std::make_unique<FsSpoolWriterPeer>([self.baseDir UTF8String], kSpoolSize);
   const std::string largeMessage(kSpoolSize + 1, '\x42');
 
   XCTAssertFalse([self.fileMgr fileExistsAtPath:self.baseDir]);
@@ -121,7 +196,7 @@ google::protobuf::Any TestAnyTimestamp(int64_t s, int32_t n) {
 }
 
 - (void)testWriteMessageNoFlush {
-  auto writer = std::make_unique<FsSpoolWriter>([self.baseDir UTF8String], kSpoolSize);
+  auto writer = std::make_unique<FsSpoolWriterPeer>([self.baseDir UTF8String], kSpoolSize);
   FsSpoolLogBatchWriter batch_writer(writer.get(), 10);
 
   // Ensure that writing in batch mode doesn't flsuh on individual writes.
@@ -134,7 +209,7 @@ google::protobuf::Any TestAnyTimestamp(int64_t s, int32_t n) {
 
 - (void)testWriteMessageFlushAtCapacity {
   static const int kCapacity = 5;
-  auto writer = std::make_unique<FsSpoolWriter>([self.baseDir UTF8String], kSpoolSize);
+  auto writer = std::make_unique<FsSpoolWriterPeer>([self.baseDir UTF8String], kSpoolSize);
   FsSpoolLogBatchWriter batch_writer(writer.get(), kCapacity);
 
   // Ensure batch flushed once capacity exceeded
@@ -153,7 +228,7 @@ google::protobuf::Any TestAnyTimestamp(int64_t s, int32_t n) {
   static const int kCapacity = 5;
   static const int kExpectedFlushes = 3;
 
-  auto writer = std::make_unique<FsSpoolWriter>([self.baseDir UTF8String], kSpoolSize);
+  auto writer = std::make_unique<FsSpoolWriterPeer>([self.baseDir UTF8String], kSpoolSize);
   FsSpoolLogBatchWriter batch_writer(writer.get(), kCapacity);
 
   // Ensure batch flushed expected number of times
@@ -173,7 +248,7 @@ google::protobuf::Any TestAnyTimestamp(int64_t s, int32_t n) {
   static const int kCapacity = 10;
   static const int kNumberOfWrites = 7;
 
-  auto writer = std::make_unique<FsSpoolWriter>([self.baseDir UTF8String], kSpoolSize);
+  auto writer = std::make_unique<FsSpoolWriterPeer>([self.baseDir UTF8String], kSpoolSize);
 
   {
     // Extra scope to enforce early destroy of batch_writer.

Source/santad/Metrics.h

@@ -22,7 +22,9 @@
 
 #include <map>
 #include <memory>
+#include <string>
 
+#import "Source/common/SNTCommonEnums.h"
 #import "Source/common/SNTMetricSet.h"
 
 namespace santa::santad {
@@ -44,8 +46,18 @@ enum class Processor {
   kFileAccessAuthorizer,
 };
 
+enum class FileAccessMetricStatus {
+  kOK = 0,
+  kBlockedUser,
+};
+
 using EventCountTuple = std::tuple<Processor, es_event_type_t, EventDisposition>;
 using EventTimesTuple = std::tuple<Processor, es_event_type_t>;
+using FileAccessMetricsPolicyVersion = std::string;
+using FileAccessMetricsPolicyName = std::string;
+using FileAccessEventCountTuple =
+  std::tuple<FileAccessMetricsPolicyVersion, FileAccessMetricsPolicyName, FileAccessMetricStatus,
+             es_event_type_t, FileAccessPolicyDecision>;
 
 class Metrics : public std::enable_shared_from_this<Metrics> {
  public:
@@ -53,8 +65,8 @@ class Metrics : public std::enable_shared_from_this<Metrics> {
 
   Metrics(dispatch_queue_t q, dispatch_source_t timer_source, uint64_t interval,
           SNTMetricInt64Gauge *event_processing_times, SNTMetricCounter *event_counts,
-          SNTMetricCounter *rate_limit_counts, SNTMetricSet *metric_set,
-          void (^run_on_first_start)(Metrics *));
+          SNTMetricCounter *rate_limit_counts, SNTMetricCounter *faa_event_counts,
+          SNTMetricSet *metric_set, void (^run_on_first_start)(Metrics *));
 
   ~Metrics();
 
@@ -71,6 +83,10 @@ class Metrics : public std::enable_shared_from_this<Metrics> {
 
   void SetRateLimitingMetrics(Processor processor, int64_t events_rate_limited_count);
 
+  void SetFileAccessEventMetrics(std::string policy_version, std::string rule_name,
+                                 FileAccessMetricStatus status, es_event_type_t event_type,
+                                 FileAccessPolicyDecision decision);
+
   friend class santa::santad::MetricsPeer;
 
  private:
@@ -84,6 +100,7 @@ class Metrics : public std::enable_shared_from_this<Metrics> {
   SNTMetricInt64Gauge *event_processing_times_;
   SNTMetricCounter *event_counts_;
   SNTMetricCounter *rate_limit_counts_;
+  SNTMetricCounter *faa_event_counts_;
   SNTMetricSet *metric_set_;
   // Tracks whether or not the timer_source should be running.
   // This helps manage dispatch source state to ensure the source is not
@@ -99,6 +116,7 @@ class Metrics : public std::enable_shared_from_this<Metrics> {
   std::map<EventCountTuple, int64_t> event_counts_cache_;
   std::map<EventTimesTuple, int64_t> event_times_cache_;
   std::map<Processor, int64_t> rate_limit_counts_cache_;
+  std::map<FileAccessEventCountTuple, int64_t> faa_event_counts_cache_;
 };
 
 }  // namespace santa::santad

Source/santad/Metrics.mm

@@ -53,6 +53,16 @@ static NSString *const kEventTypeNotifyUnmount = @"NotifyUnmount";
 static NSString *const kEventDispositionDropped = @"Dropped";
 static NSString *const kEventDispositionProcessed = @"Processed";
 
+// Compat values
+static NSString *const kFileAccessMetricStatusOK = @"OK";
+static NSString *const kFileAccessMetricStatusBlockedUser = @"BLOCKED_USER";
+
+static NSString *const kFileAccessPolicyDecisionDenied = @"Denied";
+static NSString *const kFileAccessPolicyDecisionDeniedInvalidSignature = @"Denied";
+static NSString *const kFileAccessPolicyDecisionAllowedAuditOnly = @"AllowedAuditOnly";
+
+static NSString *const kFileAccessMetricsAccessType = @"access";
+
 namespace santa::santad {
 
 NSString *const ProcessorToString(Processor processor) {
@@ -63,7 +73,8 @@ NSString *const ProcessorToString(Processor processor) {
     case Processor::kTamperResistance: return kProcessorTamperResistance;
     case Processor::kFileAccessAuthorizer: return kProcessorFileAccessAuthorizer;
     default:
-      [NSException raise:@"Invalid processor" format:@"Unknown processor value: %d", processor];
+      [NSException raise:@"Invalid processor"
+                  format:@"Unknown processor value: %d", static_cast<int>(processor)];
       return nil;
   }
 }
@@ -103,7 +114,34 @@ NSString *const EventDispositionToString(EventDisposition d) {
     case EventDisposition::kDropped: return kEventDispositionDropped;
     case EventDisposition::kProcessed: return kEventDispositionProcessed;
     default:
-      [NSException raise:@"Invalid disposition" format:@"Unknown disposition value: %d", d];
+      [NSException raise:@"Invalid disposition"
+                  format:@"Unknown disposition value: %d", static_cast<int>(d)];
+      return nil;
+  }
+}
+
+NSString *const FileAccessMetricStatusToString(FileAccessMetricStatus status) {
+  switch (status) {
+    case FileAccessMetricStatus::kOK: return kFileAccessMetricStatusOK;
+    case FileAccessMetricStatus::kBlockedUser: return kFileAccessMetricStatusBlockedUser;
+    default:
+      [NSException raise:@"Invalid file access metric status"
+                  format:@"Unknown file access metric status value: %d", static_cast<int>(status)];
+      return nil;
+  }
+}
+
+NSString *const FileAccessPolicyDecisionToString(FileAccessPolicyDecision decision) {
+  switch (decision) {
+    case FileAccessPolicyDecision::kDenied: return kFileAccessPolicyDecisionDenied;
+    case FileAccessPolicyDecision::kDeniedInvalidSignature:
+      return kFileAccessPolicyDecisionDeniedInvalidSignature;
+    case FileAccessPolicyDecision::kAllowedAuditOnly:
+      return kFileAccessPolicyDecisionAllowedAuditOnly;
+    default:
+      [NSException
+         raise:@"Invalid file access policy decision"
+        format:@"Unknown file access policy decision value: %d", static_cast<int>(decision)];
       return nil;
   }
 }
@@ -129,9 +167,16 @@ std::shared_ptr<Metrics> Metrics::Create(SNTMetricSet *metric_set, uint64_t inte
                      fieldNames:@[ @"Processor" ]
                        helpText:@"Events rate limited by each processor"];
 
+  SNTMetricCounter *faa_event_counts = [metric_set
+    counterWithName:@"/santa/file_access_authorizer/log/count"
+         fieldNames:@[
+           @"config_version", @"access_type", @"rule_id", @"status", @"operation", @"decision"
+         ]
+           helpText:@"Count of times a log is emitted from the File Access Authorizer client"];
+
   std::shared_ptr<Metrics> metrics =
     std::make_shared<Metrics>(q, timer_source, interval, event_processing_times, event_counts,
-                              rate_limit_counts, metric_set, ^(Metrics *metrics) {
+                              rate_limit_counts, faa_event_counts, metric_set, ^(Metrics *metrics) {
                                 SNTRegisterCoreMetrics();
                                 metrics->EstablishConnection();
                               });
@@ -151,14 +196,15 @@ std::shared_ptr<Metrics> Metrics::Create(SNTMetricSet *metric_set, uint64_t inte
 
 Metrics::Metrics(dispatch_queue_t q, dispatch_source_t timer_source, uint64_t interval,
                  SNTMetricInt64Gauge *event_processing_times, SNTMetricCounter *event_counts,
-                 SNTMetricCounter *rate_limit_counts, SNTMetricSet *metric_set,
-                 void (^run_on_first_start)(Metrics *))
+                 SNTMetricCounter *rate_limit_counts, SNTMetricCounter *faa_event_counts,
+                 SNTMetricSet *metric_set, void (^run_on_first_start)(Metrics *))
     : q_(q),
       timer_source_(timer_source),
       interval_(interval),
       event_processing_times_(event_processing_times),
       event_counts_(event_counts),
       rate_limit_counts_(rate_limit_counts),
+      faa_event_counts_(faa_event_counts),
       metric_set_(metric_set),
       run_on_first_start_(run_on_first_start) {
   SetInterval(interval_);
@@ -224,10 +270,26 @@ void Metrics::FlushMetrics() {
       [rate_limit_counts_ incrementBy:kv.second forFieldValues:@[ processorName ]];
     }
 
+    for (const auto &kv : faa_event_counts_cache_) {
+      NSString *policyVersion = @(std::get<0>(kv.first).c_str());  // FileAccessMetricsPolicyVersion
+      NSString *policyName = @(std::get<1>(kv.first).c_str());     // FileAccessMetricsPolicyName
+      NSString *eventName = EventTypeToString(std::get<es_event_type_t>(kv.first));
+      NSString *status = FileAccessMetricStatusToString(std::get<FileAccessMetricStatus>(kv.first));
+      NSString *decision =
+        FileAccessPolicyDecisionToString(std::get<FileAccessPolicyDecision>(kv.first));
+
+      [faa_event_counts_
+           incrementBy:kv.second
+        forFieldValues:@[
+          policyVersion, kFileAccessMetricsAccessType, policyName, status, eventName, decision
+        ]];
+    }
+
     // Reset the maps so the next cycle begins with a clean state
     event_counts_cache_ = {};
     event_times_cache_ = {};
     rate_limit_counts_cache_ = {};
+    faa_event_counts_cache_ = {};
   });
 }
 
@@ -283,4 +345,13 @@ void Metrics::SetRateLimitingMetrics(Processor processor, int64_t events_rate_li
   });
 }
 
+void Metrics::SetFileAccessEventMetrics(std::string policy_version, std::string rule_name,
+                                        FileAccessMetricStatus status, es_event_type_t event_type,
+                                        FileAccessPolicyDecision decision) {
+  dispatch_sync(events_q_, ^{
+    faa_event_counts_cache_[FileAccessEventCountTuple{
+      std::move(policy_version), std::move(rule_name), status, event_type, decision}]++;
+  });
+}
+
 }  // namespace santa::santad

Source/santad/MetricsTest.mm

@@ -24,37 +24,44 @@
 #include "Source/common/TestUtils.h"
 #include "Source/santad/Metrics.h"
 
+using santa::santad::EventCountTuple;
 using santa::santad::EventDisposition;
+using santa::santad::EventTimesTuple;
+using santa::santad::FileAccessEventCountTuple;
 using santa::santad::Processor;
 
-using EventCountTuple = std::tuple<Processor, es_event_type_t, EventDisposition>;
-using EventTimesTuple = std::tuple<Processor, es_event_type_t>;
-
 namespace santa::santad {
 
 extern NSString *const ProcessorToString(Processor processor);
 extern NSString *const EventTypeToString(es_event_type_t eventType);
 extern NSString *const EventDispositionToString(EventDisposition d);
+extern NSString *const FileAccessMetricStatusToString(FileAccessMetricStatus status);
+extern NSString *const FileAccessPolicyDecisionToString(FileAccessPolicyDecision decision);
 
 class MetricsPeer : public Metrics {
  public:
   // Make base class constructors visible
-  using Metrics::FlushMetrics;
   using Metrics::Metrics;
 
-  bool IsRunning() { return running_; }
+  // Private methods
+  using Metrics::FlushMetrics;
 
-  uint64_t Interval() { return interval_; }
-
-  std::map<EventCountTuple, int64_t> &EventCounts() { return event_counts_cache_; };
-  std::map<EventTimesTuple, int64_t> &EventTimes() { return event_times_cache_; };
-  std::map<Processor, int64_t> &RateLimitCounts() { return rate_limit_counts_cache_; };
+  // Private member variables
+  using Metrics::event_counts_cache_;
+  using Metrics::event_times_cache_;
+  using Metrics::faa_event_counts_cache_;
+  using Metrics::interval_;
+  using Metrics::rate_limit_counts_cache_;
+  using Metrics::running_;
 };
 
 }  // namespace santa::santad
 
 using santa::santad::EventDispositionToString;
 using santa::santad::EventTypeToString;
+using santa::santad::FileAccessMetricStatus;
+using santa::santad::FileAccessMetricStatusToString;
+using santa::santad::FileAccessPolicyDecisionToString;
 using santa::santad::MetricsPeer;
 using santa::santad::ProcessorToString;
 
@@ -73,19 +80,19 @@ using santa::santad::ProcessorToString;
 
 - (void)testStartStop {
   dispatch_source_t timer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, self.q);
-  auto metrics = std::make_shared<MetricsPeer>(self.q, timer, 100, nil, nil, nil, nil,
+  auto metrics = std::make_shared<MetricsPeer>(self.q, timer, 100, nil, nil, nil, nil, nil,
                                                ^(santa::santad::Metrics *m) {
                                                  dispatch_semaphore_signal(self.sema);
                                                });
 
-  XCTAssertFalse(metrics->IsRunning());
+  XCTAssertFalse(metrics->running_);
 
   metrics->StartPoll();
   XCTAssertEqual(0, dispatch_semaphore_wait(self.sema, DISPATCH_TIME_NOW),
                  "Initialization block never called");
 
   // Should be marked running after starting
-  XCTAssertTrue(metrics->IsRunning());
+  XCTAssertTrue(metrics->running_);
 
   metrics->StartPoll();
 
@@ -94,29 +101,29 @@ using santa::santad::ProcessorToString;
                     "Initialization block called second time unexpectedly");
 
   // Double-start doesn't change the running state
-  XCTAssertTrue(metrics->IsRunning());
+  XCTAssertTrue(metrics->running_);
 
   metrics->StopPoll();
 
   // After stopping, the internal state is no longer marked running
-  XCTAssertFalse(metrics->IsRunning());
+  XCTAssertFalse(metrics->running_);
 
   metrics->StopPoll();
 
   // Double-stop doesn't change the running state
-  XCTAssertFalse(metrics->IsRunning());
+  XCTAssertFalse(metrics->running_);
 }
 
 - (void)testSetInterval {
   dispatch_source_t timer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, self.q);
-  auto metrics = std::make_shared<MetricsPeer>(self.q, timer, 100, nil, nil, nil, nil,
+  auto metrics = std::make_shared<MetricsPeer>(self.q, timer, 100, nil, nil, nil, nil, nil,
                                                ^(santa::santad::Metrics *m){
                                                });
 
-  XCTAssertEqual(100, metrics->Interval());
+  XCTAssertEqual(100, metrics->interval_);
 
   metrics->SetInterval(200);
-  XCTAssertEqual(200, metrics->Interval());
+  XCTAssertEqual(200, metrics->interval_);
 }
 
 - (void)testProcessorToString {
@@ -179,25 +186,60 @@ using santa::santad::ProcessorToString;
   XCTAssertThrows(EventDispositionToString((EventDisposition)12345));
 }
 
+- (void)testFileAccessMetricStatusToString {
+  std::map<FileAccessMetricStatus, NSString *> statusToString = {
+    {FileAccessMetricStatus::kOK, @"OK"},
+    {FileAccessMetricStatus::kBlockedUser, @"BLOCKED_USER"},
+  };
+
+  for (const auto &kv : statusToString) {
+    XCTAssertEqualObjects(FileAccessMetricStatusToString(kv.first), kv.second);
+  }
+
+  XCTAssertThrows(FileAccessMetricStatusToString((FileAccessMetricStatus)12345));
+}
+
+- (void)testFileAccessPolicyDecisionToString {
+  std::map<FileAccessPolicyDecision, NSString *> decisionToString = {
+    {FileAccessPolicyDecision::kDenied, @"Denied"},
+    {FileAccessPolicyDecision::kDeniedInvalidSignature, @"Denied"},
+    {FileAccessPolicyDecision::kDeniedInvalidSignature, @"Denied"},
+  };
+
+  for (const auto &kv : decisionToString) {
+    XCTAssertEqualObjects(FileAccessPolicyDecisionToString(kv.first), kv.second);
+  }
+
+  std::set<FileAccessPolicyDecision> decisionToStringThrows = {
+    FileAccessPolicyDecision::kNoPolicy,
+    FileAccessPolicyDecision::kAllowed,
+    FileAccessPolicyDecision::kAllowedReadAccess,
+    (FileAccessPolicyDecision)12345,
+  };
+  for (const auto &v : decisionToStringThrows) {
+    XCTAssertThrows(FileAccessPolicyDecisionToString(v));
+  }
+}
+
 - (void)testSetEventMetrics {
   int64_t nanos = 1234;
 
   dispatch_source_t timer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, self.q);
-  auto metrics = std::make_shared<MetricsPeer>(self.q, timer, 100, nil, nil, nil, nil,
+  auto metrics = std::make_shared<MetricsPeer>(self.q, timer, 100, nil, nil, nil, nil, nil,
                                                ^(santa::santad::Metrics *m){
                                                  // This block intentionally left blank
                                                });
 
   // Initial maps are empty
-  XCTAssertEqual(metrics->EventCounts().size(), 0);
-  XCTAssertEqual(metrics->EventTimes().size(), 0);
+  XCTAssertEqual(metrics->event_counts_cache_.size(), 0);
+  XCTAssertEqual(metrics->event_times_cache_.size(), 0);
 
   metrics->SetEventMetrics(Processor::kAuthorizer, ES_EVENT_TYPE_AUTH_EXEC,
                            EventDisposition::kProcessed, nanos);
 
   // Check sizes after setting metrics once
-  XCTAssertEqual(metrics->EventCounts().size(), 1);
-  XCTAssertEqual(metrics->EventTimes().size(), 1);
+  XCTAssertEqual(metrics->event_counts_cache_.size(), 1);
+  XCTAssertEqual(metrics->event_times_cache_.size(), 1);
 
   metrics->SetEventMetrics(Processor::kAuthorizer, ES_EVENT_TYPE_AUTH_EXEC,
                            EventDisposition::kProcessed, nanos);
@@ -205,8 +247,8 @@ using santa::santad::ProcessorToString;
                            EventDisposition::kProcessed, nanos * 2);
 
   // Re-check expected counts. One was an update, so should only be 2 items
-  XCTAssertEqual(metrics->EventCounts().size(), 2);
-  XCTAssertEqual(metrics->EventTimes().size(), 2);
+  XCTAssertEqual(metrics->event_counts_cache_.size(), 2);
+  XCTAssertEqual(metrics->event_times_cache_.size(), 2);
 
   // Check map values
   EventCountTuple ecExec{Processor::kAuthorizer, ES_EVENT_TYPE_AUTH_EXEC,
@@ -216,36 +258,72 @@ using santa::santad::ProcessorToString;
   EventTimesTuple etExec{Processor::kAuthorizer, ES_EVENT_TYPE_AUTH_EXEC};
   EventTimesTuple etOpen{Processor::kAuthorizer, ES_EVENT_TYPE_AUTH_OPEN};
 
-  XCTAssertEqual(metrics->EventCounts()[ecExec], 2);
-  XCTAssertEqual(metrics->EventCounts()[ecOpen], 1);
-  XCTAssertEqual(metrics->EventTimes()[etExec], nanos);
-  XCTAssertEqual(metrics->EventTimes()[etOpen], nanos * 2);
+  XCTAssertEqual(metrics->event_counts_cache_[ecExec], 2);
+  XCTAssertEqual(metrics->event_counts_cache_[ecOpen], 1);
+  XCTAssertEqual(metrics->event_times_cache_[etExec], nanos);
+  XCTAssertEqual(metrics->event_times_cache_[etOpen], nanos * 2);
 }
 
 - (void)testSetRateLimitingMetrics {
   dispatch_source_t timer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, self.q);
-  auto metrics = std::make_shared<MetricsPeer>(self.q, timer, 100, nil, nil, nil, nil,
+  auto metrics = std::make_shared<MetricsPeer>(self.q, timer, 100, nil, nil, nil, nil, nil,
                                                ^(santa::santad::Metrics *m){
                                                  // This block intentionally left blank
                                                });
 
   // Initial map is empty
-  XCTAssertEqual(metrics->RateLimitCounts().size(), 0);
+  XCTAssertEqual(metrics->rate_limit_counts_cache_.size(), 0);
 
   metrics->SetRateLimitingMetrics(Processor::kFileAccessAuthorizer, 123);
 
   // Check sizes after setting metrics once
-  XCTAssertEqual(metrics->RateLimitCounts().size(), 1);
+  XCTAssertEqual(metrics->rate_limit_counts_cache_.size(), 1);
 
   metrics->SetRateLimitingMetrics(Processor::kFileAccessAuthorizer, 456);
   metrics->SetRateLimitingMetrics(Processor::kAuthorizer, 789);
 
   // Re-check expected counts. One was an update, so should only be 2 items
-  XCTAssertEqual(metrics->RateLimitCounts().size(), 2);
+  XCTAssertEqual(metrics->rate_limit_counts_cache_.size(), 2);
 
   // Check map values
-  XCTAssertEqual(metrics->RateLimitCounts()[Processor::kFileAccessAuthorizer], 123 + 456);
-  XCTAssertEqual(metrics->RateLimitCounts()[Processor::kAuthorizer], 789);
+  XCTAssertEqual(metrics->rate_limit_counts_cache_[Processor::kFileAccessAuthorizer], 123 + 456);
+  XCTAssertEqual(metrics->rate_limit_counts_cache_[Processor::kAuthorizer], 789);
+}
+
+- (void)testSetFileAccessEventMetrics {
+  dispatch_source_t timer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, self.q);
+  auto metrics = std::make_shared<MetricsPeer>(self.q, timer, 100, nil, nil, nil, nil, nil,
+                                               ^(santa::santad::Metrics *m){
+                                                 // This block intentionally left blank
+                                               });
+
+  // Initial map is empty
+  XCTAssertEqual(metrics->faa_event_counts_cache_.size(), 0);
+
+  metrics->SetFileAccessEventMetrics("v1.0", "rule_abc", FileAccessMetricStatus::kOK,
+                                     ES_EVENT_TYPE_AUTH_OPEN, FileAccessPolicyDecision::kDenied);
+
+  // Check sizes after setting metrics once
+  XCTAssertEqual(metrics->faa_event_counts_cache_.size(), 1);
+
+  // Update the previous metric
+  metrics->SetFileAccessEventMetrics("v1.0", "rule_abc", FileAccessMetricStatus::kOK,
+                                     ES_EVENT_TYPE_AUTH_OPEN, FileAccessPolicyDecision::kDenied);
+
+  // Add a second metric
+  metrics->SetFileAccessEventMetrics("v1.0", "rule_xyz", FileAccessMetricStatus::kOK,
+                                     ES_EVENT_TYPE_AUTH_OPEN, FileAccessPolicyDecision::kDenied);
+
+  // Re-check expected counts. One was an update, so should only be 2 items
+  XCTAssertEqual(metrics->faa_event_counts_cache_.size(), 2);
+
+  FileAccessEventCountTuple ruleAbc{"v1.0", "rule_abc", FileAccessMetricStatus::kOK,
+                                    ES_EVENT_TYPE_AUTH_OPEN, FileAccessPolicyDecision::kDenied};
+  FileAccessEventCountTuple ruleXyz{"v1.0", "rule_xyz", FileAccessMetricStatus::kOK,
+                                    ES_EVENT_TYPE_AUTH_OPEN, FileAccessPolicyDecision::kDenied};
+
+  XCTAssertEqual(metrics->faa_event_counts_cache_[ruleAbc], 2);
+  XCTAssertEqual(metrics->faa_event_counts_cache_[ruleXyz], 1);
 }
 
 - (void)testFlushMetrics {
@@ -266,22 +344,26 @@ using santa::santad::ProcessorToString;
     });
 
   dispatch_source_t timer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, self.q);
-  auto metrics = std::make_shared<MetricsPeer>(self.q, timer, 100, mockEventProcessingTimes,
-                                               mockEventCounts, mockEventCounts, nil,
-                                               ^(santa::santad::Metrics *m){
-                                                 // This block intentionally left blank
-                                               });
+  auto metrics =
+    std::make_shared<MetricsPeer>(self.q, timer, 100, mockEventProcessingTimes, mockEventCounts,
+                                  mockEventCounts, mockEventCounts, nil,
+                                  ^(santa::santad::Metrics *m){
+                                    // This block intentionally left blank
+                                  });
 
   metrics->SetEventMetrics(Processor::kAuthorizer, ES_EVENT_TYPE_AUTH_EXEC,
                            EventDisposition::kProcessed, nanos);
   metrics->SetEventMetrics(Processor::kAuthorizer, ES_EVENT_TYPE_AUTH_OPEN,
                            EventDisposition::kProcessed, nanos * 2);
   metrics->SetRateLimitingMetrics(Processor::kFileAccessAuthorizer, 123);
+  metrics->SetFileAccessEventMetrics("v1.0", "rule_abc", FileAccessMetricStatus::kOK,
+                                     ES_EVENT_TYPE_AUTH_OPEN, FileAccessPolicyDecision::kDenied);
 
   // First ensure we have the expected map sizes
-  XCTAssertEqual(metrics->EventCounts().size(), 2);
-  XCTAssertEqual(metrics->EventTimes().size(), 2);
-  XCTAssertEqual(metrics->RateLimitCounts().size(), 1);
+  XCTAssertEqual(metrics->event_counts_cache_.size(), 2);
+  XCTAssertEqual(metrics->event_times_cache_.size(), 2);
+  XCTAssertEqual(metrics->rate_limit_counts_cache_.size(), 1);
+  XCTAssertEqual(metrics->faa_event_counts_cache_.size(), 1);
 
   metrics->FlushMetrics();
 
@@ -293,11 +375,13 @@ using santa::santad::ProcessorToString;
   XCTAssertSemaTrue(self.sema, 5, "Failed waiting for metrics to flush (3)");
   XCTAssertSemaTrue(self.sema, 5, "Failed waiting for metrics to flush (4)");
   XCTAssertSemaTrue(self.sema, 5, "Failed waiting for metrics to flush (5)");
+  XCTAssertSemaTrue(self.sema, 5, "Failed waiting for metrics to flush (6)");
 
   // After a flush, map sizes should be reset to 0
-  XCTAssertEqual(metrics->EventCounts().size(), 0);
-  XCTAssertEqual(metrics->EventTimes().size(), 0);
-  XCTAssertEqual(metrics->RateLimitCounts().size(), 0);
+  XCTAssertEqual(metrics->event_counts_cache_.size(), 0);
+  XCTAssertEqual(metrics->event_times_cache_.size(), 0);
+  XCTAssertEqual(metrics->rate_limit_counts_cache_.size(), 0);
+  XCTAssertEqual(metrics->faa_event_counts_cache_.size(), 0);
 }
 
 @end

Source/santad/SNTCompilerController.mm

@@ -132,8 +132,8 @@ static constexpr std::string_view kIgnoredCompilerProcessPathPrefix = "/dev/";
   NSError *error = nil;
   SNTFileInfo *fi = [[SNTFileInfo alloc] initWithEndpointSecurityFile:targetFile error:&error];
   if (error) {
-    LOGD(@"Unable to create SNTFileInfo while attempting to create transitive rule. Path: %@",
-         @(targetFile->path.data));
+    LOGD(@"Unable to create SNTFileInfo while attempting to create transitive rule. Event: %d | Path: %@ | Error: %@",
+         (int)esMsg->event_type, @(targetFile->path.data), error);
     return;
   }
 

Source/santad/SNTDaemonControlController.mm

@@ -156,6 +156,21 @@ double watchdogRAMPeak = 0;
   reply([SNTConfigurator configurator].staticRules.count);
 }
 
+- (void)retrieveAllRules:(void (^)(NSArray<SNTRule *> *, NSError *))reply {
+  SNTConfigurator *config = [SNTConfigurator configurator];
+
+  // Do not return any rules if syncBaseURL is set and return an error.
+  if (config.syncBaseURL) {
+    reply(@[], [NSError errorWithDomain:@"com.google.santad"
+                                   code:403  // (TODO) define error code
+                               userInfo:@{NSLocalizedDescriptionKey : @"SyncBaseURL is set"}]);
+    return;
+  }
+
+  NSArray<SNTRule *> *rules = [[SNTDatabaseController ruleTable] retrieveAllRules];
+  reply(rules, nil);
+}
+
 #pragma mark Decision Ops
 
 - (void)decisionForFilePath:(NSString *)filePath
@@ -243,15 +258,29 @@ double watchdogRAMPeak = 0;
   reply();
 }
 
+- (void)blockUSBMount:(void (^)(BOOL))reply {
+  reply([[SNTConfigurator configurator] blockUSBMount]);
+}
+
 - (void)setBlockUSBMount:(BOOL)enabled reply:(void (^)(void))reply {
   [[SNTConfigurator configurator] setBlockUSBMount:enabled];
   reply();
 }
+
+- (void)remountUSBMode:(void (^)(NSArray<NSString *> *))reply {
+  reply([[SNTConfigurator configurator] remountUSBMode]);
+}
+
 - (void)setRemountUSBMode:(NSArray *)remountUSBMode reply:(void (^)(void))reply {
   [[SNTConfigurator configurator] setRemountUSBMode:remountUSBMode];
   reply();
 }
 
+- (void)setOverrideFileAccessAction:(NSString *)action reply:(void (^)(void))reply {
+  [[SNTConfigurator configurator] setSyncServerOverrideFileAccessAction:action];
+  reply();
+}
+
 - (void)enableBundles:(void (^)(BOOL))reply {
   reply([SNTConfigurator configurator].enableBundles);
 }

Source/santad/SNTDecisionCacheTest.mm

@@ -85,8 +85,8 @@ SNTCachedDecision *MakeCachedDecision(struct stat sb, SNTEventState decision) {
 
   OCMExpect([self.mockRuleDatabase
     resetTimestampForRule:[OCMArg checkWithBlock:^BOOL(SNTRule *rule) {
-      return rule.identifier == cd.sha256 && rule.state == SNTRuleStateAllowTransitive &&
-             rule.type == SNTRuleTypeBinary;
+      return [rule.identifier isEqualToString:cd.sha256] &&
+             rule.state == SNTRuleStateAllowTransitive && rule.type == SNTRuleTypeBinary;
     }]]);
 
   [dc resetTimestampForCachedDecision:sb];