Fix: Change uint64 fields in syncv1.proto to uint32 for backwards compatibility (#1422)

Change the uint64 fields in the syncv1.proto to uint32 to ensure backwards compatibility.

This also updates the SNTSyncEventUpload code to use the uint32 values and updates sync protocol docs.

MODULE.bazel

@@ -4,7 +4,7 @@ bazel_dep(name = "apple_support", version = "1.15.1", repo_name = "build_bazel_a
 bazel_dep(name = "abseil-cpp", version = "20240116.2", repo_name = "com_google_absl")
 bazel_dep(name = "rules_python", version = "0.33.2")
 bazel_dep(name = "rules_cc", version = "0.0.9")
-bazel_dep(name = "rules_apple", version = "3.6.0", repo_name = "build_bazel_rules_apple")
+bazel_dep(name = "rules_apple", version = "3.8.0", repo_name = "build_bazel_rules_apple")
 bazel_dep(name = "rules_swift", version = "2.0.0-rc1", repo_name = "build_bazel_rules_swift")
 bazel_dep(name = "rules_fuzzing", version = "0.5.2")
 bazel_dep(name = "protobuf", version = "27.2", repo_name = "com_google_protobuf")

Source/common/SNTFileInfo.m

@@ -423,8 +423,14 @@ extern NSString *const NSURLQuarantinePropertiesKey WEAK_IMPORT_ATTRIBUTE;
       return self.infoDict;
     }
 
-    d = self.bundle.infoDictionary;
-    if (d) {
+    // `-[NSBundle infoDictionary]` is heavily cached, changes to the Info.plist are not realized.
+    // Use `CFBundleCopyInfoDictionaryInDirectory` instead, which does not appear to cache.
+    NSString *bundlePath = [self bundlePath];
+    if (bundlePath.length) {
+      d = CFBridgingRelease(CFBundleCopyInfoDictionaryInDirectory(
+        (__bridge CFURLRef)[NSURL fileURLWithPath:bundlePath]));
+    }
+    if (d.count) {
       self.infoDict = d;
       return self.infoDict;
     }

Source/santad/EventProviders/SNTEndpointSecurityFileAccessAuthorizer.mm

@@ -688,7 +688,7 @@ bool ShouldMessageTTY(const std::shared_ptr<WatchItemPolicy> &policy, const Mess
 
     // Notify users on block decisions
     if (ShouldNotifyUserDecision(policyDecision) &&
-        (!policy->silent || (!policy->silent_tty && msg->process->tty->path.length > 0))) {
+        (!policy->silent || (!policy->silent_tty && TTYWriter::CanWrite(msg->process)))) {
       SNTCachedDecision *cd =
         [self.decisionCache cachedDecisionForFile:msg->process->executable->stat];
 

Source/santasyncservice/SNTSyncEventUpload.mm

@@ -150,8 +150,8 @@ using santa::NSStringToUTF8String;
   e->set_file_bundle_version(NSStringToUTF8String(event.fileBundleVersion));
   e->set_file_bundle_version_string(NSStringToUTF8String(event.fileBundleVersionString));
   e->set_file_bundle_hash(NSStringToUTF8String(event.fileBundleHash));
-  e->set_file_bundle_hash_millis([event.fileBundleHashMilliseconds longLongValue]);
-  e->set_file_bundle_binary_count([event.fileBundleBinaryCount longLongValue]);
+  e->set_file_bundle_hash_millis([event.fileBundleHashMilliseconds unsignedIntValue]);
+  e->set_file_bundle_binary_count([event.fileBundleBinaryCount unsignedIntValue]);
 
   e->set_pid([event.pid unsignedIntValue]);
   e->set_ppid([event.ppid unsignedIntValue]);

Source/santasyncservice/SNTSyncPostflight.mm

@@ -38,8 +38,8 @@ using santa::NSStringToUTF8String;
   google::protobuf::Arena arena;
   auto req = google::protobuf::Arena::Create<::pbv1::PostflightRequest>(&arena);
   req->set_machine_id(NSStringToUTF8String(self.syncState.machineID));
-  req->set_rules_received(self.syncState.rulesReceived);
-  req->set_rules_processed(self.syncState.rulesProcessed);
+  req->set_rules_received(static_cast<uint32_t>(self.syncState.rulesReceived));
+  req->set_rules_processed(static_cast<uint32_t>(self.syncState.rulesProcessed));
 
   ::pbv1::PostflightResponse response;
   [self performRequest:[self requestWithMessage:req] intoMessage:&response timeout:30];

Source/santasyncservice/SNTSyncStage.mm

@@ -86,13 +86,12 @@ using santa::NSStringToUTF8String;
     return nil;
   }
 
-  SLOGD(@"Request JSON: %s", json.c_str());
   return [self requestWithData:[NSData dataWithBytes:json.data() length:json.size()]
                    contentType:@"application/json"];
 }
 
 - (NSMutableURLRequest *)requestWithData:(NSData *)requestBody contentType:(NSString *)contentType {
-  if (contentType.length) contentType = @"application/octet-stream";
+  if (!contentType.length) contentType = @"application/octet-stream";
 
   NSMutableURLRequest *req = [[NSMutableURLRequest alloc] initWithURL:[self stageURL]];
   [req setHTTPMethod:@"POST"];

Source/santasyncservice/SNTSyncTest.mm

@@ -280,15 +280,17 @@
   SNTSyncPreflight *sut = [[SNTSyncPreflight alloc] initWithState:self.syncState];
 
   NSData *respData = [self dataFromFixture:@"sync_preflight_basic.json"];
-  [self stubRequestBody:respData
-               response:nil
-                  error:nil
-          validateBlock:^BOOL(NSURLRequest *req) {
-            NSData *gotReqData = [req HTTPBody];
-            NSData *expectedReqData = [self dataFromFixture:@"sync_preflight_request.json"];
-            XCTAssertEqualObjects(gotReqData, expectedReqData);
-            return YES;
-          }];
+  [self
+    stubRequestBody:respData
+           response:nil
+              error:nil
+      validateBlock:^BOOL(NSURLRequest *req) {
+        NSData *gotReqData = [req HTTPBody];
+        NSData *expectedReqData = [self dataFromFixture:@"sync_preflight_request.json"];
+        XCTAssertEqualObjects(gotReqData, expectedReqData);
+        XCTAssertEqualObjects([req valueForHTTPHeaderField:@"Content-Type"], @"application/json");
+        return YES;
+      }];
 
   XCTAssertTrue([sut sync]);
   XCTAssertEqual(self.syncState.clientMode, SNTClientModeMonitor);

Source/santasyncservice/syncv1.proto

@@ -125,16 +125,16 @@ message PreflightResponse {
   optional bool disable_unknown_event_upload = 7;
 
   // Specifies the time interval in seconds between full syncs. Defaults to 600 (10 minutes). Cannot be set lower than 60.
-  uint64 full_sync_interval_seconds = 8 [json_name="full_sync_interval"];
+  uint32 full_sync_interval_seconds = 8 [json_name="full_sync_interval"];
 
   // When push notifications are enabled, this overrides the full_sync_interval above. It is expected that Santa will not
   // need to perform a full sync as frequently when push notifications are working. Defaults to 14400 (6 hours).
-  uint64 push_notification_full_sync_interval_seconds = 9 [json_name="push_notification_full_sync_interval"];
+  uint32 push_notification_full_sync_interval_seconds = 9 [json_name="push_notification_full_sync_interval"];
 
   // The maximum number of seconds Santa can wait before triggering a rule sync after receiving a "global rule sync" notification.
   // As these notifications cause every Santa client to try and sync, we add a random delay to each client to try and spread the
   // load out on the sync server. This defaults to 600 (10 minutes).
-  uint64 push_notification_global_rule_sync_deadline_seconds = 10 [json_name="push_notification_global_rule_sync_deadline"];
+  uint32 push_notification_global_rule_sync_deadline_seconds = 10 [json_name="push_notification_global_rule_sync_deadline"];
 
   // These two regexes are used to allow/block executions whose path matches. The provided regex must conform to ICU format.
   // While this feature can be useful, its use should be very carefully considered as it is much riskier than real rules.
@@ -159,8 +159,8 @@ message PreflightResponse {
   optional bool deprecated_enabled_transitive_whitelisting = 1000 [json_name="enabled_transitive_whitelisting", deprecated=true];
   optional bool deprecated_transitive_whitelisting_enabled = 1001 [json_name="transitive_whitelisting_enabled", deprecated=true];
   optional bool deprecated_bundles_enabled = 1002 [json_name="bundles_enabled", deprecated=true];
-  optional uint64 deprecated_fcm_full_sync_interval_seconds = 1003 [json_name="fcm_full_sync_interval", deprecated=true];
-  optional uint64 deprecated_fcm_global_rule_sync_deadline_seconds = 1004 [json_name="fcm_global_rule_sync_deadline", deprecated=true];
+  optional uint32 deprecated_fcm_full_sync_interval_seconds = 1003 [json_name="fcm_full_sync_interval", deprecated=true];
+  optional uint32 deprecated_fcm_global_rule_sync_deadline_seconds = 1004 [json_name="fcm_global_rule_sync_deadline", deprecated=true];
   optional string deprecated_whitelist_regex = 1005 [json_name="whitelist_regex", deprecated=true];
   optional string deprecated_blacklist_regex = 1006 [json_name="blacklist_regex", deprecated=true];
 
@@ -214,8 +214,8 @@ message Event {
   string file_bundle_version = 13               [json_name="file_bundle_version"];
   string file_bundle_version_string = 14        [json_name="file_bundle_version_string"];
   string file_bundle_hash = 15                  [json_name="file_bundle_hash"];
-  uint64 file_bundle_hash_millis = 16           [json_name="file_bundle_hash_millis"];
-  uint64 file_bundle_binary_count = 17          [json_name="file_bundle_binary_count"];
+  uint32 file_bundle_hash_millis = 16           [json_name="file_bundle_hash_millis"];
+  uint32 file_bundle_binary_count = 17          [json_name="file_bundle_binary_count"];
 
   // pid_t is an int32
   int32 pid = 18                                [json_name="pid"];
@@ -305,8 +305,8 @@ message RuleDownloadResponse {
 }
 
 message PostflightRequest {
-  uint64 rules_received = 1   [json_name="rules_received"];
-  uint64 rules_processed = 2  [json_name="rules_processed"];
+  uint32 rules_received = 1   [json_name="rules_received"];
+  uint32 rules_processed = 2  [json_name="rules_processed"];
   // The UUID of the machine that is sending this postflight.
   string machine_id = 3       [json_name="machine_id"];
 }

docs/development/sync-protocol.md

@@ -140,7 +140,7 @@ The JSON object has the following keys:
 | enable_bundles              | Use previous setting                        | boolean | Enable bundle scanning | true |
 | enable_transitive_rules     | Use previous setting                        | boolean | Whether or not to enable transitive allowlisting | true |
 | batch_size                  | Use a Santa-defined default value           | integer | Number of events to upload at a time | 128 |
-| full_sync_interval          | Defaults to 600 seconds                     | integer | Number of seconds between full syncs. Note: Santa enforces a minimum value of 60. The default value will be used if a smaller value is provided. | 600 |
+| full_sync_interval          | Defaults to 600 seconds                     | uint32 | Number of seconds between full syncs. Note: Santa enforces a minimum value of 60. The default value will be used if a smaller value is provided. | 600 |
 | client_mode                 | Use previous setting                        | string  | Operating mode to set for the client | either `MONITOR` or `LOCKDOWN` |
 | allowed_path_regex          | Use previous setting                        | string  | Regular expression to allow a binary to execute from a path | "/Users/markowsk/foo/.\*" |
 | blocked_path_regex          | Use previous setting                        | string  | Regular expression to block a binary from executing by path | "/tmp/" |
@@ -223,8 +223,8 @@ sequenceDiagram
 | file_bundle_version | NO | string | The bundle version string | "9999.1.1" |
 | file_bundle_version_string | NO | string | Bundle short version string | "2.3.4" |
 | file_bundle_hash | NO | string | SHA256 hash of all executables in the bundle | "7466e3687f540bcb7792c6d14d5a186667dbe18a85021857b42effe9f0370805" |
-| file_bundle_hash_millis | NO | float64 | The time in milliseconds it took to find all of the binaries, hash and produce the bundle_hash | 1234775 |
-| file_bundle_binary_count | NO | integer | The number of binaries in a bundle | 13 |
+| file_bundle_hash_millis | NO | uint32 | The time in milliseconds it took to find all of the binaries, hash and produce the bundle_hash | 1234775 |
+| file_bundle_binary_count | NO | uint32 | The number of binaries in a bundle | 13 |
 | pid | NO | int | Process id of the executable that was blocked | 1234 |
 | ppid | NO | int | Parent process id of the executable that was blocked | 456 |
 | parent_name | NO | Parent process short command name of the executable that was blocked | "bar" |