docs: Colorize callout and make the link work (#1445 )

docs: Add deprecation note (#1444 )
Add deprecation message (#1443 )
2026-01-15 09:17:59 -05:00 · 2025-02-05 14:23:36 +01:00 · 2025-02-05 14:08:38 +01:00 · 2025-02-05 13:54:29 +01:00 · 2024-09-12 19:23:30 -04:00 · 2024-09-10 09:07:50 -04:00
7 changed files with 48 additions and 31 deletions
--- a/README.md
+++ b/README.md
@@ -1,5 +1,12 @@
 # Santa

+> [!NOTE]
+> **As of 2025, Santa is no longer maintained by Google.**  We encourage
+> existing users to migrate to an actively maintained fork of Santa, such as
+> https://github.com/northpolesec/santa.
+
+---
+
 [![license](https://img.shields.io/github/license/google/santa)](https://github.com/google/santa/blob/main/LICENSE)
 [![CI](https://github.com/google/santa/actions/workflows/ci.yml/badge.svg)](https://github.com/google/santa/actions/workflows/ci.yml)
 [![latest release](https://img.shields.io/github/v/release/google/santa.svg)](https://github.com/google/santa/releases/latest)
--- a/Source/common/SNTConfigurator.m
+++ b/Source/common/SNTConfigurator.m
@@ -368,7 +368,12 @@ static NSString *const kSyncTypeRequired = @"SyncTypeRequired";
 }

 + (NSSet *)keyPathsForValuesAffectingStaticRules {
-  return [self configStateSet];
+  static NSSet *set;
+  static dispatch_once_t onceToken;
+  dispatch_once(&onceToken, ^{
+    set = [NSSet setWithObject:NSStringFromSelector(@selector(cachedStaticRules))];
+  });
+  return set;
 }

 + (NSSet *)keyPathsForValuesAffectingSyncBaseURL {
--- a/Source/santad/SNTPolicyProcessor.h
+++ b/Source/santad/SNTPolicyProcessor.h
@@ -45,12 +45,6 @@
 ///  only guaranteed for the duration of the call to the block. Do not perform
 ///  any async processing without extending their lifetimes.
 ///
- (nonnull SNTCachedDecision *)decisionForFileInfo:(nonnull SNTFileInfo *)fileInfo
-                                     targetProcess:(nonnull const es_process_t *)targetProc
-                        entitlementsFilterCallback:
-                          (NSDictionary *_Nullable (^_Nonnull)(
-                            const char *_Nullable teamID,
-                            NSDictionary *_Nullable entitlements))entitlementsFilterCallback;
 - (nonnull SNTCachedDecision *)decisionForFileInfo:(nonnull SNTFileInfo *)fileInfo
                                     targetProcess:(nonnull const es_process_t *)targetProc
                          preCodesignCheckCallback:(void (^_Nullable)(void))preCodesignCheckCallback
--- a/Source/santad/SNTPolicyProcessor.mm
+++ b/Source/santad/SNTPolicyProcessor.mm
@@ -30,6 +30,12 @@
 #import "Source/santad/DataLayer/SNTRuleTable.h"
 #include "absl/container/flat_hash_map.h"

+enum class PlatformBinaryState {
+  kRuntimeTrue = 0,
+  kRuntimeFalse,
+  kStaticCheck,
+};
+
@interface SNTPolicyProcessor ()
@property SNTRuleTable *ruleTable;
@property SNTConfigurator *configurator;
@@ -129,7 +135,7 @@
 }

 static void UpdateCachedDecisionSigningInfo(
-  SNTCachedDecision *cd, MOLCodesignChecker *csInfo,
+  SNTCachedDecision *cd, MOLCodesignChecker *csInfo, PlatformBinaryState platformBinaryState,
  NSDictionary *_Nullable (^entitlementsFilterCallback)(NSDictionary *_Nullable entitlements)) {
  cd.certSHA256 = csInfo.leafCertificate.SHA256;
  cd.certCommonName = csInfo.leafCertificate.commonName;
@@ -144,11 +150,18 @@ static void UpdateCachedDecisionSigningInfo(
    cd.signingID = FormatSigningID(csInfo);
  }

-  // Ensure that if no teamID exists that the signing info confirms it is a
-  // platform binary. If not, remove the signingID.
+  // Ensure that if no teamID exists but a signingID does exist, that the binary
+  // is a platform binary. If not, remove the signingID.
  if (!cd.teamID && cd.signingID) {
-    if (!csInfo.platformBinary) {
-      cd.signingID = nil;
+    switch (platformBinaryState) {
+      case PlatformBinaryState::kRuntimeTrue: break;
+      case PlatformBinaryState::kStaticCheck:
+        if (!csInfo.platformBinary) {
+          cd.signingID = nil;
+        }
+        break;
+      case PlatformBinaryState::kRuntimeFalse: OS_FALLTHROUGH;
+      default: cd.signingID = nil; break;
    }
  }

@@ -170,6 +183,7 @@ static void UpdateCachedDecisionSigningInfo(
           certificateSHA256:(nullable NSString *)certificateSHA256
                      teamID:(nullable NSString *)teamID
                   signingID:(nullable NSString *)signingID
+         platformBinaryState:(PlatformBinaryState)platformBinaryState
        isProdSignedCallback:(BOOL (^_Nonnull)())isProdSignedCallback
  entitlementsFilterCallback:(NSDictionary *_Nullable (^_Nullable)(
                               NSDictionary *_Nullable entitlements))entitlementsFilterCallback
@@ -215,7 +229,7 @@ static void UpdateCachedDecisionSigningInfo(
      cd.signingID = nil;
      cd.cdhash = nil;
    } else {
-      UpdateCachedDecisionSigningInfo(cd, csInfo, entitlementsFilterCallback);
+      UpdateCachedDecisionSigningInfo(cd, csInfo, platformBinaryState, entitlementsFilterCallback);
    }
  }

@@ -276,18 +290,6 @@ static void UpdateCachedDecisionSigningInfo(
  }
 }

- (nonnull SNTCachedDecision *)decisionForFileInfo:(nonnull SNTFileInfo *)fileInfo
-                                     targetProcess:(nonnull const es_process_t *)targetProc
-                        entitlementsFilterCallback:
-                          (NSDictionary *_Nullable (^_Nonnull)(
-                            const char *_Nullable teamID,
-                            NSDictionary *_Nullable entitlements))entitlementsFilterCallback {
-  return [self decisionForFileInfo:fileInfo
-                     targetProcess:targetProc
-          preCodesignCheckCallback:nil
-        entitlementsFilterCallback:entitlementsFilterCallback];
-}
-
 - (nonnull SNTCachedDecision *)decisionForFileInfo:(nonnull SNTFileInfo *)fileInfo
                                     targetProcess:(nonnull const es_process_t *)targetProc
                          preCodesignCheckCallback:(void (^_Nullable)(void))preCodesignCheckCallback
@@ -338,6 +340,8 @@ static void UpdateCachedDecisionSigningInfo(
    certificateSHA256:nil
    teamID:teamID
    signingID:signingID
+    platformBinaryState:targetProc->is_platform_binary ? PlatformBinaryState::kRuntimeTrue
+                                                       : PlatformBinaryState::kRuntimeFalse
    isProdSignedCallback:^BOOL {
      return ((targetProc->codesigning_flags & CS_DEV_CODE) == 0);
    }
@@ -369,6 +373,7 @@ static void UpdateCachedDecisionSigningInfo(
                 certificateSHA256:identifiers.certificateSHA256
                            teamID:identifiers.teamID
                         signingID:identifiers.signingID
+               platformBinaryState:PlatformBinaryState::kStaticCheck
              isProdSignedCallback:^BOOL {
                if (csInfo) {
                  // Development OID values defined by Apple and used by the Security Framework
--- a/Source/santad/Santad.mm
+++ b/Source/santad/Santad.mm
@@ -315,12 +315,9 @@ void SantadMain(std::shared_ptr<EndpointSecurityAPI> esapi, std::shared_ptr<Logg
                                 }],
    [[SNTKVOManager alloc] initWithObject:configurator
                                 selector:@selector(staticRules)
-                                     type:[NSArray class]
-                                 callback:^(NSArray *oldValue, NSArray *newValue) {
-                                   NSSet *oldValueSet = [NSSet setWithArray:oldValue ?: @[]];
-                                   NSSet *newValueSet = [NSSet setWithArray:newValue ?: @[]];
-
-                                   if ([oldValueSet isEqualToSet:newValueSet]) {
+                                     type:[NSDictionary class]
+                                 callback:^(NSDictionary *oldValue, NSDictionary *newValue) {
+                                   if ([oldValue isEqualToDictionary:newValue]) {
                                     return;
                                   }

--- a/docs/_config.yml
+++ b/docs/_config.yml
@@ -14,3 +14,7 @@ gh_edit_branch: "main"
 plugins:
    - jekyll-redirect-from

+callouts:
+  important:
+    title: Important
+    color: blue
--- a/docs/index.md
+++ b/docs/index.md
@@ -3,6 +3,11 @@ title: Home
 nav_order: 1
 ---

+{: .important }
+**As of 2025, Santa is no longer maintained by Google.**  We encourage existing
+users to migrate to an actively maintained fork of Santa, such as
+[https://github.com/northpolesec/santa](https://github.com/northpolesec/santa).
+
 # Welcome to the Santa documentation

 Santa is a binary and file access authorization system for macOS. It consists of a system extension that allows or denies attempted executions using a set of rules stored in a local database, a GUI agent that notifies the user in case of a block decision, a sync daemon responsible for syncing the database, and a server, and a command-line utility for managing the system.
Author	SHA1	Message	Date
Günther Noack	261425aa64	docs: Colorize callout and make the link work (#1445 )	2025-02-05 14:23:36 +01:00
Günther Noack	c17c890356	docs: Add deprecation note (#1444 )	2025-02-05 14:08:38 +01:00
Günther Noack	e4e1704495	Add deprecation message (#1443 )	2025-02-05 13:54:29 +01:00
Tom Burgin	737525b746	kvo static rules (#1425 )	2024-09-12 19:23:30 -04:00
Matt W	8199348091	Use runtime platform binary check for exec evals (#1424 ) * Use runtime platform binary check for exec evals * PR Feedback * Remove parens to mitigate insane clang-formatting	2024-09-10 09:07:50 -04:00