mirror of
https://github.com/google/santa.git
synced 2026-04-24 03:00:12 -04:00
* Initial structure for ES wrappers, enriched types, logging
* Basic working ES and logging functionality
* Add in oneTBB and thread-safe-lru deps
* Added a bunch of enriched types
* Auto-mute self when establishing ES client
* Basic auth, tamper client. Syslog of all events. Basic compiler tracking.
* Update copyright header blobs, convert some tabs to spaces
* Auth result cache. Fix getting translocation path.
* Added remaining cache methods
* Add AuthResultCache to Recorder client. Cache now operates on es_file_t.
* Hooked up SNTPrefixTree
* Fix CompilerController for RENAME. Fix AllowList logging missing path.
* Block loading Santa kext
* Added device manager client
* Properly log DiskAppear events
* Fix build to adopt new adhoc build
* Handle clearing cache on UNMOUNT events
* Ignore other ES clients if configured
* Remove SNTAllowlistInfo. Rename AllowList to Allowlist. Minor cleanup.
* Recorder now logs asynchronously. Enricher now returns shared_ptrs.
* Added File writer. Added timestamps to BasicStream serializer.
* Skip calling stat in SNTFileInfo when path given by ES.
* Fix build issue
* Address draft PR feedback
* santactl integrated, XPC works, fix file writer bug
* Integrate syncservice. Start observing some config changes.
* Add metrics service wrapper
* Add metrics config observers and metrics interval reset.
* Start better dependency control. Add Null logger support.
* Added more deps
* Added more deps
* Fix issue where metric service wasn't starting
* Add missing variant include
* Fix missing parent proc name
* Added googletest and new unit test macro
* Started expanding AuthResultCacheTest
* Properly mock EndpointSecurityAPI
* Finished AuthResultCacheTest
* bazelrc now builds all C++ as C++17. Added LoggerTest.
* Add FileTest. Abstract some File constants to Logger.
* Added Empty serializer test
* Started work on BasicStringTest. Fixed some BasicString serialization bugs.
* Added Unlink BasicString serialization test
* Added some more tests. Commonized some test code
* Finished BasicStringTest. Converted to XCTest.
* Standardize esapi variable naming
* Bubble up gTest expect failures to XCTest failures
* AuthResultCacheTest now uses XCTest. Added common TestUtils.h
* EmptyTest now uses XCTest.
* FileTest now uses XCTest
* LoggerTest now uses XCTest. Removed santa_unit_gtest bazel macro.
* Added ClientTest
* Add basic Enricher tests
* Add MessageTest. Make more TestUtils.
* Rename metrics to Metrics
* Add MetricsTest.
* Apply template pattern to Serializer
* Add SNTDecisionCacheTest.
* Add SNTCachedDecisionTest.
* Testing with coveralls debug mode
* Allow manual CI runs
* Remove unused property
* Started work on SNTEndpointSecurityClientTest.
* WIP SNTEndpointSecurityClientTest, fix test run issue
* Added more base ES client tests
* Add more base ES client tests
* Base ES client tests done. Added serializer utils/tests. Expanded basic string tests.
* Add utils test to test suite
* Add copy ctor. Add test output to bazel coverage.
* Single thread bazel coverage
* Upload coverage file
* Upload coverage file
* Old gen cov test
* Restructure message handlers to enable better testability
* Added enable tests for all ES clients
* Made a single MockEndpointSecurityAPI class to share everywhere
* Added most of SNTCompilerControllerTest
* Cleanup SNTCompilerControllerTest
* Started expanding Auth client test
* Finished up the Authorizer tests
* Move to using enum class for notify/auth instead of bool
* WIP for tamper resistance test. ASAN issues.
* Add OCMock patch to fix test issue on ARM Macs
* Changed patches directory name to external_patches
* Update WORKSPACE path
* Finished up Tamper Resistance tests
* Finished up Recorder tests.
* Move SNTExecutionControllerTest to ObjC++
* Initial work to port SNTExecutionControllerTest
* Finished porting SNTExecutionControllerTest.
* Added SNTExecutionControllerTest to list of unit tests
* Ported SNTEndpointSecurityDeviceManager.
* Test cleanup, use MockESAPI expectation helpers
* Verify SNTEndpointSecurityDeviceManager expectations differently
* Test cleanup, omit gTest param list where unused
* Log message cleanup
* Rename SNTApplicationTest to santad_test.mm
* Finished porting santad_test, formerly SNTApplicationTest
* Fix SNTEndpointSecurityDeviceManager issues
* Pulled in missed fixes. Updated tests.
* Renamed lowercase filenames to match rest of codebase
* Fix non-static dispatch_once_t, and noisy watching compiler log message
* WIP Started process of removing components no longer used
* WIP Continued process of removing components no longer used
* BUILD file cleanup. Proto warning. Removed unused global
* Rename SNTEventProvider to SNTEndpointSecurityEventHandler
* Rename SNTEndpointSecurityEventHandler protocol
* Remove EnableSysxCache option. Remove --quick flag used during dev.
* Ran testing/fix.sh
* Add missing param to fix.sh that was omitting .mm files.
* clang-format
* Fix linter: find cmd missing .mm ext, git grep exclude patch files.
* Use MakeESProcess default params in tests
* Move variables to camelCase in objc classes
* More case changes
* Sanitize strings
* Change dispatch queue priorities and standardize daemon queue naming
* Exclude patch files in markdown check
* Ensure string log messages end with newline
* Fix BasicStringTest
* Disable clang-format in code producing different results in local/remote versions
* Moved to using date ranges in copyright notices as per current guidelines
* Update Source/common/SNTConfigurator.h
  Suggestion adding whitespace in comment to fix clang-format mangling
  Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
* Removed santa_panic macro used in one place
* Updated comment about ES cachability
* Pin oneTBB to specific commit
* Address outstanding WORKSPACE 'canonical reproducible form' messages
* Use string append instead of ostringstream due to benchmark results
* Remove use of friend classes in EnrichedTypes.h
* Added SNTKVOManager, removed observers from SNTConfigurator.
* Fixed SNTEndpointSecurityRecorderTest class name
* Reduce usage of the auto keyword
* Each SNTKVOManager instance now adds its own observer
* Replaced more auto keywords with real types.
* Remove leftover code coverage debugging from ci.yml
* Updated comment
* Memoize SNTFileInfo sha256. Reduce some cache sizes.
* Fix issue checking for translocated paths
* Use more performant NSURL creation method
* Fix lint issue
* Address PR feedback
* Use an array literal for kvo objects
* Fix some clang tidy and import issues
* Replace third party LRU cache with SantaCache for now
* Fix clang tidy issues
* Address PR feedback
* Fix comment typo
  Co-authored-by: Pete Markowsky <pmarkowsky@users.noreply.github.com>

Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
Co-authored-by: Pete Markowsky <pmarkowsky@users.noreply.github.com>
201 lines
6.6 KiB
Python
load("@build_bazel_rules_apple//apple:versioning.bzl", "apple_bundle_version")
load("//:helper.bzl", "run_command")

package(default_visibility = ["//:santa_package_group"])

licenses(["notice"])

exports_files(["LICENSE"])

# The version label for mac_* rules.
apple_bundle_version(
    name = "version",
    build_label_pattern = ".*santa_{release}\\.{build}",
    build_version = "{release}.{build}",
    capture_groups = {
        "release": "\\d{4}\\.\\d+",
        "build": "\\d+",
    },
    fallback_build_label = "santa_9999.1.1",
    short_version_string = "{release}",
)

# Used to detect release builds
config_setting(
    name = "release_build",
    values = {"define": "SANTA_BUILD_TYPE=release"},
    visibility = [":santa_package_group"],
)

# Adhoc signed - provisioning profiles are not used.
# Used for CI runs and dev builds when SIP is disabled.
config_setting(
    name = "adhoc_build",
    values = {"define": "SANTA_BUILD_TYPE=adhoc"},
    visibility = [":santa_package_group"],
)

# Used to detect optimized builds
config_setting(
    name = "opt_build",
    values = {"compilation_mode": "opt"},
)

package_group(
    name = "santa_package_group",
    packages = ["//..."],
)

################################################################################
# Loading/Unloading/Reloading
################################################################################

run_command(
    name = "unload",
    cmd = """
        sudo launchctl unload /Library/LaunchDaemons/com.google.santad.plist 2>/dev/null
        sudo launchctl unload /Library/LaunchDaemons/com.google.santa.bundleservice.plist 2>/dev/null
        sudo launchctl unload /Library/LaunchDaemons/com.google.santa.metricservice.plist 2>/dev/null
        sudo launchctl unload /Library/LaunchDaemons/com.google.santa.syncservice.plist 2>/dev/null
        launchctl unload /Library/LaunchAgents/com.google.santa.plist 2>/dev/null
    """,
)

run_command(
    name = "load",
    cmd = """
        sudo launchctl load /Library/LaunchDaemons/com.google.santad.plist
        sudo launchctl load /Library/LaunchDaemons/com.google.santa.bundleservice.plist
        sudo launchctl load /Library/LaunchDaemons/com.google.santa.metricservice.plist
        sudo launchctl load /Library/LaunchDaemons/com.google.santa.syncservice.plist
        launchctl load /Library/LaunchAgents/com.google.santa.plist
    """,
)

run_command(
    name = "reload",
    srcs = [
        "//Source/gui:Santa",
    ],
    cmd = """
        set -e

        rm -rf /tmp/bazel_santa_reload
        unzip -d /tmp/bazel_santa_reload \
            $${BUILD_WORKSPACE_DIRECTORY}/bazel-out/*$(COMPILATION_MODE)*/bin/Source/gui/Santa.zip >/dev/null
        echo "You may be asked for your password for sudo"
        sudo BINARIES=/tmp/bazel_santa_reload CONF=$${BUILD_WORKSPACE_DIRECTORY}/Conf \
            $${BUILD_WORKSPACE_DIRECTORY}/Conf/install.sh
        rm -rf /tmp/bazel_santa_reload
        echo "Time to stop being naughty"
    """,
)

################################################################################
# Release rules - used to create a release tarball
################################################################################

genrule(
    name = "release",
    srcs = [
        "//Source/gui:Santa",
        "Conf/install.sh",
        "Conf/uninstall.sh",
        "Conf/com.google.santa.bundleservice.plist",
        "Conf/com.google.santa.metricservice.plist",
        "Conf/com.google.santa.syncservice.plist",
        "Conf/com.google.santad.plist",
        "Conf/com.google.santa.plist",
        "Conf/com.google.santa.newsyslog.conf",
        "Conf/Package/Distribution.xml",
        "Conf/Package/notarization_tool.sh",
        "Conf/Package/package_and_sign.sh",
        "Conf/Package/postinstall",
        "Conf/Package/preinstall",
    ],
    outs = ["santa-release.tar.gz"],
    cmd = select({
        "//conditions:default": """
            echo "ERROR: Trying to create a release tarball without optimization."
            echo "Please add '-c opt' flag to bazel invocation"
        """,
        ":opt_build": """
            # Extract Santa.zip
            for SRC in $(SRCS); do
                if [ "$$(basename $${SRC})" == "Santa.zip" ]; then
                    mkdir -p $(@D)/binaries
                    unzip -q $${SRC} -d $(@D)/binaries >/dev/null
                fi
            done

            # Copy config files
            for SRC in $(SRCS); do
                if [[ "$$(dirname $${SRC})" == *"Conf"* ]]; then
                    mkdir -p $(@D)/conf
                    cp -H $${SRC} $(@D)/conf/
                fi
            done

            # Gather together the dSYMs. Throw an error if no dSYMs were found
            for SRC in $(SRCS); do
                case $${SRC} in
                    *santad.dSYM*Info.plist)
                        mkdir -p $(@D)/dsym
                        cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santad.dSYM
                        ;;
                    *santactl.dSYM*Info.plist)
                        mkdir -p $(@D)/dsym
                        cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santactl.dSYM
                        ;;
                    *santabundleservice.dSYM*Info.plist)
                        mkdir -p $(@D)/dsym
                        cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santabundleservice.dSYM
                        ;;
                    *santametricservice.dSYM*Info.plist)
                        mkdir -p $(@D)/dsym
                        cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santametricservice.dSYM
                        ;;
                    *santasyncservice.dSYM*Info.plist)
                        mkdir -p $(@D)/dsym
                        cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santasyncservice.dSYM
                        ;;
                    *Santa.app.dSYM*Info.plist)
                        mkdir -p $(@D)/dsym
                        cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/Santa.app.dSYM
                        ;;
                    *com.google.santa.daemon.systemextension.dSYM*Info.plist)
                        mkdir -p $(@D)/dsym
                        cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/com.google.santa.daemon.systemextension.dSYM
                        ;;
                esac
            done

            # Cause a build failure if the dSYMs are missing.
            if [[ ! -d "$(@D)/dsym" ]]; then
                echo "dsym dir missing: Did you forget to use --apple_generate_dsym?"
                echo "This flag is required for the 'release' target."
                exit 1
            fi

            # Update all the timestamps to now. Bazel avoids timestamps to allow
            # builds to be hermetic and cacheable but for releases we want the
            # timestamps to be more-or-less correct.
            find $(@D)/{binaries,conf,dsym} -exec touch {} \\;

            # Create final output tar
            tar -C $(@D) -czpf $(@) binaries dsym conf
        """,
    }),
    heuristic_label_expansion = 0,
)

test_suite(
    name = "unit_tests",
    tests = [
        "//Source/common:unit_tests",
        "//Source/gui:unit_tests",
        "//Source/santactl:unit_tests",
        "//Source/santad:unit_tests",
        "//Source/santametricservice:unit_tests",
        "//Source/santasyncservice:unit_tests",
    ],
)
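The apple_bundle_version rule above is what turns a build label (the value Bazel is given via --embed_label) into the two Info.plist version strings: build_label_pattern with its capture_groups extracts release and build, build_version becomes CFBundleVersion, short_version_string becomes CFBundleShortVersionString, and fallback_build_label covers builds with no label at all. The script below is an added example written for this page, not code from Santa or from rules_apple, that re-implements that substitution on the exact values from the BUILD file so the mapping can be checked on sample labels. Two things are this example's assumptions rather than documented rules_apple behaviour: the whole label must match the pattern (fullmatch), and a label that does not match is treated like a missing label and falls back to santa_9999.1.1. The sample labels are constructed.

```python
"""Resolve the CFBundleVersion / CFBundleShortVersionString pair that the
apple_bundle_version(name = "version") rule in Santa's BUILD file produces."""
import re
from typing import Dict, Optional

# Values copied verbatim from the BUILD file's apple_bundle_version rule.
BUILD_LABEL_PATTERN = r".*santa_{release}\.{build}"
CAPTURE_GROUPS = {
    "release": r"\d{4}\.\d+",
    "build": r"\d+",
}
BUILD_VERSION = "{release}.{build}"   # becomes CFBundleVersion
SHORT_VERSION_STRING = "{release}"    # becomes CFBundleShortVersionString
FALLBACK_BUILD_LABEL = "santa_9999.1.1"


def compile_label_pattern(pattern: str, groups: Dict[str, str]) -> "re.Pattern[str]":
    """Replace each {name} placeholder with a named regex group (?P<name>...).

    Placeholders are substituted by exact name, so the literal "{4}" that the
    release regex introduces is left untouched.
    """
    regex = pattern
    for name, sub_regex in groups.items():
        regex = regex.replace("{" + name + "}", f"(?P<{name}>{sub_regex})")
    return re.compile(regex)


def resolve_version(build_label: Optional[str]) -> Dict[str, str]:
    """Map a build label to the two Info.plist version strings.

    Assumption (this example's, not rules_apple's documented behaviour): the
    whole label must match the pattern; a missing or non-matching label uses
    fallback_build_label, the value the BUILD file supplies for local builds
    that carry no label.
    """
    pattern = compile_label_pattern(BUILD_LABEL_PATTERN, CAPTURE_GROUPS)
    label = build_label or FALLBACK_BUILD_LABEL
    match = pattern.fullmatch(label)
    if match is None:
        label = FALLBACK_BUILD_LABEL
        match = pattern.fullmatch(label)
    assert match is not None  # the fallback label always matches the pattern
    fields = match.groupdict()  # {"release": ..., "build": ...}
    return {
        "label": label,
        "CFBundleVersion": BUILD_VERSION.format(**fields),
        "CFBundleShortVersionString": SHORT_VERSION_STRING.format(**fields),
    }


if __name__ == "__main__":
    # Constructed sample labels: a plain release label, one with a CI prefix
    # (absorbed by the leading ".*"), and no label at all.
    for sample in ("santa_2022.9.123", "ci-santa_2022.10.5", None):
        print(sample, "->", resolve_version(sample))
```

Running it shows that the "{release}" group is the greedy four-digit-year-dot-number prefix, so a label such as santa_2022.10.5 yields CFBundleVersion 2022.10.5 and CFBundleShortVersionString 2022.10, while an unlabelled build is stamped 9999.1.1, which is the easy way to recognise a local or dev build in a fleet inventory.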