Merge remote-tracking branch 'upstream/main' into pt-3

Source/common/BUILD

@@ -264,6 +264,7 @@ objc_library(
     hdrs = ["SNTFileInfo.h"],
     deps = [
         ":SNTLogging",
+        ":SantaVnode",
         "@FMDB",
         "@MOLCodesignChecker",
     ],
@@ -313,6 +314,12 @@ santa_unit_test(
     ],
 )
 
+objc_library(
+    name = "SNTRuleIdentifiers",
+    srcs = ["SNTRuleIdentifiers.m"],
+    hdrs = ["SNTRuleIdentifiers.h"],
+)
+
 objc_library(
     name = "SNTStoredEvent",
     srcs = ["SNTStoredEvent.m"],
@@ -378,6 +385,7 @@ objc_library(
         ":SNTCommonEnums",
         ":SNTConfigurator",
         ":SNTRule",
+        ":SNTRuleIdentifiers",
         ":SNTStoredEvent",
         ":SNTXPCUnprivilegedControlInterface",
         "@MOLCodesignChecker",
@@ -420,6 +428,7 @@ objc_library(
     deps = [
         ":SNTCommonEnums",
         ":SNTRule",
+        ":SNTRuleIdentifiers",
         ":SNTStoredEvent",
         ":SNTXPCBundleServiceInterface",
         ":SantaVnode",

Source/common/SNTCachedDecision.h

@@ -25,7 +25,9 @@
 ///
 @interface SNTCachedDecision : NSObject
 
+- (instancetype)init;
 - (instancetype)initWithEndpointSecurityFile:(const es_file_t *)esFile;
+- (instancetype)initWithVnode:(SantaVnode)vnode NS_DESIGNATED_INITIALIZER;
 
 @property SantaVnode vnodeId;
 @property SNTEventState decision;
@@ -38,6 +40,7 @@
 @property NSArray<MOLCertificate *> *certChain;
 @property NSString *teamID;
 @property NSString *signingID;
+@property NSString *cdhash;
 @property NSDictionary *entitlements;
 @property BOOL entitlementsFiltered;
 

Source/common/SNTCachedDecision.mm

@@ -17,10 +17,18 @@
 
 @implementation SNTCachedDecision
 
+- (instancetype)init {
+  return [self initWithVnode:(SantaVnode){}];
+}
+
 - (instancetype)initWithEndpointSecurityFile:(const es_file_t *)esFile {
+  return [self initWithVnode:SantaVnode::VnodeForFile(esFile)];
+}
+
+- (instancetype)initWithVnode:(SantaVnode)vnode {
   self = [super init];
   if (self) {
-    _vnodeId = SantaVnode::VnodeForFile(esFile);
+    _vnodeId = vnode;
   }
   return self;
 }

Source/common/SNTCommonEnums.h

@@ -46,6 +46,7 @@ typedef NS_ENUM(NSInteger, SNTAction) {
 typedef NS_ENUM(NSInteger, SNTRuleType) {
   SNTRuleTypeUnknown = 0,
 
+  SNTRuleTypeCDHash = 500,
   SNTRuleTypeBinary = 1000,
   SNTRuleTypeSigningID = 2000,
   SNTRuleTypeCertificate = 3000,
@@ -84,6 +85,7 @@ typedef NS_ENUM(uint64_t, SNTEventState) {
   SNTEventStateBlockTeamID = 1ULL << 20,
   SNTEventStateBlockLongPath = 1ULL << 21,
   SNTEventStateBlockSigningID = 1ULL << 22,
+  SNTEventStateBlockCDHash = 1ULL << 23,
 
   // Bits 40-63 store allow decision types
   SNTEventStateAllowUnknown = 1ULL << 40,
@@ -95,6 +97,7 @@ typedef NS_ENUM(uint64_t, SNTEventState) {
   SNTEventStateAllowPendingTransitive = 1ULL << 46,
   SNTEventStateAllowTeamID = 1ULL << 47,
   SNTEventStateAllowSigningID = 1ULL << 48,
+  SNTEventStateAllowCDHash = 1ULL << 49,
 
   // Block and Allow masks
   SNTEventStateBlock = 0xFFFFFFULL << 16,

Source/common/SNTFileInfo.h

@@ -15,6 +15,8 @@
 #import <EndpointSecurity/EndpointSecurity.h>
 #import <Foundation/Foundation.h>
 
+#import "Source/common/SantaVnode.h"
+
 @class MOLCodesignChecker;
 
 ///
@@ -220,6 +222,11 @@
 ///
 - (NSUInteger)fileSize;
 
+///
+///  @return The devno/ino pair of the file
+///
+- (SantaVnode)vnode;
+
 ///
 ///  @return The underlying file handle.
 ///

Source/common/SNTFileInfo.m

@@ -49,6 +49,7 @@ @interface SNTFileInfo ()
 @property NSString *path;
 @property NSFileHandle *fileHandle;
 @property NSUInteger fileSize;
+@property SantaVnode vnode;
 @property NSString *fileOwnerHomeDir;
 @property NSString *sha256Storage;
 
@@ -110,6 +111,7 @@ - (instancetype)initWithResolvedPath:(NSString *)path
     }
 
     _fileSize = fileStat->st_size;
+    _vnode = (SantaVnode){.fsid = fileStat->st_dev, .fileid = fileStat->st_ino};
 
     if (_fileSize == 0) return nil;
 

Source/common/SNTRule.m

@@ -15,6 +15,7 @@
 #import "Source/common/SNTRule.h"
 
 #include <CommonCrypto/CommonCrypto.h>
+#include <Kernel/kern/cs_blobs.h>
 #include <os/base.h>
 
 #import "Source/common/SNTSyncConstants.h"
@@ -103,6 +104,14 @@ - (instancetype)initWithIdentifier:(NSString *)identifier
         break;
       }
 
+      case SNTRuleTypeCDHash: {
+        identifier = [[identifier lowercaseString] stringByTrimmingCharactersInSet:nonHex];
+        if (identifier.length != CS_CDHASH_LEN * 2) {
+          return nil;
+        }
+        break;
+      }
+
       default: {
         break;
       }
@@ -173,6 +182,8 @@ - (instancetype)initWithDictionary:(NSDictionary *)dict {
     type = SNTRuleTypeTeamID;
   } else if ([ruleTypeString isEqual:kRuleTypeSigningID]) {
     type = SNTRuleTypeSigningID;
+  } else if ([ruleTypeString isEqual:kRuleTypeCDHash]) {
+    type = SNTRuleTypeCDHash;
   } else {
     return nil;
   }

Source/common/SNTRuleIdentifiers.h

@@ -0,0 +1,51 @@
+/// Copyright 2024 Google LLC
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+/**
+ * This file declares two types that are mirrors of each other.
+ *
+ * The C struct serves as a way to group and pass valid rule identifiers around
+ * in order to minimize interface changes needed when new rule types are added
+ * and also alleviate the need to allocate a short lived object.
+ *
+ * The Objective C class is used for an XPC boundary to easily pass rule
+ * identifiers between Santa components.
+ */
+
+#import <Foundation/Foundation.h>
+
+struct RuleIdentifiers {
+  NSString *cdhash;
+  NSString *binarySHA256;
+  NSString *signingID;
+  NSString *certificateSHA256;
+  NSString *teamID;
+};
+
+@interface SNTRuleIdentifiers : NSObject <NSSecureCoding>
+@property(readonly) NSString *cdhash;
+@property(readonly) NSString *binarySHA256;
+@property(readonly) NSString *signingID;
+@property(readonly) NSString *certificateSHA256;
+@property(readonly) NSString *teamID;
+
+/// Please use `initWithRuleIdentifiers:`
+- (instancetype)init NS_UNAVAILABLE;
+
+- (instancetype)initWithRuleIdentifiers:(struct RuleIdentifiers)identifiers
+  NS_DESIGNATED_INITIALIZER;
+
+- (struct RuleIdentifiers)toStruct;
+
+@end

Source/common/SNTRuleIdentifiers.m

@@ -0,0 +1,73 @@
+/// Copyright 2024 Google LLC
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+#import "Source/common/SNTRuleIdentifiers.h"
+
+@implementation SNTRuleIdentifiers
+
+- (instancetype)initWithRuleIdentifiers:(struct RuleIdentifiers)identifiers {
+  self = [super init];
+  if (self) {
+    _cdhash = identifiers.cdhash;
+    _binarySHA256 = identifiers.binarySHA256;
+    _signingID = identifiers.signingID;
+    _certificateSHA256 = identifiers.certificateSHA256;
+    _teamID = identifiers.teamID;
+  }
+  return self;
+}
+
+- (struct RuleIdentifiers)toStruct {
+  return (struct RuleIdentifiers){.cdhash = self.cdhash,
+                                  .binarySHA256 = self.binarySHA256,
+                                  .signingID = self.signingID,
+                                  .certificateSHA256 = self.certificateSHA256,
+                                  .teamID = self.teamID};
+}
+
+#pragma mark NSSecureCoding
+
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wobjc-literal-conversion"
+#define ENCODE(obj, key) \
+  if (obj) [coder encodeObject:obj forKey:key]
+#define DECODE(cls, key) [decoder decodeObjectOfClass:[cls class] forKey:key]
+
++ (BOOL)supportsSecureCoding {
+  return YES;
+}
+
+- (instancetype)initWithCoder:(NSCoder *)decoder {
+  self = [self init];
+  if (self) {
+    _cdhash = DECODE(NSString, @"cdhash");
+    _binarySHA256 = DECODE(NSString, @"binarySHA256");
+    _signingID = DECODE(NSString, @"signingID");
+    _certificateSHA256 = DECODE(NSString, @"certificateSHA256");
+    _teamID = DECODE(NSString, @"teamID");
+  }
+  return self;
+}
+
+- (void)encodeWithCoder:(NSCoder *)coder {
+  ENCODE(self.cdhash, @"cdhash");
+  ENCODE(self.binarySHA256, @"binarySHA256");
+  ENCODE(self.signingID, @"signingID");
+  ENCODE(self.certificateSHA256, @"certificateSHA256");
+  ENCODE(self.teamID, @"teamID");
+}
+
+#pragma clang diagnostic pop
+
+@end

Source/common/SNTStoredEvent.h

@@ -105,6 +105,11 @@
 ///
 @property NSString *signingID;
 
+///
+/// If the executed file was signed, this is the CDHash of the binary.
+///
+@property NSString *cdhash;
+
 ///
 ///  The user who executed the binary.
 ///

Source/common/SNTStoredEvent.m

@@ -51,6 +51,7 @@ - (void)encodeWithCoder:(NSCoder *)coder {
   ENCODE(self.signingChain, @"signingChain");
   ENCODE(self.teamID, @"teamID");
   ENCODE(self.signingID, @"signingID");
+  ENCODE(self.cdhash, @"cdhash");
 
   ENCODE(self.executingUser, @"executingUser");
   ENCODE(self.occurrenceDate, @"occurrenceDate");
@@ -97,6 +98,7 @@ - (instancetype)initWithCoder:(NSCoder *)decoder {
     _signingChain = DECODEARRAY(MOLCertificate, @"signingChain");
     _teamID = DECODE(NSString, @"teamID");
     _signingID = DECODE(NSString, @"signingID");
+    _cdhash = DECODE(NSString, @"cdhash");
 
     _executingUser = DECODE(NSString, @"executingUser");
     _occurrenceDate = DECODE(NSDate, @"occurrenceDate");

Source/common/SNTSyncConstants.h

@@ -44,6 +44,7 @@ extern NSString *const kCompilerRuleCount;
 extern NSString *const kTransitiveRuleCount;
 extern NSString *const kTeamIDRuleCount;
 extern NSString *const kSigningIDRuleCount;
+extern NSString *const kCDHashRuleCount;
 extern NSString *const kFullSyncInterval;
 extern NSString *const kFCMToken;
 extern NSString *const kFCMFullSyncInterval;
@@ -70,12 +71,14 @@ extern NSString *const kDecisionAllowCertificate;
 extern NSString *const kDecisionAllowScope;
 extern NSString *const kDecisionAllowTeamID;
 extern NSString *const kDecisionAllowSigningID;
+extern NSString *const kDecisionAllowCDHash;
 extern NSString *const kDecisionBlockUnknown;
 extern NSString *const kDecisionBlockBinary;
 extern NSString *const kDecisionBlockCertificate;
 extern NSString *const kDecisionBlockScope;
 extern NSString *const kDecisionBlockTeamID;
 extern NSString *const kDecisionBlockSigningID;
+extern NSString *const kDecisionBlockCDHash;
 extern NSString *const kDecisionUnknown;
 extern NSString *const kDecisionBundleBinary;
 extern NSString *const kLoggedInUsers;
@@ -101,6 +104,7 @@ extern NSString *const kCertValidFrom;
 extern NSString *const kCertValidUntil;
 extern NSString *const kTeamID;
 extern NSString *const kSigningID;
+extern NSString *const kCDHash;
 extern NSString *const kQuarantineDataURL;
 extern NSString *const kQuarantineRefererURL;
 extern NSString *const kQuarantineTimestamp;
@@ -125,6 +129,7 @@ extern NSString *const kRuleTypeBinary;
 extern NSString *const kRuleTypeCertificate;
 extern NSString *const kRuleTypeTeamID;
 extern NSString *const kRuleTypeSigningID;
+extern NSString *const kRuleTypeCDHash;
 extern NSString *const kRuleCustomMsg;
 extern NSString *const kRuleCustomURL;
 extern NSString *const kCursor;

Source/common/SNTSyncConstants.m

@@ -44,6 +44,7 @@
 NSString *const kTransitiveRuleCount = @"transitive_rule_count";
 NSString *const kTeamIDRuleCount = @"teamid_rule_count";
 NSString *const kSigningIDRuleCount = @"signingid_rule_count";
+NSString *const kCDHashRuleCount = @"cdhash_rule_count";
 NSString *const kFullSyncInterval = @"full_sync_interval";
 NSString *const kFCMToken = @"fcm_token";
 NSString *const kFCMFullSyncInterval = @"fcm_full_sync_interval";
@@ -71,12 +72,14 @@
 NSString *const kDecisionAllowScope = @"ALLOW_SCOPE";
 NSString *const kDecisionAllowTeamID = @"ALLOW_TEAMID";
 NSString *const kDecisionAllowSigningID = @"ALLOW_SIGNINGID";
+NSString *const kDecisionAllowCDHash = @"ALLOW_CDHASH";
 NSString *const kDecisionBlockUnknown = @"BLOCK_UNKNOWN";
 NSString *const kDecisionBlockBinary = @"BLOCK_BINARY";
 NSString *const kDecisionBlockCertificate = @"BLOCK_CERTIFICATE";
 NSString *const kDecisionBlockScope = @"BLOCK_SCOPE";
 NSString *const kDecisionBlockTeamID = @"BLOCK_TEAMID";
 NSString *const kDecisionBlockSigningID = @"BLOCK_SIGNINGID";
+NSString *const kDecisionBlockCDHash = @"BLOCK_CDHASH";
 NSString *const kDecisionUnknown = @"UNKNOWN";
 NSString *const kDecisionBundleBinary = @"BUNDLE_BINARY";
 NSString *const kLoggedInUsers = @"logged_in_users";
@@ -102,6 +105,7 @@
 NSString *const kCertValidUntil = @"valid_until";
 NSString *const kTeamID = @"team_id";
 NSString *const kSigningID = @"signing_id";
+NSString *const kCDHash = @"cdhash";
 NSString *const kQuarantineDataURL = @"quarantine_data_url";
 NSString *const kQuarantineRefererURL = @"quarantine_referer_url";
 NSString *const kQuarantineTimestamp = @"quarantine_timestamp";
@@ -126,6 +130,7 @@
 NSString *const kRuleTypeCertificate = @"CERTIFICATE";
 NSString *const kRuleTypeTeamID = @"TEAMID";
 NSString *const kRuleTypeSigningID = @"SIGNINGID";
+NSString *const kRuleTypeCDHash = @"CDHASH";
 NSString *const kRuleCustomMsg = @"custom_msg";
 NSString *const kRuleCustomURL = @"custom_url";
 NSString *const kCursor = @"cursor";