Only respect FailClosed when in Lockdown mode. Update docs.

google · Feb 8, 2024 · 76d33bb · 76d33bb
1 parent fcc1ee5
commit 76d33bb
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 14 deletions.
diff --git a/Source/common/SNTConfigurator.h b/Source/common/SNTConfigurator.h
@@ -40,7 +40,8 @@
 ///
 ///  Enable Fail Close mode. Defaults to NO.
 ///  This controls Santa's behavior when a failure occurs, such as an
-///  inability to read a file. By default, to prevent bugs or misconfiguration
+///  inability to read a file and as a default response when deadlines
+///  are about to expire. By default, to prevent bugs or misconfiguration
 ///  from rendering a machine inoperable Santa will fail open and allow
 ///  execution. With this setting enabled, Santa will fail closed if the client
 ///  is in LOCKDOWN mode, offering a higher level of security but with a higher

diff --git a/Source/santad/BUILD b/Source/santad/BUILD
@@ -286,6 +286,7 @@ objc_library(
         ":SNTEndpointSecurityClientBase",
         ":WatchItemPolicy",
         "//Source/common:BranchPrediction",
+        "//Source/common:SNTCommonEnums",
         "//Source/common:SNTConfigurator",
         "//Source/common:SNTLogging",
         "//Source/common:SystemResources",
@@ -1182,6 +1183,7 @@ santa_unit_test(
         ":MockEndpointSecurityAPI",
         ":SNTEndpointSecurityClient",
         ":WatchItemPolicy",
+        "//Source/common:SNTCommonEnums",
         "//Source/common:SNTConfigurator",
         "//Source/common:SystemResources",
         "//Source/common:TestUtils",

diff --git a/Source/santad/EventProviders/SNTEndpointSecurityClient.mm b/Source/santad/EventProviders/SNTEndpointSecurityClient.mm
@@ -27,6 +27,7 @@
 #include <string_view>
 
 #include "Source/common/BranchPrediction.h"
+#import "Source/common/SNTCommonEnums.h"
 #import "Source/common/SNTConfigurator.h"
 #import "Source/common/SNTLogging.h"
 #include "Source/common/SystemResources.h"
@@ -316,13 +317,18 @@ - (void)processMessage:(Message &&)msg handler:(void (^)(const Message &))messag
       return;
     }
 
-    bool res = [self
-      respondToMessage:deadlineMsg
-        withAuthResult:self.configurator.failClosed ? ES_AUTH_RESULT_DENY : ES_AUTH_RESULT_ALLOW
-             cacheable:false];
+    es_auth_result_t authResult;
+    if (self.configurator.failClosed && self.configurator.clientMode == SNTClientModeLockdown) {
+      authResult = ES_AUTH_RESULT_DENY;
+    } else {
+      authResult = ES_AUTH_RESULT_ALLOW;
+    }
+
+    bool res = [self respondToMessage:deadlineMsg withAuthResult:authResult cacheable:false];
 
-    LOGE(@"SNTEndpointSecurityClient: deadline reached: deny pid=%d, event type: %d ret=%d",
-         audit_token_to_pid(deadlineMsg->process->audit_token), deadlineMsg->event_type, res);
+    LOGE(@"SNTEndpointSecurityClient: deadline reached: pid=%d, event type: %d, result: %@, ret=%d",
+         audit_token_to_pid(deadlineMsg->process->audit_token), deadlineMsg->event_type,
+         (authResult == ES_AUTH_RESULT_DENY ? @"denied" : @"allowed"), res);
     dispatch_semaphore_signal(deadlineExpiredSema);
   });
 

diff --git a/Source/santad/EventProviders/SNTEndpointSecurityClientTest.mm b/Source/santad/EventProviders/SNTEndpointSecurityClientTest.mm
@@ -22,6 +22,7 @@
 
 #include <memory>
 
+#import "Source/common/SNTCommonEnums.h"
 #import "Source/common/SNTConfigurator.h"
 #import "Source/common/SystemResources.h"
 #include "Source/common/TestUtils.h"
@@ -547,7 +548,7 @@ - (void)testComputeBudgetForDeadlineCurrentTime {
   XCTBubbleMockVerifyAndClearExpectations(mockESApi.get());
 }
 
-- (void)checkProcessMessageHandlerWithDeadlineTimeoutFailClosed:(BOOL)shouldFailClosed {
+- (void)checkDeadlineExpiredFailClosed:(BOOL)shouldFailClosed clientMode:(SNTClientMode)clientMode {
   // Set a es_message_t deadline of 750ms
   // Set a deadline leeway in the `SNTEndpointSecurityClient` of 500ms
   // Mock `RespondFlagsResult` which is called from the deadline handler
@@ -570,7 +571,9 @@ - (void)checkProcessMessageHandlerWithDeadlineTimeoutFailClosed:(BOOL)shouldFail
   dispatch_semaphore_t deadlineSema = dispatch_semaphore_create(0);
   dispatch_semaphore_t controlSema = dispatch_semaphore_create(0);
 
-  es_auth_result_t wantAuthResult = shouldFailClosed ? ES_AUTH_RESULT_DENY : ES_AUTH_RESULT_ALLOW;
+  es_auth_result_t wantAuthResult = (shouldFailClosed && clientMode == SNTClientModeLockdown)
+                                      ? ES_AUTH_RESULT_DENY
+                                      : ES_AUTH_RESULT_ALLOW;
   EXPECT_CALL(*mockESApi, RespondAuthResult(testing::_, testing::_, wantAuthResult, false))
     .WillOnce(testing::InvokeWithoutArgs(^() {
       // Signal deadlineSema to let the handler block continue execution
@@ -581,6 +584,9 @@ - (void)checkProcessMessageHandlerWithDeadlineTimeoutFailClosed:(BOOL)shouldFail
   id mockConfigurator = OCMClassMock([SNTConfigurator class]);
   OCMStub([mockConfigurator configurator]).andReturn(mockConfigurator);
   OCMExpect([mockConfigurator failClosed]).andReturn(shouldFailClosed);
+  if (shouldFailClosed) {
+    OCMExpect([mockConfigurator clientMode]).andReturn(clientMode);
+  }
 
   SNTEndpointSecurityClient *client =
     [[SNTEndpointSecurityClient alloc] initWithESAPI:mockESApi
@@ -624,12 +630,20 @@ - (void)checkProcessMessageHandlerWithDeadlineTimeoutFailClosed:(BOOL)shouldFail
   [mockConfigurator stopMocking];
 }
 
-- (void)testProcessMessageHandlerWithDeadlineTimeoutFailClosed {
-  [self checkProcessMessageHandlerWithDeadlineTimeoutFailClosed:YES];
+- (void)testDeadlineExpiredFailClosedLockdown {
+  [self checkDeadlineExpiredFailClosed:YES clientMode:SNTClientModeLockdown];
+}
+
+- (void)testDeadlineExpiredFailOpenLockdown {
+  [self checkDeadlineExpiredFailClosed:NO clientMode:SNTClientModeLockdown];
+}
+
+- (void)testDeadlineExpiredFailClosedMonitor {
+  [self checkDeadlineExpiredFailClosed:YES clientMode:SNTClientModeMonitor];
 }
 
-- (void)testProcessMessageHandlerWithDeadlineTimeoutFailOpen {
-  [self checkProcessMessageHandlerWithDeadlineTimeoutFailClosed:NO];
+- (void)testDeadlineExpiredFailOpenMonitor {
+  [self checkDeadlineExpiredFailClosed:NO clientMode:SNTClientModeMonitor];
 }
 
 @end
diff --git a/docs/deployment/configuration.md b/docs/deployment/configuration.md
@@ -23,7 +23,7 @@ also known as mobileconfig files, which are in an Apple-specific XML format.
 | Key                                | Value Type | Description                              |
 | ---------------------------------- | ---------- | ---------------------------------------- |
 | ClientMode\*                       | Integer    | 1 = MONITOR, 2 = LOCKDOWN, defaults to MONITOR |
-| FailClosed                         | Bool       | If true and the ClientMode is LOCKDOWN: execution will be denied when there is an error reading or processing an executable file. Defaults to false. |
+| FailClosed                         | Bool       | If true and the ClientMode is LOCKDOWN: execution will be denied when there is an error reading or processing an executable file and when Santa has to make a default response just prior to deadlines expiring. Defaults to false. |
 | FileChangesRegex\*                 | String     | The regex of paths to log file changes. Regexes are specified in ICU format. |
 | AllowedPathRegex\*                 | String     | A regex to allow if the binary, certificate, or Team ID scopes did not allow/block execution.  Regexes are specified in ICU format. |
 | BlockedPathRegex\*                 | String     | A regex to block if the binary, certificate, or Team ID scopes did not allow/block an execution.  Regexes are specified in ICU format. |