Incorporate review feedback.

google · Mar 14, 2024 · 9510c05 · 9510c05
1 parent d642bde
commit 9510c05
Showing 1 changed file with 34 additions and 30 deletions.
diff --git a/Source/santad/SNTPolicyProcessor.mm b/Source/santad/SNTPolicyProcessor.mm
@@ -49,7 +49,7 @@ - (instancetype)initWithRuleTable:(SNTRuleTable *)ruleTable {
 inline SNTCachedDecision *updateCachedDecisionForRule(SNTCachedDecision *cd, SNTRule *rule,
                                                       SNTClientMode mode,
                                                       bool enableTransitiveRules) {
-  static const absl::flat_hash_map<std::pair<SNTRuleType, SNTRuleState>, SNTEventState> decisions =
+  static const auto decisions =
     absl::flat_hash_map<std::pair<SNTRuleType, SNTRuleState>, SNTEventState>{
       {{SNTRuleTypeCDHash, SNTRuleStateAllow}, SNTEventStateAllowCDHash},
       {{SNTRuleTypeCDHash, SNTRuleStateAllowCompiler}, SNTEventStateAllowCompiler},
@@ -77,43 +77,47 @@ - (instancetype)initWithRuleTable:(SNTRuleTable *)ruleTable {
     cd.decision = iterator->second;
   } else {
     // We don't have a matching rule type, rule state for this.
+    // These states aren't final and may be changed by scope rules.
     if (mode == SNTClientModeMonitor) {
       cd.decision = SNTEventStateAllowUnknown;
     } else {
       cd.decision = SNTEventStateBlockUnknown;
     }
   }
 
-  if (rule.state == SNTRuleStateSilentBlock) {
-    cd.silentBlock = YES;
-  } else if (rule.state == SNTRuleStateAllowCompiler) {
-    if (!enableTransitiveRules) {
-      switch (rule.type) {
-        case SNTRuleTypeCDHash: cd.decision = SNTEventStateAllowCDHash; break;
-        case SNTRuleTypeBinary: cd.decision = SNTEventStateAllowBinary; break;
-        case SNTRuleTypeSigningID: cd.decision = SNTEventStateAllowSigningID; break;
-        default:
-          // Programming error. Something's marked as a compiler that shouldn't
-          // be.
-          LOGE(@"Invalid compiler rule type %ld", rule.type);
-          [NSException
-             raise:@"Invalid compiler rule type"
-            format:@"updateCachedDecisionForRule: Unexpected compiler rule type: %ld", rule.type];
-          break;
+  switch (rule.state) {
+    case SNTRuleStateSilentBlock: cd.silentBlock = YES; break;
+    case SNTRuleStateAllowCompiler:
+      if (!enableTransitiveRules) {
+        switch (rule.type) {
+          case SNTRuleTypeCDHash: cd.decision = SNTEventStateAllowCDHash; break;
+          case SNTRuleTypeBinary: cd.decision = SNTEventStateAllowBinary; break;
+          case SNTRuleTypeSigningID: cd.decision = SNTEventStateAllowSigningID; break;
+          default:
+            // Programming error. Something's marked as a compiler that shouldn't
+            // be.
+            LOGE(@"Invalid compiler rule type %ld", rule.type);
+            [NSException
+               raise:@"Invalid compiler rule type"
+              format:@"updateCachedDecisionForRule: Unexpected compiler rule type: %ld", rule.type];
+            break;
+        }
       }
-    }
-  } else if (rule.state == SNTRuleStateAllowTransitive) {
-    // If transitive rules are enabled, then SNTRuleStateAllowTransitive rules
-    // become SNTEventStateAllowTransitive decisions.  Otherwise, we treat the
-    // rule as if it were SNTRuleStateUnknown.
-    if (!enableTransitiveRules) {
-      // check operating mode.
-      if (mode == SNTClientModeMonitor) {
-        cd.decision = SNTEventStateAllowUnknown;
-      } else {
-        cd.decision = SNTEventStateBlockUnknown;
+      break;
+    case SNTRuleStateAllowTransitive:
+      // If transitive rules are enabled, then SNTRuleStateAllowTransitive rules
+      // become SNTEventStateAllowTransitive decisions.  Otherwise, we treat the
+      // rule as if it were SNTRuleStateUnknown.
+      if (!enableTransitiveRules) {
+        // check operating mode.
+        if (mode == SNTClientModeMonitor) {
+          cd.decision = SNTEventStateAllowUnknown;
+        } else {
+          cd.decision = SNTEventStateBlockUnknown;
+        }
       }
-    }
+      break;
+    default: break;
   }
 
   if (rule.customMsg) {
@@ -154,7 +158,7 @@ - (instancetype)initWithRuleTable:(SNTRuleTable *)ruleTable {
 
   if (entitlementsFilterCallback) {
     cd.entitlements = entitlementsFilterCallback(entitlements);
-    cd.entitlementsFiltered = (cd.entitlements.count == entitlements.count);
+    cd.entitlementsFiltered = (cd.entitlements.count != entitlements.count);
   } else {
     cd.entitlements = [entitlements sntDeepCopy];
     cd.entitlementsFiltered = NO;