Move decision making to SNTPolicyProcessor

Move SNTEventState to a mixed bit field enum SNTCommandFileInfo now handles all rule states
google · Sep 14, 2016 · 951ffe2 · 951ffe2
1 parent 4380016
commit 951ffe2
Show file tree

Hide file tree

Showing 13 changed files with 358 additions and 274 deletions.
diff --git a/Podfile.lock b/Podfile.lock
@@ -2,8 +2,8 @@ PODS:
   - FMDB (2.6.2):
     - FMDB/standard (= 2.6.2)
   - FMDB/standard (2.6.2)
-  - MOLAuthenticatingURLSession (1.8):
-    - MOLCertificate (~> 1.3)
+  - MOLAuthenticatingURLSession (2.1):
+    - MOLCertificate (~> 1.5)
   - MOLCertificate (1.5)
   - MOLCodesignChecker (1.5):
     - MOLCertificate (~> 1.3)
@@ -18,7 +18,7 @@ DEPENDENCIES:
 
 SPEC CHECKSUMS:
   FMDB: 854a0341b4726e53276f2a8996f06f1b80f9259a
-  MOLAuthenticatingURLSession: d04d93e7fe209533befb3d0e70a6675aa7f21d5a
+  MOLAuthenticatingURLSession: 2f0fd35f641bc857ee1b026021dbd759955adaa3
   MOLCertificate: c39cae866d24d36fbc78032affff83d401b5384a
   MOLCodesignChecker: fc9c64147811d7b0d0739127003e0630dff9213a
   OCMock: f3f61e6eaa16038c30caa5798c5e49d3307b6f22

diff --git a/Santa.xcodeproj/project.pbxproj b/Santa.xcodeproj/project.pbxproj
@@ -180,6 +180,8 @@
 		C714F8B21D8044FE00700EDF /* SNTCommandController.m in Sources */ = {isa = PBXBuildFile; fileRef = 0D35BDAB18FD7CFD00921A21 /* SNTCommandController.m */; };
 		C72E8D941D7F399900C86DD3 /* SNTCommandFileInfoTest.m in Sources */ = {isa = PBXBuildFile; fileRef = C72E8D931D7F399900C86DD3 /* SNTCommandFileInfoTest.m */; };
 		C76614EC1D142D3C00D150C1 /* SNTCommandCheckCache.m in Sources */ = {isa = PBXBuildFile; fileRef = C76614EB1D142D3C00D150C1 /* SNTCommandCheckCache.m */; };
+		C795ED901D80A5BE007CFF42 /* SNTPolicyProcessor.m in Sources */ = {isa = PBXBuildFile; fileRef = C795ED8F1D80A5BE007CFF42 /* SNTPolicyProcessor.m */; };
+		C795ED911D80B66B007CFF42 /* SNTPolicyProcessor.m in Sources */ = {isa = PBXBuildFile; fileRef = C795ED8F1D80A5BE007CFF42 /* SNTPolicyProcessor.m */; };
 		EFD8E30D32F6128B9E833D64 /* libPods-LogicTests.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 873978BCE4B0DBD2A89C99D1 /* libPods-LogicTests.a */; };
 /* End PBXBuildFile section */
 
@@ -416,6 +418,8 @@
 		BE53E1EAE84D54E7FCB22FD5 /* libPods-santactl.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = "libPods-santactl.a"; sourceTree = BUILT_PRODUCTS_DIR; };
 		C72E8D931D7F399900C86DD3 /* SNTCommandFileInfoTest.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTCommandFileInfoTest.m; sourceTree = "<group>"; };
 		C76614EB1D142D3C00D150C1 /* SNTCommandCheckCache.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTCommandCheckCache.m; sourceTree = "<group>"; };
+		C795ED8E1D80A5BE007CFF42 /* SNTPolicyProcessor.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SNTPolicyProcessor.h; sourceTree = "<group>"; };
+		C795ED8F1D80A5BE007CFF42 /* SNTPolicyProcessor.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTPolicyProcessor.m; sourceTree = "<group>"; };
 		D227889DF327E7D3532FE00B /* Pods-Santa.debug.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-Santa.debug.xcconfig"; path = "Pods/Target Support Files/Pods-Santa/Pods-Santa.debug.xcconfig"; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 
@@ -738,6 +742,8 @@
 				0D8E18CC19107B56000F89B8 /* SNTDaemonControlController.m */,
 				0D63DD5A1906FCB400D346C4 /* SNTDatabaseController.h */,
 				0D63DD5B1906FCB400D346C4 /* SNTDatabaseController.m */,
+				C795ED8E1D80A5BE007CFF42 /* SNTPolicyProcessor.h */,
+				C795ED8F1D80A5BE007CFF42 /* SNTPolicyProcessor.m */,
 				0D7D01851774F93A005DBAB4 /* SNTDriverManager.h */,
 				0D7D01861774F93A005DBAB4 /* SNTDriverManager.m */,
 				0D536ED91B94E9230039A26D /* SNTEventLog.h */,
@@ -1305,6 +1311,7 @@
 				0D202D1A1CDD464B00A88F16 /* SNTCommandSyncPreflight.m in Sources */,
 				0D10BE891A0AAF6700C0C944 /* SNTDropRootPrivs.m in Sources */,
 				0DEFB7C61ACDE5F600B92AAE /* SNTFileWatcher.m in Sources */,
+				C795ED911D80B66B007CFF42 /* SNTPolicyProcessor.m in Sources */,
 				C72E8D941D7F399900C86DD3 /* SNTCommandFileInfoTest.m in Sources */,
 				0DEFB7C81ACF0BFE00B92AAE /* SNTFileWatcherTest.m in Sources */,
 				0D28D53819D9F5910015C5EB /* SNTConfigurator.m in Sources */,
@@ -1421,6 +1428,7 @@
 				0D37C10F18F6029A0069BC61 /* SNTDatabaseTable.m in Sources */,
 				0D42D2B819D2042900955F08 /* SNTConfigurator.m in Sources */,
 				0DCD605519115D17006B445C /* SNTXPCControlInterface.m in Sources */,
+				C795ED901D80A5BE007CFF42 /* SNTPolicyProcessor.m in Sources */,
 				0D536EDB1B94E9230039A26D /* SNTEventLog.m in Sources */,
 				0DCD604F19115A06006B445C /* SNTXPCNotifierInterface.m in Sources */,
 				0DE5B54B1C926E3300C00603 /* SNTNotificationQueue.m in Sources */,

diff --git a/Source/common/SNTCommonEnums.h b/Source/common/SNTCommonEnums.h
@@ -41,19 +41,25 @@ typedef NS_ENUM(NSInteger, SNTClientMode) {
 };
 
 typedef NS_ENUM(NSInteger, SNTEventState) {
-  SNTEventStateUnknown,
+  // Bits 0-15 bits store non-decision types
+  SNTEventStateUnknown = 0,
+  SNTEventStateBundleBinary = 1,
 
-  SNTEventStateAllowUnknown = 1,
-  SNTEventStateAllowBinary = 2,
-  SNTEventStateAllowCertificate = 3,
-  SNTEventStateAllowScope = 4,
+  // Bits 16-23 store deny decision types
+  SNTEventStateBlockUnknown = 1 << 16,
+  SNTEventStateBlockBinary = 1 << 17,
+  SNTEventStateBlockCertificate = 1 << 18,
+  SNTEventStateBlockScope = 1 << 19,
 
-  SNTEventStateBlockUnknown = 5,
-  SNTEventStateBlockBinary = 6,
-  SNTEventStateBlockCertificate = 7,
-  SNTEventStateBlockScope = 8,
+  // Bits 24-31 store allow decision types
+  SNTEventStateAllowUnknown = 1 << 24,
+  SNTEventStateAllowBinary = 1 << 25,
+  SNTEventStateAllowCertificate = 1 << 26,
+  SNTEventStateAllowScope = 1 << 27,
 
-  SNTEventStateBundleBinary = 9,
+  // Block and Allow masks
+  SNTEventStateBlock = 0xFF << 16,
+  SNTEventStateAllow = 0xFF << 24
 };
 
 typedef NS_ENUM(NSInteger, SNTRuleTableError) {

diff --git a/Source/common/SNTKernelCommon.h b/Source/common/SNTKernelCommon.h
@@ -28,6 +28,10 @@
 #define USERCLIENT_CLASS "com_google_SantaDriver"
 #define USERCLIENT_ID "com.google.santa-driver"
 
+// Branch prediction
+#define likely(x)   __builtin_expect((x), 1)
+#define unlikely(x) __builtin_expect((x), 0)
+
 // List of methods supported by the driver.
 enum SantaDriverMethods {
   kSantaUserClientOpen,

diff --git a/Source/common/SNTXPCControlInterface.h b/Source/common/SNTXPCControlInterface.h
@@ -12,6 +12,9 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <MOLCertificate/MOLCertificate.h>
+
+#import "SNTCachedDecision.h"
 #import "SNTCommonEnums.h"
 #import "SNTKernelCommon.h"
 
@@ -46,6 +49,22 @@
 - (void)databaseRuleForBinarySHA256:(NSString *)binarySHA256
                   certificateSHA256:(NSString *)certificateSHA256
                               reply:(void (^)(SNTRule *))reply;
+///
+///  Decision ops
+///
+
+///
+///  @param filePath A Path to the file, can be nil.
+///  @param fileSHA256 The pre-calculated SHA256 hash for the file, can be nil. If nil the hash will
+///                    be calculated by this method from the filePath.
+///  @param signingCertificate A MOLCertificate object, can be nil.
+///  @note If fileInfo and signingCertificate are both passed in, the most specific rule will be
+///        returned. Binary rules take precedence over cert rules.
+///
+- (void)decisionForFilePath:(NSString *)filePath
+                 fileSHA256:(NSString *)fileSHA256
+         signingCertificate:(MOLCertificate *)signingCertificate
+                      reply:(void (^)(SNTEventState))reply;
 
 ///
 ///  Config ops

diff --git a/Source/santa-driver/SantaCache.h b/Source/santa-driver/SantaCache.h
@@ -22,9 +22,6 @@
 
 #include "SNTKernelCommon.h"
 
-#define likely(x)   __builtin_expect((x), 1)
-#define unlikely(x) __builtin_expect((x), 0)
-
 #ifdef KERNEL
 #include <IOKit/IOLib.h>
 #else // KERNEL

diff --git a/Source/santactl/Commands/SNTCommandFileInfo.m b/Source/santactl/Commands/SNTCommandFileInfo.m
@@ -14,11 +14,12 @@
 
 #import "SNTCommandController.h"
 
-#include "SNTLogging.h"
+#import <MOLCertificate/MOLCertificate.h>
+#import <MOLCodesignChecker/MOLCodesignChecker.h>
 
-#import "MOLCertificate.h"
-#import "MOLCodesignChecker.h"
+#import "SNTCachedDecision.h"
 #import "SNTFileInfo.h"
+#import "SNTLogging.h"
 #import "SNTRule.h"
 #import "SNTXPCConnection.h"
 #import "SNTXPCControlInterface.h"
@@ -261,51 +262,60 @@ - (SNTAttributeBlock)codeSigned {
 
 - (SNTAttributeBlock)rule {
   return ^id (SNTCommandFileInfo *fi) {
-    __block SNTRule *r;
-    dispatch_group_t group = dispatch_group_create();
+    __block SNTEventState s;
     static dispatch_once_t onceToken;
     dispatch_once(&onceToken, ^{
       [fi.daemonConn resume];
     });
-    dispatch_group_enter(group);
+    dispatch_semaphore_t sema = dispatch_semaphore_create(0);
     if (!fi.csc) {
       NSError *error;
       fi.csc = [[MOLCodesignChecker alloc] initWithBinaryPath:fi.filePath error:&error];
     }
-    NSString *leafCertSHA = [[fi.csc.certificates firstObject] SHA256];
-    [[fi.daemonConn remoteObjectProxy] databaseRuleForBinarySHA256:fi.fileInfo.SHA256
-                                                 certificateSHA256:leafCertSHA
-                                                             reply:^(SNTRule *rule) {
-      if (rule) r = rule;
-      dispatch_group_leave(group);
+    [[fi.daemonConn remoteObjectProxy] decisionForFilePath:fi.filePath
+                                                fileSHA256:fi.propertyMap[kSHA256](fi)
+                                        signingCertificate:fi.csc.leafCertificate
+                                                     reply:^(SNTEventState state) {
+      if (state) s = state;
+      dispatch_semaphore_signal(sema);
     }];
-    if (dispatch_group_wait(group, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC))) {
+    if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC))) {
       return @"Cannot communicate with daemon";
     } else {
-      NSString *output;
-      switch (r.state) {
-        case SNTRuleStateWhitelist:
-          output = @"Whitelisted";
-          if (isatty(STDOUT_FILENO) && !fi.jsonOutput) {
-            output = @"\033[32mWhitelisted\033[0m";
-          }
-          return output;
+      NSMutableString *output =
+          (SNTEventStateAllow & s) ? @"Whitelisted".mutableCopy : @"Blacklisted".mutableCopy;
+      switch (s) {
+        case SNTEventStateAllowUnknown:
+        case SNTEventStateBlockUnknown:
+          [output appendString:@" (Unknown)"];
           break;
-        case SNTRuleStateBlacklist:
-        case SNTRuleStateSilentBlacklist:
-          output = @"Blacklisted";
-          if (isatty(STDOUT_FILENO) && !fi.jsonOutput) {
-            output = @"\033[31mBlacklisted\033[0m";
-          }
-          return output;
+        case SNTEventStateAllowBinary:
+        case SNTEventStateBlockBinary:
+          [output appendString:@" (Binary)"];
+          break;
+        case SNTEventStateAllowCertificate:
+        case SNTEventStateBlockCertificate:
+          [output appendString:@" (Certificate)"];
+          break;
+        case SNTEventStateAllowScope:
+        case SNTEventStateBlockScope:
+          [output appendString:@" (Scope)"];
           break;
         default:
-          output = @"None";
-          if (isatty(STDOUT_FILENO) && !fi.jsonOutput) {
-            output = @"\033[33mNone\033[0m";
-          }
-          return output;
+          output = @"None".mutableCopy;
+          break;
+      }
+      if ((SNTEventStateAllow & s) && isatty(STDOUT_FILENO) && !fi.jsonOutput) {
+        [output insertString:@"\033[32m" atIndex:0];
+        [output appendString:@"\033[0m"];
+      } else if ((SNTEventStateBlock & s) && isatty(STDOUT_FILENO) && !fi.jsonOutput) {
+        [output insertString:@"\033[31m" atIndex:0];
+        [output appendString:@"\033[0m"];
+      } else if (isatty(STDOUT_FILENO) && !fi.jsonOutput) {
+        [output insertString:@"\033[33m" atIndex:0];
+        [output appendString:@"\033[0m"];
       }
+      return output.copy;
     }
   };
 }

diff --git a/Source/santad/SNTDaemonControlController.m b/Source/santad/SNTDaemonControlController.m
@@ -14,13 +14,15 @@
 
 #import "SNTDaemonControlController.h"
 
+#import "SNTCachedDecision.h"
 #import "SNTConfigurator.h"
 #import "SNTDatabaseController.h"
 #import "SNTDriverManager.h"
 #import "SNTDropRootPrivs.h"
 #import "SNTEventTable.h"
 #import "SNTLogging.h"
 #import "SNTNotificationQueue.h"
+#import "SNTPolicyProcessor.h"
 #import "SNTRule.h"
 #import "SNTRuleTable.h"
 #import "SNTXPCConnection.h"
@@ -35,6 +37,7 @@
 @interface SNTDaemonControlController ()
 @property NSString *_syncXsrfToken;
 @property dispatch_source_t syncTimer;
+@property SNTPolicyProcessor *policyProcessor;
 @end
 
 @implementation SNTDaemonControlController
@@ -44,6 +47,8 @@ - (instancetype)init {
   if (self) {
     _syncTimer = [self createSyncTimer];
     [self rescheduleSyncSecondsFromNow:30];
+    _policyProcessor = [[SNTPolicyProcessor alloc] initWithRuleTable:
+                           [SNTDatabaseController ruleTable]];
   }
   return self;
 }
@@ -141,6 +146,17 @@ - (void)databaseRuleForBinarySHA256:(NSString *)binarySHA256
                                              certificateSHA256:certificateSHA256]);
 }
 
+#pragma mark Decision Ops
+
+- (void)decisionForFilePath:(NSString *)filePath
+                 fileSHA256:(NSString *)fileSHA256
+         signingCertificate:(MOLCertificate *)signingCertificate
+                      reply:(void (^)(SNTEventState))reply {
+  reply([self.policyProcessor decisionForFilePath:filePath
+                                       fileSHA256:fileSHA256
+                               signingCertificate:signingCertificate].decision);
+}
+
 #pragma mark Config Ops
 
 - (void)clientMode:(void (^)(SNTClientMode))reply {

diff --git a/Source/santad/SNTExecutionController.h b/Source/santad/SNTExecutionController.h
@@ -23,10 +23,8 @@
 @class SNTRuleTable;
 
 ///
-///  SNTExecutionController is responsible for everything that happens when a request to execute
-///  a binary occurs:
-///    + Making a decision about whether to allow or deny this binary based on any existing rules
-///      for that specific binary, its signing certificate and the operating mode of santad.
+///  SNTExecutionController is responsible for handling binary execution requests:
+///    + Uses SNTPolicyProcessor to make a decision about whether to allow or deny the binary.
 ///    + Sending the decision to the kernel as soon as possible
 ///    + (If denied or unknown) Storing details about the execution event to the database
 ///      for upload and spwaning santactl to quickly try and send that to the server.