Merge a9acfbd into 10ccee9

google · Nov 29, 2021 · afaad9d · afaad9d
2 parents 10ccee9 + a9acfbd
commit afaad9d
Show file tree

Hide file tree

Showing 22 changed files with 719 additions and 104 deletions.
diff --git a/BUILD b/BUILD
@@ -239,6 +239,7 @@ test_suite(
         "//Source/santactl:SNTCommandSyncTest",
         "//Source/santad:SNTApplicationCoreMetricsTest",
         "//Source/santad:SNTApplicationTest",
+        "//Source/santad:SNTDeviceManagerTest",
         "//Source/santad:SNTEndpointSecurityManagerTest",
         "//Source/santad:SNTEventTableTest",
         "//Source/santad:SNTExecutionControllerTest",

diff --git a/Source/common/SNTConfigurator.h b/Source/common/SNTConfigurator.h
@@ -274,6 +274,23 @@
 ///
 @property(nonatomic) BOOL syncCleanRequired;
 
+///
+/// USB Mount Blocking. Defaults to false.
+///
+@property(nonatomic) BOOL blockUSBMount;
+
+///
+/// Comma-seperated `$ mount -o` arguments used for forced remounting of USB devices. Default
+/// to fully allow/deny without remounting if unset.
+///
+@property(nonatomic) NSArray<NSString *> *remountUSBMode;
+
+///
+/// When `blockUSBMount` is set, this is the message shown to the user when a device is blocked
+/// If this message is not configured, a reasonable default is provided.
+///
+@property(readonly, nonatomic) NSString *usbBlockMessage;
+
 ///
 ///  If set, this over-rides the default machine ID used for syncing.
 ///

diff --git a/Source/common/SNTConfigurator.m b/Source/common/SNTConfigurator.m
@@ -95,6 +95,8 @@ @implementation SNTConfigurator
 
 // The keys managed by a sync server or mobileconfig.
 static NSString *const kClientModeKey = @"ClientMode";
+static NSString *const kBlockUSBMountKey = @"BlockUSBMount";
+static NSString *const kRemountUSBModeKey = @"RemountUSBMode";
 static NSString *const kEnableTransitiveRulesKey = @"EnableTransitiveRules";
 static NSString *const kEnableTransitiveRulesKeyDeprecated = @"EnableTransitiveWhitelisting";
 static NSString *const kAllowedPathRegexKey = @"AllowedPathRegex";
@@ -131,6 +133,8 @@ - (instancetype)init {
       kAllowedPathRegexKeyDeprecated : re,
       kBlockedPathRegexKey : re,
       kBlockedPathRegexKeyDeprecated : re,
+      kBlockUSBMountKey : number,
+      kRemountUSBModeKey : array,
       kFullSyncLastSuccess : date,
       kRuleSyncLastSuccess : date,
       kSyncCleanRequired : number
@@ -145,6 +149,8 @@ - (instancetype)init {
       kAllowedPathRegexKeyDeprecated : re,
       kBlockedPathRegexKey : re,
       kBlockedPathRegexKeyDeprecated : re,
+      kBlockUSBMountKey : number,
+      kRemountUSBModeKey : array,
       kEnablePageZeroProtectionKey : number,
       kEnableBadSignatureProtectionKey : number,
       kAboutText : string,
@@ -399,6 +405,14 @@ + (NSSet *)keyPathsForValuesAffectingEnableBadSignatureProtection {
   return [self configStateSet];
 }
 
++ (NSSet *)keyPathsForValuesAffectingBlockUSBMount {
+  return [self configStateSet];
+}
+
++ (NSSet *)keyPathsForValuesAffectingRemountUSBMode {
+  return [self configStateSet];
+}
+
 #pragma mark Public Interface
 
 - (SNTClientMode)clientMode {
@@ -486,6 +500,20 @@ - (NSArray *)fileChangesPrefixFilters {
   return filters;
 }
 
+- (void)setRemountUSBMode:(NSArray<NSString *> *)args {
+  [self updateSyncStateForKey:kRemountUSBModeKey value:args];
+}
+
+- (NSArray<NSString *> *)remountUSBMode {
+  NSArray<NSString *> *args = self.configState[kRemountUSBModeKey];
+  for (id arg in args) {
+    if (![arg isKindOfClass:[NSString class]]) {
+      return nil;
+    }
+  }
+  return args;
+}
+
 - (NSURL *)syncBaseURL {
   NSString *urlString = self.configState[kSyncBaseURLKey];
   if (![urlString hasSuffix:@"/"]) urlString = [urlString stringByAppendingString:@"/"];
@@ -679,6 +707,15 @@ - (BOOL)fcmEnabled {
   return (self.fcmProject.length && self.fcmEntity.length && self.fcmAPIKey.length);
 }
 
+- (void)setBlockUSBMount:(BOOL)enabled {
+  [self updateSyncStateForKey:kBlockUSBMountKey value:@(enabled)];
+}
+
+- (BOOL)blockUSBMount {
+  NSNumber *number = self.configState[kBlockUSBMountKey];
+  return number ? [number boolValue] : NO;
+}
+
 ///
 /// Returns YES if all of the necessary options are set to export metrics, NO
 /// otherwise.

diff --git a/Source/common/SNTXPCControlInterface.h b/Source/common/SNTXPCControlInterface.h
@@ -47,6 +47,8 @@
 - (void)setSyncCleanRequired:(BOOL)cleanReqd reply:(void (^)(void))reply;
 - (void)setAllowedPathRegex:(NSString *)pattern reply:(void (^)(void))reply;
 - (void)setBlockedPathRegex:(NSString *)pattern reply:(void (^)(void))reply;
+- (void)setBlockUSBMount:(BOOL)enabled reply:(void (^)(void))reply;
+- (void)setRemountUSBMode:(NSArray *)remountUSBMode reply:(void (^)(void))reply;
 - (void)setEnableBundles:(BOOL)bundlesEnabled reply:(void (^)(void))reply;
 - (void)setEnableTransitiveRules:(BOOL)enabled reply:(void (^)(void))reply;
 

diff --git a/Source/santactl/Commands/sync/SNTCommandSyncConstants.h b/Source/santactl/Commands/sync/SNTCommandSyncConstants.h
@@ -28,6 +28,8 @@ extern NSString *const kUploadLogsURL;
 extern NSString *const kClientMode;
 extern NSString *const kClientModeMonitor;
 extern NSString *const kClientModeLockdown;
+extern NSString *const kBlockUSBMount;
+extern NSString *const kRemountUSBMode;
 extern NSString *const kCleanSync;
 extern NSString *const kAllowedPathRegex;
 extern NSString *const kAllowedPathRegexDeprecated;

diff --git a/Source/santactl/Commands/sync/SNTCommandSyncConstants.m b/Source/santactl/Commands/sync/SNTCommandSyncConstants.m
@@ -26,6 +26,8 @@
 NSString *const kBatchSize = @"batch_size";
 NSString *const kUploadLogsURL = @"upload_logs_url";
 NSString *const kClientMode = @"client_mode";
+NSString *const kBlockUSBMount = @"block_usb_mount";
+NSString *const kRemountUSBMode = @"remount_usb_mode";
 NSString *const kClientModeMonitor = @"MONITOR";
 NSString *const kClientModeLockdown = @"LOCKDOWN";
 NSString *const kCleanSync = @"clean_sync";

diff --git a/Source/santactl/Commands/sync/SNTCommandSyncPostflight.m b/Source/santactl/Commands/sync/SNTCommandSyncPostflight.m
@@ -60,6 +60,17 @@ - (BOOL)sync {
                                                        reply:replyBlock];
   }
 
+  if (self.syncState.blockUSBMount) {
+    dispatch_group_enter(group);
+    [[self.daemonConn remoteObjectProxy] setBlockUSBMount:self.syncState.blockUSBMount
+                                                    reply:replyBlock];
+  }
+  if (self.syncState.remountUSBMode) {
+    dispatch_group_enter(group);
+    [[self.daemonConn remoteObjectProxy] setRemountUSBMode:self.syncState.remountUSBMode
+                                                     reply:replyBlock];
+  }
+
   // Update last sync success
   dispatch_group_enter(group);
   [[self.daemonConn remoteObjectProxy] setFullSyncLastSuccess:[NSDate date] reply:replyBlock];

diff --git a/Source/santactl/Commands/sync/SNTCommandSyncPreflight.m b/Source/santactl/Commands/sync/SNTCommandSyncPreflight.m
@@ -134,6 +134,14 @@ - (BOOL)sync {
     self.syncState.blocklistRegex = resp[kBlockedPathRegexDeprecated];
   }
 
+  if ([resp[kBlockUSBMount] boolValue]) {
+    self.syncState.blockUSBMount = YES;
+  }
+
+  if ([resp[kRemountUSBMode] isKindOfClass:[NSArray class]]) {
+    self.syncState.remountUSBMode = resp[kRemountUSBMode];
+  }
+
   if ([resp[kCleanSync] boolValue]) {
     LOGD(@"Clean sync requested by server");
     self.syncState.cleanSync = YES;

diff --git a/Source/santactl/Commands/sync/SNTCommandSyncState.h b/Source/santactl/Commands/sync/SNTCommandSyncState.h
@@ -56,6 +56,9 @@
 @property SNTClientMode clientMode;
 @property NSString *allowlistRegex;
 @property NSString *blocklistRegex;
+@property BOOL blockUSBMount;
+// Array of mount args for the forced remounting feature.
+@property NSArray *remountUSBMode;
 
 /// Clean sync flag, if True, all existing rules should be deleted before inserting any new rules.
 @property BOOL cleanSync;

diff --git a/Source/santad/BUILD b/Source/santad/BUILD
@@ -14,6 +14,8 @@ objc_library(
         "DataLayer/SNTRuleTable.m",
         "EventProviders/SNTCachingEndpointSecurityManager.h",
         "EventProviders/SNTCachingEndpointSecurityManager.mm",
+        "EventProviders/SNTDeviceManager.h",
+        "EventProviders/SNTDeviceManager.mm",
         "EventProviders/SNTDriverManager.h",
         "EventProviders/SNTDriverManager.m",
         "EventProviders/SNTEndpointSecurityManager.h",
@@ -99,6 +101,10 @@ objc_library(
         "EndpointSecurity",
         "bsm",
     ],
+    sdk_frameworks = [
+        "DiskArbitration",
+        "IOKit",
+    ],
 )
 
 macos_bundle(
@@ -199,6 +205,7 @@ santa_unit_test(
         "EventProviders/SNTEndpointSecurityManagerTest.mm",
         "EventProviders/SNTEventProvider.h",
     ],
+    minimum_os_version = "10.15",
     sdk_dylibs = [
         "EndpointSecurity",
         "bsm",
@@ -211,6 +218,26 @@ santa_unit_test(
     ],
 )
 
+santa_unit_test(
+    name = "SNTDeviceManagerTest",
+    srcs = [
+        "EventProviders/SNTDeviceManagerTest.mm",
+    ],
+    minimum_os_version = "10.15",
+    sdk_dylibs = [
+        "EndpointSecurity",
+        "bsm",
+    ],
+    deps = [
+        ":EndpointSecurityTestLib",
+        ":santad_lib",
+        "//Source/common:SNTKernelCommon",
+        "//Source/common:SNTPrefixTree",
+        "//Source/common:SantaCache",
+        "@OCMock",
+    ],
+)
+
 santa_unit_test(
     name = "SNTApplicationTest",
     srcs = [

diff --git a/Source/santad/EventProviders/EndpointSecurityTestUtil.h b/Source/santad/EventProviders/EndpointSecurityTestUtil.h
@@ -46,7 +46,7 @@ typedef void (^ESCallback)(ESResponse *_Nonnull);
 @interface MockEndpointSecurity : NSObject
 @property NSMutableArray *_Nonnull subscriptions;
 - (void)reset;
-- (void)registerResponseCallback:(ESCallback _Nonnull)callback;
+- (void)registerResponseCallback:(es_event_type_t)t withCallback:(ESCallback _Nonnull)callback;
 - (void)triggerHandler:(es_message_t *_Nonnull)msg;
 
 ///  Retrieve an initialized singleton MockEndpointSecurity object