Merge branch 'main' into fix-tests-again

google · Nov 11, 2021 · d735f6e · d735f6e
2 parents 7031d9a + c268ad4
commit d735f6e
Show file tree

Hide file tree

Showing 11 changed files with 54 additions and 76 deletions.
diff --git a/Source/santad/BUILD b/Source/santad/BUILD
@@ -125,36 +125,14 @@ macos_bundle(
 santa_unit_test(
     name = "SNTExecutionControllerTest",
     srcs = [
-        "DataLayer/SNTDatabaseTable.h",
-        "DataLayer/SNTDatabaseTable.m",
-        "DataLayer/SNTEventTable.h",
-        "DataLayer/SNTEventTable.m",
-        "DataLayer/SNTRuleTable.h",
-        "DataLayer/SNTRuleTable.m",
-        "EventProviders/SNTDriverManager.h",
-        "EventProviders/SNTDriverManager.m",
-        "EventProviders/SNTEndpointSecurityManager.h",
-        "EventProviders/SNTEndpointSecurityManager.mm",
-        "EventProviders/SNTEventProvider.h",
-        "Logs/SNTEventLog.h",
-        "Logs/SNTEventLog.m",
-        "SNTDatabaseController.h",
-        "SNTDatabaseController.m",
-        "SNTExecutionController.h",
-        "SNTExecutionController.m",
         "SNTExecutionControllerTest.m",
-        "SNTNotificationQueue.h",
-        "SNTNotificationQueue.m",
-        "SNTPolicyProcessor.h",
-        "SNTPolicyProcessor.m",
-        "SNTSyncdQueue.h",
-        "SNTSyncdQueue.m",
     ],
     sdk_dylibs = [
         "EndpointSecurity",
         "bsm",
     ],
     deps = [
+        ":santad_lib",
         "//Source/common:SNTBlockMessage",
         "//Source/common:SNTCachedDecision",
         "//Source/common:SNTCommonEnums",

diff --git a/Source/santad/Logs/SNTEventLog.h b/Source/santad/Logs/SNTEventLog.h
@@ -14,15 +14,20 @@
 
 #import <Foundation/Foundation.h>
 
-#import "Source/common/SNTKernelCommon.h"
+#include "Source/common/SNTKernelCommon.h"
 
 @class SNTCachedDecision;
 @class SNTStoredEvent;
 
 ///
-///  Logs execution and file write events to syslog
+///  Abstract interface for logging execution and file write events to syslog
 ///
 @interface SNTEventLog : NSObject
+
+// Getter for a singleton SNTEventLog object.
+// Determines which type of SNTEventLog to use based on [SNTConfigurator eventLogType].
++ (instancetype)logger;
+
 // Methods implemented by a concrete subclass.
 - (void)logDiskAppeared:(NSDictionary *)diskProperties;
 - (void)logDiskDisappeared:(NSDictionary *)diskProperties;
@@ -34,7 +39,7 @@
 - (void)logExit:(santa_message_t)message;
 - (void)writeLog:(NSString *)log;
 
-// Methods for storing, retrieving, and removing cached decisions.
+// Methods for storing, retrieving, and removing cached decisions.
 - (void)cacheDecision:(SNTCachedDecision *)cd;
 - (SNTCachedDecision *)cachedDecisionForMessage:(santa_message_t)message;
 - (void)forgetCachedDecisionForVnodeId:(santa_vnode_id_t)vnodeId;

diff --git a/Source/santad/Logs/SNTEventLog.m b/Source/santad/Logs/SNTEventLog.m
@@ -11,7 +11,6 @@
 ///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
-
 #import "Source/santad/Logs/SNTEventLog.h"
 
 #include <dlfcn.h>
@@ -25,6 +24,9 @@
 #import "Source/santad/DataLayer/SNTRuleTable.h"
 #import "Source/santad/SNTDatabaseController.h"
 
+#import "Source/santad/Logs/SNTFileEventLog.h"
+#import "Source/santad/Logs/SNTSyslogEventLog.h"
+
 @interface SNTEventLog ()
 @property NSMutableDictionary<NSNumber *, SNTCachedDecision *> *detailStore;
 @property dispatch_queue_t detailStoreQueue;
@@ -418,4 +420,22 @@ - (NSString *)originalPathForTranslocation:(santa_message_t)message {
   return [origURL path];  // this will be nil if there was an error
 }
 
++ (instancetype)logger {
+  static SNTEventLog *logger;
+  static dispatch_once_t onceToken;
+  dispatch_once(&onceToken, ^{
+    switch ([[SNTConfigurator configurator] eventLogType]) {
+      case SNTEventLogTypeSyslog: {
+        logger = [[SNTSyslogEventLog alloc] init];
+        break;
+      }
+      case SNTEventLogTypeFilelog: {
+        logger = [[SNTFileEventLog alloc] init];
+        break;
+      }
+      default: logger = nil;
+    }
+  });
+  return logger;
+}
 @end
diff --git a/Source/santad/SNTApplication.m b/Source/santad/SNTApplication.m
@@ -33,8 +33,7 @@
 #import "Source/santad/EventProviders/SNTDriverManager.h"
 #import "Source/santad/EventProviders/SNTEndpointSecurityManager.h"
 #import "Source/santad/EventProviders/SNTEventProvider.h"
-#import "Source/santad/Logs/SNTFileEventLog.h"
-#import "Source/santad/Logs/SNTSyslogEventLog.h"
+#import "Source/santad/Logs/SNTEventLog.h"
 #import "Source/santad/SNTCompilerController.h"
 #import "Source/santad/SNTDaemonControlController.h"
 #import "Source/santad/SNTDatabaseController.h"
@@ -45,7 +44,6 @@
 @interface SNTApplication ()
 @property DASessionRef diskArbSession;
 @property id<SNTEventProvider> eventProvider;
-@property SNTEventLog *eventLog;
 @property SNTExecutionController *execController;
 @property SNTCompilerController *compilerController;
 @property MOLXPCConnection *controlConnection;
@@ -94,11 +92,6 @@ - (instancetype)init {
       return nil;
     }
 
-    switch ([configurator eventLogType]) {
-      case SNTEventLogTypeSyslog: _eventLog = [[SNTSyslogEventLog alloc] init]; break;
-      case SNTEventLogTypeFilelog: _eventLog = [[SNTFileEventLog alloc] init]; break;
-    }
-
     dispatch_async(dispatch_get_global_queue(QOS_CLASS_BACKGROUND, 0), ^{
       // The filter is reset when santad disconnects from the driver.
       // Add the default filters.
@@ -154,8 +147,7 @@ - (instancetype)init {
     SNTDaemonControlController *dc =
       [[SNTDaemonControlController alloc] initWithEventProvider:_eventProvider
                                               notificationQueue:self.notQueue
-                                                     syncdQueue:syncdQueue
-                                                       eventLog:_eventLog];
+                                                     syncdQueue:syncdQueue];
 
     _controlConnection =
       [[MOLXPCConnection alloc] initServerWithName:[SNTXPCControlInterface serviceID]];
@@ -166,16 +158,14 @@ - (instancetype)init {
     [_controlConnection resume];
 
     // Initialize the transitive whitelisting controller object.
-    _compilerController = [[SNTCompilerController alloc] initWithEventProvider:_eventProvider
-                                                                      eventLog:_eventLog];
+    _compilerController = [[SNTCompilerController alloc] initWithEventProvider:_eventProvider];
 
     // Initialize the binary checker object
     _execController = [[SNTExecutionController alloc] initWithEventProvider:_eventProvider
                                                                   ruleTable:ruleTable
                                                                  eventTable:eventTable
                                                               notifierQueue:self.notQueue
-                                                                 syncdQueue:syncdQueue
-                                                                   eventLog:_eventLog];
+                                                                 syncdQueue:syncdQueue];
     // Start up santactl as a daemon if a sync server exists.
     [self startSyncd];
 
@@ -234,16 +224,16 @@ - (void)beginListeningForLogRequests {
         NSString *path = @(message.path);
         if (!path) break;
         if ([re numberOfMatchesInString:path options:0 range:NSMakeRange(0, path.length)]) {
-          [self->_eventLog logFileModification:message];
+          [[SNTEventLog logger] logFileModification:message];
         }
         break;
       }
       case ACTION_NOTIFY_EXEC: {
-        [self->_eventLog logAllowedExecution:message];
+        [[SNTEventLog logger] logAllowedExecution:message];
         break;
       }
-      case ACTION_NOTIFY_FORK: [self->_eventLog logFork:message]; break;
-      case ACTION_NOTIFY_EXIT: [self->_eventLog logExit:message]; break;
+      case ACTION_NOTIFY_FORK: [[SNTEventLog logger] logFork:message]; break;
+      case ACTION_NOTIFY_EXIT: [[SNTEventLog logger] logExit:message]; break;
       default: LOGE(@"Received log request without a valid action: %d", message.action); break;
     }
   }];
@@ -265,27 +255,25 @@ - (void)beginListeningForDiskMounts {
 }
 
 void diskAppearedCallback(DADiskRef disk, void *context) {
-  SNTApplication *app = (__bridge SNTApplication *)context;
   NSDictionary *props = CFBridgingRelease(DADiskCopyDescription(disk));
   if (![props[@"DAVolumeMountable"] boolValue]) return;
 
-  [app.eventLog logDiskAppeared:props];
+  [[SNTEventLog logger] logDiskAppeared:props];
 }
 
 void diskDescriptionChangedCallback(DADiskRef disk, CFArrayRef keys, void *context) {
-  SNTApplication *app = (__bridge SNTApplication *)context;
   NSDictionary *props = CFBridgingRelease(DADiskCopyDescription(disk));
   if (![props[@"DAVolumeMountable"] boolValue]) return;
 
-  if (props[@"DAVolumePath"]) [app.eventLog logDiskAppeared:props];
+  if (props[@"DAVolumePath"]) [[SNTEventLog logger] logDiskAppeared:props];
 }
 
 void diskDisappearedCallback(DADiskRef disk, void *context) {
   SNTApplication *app = (__bridge SNTApplication *)context;
   NSDictionary *props = CFBridgingRelease(DADiskCopyDescription(disk));
   if (![props[@"DAVolumeMountable"] boolValue]) return;
 
-  [app.eventLog logDiskDisappeared:props];
+  [[SNTEventLog logger] logDiskDisappeared:props];
   [app.eventProvider flushCacheNonRootOnly:YES];
 }
 

diff --git a/Source/santad/SNTCompilerController.h b/Source/santad/SNTCompilerController.h
@@ -23,8 +23,7 @@
 // Designated initializer takes a SNTEventLog instance so that we can
 // call saveDecisionDetails: to create a fake cached decision for transitive
 // rule creation requests that are still pending.
-- (instancetype)initWithEventProvider:(SNTDriverManager *)driverManager
-                             eventLog:(SNTEventLog *)eventLog;
+- (instancetype)initWithEventProvider:(SNTDriverManager *)driverManager;
 
 // Whenever an executable file is closed or renamed whitelist the resulting file.
 // We assume that we have already determined that the writing process was a compiler.

diff --git a/Source/santad/SNTCompilerController.m b/Source/santad/SNTCompilerController.m
@@ -27,17 +27,14 @@
 
 @interface SNTCompilerController ()
 @property id<SNTEventProvider> eventProvider;
-@property SNTEventLog *eventLog;
 @end
 
 @implementation SNTCompilerController
 
-- (instancetype)initWithEventProvider:(id<SNTEventProvider>)eventProvider
-                             eventLog:(SNTEventLog *)eventLog {
+- (instancetype)initWithEventProvider:(id<SNTEventProvider>)eventProvider {
   self = [super init];
   if (self) {
     _eventProvider = eventProvider;
-    _eventLog = eventLog;
   }
   return self;
 }
@@ -50,11 +47,11 @@ - (void)saveFakeDecision:(santa_message_t)message {
   cd.decision = SNTEventStateAllowPendingTransitive;
   cd.vnodeId = message.vnode_id;
   cd.sha256 = @"pending";
-  [self.eventLog cacheDecision:cd];
+  [[SNTEventLog logger] cacheDecision:cd];
 }
 
 - (void)removeFakeDecision:(santa_message_t)message {
-  [self.eventLog forgetCachedDecisionForVnodeId:message.vnode_id];
+  [[SNTEventLog logger] forgetCachedDecisionForVnodeId:message.vnode_id];
 }
 
 // Assume that this method is called only when we already know that the writing process is a
@@ -84,7 +81,7 @@ - (void)createTransitiveRule:(santa_message_t)message {
       if (![ruleTable addRules:@[ rule ] cleanSlate:NO error:&err]) {
         LOGE(@"unable to add new transitive rule to database: %@", err.localizedDescription);
       } else {
-        [self.eventLog
+        [[SNTEventLog logger]
           writeLog:[NSString
                      stringWithFormat:@"action=ALLOWLIST|pid=%d|pidversion=%d|path=%s|sha256=%@",
                                       message.pid, message.pidversion, target, fi.SHA256]];

diff --git a/Source/santad/SNTDaemonControlController.h b/Source/santad/SNTDaemonControlController.h
@@ -28,6 +28,5 @@
 
 - (instancetype)initWithEventProvider:(SNTDriverManager *)driverManager
                     notificationQueue:(SNTNotificationQueue *)notQueue
-                           syncdQueue:(SNTSyncdQueue *)syncdQueue
-                             eventLog:(SNTEventLog *)eventLog;
+                           syncdQueue:(SNTSyncdQueue *)syncdQueue;
 @end
diff --git a/Source/santad/SNTDaemonControlController.m b/Source/santad/SNTDaemonControlController.m
@@ -44,7 +44,6 @@
 @interface SNTDaemonControlController ()
 @property NSString *_syncXsrfToken;
 @property SNTPolicyProcessor *policyProcessor;
-@property SNTEventLog *eventLog;
 @property id<SNTEventProvider> eventProvider;
 @property SNTNotificationQueue *notQueue;
 @property SNTSyncdQueue *syncdQueue;
@@ -54,16 +53,14 @@ @implementation SNTDaemonControlController
 
 - (instancetype)initWithEventProvider:(id<SNTEventProvider>)eventProvider
                     notificationQueue:(SNTNotificationQueue *)notQueue
-                           syncdQueue:(SNTSyncdQueue *)syncdQueue
-                             eventLog:(SNTEventLog *)eventLog {
+                           syncdQueue:(SNTSyncdQueue *)syncdQueue {
   self = [super init];
   if (self) {
     _policyProcessor =
       [[SNTPolicyProcessor alloc] initWithRuleTable:[SNTDatabaseController ruleTable]];
     _eventProvider = eventProvider;
     _notQueue = notQueue;
     _syncdQueue = syncdQueue;
-    _eventLog = eventLog;
   }
   return self;
 }
@@ -303,7 +300,7 @@ - (void)syncBundleEvent:(SNTStoredEvent *)event relatedEvents:(NSArray<SNTStored
   [eventTable addStoredEvent:event];
 
   // Log all of the generated bundle events.
-  [self.eventLog logBundleHashingEvents:events];
+  [[SNTEventLog logger] logBundleHashingEvents:events];
 
   WEAKIFY(self);
 

diff --git a/Source/santad/SNTExecutionController.h b/Source/santad/SNTExecutionController.h
@@ -40,8 +40,7 @@
                             ruleTable:(SNTRuleTable *)ruleTable
                            eventTable:(SNTEventTable *)eventTable
                         notifierQueue:(SNTNotificationQueue *)notifierQueue
-                           syncdQueue:(SNTSyncdQueue *)syncdQueue
-                             eventLog:(SNTEventLog *)eventLog;
+                           syncdQueue:(SNTSyncdQueue *)syncdQueue;
 
 ///
 ///  Handles the logic of deciding whether to allow the binary to run or not, sends the response to

diff --git a/Source/santad/SNTExecutionController.m b/Source/santad/SNTExecutionController.m
@@ -46,7 +46,6 @@
 
 @interface SNTExecutionController ()
 @property id<SNTEventProvider> eventProvider;
-@property SNTEventLog *eventLog;
 @property SNTEventTable *eventTable;
 @property SNTNotificationQueue *notifierQueue;
 @property SNTPolicyProcessor *policyProcessor;
@@ -64,16 +63,14 @@ - (instancetype)initWithEventProvider:(id<SNTEventProvider>)eventProvider
                             ruleTable:(SNTRuleTable *)ruleTable
                            eventTable:(SNTEventTable *)eventTable
                         notifierQueue:(SNTNotificationQueue *)notifierQueue
-                           syncdQueue:(SNTSyncdQueue *)syncdQueue
-                             eventLog:(SNTEventLog *)eventLog {
+                           syncdQueue:(SNTSyncdQueue *)syncdQueue {
   self = [super init];
   if (self) {
     _eventProvider = eventProvider;
     _ruleTable = ruleTable;
     _eventTable = eventTable;
     _notifierQueue = notifierQueue;
     _syncdQueue = syncdQueue;
-    _eventLog = eventLog;
     _policyProcessor = [[SNTPolicyProcessor alloc] initWithRuleTable:_ruleTable];
 
     _eventQueue = dispatch_queue_create("com.google.santad.event_upload", DISPATCH_QUEUE_SERIAL);
@@ -128,7 +125,7 @@ - (void)validateBinaryWithMessage:(santa_message_t)message {
   // ACTION_NOTIFY_EXEC message related to the transitive rule is received.
   NSString *ttyPath;
   if (action == ACTION_RESPOND_ALLOW) {
-    [_eventLog cacheDecision:cd];
+    [[SNTEventLog logger] cacheDecision:cd];
   } else {
     ttyPath = [self ttyPathForPID:message.ppid];
   }
@@ -188,7 +185,7 @@ - (void)validateBinaryWithMessage:(santa_message_t)message {
 
     // If binary was blocked, do the needful
     if (action != ACTION_RESPOND_ALLOW && action != ACTION_RESPOND_ALLOW_COMPILER) {
-      [_eventLog logDeniedExecution:cd withMessage:message];
+      [[SNTEventLog logger] logDeniedExecution:cd withMessage:message];
 
       if ([[SNTConfigurator configurator] enableBundles] && binInfo.bundle) {
         // If the binary is part of a bundle, find and hash all the related binaries in the bundle.

diff --git a/Source/santad/SNTExecutionControllerTest.m b/Source/santad/SNTExecutionControllerTest.m
@@ -69,8 +69,7 @@ - (void)setUp {
                                                          ruleTable:self.mockRuleDatabase
                                                         eventTable:self.mockEventDatabase
                                                      notifierQueue:nil
-                                                        syncdQueue:nil
-                                                          eventLog:nil];
+                                                        syncdQueue:nil];
 }
 
 ///  Return a pre-configured santa_message_ t for testing with.