santad: add critical system binaries #296
Conversation
| fileSHA256:nil | ||
| certificateSHA256:csInfo.leafCertificate.SHA256]; | ||
| cd.certCommonName = csInfo.leafCertificate.commonName; | ||
| cd.certCommonName = csInfo.leafCertificate.commonName; | ||
| } |
There was a problem hiding this comment.
I think this might be easier to follow if it were structured as
if (!cd) {
// declare csInfo
if (binInfo.isMachO) {
// get csInfo
}
// get cd from policyProcessor
}
instead of having two separate checks for !cd
| cd.certCommonName = csInfo.leafCertificate.commonName; | ||
|
|
||
| bins[binInfo.SHA256] = cd; | ||
| } |
There was a problem hiding this comment.
log error if signing info doesn't match?
| // TODO(tburgin): Add the Santa components to this feature and remove the santadCertSHA rule. | ||
| NSMutableDictionary *bins = [NSMutableDictionary dictionary]; | ||
| for (NSString *path in @[ @"/usr/libexec/trustd" ]) { | ||
| SNTFileInfo *binInfo = [[SNTFileInfo alloc] initWithPath:path]; |
There was a problem hiding this comment.
Does this fail the right way if there's no file at path? I'm guessing csInfo will end up nil and then the call to signingInformationMatches: will return NO?
There was a problem hiding this comment.
Yeah, if csInfo is nil, sending any message to it will return nil.
| @@ -116,21 +116,28 @@ - (void)validateBinaryWithMessage:(santa_message_t)message { | |||
| } | |||
|
|
|||
| // Get codesigning info about the file but only if it's a Mach-O. | |||
| // If the binary is a critical system binary, don't check its signiture. The binary was validated | |||
There was a problem hiding this comment.
typo: signiture -> signature
| // TODO(tburgin): Add the Santa components to this feature and remove the santadCertSHA rule. | ||
| NSMutableDictionary *bins = [NSMutableDictionary dictionary]; | ||
| for (NSString *path in @[ @"/usr/libexec/trustd" ]) { | ||
| SNTFileInfo *binInfo = [[SNTFileInfo alloc] initWithPath:path]; |
There was a problem hiding this comment.
Yeah, if csInfo is nil, sending any message to it will return nil.
| cd.certCommonName = csInfo.leafCertificate.commonName; | ||
|
|
||
| bins[binInfo.SHA256] = cd; | ||
| } |
| @@ -116,21 +116,28 @@ - (void)validateBinaryWithMessage:(santa_message_t)message { | |||
| } | |||
|
|
|||
| // Get codesigning info about the file but only if it's a Mach-O. | |||
| // If the binary is a critical system binary, don't check its signiture. The binary was validated | |||
| fileSHA256:nil | ||
| certificateSHA256:csInfo.leafCertificate.SHA256]; | ||
| cd.certCommonName = csInfo.leafCertificate.commonName; | ||
| cd.certCommonName = csInfo.leafCertificate.commonName; | ||
| } |
|
PTAL |
|
Thanks a ton for this fix @tburgin I was wondering when the next release would be? :) |
|
A couple of hours, most likely |
|
Awesome, Thanks again! |
* santad: add critical system binaries * review updates * use a getter
/usr/libexec/trustdneeds to run in order to check arbitrary code signatures. This may be a departure from previous version of macOS. Iftrustdis killed, Santa can cause a deadlock. This fix pre-validates and whiteliststrustdatsantadstartup time.