Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow banning of team IDs. #640

Merged
merged 6 commits into from
Oct 18, 2021
Merged

Allow banning of team IDs. #640

merged 6 commits into from
Oct 18, 2021

Conversation

tnek
Copy link
Contributor

@tnek tnek commented Oct 15, 2021

This adds the ability to ban by team ID using the teamID value read from MOLCodesignChecker. Banning by certificate or binary hash will take precedence over banning by team ID (e.x. an explicitly allowlisted binary with a banned teamID will still execute).

Some next steps (for followup PRs):

  • Rename the shasum column - especially when we eventually introduce banning by CDhash as well.
  • Read and use the teamID from the es_message_t instead, as it's theoretically possible to race MOLCodesignChecker's file parsing. This will involve refactoring and decoupling the control flow between SNTPolicyProcessor and SNTExecutionController, so I've put it off for a future followup PR.

Linked issue: #634

@google-cla google-cla bot added the cla: yes label Oct 15, 2021
@russellhancox
Copy link
Collaborator

I think you need to handle the new event types in SNTSyslogEventLog.m too.

@tnek tnek merged commit 1f2b82f into google:main Oct 18, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@russellhancox russellhancox russellhancox approved these changes

@pmarkowsky pmarkowsky Awaiting requested review from pmarkowsky

Assignees
No one assigned
Labels
cla: yes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@tnek @russellhancox