ES and Logging Interfaces Redesign (#888)

* Initial structure for ES wrappers, enriched types, logging

* Basic working ES and logging functionality

* Add in oneTBB and thread-safe-lru deps

* Added a bunch of enriched types

* Auto-mute self when establishing ES client

* Basic auth, tamper client. Syslog of all events. Basic compiler tracking.

* Update copyright header blobs, convert some tabs to spaces

* Auth result cache. Fix getting translocation path.

* Added remaining cache methods

* Add AuthResultCache to Recorder client. Cache now operates on es_file_t.

* Hooked up SNTPrefixTree

* Fix CompilerController for RENAME. Fix AllowList logging missing path.

* Block loading Santa kext

* Added device manager client

* Properly log DiskAppear events

* Fix build to adopt new adhoc build

* Handle clearing cache on UNMOUNT events

* Ignore other ES clients if configured

* Remove SNTAllowlistInfo. Rename AllowList to Allowlist. Minor cleanup.

* Recorder now logs asynchronously. Enricher now returns shared_ptrs.

* Added File writer. Added timestamps to BasicStream serializer.

* Skip calling stat in SNTFileInfo when path given by ES.

* Fix build issue

* Address draft PR feedback

* santactl integrated, XPC works, fix file writer bug

* Integrate syncservice. Start observing some config changes.

* Add metrics service wrapper

* Add metrics config observers and metrics interval reset.

* Start better dependency control. Add Null logger support.

* Added more deps

* Added more deps

* Fix issue where metric service wasn't starting

* Add missing variant include

* Fix missing parent proc name

* Added googletest and new unit test macro

* Started expanding AuthResultCacheTest

* Properly mock EndpointSecurityAPI

* Finished AuthResultCacheTest

* bazelrc now builds all C++ as C++17. Added LoggerTest.

* Add FileTest. Abstract some File constants to Logger.

* Added Empty serializer test

* Started work on BasicStringTest. Fixed some BasicString serialization bugs.

* Added Unlink BasicString serialization test

* Added some more tests. Commonized some test code

* Finished BasicStringTest. Converted to XCTest.

* Standardize esapi variable naming

* Bubble up gTest expect failures to XCTest failures

* AuthResultCacheTest now uses XCTest. Added common TestUtils.h

* EmptyTest now uses XCTest.

* FileTest now uses XCTest

* LoggerTest now uses XCTest. Removed santa_unit_gtest bazel macro.

* Added ClientTest

* Add basic Enricher tests

* Add MessageTest. Make more TestUtils.

* Rename metrics to Metrics

* Add MetricsTest.

* Apply template pattern to Serializer

* Add SNTDecisionCacheTest.

* Add SNTCachedDecisionTest.

* Testing with coveralls debug mode

* Allow manual CI runs

* Remove unused property

* Started work on SNTEndpointSecurityClientTest.

* WIP SNTEndpointSecurityClientTest, fix test run issue

* Added more base ES client tests

* Add more base ES client tests

* Base ES client tests done. Added serializer utils/tests. Expanded basic string tests.

* Add utils test to test suite

* Add copy ctor. Add test output to bazel coverage.

* Single thread bazel coverage

* Updaload coverage file

* Updaload coverage file

* Old gen cov test

* Restructure message handlers to enable better testability

* Added enable tests for all ES clients

* Made a single MockEndpointSecurityAPI class to share everywhere

* Added most of SNTCompilerControllerTest

* Cleanup SNTCompilerControllerTest

* Started expanding Auth client test

* Finished up the Authorizer tests

* Move to using enum class for notify/auth instead of bool

* WIP for tamper resistance test. ASAN issues.

* Add OCMock patch to fix test issue on ARM Macs

* Changed patches directory name to external_patches

* Update WORKSPACE path

* Finished up Tamper Resistance tests

* Finished up Recorder tests.

* Move SNTExecutionControllerTest to ObjC++

* Initial work to port SNTExecutionControllerTest

* Finished porting SNTExecutionControllerTest.

* Added SNTExecutionControllerTest to list of unit tests

* Ported SNTEndpointSecurityDeviceManager.

* Test cleanup, use MockESAPI expectation helpers

* Verify SNTEndpointSecurityDeviceManager expectations differently

* Test cleanup, omit gTest param list where unused

* Log message cleanup

* Rename SNTApplicationTest to santad_test.mm

* Finished porting santad_test, formerly SNTApplicationTest

* Fix SNTEndpointSecurityDeviceManager issues

* Pulled in missed fixes. Updated tests.

* Renamed lowercase filenames to match rest of codebase

* Fix non-static dispatch_once_t, and noisy watching compiler log message

* WIP Started process of removing components no longer used

* WIP Continued process of removing components no longer used

* BUILD file cleanup. Proto warning. Removed unused global

* Rename SNTEventProvider to SNTEndpointSecurityEventHandler

* Rename SNTEndpointSecurityEventHandler protocol

* Remove EnableSysxCache option. Remove --quick flag used during dev.

* Ran testing/fix.sh

* Addmissing param to fix.sh that was omitting .mm files.

* clang-format

* Fix linter: find cmd missing .mm ext, git grep exclude patch files.

* Use MakeESProcess default params in tests

* Move variables to camelCase in objc classes

* More case changes

* Sanitize strings

* Change dispatch queue priorities and standardize daemon queue naming

* Exclude patch files in markdown check

* Ensure string log messages end with newline

* Fix BasicStringTest

* Disable clang-format in code producing different results in local/remote versions

* Moved to using date ranges in copyright notices as per current guidelines

* Update Source/common/SNTConfigurator.h

Suggestion adding whitespace in comment to fix clang-format mangling

Co-authored-by: Russell Hancox <[email protected]>

* Removed santa_panic macro used in one place

* Updated comment about ES cachability

* Pin oneTBB to specific commit

* Address outstanding WORKSPACE 'canonical reproducible form' messages

* Use string append instead of ostringstream due to benchmark results

* Remove use of freind classes in EnrichedTypes.h

* Added SNTKVOManager, removed observers from SNTConfigurator.

* Fixed SNTEndpointSecurityRecorderTest class name

* Reduce usage of the auto keyword

* Each SNTKVOManager instance now adds its own observer

* Replaced more auto keywords with real types.

* Remove leftover code coverage debugging from ci.yml

* Updated comment

* Memoize SNTFileInfo sha256. Reduce some cache sizes.

* Fix issue checking for translocated paths

* Use more performant NSURL creation method

* Fix lint issue

* Address PR feedback

* Use an array literal for kvo objects

* Fix some clang tidy and import issues

* Replace third party LRU cache with SantaCache for now

* Fix clang tidy issues

* Address PR feedback

* Fix comment typo

Co-authored-by: Pete Markowsky <[email protected]>

* Added todo for when we adopt macOS 13

Co-authored-by: Russell Hancox <[email protected]>
Co-authored-by: Pete Markowsky <[email protected]>

Author: 3 people

.bazelrc

@@ -3,3 +3,14 @@ build --apple_generate_dsym --define=apple.propagate_embedded_extra_outputs=yes
 build --copt=-Werror
 build --copt=-Wall
 build --copt=-Wno-error=deprecated-declarations
+build --per_file_copt=.*\.mm\$@-std=c++17
+build --cxxopt=-std=c++17
+
+build:asan --strip=never
+build:asan --copt="-Wno-macro-redefined"
+build:asan --copt="-D_FORTIFY_SOURCE=0"
+build:asan --copt="-O1"
+build:asan --copt="-fno-omit-frame-pointer"
+build:asan --copt="-fsanitize=address"
+build:asan --copt="-DADDRESS_SANITIZER"
+build:asan --linkopt="-fsanitize=address"

.github/workflows/check-markdown.yml

@@ -11,4 +11,4 @@ jobs:
     steps:
     - uses: actions/checkout@master
     - uses: gaurav-nelson/github-action-markdown-link-check@v1
-    - run: "! git grep -EIn $'[ \t]+$'"
+    - run: "! git grep -EIn $'[ \t]+$' -- ':(exclude)*.patch'"

.github/workflows/ci.yml

@@ -20,7 +20,6 @@ jobs:
       - name: Run linters
         run: ./Testing/lint.sh
 
-
   build_userspace:
     strategy:
       fail-fast: false
@@ -55,10 +54,3 @@ jobs:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           path-to-lcov: ./bazel-out/_coverage/_coverage_report.dat
           flag-name: Unit
-
-  benchmark:
-    runs-on: macos-11
-    steps:
-      - uses: actions/checkout@v2
-      - name: Run All Tests
-        run: ./Testing/benchmark.sh

BUILD

@@ -198,10 +198,3 @@ test_suite(
         "//Source/santasyncservice:unit_tests",
     ],
 )
-
-test_suite(
-    name = "benchmarks",
-    tests = [
-        "//Source/santad:SNTApplicationBenchmark",
-    ],
-)

Source/common/BUILD

@@ -83,12 +83,6 @@ objc_library(
     ],
 )
 
-objc_library(
-    name = "SNTAllowlistInfo",
-    srcs = ["SNTAllowlistInfo.m"],
-    hdrs = ["SNTAllowlistInfo.h"],
-)
-
 objc_library(
     name = "SNTCommonEnums",
     hdrs = ["SNTCommonEnums.h"],
@@ -106,6 +100,23 @@ objc_library(
     ],
 )
 
+objc_library(
+    name = "SNTKVOManager",
+    srcs = ["SNTKVOManager.mm"],
+    hdrs = ["SNTKVOManager.h"],
+    deps = [
+        ":SNTLogging",
+    ],
+)
+
+santa_unit_test(
+    name = "SNTKVOManagerTest",
+    srcs = ["SNTKVOManagerTest.mm"],
+    deps = [
+        ":SNTKVOManager",
+    ],
+)
+
 objc_library(
     name = "SNTDropRootPrivs",
     srcs = ["SNTDropRootPrivs.m"],
@@ -117,6 +128,7 @@ objc_library(
     srcs = ["SNTFileInfo.m"],
     hdrs = ["SNTFileInfo.h"],
     deps = [
+        ":SNTLogging",
         "@FMDB",
         "@MOLCodesignChecker",
     ],
@@ -298,13 +310,40 @@ santa_unit_test(
     deps = [":SNTMetricSet"],
 )
 
+santa_unit_test(
+    name = "SNTCachedDecisionTest",
+    srcs = ["SNTCachedDecisionTest.mm"],
+    deps = [
+        "//Source/common:SNTCachedDecision",
+        "//Source/common:TestUtils",
+        "@OCMock",
+    ],
+)
+
 test_suite(
     name = "unit_tests",
     tests = [
+        ":SNTCachedDecisionTest",
         ":SNTFileInfoTest",
+        ":SNTKVOManagerTest",
         ":SNTMetricSetTest",
         ":SNTPrefixTreeTest",
+        ":SNTRuleTest",
         ":SantaCacheTest",
     ],
     visibility = ["//:santa_package_group"],
 )
+
+objc_library(
+    name = "TestUtils",
+    testonly = 1,
+    srcs = ["TestUtils.mm"],
+    hdrs = ["TestUtils.h"],
+    sdk_dylibs = [
+        "bsm",
+    ],
+    deps = [
+        "@OCMock",
+        "@com_google_googletest//:gtest",
+    ],
+)

Source/common/SNTAllowlistInfo.m

@@ -1,4 +1,4 @@
-/// Copyright 2015 Google Inc. All rights reserved.
+/// Copyright 2015-2022 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -12,10 +12,11 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import <EndpointSecurity/EndpointSecurity.h>
 #import <Foundation/Foundation.h>
 
-#import "Source/common/SNTCommonEnums.h"
 #import "Source/common/SNTCommon.h"
+#import "Source/common/SNTCommonEnums.h"
 
 @class MOLCertificate;
 
@@ -24,6 +25,8 @@
 ///
 @interface SNTCachedDecision : NSObject
 
+- (instancetype)initWithEndpointSecurityFile:(const es_file_t *)esFile;
+
 @property santa_vnode_id_t vnodeId;
 @property SNTEventState decision;
 @property NSString *decisionExtra;

Source/common/SNTCachedDecision.h

@@ -1,4 +1,4 @@
-/// Copyright 2015 Google Inc. All rights reserved.
+/// Copyright 2015-2022 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -15,4 +15,14 @@
 #import "Source/common/SNTCachedDecision.h"
 
 @implementation SNTCachedDecision
+
+- (instancetype)initWithEndpointSecurityFile:(const es_file_t *)esFile {
+  self = [super init];
+  if (self) {
+    _vnodeId.fsid = (uint64_t)esFile->stat.st_dev;
+    _vnodeId.fileid = esFile->stat.st_ino;
+  }
+  return self;
+}
+
 @end

Source/common/SNTCachedDecision.m

@@ -0,0 +1,36 @@
+/// Copyright 2022 Google Inc. All rights reserved.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///    http://www.apache.org/licenses/LICENSE-2.0
+///
+///    Unless required by applicable law or agreed to in writing, software
+///    distributed under the License is distributed on an "AS IS" BASIS,
+///    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+///    See the License for the specific language governing permissions and
+///    limitations under the License.
+
+#import <XCTest/XCTest.h>
+
+#import "Source/common/SNTCachedDecision.h"
+#include "Source/common/TestUtils.h"
+
+@interface SNTCachedDecisionTest : XCTestCase
+@end
+
+@implementation SNTCachedDecisionTest
+
+- (void)testSNTCachedDecisionInit {
+  // Ensure the vnodeId field is properly set from the es_file_t
+  struct stat sb = MakeStat(1234, 5678);
+  es_file_t file = MakeESFile("foo", sb);
+
+  SNTCachedDecision *cd = [[SNTCachedDecision alloc] initWithEndpointSecurityFile:&file];
+
+  XCTAssertEqual(sb.st_ino, cd.vnodeId.fileid);
+  XCTAssertEqual(sb.st_dev, cd.vnodeId.fsid);
+}
+
+@end

Source/common/SNTCachedDecisionTest.mm

@@ -1,4 +1,4 @@
-/// Copyright 2015 Google Inc. All rights reserved.
+/// Copyright 2015-2022 Google Inc. All rights reserved.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -27,41 +27,23 @@
 #define unlikely(x) __builtin_expect(!!(x), 0)
 
 typedef enum {
-  ACTION_UNSET = 0,
+  ACTION_UNSET,
 
   // REQUESTS
-  ACTION_REQUEST_SHUTDOWN = 10,
-  ACTION_REQUEST_BINARY = 11,
+  // If an operation is awaiting a cache decision from a similar operation
+  // currently being processed, it will poll about every 5 ms for an answer.
+  ACTION_REQUEST_BINARY,
 
   // RESPONSES
-  ACTION_RESPOND_ALLOW = 20,
-  ACTION_RESPOND_DENY = 21,
-  ACTION_RESPOND_TOOLONG = 22,
-  ACTION_RESPOND_ACK = 23,
-  ACTION_RESPOND_ALLOW_COMPILER = 24,
-  // The following response is stored only in the kernel decision cache.
-  // It is removed by SNTCompilerController
-  ACTION_RESPOND_ALLOW_PENDING_TRANSITIVE = 25,
+  ACTION_RESPOND_ALLOW,
+  ACTION_RESPOND_DENY,
+  ACTION_RESPOND_ALLOW_COMPILER,
 
-  // NOTIFY
-  ACTION_NOTIFY_EXEC = 30,
-  ACTION_NOTIFY_WRITE = 31,
-  ACTION_NOTIFY_RENAME = 32,
-  ACTION_NOTIFY_LINK = 33,
-  ACTION_NOTIFY_EXCHANGE = 34,
-  ACTION_NOTIFY_DELETE = 35,
-  ACTION_NOTIFY_WHITELIST = 36,
-  ACTION_NOTIFY_FORK = 37,
-  ACTION_NOTIFY_EXIT = 38,
-
-  // ERROR
-  ACTION_ERROR = 99,
 } santa_action_t;
 
 #define RESPONSE_VALID(x)                                   \
   (x == ACTION_RESPOND_ALLOW || x == ACTION_RESPOND_DENY || \
-   x == ACTION_RESPOND_ALLOW_COMPILER ||                    \
-   x == ACTION_RESPOND_ALLOW_PENDING_TRANSITIVE)
+   x == ACTION_RESPOND_ALLOW_COMPILER)
 
 // Struct to manage vnode IDs
 typedef struct santa_vnode_id_t {
@@ -75,28 +57,4 @@ typedef struct santa_vnode_id_t {
 #endif
 } santa_vnode_id_t;
 
-typedef struct {
-  santa_action_t action;
-  santa_vnode_id_t vnode_id;
-  uid_t uid;
-  gid_t gid;
-  pid_t pid;
-  int pidversion;
-  pid_t ppid;
-  char path[MAXPATHLEN];
-  char newpath[MAXPATHLEN];
-  char ttypath[MAXPATHLEN];
-  // For file events, this is the process name.
-  // For exec requests, this is the parent process name.
-  // While process names can technically be 4*MAXPATHLEN, that never
-  // actually happens, so only take MAXPATHLEN and throw away any excess.
-  char pname[MAXPATHLEN];
-
-  // This points to a copy of the original ES message.
-  void *es_message;
-
-  // This points to an NSArray of the process arguments.
-  void *args_array;
-} santa_message_t;
-
 #endif  // SANTA__COMMON__COMMON_H