common: Allow transitive whitelisting to be controlled by sync server…

…s. (#300)

Also rename TransitiveWhitelistingEnabled -> EnableTransitiveWhitelisting and BundlesEnabled -> EnableBundles

Source/common/SNTConfigurator.h

@@ -196,7 +196,7 @@
 ///  If YES, enables bundle detection for blocked events. This property is not stored on disk.
 ///  Its value is set by a sync server that supports bundles. Defaults to NO.
 ///
-@property BOOL bundlesEnabled;
+@property BOOL enableBundles;
 
 #pragma mark Transitive Whitelisting Settings
 
@@ -205,7 +205,7 @@
 ///  whitelist any executables that they produce.  If NO, SNTRuleStateWhitelistCompiler rules are
 ///  interpreted as if they were simply SNTRuleStateWhitelist rules.  Defaults to NO.
 ///
-@property BOOL transitiveWhitelistingEnabled;
+@property BOOL enableTransitiveWhitelisting;
 
 #pragma mark Server Auth Settings
 

Source/common/SNTConfigurator.m

@@ -76,7 +76,7 @@ @implementation SNTConfigurator
 
 // The keys managed by a sync server or mobileconfig.
 static NSString *const kClientModeKey = @"ClientMode";
-static NSString *const kTransitiveWhitelistingEnabledKey = @"TransitiveWhitelistingEnabled";
+static NSString *const kEnableTransitiveWhitelistingKey = @"EnableTransitiveWhitelisting";
 static NSString *const kWhitelistRegexKey = @"WhitelistRegex";
 static NSString *const kBlacklistRegexKey = @"BlacklistRegex";
 
@@ -95,7 +95,7 @@ - (instancetype)init {
     Class data = [NSData class];
     _syncServerKeyTypes = @{
       kClientModeKey : number,
-      kTransitiveWhitelistingEnabledKey : number,
+      kEnableTransitiveWhitelistingKey : number,
       kWhitelistRegexKey : re,
       kBlacklistRegexKey : re,
       kFullSyncLastSuccess : date,
@@ -104,7 +104,7 @@ - (instancetype)init {
     };
     _forcedConfigKeyTypes = @{
       kClientModeKey : number,
-      kTransitiveWhitelistingEnabledKey : number,
+      kEnableTransitiveWhitelistingKey : number,
       kFileChangesRegexKey : re,
       kWhitelistRegexKey : re,
       kBlacklistRegexKey : re,
@@ -290,8 +290,8 @@ + (NSSet *)keyPathsForValuesAffectingEnableMachineIDDecoration {
   return [self configStateSet];
 }
 
-+ (NSSet *)keyPathsForValuesAffectingTransitiveWhitelistingEnabled {
-  return [self configStateSet];
++ (NSSet *)keyPathsForValuesAffectingEnableTransitiveWhitelisting {
+  return [self syncAndConfigStateSet];
 }
 
 #pragma mark Public Interface
@@ -318,12 +318,16 @@ - (void)setSyncServerClientMode:(SNTClientMode)newMode {
   }
 }
 
-- (BOOL)transitiveWhitelistingEnabled {
-  return [self.configState[kTransitiveWhitelistingEnabledKey] boolValue];
+- (BOOL)enableTransitiveWhitelisting {
+  NSNumber *n = self.syncState[kEnableTransitiveWhitelistingKey];
+  if (n) {
+    return [n boolValue];
+  }
+  return [self.configState[kEnableTransitiveWhitelistingKey] boolValue];
 }
 
-- (void)setTransitiveWhitelistingEnabled:(BOOL)enabled {
-  [self updateSyncStateForKey:kTransitiveWhitelistingEnabledKey value:@(enabled)];
+- (void)setEnableTransitiveWhitelisting:(BOOL)enabled {
+  [self updateSyncStateForKey:kEnableTransitiveWhitelistingKey value:@(enabled)];
 }
 
 - (NSRegularExpression *)whitelistPathRegex {

Source/common/SNTXPCControlInterface.h

@@ -46,8 +46,8 @@
 - (void)setSyncCleanRequired:(BOOL)cleanReqd reply:(void (^)(void))reply;
 - (void)setWhitelistPathRegex:(NSString *)pattern reply:(void (^)(void))reply;
 - (void)setBlacklistPathRegex:(NSString *)pattern reply:(void (^)(void))reply;
-- (void)setBundlesEnabled:(BOOL)bundlesEnabled reply:(void (^)(void))reply;
-- (void)setTransitiveWhitelistingEnabled:(BOOL)enabled reply:(void (^)(void))reply;
+- (void)setEnableBundles:(BOOL)bundlesEnabled reply:(void (^)(void))reply;
+- (void)setEnableTransitiveWhitelisting:(BOOL)enabled reply:(void (^)(void))reply;
 
 ///
 ///  Syncd Ops

Source/common/SNTXPCUnprivilegedControlInterface.h

@@ -73,8 +73,8 @@
 - (void)fullSyncLastSuccess:(void (^)(NSDate *))reply;
 - (void)ruleSyncLastSuccess:(void (^)(NSDate *))reply;
 - (void)syncCleanRequired:(void (^)(BOOL))reply;
-- (void)bundlesEnabled:(void (^)(BOOL))reply;
-- (void)transitiveWhitelistingEnabled:(void (^)(BOOL))reply;
+- (void)enableBundles:(void (^)(BOOL))reply;
+- (void)enableTransitiveWhitelisting:(void (^)(BOOL))reply;
 
 ///
 ///  GUI Ops

Source/santactl/Commands/SNTCommandStatus.m

@@ -145,18 +145,18 @@ - (void)runWithArguments:(NSArray *)arguments {
     }];
   }
 
-  __block BOOL bundlesEnabled = NO;
+  __block BOOL enableBundles = NO;
   if ([[SNTConfigurator configurator] syncBaseURL]) {
     dispatch_group_enter(group);
-    [[self.daemonConn remoteObjectProxy] bundlesEnabled:^(BOOL response) {
-      bundlesEnabled = response;
+    [[self.daemonConn remoteObjectProxy] enableBundles:^(BOOL response) {
+      enableBundles = response;
       dispatch_group_leave(group);
     }];
   }
 
   __block BOOL transitiveWhitelistingEnabled = NO;
   dispatch_group_enter(group);
-  [[self.daemonConn remoteObjectProxy] transitiveWhitelistingEnabled:^(BOOL response) {
+  [[self.daemonConn remoteObjectProxy] enableTransitiveWhitelisting:^(BOOL response) {
     transitiveWhitelistingEnabled = response;
     dispatch_group_leave(group);
   }];
@@ -202,7 +202,7 @@ - (void)runWithArguments:(NSArray *)arguments {
         @"last_successful_full" : fullSyncLastSuccessStr ?: @"null",
         @"last_successful_rule" : ruleSyncLastSuccessStr ?: @"null",
         @"push_notifications" : pushNotifications ? @"Connected" : @"Disconnected",
-        @"bundle_scanning" : @(bundlesEnabled),
+        @"bundle_scanning" : @(enableBundles),
         @"transitive_whitelisting" : @(transitiveWhitelistingEnabled),
       },
     };
@@ -235,7 +235,7 @@ - (void)runWithArguments:(NSArray *)arguments {
       printf("  %-25s | %s\n", "Last Successful Rule Sync", [ruleSyncLastSuccessStr UTF8String]);
       printf("  %-25s | %s\n", "Push Notifications",
              (pushNotifications ? "Connected" : "Disconnected"));
-      printf("  %-25s | %s\n", "Bundle Scanning", (bundlesEnabled ? "Yes" : "No"));
+      printf("  %-25s | %s\n", "Bundle Scanning", (enableBundles ? "Yes" : "No"));
       printf("  %-25s | %s\n", "Transitive Whitelisting",
              (transitiveWhitelistingEnabled ? "Yes" : "No"));
     }

Source/santactl/Commands/sync/SNTCommandSyncConstants.h

@@ -38,8 +38,10 @@ extern NSString *const kTransitiveRuleCount;
 extern NSString *const kFCMToken;
 extern NSString *const kFCMFullSyncInterval;
 extern NSString *const kFCMGlobalRuleSyncDeadline;
-extern NSString *const kBundlesEnabled;
-extern NSString *const kTransitiveWhitelistingEnabled;
+extern NSString *const kEnableBundles;
+extern NSString *const kEnableBundles_OLD;
+extern NSString *const kEnableTransitiveWhitelisting;
+extern NSString *const kEnableTransitiveWhitelisting_OLD;
 
 extern NSString *const kEvents;
 extern NSString *const kFileSHA256;

Source/santactl/Commands/sync/SNTCommandSyncConstants.m

@@ -38,8 +38,12 @@
 NSString *const kFCMToken = @"fcm_token";
 NSString *const kFCMFullSyncInterval = @"fcm_full_sync_interval";
 NSString *const kFCMGlobalRuleSyncDeadline = @"fcm_global_rule_sync_deadline";
-NSString *const kBundlesEnabled = @"bundles_enabled";
-NSString *const kTransitiveWhitelistingEnabled = @"transitive_whitelisting_enabled";
+
+// NOTE: Both of the _OLD values will be removed at some indeterminate point in the future.
+NSString *const kEnableBundles = @"enable_bundles";
+NSString *const kEnableBundles_OLD = @"bundles_enabled";
+NSString *const kEnableTransitiveWhitelisting = @"enabled_transitive_whitelisting";
+NSString *const kEnableTransitiveWhitelisting_OLD = @"transitive_whitelisting_enabled";
 
 NSString *const kEvents = @"events";
 NSString *const kFileSHA256 = @"file_sha256";

Source/santactl/Commands/sync/SNTCommandSyncPreflight.m

@@ -87,17 +87,23 @@ - (BOOL)sync {
   if (!resp) return NO;
 
   dispatch_group_enter(group);
-  [[self.daemonConn remoteObjectProxy] setBundlesEnabled:[resp[kBundlesEnabled] boolValue] reply:^{
+  NSNumber *enableBundles = resp[kEnableBundles];
+  if (!enableBundles) {
+    enableBundles = resp[kEnableBundles_OLD];
+  }
+  [[self.daemonConn remoteObjectProxy] setEnableBundles:[enableBundles boolValue] reply:^{
     dispatch_group_leave(group);
   }];
 
   dispatch_group_enter(group);
-  if ([resp[kTransitiveWhitelistingEnabled] respondsToSelector:@selector(boolValue)]) {
-    BOOL enabled = [resp[kTransitiveWhitelistingEnabled] boolValue];
-    [[self.daemonConn remoteObjectProxy] setTransitiveWhitelistingEnabled:enabled reply:^{
-      dispatch_group_leave(group);
-    }];
+  NSNumber *enableTransitiveWhitelisting = resp[kEnableTransitiveWhitelisting];
+  if (!enableTransitiveWhitelisting) {
+    enableTransitiveWhitelisting = resp[kEnableTransitiveWhitelisting_OLD];
   }
+  BOOL enabled = [enableTransitiveWhitelisting boolValue];
+  [[self.daemonConn remoteObjectProxy] setEnableTransitiveWhitelisting:enabled reply:^{
+    dispatch_group_leave(group);
+  }];
 
   self.syncState.eventBatchSize = [resp[kBatchSize] unsignedIntegerValue] ?: kDefaultEventBatchSize;
   self.syncState.FCMToken = resp[kFCMToken];

Source/santad/SNTDaemonControlController.m

@@ -224,21 +224,21 @@ - (void)setBlacklistPathRegex:(NSString *)pattern reply:(void (^)(void))reply {
   reply();
 }
 
-- (void)bundlesEnabled:(void (^)(BOOL))reply {
-  reply([SNTConfigurator configurator].bundlesEnabled);
+- (void)enableBundles:(void (^)(BOOL))reply {
+  reply([SNTConfigurator configurator].enableBundles);
 }
 
-- (void)setBundlesEnabled:(BOOL)bundlesEnabled reply:(void (^)(void))reply {
-  [[SNTConfigurator configurator] setBundlesEnabled:bundlesEnabled];
+- (void)setEnableBundles:(BOOL)enableBundles reply:(void (^)(void))reply {
+  [[SNTConfigurator configurator] setEnableBundles:enableBundles];
   reply();
 }
 
-- (void)transitiveWhitelistingEnabled:(void (^)(BOOL))reply {
-  reply([SNTConfigurator configurator].transitiveWhitelistingEnabled);
+- (void)enableTransitiveWhitelisting:(void (^)(BOOL))reply {
+  reply([SNTConfigurator configurator].enableTransitiveWhitelisting);
 }
 
-- (void)setTransitiveWhitelistingEnabled:(BOOL)enabled reply:(void (^)(void))reply {
-  [[SNTConfigurator configurator] setTransitiveWhitelistingEnabled:enabled];
+- (void)setEnableTransitiveWhitelisting:(BOOL)enabled reply:(void (^)(void))reply {
+  [[SNTConfigurator configurator] setEnableTransitiveWhitelisting:enabled];
   reply();
 }
 

Source/santad/SNTExecutionController.m

@@ -209,7 +209,7 @@ - (void)validateBinaryWithMessage:(santa_message_t)message {
     if (action != ACTION_RESPOND_ALLOW && action != ACTION_RESPOND_ALLOW_COMPILER) {
       [_eventLog logDeniedExecution:cd withMessage:message];
 
-      if ([[SNTConfigurator configurator] bundlesEnabled] && binInfo.bundle) {
+      if ([[SNTConfigurator configurator] enableBundles] && binInfo.bundle) {
         // If the binary is part of a bundle, find and hash all the related binaries in the bundle.
         // Let the GUI know hashing is needed. Once the hashing is complete the GUI will send a
         // message to santad to perform the upload logic for bundles.

Source/santad/SNTPolicyProcessor.m

@@ -64,7 +64,7 @@ - (SNTCachedDecision *)decisionForFileInfo:(SNTFileInfo *)fileInfo
             // If transitive whitelisting is enabled, then SNTRuleStateWhiteListCompiler rules
             // become SNTEventStateAllowCompiler decisions.  Otherwise we treat the rule as if
             // it were SNTRuleStateWhitelist.
-            if ([[SNTConfigurator configurator] transitiveWhitelistingEnabled]) {
+            if ([[SNTConfigurator configurator] enableTransitiveWhitelisting]) {
               cd.decision = SNTEventStateAllowCompiler;
             } else {
               cd.decision = SNTEventStateAllow;
@@ -74,7 +74,7 @@ - (SNTCachedDecision *)decisionForFileInfo:(SNTFileInfo *)fileInfo
             // If transitive whitelisting is enabled, then SNTRuleStateWhitelistTransitive
             // rules become SNTEventStateAllowTransitive decisions.  Otherwise, we treat the
             // rule as if it were SNTRuleStateUnknown.
-            if ([[SNTConfigurator configurator] transitiveWhitelistingEnabled]) {
+            if ([[SNTConfigurator configurator] enableTransitiveWhitelisting]) {
               cd.decision = SNTEventStateAllowTransitive;
               return cd;
             } else {

Tests/LogicTests/SNTExecutionControllerTest.m

@@ -168,7 +168,7 @@ - (void)testCertificateBlacklistRule {
 - (void)testBinaryWhitelistCompilerRule {
   OCMStub([self.mockFileInfo isMachO]).andReturn(YES);
   OCMStub([self.mockFileInfo SHA256]).andReturn(@"a");
-  OCMStub([self.mockConfigurator transitiveWhitelistingEnabled]).andReturn(YES);
+  OCMStub([self.mockConfigurator enableTransitiveWhitelisting]).andReturn(YES);
 
   SNTRule *rule = [[SNTRule alloc] init];
   rule.state = SNTRuleStateWhitelistCompiler;
@@ -184,7 +184,7 @@ - (void)testBinaryWhitelistCompilerRule {
 - (void)testBinaryWhitelistCompilerRuleDisabled {
   OCMStub([self.mockFileInfo isMachO]).andReturn(YES);
   OCMStub([self.mockFileInfo SHA256]).andReturn(@"a");
-  OCMStub([self.mockConfigurator transitiveWhitelistingEnabled]).andReturn(NO);
+  OCMStub([self.mockConfigurator enableTransitiveWhitelisting]).andReturn(NO);
 
   SNTRule *rule = [[SNTRule alloc] init];
   rule.state = SNTRuleStateWhitelistCompiler;
@@ -200,7 +200,7 @@ - (void)testBinaryWhitelistCompilerRuleDisabled {
 - (void)testBinaryWhitelistTransitiveRule {
   OCMStub([self.mockFileInfo isMachO]).andReturn(YES);
   OCMStub([self.mockFileInfo SHA256]).andReturn(@"a");
-  OCMStub([self.mockConfigurator transitiveWhitelistingEnabled]).andReturn(YES);
+  OCMStub([self.mockConfigurator enableTransitiveWhitelisting]).andReturn(YES);
 
   SNTRule *rule = [[SNTRule alloc] init];
   rule.state = SNTRuleStateWhitelistTransitive;
@@ -217,7 +217,7 @@ - (void)testBinaryWhitelistTransitiveRuleDisabled {
   OCMStub([self.mockFileInfo isMachO]).andReturn(YES);
   OCMStub([self.mockFileInfo SHA256]).andReturn(@"a");
   OCMStub([self.mockConfigurator clientMode]).andReturn(SNTClientModeLockdown);
-  OCMStub([self.mockConfigurator transitiveWhitelistingEnabled]).andReturn(NO);
+  OCMStub([self.mockConfigurator enableTransitiveWhitelisting]).andReturn(NO);
 
   SNTRule *rule = [[SNTRule alloc] init];
   rule.state = SNTRuleStateWhitelistTransitive;