diff --git a/Source/common/SNTConfigurator.h b/Source/common/SNTConfigurator.h
index 80b2326f0..cc660a946 100644
--- a/Source/common/SNTConfigurator.h
+++ b/Source/common/SNTConfigurator.h
@@ -196,7 +196,7 @@
 /// If YES, enables bundle detection for blocked events. This property is not stored on disk.
 /// Its value is set by a sync server that supports bundles. Defaults to NO.
 ///
-@property BOOL bundlesEnabled;
+@property BOOL enableBundles;
 #pragma mark Transitive Whitelisting Settings
@@ -205,7 +205,7 @@
 /// whitelist any executables that they produce. If NO, SNTRuleStateWhitelistCompiler rules are
 /// interpreted as if they were simply SNTRuleStateWhitelist rules. Defaults to NO.
 ///
-@property BOOL transitiveWhitelistingEnabled;
+@property BOOL enableTransitiveWhitelisting;
 #pragma mark Server Auth Settings
diff --git a/Source/common/SNTConfigurator.m b/Source/common/SNTConfigurator.m
index 775f760e4..b767c7762 100644
--- a/Source/common/SNTConfigurator.m
+++ b/Source/common/SNTConfigurator.m
@@ -76,7 +76,7 @@ @implementation SNTConfigurator
 // The keys managed by a sync server or mobileconfig.
 static NSString *const kClientModeKey = @"ClientMode";
-static NSString *const kTransitiveWhitelistingEnabledKey = @"TransitiveWhitelistingEnabled";
+static NSString *const kEnableTransitiveWhitelistingKey = @"EnableTransitiveWhitelisting";
 static NSString *const kWhitelistRegexKey = @"WhitelistRegex";
 static NSString *const kBlacklistRegexKey = @"BlacklistRegex";
@@ -95,7 +95,7 @@ - (instancetype)init {
 Class data = [NSData class];
 _syncServerKeyTypes = @{
 kClientModeKey : number,
- kTransitiveWhitelistingEnabledKey : number,
+ kEnableTransitiveWhitelistingKey : number,
 kWhitelistRegexKey : re,
 kBlacklistRegexKey : re,
 kFullSyncLastSuccess : date,
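Review bot: The doc comment above `enableTransitiveWhitelisting` in the second hunk still reads as a pure config setting ("Defaults to NO") and does not say that the value can also come from the sync server, whereas the `enableBundles` comment in the first hunk does state its sync-server origin. The SNTConfigurator.m change in this same commit makes the getter consult syncState before configState, so a sync-server value takes precedence over the mobileconfig value; a reader of the header cannot see that. Suggest adding `/// A sync server may also set this value; when it has, that value takes precedence over the mobileconfig value.` so the two property comments stay parallel.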
@@ -104,7 +104,7 @@ - (instancetype)init {
 };
 _forcedConfigKeyTypes = @{
 kClientModeKey : number,
- kTransitiveWhitelistingEnabledKey : number,
+ kEnableTransitiveWhitelistingKey : number,
 kFileChangesRegexKey : re,
 kWhitelistRegexKey : re,
 kBlacklistRegexKey : re,
@@ -290,8 +290,8 @@ + (NSSet *)keyPathsForValuesAffectingEnableMachineIDDecoration {
 return [self configStateSet];
 }
-+ (NSSet *)keyPathsForValuesAffectingTransitiveWhitelistingEnabled {
- return [self configStateSet];
++ (NSSet *)keyPathsForValuesAffectingEnableTransitiveWhitelisting {
+ return [self syncAndConfigStateSet];
 }
 #pragma mark Public Interface
@@ -318,12 +318,16 @@ - (void)setSyncServerClientMode:(SNTClientMode)newMode {
 }
 }
-- (BOOL)transitiveWhitelistingEnabled {
- return [self.configState[kTransitiveWhitelistingEnabledKey] boolValue];
+- (BOOL)enableTransitiveWhitelisting {
+ NSNumber *n = self.syncState[kEnableTransitiveWhitelistingKey];
+ if (n) {
+ return [n boolValue];
+ }
+ return [self.configState[kEnableTransitiveWhitelistingKey] boolValue];
 }
-- (void)setTransitiveWhitelistingEnabled:(BOOL)enabled {
- [self updateSyncStateForKey:kTransitiveWhitelistingEnabledKey value:@(enabled)];
+- (void)setEnableTransitiveWhitelisting:(BOOL)enabled {
+ [self updateSyncStateForKey:kEnableTransitiveWhitelistingKey value:@(enabled)];
 }
 - (NSRegularExpression *)whitelistPathRegex {
diff --git a/Source/common/SNTXPCControlInterface.h b/Source/common/SNTXPCControlInterface.h
index 58337cdee..b7a625b49 100644
--- a/Source/common/SNTXPCControlInterface.h
+++ b/Source/common/SNTXPCControlInterface.h
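Review bot: In the added `enableTransitiveWhitelisting` getter any non-nil syncState value wins over configState, and `setEnableTransitiveWhitelisting:` writes `@(enabled)` unconditionally, so once a sync server has pushed a value the mobileconfig-managed value (the same key is listed in `_forcedConfigKeyTypes` in the hunk at line 104) is never consulted again. The SNTCommandSyncPreflight.m change in this commit calls that setter even when the server response carries neither key, passing the nil-message result NO, so a server that simply omits the key would turn off a setting an admin forced by profile; this depends on what updateSyncStateForKey:value: does with the value, which is not visible here. If the forced value is meant to stay authoritative, check configState first or only fall through to syncState when configState has no entry; if the server is meant to win, document it on the getter, e.g. `// A value pushed by the sync server takes precedence over the mobileconfig value.` The getter and setter are complete within the hunk.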
@@ -46,8 +46,8 @@
 - (void)setSyncCleanRequired:(BOOL)cleanReqd reply:(void (^)(void))reply;
 - (void)setWhitelistPathRegex:(NSString *)pattern reply:(void (^)(void))reply;
 - (void)setBlacklistPathRegex:(NSString *)pattern reply:(void (^)(void))reply;
-- (void)setBundlesEnabled:(BOOL)bundlesEnabled reply:(void (^)(void))reply;
-- (void)setTransitiveWhitelistingEnabled:(BOOL)enabled reply:(void (^)(void))reply;
+- (void)setEnableBundles:(BOOL)bundlesEnabled reply:(void (^)(void))reply;
+- (void)setEnableTransitiveWhitelisting:(BOOL)enabled reply:(void (^)(void))reply;
 ///
 /// Syncd Ops
diff --git a/Source/common/SNTXPCUnprivilegedControlInterface.h b/Source/common/SNTXPCUnprivilegedControlInterface.h
index 63bac6547..dd0ca69e9 100644
--- a/Source/common/SNTXPCUnprivilegedControlInterface.h
+++ b/Source/common/SNTXPCUnprivilegedControlInterface.h
@@ -73,8 +73,8 @@
 - (void)fullSyncLastSuccess:(void (^)(NSDate *))reply;
 - (void)ruleSyncLastSuccess:(void (^)(NSDate *))reply;
 - (void)syncCleanRequired:(void (^)(BOOL))reply;
-- (void)bundlesEnabled:(void (^)(BOOL))reply;
-- (void)transitiveWhitelistingEnabled:(void (^)(BOOL))reply;
+- (void)enableBundles:(void (^)(BOOL))reply;
+- (void)enableTransitiveWhitelisting:(void (^)(BOOL))reply;
 ///
 /// GUI Ops
diff --git a/Source/santactl/Commands/SNTCommandStatus.m b/Source/santactl/Commands/SNTCommandStatus.m
index af38e12d5..23a5ac2e1 100644
--- a/Source/santactl/Commands/SNTCommandStatus.m
+++ b/Source/santactl/Commands/SNTCommandStatus.m
@@ -145,18 +145,18 @@ - (void)runWithArguments:(NSArray *)arguments {
 }];
 }
- __block BOOL bundlesEnabled = NO;
+ __block BOOL enableBundles = NO;
 if ([[SNTConfigurator configurator] syncBaseURL]) {
 dispatch_group_enter(group);
- [[self.daemonConn remoteObjectProxy] bundlesEnabled:^(BOOL response) {
- bundlesEnabled = response;
+ [[self.daemonConn remoteObjectProxy] enableBundles:^(BOOL response) {
+ enableBundles = response;
 dispatch_group_leave(group);
 }];
 }
 __block BOOL transitiveWhitelistingEnabled = NO;
 dispatch_group_enter(group);
- [[self.daemonConn remoteObjectProxy] transitiveWhitelistingEnabled:^(BOOL response) {
+ [[self.daemonConn remoteObjectProxy] enableTransitiveWhitelisting:^(BOOL response) {
 transitiveWhitelistingEnabled = response;
 dispatch_group_leave(group);
 }];
@@ -202,7 +202,7 @@ - (void)runWithArguments:(NSArray *)arguments {
 @"last_successful_full" : fullSyncLastSuccessStr ?: @"null",
 @"last_successful_rule" : ruleSyncLastSuccessStr ?: @"null",
 @"push_notifications" : pushNotifications ? @"Connected" : @"Disconnected",
- @"bundle_scanning" : @(bundlesEnabled),
+ @"bundle_scanning" : @(enableBundles),
 @"transitive_whitelisting" : @(transitiveWhitelistingEnabled),
 },
 };
@@ -235,7 +235,7 @@ - (void)runWithArguments:(NSArray *)arguments {
 printf(" %-25s | %s\n", "Last Successful Rule Sync", [ruleSyncLastSuccessStr UTF8String]);
 printf(" %-25s | %s\n", "Push Notifications", (pushNotifications ? "Connected" : "Disconnected"));
- printf(" %-25s | %s\n", "Bundle Scanning", (bundlesEnabled ? "Yes" : "No"));
+ printf(" %-25s | %s\n", "Bundle Scanning", (enableBundles ? "Yes" : "No"));
 printf(" %-25s | %s\n", "Transitive Whitelisting", (transitiveWhitelistingEnabled ? "Yes" : "No"));
 }
diff --git a/Source/santactl/Commands/sync/SNTCommandSyncConstants.h b/Source/santactl/Commands/sync/SNTCommandSyncConstants.h
index 1e9e65fd1..1d13a9159 100644
--- a/Source/santactl/Commands/sync/SNTCommandSyncConstants.h
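Review bot: The local `bundlesEnabled` is renamed to `enableBundles`, but its sibling `__block BOOL transitiveWhitelistingEnabled` in the same hunk keeps the old name even though the proxy message it now wraps is `enableTransitiveWhitelisting:`; for consistency rename it as well, `__block BOOL enableTransitiveWhitelisting = NO;`, and update its two uses in the hunks at lines 202 and 235. The same half-rename appears in SNTXPCControlInterface.h, where `setEnableBundles:(BOOL)bundlesEnabled` keeps the old parameter name while the SNTDaemonControlController.m implementation in this commit calls it `enableBundles`. The enclosing `runWithArguments:` starts and ends outside the hunk.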
+++ b/Source/santactl/Commands/sync/SNTCommandSyncConstants.h
@@ -38,8 +38,10 @@ extern NSString *const kTransitiveRuleCount;
 extern NSString *const kFCMToken;
 extern NSString *const kFCMFullSyncInterval;
 extern NSString *const kFCMGlobalRuleSyncDeadline;
-extern NSString *const kBundlesEnabled;
-extern NSString *const kTransitiveWhitelistingEnabled;
+extern NSString *const kEnableBundles;
+extern NSString *const kEnableBundles_OLD;
+extern NSString *const kEnableTransitiveWhitelisting;
+extern NSString *const kEnableTransitiveWhitelisting_OLD;
 extern NSString *const kEvents;
 extern NSString *const kFileSHA256;
diff --git a/Source/santactl/Commands/sync/SNTCommandSyncConstants.m b/Source/santactl/Commands/sync/SNTCommandSyncConstants.m
index 42cc8a4df..9ec059be1 100644
--- a/Source/santactl/Commands/sync/SNTCommandSyncConstants.m
+++ b/Source/santactl/Commands/sync/SNTCommandSyncConstants.m
@@ -38,8 +38,12 @@
 NSString *const kFCMToken = @"fcm_token";
 NSString *const kFCMFullSyncInterval = @"fcm_full_sync_interval";
 NSString *const kFCMGlobalRuleSyncDeadline = @"fcm_global_rule_sync_deadline";
-NSString *const kBundlesEnabled = @"bundles_enabled";
-NSString *const kTransitiveWhitelistingEnabled = @"transitive_whitelisting_enabled";
+
+// NOTE: Both of the _OLD values will be removed at some indeterminate point in the future.
+NSString *const kEnableBundles = @"enable_bundles";
+NSString *const kEnableBundles_OLD = @"bundles_enabled";
+NSString *const kEnableTransitiveWhitelisting = @"enabled_transitive_whitelisting";
+NSString *const kEnableTransitiveWhitelisting_OLD = @"transitive_whitelisting_enabled";
 NSString *const kEvents = @"events";
 NSString *const kFileSHA256 = @"file_sha256";
diff --git a/Source/santactl/Commands/sync/SNTCommandSyncPreflight.m b/Source/santactl/Commands/sync/SNTCommandSyncPreflight.m
index 612b8f129..ee26d111e 100644
--- a/Source/santactl/Commands/sync/SNTCommandSyncPreflight.m
+++ b/Source/santactl/Commands/sync/SNTCommandSyncPreflight.m
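Review bot: In the SNTCommandSyncConstants.m hunk, `kEnableTransitiveWhitelisting` is defined as `@"enabled_transitive_whitelisting"`, which does not follow the `enable_` prefix used by its sibling `kEnableBundles = @"enable_bundles"` and by the constant's own name; unless the sync protocol really spells it `enabled_`, this reads as a typo, `NSString *const kEnableTransitiveWhitelisting = @"enable_transitive_whitelisting";`. The server-side key names are not visible here, so confirm against the protocol before changing it; as written, a server sending `enable_transitive_whitelisting` would miss this lookup, fall through to the `_OLD` key in SNTCommandSyncPreflight.m, and the setting would read as NO. The NOTE on the `_OLD` constants could also state the lookup order (new key first, `_OLD` only when the new key is absent), since that order is decided in the preflight code rather than here.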
@@ -87,17 +87,23 @@ - (BOOL)sync {
 if (!resp) return NO;
 dispatch_group_enter(group);
- [[self.daemonConn remoteObjectProxy] setBundlesEnabled:[resp[kBundlesEnabled] boolValue] reply:^{
+ NSNumber *enableBundles = resp[kEnableBundles];
+ if (!enableBundles) {
+ enableBundles = resp[kEnableBundles_OLD];
+ }
+ [[self.daemonConn remoteObjectProxy] setEnableBundles:[enableBundles boolValue] reply:^{
 dispatch_group_leave(group);
 }];
 dispatch_group_enter(group);
- if ([resp[kTransitiveWhitelistingEnabled] respondsToSelector:@selector(boolValue)]) {
- BOOL enabled = [resp[kTransitiveWhitelistingEnabled] boolValue];
- [[self.daemonConn remoteObjectProxy] setTransitiveWhitelistingEnabled:enabled reply:^{
- dispatch_group_leave(group);
- }];
+ NSNumber *enableTransitiveWhitelisting = resp[kEnableTransitiveWhitelisting];
+ if (!enableTransitiveWhitelisting) {
+ enableTransitiveWhitelisting = resp[kEnableTransitiveWhitelisting_OLD];
 }
+ BOOL enabled = [enableTransitiveWhitelisting boolValue];
+ [[self.daemonConn remoteObjectProxy] setEnableTransitiveWhitelisting:enabled reply:^{
+ dispatch_group_leave(group);
+ }];
 self.syncState.eventBatchSize = [resp[kBatchSize] unsignedIntegerValue] ?: kDefaultEventBatchSize;
 self.syncState.FCMToken = resp[kFCMToken];
diff --git a/Source/santad/SNTDaemonControlController.m b/Source/santad/SNTDaemonControlController.m
index f7515444d..be7d9be0c 100644
--- a/Source/santad/SNTDaemonControlController.m
+++ b/Source/santad/SNTDaemonControlController.m
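Review bot: `[enableBundles boolValue]` and `[enableTransitiveWhitelisting boolValue]` are now sent to whatever object the server's response dictionary holds under the key; the `NSNumber *` declaration is only a cast, and a JSON `null` arrives as `NSNull`, which does not respond to `boolValue`, so a malformed response raises an unrecognized-selector exception in santactl during sync. The removed `respondsToSelector:@selector(boolValue)` guard covered exactly this for the transitive key (though it leaked a `dispatch_group_enter` when the check failed); the new code drops the guard for both keys. When neither key is present, the nil-message result NO is still pushed to the daemon, and with this commit's SNTConfigurator.m getter that sync-state NO overrides a mobileconfig value — if that is intended, say so in a comment; if not, skip the setter and only balance the group, as sketched below for the transitive key. `sync` continues outside the hunk in both directions.
```objc
  dispatch_group_enter(group);
  id transitiveValue = resp[kEnableTransitiveWhitelisting] ?: resp[kEnableTransitiveWhitelisting_OLD];
  if ([transitiveValue respondsToSelector:@selector(boolValue)]) {
    BOOL enabled = [transitiveValue boolValue];
    [[self.daemonConn remoteObjectProxy] setEnableTransitiveWhitelisting:enabled reply:^{
      dispatch_group_leave(group);
    }];
  } else {
    // Key absent or not a number: leave the daemon's current value alone, keep the group balanced.
    dispatch_group_leave(group);
  }
  // … unchanged: same shape for kEnableBundles / kEnableBundles_OLD, then eventBatchSize / FCMToken …
```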
@@ -224,21 +224,21 @@ - (void)setBlacklistPathRegex:(NSString *)pattern reply:(void (^)(void))reply {
 reply();
 }
-- (void)bundlesEnabled:(void (^)(BOOL))reply {
- reply([SNTConfigurator configurator].bundlesEnabled);
+- (void)enableBundles:(void (^)(BOOL))reply {
+ reply([SNTConfigurator configurator].enableBundles);
 }
-- (void)setBundlesEnabled:(BOOL)bundlesEnabled reply:(void (^)(void))reply {
- [[SNTConfigurator configurator] setBundlesEnabled:bundlesEnabled];
+- (void)setEnableBundles:(BOOL)enableBundles reply:(void (^)(void))reply {
+ [[SNTConfigurator configurator] setEnableBundles:enableBundles];
 reply();
 }
-- (void)transitiveWhitelistingEnabled:(void (^)(BOOL))reply {
- reply([SNTConfigurator configurator].transitiveWhitelistingEnabled);
+- (void)enableTransitiveWhitelisting:(void (^)(BOOL))reply {
+ reply([SNTConfigurator configurator].enableTransitiveWhitelisting);
 }
-- (void)setTransitiveWhitelistingEnabled:(BOOL)enabled reply:(void (^)(void))reply {
- [[SNTConfigurator configurator] setTransitiveWhitelistingEnabled:enabled];
+- (void)setEnableTransitiveWhitelisting:(BOOL)enabled reply:(void (^)(void))reply {
+ [[SNTConfigurator configurator] setEnableTransitiveWhitelisting:enabled];
 reply();
 }
diff --git a/Source/santad/SNTExecutionController.m b/Source/santad/SNTExecutionController.m
index daac5eb42..d57c38274 100644
--- a/Source/santad/SNTExecutionController.m
+++ b/Source/santad/SNTExecutionController.m
@@ -209,7 +209,7 @@ - (void)validateBinaryWithMessage:(santa_message_t)message {
 if (action != ACTION_RESPOND_ALLOW && action != ACTION_RESPOND_ALLOW_COMPILER) {
 [_eventLog logDeniedExecution:cd withMessage:message];
- if ([[SNTConfigurator configurator] bundlesEnabled] && binInfo.bundle) {
+ if ([[SNTConfigurator configurator] enableBundles] && binInfo.bundle) {
 // If the binary is part of a bundle, find and hash all the related binaries in the bundle.
 // Let the GUI know hashing is needed. Once the hashing is complete the GUI will send a
 // message to santad to perform the upload logic for bundles.
diff --git a/Source/santad/SNTPolicyProcessor.m b/Source/santad/SNTPolicyProcessor.m
index a5666eba0..783f1c7d6 100644
--- a/Source/santad/SNTPolicyProcessor.m
+++ b/Source/santad/SNTPolicyProcessor.m
@@ -64,7 +64,7 @@ - (SNTCachedDecision *)decisionForFileInfo:(SNTFileInfo *)fileInfo
 // If transitive whitelisting is enabled, then SNTRuleStateWhiteListCompiler rules
 // become SNTEventStateAllowCompiler decisions. Otherwise we treat the rule as if
 // it were SNTRuleStateWhitelist.
- if ([[SNTConfigurator configurator] transitiveWhitelistingEnabled]) {
+ if ([[SNTConfigurator configurator] enableTransitiveWhitelisting]) {
 cd.decision = SNTEventStateAllowCompiler;
 } else {
 cd.decision = SNTEventStateAllow;
@@ -74,7 +74,7 @@ - (SNTCachedDecision *)decisionForFileInfo:(SNTFileInfo *)fileInfo
 // If transitive whitelisting is enabled, then SNTRuleStateWhitelistTransitive
 // rules become SNTEventStateAllowTransitive decisions. Otherwise, we treat the
 // rule as if it were SNTRuleStateUnknown.
- if ([[SNTConfigurator configurator] transitiveWhitelistingEnabled]) {
+ if ([[SNTConfigurator configurator] enableTransitiveWhitelisting]) {
 cd.decision = SNTEventStateAllowTransitive;
 return cd;
 } else {
diff --git a/Tests/LogicTests/SNTExecutionControllerTest.m b/Tests/LogicTests/SNTExecutionControllerTest.m
index 64c4ed586..c41f44608 100644
--- a/Tests/LogicTests/SNTExecutionControllerTest.m
+++ b/Tests/LogicTests/SNTExecutionControllerTest.m
@@ -168,7 +168,7 @@ - (void)testCertificateBlacklistRule {
 - (void)testBinaryWhitelistCompilerRule {
 OCMStub([self.mockFileInfo isMachO]).andReturn(YES);
 OCMStub([self.mockFileInfo SHA256]).andReturn(@"a");
- OCMStub([self.mockConfigurator transitiveWhitelistingEnabled]).andReturn(YES);
+ OCMStub([self.mockConfigurator enableTransitiveWhitelisting]).andReturn(YES);
 SNTRule *rule = [[SNTRule alloc] init];
 rule.state = SNTRuleStateWhitelistCompiler;
@@ -184,7 +184,7 @@ - (void)testBinaryWhitelistCompilerRule {
 - (void)testBinaryWhitelistCompilerRuleDisabled {
 OCMStub([self.mockFileInfo isMachO]).andReturn(YES);
 OCMStub([self.mockFileInfo SHA256]).andReturn(@"a");
- OCMStub([self.mockConfigurator transitiveWhitelistingEnabled]).andReturn(NO);
+ OCMStub([self.mockConfigurator enableTransitiveWhitelisting]).andReturn(NO);
 SNTRule *rule = [[SNTRule alloc] init];
 rule.state = SNTRuleStateWhitelistCompiler;
@@ -200,7 +200,7 @@ - (void)testBinaryWhitelistCompilerRuleDisabled {
 - (void)testBinaryWhitelistTransitiveRule {
 OCMStub([self.mockFileInfo isMachO]).andReturn(YES);
 OCMStub([self.mockFileInfo SHA256]).andReturn(@"a");
- OCMStub([self.mockConfigurator transitiveWhitelistingEnabled]).andReturn(YES);
+ OCMStub([self.mockConfigurator enableTransitiveWhitelisting]).andReturn(YES);
 SNTRule *rule = [[SNTRule alloc] init];
 rule.state = SNTRuleStateWhitelistTransitive;
@@ -217,7 +217,7 @@ - (void)testBinaryWhitelistTransitiveRuleDisabled {
 OCMStub([self.mockFileInfo isMachO]).andReturn(YES);
 OCMStub([self.mockFileInfo SHA256]).andReturn(@"a");
 OCMStub([self.mockConfigurator clientMode]).andReturn(SNTClientModeLockdown);
- OCMStub([self.mockConfigurator transitiveWhitelistingEnabled]).andReturn(NO);
+ OCMStub([self.mockConfigurator enableTransitiveWhitelisting]).andReturn(NO);
 SNTRule *rule = [[SNTRule alloc] init];
 rule.state = SNTRuleStateWhitelistTransitive;