google · mlw · Feb 26, 2024 · Feb 24, 2024 · Feb 26, 2024 · Feb 26, 2024
@@ -312,6 +312,12 @@ santa_unit_test(
     ],
 )
 
+objc_library(
+    name = "SNTRuleIdentifiers",
+    srcs = ["SNTRuleIdentifiers.m"],
+    hdrs = ["SNTRuleIdentifiers.h"],
+)
+
 objc_library(
     name = "SNTStoredEvent",
     srcs = ["SNTStoredEvent.m"],
@@ -377,6 +383,7 @@ objc_library(
         ":SNTCommonEnums",
         ":SNTConfigurator",
         ":SNTRule",
+        ":SNTRuleIdentifiers",
         ":SNTStoredEvent",
         ":SNTXPCUnprivilegedControlInterface",
         "@MOLCodesignChecker",

@@ -0,0 +1,49 @@
+/// Copyright 2024 Google LLC
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+/**
+ * This file declares two types that are mirrors of each other.
+ *
+ * The C struct serves as a way to group and pass valid rule identifiers around
+ * in order to minimize interface changes needed when new rule types are added
+ * and also alleviate the need to allocate a short lived object.
+ *
+ * The Objective C class is used for an XPC boundary to easily pass rule
+ * identifiers between Santa components.
+ */
+
+#import <Foundation/Foundation.h>
+
+struct RuleIdentifiers {
+  NSString *binarySHA256;
+  NSString *signingID;
+  NSString *certificateSHA256;
+  NSString *teamID;
+};
+
+@interface SNTRuleIdentifiers : NSObject
+@property(readonly) NSString *binarySHA256;
+@property(readonly) NSString *signingID;
+@property(readonly) NSString *certificateSHA256;
+@property(readonly) NSString *teamID;
+
+/// Please use `initWithRuleIdentifiers:`
+- (instancetype)init NS_UNAVAILABLE;
+
+- (instancetype)initWithRuleIdentifiers:(struct RuleIdentifiers)identifiers
+  NS_DESIGNATED_INITIALIZER;
+
+- (struct RuleIdentifiers)toStruct;
+
+@end
@@ -0,0 +1,37 @@
+/// Copyright 2024 Google LLC
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+#import "Source/common/SNTRuleIdentifiers.h"
+
+@implementation SNTRuleIdentifiers
+
+- (instancetype)initWithRuleIdentifiers:(struct RuleIdentifiers)identifiers {
+  self = [super init];
+  if (self) {
+    _binarySHA256 = identifiers.binarySHA256;
+    _signingID = identifiers.signingID;
+    _certificateSHA256 = identifiers.certificateSHA256;
+    _teamID = identifiers.teamID;
+  }
+  return self;
+}
+
+- (struct RuleIdentifiers)toStruct {
+  return (struct RuleIdentifiers){.binarySHA256 = self.binarySHA256,
+                                  .signingID = self.signingID,
+                                  .certificateSHA256 = self.certificateSHA256,
+                                  .teamID = self.teamID};
+}
+
+@end
@@ -12,6 +12,7 @@
 ///    See the License for the specific language governing permissions and
 ///    limitations under the License.
 
+#import "Source/common/SNTRuleIdentifiers.h"
 #import "Source/common/SNTXPCUnprivilegedControlInterface.h"
 
 ///
@@ -32,11 +33,8 @@
                        reply:(void (^)(NSError *error))reply;
 - (void)databaseEventsPending:(void (^)(NSArray *events))reply;
 - (void)databaseRemoveEventsWithIDs:(NSArray *)ids;
-- (void)databaseRuleForBinarySHA256:(NSString *)binarySHA256
-                  certificateSHA256:(NSString *)certificateSHA256
-                             teamID:(NSString *)teamID
-                          signingID:(NSString *)signingID
-                              reply:(void (^)(SNTRule *))reply;
+- (void)databaseRuleForIdentifiers:(SNTRuleIdentifiers *)identifiers
+                             reply:(void (^)(SNTRule *))reply;
 - (void)retrieveAllRules:(void (^)(NSArray<SNTRule *> *rules, NSError *error))reply;
 
 ///

@@ -22,6 +22,15 @@
 @class SNTStoredEvent;
 @class MOLXPCConnection;
 
+struct RuleCounts {
+  int64_t binary;
+  int64_t certificate;
+  int64_t compiler;
+  int64_t transitive;
+  int64_t teamID;
+  int64_t signingID;
+};
+
 ///
 ///  Protocol implemented by santad and utilized by santactl (unprivileged operations)
 ///
@@ -36,8 +45,7 @@
 ///
 ///  Database ops
 ///
-- (void)databaseRuleCounts:(void (^)(int64_t binary, int64_t certificate, int64_t compiler,
-                                     int64_t transitive, int64_t teamID, int64_t signingID))reply;
+- (void)databaseRuleCounts:(void (^)(struct RuleCounts ruleCounts))reply;
 - (void)databaseEventCount:(void (^)(int64_t count))reply;
 - (void)staticRuleCount:(void (^)(int64_t count))reply;
 

@@ -68,6 +68,7 @@ objc_library(
         "//Source/common:SNTLogging",
         "//Source/common:SNTMetricSet",
         "//Source/common:SNTRule",
+        "//Source/common:SNTRuleIdentifiers",
         "//Source/common:SNTStoredEvent",
         "//Source/common:SNTStrengthify",
         "//Source/common:SNTSystemInfo",

@@ -22,6 +22,7 @@
 #import "Source/common/SNTFileInfo.h"
 #import "Source/common/SNTLogging.h"
 #import "Source/common/SNTRule.h"
+#import "Source/common/SNTRuleIdentifiers.h"
 #import "Source/common/SNTXPCControlInterface.h"
 #import "Source/santactl/Commands/SNTCommandRule.h"
 #import "Source/santactl/SNTCommand.h"
@@ -365,20 +366,20 @@ + (NSString *)stringifyRule:(SNTRule *)rule withColor:(BOOL)colorize {
 
 - (void)printStateOfRule:(SNTRule *)rule daemonConnection:(MOLXPCConnection *)daemonConn {
   id<SNTDaemonControlXPC> rop = [daemonConn synchronousRemoteObjectProxy];
-  NSString *fileSHA256 = (rule.type == SNTRuleTypeBinary) ? rule.identifier : nil;
-  NSString *certificateSHA256 = (rule.type == SNTRuleTypeCertificate) ? rule.identifier : nil;
-  NSString *teamID = (rule.type == SNTRuleTypeTeamID) ? rule.identifier : nil;
-  NSString *signingID = (rule.type == SNTRuleTypeSigningID) ? rule.identifier : nil;
   __block NSString *output;
 
-  [rop databaseRuleForBinarySHA256:fileSHA256
-                 certificateSHA256:certificateSHA256
-                            teamID:teamID
-                         signingID:signingID
-                             reply:^(SNTRule *r) {
-                               output = [SNTCommandRule stringifyRule:r
-                                                            withColor:(isatty(STDOUT_FILENO) == 1)];
-                             }];
+  struct RuleIdentifiers identifiers = {
+    .binarySHA256 = (rule.type == SNTRuleTypeBinary) ? rule.identifier : nil,
+    .certificateSHA256 = (rule.type == SNTRuleTypeCertificate) ? rule.identifier : nil,
+    .teamID = (rule.type == SNTRuleTypeTeamID) ? rule.identifier : nil,
+    .signingID = (rule.type == SNTRuleTypeSigningID) ? rule.identifier : nil,
+  };
+
+  [rop databaseRuleForIdentifiers:[[SNTRuleIdentifiers alloc] initWithRuleIdentifiers:identifiers]
+                            reply:^(SNTRule *r) {
+                              output = [SNTCommandRule stringifyRule:r
+                                                           withColor:(isatty(STDOUT_FILENO) == 1)];
+                            }];
 
   printf("%s\n", output.UTF8String);
   exit(0);

@@ -91,22 +91,19 @@ - (void)runWithArguments:(NSArray *)arguments {
   }];
 
   // Database counts
-  __block int64_t eventCount = -1;
-  __block int64_t binaryRuleCount = -1;
-  __block int64_t certRuleCount = -1;
-  __block int64_t teamIDRuleCount = -1;
-  __block int64_t signingIDRuleCount = -1;
-  __block int64_t compilerRuleCount = -1;
-  __block int64_t transitiveRuleCount = -1;
-  [rop databaseRuleCounts:^(int64_t binary, int64_t certificate, int64_t compiler,
-                            int64_t transitive, int64_t teamID, int64_t signingID) {
-    binaryRuleCount = binary;
-    certRuleCount = certificate;
-    teamIDRuleCount = teamID;
-    signingIDRuleCount = signingID;
-    compilerRuleCount = compiler;
-    transitiveRuleCount = transitive;
+  __block struct RuleCounts ruleCounts = {
+    .binary = -1,
+    .certificate = -1,
+    .compiler = -1,
+    .transitive = -1,
+    .teamID = -1,
+    .signingID = -1,
+  };
+  [rop databaseRuleCounts:^(struct RuleCounts counts) {
+    ruleCounts = counts;
   }];
+
+  __block int64_t eventCount = -1;
   [rop databaseEventCount:^(int64_t count) {
     eventCount = count;
   }];
@@ -212,12 +209,12 @@ - (void)runWithArguments:(NSArray *)arguments {
         @"on_start_usb_options" : StartupOptionToString(configurator.onStartUSBOptions),
       },
       @"database" : @{
-        @"binary_rules" : @(binaryRuleCount),
-        @"certificate_rules" : @(certRuleCount),
-        @"teamid_rules" : @(teamIDRuleCount),
-        @"signingid_rules" : @(signingIDRuleCount),
-        @"compiler_rules" : @(compilerRuleCount),
-        @"transitive_rules" : @(transitiveRuleCount),
+        @"binary_rules" : @(ruleCounts.binary),
+        @"certificate_rules" : @(ruleCounts.certificate),
+        @"teamid_rules" : @(ruleCounts.teamID),
+        @"signingid_rules" : @(ruleCounts.signingID),
+        @"compiler_rules" : @(ruleCounts.compiler),
+        @"transitive_rules" : @(ruleCounts.transitive),
         @"events_pending_upload" : @(eventCount),
       },
       @"static_rules" : @{
@@ -284,12 +281,12 @@ - (void)runWithArguments:(NSArray *)arguments {
     printf("  %-25s | %lld\n", "Non-root cache count", nonRootCacheCount);
 
     printf(">>> Database Info\n");
-    printf("  %-25s | %lld\n", "Binary Rules", binaryRuleCount);
-    printf("  %-25s | %lld\n", "Certificate Rules", certRuleCount);
-    printf("  %-25s | %lld\n", "TeamID Rules", teamIDRuleCount);
-    printf("  %-25s | %lld\n", "SigningID Rules", signingIDRuleCount);
-    printf("  %-25s | %lld\n", "Compiler Rules", compilerRuleCount);
-    printf("  %-25s | %lld\n", "Transitive Rules", transitiveRuleCount);
+    printf("  %-25s | %lld\n", "Binary Rules", ruleCounts.binary);
+    printf("  %-25s | %lld\n", "Certificate Rules", ruleCounts.certificate);
+    printf("  %-25s | %lld\n", "TeamID Rules", ruleCounts.teamID);
+    printf("  %-25s | %lld\n", "SigningID Rules", ruleCounts.signingID);
+    printf("  %-25s | %lld\n", "Compiler Rules", ruleCounts.compiler);
+    printf("  %-25s | %lld\n", "Transitive Rules", ruleCounts.transitive);
     printf("  %-25s | %lld\n", "Events Pending Upload", eventCount);
 
     if ([SNTConfigurator configurator].staticRules.count) {

@@ -33,6 +33,7 @@ objc_library(
         "//Source/common:SNTFileInfo",
         "//Source/common:SNTLogging",
         "//Source/common:SNTRule",
+        "//Source/common:SNTRuleIdentifiers",
         "@MOLCertificate",
         "@MOLCodesignChecker",
     ],
@@ -192,13 +193,10 @@ objc_library(
 
 objc_library(
     name = "SNTPolicyProcessor",
-    srcs = [
-        "DataLayer/SNTDatabaseTable.h",
-        "DataLayer/SNTRuleTable.h",
-        "SNTPolicyProcessor.m",
-    ],
+    srcs = ["SNTPolicyProcessor.m"],
     hdrs = ["SNTPolicyProcessor.h"],
     deps = [
+        ":SNTRuleTable",
         "//Source/common:SNTCachedDecision",
         "//Source/common:SNTCommonEnums",
         "//Source/common:SNTConfigurator",
@@ -668,6 +666,7 @@ objc_library(
         "//Source/common:SNTLogging",
         "//Source/common:SNTMetricSet",
         "//Source/common:SNTRule",
+        "//Source/common:SNTRuleIdentifiers",
         "//Source/common:SNTStoredEvent",
         "//Source/common:SNTStrengthify",
         "//Source/common:SNTXPCControlInterface",
@@ -877,6 +876,7 @@ santa_unit_test(
         "//Source/common:SNTFileInfo",
         "//Source/common:SNTLogging",
         "//Source/common:SNTRule",
+        "//Source/common:SNTRuleIdentifiers",
         "@FMDB",
         "@MOLCertificate",
         "@MOLCodesignChecker",
@@ -1213,6 +1213,7 @@ santa_unit_test(
         "//Source/common:SNTFileInfo",
         "//Source/common:SNTMetricSet",
         "//Source/common:SNTRule",
+        "//Source/common:SNTRuleIdentifiers",
         "//Source/common:TestUtils",
         "@MOLCertificate",
         "@MOLCodesignChecker",

@@ -15,6 +15,7 @@
 #import <Foundation/Foundation.h>
 
 #import "Source/common/SNTCommonEnums.h"
+#import "Source/common/SNTRuleIdentifiers.h"
 #import "Source/santad/DataLayer/SNTDatabaseTable.h"
 
 @class SNTCachedDecision;
@@ -29,46 +30,44 @@
 ///
 ///  @return Number of rules in the database
 ///
-- (NSUInteger)ruleCount;
+- (int64_t)ruleCount;
 
 ///
 ///  @return Number of binary rules in the database
 ///
-- (NSUInteger)binaryRuleCount;
+- (int64_t)binaryRuleCount;
 
 ///
 ///  @return Number of compiler rules in the database
 ///
-- (NSUInteger)compilerRuleCount;
+- (int64_t)compilerRuleCount;
 
 ///
 ///  @return Number of transitive rules in the database
 ///
-- (NSUInteger)transitiveRuleCount;
+- (int64_t)transitiveRuleCount;
 
 ///
 ///  @return Number of certificate rules in the database
 ///
-- (NSUInteger)certificateRuleCount;
+- (int64_t)certificateRuleCount;
 
 ///
 /// @return Number of team ID rules in the database
 ///
-- (NSUInteger)teamIDRuleCount;
+- (int64_t)teamIDRuleCount;
 
 ///
 /// @return Number of signing ID rules in the database
 ///
-- (NSUInteger)signingIDRuleCount;
+- (int64_t)signingIDRuleCount;
 
 ///
-///  @return Rule for binary, signingID, certificate or teamID (in that order).
+///  @return Rule for given identifiers.
+///          Currently: binary, signingID, certificate or teamID (in that order).
 ///          The first matching rule found is returned.
 ///
-- (SNTRule *)ruleForBinarySHA256:(NSString *)binarySHA256
-                       signingID:(NSString *)signingID
-               certificateSHA256:(NSString *)certificateSHA256
-                          teamID:(NSString *)teamID;
+- (SNTRule *)ruleForIdentifiers:(struct RuleIdentifiers)identifiers;
 
 ///
 ///  Add an array of rules to the database. The rules will be added within a transaction and the