Add transitive whitelisting to Santa

Santa.xcodeproj/project.pbxproj

@@ -159,6 +159,8 @@
 		59D56CF2D9C5BD9B7E3CC56D /* libPods-santad-santabs.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 14B98F4051188ECB7D024331 /* libPods-santad-santabs.a */; };
 		81133DB01F3A76F700917FF9 /* SNTCommand.m in Sources */ = {isa = PBXBuildFile; fileRef = 81133DAF1F3A75CE00917FF9 /* SNTCommand.m */; };
 		81133DB11F3A77C600917FF9 /* SNTCommand.m in Sources */ = {isa = PBXBuildFile; fileRef = 81133DAF1F3A75CE00917FF9 /* SNTCommand.m */; };
+		81A00E7F1FD74F8E00A84676 /* SNTCompilerController.m in Sources */ = {isa = PBXBuildFile; fileRef = 81A00E7E1FD74EFF00A84676 /* SNTCompilerController.m */; };
+		81A00E801FD74F9100A84676 /* SNTCompilerController.m in Sources */ = {isa = PBXBuildFile; fileRef = 81A00E7E1FD74EFF00A84676 /* SNTCompilerController.m */; };
 		B352A545B76783D568A6D0C5 /* libPods-Santa.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 90E9D568200AB9B642E06272 /* libPods-Santa.a */; };
 		C714F8B11D8044D400700EDF /* SNTCommandFileInfo.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DCD5FBE1909D64A006B445C /* SNTCommandFileInfo.m */; };
 		C714F8B21D8044FE00700EDF /* SNTCommandController.m in Sources */ = {isa = PBXBuildFile; fileRef = 0D35BDAB18FD7CFD00921A21 /* SNTCommandController.m */; };
@@ -431,6 +433,8 @@
 		7D949AA996AEAC326A4F6596 /* libPods-LogicTests.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = "libPods-LogicTests.a"; sourceTree = BUILT_PRODUCTS_DIR; };
 		81133DAE1F3A75CE00917FF9 /* SNTCommand.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SNTCommand.h; sourceTree = "<group>"; };
 		81133DAF1F3A75CE00917FF9 /* SNTCommand.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTCommand.m; sourceTree = "<group>"; };
+		81A00E7D1FD74EFF00A84676 /* SNTCompilerController.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SNTCompilerController.h; sourceTree = "<group>"; };
+		81A00E7E1FD74EFF00A84676 /* SNTCompilerController.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTCompilerController.m; sourceTree = "<group>"; };
 		8EF10E4B8C86CED022C72F1B /* Pods-santactl.debug.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-santactl.debug.xcconfig"; path = "Pods/Target Support Files/Pods-santactl/Pods-santactl.debug.xcconfig"; sourceTree = "<group>"; };
 		90E9D568200AB9B642E06272 /* libPods-Santa.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = "libPods-Santa.a"; sourceTree = BUILT_PRODUCTS_DIR; };
 		A6A91785C40257CC156B4F05 /* Pods-Santa.release.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-Santa.release.xcconfig"; path = "Pods/Target Support Files/Pods-Santa/Pods-Santa.release.xcconfig"; sourceTree = "<group>"; };
@@ -767,6 +771,8 @@
 				0DB8ACC0185662DC00FEF9C7 /* SNTApplication.m */,
 				0DE71A731B95F7F900518526 /* SNTCachedDecision.h */,
 				0DE71A741B95F7F900518526 /* SNTCachedDecision.m */,
+				81A00E7D1FD74EFF00A84676 /* SNTCompilerController.h */,
+				81A00E7E1FD74EFF00A84676 /* SNTCompilerController.m */,
 				0D8E18CB19107B56000F89B8 /* SNTDaemonControlController.h */,
 				0D8E18CC19107B56000F89B8 /* SNTDaemonControlController.m */,
 				0D63DD5A1906FCB400D346C4 /* SNTDatabaseController.h */,
@@ -1227,7 +1233,7 @@
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
-			shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n    # print error to STDERR\n    echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n    exit 1\nfi\n";
+			shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n    # print error to STDERR\n    echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n    exit 1\nfi\n# This output is used by Xcode 'outputs' to avoid re-running this script phase.\necho \"SUCCESS\" > \"${SCRIPT_OUTPUT_FILE_0}\"\n";
 			showEnvVarsInLog = 0;
 		};
 		2146C1274A8C11B3755A8A67 /* [CP] Check Pods Manifest.lock */ = {
@@ -1242,7 +1248,7 @@
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
-			shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n    # print error to STDERR\n    echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n    exit 1\nfi\n";
+			shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n    # print error to STDERR\n    echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n    exit 1\nfi\n# This output is used by Xcode 'outputs' to avoid re-running this script phase.\necho \"SUCCESS\" > \"${SCRIPT_OUTPUT_FILE_0}\"\n";
 			showEnvVarsInLog = 0;
 		};
 		23869BA352E2C86DEFE62819 /* [CP] Copy Pods Resources */ = {
@@ -1302,7 +1308,7 @@
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
-			shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n    # print error to STDERR\n    echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n    exit 1\nfi\n";
+			shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n    # print error to STDERR\n    echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n    exit 1\nfi\n# This output is used by Xcode 'outputs' to avoid re-running this script phase.\necho \"SUCCESS\" > \"${SCRIPT_OUTPUT_FILE_0}\"\n";
 			showEnvVarsInLog = 0;
 		};
 		B193461D3612BCB47C16E407 /* [CP] Check Pods Manifest.lock */ = {
@@ -1317,7 +1323,7 @@
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
-			shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n    # print error to STDERR\n    echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n    exit 1\nfi\n";
+			shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n    # print error to STDERR\n    echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n    exit 1\nfi\n# This output is used by Xcode 'outputs' to avoid re-running this script phase.\necho \"SUCCESS\" > \"${SCRIPT_OUTPUT_FILE_0}\"\n";
 			showEnvVarsInLog = 0;
 		};
 		BA20035148DDEF5808B2C7EF /* [CP] Embed Pods Frameworks */ = {
@@ -1364,7 +1370,7 @@
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
-			shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n    # print error to STDERR\n    echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n    exit 1\nfi\n";
+			shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n    # print error to STDERR\n    echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n    exit 1\nfi\n# This output is used by Xcode 'outputs' to avoid re-running this script phase.\necho \"SUCCESS\" > \"${SCRIPT_OUTPUT_FILE_0}\"\n";
 			showEnvVarsInLog = 0;
 		};
 		D49A3AB950AFD99741E9AF89 /* [CP] Embed Pods Frameworks */ = {
@@ -1465,6 +1471,7 @@
 				0D41DAD41A7C28C800A890FE /* SNTEventTableTest.m in Sources */,
 				0D3AFBEE18FB4C6C0087BCEE /* SNTApplication.m in Sources */,
 				0DD0D48F194F78F8005F27EB /* SNTFileInfoTest.m in Sources */,
+				81A00E801FD74F9100A84676 /* SNTCompilerController.m in Sources */,
 				0DC5D86E191AED220078A5C0 /* SNTRuleTable.m in Sources */,
 				0DD0D492194F9BEF005F27EB /* SNTLogging.m in Sources */,
 				0DE71A761B95F7F900518526 /* SNTCachedDecision.m in Sources */,
@@ -1574,6 +1581,7 @@
 				0D377C2A17A071B7008453DB /* SNTEventTable.m in Sources */,
 				0DE50F681912716A007B2B0C /* SNTRule.m in Sources */,
 				0DB77FD81CCE824A004DF060 /* SNTBlockMessage.m in Sources */,
+				81A00E7F1FD74F8E00A84676 /* SNTCompilerController.m in Sources */,
 				0D37C10F18F6029A0069BC61 /* SNTDatabaseTable.m in Sources */,
 				0D42D2B819D2042900955F08 /* SNTConfigurator.m in Sources */,
 				0DCD605519115D17006B445C /* SNTXPCControlInterface.m in Sources */,

Source/common/SNTCommonEnums.h

@@ -33,6 +33,9 @@ typedef NS_ENUM(NSInteger, SNTRuleState) {
   SNTRuleStateBlacklist = 2,
   SNTRuleStateSilentBlacklist = 3,
   SNTRuleStateRemove = 4,
+
+  SNTRuleStateWhitelistCompiler = 5,
+  SNTRuleStateWhitelistTransitive = 6,
 };
 
 typedef NS_ENUM(NSInteger, SNTClientMode) {
@@ -58,6 +61,8 @@ typedef NS_ENUM(NSInteger, SNTEventState) {
   SNTEventStateAllowBinary = 1 << 25,
   SNTEventStateAllowCertificate = 1 << 26,
   SNTEventStateAllowScope = 1 << 27,
+  SNTEventStateAllowCompiler = 1 << 28,
+  SNTEventStateAllowTransitive = 1 << 29,
 
   // Block and Allow masks
   SNTEventStateBlock = 0xFF << 16,

Source/common/SNTConfigurator.h

@@ -159,6 +159,15 @@ extern NSString *const kDefaultConfigFilePath;
 ///
 @property BOOL bundlesEnabled;
 
+#pragma mark Transitive Whitelisting Settings
+
+///
+///  If YES, binaries marked with SNTRuleStateWhitelistCompiler rules are allowed to transitively
+///  whitelist any executables that they produce.  If NO, SNTRuleStateWhitelistCompiler rules are
+///  interpreted as if they were simply SNTRuleStateWhitelist rules.  Defaults to NO.
+///
+@property BOOL transitiveWhitelistingEnabled;
+
 #pragma mark Server Auth Settings
 
 ///

Source/common/SNTKernelCommon.h

@@ -36,6 +36,8 @@
 enum SantaDriverMethods {
   kSantaUserClientOpen,
   kSantaUserClientAllowBinary,
+  kSantaUserClientAllowCompiler,
+  kSantaUserClientAllowTransitive,
   kSantaUserClientDenyBinary,
   kSantaUserClientClearCache,
   kSantaUserClientCacheCount,
@@ -48,7 +50,7 @@ enum SantaDriverMethods {
 
 typedef enum {
   QUEUETYPE_DECISION,
-  QUEUETYPE_LOG
+  QUEUETYPE_LOG,
 } santa_queuetype_t;
 
 // Enum defining actions that can be passed down the IODataQueue and in
@@ -63,6 +65,8 @@ typedef enum {
   // RESPONSES
   ACTION_RESPOND_ALLOW = 20,
   ACTION_RESPOND_DENY = 21,
+  ACTION_RESPOND_ALLOW_COMPILER = 22,
+  ACTION_RESPOND_ALLOW_TRANSITIVE = 23,
 
   // NOTIFY
   ACTION_NOTIFY_EXEC = 30,
@@ -71,13 +75,15 @@ typedef enum {
   ACTION_NOTIFY_LINK = 33,
   ACTION_NOTIFY_EXCHANGE = 34,
   ACTION_NOTIFY_DELETE = 35,
+  ACTION_NOTIFY_CLOSE = 36,
 
   // ERROR
   ACTION_ERROR = 99,
 } santa_action_t;
 
 #define RESPONSE_VALID(x) \
-  (x == ACTION_RESPOND_ALLOW || x == ACTION_RESPOND_DENY)
+  (x == ACTION_RESPOND_ALLOW || x == ACTION_RESPOND_DENY || x == ACTION_RESPOND_ALLOW_COMPILER || \
+   x == ACTION_RESPOND_ALLOW_TRANSITIVE)
 
 // Message struct that is sent down the IODataQueue.
 typedef struct {

Source/common/SNTRule.h

@@ -41,12 +41,32 @@
 ///
 @property(copy) NSString *customMsg;
 
+///
+///  The time when this rule was last retrieved from the rules database, if rule is transitive.
+///  Stored as number of seconds since 00:00:00 UTC on 1 January 2001.
+///
+@property(readonly) NSUInteger timestamp;
+
 ///
 ///  Designated initializer.
 ///
+- (instancetype)initWithShasum:(NSString *)shasum
+                         state:(SNTRuleState)state
+                          type:(SNTRuleType)type
+                     customMsg:(NSString *)customMsg
+                     timestamp:(NSUInteger)timestamp;
+
+///
+///  Initialize with a default timestamp: current time if rule state is transitive, 0 otherwise.
+///
 - (instancetype)initWithShasum:(NSString *)shasum
                          state:(SNTRuleState)state
                           type:(SNTRuleType)type
                      customMsg:(NSString *)customMsg;
 
+///
+///  Sets timestamp of rule to the current time.
+///
+- (void)resetTimestamp;
+
 @end

Source/common/SNTRule.m

@@ -19,17 +19,37 @@ @implementation SNTRule
 - (instancetype)initWithShasum:(NSString *)shasum
                          state:(SNTRuleState)state
                           type:(SNTRuleType)type
-                     customMsg:(NSString *)customMsg {
+                     customMsg:(NSString *)customMsg
+                     timestamp:(NSUInteger)timestamp {
   self = [super init];
   if (self) {
     _shasum = shasum;
     _state = state;
     _type = type;
     _customMsg = customMsg;
+    _timestamp = timestamp;
+  }
+  return self;
+}
+
+- (instancetype)initWithShasum:(NSString *)shasum
+                         state:(SNTRuleState)state
+                          type:(SNTRuleType)type
+                     customMsg:(NSString *)customMsg {
+
+  self = [self initWithShasum:shasum
+                        state:state
+                         type:type
+                    customMsg:customMsg
+                    timestamp:0];
+  // Initialize timestamp to current time if rule is transitive.
+  if (self && state == SNTRuleStateWhitelistTransitive) {
+    [self resetTimestamp];
   }
   return self;
 }
 
+
 #pragma mark NSSecureCoding
 
 #define ENCODE(obj, key) if (obj) [coder encodeObject:obj forKey:key]
@@ -44,6 +64,7 @@ - (void)encodeWithCoder:(NSCoder *)coder {
   ENCODE(@(self.state), @"state");
   ENCODE(@(self.type), @"type");
   ENCODE(self.customMsg, @"custommsg");
+  ENCODE(@(self.timestamp), @"timestamp");
 }
 
 - (instancetype)initWithCoder:(NSCoder *)decoder {
@@ -53,6 +74,7 @@ - (instancetype)initWithCoder:(NSCoder *)decoder {
     _state = [DECODE(NSNumber, @"state") intValue];
     _type = [DECODE(NSNumber, @"type") intValue];
     _customMsg = DECODE(NSString, @"custommsg");
+    _timestamp = [DECODE(NSNumber, @"timestamp") unsignedIntegerValue];
   }
   return self;
 }
@@ -64,7 +86,9 @@ - (BOOL)isEqual:(id)other {
   if (other == self) return YES;
   if (![other isKindOfClass:[SNTRule class]]) return NO;
   SNTRule *o = other;
-  return ([self.shasum isEqual:o.shasum] && self.state == o.state && self.type == o.type);
+  return ([self.shasum isEqual:o.shasum] &&
+          self.state == o.state &&
+          self.type == o.type);
 }
 
 - (NSUInteger)hash {
@@ -73,12 +97,19 @@ - (NSUInteger)hash {
   result = prime * result + [self.shasum hash];
   result = prime * result + self.state;
   result = prime * result + self.type;
+  result = prime * result + self.timestamp;
   return result;
 }
 
 - (NSString *)description {
-  return [NSString stringWithFormat:@"SNTRule: SHA-256: %@, State: %ld, Type: %ld",
-                                    self.shasum, self.state, self.type];
+  return [NSString stringWithFormat:@"SNTRule: SHA-256: %@, State: %ld, Type: %ld, Timestamp: %lu",
+          self.shasum, self.state, self.type, (unsigned long)self.timestamp];
+}
+
+# pragma mark Last-access Timestamp
+
+- (void)resetTimestamp {
+  _timestamp = (NSUInteger)[[NSDate date] timeIntervalSinceReferenceDate];
 }
 
 @end

Source/common/SNTXPCControlInterface.h

@@ -40,7 +40,10 @@
 ///
 ///  Database ops
 ///
-- (void)databaseRuleCounts:(void (^)(int64_t binary, int64_t certificate))reply;
+- (void)databaseRuleCounts:(void (^)(int64_t binary,
+                                     int64_t certificate,
+                                     int64_t compiler,
+                                     int64_t transitive))reply;
 - (void)databaseRuleAddRules:(NSArray *)rules
                   cleanSlate:(BOOL)cleanSlate
                        reply:(void (^)(NSError *error))reply;
@@ -82,6 +85,8 @@
 - (void)setBlacklistPathRegex:(NSString *)pattern reply:(void (^)())reply;
 - (void)bundlesEnabled:(void (^)(BOOL))reply;
 - (void)setBundlesEnabled:(BOOL)bundlesEnabled reply:(void (^)())reply;
+- (void)transitiveWhitelistingEnabled:(void (^)(BOOL))reply;
+- (void)setTransitiveWhitelistingEnabled:(BOOL)enabled reply:(void (^)())reply;
 
 ///
 ///  GUI Ops