google · tnek · Mar 21, 2022 · Mar 21, 2022
@@ -4,12 +4,11 @@
     <img src="./Source/santa/Resources/Images.xcassets/AppIcon.appiconset/santa-hat-icon-128.png" alt="Santa Icon" />
 </p>
 
-Santa is a binary authorization system for macOS. It consists of a system or
-kernel extension (depending on the macOS version) that monitors for executions,
-a daemon that makes execution decisions based on the contents of a local
-database, a GUI agent that notifies the user in case of a block decision
-and a command-line utility for managing the system and synchronizing the
-database with a server.
+Santa is a binary authorization system for macOS. It consists of a system 
+extension that monitors for executions, a daemon that makes execution decisions 
+based on the contents of a local database, a GUI agent that notifies the user in
+case of a block decision and a command-line utility for managing the system and 
+synchronizing the database with a server.
 
 It is named Santa because it keeps track of binaries that are naughty or nice.
 

@@ -10,10 +10,6 @@ Most IPC within Santa is done by way of Apple's
 to provide client multiplexing, signature validation of connecting clients and
 forced connection establishment. This is called SNTXPCConnection.
 
-Communication between santad and santa-driver (KEXT) is done with a
-[IOUserClient](https://developer.apple.com/documentation/kernel/iouserclient?language=objc)
-subclass and IOKit/IOKitLib.h functions.
-
 ##### Who starts who?
 
 The santad and Santa (GUI) processes are both started and kept alive by launchd

@@ -30,9 +30,3 @@ flight, including messages related to the system extension:
 ```sh
 /usr/bin/log show --info --debug --predicate 'senderImagePath CONTAINS[c] "santa"'
 ```
-
-For those still using the kernel extension, you could use a more specific command:
-
-```sh
-/usr/bin/log show --info --debug --predicate 'senderImagePath == "/Library/Extensions/santa-driver.kext/Contents/MacOS/santa-driver"'
-````
@@ -4,7 +4,7 @@ parent: Details
 
 # santabs
 
-The santabs process is an XPC service for the santa-driver.kext bundle, meaning
+The santabs process is an XPC service for the santad bundle, meaning
 only binaries within that bundle can launch santabs. It will be launched with
 the same privileges as its calling process. Currently, santad is the only caller
 of santabs, so santabs runs as root.

@@ -80,7 +80,6 @@ To view all of the component versions `santactl version`
 
 ```sh
 ⇒  santactl version
-santa-driver    | 0.9.19
 santad          | 0.9.19
 santactl        | 0.9.19
 SantaGUI        | 0.9.19
@@ -91,7 +90,6 @@ Again, a JSON version is available `santactl version --json`
 ```sh
 ⇒  santactl version --json
 {
-  "santa-driver" : "0.9.19",
   "santad" : "0.9.19",
   "SantaGUI" : "0.9.19",
   "santactl" : "0.9.19"
@@ -408,35 +406,3 @@ BundleID: com.ridiculousfish.HexFiend
 
 See the [santabs.md](santabs.md) document for more information on bundles and
 bundle hashes.
-
-##### checkcache
-
-This is used to check if a particular file is apart of santa-driver's kernel
-cache. Mainly for debugging purposes.
-
-```sh
-⇒  santactl checkcache /usr/bin/yes
-File does not exist in cache
-⇒  /usr/bin/yes
-y
-y
-y
-y
-y
-^C
-⇒  santactl checkcache /usr/bin/yes
-File exists in [allowlist] kernel cache
-```
-
-##### flushcache
-
-This can be used to flush santa-driver's kernel cache, as shown here.
-
-```sh
-⇒  santactl checkcache /usr/bin/yes
-File exists in [allowlist] kernel cache
-⇒  sudo santactl flushcache
-Cache flush requested
-⇒  santactl checkcache /usr/bin/yes
-File does not exist in cache
-```
@@ -35,8 +35,7 @@ For those who want even more details on how Santa works under the hood, this sec
 
 There are five main components that make up Santa whose core functionality is described in snippets below. For additional detail on each component, visit their respective pages. These quick descriptions do not encompass all the jobs performed by each component, but do provide a quick look at the basic functionality utilized to achieve the goal of binary authorization.
 
-* [santa-driver](details/santa-driver.md): A macOS kernel extension that participates in `execve()` decisions.
-* [santad](details/santad.md): A user-land root daemon that makes decisions on behalf of santa-driver requests.
+* [santad](details/santad.md): A user-land root daemon that makes decisions.
 * [santactl](details/santactl.md): A user-land anonymous daemon that communicates with a sync server for configurations and policies. santactl can also be used by a user to manually configure Santa when using the local configuration.
 * [santa-gui](details/santa-gui.md): A user-land GUI daemon that displays notifications when an `execve()` is blocked.
 * [santabs](details/santabs.md): A user-land root daemon that finds Mach-O binaries within a bundle and creates events for them.