google · mlw · May 31, 2022 · May 27, 2022 · May 31, 2022 · May 31, 2022
@@ -69,6 +69,10 @@ API_UNAVAILABLE(ios, tvos, watchos)
 es_new_client_result_t es_new_client(es_client_t *_Nullable *_Nonnull client,
                                      es_handler_block_t _Nonnull handler);
 
+API_AVAILABLE(macos(10.15)) API_UNAVAILABLE(ios, tvos, watchos)
+es_return_t es_mute_process(es_client_t * _Nonnull client,
+                            const audit_token_t * _Nonnull audit_token);
+
 #if defined(MAC_OS_VERSION_12_0) && MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_VERSION_12_0
 API_AVAILABLE(macos(12.0))
 API_UNAVAILABLE(ios, tvos, watchos)

@@ -301,6 +301,11 @@ es_new_client_result_t es_new_client(es_client_t *_Nullable *_Nonnull client,
   return ES_NEW_CLIENT_RESULT_SUCCESS;
 };
 
+es_return_t es_mute_process(es_client_t * _Nonnull client,
+                            const audit_token_t * _Nonnull audit_token) {
+  return ES_RETURN_SUCCESS;
+}
+
 #if defined(MAC_OS_VERSION_12_0) && MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_VERSION_12_0
 API_AVAILABLE(macos(12.0))
 API_UNAVAILABLE(ios, tvos, watchos)

@@ -34,7 +34,6 @@ @interface SNTEndpointSecurityManager () {
 @property(nonatomic) SNTPrefixTree *prefixTree;
 @property(nonatomic, readonly) dispatch_queue_t esAuthQueue;
 @property(nonatomic, readonly) dispatch_queue_t esNotifyQueue;
-@property(nonatomic, readonly) pid_t selfPID;
 
 @end
 
@@ -48,6 +47,7 @@ - (instancetype)init API_AVAILABLE(macos(10.15)) {
     _decisionCallback = ^(santa_message_t) {};
     _logCallback = ^(santa_message_t) {};
     [self establishClient];
+    [self muteSelf];
     _prefixTree = new SNTPrefixTree();
     _esAuthQueue =
       dispatch_queue_create("com.google.santa.daemon.es_auth", DISPATCH_QUEUE_CONCURRENT);
@@ -56,7 +56,6 @@ - (instancetype)init API_AVAILABLE(macos(10.15)) {
     _esNotifyQueue =
       dispatch_queue_create("com.google.santa.daemon.es_notify", DISPATCH_QUEUE_CONCURRENT);
     dispatch_set_target_queue(_esNotifyQueue, dispatch_get_global_queue(QOS_CLASS_BACKGROUND, 0));
-    _selfPID = getpid();
   }
 
   return self;
@@ -70,6 +69,24 @@ - (void)dealloc API_AVAILABLE(macos(10.15)) {
   if (_prefixTree) delete _prefixTree;
 }
 
+- (void)muteSelf {
+  audit_token_t myAuditToken;
+  mach_msg_type_number_t count = TASK_AUDIT_TOKEN_COUNT;
+  if (task_info(mach_task_self(), TASK_AUDIT_TOKEN, (task_info_t)&myAuditToken, &count) ==
+        KERN_SUCCESS) {
+    if (es_mute_process(self.client, &myAuditToken) == ES_RETURN_SUCCESS) {
+      return;
+    } else {
+      LOGE(@"Failed to mute this client's process, its events will not be muted.");
+    }
+  } else {
+    LOGE(@"Failed to fetch this client's audit token. Its events will not be muted.");
+  }
+
+  // If we get here, Santa was unable to mute itself. Assume transitory and bail.
+  exit(EXIT_FAILURE);
+}
+
 - (void)establishClient API_AVAILABLE(macos(10.15)) {
   while (!self.client) {
     SNTConfigurator *config = [SNTConfigurator configurator];
@@ -84,9 +101,7 @@ - (void)establishClient API_AVAILABLE(macos(10.15)) {
         if (m->action_type == ES_ACTION_TYPE_AUTH) {
           es_respond_auth_result(self.client, m, ES_AUTH_RESULT_ALLOW, false);
         }
-        if (self.selfPID != pid) {
-          LOGD(@"Skipping event type: 0x%x from es_client pid: %d", m->event_type, pid);
-        }
+
         return;
       }
 
@@ -235,9 +250,6 @@ - (void)establishClient API_AVAILABLE(macos(10.15)) {
           break;
         }
         case ES_ACTION_TYPE_NOTIFY: {
-          // Don't log fileop events from com.google.santa.daemon
-          if (self.selfPID == pid && m->event_type != ES_EVENT_TYPE_NOTIFY_EXEC) return;
-
           // Copy the message and return control back to ES
           es_message_t *mc = es_copy_message(m);
           dispatch_async(self.esNotifyQueue, ^{
@@ -322,8 +334,7 @@ - (void)messageHandler:(es_message_t *)m API_AVAILABLE(macos(10.15)) {
       NSString *path = [[NSString alloc] initWithBytes:pathToken.data
                                                 length:pathToken.length
                                               encoding:NSUTF8StringEncoding];
-      if ([self isDatabasePath:path] &&
-          audit_token_to_pid(m->process->audit_token) != self.selfPID) {
+      if ([self isDatabasePath:path]) {
         LOGW(@"Preventing attempt to delete Santa databases!");
         es_respond_auth_result(self.client, m, ES_AUTH_RESULT_DENY, true);
         return;
@@ -337,8 +348,7 @@ - (void)messageHandler:(es_message_t *)m API_AVAILABLE(macos(10.15)) {
                                                 length:pathToken.length
                                               encoding:NSUTF8StringEncoding];
 
-      if ([self isDatabasePath:path] &&
-          audit_token_to_pid(m->process->audit_token) != self.selfPID) {
+      if ([self isDatabasePath:path]) {
         LOGW(@"Preventing attempt to rename Santa databases!");
         es_respond_auth_result(self.client, m, ES_AUTH_RESULT_DENY, true);
         return;
@@ -348,8 +358,7 @@ - (void)messageHandler:(es_message_t *)m API_AVAILABLE(macos(10.15)) {
         NSString *destPath = [[NSString alloc] initWithBytes:destToken.data
                                                       length:destToken.length
                                                     encoding:NSUTF8StringEncoding];
-        if ([self isDatabasePath:destPath] &&
-            audit_token_to_pid(m->process->audit_token) != self.selfPID) {
+        if ([self isDatabasePath:destPath]) {
           LOGW(@"Preventing attempt to overwrite Santa databases!");
           es_respond_auth_result(self.client, m, ES_AUTH_RESULT_DENY, true);
           return;