Proto serializer #897

Merged
merged 25 commits into from
Oct 13, 2022
Merged
Commits
25 commits
b6c4e9a
Initial proto serializer with close event
mlw Sep 26, 2022
b13364c
Define move ctors for enriched types, delete copy ctors
mlw Sep 26, 2022
5fc3b24
More event proto serialization. Commonized proto test code.
mlw Sep 27, 2022
b63d3fd
Started work serializing exec event. Added serializer utilities.
mlw Sep 27, 2022
d9795bd
More progress serializing exec event
mlw Sep 27, 2022
fa78d8c
Add mroe test data. Test restructure to permit fine grained mocking.
mlw Sep 27, 2022
fecd424
Env/FD ES types now wrapped in EndpointSecurityAPI. Added calls to pr…
mlw Sep 27, 2022
eacf5f9
Add fd type names to proto
mlw Sep 27, 2022
df48cfe
Version compat. Script and Working Dir encoding.
mlw Sep 30, 2022
2010f73
Add process start time
mlw Sep 30, 2022
785d675
Serialize Link event
mlw Sep 30, 2022
c28407a
Add null check, mainly to fix tests
mlw Sep 30, 2022
76b0344
Handle versioned expectations
mlw Oct 3, 2022
76cd24d
Each test now build msg in callbacks to set better expectations
mlw Oct 3, 2022
eccd24c
Serialize rename event and tests
mlw Oct 3, 2022
dc7ce10
Serialize unlink event and tests
mlw Oct 3, 2022
ef4feea
Serialize allowlist and bundle events. Add utilities tests.
mlw Oct 4, 2022
06d2fb5
Formatting
mlw Oct 4, 2022
5e07303
Disk event proto serialization and tests
mlw Oct 4, 2022
b6d03df
Fix test only issues
mlw Oct 4, 2022
da54541
Rename santa_new.proto to santa.proto
mlw Oct 4, 2022
62fb410
Change fd type int and string to an enum
mlw Oct 13, 2022
efbd86b
Proto namespace now versioned
mlw Oct 13, 2022
9164f01
Added comments to proto schema
mlw Oct 13, 2022
f0135dc
Add proto support to indicate if fd list truncated
mlw Oct 13, 2022
19 changes: 13 additions & 6 deletions Source/common/BUILD
@@ -1,5 +1,5 @@
load("//:helper.bzl", "santa_unit_test")
load("@rules_proto_grpc//objc:defs.bzl", "objc_proto_library")
load("@rules_cc//cc:defs.bzl", "cc_proto_library")

package(
default_visibility = ["//:santa_package_group"],
Expand All @@ -16,11 +16,18 @@ proto_library(
],
)

objc_proto_library(
name = "santa_objc_proto",
copts = ["-fno-objc-arc"],
non_arc_srcs = ["Santa.pbobjc.m"],
protos = [":santa_proto"],
cc_proto_library(
name = "santa_cc_proto",
deps = [":santa_proto"],
)

# Note: Simple wrapper for a `cc_proto_library` target which cannot be directly
# depended upon by an `objc_library` target.
cc_library(
name = "santa_cc_proto_library_wrapper",
deps = [
":santa_cc_proto",
],
)

cc_library(
2 changes: 1 addition & 1 deletion Source/common/SNTCachedDecisionTest.mm
Expand Up @@ -24,7 +24,7 @@ @implementation SNTCachedDecisionTest

- (void)testSNTCachedDecisionInit {
// Ensure the vnodeId field is properly set from the es_file_t
struct stat sb = MakeStat(1234, 5678);
struct stat sb = MakeStat();
es_file_t file = MakeESFile("foo", sb);

SNTCachedDecision *cd = [[SNTCachedDecision alloc] initWithEndpointSecurityFile:&file];
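Review bot: After this change `MakeStat()` returns st_dev/st_ino values fixed inside TestUtils.mm instead of the explicit 1234/5678 that used to be visible on this line, so the vnodeId expectation checked later in this test (outside the hunk) now depends silently on the helper's constants. Consider passing a non-zero offset so the test's values are still chosen here, or state the dependence in the comment, e.g. `// Ensure the vnodeId field is properly set from the es_file_t (st_dev/st_ino come from MakeStat's fixed defaults)`. testSNTCachedDecisionInit continues past the end of the hunk.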
15 changes: 13 additions & 2 deletions Source/common/TestUtils.h
Expand Up @@ -23,7 +23,7 @@
#include <sys/stat.h>

#define NOBODY_UID ((unsigned int)-2)
#define NOBODY_GID ((unsigned int)-2)
#define NOGROUP_GID ((unsigned int)-1)

// Bubble up googletest expectation failures to XCTest failures
#define XCTBubbleMockVerifyAndClearExpectations(mock) \
Expand All @@ -47,14 +47,25 @@ enum class ActionType {
Notify,
};

//
// Helpers to construct various ES structs
//

audit_token_t MakeAuditToken(pid_t pid, pid_t pidver);
struct stat MakeStat(ino_t ino, dev_t devno = 0);

/// Construct a `struct stat` buffer with each member having a unique value.
/// @param offset An optional offset to be added to each member. useful when
/// a test has multiple stats and you'd like for them each to have different
/// values across the members.
struct stat MakeStat(int offset = 0);

es_string_token_t MakeESStringToken(const char *s);
es_file_t MakeESFile(const char *path, struct stat sb = {});
es_process_t MakeESProcess(es_file_t *file, audit_token_t tok = {}, audit_token_t parent_tok = {});
es_message_t MakeESMessage(es_event_type_t et, es_process_t *proc,
ActionType action_type = ActionType::Notify,
uint64_t future_deadline_ms = 100000);

uint32_t MaxSupportedESMessageVersionForCurrentOS();

#endif
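Review bot: `MaxSupportedESMessageVersionForCurrentOS()` is declared without a doc comment, unlike the `MakeStat` overload this hunk documents just above it; suggest `/// Highest es_message_t version supported by the running macOS; MakeESMessage uses it to populate es_msg.version.` The `MakeStat` comment also starts a sentence in lower case and should read `/// @param offset An optional offset to be added to each member. Useful when`. Since the implementation in TestUtils.mm below adds the offset to st_mode and the timespec members as well as to st_dev/st_ino, it would help callers if that comment said that small non-negative offsets are expected.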
50 changes: 44 additions & 6 deletions Source/common/TestUtils.mm
Expand Up @@ -18,27 +18,42 @@
#include <dispatch/dispatch.h>
#include <mach/mach_time.h>
#include <time.h>
#include <uuid/uuid.h>

audit_token_t MakeAuditToken(pid_t pid, pid_t pidver) {
return audit_token_t{
.val =
{
0,
NOBODY_UID,
NOBODY_GID,
NOGROUP_GID,
NOBODY_UID,
NOBODY_GID,
NOGROUP_GID,
(unsigned int)pid,
0,
(unsigned int)pidver,
},
};
}

struct stat MakeStat(ino_t ino, dev_t devno) {
struct stat MakeStat(int offset) {
return (struct stat){
.st_dev = devno,
.st_ino = ino,
.st_dev = 1 + offset,
.st_mode = (mode_t)(2 + offset),
.st_nlink = (nlink_t)(3 + offset),
.st_ino = (uint64_t)(4 + offset),
.st_uid = NOBODY_UID,
.st_gid = NOGROUP_GID,
.st_rdev = 5 + offset,
.st_atimespec = {.tv_sec = 100 + offset, .tv_nsec = 200 + offset},
.st_mtimespec = {.tv_sec = 101 + offset, .tv_nsec = 21 + offset},
.st_ctimespec = {.tv_sec = 102 + offset, .tv_nsec = 202 + offset},
.st_birthtimespec = {.tv_sec = 103 + offset, .tv_nsec = 203 + offset},
.st_size = 6 + offset,
.st_blocks = 7 + offset,
.st_blksize = 8 + offset,
.st_flags = (uint32_t)(9 + offset),
.st_gen = (uint32_t)(10 + offset),
};
}

Expand All @@ -62,6 +77,10 @@ es_process_t MakeESProcess(es_file_t *file, audit_token_t tok, audit_token_t par
.audit_token = tok,
.ppid = audit_token_to_pid(parent_tok),
.original_ppid = audit_token_to_pid(parent_tok),
.group_id = 111,
.session_id = 222,
.is_platform_binary = true,
pmarkowsky marked this conversation as resolved.
.is_es_client = true,
.executable = file,
.parent_audit_token = parent_tok,
};
Expand All @@ -85,15 +104,34 @@ static uint64_t AddMillisToMachTime(uint64_t ms, uint64_t machTime) {
return nanoTime * timebase.denom / timebase.numer;
}

uint32_t MaxSupportedESMessageVersionForCurrentOS() {
// Note: ES message v3 was only in betas.
if (@available(macOS 13.0, *)) {
return 6;
} else if (@available(macOS 12.3, *)) {
return 5;
} else if (@available(macOS 11.0, *)) {
return 4;
} else if (@available(macOS 10.15.4, *)) {
return 2;
} else {
return 1;
}
}

es_message_t MakeESMessage(es_event_type_t et, es_process_t *proc, ActionType action_type,
uint64_t future_deadline_ms) {
return es_message_t{
es_message_t es_msg = {
.deadline = AddMillisToMachTime(future_deadline_ms, mach_absolute_time()),
.process = proc,
.action_type =
(action_type == ActionType::Notify) ? ES_ACTION_TYPE_NOTIFY : ES_ACTION_TYPE_AUTH,
.event_type = et,
};

es_msg.version = MaxSupportedESMessageVersionForCurrentOS();

return es_msg;
}

void SleepMS(long ms) {
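Review bot: In `MakeStat`, `.st_mtimespec = {.tv_sec = 101 + offset, .tv_nsec = 21 + offset}` breaks the 200/202/203 pattern used by the other three timespec members and looks like a dropped digit; if it is intentional a comment should say so, otherwise the line should be `.st_mtimespec = {.tv_sec = 101 + offset, .tv_nsec = 201 + offset},`. Serializer tests that build their expectations from the same helper would not catch a slip like this, so the helper's values deserve a second look. Separately, `MaxSupportedESMessageVersionForCurrentOS` hard-codes the macOS-to-message-version table with no note on where the mapping comes from; a one-line comment naming the source (the EndpointSecurity header documentation for es_message_t.version) would make future updates for newer macOS releases safer.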