From d1d008af0a51955ffbf3cf131c26d81f2dfd47a0 Mon Sep 17 00:00:00 2001
From: Tom Burgin
Date: Fri, 20 Dec 2019 14:00:16 -0500
Subject: [PATCH] don't log TRUNCATE and don't log fileops from com.google.santa.daemon (#428)
* don't log TRUNCATE and don't log fileops from com.google.santa.daemon
* review updates
---
 .../SNTEndpointSecurityManager.mm | 27 +++++++++----------
 1 file changed, 13 insertions(+), 14 deletions(-)
diff --git a/Source/santad/EventProviders/SNTEndpointSecurityManager.mm b/Source/santad/EventProviders/SNTEndpointSecurityManager.mm
index 290e9a0d6..391344a39 100644
--- a/Source/santad/EventProviders/SNTEndpointSecurityManager.mm
+++ b/Source/santad/EventProviders/SNTEndpointSecurityManager.mm
@@ -35,6 +35,7 @@ @interface SNTEndpointSecurityManager ()
 @property(nonatomic, copy) void (^logCallback)(santa_message_t);
 @property(nonatomic, readonly) dispatch_queue_t esAuthQueue;
 @property(nonatomic, readonly) dispatch_queue_t esNotifyQueue;
+@property(nonatomic, readonly) pid_t selfPID;
 @end
@@ -55,6 +56,7 @@ - (instancetype)init API_AVAILABLE(macos(10.15)) {
 dispatch_queue_create("com.google.santa.daemon.es_notify", DISPATCH_QUEUE_CONCURRENT);
 dispatch_set_target_queue(_esNotifyQueue, dispatch_get_global_queue(QOS_CLASS_BACKGROUND, 0));
+ _selfPID = getpid();
 }
 return self;
@@ -142,9 +144,7 @@ - (void)establishClient API_AVAILABLE(macos(10.15)) {
 }
 }
- // Copy the message and return control back to ES
- es_message_t *mc = es_copy_message(m);
- switch (mc->action_type) {
+ switch (m->action_type) {
 case ES_ACTION_TYPE_AUTH: {
 // Create a timer to deny the execution 2 seconds before the deadline,
 // if a response hasn't already been sent. This block will still be enqueued if
@@ -154,11 +154,14 @@ - (void)establishClient API_AVAILABLE(macos(10.15)) {
 // large enough binary will never be allowed to execute. This should be a rare edge case;
 // it's probably not worth adding a caching layer just for this.
 auto responded = std::make_shared>(false);
- dispatch_after(dispatch_time(mc->deadline, NSEC_PER_SEC * -2), self.esAuthQueue, ^(void) {
+ dispatch_after(dispatch_time(m->deadline, NSEC_PER_SEC * -2), self.esAuthQueue, ^(void) {
 if (responded->load()) return;
 LOGE(@"Deadline reached: deny pid=%d ret=%d",
- pid, es_respond_auth_result(self.client, mc, ES_AUTH_RESULT_DENY, false));
+ pid, es_respond_auth_result(self.client, m, ES_AUTH_RESULT_DENY, false));
 });
+
+ // Copy the message and return control back to ES
+ es_message_t *mc = es_copy_message(m);
 dispatch_async(self.esAuthQueue, ^{
 [self messageHandler:mc];
 responded->store(true);
@@ -167,6 +170,11 @@ - (void)establishClient API_AVAILABLE(macos(10.15)) {
 break;
 }
 case ES_ACTION_TYPE_NOTIFY: {
+ // Don't log fileop events from com.google.santa.daemon
+ if (self.selfPID == pid && m->event_type != ES_EVENT_TYPE_NOTIFY_EXEC) return;
+
+ // Copy the message and return control back to ES
+ es_message_t *mc = es_copy_message(m);
 dispatch_async(self.esNotifyQueue, ^{
 [self messageHandler:mc];
 es_free_message(mc);
@@ -174,7 +182,6 @@ - (void)establishClient API_AVAILABLE(macos(10.15)) {
 break;
 }
 default: {
- es_free_message(mc);
 break;
 }
 }
@@ -246,13 +253,6 @@ - (void)messageHandler:(es_message_t *)m API_AVAILABLE(macos(10.15)) {
 callback = self.logCallback;
 break;
 }
- case ES_EVENT_TYPE_NOTIFY_TRUNCATE: {
- sm.action = ACTION_NOTIFY_DELETE;
- targetFile = m->event.truncate.target;
- targetProcess = m->process;
- callback = self.logCallback;
- break;
- }
 case ES_EVENT_TYPE_NOTIFY_LINK: {
 sm.action = ACTION_NOTIFY_LINK;
 targetFile = m->event.link.source;
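Review bot: The deadline block now captures the handler's own message `m` and calls `es_respond_auth_result(self.client, m, ES_AUTH_RESULT_DENY, false)` up to seconds after the handler has returned, where the removed lines used the copy `mc`; Endpoint Security only guarantees a handler message for the duration of the handler, so the deny-on-deadline path — the one meant to fail closed — can dereference and respond with a message that has already been released. Take the copy before scheduling the timer, `es_message_t *mc = es_copy_message(m);` above the `dispatch_after`, and use `mc->deadline` and `mc` inside the block as before. Whatever frees `mc` on the auth path (`messageHandler:` or a responder) is outside this hunk, so the copy's lifetime against a late-firing timer still needs checking there. The enclosing switch and establishClient continue outside the hunk.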
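Review bot: The new filter `if (self.selfPID == pid && m->event_type != ES_EVENT_TYPE_NOTIFY_EXEC) return;` matches on the daemon's cached pid rather than on the com.google.santa.daemon identity the comment names, and the comment does not say why a pid compare is safe to rely on; `pid` is computed outside the hunk, and the check is only as trustworthy as that derivation (presumably the kernel-supplied audit token of `m->process`, which another process cannot forge). State the assumption in the comment, e.g. `// Skip our own fileop events (pid from the kernel audit token, cached at init); exec events are kept so santad's own spawns stay visible.` It is also worth recording, since it is a deliberate blind spot, that santad's own writes (rule database, logs) no longer appear in the fileop log. The enclosing switch and establishClient continue outside the hunk.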
@@ -327,7 +327,6 @@ - (void)listenForLogRequests:(void (^)(santa_message_t))callback API_AVAILABLE(m
 es_event_type_t events[] = {
 ES_EVENT_TYPE_NOTIFY_EXEC,
 ES_EVENT_TYPE_NOTIFY_CLOSE,
- ES_EVENT_TYPE_NOTIFY_TRUNCATE,
 ES_EVENT_TYPE_NOTIFY_LINK,
 ES_EVENT_TYPE_NOTIFY_RENAME,
 ES_EVENT_TYPE_NOTIFY_UNLINK,