Add the option to ignore actions from other ES clients (#498)

* [com.google.santa.daemon]: add the option to ignore actions from other ES clients

* review updates

* review updates

Source/common/SNTConfigurator.h

@@ -320,6 +320,11 @@
 ///
 @property(readonly, nonatomic) BOOL enableForkAndExitLogging;
 
+///
+///  If true, ignore actions from other endpoint security clients. Defaults to false. This only applies when running as a sysx.
+///
+@property(readonly, nonatomic) BOOL ignoreOtherEndpointSecurityClients;
+
 ///
 ///  Retrieve an initialized singleton configurator object using the default file path.
 ///

Source/common/SNTConfigurator.m

@@ -79,6 +79,7 @@ @implementation SNTConfigurator
 static NSString *const kEnableSystemExtension = @"EnableSystemExtension";
 
 static NSString *const kEnableForkAndExitLogging = @"EnableForkAndExitLogging";
+static NSString *const kIgnoreOtherEndpointSecurityClients = @"IgnoreOtherEndpointSecurityClients";
 
 // The keys managed by a sync server or mobileconfig.
 static NSString *const kClientModeKey = @"ClientMode";
@@ -152,6 +153,7 @@ - (instancetype)init {
       kEnableMachineIDDecoration : number,
       kEnableSystemExtension : number,
       kEnableForkAndExitLogging : number,
+      kIgnoreOtherEndpointSecurityClients : number,
     };
     _defaults = [NSUserDefaults standardUserDefaults];
     [_defaults addSuiteNamed:@"com.google.santa"];
@@ -326,6 +328,10 @@ + (NSSet *)keyPathsForValuesAffectingEnableForkAndExitLogging {
   return [self configStateSet];
 }
 
++ (NSSet *)keyPathsForValuesAffectingIgnoreOtherEndpointSecurityClients {
+  return [self configStateSet];
+}
+
 #pragma mark Public Interface
 
 - (SNTClientMode)clientMode {
@@ -570,6 +576,11 @@ - (BOOL)enableForkAndExitLogging {
   return number ? [number boolValue] : NO;
 }
 
+- (BOOL)ignoreOtherEndpointSecurityClients {
+  NSNumber *number = self.configState[kIgnoreOtherEndpointSecurityClients];
+  return number ? [number boolValue] : NO;
+}
+
 #pragma mark Private
 
 ///

Source/santad/EventProviders/SNTEndpointSecurityManager.mm

@@ -77,10 +77,20 @@ - (void)establishClient API_AVAILABLE(macos(10.15)) {
 
     es_client_t *client = NULL;
     es_new_client_result_t ret = es_new_client(&client, ^(es_client_t *c, const es_message_t *m) {
+      pid_t pid = audit_token_to_pid(m->process->audit_token);
+
+      // If enabled, skip any action generated from another endpoint security client.
+      if (m->process->is_es_client && config.ignoreOtherEndpointSecurityClients) {
+        if (m->action_type == ES_ACTION_TYPE_AUTH) {
+          es_respond_auth_result(self.client, m, ES_AUTH_RESULT_ALLOW, true);
+        }
+        LOGD(@"Skipping action from es_client pid: %d", pid);
+        return;
+      }
+
       // Perform the following checks on this serial queue.
       // Some checks are simple filters that avoid copying m.
       // However, the bulk of the work done here is to support transitive whitelisting.
-      pid_t pid = audit_token_to_pid(m->process->audit_token);
       switch (m->event_type) {
         case ES_EVENT_TYPE_NOTIFY_EXEC: {
           // Deny results are currently logged when ES_EVENT_TYPE_AUTH_EXEC posts a deny.

version.bzl

@@ -1,3 +1,3 @@
 """The version for all Santa components."""
 
-SANTA_VERSION = "1.14"
+SANTA_VERSION = "1.15"