From d2bbdff3738421990faa666b0f98239ce56b7027 Mon Sep 17 00:00:00 2001
From: Tom Burgin
Date: Wed, 21 Oct 2020 13:20:13 -0400
Subject: [PATCH] Add the option to ignore actions from other ES clients (#498) * [com.google.santa.daemon]: add the option to ignore actions from other ES clients * review updates * review updates
--- Source/common/SNTConfigurator.h | 5 +++++ Source/common/SNTConfigurator.m | 11 +++++++++++ .../EventProviders/SNTEndpointSecurityManager.mm | 12 +++++++++++- version.bzl | 2 +- 4 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/Source/common/SNTConfigurator.h b/Source/common/SNTConfigurator.h
index d1e9c52eb..244361398 100644
--- a/Source/common/SNTConfigurator.h
+++ b/Source/common/SNTConfigurator.h
@@ -320,6 +320,11 @@
 ///
 @property(readonly, nonatomic) BOOL enableForkAndExitLogging;

+///
+/// If true, ignore actions from other endpoint security clients. Defaults to false. This only applies when running as a sysx.
+///
+@property(readonly, nonatomic) BOOL ignoreOtherEndpointSecurityClients;
+
 ///
 /// Retrieve an initialized singleton configurator object using the default file path.
 ///
diff --git a/Source/common/SNTConfigurator.m b/Source/common/SNTConfigurator.m
index f761408d8..f60103e74 100644
--- a/Source/common/SNTConfigurator.m
+++ b/Source/common/SNTConfigurator.m
@@ -79,6 +79,7 @@ @implementation SNTConfigurator
 static NSString *const kEnableSystemExtension = @"EnableSystemExtension";
 static NSString *const kEnableForkAndExitLogging = @"EnableForkAndExitLogging";
+static NSString *const kIgnoreOtherEndpointSecurityClients = @"IgnoreOtherEndpointSecurityClients";

 // The keys managed by a sync server or mobileconfig.
 static NSString *const kClientModeKey = @"ClientMode";
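Review bot: The new doc comment on `ignoreOtherEndpointSecurityClients` should state what "ignore" means in security terms, because a reader of the header cannot tell that enabling the key creates an allow path: per the handler change in SNTEndpointSecurityManager.mm in this same commit, AUTH events whose originating process is an ES client are answered ALLOW without rule evaluation, and their NOTIFY events return before the event-type switch that appears to handle NOTIFY_EXEC logging. I would replace the middle line of the comment with `/// If true, events whose originating process is an endpoint security client are not evaluated: AUTH events are allowed without consulting rules and NOTIFY events are not logged. Defaults to false. This only applies when running as a sysx.` so the trade-off is visible where administrators configure it. The wording "other" is also worth confirming, since the handler keys on is_es_client alone and does not visibly exclude santad's own client.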
@@ -152,6 +153,7 @@ - (instancetype)init {
 kEnableMachineIDDecoration : number,
 kEnableSystemExtension : number,
 kEnableForkAndExitLogging : number,
+ kIgnoreOtherEndpointSecurityClients : number,
 };
 _defaults = [NSUserDefaults standardUserDefaults];
 [_defaults addSuiteNamed:@"com.google.santa"];
@@ -326,6 +328,10 @@ + (NSSet *)keyPathsForValuesAffectingEnableForkAndExitLogging {
 return [self configStateSet];
 }

++ (NSSet *)keyPathsForValuesAffectingIgnoreOtherEndpointSecurityClients {
+ return [self configStateSet];
+}
+
 #pragma mark Public Interface

 - (SNTClientMode)clientMode {
@@ -570,6 +576,11 @@ - (BOOL)enableForkAndExitLogging {
 return number ? [number boolValue] : NO;
 }

+- (BOOL)ignoreOtherEndpointSecurityClients {
+ NSNumber *number = self.configState[kIgnoreOtherEndpointSecurityClients];
+ return number ? [number boolValue] : NO;
+}
+
 #pragma mark Private

 ///
diff --git a/Source/santad/EventProviders/SNTEndpointSecurityManager.mm b/Source/santad/EventProviders/SNTEndpointSecurityManager.mm
index 5f954a01c..0481eb2f4 100644
--- a/Source/santad/EventProviders/SNTEndpointSecurityManager.mm
+++ b/Source/santad/EventProviders/SNTEndpointSecurityManager.mm
@@ -77,10 +77,20 @@ - (void)establishClient API_AVAILABLE(macos(10.15)) {
 es_client_t *client = NULL;
 es_new_client_result_t ret = es_new_client(&client, ^(es_client_t *c, const es_message_t *m) {
+ pid_t pid = audit_token_to_pid(m->process->audit_token);
+
+ // If enabled, skip any action generated from another endpoint security client.
+ if (m->process->is_es_client && config.ignoreOtherEndpointSecurityClients) {
+ if (m->action_type == ES_ACTION_TYPE_AUTH) {
+ es_respond_auth_result(self.client, m, ES_AUTH_RESULT_ALLOW, true);
+ }
+ LOGD(@"Skipping action from es_client pid: %d", pid);
+ return;
+ }
+
 // Perform the following checks on this serial queue.
 // Some checks are simple filters that avoid copying m.
 // However, the bulk of the work done here is to support transitive whitelisting.
- pid_t pid = audit_token_to_pid(m->process->audit_token);
 switch (m->event_type) {
 case ES_EVENT_TYPE_NOTIFY_EXEC: {
 // Deny results are currently logged when ES_EVENT_TYPE_AUTH_EXEC posts a deny.
diff --git a/version.bzl b/version.bzl
index 849f2abd5..2d36fecc6 100644
--- a/version.bzl
+++ b/version.bzl
@@ -1,3 +1,3 @@
 """The version for all Santa components."""
-SANTA_VERSION = "1.14"
+SANTA_VERSION = "1.15"
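Review bot: Answering the intercepted AUTH event with the cache flag set on the `es_respond_auth_result(self.client, m, ES_AUTH_RESULT_ALLOW, true);` line is the part I would change, because as far as I understand the ES API the cache is keyed on the subject of the auth event (e.g. the executable being exec'd) rather than on the originating process that the `is_es_client` test examined; if that holds, a later AUTH event for the same file from an ordinary, non-ES-client process could be served from the cache without santad ever seeing it, which widens a narrow per-message exemption into an allow for that file. Unless the cache semantics have been verified otherwise, respond with `es_respond_auth_result(self.client, m, ES_AUTH_RESULT_ALLOW, false);` so the exemption covers only the one message. Two smaller points: the condition keys on `is_es_client` alone, so despite the name it presumably also skips events originating from santad's own client, and an AUTH allow taken through this path is recorded only at LOGD even though it is a deliberate policy bypass, so consider logging it at the level used for other allow decisions. The handler block and establishClient continue past the end of the hunk.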