Use runtime platform binary check for exec evals #1424

Merged
merged 4 commits into from
Sep 10, 2024
49 changes: 21 additions & 28 deletions Source/santad/SNTPolicyProcessor.mm
Expand Up @@ -135,9 +135,8 @@ - (BOOL)decision:(SNTCachedDecision *)cd
}

static void UpdateCachedDecisionSigningInfo(
SNTCachedDecision *cd, MOLCodesignChecker *csInfo,
NSDictionary *_Nullable (^entitlementsFilterCallback)(NSDictionary *_Nullable entitlements),
PlatformBinaryState platformBinaryState) {
SNTCachedDecision *cd, MOLCodesignChecker *csInfo, PlatformBinaryState platformBinaryState,
NSDictionary *_Nullable (^entitlementsFilterCallback)(NSDictionary *_Nullable entitlements)) {
cd.certSHA256 = csInfo.leafCertificate.SHA256;
cd.certCommonName = csInfo.leafCertificate.commonName;
cd.certChain = csInfo.certificates;
Expand Down Expand Up @@ -166,12 +165,6 @@ static void UpdateCachedDecisionSigningInfo(
}
}

if (!cd.teamID && cd.signingID) {
if (!csInfo.platformBinary) {
cd.signingID = nil;
}
}

NSDictionary *entitlements = csInfo.entitlements;

if (entitlementsFilterCallback) {
Expand All @@ -183,18 +176,18 @@ static void UpdateCachedDecisionSigningInfo(
}
}

- (nonnull SNTCachedDecision *)decisionForFileInfo:(nonnull SNTFileInfo *)fileInfo
cdhash:(nullable NSString *)cdhash
fileSHA256:(nullable NSString *)fileSHA256
certificateSHA256:(nullable NSString *)certificateSHA256
teamID:(nullable NSString *)teamID
signingID:(nullable NSString *)signingID
isProdSignedCallback:(BOOL (^_Nonnull)())isProdSignedCallback
entitlementsFilterCallback:
(NSDictionary *_Nullable (^_Nullable)(
NSDictionary *_Nullable entitlements))entitlementsFilterCallback
preCodesignCheckCallback:(void (^_Nullable)(void))preCodesignCheckCallback
platformBinaryState:(PlatformBinaryState)platformBinaryState {
- (nonnull SNTCachedDecision *)
decisionForFileInfo:(nonnull SNTFileInfo *)fileInfo
cdhash:(nullable NSString *)cdhash
fileSHA256:(nullable NSString *)fileSHA256
certificateSHA256:(nullable NSString *)certificateSHA256
teamID:(nullable NSString *)teamID
signingID:(nullable NSString *)signingID
platformBinaryState:(PlatformBinaryState)platformBinaryState
isProdSignedCallback:(BOOL (^_Nonnull)())isProdSignedCallback
entitlementsFilterCallback:(NSDictionary *_Nullable (^_Nullable)(
NSDictionary *_Nullable entitlements))entitlementsFilterCallback
preCodesignCheckCallback:(void (^_Nullable)(void))preCodesignCheckCallback {
// Check the hash before allocating a SNTCachedDecision.
NSString *fileHash = fileSHA256 ?: fileInfo.SHA256;
SNTClientMode mode = [self.configurator clientMode];
Expand Down Expand Up @@ -236,7 +229,7 @@ - (nonnull SNTCachedDecision *)decisionForFileInfo:(nonnull SNTFileInfo *)fileIn
cd.signingID = nil;
cd.cdhash = nil;
} else {
UpdateCachedDecisionSigningInfo(cd, csInfo, entitlementsFilterCallback, platformBinaryState);
UpdateCachedDecisionSigningInfo(cd, csInfo, platformBinaryState, entitlementsFilterCallback);
}
}

Expand Down Expand Up @@ -347,15 +340,15 @@ - (nonnull SNTCachedDecision *)decisionForFileInfo:(nonnull SNTFileInfo *)fileIn
certificateSHA256:nil
teamID:teamID
signingID:signingID
isProdSignedCallback:^BOOL {
platformBinaryState:(targetProc->is_platform_binary
? PlatformBinaryState::kRuntimeTrue
: PlatformBinaryState::kRuntimeFalse)isProdSignedCallback:^BOOL {
return ((targetProc->codesigning_flags & CS_DEV_CODE) == 0);
}
entitlementsFilterCallback:^NSDictionary *(NSDictionary *entitlements) {
return entitlementsFilterCallback(entitlementsFilterTeamID, entitlements);
}
preCodesignCheckCallback:preCodesignCheckCallback
platformBinaryState:(targetProc->is_platform_binary ? PlatformBinaryState::kRuntimeTrue
: PlatformBinaryState::kRuntimeFalse)];
preCodesignCheckCallback:preCodesignCheckCallback];
}

// Used by `$ santactl fileinfo`.
Expand All @@ -380,6 +373,7 @@ - (nonnull SNTCachedDecision *)decisionForFilePath:(nonnull NSString *)filePath
certificateSHA256:identifiers.certificateSHA256
teamID:identifiers.teamID
signingID:identifiers.signingID
platformBinaryState:PlatformBinaryState::kStaticCheck
isProdSignedCallback:^BOOL {
if (csInfo) {
// Development OID values defined by Apple and used by the Security Framework
Expand All @@ -393,8 +387,7 @@ - (nonnull SNTCachedDecision *)decisionForFilePath:(nonnull NSString *)filePath
}
}
entitlementsFilterCallback:nil
preCodesignCheckCallback:nil
platformBinaryState:PlatformBinaryState::kStaticCheck];
preCodesignCheckCallback:nil];
}

///
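Review bot: The hunk at old lines 166-171 deletes the guard that cleared `cd.signingID` when a binary carried a signing ID but no team ID and `csInfo.platformBinary` was false, and nothing on the visible new side of UpdateCachedDecisionSigningInfo replaces it. The function's body between the first and third hunks is outside this view, so if an equivalent guard now lives there keyed on the `platformBinaryState` argument (which this commit only reorders ahead of the entitlements callback) that should be confirmed before merge, because a signing ID without a team ID is only meaningful for platform binaries and could otherwise be carried into signing-ID rule matching for ad-hoc or self-signed code. The new exec-path plumbing (`kRuntimeTrue`/`kRuntimeFalse` derived from `targetProc->is_platform_binary`, `kStaticCheck` for the `santactl fileinfo` path) suggests the decision moved rather than disappeared, but the diff does not show it. A short comment at the `platformBinaryState` parameter of UpdateCachedDecisionSigningInfo, e.g. `// Governs whether a signingID without a teamID is retained; only trusted for platform binaries.`, would make that contract explicit for the next reader.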