Only eval TID and SID rules when the binary signature is valid (#1191)
* Only eval TID and SID rules when the binary signature is valid

* Simplify setting sid on cached decision
mlw authored Sep 28, 2023
1 parent 913af69 commit 5a383eb
Showing 8 changed files with 169 additions and 81 deletions.
2 changes: 2 additions & 0 deletions Source/santad/BUILD
Expand Up @@ -893,8 +893,10 @@ santa_unit_test(
":Metrics",
":MockEndpointSecurityAPI",
":SNTDatabaseController",
":SNTDecisionCache",
":SNTEndpointSecurityAuthorizer",
":SantadDeps",
"//Source/common:SNTCachedDecision",
"//Source/common:SNTConfigurator",
"//Source/common:TestUtils",
"@MOLCertificate",
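Review bot: the two deps added here, `:SNTDecisionCache` and `"//Source/common:SNTCachedDecision"`, are only justified if SantadTest.mm now references both; that file's diff is not rendered on this page, so please confirm neither is an unused dep (Bazel does not flag unused deps, and SNTDecisionCache pulls the decision-cache machinery into the test binary). Ordering within the deps list stays alphabetical, which is fine.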
11 changes: 4 additions & 7 deletions Source/santad/SNTPolicyProcessor.m
Expand Up @@ -82,27 +82,24 @@ - (nonnull SNTCachedDecision *)decisionForFileInfo:(nonnull SNTFileInfo *)fileIn
cd.teamID = teamID
?: [csInfo.signingInformation
objectForKey:(__bridge NSString *)kSecCodeInfoTeamIdentifier];
teamID = cd.teamID;

// Ensure that if no teamID exists that the signing info confirms it is a
// platform binary. If not, remove the signingID.
if (!teamID && signingID) {
if (!cd.teamID && cd.signingID) {
id platformID = [csInfo.signingInformation
objectForKey:(__bridge NSString *)kSecCodeInfoPlatformIdentifier];
if (![platformID isKindOfClass:[NSNumber class]] || [platformID intValue] == 0) {
signingID = nil;
cd.signingID = nil;
}
}

cd.signingID = signingID;
}
}
cd.quarantineURL = fileInfo.quarantineDataURL;

SNTRule *rule = [self.ruleTable ruleForBinarySHA256:cd.sha256
signingID:signingID
signingID:cd.signingID
certificateSHA256:cd.certSHA256
teamID:teamID];
teamID:cd.teamID];
if (rule) {
switch (rule.type) {
case SNTRuleTypeBinary:
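Review bot: the part of this hunk that actually enforces the commit's intent is the call-site change from the `signingID`/`teamID` locals to `cd.signingID`/`cd.teamID` in `ruleForBinarySHA256:signingID:certificateSHA256:teamID:`; the locals carry whatever the caller supplied regardless of signature state, while the `cd.*` properties are assigned only inside the nested blocks whose closing braces end this region (their openings are above the hunk). That dependency is invisible at the call site, so add a one-line comment above `SNTRule *rule = [self.ruleTable ruleForBinarySHA256:cd.sha256` stating that `cd.teamID` and `cd.signingID` are nil unless the signature validated, so a later refactor does not quietly reintroduce the locals. Two smaller points: within this hunk `signingID` is no longer read anywhere after the change, so if it is not used elsewhere in the method the parameter is now dead and should be dropped or commented; and the `teamID ?: [csInfo.signingInformation objectForKey:...]` fallback still prefers the caller-supplied value over the one from the signing information, which is fine inside the validated branch but worth a comment saying why the two are expected to agree there.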
237 changes: 163 additions & 74 deletions Source/santad/SantadTest.mm

Binary file added Source/santad/testdata/binaryrules/allowed_teamid
Binary file modified Source/santad/testdata/binaryrules/rules.db
