Switch to using new rule and event states for standalone mode.

northpolesec · Nov 19, 2024 · dae864c · dae864c
1 parent a14193e
commit dae864c
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 25 deletions.
diff --git a/Source/common/SNTCommonEnums.h b/Source/common/SNTCommonEnums.h
@@ -99,6 +99,8 @@ typedef NS_ENUM(uint64_t, SNTEventState) {
   SNTEventStateAllowTeamID = 1ULL << 47,
   SNTEventStateAllowSigningID = 1ULL << 48,
   SNTEventStateAllowCDHash = 1ULL << 49,
+  SNTEventStateAllowLocalBinary = 1ULL << 50,
+  SNTEventStateAllowLocalSigningID = 1ULL << 51,
 
   // Block and Allow masks
   SNTEventStateBlock = 0xFFFFFFULL << 16,

diff --git a/Source/gui/SNTBinaryMessageWindowView.swift b/Source/gui/SNTBinaryMessageWindowView.swift
@@ -285,39 +285,36 @@ struct SNTBinaryMessageWindowView: View {
             Text(bundleProgress.label)
           }
         }
+      }
 
-        // Display the standalone error message to the user if one is provided.
-        if c.enableStandaloneMode {
-          if let errorMessage = standaloneErrorMessage {
-            if errorMessage != "" {
-              Text(errorMessage).foregroundColor(.red)
-            }
+      // Display the standalone error message to the user if one is provided.
+      if c.enableStandaloneMode {
+        if let errorMessage = standaloneErrorMessage {
+          if errorMessage != "" {
+            Text(errorMessage).foregroundColor(.red)
           }
         }
+      }
 
-        HStack(spacing: 15.0) {
-          if c.eventDetailURL?.count ?? 0 > 0
-            && !(event?.needsBundleHash ?? false && !bundleProgress.isFinished) && !c.enableStandaloneMode
-          {
-            OpenEventButton(customText: c.eventDetailText, action: openButton)
-          } else if addStandaloneButton() {
-            StandaloneButton(action: standAloneButton)
-          }
-
-          DismissButton(
-            customText: c.dismissText,
-            silence: preventFutureNotifications,
-            action: dismissButton
-          )
+      HStack(spacing: 15.0) {
+        if c.eventDetailURL?.count ?? 0 > 0
+          && !(event?.needsBundleHash ?? false && !bundleProgress.isFinished) && !c.enableStandaloneMode
+        {
+          OpenEventButton(customText: c.eventDetailText, action: openButton)
+        } else if addStandaloneButton() {
+          StandaloneButton(action: standAloneButton)
         }
-      }
 
+        DismissButton(
+          customText: c.dismissText,
+          silence: preventFutureNotifications,
+          action: dismissButton
+        )
+      }
       Spacer()
-    }
-    .fixedSize()
+    }.fixedSize()
   }
 
-
   func addStandaloneButton() -> Bool {
     var shouldDisplay = c.enableStandaloneMode
     if let errorMessage = standaloneErrorMessage {

diff --git a/Source/santactl/Commands/SNTCommandFileInfo.m b/Source/santactl/Commands/SNTCommandFileInfo.m
@@ -416,12 +416,14 @@ - (SNTAttributeBlock)rule {
         case SNTEventStateAllowUnknown:
         case SNTEventStateBlockUnknown: [output appendString:@" (Unknown)"]; break;
         case SNTEventStateAllowBinary:
+        case SNTEventStateAllowLocalBinary:
         case SNTEventStateBlockBinary: [output appendString:@" (Binary)"]; break;
         case SNTEventStateAllowCertificate:
         case SNTEventStateBlockCertificate: [output appendString:@" (Certificate)"]; break;
         case SNTEventStateAllowTeamID:
         case SNTEventStateBlockTeamID: [output appendString:@" (TeamID)"]; break;
         case SNTEventStateAllowSigningID:
+        case SNTEventStateAllowLocalSigningID:
         case SNTEventStateBlockSigningID: [output appendString:@" (SigningID)"]; break;
         case SNTEventStateAllowCDHash:
         case SNTEventStateBlockCDHash: [output appendString:@" (CDHash)"]; break;

diff --git a/Source/santad/SNTExecutionController.h b/Source/santad/SNTExecutionController.h
@@ -20,12 +20,14 @@
 
 const static NSString *kBlockBinary = @"BlockBinary";
 const static NSString *kAllowBinary = @"AllowBinary";
+const static NSString *kAllowLocalBinary = @"AllowLocalBinary";
 const static NSString *kBlockCertificate = @"BlockCertificate";
 const static NSString *kAllowCertificate = @"AllowCertificate";
 const static NSString *kBlockTeamID = @"BlockTeamID";
 const static NSString *kAllowTeamID = @"AllowTeamID";
 const static NSString *kBlockSigningID = @"BlockSigningID";
 const static NSString *kAllowSigningID = @"AllowSigningID";
+const static NSString *kAllowLocalSigningID = @"AllowLocalSigningID";
 const static NSString *kBlockCDHash = @"BlockCDHash";
 const static NSString *kAllowCDHash = @"AllowCDHash";
 const static NSString *kBlockScope = @"BlockScope";

diff --git a/Source/santad/SNTExecutionController.mm b/Source/santad/SNTExecutionController.mm
@@ -156,6 +156,7 @@ - (void)incrementEventCounters:(SNTEventState)eventType {
   switch (eventType) {
     case SNTEventStateBlockBinary: eventTypeStr = kBlockBinary; break;
     case SNTEventStateAllowBinary: eventTypeStr = kAllowBinary; break;
+    case SNTEventStateAllowLocalBinary: eventTypeStr = kAllowLocalBinary; break;
     case SNTEventStateBlockCertificate: eventTypeStr = kBlockCertificate; break;
     case SNTEventStateAllowCertificate: eventTypeStr = kAllowCertificate; break;
     case SNTEventStateBlockTeamID: eventTypeStr = kBlockTeamID; break;
@@ -409,7 +410,8 @@ - (void)validateExecEvent:(const Message &)esMsg postAction:(bool (^)(SNTAction)
 
         // Only allow a user in standalone mode to override a block if an
         // explicit block rule is not set when using a sync service.
-        if (config.enableStandaloneMode && se.decision == SNTEventStateBlockUnknown) {
+        if (config.enableStandaloneMode &&
+            (!config.syncBaseURL || se.decision == SNTEventStateBlockUnknown)) {
           replyBlock = ^void(BOOL authenticated) {
             LOGD(@"User responded to block event for %@ with authenticated: %d", se.filePath,
                  authenticated);

diff --git a/Source/santad/SNTPolicyProcessor.mm b/Source/santad/SNTPolicyProcessor.mm
@@ -65,11 +65,13 @@ - (BOOL)decision:(SNTCachedDecision *)cd
       {{SNTRuleTypeCDHash, SNTRuleStateBlock}, SNTEventStateBlockCDHash},
       {{SNTRuleTypeCDHash, SNTRuleStateSilentBlock}, SNTEventStateBlockCDHash},
       {{SNTRuleTypeBinary, SNTRuleStateAllow}, SNTEventStateAllowBinary},
+      {{SNTRuleTypeBinary, SNTRuleStateAllowLocalBinary}, SNTEventStateAllowLocalBinary},
       {{SNTRuleTypeBinary, SNTRuleStateAllowTransitive}, SNTEventStateAllowTransitive},
       {{SNTRuleTypeBinary, SNTRuleStateAllowCompiler}, SNTEventStateAllowCompiler},
       {{SNTRuleTypeBinary, SNTRuleStateSilentBlock}, SNTEventStateBlockBinary},
       {{SNTRuleTypeBinary, SNTRuleStateBlock}, SNTEventStateBlockBinary},
       {{SNTRuleTypeSigningID, SNTRuleStateAllow}, SNTEventStateAllowSigningID},
+      {{SNTRuleTypeSigningID, SNTRuleStateAllowLocalSigningID}, SNTEventStateAllowLocalSigningID},
       {{SNTRuleTypeSigningID, SNTRuleStateAllowCompiler}, SNTEventStateAllowCompiler},
       {{SNTRuleTypeSigningID, SNTRuleStateSilentBlock}, SNTEventStateBlockSigningID},
       {{SNTRuleTypeSigningID, SNTRuleStateBlock}, SNTEventStateBlockSigningID},