
Fix issue where client mode was almost always logged as "Unknown"
mlw committed Aug 27, 2023
1 parent 0400e29 commit 85cc970
Showing 1 changed file with 11 additions and 6 deletions.
17 changes: 11 additions & 6 deletions Source/santad/SNTPolicyProcessor.m
Expand Up @@ -27,6 +27,7 @@

@interface SNTPolicyProcessor ()
@property SNTRuleTable *ruleTable;
@property SNTConfigurator *configurator;
@end

@implementation SNTPolicyProcessor
Expand All @@ -35,6 +36,7 @@ - (instancetype)initWithRuleTable:(SNTRuleTable *)ruleTable {
self = [super init];
if (self) {
_ruleTable = ruleTable;
_configurator = [SNTConfigurator configurator];
}
return self;
}
Expand All @@ -49,10 +51,16 @@ - (nonnull SNTCachedDecision *)decisionForFileInfo:(nonnull SNTFileInfo *)fileIn
cd.teamID = teamID;
cd.signingID = signingID;

SNTClientMode mode = [self.configurator clientMode];
cd.decisionClientMode = mode;

// If the binary is a critical system binary, don't check its signature.
// The binary was validated at startup when the rule table was initialized.
SNTCachedDecision *systemCd = self.ruleTable.criticalSystemBinaries[cd.sha256];
if (systemCd) return systemCd;
if (systemCd) {
systemCd.decisionClientMode = mode;
return systemCd;
}

NSError *csInfoError;
if (certificateSHA256.length) {
Expand Down Expand Up @@ -110,7 +118,7 @@ - (nonnull SNTCachedDecision *)decisionForFileInfo:(nonnull SNTFileInfo *)fileIn
// If transitive rules are enabled, then SNTRuleStateAllowListCompiler rules
// become SNTEventStateAllowCompiler decisions. Otherwise we treat the rule as if
// it were SNTRuleStateAllow.
if ([[SNTConfigurator configurator] enableTransitiveRules]) {
if ([self.configurator enableTransitiveRules]) {
cd.decision = SNTEventStateAllowCompiler;
} else {
cd.decision = SNTEventStateAllowBinary;
Expand All @@ -120,7 +128,7 @@ - (nonnull SNTCachedDecision *)decisionForFileInfo:(nonnull SNTFileInfo *)fileIn
// If transitive rules are enabled, then SNTRuleStateAllowTransitive
// rules become SNTEventStateAllowTransitive decisions. Otherwise, we treat the
// rule as if it were SNTRuleStateUnknown.
if ([[SNTConfigurator configurator] enableTransitiveRules]) {
if ([self.configurator enableTransitiveRules]) {
cd.decision = SNTEventStateAllowTransitive;
return cd;
} else {
Expand Down Expand Up @@ -198,9 +206,6 @@ - (nonnull SNTCachedDecision *)decisionForFileInfo:(nonnull SNTFileInfo *)fileIn
return cd;
}

SNTClientMode mode = [[SNTConfigurator configurator] clientMode];
cd.decisionClientMode = mode;

switch (mode) {
case SNTClientModeMonitor: cd.decision = SNTEventStateAllowUnknown; return cd;
case SNTClientModeLockdown: cd.decision = SNTEventStateBlockUnknown; return cd;
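Review bot: The new `systemCd.decisionClientMode = mode;` writes into the object stored in `self.ruleTable.criticalSystemBinaries` rather than into a per-call decision, so every caller that later receives that cached entry sees whichever mode was written last, and if decisionForFileInfo: runs on more than one thread this is an unsynchronized write to a shared cache entry (the caller's threading is not visible from this hunk). Because `mode` is read from the configurator at the top of the same call, a concurrent writer would store the same value, so the race is probably benign today, but the shared-mutation intent is not stated anywhere and the comment above the lookup says the table was built once at startup. A comment above the assignment would make this explicit: `// systemCd is the shared entry from criticalSystemBinaries; only decisionClientMode is written here, and a concurrent lookup would write the same value.` If SNTCachedDecision supports copying, returning a copy with the mode set would avoid mutating the table at all. decisionForFileInfo: begins and ends outside this hunk.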
