santactl/sync: Add ability to ingest CEL rules.

This covers `santactl rule`, syncing, and StaticRules.

Author: russellhancox

MODULE.bazel

@@ -15,7 +15,7 @@ bazel_dep(name = "xxhash", version = "0.8.2")
 bazel_dep(name = "protos", version = "1.0.1", repo_name = "northpolesec_protos")
 git_override(
     module_name = "protos",
-    commit = "bd61ba67c96bb8983e1b1ecf51f0af0d9308ac63",
+    commit = "547a10d6b2e0502af11d54368a74c3b128715223",
     remote = "https://github.com/northpolesec/protos",
 )
 

Source/common/SNTRule.h

@@ -82,7 +82,8 @@
                              state:(SNTRuleState)state
                               type:(SNTRuleType)type
                          customMsg:(NSString *)customMsg
-                         customURL:(NSString *)customURL;
+                         customURL:(NSString *)customURL
+                           celExpr:(NSString *)celExpr;
 
 ///
 ///  Initialize with a default timestamp: current time if rule state is transitive, 0 otherwise.

Source/common/SNTRule.m

@@ -166,15 +166,16 @@ - (instancetype)initWithIdentifier:(NSString *)identifier
                              state:(SNTRuleState)state
                               type:(SNTRuleType)type
                          customMsg:(NSString *)customMsg
-                         customURL:(NSString *)customURL {
+                         customURL:(NSString *)customURL
+                           celExpr:(NSString *)celExpr {
   self = [self initWithIdentifier:identifier
                             state:state
                              type:type
                         customMsg:customMsg
                         customURL:customURL
                         timestamp:0
                           comment:nil
-                          celExpr:nil
+                          celExpr:celExpr
                             error:nil];
   // Initialize timestamp to current time if rule is transitive.
   if (self && state == SNTRuleStateAllowTransitive) {
@@ -186,7 +187,15 @@ - (instancetype)initWithIdentifier:(NSString *)identifier
 - (instancetype)initWithIdentifier:(NSString *)identifier
                              state:(SNTRuleState)state
                               type:(SNTRuleType)type {
-  return [self initWithIdentifier:identifier state:state type:type customMsg:nil customURL:nil];
+  return [self initWithIdentifier:identifier
+                            state:state
+                             type:type
+                        customMsg:nil
+                        customURL:nil
+                        timestamp:0
+                          comment:nil
+                          celExpr:nil
+                            error:nil];
 }
 
 // lowercase policy keys and upper case the policy decision.
@@ -254,6 +263,8 @@ - (instancetype)initWithDictionary:(NSDictionary *)rawDict error:(NSError **)err
     state = SNTRuleStateSilentBlock;
   } else if ([policyString isEqual:kRulePolicyRemove]) {
     state = SNTRuleStateRemove;
+  } else if ([policyString isEqual:kRulePolicyCEL]) {
+    state = SNTRuleStateCEL;
   } else {
     [SNTError populateError:error
                    withCode:SNTErrorCodeRuleInvalidPolicy
@@ -301,14 +312,19 @@ - (instancetype)initWithDictionary:(NSDictionary *)rawDict error:(NSError **)err
     comment = nil;
   }
 
+  NSString *celExpr = dict[kRuleCELExpr];
+  if (![celExpr isKindOfClass:[NSString class]] || celExpr.length == 0) {
+    celExpr = nil;
+  }
+
   return [self initWithIdentifier:identifier
                             state:state
                              type:type
                         customMsg:customMsg
                         customURL:customURL
                         timestamp:0
                           comment:comment
-                          celExpr:nil
+                          celExpr:celExpr
                             error:error];
 }
 
@@ -354,6 +370,7 @@ - (NSString *)ruleStateToPolicyString:(SNTRuleState)state {
     case SNTRuleStateAllowTransitive: return @"AllowTransitive";
     case SNTRuleStateAllowLocalBinary: return kRulePolicyAllowlistLocalBinary;
     case SNTRuleStateAllowLocalSigningID: return kRulePolicyAllowlistLocalSigningID;
+    case SNTRuleStateCEL: return kRulePolicyCEL;
     // This should never be hit. But is here for completion.
     default: return @"Unknown";
   }
@@ -381,6 +398,7 @@ - (NSDictionary *)dictionaryRepresentation {
     kRuleCustomMsg : self.customMsg ?: @"",
     kRuleCustomURL : self.customURL ?: @"",
     kRuleComment : self.comment ?: @"",
+    kRuleCELExpr : self.celExpr ?: @"",
   };
 }
 
@@ -399,6 +417,7 @@ - (NSUInteger)hash {
   result = prime * result + self.state;
   result = prime * result + self.type;
   result = prime * result + [self.celExpr hash];
+  result = prime * result + [self.celExpr hash];
   return result;
 }
 

Source/common/SNTSyncConstants.h

@@ -126,6 +126,7 @@ extern NSString *const kRulePolicyBlocklistDeprecated;
 extern NSString *const kRulePolicySilentBlocklist;
 extern NSString *const kRulePolicySilentBlocklistDeprecated;
 extern NSString *const kRulePolicyRemove;
+extern NSString *const kRulePolicyCEL;
 extern NSString *const kRuleType;
 extern NSString *const kRuleTypeBinary;
 extern NSString *const kRuleTypeCertificate;
@@ -135,6 +136,7 @@ extern NSString *const kRuleTypeCDHash;
 extern NSString *const kRuleCustomMsg;
 extern NSString *const kRuleCustomURL;
 extern NSString *const kRuleComment;
+extern NSString *const kRuleCELExpr;
 extern NSString *const kCursor;
 
 extern NSString *const kBackoffInterval;

Source/common/SNTSyncConstants.m

@@ -127,6 +127,7 @@
 NSString *const kRulePolicySilentBlocklist = @"SILENT_BLOCKLIST";
 NSString *const kRulePolicySilentBlocklistDeprecated = @"SILENT_BLACKLIST";
 NSString *const kRulePolicyRemove = @"REMOVE";
+NSString *const kRulePolicyCEL = @"CEL";
 NSString *const kRuleType = @"rule_type";
 NSString *const kRuleTypeBinary = @"BINARY";
 NSString *const kRuleTypeCertificate = @"CERTIFICATE";
@@ -136,6 +137,7 @@
 NSString *const kRuleCustomMsg = @"custom_msg";
 NSString *const kRuleCustomURL = @"custom_url";
 NSString *const kRuleComment = @"comment";
+NSString *const kRuleCELExpr = @"cel_expr";
 NSString *const kCursor = @"cursor";
 
 NSString *const kBackoffInterval = @"backoff";

Source/common/cel/Activation.h

@@ -32,26 +32,23 @@
 #include "eval/public/activation.h"
 #pragma clang diagnostic pop
 
-namespace cel_runtime = ::google::api::expr::runtime;
-namespace pbv1 = ::santa::cel::v1;
-
 namespace santa {
 namespace cel {
 
 // SantaActivation is a CEL activation that provides lookups of values from the
 // santa.pb.cel.v1.Context message, and easy access to variables for return values.
-class Activation : public ::cel_runtime::BaseActivation {
+class Activation : public ::google::api::expr::runtime::BaseActivation {
  public:
-  Activation(std::unique_ptr<::pbv1::ExecutableFile> file, std::vector<std::string> (^args)(),
-             std::map<std::string, std::string> (^envs)())
+  Activation(std::unique_ptr<::santa::cel::v1::ExecutableFile> file,
+             std::vector<std::string> (^args)(), std::map<std::string, std::string> (^envs)())
       : file_(std::move(file)), args_(args), envs_(envs) {};
   ~Activation() = default;
 
-  std::optional<cel_runtime::CelValue> FindValue(absl::string_view name,
-                                                 google::protobuf::Arena *arena) const override;
+  std::optional<::google::api::expr::runtime::CelValue> FindValue(
+      absl::string_view name, google::protobuf::Arena *arena) const override;
 
   // Activation does not support lazy-loaded functions.
-  std::vector<const cel_runtime::CelFunction *> FindFunctionOverloads(
+  std::vector<const ::google::api::expr::runtime::CelFunction *> FindFunctionOverloads(
       absl::string_view) const override {
     return {};
   }
@@ -72,11 +69,14 @@ class Activation : public ::cel_runtime::BaseActivation {
                              const google::protobuf::Descriptor *messageType);
 
   template <typename T>
-  static cel_runtime::CelValue CELValue(const T &v, google::protobuf::Arena *arena);
+  static ::google::api::expr::runtime::CelValue CELValue(const T &v,
+                                                         google::protobuf::Arena *arena);
   template <typename T>
-  static cel_runtime::CelValue CELValue(const std::vector<T> &v, google::protobuf::Arena *arena);
+  static ::google::api::expr::runtime::CelValue CELValue(const std::vector<T> &v,
+                                                         google::protobuf::Arena *arena);
   template <typename K, typename V>
-  static cel_runtime::CelValue CELValue(const std::map<K, V> &v, google::protobuf::Arena *arena);
+  static ::google::api::expr::runtime::CelValue CELValue(const std::map<K, V> &v,
+                                                         google::protobuf::Arena *arena);
 };
 
 }  // namespace cel

Source/common/cel/Activation.mm

@@ -84,7 +84,7 @@
 std::optional<cel_runtime::CelValue> Activation::FindValue(absl::string_view name,
                                                            google::protobuf::Arena *arena) const {
   // Handle the ReturnValue values.
-  auto retDescriptor = pbv1::ReturnValue_descriptor();
+  auto retDescriptor = santa::cel::v1::ReturnValue_descriptor();
   auto retValue = retDescriptor->FindValueByName(name);
   if (retValue != nullptr) {
     return CELValue(retValue->number(), arena);
@@ -109,14 +109,14 @@
   // ALLOWLIST or BLOCKLIST in their CEL expressions without having to use the
   // proto package name prefix. Start from value number 1 to avoid the
   // UNSPECIFIED value.
-  auto retDescriptor = pbv1::ReturnValue_descriptor();
+  auto retDescriptor = ::santa::cel::v1::ReturnValue_descriptor();
   for (int i = 1; i < retDescriptor->value_count(); i++) {
     auto value = retDescriptor->value(i);
     v.push_back({value->name(), ::cel::IntType()});
   }
 
   // Now add all the fields from the CELContext message.
-  auto ctxDescriptor = pbv1::ExecutionContext::descriptor();
+  auto ctxDescriptor = santa::cel::v1::ExecutionContext::descriptor();
   for (int i = 0; i < ctxDescriptor->field_count(); i++) {
     auto field = ctxDescriptor->field(i);
 

Source/santactl/Commands/SNTCommandRule.m

@@ -54,6 +54,7 @@ + (NSString *)longHelpText {
           @"    --block: add to block\n"
           @"    --silent-block: add to silent block\n"
           @"    --compiler: allow and mark as a compiler\n"
+          @"    --cel {cel_expr}: add a CEL rule\n"
           @"    --remove: remove existing rule\n"
           @"    --check: check for an existing rule\n"
           @"    --import {path}: import rules from a JSON file\n"
@@ -153,6 +154,12 @@ - (void)runWithArguments:(NSArray *)arguments {
       newRule.state = SNTRuleStateSilentBlock;
     } else if ([arg caseInsensitiveCompare:@"--compiler"] == NSOrderedSame) {
       newRule.state = SNTRuleStateAllowCompiler;
+    } else if ([arg caseInsensitiveCompare:@"--cel"] == NSOrderedSame) {
+      if (++i > arguments.count - 1) {
+        [self printErrorUsageAndExit:@"--cel requires an argument"];
+      }
+      newRule.state = SNTRuleStateCEL;
+      newRule.celExpr = arguments[i];
     } else if ([arg caseInsensitiveCompare:@"--remove"] == NSOrderedSame) {
       newRule.state = SNTRuleStateRemove;
     } else if ([arg caseInsensitiveCompare:@"--check"] == NSOrderedSame) {

Source/santad/SNTPolicyProcessor.mm

@@ -127,7 +127,7 @@ - (BOOL)decision:(SNTCachedDecision *)cd
         break;
       default: break;
     }
-    if (!(*evalResult).second) {
+    if (!evalResult->second) {
       cd.cacheable = NO;
     }
   }

Source/santasyncservice/BUILD

@@ -124,6 +124,7 @@ objc_library(
         "//Source/common:SNTXPCControlInterface",
         "//Source/common:SNTXPCSyncServiceInterface",
         "//Source/common:String",
+        "//Source/common/cel:CEL",
         "@northpolesec_protos//sync:v1_cc_proto",
         "@protobuf//src/google/protobuf/json",
     ],