MOLCodesignChecker: extract active-slice identity for universal binaries

Threads cputype/cpusubtype from es_event_exec_t through SNTFileInfo into
a new MOLCodesignChecker initializer so signing identity (cdhash, teamID,
signingID, certificates) reflects the slice the kernel actually loaded.
Without the hint, behavior is unchanged - the new path is opt-in via the
new SNTFileInfo exec-event initializer.

For per-arch-inconsistent universals, the active slice's identity now
populates regardless of cross-slice consistency. The cross-slice check
remains as an informational error signal.

Author: mlw

Source/common/BUILD

@@ -11,6 +11,14 @@ package(
 
 licenses(["notice"])
 
+# Expose individual test fixtures for use by tests in other packages.
+exports_files(["testdata/cal-yikes-universal_signed"])
+
+filegroup(
+    name = "testdata_cal_yikes_universal_signed",
+    srcs = ["testdata/cal-yikes-universal_signed"],
+)
+
 proto_library(
     name = "santa_proto",
     srcs = ["santa.proto"],
@@ -1045,7 +1053,10 @@ santa_unit_test(
         "testdata/BundleExample.app/**",
         "testdata/DirectoryBundle/**",
     ]),
-    deps = [":SNTFileInfo"],
+    deps = [
+        ":SNTFileInfo",
+        ":TestUtils",
+    ],
 )
 
 santa_unit_test(

Source/common/MOLCodesignChecker.h

@@ -16,6 +16,7 @@
 @class MOLCertificate;
 
 #import <Foundation/Foundation.h>
+#import <mach/machine.h>
 
 /**
   `MOLCodesignChecker` validates a binary (either on-disk or in memory) has been signed
@@ -174,6 +175,30 @@
 */
 - (instancetype)initWithBinaryPath:(NSString*)binaryPath fileDescriptor:(int)fileDescriptor;
 
+/**
+  Initialize with a binary on disk via a caller-supplied file descriptor, with an
+  active-slice hint for universal binaries.
+
+  When `cpuType` is non-sentinel and the binary is fat, the per-slice signing dict
+  for the matching arch is used to populate `_signingInformation` and `_certificates`,
+  regardless of cross-slice signing consistency. The per-arch consistency check still
+  runs and still surfaces `errSecCSSignatureInvalid` on the error param informationally.
+
+  When `cpuType == CPU_TYPE_ANY` (and/or for thin binaries) this method behaves
+  identically to `initWithBinaryPath:fileDescriptor:error:`.
+
+  @param binaryPath     Path to a binary file on disk (display only when fd is provided).
+  @param fileDescriptor Open fd to the binary, or `-1` to re-resolve `binaryPath`.
+  @param cpuType        Active-slice CPU type, or `CPU_TYPE_ANY` for no hint.
+  @param cpuSubtype     Active-slice CPU subtype, or `CPU_SUBTYPE_ANY` for no hint.
+  @param error          NSError to be filled in if validation fails.
+*/
+- (instancetype)initWithBinaryPath:(NSString*)binaryPath
+                    fileDescriptor:(int)fileDescriptor
+                           cpuType:(cpu_type_t)cpuType
+                        cpuSubtype:(cpu_subtype_t)cpuSubtype
+                             error:(NSError**)error;
+
 /**
   Initialize with a running binary using its process ID.
 

Source/common/MOLCodesignChecker.mm

@@ -75,6 +75,11 @@ @interface MOLCodesignChecker ()
 
 // Cached on-disk binary file descriptor
 @property int binaryFileDescriptor;
+
+// Active-slice hint; values <= 0 mean no hint (CPU_TYPE_ANY is -1; ivar zero-default
+// from non-fd init paths also fails the > 0 gate in -initWithSecStaticCodeRef:error:).
+@property cpu_type_t cpuTypeHint;
+@property cpu_subtype_t cpuSubtypeHint;
 @end
 
 @implementation MOLCodesignChecker
@@ -98,6 +103,12 @@ - (instancetype)initWithSecStaticCodeRef:(SecStaticCodeRef)codeRef error:(NSErro
       }
     });
 
+    // hintActiveForFat is YES when the caller passed a real arch hint and we're
+    // looking at a fat binary. In that mode the per-slice dict is the authority
+    // for _signingInformation/_certificates; the whole-binary fallback below is
+    // suppressed regardless of whether a matching slice was found.
+    BOOL hintActiveForFat = NO;
+
     // For static code checks perform additional checks across all slices
     if (CFGetTypeID(codeRef) == SecStaticCodeGetTypeID()) {
       // Ensure signing is consistent for all architectures.
@@ -106,6 +117,26 @@ - (instancetype)initWithSecStaticCodeRef:(SecStaticCodeRef)codeRef error:(NSErro
       NSArray* infos = [self universalSigningInformationForBinaryPath:_binaryPath
                                                        fileDescriptor:_binaryFileDescriptor];
       if (infos) _universalSigningInformation = infos;
+
+      // When the caller provided an active-slice hint and this is a fat binary,
+      // populate _signingInformation/_certificates from the matching slice.
+      // The cross-slice consistency check below still runs and still surfaces
+      // its error informationally; the per-arch identity is already locked in
+      // via the active-slice extraction. If no slice matches the hint (e.g. a
+      // PowerPC hint against an i386/x86_64 binary), _signingInformation stays
+      // nil and hintActiveForFat suppresses the whole-binary fallback below so
+      // callers see an empty identity for the mismatched arch request.
+      hintActiveForFat = (_cpuTypeHint > 0 && _universalSigningInformation.count > 0);
+      if (hintActiveForFat) {
+        NSDictionary* sliceDict = [self perSliceDictForCpuType:_cpuTypeHint
+                                                    cpuSubtype:_cpuSubtypeHint];
+        if (sliceDict.count > 0) {
+          _signingInformation = sliceDict;
+          NSArray* certs = sliceDict[(__bridge id)kSecCodeInfoCertificates];
+          _certificates = [MOLCertificate certificatesFromArray:certs];
+        }
+      }
+
       if (infos && ![self allSigningInformationMatches:infos]) {
         status = errSecCSSignatureInvalid;
         scopedError = ScopedCFError::BridgeRetain([self
@@ -114,9 +145,14 @@ - (instancetype)initWithSecStaticCodeRef:(SecStaticCodeRef)codeRef error:(NSErro
       }
     }
 
-    // Do not set _signingInformation or _certificates for universal binaries with signing issues.
+    // Do not set _signingInformation or _certificates for universal binaries with
+    // signing issues EXCEPT when the cputype hint already populated them from the
+    // active slice (above). Also suppress when hint mode is active but no slice
+    // matched — callers asked for a specific arch and should not receive the
+    // whole-binary aggregate identity.
     NSError* err = scopedError.BridgeRelease<NSError*>();
-    if (!([err.domain isEqualToString:kMOLCodesignCheckerErrorDomain] &&
+    if (!_signingInformation && !hintActiveForFat &&
+        !([err.domain isEqualToString:kMOLCodesignCheckerErrorDomain] &&
           status == errSecCSSignatureInvalid)) {
       // Get CFDictionary of signing information for binary
       CFDictionaryRef signingDict = NULL;
@@ -154,6 +190,18 @@ - (instancetype)initWithBinaryPath:(NSString*)binaryPath {
 - (instancetype)initWithBinaryPath:(NSString*)binaryPath
                     fileDescriptor:(int)fileDescriptor
                              error:(NSError**)error {
+  return [self initWithBinaryPath:binaryPath
+                   fileDescriptor:fileDescriptor
+                          cpuType:CPU_TYPE_ANY
+                       cpuSubtype:CPU_SUBTYPE_ANY
+                            error:error];
+}
+
+- (instancetype)initWithBinaryPath:(NSString*)binaryPath
+                    fileDescriptor:(int)fileDescriptor
+                           cpuType:(cpu_type_t)cpuType
+                        cpuSubtype:(cpu_subtype_t)cpuSubtype
+                             error:(NSError**)error {
   OSStatus status = errSecSuccess;
   SecStaticCodeRef codeRef = NULL;
 
@@ -177,6 +225,8 @@ - (instancetype)initWithBinaryPath:(NSString*)binaryPath
 
   _binaryPath = binaryPath;
   _binaryFileDescriptor = (fileDescriptor != -1) ? fileDescriptor : -1;
+  _cpuTypeHint = cpuType;
+  _cpuSubtypeHint = cpuSubtype;
 
   self = [self initWithSecStaticCodeRef:codeRef error:error];
   if (codeRef) CFRelease(codeRef);  // it was retained above
@@ -415,6 +465,11 @@ - (NSError*)errorWithCode:(OSStatus)code {
   return [self errorWithCode:code description:nil];
 }
 
+// Reports whether every slice of a universal binary shares the same signing
+// identity (cert chain, or "-" for ad-hoc). Callers that care about per-arch
+// identity should use the cputype-aware initializer instead; this check is
+// retained as an informational signal that surfaces `errSecCSSignatureInvalid`
+// in MOL's error domain for cross-slice inconsistencies.
 - (BOOL)allSigningInformationMatches:(NSArray*)signingInformation {
   NSMutableSet* chains = [NSMutableSet set];
   for (NSDictionary* arch in signingInformation) {
@@ -460,6 +515,17 @@ - (NSArray*)universalSigningInformationForBinaryPath:(NSString*)path fileDescrip
   return infos.count ? infos : nil;
 }
 
+- (NSDictionary*)perSliceDictForCpuType:(cpu_type_t)cpuType cpuSubtype:(cpu_subtype_t)cpuSubtype {
+  const char* nameRaw = macho_arch_name_for_cpu_type(cpuType, cpuSubtype);
+  NSString* archName =
+      nameRaw ? @(nameRaw) : [NSString stringWithFormat:@"%i:%i", cpuType, cpuSubtype];
+  for (NSDictionary* arch in _universalSigningInformation) {
+    NSDictionary* dict = arch[archName];
+    if (dict) return dict;
+  }
+  return nil;
+}
+
 - (NSString*)architectureString:(struct fat_arch*)fatArch bigEndian:(BOOL)bigEndian {
   cpu_type_t cpu = bigEndian ? OSSwapBigToHostInt(fatArch->cputype) : fatArch->cputype;
   cpu_subtype_t cpuSub = bigEndian ? OSSwapBigToHostInt(fatArch->cpusubtype) : fatArch->cpusubtype;

Source/common/MOLCodesignCheckerTest.mm

@@ -17,6 +17,7 @@
 
 #include <fcntl.h>
 #include <mach-o/fat.h>
+#include <mach/machine.h>
 #include <unistd.h>
 
 #import "Source/common/MOLCodesignChecker.h"
@@ -386,4 +387,131 @@ - (void)testEntitlements {
   }];
 }
 
+// yikes-universal_signed has i386 + x86_64, both signed with the same cert chain.
+- (void)testCpuTypeHint_ConsistentFat_PicksActiveSlice {
+  NSError* error;
+  NSBundle* bundle = [NSBundle bundleForClass:[self class]];
+  NSString* path = [bundle pathForResource:@"yikes-universal_signed" ofType:@""];
+
+  MOLCodesignChecker* sutA = [[MOLCodesignChecker alloc] initWithBinaryPath:path
+                                                             fileDescriptor:-1
+                                                                    cpuType:CPU_TYPE_I386
+                                                                 cpuSubtype:CPU_SUBTYPE_I386_ALL
+                                                                      error:&error];
+  XCTAssertNotNil(sutA);
+  XCTAssertNil(error);
+  XCTAssertGreaterThan(sutA.cdhash.length, 0u);
+
+  error = nil;
+  MOLCodesignChecker* sutB = [[MOLCodesignChecker alloc] initWithBinaryPath:path
+                                                             fileDescriptor:-1
+                                                                    cpuType:CPU_TYPE_X86_64
+                                                                 cpuSubtype:CPU_SUBTYPE_X86_64_ALL
+                                                                      error:&error];
+  XCTAssertNotNil(sutB);
+  XCTAssertNil(error);
+  XCTAssertGreaterThan(sutB.cdhash.length, 0u);
+
+  // Per-slice cdhashes always differ across slices of the same fat file.
+  XCTAssertNotEqualObjects(sutA.cdhash, sutB.cdhash);
+}
+
+// cal-yikes-universal_signed: two different cert chains, one per slice.
+- (void)testCpuTypeHint_InconsistentFat_PopulatesActiveSlice_AndSurfacesError {
+  NSError* error;
+  NSBundle* bundle = [NSBundle bundleForClass:[self class]];
+  NSString* path = [bundle pathForResource:@"cal-yikes-universal_signed" ofType:@""];
+
+  MOLCodesignChecker* sut = [[MOLCodesignChecker alloc] initWithBinaryPath:path
+                                                            fileDescriptor:-1
+                                                                   cpuType:CPU_TYPE_I386
+                                                                cpuSubtype:CPU_SUBTYPE_I386_ALL
+                                                                     error:&error];
+  XCTAssertNotNil(sut);
+  // Active-slice signing info is now present despite the per-arch inconsistency.
+  XCTAssertGreaterThan(sut.cdhash.length, 0u);
+  XCTAssertNotNil(sut.leafCertificate);
+  // The consistency-check error still surfaces informationally.
+  XCTAssertEqual(error.code, errSecCSSignatureInvalid);
+  XCTAssertEqualObjects(error.domain, kMOLCodesignCheckerErrorDomain);
+}
+
+// cal-yikes-universal: unknown-arch slice is cert-signed; i386 slice is unsigned.
+// Requesting i386 should yield empty identity with a consistency-check error.
+- (void)testCpuTypeHint_InconsistentFat_UnsignedActiveSlice_LeavesEmpty {
+  NSError* error;
+  NSBundle* bundle = [NSBundle bundleForClass:[self class]];
+  NSString* path = [bundle pathForResource:@"cal-yikes-universal" ofType:@""];
+
+  MOLCodesignChecker* sut = [[MOLCodesignChecker alloc] initWithBinaryPath:path
+                                                            fileDescriptor:-1
+                                                                   cpuType:CPU_TYPE_I386
+                                                                cpuSubtype:CPU_SUBTYPE_I386_ALL
+                                                                     error:&error];
+  XCTAssertNotNil(sut);
+  XCTAssertEqual(sut.cdhash.length, 0u);
+  XCTAssertNil(sut.leafCertificate);
+  XCTAssertEqual(error.code, errSecCSSignatureInvalid);
+  XCTAssertEqualObjects(error.domain, kMOLCodesignCheckerErrorDomain);
+}
+
+// PowerPC won't be in any modern universal fixture; requesting it should leave empty identity.
+- (void)testCpuTypeHint_NoMatchingSlice_LeavesEmpty {
+  NSError* error;
+  NSBundle* bundle = [NSBundle bundleForClass:[self class]];
+  NSString* path = [bundle pathForResource:@"yikes-universal_signed" ofType:@""];
+
+  MOLCodesignChecker* sut = [[MOLCodesignChecker alloc] initWithBinaryPath:path
+                                                            fileDescriptor:-1
+                                                                   cpuType:CPU_TYPE_POWERPC
+                                                                cpuSubtype:CPU_SUBTYPE_POWERPC_ALL
+                                                                     error:&error];
+  XCTAssertNotNil(sut);
+  XCTAssertEqual(sut.cdhash.length, 0u);
+  XCTAssertNil(sut.leafCertificate);
+}
+
+// signed-with-teamid is a thin x86_64 fixture. The cputype hint must be inert
+// for thin binaries: behavior must match the no-hint path exactly.
+- (void)testCpuTypeHint_ThinBinary_Ignored {
+  NSError* error;
+  NSError* errorWithoutHint;
+  NSBundle* bundle = [NSBundle bundleForClass:[self class]];
+  NSString* path = [bundle pathForResource:@"signed-with-teamid" ofType:@""];
+
+  MOLCodesignChecker* sutNoHint = [[MOLCodesignChecker alloc] initWithBinaryPath:path
+                                                                           error:&errorWithoutHint];
+
+  MOLCodesignChecker* sutWithHint =
+      [[MOLCodesignChecker alloc] initWithBinaryPath:path
+                                      fileDescriptor:-1
+                                             cpuType:CPU_TYPE_X86_64
+                                          cpuSubtype:CPU_SUBTYPE_X86_64_ALL
+                                               error:&error];
+  XCTAssertNotNil(sutNoHint);
+  XCTAssertNotNil(sutWithHint);
+  XCTAssertEqualObjects(sutNoHint.cdhash, sutWithHint.cdhash);
+  XCTAssertEqualObjects(sutNoHint.teamID, sutWithHint.teamID);
+  XCTAssertEqualObjects(sutNoHint.signingID, sutWithHint.signingID);
+}
+
+// CPU_TYPE_ANY must fall back to today's (no-hint) behavior.
+- (void)testCpuTypeAny_FallsBackToTodayBehavior {
+  NSError* errorBaseline;
+  NSError* errorSentinel;
+  NSBundle* bundle = [NSBundle bundleForClass:[self class]];
+  NSString* path = [bundle pathForResource:@"yikes-universal_signed" ofType:@""];
+
+  MOLCodesignChecker* sutBaseline = [[MOLCodesignChecker alloc] initWithBinaryPath:path
+                                                                             error:&errorBaseline];
+  MOLCodesignChecker* sutSentinel = [[MOLCodesignChecker alloc] initWithBinaryPath:path
+                                                                    fileDescriptor:-1
+                                                                           cpuType:CPU_TYPE_ANY
+                                                                        cpuSubtype:CPU_SUBTYPE_ANY
+                                                                             error:&errorSentinel];
+  XCTAssertEqualObjects(sutBaseline.cdhash, sutSentinel.cdhash);
+  XCTAssertEqualObjects(sutBaseline.teamID, sutSentinel.teamID);
+  XCTAssertEqualObjects(sutBaseline.signingID, sutSentinel.signingID);
+}
+
 @end

Source/common/SNTFileInfo.h

@@ -15,6 +15,7 @@
 
 #import <EndpointSecurity/EndpointSecurity.h>
 #import <Foundation/Foundation.h>
+#import <mach/machine.h>
 
 #import "Source/common/SantaVnode.h"
 
@@ -44,6 +45,17 @@
 ///
 - (instancetype)initWithEndpointSecurityFile:(const es_file_t*)esFile error:(NSError**)error;
 
+///
+///  Initialize with an Endpoint Security `es_event_exec_t`. Captures the active-slice
+///  CPU type/subtype from `image_cputype` / `image_cpusubtype` so subsequent
+///  `codesignCheckerWithError:` calls return active-slice-correct identity for
+///  fat binaries.
+///
+///  Equivalent to `initWithEndpointSecurityFile:` for thin binaries.
+///
+- (instancetype)initWithEndpointSecurityExecEvent:(const es_event_exec_t*)esExec
+                                            error:(NSError**)error;
+
 ///
 ///  Convenience initializer.
 ///
@@ -233,6 +245,18 @@
 ///
 @property(readonly) NSFileHandle* fileHandle;
 
+///
+///  Active-slice CPU type captured at init time (from `es_event_exec_t.image_cputype`).
+///  Defaults to `CPU_TYPE_ANY` for inits without exec-event context.
+///
+@property(readonly) cpu_type_t cpuType;
+
+///
+///  Active-slice CPU subtype captured at init time (from `es_event_exec_t.image_cpusubtype`).
+///  Defaults to `CPU_SUBTYPE_ANY` for inits without exec-event context.
+///
+@property(readonly) cpu_subtype_t cpuSubtype;
+
 ///
 ///  @return Returns an instance of MOLCodeSignChecker initialized with the file's binary path.
 ///  Both the MOLCodesignChecker and any resulting NSError are cached and returned on subsequent