santad: Populate new signing_id field in CEL context (#793)

Moves activation block creation into a new file to avoid polluting
execution controller any further.

---------

Signed-off-by: Russell Hancox <russellhancox@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

Author: russellhancox

MODULE.bazel

@@ -18,7 +18,7 @@ bazel_dep(name = "boringssl", version = "0.20251110.0")
 bazel_dep(name = "protos", version = "1.0.1", repo_name = "northpolesec_protos")
 git_override(
     module_name = "protos",
-    commit = "7366338b05136295d7a5be013397130d75cbf1b2",
+    commit = "836c28d666b0c498d11363a87eac695e8bcb9767",
     remote = "https://github.com/northpolesec/protos",
 )
 

Source/santad/BUILD

@@ -375,11 +375,29 @@ santa_unit_test(
     ],
 )
 
+objc_library(
+    name = "CELActivation",
+    srcs = ["CELActivation.mm"],
+    hdrs = ["CELActivation.h"],
+    deps = [
+        ":EndpointSecurityAPI",
+        ":EndpointSecurityMessage",
+        ":SNTPolicyProcessor",
+        "//Source/common:MOLCodesignChecker",
+        "//Source/common:SigningIDHelpers",
+        "//Source/common:String",
+        "//Source/common/cel:CEL",
+        "//Source/santad/ProcessTree:process",
+        "//Source/santad/ProcessTree:process_tree",
+    ],
+)
+
 objc_library(
     name = "SNTExecutionController",
     srcs = ["SNTExecutionController.mm"],
     hdrs = ["SNTExecutionController.h"],
     deps = [
+        ":CELActivation",
         ":EndpointSecurityAPI",
         ":EndpointSecurityMessage",
         ":ProcessControl",

Source/santad/CELActivation.h

@@ -0,0 +1,44 @@
+/// Copyright 2026 North Pole Security, Inc.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+#ifndef SANTA__SANTAD__CELACTIVATION_H
+#define SANTA__SANTAD__CELACTIVATION_H
+
+#import <Foundation/Foundation.h>
+
+#include <memory>
+
+#include "Source/santad/EventProviders/EndpointSecurity/Message.h"
+#include "Source/santad/ProcessTree/process_tree.h"
+#import "Source/santad/SNTPolicyProcessor.h"
+
+@class MOLCodesignChecker;
+
+namespace santa {
+
+// Create a block that returns a santa::cel::Activation object for the given
+// Message and MOLCodesignChecker object. The block defines a bool parameter
+// that determines whether to create a v1 or v2 activation object.
+//
+// Note: The returned block captures a reference to the Message object and must
+// not use it after the Message object is destroyed. Care must be taken to not
+// use this in an asynchronous context outside of the evaluation of that
+// execution.
+ActivationCallbackBlock _Nonnull CreateCELActivationBlock(
+    const Message &esMsg, MOLCodesignChecker *_Nullable csInfo,
+    std::shared_ptr<santad::process_tree::ProcessTree> processTree);
+
+}  // namespace santa
+
+#endif  // SANTA__SANTAD__CELACTIVATION_H

Source/santad/CELActivation.mm

@@ -0,0 +1,146 @@
+/// Copyright 2026 North Pole Security, Inc.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+
+#import "Source/santad/CELActivation.h"
+
+#include <bsm/libbsm.h>
+
+#include <map>
+#include <memory>
+#include <string>
+#include <vector>
+
+#import "Source/common/MOLCodesignChecker.h"
+#import "Source/common/SigningIDHelpers.h"
+#include "Source/common/String.h"
+#include "Source/common/cel/Activation.h"
+#include "Source/common/cel/CELProtoTraits.h"
+#include "Source/santad/EventProviders/EndpointSecurity/EndpointSecurityAPI.h"
+#include "Source/santad/ProcessTree/process_tree_macos.h"
+
+namespace {
+
+template <bool IsV2>
+std::vector<typename santa::cel::CELProtoTraits<IsV2>::AncestorT> Ancestors(
+    const std::shared_ptr<santa::santad::process_tree::ProcessTree> &processTree,
+    const santa::Message &esMsg);
+
+template <>
+std::vector<santa::cel::CELProtoTraits<true>::AncestorT> Ancestors<true>(
+    const std::shared_ptr<santa::santad::process_tree::ProcessTree> &processTree,
+    const santa::Message &esMsg) {
+  if (!processTree) return {};
+
+  using Traits = santa::cel::CELProtoTraits<true>;
+  using AncestorT = typename Traits::AncestorT;
+
+  auto pid = santa::santad::process_tree::PidFromAuditToken(esMsg->process->parent_audit_token);
+  auto proc = processTree->Get(pid);
+  if (!proc) {
+    return {};
+  }
+
+  std::vector<santa::cel::CELProtoTraits<true>::AncestorT> ancestors;
+  for (const auto &p : processTree->RootSlice(*proc)) {
+    if (!p->program_) {
+      continue;
+    }
+
+    AncestorT ancestor;
+    ancestor.set_path(p->program_->executable);
+
+    if (p->program_->code_signing) {
+      const auto &cs = *p->program_->code_signing;
+      if (cs.is_platform_binary) {
+        ancestor.set_signing_id("platform:" + cs.signing_id);
+      } else {
+        ancestor.set_signing_id(cs.team_id + ":" + cs.signing_id);
+      }
+      ancestor.set_team_id(cs.team_id);
+      ancestor.set_cdhash(cs.cdhash);
+    }
+
+    ancestors.push_back(std::move(ancestor));
+  }
+  return ancestors;
+}
+
+template <>
+std::vector<santa::cel::CELProtoTraits<false>::AncestorT> Ancestors<false>(
+    const std::shared_ptr<santa::santad::process_tree::ProcessTree> &processTree,
+    const santa::Message &esMsg) {
+  return {};
+}
+
+}  // namespace
+
+namespace santa {
+
+ActivationCallbackBlock CreateCELActivationBlock(
+    const Message &esMsg, MOLCodesignChecker *csInfo,
+    std::shared_ptr<santad::process_tree::ProcessTree> processTree) {
+  std::shared_ptr<EndpointSecurityAPI> esApi = esMsg.ESAPI();
+
+  return ^std::unique_ptr<::google::api::expr::runtime::BaseActivation>(bool useV2) {
+    auto makeActivation =
+        [&]<bool IsV2>() -> std::unique_ptr<::google::api::expr::runtime::BaseActivation> {
+      using Traits = santa::cel::CELProtoTraits<IsV2>;
+      using ExecutableFileT = typename Traits::ExecutableFileT;
+      using AncestorT = typename Traits::AncestorT;
+
+      auto f = std::make_unique<ExecutableFileT>();
+
+      NSString *signingID = FormatSigningID(csInfo);
+      if (signingID) {
+        f->set_signing_id(santa::NSStringToUTF8String(signingID));
+      }
+
+      if (csInfo.signingTime) {
+        f->mutable_signing_time()->set_seconds(csInfo.signingTime.timeIntervalSince1970);
+      }
+      if (csInfo.secureSigningTime) {
+        f->mutable_secure_signing_time()->set_seconds(
+            csInfo.secureSigningTime.timeIntervalSince1970);
+      }
+
+      return std::make_unique<santa::cel::Activation<IsV2>>(
+          std::move(f),
+          ^std::vector<std::string>() {
+            return esApi->ExecArgs(&esMsg->event.exec);
+          },
+          ^std::map<std::string, std::string>() {
+            return esApi->ExecEnvs(&esMsg->event.exec);
+          },
+          ^uid_t() {
+            return audit_token_to_euid(esMsg->event.exec.target->audit_token);
+          },
+          ^std::string() {
+            es_file_t *f = esMsg->event.exec.cwd;
+            if (!f) return std::string();
+            return std::string(f->path.data, f->path.length);
+          },
+          ^std::vector<AncestorT>() {
+            return Ancestors<IsV2>(processTree, esMsg);
+          });
+    };
+
+    if (useV2) {
+      return makeActivation.operator()<true>();
+    } else {
+      return makeActivation.operator()<false>();
+    }
+  };
+}
+
+}  // namespace santa

Source/santad/SNTExecutionController.mm

@@ -47,10 +47,10 @@
 #include "Source/common/String.h"
 #include "Source/common/SystemResources.h"
 #include "Source/common/Unit.h"
+#include "Source/santad/CELActivation.h"
 #import "Source/santad/DataLayer/SNTEventTable.h"
 #import "Source/santad/DataLayer/SNTRuleTable.h"
 #include "Source/santad/EventProviders/EndpointSecurity/EndpointSecurityAPI.h"
-#include "Source/santad/ProcessTree/process_tree_macos.h"
 #import "Source/santad/SNTDecisionCache.h"
 #import "Source/santad/SNTNotificationQueue.h"
 #import "Source/santad/SNTSyncdQueue.h"
@@ -263,10 +263,8 @@ - (void)validateExecEvent:(const Message &)esMsg postAction:(bool (^)(SNTAction)
       decisionForFileInfo:binInfo
             targetProcess:targetProc
               configState:configState
-       activationCallback:[self
-                              createActivationBlockForMessage:esMsg
-                                                    andCSInfo:[binInfo
-                                                                  codesignCheckerWithError:NULL]]];
+       activationCallback:santa::CreateCELActivationBlock(
+                              esMsg, [binInfo codesignCheckerWithError:NULL], _processTree)];
 
   cd.codesigningFlags = targetProc->codesigning_flags;
   cd.vnodeId = SantaVnode::VnodeForFile(targetProc->executable);
@@ -649,117 +647,8 @@ - (void)createRuleForStandaloneModeEvent:(SNTStoredExecutionEvent *)se {
   // TODO: Notify the sync service of the new rule.
 }
 
-// Create a block that returns a santa::cel::Activation object for the given Message
-// and MOLCodesignChecker object. The block defines a bool parameter that determines
-// whether to create a v1 or v2 activation object.
-//
-// Note: The returned block captures a reference to the Message object and must
-// not use it after the Message object is destroyed. Care must be taken to not
-// use this in an asynchronous context outside of the evaluation of that execution.
-- (ActivationCallbackBlock)createActivationBlockForMessage:(const santa::Message &)esMsg
-                                                 andCSInfo:(nullable MOLCodesignChecker *)csInfo {
-  std::shared_ptr<santa::EndpointSecurityAPI> esApi = esMsg.ESAPI();
-  std::shared_ptr<santa::santad::process_tree::ProcessTree> processTree = _processTree;
-
-  return ^std::unique_ptr<::google::api::expr::runtime::BaseActivation>(bool useV2) {
-    auto makeActivation =
-        [&]<bool IsV2>() -> std::unique_ptr<::google::api::expr::runtime::BaseActivation> {
-      using Traits = santa::cel::CELProtoTraits<IsV2>;
-      using ExecutableFileT = typename Traits::ExecutableFileT;
-      using AncestorT = typename Traits::AncestorT;
-
-      auto f = std::make_unique<ExecutableFileT>();
-
-      if (csInfo.signingTime) {
-        f->mutable_signing_time()->set_seconds(csInfo.signingTime.timeIntervalSince1970);
-      }
-      if (csInfo.secureSigningTime) {
-        f->mutable_secure_signing_time()->set_seconds(
-            csInfo.secureSigningTime.timeIntervalSince1970);
-      }
-
-      return std::make_unique<santa::cel::Activation<IsV2>>(
-          std::move(f),
-          ^std::vector<std::string>() {
-            return esApi->ExecArgs(&esMsg->event.exec);
-          },
-          ^std::map<std::string, std::string>() {
-            return esApi->ExecEnvs(&esMsg->event.exec);
-          },
-          ^uid_t() {
-            return audit_token_to_euid(esMsg->event.exec.target->audit_token);
-          },
-          ^std::string() {
-            es_file_t *f = esMsg->event.exec.cwd;
-            return std::string(f->path.data, f->path.length);
-          },
-          ^std::vector<AncestorT>() {
-            return Ancestors<IsV2>(processTree, esMsg);
-          });
-    };
-
-    if (useV2) {
-      return makeActivation.operator()<true>();
-    } else {
-      return makeActivation.operator()<false>();
-    }
-  };
-}
-
 - (void)flushTouchIDApprovalCache {
   _touchIDApprovalCache->clear();
 }
 
-template <bool IsV2>
-std::vector<typename santa::cel::CELProtoTraits<IsV2>::AncestorT> Ancestors(
-    const std::shared_ptr<santa::santad::process_tree::ProcessTree> &processTree,
-    const santa::Message &esMsg);
-
-template <>
-std::vector<santa::cel::CELProtoTraits<true>::AncestorT> Ancestors<true>(
-    const std::shared_ptr<santa::santad::process_tree::ProcessTree> &processTree,
-    const santa::Message &esMsg) {
-  if (!processTree) return {};
-
-  using Traits = santa::cel::CELProtoTraits<true>;
-  using AncestorT = typename Traits::AncestorT;
-
-  auto pid = santa::santad::process_tree::PidFromAuditToken(esMsg->process->parent_audit_token);
-  auto proc = processTree->Get(pid);
-  if (!proc) {
-    return {};
-  }
-
-  std::vector<santa::cel::CELProtoTraits<true>::AncestorT> ancestors;
-  for (const auto &p : processTree->RootSlice(*proc)) {
-    if (!p->program_) {
-      continue;
-    }
-
-    AncestorT ancestor;
-    ancestor.set_path(p->program_->executable);
-
-    if (p->program_->code_signing) {
-      const auto &cs = *p->program_->code_signing;
-      if (cs.is_platform_binary) {
-        ancestor.set_signing_id("platform:" + cs.signing_id);
-      } else {
-        ancestor.set_signing_id(cs.team_id + ":" + cs.signing_id);
-      }
-      ancestor.set_team_id(cs.team_id);
-      ancestor.set_cdhash(cs.cdhash);
-    }
-
-    ancestors.push_back(std::move(ancestor));
-  }
-  return ancestors;
-}
-
-template <>
-std::vector<santa::cel::CELProtoTraits<false>::AncestorT> Ancestors<false>(
-    const std::shared_ptr<santa::santad::process_tree::ProcessTree> &processTree,
-    const santa::Message &esMsg) {
-  return {};
-}
-
 @end