cel: Add path, target.is_platform_binary and target.team_id fields (#863)

russellhancox · web-flow · commit e93d80cbcdd5 · 2026-03-20T11:13:07.000-04:00
diff --git a/.github/workflows/check-markdown.yml b/.github/workflows/check-markdown.yml
@@ -13,7 +13,7 @@ jobs:
       - name: "Checkout Santa"
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
       - name: "Check for deadlinks"
-        uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # ratchet:lycheeverse/lychee-action@v2
+        uses: lycheeverse/lychee-action@2b973e86fc7b1f6b36a93795fe2c9c6ae1118621 # ratchet:lycheeverse/lychee-action@v1
         with:
           fail: true
       - name: "Check for trailing whitespace and newlines"
diff --git a/MODULE.bazel b/MODULE.bazel
@@ -17,7 +17,7 @@ bazel_dep(name = "boringssl", version = "0.20260211.0")
 bazel_dep(name = "protos", version = "1.0.1", repo_name = "northpolesec_protos")
 git_override(
     module_name = "protos",
-    commit = "53b9f4e4db95e927f095754c24c12028bae03abc",
+    commit = "fa0ad3f19cd1e32ec4946331e94fb1e13e9df4ea",
     remote = "https://github.com/northpolesec/protos",
 )
 
diff --git a/Source/common/BUILD b/Source/common/BUILD
@@ -26,7 +26,6 @@ cc_proto_library(
     deps = [":santa_proto"],
 )
 
-
 objc_library(
     name = "PowerMonitor",
     srcs = ["PowerMonitor.mm"],
diff --git a/Source/common/cel/Activation.h b/Source/common/cel/Activation.h
@@ -49,12 +49,14 @@ class Activation : public ::google::api::expr::runtime::BaseActivation {
 
   Activation(std::unique_ptr<ExecutableFileT> file, std::vector<std::string> (^args)(),
              std::map<std::string, std::string> (^envs)(), uid_t (^euid)(), std::string (^cwd)(),
-             std::vector<AncestorT> (^ancestors)(), std::vector<FileDescriptorT> (^fds)())
+             std::string (^path)(), std::vector<AncestorT> (^ancestors)(),
+             std::vector<FileDescriptorT> (^fds)())
       : file_(std::move(file)),
         args_(args),
         envs_(envs),
         euid_(euid),
         cwd_(cwd),
+        path_(path),
         ancestors_(ancestors),
         fds_(fds) {};
   ~Activation() = default;
@@ -80,6 +82,7 @@ class Activation : public ::google::api::expr::runtime::BaseActivation {
   Memoizer<std::map<std::string, std::string>> envs_;
   Memoizer<uid_t> euid_;
   Memoizer<std::string> cwd_;
+  Memoizer<std::string> path_;
   Memoizer<std::vector<AncestorT>> ancestors_;
   Memoizer<std::vector<FileDescriptorT>> fds_;
 
diff --git a/Source/common/cel/Activation.mm b/Source/common/cel/Activation.mm
@@ -158,6 +158,8 @@
     return CELValue(euid_(), arena);
   } else if (name == "cwd") {
     return CELValue(cwd_(), arena);
+  } else if (name == "path") {
+    return CELValue(path_(), arena);
   }
 
   // Handle the V2 specific fields
@@ -248,7 +250,8 @@
 
 template <bool IsV2>
 bool Activation<IsV2>::IsResultCacheable() const {
-  if (args_.HasValue() || envs_.HasValue() || euid_.HasValue() || cwd_.HasValue()) {
+  if (args_.HasValue() || envs_.HasValue() || euid_.HasValue() || cwd_.HasValue() ||
+      path_.HasValue()) {
     return false;
   }
 
diff --git a/Source/common/cel/ArenaGrowthTest.mm b/Source/common/cel/ArenaGrowthTest.mm
@@ -93,6 +93,9 @@ - (void)testCompileAndEvaluateArenaGrowth {
           ^std::string() {
             return "/usr/local/bin";
           },
+          ^std::string() {
+            return "/usr/bin/test";
+          },
           ^std::vector<AncestorT>() {
             return {};
           },
@@ -133,6 +136,9 @@ - (void)testCompileAndEvaluateArenaGrowth {
           ^std::string() {
             return "/usr/local/bin";
           },
+          ^std::string() {
+            return "/usr/bin/test";
+          },
           ^std::vector<AncestorT>() {
             return {};
           },
diff --git a/Source/common/cel/Test.mm b/Source/common/cel/Test.mm
@@ -39,6 +39,8 @@ - (void)testBasic {
 
   auto f = std::make_unique<ExecutableFileT>();
   f->mutable_signing_time()->set_seconds(1748436989);
+  f->set_is_platform_binary(false);
+  f->set_team_id("EQHXZ8M8AV");
   santa::cel::Activation<true> activation(
       std::move(f),
       ^std::vector<std::string>() {
@@ -53,6 +55,9 @@ - (void)testBasic {
       ^std::string() {
         return "/";
       },
+      ^std::string() {
+        return "/usr/bin/test";
+      },
       ^std::vector<AncestorT>() {
         return {};
       },
@@ -92,6 +97,37 @@ - (void)testBasic {
       XCTAssertEqual(result.value().cacheable, true);
     }
   }
+  {
+    // Static - is_platform_binary on target
+    auto result = sut.value()->CompileAndEvaluate("target.is_platform_binary == false", activation);
+    if (!result.ok()) {
+      XCTFail("Failed to evaluate: %s", result.status().message().data());
+    } else {
+      XCTAssertEqual(result.value().value, ReturnValue::ALLOWLIST);
+      XCTAssertEqual(result.value().cacheable, true);
+    }
+  }
+  {
+    // Static - team_id on target
+    auto result = sut.value()->CompileAndEvaluate("target.team_id == 'EQHXZ8M8AV'", activation);
+    if (!result.ok()) {
+      XCTFail("Failed to evaluate: %s", result.status().message().data());
+    } else {
+      XCTAssertEqual(result.value().value, ReturnValue::ALLOWLIST);
+      XCTAssertEqual(result.value().cacheable, true);
+    }
+  }
+  {
+    // Combined - is_platform_binary and team_id
+    auto result = sut.value()->CompileAndEvaluate(
+        "!target.is_platform_binary && target.team_id == 'EQHXZ8M8AV'", activation);
+    if (!result.ok()) {
+      XCTFail("Failed to evaluate: %s", result.status().message().data());
+    } else {
+      XCTAssertEqual(result.value().value, ReturnValue::ALLOWLIST);
+      XCTAssertEqual(result.value().cacheable, true);
+    }
+  }
   {
     // Re-use of a compiled expression.
     google::protobuf::Arena arena;
@@ -125,6 +161,9 @@ - (void)testBasic {
         ^std::string() {
           return "/Users/foo";
         },
+        ^std::string() {
+          return "/usr/bin/test";
+        },
         ^std::vector<santa::cel::v2::Ancestor>() {
           return {};
         },
@@ -179,6 +218,9 @@ - (void)testBasic {
         ^std::string {
           return "/";
         },
+        ^std::string() {
+          return "/usr/bin/test";
+        },
         ^std::vector<santa::cel::v2::Ancestor>() {
           return {};
         },
@@ -206,6 +248,26 @@ - (void)testBasic {
       XCTAssertEqual(result.value().cacheable, false);
     }
   }
+  {
+    // Dynamic - filepath via path field
+    auto result = sut.value()->CompileAndEvaluate("path == '/usr/bin/test'", activation);
+    if (!result.ok()) {
+      XCTFail("Failed to evaluate: %s", result.status().message().data());
+    } else {
+      XCTAssertEqual(result.value().value, ReturnValue::ALLOWLIST);
+      XCTAssertEqual(result.value().cacheable, false);
+    }
+  }
+  {
+    // Dynamic - path with startsWith
+    auto result = sut.value()->CompileAndEvaluate("path.startsWith('/usr/bin')", activation);
+    if (!result.ok()) {
+      XCTFail("Failed to evaluate: %s", result.status().message().data());
+    } else {
+      XCTAssertEqual(result.value().value, ReturnValue::ALLOWLIST);
+      XCTAssertEqual(result.value().cacheable, false);
+    }
+  }
 }
 
 - (void)testV2Only {
@@ -221,6 +283,9 @@ - (void)testV2Only {
   auto cwdFn = ^std::string() {
     return "/";
   };
+  auto pathFn = ^std::string() {
+    return "/usr/bin/test";
+  };
   auto ancestorsV1Fn = ^std::vector<santa::cel::CELProtoTraits<false>::AncestorT>() {
     return {};
   };
@@ -238,7 +303,7 @@ - (void)testV2Only {
     // V1
     auto f = std::make_unique<santa::cel::CELProtoTraits<false>::ExecutableFileT>();
     f->mutable_signing_time()->set_seconds(1748436989);
-    santa::cel::Activation<false> activation(std::move(f), argsFn, envsFn, euidFn, cwdFn,
+    santa::cel::Activation<false> activation(std::move(f), argsFn, envsFn, euidFn, cwdFn, pathFn,
                                              ancestorsV1Fn, fdsV1Fn);
     auto sut = santa::cel::Evaluator<false>::Create();
     XCTAssertTrue(sut.ok());
@@ -254,7 +319,7 @@ - (void)testV2Only {
     using ReturnValue = santa::cel::CELProtoTraits<true>::ReturnValue;
     auto f = std::make_unique<santa::cel::CELProtoTraits<true>::ExecutableFileT>();
     f->mutable_signing_time()->set_seconds(1748436989);
-    santa::cel::Activation<true> activation(std::move(f), argsFn, envsFn, euidFn, cwdFn,
+    santa::cel::Activation<true> activation(std::move(f), argsFn, envsFn, euidFn, cwdFn, pathFn,
                                             ancestorsV2Fn, fdsV2Fn);
     auto sut = santa::cel::Evaluator<true>::Create();
     XCTAssertTrue(sut.ok());
@@ -292,6 +357,9 @@ - (void)testFds {
       ^std::string() {
         return "/";
       },
+      ^std::string() {
+        return "/usr/bin/test";
+      },
       ^std::vector<AncestorT>() {
         return {};
       },
@@ -387,6 +455,9 @@ - (void)testTouchIDCooldownFunctions {
       ^std::string() {
         return "/";
       },
+      ^std::string() {
+        return "/usr/bin/test";
+      },
       ^std::vector<AncestorT>() {
         return {};
       },
@@ -490,6 +561,9 @@ - (void)testTouchIDCooldownNotAvailableInV1 {
       ^std::string() {
         return "/";
       },
+      ^std::string() {
+        return "/usr/bin/test";
+      },
       ^std::vector<AncestorT>() {
         return {};
       },
diff --git a/Source/santad/CELActivation.mm b/Source/santad/CELActivation.mm
@@ -138,6 +138,11 @@ ActivationCallbackBlock CreateCELActivationBlock(
         f->mutable_secure_signing_time()->set_seconds(secureSigningTime.timeIntervalSince1970);
       }
 
+      f->set_is_platform_binary(isPlatformBinary);
+      if (teamID) {
+        f->set_team_id(santa::NSStringToUTF8String(teamID));
+      }
+
       if constexpr (IsV2) {
         if (entitlementsDict) {
           auto *entitlements = f->mutable_entitlements();
@@ -179,6 +184,11 @@ ActivationCallbackBlock CreateCELActivationBlock(
             if (!f) return std::string();
             return std::string(f->path.data, f->path.length);
           },
+          ^std::string() {
+            es_file_t *f = esMsg->event.exec.target->executable;
+            if (!f) return std::string();
+            return std::string(f->path.data, f->path.length);
+          },
           ^std::vector<AncestorT>() {
             return Ancestors<IsV2>(processTree, esMsg);
           },
diff --git a/Source/santad/Logs/EndpointSecurity/Writers/FSSpool/BUILD b/Source/santad/Logs/EndpointSecurity/Writers/FSSpool/BUILD
@@ -23,7 +23,6 @@ cc_proto_library(
     ],
 )
 
-
 cc_library(
     name = "fsspool_nowindows",
     srcs = ["fsspool_nowindows.cc"],
diff --git a/Source/santad/SNTPolicyProcessorTest.mm b/Source/santad/SNTPolicyProcessorTest.mm
@@ -695,6 +695,9 @@ - (void)testCELDecisions {
           ^std::string() {
             return "/";
           },
+          ^std::string() {
+            return "/usr/bin/test";
+          },
           ^std::vector<AncestorT>() {
             return {};
           },
@@ -847,6 +850,9 @@ - (void)testCELAncestors {
           ^std::string() {
             return "/Users/admin";
           },
+          ^std::string() {
+            return "/usr/bin/test";
+          },
           ^std::vector<ActivationAncestorT>() {
             if constexpr (IsV2) {
               AncestorT launchd;
@@ -1027,6 +1033,9 @@ - (ActivationCallbackBlock)fallbackTestActivationCallback {
           ^std::string() {
             return "/tmp";
           },
+          ^std::string() {
+            return "/usr/bin/test";
+          },
           ^std::vector<AncestorT>() {
             return {};
           },
@@ -1052,6 +1061,9 @@ - (ActivationCallbackBlock)fallbackTestActivationCallback {
           ^std::string() {
             return "";
           },
+          ^std::string() {
+            return "/usr/bin/test";
+          },
           ^std::vector<V1AncestorT>() {
             return {};
           },
diff --git a/docs/docs/features/binary-authorization.md b/docs/docs/features/binary-authorization.md
@@ -327,6 +327,27 @@ The following fields are available on the `target` object:
 | `target.signing_id` | `string` | Signing ID of the target binary, prefixed with Team ID or `platform` (e.g. `EQHXZ8M8AV:com.google.Chrome` or `platform:com.apple.curl`) |
 | `target.signing_time` | `timestamp` | Code signing timestamp (developer-provided) |
 | `target.secure_signing_time` | `timestamp` | Secure code signing timestamp (from a timestamp authority) |
+| `target.is_platform_binary` | `bool` | Whether the binary is signed with Apple platform certificates |
+| `target.team_id` | `string` | Team ID from the binary's code signature |
+
+The following additional fields are available in the execution context:
+
+| Field | Type | Description |
+| ----- | ---- | ----------- |
+| `path` | `string` | File path of the executable |
+| `args` | `list<string>` | Command-line arguments passed to the binary |
+| `envs` | `map<string, string>` | Environment variables available to the process |
+| `euid` | `int` | Effective user ID (0 for root, etc.) |
+| `cwd` | `string` | Current working directory of the process |
+
+:::note
+
+Fields accessed from `target.*` are **cacheable** — their result is cached so
+subsequent executions are faster. All other fields (`path`, `args`, `envs`,
+`euid`, `cwd`) are **not cacheable** and may impact performance if used in
+rules for frequently-executed binaries.
+
+:::
 
 Some examples of valid CEL expressions:
 
@@ -353,6 +374,10 @@ euid != 0
 
 // Disallow execution from inside /Library/LaunchDaemons. Requires Santa 2025.12+
 cwd != '/Library/LaunchDaemons'
+
+// Only allow platform binaries from a specific path.
+// This expression will NOT be cacheable.
+target.is_platform_binary && path.startsWith('/usr/bin/')
 ```
 
 ### Rule Dictionary Format
diff --git a/docs/src/components/CELPlayground/constants.ts b/docs/src/components/CELPlayground/constants.ts
@@ -7,6 +7,7 @@ export const VARIABLES: CELVariable[] = [
   { name: "args", type: "list", dynamic: true, documentation: "Command line arguments" },
   { name: "euid", type: "int", dynamic: true, documentation: "Effective user ID" },
   { name: "cwd", type: "string", dynamic: true, documentation: "Current working directory" },
+  { name: "path", type: "string", dynamic: true, documentation: "File path of the executable" },
   {
     name: "target.signing_id",
     type: "string",
@@ -23,6 +24,16 @@ export const VARIABLES: CELVariable[] = [
     type: "timestamp",
     documentation: "Secure code signing timestamp",
   },
+  {
+    name: "target.is_platform_binary",
+    type: "bool",
+    documentation: "Whether the binary is signed with Apple platform certificates",
+  },
+  {
+    name: "target.team_id",
+    type: "string",
+    documentation: "Team ID from the binary's code signature",
+  },
   { name: "FD_TYPE_UNKNOWN", type: "int", documentation: "Unknown file descriptor type" },
   { name: "FD_TYPE_ATALK", type: "int", documentation: "AppleTalk file descriptor" },
   { name: "FD_TYPE_VNODE", type: "int", documentation: "Vnode (regular file) file descriptor" },
diff --git a/docs/src/components/CELPlayground/eslogger.ts b/docs/src/components/CELPlayground/eslogger.ts
diff --git a/docs/src/components/CELPlayground/eval.test.ts b/docs/src/components/CELPlayground/eval.test.ts
diff --git a/docs/src/components/CELPlayground/eval.ts b/docs/src/components/CELPlayground/eval.ts

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ bazel_dep(name = "boringssl", version = "0.20260211.0")`
`17`	`17`	`bazel_dep(name = "protos", version = "1.0.1", repo_name = "northpolesec_protos")`
`18`	`18`	`git_override(`
`19`	`19`	`module_name = "protos",`
`20`		`- commit = "53b9f4e4db95e927f095754c24c12028bae03abc",`
	`20`	`+ commit = "fa0ad3f19cd1e32ec4946331e94fb1e13e9df4ea",`
`21`	`21`	`remote = "https://github.com/northpolesec/protos",`
`22`	`22`	`)`
`23`	`23`
Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,6 @@ cc_proto_library(`
`26`	`26`	`deps = [":santa_proto"],`
`27`	`27`	`)`
`28`	`28`
`29`		`-`
`30`	`29`	`objc_library(`
`31`	`30`	`name = "PowerMonitor",`
`32`	`31`	`srcs = ["PowerMonitor.mm"],`
Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,6 @@ cc_proto_library(`
`23`	`23`	`],`
`24`	`24`	`)`
`25`	`25`
`26`		`-`
`27`	`26`	`cc_library(`
`28`	`27`	`name = "fsspool_nowindows",`
`29`	`28`	`srcs = ["fsspool_nowindows.cc"],`