lint

Author: mlw

Source/common/MOLCodesignCheckerTest.mm

@@ -138,19 +138,24 @@ - (void)testInitWithFileDescriptor {
 // cdhash.
 - (void)testInitWithFileDescriptor_SurvivesAtomicRenameSwap {
   NSString* tmp = NSTemporaryDirectory();
-  NSString* a = [tmp stringByAppendingPathComponent:[NSString
-      stringWithFormat:@"mol_a_%d_%@", getpid(), [[NSUUID UUID] UUIDString]]];
-  NSString* b = [tmp stringByAppendingPathComponent:[NSString
-      stringWithFormat:@"mol_b_%d_%@", getpid(), [[NSUUID UUID] UUIDString]]];
+  NSString* a =
+      [tmp stringByAppendingPathComponent:[NSString stringWithFormat:@"mol_a_%d_%@", getpid(),
+                                                                     [[NSUUID UUID] UUIDString]]];
+  NSString* b =
+      [tmp stringByAppendingPathComponent:[NSString stringWithFormat:@"mol_b_%d_%@", getpid(),
+                                                                     [[NSUUID UUID] UUIDString]]];
   NSError* err;
-  XCTAssertTrue([[NSFileManager defaultManager] copyItemAtPath:@"/usr/bin/yes" toPath:a error:&err]);
-  XCTAssertTrue([[NSFileManager defaultManager] copyItemAtPath:@"/usr/bin/true" toPath:b error:&err]);
+  XCTAssertTrue([[NSFileManager defaultManager] copyItemAtPath:@"/usr/bin/yes"
+                                                        toPath:a
+                                                         error:&err]);
+  XCTAssertTrue([[NSFileManager defaultManager] copyItemAtPath:@"/usr/bin/true"
+                                                        toPath:b
+                                                         error:&err]);
 
   int fd = open(a.UTF8String, O_RDONLY | O_CLOEXEC);
   XCTAssertGreaterThanOrEqual(fd, 0, "open: %s", strerror(errno));
 
-  MOLCodesignChecker* aRef =
-      [[MOLCodesignChecker alloc] initWithBinaryPath:a fileDescriptor:fd];
+  MOLCodesignChecker* aRef = [[MOLCodesignChecker alloc] initWithBinaryPath:a fileDescriptor:fd];
   MOLCodesignChecker* bRef = [[MOLCodesignChecker alloc] initWithBinaryPath:b];
   XCTAssertNotNil(aRef.cdhash);
   XCTAssertNotNil(bRef.cdhash);
@@ -163,8 +168,7 @@ - (void)testInitWithFileDescriptor_SurvivesAtomicRenameSwap {
   XCTAssertEqual(rename(b.UTF8String, a.UTF8String), 0, "rename: %s", strerror(errno));
 
   // fd-based: must still see A's identity.
-  MOLCodesignChecker* afterFD =
-      [[MOLCodesignChecker alloc] initWithBinaryPath:a fileDescriptor:fd];
+  MOLCodesignChecker* afterFD = [[MOLCodesignChecker alloc] initWithBinaryPath:a fileDescriptor:fd];
   XCTAssertEqualObjects(afterFD.cdhash, originalACdhash);
 
   // Path-based control: now sees B's identity (proving the rename happened
@@ -180,8 +184,9 @@ - (void)testInitWithFileDescriptor_SurvivesAtomicRenameSwap {
 // after the caller's open(): the fd holds the vnode regardless.
 - (void)testInitWithFileDescriptor_SurvivesUnlink {
   NSString* tmp = NSTemporaryDirectory();
-  NSString* path = [tmp stringByAppendingPathComponent:[NSString
-      stringWithFormat:@"mol_unlink_%d_%@", getpid(), [[NSUUID UUID] UUIDString]]];
+  NSString* path =
+      [tmp stringByAppendingPathComponent:[NSString stringWithFormat:@"mol_unlink_%d_%@", getpid(),
+                                                                     [[NSUUID UUID] UUIDString]]];
   NSError* err;
   XCTAssertTrue([[NSFileManager defaultManager] copyItemAtPath:@"/usr/bin/yes"
                                                         toPath:path
@@ -192,15 +197,13 @@ - (void)testInitWithFileDescriptor_SurvivesUnlink {
 
   XCTAssertEqual(unlink(path.UTF8String), 0);
 
-  MOLCodesignChecker* sut =
-      [[MOLCodesignChecker alloc] initWithBinaryPath:path fileDescriptor:fd];
+  MOLCodesignChecker* sut = [[MOLCodesignChecker alloc] initWithBinaryPath:path fileDescriptor:fd];
   XCTAssertNotNil(sut.cdhash);
 
   // Path-based at the now-missing path must fail, confirming the fd was the
   // load-bearing source.
   NSError* pathErr;
-  MOLCodesignChecker* viaPath = [[MOLCodesignChecker alloc] initWithBinaryPath:path
-                                                                         error:&pathErr];
+  MOLCodesignChecker* viaPath = [[MOLCodesignChecker alloc] initWithBinaryPath:path error:&pathErr];
   XCTAssertNil(viaPath);
   XCTAssertNotNil(pathErr);
 

Source/santad/Logs/EndpointSecurity/Serializers/ProtobufTest.mm

@@ -548,7 +548,9 @@ - (void)testGetReasonEnum {
       case SNTEventStateUnknown: want = ::pbv1::Execution::REASON_UNKNOWN; break;
       case SNTEventStateBundleBinary: want = ::pbv1::Execution::REASON_UNKNOWN; break;
       case SNTEventStateBlockUnknown: want = ::pbv1::Execution::REASON_UNKNOWN; break;
-      case SNTEventStateBlockBinaryMismatch: want = ::pbv1::Execution::REASON_BINARY_MISMATCH; break;
+      case SNTEventStateBlockBinaryMismatch:
+        want = ::pbv1::Execution::REASON_BINARY_MISMATCH;
+        break;
       case SNTEventStateBlockBinary: want = ::pbv1::Execution::REASON_BINARY; break;
       case SNTEventStateBlockCertificate: want = ::pbv1::Execution::REASON_CERT; break;
       case SNTEventStateBlockScope: want = ::pbv1::Execution::REASON_SCOPE; break;

Source/santad/SNTPolicyProcessor.mm

@@ -626,8 +626,7 @@ + (IdentityVerifyResult)verifyIdentityForTargetProc:(const es_process_t*)targetP
         case IdentityVerifyResult::kDriftAllowed:
           cd.decisionExtra = @"CDHash drift allowed by matching TeamID/SigningID";
           break;
-        case IdentityVerifyResult::kMatch:
-          break;
+        case IdentityVerifyResult::kMatch: break;
       }
     }
 

Source/santad/SNTPolicyProcessorTest.mm

@@ -77,7 +77,8 @@ BOOL RuleIdentifiersAreEqual(struct RuleIdentifiers r1, struct RuleIdentifiers r
 
 static NSString* HexOf(const uint8_t* b, size_t n) {
   NSMutableString* s = [NSMutableString stringWithCapacity:n * 2];
-  for (size_t i = 0; i < n; i++) [s appendFormat:@"%02x", b[i]];
+  for (size_t i = 0; i < n; i++)
+    [s appendFormat:@"%02x", b[i]];
   return s;
 }
 
@@ -1338,8 +1339,8 @@ - (void)testOuter_Unsigned_StatMismatch_ReturnsBlockBinaryMismatch {
       /*filename_template=*/@"santa_test_XXXXXX", /*keep_path=*/true);
   XCTAssertStatusOk(scopedFile);
 
-  NSError *err;
-  SNTFileInfo *fi = [[SNTFileInfo alloc] initWithPath:scopedFile->Path() error:&err];
+  NSError* err;
+  SNTFileInfo* fi = [[SNTFileInfo alloc] initWithPath:scopedFile->Path() error:&err];
   XCTAssertNotNil(fi);
 
   struct stat fakeStat = MakeStat(/*offset=*/42);  // differs from the real file's stat
@@ -1349,13 +1350,13 @@ - (void)testOuter_Unsigned_StatMismatch_ReturnsBlockBinaryMismatch {
   esProc.team_id = MakeESStringToken("");
   esProc.signing_id = MakeESStringToken("");
 
-  SNTConfigState *cs = [[SNTConfigState alloc] initWithConfig:[SNTConfigurator configurator]];
+  SNTConfigState* cs = [[SNTConfigState alloc] initWithConfig:[SNTConfigurator configurator]];
 
-  SNTCachedDecision *cd = [self.processor decisionForFileInfo:fi
-                                                 targetProcess:&esProc
-                                                   configState:cs
-                                            activationCallback:nil
-                                                cachedDecision:nil];
+  SNTCachedDecision* cd = [self.processor decisionForFileInfo:fi
+                                                targetProcess:&esProc
+                                                  configState:cs
+                                           activationCallback:nil
+                                               cachedDecision:nil];
 
   XCTAssertEqual(cd.decision, SNTEventStateBlockBinaryMismatch);
   XCTAssertEqualObjects(cd.decisionExtra,
@@ -1372,8 +1373,8 @@ - (void)testOuter_ReEvalPath_VerificationSkipped {
                                                        /*keep_path=*/true);
   XCTAssertStatusOk(scopedFile);
 
-  NSError *err;
-  SNTFileInfo *fi = [[SNTFileInfo alloc] initWithPath:scopedFile->Path() error:&err];
+  NSError* err;
+  SNTFileInfo* fi = [[SNTFileInfo alloc] initWithPath:scopedFile->Path() error:&err];
   XCTAssertNotNil(fi);
 
   // Deliberate stat mismatch — if verifyIdentity ran, this would short-circuit to
@@ -1390,16 +1391,16 @@ - (void)testOuter_ReEvalPath_VerificationSkipped {
   // if it were non-nil. The bypass invariant under test is that the outer method
   // passes verifyIdentity:nil whenever existingDecision is non-nil (per spec §4),
   // independent of the inner method's certSHA256-skip optimization.
-  SNTCachedDecision *existing = [[SNTCachedDecision alloc] init];
+  SNTCachedDecision* existing = [[SNTCachedDecision alloc] init];
   // Do NOT set certSHA256.
 
-  SNTConfigState *cs = [[SNTConfigState alloc] initWithConfig:[SNTConfigurator configurator]];
+  SNTConfigState* cs = [[SNTConfigState alloc] initWithConfig:[SNTConfigurator configurator]];
 
-  SNTCachedDecision *cd = [self.processor decisionForFileInfo:fi
-                                                 targetProcess:&esProc
-                                                   configState:cs
-                                            activationCallback:nil
-                                                cachedDecision:existing];
+  SNTCachedDecision* cd = [self.processor decisionForFileInfo:fi
+                                                targetProcess:&esProc
+                                                  configState:cs
+                                           activationCallback:nil
+                                               cachedDecision:existing];
 
   XCTAssertNotEqual(cd.decision, SNTEventStateBlockBinaryMismatch,
                     @"re-eval path must never surface BinaryMismatch (outer method "
@@ -1413,8 +1414,8 @@ - (void)testOuter_Unsigned_StatMatches_NoMismatch {
                                                        /*keep_path=*/true);
   XCTAssertStatusOk(scopedFile);
 
-  NSError *err;
-  SNTFileInfo *fi = [[SNTFileInfo alloc] initWithPath:scopedFile->Path() error:&err];
+  NSError* err;
+  SNTFileInfo* fi = [[SNTFileInfo alloc] initWithPath:scopedFile->Path() error:&err];
   XCTAssertNotNil(fi);
 
   struct stat realStat;
@@ -1426,13 +1427,13 @@ - (void)testOuter_Unsigned_StatMatches_NoMismatch {
   esProc.team_id = MakeESStringToken("");
   esProc.signing_id = MakeESStringToken("");
 
-  SNTConfigState *cs = [[SNTConfigState alloc] initWithConfig:[SNTConfigurator configurator]];
+  SNTConfigState* cs = [[SNTConfigState alloc] initWithConfig:[SNTConfigurator configurator]];
 
-  SNTCachedDecision *cd = [self.processor decisionForFileInfo:fi
-                                                 targetProcess:&esProc
-                                                   configState:cs
-                                            activationCallback:nil
-                                                cachedDecision:nil];
+  SNTCachedDecision* cd = [self.processor decisionForFileInfo:fi
+                                                targetProcess:&esProc
+                                                  configState:cs
+                                           activationCallback:nil
+                                               cachedDecision:nil];
 
   XCTAssertNotEqual(cd.decision, SNTEventStateBlockBinaryMismatch);
 }
@@ -1559,9 +1560,10 @@ - (void)testVerifyIdentity_Unsigned_StatMatches_ReturnsMatch {
   es_file_t file;
   es_process_t proc;
   MakeTargetProc(&file, &proc, "/tmp/test", realStat, /*csFlags=*/0, "", "", kHashA);
-  XCTAssertEqual(
-      [SNTPolicyProcessor verifyIdentityForTargetProc:&proc fd:scopedFile->UnsafeFD() csInfo:nil],
-      IdentityVerifyResult::kMatch);
+  XCTAssertEqual([SNTPolicyProcessor verifyIdentityForTargetProc:&proc
+                                                              fd:scopedFile->UnsafeFD()
+                                                          csInfo:nil],
+                 IdentityVerifyResult::kMatch);
 }
 
 // Case 5: both unsigned, st_dev differs -> Mismatch.
@@ -1574,9 +1576,10 @@ - (void)testVerifyIdentity_Unsigned_DevDiffers_ReturnsMismatch {
   es_file_t file;
   es_process_t proc;
   MakeTargetProc(&file, &proc, "/tmp/test", realStat, 0, "", "", kHashA);
-  XCTAssertEqual(
-      [SNTPolicyProcessor verifyIdentityForTargetProc:&proc fd:scopedFile->UnsafeFD() csInfo:nil],
-      IdentityVerifyResult::kMismatch);
+  XCTAssertEqual([SNTPolicyProcessor verifyIdentityForTargetProc:&proc
+                                                              fd:scopedFile->UnsafeFD()
+                                                          csInfo:nil],
+                 IdentityVerifyResult::kMismatch);
 }
 
 // Case 5: both unsigned, st_ino differs -> Mismatch.
@@ -1589,9 +1592,10 @@ - (void)testVerifyIdentity_Unsigned_InoDiffers_ReturnsMismatch {
   es_file_t file;
   es_process_t proc;
   MakeTargetProc(&file, &proc, "/tmp/test", realStat, 0, "", "", kHashA);
-  XCTAssertEqual(
-      [SNTPolicyProcessor verifyIdentityForTargetProc:&proc fd:scopedFile->UnsafeFD() csInfo:nil],
-      IdentityVerifyResult::kMismatch);
+  XCTAssertEqual([SNTPolicyProcessor verifyIdentityForTargetProc:&proc
+                                                              fd:scopedFile->UnsafeFD()
+                                                          csInfo:nil],
+                 IdentityVerifyResult::kMismatch);
 }
 
 // Case 5: both unsigned, st_size differs -> Mismatch.
@@ -1604,9 +1608,10 @@ - (void)testVerifyIdentity_Unsigned_SizeDiffers_ReturnsMismatch {
   es_file_t file;
   es_process_t proc;
   MakeTargetProc(&file, &proc, "/tmp/test", realStat, 0, "", "", kHashA);
-  XCTAssertEqual(
-      [SNTPolicyProcessor verifyIdentityForTargetProc:&proc fd:scopedFile->UnsafeFD() csInfo:nil],
-      IdentityVerifyResult::kMismatch);
+  XCTAssertEqual([SNTPolicyProcessor verifyIdentityForTargetProc:&proc
+                                                              fd:scopedFile->UnsafeFD()
+                                                          csInfo:nil],
+                 IdentityVerifyResult::kMismatch);
 }
 
 // Case 5: both unsigned, st_mtimespec.tv_sec differs -> Mismatch.
@@ -1619,9 +1624,10 @@ - (void)testVerifyIdentity_Unsigned_MtimeSecDiffers_ReturnsMismatch {
   es_file_t file;
   es_process_t proc;
   MakeTargetProc(&file, &proc, "/tmp/test", realStat, 0, "", "", kHashA);
-  XCTAssertEqual(
-      [SNTPolicyProcessor verifyIdentityForTargetProc:&proc fd:scopedFile->UnsafeFD() csInfo:nil],
-      IdentityVerifyResult::kMismatch);
+  XCTAssertEqual([SNTPolicyProcessor verifyIdentityForTargetProc:&proc
+                                                              fd:scopedFile->UnsafeFD()
+                                                          csInfo:nil],
+                 IdentityVerifyResult::kMismatch);
 }
 
 // Case 5: both unsigned, st_mtimespec.tv_nsec differs -> Mismatch.
@@ -1634,9 +1640,10 @@ - (void)testVerifyIdentity_Unsigned_MtimeNsecDiffers_ReturnsMismatch {
   es_file_t file;
   es_process_t proc;
   MakeTargetProc(&file, &proc, "/tmp/test", realStat, 0, "", "", kHashA);
-  XCTAssertEqual(
-      [SNTPolicyProcessor verifyIdentityForTargetProc:&proc fd:scopedFile->UnsafeFD() csInfo:nil],
-      IdentityVerifyResult::kMismatch);
+  XCTAssertEqual([SNTPolicyProcessor verifyIdentityForTargetProc:&proc
+                                                              fd:scopedFile->UnsafeFD()
+                                                          csInfo:nil],
+                 IdentityVerifyResult::kMismatch);
 }
 
 // Case 5: both unsigned, fstat fails (invalid fd) -> Mismatch (fail-closed).