Skip to content

Feat/bundle id rules#964

Closed
yuvraj-garhwal wants to merge 3 commits into
northpolesec:mainfrom
yuvraj-garhwal:feat/bundle-id-rules
Closed

Feat/bundle id rules#964
yuvraj-garhwal wants to merge 3 commits into
northpolesec:mainfrom
yuvraj-garhwal:feat/bundle-id-rules

Conversation

@yuvraj-garhwal
Copy link
Copy Markdown

@yuvraj-garhwal yuvraj-garhwal commented May 24, 2026

No description provided.

yuvraj-garhwal and others added 3 commits May 24, 2026 20:50
@yuvraj-garhwal @claude
Add BundleID rule type for execution authorization
80261d1 
Introduces a new rule identifier type, SNTRuleTypeBundleID (5000), keyed on
"<TEAMID>:<CFBundleIdentifier>" (or "platform:<CFBundleIdentifier>" for
Apple platform binaries). CFBundleIdentifier alone is attacker-controlled,
so the TeamID prefix is mandatory at insert time — bare bundle IDs are
rejected. Lookup precedence is unchanged for the existing types and slots
BundleID at the lowest priority (CDHash > Binary > SigningID > Certificate
> TeamID > BundleID).

Wired through SNTRule parsing/validation, SNTRuleIdentifiers, the SQLite
executionRuleForIdentifiers UNION, the static-rules cache, the policy
processor (populates the lookup key from SNTFileInfo.bundleIdentifier and
cd.teamID/platformBinary), `santactl rule --bundle-id`, and all
SNTEventState switches (log serializers, block message strings, event
counters).

Sync wire format is unchanged: SNTSyncEventUpload returns nullptr for
BundleID decisions and Protobuf logging emits REASON_UNKNOWN, pending the
follow-up change to northpolesec/protos to add BUNDLE_ID to the RuleType
and Reason enums.

Tests: SNTRuleTest covers validator accept/reject paths (incl. platform
prefix); SNTRuleTableTest adds fetch, team-mismatch isolation, and
Binary>BundleID precedence cases.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@yuvraj-garhwal @claude
MOLXPCConnection: skip code-signing requirement in adhoc builds
7c63b1e 
The default XPC code-signing requirement pins peers to TeamID ZMCG7MLDV9
(North Pole Security). Adhoc-signed builds have no team identifier, so
every inter-Santa XPC connection (santactl → daemon, syncservice → daemon,
bundleservice → daemon) was being rejected with errSecCSReqFailed and the
daemon was unreachable.

When SANTAADHOC is defined, CopyDefaultCodeSigningRequirement now returns
nil so no requirement is set on the connection. This is only safe because
adhoc builds are intended for SIP-disabled dev/test machines where the
sysext is loaded via systemextensionsctl developer mode.

Adds the SANTAADHOC define to the MOLXPCConnection target (previously it
was only set on SNTXPCControlInterface).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@yuvraj-garhwal @claude
santactl fileinfo: populate BundleID identifier for rule lookup
ed7c93d 
SNTCommandFileInfo was building its RuleIdentifiers without the new
bundleID field, so 'santactl fileinfo' always reported 'Rule: None' for
binaries matched only by a BundleID rule, even when the daemon would
correctly block them at exec time.

Adds a shared FormatBundleID helper in SigningIDHelpers (mirroring
FormatSigningID) and uses it from both santactl fileinfo and the policy
processor so the two paths can't drift again.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@yuvraj-garhwal yuvraj-garhwal requested a review from a team as a code owner May 24, 2026 17:50
@github-actions github-actions Bot added comp/santad Issues or PRs related to the daemon comp/santasyncservice Issues or PRs related to the sync protocol comp/santactl Issues or PRs related to santactl lang/objc++ PRs modifying files in ObjC++ comp/common size/m Size: medium labels May 24, 2026
@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented May 24, 2026

Review Change Stack

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d3a6d96f-10c3-4ec8-858f-330f26c9d5df

📥 Commits

Reviewing files that changed from the base of the PR and between cb2c6c4 and ed7c93d.

📒 Files selected for processing (26)
  • Source/common/BUILD
  • Source/common/MOLXPCConnection.mm
  • Source/common/SNTBlockMessage.mm
  • Source/common/SNTCachedDecision.h
  • Source/common/SNTCommonEnums.h
  • Source/common/SNTRule.mm
  • Source/common/SNTRuleIdentifiers.h
  • Source/common/SNTRuleIdentifiers.mm
  • Source/common/SNTRuleTest.mm
  • Source/common/SNTSyncConstants.h
  • Source/common/SNTSyncConstants.mm
  • Source/common/SigningIDHelpers.h
  • Source/common/SigningIDHelpers.mm
  • Source/santactl/Commands/SNTCommandFileInfo.mm
  • Source/santactl/Commands/SNTCommandRule.mm
  • Source/santad/DataLayer/SNTRuleTable.h
  • Source/santad/DataLayer/SNTRuleTable.mm
  • Source/santad/DataLayer/SNTRuleTableTest.mm
  • Source/santad/Logs/EndpointSecurity/Serializers/BasicString.mm
  • Source/santad/Logs/EndpointSecurity/Serializers/BasicStringTest.mm
  • Source/santad/Logs/EndpointSecurity/Serializers/Protobuf.mm
  • Source/santad/Logs/EndpointSecurity/Serializers/ProtobufTest.mm
  • Source/santad/SNTExecutionController.h
  • Source/santad/SNTExecutionController.mm
  • Source/santad/SNTPolicyProcessor.mm
  • Source/santasyncservice/SNTSyncEventUpload.mm

Disabled knowledge base sources:

  • Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📝 Walkthrough

Walkthrough

This PR adds comprehensive bundle identifier rule support to Santa. Bundle ID rules permit whitelisting or blocking based on CFBundleIdentifier and team identity, evaluated with specified precedence relative to binary hash rules. The PR also introduces ad-hoc build support via conditional compilation.

Changes

Bundle ID Rule Type and Execution

Layer / File(s) Summary
Bundle ID type contracts and constants
Source/common/SNTCommonEnums.h, Source/common/SNTSyncConstants.h, Source/common/SNTSyncConstants.mm		 Introduces SNTRuleTypeBundleID enum value, SNTEventStateBlockBundleID and SNTEventStateAllowBundleID event state bits, and the sync constant kRuleTypeBundleID used throughout the codebase.
Rule identifiers and cached decision data model extensions
Source/common/SNTCachedDecision.h, Source/common/SNTRuleIdentifiers.h, Source/common/SNTRuleIdentifiers.mm		 Extends SNTCachedDecision with bundleIdentifier property and RuleIdentifiers with bundleID field; implements NSCoding serialization and signing-status conditional population (production-signed binaries only).
Bundle ID rule parsing, validation, and type conversions
Source/common/SNTRule.mm, Source/common/SNTRuleTest.mm		 Implements identifier parsing for SNTRuleTypeBundleID that validates and normalizes TEAMID:CFBundleIdentifier format (with special case for platform: prefix), adds error formatting, dictionary initialization, and type-to-string conversions. Test coverage verifies normalization and rejection of malformed identifiers.
Bundle ID rule key formatting utility
Source/common/SigningIDHelpers.h, Source/common/SigningIDHelpers.mm		 Provides FormatBundleID helper function to generate normalized bundle ID rule keys from bundleID, teamID, and isPlatformBinary context, returning nil for invalid/insufficient identifiers.
Database queries and counting for bundle ID rules
Source/santad/DataLayer/SNTRuleTable.h, Source/santad/DataLayer/SNTRuleTable.mm, Source/santad/DataLayer/SNTRuleTableTest.mm		 Adds bundleIDRuleCount accessor, extends executionRuleForIdentifiers: to query bundle ID rules via SQL UNION ALL with specified precedence after binary/teamID rules, and includes test coverage for rule matching and precedence verification.
CLI tool support for bundle ID rules
Source/santactl/Commands/SNTCommandRule.mm, Source/santactl/Commands/SNTCommandFileInfo.mm		 Updates SNTCommandRule to parse --bundle-id flag, derive bundle identifiers from binary path, validate TeamID/platform context, and format rule creation/result output. Updates SNTCommandFileInfo to populate bundleID in RuleIdentifiers for rule/decision lookups.
Daemon-side policy processor rule evaluation
Source/santad/SNTPolicyProcessor.mm		 Extends rule ID construction to populate bundleID from cached decision, memoizes bundleIdentifier from file info when needed, ensuring bundle ID lookup infrastructure is wired through decision evaluation.
Event logging, serialization, and metrics for bundle ID decisions
Source/common/SNTBlockMessage.mm, Source/santad/Logs/EndpointSecurity/Serializers/BasicString.mm, Source/santad/Logs/EndpointSecurity/Serializers/BasicStringTest.mm, Source/santad/Logs/EndpointSecurity/Serializers/Protobuf.mm, Source/santad/Logs/EndpointSecurity/Serializers/ProtobufTest.mm, Source/santad/SNTExecutionController.h, Source/santad/SNTExecutionController.mm, Source/santasyncservice/SNTSyncEventUpload.mm		 Updates event reason mappings and serialization: block message reasons return "Bundle ID rule", protobuf serializer maps to REASON_UNKNOWN (no dedicated wire enum), execution controller handles block-to-allow conversion and metrics, and sync event upload suppresses bundle ID decisions.

Ad-hoc Build Signing Support

Layer / File(s) Summary
Build configuration for ad-hoc signing
Source/common/BUILD		 Updates MOLXPCConnection build target to conditionally define SANTAADHOC when //:adhoc_build config is true.
Ad-hoc code-signing requirement bypass
Source/common/MOLXPCConnection.mm		 CopyDefaultCodeSigningRequirement() returns nil early when SANTAADHOC is defined, skipping designated requirement validation for ad-hoc signed XPC connections.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • northpolesec/santa#894: Modifies MOLXPCConnection code-signing logic; main PR gates behavior via SANTAADHOC while this PR refactors signing-requirement path.
  • northpolesec/santa#842: Extends SNTBlockMessage event-state-to-reason switch; main PR adds SNTEventState*BundleID branches.
  • northpolesec/santa#839: Modifies SNTCachedDecision copy/seed mechanics and decision flow threading; main PR adds bundleIdentifier property to support bundle ID rule lookup.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

comp/common comp/santactl Issues or PRs related to santactl comp/santad Issues or PRs related to the daemon comp/santasyncservice Issues or PRs related to the sync protocol lang/objc++ PRs modifying files in ObjC++ size/m Size: medium

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@yuvraj-garhwal