[DRAFT] Add codesigning information to the ProcessInfoLight message

Source/common/santa.proto

@@ -1,4 +1,17 @@
-// Important: This schema is currently in BETA
+/// Copyright 2024 Google LLC
+/// Copyright 2024 North Pole Security, Inc.
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     https://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
 
 syntax = "proto3";
 
@@ -206,7 +219,11 @@ message ProcessInfoLight {
   // File information for the executable backing this process
   optional FileInfoLight executable = 10;
 
+  // Tags added by configured annotators
   optional process_tree.Annotations annotations = 11;
+
+  // Code signature information for the process
+  optional CodeSignature code_signature = 12;
 }
 
 // Certificate information

Source/santad/Logs/EndpointSecurity/Serializers/Protobuf.mm

@@ -1,4 +1,5 @@
 /// Copyright 2022 Google LLC
+/// Copyright 2024 North Pole Security, Inc.
 ///
 /// Licensed under the Apache License, Version 2.0 (the "License");
 /// you may not use this file except in compliance with the License.
@@ -214,6 +215,23 @@ static inline void EncodeAnnotations(std::function<::pbv1::process_tree::Annotat
   }
 }
 
+static inline void EncodeCodeSignature(std::function<::pbv1::CodeSignature *()> lazy_f, const es_process_t *es_proc) {
+  if (es_proc->codesigning_flags & CS_SIGNED) {
+    ::pbv1::CodeSignature *pb_code_sig = lazy_f();
+
+    pb_code_sig->set_cdhash(es_proc->cdhash, sizeof(es_proc->cdhash));
+
+    if (es_proc->signing_id.length > 0) {
+      pb_code_sig->set_signing_id(es_proc->signing_id.data, es_proc->signing_id.length);
+    }
+
+    if (es_proc->team_id.length > 0) {
+      pb_code_sig->set_team_id(es_proc->team_id.data, es_proc->team_id.length);
+    }
+  }
+}
+
+
 static inline void EncodeProcessInfoLight(::pbv1::ProcessInfoLight *pb_proc_info,
                                           const es_process_t *es_proc,
                                           const EnrichedProcess &enriched_proc) {
@@ -236,6 +254,8 @@ static inline void EncodeProcessInfoLight(::pbv1::ProcessInfoLight *pb_proc_info
   EncodeFileInfoLight(pb_proc_info->mutable_executable(), es_proc->executable);
 
   EncodeAnnotations([pb_proc_info] { return pb_proc_info->mutable_annotations(); }, enriched_proc);
+
+  EncodeCodeSignature([pb_proc_info] { return pb_proc_info->mutable_code_signature(); }, es_proc);
 }
 
 static inline void EncodeProcessInfoLight(::pbv1::ProcessInfoLight *pb_proc_info,
@@ -269,17 +289,7 @@ static inline void EncodeProcessInfo(::pbv1::ProcessInfo *pb_proc_info, uint32_t
   pb_proc_info->set_is_platform_binary(es_proc->is_platform_binary);
   pb_proc_info->set_is_es_client(es_proc->is_es_client);
 
-  if (es_proc->codesigning_flags & CS_SIGNED) {
-    ::pbv1::CodeSignature *pb_code_sig = pb_proc_info->mutable_code_signature();
-    pb_code_sig->set_cdhash(es_proc->cdhash, sizeof(es_proc->cdhash));
-    if (es_proc->signing_id.length > 0) {
-      pb_code_sig->set_signing_id(es_proc->signing_id.data, es_proc->signing_id.length);
-    }
-
-    if (es_proc->team_id.length > 0) {
-      pb_code_sig->set_team_id(es_proc->team_id.data, es_proc->team_id.length);
-    }
-  }
+  EncodeCodeSignature([pb_proc_info]{ return pb_proc_info->mutable_code_signature(); }, es_proc);
 
   pb_proc_info->set_cs_flags(es_proc->codesigning_flags);
 

Source/santad/Logs/EndpointSecurity/Serializers/ProtobufTest.mm

@@ -248,6 +248,10 @@ void SerializeAndCheck(es_event_type_t eventType,
     es_process_t proc = MakeESProcess(&procFile, MakeAuditToken(12, 34), MakeAuditToken(56, 78));
     es_message_t esMsg = MakeESMessage(eventType, &proc);
     esMsg.process->tty = &ttyFile;
+    esMsg.process->codesigning_flags = CS_SIGNED | CS_HARD | CS_KILL;
+    esMsg.process->signing_id = MakeESStringToken("my_signing_id");
+    esMsg.process->team_id = MakeESStringToken("my_team_id");
+    memset(esMsg.process->cdhash, 'A', sizeof(esMsg.process->cdhash));
     esMsg.version = cur_version;
 
     mockESApi->SetExpectationsRetainReleaseMessage();
@@ -334,6 +338,10 @@ void SerializeAndCheckNonESEvents(
     es_process_t proc = MakeESProcess(&procFile, MakeAuditToken(12, 34), MakeAuditToken(56, 78));
     es_message_t esMsg = MakeESMessage(eventType, &proc);
     esMsg.process->tty = &ttyFile;
+    esMsg.process->codesigning_flags = CS_SIGNED | CS_HARD | CS_KILL;
+    esMsg.process->signing_id = MakeESStringToken("my_signing_id");
+    esMsg.process->team_id = MakeESStringToken("my_team_id");
+    memset(esMsg.process->cdhash, 'A', sizeof(esMsg.process->cdhash));
     esMsg.version = cur_version;
 
     messageSetup(mockESApi, &esMsg);

Source/santad/testdata/protobuf/v1/allowlist.json

@@ -26,6 +26,11 @@
   "executable": {
    "path": "foo",
    "truncated": false
+  },
+  "code_signature": {
+   "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+   "signing_id": "my_signing_id",
+   "team_id": "my_team_id"
   }
  },
  "target": {

Source/santad/testdata/protobuf/v1/close.json

@@ -30,6 +30,11 @@
   "executable": {
    "path": "foo",
    "truncated": false
+  },
+  "code_signature": {
+   "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+   "signing_id": "my_signing_id",
+   "team_id": "my_team_id"
   }
  },
  "target": {

Source/santad/testdata/protobuf/v1/exchangedata.json

@@ -30,6 +30,11 @@
   "executable": {
    "path": "foo",
    "truncated": false
+  },
+  "code_signature": {
+   "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+   "signing_id": "my_signing_id",
+   "team_id": "my_team_id"
   }
  },
  "file1": {

Source/santad/testdata/protobuf/v1/exec.json

@@ -30,6 +30,11 @@
   "executable": {
    "path": "foo",
    "truncated": false
+  },
+  "code_signature": {
+   "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+   "signing_id": "my_signing_id",
+   "team_id": "my_team_id"
   }
  },
  "target": {

Source/santad/testdata/protobuf/v1/exit.json

@@ -30,6 +30,11 @@
   "executable": {
    "path": "foo",
    "truncated": false
+  },
+  "code_signature": {
+   "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+   "signing_id": "my_signing_id",
+   "team_id": "my_team_id"
   }
  },
  "exited": {

Source/santad/testdata/protobuf/v1/fork.json

@@ -30,6 +30,11 @@
   "executable": {
    "path": "foo",
    "truncated": false
+  },
+  "code_signature": {
+   "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+   "signing_id": "my_signing_id",
+   "team_id": "my_team_id"
   }
  },
  "child": {

Source/santad/testdata/protobuf/v1/link.json

@@ -30,6 +30,11 @@
   "executable": {
    "path": "foo",
    "truncated": false
+  },
+  "code_signature": {
+   "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+   "signing_id": "my_signing_id",
+   "team_id": "my_team_id"
   }
  },
  "source": {

Source/santad/testdata/protobuf/v1/rename.json

@@ -30,6 +30,11 @@
   "executable": {
    "path": "foo",
    "truncated": false
+  },
+  "code_signature": {
+   "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+   "signing_id": "my_signing_id",
+   "team_id": "my_team_id"
   }
  },
  "source": {

Source/santad/testdata/protobuf/v1/unlink.json

@@ -30,6 +30,11 @@
   "executable": {
    "path": "foo",
    "truncated": false
+  },
+  "code_signature": {
+   "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+   "signing_id": "my_signing_id",
+   "team_id": "my_team_id"
   }
  },
  "target": {

Source/santad/testdata/protobuf/v2/allowlist.json

@@ -26,6 +26,11 @@
   "executable": {
    "path": "foo",
    "truncated": false
+  },
+  "code_signature": {
+   "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+   "signing_id": "my_signing_id",
+   "team_id": "my_team_id"
   }
  },
  "target": {

Source/santad/testdata/protobuf/v2/close.json

@@ -30,6 +30,11 @@
   "executable": {
    "path": "foo",
    "truncated": false
+  },
+  "code_signature": {
+   "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+   "signing_id": "my_signing_id",
+   "team_id": "my_team_id"
   }
  },
  "target": {

Source/santad/testdata/protobuf/v2/exchangedata.json

@@ -30,6 +30,11 @@
   "executable": {
    "path": "foo",
    "truncated": false
+  },
+  "code_signature": {
+   "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+   "signing_id": "my_signing_id",
+   "team_id": "my_team_id"
   }
  },
  "file1": {

Source/santad/testdata/protobuf/v2/exec.json

@@ -30,6 +30,11 @@
   "executable": {
    "path": "foo",
    "truncated": false
+  },
+  "code_signature": {
+   "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+   "signing_id": "my_signing_id",
+   "team_id": "my_team_id"
   }
  },
  "target": {

Source/santad/testdata/protobuf/v2/exit.json

@@ -30,6 +30,11 @@
   "executable": {
    "path": "foo",
    "truncated": false
+  },
+  "code_signature": {
+   "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+   "signing_id": "my_signing_id",
+   "team_id": "my_team_id"
   }
  },
  "exited": {

Source/santad/testdata/protobuf/v2/fork.json

@@ -30,6 +30,11 @@
   "executable": {
    "path": "foo",
    "truncated": false
+  },
+  "code_signature": {
+   "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+   "signing_id": "my_signing_id",
+   "team_id": "my_team_id"
   }
  },
  "child": {

Source/santad/testdata/protobuf/v2/link.json

@@ -30,6 +30,11 @@
   "executable": {
    "path": "foo",
    "truncated": false
+  },
+  "code_signature": {
+   "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+   "signing_id": "my_signing_id",
+   "team_id": "my_team_id"
   }
  },
  "source": {

Source/santad/testdata/protobuf/v2/rename.json

@@ -30,6 +30,11 @@
   "executable": {
    "path": "foo",
    "truncated": false
+  },
+  "code_signature": {
+   "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+   "signing_id": "my_signing_id",
+   "team_id": "my_team_id"
   }
  },
  "source": {

Source/santad/testdata/protobuf/v2/unlink.json

@@ -30,6 +30,11 @@
   "executable": {
    "path": "foo",
    "truncated": false
+  },
+  "code_signature": {
+   "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+   "signing_id": "my_signing_id",
+   "team_id": "my_team_id"
   }
  },
  "target": {

Source/santad/testdata/protobuf/v4/allowlist.json

@@ -26,6 +26,11 @@
   "executable": {
    "path": "foo",
    "truncated": false
+  },
+  "code_signature": {
+   "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+   "signing_id": "my_signing_id",
+   "team_id": "my_team_id"
   }
  },
  "target": {

Source/santad/testdata/protobuf/v4/close.json

@@ -30,6 +30,11 @@
   "executable": {
    "path": "foo",
    "truncated": false
+  },
+  "code_signature": {
+   "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+   "signing_id": "my_signing_id",
+   "team_id": "my_team_id"
   }
  },
  "target": {

Source/santad/testdata/protobuf/v4/cs_invalidated.json

@@ -30,6 +30,11 @@
   "executable": {
    "path": "foo",
    "truncated": false
+  },
+  "code_signature": {
+   "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+   "signing_id": "my_signing_id",
+   "team_id": "my_team_id"
   }
  }
 }

Source/santad/testdata/protobuf/v4/exchangedata.json

@@ -30,6 +30,11 @@
   "executable": {
    "path": "foo",
    "truncated": false
+  },
+  "code_signature": {
+   "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+   "signing_id": "my_signing_id",
+   "team_id": "my_team_id"
   }
  },
  "file1": {

Source/santad/testdata/protobuf/v4/exec.json

@@ -30,6 +30,11 @@
   "executable": {
    "path": "foo",
    "truncated": false
+  },
+  "code_signature": {
+   "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+   "signing_id": "my_signing_id",
+   "team_id": "my_team_id"
   }
  },
  "target": {

Source/santad/testdata/protobuf/v4/exit.json

@@ -30,6 +30,11 @@
   "executable": {
    "path": "foo",
    "truncated": false
+  },
+  "code_signature": {
+   "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+   "signing_id": "my_signing_id",
+   "team_id": "my_team_id"
   }
  },
  "exited": {