use EndpointSecurityAPI in adapter

google · Feb 13, 2024 · a001162 · a001162
1 parent fddb995
commit a001162
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 11 deletions.
diff --git a/Source/santad/ProcessTree/BUILD b/Source/santad/ProcessTree/BUILD
@@ -52,14 +52,15 @@ cc_proto_library(
 )
 
 objc_library(
-    name = "EndpointSecurityAdapter",
-    srcs = ["EndpointSecurityAdapter.mm"],
-    hdrs = ["EndpointSecurityAdapter.h"],
+    name = "SNTEndpointSecurityAdapter",
+    srcs = ["SNTEndpointSecurityAdapter.mm"],
+    hdrs = ["SNTEndpointSecurityAdapter.h"],
     sdk_dylibs = [
         "bsm",
     ],
     deps = [
         ":process_tree",
+        "//Source/santad:EndpointSecurityAPI",
         "@com_google_absl//absl/status:statusor",
     ],
 )

diff --git a/...tad/ProcessTree/EndpointSecurityAdapter.h → .../ProcessTree/SNTEndpointSecurityAdapter.h b/...tad/ProcessTree/EndpointSecurityAdapter.h → .../ProcessTree/SNTEndpointSecurityAdapter.h
@@ -11,19 +11,25 @@
 /// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 /// See the License for the specific language governing permissions and
 /// limitations under the License.
-#ifndef SANTA__SANTAD_PROCESSTREE_ENDPOINTSECURITYADAPTER_H
-#define SANTA__SANTAD_PROCESSTREE_ENDPOINTSECURITYADAPTER_H
+#ifndef SANTA__SANTAD_PROCESSTREE_SNTENDPOINTSECURITYADAPTER_H
+#define SANTA__SANTAD_PROCESSTREE_SNTENDPOINTSECURITYADAPTER_H
 
-#include <EndpointSecurity/ESTypes.h>
+#include <EndpointSecurity/EndpointSecurity.h>
 
+#include "Source/santad/EventProviders/EndpointSecurity/EndpointSecurityAPI.h"
 #include "Source/santad/ProcessTree/process_tree.h"
 
 namespace santa::santad::process_tree {
 
 // Inform the tree of the ES event in msg.
 // This is idempotent on the tree, so can be called from multiple places with
 // the same msg.
-void InformFromESEvent(ProcessTree &tree, const es_message_t *msg);
+void InformFromESEvent(
+    ProcessTree &tree,
+    std::shared_ptr<
+        santa::santad::event_providers::endpoint_security::EndpointSecurityAPI>
+        esapi,
+    const es_message_t *msg);
 
 }  // namespace santa::santad::process_tree
 

diff --git a/...ad/ProcessTree/EndpointSecurityAdapter.mm → ...ProcessTree/SNTEndpointSecurityAdapter.mm b/...ad/ProcessTree/EndpointSecurityAdapter.mm → ...ProcessTree/SNTEndpointSecurityAdapter.mm
@@ -11,17 +11,23 @@
 /// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 /// See the License for the specific language governing permissions and
 /// limitations under the License.
+#include "Source/santad/ProcessTree/SNTEndpointSecurityAdapter.h"
+
 #include <EndpointSecurity/EndpointSecurity.h>
 #include <Foundation/Foundation.h>
 #include <bsm/libbsm.h>
 
+#include "Source/santad/EventProviders/EndpointSecurity/EndpointSecurityAPI.h"
 #include "Source/santad/ProcessTree/process_tree.h"
 #include "Source/santad/ProcessTree/process_tree_macos.h"
 #include "absl/status/statusor.h"
 
+using santa::santad::event_providers::endpoint_security::EndpointSecurityAPI;
+
 namespace santa::santad::process_tree {
 
-void InformFromESEvent(ProcessTree &tree, const es_message_t *msg) {
+void InformFromESEvent(ProcessTree &tree, std::shared_ptr<EndpointSecurityAPI> esapi,
+                       const es_message_t *msg) {
   struct Pid event_pid = PidFromAuditToken(msg->process->audit_token);
   auto proc = tree.Get(event_pid);
 
@@ -33,9 +39,9 @@ void InformFromESEvent(ProcessTree &tree, const es_message_t *msg) {
     case ES_EVENT_TYPE_AUTH_EXEC:
     case ES_EVENT_TYPE_NOTIFY_EXEC: {
       std::vector<std::string> args;
-      args.reserve(es_exec_arg_count(&msg->event.exec));
-      for (int i = 0; i < es_exec_arg_count(&msg->event.exec); i++) {
-        es_string_token_t arg = es_exec_arg(&msg->event.exec, i);
+      args.reserve(esapi->ExecArgCount(&msg->event.exec));
+      for (int i = 0; i < esapi->ExecArgCount(&msg->event.exec); i++) {
+        es_string_token_t arg = esapi->ExecArg(&msg->event.exec, i);
         args.push_back(std::string(arg.data, arg.length));
       }