Drop macos 11 (#1377)

* Drop macOS 11 support

* More changes after rebase, add basic macOS 15 support

.github/workflows/ci.yml

@@ -21,7 +21,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [macos-11, macos-12, macos-13, macos-14]
+        os: [macos-12, macos-13, macos-14]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
@@ -31,7 +31,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [macos-11, macos-12, macos-13, macos-14]
+        os: [macos-12, macos-13, macos-14]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3

Source/common/Platform.h

@@ -17,13 +17,6 @@
 
 #include <Availability.h>
 
-#if defined(MAC_OS_VERSION_12_0) && \
-    MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_VERSION_12_0
-#define HAVE_MACOS_12 1
-#else
-#define HAVE_MACOS_12 0
-#endif
-
 #if defined(MAC_OS_VERSION_13_0) && \
     MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_VERSION_13_0
 #define HAVE_MACOS_13 1
@@ -38,4 +31,11 @@
 #define HAVE_MACOS_14 0
 #endif
 
+#if defined(MAC_OS_VERSION_15_0) && \
+    MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_VERSION_15_0
+#define HAVE_MACOS_15 1
+#else
+#define HAVE_MACOS_15 0
+#endif
+
 #endif

Source/common/SNTMetricSet.m

@@ -639,20 +639,9 @@ - (NSDictionary *)export {
 NSDictionary *SNTMetricConvertDatesToISO8601Strings(NSDictionary *metrics) {
   NSMutableDictionary *mutableMetrics = [metrics mutableCopy];
 
-  id formatter;
-
-  if (@available(macOS 10.13, *)) {
-    NSISO8601DateFormatter *isoFormatter = [[NSISO8601DateFormatter alloc] init];
-
-    isoFormatter.formatOptions =
-      NSISO8601DateFormatWithInternetDateTime | NSISO8601DateFormatWithFractionalSeconds;
-    formatter = isoFormatter;
-  } else {
-    NSDateFormatter *localFormatter = [[NSDateFormatter alloc] init];
-    [localFormatter setDateFormat:@"yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"];
-    [localFormatter setTimeZone:[NSTimeZone timeZoneWithName:@"UTC"]];
-    formatter = localFormatter;
-  }
+  NSISO8601DateFormatter *formatter = [[NSISO8601DateFormatter alloc] init];
+  formatter.formatOptions =
+    NSISO8601DateFormatWithInternetDateTime | NSISO8601DateFormatWithFractionalSeconds;
 
   for (NSString *metricName in mutableMetrics[@"metrics"]) {
     NSMutableDictionary *metric = mutableMetrics[@"metrics"][metricName];

Source/common/TestUtils.mm

@@ -117,21 +117,27 @@ void SleepMS(long ms) {
 }
 
 uint32_t MaxSupportedESMessageVersionForCurrentOS() {
-  // Notes:
-  //   1. ES message v3 was only in betas.
-  //   2. Message v7 appeared in macOS 13.3, v8 in macOS 15, but features from
-  //      those versions are not currently used. Leaving off support here so as
-  //      to not require adding unnecessary test JSON files.
+  // Note 1: This function only returns a subset of versions. This is due to the
+  // minimum supported OS build version as well as features in latest versions
+  // not currently being used. Capping the max means unnecessary duuplicate test
+  // JSON files are not needed.
+  //
+  // Note 2: The following table maps ES message versions to lmin macOS version:
+  //   ES Version | macOS Version
+  //            1 | 10.15.0
+  //            2 | 10.15.4
+  //            3 | Only in a beta
+  //            4 | 11.0
+  //            5 | 12.3
+  //            6 | 13.0
+  //            7 | 14.0
+  //            8 | 15.0
   if (@available(macOS 13.0, *)) {
     return 6;
   } else if (@available(macOS 12.3, *)) {
     return 5;
-  } else if (@available(macOS 11.0, *)) {
-    return 4;
-  } else if (@available(macOS 10.15.4, *)) {
-    return 2;
   } else {
-    return 1;
+    return 4;
   }
 }
 
@@ -250,7 +256,6 @@ uint32_t MinSupportedESMessageVersion(es_event_type_t event_type) {
     case ES_EVENT_TYPE_NOTIFY_GET_TASK_READ:
     case ES_EVENT_TYPE_NOTIFY_GET_TASK_INSPECT: return 4;
 
-#if HAVE_MACOS_12
     // The following events are available beginning in macOS 12.0
     case ES_EVENT_TYPE_NOTIFY_SETUID:
     case ES_EVENT_TYPE_NOTIFY_SETGID:
@@ -260,7 +265,6 @@ uint32_t MinSupportedESMessageVersion(es_event_type_t event_type) {
     case ES_EVENT_TYPE_NOTIFY_SETREGID:
     case ES_EVENT_TYPE_AUTH_COPYFILE:
     case ES_EVENT_TYPE_NOTIFY_COPYFILE: return 4;
-#endif
 
 #if HAVE_MACOS_13
     // The following events are available beginning in macOS 13.0
@@ -305,6 +309,10 @@ uint32_t MinSupportedESMessageVersion(es_event_type_t event_type) {
     case ES_EVENT_TYPE_NOTIFY_XPC_CONNECT: return 7;
 #endif
 
+#if HAVE_MACOS_15
+    case ES_EVENT_TYPE_NOTIFY_GATEKEEPER_USER_OVERRIDE: return 8;
+#endif
+
     default: return UINT32_MAX;
   }
 }

Source/gui/BUILD

@@ -119,7 +119,7 @@ macos_application(
         "//conditions:default": None,
     }),
     infoplists = ["Info.plist"],
-    minimum_os_version = "11.0",
+    minimum_os_version = "12.0",
     provisioning_profile = select({
         "//:adhoc_build": None,
         "//conditions:default": "//profiles:santa_dev",

Source/gui/main.m

@@ -28,24 +28,22 @@ @implementation SNTSystemExtensionDelegate
 
 - (OSSystemExtensionReplacementAction)request:(OSSystemExtensionRequest *)request
                   actionForReplacingExtension:(OSSystemExtensionProperties *)old
-                                withExtension:
-                                  (OSSystemExtensionProperties *)new API_AVAILABLE(macos(10.15)) {
+                                withExtension:(OSSystemExtensionProperties *)new {
   NSLog(@"SystemExtension \"%@\" request for replacement", request.identifier);
   return OSSystemExtensionReplacementActionReplace;
 }
 
-- (void)requestNeedsUserApproval:(OSSystemExtensionRequest *)request API_AVAILABLE(macos(10.15)) {
+- (void)requestNeedsUserApproval:(OSSystemExtensionRequest *)request {
   NSLog(@"SystemExtension \"%@\" request needs user approval", request.identifier);
 }
 
-- (void)request:(OSSystemExtensionRequest *)request
-  didFailWithError:(NSError *)error API_AVAILABLE(macos(10.15)) {
+- (void)request:(OSSystemExtensionRequest *)request didFailWithError:(NSError *)error {
   NSLog(@"SystemExtension \"%@\" request did fail: %@", request.identifier, error);
   exit((int)error.code);
 }
 
 - (void)request:(OSSystemExtensionRequest *)request
-  didFinishWithResult:(OSSystemExtensionRequestResult)result API_AVAILABLE(macos(10.15)) {
+  didFinishWithResult:(OSSystemExtensionRequestResult)result {
   NSLog(@"SystemExtension \"%@\" request did finish: %ld", request.identifier, (long)result);
   exit(0);
 }

Source/santabundleservice/BUILD

@@ -35,7 +35,7 @@ macos_command_line_application(
         "--options library,kill,runtime",
     ],
     infoplists = ["Info.plist"],
-    minimum_os_version = "11.0",
+    minimum_os_version = "12.0",
     provisioning_profile = select({
         "//:adhoc_build": None,
         "//conditions:default": "//profiles:santa_dev",

Source/santactl/BUILD

@@ -94,7 +94,7 @@ macos_command_line_application(
         "--options library,kill,runtime",
     ],
     infoplists = ["Info.plist"],
-    minimum_os_version = "11.0",
+    minimum_os_version = "12.0",
     provisioning_profile = select({
         "//:adhoc_build": None,
         "//conditions:default": "//profiles:santa_dev",

Source/santad/BUILD

@@ -838,7 +838,7 @@ macos_bundle(
     }),
     infoplists = ["Info.plist"],
     linkopts = ["-execute"],
-    minimum_os_version = "11.0",
+    minimum_os_version = "12.0",
     provisioning_profile = select({
         "//:adhoc_build": None,
         "//conditions:default": "//profiles:daemon_dev",
@@ -929,7 +929,6 @@ santa_unit_test(
 santa_unit_test(
     name = "SantadTest",
     srcs = ["SantadTest.mm"],
-    minimum_os_version = "11.0",
     sdk_dylibs = [
         "bsm",
         "EndpointSecurity",
@@ -965,7 +964,6 @@ santa_unit_test(
     srcs = [
         "SNTApplicationCoreMetricsTest.mm",
     ],
-    minimum_os_version = "11.0",
     deps = [
         ":SNTApplicationCoreMetrics",
         "//Source/common:SNTCommonEnums",

Source/santad/DataLayer/SNTRuleTable.m

@@ -33,13 +33,7 @@
 // Consider transitive rules out of date if they haven't been used in six months.
 static const NSUInteger kTransitiveRuleExpirationSeconds = 6 * 30 * 24 * 3600;
 
-static void addPathsFromDefaultMuteSet(NSMutableSet *criticalPaths) API_AVAILABLE(macos(12.0)) {
-  // Note: This function uses API introduced in macOS 12, but we want to continue to support
-  // building in older environments. API Availability checks do not help for this use case,
-  // instead we use the following preprocessor macros to conditionally compile these API. The
-  // drawback here is that if a pre-macOS 12 SDK is used to build Santa and it is then deployed
-  // on macOS 12 or later, the dynamic mute set will not be computed.
-#if HAVE_MACOS_12
+static void addPathsFromDefaultMuteSet(NSMutableSet *criticalPaths) {
   // Create a temporary ES client in order to grab the default set of muted paths.
   // TODO(mlw): Reorganize this code so that a temporary ES client doesn't need to be created
   es_client_t *client = NULL;
@@ -69,7 +63,6 @@ static void addPathsFromDefaultMuteSet(NSMutableSet *criticalPaths) API_AVAILABL
 
   es_release_muted_paths(mps);
   es_delete_client(client);
-#endif
 }
 
 @interface SNTRuleTable ()
@@ -125,10 +118,8 @@ + (NSArray *)criticalSystemBinaryPaths {
     NSMutableSet *superSet = [NSMutableSet setWithSet:fallbackDefaultMuteSet];
     [superSet unionSet:santaDefinedCriticalPaths];
 
-    if (@available(macOS 12.0, *)) {
-      // Attempt to add the real default mute set
-      addPathsFromDefaultMuteSet(superSet);
-    }
+    // Attempt to add the real default mute set
+    addPathsFromDefaultMuteSet(superSet);
 
     criticalPaths = [superSet allObjects];
   });

Source/santad/EventProviders/EndpointSecurity/EndpointSecurityAPI.mm

@@ -156,19 +156,11 @@
 }
 
 uint32_t EndpointSecurityAPI::ExecFDCount(const es_event_exec_t *event) {
-  if (@available(macOS 11.0, *)) {
-    return es_exec_fd_count(event);
-  } else {
-    return 0;
-  }
+  return es_exec_fd_count(event);
 }
 
 const es_fd_t *EndpointSecurityAPI::ExecFD(const es_event_exec_t *event, uint32_t index) {
-  if (@available(macOS 11.0, *)) {
-    return es_exec_fd(event, index);
-  } else {
-    return NULL;
-  }
+  return es_exec_fd(event, index);
 }
 
 }  // namespace santa::santad::event_providers::endpoint_security

Source/santad/EventProviders/SNTEndpointSecurityFileAccessAuthorizer.mm

@@ -834,17 +834,12 @@ - (void)handleMessage:(santa::santad::event_providers::endpoint_security::Messag
 
 - (void)enable {
   std::set<es_event_type_t> events = {
-    ES_EVENT_TYPE_AUTH_CLONE,    ES_EVENT_TYPE_AUTH_CREATE, ES_EVENT_TYPE_AUTH_EXCHANGEDATA,
-    ES_EVENT_TYPE_AUTH_LINK,     ES_EVENT_TYPE_AUTH_OPEN,   ES_EVENT_TYPE_AUTH_RENAME,
-    ES_EVENT_TYPE_AUTH_TRUNCATE, ES_EVENT_TYPE_AUTH_UNLINK, ES_EVENT_TYPE_NOTIFY_EXIT,
+    ES_EVENT_TYPE_AUTH_CLONE,        ES_EVENT_TYPE_AUTH_COPYFILE, ES_EVENT_TYPE_AUTH_CREATE,
+    ES_EVENT_TYPE_AUTH_EXCHANGEDATA, ES_EVENT_TYPE_AUTH_LINK,     ES_EVENT_TYPE_AUTH_OPEN,
+    ES_EVENT_TYPE_AUTH_RENAME,       ES_EVENT_TYPE_AUTH_TRUNCATE, ES_EVENT_TYPE_AUTH_UNLINK,
+    ES_EVENT_TYPE_NOTIFY_EXIT,
   };
 
-#if HAVE_MACOS_12
-  if (@available(macOS 12.0, *)) {
-    events.insert(ES_EVENT_TYPE_AUTH_COPYFILE);
-  }
-#endif
-
   if (!self.isSubscribed) {
     if ([super subscribe:events]) {
       self.isSubscribed = true;

Source/santad/EventProviders/SNTEndpointSecurityFileAccessAuthorizerTest.mm

@@ -729,17 +729,12 @@ - (void)testApplyPolicyToMessage {
 
 - (void)testEnable {
   std::set<es_event_type_t> expectedEventSubs = {
-    ES_EVENT_TYPE_AUTH_CLONE,    ES_EVENT_TYPE_AUTH_CREATE, ES_EVENT_TYPE_AUTH_EXCHANGEDATA,
-    ES_EVENT_TYPE_AUTH_LINK,     ES_EVENT_TYPE_AUTH_OPEN,   ES_EVENT_TYPE_AUTH_RENAME,
-    ES_EVENT_TYPE_AUTH_TRUNCATE, ES_EVENT_TYPE_AUTH_UNLINK, ES_EVENT_TYPE_NOTIFY_EXIT,
+    ES_EVENT_TYPE_AUTH_CLONE,        ES_EVENT_TYPE_AUTH_COPYFILE, ES_EVENT_TYPE_AUTH_CREATE,
+    ES_EVENT_TYPE_AUTH_EXCHANGEDATA, ES_EVENT_TYPE_AUTH_LINK,     ES_EVENT_TYPE_AUTH_OPEN,
+    ES_EVENT_TYPE_AUTH_RENAME,       ES_EVENT_TYPE_AUTH_TRUNCATE, ES_EVENT_TYPE_AUTH_UNLINK,
+    ES_EVENT_TYPE_NOTIFY_EXIT,
   };
 
-#if HAVE_MACOS_12
-  if (@available(macOS 12.0, *)) {
-    expectedEventSubs.insert(ES_EVENT_TYPE_AUTH_COPYFILE);
-  }
-#endif
-
   auto mockESApi = std::make_shared<MockEndpointSecurityAPI>();
   EXPECT_CALL(*mockESApi, ClearCache)
     .After(EXPECT_CALL(*mockESApi, Subscribe(testing::_, expectedEventSubs))
@@ -944,42 +939,40 @@ - (void)testPopulatePathTargets {
     XCTAssertFalse(targets[0].devnoIno.has_value());
   }
 
-  if (@available(macOS 12.0, *)) {
+  {
+    esMsg.event_type = ES_EVENT_TYPE_AUTH_COPYFILE;
+    esMsg.event.copyfile.source = &testFile1;
+    esMsg.event.copyfile.target_dir = &testDir;
+    esMsg.event.copyfile.target_name = testTok;
+
+    {
+      esMsg.event.copyfile.target_file = nullptr;
+
+      std::vector<PathTarget> targets;
+      PopulatePathTargets(msg, targets);
+
+      XCTAssertEqual(targets.size(), 2);
+      XCTAssertCStringEqual(targets[0].path.c_str(), testFile1.path.data);
+      XCTAssertTrue(targets[0].isReadable);
+      XCTAssertEqual(targets[0].devnoIno.value(), FileID(testFile1));
+      XCTAssertCppStringEqual(targets[1].path, dirTok);
+      XCTAssertFalse(targets[1].isReadable);
+      XCTAssertFalse(targets[1].devnoIno.has_value());
+    }
+
     {
-      esMsg.event_type = ES_EVENT_TYPE_AUTH_COPYFILE;
-      esMsg.event.copyfile.source = &testFile1;
-      esMsg.event.copyfile.target_dir = &testDir;
-      esMsg.event.copyfile.target_name = testTok;
-
-      {
-        esMsg.event.copyfile.target_file = nullptr;
-
-        std::vector<PathTarget> targets;
-        PopulatePathTargets(msg, targets);
-
-        XCTAssertEqual(targets.size(), 2);
-        XCTAssertCStringEqual(targets[0].path.c_str(), testFile1.path.data);
-        XCTAssertTrue(targets[0].isReadable);
-        XCTAssertEqual(targets[0].devnoIno.value(), FileID(testFile1));
-        XCTAssertCppStringEqual(targets[1].path, dirTok);
-        XCTAssertFalse(targets[1].isReadable);
-        XCTAssertFalse(targets[1].devnoIno.has_value());
-      }
-
-      {
-        esMsg.event.copyfile.target_file = &testFile2;
-
-        std::vector<PathTarget> targets;
-        PopulatePathTargets(msg, targets);
-
-        XCTAssertEqual(targets.size(), 2);
-        XCTAssertCStringEqual(targets[0].path.c_str(), testFile1.path.data);
-        XCTAssertTrue(targets[0].isReadable);
-        XCTAssertEqual(targets[0].devnoIno.value(), FileID(testFile1));
-        XCTAssertCStringEqual(targets[1].path.c_str(), testFile2.path.data);
-        XCTAssertFalse(targets[1].isReadable);
-        XCTAssertFalse(targets[1].devnoIno.has_value());
-      }
+      esMsg.event.copyfile.target_file = &testFile2;
+
+      std::vector<PathTarget> targets;
+      PopulatePathTargets(msg, targets);
+
+      XCTAssertEqual(targets.size(), 2);
+      XCTAssertCStringEqual(targets[0].path.c_str(), testFile1.path.data);
+      XCTAssertTrue(targets[0].isReadable);
+      XCTAssertEqual(targets[0].devnoIno.value(), FileID(testFile1));
+      XCTAssertCStringEqual(targets[1].path.c_str(), testFile2.path.data);
+      XCTAssertFalse(targets[1].isReadable);
+      XCTAssertFalse(targets[1].devnoIno.has_value());
     }
   }
 }