Update Process.m

Shared/Libraries/FileMonitor/Process.m

@@ -158,6 +158,9 @@ -(id)init:(es_message_t*)message csOption:(NSUInteger)csOption
         //init uuid
         self.uid = audit_token_to_euid(process->audit_token);
 
+        //add cs flags
+        self.csFlags = [NSNumber numberWithUnsignedInt:process->codesigning_flags];
+
         //path
         self.path = convertStringToken(&process->executable->path);
 
@@ -168,6 +171,17 @@ -(id)init:(es_message_t*)message csOption:(NSUInteger)csOption
         // via inode, so will be same binary (though pid/args, etc will be different)
         cachedProcess = [processesCache objectForKey:inode];
 
+        //(basic) sanity check
+        // make sure cs flags still match
+        if(YES != [self.csFlags isEqualTo:cachedProcess.csFlags])
+        {
+            //unset
+            cachedProcess = nil;
+
+            //remove
+            [processesCache removeObjectForKey:inode];
+        }
+
         //generate name
         if(nil == cachedProcess)
         {
@@ -190,9 +204,6 @@ -(id)init:(es_message_t*)message csOption:(NSUInteger)csOption
             self.architecture = cachedProcess.architecture;
         }
 
-        //add cs flags
-        self.csFlags = [NSNumber numberWithUnsignedInt:process->codesigning_flags];
-
         //add signing id
         if(nil == cachedProcess)
         {