santad: Add pid_suspend protection for other processes #904

Merged
russellhancox merged 1 commit into main from rah/snt-355-add-ability-to-protect-other-systems-from-pidsuspend
Apr 9, 2026

@russellhancox
Member

No description provided.

@russellhancox requested a review from a team as a code owner on April 9, 2026 14:00
@github-actions bot added the labels configurator, comp/santad, lang/objc++, comp/common, size/m on Apr 9, 2026
coderabbitai bot (Contributor) commented Apr 9, 2026

Walkthrough

This pull request introduces anti-suspend signing ID protection, allowing Santa to prevent suspension of specified processes identified by their signing IDs. The feature includes configuration management through SNTConfigurator, endpoint security API extensions for event muting, and implementation in the tamper resistance module with KVO-based runtime updates.

Changes

| Cohort | File(s) | Summary |
| --- | --- | --- |
| Configuration Management | Source/common/SNTConfigurator.h, Source/common/SNTConfigurator.mm | Added KVO-compliant antiSuspendSigningIDs property and getter that reads from config state with kAntiSuspendSigningIDsKey constant and type validation. |
| Endpoint Security API | Source/common/es/EndpointSecurityAPI.h, Source/common/es/EndpointSecurityAPI.mm, Source/common/es/MockEndpointSecurityAPI.h | Added MuteTargetPathEvents method overload that accepts an event type set, converts to vector, and calls underlying ES mute API; mock updated for testing. |
| Endpoint Security Client | Source/common/es/SNTEndpointSecurityClient.mm, Source/common/es/SNTEndpointSecurityClientBase.h | Added protocol method muteTargetPaths:forEvents: overload that iterates paths and calls MuteTargetPathEvents for event-specific muting. |
| Tamper Resistance Implementation | Source/santad/EventProviders/SNTEndpointSecurityTamperResistance.h, Source/santad/EventProviders/SNTEndpointSecurityTamperResistance.mm | Extended initializer to accept antiSuspendSigningIDs, added mutable signing ID set with mutex synchronization, setter method, conditional muting of suspend/resume events based on signing ID matching, and new enable logic for path-prefix muting. |
| Integration & Build | Source/santad/Santad.mm, Source/santad/BUILD | Updated tamper client initialization with signing IDs, added KVO observer for configuration changes that updates live client via setAntiSuspendSigningIDs:, and added dependencies for configurator, signing ID helpers, and Abseil containers/synchronization. |
| Test Coverage | Source/santad/EventProviders/SNTEndpointSecurityTamperResistanceTest.mm | Updated test instantiation to pass antiSuspendSigningIDs parameter; added tests verifying muting behavior with signing ID initialization and runtime setter, plus three new suspend/resume scenarios testing matching/non-matching signing IDs and platform binary handling. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Config as SNTConfigurator
    participant Observer as KVO Observer
    participant TamperClient as SNTEndpointSecurityTamperResistance
    participant ESAPI as EndpointSecurityAPI
    participant Kernel as Endpoint Security Kernel

    Config->>Observer: antiSuspendSigningIDs changed
    Observer->>TamperClient: setAntiSuspendSigningIDs:newValue
    TamperClient->>TamperClient: Update _antiSuspendSigningIDs (mutex-guarded)
    TamperClient->>ESAPI: MuteTargetPathEvents(client, "/", kPrefix, {SUSPEND_RESUME})
    ESAPI->>Kernel: es_mute_path_events(mute_action)
    Kernel-->>ESAPI: mute confirmation
    ESAPI-->>TamperClient: return success

    Note over TamperClient,Kernel: Subsequent SUSPEND_RESUME events reach TamperClient for signing ID matching
    TamperClient->>TamperClient: Match signing ID against _antiSuspendSigningIDs
    alt Signing ID matches configured list
        TamperClient->>Kernel: Deny suspension
    else Signing ID does not match
        TamperClient->>Kernel: Allow suspension
    end
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ❓ Inconclusive | No description was provided by the author, making it impossible to evaluate relevance to the changeset. | Add a pull request description explaining the feature, its purpose, and how the antiSuspendSigningIDs configuration works. |

✅ Passed checks (1 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly summarizes the main change: adding pid_suspend protection for processes via configurable signing IDs. |

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Source/santad/EventProviders/SNTEndpointSecurityTamperResistance.mm`:
- Around line 262-277: The ReaderMutexLock is being constructed with
_antiSuspendMutex by value but requires a pointer; update the
absl::ReaderMutexLock construction in SNTEndpointSecurityTamperResistance.mm
(the block using absl::ReaderMutexLock lock(_antiSuspendMutex)) to pass the
address of the mutex (use &_antiSuspendMutex) so the lock acquires the correct
mutex; ensure no other occurrences of absl::ReaderMutexLock in this file use the
mutex without the address-of operator.
- Around line 168-178: In muteAllProcessesForSuspendResumeIfNeeded, the
absl::ReaderMutexLock is being constructed with the mutex object instead of its
address; update the construction to pass a pointer to _antiSuspendMutex (i.e.,
use & _antiSuspendMutex) so the ReaderMutexLock is initialized with the mutex
address, leaving the surrounding check of _antiSuspendSigningIDs and the call to
[super muteTargetPaths:forEvents:] unchanged.
📥 Commits

Reviewing files that changed from the base of the PR and between 09c57fb and 7d3c412.

📒 Files selected for processing (12)
  • Source/common/SNTConfigurator.h
  • Source/common/SNTConfigurator.mm
  • Source/common/es/EndpointSecurityAPI.h
  • Source/common/es/EndpointSecurityAPI.mm
  • Source/common/es/MockEndpointSecurityAPI.h
  • Source/common/es/SNTEndpointSecurityClient.mm
  • Source/common/es/SNTEndpointSecurityClientBase.h
  • Source/santad/BUILD
  • Source/santad/EventProviders/SNTEndpointSecurityTamperResistance.h
  • Source/santad/EventProviders/SNTEndpointSecurityTamperResistance.mm
  • Source/santad/EventProviders/SNTEndpointSecurityTamperResistanceTest.mm
  • Source/santad/Santad.mm
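
The following is an added example, not code from this PR or from Santa: a simplified C++ model of the flow in the walkthrough and sequence diagram above, with a set of protected signing IDs replaced under a writer lock when configuration changes and consulted under a reader lock for each suspend event. The class, its method names, the use of `std::shared_mutex` in place of the Abseil mutex, the `platform:`/team ID key format, and the sample IDs are all assumptions.

```cpp
// Added illustration; every name here is hypothetical, not Santa's API.
#include <mutex>
#include <shared_mutex>
#include <string>
#include <unordered_set>
#include <utility>

enum class Verdict { kAllow, kDeny };

// What a SUSPEND_RESUME handler needs to know about the *target* process.
struct Target {
  std::string team_id;
  std::string signing_id;
  bool is_platform_binary;
};

class AntiSuspendPolicy {
 public:
  explicit AntiSuspendPolicy(std::unordered_set<std::string> ids) : ids_(std::move(ids)) {}

  // Config-observer path: replace the whole set under the writer lock.
  void SetSigningIDs(std::unordered_set<std::string> ids) {
    std::unique_lock<std::shared_mutex> lock(mu_);
    ids_ = std::move(ids);
  }

  // Assumption: events for all targets are only needed when the list is non-empty.
  bool NeedsSuspendEvents() const {
    std::shared_lock<std::shared_mutex> lock(mu_);
    return !ids_.empty();
  }

  // Event path: may run concurrently, so it only takes the reader lock.
  Verdict Decide(const Target& t) const {
    // An unsigned, non-platform target has no identity to match on.
    if (!t.is_platform_binary && t.team_id.empty()) return Verdict::kAllow;
    // Assumed key format: "platform:<signing id>" or "<team id>:<signing id>".
    const std::string key = (t.is_platform_binary ? std::string("platform") : t.team_id) + ":" + t.signing_id;
    std::shared_lock<std::shared_mutex> lock(mu_);
    return ids_.count(key) != 0 ? Verdict::kDeny : Verdict::kAllow;
  }
 private:
  mutable std::shared_mutex mu_;
  std::unordered_set<std::string> ids_;
};

int main() {
  AntiSuspendPolicy p(std::unordered_set<std::string>{"EXAMPLETID:com.example.agent"});  // constructed
  return p.Decide({"EXAMPLETID", "com.example.agent", false}) == Verdict::kDeny ? 0 : 1;
}
```

Building the lookup key before taking the reader lock keeps the critical section on the per-event path down to a single set lookup.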

@russellhancox merged commit a16e26b into main on Apr 9, 2026
8 checks passed
@russellhancox deleted the rah/snt-355-add-ability-to-protect-other-systems-from-pidsuspend branch on April 9, 2026 14:28