santa
Question: Only allow executables owned by root when santad is not connected
Would you see any advantage in only allowing executables owned (user and group) by root when the santad executable is not connected to santa-driver?
I gave this some thought. I can definitely see why it could be desirable, but it scares me somewhat as I can imagine there being some hard-to-track-down edge cases that this could cause problems with. And because it's a change to the driver, it can't easily be made configurable (we could add a sysctl, I suppose).
Is there something specific this is aiming to protect against? The thing that comes to mind is some malware that loads during bootup before santad is running, but if you've got a LaunchDaemon that loads before santad you probably had root to begin with, so getting a root-owned file isn't a stretch. Or you kill santad and execute something, but the same applies.
A while back I did consider adding a mode where santa-driver, during bootup while santad isn't connected, would auto-allow anything from SIP-protected directories and /L/Extensions/santa-driver.kext and hold other executions until santad starts. I think this would solve the examples I mention above but I didn't get around to implementing it because it's even more likely to break.
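To make the two proposals in this thread comparable, here is an added Python model (not Santa's own code) of the decision each fallback would make for an exec request while santad is disconnected. The SIP-protected prefix list, the `/usr/local` exclusion and the sample requests are assumptions; the root-owned LaunchDaemon case is the one the maintainer describes above.

```python
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ExecRequest:
    """Constructed stand-in for what the driver knows about a pending exec."""
    path: str
    uid: int  # owner user id of the executable file
    gid: int  # owner group id of the executable file


# Assumption: representative SIP-protected roots; /usr/local is writable by admins
# and is therefore NOT covered, which is why it gets its own exclusion below.
SIP_PROTECTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/")
SIP_EXCLUDED_PREFIXES = ("/usr/local/",)
SANTA_KEXT = "/Library/Extensions/santa-driver.kext/"  # assumed full path of /L/Extensions/...


def root_owned_policy(req: ExecRequest, santad_connected: bool) -> str:
    """Issue proposal: with santad down, allow only files owned by root:wheel (uid 0, gid 0)."""
    if santad_connected:
        return "defer"  # normal path: let santad decide
    return "allow" if req.uid == 0 and req.gid == 0 else "deny"


def sip_hold_policy(req: ExecRequest, santad_connected: bool) -> str:
    """Maintainer's alternative: allow SIP-protected paths and the kext, hold everything else."""
    if santad_connected:
        return "defer"
    path = posixpath.normpath(req.path)  # collapse "/usr/../Users/x" before prefix checks
    if path.startswith(SIP_EXCLUDED_PREFIXES):
        return "hold"
    if path.startswith(SIP_PROTECTED_PREFIXES) or path.startswith(SANTA_KEXT):
        return "allow"
    return "hold"  # queue until santad connects and re-evaluates


# Constructed sample requests, all seen while santad is not connected.
SAMPLE_REQUESTS = [
    ExecRequest("/usr/bin/ls", 0, 0),                      # Apple binary under SIP
    ExecRequest("/Library/Application Support/X/agent", 0, 0),  # root-installed LaunchDaemon payload
    ExecRequest("/usr/local/bin/tool", 0, 0),              # root-owned but not SIP-protected
    ExecRequest("/usr/../Users/me/app", 501, 20),          # user-owned, traversal in path
]


def compare(requests=SAMPLE_REQUESTS, santad_connected=False) -> dict:
    """Map each path to (root_owned_policy verdict, sip_hold_policy verdict)."""
    return {r.path: (root_owned_policy(r, santad_connected),
                     sip_hold_policy(r, santad_connected)) for r in requests}
```

The second sample shows the gap the maintainer points out: a root-owned file dropped by a LaunchDaemon is allowed by the ownership rule but only held by the SIP-directory rule.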
Closing this, as it's been open for 5 years. Please feel free to reopen if there's more to add.