
Transitive rules with Xcode

Open leohidalgo opened this issue 4 years ago • 4 comments

Hi, I'm having trouble with transitive rules again. Everything was working OK until the last Catalina update, 10.15.4.

The problem:

  • I added compilation rules for codesign and ld, these work the first time I compile with Xcode.
  • I remove DerivedData and compile again and Santa tells me that the execution has been blocked.
  • I add the same compilation rules again and Santa lets me run

With each iteration the number of binary rules increases.

santactl status

>>> Daemon Info
  Driver Connected          | Yes
  Mode                      | Lockdown
  File Logging              | Yes
  Watchdog CPU Events       | 6  (Peak: 47.38%)
  Watchdog RAM Events       | 0  (Peak: 65.54MB)
>>> Database Info
  Binary Rules              | 102
  Certificate Rules         | 42
  Compiler Rules            | 2
  Transitive Rules          | 73

santactl version

santa-driver    | un-needed (SystemExtension being used)
santad          | 1.12
santactl        | 1.12
SantaGUI        | 1.12

Issue related: #407

Update: With version 0.9.33 everything works OK. Any idea what might be happening with the latest version?

leohidalgo avatar Mar 27 '20 03:03 leohidalgo

Sorry for the delayed response, I've been trying to reproduce this with no luck.

Do you see log lines matching action=WRITE for the binary that's being executed?

It's odd that you're seeing the number of binary rules go up; the rules made in transitive mode should show up as transitive rules not binary rules.

russellhancox avatar Apr 06 '20 16:04 russellhancox

Version 1.12 should log an info message when it creates transitive rules. Is anything being logged?

Something like this will show you logs for the last hour:

log show --info --predicate 'message CONTAINS[c] "santa"' --last 1h

tburgin avatar Apr 06 '20 20:04 tburgin

> Do you see log lines matching action=WRITE for the binary that's being executed?

No, I only see WRITE when I add a rule again, but all I have to do is remove DerivedData and it blocks me again.

Now I tried with Santa 1.13, I formatted my MacBook, and the problem is the same.

Log: $ cat santa.log | grep Demo.app/Demo https://pastebin.com/4njEAx7u

Mobileconfig: https://pastebin.com/bYR7yeBy

leohidalgo avatar Apr 19 '20 04:04 leohidalgo

> Version 1.12 should log an info message when it creates transitive rules. Is anything being logged?
>
> Something like this will show you logs for the last hour:
>
> log show --info --predicate 'message CONTAINS[c] "santa"' --last 1h

Log when it fails https://pastebin.com/YRkBP9bF

Log when it succeeds https://pastebin.com/TeAy2xqw

leohidalgo avatar Apr 19 '20 17:04 leohidalgo

Closing as the issue is 3 years old.

This seems very similar to the transitive allow listing discussion in #561.

pmarkowsky avatar Apr 21 '23 16:04 pmarkowsky