santa icon indicating copy to clipboard operation
santa copied to clipboard

Published 20 hours ago verified publisher icon google

Feature Request: Wait for launch instead of blocking

Open danpalmer opened this issue 3 years ago • 3 comments

The loop I find myself in often with Santa is something like this...

  1. Launch binary
  2. Receive Santa block message
  3. Get an exception
  4. Go to 1

Step 3 is often very fast, as pre-existing exemptions may exist that I can use just by clicking the necessary button in another tool (upvote). However when step 1 is slow, for example in parts of the Android development and emulation workflow, having to go through this flow twice for each binary can be a huge pain point.

Instead of Santa preventing launch of a binary, would it be possible for Santa to temporarily hard-block the launch, such that when the exception is received and Santa allows running, the process can be allowed to continue as if the launch had just been "slow"?

This would likely cause the launching application to hang, but that's often not a problem and for cases where there's a long sequence of steps and waiting to get the binary to launch, it's probably desirable.

My motivation for this was debugging an Android app in Android Studio using an emulator system. There have so far been 6 binaries that needed approving before I could launch them, each one on the critical path, meaning that each time I had to go through the steps of configuring and launching the emulator, wait for the emulator to try to start up, only to be met by another binary that needed approving. Each binary was already available to run so having Santa allow them to run took only a few seconds.

For more details I'm contactable at my username @ google.com.

danpalmer avatar Aug 03 '22 14:08 danpalmer

An alternative that might be more approachable would be to instead provide some way to "prime" the exception mechanism (e.g. upvote) via santactl. One implementation might be adding a flag to the santactl fileinfo command to upload event details when the santa decision for that file would be to block its execution.

mlw avatar Jul 20 '23 00:07 mlw

That would also be nice, but wouldn't change my typical use-case here of running something like a big compile with multiple tools involved, and needing to get a Santa exception for each tool that runs. Generally I don't know these sorts of things ahead of the run.

danpalmer avatar Jul 30 '23 22:07 danpalmer

This will be difficult to do as requested. The APIs available require a decision to be made on new execs within some amount of time (it's variable and can decrease, but ~45s is normal). So it would be potentially possible to have some Santa mode where a user could be presented with a dialog to try and race the clock. An important caveat though is that Santa cannot permit a user the full allotted time because of ramifications imposed by the system if a response deadline is missed, so the actual amount of time would be lower. Complicating things further would be how to handle systems under load where the number of events to process are high, driving down available decision times even further. There are non-standard, non-supported ways to bypass the deadline mechanism, but would require a non-trivial amount of effort and we'd be at the whims of any future OS change to not break the bypass...

mlw avatar Aug 18 '23 18:08 mlw