EnableSilentMode for File Access Authorization disables authorization rules for GUI apps #1419

Closed
maxb-openai opened this issue Aug 20, 2024 · 2 comments · Fixed by #1420

@maxb-openai

I'm trying to configure a File Access Authorization rule that prevents reads of a particular path for all applications. Ideally, I would like to display Santa warnings via the TTY, but not pop the GUI dialog indicating that something has been blocked. In order to achieve this, I set EnableSilentMode to true and left EnableSilentTTYMode default. This has the desired effect of hiding the GUI dialog, but also allows any GUI application to access this file — negating many of the security goals of this rule.

My configuration (distributed via a profile):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>ClientMode</key>
    <integer>1</integer>
    <key>MachineOwner</key>
    <string>$USERNAME</string>
    <key>EventLogType</key>
    <string>filelog</string>
    <key>FileAccessPolicy</key>
    <dict>
      <key>Version</key>
      <string>v0.1-experimental</string>
      <key>WatchItems</key>
      <dict>
        <key>BlockRead</key>
        <dict>
          <key>Paths</key>
          <array>
            <dict>
              <key>Path</key>
              <string>/Users/maxb/test.txt</string>
              <key>IsPrefix</key>
              <false/>
            </dict>
          </array>
          <key>Options</key>
          <dict>
            <key>AllowReadAccess</key>
            <false/>
            <key>AuditOnly</key>
            <false/>
            <key>EnableSilentMode</key>
            <true/>
          </dict>
          <key>Processes</key>
          <array>
          </array>
        </dict>
      </dict>
    </dict>
  </dict>
</plist>

Successful block for a CLI app:

maxb@computer  ~  14:53
% cat ~/test.txt
cat: /Users/maxb/test.txt: Operation not permitted

Santa

Access to a file has been denied.

Accessed Path: /Users/maxb/test.txt
Rule Version:  temp_version
Rule Name:     BlockRead

Process Path:  /bin/cat
Identifier:    ff7f9cd03fe753b39c51718bdbea7cc797eb4ed92f26dd488775d8ed5fc8b960
Parent:        zsh

Chrome, which can view this file without being blocked (the bug):
[Screenshot: Screenshot 2024-08-20 at 14 55 49]

Santa versions:

santad          | 2024.7 (build 658067667)
santactl        | 2024.7 (build 658067667)
SantaGUI        | 2024.7 (build 658067667)

If I set EnableSilentMode to be false, then Chrome is unable to access this file, as expected. I believe that this option is somehow disabling the rule entirely (no logs are emitted to the filelog about blocking Chrome from accessing test.txt, even though there should be). The same behavior does not appear to be present for EnableSilentTTYMode — access to the file is blocked regardless of whether a warning is emitted to the TTY.

@mlw
Member

mlw commented Aug 21, 2024

I was able to reproduce the issue. The problem is actually that when EnableSilentMode is true, some extra logic is run that causes a crash when no TTY is attached to the process, so the action gets implicitly allowed.
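
A regression check for the behaviour described in this thread, added here as an example and not part of the issue or of Santa's code: it attempts the read from a child process with and without a controlling terminal and lists every context in which the read was not denied. It assumes that a child started in a new session (setsid) matches the "no TTY attached" condition; `probe_read` and `contexts_not_denied` are names chosen for this example.

```python
import subprocess
import sys

# Child program: read one byte of argv[1]; the exit code carries the outcome.
_CHILD = """
import errno, sys
try:
    with open(sys.argv[1], "rb") as fh:
        fh.read(1)
except OSError as exc:
    sys.exit(10 if exc.errno in (errno.EPERM, errno.EACCES) else 11)
"""


def probe_read(path, detach_tty):
    """Return 'allowed', 'denied' or 'error' for a read attempted by a child.

    detach_tty=True starts the child in a new session (setsid), so it has no
    controlling terminal. Assumption: this matches "no TTY attached".
    """
    proc = subprocess.run(
        [sys.executable, "-c", _CHILD, path],
        stdin=subprocess.DEVNULL,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        start_new_session=detach_tty,
    )
    return {0: "allowed", 10: "denied"}.get(proc.returncode, "error")


def contexts_not_denied(path):
    """Probe both contexts; return (results, contexts where the read was not denied)."""
    results = {
        "with_tty": probe_read(path, detach_tty=False),
        "no_tty": probe_read(path, detach_tty=True),
    }
    return results, [ctx for ctx, outcome in results.items() if outcome != "denied"]


if __name__ == "__main__":
    # Run from a terminal so that "with_tty" really has one; pass the watched path.
    if len(sys.argv) != 2:
        sys.exit("usage: probe.py <path covered by the watch item>")
    results, gaps = contexts_not_denied(sys.argv[1])
    for ctx, outcome in results.items():
        print(f"{ctx}: {outcome}")
    # A non-zero exit means the rule did not deny the read in every context.
    sys.exit(1 if gaps else 0)
```

For a rule with AllowReadAccess set to false and an empty Processes array, both contexts should report `denied`; any other outcome should be compared against the filelog entries for the same path.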

@maxb-openai
Author

Thank you @mlw for the super prompt fix here! Much appreciated.

This issue was closed.