I'm trying to configure a File Access Authorization rule that prevents reads of a particular path for all applications. Ideally, I would like to display Santa warnings via the TTY, but not pop the GUI dialog indicating that something has been blocked. In order to achieve this, I set EnableSilentMode to true and left EnableSilentTTYMode at its default. This has the desired effect of hiding the GUI dialog, but also allows any GUI application to access this file — negating many of the security goals of this rule.

My configuration (distributed via a profile):

Successful block for a CLI app:
maxb@computer ~ 14:53
% cat ~/test.txt
cat: /Users/maxb/test.txt: Operation not permitted
Santa
Access to a file has been denied.
Accessed Path: /Users/maxb/test.txt
Rule Version: temp_version
Rule Name: BlockRead
Process Path: /bin/cat
Identifier: ff7f9cd03fe753b39c51718bdbea7cc797eb4ed92f26dd488775d8ed5fc8b960
Parent: zsh
Chrome, which can view this file without being blocked (the bug):

Santa versions:
If I set EnableSilentMode to be false, then Chrome is unable to access this file, as expected. I believe that this option is somehow disabling the rule entirely (no logs are emitted to the filelog about blocking Chrome from accessing test.txt, even though there should be). The same behavior does not appear to be present for EnableSilentTTYMode — access to the file is blocked regardless of whether a warning is emitted to the TTY.
I was able to reproduce the issue. The problem is actually that when EnableSilentMode is true, some extra logic is run that causes a crash when no TTY is attached to the process, so the action gets implicitly allowed.
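The failure mode the maintainer describes (a notification step that throws when the process has no controlling TTY, with the exception path leaving the access allowed and unlogged) is a textbook fail-open. The model below is an added illustration and is not Santa's code: the Rule/AccessEvent/Config structures, the `authorize_fail_open` and `authorize_fail_closed` functions, the log format and the Chrome process path are assumptions constructed for the example. It places the buggy shape beside the fail-closed shape, where the verdict and the log entry are committed before any best-effort notification runs.

```python
"""Fail-open vs fail-closed handling of a denied file access.

Added illustration, not Santa's code. Rule/AccessEvent/Config, the
authorize_* functions, the log line format and the sample process paths
are assumptions for this example. It models the maintainer's explanation:
with EnableSilentMode on, the TTY-warning path is exercised, it throws for
a process with no controlling TTY (any GUI app), and the exception path
implicitly allows the access and writes no log entry.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    version: str
    path: str  # assumption: exact path match, no globbing


@dataclass
class AccessEvent:
    path: str
    process_path: str
    has_tty: bool  # constructed: does the process have a controlling TTY?


@dataclass
class Config:
    enable_silent_mode: bool = False      # hide the GUI dialog
    enable_silent_tty_mode: bool = False  # hide the TTY warning
    log: list = field(default_factory=list)  # stand-in for the file log


def match_rule(event, rules):
    return next((r for r in rules if r.path == event.path), None)


def tty_warning(event, rule):
    """Render the TTY warning; raises when the process has no TTY (models the crash)."""
    if not event.has_tty:
        raise OSError("no controlling TTY")
    return (f"Santa\nAccess to a file has been denied.\nAccessed Path: {event.path}\n"
            f"Rule Version: {rule.version}\nRule Name: {rule.name}\n"
            f"Process Path: {event.process_path}")


def log_deny(cfg, event, rule):
    cfg.log.append(f"action=FILE_ACCESS decision=DENY rule={rule.name} "
                   f"path={event.path} process={event.process_path}")


def authorize_fail_open(event, rules, cfg):
    """Buggy shape: the deny verdict and the log write sit after the
    notification, so an exception while notifying skips both."""
    rule = match_rule(event, rules)
    if rule is None:
        return "ALLOW"
    try:
        if cfg.enable_silent_mode and not cfg.enable_silent_tty_mode:
            tty_warning(event, rule)  # only channel left when the GUI is silenced
        log_deny(cfg, event, rule)
        return "DENY"
    except OSError:
        return "ALLOW"  # implicit allow on error: the bug


def authorize_fail_closed(event, rules, cfg):
    """Fixed shape: decide and log first; notification is best-effort."""
    rule = match_rule(event, rules)
    if rule is None:
        return "ALLOW"
    log_deny(cfg, event, rule)
    if cfg.enable_silent_mode and not cfg.enable_silent_tty_mode:
        try:
            tty_warning(event, rule)
        except OSError as exc:
            cfg.log.append(f"notify_failed reason={exc}")  # verdict unaffected
    return "DENY"


# Constructed sample input mirroring the report: a CLI process with a TTY
# and a GUI process without one, both reading the protected path.
RULES = [Rule(name="BlockRead", version="temp_version", path="/Users/maxb/test.txt")]
CAT = AccessEvent("/Users/maxb/test.txt", "/bin/cat", has_tty=True)
CHROME = AccessEvent("/Users/maxb/test.txt",
                     "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
                     has_tty=False)


def demo():
    """Run both shapes with EnableSilentMode=true; returns {(shape, proc): (verdict, log_lines)}."""
    results = {}
    for shape, fn in (("fail_open", authorize_fail_open), ("fail_closed", authorize_fail_closed)):
        for proc, ev in (("cat", CAT), ("chrome", CHROME)):
            cfg = Config(enable_silent_mode=True)
            results[(shape, proc)] = (fn(ev, RULES, cfg), len(cfg.log))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The check a practitioner would run against a real deployment follows from the demo: exercise the rule from a process that has no controlling TTY (any app launched from the Dock, or a CLI tool started via `nohup`/launchd) and confirm that both the deny and the log entry still appear. Any authorization path where a side effect can raise before the verdict is committed should be treated as fail-open until proven otherwise.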