Santa should provide an option to block apple system binaries and kill them automatically when launched #1355
Comments
You can block Apple system binaries, using the binary SHA-256, the CDHash or a signing ID (with the prefix We do not, currently, attempt to kill already running processes. Issue #1291 is open to track possibly implementing this as a feature but it requires some thoughtful consideration as it can cause more problems than it solves.
Wow, quick response! Ah ha, I have been trying to block with the regular Do I have to revoke the rules I have already created without the #1291 this seems like a good idea, but it would have to be optional.
This should do it:
No. You may want to, just so you know which rules are useful, but it won't cause any problems at all.
Unfortunately no luck with that command:

```
sudo santactl rule --block --signingid /System/Library/CoreServices/CoreLocationAgent.app/Contents/MacOS/CoreLocationAgent
Usage: santactl rule [options]
One of:
Optionally:
Notes:
Importing / Exporting Rules:
```

Ah, sorry, I missed an argument and forgot that the To block that particular daemon you can use:
Awesome, that worked :) Thank you!
If you block Apple binaries, they still run; how does this happen? For example, if you block one, locationd, Santa will show a prompt saying it blocked it, but in Activity Monitor it will still be listed.
In general, this shouldn't happen; however, we'd need a lot more information to diagnose such a potential issue. What does your rule look like? What does the running process look like (i.e. are the properties of the running instance covered by the rule)? Was there already an instance running prior to Santa starting? Was Santa ever restarted (or crashed), allowing an opportunity for things like
The frameworks provided by Apple only provide the guarantee that applications like Santa have the opportunity to prevent non-platform binaries from executing during the so-called "early boot" phase, that is, while the system is coming up and system daemons are being speculatively launched. Platform binaries will launch normally and, if Santa hasn't yet started, they will execute without intervention. While Santa is configured to launch as early as possible, there are many platform binaries that will launch sooner. Looking at the PID in the screenshots, this seems likely to be what happened, as those are pretty low PID numbers. As mentioned by @russellhancox above, #1291 would help alleviate this issue, at least partially, but could definitely introduce other problems depending on what was being killed and when. To check how Santa would evaluate a binary with your local rules, you can share the output of
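An added diagnostic script for the situation described in the comment above (it is not code from the Santa project or from anyone in this thread): it lists running instances of a blocked binary and reports whether each one started before santad, which is the early-boot case a rule cannot cover, then runs `santactl fileinfo` on the file. It assumes macOS with Santa installed (santad running, `santactl` on PATH), that `ps -o comm` prints the full executable path as it does on macOS, and that the path contains no spaces; the path below is the one from the thread, used as the example argument.

```shell
#!/bin/sh
# Added example, not Santa project code. Flags running instances of a binary
# that started before santad (early-boot launch) vs. after it (rule should apply).
# Assumes macOS: `ps -o comm` prints the full executable path there.

# Convert ps(1) etime "[[dd-]hh:]mm:ss" into whole seconds.
etime_to_seconds() {
    printf '%s\n' "$1" | awk -F'[-:]' '{
        s = 0; mult = 1; k = 0
        for (i = NF; i >= 1; i--) { s += $i * mult; k++; mult *= (k == 3 ? 24 : 60) }
        print s
    }'
}

# started_before_santa PROC_SECS SANTA_SECS: true when the process has been
# alive longer than santad, i.e. it launched before Santa could evaluate it.
started_before_santa() {
    [ "$1" -gt "$2" ]
}

# check_binary PATH: report each running instance of PATH relative to santad.
check_binary() {
    bin="$1"
    santa_et=$(ps -axo etime=,comm= | awk '$2 ~ /\/santad$/ { print $1; exit }')
    if [ -z "$santa_et" ]; then
        echo "santad is not running; nothing can be enforced" >&2
        return 2
    fi
    santa_secs=$(etime_to_seconds "$santa_et")
    ps -axo pid=,etime=,comm= | awk -v p="$bin" '$3 == p { print $1, $2 }' |
    while read -r pid et; do
        secs=$(etime_to_seconds "$et")
        if started_before_santa "$secs" "$santa_secs"; then
            echo "PID $pid: up ${secs}s, older than santad (${santa_secs}s); early-boot launch, no rule can stop it"
        else
            echo "PID $pid: up ${secs}s, younger than santad; a block rule should have applied"
        fi
    done
    # Show how the local rule set evaluates the file on disk.
    santactl fileinfo "$bin"
}

# Usage: sh santa-check.sh /System/Library/CoreServices/CoreLocationAgent.app/Contents/MacOS/CoreLocationAgent
if [ -n "$1" ]; then
    check_binary "$1"
fi
```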
Outside of implementing #1291 to kill binaries that started before Santa had a chance to deny them (which is limited to platform binaries), is there anything more to do here?
Nope! Everything is in #1291 :)
Thanks!