EnableSilentMode for File Access Authorization disables authorization rules for GUI apps #1419
Description
I'm trying to configure a File Access Authorization rule that prevents reads of a particular path for all applications. Ideally, I would like to display Santa warnings via the TTY, but not pop the GUI dialog indicating that something has been blocked. In order to achieve this, I set EnableSilentMode to true and left EnableSilentTTYMode default. This has the desired effect of hiding the GUI dialog, but also allows any GUI application to access this file — negating many of the security goals of this rule.
My configuration (distributed via a profile):
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ClientMode</key>
    <integer>1</integer>
    <key>MachineOwner</key>
    <string>$USERNAME</string>
    <key>EventLogType</key>
    <string>filelog</string>
    <key>FileAccessPolicy</key>
    <dict>
        <key>Version</key>
        <string>v0.1-experimental</string>
        <key>WatchItems</key>
        <dict>
            <key>BlockRead</key>
            <dict>
                <key>Paths</key>
                <array>
                    <dict>
                        <key>Path</key>
                        <string>/Users/maxb/test.txt</string>
                        <key>IsPrefix</key>
                        <false/>
                    </dict>
                </array>
                <key>Options</key>
                <dict>
                    <key>AllowReadAccess</key>
                    <false/>
                    <key>AuditOnly</key>
                    <false/>
                    <key>EnableSilentMode</key>
                    <true/>
                </dict>
                <key>Processes</key>
                <array>
                </array>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
```
Successful block for a CLI app:

```
maxb@computer ~ 14:53
% cat ~/test.txt
cat: /Users/maxb/test.txt: Operation not permitted
```

Santa GUI dialog shown for the blocked read:

```
Santa
Access to a file has been denied.
Accessed Path: /Users/maxb/test.txt
Rule Version: temp_version
Rule Name: BlockRead
Process Path: /bin/cat
Identifier: ff7f9cd03fe753b39c51718bdbea7cc797eb4ed92f26dd488775d8ed5fc8b960
Parent: zsh
```
Chrome, which can view this file without being blocked (the bug):

Santa versions:

```
santad   | 2024.7 (build 658067667)
santactl | 2024.7 (build 658067667)
SantaGUI | 2024.7 (build 658067667)
```
If I set EnableSilentMode to be false, then Chrome is unable to access this file, as expected. I believe that this option is somehow disabling the rule entirely (no logs are emitted to the filelog about blocking Chrome from accessing test.txt, even though there should be). The same behavior does not appear to be present for EnableSilentTTYMode — access to the file is blocked regardless of whether a warning is emitted to the TTY.
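As an added example (not the reporter's profile and not Santa's own code), a small defender-side check that parses a FileAccessPolicy profile with the standard `plistlib` module, flags any WatchItem that is enforcing (AuditOnly false) while EnableSilentMode is true, the combination the report above shows leaving GUI apps unblocked on 2024.7, and produces a copy of the profile with EnableSilentMode forced off, the setting under which the reporter saw Chrome blocked. The embedded plist is a constructed sample with a placeholder path.

```python
import plistlib

# Constructed sample (not the reporter's profile): same FileAccessPolicy shape,
# placeholder path, AuditOnly false and EnableSilentMode true.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>FileAccessPolicy</key>
  <dict>
    <key>Version</key><string>v0.1-experimental</string>
    <key>WatchItems</key>
    <dict>
      <key>BlockRead</key>
      <dict>
        <key>Paths</key>
        <array><dict><key>Path</key><string>/Users/example/test.txt</string>
                     <key>IsPrefix</key><false/></dict></array>
        <key>Options</key>
        <dict>
          <key>AllowReadAccess</key><false/>
          <key>AuditOnly</key><false/>
          <key>EnableSilentMode</key><true/>
        </dict>
        <key>Processes</key><array/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>"""


def audit_watch_items(plist_bytes):
    """Return (rule name, finding) for each WatchItem whose Options combine an
    enforcing rule (AuditOnly false) with EnableSilentMode true."""
    policy = plistlib.loads(plist_bytes).get("FileAccessPolicy", {})
    findings = []
    for name, item in policy.get("WatchItems", {}).items():
        opts = item.get("Options", {})
        if not opts.get("AuditOnly", False) and opts.get("EnableSilentMode", False):
            findings.append((name, "enforcing rule with EnableSilentMode=true"))
    return findings


def disable_silent_mode(plist_bytes):
    """Return the profile re-serialised with EnableSilentMode set to false on
    every WatchItem; the GUI dialog comes back, but the block is enforced."""
    data = plistlib.loads(plist_bytes)
    for item in data.get("FileAccessPolicy", {}).get("WatchItems", {}).values():
        item.setdefault("Options", {})["EnableSilentMode"] = False
    return plistlib.dumps(data)
```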