google / santa

A binary authorization and monitoring system for macOS

Home Page:https://santa.dev


How to Allow debugserver Output

eopeter opened this issue

Running into a situation where, when I am running a debugger in IntelliJ in lockdown mode, the output gets blocked. I added a compiler rule as below for the debugserver binary, but no dice.

$ santactl fileinfo  /Library/Developer/CommandLineTools/Library/PrivateFrameworks/LLDB.framework/Versions/A/Resources/debugserver 
Path                   : /Library/Developer/CommandLineTools/Library/PrivateFrameworks/LLDB.framework/Versions/A/Resources/debugserver
SHA-256                : c7fe54274e6bda205aa0eda81d12b11216a8c080e0103e76cdcab7fae8ea3585
SHA-1                  : c40969d0aa732f19ca48580b9b6148c8c35c845a
Bundle Name            : debugserver
Bundle Version         : 2
Team ID                : 59GAB85EFG
Signing ID             : com.apple.debugserver
Type                   : Executable (arm64, x86_64, arm64e)
Code-signed            : Yes
Rule                   : Allowed (Compiler)
Signing Chain:
    1. SHA-256             : d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57
       SHA-1               : efdbc9139dd98dbae5a9c7165a096511b15eaef9
       Common Name         : Software Signing
       Organization        : Apple Inc.
       Organizational Unit : Apple Software
       Valid From          : 2020/10/29 14:32:38 -0400
       Valid Until         : 2026/10/24 13:39:41 -0400

    2. SHA-256             : 5bdab1288fc16892fef50c658db54f1e2e19cf8f71cc55f77de2b95e051e2562
       SHA-1               : 1d010078a61f4fa4694aff4db1ac266ce1b45946
       Common Name         : Apple Code Signing Certification Authority
       Organization        : Apple Inc.
       Organizational Unit : Apple Certification Authority
       Valid From          : 2011/10/24 13:39:41 -0400
       Valid Until         : 2026/10/24 13:39:41 -0400

    3. SHA-256             : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
       SHA-1               : 611e5b662c593a08ff58d14ae22452d198df6c60
       Common Name         : Apple Root CA
       Organization        : Apple Inc.
       Organizational Unit : Apple Certification Authority
       Valid From          : 2006/04/25 17:40:36 -0400
       Valid Until         : 2035/02/09 16:40:36 -0500

@eopeter can you share the block logline? This is usually in /var/db/santa/santa.log if you're using text logs.

Also if there's a temporary file being generated by the debugserver can you share the fileinfo for that?

If you have EnableDebugLogging set to <true/> in your config profile, then the output from

sudo log stream --level debug --style compact --predicate 'sender == "com.google.santa.daemon"' would also be helpful.

Also #1299 might help here.

@pmarkowsky this is the block log line:

[2024-03-08T21:32:59.120Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|explain=Signature ignored due to error: -67062|sha256=af414908e47473f9aa1447541fe2198188d0db2ce798b806859f787669969156|pid=16571|pidversion=7889775|ppid=16570|uid=0|user=root|gid=0|group=wheel|mode=L|path=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main|args=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main

For the following log line

[2024-03-08T21:49:36.208Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|explain=Signature ignored due to error: -67062|sha256=af414908e47473f9aa1447541fe2198188d0db2ce798b806859f787669969156|pid=54767|pidversion=7967827|ppid=54766|uid=0|user=root|gid=0|group=wheel|mode=L|path=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main|args=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main

I got the following log stream around the same time:

2024-03-08 16:49:36.004 Df com.google.santa.daemon[398:a07a6d] D com.google.santa.daemon: Watching compiler pid=54763
2024-03-08 16:49:59.660 Df com.google.santa.daemon[398:a08476] D com.google.santa.daemon: No changes to set of watched paths
2024-03-08 16:58:10.815 Df com.google.santa.daemon[398:a12cb3] I com.google.santa.daemon: Flushing caches
2024-03-08 16:59:39.252 Df com.google.santa.daemon[398:a14ee5] D com.google.santa.daemon: Watching compiler pid=75687
2024-03-08 16:59:59.666 Df com.google.santa.daemon[398:a15750] D com.google.santa.daemon: No changes to set of watched paths.

happened with

[2024-03-08T21:59:39.461Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|explain=Signature ignored due to error: -67062|sha256=af414908e47473f9aa1447541fe2198188d0db2ce798b806859f787669969156|pid=75693|pidversion=8009807|ppid=75691|uid=0|user=root|gid=0|group=wheel|mode=L|path=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main|args=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main

The stream log entries only happen after the cache is flushed, not on every DENY.

@pmarkowsky do these logs provide any insight?
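The thread asks for the block log line and the matching `log stream` output, then notes that the "Watching compiler" entries only line up with some of the DENYs. The following is an added triage helper, not code from the Santa project or from either participant: it parses santa.log's pipe-delimited `key=value` lines, parses the `log stream` lines, and for each DENY lists the compiler pids that santad started watching in the seconds before the block. It assumes the default text log format shown above and that `log stream` prints local time, taken here as UTC-5 because the certificate dates in the `santactl fileinfo` output for this period carry a -0500 offset; the ALLOW line in the sample is constructed to show that non-DENY events are filtered out.

```python
"""Triage helper for Santa DENY events (added example, not Santa's own code).

Correlates DENY lines from /var/db/santa/santa.log with "Watching compiler"
lines from `log stream --predicate 'sender == "com.google.santa.daemon"'`.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumption: the machine whose `log stream` output appears above was on
# UTC-5 (the fileinfo certificate dates show a -0500 offset for this season).
LOCAL_TZ = timezone(timedelta(hours=-5))

# Constructed sample: three DENY lines copied from the thread plus one made-up ALLOW line.
SANTA_LOG = """\
[2024-03-08T21:32:59.120Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|explain=Signature ignored due to error: -67062|sha256=af414908e47473f9aa1447541fe2198188d0db2ce798b806859f787669969156|pid=16571|pidversion=7889775|ppid=16570|uid=0|user=root|gid=0|group=wheel|mode=L|path=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main|args=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main
[2024-03-08T21:49:35.900Z] I santad: action=EXEC|decision=ALLOW|reason=BINARY|sha256=0000000000000000000000000000000000000000000000000000000000000000|pid=54760|pidversion=1|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=L|path=/usr/bin/true|args=/usr/bin/true
[2024-03-08T21:49:36.208Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|explain=Signature ignored due to error: -67062|sha256=af414908e47473f9aa1447541fe2198188d0db2ce798b806859f787669969156|pid=54767|pidversion=7967827|ppid=54766|uid=0|user=root|gid=0|group=wheel|mode=L|path=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main|args=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main
[2024-03-08T21:59:39.461Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|explain=Signature ignored due to error: -67062|sha256=af414908e47473f9aa1447541fe2198188d0db2ce798b806859f787669969156|pid=75693|pidversion=8009807|ppid=75691|uid=0|user=root|gid=0|group=wheel|mode=L|path=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main|args=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main
"""

# Constructed sample: the `log stream` lines quoted in the thread.
STREAM_LOG = """\
2024-03-08 16:49:36.004 Df com.google.santa.daemon[398:a07a6d] D com.google.santa.daemon: Watching compiler pid=54763
2024-03-08 16:49:59.660 Df com.google.santa.daemon[398:a08476] D com.google.santa.daemon: No changes to set of watched paths
2024-03-08 16:58:10.815 Df com.google.santa.daemon[398:a12cb3] I com.google.santa.daemon: Flushing caches
2024-03-08 16:59:39.252 Df com.google.santa.daemon[398:a14ee5] D com.google.santa.daemon: Watching compiler pid=75687
2024-03-08 16:59:59.666 Df com.google.santa.daemon[398:a15750] D com.google.santa.daemon: No changes to set of watched paths.
"""

SANTA_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<level>\S) santad: (?P<body>.*)$")
STREAM_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \S+ "
    r"com\.google\.santa\.daemon\[[^\]]*\] \S com\.google\.santa\.daemon: (?P<msg>.*)$"
)


def parse_santa_line(line):
    """Turn one santa.log line into a dict of its key=value fields plus a UTC timestamp."""
    m = SANTA_LINE.match(line.strip())
    if not m:
        return None
    fields = {}
    for part in m.group("body").split("|"):
        key, _, value = part.partition("=")  # values such as 'explain' may contain ':' and spaces
        fields[key] = value
    fields["timestamp"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ").replace(
        tzinfo=timezone.utc
    )
    return fields


def deny_events(lines):
    """Keep only the lines santad logged as DENY decisions."""
    return [e for e in map(parse_santa_line, lines) if e and e.get("decision") == "DENY"]


def compiler_watches(lines):
    """Extract (utc_timestamp, pid) for every 'Watching compiler pid=N' stream line."""
    out = []
    for line in lines:
        m = STREAM_LINE.match(line.strip())
        if not m:
            continue
        pm = re.search(r"Watching compiler pid=(\d+)", m.group("msg"))
        if not pm:
            continue
        local = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=LOCAL_TZ)
        out.append((local.astimezone(timezone.utc), int(pm.group(1))))
    return out


def correlate(denies, watches, window=timedelta(seconds=5)):
    """For each DENY, list compiler pids santad started watching within `window` before it."""
    report = []
    for ev in denies:
        near = [pid for ts, pid in watches if timedelta(0) <= ev["timestamp"] - ts <= window]
        report.append(
            {
                "time": ev["timestamp"].isoformat(),
                "sha256": ev["sha256"],
                "path": ev["path"],
                "explain": ev["explain"],
                "compiler_pids_before": near,
            }
        )
    return report


def triage(santa_log=SANTA_LOG, stream_log=STREAM_LOG):
    return correlate(deny_events(santa_log.splitlines()), compiler_watches(stream_log.splitlines()))


if __name__ == "__main__":
    for row in triage():
        print(row["time"], row["path"], "watched compilers:", row["compiler_pids_before"] or "none")
```

Run on the quoted samples, the 21:32:59Z DENY has no compiler-watch entry nearby, while the 21:49:36Z and 21:59:39Z DENYs each follow a "Watching compiler" line by about 200 ms. That is the pattern the poster describes: the stream lines appear only for some of the blocks, which is worth knowing before deciding whether the compiler rule is being applied to the right process.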