How to Allow debugserver Output
eopeter opened this issue
Running into a situation where, when I am running a debugger in IntelliJ in lockdown mode, the output gets blocked. I added a compiler rule as below for the debugserver binary, but no dice:
$ santactl fileinfo /Library/Developer/CommandLineTools/Library/PrivateFrameworks/LLDB.framework/Versions/A/Resources/debugserver
Path : /Library/Developer/CommandLineTools/Library/PrivateFrameworks/LLDB.framework/Versions/A/Resources/debugserver
SHA-256 : c7fe54274e6bda205aa0eda81d12b11216a8c080e0103e76cdcab7fae8ea3585
SHA-1 : c40969d0aa732f19ca48580b9b6148c8c35c845a
Bundle Name : debugserver
Bundle Version : 2
Team ID : 59GAB85EFG
Signing ID : com.apple.debugserver
Type : Executable (arm64, x86_64, arm64e)
Code-signed : Yes
Rule : Allowed (Compiler)
Signing Chain:
1. SHA-256 : d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57
SHA-1 : efdbc9139dd98dbae5a9c7165a096511b15eaef9
Common Name : Software Signing
Organization : Apple Inc.
Organizational Unit : Apple Software
Valid From : 2020/10/29 14:32:38 -0400
Valid Until : 2026/10/24 13:39:41 -0400
2. SHA-256 : 5bdab1288fc16892fef50c658db54f1e2e19cf8f71cc55f77de2b95e051e2562
SHA-1 : 1d010078a61f4fa4694aff4db1ac266ce1b45946
Common Name : Apple Code Signing Certification Authority
Organization : Apple Inc.
Organizational Unit : Apple Certification Authority
Valid From : 2011/10/24 13:39:41 -0400
Valid Until : 2026/10/24 13:39:41 -0400
3. SHA-256 : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
SHA-1 : 611e5b662c593a08ff58d14ae22452d198df6c60
Common Name : Apple Root CA
Organization : Apple Inc.
Organizational Unit : Apple Certification Authority
Valid From : 2006/04/25 17:40:36 -0400
Valid Until : 2035/02/09 16:40:36 -0500
@eopeter can you share the block log line? This is usually in /var/db/santa/santa.log if you're using text logs.
Also, if there's a temporary file being generated by the debugserver, can you share the fileinfo for that?
If you have EnableDebugLogging set to <true/> in your config profile, then the output from
sudo log stream --level debug --style compact --predicate 'sender == "com.google.santa.daemon"'
would also be helpful.
Also #1299 might help here.
@pmarkowsky this is the block log line:
[2024-03-08T21:32:59.120Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|explain=Signature ignored due to error: -67062|sha256=af414908e47473f9aa1447541fe2198188d0db2ce798b806859f787669969156|pid=16571|pidversion=7889775|ppid=16570|uid=0|user=root|gid=0|group=wheel|mode=L|path=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main|args=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main
For the following log line:
[2024-03-08T21:49:36.208Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|explain=Signature ignored due to error: -67062|sha256=af414908e47473f9aa1447541fe2198188d0db2ce798b806859f787669969156|pid=54767|pidversion=7967827|ppid=54766|uid=0|user=root|gid=0|group=wheel|mode=L|path=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main|args=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main
I got the following log stream around the same time:
2024-03-08 16:49:36.004 Df com.google.santa.daemon[398:a07a6d] D com.google.santa.daemon: Watching compiler pid=54763
2024-03-08 16:49:59.660 Df com.google.santa.daemon[398:a08476] D com.google.santa.daemon: No changes to set of watched paths
2024-03-08 16:58:10.815 Df com.google.santa.daemon[398:a12cb3] I com.google.santa.daemon: Flushing caches
2024-03-08 16:59:39.252 Df com.google.santa.daemon[398:a14ee5] D com.google.santa.daemon: Watching compiler pid=75687
2024-03-08 16:59:59.666 Df com.google.santa.daemon[398:a15750] D com.google.santa.daemon: No changes to set of watched paths.
This happened with:
[2024-03-08T21:59:39.461Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|explain=Signature ignored due to error: -67062|sha256=af414908e47473f9aa1447541fe2198188d0db2ce798b806859f787669969156|pid=75693|pidversion=8009807|ppid=75691|uid=0|user=root|gid=0|group=wheel|mode=L|path=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main|args=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main
The stream log entries only happen after the cache is flushed, not on every DENY.
@pmarkowsky do these logs provide any insight?
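As an added example (not code from this issue thread or from the Santa project), the script below parses santa.log EXEC lines of the form quoted in the thread and groups DENY decisions by SHA-256, so the blocked file, its path, its pids and the code-signing status code behind `Signature ignored due to error: -67062` are visible in one summary. -67062 is errSecCSUnsigned from Security.framework ("code object is not signed at all"). The sample input embeds the three DENY lines from the thread plus one constructed ALLOW line and one `log stream` line in the other format, to show that the parser skips what it cannot match. The rule hint it prints is a general statement about which Santa rule types can match an unsigned file, not a diagnosis of this particular issue.

```python
"""Parse Santa text-log EXEC decisions and summarize DENY events per binary.

Added example, not part of the issue thread or the Santa project.
"""
import re
from collections import defaultdict

# "[2024-03-08T21:32:59.120Z] I santad: key=value|key=value|..."
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>\S)\s+(?P<proc>[\w.]+):\s+(?P<body>.*)$")
# Santa passes the Security.framework status code through in the explain field.
CS_ERROR_RE = re.compile(r"Signature ignored due to error:\s*(-?\d+)")
ERR_SEC_CS_UNSIGNED = -67062  # errSecCSUnsigned: code object is not signed at all

# Constructed sample: the three DENY lines quoted in the issue, one constructed
# ALLOW line for debugserver (reason value is an assumption), and one
# `log stream` line in a different format that the parser must skip.
SAMPLE_LINES = [
    "[2024-03-08T21:32:59.120Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|explain=Signature ignored due to error: -67062|sha256=af414908e47473f9aa1447541fe2198188d0db2ce798b806859f787669969156|pid=16571|pidversion=7889775|ppid=16570|uid=0|user=root|gid=0|group=wheel|mode=L|path=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main|args=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main",
    "[2024-03-08T21:49:36.208Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|explain=Signature ignored due to error: -67062|sha256=af414908e47473f9aa1447541fe2198188d0db2ce798b806859f787669969156|pid=54767|pidversion=7967827|ppid=54766|uid=0|user=root|gid=0|group=wheel|mode=L|path=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main|args=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main",
    "2024-03-08 16:49:36.004 Df com.google.santa.daemon[398:a07a6d] D com.google.santa.daemon: Watching compiler pid=54763",
    "[2024-03-08T21:59:39.100Z] I santad: action=EXEC|decision=ALLOW|reason=COMPILER|sha256=c7fe54274e6bda205aa0eda81d12b11216a8c080e0103e76cdcab7fae8ea3585|pid=75691|pidversion=8009800|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=L|path=/Library/Developer/CommandLineTools/Library/PrivateFrameworks/LLDB.framework/Versions/A/Resources/debugserver|args=debugserver --verbose",
    "[2024-03-08T21:59:39.461Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|explain=Signature ignored due to error: -67062|sha256=af414908e47473f9aa1447541fe2198188d0db2ce798b806859f787669969156|pid=75693|pidversion=8009807|ppid=75691|uid=0|user=root|gid=0|group=wheel|mode=L|path=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main|args=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main",
]


def parse_santa_line(line):
    """Return a dict of fields for one santa.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"timestamp": m["ts"], "level": m["level"], "process": m["proc"]}
    parts = m["body"].split("|")
    for i, part in enumerate(parts):
        key, sep, value = part.partition("=")
        if not sep:
            continue
        if key == "args":
            # args is the last field and may itself contain '|', so re-join the rest
            fields[key] = "|".join([value] + parts[i + 1:])
            break
        fields[key] = value
    return fields


def summarize_denies(lines):
    """Group EXEC DENY events by sha256 with paths, pids and the code-signing error."""
    summary = defaultdict(lambda: {"count": 0, "paths": set(), "pids": [], "cs_error": None})
    for line in lines:
        ev = parse_santa_line(line)
        if not ev or ev.get("action") != "EXEC" or ev.get("decision") != "DENY":
            continue
        entry = summary[ev["sha256"]]
        entry["count"] += 1
        entry["paths"].add(ev.get("path", ""))
        entry["pids"].append(int(ev["pid"]))
        m = CS_ERROR_RE.search(ev.get("explain", ""))
        if m:
            entry["cs_error"] = int(m.group(1))
    for entry in summary.values():
        entry["paths"] = sorted(entry["paths"])
        entry["unsigned"] = entry["cs_error"] == ERR_SEC_CS_UNSIGNED
        # An unsigned file has no certificate, TeamID or SigningID to match, so only a
        # SHA-256 binary rule or a transitive rule (written by a compiler-rule process,
        # with EnableTransitiveRules on) can allow it; signed files have more options.
        entry["rule_hint"] = ("sha256 binary rule or transitive rule only"
                              if entry["unsigned"] else "signing-based rules possible")
        entry["fileinfo_cmds"] = ["santactl fileinfo %s" % p for p in entry["paths"]]
    return dict(summary)


if __name__ == "__main__":
    for sha, entry in summarize_denies(SAMPLE_LINES).items():
        print(sha, entry["count"], "denies; unsigned:", entry["unsigned"])
        print("  paths:", entry["paths"])
        print("  pids:", entry["pids"], "rule hint:", entry["rule_hint"])
        for cmd in entry["fileinfo_cmds"]:
            print("  check with:", cmd)
```

Run it against a real santa.log by reading the file into `summarize_denies`; the `fileinfo_cmds` entries are the `santactl fileinfo` invocations to run next, the same command the thread already uses for debugserver.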