
v4.2.14-56d617b


@github-actions github-actions released this 26 Mar 22:06
· 300 commits to main since this release
56d617b

⚠️ This release is affected by GHSA-w253-42qp-5f2x. Update to v5.0.5-caaf673 or later.

Caution

This release is affected by GHSA-92f3-38m7-579h — dual-path ES events (rename, link, copyfile, exchangedata, clone) only checked the source path against policies. Update to v5.0.4 or later.

v4.2.14 — 26 March 2026

Jail reinstated on restart

The process jail is now reinstated automatically when opfilter restarts or is updated. Previously, processes that were jailed during a session would lose their confinement on restart — any process already running when the extension came back up would not be re-jailed until it triggered a new file-system event.

A background sweep timer (10-second interval, .background priority) now scans the full process tree and jails any process that matches a jail rule but is not yet tracked. Once a matching process is found, a cascading BFS pass walks the process tree downward, jailing all descendants under the same rule. Both the sweep and cascade clear the ES authorisation cache after each batch so enforcement takes effect immediately.

Security fix — GHSA-fpmv-5wgw-qhhr

A security vulnerability affecting all prior versions has been resolved. See the security advisory for full details.

Apple platform binary allowlist fix

Apple-signed binaries carry an empty team_id in their code signature. The policy convention in ClearanceKit represents these as teamID: "apple", but this normalisation was previously applied inconsistently — and the platformBinary allowlist flag checked for an empty team ID rather than "apple", meaning the entire baseline allowlist of Apple system processes was silently failing to match after normalisation was introduced.

Both issues are now resolved: normalisation is applied consistently at every point where a team ID is derived (initial process tree build, XPC process list, ES fork/exec events, and ES auth events), and platformBinary entries correctly require teamID == "apple". Unsigned processes (empty team ID and signing ID) are correctly excluded.
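The mismatch described above, modelled in Python as an added example (it is not ClearanceKit's own code): the pre-fix matcher compares `platformBinary` entries against an empty team ID, so it only matches at call sites that skipped normalisation. The `Proc` and `AllowEntry` shapes, the function names, the sample entries, and the way unsigned processes are kept out of normalisation are assumptions made for illustration.

```python
from dataclasses import dataclass

APPLE = "apple"  # policy convention for Apple-signed binaries (from the notes)

@dataclass(frozen=True)
class Proc:                      # hypothetical model of a process signature
    signing_id: str
    team_id: str                 # raw value; empty for Apple-signed binaries

@dataclass(frozen=True)
class AllowEntry:                # hypothetical allowlist entry shape
    signing_id: str
    team_id: str = ""
    platform_binary: bool = False

def normalise_team_id(p: Proc) -> str:
    """Map the raw team ID to the policy form; unsigned stays empty."""
    if p.team_id:
        return p.team_id
    return APPLE if p.signing_id else ""   # signed + empty team => Apple

def matches_before(e: AllowEntry, signing_id: str, team_id: str) -> bool:
    """Pre-fix check: platformBinary compared against an empty team ID."""
    want = "" if e.platform_binary else e.team_id
    return e.signing_id == signing_id and team_id == want

def matches_fixed(e: AllowEntry, signing_id: str, team_id: str) -> bool:
    """Fixed check: platformBinary requires the normalised value "apple"."""
    want = APPLE if e.platform_binary else e.team_id
    return bool(signing_id) and e.signing_id == signing_id and team_id == want

def allowed(entries, p: Proc, matcher, normalise: bool = True) -> bool:
    """normalise=False models a call site that skipped normalisation."""
    team = normalise_team_id(p) if normalise else p.team_id
    return any(matcher(e, p.signing_id, team) for e in entries)

# Constructed sample data, not taken from ClearanceKit's real baseline.
BASELINE = [AllowEntry("com.apple.mdworker", platform_binary=True),
            AllowEntry("com.example.tool", team_id="ABCDE12345")]
APPLE_PROC = Proc("com.apple.mdworker", "")
THIRD_PARTY = Proc("com.example.tool", "ABCDE12345")
UNSIGNED = Proc("", "")

if __name__ == "__main__":
    for name, p in [("apple", APPLE_PROC), ("third-party", THIRD_PARTY),
                    ("unsigned", UNSIGNED)]:
        print(name, "before:", allowed(BASELINE, p, matches_before),
              "fixed:", allowed(BASELINE, p, matches_fixed))
```

A regression test for this class of bug should run every team-ID derivation point through the same matcher with the same fixture, since the failure here was a silent non-match rather than an error.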

Process Tree panel

A new Process Tree panel in the Monitor sidebar shows a sortable snapshot of every process currently tracked by the extension's internal process tree. Columns include PID, version, parent PID, process name, path, signing ID, team ID, UID, and GID. The panel loads its data when it appears; a Refresh button re-fetches the current state.

Metrics improvements

  • Jail metrics tracked per-second and surfaced in the pipeline chart as two new series: Jail events and Jail denies. Both are included in the pipeline_metrics log line.
  • Rolling-average gauges above the chart show the 10-point average rate for each series, scaled to the peak rate seen in the current history window.
  • Accurate sample timestamps captured at timer-fire via CLOCK_REALTIME, threaded through to the GUI x-axis and included as ts= in the log line.
  • Chart series renamed: Hot path → Simple events, Slow path → Ancestry events.

TLA+ formal model

The TLA+ specification has been replaced with a comprehensive model covering both ES adapter clients, all locks, and all semaphores in the pipeline.