v5.0.1-55e1b25

github-actions released this 01 Apr 22:02
· 220 commits to main since this release
Immutable release. Only release title and notes can be modified.
55e1b25

⚠️ This release is affected by GHSA-w253-42qp-5f2x. Update to v5.0.5-caaf673 or later.

Caution

This release is affected by GHSA-92f3-38m7-579h — dual-path ES events (rename, link, copyfile, exchangedata, clone) only checked the source path against policies. Update to v5.0.4 or later.

ClearanceKit 5.0

New App Protection Presets

  • Contacts — Protects /Users/*/Library/Application Support/AddressBook and the Contacts sandboxed container. Allows Contacts, contactsd, AddressBookSourceSync, ABAssistantService, accountsd, and Messages.
  • Messages — Protects /Users/*/Library/Messages (chat.db and attachments). Allows Messages, imagent, IMDPersistenceAgent, IMTransferAgent, IMTranscoderAgent, MessagesBlastDoorService, Contacts, and Spotlight indexing.
  • Slack — Protects Slack's application support and cache directories.
  • Mullvad VPN — Protects Mullvad VPN's application support directory.

Preset Updates

  • Mail — Added textunderstandingd and MailCacheDelete to signing ID list.
  • Notes — Added PaperKit.extension.ui to signing ID list.
  • Discord — Added com.apple.ditto to the ShipIt cache rule to support auto-updates.
  • Safari, Discord, Chrome — Removed processes already covered by the global allowlist.

Export as Santa

New export wizard that converts ClearanceKit policy into a Santa FileAccessPolicy mobileconfig deployable via MDM.

  • FAA rules export as PathsWithAllowedProcesses watch items with baseline allowlist entries inlined.
  • Jail rules export as ProcessesWithAllowedPaths watch items, with a warning that Santa does not confine subprocesses (unlike ClearanceKit's ancestor-based jail).
  • ClearanceKit path patterns are converted to glob(3)-compatible format (*** becomes *, ** becomes prefix match).
  • Warns when rules use ancestry matching, which Santa cannot represent.

Export as ClearanceKit Mobileconfig

New export wizard that serialises ClearanceKit policy into a managed preferences mobileconfig for MDM deployment.

  • Exports FAA rules, App Protections, Jail rules, global allowlist, and global ancestor allowlist.
  • Multi-step wizard with source selection, review, and detached protection warnings.

MCP Server

  • Built-in MCP server for app protections research workflow (add, update, remove, list rules; list events and presets).
  • Feature flag with tamper-resistant signature.

Other Changes

  • Process tree wizard for creating rules from running processes.
  • Search box in Process Tree view that filters across all columns.
  • Editing of allowlist and ancestor allowlist entries.
  • Added com.apple.XprotectFramework.AnalysisService to baseline allowlist.
  • Split FilterInteractor into FAAFilterInteractor and JailFilterInteractor for clearer separation.
  • Reorganised GUI sources around tab structure.
  • Removed jail experimental warning and feature toggle.
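The GHSA-92f3-38m7-579h caution at the top of these notes describes dual-path events being checked against policy on the source path only. The following is an added example, not ClearanceKit's code: a simplified Python model of that check beside one that evaluates both paths. The rule shape, the `example-tool` process name, the use of plain process names in place of signing IDs, and the sample events are all constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Event types the advisory lists as carrying a source and a destination path.
DUAL_PATH_EVENTS = {"rename", "link", "copyfile", "exchangedata", "clone"}

@dataclass(frozen=True)
class Rule:
    protected: str        # protected directory pattern
    allowed: frozenset    # processes allowed to touch it (stand-in for signing IDs)

@dataclass(frozen=True)
class Event:
    kind: str
    process: str
    source: str
    destination: Optional[str] = None

def covered(rule, path):
    """True if path is the protected directory or anything beneath it."""
    return fnmatchcase(path, rule.protected) or fnmatchcase(path, rule.protected + "/*")

def denied(rule, process, path):
    return covered(rule, path) and process not in rule.allowed

def allow_source_only(rules, ev):
    """Behaviour described in the advisory: the destination is never evaluated."""
    return not any(denied(r, ev.process, ev.source) for r in rules)

def allow_all_paths(rules, ev):
    """Evaluate every path the event carries; any denial denies the event."""
    paths = [ev.source]
    if ev.kind in DUAL_PATH_EVENTS and ev.destination is not None:
        paths.append(ev.destination)
    return not any(denied(r, ev.process, p) for r in rules for p in paths)

# Constructed policy and events, modelled on the Messages preset above.
RULES = [Rule("/Users/*/Library/Messages", frozenset({"Messages", "imagent"}))]
DB = "/Users/alice/Library/Messages/chat.db"
SAMPLE_EVENTS = [
    Event("rename", "example-tool", "/tmp/staged.db", DB),  # destination protected
    Event("rename", "Messages", DB + "-wal", DB),           # allowed process
    Event("rename", "example-tool", DB, "/tmp/out.db"),     # source protected
    Event("open", "example-tool", "/tmp/notes.txt"),        # single-path event
]

def evaluate(rules, events):
    """Return (source_only_verdict, all_paths_verdict) per event; True = allow."""
    return [(allow_source_only(rules, e), allow_all_paths(rules, e)) for e in events]
```

Only the first sample event gets different verdicts from the two checks, which makes it a useful regression case when validating an upgrade to a fixed release.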