v5.0.5-caaf673
ClearanceKit 5.0.5
Security
A vulnerability in platform binary identity verification has been fixed. Processes with an empty Team ID were incorrectly treated as Apple platform binaries, allowing a local unprivileged attacker to create an ad-hoc signed binary with a spoofed Signing ID and bypass FAA protections for any protected path. The fix uses the authoritative is_platform_binary flag from Endpoint Security for live events, and an anchor apple codesigning requirement check for processes enumerated at startup.
Users running 5.0.4 or earlier should update.
Reported by @BlueGreenMagick in GHSA-w253-42qp-5f2x.
Write-only rules
Rules can now be configured to enforce only on write operations while allowing reads unconditionally. This enables patterns like the SSH known_hosts carve-out — where any process may read the file but only sshd may write it — without needing separate rules for read access. The toggle is available in the rule editor, exported in ClearanceKit and Santa mobileconfigs, parsed from MDM policy plists, and accessible via the MCP add_rule / update_rule tools.
Rule evaluation order
Rules are now evaluated by most-specific path prefix first, regardless of their position in the array. A rule for /Users/*/Documents/Work takes precedence over a broader /Users/*/Documents rule even if the broader rule appears first. Where two rules have equal specificity, earlier position in the array still wins.
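The precedence rule above, combined with the write-only toggle from the "Write-only rules" section, as an added Python illustration that is not ClearanceKit's own code: it assumes a glob-style prefix match in which `*` covers one path component and measures specificity as prefix length, and the rules and signing IDs are constructed samples.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Assumed rule model for illustration only (not ClearanceKit's own types):
# a glob-style path prefix, the signing IDs allowed to act on it, and the
# write-only toggle from the release notes.
@dataclass
class Rule:
    path: str
    allowed: set
    write_only: bool = False

def _components(path):
    return [c for c in path.split("/") if c]

def _matches(rule, target):
    # Prefix match component by component; '*' stands for exactly one
    # component (an assumption about wildcard semantics, not from the page).
    rp, tp = _components(rule.path), _components(target)
    return len(rp) <= len(tp) and all(fnmatchcase(t, r) for r, t in zip(rp, tp))

def select_rule(rules, target):
    """Governing rule for target: most specific (longest) prefix wins,
    and equal specificity is resolved by earlier position in the array."""
    candidates = [(i, r) for i, r in enumerate(rules) if _matches(r, target)]
    if not candidates:
        return None
    candidates.sort(key=lambda ir: (-len(_components(ir[1].path)), ir[0]))
    return candidates[0][1]

def evaluate(rules, target, signing_id, is_write):
    """Decide 'allow' or 'deny' for one file access by signing_id."""
    rule = select_rule(rules, target)
    if rule is None:
        return "allow"          # path is not covered by any rule
    if rule.write_only and not is_write:
        return "allow"          # write-only rule: reads pass unconditionally
    return "allow" if signing_id in rule.allowed else "deny"

# Constructed sample policy: the broad Documents rule is deliberately listed
# first, and a second Documents rule of equal specificity is listed last.
RULES = [
    Rule("/Users/*/Documents", {"com.example.editor"}),
    Rule("/Users/*/Documents/Work", {"com.example.workapp"}),
    Rule("/Users/*/.ssh/known_hosts", {"com.openssh.sshd"}, write_only=True),
    Rule("/Users/*/Documents", {"com.example.backup"}),
]

if __name__ == "__main__":
    print(evaluate(RULES, "/Users/alice/Documents/Work/plan.txt", "com.example.editor", True))  # deny
    print(evaluate(RULES, "/Users/alice/.ssh/known_hosts", "com.example.curl", False))          # allow
    print(evaluate(RULES, "/Users/alice/.ssh/known_hosts", "com.example.curl", True))           # deny
```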
New presets and built-ins
Built-in rule: PAM configuration write protection (/etc/pam.d) — prevents unauthorised modification of PAM authentication configuration.
New app presets (experimental): Firefox, Docker, 1Password 7, 1Password 8, Calendar.
New system hardening presets (experimental): SSH Keys, Launch Item Protection, Cron/At Job Protection, Password Hash Protection, Keychain Write Protection, Spotlight Importer Protection, Audio Plugin Protection, In-Memory Code Loading Protection, AWS Credential Protection.
Other changes
- Universal wildcard `*:*` is now accepted in ProcessSignature matching, allowing rules that permit any signed process regardless of team or signing ID
- `localizationswitcherd` added to the baseline allowlist
- Messages preset gains QuickLook signatures; Safari preset gains SafariServices and a Cookies.binarycookies rule; Chrome preset narrowed to Chrome-specific paths
- MCP `list_events` now surfaces deny detail
- Fixed: ESJailAdapter was not forwarding `accessKind` to file auth events