-
Notifications
You must be signed in to change notification settings - Fork 292
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"deadline reached" in a File Access Authorization rule #1094
Comments
What macOS version are you running on? |
macOS 13.3.1 (a) Santa 2023.4 |
Thank you for the report and detailed logs. This has uncovered an issue with how binaries that are originally in the ES default mute set are handled for the file access feature. Unfortunately it seems the only workaround for now is to ensure that watch paths do not contain binaries that would need to be inspected by critical system daemons. In the given config, the watch path In the original comment, you mention that iTerm2 crashes, but that is not the exact behavior I see, instead, it is immediately closing after opening, presumably because of failing to conenct to the iTermServer.... Could you confirm this is your case too? Are you seeing iTerm2 logs in We're looking to get this addressed in the next release. |
Another suggestion for the config as a workaround is to more specifically target files and subpaths within that directory that would exclude the binaries by using multiple entries within the |
Thanks for taking a look! Yep, I guess "crash" isn't the right term. When I open iTerm2, it immediately displays an error message in a popup, and closes when I dismiss that message. I don't see any iTerm2 logs in Just to confirm, the system daemons that cannot access watched files are all the binaries in this list, right? |
Pretty much (Technically, the list linked is a hardcoded backup of paths in the ES default mute set used as a fallback in the event that the list cannot be dynamically gathered via In case you were thinking about creating exceptions for these processes in the watch config - that unfortunately will not help as a workaround. The issue with how Santa responds to these events with small deadlines prevents that exception mechanism as being a viable alternative. |
I have a File Access Authorization rule that blocks access to certain files, even though the rule is in audit-only mode.
Are there steps I can take to get more debugging information out of Santa?
Version
Reproduction steps
FileAccessPolicy
Behavior
iTerm is unable to read some of its local state in
~/Library/Application Support/iTerm2
, and crashes.Santa still records
FILE_ACCESS
logs withdecision=AUDIT_ONLY
, but I guess by then it's too late to respond to the file event?Logs
Santa logs from the macOS system log:
/var/db/santa/santa.log
iTerm.app stderr
The text was updated successfully, but these errors were encountered: