Delayed effect of a BlacklistRegex update via a PreFlight response #142
Comments
I've spent most of the morning trying to reproduce this and am unable. What version are you using?

```
» defaults read /var/db/santa/config.plist | grep Blacklist
» santactl sync
Sync completed successfully
» defaults read /var/db/santa/config.plist | grep Blacklist
BlacklistRegex = "^.+/flargleblarg$";
» ./flargleblarg
-bash: ./flargleblarg: Operation not permitted
» grep flargleblarg /var/log/santa.log
[2017-01-31T17:11:22.437Z] I santad: action=EXEC|decision=DENY|reason=SCOPE|explain=Blacklist Regex|sha256=722d1740a49812c67a1b3dad1893613b3615927942fe230189b54dc91525f8b1|path=/Users/rah/src/tmp/flargleblarg|pid=59447|ppid=59174|uid=139567|user=rah|gid=5000|group=eng|mode=M
```
Sorry about the delay. Here are the answers: I am running some tests with a Zentral branch that I am working on. Just sending a blacklist regex via the blacklist_regexp attribute of a Preflight response. Santa is running in MONITOR mode.
Ah, that makes sense: the exec after the regex changes is unaffected because it's cached (in the kernel) so the regex is never consulted. We handle this situation for blacklist rules by clearing the cache when a new blacklist rule arrives. We could probably fix this by clearing the cache whenever the whitelist/blacklist regexes are changed also.
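To make the stale-decision behaviour above concrete, here is an added, simplified model of the failure and the proposed fix. It is not Santa's code: it keys the decision cache by sha256 for brevity (Santa's kernel cache is keyed by file identity), treats the blacklist regex as taking precedence over the whitelist regex, and defaults unknown binaries to ALLOW as MONITOR mode would. The path and sha256 are taken from the log line in this thread; `Daemon`, `apply_preflight` and `scenario` are hypothetical names.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# (decision, explain), e.g. ("DENY", "Blacklist Regex")
Decision = Tuple[str, str]


@dataclass
class Policy:
    blacklist_regex: Optional[str] = None
    whitelist_regex: Optional[str] = None


@dataclass
class Daemon:
    """Toy model of a daemon with a decision cache in front of its regex rules."""
    policy: Policy = field(default_factory=Policy)
    # False reproduces issue #142: regexes change, cache keeps old answers.
    clear_cache_on_regex_change: bool = True
    cache: Dict[str, Decision] = field(default_factory=dict)  # sha256 -> decision (assumption)
    cache_hits: int = 0

    def _evaluate(self, path: str) -> Decision:
        # Scope rules: blacklist regex denies, whitelist regex allows,
        # otherwise MONITOR mode lets the exec through.
        p = self.policy
        if p.blacklist_regex and re.match(p.blacklist_regex, path):
            return ("DENY", "Blacklist Regex")
        if p.whitelist_regex and re.match(p.whitelist_regex, path):
            return ("ALLOW", "Whitelist Regex")
        return ("ALLOW", "Unknown binary (monitor mode)")

    def exec_request(self, path: str, sha256: str) -> Decision:
        cached = self.cache.get(sha256)
        if cached is not None:
            self.cache_hits += 1
            return cached  # regexes never consulted: this is the stale path
        decision = self._evaluate(path)
        self.cache[sha256] = decision
        return decision

    def apply_preflight(self, blacklist_regex: Optional[str] = None,
                        whitelist_regex: Optional[str] = None) -> None:
        """Apply regexes from a preflight response, as the sync would."""
        changed = (blacklist_regex != self.policy.blacklist_regex
                   or whitelist_regex != self.policy.whitelist_regex)
        self.policy = Policy(blacklist_regex, whitelist_regex)
        if changed and self.clear_cache_on_regex_change:
            # The fix: drop every cached decision so the next exec
            # is re-evaluated against the new regexes.
            self.cache.clear()


def scenario(fixed: bool) -> Tuple[Decision, Decision]:
    """Exec once (cached as ALLOW), push a blacklist regex, exec again."""
    d = Daemon(clear_cache_on_regex_change=fixed)
    path = "/Users/rah/src/tmp/flargleblarg"  # from the thread's log line
    sha = "722d1740a49812c67a1b3dad1893613b3615927942fe230189b54dc91525f8b1"
    first = d.exec_request(path, sha)
    d.apply_preflight(blacklist_regex=r"^.+/flargleblarg$")
    second = d.exec_request(path, sha)
    return first, second


if __name__ == "__main__":
    print("without cache clear:", scenario(False))  # second exec still ALLOW
    print("with cache clear:   ", scenario(True))   # second exec DENY
```

Running `scenario(False)` shows the symptom reported here: the regex is visibly updated in the policy, yet the second exec is answered from the cache and still allowed. `scenario(True)` clears the cache when the regexes change, so the second exec is re-evaluated and denied with the same `explain=Blacklist Regex` the log line above shows. Restarting the daemon in the original report had the same effect because it discarded the cache.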
When white/black-list regexes are changed clear the kernel cache so the regexes are able to take effect immediately. Fixes #142
When white/black-list regexes are changed clear the kernel cache so the regexes are able to take effect immediately. Fixes google#142
The updated regex is visible using

```
sudo defaults read /var/db/santa/config.plist
```

right after a sync. The previously blocked apps are allowed, as expected, but the apps which are supposed to be blocked by the new regex are still working. If santad is restarted, they are blocked (so, not a regex issue).