Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Confusing process information on brew install #215

Closed
torarnv opened this issue Sep 21, 2020 · 10 comments
Closed

Confusing process information on brew install #215

torarnv opened this issue Sep 21, 2020 · 10 comments

Comments

@torarnv
Copy link

torarnv commented Sep 21, 2020
edited

When doing e.g. brew install llvm, LuLu catches brew reaching out to its package repo. But the resulting dialogs are a bit confusing in what caused this:

Screen Shot 2020-09-21 at 17 13 10

Why is /usr/bin/cp and /usr/local/blame/rm blamed for the network connection?
@torarnv torarnv changed the title Confusing process information on `brew install\ Confusing process information on brew install Sep 21, 2020
@torarnv
Copy link
Author

torarnv commented Sep 21, 2020

Even more confusingly:

image

@ghost
Copy link

ghost commented Sep 21, 2020

Could it be the infamous notarization checks when binaries are run?

https://lapcatsoftware.com/articles/catalina-executables.html

IIRC there is a basic command to be able to turn that off in macOS, floating around on the Internet. Can't find it now but IIRC I've implemented it in my system...

@torarnv
Copy link
Author

torarnv commented Sep 21, 2020

If that was the case, wouldn't it reach out to Apple servers, not GitHub? I'm assuming this is actually LuLu catching Homebrew talking to GitHub to get the latest list of packages e.g.

@ghost
Copy link

ghost commented Sep 22, 2020

Oh my bad I didn't check the IP. Sorry for potentially useless comment.

objective-see pushed a commit that referenced this issue Sep 23, 2020
bug fixes, project cleanup
8e039b9 
-switched to using audit token vs pid (#215)
-show (error alerts) on main thread
-added 'kMDItemFSCreationDate' fallback when 'kMDItemDateAdded' is nil
@objective-see
Copy link
Owner

objective-see commented Sep 24, 2020
edited

Thanks for the feedback!
I've updated the code that maps a network flow to a process.

Before I was using the reported process id (pid), which could be problematic if the process forked/exec'd, or exited and the pid was re-used (LuLu would then report the wrong path 😅).

Good news, I refactored the code to now use the process's audit token (which should never be re-used). This should fix this issue!
...LuLu should now always report the correct path, etc. for the process responsible for generating the network flow.

Could you test the latest beta to confirm the fix?
https://bitbucket.org/objective-see/deploy/downloads/LuLu_2.0.0_BETA.zip

Mahalo again!

@torarnv
Copy link
Author

torarnv commented Sep 24, 2020

Much appreciated!!! This bug was making me a bit unweary about my system being compromised in some way, especially when I saw the network connections being reported for my own software 😄 Thanks for looking into it!!

Will test the beta and report back ASAP!

@torarnv
Copy link
Author

torarnv commented Sep 24, 2020

Looking good now! 😊

image

image

I guess there's nothing to do about brew exec'ing, hiding the "initiator" of the network connection.

So unless I specify a remote endpoint rule scope, /usr/bin/curlwill be allowed to reach out to any network address regardless of which script (hostile or not) is initiating it, do I understand that correctly? Is there any way to mitigate that?

Thanks!

@torarnv
Copy link
Author

torarnv commented Sep 24, 2020

(Not saying LuLu isn't excellent, just trying to understand the considerations and possible threat models) 😊

@objective-see
Copy link
Owner

Correct, hence the addition of endpoint rules :)
...or perhaps you could go w/ 'temporary' so just that instance of curl would be allowed.

@objective-see objective-see mentioned this issue Sep 24, 2020
Closed
@torarnv
Copy link
Author

torarnv commented Sep 24, 2020

Thanks! Love your tools, will bump my patreon tier! ❤️

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@torarnv @objective-see