Unable to get transitive rules working with XCode #1180

Open
p-harrison opened this issue Sep 12, 2023 · 13 comments
Labels: question (Any questions related to code / operation of Santa), rules transitive allowlisting

Comments

@p-harrison (Contributor)

p-harrison commented Sep 12, 2023

Wonder if somebody could tell me where I might be going wrong here please?

I'm trying to enable transitive rules for XCode for our devs. I'm testing on a clean macOS 13.5.2 and have installed a fresh copy of XCode 14.3.1. Santa 2023.7. I create a new SwiftUI macOS app with the default 'hello world' code. A Santa block pops up a few seconds later as XCode tries to compile and display a preview of the app I guess.

Here are some excerpts from my santa.log where the path to the test app is mentioned.


[2023-09-12T12:06:43.297Z] I santad: action=EXEC|decision=ALLOW|reason=COMPILER|sha256=aaeefef12648420e157784162635089f256eaa9e8d086eb555768c677a5ab56e|cert_sha256=d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57|cert_cn=Software Signing|teamid=59GAB85EFG|pid=38336|pidversion=94281|ppid=38266|uid=501|user=philipharrison|gid=20|group=staff|mode=U|path=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang|args=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang -Xlinker -reproducible -target arm64-apple-macos13.3 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.3.sdk -L/Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Intermediates.noindex/EagerLinkingTBDs/Debug -L/Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Products/Debug -F/Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Intermediates.noindex/EagerLinkingTBDs/Debug -F/Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Products/Debug -filelist /Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Intermediates.noindex/test2.build/Debug/test2.build/Objects-normal/arm64/test2.LinkFileList -Xlinker -rpath -Xlinker @executable_path/../Frameworks -Xlinker -object_path_lto -Xlinker /Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Intermediates.noindex/test2.build/Debug/test2.build/Objects-normal/arm64/test2_lto.o -Xlinker -export_dynamic -Xlinker -no_deduplicate 
-fobjc-link-runtime -L/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift/macosx -L/usr/lib/swift -Xlinker -add_ast_path -Xlinker /Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Intermediates.noindex/test2.build/Debug/test2.build/Objects-normal/arm64/test2.swiftmodule -Xlinker -no_adhoc_codesign -Xlinker -dependency_info -Xlinker /Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Intermediates.noindex/test2.build/Debug/test2.build/Objects-normal/arm64/test2_dependency_info.dat -o /Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Products/Debug/test2.app/Contents/MacOS/test2

[2023-09-12T12:06:43.306Z] I santad: action=EXEC|decision=ALLOW|reason=COMPILER|sha256=153185ffbfd1ed8b92fc77cd0c62e79154dc0773197ecede11f5f4e9240aacff|cert_sha256=d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57|cert_cn=Software Signing|teamid=59GAB85EFG|pid=38337|pidversion=94283|ppid=38336|uid=501|user=philipharrison|gid=20|group=staff|mode=U|path=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ld|args=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ld -demangle -lto_library /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/libLTO.dylib -dynamic -arch arm64 -platform_version macos 13.3.0 13.3 -syslibroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.3.sdk -o /Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Products/Debug/test2.app/Contents/MacOS/test2 -L/Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Intermediates.noindex/EagerLinkingTBDs/Debug -L/Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Products/Debug -L/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift/macosx -L/usr/lib/swift -reproducible -filelist /Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Intermediates.noindex/test2.build/Debug/test2.build/Objects-normal/arm64/test2.LinkFileList -rpath @executable_path/../Frameworks -object_path_lto 
/Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Intermediates.noindex/test2.build/Debug/test2.build/Objects-normal/arm64/test2_lto.o -export_dynamic -no_deduplicate -add_ast_path /Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Intermediates.noindex/test2.build/Debug/test2.build/Objects-normal/arm64/test2.swiftmodule -no_adhoc_codesign -dependency_info /Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Intermediates.noindex/test2.build/Debug/test2.build/Objects-normal/arm64/test2_dependency_info.dat -framework Foundation -lobjc -lSystem /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/14.0.3/lib/darwin/libclang_rt.osx.a -F/Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Intermediates.noindex/EagerLinkingTBDs/Debug -F/Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Products/Debug

[2023-09-12T12:06:43.730Z] I santad: action=EXEC|decision=ALLOW|reason=COMPILER|sha256=d38f10f7a233bd75a6eb846259096adcb82de2a67e20552cecdaecd116045bad|cert_sha256=d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57|cert_cn=Software Signing|pid=38338|pidversion=94285|ppid=38266|uid=501|user=philipharrison|gid=20|group=staff|mode=U|path=/usr/bin/codesign|args=/usr/bin/codesign --force --sign - --entitlements /Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Intermediates.noindex/test2.build/Debug/test2.build/test2.app.xcent --timestamp=none --generate-entitlement-der /Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Products/Debug/test2.app

[2023-09-12T12:06:43.741Z] I santad: action=RENAME|path=/Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Products/Debug/test2.app/Contents/MacOS/test2.cstemp|newpath=/Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Products/Debug/test2.app/Contents/MacOS/test2|pid=38338|ppid=38266|process=codesign|processpath=/usr/bin/codesign|uid=501|user=philipharrison|gid=20|group=staff

[2023-09-12T12:06:43.778Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=5aa99b2a6f5bc7de487b6a778b755b222d67e8ca59b14ca33ad35be9716215d0|cert_sha256=d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57|cert_cn=Software Signing|pid=38339|pidversion=94288|ppid=38266|uid=501|user=philipharrison|gid=20|group=staff|mode=U|path=/usr/bin/touch|args=/usr/bin/touch -c /Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Products/Debug/test2.app

[2023-09-12T12:06:43.778Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=a26cd92c30ab84c49b9b761d4ac456dbc7ed662afb6b0be806f6f2d3330bb6e4|cert_sha256=d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57|cert_cn=Software Signing|pid=38340|pidversion=94289|ppid=38266|uid=501|user=philipharrison|gid=20|group=staff|mode=U|path=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister|args=/System/Library/Frameworks/CoreServices.framework/Versions/Current/Frameworks/LaunchServices.framework/Versions/Current/Support/lsregister -f -R -trusted /Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Products/Debug/test2.app

[2023-09-12T12:06:44.339Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|sha256=745e6cba6a27f9f4586bc543f08e74b8847caf08f29d1bd29cacab9fa95e13fe|pid=38353|pidversion=94320|ppid=1|uid=501|user=philipharrison|gid=20|group=staff|mode=L|path=/Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Products/Debug/test2.app/Contents/MacOS/test2|args=/Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Products/Debug/test2.app/Contents/MacOS/test2 -NSDocumentRevisionsDebugMode YES -ApplePersistenceIgnoreStateQuietly YES

[2023-09-12T12:06:44.763Z] I santad: action=BUNDLE|sha256=745e6cba6a27f9f4586bc543f08e74b8847caf08f29d1bd29cacab9fa95e13fe|bundlehash=52d6853f48958ebc313d10771bccc4b2900693b843e3f9b253982ccb5d3c1679|bundlename=test2|bundleid=test2.test2|bundlepath=/Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Products/Debug/test2.app|path=/Users/philipharrison/Library/Developer/Xcode/DerivedData/test2-hawowrtrqculmwfhrgzaaffptfsw/Build/Intermediates.noindex/Previews/test2/Products/Debug/test2.app/Contents/MacOS/test2

santactl status -

>>> Daemon Info
  Mode                      | Lockdown
  Log Type                  | file
  File Logging              | No
  USB Blocking              | No
  Watchdog CPU Events       | 0  (Peak: 13.44%)
  Watchdog RAM Events       | 0  (Peak: 36.11MB)
>>> Cache Info
  Root cache count          | 58
  Non-root cache count      | 2
>>> Database Info
  Binary Rules              | 175
  Certificate Rules         | 5
  TeamID Rules              | 61
  SigningID Rules           | 38
  Compiler Rules            | 4
  Transitive Rules          | 0
  Events Pending Upload     | 1
>>> Watch Items
  Enabled                   | No
>>> Sync Info
  Sync Server               | https://**********.azure-api.net/
  Clean Sync Required       | No
  Last Successful Full Sync | 2023/09/12 13:07:15 +0100
  Last Successful Rule Sync | 2023/09/12 13:07:15 +0100
  Push Notifications        | Disconnected
  Bundle Scanning           | Yes
  Transitive Rules          | Yes

I have compiler rules added for ld, codesign, clang and XCode and Santa seems to have picked those up as can be seen in santa.log. But no transitive rules are being created at all.

Any suggestions?
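The santa.log excerpt above already contains everything needed to see the failure: COMPILER-allowed execs of clang and ld naming the output binary with -o, a RENAME by codesign from test2.cstemp onto that binary, and a DENY with reason=UNKNOWN (rather than TRANSITIVE) for the same path. As an added example that is not Santa's code, the Python below parses that pipe-delimited key=value format and links each denied binary back to the compiler exec that wrote it and to any rename that produced it. The log lines embedded are shortened, constructed samples in the same format; hashes are placeholders.

```python
"""Added example (not Santa's code): correlate santa.log EXEC, RENAME and DENY
lines to find compiler output that was later blocked without a transitive
rule. The embedded log lines are shortened, constructed samples in the same
format as the real ones; sha256 values are placeholders."""
import re
import shlex
from typing import Dict, List, Optional

# "[timestamp] I santad: key=value|key=value|..."
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+\w\s+santad:\s+(?P<body>.*)$")


def parse_santa_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one santad line into a dict of its fields, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields: Dict[str, str] = {"ts": m.group("ts")}
    for seg in m.group("body").split("|"):
        key, sep, value = seg.partition("=")
        if sep and " " not in key:
            fields[key] = value
        else:
            # a '|' inside the last value (typically args): glue it back on
            last_key = list(fields)[-1]
            fields[last_key] += "|" + seg
    return fields


def output_path(args: str) -> Optional[str]:
    """Return the path following '-o' in a compiler/linker command line."""
    toks = shlex.split(args)
    for i, tok in enumerate(toks[:-1]):
        if tok == "-o":
            return toks[i + 1]
    return None


def correlate(lines: List[str]) -> List[Dict[str, str]]:
    """Report DENY events whose binary was written by a COMPILER-allowed process
    (named via -o) or placed there by a RENAME recorded after the compile."""
    produced: Dict[str, Dict[str, str]] = {}  # output path -> last compiler EXEC
    renamed_from: Dict[str, str] = {}         # newpath -> original path
    findings: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_santa_line(line)
        if ev is None:
            continue
        action = ev.get("action")
        if action == "EXEC" and ev.get("reason") == "COMPILER":
            out = output_path(ev.get("args", ""))
            if out:
                produced[out] = ev  # clang and ld both name it; last writer wins
        elif action == "RENAME":
            renamed_from[ev.get("newpath", "")] = ev.get("path", "")
        elif action == "EXEC" and ev.get("decision") == "DENY":
            path = ev.get("path", "")
            producer = produced.get(path)
            if producer is None and path not in renamed_from:
                continue  # a block unrelated to any compiler we saw
            findings.append({
                "path": path,
                "denied_reason": ev.get("reason", ""),
                "producer": producer["path"] if producer else "",
                "producer_pid": producer["pid"] if producer else "",
                "renamed_from": renamed_from.get(path, ""),
            })
    return findings


# Constructed sample, modelled on the excerpt in the issue (paths shortened).
APP = "/Users/dev/Library/Developer/Xcode/DerivedData/test2-xxxx/Build/Products/Debug/test2.app"
BIN = APP + "/Contents/MacOS/test2"
SAMPLE_LOG = f"""\
[2023-09-12T12:06:43.297Z] I santad: action=EXEC|decision=ALLOW|reason=COMPILER|sha256=<clang-hash>|pid=38336|ppid=38266|path=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang|args=clang -target arm64-apple-macos13.3 -Xlinker -reproducible -o {BIN}
[2023-09-12T12:06:43.306Z] I santad: action=EXEC|decision=ALLOW|reason=COMPILER|sha256=<ld-hash>|pid=38337|ppid=38336|path=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ld|args=ld -demangle -arch arm64 -o {BIN} -lSystem
[2023-09-12T12:06:43.730Z] I santad: action=EXEC|decision=ALLOW|reason=COMPILER|sha256=<codesign-hash>|pid=38338|ppid=38266|path=/usr/bin/codesign|args=/usr/bin/codesign --force --sign - --timestamp=none {APP}
[2023-09-12T12:06:43.741Z] I santad: action=RENAME|path={BIN}.cstemp|newpath={BIN}|pid=38338|ppid=38266|process=codesign|processpath=/usr/bin/codesign
[2023-09-12T12:06:43.778Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=<touch-hash>|pid=38339|ppid=38266|path=/usr/bin/touch|args=/usr/bin/touch -c {APP}
[2023-09-12T12:06:44.339Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|sha256=<test2-hash>|pid=38353|ppid=1|mode=L|path={BIN}|args={BIN} -NSDocumentRevisionsDebugMode YES
"""

if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG.splitlines()):
        print(f"{f['path']} denied ({f['denied_reason']}); last written by "
              f"{f['producer']} pid {f['producer_pid']}; renamed from "
              f"{f['renamed_from'] or '-'}")
```

Run it against a real santa.log with `correlate(open("/var/db/santa/santa.log").read().splitlines())`; a finding whose denied_reason is UNKNOWN and whose renamed_from ends in .cstemp is exactly the pattern in this issue, where the binary Santa eventually blocks is the destination of codesign's rename rather than the file the linker wrote.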

@pmarkowsky (Contributor)

A few thoughts here

1. Can you run sudo eslogger exec close (⚠️ This is very noisy), clean up the log to just have events, and send the output to us?

This will show us if there's something about the events preventing transitive rules from being created.

2. You could also update and modify the dtrace script below

This checks for mmaps or other syscalls that we're not accounting for before the 2023.8 release.

Note you'd need to reboot and disable SIP for this to work.

To run you'd need to do the following:

chmod +x ./dtrace_script.d
sudo ./dtrace_script.d

dtrace_script.d:

#!/usr/sbin/dtrace -s
/*
 * Custom dtrace script to watch program execution for debugging transitive allowlisting
 */

/* processes we follow, keyed by [ppid, pid]; set to 1 once seen exec'ing */
int procs[int, int];
/* executable names that start a process tree we follow */
int names_to_watch[string];
/* per-process map of file descriptor -> path it was opened from */
string my_fds[int, int];
/* map of pid, address -> filename */
string mmaped_files[int, int];

BEGIN {
  names_to_watch["asm"] = 1;
  names_to_watch["compile"] = 1;
  names_to_watch["link"] = 1;
  names_to_watch["go"] = 1;
}

syscall::open:entry
/ procs[ppid, pid] == 1 || names_to_watch[execname] == 1 /
{
  last_open_path = copyinstr(arg0);
  printf("PPID: %d PID: %d  %s open %s", ppid, pid, execname, last_open_path);
}

syscall::open:return
/ procs[ppid, pid] == 1 || names_to_watch[execname] == 1 /
{
  /* arg0 is the returned fd; remember which path it refers to */
  my_fds[pid, arg0] = last_open_path;
}

syscall::close:entry
/ procs[ppid, pid] == 1 /
{
  printf("PPID: %d PID: %d  %s closed %s", ppid, pid, execname, my_fds[pid, arg0]);
}

syscall::mmap:entry
/ procs[ppid, pid] == 1 || names_to_watch[execname] == 1 /
{
  /* mmap(addr, len, prot, flags, fd, offset): arg2 is prot, arg3 flags, arg4 the fd */
  last_mmaped_file = my_fds[pid, arg4];
  printf("PPID: %d PID: %d  %s mmaped %s with prot: %d flags: %d", ppid, pid, execname, last_mmaped_file, arg2, arg3);
}

syscall::mmap:return
/ procs[ppid, pid] == 1 || names_to_watch[execname] == 1 /
{
  printf("PPID: %d PID: %d  %s mmaped %s at addr: %0x", ppid, pid, execname, last_mmaped_file, arg0);
  mmaped_files[pid, arg0] = last_mmaped_file;
}

syscall::munmap:entry
/ procs[ppid, pid] == 1 && mmaped_files[pid, arg0] != "" /
{
  printf("PPID: %d PID: %d  %s unmmaped %s at addr: %0x", ppid, pid, execname, mmaped_files[pid, arg0], arg0);
  mmaped_files[pid, arg0] = "";
}

syscall::rename:entry
/ procs[ppid, pid] == 1 || names_to_watch[execname] == 1 /
{
  old_path = copyinstr(arg0);
  new_path = copyinstr(arg1);
  printf("PPID: %d PID: %d  %s renamed  %s to %s", ppid, pid, execname, old_path, new_path);
}

syscall::write:entry
/ procs[ppid, pid] == 1 && arg0 > 2 /
{
  /* skip stdin/stdout/stderr; report writes to files we saw opened */
  printf("PPID: %d PID: %d  %s writes to %s", ppid, pid, execname, my_fds[pid, arg0]);
}

syscall::*:entry
/ procs[ppid, pid] == 1 || names_to_watch[execname] == 1 /
{
  @call_counts_per_function[probefunc] = count();
}

proc:::exec
/ names_to_watch[execname] == 1 || procs[ppid, pid] == 1 /
{
  /* start following this process; remember its name from before the exec */
  old_name = execname;
  procs[ppid, pid] = 1;
}

proc:::exec-success
/ procs[ppid, pid] == 1 /
{
  printf("PPID: %d PID: %d %s exec %s", ppid, pid, old_name, execname);
}

END {
  printa(@call_counts_per_function);
}

@pmarkowsky added the labels question (Any questions related to code / operation of Santa) and rules transitive allowlisting on Sep 13, 2023
@p-harrison (Contributor, Author)

Below is some output from eslogger (man that is a chatty tool!). I started it just before launching XCode and creating a new test project called "test4" and stopped it shortly after the Santa block message appeared. Afraid this is all new to me so I'm not sure what you would want me to clear out of that log to tidy it up, but this is the bundle path that Santa blocked (escaped so you can use it to search in the eslogger output) so you can see where it is referenced in the log.

\/Users\/philipharrison\/Library\/Developer\/Xcode\/DerivedData\/test4-hjffqnzetvkyhsemjhdmosbqzvpb\/Build\/Intermediates.noindex\/Previews\/test4\/Products\/Debug\/test4.app

esloggeroutput.txt.zip

@pmarkowsky (Contributor)

Another thing we should do is look at the daemon logs. Can you run log stream --predicate 'sender=="com.google.santa.daemon"'?

You should see the messages for creating transitive rules if this is happening.

@p-harrison (Contributor, Author)

For some reason that specific command didn't show any logs, so I used a broader one I was using to test client certificate auth previously, but it includes the daemon logs. I don't see much in there about transitive rules.

logstream.txt

@p-harrison (Contributor, Author)

2. You could also update and modify the dtrace script below

This checks for mmaps or other syscalls that we're not accounting for before the 2023.8 release.

On this one @pmarkowsky, I'm afraid I'm not a developer and I'm new to macOS, so while I'll figure out getting SIP disabled and running the script, I'm not sure what I would do to update/modify it to do what we need sorry!

Even though transitive rules appear to be enabled, I am wondering if there is something I can add as a compiler rule to do a basic test that should work without fail to create a transitive rule? Like for example TextEdit then create a file and chmod it to make it executable.

@pmarkowsky (Contributor)

For some reason that specific command didn't show any logs, so I used a broader one I was using to test client certificate auth previously, but it includes the daemon logs. I don't see much in there about transitive rules.

I realized I should have asked you to add the EnableDebugLogging key to your application config before asking for the logs.

e.g.

<key>EnableDebugLogging</key><true/>

I'd say let's try that first and see if we can get some logging. Then if need be we can try and get the dtrace script working.

@p-harrison (Contributor, Author)

p-harrison commented Sep 19, 2023

I realized I should have asked you to add the EnableDebugLogging key to your application config before asking for the logs.

e.g.

<key>EnableDebugLogging</key><true/>

That did it thanks, I've attached the output as I create a new macOS project in XCode and it attempts to launch. Lots of 'Unable to create SNTFileInfo while attempting to create transitive rule' messages but they're all for temporary files so I suspect this might be normal?

PS. Am I OK to add that EnableDebugLogging key to the documentation or is it not intended for broad use?

debuglog.txt

@pmarkowsky (Contributor)

@p-harrison we just released Santa 2023.8; would you mind retesting? Curious if the fix for #561 also helps here.

@pmarkowsky (Contributor)

PS. Am I OK to add that EnableDebugLogging key to the documentation or is it not intended for broad use?

Feel free to add that to the documentation.

@p-harrison (Contributor, Author)

p-harrison commented Oct 16, 2023

Hey @pmarkowsky unfortunately the issue persists with 2023.8, no sign of any transitive rules across our device fleet.

I'm not sure if it is relevant, but perhaps it's an edge case. As we have a small ruleset and small number of devices, our Santa server does not do incremental sync of rules, instead we call for a clean_sync in the Preflight stage of every sync and send down the full ruleset. I can see now that might be an issue if transitive rules are also reset as part of a clean sync (are they?) but I would assume we should still see transitive rules being created in between syncs, which we are not.

Are the errors from the debug logs like Unable to create SNTFileInfo while attempting to create transitive rule of concern or are they normal?

Shout if there is anything else I can do to help testing.

@pmarkowsky (Contributor)

Are the errors from the debug logs like Unable to create SNTFileInfo while attempting to create transitive rule of concern or are they normal?

Thanks for trying this. Essentially what I've been seeing is that the race for renames seems to be somewhat problematic, in which we check a file and don't find it.

Part of the issue is that we're checking the source of the rename vs. the destination of the rename. However, even when swapping Santa to use the destination of the rename, it doesn't always work.

I can see now that might be an issue if transitive rules are also reset as part of a clean sync (are they?)

They are flushed as part of a clean sync since we delete the rules when a clean sync is requested.

Shout if there is anything else I can do to help testing.

I have a private branch with some more detailed logging; if I can get it cleaned up and into a PR then it'd be good to retest to make sure you're seeing the same behavior and that there isn't yet another thing.
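The rename race described above is easy to reproduce in miniature. The example below is an added model (not Santa's code) of the codesign pattern visible in the earlier santa.log excerpt: the signed binary is written to test2.cstemp and then renamed over the original. It then hashes both the rename source and the rename destination the way a rule-creation step running after the rename would, and compares them with what is on disk when the binary is later executed. The file contents and paths are constructed stand-ins.

```python
"""Added example (not Santa's code): model of codesign's write-then-rename and
of the two candidate paths a RENAME event offers for building a transitive
rule. All files and contents are constructed stand-ins."""
import hashlib
import os
import tempfile
from typing import Dict, Optional


def sha256_of(path: str) -> Optional[str]:
    """SHA-256 of a file, or None if it no longer exists (the 'file not found'
    case behind the 'Unable to create SNTFileInfo' messages)."""
    try:
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()
    except FileNotFoundError:
        return None


def codesign_style_replace(final_path: str, signed_bytes: bytes) -> str:
    """Mimic 'codesign --force': write <file>.cstemp, then rename it over the
    original. Returns the temporary path, i.e. the rename *source*."""
    tmp_path = final_path + ".cstemp"
    with open(tmp_path, "wb") as fh:
        fh.write(signed_bytes)
    os.rename(tmp_path, final_path)  # atomic replace; tmp_path is gone afterwards
    return tmp_path


def rule_candidates(rename_source: str, rename_dest: str) -> Dict[str, Optional[str]]:
    """What a rule-creation step sees if it runs once the rename has completed."""
    return {
        "source": sha256_of(rename_source),
        "destination": sha256_of(rename_dest),
    }


def simulate() -> Dict[str, Optional[str]]:
    """Build, 'sign' and then hash as at EXEC time; return all three hashes."""
    with tempfile.TemporaryDirectory() as workdir:
        final = os.path.join(workdir, "test2")
        with open(final, "wb") as fh:
            fh.write(b"constructed unsigned Mach-O stand-in")  # linker output
        tmp = codesign_style_replace(final, b"constructed signed Mach-O stand-in")
        seen = rule_candidates(tmp, final)
        seen["executed"] = sha256_of(final)  # what Santa hashes at the later EXEC
        return seen


if __name__ == "__main__":
    for label, digest in simulate().items():
        print(f"{label:12s} {digest}")
```

Hashing the rename source yields nothing once the rename has gone through, so no rule can be written for it; hashing the destination gives the digest of the file that later executes, which is why switching to the destination is the natural fix. It is still a race, as the comment above notes: if the check runs before the rename lands, or the toolchain rewrites the file once more afterwards, the destination hash will not match the binary at EXEC time either.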

@p-harrison (Contributor, Author)

Hey @pmarkowsky, I'm just revisiting this issue to try and get our developers onboarded to Santa.

This might sound like an unreasonable ask, so you can tell me to take a walk by all means, but would there be any merit to me sharing details of our Sync Server so you can point a test Santa client at it and see if there's a bug that is causing Transitive Rule not to function in our setup?

Cheers,
Phil

@pmarkowsky (Contributor)

@p-harrison things have been kinda hectic. I'd be happy to hop on a video chat, but not sure I could commit to much more right now.
