Intellij IDE Debugging Blocked in Lockdown Mode #1181

Open
eopeter opened this issue Sep 13, 2023 · 6 comments
Labels
question Any questions related to code / operation of Santa transitive allowlisting

Comments


eopeter commented Sep 13, 2023

What would be the correct rule to allow debugging in IntelliJ IDEA when a temp output is blocked? See the message from Santa below for a Golang app executed from within IntelliJ in the IDE terminal:

debugserver-@(#)PROGRAM:LLDB  PROJECT:lldb-1403.0.17.67
 for x86_64.
Got a connection, launched process /private/var/folders/w5/pvflyg8942d4041xjq5vxdk4001slv/T/GoLand/___notify_docker (pid = 62618).

Santa

This application has been blocked

Path:       /private/var/folders/w5/pvflyg8942d4041xjq5vxdk4001slv/T/GoLand/___notify_docker
Identifier: 65f1fe5df81290c6cf12434e088576d9ae81a9de5f18fbc6c8bab0b4808f6b18
Parent:     debugserver (62617)

santactl fileinfo /private/var/folders/w5/pvflyg8942d4041xjq5vxdk4001slv/T/GoLand/___notify_docker gave the following output:

Path                   : /var/folders/w5/pvflyg8942d4041xjq5vxdk4001slv/T/GoLand/___notify_docker
SHA-256                : 65f1fe5df81290c6cf12434e088576d9ae81a9de5f18fbc6c8bab0b4808f6b18
SHA-1                  : 593ea43e632474253441b40ac2796269cc9a4b30
Type                   : Executable (x86_64)
Code-signed            : No
Rule                   : Blocked (Unknown)

Not sure if this is related to #561 as we have compiler rules already written for goland.

The Santa log entry is

[2023-09-13T12:43:21.565Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|explain=Signature ignored due to error: -67062|sha256=65f1fe5df81290c6cf12434e088576d9ae81a9de5f18fbc6c8bab0b4808f6b18|pid=62618|pidversion=1883468|ppid=62617|uid=59003|user=user1|gid=20|group=staff|mode=L|path=/private/var/folders/w5/pvflyg8942d4041xjq5vxdk4001slv/T/GoLand/___notify_docker|args=/private/var/folders/w5/pvflyg8942d4041xjq5vxdk4001slv/T/GoLand/___notify_docker
pmarkowsky (Contributor) commented

My guess is that this is probably related to #561 given that this is go and its toolchain uses mmap.

Are your compiler rules working outside of IntelliJ? If you run /usr/bin/log stream --predicate 'sender=="com.google.santa.daemon"' what do you get?

You should see some messages indicating we're creating a transitive rule.

pmarkowsky added the labels "question" (Any questions related to code / operation of Santa) and "transitive allowlisting" on Sep 14, 2023
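The santad log line quoted above is what you have to read to tell whether a block is a one-off hash problem or a transitive-allowlisting gap. The following triage script is an added example and not code from the Santa project; it parses santad's pipe-separated key=value EXEC lines, keeps the DENY/UNKNOWN events, and flags binaries living under the per-user temp directory (/var/folders/.../T/), because those are rebuilt on every run and a static sha256 allow rule for them is useless; what matters there is whether the parent process (ppid) runs under a compiler rule. The mapping of -67062 to errSecCSUnsigned is the Security.framework meaning of that code; the second sample line is constructed for this example, the first is the one from the issue.

```python
"""Triage helper for santad EXEC decision lines (added example, not Santa code)."""
import re
from typing import Dict, List

# Constructed sample input: the DENY line from the issue, plus a constructed
# ALLOW line in the same format so the filter has something to skip.
SAMPLE_LOG = """\
[2023-09-13T12:43:21.565Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|explain=Signature ignored due to error: -67062|sha256=65f1fe5df81290c6cf12434e088576d9ae81a9de5f18fbc6c8bab0b4808f6b18|pid=62618|pidversion=1883468|ppid=62617|uid=59003|user=user1|gid=20|group=staff|mode=L|path=/private/var/folders/w5/pvflyg8942d4041xjq5vxdk4001slv/T/GoLand/___notify_docker|args=/private/var/folders/w5/pvflyg8942d4041xjq5vxdk4001slv/T/GoLand/___notify_docker
[2023-09-13T12:43:20.001Z] I santad: action=EXEC|decision=ALLOW|reason=BINARY|sha256=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|pid=62617|ppid=1000|uid=59003|user=user1|gid=20|group=staff|mode=L|path=/usr/bin/debugserver|args=/usr/bin/debugserver
"""

LOG_PREFIX = re.compile(r"^\[(?P<ts>[^\]]+)\] \w+ santad: (?P<body>.*)$")
# Per-user $TMPDIR on macOS, with or without the /private prefix.
TEMP_DIR = re.compile(r"^/(?:private/)?var/folders/[^/]+/[^/]+/T/")
# Security.framework code-signing status codes that show up in explain=.
CS_ERRORS = {"-67062": "errSecCSUnsigned: the binary carries no code signature"}
MODES = {"L": "LOCKDOWN", "M": "MONITOR"}


def parse_santad_line(line: str) -> Dict[str, str]:
    """Parse one santad log line into a dict of its fields; {} if it is not one."""
    m = LOG_PREFIX.match(line.strip())
    if not m:
        return {}
    fields: Dict[str, str] = {"timestamp": m.group("ts")}
    last_key = None
    for chunk in m.group("body").split("|"):
        key, sep, value = chunk.partition("=")
        if sep and re.fullmatch(r"[A-Za-z0-9_]+", key):
            fields[key] = value
            last_key = key
        elif last_key:
            # A '|' inside a value (typically args) was split; glue it back on.
            fields[last_key] += "|" + chunk
    return fields


def is_temp_build_artifact(path: str) -> bool:
    """True for binaries under the per-user temp dir, i.e. rebuilt per run."""
    return bool(TEMP_DIR.match(path))


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return every DENY/UNKNOWN EXEC event with a triage note attached."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        ev = parse_santad_line(line)
        if not ev or ev.get("action") != "EXEC":
            continue
        if ev.get("decision") != "DENY" or ev.get("reason") != "UNKNOWN":
            continue
        path = ev.get("path", "")
        ephemeral = is_temp_build_artifact(path)
        # The OSStatus code is the last token of the explain= text.
        code = ev.get("explain", "").rsplit(" ", 1)[-1]
        finding: Dict[str, object] = {
            "sha256": ev.get("sha256", ""),
            "path": path,
            "ppid": ev.get("ppid", ""),
            "mode": MODES.get(ev.get("mode", ""), ev.get("mode", "")),
            "signing": CS_ERRORS.get(code, ev.get("explain", "")),
            "ephemeral": ephemeral,
        }
        if ephemeral:
            finding["advice"] = (
                "per-build artifact: a sha256 allow rule covers only this one build; "
                "check that parent pid %s runs under a compiler rule and that "
                "transitive rules are enabled" % finding["ppid"]
            )
        else:
            finding["advice"] = "stable binary: allow by sha256 or by signing identity"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%(mode)s DENY %(sha256)s %(path)s\n  %(signing)s\n  %(advice)s" % f)
```

Run it against `log show --predicate 'sender=="com.google.santa.daemon"'` output (or the santa.log file) to separate the blocks that a hash or signing rule fixes from the ones that only a working compiler rule on the parent process will fix.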

eopeter commented Oct 5, 2023

Any idea when the build that has the fix for #561 will be released?

pmarkowsky (Contributor) commented

We just released it today https://github.com/google/santa/releases/2023.8

pmarkowsky (Contributor) commented

@eopeter if you test this can you make sure to have <key>EnableDebugLogging</key><true/> in your application config.

This should tell us if you're making the transitive rule.


eopeter commented Oct 5, 2023

Will do


eopeter commented Dec 21, 2023

This is still not working. Is anyone successfully debugging using IntelliJ? I added a compiler rule for the DebugServer but it still does not resolve the issue.
