google / santa

A binary authorization and monitoring system for macOS
https://santa.dev
Apache License 2.0

Enhancement request: Possible to create rules to block/allow execution based on parent process #293

Open vector-sec opened 6 years ago

vector-sec commented 6 years ago

Do you think it would be possible to add the ability for Santa to block a process based on its parent?

An example use-case would be blocking bash from starting from Microsoft Office products to try to make malicious office documents less effective.

russellhancox commented 6 years ago

I think this would be possible, but it will require tracking which processes are unable to spawn and coming up with a reasonable system for describing these.

The easiest method I can think of would be to add a new ruletype: WHITELIST_PREVENT_EXEC which would allow a process to run but prevent it from execve'ing any other process. When santad responds with this either it or santa-driver can keep a map in memory of pids which aren't allowed to be the parent of any other process. The difficulty is that we can't (currently, at least) track when these processes die and need to be removed from the list.

We'll need to give this some more thought.
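An added illustration of the map-of-pids design sketched in the comment above, written for this page and not taken from Santa (neither santad nor santa-driver): a user-space C simulation in which a hypothetical WHITELIST_PREVENT_EXEC rule marks a pid in a bitmap, and any later exec event from that pid, or from a child it forked, is denied. The rule lookup (keyed by path rather than hash to keep it short), the paths, the pids and the exit-tracking flag are all made up for the demonstration. Running it shows the intended block (Word spawning bash is denied) and the failure mode the comment raises: without exit notifications the stale entry survives pid reuse and an unrelated process that later receives pid 500 is wrongly blocked, whereas with exit tracking the entry is cleared and the exec is allowed.

```c
/*
 * Added example, not Santa code: simulation of a WHITELIST_PREVENT_EXEC rule.
 * A process matching such a rule is allowed to run, but its pid is recorded in
 * a "no-spawn" bitmap and any later exec by it, or by a child it forked, is
 * denied. process_exit() models whether the enforcement point learns about
 * process death; when it does not, entries go stale and reused pids are
 * blocked by mistake. All rule names, paths and pids are hypothetical.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PID 32768  /* small table for the demo; the real pid_t range is larger */

enum verdict { VERDICT_ALLOW = 0, VERDICT_DENY = 1 };
enum rule { RULE_WHITELIST, RULE_WHITELIST_PREVENT_EXEC, RULE_BLACKLIST };

struct exec_policy {
    uint8_t no_spawn[MAX_PID / 8]; /* bit set: this pid may not be the parent of an exec */
    bool track_exit;               /* whether exit events clear entries */
};

static bool bit_get(const uint8_t *bm, int pid) { return (bm[pid / 8] & (1u << (pid % 8))) != 0; }
static void bit_set(uint8_t *bm, int pid)       { bm[pid / 8] |= (uint8_t)(1u << (pid % 8)); }
static void bit_clr(uint8_t *bm, int pid)       { bm[pid / 8] &= (uint8_t)~(1u << (pid % 8)); }

void policy_init(struct exec_policy *p, bool track_exit) {
    memset(p->no_spawn, 0, sizeof p->no_spawn);
    p->track_exit = track_exit;
}

/* Hypothetical stand-in for the rule database, keyed by path instead of hash. */
static enum rule lookup_rule(const char *path) {
    if (strcmp(path, "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word") == 0)
        return RULE_WHITELIST_PREVENT_EXEC;
    return RULE_WHITELIST;
}

/* Exec event: process `pid` (child of `ppid`) is about to replace its image with `path`. */
enum verdict authorize_exec(struct exec_policy *p, int pid, int ppid, const char *path) {
    if (pid < 0 || pid >= MAX_PID || ppid < 0 || ppid >= MAX_PID) return VERDICT_DENY;
    /* A marked process may neither exec directly (pid) nor through a forked child (ppid). */
    if (bit_get(p->no_spawn, pid) || bit_get(p->no_spawn, ppid)) return VERDICT_DENY;
    switch (lookup_rule(path)) {
    case RULE_BLACKLIST:
        return VERDICT_DENY;
    case RULE_WHITELIST_PREVENT_EXEC:
        bit_set(p->no_spawn, pid); /* allowed to run, but remembered as a forbidden parent */
        return VERDICT_ALLOW;
    default:
        return VERDICT_ALLOW;
    }
}

/* Exit event. Ignored when exit tracking is unavailable, which is the gap the comment describes. */
void process_exit(struct exec_policy *p, int pid) {
    if (p->track_exit && pid >= 0 && pid < MAX_PID) bit_clr(p->no_spawn, pid);
}

/* Scenario 1, the intended block: Word (pid 500) forks pid 600, which tries to exec bash. */
enum verdict scenario_office_spawns_bash(bool track_exit) {
    struct exec_policy p;
    policy_init(&p, track_exit);
    authorize_exec(&p, 500, 1, "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word");
    return authorize_exec(&p, 600, 500, "/bin/bash");
}

/* Scenario 2, pid reuse: Word (pid 500) exits; Terminal later gets pid 500 and spawns bash. */
enum verdict scenario_pid_reuse(bool track_exit) {
    struct exec_policy p;
    policy_init(&p, track_exit);
    authorize_exec(&p, 500, 1, "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word");
    process_exit(&p, 500);
    enum verdict v = authorize_exec(&p, 500, 1, "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal");
    if (v == VERDICT_DENY) return v; /* stale entry already blocks Terminal itself */
    return authorize_exec(&p, 700, 500, "/bin/bash");
}

static const char *name(enum verdict v) { return v == VERDICT_DENY ? "DENY" : "ALLOW"; }

int main(void) {
    printf("Word -> bash, no exit tracking:   %s\n", name(scenario_office_spawns_bash(false)));
    printf("Word -> bash, with exit tracking: %s\n", name(scenario_office_spawns_bash(true)));
    printf("pid reuse, no exit tracking:      %s\n", name(scenario_pid_reuse(false)));
    printf("pid reuse, with exit tracking:    %s\n", name(scenario_pid_reuse(true)));
    return 0;
}
```

The first two lines of output are DENY in both modes, which is the behaviour the request asks for; the third line is DENY only because the entry for pid 500 was never cleared, and the fourth is ALLOW once exits are tracked. Any real implementation also has to decide what happens to entries when the enforcement point restarts, which this simulation does not model.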

built2order commented 1 year ago

I'd very much like to allow an application based on its parent, such as launchd_sim.

As a developer, I want to compile and test an application from a location that may be denied using a scope (i.e. regex) based policy.

Application: Test
Filename: Test
Path: /Users/xxx/Library/Developer/CoreSimulator/Devices/xxx/data/Containers/Bundle/Application/xxx/Test.app/Test
Publisher: Not code-signed
Parent: launchd_sim (x)