Currently, the File Access Authorization feature does not operate on access attempts from binaries within the default mute set. This is largely due to two issues:
The basic mechanism used by Santa to auto-respond to messages about to miss a response deadline is not flexible enough to handle AUTH events with very low timeouts.
One option would be to maintain an ordered map with the key being the deadline and some polling method that ensures messages about to reach their deadline are responded to.
Minor: The message processing of AUTH events in the File Access Authorizer ES client should be done inline with the message callback (i.e. in the es_handler_block_t block given to es_new_client)
As of now, it doesn't appear that message processing requires any operations that would block in external processes. We could take advantage of the handler block running on a much higher priority queue to achieve more throughput, and only go async when logging.
Currently, the File Access Authorization feature does not operate on access attempts from binaries within the default mute set. This is largely due to two issues:
The basic mechanism used by Santa to auto-respond to messages about to miss a response deadline is not flexible enough to handle AUTH events with very low timeouts.
Minor: The message processing of AUTH events in the File Access Authorizer ES client should be done inline with the message callback (i.e. in the
es_handler_block_tblock given toes_new_client)