Open zaqes opened 3 months ago
I'm running v. 2.6.3 on Sonoma 14.5 (23F79) and, likewise, rules are not being pruned for executables that have been removed and are no longer 'statable'.
While running the following:
log stream --level debug --predicate="subsystem='com.objective-see.lulu'"
it indicates that it's checking if something at the path was deleted. However, it gives no indication of the return of each check and if it matches with reality.
Thanks for the bug report! I will look into this more and try to figure out what isn't working.
Question, can you give me a specific example of a program/app you installed, had a rule for, then deleted? So I can attempt to specifically replicate the issue? 🙏🏽
The logic to cleanup rules is here: https://github.com/objective-see/LuLu/blob/e5b11e09184c39d8a8bd7222ea4c005296aa5504/LuLu/Extension/Rules.m#L1153
...noting this, as you should indeed see a log message about a check on whether it's being removed: "checking if ... was deleted".
The code then checks if the path (that you would see in the previous log message) has been removed via:
if(YES != [NSFileManager.defaultManager fileExistsAtPath:rule.path]) {
os_log_debug(logHandle, "%{public}@ is gone, will delete rule", rule.path);
...
[self.rules removeObjectForKey:key];
....
Can you confirm that you see a log message checking for the item you deleted? And post it? (maybe the path is messed up or something)...but then that the second log message ("....is gone, will delete rule") doesn't show up?
Finally I'm guessing you also see this log message "cleaned up/deleted 0 rules"?
Thank you!
The cleanup routine fails universally. Every time it is selected it consistently reports that it "Cleaned up 0 rules" regardless of changes. I notice this inaccuracy most frequently when updating Homebrew.
For example, PHP gets updated. It creates a new path for the new version at /opt/homebrew/Cellar/php/8.3.9/bin/php, removes the prior version at /opt/homebrew/Cellar/php/8.3.8. It changes the symlink of /opt/homebrew/bin/php to now point to the new version path.
The approved rule for /opt/homebrew/Cellar/php/8.3.8/bin/php remains in place. Executing the cleanup finds nothing to be removed. I have to manually remove the rule pointing to the now missing /opt/homebrew/Cellar/php/8.3.8/bin/php binary.
This isn't in any way unique to PHP. While watching the log stream I'll remove the installation that has an allow rule already in place and run a 'cleanup':
user@host:~ $ ls /opt/homebrew/Cellar/php/8.3.9/bin/php
/opt/homebrew/Cellar/php/8.3.9/bin/php
user@host:~ $ brew uninstall php
Uninstalling /opt/homebrew/Cellar/php/8.3.9... (524 files, 88.7MB)
Warning: The following php configuration files have not been removed!
If desired, remove them manually with `rm -rf`:
/opt/homebrew/etc/php
/opt/homebrew/etc/php/8.1
/opt/homebrew/etc/php/8.1/conf.d
/opt/homebrew/etc/php/8.1/conf.d/ext-opcache.ini
/opt/homebrew/etc/php/8.1/pear.conf
/opt/homebrew/etc/php/8.1/pear.conf.default
/opt/homebrew/etc/php/8.1/php-fpm.conf
/opt/homebrew/etc/php/8.1/php-fpm.conf.default
/opt/homebrew/etc/php/8.1/php-fpm.d
/opt/homebrew/etc/php/8.1/php-fpm.d/www.conf
/opt/homebrew/etc/php/8.1/php-fpm.d/www.conf.default
/opt/homebrew/etc/php/8.1/php.ini
/opt/homebrew/etc/php/8.1/php.ini-production
/opt/homebrew/etc/php/8.2
/opt/homebrew/etc/php/8.2/conf.d
/opt/homebrew/etc/php/8.2/conf.d/ext-opcache.ini
/opt/homebrew/etc/php/8.2/pear.conf
/opt/homebrew/etc/php/8.2/pear.conf.default
/opt/homebrew/etc/php/8.2/php-fpm.conf
/opt/homebrew/etc/php/8.2/php-fpm.conf.default
/opt/homebrew/etc/php/8.2/php-fpm.d
/opt/homebrew/etc/php/8.2/php-fpm.d/www.conf
/opt/homebrew/etc/php/8.2/php-fpm.d/www.conf.default
/opt/homebrew/etc/php/8.2/php.ini
/opt/homebrew/etc/php/8.2/php.ini-production
/opt/homebrew/etc/php/8.2/php.ini-production.default
/opt/homebrew/etc/php/8.2/php.ini.default
/opt/homebrew/etc/php/8.3
/opt/homebrew/etc/php/8.3/conf.d
/opt/homebrew/etc/php/8.3/conf.d/ext-opcache.ini
/opt/homebrew/etc/php/8.3/pear.conf
/opt/homebrew/etc/php/8.3/pear.conf.default
/opt/homebrew/etc/php/8.3/php-fpm.conf
/opt/homebrew/etc/php/8.3/php-fpm.conf.default
/opt/homebrew/etc/php/8.3/php-fpm.d
/opt/homebrew/etc/php/8.3/php-fpm.d/www.conf
/opt/homebrew/etc/php/8.3/php-fpm.d/www.conf.default
/opt/homebrew/etc/php/8.3/php.ini
/opt/homebrew/etc/php/8.3/php.ini-production
==> Autoremoving 30 unneeded formulae:
aom
apr
apr-util
argon2
aspell
autoconf
brotli
curl
freetds
gd
giflib
gmp
highway
imath
jpeg-xl
krb5
libavif
libnghttp2
libpq
libsodium
libtool
libvmaf
little-cms2
m4
openexr
openldap
rtmpdump
tidy-html5
unixodbc
webp
Uninstalling /opt/homebrew/Cellar/gmp/6.3.0... (22 files, 3.3MB)
Uninstalling /opt/homebrew/Cellar/argon2/20190702_1... (13 files, 688.6KB)
Uninstalling /opt/homebrew/Cellar/apr-util/1.6.3_1... (55 files, 915.5KB)
Uninstalling /opt/homebrew/Cellar/curl/8.8.0... (527 files, 4.3MB)
Uninstalling /opt/homebrew/Cellar/freetds/1.4.19... (1,424 files, 16MB)
Warning: The following may be freetds configuration files and have not been removed!
If desired, remove them manually with `rm -rf`:
/opt/homebrew/etc/freetds.conf
Uninstalling /opt/homebrew/Cellar/libsodium/1.0.20... (78 files, 888.8KB)
Uninstalling /opt/homebrew/Cellar/autoconf/2.72... (72 files, 3.6MB)
Uninstalling /opt/homebrew/Cellar/libpq/16.3... (2,383 files, 29.6MB)
Uninstalling /opt/homebrew/Cellar/aspell/0.60.8.1_1... (768 files, 322.9MB)
Uninstalling /opt/homebrew/Cellar/tidy-html5/5.8.0... (15 files, 3MB)
Uninstalling /opt/homebrew/Cellar/gd/2.3.3_6... (34 files, 1.5MB)
Uninstalling /opt/homebrew/Cellar/rtmpdump/2.4-20151223_3... (21 files, 654.1KB)
Uninstalling /opt/homebrew/Cellar/libavif/1.0.4... (20 files, 556.5KB)
Uninstalling /opt/homebrew/Cellar/unixodbc/2.3.12... (48 files, 2.3MB)
Uninstalling /opt/homebrew/Cellar/libnghttp2/1.61.0... (14 files, 807.3KB)
Uninstalling /opt/homebrew/Cellar/krb5/1.21.3... (163 files, 5.6MB)
Uninstalling /opt/homebrew/Cellar/apr/1.7.4... (60 files, 1.4MB)
Uninstalling /opt/homebrew/Cellar/openldap/2.6.8... (342 files, 7.8MB)
Warning: The following openldap configuration files have not been removed!
If desired, remove them manually with `rm -rf`:
/opt/homebrew/etc/openldap
/opt/homebrew/etc/openldap/ldap.conf
/opt/homebrew/etc/openldap/ldap.conf.default
/opt/homebrew/etc/openldap/schema
/opt/homebrew/etc/openldap/schema/README
/opt/homebrew/etc/openldap/schema/README.default
/opt/homebrew/etc/openldap/schema/collective.ldif
/opt/homebrew/etc/openldap/schema/collective.ldif.default
/opt/homebrew/etc/openldap/schema/collective.schema
/opt/homebrew/etc/openldap/schema/collective.schema.default
/opt/homebrew/etc/openldap/schema/corba.ldif
/opt/homebrew/etc/openldap/schema/corba.ldif.default
/opt/homebrew/etc/openldap/schema/corba.schema
/opt/homebrew/etc/openldap/schema/corba.schema.default
/opt/homebrew/etc/openldap/schema/core.ldif
/opt/homebrew/etc/openldap/schema/core.ldif.default
/opt/homebrew/etc/openldap/schema/core.schema
/opt/homebrew/etc/openldap/schema/core.schema.default
/opt/homebrew/etc/openldap/schema/cosine.ldif
/opt/homebrew/etc/openldap/schema/cosine.ldif.default
/opt/homebrew/etc/openldap/schema/cosine.schema
/opt/homebrew/etc/openldap/schema/cosine.schema.default
/opt/homebrew/etc/openldap/schema/dsee.ldif
/opt/homebrew/etc/openldap/schema/dsee.ldif.default
/opt/homebrew/etc/openldap/schema/dsee.schema
/opt/homebrew/etc/openldap/schema/dsee.schema.default
/opt/homebrew/etc/openldap/schema/duaconf.ldif
/opt/homebrew/etc/openldap/schema/duaconf.ldif.default
/opt/homebrew/etc/openldap/schema/duaconf.schema
/opt/homebrew/etc/openldap/schema/duaconf.schema.default
/opt/homebrew/etc/openldap/schema/dyngroup.ldif
/opt/homebrew/etc/openldap/schema/dyngroup.ldif.default
/opt/homebrew/etc/openldap/schema/dyngroup.schema
/opt/homebrew/etc/openldap/schema/dyngroup.schema.default
/opt/homebrew/etc/openldap/schema/inetorgperson.ldif
/opt/homebrew/etc/openldap/schema/inetorgperson.ldif.default
/opt/homebrew/etc/openldap/schema/inetorgperson.schema
/opt/homebrew/etc/openldap/schema/inetorgperson.schema.default
/opt/homebrew/etc/openldap/schema/java.ldif
/opt/homebrew/etc/openldap/schema/java.ldif.default
/opt/homebrew/etc/openldap/schema/java.schema
/opt/homebrew/etc/openldap/schema/java.schema.default
/opt/homebrew/etc/openldap/schema/misc.ldif
/opt/homebrew/etc/openldap/schema/misc.ldif.default
/opt/homebrew/etc/openldap/schema/misc.schema
/opt/homebrew/etc/openldap/schema/misc.schema.default
/opt/homebrew/etc/openldap/schema/msuser.ldif
/opt/homebrew/etc/openldap/schema/msuser.ldif.default
/opt/homebrew/etc/openldap/schema/msuser.schema
/opt/homebrew/etc/openldap/schema/msuser.schema.default
/opt/homebrew/etc/openldap/schema/namedobject.ldif
/opt/homebrew/etc/openldap/schema/namedobject.ldif.default
/opt/homebrew/etc/openldap/schema/namedobject.schema
/opt/homebrew/etc/openldap/schema/namedobject.schema.default
/opt/homebrew/etc/openldap/schema/nis.ldif
/opt/homebrew/etc/openldap/schema/nis.ldif.default
/opt/homebrew/etc/openldap/schema/nis.schema
/opt/homebrew/etc/openldap/schema/nis.schema.default
/opt/homebrew/etc/openldap/schema/openldap.ldif
/opt/homebrew/etc/openldap/schema/openldap.ldif.default
/opt/homebrew/etc/openldap/schema/openldap.schema
/opt/homebrew/etc/openldap/schema/openldap.schema.default
/opt/homebrew/etc/openldap/schema/pmi.ldif
/opt/homebrew/etc/openldap/schema/pmi.ldif.default
/opt/homebrew/etc/openldap/schema/pmi.schema
/opt/homebrew/etc/openldap/schema/pmi.schema.default
/opt/homebrew/etc/openldap/slapd.conf
/opt/homebrew/etc/openldap/slapd.conf.default
/opt/homebrew/etc/openldap/slapd.conf.default.default
/opt/homebrew/etc/openldap/slapd.ldif
/opt/homebrew/etc/openldap/slapd.ldif.default
/opt/homebrew/etc/openldap/slapd.ldif.default.default
Uninstalling /opt/homebrew/Cellar/libtool/2.4.7... (76 files, 3.8MB)
Uninstalling /opt/homebrew/Cellar/aom/3.9.1... (24 files, 10MB)
Uninstalling /opt/homebrew/Cellar/libvmaf/3.0.0... (235 files, 7.2MB)
Uninstalling /opt/homebrew/Cellar/m4/1.4.19... (14 files, 728.8KB)
Uninstalling /opt/homebrew/Cellar/jpeg-xl/0.10.3... (63 files, 28.3MB)
Uninstalling /opt/homebrew/Cellar/little-cms2/2.16... (23 files, 1.4MB)
Uninstalling /opt/homebrew/Cellar/highway/1.2.0... (75 files, 4.2MB)
Uninstalling /opt/homebrew/Cellar/brotli/1.1.0... (25 files, 1016.0KB)
Uninstalling /opt/homebrew/Cellar/webp/1.4.0... (64 files, 2.5MB)
Uninstalling /opt/homebrew/Cellar/openexr/3.2.4... (206 files, 8.0MB)
Uninstalling /opt/homebrew/Cellar/imath/3.1.11... (50 files, 943.1KB)
Uninstalling /opt/homebrew/Cellar/giflib/5.2.2... (20 files, 547KB)
user@host:~ $ ls /opt/homebrew/Cellar/php/8.3.9/bin/php
ls: /opt/homebrew/Cellar/php/8.3.9/bin/php: No such file or directory
user@host:~ $
After the PHP removal we search for PHP in the LuLu log stream while executing a cleanup:
user@host:~ $ log stream --level debug --predicate="subsystem='com.objective-see.lulu'" | less -p php
…
2024-07-07 09:59:38.318962+0200 0x8c060b Debug 0x284fd09 560 0 com.objective-see.lulu.extension: [com.objective-see.lulu:extension] checking if /opt/homebrew/Cellar/php/8.3.9/bin/php was deleted
…
The log doesn't seem to indicate what its test concluded. But the cleanup finds no rules to cleanup and the allowed PHP rule remains active despite nothing existing at that path.
One guess of mine was that LuLu didn't have, but needed, full disk access in order to stat the path. Granting that didn't change the issue.
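The following is an added example, not LuLu's code and not posted by anyone in this thread. It re-implements in Python the cleanup logic the maintainer describes above (walk every rule, check whether anything still exists at `rule.path`, drop the rule if not) and runs it against the Homebrew scenario from the PHP report: a rule for the versioned Cellar binary, a rule for the `/opt/homebrew/bin/php` symlink and a directory rule, with an upgrade from 8.3.8 to 8.3.9 followed by removal of the Cellar tree. Everything lives under a temporary root created by the script; the rule keys, the `action` field and the "still exists, keeping rule" log line are hypothetical and do not model LuLu's real rule store. The uninstall step deliberately leaves the symlink dangling (Homebrew itself normally unlinks first) to show that an exists check that follows symlinks, as `os.path.exists()` and `fileExistsAtPath:` both do, treats a dangling link as gone, while a directory rule counts as present.

```python
import os
import shutil
import tempfile
from pathlib import Path


def rule_is_stale(path: str) -> bool:
    """True when nothing exists at the rule's path.

    os.path.exists() follows symlinks (as NSFileManager's fileExistsAtPath:
    does), so a dangling symlink counts as gone, while a directory (a
    directory rule) counts as present.
    """
    return not os.path.exists(path)


def cleanup_rules(rules: dict, log) -> tuple:
    """Drop every rule whose path is gone and log the outcome of each check.

    Returns (rules that survive, list of keys that were deleted).
    """
    kept, deleted = {}, []
    for key, rule in rules.items():
        path = rule["path"]
        log(f"checking if {path} was deleted")
        if rule_is_stale(path):
            log(f"{path} is gone, will delete rule")
            deleted.append(key)
        else:
            # Hypothetical line: LuLu's log only reports the positive case.
            log(f"{path} still exists, keeping rule")
            kept[key] = rule
    log(f"cleaned up/deleted {len(deleted)} rules")
    return kept, deleted


def simulate_php_lifecycle() -> dict:
    """Constructed scenario under a temp root: install php 8.3.8 with rules,
    upgrade to 8.3.9 (old Cellar dir removed, symlink repointed) and run
    cleanup, then remove the Cellar tree (symlink left dangling) and run again.
    """
    root = Path(tempfile.mkdtemp())
    try:
        cellar = root / "opt/homebrew/Cellar/php"
        old_bin = cellar / "8.3.8/bin/php"
        new_bin = cellar / "8.3.9/bin/php"
        link = root / "opt/homebrew/bin/php"
        etc = root / "opt/homebrew/etc/php"
        for p in (old_bin.parent, link.parent, etc):
            p.mkdir(parents=True)
        old_bin.write_bytes(b"#!/bin/sh\n")
        link.symlink_to(old_bin)
        # Rule keys and the action field are hypothetical (not LuLu's store).
        rules = {
            "php-cellar": {"path": str(old_bin), "action": "allow"},
            "php-link": {"path": str(link), "action": "allow"},
            "php-etc": {"path": str(etc), "action": "allow"},  # directory rule
        }

        # Upgrade, as in the report: new version appears, old one disappears,
        # /opt/homebrew/bin/php is repointed at the new binary.
        new_bin.parent.mkdir(parents=True)
        new_bin.write_bytes(b"#!/bin/sh\n")
        shutil.rmtree(cellar / "8.3.8")
        link.unlink()
        link.symlink_to(new_bin)
        log1 = []
        rules, deleted_after_upgrade = cleanup_rules(rules, log1.append)

        # Removal (constructed): the whole Cellar tree goes, the symlink is
        # deliberately left dangling so the exists check has to follow it.
        shutil.rmtree(cellar)
        log2 = []
        rules, deleted_after_uninstall = cleanup_rules(rules, log2.append)

        return {
            "deleted_after_upgrade": deleted_after_upgrade,
            "deleted_after_uninstall": deleted_after_uninstall,
            "remaining": sorted(rules),
            "log": log1 + log2,
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for line in simulate_php_lifecycle()["log"]:
        print(line)
```

Run it directly and the printed log shows what the `log stream` output in the report omits: the result of each check, with the Cellar rule deleted on the first pass, the symlink rule deleted on the second, and the directory rule surviving both. Logging the negative outcome as well as the positive one is the cheap change that would have made this bug diagnosable from the stream alone.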
Thanks, tracked down the bug and added a fix (plus other improvements, to handle directory rules, etc etc). Will be in the next released version.
Mahalo again for the bug report 🙏🏽
I removed an application and still the Clean Up didn't remove any rules related to that application