Invalidate cached approvals in reaction to on-disk changes

trailofbits / sinter

A user-mode application authorization system for MacOS written in Swift

https://blog.trailofbits.com/2020/08/12/sinter-new-user-mode-security-enforcement-for-macos/

GNU Affero General Public License v3.0

301 stars 15 forks source link

Invalidate cached approvals in reaction to on-disk changes #42

Open mike-myers-tob opened 4 years ago

mike-myers-tob commented 4 years ago

Why

As a security engineer, I want previously cached approvals to be invalidated when the associated executable files on disk have been changed since the initial cached check so that these processes are subject to validation.

Acceptance Criteria

If executables related to a process that was previously approved are changed or updated, invalidate the approval cache so that the process and associated executables are checked again.

alessandrogario commented 4 years ago

The following events will invalidate the cache when the paths being modified affect binaries/bundles that are being tracked:

ES_EVENT_TYPE_NOTIFY_WRITE
ES_EVENT_TYPE_NOTIFY_UNLINK
ES_EVENT_TYPE_NOTIFY_RENAME
ES_EVENT_TYPE_NOTIFY_MMAP (if mapping is not read only)
ES_EVENT_TYPE_NOTIFY_LINK
ES_EVENT_TYPE_NOTIFY_TRUNCATE
ES_EVENT_TYPE_NOTIFY_CREATE
ES_EVENT_TYPE_NOTIFY_MOUNT
ES_EVENT_TYPE_NOTIFY_UNMOUNT