trailofbits / sinter

A user-mode application authorization system for macOS written in Swift
https://blog.trailofbits.com/2020/08/12/sinter-new-user-mode-security-enforcement-for-macos/
GNU Affero General Public License v3.0

Add client_mode config var with discrete MONITOR and LOCKDOWN modes #57

Closed mike-myers-tob closed 4 years ago

mike-myers-tob commented 4 years ago

Closes #56 by changing blocking behavior thusly:

The config now allows for a variable called client_mode which can be a 1 (MONITOR) or 2 (LOCKDOWN). If missing, Sinter defaults to the MONITOR mode.

LOCKDOWN mode works as before: there are implicit blocking rules like any binary with a missing or invalid signature.

MONITOR mode now works by simply logging these violations, and not blocking execution of any binary.
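
A sketch of the mode handling described above, added here as an example and not taken from Sinter's source. Only the `client_mode` key, its values 1 and 2, and the MONITOR default come from the pull request; the flat JSON layout, the type and function names, and the rejection of unknown values are assumptions.

```swift
import Foundation

// Raw values as given in the PR description: 1 = MONITOR, 2 = LOCKDOWN.
enum ClientMode: Int, Decodable {
    case monitor = 1
    case lockdown = 2
}

// Hypothetical config shape: only the client_mode key comes from the PR.
struct Config: Decodable {
    let clientMode: ClientMode
    enum CodingKeys: String, CodingKey { case clientMode = "client_mode" }

    init(from decoder: Decoder) throws {
        let c = try decoder.container(keyedBy: CodingKeys.self)
        // A missing key falls back to MONITOR, as the PR states. A present but
        // unknown value (e.g. 3) makes decoding throw; rejecting it rather than
        // silently falling back is this example's choice, not Sinter's.
        clientMode = try c.decodeIfPresent(ClientMode.self, forKey: .clientMode) ?? .monitor
    }
}

enum SignatureStatus { case valid, invalid, missing }
enum Decision { case allow, allowAndLog, block }

// The implicit rule named in the PR: a missing or invalid signature is a violation.
// MONITOR only logs it; LOCKDOWN blocks execution.
func decide(_ status: SignatureStatus, mode: ClientMode) -> Decision {
    guard status != .valid else { return .allow }
    switch mode {
    case .monitor:  return .allowAndLog
    case .lockdown: return .block
    }
}

// Constructed sample configs: key absent, each documented value, one invalid value.
let samples = ["{}", "{\"client_mode\": 1}", "{\"client_mode\": 2}", "{\"client_mode\": 3}"]
for json in samples {
    do {
        let cfg = try JSONDecoder().decode(Config.self, from: Data(json.utf8))
        for status in [SignatureStatus.valid, .invalid, .missing] {
            print(json, cfg.clientMode, status, "->", decide(status, mode: cfg.clientMode))
        }
    } catch {
        print(json, "rejected: client_mode is not 1 or 2")
    }
}
```

With `{}` the unsigned and badly signed samples come out as `allowAndLog`, which shows that the default is fail-open: a deployment that expects enforcement has to set `client_mode` to 2 explicitly.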