Unable to get transitive rules working with XCode #1180
A few thoughts here 1. can you run
Below is some output from eslogger (man that is a chatty tool!). I started it just before launching XCode and creating a new test project called "test4" and stopped it shortly after the Santa block message appeared. Afraid this is all new to me so I'm not sure what you would want me to clear out of that log to tidy it up, but this is the bundle path that Santa blocked (escaped so you can use it to search in the eslogger output) so you can see where it is referenced in the log.
Another thing we should do is look at the daemon logs. Can you run You should see the messages for creating transitive rules if this is happening.
For some reason that specific command didn't show any logs, so I used a broader one I was using to test client certificate auth previously, but it includes the daemon logs. I don't see much in there about transitive rules.
On this one @pmarkowsky, I'm afraid I'm not a developer and I'm new to macOS, so while I'll figure out getting SIP disabled and running the script, I'm not sure what I would do to update/modify it to do what we need sorry! Even though transitive rules appear to be enabled, I am wondering if there is something I can add as a compiler rule to do a basic test that should work without fail to create a transitive rule? Like for example TextEdit then create a file and chmod it to make it executable.
I realized I should have asked you to add the e.g.
I'd say let's try that first and see if we can get some logging. Then if need be we can try and get the dtrace script working.
That did it thanks, I've attached the output as I create a new macOS project in XCode and it attempts to launch. Lots of 'Unable to create SNTFileInfo while attempting to create transitive rule' messages but they're all for temporary files so I suspect this might be normal? PS. Am I OK to add that EnableDebugLogging key to the documentation or is it not intended for broad use?
@p-harrison we just released Santa 2023.8 would you mind retesting? Curious if the fix for #561 also helps here.
Feel free to add that to the documentation.
Hey @pmarkowsky unfortunately the issue persists with 2023.8, no sign of any transitive rules across our device fleet. I'm not sure if it is relevant, but perhaps it's an edge case. As we have a small ruleset and small number of devices, our Santa server does not do incremental sync of rules, instead we call for a clean_sync in the Preflight stage of every sync and send down the full ruleset. I can see now that might be an issue if transitive rules are also reset as part of a clean sync (are they?) but I would assume we should still see transitive rules being created in between syncs, which we are not. Are the errors from the debug logs like Shout if there is anything else I can do to help testing.
Thanks for trying this. Essentially what I've been seeing is that the race for renames seems to be somewhat problematic. In which we check a file and don't find it. Part of the issue is that we're checking the source of the rename vs. the destination of the rename. However, even when swapping Santa to use the destination of the rename, it doesn't always work.
They are flushed as part of a clean sync since we delete the rules when a clean sync is requested.
I have a private branch with some more detailed logging if I can get it cleaned up and into a PR then it'd be good to retest to make sure you're seeing the same behavior and that there isn't yet another thing.
Hey @pmarkowsky, I'm just revisiting this issue to try and get our developers onboarded to Santa. This might sound like an unreasonable ask, so you can tell me to take a walk by all means, but would there be any merit to me sharing details of our Sync Server so you can point a test Santa client at it and see if there's a bug that is causing Transitive Rule not to function in our setup? Cheers,
@p-harrison things have been kinda hectic. I'd be happy to hop on a video chat, but not sure I could commit to much more right now.
Wonder if somebody could tell me where I might be going wrong here please?
I'm trying to enable transitive rules for XCode for our devs. I'm testing on a clean macOS 13.5.2 and have installed a fresh copy of XCode 14.3.1. Santa 2023.7. I create a new SwiftUI macOS app with the default 'hello world' code. A Santa block pops up a few seconds later as XCode tries to compile and display a preview of the app I guess.
Here are some excerpts from my santa.log where the path to the test app is mentioned.
santactl status -
I have compiler rules added for ld, codesign, clang and XCode and Santa seems to have picked those up as can be seen in santa.log. But no transitive rules are being created at all.
Any suggestions?