Will DeepGuard on macOS ever support wildcard?
Comments
-
Hello!
Thanks for the report! To be honest, it does not ring a bell that DeepGuard has support for such rules/policies. I've taken a stroll in the DeepGuard policy decision-making code. As far as I can see, it currently supports:
- prefix matching (/Applications/AppName.app/*)
- full path matching (/Applications/AppName.app/Contents/MacOS/AppName)
- suffix matching (*/MacOS/AppName)
I believe we will need to teach DeepGuard to be aware of regex/wildcard matching if we want to achieve that. I'll make a note to discuss it with the rest of the team.
Best regards, Arthur
F-Secure Technology, Mac Team
-
Hi Arthur,
Thanks for the quick reply ❤️
Recently I was looking at the sandbox profile that comes with macOS, and found that if we want to achieve the same purpose through DeepGuard (for example read App bundle at any location), we either need to:
- write rules multiple times (give the process r/o access to each path we monitor)
- or choose to give the process greater permissions (give the global r/o access)
I think matching keywords (or regex/wildcard) can avoid such a problem. For example, accountsd (/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd) needs to access the photo library (.photoslibrary/private/com.apple.accountsd). Since users are free to place their photo library anywhere, we either need to give accountsd r/w access to every folder we monitor, or give accountsd the global r/w access. But a policy like this would be more suitable:
allow regex "*.photoslibrary/private/com.apple.accountsd/*" "/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd" rw
I really appreciate the work you and your team have done to make DeepGuard one of the few pieces of macOS security software that lets us monitor file system access. Looking forward to hearing good news from you soon!
Best regards,
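
A small model of the rule kinds discussed in this thread, added here as an example and not DeepGuard's own code. It assumes glob semantics for the proposed wildcard rule; the function names, the rule tuple layout and the sample paths are hypothetical.

```python
import fnmatch
import posixpath

ACCOUNTSD = "/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd"

def rule_kind(pattern):
    """Classify a pattern as one of the three kinds listed above, or 'wildcard'."""
    stars = pattern.count("*")
    if stars == 0:
        return "full"
    if stars == 1 and pattern.endswith("/*"):
        return "prefix"
    if stars == 1 and pattern.startswith("*/"):
        return "suffix"
    return "wildcard"  # the kind requested in this thread

def path_matches(pattern, path):
    # Collapse "." and ".." first so a path cannot satisfy a wildcard rule
    # textually while resolving to a location outside the intended subtree.
    path = posixpath.normpath(path)
    kind = rule_kind(pattern)
    if kind == "full":
        return path == pattern
    if kind == "prefix":
        return path.startswith(pattern[:-1])   # keep the trailing "/"
    if kind == "suffix":
        return path.endswith(pattern[1:])      # keep the leading "/"
    return fnmatch.fnmatchcase(path, pattern)  # glob: "*" also spans "/"

def is_allowed(rules, process, path, access):
    """rules: iterable of (path_pattern, process_path, granted), hypothetical layout."""
    return any(proc == process and access in granted and path_matches(pat, path)
               for pat, proc, granted in rules)

# The policy proposed in the thread, with constructed sample paths.
RULES = [("*.photoslibrary/private/com.apple.accountsd/*", ACCOUNTSD, "rw")]
HOME_LIB = "/Users/alice/Pictures/Photos Library.photoslibrary/private/com.apple.accountsd/state.db"
EXT_LIB = "/Volumes/External/Family.photoslibrary/private/com.apple.accountsd/state.db"
ESCAPE = "/Users/alice/P.photoslibrary/private/com.apple.accountsd/../../../Documents/notes.txt"

if __name__ == "__main__":
    for p in (HOME_LIB, EXT_LIB, ESCAPE):
        print(is_allowed(RULES, ACCOUNTSD, p, "w"), p)
```

One wildcard rule covers both library locations, which none of the three existing kinds can express. `posixpath.normpath` is purely textual, so symlinks are not resolved in this sketch.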