Will DeepGuard on macOS ever support wildcard?

Hi dev team,

I would like to give read-only access to any App_Bundle (.app/*). Is it possible that we use a wildcard to achieve this purpose?

For now I can only use the allow path "any" policy, but this will give all read access to the program.

Best regards,

Comments

  • ArthurVal
    Posts: 262, F-Secure Product Expert

    Hello!

    Thanks for the report! To be honest, it does not ring a bell that DeepGuard has support for such rules/policies. I've taken a stroll in the DeepGuard policy decision-making code. As far as I can see, it currently supports:

    • prefix matching (/Applications/AppName.app/*)
    • full path matching (/Applications/AppName.app/Contents/MacOS/AppName)
    • suffix matching (*/MacOS/AppName)

    I believe we will need to teach DeepGuard to be aware of regex/wildcard matching if we want to achieve that. I'll make a note to discuss it with the rest of the team.

    Best regards, Arthur

    F-Secure Technology, Mac Team

  • 66f2e490
    Posts: 56, Contributor

    Hi Arthur,

    Thanks for the quick reply ❤️

    Recently I was looking at the sandbox profile that comes with macOS, and found that if we want to achieve the same purpose through DeepGuard (for example, read an app bundle at any location), we either need to:

    1. write rules multiple times (give the process r/o access to each path we monitor)
    2. or choose to give the process greater permissions (give the global r/o access)

    I think matching keywords (or regex/wildcard) can avoid such problems. For example, accountsd (/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd) needs to access the photo library (.photoslibrary/private/com.apple.accountsd). Since users are free to place their photo library anywhere, we either need to give accountsd r/w access to every folder we monitor, or give accountsd global r/w access. But a policy like this would be more suitable:

    allow regex "*.photoslibrary/private/com.apple.accountsd/*" "/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd" rw

    I really appreciate the work you and your team have done to make DeepGuard one of the few pieces of macOS security software that lets us monitor file system access. Looking forward to hearing good news from you soon!

    Best regards,
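
The three matching modes listed in the thread and the wildcard rule proposed in the last post, modelled as an added example (it is not DeepGuard code and not part of any post). `match_wildcard`, the sample paths, the lexical normalization step and the case-sensitive comparison are assumptions made for illustration.

```python
import fnmatch
import posixpath

# Rule from the last post; the sample paths below are constructed for this example.
RULE = "*.photoslibrary/private/com.apple.accountsd/*"
IN_LIBRARY = "/Users/alice/Pictures/Photos Library.photoslibrary/private/com.apple.accountsd/db.sqlite"
TRAVERSAL = "/Volumes/Ext/Family.photoslibrary/private/com.apple.accountsd/../../../../secret.txt"

def classify(pattern):
    """Name which of the three modes listed in the thread can express a pattern."""
    if "*" not in pattern:
        return "full"
    if pattern.endswith("*") and "*" not in pattern[:-1]:
        return "prefix"
    if pattern.startswith("*") and "*" not in pattern[1:]:
        return "suffix"
    return "unsupported"  # '*' in the middle or at both ends

def match_supported(pattern, path):
    """Evaluate a rule using only prefix, full-path or suffix comparison."""
    mode = classify(pattern)
    if mode == "full":
        return path == pattern
    if mode == "prefix":
        return path.startswith(pattern[:-1])
    if mode == "suffix":
        return path.endswith(pattern[1:])
    raise ValueError(f"needs wildcard matching: {pattern}")

def match_wildcard(pattern, path, normalize=True):
    """Hypothetical wildcard mode; '*' may span '/' as the proposed rule requires."""
    if normalize:
        # Lexical only: collapses '.', '..' and '//' but does not resolve symlinks.
        path = posixpath.normpath(path)
    return fnmatch.fnmatchcase(path, pattern)  # case-sensitive by assumption

if __name__ == "__main__":
    for p in ("/Applications/AppName.app/*", "*/MacOS/AppName", RULE):
        print(f"{classify(p):12} {p}")
    print("library file allowed:", match_wildcard(RULE, IN_LIBRARY))
    print("traversal, raw string:", match_wildcard(RULE, TRAVERSAL, normalize=False))
    print("traversal, normalized:", match_wildcard(RULE, TRAVERSAL))
```

Matching the raw string accepts the constructed `..` path, which resolves to `/Volumes/secret.txt` outside the photo library, so the sketch normalizes the path before comparing it with the pattern.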