[DeepGuard on macOS] Will lots of ancestry lookup rules make system slow?

Good day, dev team! I was trying to give full access for systemmigrationd and system_installd, also their child processes. After reading rules that come with the FSP, I found following rules meet my need:

allow path "any" "any ancestor /System/Library/PrivateFrameworks/SystemMigration.framework/Versions/A/Resources/systemmigrationd" rwc

allow path "any" "any ancestor /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/system_installd" rwc

However, related comments also mentioned that such rules require a large performance overhead:

; ancestry lookups are the most expensive, so they're put last


If I add a large number of ancestry lookup rules (like a hundred rules), will user experience a noticeable performance drop, especially in strict mode?

Best regards.

Accepted Answer

  • ArthurVal
    ArthurVal Posts: 169 F-Secure Employee
    Answer ✓

    Hi, @66f2e490!

    Yes. I believe it is still the case that rules created based on ancestry lookups are more expensive that rules with specific process/parent paths. As far as I recall, the most expensive part is traveling the whole chain of ancestors till launchd is reached. And that indeed increases the time of deciding making which in turn could negatively affect the performance.

    Unfortunately, I don't have specific limits in number of ancestor rules which should should still provide usable experience. I think this is something for us to investigate to get a better understanding of that specific use case.

    And yes. I believe that DeepGuard supports EndpointSecurity file copy event. But as you mentioned it's only available starting from macOS 12 since this is the release where Apple added support for this event type.

    Best regards, Arthur

    Mac R&D Team

    FirmyJaims

Answers

  • 66f2e490
    66f2e490 Posts: 34 Enthusiast
    edited August 21

    Looks like DG can NOT catch any file write/create events of systemmigrationd.

    Does DG support "es_event_copyfile_t"? This event type was first introduced in macOS 12 beta 5.


    EDITED:

    digging w/ fs_usage, systemmigrationd only copies data to /private/var/folder/zz/../Cleanup At Startup/SMSandboxTools-tmp/

    After this, how does the system move files to the corresponding path, I haven't found it yet

    Best regards.