deadline exceeded in monitor mode still ends up denying execution

[jessepeterson]

When deadlines are exceeded here:

santa/Source/santad/EventProviders/SNTEndpointSecurityClient.mm

Lines 296 to 299 in e8db89c

	LOGE(@"SNTEndpointSecurityClient: deadline reached: deny pid=%d, event type: %d ret=%d",
	audit_token_to_pid(deadlineMsg->process->audit_token), deadlineMsg->event_type, res);
	dispatch_semaphore_signal(deadlineExpiredSema);
	});

The process is still denied execution even if Santa is in monitor mode.

Also: these denials are not logged in the normal ALLOW/DENY logging (that end up in /var/db/santa/santa.log* files.

[russellhancox]

The process is still denied execution even if Santa is in monitor mode.

That's correct and working as intended. Monitor mode is intended to allow through things that we didn't have explicit rules for but it still applies block rules and we don't want to allow working around those rules by making everything slow enough that we can't finish processing in time.

Also: these denials are not logged in the normal ALLOW/DENY logging (that end up in /var/db/santa/santa.log* files.

That's working as designed but should be fixed. Before ULS the two kinds of logs ended up in the same file so it was still together. Now that these log lines end up in the system log it's not the right solution.

[mlw]

The process is still denied execution even if Santa is in monitor mode.

One thing we might want to consider is whether or not FailClosed config option should apply

[russellhancox]

Also: these denials are not logged in the normal ALLOW/DENY logging (that end up in /var/db/santa/santa.log* files.

I want to make sure we're clear about this: the normal ALLOW/DENY logging is happening but we're logging the decision Santa came to about the file but what we're logging is incorrect because prior to us responding that the exec should be allowed we've already denied exec because we'd have gone over deadline while processing. This is arguably worse.