Fixing macOS with Google Santa

Author

Teddy Xinyuan Chen

Santa is a fantastic binary blacklisting tool, and I use it to prevent annoying processes from running on macOS.

What to Block

contactsd

/System/Library/Frameworks/Contacts.framework/Support/contactsd

When you have 10+ accounts under System Settings > Internet Accounts and you're on a slow Intel CPU, contactsd will severely degrade your macOS experience.

Mail.app and Messages.app require the process (both apps hang when it is blocked), but Calendar.app still works without it, as long as you do not open the Inbox tab to accept event invitations.

To use Messages, use your phone (A-series chip) instead. For Mail, use webmail, your phone, or another email client, GUI or TUI.

contactsd can resurrect after a reboot (or an OS re-login) (confirmed by the Santa team in the issue I opened), or when Santa is outdated. So be sure to check whether it is running again whenever the system feels considerably slower, and keep Santa up to date with Homebrew.

universalaccessd

This one is also CPU hungry, and I've yet to find anything not working after blocking it.

Apps that Like to Start Themselves

  • Music.app - when you accidentally press the play button on your keyboard while nothing is registered with the OS's media controls (meaning nothing was playing).
  • OrbStack.app - I love it as the easiest way to run a Docker daemon on macOS, but the self-starting thing has got to change. I can't stop it any other way.

Sketchy Apps

  • Chinese software, like the Sangfor EasyConnect VPN required by Fudan University. The installation .pkg messes with the system trust store and registers multiple extremely sketchy processes to run as root via launchd, 24/7, whether the GUI is running or not.
  • Apps that you use once in a long while but don't want to uninstall.
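
To see what such an installer actually left behind, the added example below (not code from this post or from any of the products named) walks a LaunchDaemons directory, prints the program each job runs, and flags the ones configured to stay resident; each printed path is a candidate for a Santa block rule. It assumes XML plists (convert binary ones with `plutil -convert xml1` first); the sample plists in the test are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list the system-wide launchd
# daemons a package installer left behind, so each program path can be fed to
# a Santa block rule. Assumptions: XML plists (run "plutil -convert xml1" on
# binary ones first); any sample plist used with this is constructed.

# Print the program a launchd plist runs: the <string> after <key>Program</key>
# or the first <string> of ProgramArguments (an <array> line sits in between).
launchd_program() {
  awk '
    /<key>Program<\/key>/ || /<key>ProgramArguments<\/key>/ { want = 1; next }
    want && /<string>/ {
      sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
    }
  ' "$1"
}

# Success when the job is configured to stay resident: KeepAlive true or a
# KeepAlive dict (launchd restarts it whenever it exits) or RunAtLoad true.
launchd_persistent() {
  awk '
    /<key>KeepAlive<\/key>/ || /<key>RunAtLoad<\/key>/ { want = 1; next }
    want { if (/<true\/>/ || /<dict>/) found = 1; want = 0 }
    END { if (found) exit 0; exit 1 }
  ' "$1"
}

# Walk a LaunchDaemons directory (default: the system-wide one, whose jobs run
# as root) and print "persistent|once <plist> -> <program>" for each job.
list_daemons() {
  dir="${1:-/Library/LaunchDaemons}"
  for plist in "$dir"/*.plist; do
    [ -f "$plist" ] || continue
    prog=$(launchd_program "$plist")
    if launchd_persistent "$plist"; then mode=persistent; else mode=once; fi
    printf '%s %s -> %s\n' "$mode" "$plist" "${prog:-?}"
  done
}

# Usage: list_daemons            # system-wide jobs, run as root
#        list_daemons "$HOME/Library/LaunchAgents"   # per-user jobs
```

Pair this with the package receipts: `pkgutil --pkgs` lists installed package identifiers and `pkgutil --files <id>` lists every path an installer wrote, which catches helpers that are not launchd jobs at all.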

Other Great Tools

Blocking App's Network Access

  • LuLu
  • Surge or other rule-based proxy software; maybe even Privoxy can do this. Surge supports process-path-based rules, which makes this easy (nssurge.com).

Blocking App's File Access

Have credential files from AWS, GCP, or rclone, or even your SSH keys, that you don't want just any process to read? File permissions only keep other users out: every process running as your user can read them, and sandboxing a single process on macOS is genuinely hard, so I suggest running such tools in isolation.

For SSH keys, Secretive.app stores them in the macOS Secure Enclave and exposes them through an SSH agent, so the private key is never a file on disk that another process could copy, and you can relax a bit.

Conclusion

I believe that every OS needs a binary blacklisting tool like Santa. It gives control of your OS back to you, and I cannot imagine using macOS without it.