Document transitive allowlisting limitations
Transitive allowlisting is a powerful feature to allow developers to live in LOCKDOWN mode. However, there are certain limitations in the current implementation that developers need to be aware of to ensure the feature can work properly.
This largely means that Santa must be given a (brief) opportunity to create a transitive rule before any resultant binary is executed.
Solving this completely is likely not desirable. It would require a large amount of synchronization between Santa's event stream processing compiler operations and the event stream responsible for authorizing execs. This would require a lot of contention that would likely degrade build performance in unacceptable ways.
Related: #1327
See this comment for more details related specifically to the Go toolchain's go run tool: https://github.com/google/santa/issues/1327#issuecomment-2059265255
More broadly, this would also apply to things like cargo run, but even tight execution loops, such as clang ./foo.c; ./a.out, would be susceptible to the same race.