mirror of
https://github.com/Karmaz95/Snake_Apple.git
synced 2026-03-30 14:00:16 +02:00
Create TCC CheatSheet.md
150
IX. TCC/mac/TCC CheatSheet.md
Normal file
@@ -0,0 +1,150 @@
| TCC Service | Combined Description |
| :-- | :-- |
| kTCCService | Serves as a general identifier for TCC services. |
| kTCCServiceAccessibility | Enables apps to control the computer, often for assistive tools like screen readers or automation scripts. Apps may prompt: "Allows client to control computer." |
| kTCCServiceAddressBook | Permits access to contacts; prompts might say: "Client would like to access your contacts." |
| kTCCServiceAll | Grants broad access to all TCC-protected resources. |
| kTCCServiceAppleEvents | Allows sending Apple Events for app control; e.g., "Client wants access to control indirect_object_identifier, providing access to its documents and actions." |
| kTCCServiceAudioCapture | Enables audio input capture, useful for recording apps. |
| kTCCServiceBluetoothAlways | Provides ongoing Bluetooth access; prompts: "Client would like to use Bluetooth." |
| kTCCServiceBluetoothPeripheral | Facilitates connections to Bluetooth devices. |
| kTCCServiceBluetoothWhileInUse | Limits Bluetooth access to active app use. |
| kTCCServiceCalendar | Allows calendar access; e.g., "Client would like to access your calendar." |
| kTCCServiceCalls | Handles call-related functionalities. |
| kTCCServiceCamera | Grants camera access; common prompt: "Client would like to access the camera." |
| kTCCServiceContactlessAccess | Supports features like NFC or contactless interactions. |
| kTCCServiceContactsFull | Provides complete contacts access; e.g., "Client would like to access all of your contacts information." |
| kTCCServiceContactsLimited | Offers restricted contacts access; e.g., "Client would like to access your contacts basic information." |
| kTCCServiceCrashDetection | Enables crash detection capabilities. |
| kTCCServiceDeveloperTool | Allows running non-secure software locally; e.g., "Allows client to run software that does not meet the system’s security policy." |
| kTCCServiceEndpointSecurityClient | Provides endpoint security features. |
| kTCCServiceExposureNotification | Manages exposure alerts, such as for health notifications. |
| kTCCServiceExposureNotificationRegion | Handles region-based exposure notifications. |
| kTCCServiceFaceID | Permits Face ID usage. |
| kTCCServiceFacebook | Integrates with Facebook features. |
| kTCCServiceFallDetection | Supports fall detection sensors. |
| kTCCServiceFileProviderDomain | Allows access to managed file domains; e.g., "Client wants to access files managed by indirect_object_identifier." |
| kTCCServiceFileProviderPresence | Tracks file usage in providers; e.g., "Do you want to allow client to see when you are using files managed by it?" |
| kTCCServiceFinancialData | Enables access to financial information. |
| kTCCServiceFocusStatus | Shares Focus mode status; e.g., "Allow client to share that you have notifications silenced when using Focus?" |
| kTCCServiceFSKitBlockDevice | Manages block devices in FSKit. |
| kTCCServiceGameCenterFriends | Connects to Game Center friends; e.g., "Allow client to connect you with your Game Center friends?" |
| kTCCServiceKeyboardNetwork | Permits network access for keyboards. |
| kTCCServiceLinkedIn | Integrates with LinkedIn. |
| kTCCServiceListenEvent | Monitors keyboard or system events; e.g., "Allows client to monitor your keyboard." |
| kTCCServiceLiverpool | Internal identifier for Liverpool-related features. |
| kTCCServiceLocation | Accesses location data; e.g., "Client would like to use your current location." |
| kTCCServiceMediaLibrary | Grants media library access; e.g., "Client would like to access Apple Music, your music and video activity, and your media library." |
| kTCCServiceMicrophone | Allows microphone use; e.g., "Client would like to access the microphone." |
| kTCCServiceMotion | Accesses motion and fitness data; e.g., "Client would like to access your Motion \& Fitness Activity." |
| kTCCServiceMSO | Supports mobile service operator features. |
| kTCCServiceNearbyInteraction | Enables nearby device interactions. |
| kTCCServicePasteboard | Accesses clipboard data. |
| kTCCServicePhotos | Permits photo library access; e.g., "Client would like to access your Photos." |
| kTCCServicePhotosAdd | Allows adding to photos; e.g., "Client would like to add to your Photos." |
| kTCCServicePostEvent | Enables sending keystrokes or events; e.g., "Allows client to send keystrokes." |
| kTCCServicePrototype3Rights | Internal prototype rights (version 3); e.g., "Client would like authorization to Test Service Proto3Right." |
| kTCCServicePrototype4Rights | Internal prototype rights (version 4); e.g., "Client would like authorization to Test Service Proto4Right." |
| kTCCServiceReminders | Accesses reminders; e.g., "Client would like to access your reminders." |
| kTCCServiceRemoteDesktop | Supports remote desktop access. |
| kTCCServiceScreenCapture | Enables screen recording; e.g., "Client would like to capture the contents of the system display." |
| kTCCServiceSecureElementAccess | Handles secure elements like NFC. |
| kTCCServiceSensorKit* (various) | Provides access to sensor data (e.g., ambient light, pedometer, heart rate); specific variants target metrics like elevation, motion, or watch-based stats. |
| kTCCServiceShareKit | Enables content sharing via ShareKit. |
| kTCCServiceSinaWeibo | Integrates with Sina Weibo. |
| kTCCServiceSiri | Allows Siri interactions; e.g., "Would you like to use client with Siri?" |
| kTCCServiceSpeechRecognition | Enables speech recognition; e.g., "Client would like to access Speech Recognition." |
| kTCCServiceSystemPolicyAllFiles | Grants full disk access; e.g., "Client would like Full Disk Access." |
| kTCCServiceSystemPolicyAppBundles | Allows modifying app bundles; e.g., "Client would like to modify apps on your Mac." |
| kTCCServiceSystemPolicyAppData | Accesses app-specific data. |
| kTCCServiceSystemPolicyDesktopFolder | Accesses Desktop files; e.g., "Client would like to access files in your Desktop folder." |
| kTCCServiceSystemPolicyDeveloperFiles | Accesses development files; e.g., "Client would like to access a file used in Software Development." |
| kTCCServiceSystemPolicyDocumentsFolder | Accesses Documents; e.g., "Client would like to access files in your Documents folder." |
| kTCCServiceSystemPolicyDownloadsFolder | Accesses Downloads; e.g., "Client would like to access files in your Downloads folder." |
| kTCCServiceSystemPolicyNetworkVolumes | Accesses network volumes; e.g., "Client would like to access files on a network volume." |
| kTCCServiceSystemPolicyRemovableVolumes | Accesses removable volumes; e.g., "Client would like to access files on a removable volume." |
| kTCCServiceSystemPolicySysAdminFiles | Allows admin tasks; e.g., "Client would like to administer your computer." |
| kTCCServiceTencentWeibo | Integrates with Tencent Weibo. |
| kTCCServiceTwitter | Integrates with Twitter (now X). |
| kTCCServiceUbiquity | Enables iCloud syncing. |
| kTCCServiceUserAvailability | Accesses availability info; e.g., "Client would like to access your Availability." |
| kTCCServiceUserTracking | Handles user tracking features. |
| kTCCServiceVirtualMachineNetworking | Supports VM networking. |
| kTCCServiceVoiceBanking | Enables voice-based banking. |
| kTCCServiceWebBrowserPublicKeyCredential | Manages passkeys; e.g., "Would you like to allow client to access and use your saved passkeys?" |
| kTCCServiceWebKitIntelligentTrackingPrevention | Provides tracking prevention in WebKit. |
| kTCCServiceWillow | Internal identifier for Home-related data; e.g., "Client would like to access your Home data." |
### Practical Applications of TCC Services
TCC ensures apps can't access private data without approval, which is crucial for security research. Here's why certain services are commonly requested:
- Assistive technologies rely on accessibility permissions to enable features like voice commands.
- Video apps need camera and microphone access for calls or recordings.
- Productivity tools use calendar, contacts, or reminders to sync schedules and people.
- Device integrations, like Bluetooth or motion sensors, support wearables and fitness tracking.
- File-related permissions are vital for apps handling documents, downloads, or network storage.
- Advanced features, such as screen capture or Siri, enhance sharing and voice control in collaborative or automated workflows.
These permissions appear in System Settings under Privacy \& Security, updating dynamically as apps request them.
### Retrieving the Latest TCC Service List
To get an up-to-date list directly from your system (tested on macOS Ventura and later), use these methods. Ensure Terminal has Full Disk Access for queries.
1. **Database Query**:
```bash
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db "SELECT * FROM access"
sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "SELECT * FROM access"
```
This pulls from the user-level / system-level database.
2. **Extract from Framework**:
```bash
strings /System/Library/PrivateFrameworks/TCC.framework/Support/tccd | grep -iEo "^kTCCService.*" | sort -u
```
This scans for service strings in the TCC framework.
### Modifying TCC Permissions via Command Line
TCC stores data in SQLite databases at `~/Library/Application Support/com.apple.TCC/TCC.db` (user-specific) and `/Library/Application Support/com.apple.TCC/TCC.db` (system-wide). The key table is `access`, with fields like `service` (permission type), `client` (app bundle ID or path), `client_type` (0 for bundle ID, 1 for path), and `auth_value` (2 for allowed, 0 for denied).
#### Viewing Permissions
List apps with Full Disk Access:
```bash
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db 'SELECT client FROM access WHERE auth_value > 0 AND service = "kTCCServiceSystemPolicyAllFiles"'
```
Check system database similarly.
#### Editing Permissions
- Deny a permission (sets `auth_value` to 0):
```bash
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db 'UPDATE access SET auth_value = 0 WHERE client = "com.example.app" AND service = "kTCCServiceCamera"'
```
- Delete a specific entry:
```bash
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db "DELETE FROM access WHERE client = 'com.example.app' AND service = 'kTCCServiceCamera'"
```
- Add an entry (requires code signing requirement blob via `codesign` and `csreq`):
First, extract the blob for the app and target:
```bash
codesign -dr - /Path/To/App.app 2>&1 | awk -F ' => ' '/designated/{print $2}' | csreq -r- -b /tmp/csreq.bin
xxd -p /tmp/csreq.bin | tr -d '\n' # Output for INSERT
```
Then insert (adapt values accordingly).
For simpler resets, use Apple's `tccutil reset` command to revoke permissions for a service or all for an app `tccutil reset All com.apple.Terminal`.
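Review bot: the "Add an entry" bullet ends with "Then insert (adapt values accordingly)" but never shows the INSERT statement that the `codesign`/`csreq` lines prepare the blob for, so the reader is left with a hex string and no column list; either add the statement or tell the reader to dump the current column layout first with `sqlite3 <db> ".schema access"`, since the `access` table gains columns across macOS releases and an INSERT with the wrong arity fails. In the same section, the `auth_value` description lists only 0 (denied) and 2 (allowed); the column also carries 1 (unknown) and 3 (limited), and the limited value is exactly what the kTCCServiceContactsLimited and kTCCServicePhotos limited grants listed in the table above produce, so an `auth_value > 0` filter should be explained as "anything not explicitly denied" rather than "allowed". Under "Viewing Permissions", the Full Disk Access query runs against `~/Library/Application Support/com.apple.TCC/TCC.db`, but kTCCServiceSystemPolicyAllFiles grants are recorded in the system-wide database at `/Library/Application Support/com.apple.TCC/TCC.db`, so the command as written returns nothing on a normal install and the "Check system database similarly" remark should be the primary command for that service. Finally, the UPDATE/DELETE/INSERT examples assume the database is writable: the intro only mentions Full Disk Access for queries, and the system-wide database is additionally SIP-protected, so state that the edit commands apply to the user database and that `tccutil reset` is the supported path for everything else.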