From 4b827afe202d614360c3d79f3be1ffc97cfc534d Mon Sep 17 00:00:00 2001 From: Karol Mazurek <51202595+Karmaz95@users.noreply.github.com> Date: Fri, 25 Jul 2025 08:07:46 +0200 Subject: [PATCH] Create TCC CheatSheet.md --- IX. TCC/mac/TCC CheatSheet.md | 150 ++++++++++++++++++++++++++++++++++ 1 file changed, 150 insertions(+) create mode 100644 IX. TCC/mac/TCC CheatSheet.md diff --git a/IX. TCC/mac/TCC CheatSheet.md b/IX. TCC/mac/TCC CheatSheet.md new file mode 100644 index 0000000..ddf5098 --- /dev/null +++ b/IX. TCC/mac/TCC CheatSheet.md 
@@ -0,0 +1,150 @@ +| TCC Service | Combined Description | +| :-- | :-- | +| kTCCService | Serves as a general identifier for TCC services. | +| kTCCServiceAccessibility | Enables apps to control the computer, often for assistive tools like screen readers or automation scripts. Apps may prompt: "Allows client to control computer." | +| kTCCServiceAddressBook | Permits access to contacts; prompts might say: "Client would like to access your contacts." | +| kTCCServiceAll | Grants broad access to all TCC-protected resources. | +| kTCCServiceAppleEvents | Allows sending Apple Events for app control; e.g., "Client wants access to control indirect_object_identifier, providing access to its documents and actions." | +| kTCCServiceAudioCapture | Enables audio input capture, useful for recording apps. | +| kTCCServiceBluetoothAlways | Provides ongoing Bluetooth access; prompts: "Client would like to use Bluetooth." | +| kTCCServiceBluetoothPeripheral | Facilitates connections to Bluetooth devices. | +| kTCCServiceBluetoothWhileInUse | Limits Bluetooth access to active app use. | +| kTCCServiceCalendar | Allows calendar access; e.g., "Client would like to access your calendar." | +| kTCCServiceCalls | Handles call-related functionalities. | +| kTCCServiceCamera | Grants camera access; common prompt: "Client would like to access the camera." | +| kTCCServiceContactlessAccess | Supports features like NFC or contactless interactions. | +| kTCCServiceContactsFull | Provides complete contacts access; e.g., "Client would like to access all of your contacts information." | +| kTCCServiceContactsLimited | Offers restricted contacts access; e.g., "Client would like to access your contacts basic information." | +| kTCCServiceCrashDetection | Enables crash detection capabilities. | +| kTCCServiceDeveloperTool | Allows running non-secure software locally; e.g., "Allows client to run software that does not meet the system’s security policy." 
| +| kTCCServiceEndpointSecurityClient | Provides endpoint security features. | +| kTCCServiceExposureNotification | Manages exposure alerts, such as for health notifications. | +| kTCCServiceExposureNotificationRegion | Handles region-based exposure notifications. | +| kTCCServiceFaceID | Permits Face ID usage. | +| kTCCServiceFacebook | Integrates with Facebook features. | +| kTCCServiceFallDetection | Supports fall detection sensors. | +| kTCCServiceFileProviderDomain | Allows access to managed file domains; e.g., "Client wants to access files managed by indirect_object_identifier." | +| kTCCServiceFileProviderPresence | Tracks file usage in providers; e.g., "Do you want to allow client to see when you are using files managed by it?" | +| kTCCServiceFinancialData | Enables access to financial information. | +| kTCCServiceFocusStatus | Shares Focus mode status; e.g., "Allow client to share that you have notifications silenced when using Focus?" | +| kTCCServiceFSKitBlockDevice | Manages block devices in FSKit. | +| kTCCServiceGameCenterFriends | Connects to Game Center friends; e.g., "Allow client to connect you with your Game Center friends?" | +| kTCCServiceKeyboardNetwork | Permits network access for keyboards. | +| kTCCServiceLinkedIn | Integrates with LinkedIn. | +| kTCCServiceListenEvent | Monitors keyboard or system events; e.g., "Allows client to monitor your keyboard." | +| kTCCServiceLiverpool | Internal identifier for Liverpool-related features. | +| kTCCServiceLocation | Accesses location data; e.g., "Client would like to use your current location." | +| kTCCServiceMediaLibrary | Grants media library access; e.g., "Client would like to access Apple Music, your music and video activity, and your media library." | +| kTCCServiceMicrophone | Allows microphone use; e.g., "Client would like to access the microphone." | +| kTCCServiceMotion | Accesses motion and fitness data; e.g., "Client would like to access your Motion \& Fitness Activity." 
| +| kTCCServiceMSO | Supports mobile service operator features. | +| kTCCServiceNearbyInteraction | Enables nearby device interactions. | +| kTCCServicePasteboard | Accesses clipboard data. | +| kTCCServicePhotos | Permits photo library access; e.g., "Client would like to access your Photos." | +| kTCCServicePhotosAdd | Allows adding to photos; e.g., "Client would like to add to your Photos." | +| kTCCServicePostEvent | Enables sending keystrokes or events; e.g., "Allows client to send keystrokes." | +| kTCCServicePrototype3Rights | Internal prototype rights (version 3); e.g., "Client would like authorization to Test Service Proto3Right." | +| kTCCServicePrototype4Rights | Internal prototype rights (version 4); e.g., "Client would like authorization to Test Service Proto4Right." | +| kTCCServiceReminders | Accesses reminders; e.g., "Client would like to access your reminders." | +| kTCCServiceRemoteDesktop | Supports remote desktop access. | +| kTCCServiceScreenCapture | Enables screen recording; e.g., "Client would like to capture the contents of the system display." | +| kTCCServiceSecureElementAccess | Handles secure elements like NFC. | +| kTCCServiceSensorKit* (various) | Provides access to sensor data (e.g., ambient light, pedometer, heart rate); specific variants target metrics like elevation, motion, or watch-based stats. | +| kTCCServiceShareKit | Enables content sharing via ShareKit. | +| kTCCServiceSinaWeibo | Integrates with Sina Weibo. | +| kTCCServiceSiri | Allows Siri interactions; e.g., "Would you like to use client with Siri?" | +| kTCCServiceSpeechRecognition | Enables speech recognition; e.g., "Client would like to access Speech Recognition." | +| kTCCServiceSystemPolicyAllFiles | Grants full disk access; e.g., "Client would like Full Disk Access." | +| kTCCServiceSystemPolicyAppBundles | Allows modifying app bundles; e.g., "Client would like to modify apps on your Mac." | +| kTCCServiceSystemPolicyAppData | Accesses app-specific data. 
| +| kTCCServiceSystemPolicyDesktopFolder | Accesses Desktop files; e.g., "Client would like to access files in your Desktop folder." | +| kTCCServiceSystemPolicyDeveloperFiles | Accesses development files; e.g., "Client would like to access a file used in Software Development." | +| kTCCServiceSystemPolicyDocumentsFolder | Accesses Documents; e.g., "Client would like to access files in your Documents folder." | +| kTCCServiceSystemPolicyDownloadsFolder | Accesses Downloads; e.g., "Client would like to access files in your Downloads folder." | +| kTCCServiceSystemPolicyNetworkVolumes | Accesses network volumes; e.g., "Client would like to access files on a network volume." | +| kTCCServiceSystemPolicyRemovableVolumes | Accesses removable volumes; e.g., "Client would like to access files on a removable volume." | +| kTCCServiceSystemPolicySysAdminFiles | Allows admin tasks; e.g., "Client would like to administer your computer." | +| kTCCServiceTencentWeibo | Integrates with Tencent Weibo. | +| kTCCServiceTwitter | Integrates with Twitter (now X). | +| kTCCServiceUbiquity | Enables iCloud syncing. | +| kTCCServiceUserAvailability | Accesses availability info; e.g., "Client would like to access your Availability." | +| kTCCServiceUserTracking | Handles user tracking features. | +| kTCCServiceVirtualMachineNetworking | Supports VM networking. | +| kTCCServiceVoiceBanking | Enables voice-based banking. | +| kTCCServiceWebBrowserPublicKeyCredential | Manages passkeys; e.g., "Would you like to allow client to access and use your saved passkeys?" | +| kTCCServiceWebKitIntelligentTrackingPrevention | Provides tracking prevention in WebKit. | +| kTCCServiceWillow | Internal identifier for Home-related data; e.g., "Client would like to access your Home data." | + +### Practical Applications of TCC Services + +TCC ensures apps can't access private data without approval, which is crucial for security research. 
Here's why certain services are commonly requested: + +- Assistive technologies rely on accessibility permissions to enable features like voice commands. +- Video apps need camera and microphone access for calls or recordings. +- Productivity tools use calendar, contacts, or reminders to sync schedules and people. +- Device integrations, like Bluetooth or motion sensors, support wearables and fitness tracking. +- File-related permissions are vital for apps handling documents, downloads, or network storage. +- Advanced features, such as screen capture or Siri, enhance sharing and voice control in collaborative or automated workflows. + +These permissions appear in System Settings under Privacy \& Security, updating dynamically as apps request them. + +### Retrieving the Latest TCC Service List + +To get an up-to-date list directly from your system (tested on macOS Ventura and later), use these methods. Ensure Terminal has Full Disk Access for queries. + +1. **Database Query**: + +```bash +sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db "SELECT * FROM access" +sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "SELECT * FROM access" +``` + +This pulls from the user-level / system-level database. + +2. **Extract from Framework**: + +```bash +strings /System/Library/PrivateFrameworks/TCC.framework/Support/tccd | grep -iEo "^kTCCService.*" | sort -u +``` + +This scans for service strings in the TCC framework. + +### Modifying TCC Permissions via Command Line + +TCC stores data in SQLite databases at `~/Library/Application Support/com.apple.TCC/TCC.db` (user-specific) and `/Library/Application Support/com.apple.TCC/TCC.db` (system-wide). The key table is `access`, with fields like `service` (permission type), `client` (app bundle ID or path), `client_type` (0 for bundle ID, 1 for path), and `auth_value` (2 for allowed, 0 for denied). 
+ +#### Viewing Permissions + +List apps with Full Disk Access: + +```bash +sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db 'SELECT client FROM access WHERE auth_value > 0 AND service = "kTCCServiceSystemPolicyAllFiles"' +``` + +Check system database similarly. + +#### Editing Permissions + +- Deny a permission (sets `auth_value` to 0): + +```bash +sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db 'UPDATE access SET auth_value = 0 WHERE client = "com.example.app" AND service = "kTCCServiceCamera"' +``` + +- Delete a specific entry: + +```bash +sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db "DELETE FROM access WHERE client = 'com.example.app' AND service = 'kTCCServiceCamera'" +``` + +- Add an entry (requires code signing requirement blob via `codesign` and `csreq`): +First, extract the blob for the app and target: + +```bash +codesign -dr - /Path/To/App.app 2>&1 | awk -F ' => ' '/designated/{print $2}' | csreq -r- -b /tmp/csreq.bin +xxd -p /tmp/csreq.bin | tr -d '\n' # Output for INSERT +``` + +Then insert (adapt values accordingly). + +For simpler resets, use Apple's `tccutil reset` command to revoke permissions for a service or all for an app `tccutil reset All com.apple.Terminal`.
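Review bot: the "Add an entry" step under "Editing Permissions" never shows the INSERT statement it promises; the text stops at `xxd -p /tmp/csreq.bin | tr -d '\n' # Output for INSERT` followed by "Then insert (adapt values accordingly)", so a reader cannot tell which `access` columns must be populated or which one takes the hex blob. Spell the statement out, or at least tell the reader to run `.schema access` in `sqlite3` first to see the required columns. A related documentation gap: the section intro defines `auth_value` as "2 for allowed, 0 for denied", yet the Full Disk Access query filters on `auth_value > 0`, which implies further non-zero values exist; list them, or explain why the query uses `> 0` rather than `= 2`. Two smaller points: the SELECT and UPDATE wrap SQL string literals in double quotes (`service = "kTCCServiceCamera"`) while the DELETE uses single quotes, and SQLite only falls back to treating a double-quoted token as a string when it matches no identifier, so use single quotes consistently as the DELETE already does; and `Motion \& Fitness Activity` and `Privacy \& Security` carry a backslash escape that Markdown will render literally, so drop the backslashes. Finally, Full Disk Access is stated as a requirement only for the read queries; document what the UPDATE, DELETE and INSERT steps need and on which of the two databases (user-level or system-level) they are expected to take effect.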