mirror of
https://github.com/Karmaz95/Snake_Apple.git
synced 2026-03-30 14:00:16 +02:00
11 KiB
11 KiB
| TCC Service | Combined Description |
|---|---|
| kTCCService | Serves as a general identifier for TCC services. |
| kTCCServiceAccessibility | Enables apps to control the computer, often for assistive tools like screen readers or automation scripts. Apps may prompt: "Allows client to control computer." |
| kTCCServiceAddressBook | Permits access to contacts; prompts might say: "Client would like to access your contacts." |
| kTCCServiceAll | Grants broad access to all TCC-protected resources. |
| kTCCServiceAppleEvents | Allows sending Apple Events for app control; e.g., "Client wants access to control indirect_object_identifier, providing access to its documents and actions." |
| kTCCServiceAudioCapture | Enables audio input capture, useful for recording apps. |
| kTCCServiceBluetoothAlways | Provides ongoing Bluetooth access; prompts: "Client would like to use Bluetooth." |
| kTCCServiceBluetoothPeripheral | Facilitates connections to Bluetooth devices. |
| kTCCServiceBluetoothWhileInUse | Limits Bluetooth access to active app use. |
| kTCCServiceCalendar | Allows calendar access; e.g., "Client would like to access your calendar." |
| kTCCServiceCalls | Handles call-related functionalities. |
| kTCCServiceCamera | Grants camera access; common prompt: "Client would like to access the camera." |
| kTCCServiceContactlessAccess | Supports features like NFC or contactless interactions. |
| kTCCServiceContactsFull | Provides complete contacts access; e.g., "Client would like to access all of your contacts information." |
| kTCCServiceContactsLimited | Offers restricted contacts access; e.g., "Client would like to access your contacts basic information." |
| kTCCServiceCrashDetection | Enables crash detection capabilities. |
| kTCCServiceDeveloperTool | Allows running non-secure software locally; e.g., "Allows client to run software that does not meet the system’s security policy." |
| kTCCServiceEndpointSecurityClient | Provides endpoint security features. |
| kTCCServiceExposureNotification | Manages exposure alerts, such as for health notifications. |
| kTCCServiceExposureNotificationRegion | Handles region-based exposure notifications. |
| kTCCServiceFaceID | Permits Face ID usage. |
| kTCCServiceFacebook | Integrates with Facebook features. |
| kTCCServiceFallDetection | Supports fall detection sensors. |
| kTCCServiceFileProviderDomain | Allows access to managed file domains; e.g., "Client wants to access files managed by indirect_object_identifier." |
| kTCCServiceFileProviderPresence | Tracks file usage in providers; e.g., "Do you want to allow client to see when you are using files managed by it?" |
| kTCCServiceFinancialData | Enables access to financial information. |
| kTCCServiceFocusStatus | Shares Focus mode status; e.g., "Allow client to share that you have notifications silenced when using Focus?" |
| kTCCServiceFSKitBlockDevice | Manages block devices in FSKit. |
| kTCCServiceGameCenterFriends | Connects to Game Center friends; e.g., "Allow client to connect you with your Game Center friends?" |
| kTCCServiceKeyboardNetwork | Permits network access for keyboards. |
| kTCCServiceLinkedIn | Integrates with LinkedIn. |
| kTCCServiceListenEvent | Monitors keyboard or system events; e.g., "Allows client to monitor your keyboard." |
| kTCCServiceLiverpool | Internal identifier for Liverpool-related features. |
| kTCCServiceLocation | Accesses location data; e.g., "Client would like to use your current location." |
| kTCCServiceMediaLibrary | Grants media library access; e.g., "Client would like to access Apple Music, your music and video activity, and your media library." |
| kTCCServiceMicrophone | Allows microphone use; e.g., "Client would like to access the microphone." |
| kTCCServiceMotion | Accesses motion and fitness data; e.g., "Client would like to access your Motion & Fitness Activity." |
| kTCCServiceMSO | Supports mobile service operator features. |
| kTCCServiceNearbyInteraction | Enables nearby device interactions. |
| kTCCServicePasteboard | Accesses clipboard data. |
| kTCCServicePhotos | Permits photo library access; e.g., "Client would like to access your Photos." |
| kTCCServicePhotosAdd | Allows adding to photos; e.g., "Client would like to add to your Photos." |
| kTCCServicePostEvent | Enables sending keystrokes or events; e.g., "Allows client to send keystrokes." |
| kTCCServicePrototype3Rights | Internal prototype rights (version 3); e.g., "Client would like authorization to Test Service Proto3Right." |
| kTCCServicePrototype4Rights | Internal prototype rights (version 4); e.g., "Client would like authorization to Test Service Proto4Right." |
| kTCCServiceReminders | Accesses reminders; e.g., "Client would like to access your reminders." |
| kTCCServiceRemoteDesktop | Supports remote desktop access. |
| kTCCServiceScreenCapture | Enables screen recording; e.g., "Client would like to capture the contents of the system display." |
| kTCCServiceSecureElementAccess | Handles secure elements like NFC. |
| kTCCServiceSensorKit* (various) | Provides access to sensor data (e.g., ambient light, pedometer, heart rate); specific variants target metrics like elevation, motion, or watch-based stats. |
| kTCCServiceShareKit | Enables content sharing via ShareKit. |
| kTCCServiceSinaWeibo | Integrates with Sina Weibo. |
| kTCCServiceSiri | Allows Siri interactions; e.g., "Would you like to use client with Siri?" |
| kTCCServiceSpeechRecognition | Enables speech recognition; e.g., "Client would like to access Speech Recognition." |
| kTCCServiceSystemPolicyAllFiles | Grants full disk access; e.g., "Client would like Full Disk Access." |
| kTCCServiceSystemPolicyAppBundles | Allows modifying app bundles; e.g., "Client would like to modify apps on your Mac." |
| kTCCServiceSystemPolicyAppData | Accesses app-specific data. |
| kTCCServiceSystemPolicyDesktopFolder | Accesses Desktop files; e.g., "Client would like to access files in your Desktop folder." |
| kTCCServiceSystemPolicyDeveloperFiles | Accesses development files; e.g., "Client would like to access a file used in Software Development." |
| kTCCServiceSystemPolicyDocumentsFolder | Accesses Documents; e.g., "Client would like to access files in your Documents folder." |
| kTCCServiceSystemPolicyDownloadsFolder | Accesses Downloads; e.g., "Client would like to access files in your Downloads folder." |
| kTCCServiceSystemPolicyNetworkVolumes | Accesses network volumes; e.g., "Client would like to access files on a network volume." |
| kTCCServiceSystemPolicyRemovableVolumes | Accesses removable volumes; e.g., "Client would like to access files on a removable volume." |
| kTCCServiceSystemPolicySysAdminFiles | Allows admin tasks; e.g., "Client would like to administer your computer." |
| kTCCServiceTencentWeibo | Integrates with Tencent Weibo. |
| kTCCServiceTwitter | Integrates with Twitter (now X). |
| kTCCServiceUbiquity | Enables iCloud syncing. |
| kTCCServiceUserAvailability | Accesses availability info; e.g., "Client would like to access your Availability." |
| kTCCServiceUserTracking | Handles user tracking features. |
| kTCCServiceVirtualMachineNetworking | Supports VM networking. |
| kTCCServiceVoiceBanking | Enables voice-based banking. |
| kTCCServiceWebBrowserPublicKeyCredential | Manages passkeys; e.g., "Would you like to allow client to access and use your saved passkeys?" |
| kTCCServiceWebKitIntelligentTrackingPrevention | Provides tracking prevention in WebKit. |
| kTCCServiceWillow | Internal identifier for Home-related data; e.g., "Client would like to access your Home data." |
Practical Applications of TCC Services
TCC ensures apps can't access private data without approval, which is crucial for security research. Here's why certain services are commonly requested:
- Assistive technologies rely on accessibility permissions to enable features like voice commands.
- Video apps need camera and microphone access for calls or recordings.
- Productivity tools use calendar, contacts, or reminders to sync schedules and people.
- Device integrations, like Bluetooth or motion sensors, support wearables and fitness tracking.
- File-related permissions are vital for apps handling documents, downloads, or network storage.
- Advanced features, such as screen capture or Siri, enhance sharing and voice control in collaborative or automated workflows.
These permissions appear in System Settings under Privacy & Security, updating dynamically as apps request them.
Retrieving the Latest TCC Service List
To get an up-to-date list directly from your system (tested on macOS Ventura and later), use these methods. Ensure Terminal has Full Disk Access for queries.
- Database Query:
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db "SELECT * FROM access"
sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "SELECT * FROM access"
This pulls from the user-level / system-level database.
- Extract from Framework:
strings /System/Library/PrivateFrameworks/TCC.framework/Support/tccd | grep -iEo "^kTCCService.*" | sort -u
This scans for service strings in the TCC framework.
Modifying TCC Permissions via Command Line
TCC stores data in SQLite databases at ~/Library/Application Support/com.apple.TCC/TCC.db (user-specific) and /Library/Application Support/com.apple.TCC/TCC.db (system-wide). The key table is access, with fields like service (permission type), client (app bundle ID or path), client_type (0 for bundle ID, 1 for path), and auth_value (2 for allowed, 0 for denied).
Viewing Permissions
List apps with Full Disk Access:
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db 'SELECT client FROM access WHERE auth_value > 0 AND service = "kTCCServiceSystemPolicyAllFiles"'
Check system database similarly.
Editing Permissions
- Deny a permission (sets
auth_valueto 0):
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db 'UPDATE access SET auth_value = 0 WHERE client = "com.example.app" AND service = "kTCCServiceCamera"'
- Delete a specific entry:
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db "DELETE FROM access WHERE client = 'com.example.app' AND service = 'kTCCServiceCamera'"
- Add an entry (requires code signing requirement blob via
codesignandcsreq): First, extract the blob for the app and target:
codesign -dr - /Path/To/App.app 2>&1 | awk -F ' => ' '/designated/{print $2}' | csreq -r- -b /tmp/csreq.bin
xxd -p /tmp/csreq.bin | tr -d '\n' # Output for INSERT
Then insert (adapt values accordingly).
For simpler resets, use Apple's tccutil reset command to revoke permissions for a service or all for an app tccutil reset All com.apple.Terminal.