Endpoint security extension not being granted FDA since Ventura beta 9

Since Ventura Beta 9 our endpoint-client system extension seems to be failing due to lacking FDA TCC permission.

The same notarized app seems to had no issues running on Ventura beta8 or earlier.

es_new_client seems to be failing with ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED due to system extension not being granted FDA.

This causes our extension to fail early and take up cpu core + quite a bit of Logd spam:

error 18:24:37.120364+0200 com.vendor.endpoint Failed to open service: 0xe00002d8: Caller lacks TCC authorization for Full Disk Access
error 18:24:37.120407+0200 kernel Task has not been granted user permission to connect

Any help or insight would be much appreciated. Have a nice day.

log_tcc.txt

Sidenote: We have noticed that a new TCC policy type has appeared for our endpoint extension, kTCCServiceEndpointSecurityClient but we haven't found documentation regarding what it is for.

Up vote post of pruzinat Down vote post of pruzinat
2.1k views
Posted by
pruzinat
Reply
Add a Comment

Accepted Reply

Apparently fixed in beta 10, will wait for confirmation and remove post.

Posted by
pruzinat
Up vote reply of pruzinat Down vote reply of pruzinat
Post marked as solved

  • Problem seems to be fixed, since neither fix(es) nor the problem has been acknowledged in beta logs I will be waiting for a writeup when CeeVeeeEeee is made public.

    pruzinat

  • I have updated Ventura to 13.2.1 and still the issue exists. Please help. ***.xxxx(6272) deny(1) system-privilege 1016 2023-03-22 13:01:27.675 E kernel[0:1f68e] (EndpointSecurity) Task has not been granted user permission to connect 2023-03-22 13:01:27.675 E ***.***[6272:1f68e] (libEndpointSecurity.dylib) Failed to open service: 0xe00002d8: Caller lacks TCC authorization for Full Disk Access 2023-03-22 13:01:27.676 E ***.***[6272:1f68e] Failed to create new ES client: 4

    akshay_vyas_v
Add a Comment

Replies

Apparently fixed in beta 10, will wait for confirmation and remove post.

Posted by
pruzinat
Up vote reply of pruzinat Down vote reply of pruzinat
Post marked as solved

  • Problem seems to be fixed, since neither fix(es) nor the problem has been acknowledged in beta logs I will be waiting for a writeup when CeeVeeeEeee is made public.

    pruzinat

  • I have updated Ventura to 13.2.1 and still the issue exists. Please help. ***.xxxx(6272) deny(1) system-privilege 1016 2023-03-22 13:01:27.675 E kernel[0:1f68e] (EndpointSecurity) Task has not been granted user permission to connect 2023-03-22 13:01:27.675 E ***.***[6272:1f68e] (libEndpointSecurity.dylib) Failed to open service: 0xe00002d8: Caller lacks TCC authorization for Full Disk Access 2023-03-22 13:01:27.676 E ***.***[6272:1f68e] Failed to create new ES client: 4

    akshay_vyas_v
Add a Comment

So, to summarise:

  • 13.0b9 introduced this bug (r. 100223230).

  • We got a bunch of bug reports about this. Thanks folks!

  • My reading of the bug is that it’s fixed in 13.0b10.

  • That seems to have been born out by your experience.

The only weird part about this thread is the first time anyone has mentioned this on DevForums (-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Hello, we also used the kTCCServiceSystemPolicyAllFiles key in the TCC.db "access" table to verify if the user has been granted full disk access privileges for our extension using ES client. Now in beta 10 or extension is listed under key kTCCServiceEndpointSecurityClient. Does this also now signal that Full Disk Access has been granted?

Frank Fenn

Sophos Inc.

Posted by
frankfenn
Post not yet marked as solved Up vote reply of frankfenn Down vote reply of frankfenn
Add a Comment

*shrug*

The format and location of the TCC database is not considered API, so it’s not something I’ve spent a lot of time looking at. Do you actually have code to read this when your product is deployed? Or are you just reading it internally while testing?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo

  • yes, we are actually using a sqlite3 query (SELECT client,auth_value FROM access WHERE service == 'kTCCServiceSystemPolicyAllFiles) within code in order to determine if a user enabled full disk access for our processes that need it. We choose this path since there is no API available to query specific aspects of system preferences.

    Frank Fenn

    Sophos Inc.

    frankfenn

  • Merely opening the file for reading should give you your answer (denied access and created TCC record for FDA).

    pruzinat

  • The format and location of the TCC database is not considered API, so it’s not something I’ve spent a lot of time looking at

    Suppose you have a security product doing a scan of your computer and upon initiation of that scan, contents of $HOME is enumerated and user is spammed with every TCC access dialogue in the book (Downloads, Contacts, ...). Yes please, give us an API to do this transparently so that we don't have to access SIP protected files in order to gain FDA and forego the rest.

    pruzinat
Add a Comment

Hi All,

We are facing the same problem(FDA access gone for System Extension) post upgrading from Monterey 12.6 to Ventura 13.0 .

Thanks & Regards,

Mohmad Vasim

Posted by
MohmadVasim
Up vote reply of MohmadVasim Down vote reply of MohmadVasim
Add a Comment

pruzinat wrote:

Yes please, give us an API to do this transparently so that we don't have to access SIP protected files in order to gain FDA and forego the rest.

If you’d like to see such support added in the future, I encourage you to file an enhancement request describing your requirements.  Please be clear about what you mean by “this” though. A request for an API to enable Full Disk Access will be rejected because the whole point of Full Disk Access is to put the user in charge of which programs are allowed to do what. OTOH, an API to return the status of Full Disk Access for your own program is more worthwhile.

Please post your bug number, just for the record.

MohmadVasim wrote:

We are facing the same problem(FDA access gone for System Extension) post upgrading from Monterey 12.6 to Ventura 13.0 .

Right. There are two interrelated problems here:

  • The one I discussed above (r. 100223230) which, AFAIK, is fixed.

  • A second problem, where Full Disk Access is dropped when you upgrade from macOS 12 to macOS 13.

There’s a different thread that’s dedicated to the second issue. I’ll post an update over there shortly.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment