TCC Databases

Hello,

There is something I do not understand about TCC:

  • I have allowed Terminal app to Full Disk Access.
  • I was able to open my current user's TCC.db file with sqlite3 from Terminal.
  • I was able to delete entries in the access table with sqlite3.
  • I had no errors, but these changes haven't been applied.

My question is: why was I able to modify the TCC.db file? Is there a specific thing to do to flush privileges?

I have a second question: When an application fires an NSOpenDialog in a Cocoa application, the selected file's access rule bypasses TCC. This is normal because it is an intent from the user. But this file access seems to be stored somewhere, because if I reboot the computer, my Cocoa application can read this file again without the NSOpenDialog opening. I have tried to look in the current user's TCC.db file but I did not find anything. My question is: where is this information stored?

Thanks

And I have a third question: When I try to access ~/Library/Containers/anotherapp/ from Terminal, I get a TCC popup: "Terminal would like to access data from other apps". Let's suppose I accept: I don't see where the information is stored. What should I do if I want to change my choice later? There is no entry in "System Settings/Privacy & Security/Files and Folders" for this parameter. Is it stored in the user TCC.db file too? I don't see any entry for it. Thanks

Regarding question 1, I can’t answer questions about the TCC database because the location and format of that is an implementation detail, and thus not something that DTS supports.

Regarding question 2, again, this is also very much an implementation detail. Last I checked, this access was persisted via an extended attribute on the file itself.

Regarding question 3, last I checked this wasn’t persistent. It’s very much like the ‘admin files’ privilege [1], that is, the user grants the privilege which is granted for a period of time and then revoked.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] That is, the client of the NSSystemAdministrationUsageDescription property.
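For question 2, a practical way to check where that per-file grant lives, without guessing attribute names, is to snapshot the file's extended attributes before and after granting access through the open dialog and compare the two. The script below is an added example for this thread, not code from Apple or from the answer above. It assumes the xattr(1) command is on the path on macOS (Python's os.listxattr is Linux-only, so the macOS branch shells out); the temp file and the user.example.note attribute in demo() are constructed for the demonstration and are not attributes macOS or TCC uses.

```python
"""Snapshot and diff the extended attributes (xattrs) on a file.

Added example for this thread, not Apple's or the poster's code. Assumes the
xattr(1) tool exists on macOS and that the filesystem supports extended
attributes (on Linux, the user.* namespace).
"""
import os
import subprocess
import sys
import tempfile


def _run(args):
    """Run a command and return its stdout as text, raising on failure."""
    return subprocess.run(args, capture_output=True, text=True, check=True).stdout


def list_xattrs(path):
    """Return {attribute_name: raw_value_bytes} for every xattr on `path`."""
    if sys.platform == "darwin":
        names = _run(["xattr", path]).split()
        # `xattr -p -x` prints the value as a hex dump; bytes.fromhex skips whitespace.
        return {n: bytes.fromhex(_run(["xattr", "-p", "-x", n, path])) for n in names}
    return {n: os.getxattr(path, n) for n in os.listxattr(path)}


def set_xattr(path, name, value):
    """Write one xattr; used here only to build the constructed demo file."""
    if sys.platform == "darwin":
        _run(["xattr", "-w", name, value.decode(), path])
    else:
        os.setxattr(path, name, value)


def diff_xattrs(before, after):
    """Compare two snapshots from list_xattrs(); report names added, removed, changed."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(n for n in set(before) & set(after) if before[n] != after[n])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Snapshot a constructed temp file, add a constructed attribute, and diff."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "document.txt")
        with open(path, "w") as f:
            f.write("constructed sample file\n")
        before = list_xattrs(path)
        # 'user.example.note' is a constructed name, not an attribute TCC or macOS uses.
        set_xattr(path, "user.example.note", b"granted-by-demo")
        after = list_xattrs(path)
        return diff_xattrs(before, after)


if __name__ == "__main__":
    # Usage on a real file: python3 xattr_snapshot.py /path/to/file
    # Run it before and after picking the file in the open dialog and compare the names.
    if len(sys.argv) > 1:
        for name, value in list_xattrs(sys.argv[1]).items():
            print(f"{name}: {len(value)} bytes")
    else:
        print(demo())
```

To use it for the question asked: run it on the file before the app has ever opened it, open the file through the dialog, run it again, and any newly listed attribute name is the candidate for where the grant is persisted. Since, as the answer notes, this is an implementation detail, treat whatever you find as subject to change between macOS releases.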
