      Latest reply on Oct 31, 2019 2:02 AM by eskimo
      cappuccino Level 1 (0 points)

        According to WWDC 2019 Session 701 Advances in macOS Security, user intent for accessing protected locations is inferred when the user opens a file or folder using an NSOpenPanel. The app's access to those protected locations seems to persist across launches, and across reboots of macOS.

        Where are those access permissions stored? How can they be reset for testing, or when a user no longer wants a certain app to have access to a file or folder? They don't seem to be stored in TCC.db or be resettable through tccutil.

        • Re: Reset access obtained through inferred user intent on Catalina
          cappuccino Level 1 (0 points)

          ... still looking for a way to do this. Is everyone just using VMs to test and debug their non-sandboxed apps that rely on inferred user consent? There must be a simple way to reset the implicitly granted access permissions that I'm missing.

          • Re: Reset access obtained through inferred user intent on Catalina
            eskimo Apple Staff (12,425 points)

            Are you talking about a sandboxed app? Or the new Files and Folders privilege?

            Share and Enjoy

            Quinn “The Eskimo!”
            Apple Developer Relations, Developer Technical Support, Core OS/Hardware
            let myEmail = "eskimo" + "1" + "@apple.com"

              • Re: Reset access obtained through inferred user intent on Catalina
                cappuccino Level 1 (0 points)

                Actually, neither. When a user selects a “protected” file or folder in an NSOpenPanel in a non-sandboxed app on Catalina, consent is inferred and the app can access it. This access seems to implicitly persist across app launches and reinstalls (i.e. no security-scoped bookmarks). The access is not reflected in System Preferences > Security. And I haven’t found a way to reset it (e.g. tccutil), which is the reason for this posting.

                  • Re: Reset access obtained through inferred user intent on Catalina
                    eskimo Apple Staff (12,425 points)

                    When a user selects a “protected” file or folder in an NSOpenPanel in a non-sandboxed app on Catalina, consent is inferred and the app can access it.

                    Ah yes, that. I ran into that yesterday as part of a DTS incident and did some poking around. As far as I can tell this is stored in the com.apple.macl extended attribute on the file itself. Here’s that attribute on a newly created file on my desktop:

                    $ xattr -l test.txt
                    com.apple.macl:
                    00000000  01 00 14 FD 16 DD 15 52 4F 5B B1 04 EF 01 B7 F9  |.......RO[......|
                    00000010  CA 1B 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
                    00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
                    00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
                    00000040  00 00 00 00 00 00 00 00                          |........|
                    00000048

                    And here’s what I see after selecting it with the open panel in my test app:

                    $ xattr -l test.txt
                    com.apple.macl:
                    00000000  01 00 14 FD 16 DD 15 52 4F 5B B1 04 EF 01 B7 F9  |.......RO[......|
                    00000010  CA 1B 01 00 B7 E7 6D 68 EA 39 44 EF AE F3 F8 90  |......mh.9D.....|
                    00000020  69 AC 56 11 00 00 00 00 00 00 00 00 00 00 00 00  |i.V.............|
                    00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
                    00000040  00 00 00 00 00 00 00 00                          |........|
                    00000048

                    It seems that 01 00 is a header of some form and B7E76D68-EA39-44EF-AEF3-F89069AC5611 is a UUID associated with my test app.  I dug into how that UUID is set up and, well, it’s complex, and more of an implementation detail than I care to go into here on DevForums.

                    Share and Enjoy

                    Quinn “The Eskimo!”
                    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                    let myEmail = "eskimo" + "1" + "@apple.com"
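
The two dumps in the last reply can be decoded mechanically when auditing which UUIDs a file's com.apple.macl attribute carries. This is an added example, not code from the thread or from Apple; the 18-byte slot layout (2-byte header plus 16-byte UUID, all-zero slots unused) is an assumption inferred only from those two dumps, and the function names are hypothetical.

```python
import uuid

# Sample input: the second `xattr -l test.txt` dump from the reply above.
SAMPLE_DUMP = """\
com.apple.macl:
00000000  01 00 14 FD 16 DD 15 52 4F 5B B1 04 EF 01 B7 F9  |.......RO[......|
00000010  CA 1B 01 00 B7 E7 6D 68 EA 39 44 EF AE F3 F8 90  |......mh.9D.....|
00000020  69 AC 56 11 00 00 00 00 00 00 00 00 00 00 00 00  |i.V.............|
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000040  00 00 00 00 00 00 00 00                          |........|
00000048
"""

HEADER_LEN = 2                 # assumption: "01 00" style header per slot
SLOT_LEN = HEADER_LEN + 16     # assumption: header followed by a 16-byte UUID


def dump_to_bytes(dump: str) -> bytes:
    """Recover the raw attribute value from `xattr -l` hexdump lines."""
    raw = bytearray()
    for line in dump.splitlines():
        line = line.strip()
        offset = line[:8]
        # Data lines start with an 8-digit hex offset; skip the name line.
        if len(offset) != 8 or any(c not in "0123456789abcdefABCDEF" for c in offset):
            continue
        hex_column = line[8:].split("|", 1)[0]  # drop the ASCII column
        raw += bytes.fromhex(hex_column)        # fromhex ignores whitespace
    return bytes(raw)


def parse_macl(raw: bytes) -> list:
    """Return (header_hex, UUID string) for every non-empty slot."""
    entries = []
    for off in range(0, len(raw) - SLOT_LEN + 1, SLOT_LEN):
        header = raw[off:off + HEADER_LEN]
        ident = raw[off + HEADER_LEN:off + SLOT_LEN]
        if not any(header) and not any(ident):
            continue  # all-zero slot, treated as unused
        entries.append((header.hex(), str(uuid.UUID(bytes=ident)).upper()))
    return entries


if __name__ == "__main__":
    for header, ident in parse_macl(dump_to_bytes(SAMPLE_DUMP)):
        print(header, ident)
```

Comparing the output before and after an open-panel selection shows which UUID was appended to the file.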