New TCC Modify system extension event doesn't send event when TCC db changed with sqlite

Hey, we also opened a bug regarding this behavior in April, back when you introduced the new event in macOS 15.4

The bug ticket is: FB17139326

Starting with macOS 15.4 you added a new event for the system extension framework named tcc_modify. The event should be triggered every time there is a change regarding the TCC db (granted / revoked in various ways). One of the ways you can grant / revoke a TCC db permission is by changing the user sqlite db with root permissions. You can change various permissions for the user, for example which apps are allowed to use the microphone.

It is expected that when microphone permissions are granted / revoked using sqlite we will get notified by the system extension with a tcc modify event.

But the actual result is that the permission is added without any tcc modify event.

We wanted to know if it is intentional that changing the user TCC db with root permissions, using sqlite and not conventional methods (user popup / settings), is supposed to not initiate an event, and we should monitor this using other methods.

Thank you, Idan

> is by changing the user sqlite db with root permissions.

You can? I thought that only worked if you have SIP disabled?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hey @DTS Engineer, so there are 2 TCC db's:

  1. /Library/Application\ Support/com.apple.TCC/TCC.db - This one is the system one that has the permissions for FDA etc.

This one can't be changed because it's SIP protected (at least if you are not Csaba Fitzl ;) )

  2. /Users/<user>/Library/Application\ Support/com.apple.TCC/TCC.db

This one is the user TCC db; it contains permissions for desktop / microphone etc. This one can be changed if 1. you are root and 2. you have FDA, so if for example a user gives the Terminal app FDA permissions and uses sudo, they can change this TCC db and add / delete values from it.

So we are interested in the user TCC db, to know if someone for example added microphone permissions for an unwanted app.
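As an added illustration of the "other methods" question above (this is not code from the thread or from Apple): a small Python monitor that snapshots the microphone rows of the user TCC.db `access` table and reports clients added, removed or changed between two snapshots, which is what a poll-and-diff approach catches when no tcc_modify event arrives. The database here is a constructed stand-in in a temp directory with a subset of the real `access` columns; on a real system the reader needs FDA/root to read `~/Library/Application Support/com.apple.TCC/TCC.db`, and a diff like this only notices a change after the fact.

```python
import os
import sqlite3
import tempfile

# Real TCC service identifier for the microphone; auth_value 2 = allowed, 0 = denied.
MICROPHONE = "kTCCServiceMicrophone"

def read_grants(db_path, service=MICROPHONE):
    """Snapshot {client: (auth_value, last_modified)} for one service from the
    `access` table of a TCC.db. Opened read-only so the monitor never writes."""
    with sqlite3.connect(f"file:{db_path}?mode=ro", uri=True) as conn:
        rows = conn.execute(
            "SELECT client, auth_value, last_modified FROM access WHERE service = ?",
            (service,),
        ).fetchall()
    return {client: (auth, mod) for client, auth, mod in rows}

def diff_grants(baseline, current):
    """Return (added, removed, changed) client sets between two snapshots."""
    added = set(current) - set(baseline)
    removed = set(baseline) - set(current)
    changed = {c for c in set(baseline) & set(current) if baseline[c] != current[c]}
    return added, removed, changed

def build_sample_db(path, rows):
    """Constructed stand-in for TCC.db using a subset of the real `access` columns."""
    with sqlite3.connect(path) as conn:
        conn.execute(
            "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER,"
            " auth_value INTEGER, auth_reason INTEGER, last_modified INTEGER)"
        )
        conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?)", rows)

def demo():
    """Baseline the constructed db, apply a direct sqlite edit to it (the case
    the thread says produces no tcc_modify event), and report what the diff catches."""
    path = os.path.join(tempfile.mkdtemp(), "TCC.db")
    build_sample_db(path, [(MICROPHONE, "com.example.chat", 0, 2, 2, 1700000000)])
    baseline = read_grants(path)
    with sqlite3.connect(path) as conn:  # out-of-band change to the constructed file
        conn.execute("INSERT INTO access VALUES (?,?,?,?,?,?)",
                     (MICROPHONE, "com.example.unwanted", 0, 2, 2, 1700000100))
        conn.execute("UPDATE access SET auth_value = 0 WHERE client = ?",
                     ("com.example.chat",))
    return diff_grants(baseline, read_grants(path))

if __name__ == "__main__":
    print(demo())  # ({'com.example.unwanted'}, set(), {'com.example.chat'})
```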
