According to WWDC 2019 Session 701 Advances in macOS Security, user intent for accessing protected locations is inferred when the user opens a file or folder using an NSOpenPanel. The app's access to those protected locations seems to persist across launches, and across reboots of macOS. Where are those access permissions stored? How can they be reset for testing, or when a user no longer wants a certain app to have access to a file or folder? They don't seem to be stored in TCC.db or be resettable through tccutil.
When a user selects a “protected” file or folder in an NSOpenPanel in a non-sandboxed app on Catalina, consent is inferred and the app can access it.
Ah yes, that. I ran into that yesterday as part of a DTS incident and did some poking around. As far as I can tell this is stored in the com.apple.macl extended attribute on the file itself. Here’s that attribute on a newly created file on my desktop:
$ xattr -l test.txt
com.apple.macl:
00000000 01 00 14 FD 16 DD 15 52 4F 5B B1 04 EF 01 B7 F9 |.......RO[......|
00000010 CA 1B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 00 00 00 00 00 00 00 00 |........|
00000048
And here’s what I see after selecting it with the open panel in my test app:
$ xattr -l test.txt
com.apple.macl:
00000000 01 00 14 FD 16 DD 15 52 4F 5B B1 04 EF 01 B7 F9 |.......RO[......|
00000010 CA 1B 01 00 B7 E7 6D 68 EA 39 44 EF AE F3 F8 90 |......mh.9D.....|
00000020 69 AC 56 11 00 00 00 00 00 00 00 00 00 00 00 00 |i.V.............|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 00 00 00 00 00 00 00 00 |........|
00000048
It seems that 01 00 is a header of some form and B7E76D68-EA39-44EF-AEF3-F89069AC5611 is a UUID associated with my test app. I dug into how that UUID is set up and, well, it’s complex, and more of an implementation detail than I care to go into here on DevForums.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
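The layout visible in the two dumps above, decoded as an added example that is not part of the original posts. It assumes the 72-byte value is four 18-byte slots, each a 2-byte header followed by a 16-byte UUID; that layout is inferred from the dumps and is not documented. ENTRY_SIZE, parse_macl and added_entries are names chosen here.

```python
import uuid

ENTRY_SIZE = 18  # assumption: 2-byte header + 16-byte UUID, inferred from the dumps

# Bytes copied from the two `xattr -l` dumps in the post
# (before and after selecting the file in the open panel).
BEFORE = bytes.fromhex(
    "010014FD16DD15524F5BB104EF01B7F9CA1B" + "00" * 54
)
AFTER = bytes.fromhex(
    "010014FD16DD15524F5BB104EF01B7F9CA1B"
    "0100B7E76D68EA3944EFAEF3F89069AC5611" + "00" * 36
)


def parse_macl(blob):
    """Split a com.apple.macl value into (header, UUID) entries, skipping empty slots."""
    if len(blob) % ENTRY_SIZE:
        raise ValueError(f"unexpected length {len(blob)}; not a multiple of {ENTRY_SIZE}")
    entries = []
    for off in range(0, len(blob), ENTRY_SIZE):
        slot = blob[off:off + ENTRY_SIZE]
        if not any(slot):  # all-zero slot: unused
            continue
        header = int.from_bytes(slot[:2], "little")  # byte order is an assumption
        entries.append((header, uuid.UUID(bytes=slot[2:])))
    return entries


def added_entries(before, after):
    """Return the entries present in `after` but not in `before`."""
    old = set(parse_macl(before))
    return [entry for entry in parse_macl(after) if entry not in old]


if __name__ == "__main__":
    for name, blob in (("before", BEFORE), ("after", AFTER)):
        print(f"{name}: {len(blob)} bytes")
        for header, ident in parse_macl(blob):
            print(f"  header={header:#06x} uuid={str(ident).upper()}")
    print("added:", [str(u).upper() for _, u in added_entries(BEFORE, AFTER)])
```

On macOS, `xattr -px com.apple.macl <file>` prints the raw value as hex, which `bytes.fromhex` accepts directly for use with `parse_macl`.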