Privileged helper can't access downloads folder on Catalina

Hey there,


I'm having trouble with a macOS app and its connected privileged helper tool. It looks like there is a problem with the new TCC - Files And Folders security layer. The console says pretty clearly:


-[TCCDAccessIdentity staticCode]: static code for: identifier /Library/PrivilegedHelperTools/com.my.HelperTool, type: 1: 0x7fdd0b61d300 at /Library/PrivilegedHelperTools/com.my.HelperTool

Refusing TCCAccessRequest for service kTCCServiceSystemPolicyDownloadsFolder from client /Library/PrivilegedHelperTools/com.my.HelperTool in background session


Resetting permissions via tccutil didn't help.

The app and the helper tool are successfully codesigned and notarized (but not sandboxed). Any tips on how to satisfy TCC? Anything I can check? Any documentation besides WWDC 2019 – Advances in macOS Security?


Btw, I'm on Catalina 10.15.4.


Thanks a lot,

Gary

Replies

If you manually add the helper tool to System Preferences > Security & Privacy > Privacy > Full Disk Access, does the problem go away?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Yes, this helps as a workaround (but that's not what we want to let our customers do; also, we only need access to the Downloads folder).


Our helper tool has different jobs to do (e.g. installing something). I now found out that one job triggers something so that everything works afterwards. The console says:


tccd: Making {ID: com.me.app, PID[1873], auid: 501, euid: 501, binary path: '/Applications/my.app/...'} responsible for Privileged Helper {ID: com.my.HelperTool, PID[1930], auid: 0, euid: 0, binary path: '/Library/PrivilegedHelperTools/com.my.HelperTool'}; PID[1873]; rv = 0


I'm still wondering which action is required to make the app responsible for the helper tool.
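As an added example (not code from this thread or from Apple), here is a small Python parser for the two tccd message shapes quoted above. It pulls out the service and client of each "Refusing TCCAccessRequest" denial and the app/helper pair of each "responsible for Privileged Helper" record, and then lists denied helpers that no app was ever made responsible for, which is the situation described in this thread. The sample lines are constructed from the messages quoted here; `com.other.Helper` is an invented second helper.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the tccd lines quoted in this thread;
# com.other.Helper is an invented helper that never gets a responsible app.
SAMPLE_LOG = """\
Refusing TCCAccessRequest for service kTCCServiceSystemPolicyDownloadsFolder from client /Library/PrivilegedHelperTools/com.my.HelperTool in background session
Refusing TCCAccessRequest for service kTCCServiceSystemPolicyDownloadsFolder from client /Library/PrivilegedHelperTools/com.other.Helper in background session
tccd: Making {ID: com.me.app, PID[1873], auid: 501, euid: 501, binary path: '/Applications/my.app/...'} responsible for Privileged Helper {ID: com.my.HelperTool, PID[1930], auid: 0, euid: 0, binary path: '/Library/PrivilegedHelperTools/com.my.HelperTool'}; PID[1873]; rv = 0
"""

REFUSE_RE = re.compile(
    r"Refusing TCCAccessRequest for service (?P<service>\S+) from client (?P<client>\S+)"
)
RESPONSIBLE_RE = re.compile(
    r"Making \{ID: (?P<app>[^,]+), PID\[(?P<app_pid>\d+)\].*?\} responsible for "
    r"Privileged Helper \{ID: (?P<helper>[^,]+), PID\[(?P<helper_pid>\d+)\].*?"
    r"binary path: '(?P<helper_path>[^']*)'.*?rv = (?P<rv>-?\d+)"
)


def parse_tccd_line(line: str) -> Optional[Dict[str, str]]:
    """Classify one tccd line as a 'denial' or a 'responsibility' record, else None."""
    m = REFUSE_RE.search(line)
    if m:
        return {"kind": "denial", **m.groupdict()}
    m = RESPONSIBLE_RE.search(line)
    if m:
        return {"kind": "responsibility", **m.groupdict()}
    return None


def unresolved_helper_denials(log_text: str) -> List[Dict[str, str]]:
    """Denials whose client binary never appears as the helper in a successful
    (rv = 0) responsibility record: daemons TCC could not tie to any user app."""
    denials: List[Dict[str, str]] = []
    responsible_paths = set()
    for line in log_text.splitlines():
        rec = parse_tccd_line(line)
        if rec is None:
            continue
        if rec["kind"] == "denial":
            denials.append(rec)
        elif rec["rv"] == "0":
            responsible_paths.add(rec["helper_path"])
    return [d for d in denials if d["client"] not in responsible_paths]
```

On a real machine the input would come from the unified log, e.g. `log show --predicate 'process == "tccd"'`, instead of the constructed sample.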

The tricky part here is that the Files and Folders privilege is per user, but a privileged helper tool runs as a launchd daemon, which is system wide. When the system launches your privileged helper tool, which user's Files and Folders privilege should it honour?

What is your daemon doing with the Downloads folder?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Ok, thanks for the explanation. Our app is downloading plugin installers. The privileged helper is then running the installers (i.e. it needs permission to read and execute). I've found that when the app lets the helper tool do a chmod and a chown on the installer binaries, the installation process is not blocked anymore. tccd then also prints into the console that our app is responsible for the privileged helper (like in the message above). Is that a way to handle that thing or is this just a coincidence?


I still see those messages: Sandbox: installd(629) System Policy: deny(1) file-read-data /Users/gary/Downloads/MyInstaller.pkg


Btw, the Files & Folders privilege is not shown for the app or the privileged helper either.


Edit: Now that I have added the Privacy - Downloads Folder Usage Description to the plist of the app, the modal Downloads Access dialog appeared and the app is shown and checked in System Preferences > Security > Files & Folders.

  • Hi, I think I have the same issue, hopefully you are still reading the forums. Are you saying just adding "Privacy - Downloads Folder Usage Description" to the plist of the app causes the access dialog to come up when the helper goes to read a file in the user's Downloads folder?

    Thanks,

    James

Looks like this is still not solved, but I'm getting closer. I now encounter the following problem:


My helper tool has more than one SMAuthorizedClients entry, i.e. the helper tool can be installed by more than one app (the app installer and the app itself). The installation of the helper is done via SMJobBless as known from the EvenBetterAuthorization example.

The problem is that the first app which calls SMJobBless is "responsible" for the helper tool; the other app does not work correctly until a restart or a manual launchctl unload / load cycle.


Now my question:

How do I force the "blessing" of the helper tool, or make my app responsible, without reinstalling the helper tool?

Or is it possible to just install the helper tool and let the blessing be done later?

Hi Gary,

I've encountered a similar problem, which I made a separate thread about here: https://developer.apple.com/forums/thread/702907

Were you ever able to solve your problem?