hoakley February 1, 2019 Macs, Technology

Solving problems with Mojave’s privacy protection

Some of the most intractable problems in Mojave are those arising from its new privacy protection. The Privacy pane in Security & Privacy and the command tool tccutil intentionally give users, sysadmins and developers almost no help. Most of the lists in the Privacy pane aren’t directly controlled by the user, and all tccutil seems able to do is wipe the contents of those lists. When you have a problem, you’re stuffed.

Until now, the only steps you can take beyond those involve reading the entitlements and other settings for the app, and wading through the log. Because of the way that the protection works, you can’t tell how it has handled an app or command tool’s request to access protected data or services unless you browse through thousands of entries in the log. Even using Consolation, that is far from easy.

I have now extended my free app Taccy, which already helps you examine entitlements and settings in an app, to provide customised access to the unified log which should make troubleshooting privacy control a great deal easier. If you’re familiar with Cirrus, which does the same for iCloud, then you’ll already be familiar with this new feature.

Taccy’s new log browser window gives instant access to selected log entries from the main subsystems involved in privacy protection: TCC, LaunchServices, securityd, and selected entries from tccd (the service at the heart of privacy protection) and sandboxd. The best way to explain this is to demonstrate its use.

I opened my app xattred when the system clock reached 17:04:00, then about 16 seconds later, had navigated it to open a file in my protected Calendars folder. This all worked fine, as xattred has the correct settings and info strings to ensure that TCC should let it do that.

I then opened the new version of Taccy, opened a log window, ensured the time period set went from 17:03:57 to 17:04:30, and clicked on its Get log button.

I show you here just a short excerpt from the log extract in Taccy, which shows what happened when I tried to access the Calendars folder. Although I have abbreviated some of the entries (marked with square brackets []), these are consecutive entries and haven’t been edited to remove intervening ‘noise’.

Accessing the Calendars folder is, for a hardened app, considered to be a request to the sandbox which it runs in, so the first entries show that being passed to TCC:
16.287 sandbox request approval 16.287 sandbox TCCAccessRequest() IPC 16.287 TCC Sending 0/7 synchronous to com.apple.tccd: request[] contents = "service" [] "kTCCServiceCalendar" [] "function" [] "TCCAccessRequest" []

The TCC service daemon asks for a SecTrust evaluation, and handles the request:
16.287 tccd SecTrustEvaluateIfNecessary 16.287 TCC tccd[369](501): handling request [] {service="kTCCServiceCalendar" function="TCCAccessRequest" [] 16.287 TCC handle_TCCAccessRequest: [] 16.287 TCC PID[119] is checking access for target PID[28287] 16.288 TCC Created SecCodeRef 0x7fae04a4edc0 for PID[28287]. 16.288 tccd SecTrustEvaluateIfNecessary 16.288 tccd SecTrustEvaluateIfNecessary

securityd checks the certificate:
16.289 securityd asynchronously fetching CRL (http://crl.apple.com/root.crl) for client (tccd[369]/0#-1 LF=0) 16.289 securityd cert[2]: AnchorTrusted =(leaf)[force]> 0 16.290 tccd SecTrustEvaluateIfNecessary

TCC confirms that this is valid static code, then handles the request to access the Calendars folder:
16.291 TCC matchesCodeRequirementData: SecStaticCodeCheckValidity() [] from co.eclecticlight.xattred []; result: 0 16.291 TCC Handling access request to kTCCServiceCalendar, from co.eclecticlight.xattred [] 16.291 securityd asynchronously fetching CRL (http://crl.apple.com/root.crl) for client (tccd[369]/0#-1 LF=0) 16.291 securityd cert[2]: AnchorTrusted =(leaf)[force]> 0

Finally, TCC grants the request, and tells the sandbox it can go ahead:
16.291 TCC Received synchronous reply [] "result" []: true 16.292 sandbox kTCCServiceCalendar granted by TCC for xattred

Note that in Taccy’s log window, each source of entries appears in a contrasting colour, for example with TCC shown in red. With the click of a checkbox, you can select which sources will be shown. If you’ve got lots of entries from other processes accessing TCC at the same time, you can use the standard Find feature to locate those entries which refer to the app that you’re assessing.

Among the crucially important log entries you’ll see when you use this are those which reveal TCC’s Attribution Chain, for example
16.273 TCC AttributionChain: ACC:{ID: co.eclecticlight.xattred, PID[28287], auid: 501, euid: 501, binary path: '/Applications/xattred.app/Contents/MacOS/xattred'}, REQ:{ID: com.apple.sandboxd, PID[119], auid: 0, euid: 0, binary path: '/usr/libexec/sandboxd'}
which shows that a request from sandboxd is being attributed by TCC to xattred, whose entitlements will determine the outcome. Attribution Chains are vital information when trying to discover why a command tool isn’t being given access to protected data, as it is normally the head of that chain, such as Terminal.app, whose privacy settings determine access for commands being run from that.

This new feature should make Taccy a much more versatile tool for anyone wanting to investigate problems with privacy protection in Mojave, and for those wanting to investigate TCC further. It is now available from here: taccy10b7
and from Downloads above.

13Comments

Add yours

1

Solving problems with Mojave’s privacy protection – The Eclectic Light Company – Jerry's Mac Blog on February 1, 2019 at 6:35 pm

[…] Source: Solving problems with Mojave’s privacy protection – The Eclectic Light Company […]

LikeLike
2

Alan S on February 2, 2019 at 4:53 am

I’ve noticed that inter-application operations, such as using /usr/bin/open to display a directory in Finder or an HTML file in Safari, which used to be pretty quick, now take a minute or multiple minutes. I suspect that privacy protection may be the reason.

https://cbfiddle.com/IDEAShowInFinder.rtf

LikeLiked by 1 person
- 3
  
  hoakley on February 2, 2019 at 8:45 am
  
  Thank you.
  Any delay which you’re seeing isn’t the result of the open command. When run direct as a command in Terminal, it works instantly as ever. However, it looks like you’re running this via IDEA, which is where the problem seems to be occurring. I suggest that you raise this issue with its developers, who may be familiar with it, and its solution.
  There’s nothing too obvious from the log excerpt which you provided, though. More thorough testing and log study may be necessary.
  Howard.
  
  LikeLike
  - 4
    
    Alan S on February 2, 2019 at 4:37 pm
    
    /usr/bin/open is mentioned here:
    
    19-02-01 20:46:02.401 TCC AttributionChain: RESP:{ID: ??, PID[1104], auid: 501, euid: 501, responsible path: ‘/Applications/SharedApplications/IntelliJ IDEA/MyIDEA 59.app/Contents/MacOS/idea’, binary path: ‘/Applications/SharedApplications/IntelliJ IDEA/MyIDEA 59.app/Contents/MacOS/idea’}, ACC:{ID: com.apple.open, PID[43472], auid: 501, euid: 501, binary path: ‘/usr/bin/open’}, REQ:{ID: com.apple.appleeventsd, PID[75], auid: 55, euid: 55, binary path: ‘/System/Library/CoreServices/appleeventsd’}
    
    Presumably this is after IDEA has done its work.
    
    The last TCC log messsage is 32 seconds later (at 20:46:34), at which time Finder is activated.
    
    When called from terminal, the equivalent log messages span about 1 second.
    
    LikeLiked by 1 person
    - 5
      
      hoakley on February 2, 2019 at 10:26 pm
      
      That is actually while IDEA has done its work: I presume that it is calling the open command within the app. That entry records TCC finding the Attribution Chain for the open command, and locating that in the app MyIDEA 59.app. That app appears to be using Automation services to do that, and taking a very long time to be allowed to do that.
      Is MyIDEA 59.app signed, and if so, using what type of certificate? Does it get added to the Automation list in the Privacy pane? I presume that you don’t see any dialogs, which is worrying if that app isn’t already listed in Automation there.
      What do the developers say? Are others having similar problems with TCC in Mojave?
      Howard.
      
      LikeLike
6

Alan S on February 2, 2019 at 11:34 pm

I believe that it is /usr/bin/open that is using Automation services and that IDEA execs /usr/bin/open. What I can say for sure I that I have my own Java application that does this and the TCC log messages are about the same. The IDEA application is my own custom version of IDEA and is not signed. When my own application runs /usr/bin/open to display a web page in Safari, sometimes it is fast and sometimes slow. First impression is that when signed, it is very fast, and when unsigned (running under IDEA as a Java program), Safari is activated right away, but it takes 20 seconds or before the requested web page is displayed. In the latter case, TCC does not actually know anything about my application, as it is executed by java with no custom Info.plist. Perhaps unsigned applications are scanned each time?

LikeLiked by 1 person
- 7
  
  hoakley on February 2, 2019 at 11:49 pm
  
  This is where the undocumented Attribution Chain comes into play. When you run a command tool like open, it doesn’t have any means of supporting consent dialogs, as it has no GUI. What TCC does is construct an Attribution Chain, which tries to take the responsibility to an app like Terminal which provides the environment for running the command. If that app at the top of the Attribution Chain is signed and has been added to the Full Disk Access list, then access is normally given very quickly.
  Although TCC doesn’t require the app to be signed, and will work perfectly well with unsigned apps, this is where problems seem to occur. TCC tracks apps in Full Disk Access using their app id, which it can only rely on if that app is signed. So at the very least, every time that you change a scripted app which is at the head of the Attribution Chain, TCC is going to want to perform a full check, and may (for instance) wait until it has verified that app fully.
  You can sometimes solve this by adding the command to the Full Disk Access list, or by ensuring the head of the chain is added. It may even be worth creating your own signing certificate and Info.plist and signing the app to speed things up.
  You may find IDEA’s developers have more experience of dealing with this now.
  Howard.
  
  LikeLike
8

Alan S on February 2, 2019 at 11:53 pm

For what its worth, the custom IDEA application already has Full Disk Access. I needed that so that a program of mine could read Time Machine backup files.

LikeLiked by 1 person
9

cwinte on February 6, 2019 at 11:06 am

Hi, on IoW? I am assuming you are Howard of MacUser who I always read with interest (ex-Cowes man myself, now London edge). I am interested in how taccy gets access to unified log as I’d like to examine the options of getting access from terminal LNAV (lower-case, it’s on github) without dumping yet another stream out just to read back in to sqlite which lnav uses for logs etc. Lnav allows SQL commands, scripts and filtering and a whole lot of things I find very useful in getting to grips with system activity.
Perhaps an URL or 2 would make a good start for me though there I am pretty sure there is a huge amount in unified logging to ingest (only just forcing myself forward from El Cap on my backup MBP!).

LikeLiked by 1 person
- 10
  
  hoakley on February 6, 2019 at 12:44 pm
  
  Yes, the same, and down in Wroxall.
  I have a lot of posts here on the unified log. A good series to start with is:
  macOS Unified log: 1 why, what and how
  macOS Unified log: 2 content and extraction
  macOS Unified log: 3 finding your way
  If you look in the Mac problem-solving page at the top, you’ll see dozens more.
  Essentially, there are only two ways to access the unified log: the stunted Console app, and the log command. Unified logs are stored in proprietary compressed binary format, which as far as I know hasn’t been reverse-engineered. My apps use the log show command, with compound predicates to reduce the size of the extract, which is retrieved in JSON, parsed into a Dictionary, and processed from there.
  Howard.
  
  LikeLike
11

cwinte on February 6, 2019 at 5:20 pm

Thanks for the useful info. Interesting that there is “volatile” log info, which I assume never makes it to long term storage and so I assume this lives in some fifo ram pipe/db from which other stuff gets written to the longer term stores. Think I recalled that in the Apple docs I read some years back. [I really must read the links you sent!] Anyway just o amplify where I’m headed : I like the way I can access (in EL Cap) the last n (<7) days of logs e.g. /bin/lnav /var/log/system.log /var/log/system.log.0.gz
and run queries and get real time updating monitor/filters in a very small resource footprint.
I was really hoping to avoid extracting a log stream, to disk though maybe that is what Apple are doing anyway to store down their non-volatile data. Since Lnav works in a JSON world so maybe there is some mileage here… I asked the developer where he is at with the unified log. Lnav currently reads, parses and imports many log formats into a unified time sequence, much as the old Console did. I've not looked at the Lnav code at all but it sounds similar to your tool which may be some consolation (!sorry!) and I am keen to have a look at soon. This is a bit off topic so I will desist!

LikeLiked by 1 person
- 12
  
  cwinte on February 6, 2019 at 5:31 pm
  
  Your exposition on the logging is great, wish I’d kept my ramblings to myself until I’d had a look. Well done!
  
  LikeLiked by 1 person
13

Michael Tsai - Blog - Mojave Privacy Protection Aftermath on February 7, 2019 at 8:30 pm

[…] Howard Oakley: […]

LikeLike

·Comments are closed.

Share this:

Related