Extended Attributes and TCC on macOS

Introduction

Hermes Generating TCC Popups

Hermes Generating a TCC Popup

Root Cause Analysis

LsTest Generating a TCC Popup
let attributes = try fileManager.attributesOfItem(atPath: fullPath)
FileAttributeKey Structure

Comparing Attributes

Denying LsTest Access to TCC-Protected Folders
/Users/slyd0g/Downloads[__C.NSFileAttributeKey(_rawValue: NSFileOwnerAccountID): 501, __C.NSFileAttributeKey(_rawValue: NSFileGroupOwnerAccountID): 20, __C.NSFileAttributeKey(_rawValue: NSFilePosixPermissions): 448, __C.NSFileAttributeKey(_rawValue: NSFileGroupOwnerAccountName): staff, __C.NSFileAttributeKey(_rawValue: NSFileOwnerAccountName): slyd0g, __C.NSFileAttributeKey(_rawValue: NSFileCreationDate): 2020-01-01 08:00:00 +0000, __C.NSFileAttributeKey(_rawValue: NSFileSize): 192, __C.NSFileAttributeKey(_rawValue: NSFileSystemNumber): 16777221, __C.NSFileAttributeKey(_rawValue: NSFileExtensionHidden): 0, __C.NSFileAttributeKey(_rawValue: NSFileSystemFileNumber): 492303, __C.NSFileAttributeKey(_rawValue: NSFileType): NSFileTypeDirectory, __C.NSFileAttributeKey(_rawValue: NSFileModificationDate): 2022-03-04 06:02:47 +0000, __C.NSFileAttributeKey(_rawValue: NSFileProtectionKey): NSFileProtectionCompleteUntilFirstUserAuthentication, __C.NSFileAttributeKey(_rawValue: NSFileReferenceCount): 6]
Allowing LsTest Access to TCC-Protected Folders
/Users/slyd0g/Downloads[__C.NSFileAttributeKey(_rawValue: NSFileOwnerAccountID): 501, __C.NSFileAttributeKey(_rawValue: NSFileGroupOwnerAccountName): staff, __C.NSFileAttributeKey(_rawValue: NSFileProtectionKey): NSFileProtectionCompleteUntilFirstUserAuthentication, __C.NSFileAttributeKey(_rawValue: NSFileExtendedAttributes): {"com.apple.macl" = {length = 72, bytes = 0x0400859d 0df21250 44afa8ed e5ec9f0d ... 00000000 00000000 };}, __C.NSFileAttributeKey(_rawValue: NSFilePosixPermissions): 448, __C.NSFileAttributeKey(_rawValue: NSFileReferenceCount): 6, __C.NSFileAttributeKey(_rawValue: NSFileCreationDate): 2020-01-01 08:00:00 +0000, __C.NSFileAttributeKey(_rawValue: NSFileSystemFileNumber): 492303, __C.NSFileAttributeKey(_rawValue: NSFileType): NSFileTypeDirectory, __C.NSFileAttributeKey(_rawValue: NSFileModificationDate): 2022-03-04 06:02:47 +0000, __C.NSFileAttributeKey(_rawValue: NSFileExtensionHidden): 0, __C.NSFileAttributeKey(_rawValue: NSFileSystemNumber): 16777221, __C.NSFileAttributeKey(_rawValue: NSFileGroupOwnerAccountID): 20, __C.NSFileAttributeKey(_rawValue: NSFileSize): 192, __C.NSFileAttributeKey(_rawValue: NSFileOwnerAccountName): slyd0g]

Investigating Extended Attributes with xattr

sudo tccutil reset All 
Extended Attributes for Downloads, Documents, and Desktop
Enumerating Entitlements of xattr
__C.NSFileAttributeKey(_rawValue: NSFileExtendedAttributes): {"com.apple.macl" = {length = 72, bytes = 0x0400859d 0df21250 44afa8ed e5ec9f0d ... 00000000 00000000 };}
Enumerating Extended Attribute Values with xattr
xattr Enumerating Extended Attribute Binary Value

Fixing Hermes ls Implementation

Tracking TCC Permissions with Global Variables
Checking Enumerated TCC Permissions within `ls` command

Conclusion

Enumerating Extended Attribute Value Causes TCC Popup

References
