Cannot reset privacy decisions for specific bundles with tccutil

Originator: blochberger.max
Number: rdar://6813106
Date Originated: 2019-07-25
Status: Resolved
Resolved:
Product: macOS
Product Version: 10.14.5
Classification:
Reproducible: yes
 
Application developers need to test how their applications react to privacy decisions the user makes. Therefore, they should be able to revoke privacy consents. For that purpose, Apple has provided tccutil, which, according to its man page, should be able to reset specific privacy decisions for a specific application. Applications are identified by their bundle identifiers.

If I want to revoke access to the Contacts for Adium, I would invoke the tool with `tccutil reset AddressBook com.apple.Terminal`. However, tccutil fails with the following error: "No such bundle identifier". This happens for all applications.

Looking into how tccutil is implemented, the bundle identifier lookup is implemented using `(NSBundle *)bundleWithIdentifier:(NSString *)identifier;` (https://developer.apple.com/documentation/foundation/nsbundle/1411929-bundlewithidentifier). This method, however, cannot be used to find arbitrary bundles on the system. Calling `Bundle(identifier: "com.apple.Terminal")` in Swift (Playground or REPL) will return `nil`.

If the application was removed previously, the bundle identifier cannot be found that way either – as it is only kept in the TCC database. Resetting privileges of an application that was removed is also a use-case that is important for normal users (instead of the developer-specific use-case I described above).

In order to fix this problem, I suggest that the bundle identifier is directly looked up in the TCC database instead (`client` column of the `access` table).
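The lookup suggested above, sketched as an added example that is not part of the original report and not Apple's implementation: an identifier is validated against the recorded decisions instead of against installed bundles, so a removed application can still be reset. It runs on a constructed in-memory database; the `service` and `allowed` columns, the `kTCCService` prefix mapping and the `com.example.*` identifiers are assumptions.

```python
import sqlite3

def build_sample_db():
    """Constructed stand-in for the TCC database, reduced to three columns.
    Only the `access` table and its `client` column come from the report."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT NOT NULL, client TEXT NOT NULL,"
        " allowed INTEGER NOT NULL, PRIMARY KEY (service, client))"
    )
    rows = [  # constructed sample rows
        ("kTCCServiceAddressBook", "com.apple.Terminal", 1),
        # Hypothetical app that has been deleted from disk; only this row remains.
        ("kTCCServiceAddressBook", "com.example.removed-app", 1),
        ("kTCCServiceCalendar", "com.apple.Terminal", 0),
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn

def known_clients(conn, service):
    """Every client identifier with a decision recorded for `service`."""
    cur = conn.execute(
        "SELECT client FROM access WHERE service = ? ORDER BY client", (service,)
    )
    return [row[0] for row in cur]

def reset(conn, service_name, bundle_id):
    """Model of `tccutil reset <service> <bundle id>` with the suggested lookup:
    the identifier is accepted if the database has a row for it, whether or
    not a bundle with that identifier is installed."""
    service = "kTCCService" + service_name  # assumed naming convention
    cur = conn.execute(
        "DELETE FROM access WHERE service = ? AND client = ?", (service, bundle_id)
    )
    conn.commit()
    if cur.rowcount == 0:
        raise LookupError(f"no {service_name} decision recorded for {bundle_id}")
    return cur.rowcount

if __name__ == "__main__":
    db = build_sample_db()
    print("before:", known_clients(db, "kTCCServiceAddressBook"))
    reset(db, "AddressBook", "com.example.removed-app")
    print("after: ", known_clients(db, "kTCCServiceAddressBook"))
```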

Comments

tccutil works as expected in macOS 10.15 Catalina beta 4 (19A512f).

By blochberger.max at July 25, 2019, 10:22 a.m.
