Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

macOS 13/14 missing permission for kTCCServiceScreenCapture #9529

Closed
3 of 13 tasks
ReenigneArcher opened this issue Mar 18, 2024 · 2 comments
Closed
3 of 13 tasks

macOS 13/14 missing permission for kTCCServiceScreenCapture #9529

ReenigneArcher opened this issue Mar 18, 2024 · 2 comments
Labels
bug report OS: macOS

Comments

@ReenigneArcher
Copy link

Description

When building my application in macOS-13 or macOS-14 using Macports, unit tests fail due to missing permission of kTCCServiceScreenCapture.

I ran the below code before and after my test code, and discovered the cause.

sudo sqlite3 \
  "/Library/Application Support/com.apple.TCC/TCC.db" \
  "SELECT * FROM access WHERE service='kTCCServiceScreenCapture';"

Before results:

kTCCServiceScreenCapture|/bin/bash|1|2|0|1||||UNUSED||0|1599831148
kTCCServiceScreenCapture|/usr/local/opt/runner/provisioner/provisioner|1|2|4|1|||0|UNUSED||0|1687786159
kTCCServiceScreenCapture|com.apple.screensharing.agent|0|2|4|1|||0|UNUSED||0|1708076718
kTCCServiceScreenCapture|com.devexpress.testcafe-browser-tools|0|2|3|1|��||0|UNUSED||0|1687952810

After results:

kTCCServiceScreenCapture|/bin/bash|1|2|0|1||||UNUSED||0|1599831148
kTCCServiceScreenCapture|/opt/off/opt/runner/provisioner/provisioner|1|0|4|1|��||0|UNUSED||0|1710767319
kTCCServiceScreenCapture|/usr/local/opt/runner/provisioner/provisioner|1|2|4|1|||0|UNUSED||0|1687786159
kTCCServiceScreenCapture|com.apple.screensharing.agent|0|2|4|1|||0|UNUSED||0|1708076718
kTCCServiceScreenCapture|com.devexpress.testcafe-browser-tools|0|2|3|1|��||0|UNUSED||0|1687952810

The difference being that /opt/off/opt/runner/provisioner/provisioner has requested permission after my test.

For some reason Macports is using /opt/off/opt/runner/provisioner/provisioner on macOS-13 and 14, but not on 12.

As a workaround, I did the following.

      - name: Fix screen capture permissions
        if: ${{ matrix.os_version != 12 }}  # macOS-12 is okay
        run: |
          # https://apple.stackexchange.com/questions/362865/macos-list-apps-authorized-for-full-disk-access

          # permissions for screen capture
          values="'kTCCServiceScreenCapture','/opt/off/opt/runner/provisioner/provisioner',1,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1687786159"
          if [[ "${{ matrix.os_version }}" == "14" ]]; then
            # TCC access table in Sonoma has extra 4 columns: pid, pid_version, boot_uuid, last_reminded
            values="${values},NULL,NULL,'UNUSED',${values##*,}"
          fi

          # system and user databases
          dbPaths=(
            "/Library/Application Support/com.apple.TCC/TCC.db"
            "$HOME/Library/Application Support/com.apple.TCC/TCC.db"
          )

          sqlQuery="INSERT OR IGNORE INTO access VALUES($values);"

          for dbPath in "${dbPaths[@]}"; do
            echo "Column names for $dbPath"
            echo "-------------------"
            sudo sqlite3 "$dbPath" "PRAGMA table_info(access);"
            echo "Current permissions for $dbPath"
            echo "-------------------"
            sudo sqlite3 "$dbPath" "SELECT * FROM access WHERE service='kTCCServiceScreenCapture';"
            sudo sqlite3 "$dbPath" "$sqlQuery"
            echo "Updated permissions for $dbPath"
            echo "-------------------"
            sudo sqlite3 "$dbPath" "SELECT * FROM access WHERE service='kTCCServiceScreenCapture';"
          done

Platforms affected

  • Azure DevOps
  • GitHub Actions - Standard Runners
  • GitHub Actions - Larger Runners

Runner images affected

  • Ubuntu 20.04
  • Ubuntu 22.04
  • macOS 11
  • macOS 12
  • macOS 13
  • macOS 13 Arm64
  • macOS 14
  • macOS 14 Arm64
  • Windows Server 2019
  • Windows Server 2022

Image version and build link

Image: macos-13
Version: 20240219.1
Included Software: https://github.com/actions/runner-images/blob/macos-13/20240219.1/images/macos/macos-13-Readme.md
Image Release: https://github.com/actions/runner-images/releases/tag/macos-13%2F20240219.1

Is it regression?

Unknown.

Expected behavior

Permission should already be defined for /opt/off/opt/runner/provisioner/provisioner like the /usr/local/opt/runner/provisioner/provisioner.

Actual behavior

Permission is not defined.

Repro steps

  1. Build app in Macports that requires screen sharing permission.
  2. Run test on app
@ReenigneArcher ReenigneArcher mentioned this issue Mar 18, 2024
Closed
4 tasks
@Vyazovoy Vyazovoy mentioned this issue Mar 18, 2024
Open
10 tasks
@Alexey-Ayupov
Copy link
Collaborator

Hello @ReenigneArcher. The Macports is not part of our software installed list and we wouldn't like to add permission for this application. Also the current images of macOS 13 and 14 allow runtime TCC.db updating, so you can continue using your workaround.
If you have any other questions feel free to reach us.

@ReenigneArcher
Copy link
Author

I'm aware that Macports is not part of the included software, but I assume the /opt/off/opt/runner/provisioner/provisioner is?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug report OS: macOS
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(macOS): update kTCCServiceScreenCapture permissions ReenigneArcher/runner-images
2 participants
@ReenigneArcher @Alexey-Ayupov