

Automate TCC permission grants if SIP is disabled.
Closes #21.
kdeldycke committed Mar 11, 2022
1 parent 72d789c commit 0959511
Showing 2 changed files with 55 additions and 50 deletions.
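--- a/install.sh
+++ b/install.sh
@@ -18,10 +18,11 @@ if [ $? != 0 ]; then
 fi
 
 # Check if SIP is going to let us mess with some part of the system.
-if [[ "$(csrutil status | grep --quiet "disabled"; echo $?)" -ne 0 ]]; then
-echo "System Integrity Protection (SIP) is enabled."
-else
+SIP_DISABLED=$(csrutil status | grep --quiet "enabled"; echo $?)
+if [[ ${SIP_DISABLED} -ne 0 ]]; then
+echo "System Integrity Protection (SIP) is disabled."
+else
 echo "System Integrity Protection (SIP) is enabled."
 fi
 
 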
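Review bot: `SIP_DISABLED` is derived from the absence of the word "enabled" in `csrutil status` output, so the check fails open: if `csrutil` is missing, errors out, or prints something unexpected, `grep` still exits non-zero and the script treats SIP as disabled, which is the state that later unlocks the `tccutil` writes in macos-config.sh. The variable's name is also inverted relative to what it stores (0 means SIP is enabled). Testing for the positive condition keeps the `-ne 0` consumers working and fails closed: `if csrutil status | grep --quiet "status: disabled"; then SIP_DISABLED=1; else SIP_DISABLED=0; fi`. Note that `csrutil status` can presumably also report a custom configuration with per-feature lines, in which case neither the old nor the proposed substring match describes the full state; a comment saying the script treats anything other than a fully disabled SIP as enabled would make that choice explicit.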
98 changes: 51 additions & 47 deletions macos-config.sh
Expand Up @@ -34,63 +34,67 @@ HOST_UUID=$(ioreg -d2 -c IOPlatformExpertDevice | awk -F\" '/IOPlatformUUID/{pri
###############################################################################
# Permissions and Access #
###############################################################################
# XXX tccutil commands below only works if SIP is disabled.

# CLI to open the automation preference panel:
# ❯ open "x-apple.systempreferences:com.apple.preference.security?Privacy_Automation"

#
# Raw list of permission names:
# ❯ strings /System/Library/PrivateFrameworks/TCC.framework/Versions/Current/Resources/tccd | grep "^kTCCService[A-Z a-z]" | sort | uniq

# Ask for the administrator password upfront
sudo -v

# List existing entries for debug.
sudo tccutil --list

# Add Terminal as a developer tool. Any app referenced in the hidden Developer
# Tools category will be able to bypass GateKeeper.
# Source: an Apple Xcode engineer at:
# https://news.ycombinator.com/item?id=23278629
# https://news.ycombinator.com/item?id=23273867
sudo spctl developer-mode enable-terminal
sudo tccutil --service "kTCCServiceDeveloperTool" --insert "com.apple.Terminal"
sudo tccutil --service "kTCCServiceDeveloperTool" --enable "com.apple.Terminal"

# Since 10.15, BSD-userland processes now also deal with sandboxing, since the
# BSD syscall ABI is now reimplemented in terms of macOS security capabilities.
# Source: https://news.ycombinator.com/item?id=23274213
#
# Also, some plist preferences files are not readable either by the user or root
# unless the Terminal.app gets Full Disk Access permission.
#
# ❯ cat /Users/kde/Library/Preferences/com.apple.AddressBook.plist
# cat: /Users/kde/Library/Preferences/com.apple.AddressBook.plist: Operation not permitted
#
# ❯ sudo cat /Users/kde/Library/Preferences/com.apple.AddressBook.plist
# Password:
# cat: /Users/kde/Library/Preferences/com.apple.AddressBook.plist: Operation not permitted
# tccutil commands below only works if SIP is disabled.
if [[ ${SIP_DISABLED} -ne 0 ]]; then
echo "System Integrity Protection (SIP) is disabled."

# List existing entries for debug.
sudo tccutil --list

# Add Terminal as a developer tool. Any app referenced in the hidden Developer
# Tools category will be able to bypass GateKeeper.
# Source: an Apple Xcode engineer at:
# https://news.ycombinator.com/item?id=23278629
# https://news.ycombinator.com/item?id=23273867
sudo spctl developer-mode enable-terminal
sudo tccutil --service "kTCCServiceDeveloperTool" --insert "com.apple.Terminal"
sudo tccutil --service "kTCCServiceDeveloperTool" --enable "com.apple.Terminal"

# Since 10.15, BSD-userland processes now also deal with sandboxing, since the
# BSD syscall ABI is now reimplemented in terms of macOS security capabilities.
# Source: https://news.ycombinator.com/item?id=23274213
#
# Also, some plist preferences files are not readable either by the user or root
# unless the Terminal.app gets Full Disk Access permission.
#
# ❯ cat /Users/kde/Library/Preferences/com.apple.AddressBook.plist
# cat: /Users/kde/Library/Preferences/com.apple.AddressBook.plist: Operation not permitted
#
# ❯ sudo cat /Users/kde/Library/Preferences/com.apple.AddressBook.plist
# Password:
# cat: /Users/kde/Library/Preferences/com.apple.AddressBook.plist: Operation not permitted

# Grant Full Disk Access permission
for app (
"com.apple.Terminal"
"/Applications/BlockBlock.app"
"/Applications/KnockKnock.app"
); do
sudo tccutil --service "kTCCServiceSystemPolicyAllFiles" --insert "${app}"
sudo tccutil --service "kTCCServiceSystemPolicyAllFiles" --enable "${app}"
done

# Grant Full Disk Access permission
for app (
"com.apple.Terminal"
"/Applications/BlockBlock.app"
"/Applications/KnockKnock.app"
); do
sudo tccutil --service "kTCCServiceSystemPolicyAllFiles" --insert "${app}"
sudo tccutil --service "kTCCServiceSystemPolicyAllFiles" --enable "${app}"
done
# Grant Accessibility permission
for app (
"/Applications/Amethyst.app"
"/Library/Application Support/Logitech.localized/Logitech Options.localized/Logi Options Daemon.app"
"/Applications/Logi Options.app"
"/Applications/MonitorControl.app"
); do
sudo tccutil --insert "${app}"
sudo tccutil --enable "${app}"
done

# Grant Accessibility permission
for app (
"/Applications/Amethyst.app"
"/Library/Application Support/Logitech.localized/Logitech Options.localized/Logi Options Daemon.app"
"/Applications/Logi Options.app"
"/Applications/MonitorControl.app"
); do
sudo tccutil --insert "${app}"
sudo tccutil --enable "${app}"
done
fi


###############################################################################
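Review bot: The new guard `if [[ ${SIP_DISABLED} -ne 0 ]]; then` reads a variable that this file never sets; it comes from install.sh, so when macos-config.sh is run on its own the expansion is empty, the comparison is false and the whole permissions block is skipped without any message (or aborts if the shell runs with `set -u`, which is not visible here). Asserting the contract at the top of the block makes that explicit, e.g. `: "${SIP_DISABLED:?set by install.sh from csrutil status}"`. The `echo "System Integrity Protection (SIP) is disabled."` inside the block also repeats the message install.sh already prints in the same situation and could be dropped. Minor: the comment `# tccutil commands below only works if SIP is disabled.` should read `only work`. The enclosing file continues past this hunk.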
