bdash

I've recently been working to understand what triggers certain TCC prompts on macOS. During this investigation I noticed something that many prior analyses of TCC overlook: TCC prompts can be triggered not only by system frameworks, but by the Sandbox kernel extension in response to rules defined by the platform sandbox policy.

My latest blog post documents the sandbox features behind this and provides examples of some of the responsible sandbox policies.

https://bdash.net.nz/posts/tcc-and-the-platform-sandbox-policy/

TCC and the macOS Platform Sandbox Policy // Mark Rowe

How some macOS privacy prompts are triggered from within the kernel via sandbox policies

Dec 2, 2024 at 4:24amWeb
Show threadCsaba FitzlApr 11, 2025
@mrowe Hi! How did you get the storage-class locations/details?
Show threadbdashApr 11, 2025
@theevilbit I’ve written a decompiler for sandbox profiles which made it possible to analyze the logic the system sandbox policy uses to assign storage classes.