Accessibility Permissions for the app deployed in macOS

[abdullah-lt]

Description

I have an app that requires screen recording and full disk permission to work correctly. If the macOS machine had SIP disabled, I would have been able to do it by updating db entries of TCC.db.

Area for Triage:
Apple

Question, Bug, or Feature?:
Question

Virtual environments affected

• macOS 10.15
• Ubuntu 16.04 LTS
• Ubuntu 18.04 LTS
• Ubuntu 20.04 LTS
• Windows Server 2016 R2
• Windows Server 2019

Expected behavior
Allow access to permissions as requested by the app deployed in the VM.

Actual behavior
When the app is run, a dialog box appears and ask to Grant Access.

Repro steps
Deploy an App that records the system (using ffmpeg)

[abdullah-lt]

sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "select * from access;" | grep kTCCServiceScreenCapture

kTCCServiceScreenCapture|com.apple.screensharing.agent|0|1|1||||UNUSED||0|1597306440

I think if we allow terminal to have screen recording permissions than the application will be able to do screen recording.
Is it possible to update TCC.db entries ?

[miketimofeev]

Hi @abdullah-lt!
We're not going to disable SIP in the nearest feature, please take a look at this comment
#650 (comment)

However, we will consider updating TCC.db entry.
Could you provide a test scenario so we can reproduce it on the VM, capture required permissions, and add them to the TCC.db?

[abdullah-lt]

Hi @miketimofeev
Here is the sample repo I created to reproduce it on the VM
https://github.com/LambdaTest/lambda-github-actions

Recorder is a golang binary which records video for 5 seconds. Here is the code if you are interested in reading it.

package main
import (
	"bytes"
	"fmt"
	"os/exec"
	"strings"
)
func main() {
	args := strings.Split("-f avfoundation -i 0 -pix_fmt yuv420p -r 25 -t 5 testing_out.mov", " ")
	cmd := exec.Command("ffmpeg",  args...)
	fmt.Println("starting video recording")
	var out bytes.Buffer
	var stderr bytes.Buffer
	cmd.Stdout = &out
	cmd.Stderr = &stderr
	err := cmd.Run()
	if err != nil {
		print("error is", err.Error(), stderr.String())
		return
	}
	print("result", out.String())
}

• The sample workflow will do following steps

1. Install ffmpeg
2. Start golang binary that records video for 5 seconds
3. Upload the video(testing_out.mov) as output artifcats

Also as per this link, we were able to update TCC.db but now we can't. Any reason why it is now disabled ?

[miketimofeev]

@abdullah-lt sorry, I meant not the repo that shows an inability to insert anything into TCC.db, but the repo that tries to capture the screen and fails with an error. Because to add something to TCC.db we need to know the exact application name\path and required service to access, like
/bin/bash and kTCCServiceSystemPolicyAllFiles

Start golang binary that records video for 5 seconds

Does this binary use some macOS software to capture the screen or the binary itself do all the job?

Also as per this link, we were able to update TCC.db but now we can't. Any reason why it is now disabled?

In the link, we updated not the /Library/Application\ Support/com.apple.TCC/TCC.db but $HOME/Library/Application\ Support/com.apple.TCC/TCC.db and this db in $HOME can be updated with SIP enabled, but it contains only user-specific records, which are not enough, unfortunately.

[abdullah-lt]

@miketimofeev I have updated the above repo. Let me know if you require some more input.

Does this binary use some macOS software to capture the screen or the binary itself do all the job

It uses FFmpeg to capture video which is installed using brew

[miketimofeev]

@abdullah-lt thanks! I've cloned your repo and run

chmod +x Recorder
brew install ffmpeg
./Recorder

Then I logoned to the test VM and there were no security pop-ups there even though the Recorder process was running

[abdullah-lt]

@miketimofeev That's strange. My actions are running from last 20 minutes and is stuck (probably waiting for access).
Could you please check if the video file (testing_out.mov) is created.

[miketimofeev]

@abdullah-lt strange indeed. My action based on your repo is also stuck and in the test VM, which took the run, there are no pop-ups neither testing_out.mov

[abdullah-lt]

@miketimofeev The only thing I can think of is that somehow the system automatically denied screen recording permission to the terminal. Then the Recorder binary will be stuck forever waiting for permission. Could you try running ffmpeg command directly on the terminal which will give you better output on what is happening

ffmpeg -f avfoundation -i 0 -pix_fmt yuv420p -r 25 -t 5 testing_out.mov

If this doesn't work, just replace -i flag value with "1" instead of "0"

If the command is still stuck, then just enable the screen recording permission for the terminal and again run the above command. It should work then and will create a file testing_out.mov

I have verified the same on my catalina system

[miketimofeev]

@abdullah-lt the problem is that it's not executed by the terminal directly, there is a level of abstraction that includes runner, which does all the job. So if I run ffmpeg -f avfoundation -i 0 -pix_fmt yuv420p -r 25 -t 5 testing_out.mov directly from VM terminal it asks for permission


And after I restarted the terminal it finally works.
I disabled SIP and checked what entries were added to TCC.db and it's

service|client|client_type|allowed|prompt_count|csreq|policy_id|indirect_object_identifier_type|indirect_object_identifier|indirect_object_code_identity|flags|last_modified
kTCCServiceScreenCapture|com.apple.Terminal|0|1|1|??
                                                    |||UNUSED||0|1599818715

Next, I prepared a VM with SIP disabled and run the following script in action:

sudo sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" "insert into access (service, client, client_type, allowed, prompt_count, indirect_object_identifier, flags) values ('kTCCServiceScreenCapture', 'com.apple.Terminal', 0, 1, 1, 'UNUSED', 0)"
brew install ffmpeg
ffmpeg -f avfoundation -i 0 -pix_fmt yuv420p -r 25 -t 5 testing_out.mov

with a bit better result

 configuration: --prefix=/usr/local/Cellar/ffmpeg/4.3.1 --enable-shared --enable-pthreads --enable-version3 --enable-avresample --cc=clang --host-cflags= --host-ldflags= --enable-ffplay --enable-gnutls --enable-gpl --enable-libaom --enable-libbluray --enable-libdav1d --enable-libmp3lame --enable-libopus --enable-librav1e --enable-librubberband --enable-libsnappy --enable-libsrt --enable-libtesseract --enable-libtheora --enable-libvidstab --enable-libvorbis --enable-libvpx --enable-libwebp --enable-libx264 --enable-libx265 --enable-libxml2 --enable-libxvid --enable-lzma --enable-libfontconfig --enable-libfreetype --enable-frei0r --enable-libass --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-libopenjpeg --enable-librtmp --enable-libspeex --enable-libsoxr --enable-videotoolbox --disable-libjack --disable-indev=jack
  libavutil      56. 51.100 / 56. 51.100
  libavcodec     58. 91.100 / 58. 91.100
  libavformat    58. 45.100 / 58. 45.100
  libavdevice    58. 10.100 / 58. 10.100
  libavfilter     7. 85.100 /  7. 85.100
  libavresample   4.  0.  0 /  4.  0.  0
  libswscale      5.  7.100 /  5.  7.100
  libswresample   3.  7.100 /  3.  7.100
  libpostproc    55.  7.100 / 55.  7.100
[AVFoundation indev @ 0x7fade342a600] Configuration of video device failed, falling back to default.
[avfoundation @ 0x7fade3814600] Selected pixel format (yuv420p) is not supported by the input device.
[avfoundation @ 0x7fade3814600] Supported pixel formats:
[avfoundation @ 0x7fade3814600]   uyvy422
[avfoundation @ 0x7fade3814600]   yuyv422
[avfoundation @ 0x7fade3814600]   nv12
[avfoundation @ 0x7fade3814600]   0rgb
[avfoundation @ 0x7fade3814600]   bgr0
[avfoundation @ 0x7fade3814600] Overriding selected pixel format to use uyvy422 instead.

And then it stuck as before.
i -1 gives:

[AVFoundation indev @ 0x7fe240c05980] Invalid device index
1: Input/output error

I wonder if the issue is somehow related to non-interactive mode because it runs fine directly in the VM.

[miketimofeev]

@abdullah-lt looks like I've managed to find a solution 🥳
ffmpeg -f avfoundation -i 0 -pix_fmt uyvy422 -r 25 -t 5 testing_out.mov
works after adding this entry:
sudo sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" "insert into access (service, client, client_type, allowed, prompt_count, indirect_object_identifier, flags) values ('kTCCServiceScreenCapture', '/bin/bash', 1, 1, 1, 'UNUSED', 0)"
testing_out.mov created succesfully.
However, Recorder produces an error during the execution:

[avfoundation @ 0x7fa4da014400] Stream #0: not enough frames to estimate rate; consider increasing probesize
Input #0, avfoundation, from '0':
  Duration: N/A, start: 961.796167, bitrate: N/A
    Stream #0:0: Video: rawvideo (UYVY / 0x59565955), uyvy422, 1904x885, 1000k tbr, 1000k tbn, 1000k tbc
Stream mapping:
  Stream #0:0 -> #0:0 (rawvideo (native) -> h264 (libx264))
Press [q] to stop, [?] for help
[libx264 @ 0x7fa4dd84ce00] height not divisible by 2 (1904x885)
Error initializing output stream 0:0 -- Error while opening encoder for output stream #0:0 - maybe incorrect parameters such as bit_rate, rate, width or height
Conversion failed!

[abdullah-lt]

@miketimofeev That's great news. The above error looks like some encoding issue which can be solved by using a different encoder.

Would it be possible to add the above SQL entry to the mac machines, so that we can use the screen recording feature of Mac?

[miketimofeev]

@abdullah-lt yes, I've just added the entry. The new image will be available next week if nothing blocks the deployment. I'll let you know when it's done.

[abdullah-lt]

Thanks, @miketimofeev. Looking forward to it.

[miketimofeev]

@abdullah-lt we've successfully deployed the new image. Could you please check the behavior?

[abdullah-lt]

@miketimofeev I have tested the screen recording and it's working now. Thanks for the quick deployment. Should I close the issue now?

[miketimofeev]

@abdullah-lt great! Yes, the issue can be closed.
Thank you!