The Curious Case of the Responsible Process
As it turns out, permissions are inherited by child processes. And when a process is about to access some protected resource, the TCC subsystem figures out which process is the responsible one, and uses that as basis for requesting and persisting the result.
[…]
In the case of an application embedding and launching helper executables this behavior of course makes sense, but it can be a bit surprising in cases such as launching apps from the terminal.
[…]
As it turned out, since Qt Creator was launching user applications when running and debugging, it was effectively becoming the responsible process for all these user applications. And if one of them required a permission that needed a corresponding usage description, then the only way to make the application work was to add the description to the responsible process; Qt Creator.
[…]
Somehow `lldb` was circumventing the logic that was deciding which process was the responsible one. Luckily LLDB is part of the open source LLVM project, so I was able to track it down to this change, with the magic formula:

```c
int responsibility_spawnattrs_setdisclaim(posix_spawnattr_t attrs, int disclaim);
```
He says it “just works” with Xcode, though he isn’t sure why, but my experience is that often neither Xcode nor the app prompts for Automation or Contacts access when running an app or testing and so the APIs just fail.
Via Peter Steinberger (tweet):
If you’re building a macOS CLI that uses AppleScript, you need to embed an Info.plist into your binary, sign it with proper entitlements, and optionally use the undocumented `responsibility_spawnattrs_setdisclaim` API to avoid permission dialogs that blame the hosting app. […]
Getting AppleScript to work in a CLI tool turned out to be a maze of undocumented APIs, security permissions, and macOS quirks that nobody warns you about.
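As an added example (not code from the quoted posts or from LLDB), here is how a launcher could ask for a child to become its own responsible process, so that TCC prompts and grants are attributed to the child rather than accumulating on the launcher. The helper name `spawn_disclaimed` is hypothetical, and the prototype of the undocumented function is an assumption (it is called with a pointer to the attributes object); the weak declaration lets the same code run where the symbol does not exist.

```c
#include <errno.h>
#include <spawn.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>

extern char **environ;

/* Undocumented macOS API named on this page. The prototype is an assumption;
 * declared weak, so its address is NULL on systems that lack the symbol. */
extern int responsibility_spawnattrs_setdisclaim(posix_spawnattr_t *attrs,
                                                 int disclaim) __attribute__((weak));

/* Hypothetical helper: spawn argv[0] (looked up in PATH) and wait for it.
 * *disclaimed is set to 1 only if the disclaim request was accepted.
 * Returns the child's exit status, or -1 on spawn/wait failure or signal. */
int spawn_disclaimed(char *const argv[], int *disclaimed)
{
    posix_spawnattr_t attr;
    pid_t pid;
    int status, rc;

    *disclaimed = 0;
    if (posix_spawnattr_init(&attr) != 0)
        return -1;
    if (responsibility_spawnattrs_setdisclaim != NULL &&
        responsibility_spawnattrs_setdisclaim(&attr, 1) == 0)
        *disclaimed = 1;

    rc = posix_spawnp(&pid, argv[0], NULL, &attr, argv, environ);
    posix_spawnattr_destroy(&attr);
    if (rc != 0)
        return -1;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[])
{
    int disclaimed, rc;

    if (argc < 2)
        return 2; /* usage: launcher command [args...] */
    rc = spawn_disclaimed(argv + 1, &disclaimed);
    fprintf(stderr, "disclaim %s, child status %d\n",
            disclaimed ? "requested" : "unavailable", rc);
    return rc < 0 ? 1 : rc;
}
```

When the disclaim is unavailable the child still runs, but it is launched the ordinary way, so the launcher should surface that fact (as `main` does here) instead of assuming the attribution changed.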
Previously:
- Claude Code Experience
- DropDMG 3.6.9
- Avoiding AppleScript Security and Privacy Requests
- Mojave Privacy Protection Aftermath
- AEDeterminePermissionToAutomateTarget Added, But AEpocalyse Still Looms
1 Comment
I'm getting flashbacks reading this. TCC is my nemesis.
And yes, Qt Creator has been granted every single permission imaginable because of all of the software I'm developing in it! So has iTerm.