actions / runner-images

GitHub Actions runner images
MIT License

macOS 13/14 missing permission for kTCCServiceScreenCapture #9529

Closed ReenigneArcher closed 7 months ago

ReenigneArcher commented 7 months ago

Description

When building my application on macOS-13 or macOS-14 using MacPorts, unit tests fail due to a missing permission for kTCCServiceScreenCapture.

I ran the below code before and after my test code, and discovered the cause.

sudo sqlite3 \
  "/Library/Application Support/com.apple.TCC/TCC.db" \
  "SELECT * FROM access WHERE service='kTCCServiceScreenCapture';"

Before results:

kTCCServiceScreenCapture|/bin/bash|1|2|0|1||||UNUSED||0|1599831148
kTCCServiceScreenCapture|/usr/local/opt/runner/provisioner/provisioner|1|2|4|1|||0|UNUSED||0|1687786159
kTCCServiceScreenCapture|com.apple.screensharing.agent|0|2|4|1|||0|UNUSED||0|1708076718
kTCCServiceScreenCapture|com.devexpress.testcafe-browser-tools|0|2|3|1|��||0|UNUSED||0|1687952810

After results:

kTCCServiceScreenCapture|/bin/bash|1|2|0|1||||UNUSED||0|1599831148
kTCCServiceScreenCapture|/opt/off/opt/runner/provisioner/provisioner|1|0|4|1|��||0|UNUSED||0|1710767319
kTCCServiceScreenCapture|/usr/local/opt/runner/provisioner/provisioner|1|2|4|1|||0|UNUSED||0|1687786159
kTCCServiceScreenCapture|com.apple.screensharing.agent|0|2|4|1|||0|UNUSED||0|1708076718
kTCCServiceScreenCapture|com.devexpress.testcafe-browser-tools|0|2|3|1|��||0|UNUSED||0|1687952810

The difference is that /opt/off/opt/runner/provisioner/provisioner has requested permission after my test.

For some reason MacPorts is using /opt/off/opt/runner/provisioner/provisioner on macOS-13 and 14, but not on 12.

As a workaround, I did the following.

      - name: Fix screen capture permissions
        if: ${{ matrix.os_version != 12 }}  # macOS-12 is okay
        run: |
          # https://apple.stackexchange.com/questions/362865/macos-list-apps-authorized-for-full-disk-access

          # permissions for screen capture
          values="'kTCCServiceScreenCapture','/opt/off/opt/runner/provisioner/provisioner',1,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1687786159"
          if [[ "${{ matrix.os_version }}" == "14" ]]; then
            # TCC access table in Sonoma has extra 4 columns: pid, pid_version, boot_uuid, last_reminded
            values="${values},NULL,NULL,'UNUSED',${values##*,}"
          fi

          # system and user databases
          dbPaths=(
            "/Library/Application Support/com.apple.TCC/TCC.db"
            "$HOME/Library/Application Support/com.apple.TCC/TCC.db"
          )

          sqlQuery="INSERT OR IGNORE INTO access VALUES($values);"

          for dbPath in "${dbPaths[@]}"; do
            echo "Column names for $dbPath"
            echo "-------------------"
            sudo sqlite3 "$dbPath" "PRAGMA table_info(access);"
            echo "Current permissions for $dbPath"
            echo "-------------------"
            sudo sqlite3 "$dbPath" "SELECT * FROM access WHERE service='kTCCServiceScreenCapture';"
            sudo sqlite3 "$dbPath" "$sqlQuery"
            echo "Updated permissions for $dbPath"
            echo "-------------------"
            sudo sqlite3 "$dbPath" "SELECT * FROM access WHERE service='kTCCServiceScreenCapture';"
          done

Platforms affected

Runner images affected

Image version and build link

Image: macos-13
Version: 20240219.1
Included Software: https://github.com/actions/runner-images/blob/macos-13/20240219.1/images/macos/macos-13-Readme.md
Image Release: https://github.com/actions/runner-images/releases/tag/macos-13%2F20240219.1

Is it regression?

Unknown.

Expected behavior

Permission should already be defined for /opt/off/opt/runner/provisioner/provisioner like the /usr/local/opt/runner/provisioner/provisioner.

Actual behavior

Permission is not defined.

Repro steps

  1. Build app in MacPorts that requires screen sharing permission.
  2. Run test on app
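
Added example (not part of the original issue or the runner-images project): a read-only Python check that snapshots the screen-capture rows by column name before and after a test run and reports what changed. The in-memory table is a constructed, reduced stand-in for TCC.db, and the auth_value labels are the commonly documented meanings, an assumption the issue does not state.

```python
import sqlite3

# auth_value labels as commonly documented for the TCC access table
# (assumption; the issue itself does not define them).
AUTH = {0: "denied", 1: "unknown", 2: "allowed", 3: "limited"}
SERVICE = "kTCCServiceScreenCapture"

def snapshot(conn, service=SERVICE):
    """Map client -> auth_value, selecting by column name so the query works
    whether or not the table has the four extra Sonoma columns."""
    rows = conn.execute(
        "SELECT client, auth_value FROM access WHERE service = ?", (service,))
    return dict(rows)

def changes(before, after):
    """Return (client, old_label, new_label) for rows added or changed."""
    out = []
    for client, value in sorted(after.items()):
        old = before.get(client)
        if old != value:
            out.append((client,
                        "absent" if old is None else AUTH.get(old, str(old)),
                        AUTH.get(value, str(value))))
    return out

def demo():
    # Constructed in-memory stand-in for TCC.db, reduced to the columns used
    # here; the rows mirror the before/after output quoted in the issue.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, "
                 "client_type INTEGER, auth_value INTEGER, last_modified INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?)", [
        (SERVICE, "/bin/bash", 1, 2, 1599831148),
        (SERVICE, "/usr/local/opt/runner/provisioner/provisioner", 1, 2, 1687786159),
        (SERVICE, "com.apple.screensharing.agent", 0, 2, 1708076718),
        (SERVICE, "com.devexpress.testcafe-browser-tools", 0, 2, 1687952810),
    ])
    before = snapshot(conn)
    # Row that appeared after the test run: its fourth field (auth_value) is 0.
    conn.execute("INSERT INTO access VALUES (?,?,?,?,?)",
                 (SERVICE, "/opt/off/opt/runner/provisioner/provisioner", 1, 0, 1710767319))
    return changes(before, snapshot(conn))

if __name__ == "__main__":
    for client, old, new in demo():
        print(f"{client}: {old} -> {new}")
```

On a runner, `snapshot` would take a connection to one of the TCC.db paths used in the workaround above; the issue's own commands read the system database with sudo.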

Alexey-Ayupov commented 7 months ago

Hello @ReenigneArcher. MacPorts is not part of our installed software list, and we wouldn't like to add a permission for this application. Also, the current images of macOS 13 and 14 allow runtime TCC.db updating, so you can continue using your workaround. If you have any other questions, feel free to reach out to us.

ReenigneArcher commented 7 months ago

I'm aware that MacPorts is not part of the included software, but I assume the /opt/off/opt/runner/provisioner/provisioner is?