Are TCC permissions inherited by bundled extensions?

Hello,

If a user allows access to, for example, Removable Volumes (TCC permission) to the main app, will these permissions be inherited by a bundled Finder Extension from the main app?

More specifically, I have an app that bundles a Finder Extension and both the main app and the bundled extension need access to Removable Volumes. Only the main app can request it, since the main app is the only one that can prompt the user. If the user allows, will the bundled extension also receive the permissions?

If not, is there any workaround?

Regards.

Answered by DTS Engineer in 804408022

If a user allows access to, for example, Removable Volumes (TCC permission) to the main app, will these permissions be inherited by a bundled Finder Extension from the main app?

This is the kind of question that can only really be answered by testing it yourself. The general "philosophy" of the system is basically that TCC permission can/should be "inherited" by the "responsible" process. Depending on the situation, that includes cases like:

  • By default, processes inheriting the permissions of their parent process.

  • Executable app bundles (or extensions) inheriting the same permission granted to the application they're "inside".

However, the actual behavior for any given case depends on:

  1. Whatever intentional choices the relevant engineering team made.

  2. Whether or not there are bugs that interfere with that goal.

My expectation is that an extension would inherit Removable Volume authorization, however, the only way to actually know what will happen... is to test it.

Having said that:

More specifically, I have an app that bundles a Finder Extension and both the main app and the bundled extension need access to Removable Volumes.

Why? What are you actually trying to do here?

As a side comment, assuming you're talking about a "Finder Sync Extension", it sounds like you might be trying to use that extension point as a relatively "general" mechanism for expanding the Finder. Unfortunately, I'm afraid that is not a role they were ever intended to fill and they are in fact very bad at it.

The Finder Sync Extension point was built with a VERY specific and narrow use case in mind. It was ONLY intended to allow applications like "Dropbox" to provide custom badging and other UI tweaks for the specific directory hierarchy that app "owned". Outside of that use case, they don't work very well. For example:

- There are multiple directories (for example, "Applications") that simply will not work with the extension point, due to the internal implementation details of the Finder.

- They don't support any kind of nesting. Note that this means that modifying a large hierarchy can completely break the functionality of any extensions trying to operate inside that hierarchy and that this failure will basically be "invisible" to the inner extension.

Only the main app can request it, since the main app is the only one that can prompt the user. If the user allows, will the bundled extension also receive the permissions?

Yes, that's what I would expect.

If not, is there any workaround?

Probably, though the details depend a lot on what you're trying to do. How is your extension point "getting" its reference to the target volume? And are you monitoring a specific volume or trying to do something more general?

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware
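
One way to run the test the answer recommends, as an added example that is not part of the thread and not Apple's code: a Swift probe that tries to list the root of each removable or ejectable volume and logs the outcome, meant to be called from both the main app and the bundled extension so the two results can be compared. The function name, the `ProbeResult` type and the `com.example.tcc-probe` subsystem are assumptions made for illustration.

```swift
import Foundation
import os

// Added example. Names and the logging subsystem are hypothetical.
enum ProbeResult: String { case readable, denied, otherError }

/// Tries to list the root of every removable or ejectable volume and returns
/// one result per volume path. `caller` labels the log lines ("app", "extension").
func probeRemovableVolumes(caller: String) -> [String: ProbeResult] {
    let log = Logger(subsystem: "com.example.tcc-probe", category: caller)
    let keys: [URLResourceKey] = [.volumeIsRemovableKey, .volumeIsEjectableKey]
    let fm = FileManager.default
    var results: [String: ProbeResult] = [:]

    let volumes = fm.mountedVolumeURLs(includingResourceValuesForKeys: keys,
                                       options: [.skipHiddenVolumes]) ?? []
    for url in volumes {
        // Skip internal, fixed volumes; only removable media is of interest here.
        guard let values = try? url.resourceValues(forKeys: Set(keys)),
              values.volumeIsRemovable == true || values.volumeIsEjectable == true
        else { continue }

        let result: ProbeResult
        do {
            // Listing the volume root touches files on the volume.
            _ = try fm.contentsOfDirectory(atPath: url.path)
            result = .readable
        } catch let error as NSError {
            // A denial surfaces as a Cocoa "no permission" error wrapping EPERM.
            // An App Sandbox denial looks the same, so check the extension's
            // sandbox entitlements before reading "denied" as a TCC decision.
            let underlying = error.userInfo[NSUnderlyingErrorKey] as? NSError
            let isEPERM = underlying?.domain == NSPOSIXErrorDomain
                && underlying?.code == Int(EPERM)
            result = (error.code == NSFileReadNoPermissionError || isEPERM)
                ? .denied : .otherError
        }
        log.info("\(url.path, privacy: .public): \(result.rawValue, privacy: .public)")
        results[url.path] = result
    }
    return results
}
```

Run it in the app first, answer the prompt, then trigger the same call from the extension and compare the two logged results for the same volume.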
