Prevent TCC Database Tampering

macOS Transparency, Consent, and Control (TCC) is the system that manages privacy permissions - deciding which apps can access the camera, microphone, contacts, calendar, location, and other sensitive data. All these permissions are stored in SQLite databases called TCC.db.

There are two TCC databases:

• System-level: /Library/Application Support/com.apple.TCC/TCC.db
• User-level: ~/Library/Application Support/com.apple.TCC/TCC.db

Attackers who can modify these databases can grant themselves access to any protected resource without triggering permission prompts. This allows malware to:

• Enable camera and microphone access silently
• Read contacts and calendar data
• Access photos and location data
• Bypass all TCC protections

Even with System Integrity Protection (SIP), the user-level TCC database can be vulnerable to tampering if the user has admin rights or if malware exploits vulnerabilities.

This file access rule locks down both TCC databases so only the system TCC daemon (tccd) can write to them, preventing unauthorized permission grants.

This rule protects the TCC database files including:

• TCC.db: The main SQLite database
• TCC.db-shm: SQLite shared memory file
• TCC.db-wal: SQLite write-ahead log

All three files must be protected for complete security, as SQLite uses all three files during operation.

The rule blocks write access but allows read access, so security tools can still audit TCC permissions.

Note: This does NOT prevent legitimate permission grants through System Settings or TCC prompts - those go through tccd which is explicitly allowed.

Only the TCC daemon (tccd) should legitimately write to these databases. However, some edge cases may need consideration:

• Security tools that audit TCC permissions (should only need read access)
• Migration tools when setting up new Macs (run during setup before this rule is active)
• MDM tools that pre-configure TCC (should use proper APIs, not direct database access)

If you have legitimate tools that need to modify TCC, work with the vendor to use proper Apple APIs instead of direct database manipulation.

1. Try to directly modify TCC.db: sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db "SELECT * FROM access" (read should work)
2. Try to write to TCC.db: sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db "DELETE FROM access WHERE client='test'" (should be blocked)
3. Grant permission through System Settings (should work normally)
4. Verify apps can still request TCC permissions through normal prompts (should work)

Monitor FAA events for blocked attempts to write to TCC.db files. This is a high-signal alert - any attempt to directly write to TCC.db is suspicious.

Look for:

• Scripts or compiled code trying to modify TCC.db
• Database tools (sqlite3, DB Browser) trying to write to TCC.db
• Unknown processes attempting TCC.db access

Legitimate TCC changes always go through tccd, never through direct database writes.