macOS development - File and Folder & Disk full access

Article Directory

First, Permission Description
Second, the `` file and folder permissions

1, requires authorization directory
2, authorize action
3, no authorization directory

Third, the full disk access

1, manual additions and deletions
2, and file and folder permissions related
3, under the SIP can not command full disk access
4, judge authorized full access to the disk

First, Permission Description

About two rights, I do not see specific proposals to Apple developers.
According to: https://support.apple.com/zh-cn/guide/mac-help/mh32356/mac , for users, these two rights are

Complete Disk Access : display can access the App all the files on your computer, including other App (such as "mail", "information", Safari browser and "family") on the data, the data time machine backup and this Mac part of the management settings for all users.

Files and folders : This display can be accessed on the Mac App different locations of files and folders. If you want to block access to files and folders, deselect the App.

Related url Jump:

/*
    Privacy_AllFiles 完全磁盘访问权限
    Privacy_Assistive 文件和文件夹
*/
NSString *urlString = @"x-apple.systempreferences:com.apple.preference.security?Privacy_Assistive";
    [[NSWorkspace sharedWorkspace] openURL:[NSURL URLWithString:urlString]];

Second, the `文件和文件夹`authority

1, requires authorization directory

Reference from: https://nektony.com/duplicate-finder-free/folders-permission

Here Insert Picture Description

文件和文件夹 Rights, mainly for the following few folders (there are other folders like to inform):

Desttop Folder Desktop folder, ~/Desktop
Documents Folder "documents" folder, ~/Documents
Downloads Foder download folder, ~/Downloads
Removable Volumes removable volume (e.g., U-disk), as /Volumes/SSWD
Network Volumes server files

2, authorize action

In the SIP open state, when the above-mentioned application to access the folder, the pop-up window will prompt the user to authorize:

Here Insert Picture Description

The results will be displayed in the authorization 系统偏好设置-> 安全性与隐私-> 隐私-> 文件和文件夹in.

3, no authorization directory

Since the directory is not clear what specific authorization is required, so the test the following directories, they are not required files and folders or a full disk access

/Applications
~
~/Library
~/Library/Containers
~/Library/WebKit
~/Library/QuickTime You can read data
~/Pictures
~/Music
~/Library/Mobile Documents
~/Library/Mobile\ Documents/com\~apple\~ScriptEditor2/Documents

Third, the full disk access

1, manual additions and deletions

In the Preferences panel can manually add and remove applications.

Click Add, open the folder to select.

Here Insert Picture Description

2, and file and folder permissions related

Have full access to disks, files and folders will be displayed.

Has been authorized, full disk access, the access to the desktop, etc., will not continue to require authorization.

Here Insert Picture Description

3, under the SIP can not command full disk access

1）
tccutil reset all com.ms.VideoEditDemo

2）

$ tccutil reset AllFiles
tccutil: Failed to reset database

$ tccutil reset Assistive
tccutil: Failed to reset database

Above commands is not the same as removing the microphone permission to remove full access to the disk and folder permissions. Manual removal is the best way.

Non-SIP to be tested.

4, judge authorized full access to the disk

provided by @HsiangHo

typedef NS_ENUM(NSUInteger, FDAAuthorizationStatus) {
    FDAAuthorizationStatusNotDetermined = 0,
    FDAAuthorizationStatusDenied,  
    FDAAuthorizationStatusAuthorized
} NS_SWIFT_NAME(AuthorizationStatus);

NS_ASSUME_NONNULL_BEGIN

@interface FullDiskAccessAuthorizer : NSObject

+ (instancetype)sharedInstance;
- (FDAAuthorizationStatus)authorizationStatus;
- (void)requestAuthorization;

@end


#import "FullDiskAccessAuthorizer.h"
#import <pwd.h>
#import <Cocoa/Cocoa.h>

static FullDiskAccessAuthorizer *instance;
@implementation FullDiskAccessAuthorizer

+ (instancetype)sharedInstance {
    @synchronized (self) {
        if(nil == instance) {
            instance = [[FullDiskAccessAuthorizer alloc] init];
        }
        return instance;
    }
}

- (FDAAuthorizationStatus)authorizationStatus {
    
    NSString *userHomePath = NSHomeDirectory();
    
    BOOL isSandboxed = (nil != NSProcessInfo.processInfo.environment[@"APP_SANDBOX_CONTAINER_ID"]);
    
    NSLog(@"isSandboxed : %d",isSandboxed);
    
    if (isSandboxed)
    {
        struct passwd *pw = getpwuid(getuid());
        assert(pw);
        userHomePath = [NSString stringWithUTF8String:pw->pw_dir];
    }

    NSString *path = [userHomePath stringByAppendingPathComponent:@"Library/Safari"];
    
    NSLog(@"userHomePath : %@, path : %@",userHomePath,path);
    
    BOOL fileExists = [[NSFileManager defaultManager] fileExistsAtPath:path];
    NSArray<NSString *> *paths = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:path error:nil];
    
    NSLog(@"paths : %@",paths);
    
    if (paths == nil && fileExists){
        return FDAAuthorizationStatusDenied;
    } else if (fileExists) {
        return FDAAuthorizationStatusAuthorized;
    } else {
        return FDAAuthorizationStatusNotDetermined;
    }
}

- (void)requestAuthorization {
    if (@available(macOS 10.14, *)){
        [[NSWorkspace sharedWorkspace] openURL:[NSURL URLWithString:@"x-apple.systempreferences:com.apple.preference.security?Privacy_AllFiles"]];
    }
}

@end