lateralus (CVE-2023-32407) - a macOS TCC bypass (30500 USD)

We discussed this vulnerability during Episode 229 on 04 December 2023

A classic filesystem race condition in Metal-based macOS applications that can lead to a bypass of macOS' Transparency, Consent, and Control privacy framework (TCC). Applications that rely on the Metal framework look for the MTL_DUMP_PIPELINES_TO_JSON_FILE environment variable and write debugging data to the path it names, as that application, even if a file already exists at that path. This gives a limited file write primitive: the destination is controlled, but not the contents. It turns out the contents can be controlled too, because of how the file I/O was done: the framework opens a temporary file, writes the data to it, then renames it to the final path. Since the old and new paths of the rename are resolved separately, the temporary file can be opened (yielding a file descriptor to write to) while it sits in a safe directory, and the path can then be redirected with a symlink to some other privileged location between the two paths being resolved.

This yields an arbitrary file write as the given Metal application, bypassing TCC.