IOHIDDevice entitlements

Hi,

our audio plugins communicate with a controlling hardware device via Apples IOHIDDevice API, which according to
https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html
should be sandbox excepted by the

com.apple.security.device.usb
key, which I have test-wise placed and enabled, but communication can’t be established from inside a sandboxed DAW (checked with Ableton Live).
Any expertise on this?

Thanks & cheers,

Hagen.

Entitlements are only effective if applied to the main executable of a process. I’m not an expert on audio plug-ins, but my general understanding is that these plug-ins are not main executables but rather libraries (

MH_BUNDLE
or
MH_DYLIB
) that are loaded within a host app. If that’s the case here then it’s the host app’s entitlements that apply; the plug-in’s entitlements are simply ignored.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks Quinn, but I think you are wrong here:

https://developer.apple.com/library/archive/technotes/tn2247

is indicating the possibilty to control sandbox exceptions.

Thanks & cheers,

Hagen.

[TN2247] is indicating the possibilty to control sandbox exceptions.

Right. But all of its discussion around entitlements is focused on the application that’s hosting the plug-ins. I searched the technote for entitlement and here’s all the relevant quotes:

  • The application indicates what services it requires access to via entitlements that are attached to the application through its code signature.

  • If an application wishes to open Audio Components that are not Sandbox Safe, the application must be signed with the entitlement

    com.apple.security.temporary-exception.audio-unit-host
    .
  • When an application with the

    com.apple.security.temporary-exception.audio-unit-host
    entitlement

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Quinn,

I probably don't get you quite right here.

Amongst the audio plugin development community there are ongoing discussions

i.e.

https://forum.juce.com/t/macos-plugins-in-sandboxed-daw/36999

https://forum.juce.com/t/garageband-x-sandboxing/11739

and others, which indicate that the entitlements can be successfully set for individual bundles (wether .vst/ .vst3/ .component/ or .aax); this also is in accordance to our own findings - except for IOHIDDevice access, which can't be accessed; even when the sandbox is excepted by setting the plugins com.apple.security.device.usb entitlement.

Now, my question is: should this work (i.e. is there something wrong on our side or is there a bug in Apples sandbox)? or is this not suppose to work and how can we achieve in this case IOHiddevice communication from within a sandboxed plugin? So far to me Apples sandboxing does not look being entirely thought thru (what is with other hardware/kext/IOKit access?) but I strongly hope I am wrong here.

Having said that, an entire product line is depending on being able to communicate from our audio plugins with our controlling hardware.


Or, maybe we are not using the correct (sandbox except-able) API? I see there are more HID related frameworks (i.e. HIDDriverKit.framework vs. IOKit.framework), where we are currently using the later...?!


On the other hand, according to the sandbox profiles located at

/System/Library/Sandbox/Profiles/application.sb

there seem to be a separate (but nowhere mentioned) "com.apple.security.device.hid" entitlement. Is this the one to use? Can these profiles be "trusted" in any way? Where is the actual documentation?


I am blindly tumbling around, waisting my time with simple question... Just because Apples seems to be too ignorrant to provide adequate documentation. Those "maybe this or that" are so tiring and far away from being professional and in the end the cause of bad or wrong development decisions.


Thanks & cheers,

Hagen.

You can set entitlements on any Mach-O image, but the system only honours entitlements on main executables. Entitlements on other types of code are simply ignored.

Indeed, the mechanism described in TN2247 confirms this. In the Audio Components That Are Not Sandbox Safe section, where the audio component declares the resources it needs, it does not do that using entitlements but rather via the

resourceUsage
property in its
Info.plist
. Also note how in the Hosting Audio Components in a Sandboxed Application section it talks about disabling the sandbox on the host application, which is a very different proposition from honouring the plug-in’s entitlements.

Having said that, an entire product line is depending on being able to communicate from our audio plugins with our controlling hardware.

Given that, I’m going to recommend that you open a DTS tech support incident and discuss this with our audio expert.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Hagen,

I'm in the same predicament, have you ever gotten this to work? Or are plugins at the mercy of the DAW's entitlements?

IOHIDDevice entitlements
 
 
Q