fs_snapshot_create required entitlements

In `man fs_snapshot_create` is stated "All snapshot functions require superuser privileges and also require an additional entitlement."

Which entitlement is it?


Background:

I want to write a tool to create snapshots without `tmutil localsnapshot /` because I noticed that these snapshots are deleted randomly. So I had the idea to check if this only applies to snapshots created with `tmutil` or to APFS-snapshots in general... if it's `tmutil`-related I could circumvent it by using my own app – because for me snapshots are pretty useless if they vanish magically.

Answered by DTS Engineer in 269529022

The entitlement is a special entitlement that Apple that developers can request by contacting DTS. Note that it's currently only being granted to backup application developers and only after very close review.


One other note- the current man page is not 100% accurate. fs_snapshot_list does NOT require the enitlement and can be used by any app. However, if you're looking at the data it returns keep in mind that the size it returns is the size of the snapshot metadata, NOT the size that will be freed if/when that snapshot it deleted.


-Keivn

Accepted Answer

The entitlement is a special entitlement that Apple that developers can request by contacting DTS. Note that it's currently only being granted to backup application developers and only after very close review.


One other note- the current man page is not 100% accurate. fs_snapshot_list does NOT require the enitlement and can be used by any app. However, if you're looking at the data it returns keep in mind that the size it returns is the size of the snapshot metadata, NOT the size that will be freed if/when that snapshot it deleted.


-Keivn

Does this mean even for local development, we will need to get the entitlement file? Can the request by directly made in the Apple developer portal?

Does this mean even for local development, we will need to get the entitlement file?

Yes.

Note The “entitlement file” isn’t the issue here. Entitlements must be whitelisted by your provisioning profile. For special entitlements like this one, Apple must specifically grant you the ability to add the entitlement to your provisioning profile.

Can the request by directly made in the Apple developer portal?

No.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I do find this quite annoying, that even when I fully disable system integrity protection I still cannot use the snapshot functionality without the entitlement. Is there no way to get this functionality even if I want to use it on my own computer? Is it something that can be set up while booted in the recovery OS? I get Apple doesn't want to make it easy for people to send malicious code to other people that deletes their backups that came in the form of snapshots, but come on, you make it possible to delete snapshots in the Terminal, why not make it easy to create snapshots too? When I watched the presentation on APFS and learned about snapshots I was super excited that this functionality was coming in APFS, and now it's almost 4 years later and I still can't use the functionality myself.

The closest you can get is to use the `tmutil` tool to make a snapshot. You can't control the aging of that snap though and Time Machine will delete it after 24 hours or so.


In order to have full control you need to be invited to have the entitlement.

You need the com.apple.developer.vfs.snapshot entitlement to manipulate snapshots. Check out https://github.com/ahl/apfs for a sample program. You have to sign with this special entitlement and (for local development) disable both SIP and AMFI.

fs_snapshot_create required entitlements
 
 
Q