App Sandbox USB device entitlement

Hi all,


I have a question regarding USB entitlement in sandboxed app, specifically this key: “com.apple.security.device.usb”

  • Does the entitlement include USB device enumeration?
  • Which classes of USB devices are included?


The documentation here https://developer.apple.com/library/content/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html#//apple_ref/doc/uid/TP40011195-CH4-SW11

only mentions this:

"USB access enables the ability to interact with USB devices using USB device access APIs. On violation, sandboxd names the I/O Kit class your code tried to access"

which doesn't really answer my questions. Any help is appreciated.


thanks!

Replies

Does the entitlement include USB device enumeration?

What do you mean by USB device enumeration? In general USB devices show up in the I/O Registry, and that’s available to all sandboxed apps, even those without the com.apple.security.device.usb entitlement.

Which classes of USB devices are included?

I don’t think there’s any restrictions here, although you will have the usual problems with devices that are in use by the system (mass storage being the most notable example).

If you want to see what entitlements like this do, you can take a look at their use in various profiles in /System/Library/Sandbox/Profiles. For example, com.apple.security.device.usb is only used in /System/Library/Sandbox/Profiles/application.sb, where it gates access to IOHIDLibUserClient, IOUSBDeviceUserClientV2 and IOUSBInterfaceUserClientV3.

WARNING The location and contents of these sandbox profiles is not API. It’s fine to poke around in them to get a better understanding of how the system works, but your app should not rely on their fine structure.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
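To make the two halves of that answer concrete, here is an added example (my own code, not Quinn's and not anything from Apple's documentation) for a sandboxed macOS app written in Swift. Step 1 walks the I/O Registry for IOUSBDevice nubs and reads idVendor/idProduct, which works with only com.apple.security.app-sandbox in the entitlements file. Step 2 calls IOServiceOpen on each nub, which asks for IOUSBDeviceUserClientV2 and is exactly what com.apple.security.device.usb gates. Assumptions: the class name string "IOUSBDevice" and the two IOReturn values are hard-coded as constants (kIOReturnNotPermitted = 0xe00002e2, kIOReturnExclusiveAccess = 0xe00002c5) because Swift does not import those C macros; the claim that a sandbox denial surfaces as kIOReturnNotPermitted is my experience, not something the documentation above states, so check Console for sandboxd's "deny iokit-open" line naming the class if you see a different code.

```swift
// Added example, not from the original thread. Run inside a sandboxed macOS app.
import Foundation
import IOKit

/// Identity of a USB device nub as published in the I/O Registry.
struct USBDeviceInfo {
    let name: String
    let vendorID: Int
    let productID: Int
}

// IOReturn codes spelled out by value (assumption: Swift does not import the C macros).
let ioReturnNotPermitted   = kern_return_t(bitPattern: 0xe00002e2)   // kIOReturnNotPermitted
let ioReturnExclusiveAccess = kern_return_t(bitPattern: 0xe00002c5)  // kIOReturnExclusiveAccess

/// Reads an integer property (idVendor, idProduct, ...) from a registry entry.
func registryInt(_ entry: io_registry_entry_t, _ key: String) -> Int? {
    guard let raw = IORegistryEntryCreateCFProperty(entry, key as CFString, kCFAllocatorDefault, 0) else {
        return nil
    }
    return (raw.takeRetainedValue() as? NSNumber)?.intValue
}

/// Step 1: enumeration. Matching IOUSBDevice nubs and reading their properties is
/// plain I/O Registry access, available to any sandboxed app without the USB entitlement.
/// The callback gets the live io_service_t so the caller can attempt step 2 on it.
func forEachUSBDevice(_ body: (io_service_t, USBDeviceInfo) -> Void) -> kern_return_t {
    var iterator: io_iterator_t = 0
    // kIOMasterPortDefault is named kIOMainPortDefault from macOS 12 on; both are 0.
    let kr = IOServiceGetMatchingServices(kIOMasterPortDefault,
                                          IOServiceMatching("IOUSBDevice"),
                                          &iterator)
    guard kr == KERN_SUCCESS else { return kr }
    defer { IOObjectRelease(iterator) }

    while true {
        let service = IOIteratorNext(iterator)
        if service == 0 { break }
        defer { IOObjectRelease(service) }           // released at the end of each iteration
        var nameBuf = [CChar](repeating: 0, count: 128)  // io_name_t is char[128]
        IORegistryEntryGetName(service, &nameBuf)
        body(service, USBDeviceInfo(name: String(cString: nameBuf),
                                    vendorID: registryInt(service, "idVendor") ?? 0,
                                    productID: registryInt(service, "idProduct") ?? 0))
    }
    return KERN_SUCCESS
}

/// Step 2: opening a user client. Type 0 on an IOUSBDevice nub requests
/// IOUSBDeviceUserClientV2, one of the classes application.sb gates behind
/// com.apple.security.device.usb. Returns the raw status so the caller can
/// tell a sandbox denial from a device the system already owns.
func tryOpenUSBDevice(_ service: io_service_t) -> kern_return_t {
    var connect: io_connect_t = 0
    let kr = IOServiceOpen(service, mach_task_self_, 0, &connect)
    if kr == KERN_SUCCESS {
        IOServiceClose(connect)
    }
    return kr
}

func hex(_ kr: kern_return_t) -> String {
    return "0x" + String(UInt32(bitPattern: kr), radix: 16)
}

// Usage: list every USB device, then report whether its user client can be opened.
let status = forEachUSBDevice { service, info in
    let ids = String(format: "%04lx:%04lx", info.vendorID, info.productID)
    switch tryOpenUSBDevice(service) {
    case KERN_SUCCESS:
        print("\(ids) \(info.name): opened (entitlement present)")
    case ioReturnExclusiveAccess:
        // The usual failure for devices the system is already using, e.g. mass storage;
        // the entitlement does not help here.
        print("\(ids) \(info.name): in use by the system")
    case ioReturnNotPermitted:
        // Assumed shape of a sandbox denial; sandboxd names the refused I/O Kit class in Console.
        print("\(ids) \(info.name): open denied, check the entitlement and sandboxd's log")
    case let kr:
        print("\(ids) \(info.name): IOServiceOpen failed: \(hex(kr))")
    }
}
if status != KERN_SUCCESS {
    print("IOServiceGetMatchingServices failed: \(hex(status))")
}
```

Run it once with only com.apple.security.app-sandbox set and once with com.apple.security.device.usb added: the device list from step 1 is the same both times, and only the result of step 2 changes. Devices such as USB mass storage keep failing either way because the kernel driver holds them, which is the "in use by the system" case Quinn mentions.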