IOFireWireAVCUserClient question

I am trying to rewrite old FireWire CamCorder control command line utilities into an XPC Service.


  • The old utility was a modified version of simpleAVCSample.c in the legacy sample code
  • The existing command binary works on macOS 10.14
  • I tried the same IOKit/IOCFPlugIn code in an Application and in an XPC Service
  • But they failed at the following step
    kern_return_t result = IOCreatePlugInInterfaceForService(
        service, kIOFireWireAVCLibUnitTypeID, kIOCFPlugInInterfaceID, &interface,&score);
    // 0xe00002be = kIOReturnNoResources in IOReturn.h

And Console.app always logged a sandboxd rejection:

    Sandbox: testAVC(8332) System Policy: deny(1) iokit-open IOFireWireAVCUserClient
    Violation:       System Policy: deny(1) iokit-open IOFireWireAVCUserClient

But this is always logged even if I DO NOT check sandbox entitlement.


I also tried the "com.apple.security.device.firewire" entitlement, because /System/Library/Sandbox/Profiles/Application.sb contains the following part:

    (when (entitlement "com.apple.security.device.firewire")
          (allow iokit-open (iokit-user-client-class "IOFireWireUserClient"))
          (allow iokit-open (iokit-user-client-class "IOFireWireAVCUserClient"))
          (allow iokit-open
                 (iokit-user-client-class "IOFireWireAVCProtocolUserClient"))
          (allow iokit-set-properties (iokit-property "SummonNub")))

But it also does not help.


Please give me some hint on how to resolve the IOCreatePlugInInterfaceForService() error.

Replies

But this is always logged even if I DO NOT check sandbox entitlement.

That’s weird. If you don’t have the sandbox enabled, you should never hit sandbox restrictions. I recommend that you confirm that the sandbox really is disabled. One good way to do this is to run codesign against your XPC Service’s pid. For example:

    $ codesign -d --entitlements :- `pgrep Finder`
    … lots of entitlements! …

You can then check for the presence of the App Sandbox entitlement (com.apple.security.app-sandbox).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi,

Thank you for your comment.


I have figured out that:

- IOFireWireAVCUserClient seems to require NSCameraUsageDescription in Info.plist.

- A missing NSCameraUsageDescription causes rejection by sandboxd, in the following sequence.

- This behavior is independent of the check state of sandbox/hardened in capabilities.


Anyway it works as intended now.

Regards,


//

18:55:37.759125 +0900 tccd -[TCCDAccessIdentity staticCode]: static code for: identifier com.mycometg3.testAVC, type: 0: 0x7fc3ca40b230 at /path/to/testAVC.app

18:55:37.769802 +0900 tccd Prompting for access to kTCCServiceCamera from ......testAVC.app/Contents/MacOS/testAVC

18:55:37.770843 +0900 tccd Refusing TCCAccessRequest for service kTCCServiceCamera and client .....testAVC.app[26457] without NSCameraUsageDescription key

18:55:37.771494 +0900 kernel sandboxd rejected approval request from testAVC for kTCCServiceCamera

18:55:37.772322 +0900 testAVC IOCreatePlugInInterfaceForService returned -536870210/0xe00002be

<snip>

18:55:37.986210 +0900 sandboxd Sandbox: testAVC(26457) System Policy: deny(1) iokit-open IOFireWireAVCUserClient

//
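
Added example, not part of the thread: a small log triage script that ties each `iokit-open` denial back to a tccd refusal for the same pid, which is the correlation the final reply describes. The function names and the sample log are constructed for illustration, and the line formats are assumed to match the excerpt above.

```python
import re

# Constructed sample, modelled on the log excerpt in the thread; the second
# process ("other", pid 311) is invented to show an uncorrelated denial.
SAMPLE_LOG = """\
18:55:37.770843 +0900 tccd Refusing TCCAccessRequest for service kTCCServiceCamera and client /path/to/testAVC.app[26457] without NSCameraUsageDescription key
18:55:37.771494 +0900 kernel sandboxd rejected approval request from testAVC for kTCCServiceCamera
18:55:37.772322 +0900 testAVC IOCreatePlugInInterfaceForService returned -536870210/0xe00002be
18:55:37.986210 +0900 sandboxd Sandbox: testAVC(26457) System Policy: deny(1) iokit-open IOFireWireAVCUserClient
18:56:02.100000 +0900 sandboxd Sandbox: other(311) System Policy: deny(1) iokit-open IOFireWireAVCUserClient
"""

# tccd line: refused TCC service, client pid, and the Info.plist key that is missing.
TCC_REFUSAL = re.compile(
    r"tccd Refusing TCCAccessRequest for service (\S+) and client .*?\[(\d+)\] without (\S+) key")
# sandboxd line: process, pid, and the IOKit user client class that was denied.
IOKIT_DENY = re.compile(
    r"Sandbox: (\S+)\((\d+)\) System Policy: deny\(\d+\) iokit-open (\S+)")


def to_ioreturn(signed_code):
    """Render a signed kern_return_t as the unsigned hex form used in IOReturn.h."""
    return f"0x{signed_code & 0xFFFFFFFF:08x}"


def explain_denials(log_text):
    """Return one finding per iokit-open denial, linked to an earlier TCC refusal by pid."""
    refusals = {}  # pid -> (TCC service, missing Info.plist key)
    findings = []
    for line in log_text.splitlines():
        m = TCC_REFUSAL.search(line)
        if m:
            refusals[int(m.group(2))] = (m.group(1), m.group(3))
            continue
        m = IOKIT_DENY.search(line)
        if m:
            pid = int(m.group(2))
            service, key = refusals.get(pid, (None, None))
            findings.append({"process": m.group(1), "pid": pid, "user_client": m.group(3),
                             "tcc_service": service, "missing_key": key})
    return findings


if __name__ == "__main__":
    for f in explain_denials(SAMPLE_LOG):
        cause = (f"{f['tcc_service']} refused, Info.plist lacks {f['missing_key']}"
                 if f["missing_key"] else "no TCC refusal seen for this pid")
        print(f"{f['process']}[{f['pid']}] iokit-open {f['user_client']}: {cause}")
```

A denial with no matching refusal, like the second constructed entry, points at a cause other than a missing usage description, such as an absent entitlement in a sandboxed process.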