But this is always logged even if I DO NOT check sandbox entitlement.
That’s weird. If you don’t have the sandbox enabled, you should never hit sandbox restrictions. I recommend that you confirm that the sandbox really is disabled. One good way to do this is to run
codesign against your XPC Service’s pid. For example:
$ codesign -d --entitlements :- `pgrep Finder`
… lots of entitlements! …
You can then check for the presence of the App Sandbox entitlement (
Share and Enjoy
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
Thank you for your comment.
I have figured out that
- IOFireWireAVCUserClient seems to require NSCameraUsageDescription in Info.plist.
- "missing - NSCameraUsageDescription" causes rejection by sandboxd, in the following sequence.
- This behavior is independent from the check state of sandbox/hardened in capabilities.
Anyway it works as intended now.
18:55:37.759125 +0900 tccd -[TCCDAccessIdentity staticCode]: static code for: identifier com.mycometg3.testAVC, type: 0: 0x7fc3ca40b230 at /path/to/testAVC.app
18:55:37.769802 +0900 tccd Prompting for access to kTCCServiceCamera from ......testAVC.app/Contents/MacOS/testAVC
18:55:37.770843 +0900 tccd Refusing TCCAccessRequest for service kTCCServiceCamera and client .....testAVC.app without NSCameraUsageDescription key
18:55:37.771494 +0900 kernel sandboxd rejected approval request from testAVC for kTCCServiceCamera
18:55:37.772322 +0900 testAVC IOCreatePlugInInterfaceForService returned -536870210/0xe00002be
18:55:37.986210 +0900 sandboxd Sandbox: testAVC(26457) System Policy: deny(1) iokit-open IOFireWireAVCUserClient
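
The sequence in the log above can be triaged mechanically. The following is an added example, not code from the thread: it links each sandboxd `deny` to the kernel's "rejected approval request" line and then to the tccd refusal naming the missing Info.plist key. The function name `triage`, the one-second correlation window and the regular expressions (written only against the line shapes shown here) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Log lines copied from the post above (client paths are elided there).
SAMPLE = """\
18:55:37.769802 +0900 tccd Prompting for access to kTCCServiceCamera from ......testAVC.app/Contents/MacOS/testAVC
18:55:37.770843 +0900 tccd Refusing TCCAccessRequest for service kTCCServiceCamera and client .....testAVC.app without NSCameraUsageDescription key
18:55:37.771494 +0900 kernel sandboxd rejected approval request from testAVC for kTCCServiceCamera
18:55:37.772322 +0900 testAVC IOCreatePlugInInterfaceForService returned -536870210/0xe00002be
18:55:37.986210 +0900 sandboxd Sandbox: testAVC(26457) System Policy: deny(1) iokit-open IOFireWireAVCUserClient
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{1,6}) \S+ (\S+) (.*)$")
REFUSED = re.compile(r"Refusing TCCAccessRequest for service (\S+) and client .+? without (\S+) key")
REJECTED = re.compile(r"sandboxd rejected approval request from (\S+) for (\S+)")
DENIED = re.compile(r"Sandbox: ([^(\s]+)\((\d+)\) System Policy: deny\(\d+\) (\S+) (\S+)")
WINDOW = timedelta(seconds=1)  # assumed correlation window, not an Apple-defined value

def triage(text):
    # Returns one finding per sandboxd deny, with the TCC service and missing key if linked.
    missing_key = {}  # TCC service -> (time, Info.plist key tccd reported absent)
    rejected = {}     # process name -> (time, TCC service the kernel says was rejected)
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        proc, msg = m.group(2), m.group(3)
        if proc == "tccd" and (r := REFUSED.search(msg)):
            missing_key[r.group(1)] = (ts, r.group(2))
        elif proc == "kernel" and (r := REJECTED.search(msg)):
            rejected[r.group(1)] = (ts, r.group(2))
        elif proc == "sandboxd" and (r := DENIED.search(msg)):
            name, pid, op, target = r.groups()
            service, key = None, None
            rej = rejected.get(name)
            if rej and ts - rej[0] <= WINDOW:
                service = rej[1]
                ref = missing_key.get(service)
                if ref and ts - ref[0] <= WINDOW:
                    key = ref[1]
            findings.append({"process": name, "pid": int(pid), "operation": op,
                             "target": target, "service": service, "missing_key": key})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding with `missing_key` set points at the Info.plist rather than at the sandbox capability checkbox; a finding with `missing_key` of `None` has no TCC refusal nearby and needs the `codesign` entitlement check instead.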