2 Replies
      Latest reply on Aug 29, 2019 1:47 PM by MyCometG3
      MyCometG3 Level 1 (0 points)

        I am trying to rewrite old FireWire camcorder control command line utilities into an XPC Service.


        • The old utility was a modified version of simpleAVCSample.c from the legacy sample code.
        • The existing command binary works on macOS 10.14.
        • I tried the same IOKit/IOCFPlugIn code in an Application or XPC Service.
        • But it failed at the following step:
            kern_return_t result = IOCreatePlugInInterfaceForService(
                service, kIOFireWireAVCLibUnitTypeID, kIOCFPlugInInterfaceID, &interface, &score);
            // result == 0xe00002be, which is kIOReturnNoResources in IOReturn.h
        • And Console.app always logged a sandboxd rejection:
            Sandbox: testAVC(8332) System Policy: deny(1) iokit-open IOFireWireAVCUserClient
            Violation:       System Policy: deny(1) iokit-open IOFireWireAVCUserClient
        • But this is always logged even if I DO NOT check the sandbox entitlement.


        I also tried the "com.apple.security.device.firewire" entitlement, because /System/Library/Sandbox/Profiles/Application.sb contains the following part:

        (when (entitlement "com.apple.security.device.firewire")
              (allow iokit-open (iokit-user-client-class "IOFireWireUserClient"))
              (allow iokit-open (iokit-user-client-class "IOFireWireAVCUserClient"))
              (allow iokit-open
                     (iokit-user-client-class "IOFireWireAVCProtocolUserClient"))
              (allow iokit-set-properties (iokit-property "SummonNub")))

        But it did not help either.


        Please give me a hint on how to resolve the IOCreatePlugInInterfaceForService() error.

        • Re: IOFireWireAVCUserClient question
          eskimo Apple Staff (12,715 points)

          But this is always logged even if I DO NOT check sandbox entitlement.

          That’s weird.  If you don’t have the sandbox enabled, you should never hit sandbox restrictions.  I recommend that you confirm that the sandbox really is disabled.  One good way to do this is to run codesign against your XPC Service’s pid.  For example:

          $ codesign -d --entitlements :- `pgrep Finder`
          … lots of entitlements! …

          You can then check for the presence of the App Sandbox entitlement (com.apple.security.app-sandbox).

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: IOFireWireAVCUserClient question
              MyCometG3 Level 1 (0 points)


              Thank you for your comment.


              I have figured out that:

              - IOFireWireAVCUserClient seems to require NSCameraUsageDescription in Info.plist.
              - A missing NSCameraUsageDescription causes a rejection by sandboxd, in the following sequence.
              - This behavior is independent of the sandbox/hardened check state in Capabilities.


              Anyway, it works as intended now.

                18:55:37.759125 +0900 tccd -[TCCDAccessIdentity staticCode]: static code for: identifier com.mycometg3.testAVC, type: 0: 0x7fc3ca40b230 at /path/to/testAVC.app
                18:55:37.769802 +0900 tccd Prompting for access to kTCCServiceCamera from ......testAVC.app/Contents/MacOS/testAVC
                18:55:37.770843 +0900 tccd Refusing TCCAccessRequest for service kTCCServiceCamera and client .....testAVC.app[26457] without NSCameraUsageDescription key
                18:55:37.771494 +0900 kernel sandboxd rejected approval request from testAVC for kTCCServiceCamera
                18:55:37.772322 +0900 testAVC IOCreatePlugInInterfaceForService returned -536870210/0xe00002be
                18:55:37.986210 +0900 sandboxd Sandbox: testAVC(26457) System Policy: deny(1) iokit-open IOFireWireAVCUserClient
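The two checks the thread converges on, as an added example that is not code from the thread or from Apple: a preflight over the entitlements plist that `codesign -d --entitlements :-` prints and over the bundle's Info.plist, a decoder for the logged IOReturn value, and a scan of the log sequence above for the line that explains the failure. The plists and the log excerpt are constructed sample data; the bundle identifier com.example.testAVC is a placeholder.

```python
import plistlib

KIO_RETURN_NO_RESOURCES = 0xE00002BE  # kIOReturnNoResources, IOReturn.h

# Constructed sample of the plist that `codesign -d --entitlements :- <pid>` prints.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.device.firewire</key><true/>
</dict></plist>"""
# Constructed Info.plist of the service, deliberately lacking NSCameraUsageDescription.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.testAVC</string>
</dict></plist>"""
# Message parts of the log lines in the thread above (constructed excerpt).
SAMPLE_LOG = [
    "tccd Refusing TCCAccessRequest for service kTCCServiceCamera and client testAVC.app[26457] without NSCameraUsageDescription key",
    "kernel sandboxd rejected approval request from testAVC for kTCCServiceCamera",
    "testAVC IOCreatePlugInInterfaceForService returned -536870210/0xe00002be",
]
# Log fragment -> explanation, ordered from root cause to downstream symptom.
CAUSES = {
    "without NSCameraUsageDescription key": "tccd refused kTCCServiceCamera: add NSCameraUsageDescription to Info.plist",
    "deny(1) iokit-open IOFireWireAVCUserClient": "sandbox denied iokit-open: check app-sandbox/device.firewire entitlements",
}

def decode_ioreturn(value):
    """Split an IOReturn (signed as logged, or unsigned) into its system/sub/code fields."""
    v = value & 0xFFFFFFFF
    return {"hex": f"0x{v:08x}", "system": v >> 26, "sub": (v >> 14) & 0xFFF,
            "code": v & 0x3FFF, "no_resources": v == KIO_RETURN_NO_RESOURCES}

def preflight(entitlements_plist, info_plist):
    """Static checks to run before the process tries to open IOFireWireAVCUserClient."""
    ents = plistlib.loads(entitlements_plist)
    info = plistlib.loads(info_plist)
    problems = []
    # Only a sandboxed process needs the device entitlement (the Application.sb rule quoted above).
    if ents.get("com.apple.security.app-sandbox") and not ents.get("com.apple.security.device.firewire"):
        problems.append("sandboxed without com.apple.security.device.firewire")
    # The TCC camera check applies whether or not the sandbox is enabled.
    if "NSCameraUsageDescription" not in info:
        problems.append("Info.plist lacks NSCameraUsageDescription")
    return problems

def root_cause(log_lines):
    """Return the explanation for the earliest log line that matches a known cause, or None."""
    for line in log_lines:
        for needle, cause in CAUSES.items():
            if needle in line:
                return cause
    return None
```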