Question

I'm new to using IOKit and have noticed what I think is the sandbox making it fail.

Here is the test I'm trying (in Pascal), which runs fine outside the sandbox, but when I enable it, IOServiceOpen returns the error kIOReturnNotPermitted every time.

Is IOKit not safe in the sandbox for certain services? I was trying to get some fan speeds/CPU temperatures and I see there are some apps in the App Store (sandboxed) doing this, so I believe it's possible. The only one I could confirm appears to have an XPC service bundled with the app as a helper, so maybe that's a clue to make IOKit work? I tried basically all the entitlements and none of them seemed to help any.

Thanks for any ideas you may have.

procedure TestIOKit;
var
    err: kern_return_t;
    masterPort: mach_port_t;
    iterator: io_iterator_t;
    device: io_object_t;
    matchingDictionary: CFMutableDictionaryRef;
    conn: io_connect_t;
begin
    { Look up the AppleSMC service in the I/O Registry. }
    IOMasterPort(0, masterPort);
    matchingDictionary := IOServiceMatching('AppleSMC');
    err := IOServiceGetMatchingServices(masterPort, matchingDictionary, iterator);
    if err <> kIOReturnSuccess then
    begin
        writeln('IOServiceGetMatchingServices: ', err);
        exit;
    end;

    device := IOIteratorNext(iterator);
    IOObjectRelease(iterator);
    if device = 0 then
    begin
        writeln('no smc found');
        exit;
    end;

    { This is the call that returns kIOReturnNotPermitted inside the sandbox. }
    err := IOServiceOpen(device, mach_task_self_, 0, conn);
    IOObjectRelease(device);
    if err <> kIOReturnSuccess then
        writeln('IOServiceOpen: ', err)
    else
        IOServiceClose(conn);
end;

Solution

I found the same problem trying to read SMC keys in order to get sensor temps and fan speeds from inside an OS X Yosemite 'Today extension'. The extension needs to be sandboxed, and I was also getting the kIOReturnNotPermitted error every time I tried to read the temp and fan sensors.

The only way I got it working was by creating an XPC service that manages all the SMC stuff, configured as a launch agent. This way, the sandboxed app (the 'today' extension) asks the XPC service for all the relevant data, instead of messing with IOKit directly.

So far, it seems to be working properly.

OTHER TIPS

You don't need an XPC (not sure I understand that answer given it would also need to be sandboxed).

You can use this temporary entitlement, although I don't hold any hope of Apple approving it for MAS - you'd need to make your case to try and justify its use in iTunes Connect. I have a similar problem and it's the only "solution" I've found so far:

com.apple.security.temporary-exception.sbpl string (allow iokit-open)

I don't see the answer from Luis Glez providing a solution, but wrong information.

In fact, there is currently no way to access this I/O Kit functionality from a sandboxed app, nor would it be approved by Apple for the App Store. If you check the sandbox status of the app from Luis Glez, you will see that it's not sandboxed at all. Also, it's not available on the App Store and I assume this is the reason.

Terminal:

codesign --display --entitlements - VitalStats.app

There was a recent discussion on the Developer Forums and someone from Apple confirmed that there is no way.

https://devforums.apple.com/message/1082393#1082393

The solution is very simple. You need to add a few lines to the entitlements file:

<key>com.apple.security.temporary-exception.sbpl</key>
<array>
    <string>(allow iokit-open)</string>
    <string>(allow iokit-set-properties (iokit-property "ConsoleUID"))</string>
    <string>(allow mach-lookup (global-name "com.apple.AssetCacheLocatorService"))</string>
</array>

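An added example, not part of any answer above: a small audit of the entitlements XML that the codesign command quoted earlier prints, reporting whether the App Sandbox is enabled and which temporary exceptions are present, including unfiltered SBPL rules such as (allow iokit-open). The sample plist is constructed for illustration, the function name audit_entitlements is hypothetical, and the input is assumed to be the plain XML plist.

```python
import plistlib
import re

# Constructed sample (not from a real app): entitlements of a sandboxed app
# that carries the temporary-exception.sbpl rules quoted on this page.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.temporary-exception.sbpl</key>
  <array>
    <string>(allow iokit-open)</string>
    <string>(allow iokit-set-properties (iokit-property "ConsoleUID"))</string>
    <string>(allow mach-lookup (global-name "com.apple.AssetCacheLocatorService"))</string>
  </array>
</dict></plist>"""

SANDBOX_KEY = "com.apple.security.app-sandbox"
EXCEPTION_PREFIX = "com.apple.security.temporary-exception."
# "(allow <operation>)" with nothing after the operation: the rule has no
# filter, so it applies to every target of that operation.
UNSCOPED_RULE = re.compile(r"^\(\s*allow\s+([\w*-]+)\s*\)$")


def audit_entitlements(plist_bytes):
    """Return (sandboxed, findings) for an entitlements plist (hypothetical helper)."""
    ent = plistlib.loads(plist_bytes)
    sandboxed = ent.get(SANDBOX_KEY) is True
    findings = []
    if not sandboxed:
        findings.append("not sandboxed: " + SANDBOX_KEY + " is absent or false")
    for key, value in sorted(ent.items()):
        if not key.startswith(EXCEPTION_PREFIX):
            continue
        rules = value if isinstance(value, list) else [value]
        for rule in rules:
            tag = ""
            if key.endswith(".sbpl"):
                unscoped = UNSCOPED_RULE.match(str(rule).strip())
                tag = " [unscoped]" if unscoped else " [filtered]"
            findings.append(f"{key}: {rule}{tag}")
    return sandboxed, findings


if __name__ == "__main__":
    ok, notes = audit_entitlements(SAMPLE)
    print("sandboxed:", ok)
    for note in notes:
        print(" -", note)
```
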

My app was just rejected for using IOKit in general. Does anyone else have the same problem? The app was approved for 60 earlier builds, but all of a sudden, Apple seems to have a problem with that now. I use IOKit to read battery information like current voltage etc.

Rejected because of 1.1.6 - Safety.

Thank you for your submission. During our review, we found that your app is not appropriate for the App Store.

We encourage you to review your app concept and evaluate whether you can incorporate different content and features to bring it into compliance with the App Store Review Guidelines.

For those who may still be looking for an answer: in Catalina, the problem might be that the app first needs to get the Input Monitoring permission. If it's not granted or is denied, you would certainly get the kIOReturnNotPermitted error.

To check if this is the case, go to System Settings, Privacy, select Input Monitoring and check if your app is allowed.

After granting the permission, the error should disappear.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow