6

I'm new to using IOKit and have noticed what I think is the sandbox making it fail.

Here is the test I'm trying (in Pascal) which runs fine outside the sandbox but when I enable it IOServiceOpen returns the error kIOReturnNotPermitted every time.

Is IOKit not safe in the sandbox for certain services? I was trying to get some fan speeds/cpu temperatures and I see there are some apps in the AppStore (sandboxed) doing this so I believe it's possible. The only one I could confirm appears to have an XPC service bundled with the app as a helper so maybe that's a clue to make IOKit work? I tried basically all the entitlements and none of them seemed to help any.

Thanks for any ideas you may have.

```pascal
procedure TestIOKit;
var
    err: kern_return_t;
    masterPort: mach_port_t;
    iterator: io_iterator_t;
    device: io_object_t;
    matchingDictionary: CFMutableDictionaryRef;
    conn: io_connect_t;
begin
    IOMasterPort(0, masterPort);
    // IOServiceGetMatchingServices consumes the matching dictionary reference
    matchingDictionary := IOServiceMatching('AppleSMC');
    err := IOServiceGetMatchingServices(masterPort, matchingDictionary, iterator);
    if err <> kIOReturnSuccess then
    begin
        writeln('IOServiceGetMatchingServices: ', err);
        exit;
    end;

    device := IOIteratorNext(iterator);
    IOObjectRelease(iterator);
    if device = 0 then
    begin
        writeln('no smc found');
        exit;
    end;

    // This is the call that returns kIOReturnNotPermitted inside the sandbox
    err := IOServiceOpen(device, mach_task_self_, 0, conn);
    IOObjectRelease(device);
    if err <> kIOReturnSuccess then
        writeln('IOServiceOpen: ', err)
    else
        IOServiceClose(conn);
end;
```
GenericPtr
  • 677
  • 1
  • 8
  • 18
  • If you haven't already, pop open the `Console` app and search for `sandbox`. You should get a message with a backtrace there every time you have a sandbox violation. – gaige May 23 '14 at 20:05

6 Answers

5

I found the same problem trying to read SMC keys in order to get sensor temps and fan speeds from inside an OSX Yosemite 'Today extension'. The extension needs to be sandboxed, and I was also getting the kIOReturnNotPermitted error every time I tried to read the temp and fan sensors.

The only way I got it working was by creating an XPC service that manages all the SMC stuff, configured as a launch agent. This way, the sandboxed app (the 'today' extension) asks the XPC service for all the relevant data, instead of messing with IOKit directly.

So far, it seems to be working properly.

Luixel
  • 74
  • 1
  • 4
  • I thought that may have been the answer but I didn't want to commit to learning XPC services until I was sure. Thanks! – GenericPtr Oct 29 '14 at 00:30
  • 2
    Don’t we need to make the XPC service sandboxed? I have tried your answer, but when the sandbox is enabled in the XPC service, IOServiceOpen() does not work. So will Apple approve my app if I have the sandbox disabled in the XPC service? Or am I missing something here? – Bhumit Mehta Jan 27 '15 at 05:26
  • Yes, as far as I know, it has to be sandboxed. In order to get it working, I had to add a temporary exception in the XPC Service Entitlements File: (com.apple.security.temporary-exception.mach-lookup.global-name: (String) ‘your XPCService identifier’). It works fine if you don’t use the Mac App Store for distribution. I’m not sure if this is allowed for MAS distribution, though. – Luixel Jan 27 '15 at 08:54
  • So there is no way to fetch sensor temps and fan speeds with the sandbox? Is there any other way to fetch these values that you are aware of? – Bhumit Mehta Jan 28 '15 at 08:04
3

You don't need an XPC (not sure I understand that answer given it would also need to be sandboxed).

You can use this temporary entitlement, although I don't hold any hope of Apple approving it for MAS - you'd need to make your case to try and justify its use in iTunes Connect. I have a similar problem and it's the only "solution" I've found so far:

com.apple.security.temporary-exception.sbpl string (allow iokit-open)
Rhys Lewis
  • 453
  • 4
  • 20
1

I don't see the answer from Luis Glez providing a solution, but wrong information.

In fact there is currently no way to access this I/O Kit functionality from a sandboxed app, nor would it be approved by Apple for the App Store. If you check the sandbox status of the app from Luis Glez you will see that it's not sandboxed at all. Also it's not available on the App Store and I assume this is the reason.

Terminal:

```
codesign --display --entitlements - VitalStats.app
```

There was a recent discussion on the Developer Forums and someone from Apple confirmed that there is no way.

https://devforums.apple.com/message/1082393#1082393

Marc T.
  • 5,090
  • 1
  • 23
  • 40
1

The solution is very simple. You need to add a few lines to the entitlements file:

```xml
<key>com.apple.security.temporary-exception.sbpl</key>
<array>
    <string>(allow iokit-open)</string>
    <string>(allow iokit-set-properties (iokit-property "ConsoleUID"))</string>
    <string>(allow mach-lookup (global-name "com.apple.AssetCacheLocatorService"))</string>
</array>
```


nab0y4enko
  • 369
  • 3
  • 5
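
An added example (not code from any of the posts): a Python audit of an app's entitlements that reports whether the sandbox is enabled and which `temporary-exception` entries widen it, covering both the sandbox check in Marc T.'s answer and the `sbpl` rules quoted in the answers above. It assumes the entitlements are available as an XML plist; the sample plist is constructed from keys on this page and `audit_entitlements` is a hypothetical helper name.

```python
import plistlib
import re

# Constructed sample: an entitlements plist built from the keys quoted above.
SAMPLE_ENTITLEMENTS = b"""<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.temporary-exception.sbpl</key>
    <array>
        <string>(allow iokit-open)</string>
        <string>(allow iokit-set-properties (iokit-property "ConsoleUID"))</string>
        <string>(allow mach-lookup (global-name "com.apple.AssetCacheLocatorService"))</string>
    </array>
</dict>
</plist>
"""

EXCEPTION_PREFIX = "com.apple.security.temporary-exception."
# Matches "(allow <operation> <optional filter expression>)"
RULE = re.compile(r"^\(\s*allow\s+([\w*-]+)\s*(.*)\)\s*$", re.S)


def audit_entitlements(plist_bytes):
    """Report sandbox status and every temporary exception that widens it."""
    ents = plistlib.loads(plist_bytes)
    report = {
        "sandboxed": ents.get("com.apple.security.app-sandbox") is True,
        "exceptions": [],  # (kind, value) for non-SBPL or unparsed entries
        "sbpl_rules": [],  # (operation, filter or None)
        "unfiltered": [],  # operations allowed with no filter at all
    }
    for key, value in ents.items():
        if not key.startswith(EXCEPTION_PREFIX):
            continue
        kind = key[len(EXCEPTION_PREFIX):]
        for item in (value if isinstance(value, list) else [value]):
            m = RULE.match(str(item).strip()) if kind == "sbpl" else None
            if m is None:
                report["exceptions"].append((kind, item))
                continue
            op, flt = m.group(1), m.group(2).strip() or None
            report["sbpl_rules"].append((op, flt))
            if flt is None:
                report["unfiltered"].append(op)
    return report
```

On the sample, `unfiltered` contains `iokit-open`: that rule carries no filter, so it is the broadest of the three exceptions and the first one a reviewer would question.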
1

My app was just rejected for using IOKit in general. Does anyone else have the same problem? The app was approved for 60 earlier builds, but all of a sudden, Apple seems to have a problem with that now. I use IOKit to read battery information like current voltage etc.

Rejected because of 1.1.6 - Safety.

Thank you for your submission. During our review, we found that your app is not appropriate for the App Store.

We encourage you to review your app concept and evaluate whether you can incorporate different content and features to bring it into compliance with the App Store Review Guidelines.

inexcitus
  • 2,471
  • 2
  • 26
  • 41
  • 1
    Yes, I was unable to generate a concept that was compliant with the app store regulations for reading, monitoring and controlling fan speeds and temps. – Rhys Lewis Feb 17 '19 at 12:52
0

For those who may still be looking for an answer: in Catalina, the problem might be that the app first needs to get the Input Monitoring permission. If it's not granted or denied, you would certainly get the kIOReturnNotPermitted error.

To check if this is the case, go to System Settings, Privacy, select Input Monitoring and check if your app is allowed.

After granting the permission, the error should disappear.