
IOKit not permitted in Sandbox?

I'm new to using IOKit and have noticed what I think is the sandbox making it fail.

Here is the test I'm trying (in Pascal) which runs fine outside the sandbox but when I enable it IOServiceOpen returns the error kIOReturnNotPermitted every time.

Is IOKit not safe in the sandbox for certain services? I was trying to get some fan speeds/CPU temperatures and I see there are some apps in the App Store (sandboxed) doing this, so I believe it's possible. The only one I could confirm appears to have an XPC service bundled with the app as a helper, so maybe that's a clue to make IOKit work? I tried basically all the entitlements and none of them seemed to help any.

Thanks for any ideas you may have.

procedure TestIOKit;
var
    err: kern_return_t;
    masterPort: mach_port_t;
    iterator: io_iterator_t;
    device: io_object_t;
    matchingDictionary: CFMutableDictionaryRef;
    conn: io_connect_t;
begin
    IOMasterPort(0, masterPort);
    { IOServiceGetMatchingServices consumes the reference to the dictionary }
    matchingDictionary := IOServiceMatching('AppleSMC');
    err := IOServiceGetMatchingServices(masterPort, matchingDictionary, iterator);
    if err <> kIOReturnSuccess then
    begin
        writeln('IOServiceGetMatchingServices: ', err);
        Exit;
    end;

    device := IOIteratorNext(iterator);
    IOObjectRelease(iterator);
    if device = 0 then
    begin
        writeln('no smc found');
        Exit;
    end;

    { With the sandbox enabled, this call returns kIOReturnNotPermitted }
    err := IOServiceOpen(device, mach_task_self_, 0, conn);
    IOObjectRelease(device);
    if err <> kIOReturnSuccess then
        writeln('IOServiceOpen: ', err)
    else
        IOServiceClose(conn);
end;
GenericPtr asked Apr 23 '14 12:04


3 Answers

I found the same problem trying to read SMC keys in order to get sensor temps and fan speeds from inside an OSX Yosemite 'Today extension'. The extension needs to be sandboxed, and I was also getting the kIOReturnNotPermitted error every time I tried to read the temp and fan sensors.

The only way I got it working was by creating an XPC service that manages all the SMC stuff, configured as a launch agent. This way, the sandboxed app (the 'today' extension) asks the XPC service for all the relevant data, instead of messing with IOKit directly.

So far, it seems to be working properly.

Luixel answered Nov 15 '22 06:11


You don't need an XPC (not sure I understand that answer given it would also need to be sandboxed).

You can use this temporary entitlement, although I don't hold any hope of Apple approving it for MAS - you'd need to make your case to try and justify its use in iTunes Connect. I have a similar problem and it's the only "solution" I've found so far:

com.apple.security.temporary-exception.sbpl string (allow iokit-open)
Rhys Lewis answered Nov 15 '22 07:11


I don't see that the answer from Luis Glez provides a solution, only wrong information.

In fact there is currently no way to access this I/O Kit functionality from a sandboxed app, nor would it be approved by Apple for the App Store. If you check the sandbox status of the app from Luis Glez you will see that it's not sandboxed at all. Also it's not available at the App Store and I assume this is the reason.

Terminal:

codesign --display --entitlements - VitalStats.app

There was a recent discussion on the Developer Forums and someone from Apple confirmed that there is no way.

https://devforums.apple.com/message/1082393#1082393

Marc T. answered Nov 15 '22 08:11
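
An added example, not part of any answer above and not Apple's tooling: a Python check for entitlements XML captured from the codesign command in the last answer, reporting whether the app is sandboxed and whether it carries a temporary exception such as the `(allow iokit-open)` rule from the second answer. The function names and both sample inputs are constructed for illustration; the parser assumes the XML may be preceded by non-XML header bytes and skips them.

```python
import plistlib

SANDBOX_KEY = "com.apple.security.app-sandbox"
TEMP_PREFIX = "com.apple.security.temporary-exception."

def parse_entitlements(raw: bytes) -> dict:
    """Parse entitlement output captured from codesign; {} if none is embedded."""
    start = raw.find(b"<?xml")
    if start < 0:
        start = raw.find(b"<plist")
    end = raw.rfind(b"</plist>")
    if start < 0 or end < start:
        return {}  # unsigned binary, or signed without entitlements
    # Slice out the XML so leading header bytes or trailing noise are ignored.
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def audit(raw: bytes) -> dict:
    """Summarise sandbox status and any temporary-exception entitlements."""
    ent = parse_entitlements(raw)
    exceptions = {k: v for k, v in ent.items() if k.startswith(TEMP_PREFIX)}
    sbpl = exceptions.get(TEMP_PREFIX + "sbpl", [])
    rules = [sbpl] if isinstance(sbpl, str) else list(sbpl)  # string or array
    return {
        "sandboxed": ent.get(SANDBOX_KEY) is True,
        "temporary_exceptions": exceptions,
        "iokit_open_rule": any("iokit-open" in r for r in rules),
    }

# Constructed sample: sandboxed app carrying the sbpl exception from the answer.
_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.temporary-exception.sbpl</key>
  <string>(allow iokit-open)</string>
</dict></plist>
"""
# Eight constructed bytes stand in for a binary header ahead of the XML.
SANDBOXED_WITH_EXCEPTION = b"\xfa\xde\x71\x71" + len(_XML).to_bytes(4, "big") + _XML
# Constructed sample: signed with an empty entitlements dictionary.
NOT_SANDBOXED = b"""<plist version="1.0"><dict/></plist>"""

if __name__ == "__main__":
    for name, blob in [("sandboxed+exception", SANDBOXED_WITH_EXCEPTION),
                       ("not sandboxed", NOT_SANDBOXED)]:
        print(name, audit(blob))
```

A result with `sandboxed` false means the app is running outside the sandbox entirely, while `iokit_open_rule` true means the sandbox profile has been widened for IOKit user clients.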