Search code examples
macosusbiokitentitlementsdriverkit

How to match my dext with an USB device in DriverKit?

I am writing a driverkit extension whose goal is to block USB devices, such as flash drives. As a starting point, I chose example project at https://developer.apple.com/documentation/driverkit/communicating_between_a_driverkit_extension_and_a_client_app?language=objc

In effort not to disable a keyboard or a mouse, firstly I am trying to match my dext with a single concrete USB drive, whose vendorId I found in the registry (being aware of hexa to decimal conversions). The problem is that when the flash drive is plugged in, the system doesn't match my dext and continues with the system one.

What's wrong? Is a provisioning profile required for this? Is it even possible to match any device this way?

Driver's entitlement file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.developer.driverkit</key>
    <true/>
    <key>com.apple.developer.driverkit.transport.usb</key>
    <array>
        <dict>
            <key>idVendor</key>
            <integer>9128</integer>
        </dict>
    </array>
</dict>
</plist>

Info.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleDevelopmentRegion</key>
    <string>$(DEVELOPMENT_LANGUAGE)</string>
    <key>CFBundleExecutable</key>
    <string>$(EXECUTABLE_NAME)</string>
    <key>CFBundleIdentifier</key>
    <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
    <key>CFBundleInfoDictionaryVersion</key>
    <string>6.0</string>
    <key>CFBundleName</key>
    <string>$(PRODUCT_NAME)</string>
    <key>CFBundlePackageType</key>
    <string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
    <key>CFBundleShortVersionString</key>
    <string>1.0</string>
    <key>CFBundleVersion</key>
    <string>1</string>
    <key>IOKitPersonalities</key>
    <dict>
        <key>DeviceControlDriver</key>
        <dict>
            <key>idVendor</key>
            <integer>9128</integer>
            <key>CFBundleIdentifier</key>
            <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
            <key>CFBundleIdentifierKernel</key>
            <string>com.apple.kpi.iokit</string>
            <key>IOClass</key>
            <string>IOUserService</string>
            <key>IOProviderClass</key>
            <string>IOUSBHostDevice</string>
            <key>IOUserClass</key>
            <string>DeviceControlDriver</string>
            <key>IOUserServerName</key>
            <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
            <key>UserClientProperties</key>
            <dict>
                <key>IOClass</key>
                <string>IOUserUserClient</string>
                <key>IOUserClass</key>
                <string>DeviceControlDriver</string>
            </dict>
        </dict>
    </dict>
    <key>OSBundleUsageDescription</key>
    <string></string>
</dict>
</plist>
Solution

  • There are a few sub-questions here, and I'll try to address them individually:

    In effort not to disable a keyboard or a mouse, firstly I am trying to match my dext with a single concrete USB drive, whose vendorId I found in the registry (being aware of hexa to decimal conversions). The problem is that when the flash drive is plugged in, the system doesn't match my dext and continues with the system one.

    […]

                <key>idVendor</key>
            <integer>9128</integer>
…
            <key>IOProviderClass</key>
            <string>IOUSBHostDevice</string>

    Matching USB devices on macOS follows very specific rules. If you do not follow one of the matching patterns outlined in this documentation from Apple, matching will generally fail.

    You're attempting to match on idVendor alone; this will not work, you will need to match on either idVendor + idProduct or one of the other patterns listed.

    What's wrong? Is a provisioning profile required for this? Is it even possible to match any device this way?

    If you wish to distribute your driver, or even run it locally with SIP enabled, you will require a provisioning profile. Note that Apple generally issues entitlements for specific requested vendor IDs only; if your needs go beyond that you'll need to get in touch with Apple directly.

    For local testing without valid code signing, you can disable SIP; you will still require valid embedded entitlements in the signature, but you can use a provisioning profile which doesn't match the entitlements.

    I am writing a driverkit extension whose goal is to block USB devices, such as flash drives.

    Note that this will be of somewhat limited effectiveness, as 3rd party kexts and DriverKit extensions are not considered for matching during early system boot. This means that any devices which can be claimed by Apple's drivers and which are already connected at the time macOS starts up will always match Apple's own drivers, not yours.

    For USB, you can to some extent work around this by forcing re-enumeration using the USBDeviceReEnumerate function. Note that this simulates a hard unplug, so for mounted storage devices, you should unmount cleanly first, for example.