Suspending USB Device

I'm working on a system management tool that should be able to Allow/Deny mass storage and portable devices.

In case if it is a USB flash drive I can detect Mount events using Endpoint Security framework. Then using IOServiceGetMatchingServices I can find the actual device that is trying to mount new volume, check if it is an allowed device and Allow or Deny mount.

But in case if it is an iPhone/iPad or Android device I can't rely on that solution as they don't mount new volumes but user can copy files to the phone. To cover this case I could respond with Deny for the ES_EVENT_TYPE_AUTH_IOKIT_OPEN event. But at that moment I know nothing about the device, only its class which is the same for a mouse and for iPhone.

I can add a notification for adding new USB devices, but then I would need somehow to understand that it is a phone/tablet and disconnect or suspend needed USB Device.

How could I disconnect or suspend a USB Device having only io_object_t?

Up vote post of buddax2 Down vote post of buddax2
658 views
Posted by
buddax2
Reply
Add a Comment

Accepted Reply

I’m not aware of any mechanism to completely disconnect an I/O service. There might be something within the USB family, which is an area of I/O Kit that I don’t have significant experience with.

The traditional approach for this is to create a KEXT (a DEXT nowadays) that matches against the service and thus prevents the system’s built-in driver from matching. There’s also USBDeviceReEnumerate, which allows you to kick an existing driver off a USB device.

Honestly, I think the world would be a better place if the ES_EVENT_TYPE_AUTH_IOKIT_OPEN event came with enough context to allow you to make an informed decision there. Providing an io_object_t for the driver would be tricky [1] but it could give you a registry entry ID instead [2]. If you agree, I encourage you to file an enhancement request describing your requirements.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Because an io_object_t is effectively a Mach port right name.

[2] See IORegistryEntryGetRegistryEntryID and, critically, IORegistryEntryIDMatching.

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment

Replies

How could I disconnect or suspend a USB Device having only io_object_t?

If you had an io_object_t, you could interrogate the I/O registry for a world of interesting info. However, I suspect you meant to say having only an es_event_iokit_open_t?, which makes this problem harder. Is that right?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo

  • Yeah, I already saw a similar thread about es_event_iokit_open_t and that there is no way to get to the actual device from it.

    buddax2
Add a Comment

I think about a solution where I watch for connected devices using IOServiceAddMatchingNotification and as a result I will get io_object_t. But I can't find any documentation or code examples how to tell the system to disconnect io_object_t.

Posted by
buddax2
Up vote reply of buddax2 Down vote reply of buddax2
Add a Comment

I’m not aware of any mechanism to completely disconnect an I/O service. There might be something within the USB family, which is an area of I/O Kit that I don’t have significant experience with.

The traditional approach for this is to create a KEXT (a DEXT nowadays) that matches against the service and thus prevents the system’s built-in driver from matching. There’s also USBDeviceReEnumerate, which allows you to kick an existing driver off a USB device.

Honestly, I think the world would be a better place if the ES_EVENT_TYPE_AUTH_IOKIT_OPEN event came with enough context to allow you to make an informed decision there. Providing an io_object_t for the driver would be tricky [1] but it could give you a registry entry ID instead [2]. If you agree, I encourage you to file an enhancement request describing your requirements.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Because an io_object_t is effectively a Mach port right name.

[2] See IORegistryEntryGetRegistryEntryID and, critically, IORegistryEntryIDMatching.

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment

I submitted this basic concept as an enhancement request 3.5 years ago (FB7613675 March 4, 2020), still shows as open.

Posted by
mdolan
Up vote reply of mdolan Down vote reply of mdolan
Add a Comment

I submitted this basic concept as an enhancement request 3.5 years ago

Thanks for that. I can’t say anything concrete about its state other than to confirm that it landed in the right place.

buddax2, I still recommend that you file your own ER for this. Sometimes a new ER, with a new explanation of what’s required and the impact of not having it, is enough to push the feature ‘over the edge’.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Thanks for the response @eskimo. I submitted the request FB13379845.

Posted by
buddax2
Up vote reply of buddax2 Down vote reply of buddax2
Add a Comment