Suspending USB Device

I'm working on a system management tool that should be able to Allow/Deny mass storage and portable devices.

If it is a USB flash drive, I can detect mount events using the Endpoint Security framework. Then, using IOServiceGetMatchingServices, I can find the actual device that is trying to mount a new volume, check whether it is an allowed device, and allow or deny the mount.

But if it is an iPhone/iPad or Android device, I can't rely on that solution, as they don't mount new volumes but the user can copy files to the phone. To cover this case I could respond with Deny for the ES_EVENT_TYPE_AUTH_IOKIT_OPEN event. But at that moment I know nothing about the device, only its class, which is the same for a mouse and for an iPhone.

I can add a notification for adding new USB devices, but then I would need somehow to understand that it is a phone/tablet and disconnect or suspend the needed USB device.

How could I disconnect or suspend a USB Device having only io_object_t?

Answered by DTS Engineer in 771513022

I’m not aware of any mechanism to completely disconnect an I/O service. There might be something within the USB family, which is an area of I/O Kit that I don’t have significant experience with.

The traditional approach for this is to create a KEXT (a DEXT nowadays) that matches against the service and thus prevents the system’s built-in driver from matching. There’s also USBDeviceReEnumerate, which allows you to kick an existing driver off a USB device.

Honestly, I think the world would be a better place if the ES_EVENT_TYPE_AUTH_IOKIT_OPEN event came with enough context to allow you to make an informed decision there. Providing an io_object_t for the driver would be tricky [1] but it could give you a registry entry ID instead [2]. If you agree, I encourage you to file an enhancement request describing your requirements.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Because an io_object_t is effectively a Mach port right name.

[2] See IORegistryEntryGetRegistryEntryID and, critically, IORegistryEntryIDMatching.
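
The registry entry ID round trip that footnote [2] points at, as an added Swift example (not code from this thread or from Apple): it enumerates USB devices, records each one's registry entry ID with its vendor and product IDs, and later re-finds the entry from the ID alone. It assumes the `IOUSBHostDevice` class with `idVendor`/`idProduct` properties and macOS 12 or later for `kIOMainPortDefault`; `allowedDevices`, `USBDeviceInfo`, `describe`, `currentUSBDevices` and `service(forRegistryEntryID:)` are hypothetical names, and the allowlist values are constructed.

```swift
import Foundation
import IOKit

// Hypothetical allowlist of [vendor ID, product ID] pairs; values are constructed.
let allowedDevices: Set<[Int]> = [[0x1234, 0x5678]]

struct USBDeviceInfo {
    let registryEntryID: UInt64   // plain 64-bit value, unlike an io_object_t (a Mach port right name)
    let vendorID: Int
    let productID: Int
    var isAllowed: Bool { allowedDevices.contains([vendorID, productID]) }
}

/// Reads the registry entry ID and USB identifiers from one registry entry.
func describe(_ service: io_service_t) -> USBDeviceInfo? {
    var entryID: UInt64 = 0
    guard IORegistryEntryGetRegistryEntryID(service, &entryID) == KERN_SUCCESS else { return nil }
    func number(_ key: String) -> Int? {
        IORegistryEntryCreateCFProperty(service, key as CFString, kCFAllocatorDefault, 0)?
            .takeRetainedValue() as? Int
    }
    guard let vendor = number("idVendor"), let product = number("idProduct") else { return nil }
    return USBDeviceInfo(registryEntryID: entryID, vendorID: vendor, productID: product)
}

/// Snapshot of the USB devices currently in the I/O registry.
func currentUSBDevices() -> [USBDeviceInfo] {
    var iterator: io_iterator_t = 0
    // The matching dictionary is consumed by IOServiceGetMatchingServices.
    guard IOServiceGetMatchingServices(kIOMainPortDefault, IOServiceMatching("IOUSBHostDevice"),
                                       &iterator) == KERN_SUCCESS else { return [] }
    defer { IOObjectRelease(iterator) }
    var devices: [USBDeviceInfo] = []
    while case let service = IOIteratorNext(iterator), service != 0 {
        defer { IOObjectRelease(service) }
        if let info = describe(service) { devices.append(info) }
    }
    return devices
}

/// Re-finds a registry entry from its ID alone; the caller must IOObjectRelease the result.
func service(forRegistryEntryID id: UInt64) -> io_service_t? {
    let found = IOServiceGetMatchingService(kIOMainPortDefault, IORegistryEntryIDMatching(id))
    return found == 0 ? nil : found
}

for device in currentUSBDevices() {
    print("entry 0x\(String(device.registryEntryID, radix: 16)) allowed=\(device.isAllowed)")
    if let again = service(forRegistryEntryID: device.registryEntryID) { IOObjectRelease(again) }
}
```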

How could I disconnect or suspend a USB Device having only io_object_t?

If you had an io_object_t, you could interrogate the I/O registry for a world of interesting info. However, I suspect you meant to say having only an es_event_iokit_open_t, which makes this problem harder. Is that right?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I'm thinking about a solution where I watch for connected devices using IOServiceAddMatchingNotification, and as a result I will get an io_object_t. But I can't find any documentation or code examples on how to tell the system to disconnect an io_object_t.

I submitted this basic concept as an enhancement request 3.5 years ago (FB7613675 March 4, 2020), still shows as open.

I submitted this basic concept as an enhancement request 3.5 years ago

Thanks for that. I can’t say anything concrete about its state other than to confirm that it landed in the right place.

buddax2, I still recommend that you file your own ER for this. Sometimes a new ER, with a new explanation of what’s required and the impact of not having it, is enough to push the feature ‘over the edge’.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for the response @eskimo. I submitted the request FB13379845.
