如何将我的 dext 与 DriverKit 中的 USB 设备匹配?
How to match my dext with an USB device in DriverKit?
我正在编写一个驱动程序包扩展,其目标是阻止 USB 设备,例如闪存驱动器。作为起点,我选择了位于 https://developer.apple.com/documentation/driverkit/communicating_between_a_driverkit_extension_and_a_client_app?language=objc
的示例项目
为了不禁用键盘或鼠标,首先我尝试将我的 dext 与单个具体的 USB 驱动器相匹配,我在注册表中找到了它的 vendorId(了解十六进制到十进制的转换)。问题是当U盘插入时,系统与我的dext不匹配,继续用系统一
怎么了?为此需要配置文件吗?甚至可以通过这种方式匹配任何设备吗?
驾驶员权利文件:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.developer.driverkit</key>
<true/>
<key>com.apple.developer.driverkit.transport.usb</key>
<array>
<dict>
<key>idVendor</key>
<integer>9128</integer>
</dict>
</array>
</dict>
</plist>
Info.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleDevelopmentRegion</key>
<string>$(DEVELOPMENT_LANGUAGE)</string>
<key>CFBundleExecutable</key>
<string>$(EXECUTABLE_NAME)</string>
<key>CFBundleIdentifier</key>
<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>$(PRODUCT_NAME)</string>
<key>CFBundlePackageType</key>
<string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleVersion</key>
<string>1</string>
<key>IOKitPersonalities</key>
<dict>
<key>DeviceControlDriver</key>
<dict>
<key>idVendor</key>
<integer>9128</integer>
<key>CFBundleIdentifier</key>
<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
<key>CFBundleIdentifierKernel</key>
<string>com.apple.kpi.iokit</string>
<key>IOClass</key>
<string>IOUserService</string>
<key>IOProviderClass</key>
<string>IOUSBHostDevice</string>
<key>IOUserClass</key>
<string>DeviceControlDriver</string>
<key>IOUserServerName</key>
<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
<key>UserClientProperties</key>
<dict>
<key>IOClass</key>
<string>IOUserUserClient</string>
<key>IOUserClass</key>
<string>DeviceControlDriver</string>
</dict>
</dict>
</dict>
<key>OSBundleUsageDescription</key>
<string></string>
</dict>
</plist>
这里有一些 sub-questions,我将尝试单独解决它们:
In effort not to disable a keyboard or a mouse, firstly I am trying to match my dext with a single concrete USB drive, whose vendorId I found in the registry (being aware of hexa to decimal conversions). The problem is that when the flash drive is plugged in, the system doesn't match my dext and continues with the system one.
[…]
<key>idVendor</key>
<integer>9128</integer>
…
<key>IOProviderClass</key>
<string>IOUSBHostDevice</string>
在 macOS 上匹配 USB 设备遵循非常的特定规则。如果您不遵循 this documentation from Apple 中概述的匹配模式之一,匹配通常会失败。
您正在尝试单独匹配 idVendor;这行不通,您需要匹配 idVendor + idProduct 或列出的其他模式之一。
What's wrong? Is a provisioning profile required for this?
Is it even possible to match any device this way?
如果您希望在启用 SIP 的情况下分发您的驱动程序,甚至 运行 它,您将需要一个配置文件。请注意,Apple 通常只为特定请求的供应商 ID 颁发权利;如果您的需求超出此范围,则需要直接与 Apple 联系。
对于没有有效代码签名的本地测试,您可以禁用SIP;您仍然需要在签名中嵌入有效的权利,但您可以使用与权利不匹配的配置文件。
I am writing a driverkit extension whose goal is to block USB devices, such as flash drives.
请注意,这将是有限的效果,如 3rd party kexts and DriverKit extensions are not considered for matching during early system boot。这意味着任何可以由 Apple 的驱动程序声明并且在 macOS 启动时已经连接的设备将始终匹配 Apple 自己的驱动程序,而不是你的。
对于 USB,您可以通过使用 USBDeviceReEnumerate 函数强制 re-enumeration 在某种程度上解决这个问题。请注意,这模拟了硬拔出,因此对于已安装的存储设备,您应该首先干净地卸载,例如。
我正在编写一个驱动程序包扩展,其目标是阻止 USB 设备,例如闪存驱动器。作为起点,我选择了位于 https://developer.apple.com/documentation/driverkit/communicating_between_a_driverkit_extension_and_a_client_app?language=objc
的示例项目为了不禁用键盘或鼠标,首先我尝试将我的 dext 与单个具体的 USB 驱动器相匹配,我在注册表中找到了它的 vendorId(了解十六进制到十进制的转换)。问题是当U盘插入时,系统与我的dext不匹配,继续用系统一
怎么了?为此需要配置文件吗?甚至可以通过这种方式匹配任何设备吗?
驾驶员权利文件:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.developer.driverkit</key>
<true/>
<key>com.apple.developer.driverkit.transport.usb</key>
<array>
<dict>
<key>idVendor</key>
<integer>9128</integer>
</dict>
</array>
</dict>
</plist>
Info.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleDevelopmentRegion</key>
<string>$(DEVELOPMENT_LANGUAGE)</string>
<key>CFBundleExecutable</key>
<string>$(EXECUTABLE_NAME)</string>
<key>CFBundleIdentifier</key>
<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>$(PRODUCT_NAME)</string>
<key>CFBundlePackageType</key>
<string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleVersion</key>
<string>1</string>
<key>IOKitPersonalities</key>
<dict>
<key>DeviceControlDriver</key>
<dict>
<key>idVendor</key>
<integer>9128</integer>
<key>CFBundleIdentifier</key>
<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
<key>CFBundleIdentifierKernel</key>
<string>com.apple.kpi.iokit</string>
<key>IOClass</key>
<string>IOUserService</string>
<key>IOProviderClass</key>
<string>IOUSBHostDevice</string>
<key>IOUserClass</key>
<string>DeviceControlDriver</string>
<key>IOUserServerName</key>
<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
<key>UserClientProperties</key>
<dict>
<key>IOClass</key>
<string>IOUserUserClient</string>
<key>IOUserClass</key>
<string>DeviceControlDriver</string>
</dict>
</dict>
</dict>
<key>OSBundleUsageDescription</key>
<string></string>
</dict>
</plist>
这里有一些 sub-questions,我将尝试单独解决它们:
In effort not to disable a keyboard or a mouse, firstly I am trying to match my dext with a single concrete USB drive, whose vendorId I found in the registry (being aware of hexa to decimal conversions). The problem is that when the flash drive is plugged in, the system doesn't match my dext and continues with the system one.
[…]
<key>idVendor</key> <integer>9128</integer> … <key>IOProviderClass</key> <string>IOUSBHostDevice</string>
在 macOS 上匹配 USB 设备遵循非常的特定规则。如果您不遵循 this documentation from Apple 中概述的匹配模式之一,匹配通常会失败。
您正在尝试单独匹配 idVendor;这行不通,您需要匹配 idVendor + idProduct 或列出的其他模式之一。
What's wrong? Is a provisioning profile required for this? Is it even possible to match any device this way?
如果您希望在启用 SIP 的情况下分发您的驱动程序,甚至 运行 它,您将需要一个配置文件。请注意,Apple 通常只为特定请求的供应商 ID 颁发权利;如果您的需求超出此范围,则需要直接与 Apple 联系。
对于没有有效代码签名的本地测试,您可以禁用SIP;您仍然需要在签名中嵌入有效的权利,但您可以使用与权利不匹配的配置文件。
I am writing a driverkit extension whose goal is to block USB devices, such as flash drives.
请注意,这将是有限的效果,如 3rd party kexts and DriverKit extensions are not considered for matching during early system boot。这意味着任何可以由 Apple 的驱动程序声明并且在 macOS 启动时已经连接的设备将始终匹配 Apple 自己的驱动程序,而不是你的。
对于 USB,您可以通过使用 USBDeviceReEnumerate 函数强制 re-enumeration 在某种程度上解决这个问题。请注意,这模拟了硬拔出,因此对于已安装的存储设备,您应该首先干净地卸载,例如。