Cannot communicate with SystemExtension from Application

So I'm having issues communicating with an endpoint security system extension via XPC. Both the application and the extension are signed, notarized, and members of the same group ID. I've confirmed that the extension is running with systemextensionsctl list and launchctl list. I've also confirmed that the XPC endpoint is available with launchctl procinfo <extension_pid>. The Mach service name is correct according to this post (TEAMID.bundleID.xpc). I also use the NSXPCConnection.Options.privileged option when creating the connection. When I call connection.remoteObjectProxyWithErrorHandler, I receive the error "Couldn't communicate with a helper application". This error message is very vague and does not help me troubleshoot further. Are there any other logs that I should be looking at in the Console app?

Replies

There are a couple of ‘obvious’ things to check here…

First, is your app sandboxed? If so, it won’t be able to connect to arbitrary XPC services. You can resolve this by either disabling the App Sandbox or by punching a hole through it using the com.apple.security.temporary-exception.mach-lookup.global-name entitlement.

Second, are you sure your ES extension is actually running? You can check that using ps. You can then use launchctl to check that its Mach service is registered under the right name:

% sudo launchctl list


Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

Both the application and the extension are NOT sandboxed. I can confirm that the extension is running with ps and launchctl list. This is where it's confusing. The output from launchctl shows that the Mach service is TEAMID.com.plato.logger. But if I run launchctl procinfo pid, the XPC endpoint shown in the output is TEAMID.com.plato.logger.xpc. Which is the correct name to use with the constructor for NSXPCConnection?

Both the application and the extension are NOT sandboxed.

Cool.

Which is the correct name to use with the constructor for
NSXPCConnection?

Have you set NSEndpointSecurityMachServiceName (per the EndpointSecurity man page)? If so, to what?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
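The two halves of the setup Quinn is asking about, written out as an added example (this is not code from the thread, not Apple's sample code, and it does not resolve which of the two names launchctl showed is right). It assumes the extension's Info.plist sets NSEndpointSecurityMachServiceName to the placeholder name below and that the listener and the app both use exactly that string; the team ID, bundle ID, protocol, and the code-signing requirement string are all placeholders. The listener side belongs in the extension, the connection side in the app; they are shown together only for readability.

```swift
import Foundation
import Security

// Assumed to match NSEndpointSecurityMachServiceName in the extension's Info.plist.
// TEAMID and the bundle ID are placeholders, not values from the thread.
let machServiceName = "TEAMID.com.example.logger.xpc"

// Placeholder protocol shared by the app and the extension.
@objc protocol LoggerXPCProtocol {
    func ping(reply: @escaping (String) -> Void)
}

// ---------------- Extension side ----------------

final class LoggerService: NSObject, LoggerXPCProtocol {
    func ping(reply: @escaping (String) -> Void) { reply("pong") }
}

/// Anyone who can look up the Mach service can open a connection, so the
/// listener must verify the peer before handing it an exported object.
/// The requirement string is an assumption: it pins the caller to one team ID.
/// Caveat: kSecGuestAttributePid is subject to PID reuse; treat this as a
/// baseline check, not a complete authorization story.
func peerIsTrusted(_ connection: NSXPCConnection) -> Bool {
    let requirementText = "anchor apple generic and certificate leaf[subject.OU] = \"TEAMID\""
    var requirement: SecRequirement?
    guard SecRequirementCreateWithString(requirementText as CFString, [], &requirement) == errSecSuccess,
          let requirement = requirement else { return false }

    let attributes = [kSecGuestAttributePid: connection.processIdentifier] as CFDictionary
    var peerCode: SecCode?
    guard SecCodeCopyGuestWithAttributes(nil, attributes, [], &peerCode) == errSecSuccess,
          let peerCode = peerCode else { return false }

    return SecCodeCheckValidity(peerCode, [], requirement) == errSecSuccess
}

final class ListenerDelegate: NSObject, NSXPCListenerDelegate {
    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        guard peerIsTrusted(newConnection) else {
            NSLog("Rejected XPC peer pid %d", newConnection.processIdentifier)
            return false
        }
        newConnection.exportedInterface = NSXPCInterface(with: LoggerXPCProtocol.self)
        newConnection.exportedObject = LoggerService()
        newConnection.resume()
        return true
    }
}

let listenerDelegate = ListenerDelegate()   // kept alive; the listener holds it weakly

/// Call from the extension's main entry point. The name passed here is the
/// one launchd registered for the extension.
func startListener() -> NSXPCListener {
    let listener = NSXPCListener(machServiceName: machServiceName)
    listener.delegate = listenerDelegate
    listener.resume()
    return listener
}

// ---------------- App side ----------------

/// Connects to the extension. `.privileged` is required because the ES
/// extension runs as root, outside the app's own session.
func connectToExtension() -> NSXPCConnection {
    let connection = NSXPCConnection(machServiceName: machServiceName, options: .privileged)
    connection.remoteObjectInterface = NSXPCInterface(with: LoggerXPCProtocol.self)
    connection.interruptionHandler = { NSLog("XPC connection interrupted") }
    connection.invalidationHandler = { NSLog("XPC connection invalidated") }
    connection.resume()
    return connection
}

func sendPing(over connection: NSXPCConnection) {
    let proxy = connection.remoteObjectProxyWithErrorHandler { error in
        // "Couldn't communicate with a helper application" arrives here.
        // Log domain and code, not just localizedDescription.
        let nsError = error as NSError
        NSLog("XPC error domain=%@ code=%ld: %@", nsError.domain, nsError.code, nsError.localizedDescription)
    } as? LoggerXPCProtocol
    proxy?.ping { NSLog("reply: %@", $0) }
}
```

When the handler fires, the NSError code tells you more than the localized string does: NSXPCConnectionInvalid means the connection never came up (wrong service name, not reachable, or lookup refused), whereas NSXPCConnectionInterrupted means it was established and then dropped, typically because the listener rejected or crashed. Watching the extension's own log while you connect (for example log stream --predicate 'process == "<extension executable name>"') shows whether the delegate's accept method was ever reached.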

So I didn't have the NSEndpointSecurityMachServiceName defined previously. I added it with the value $(TeamIdentifierPrefix)com.plato.logger.xpc and still received the same error message. I confirmed that I am using the correct service name with the NSXPCConnection constructor. The only other message I noticed in the Console app was from taskgated-helper: "Unsatisfied entitlements: com.apple.security.application-groups". I re-confirmed that the entitlements for both the application and the extension have the "App Groups" key. The first entry is set to $(TeamIdentifierPrefix)group.com.plato. I also confirmed that the App Groups capability was enabled for the application and extension App ID in the Apple Developer certificates console. I'm really not sure what the issue is...

See this post for an explanation as to why you’re getting the mysterious taskgated-helper message.

As to your original issue, I don’t have an immediate answer for you. There’s a bunch of different factors in play here and I’ve not explored this specific issue before. I recommend that you open a DTS tech support incident about this, which will allow me to allocate the time to research it properly.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

Was this ever addressed? I'm having the same exact issue and would greatly appreciate a solution or clarity.

Was this ever addressed?

Speaking from my perspective, I’ve no idea )-: Unfortunately I don’t have a good way to map from user names here on DevForums to DTS TSIs, so I can’t tell whether xorrior opened one.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"