Should embedded XPCServices validate incoming connections?

Hello,

The man page for xpcservices.plist states that:

Services embedded in an application bundle will only be visible to the containing application (...)

What exactly does "visible" mean? Does that mean that there is a mechanism to prevent programs other than the embedding application from accessing the XPCService's Mach port, or does it just mean that the XPCService is not listed (e.g. in launchctl list) and, if an attacker can guess the Mach port, they can access it?

I'm asking in order to understand whether there is a security gain from using -[NSXPCConnection setCodeSigningRequirement:] for embedded XPCServices.

Answered by DTS Engineer in 791977022
Accepted Answer
Does that mean that there is a mechanism to prevent programs other than the embedding application from accessing the XPCService's Mach port

Yes. To understand how this works you need some background on how Mach bootstrap namespaces work. A good place to start here is the old-but-still-kinda-useful Technote 2083 Daemons and Agents. And some of the background in XPC and App-to-App Communication might be helpful.

macOS maintains a hierarchy of Mach bootstrap namespaces. The XPC services embedded within your app are registered in a namespace that’s unique to your app [1]. No other process runs in that exact namespace, not even a child process that you spawn, and thus other processes can’t connect to the XPC service.

But, honestly, if you’re trying to satisfy your security auditors, I recommend that you not take my word for it (-: Build some test projects to confirm my assertions. And if you’re feeling especially enthusiastic, add them to your test suite.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] There are a bunch of subtle details I’m glossing over here, and this is one of the places where the age of TN2083 is telling )-:
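As an added example, not code from this thread or from Apple, here is what the listener side of an embedded XPC service looks like when it applies -[NSXPCConnection setCodeSigningRequirement:] as a second layer on top of the per-app bootstrap namespace the answer describes. The protocol, class names, bundle identifier and team identifier are placeholders to replace with your own; the API itself requires macOS 13 or later.

```swift
// Added example (not from the original post): the listener side of an
// embedded XPC service that, in addition to the bootstrap-namespace
// isolation described in the answer, enforces a code-signing requirement
// on every incoming connection. setCodeSigningRequirement(_:) needs macOS 13+.
import Foundation

// Hypothetical protocol the service vends to its host app.
@objc protocol ThumbnailServiceProtocol {
    func makeThumbnail(for url: URL, reply: @escaping (Data?) -> Void)
}

final class ThumbnailService: NSObject, ThumbnailServiceProtocol {
    func makeThumbnail(for url: URL, reply: @escaping (Data?) -> Void) {
        // Real work would go here; the example only returns an empty payload.
        reply(Data())
    }
}

// Code-signing requirement language: the peer must chain to Apple's root,
// carry the host app's bundle identifier and belong to the stated team.
// "com.example.HostApp" and "TEAMID0000" are placeholders.
let hostRequirement =
    "anchor apple generic and identifier \"com.example.HostApp\" " +
    "and certificate leaf[subject.OU] = \"TEAMID0000\""

final class ListenerDelegate: NSObject, NSXPCListenerDelegate {
    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        if #available(macOS 13.0, *) {
            // Must be set before resume(). Once set, XPC drops messages from
            // any peer that does not satisfy the requirement, not just the
            // initial handshake, so a later re-exec of the peer is covered too.
            newConnection.setCodeSigningRequirement(hostRequirement)
        } else {
            // Without the API, only the namespace isolation applies. This
            // example takes the conservative choice and refuses the connection.
            return false
        }
        newConnection.exportedInterface = NSXPCInterface(with: ThumbnailServiceProtocol.self)
        newConnection.exportedObject = ThumbnailService()
        newConnection.resume()
        return true
    }
}

let delegate = ListenerDelegate()
let listener = NSXPCListener.service()   // the embedded service's own listener
listener.delegate = delegate
listener.resume()                        // never returns for a .service() listener
```

The namespace isolation remains the first line of defence; the requirement string is cheap defence in depth and, as the answer suggests, is easy to exercise from a test target that launches the service and checks that a connection signed with a different identifier is refused.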

