Hello, I am having some issues with running an XPC server in an endpoint security extension and connecting to it from the sandboxed host application.
I tried doing the following:
Setting the XPC server entitlement in the endpoint security extension's entitlements:
<key>com.apple.developer.endpoint-security.client</key>
<true/>
<key>com.apple.security.xpc.server</key>
<true/>
Adding the Mach service to the plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>NSExtension</key>
    <dict>
        <key>NSExtensionPointIdentifier</key>
        <string>com.apple.system-extension-endpoint-security</string>
        <key>NSExtensionPrincipalClass</key>
        <string>$(PRODUCT_MODULE_NAME).ESFExtension</string>
    </dict>
    <key>NSEndpointSecurityMachServiceName</key>
    <string>[TEAMID]com.[UNIQUE_ID]</string>
</dict>
</plist>
Putting a mach-lookup exception in the sandboxed host application's entitlements:
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.security.exception.mach-lookup.global-name</key>
    <array>
        <string>[TEAMID]com.[UNIQUE_ID]</string>
    </array>
</dict>
Creating the server in the system extension using:
xpc_connection_create_mach_service(_service_name.c_str(), dispatch_get_main_queue(), XPC_CONNECTION_MACH_SERVICE_LISTENER);
with _service_name being the same as in the mach-lookup entitlement.
And connecting to it in the host app with:
xpc_connection_create_mach_service([self.serviceName UTF8String], dispatch_get_main_queue(), 0);
My problem is that I get an XPC error 159 (sandbox restriction) in the lookup:
(libxpc.dylib) [com.apple.xpc:connection] [0x600001a7db30] failed to do a bootstrap look-up: xpc_error=[159: Unknown error: 159]
I tried putting the sysex and the host app in the same app group, and it didn't help. I also read that it is bad practice to have an app group between a sandboxed app and a system extension, so I removed it.
I tried adding a temporary exception, and with it the code works properly.
I tried with the XPC_CONNECTION_MACH_SERVICE_PRIVILEGED flag, but it still didn't work.
Is it possible to have an XPC connection between an ES sysex and its host app? Should the service name have a prefix of the bundle name, or must it follow a certain pattern? Do I need to add some capability in Certificates, Identifiers & Profiles?
Thanks for helping.
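As an added example that is not part of the post above, this is the listener side of the XPC service described there, written against libxpc in the system extension, with a code-signing requirement set on each accepted peer so that only a client signed under the same Team ID is served. SERVICE_NAME and TEAM_ID are placeholders, the "ping" command is constructed for illustration, and the requirement string is an assumption to adapt to the actual signing identity.

```objective-c
// Added example, not the poster's code: listener side of the XPC service in the
// endpoint security system extension, with a code-signing requirement on each
// peer so only a client from the same Team ID is served (macOS 12+ API).
#import <Foundation/Foundation.h>
#include <xpc/xpc.h>
#include <string.h>

#define SERVICE_NAME "[TEAMID]com.[UNIQUE_ID]" // placeholder, same form as in the post
#define TEAM_ID      "TEAMID"                   // placeholder for the developer Team ID

// Reply to a request dictionary; "ping" is a constructed command for illustration.
static void handle_message(xpc_connection_t peer, xpc_object_t msg) {
    xpc_object_t reply = xpc_dictionary_create_reply(msg);
    if (reply == NULL) return;                  // sender did not ask for a reply
    const char *cmd = xpc_dictionary_get_string(msg, "cmd");
    if (cmd != NULL && strcmp(cmd, "ping") == 0)
        xpc_dictionary_set_string(reply, "status", "pong");
    else
        xpc_dictionary_set_string(reply, "status", "unknown command");
    xpc_connection_send_message(peer, reply);
}

// One connection object per client; pin it to our signing identity before use.
static void accept_peer(xpc_connection_t peer) {
    // Assumed requirement: Apple-issued leaf whose OU is our Team ID. Peers that
    // fail it are dropped by libxpc and show up as XPC_ERROR_CONNECTION_INVALID.
    const char *req = "anchor apple generic and certificate leaf[subject.OU] = \"" TEAM_ID "\"";
    if (xpc_connection_set_peer_code_signing_requirement(peer, req) != 0) {
        xpc_connection_cancel(peer);            // refuse rather than serve unverified
        return;
    }
    xpc_connection_set_event_handler(peer, ^(xpc_object_t event) {
        if (xpc_get_type(event) == XPC_TYPE_DICTIONARY)
            handle_message(peer, event);
        // XPC_TYPE_ERROR (client gone or rejected): nothing to clean up here
    });
    xpc_connection_activate(peer);
}

int main(void) {
    xpc_connection_t listener = xpc_connection_create_mach_service(
        SERVICE_NAME, dispatch_get_main_queue(), XPC_CONNECTION_MACH_SERVICE_LISTENER);
    xpc_connection_set_event_handler(listener, ^(xpc_object_t event) {
        if (xpc_get_type(event) == XPC_TYPE_CONNECTION)
            accept_peer((xpc_connection_t)event);
    });
    xpc_connection_activate(listener);
    dispatch_main();                            // serve forever on the main queue
}
```

The requirement is enforced by libxpc before any message from the peer reaches the handler, so a client that is not signed as expected is never served even if it passes the sandbox's mach-lookup check.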