Hello,
Is it possible for a Network Extension (running in its sandbox) to act as a client for an XPC service hosted by a Launch Daemon (e.g., to offload data processing)? Are there any specific sandbox restrictions or entitlement requirements for this type of XPC communication?
Thank you in advance!
Is it possible for a Network Extension … to act as a client for an XPC service hosted by a Launch Daemon … ?
Yes.
The trick is to use an app group. Sign your client with an app group ID and then, in the MachServices property of the launchd daemon, set the XPC endpoint name to be a ‘child’ of that app group ID. See the discussion in App Groups Entitlement.
App groups are a bit tricky on the Mac. See App Groups: macOS vs iOS: Working Towards Harmony for the full backstory.
Given that your client is sandboxed, it must claim access to that app group ID. And in that case I strongly recommend that you authorise that claim via a provisioning profile.
Your launchd daemon is (presumably) not sandboxed so it doesn’t need to claim access to the app group ID. However, if you decide to make that claim then my recommendation applies there as well: Authorise the claim with a provisioning profile.
If you claim access to an app group and don’t authorise that claim, the system will drop the entitlements-validate flag for your process, which can cause all sorts of weird issues. See App Groups: macOS vs iOS: Working Towards Harmony for more about that.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"