System XPC services

PostPosted: Fri Nov 18, 2016 6:07 pm
by scknight
Are there restrictions on who can connect to "com.apple." system XPC services? If so what is it that enforces that? Something in the XPC library or something kernel level related to the mach messages that are being sent underneath?

Re: System XPC services

PostPosted: Fri Nov 18, 2016 6:22 pm
by scknight
Just noticed this in the system logs that I didn't see before posting:

Nov 18 13:14:34 nsurlsessiond[225]: Process with pid 25966 does not have a bundle ID, rejecting connection

I was trying to go directly to "com.apple.nsurlsessiond". I'm not exactly sure why the error is happening, but I can clearly tell it's happening in the daemon itself, in the XPC listener:shouldAcceptNewConnection: method.
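For readers wondering what a daemon-side check in listener:shouldAcceptNewConnection: looks like, here is an added example of an NSXPCListenerDelegate that validates the connecting process. It is not code from this thread or from Apple's nsurlsessiond; the service name "com.example.helper", the protocol HelperProtocol and the requirement string "identifier \"com.example.client\" and anchor apple generic" are placeholders. Rather than stopping at "does the peer have a bundle ID" (a value the peer declares about itself in its Info.plist), it resolves the peer's code object by PID and evaluates a code-signing requirement against it:

```objective-c
// Added example, not part of the original thread or of any Apple daemon.
// A defensive XPC listener delegate: the peer must be signed code that
// satisfies a designated requirement, not merely something with a bundle ID.
// Build with: clang -fobjc-arc -framework Foundation -framework Security xpc_listener.m
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Placeholder protocol exposed by this hypothetical helper.
@protocol HelperProtocol
- (void)pingWithReply:(void (^)(NSString *reply))reply;
@end

@interface HelperService : NSObject <HelperProtocol>
@end
@implementation HelperService
- (void)pingWithReply:(void (^)(NSString *))reply { reply(@"pong"); }
@end

// Looks up the running code for `pid` via the Security framework.
// Returns NULL if no code object can be found (e.g. the process is gone).
static SecCodeRef CopyCodeForPid(pid_t pid) {
    SecCodeRef code = NULL;
    NSDictionary *attrs = @{ (__bridge id)kSecGuestAttributePid : @(pid) };
    OSStatus st = SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                                 kSecCSDefaultFlags, &code);
    return (st == errSecSuccess) ? code : NULL;
}

// Returns the peer's signing identifier (the bundle ID for apps), or nil if unsigned.
static NSString *SigningIdentifierForCode(SecCodeRef code) {
    CFDictionaryRef info = NULL;
    // A SecCodeRef may be passed wherever a SecStaticCodeRef is expected.
    OSStatus st = SecCodeCopySigningInformation((SecStaticCodeRef)code,
                                                kSecCSSigningInformation, &info);
    if (st != errSecSuccess || info == NULL) return nil;
    NSString *ident = CFDictionaryGetValue(info, kSecCodeInfoIdentifier)
        ? [(__bridge NSString *)CFDictionaryGetValue(info, kSecCodeInfoIdentifier) copy] : nil;
    CFRelease(info);
    return ident;
}

// Evaluates a code requirement against the peer's code object.
static BOOL CodeSatisfiesRequirement(SecCodeRef code, NSString *requirement) {
    SecRequirementRef req = NULL;
    OSStatus st = SecRequirementCreateWithString((__bridge CFStringRef)requirement,
                                                 kSecCSDefaultFlags, &req);
    if (st == errSecSuccess) st = SecCodeCheckValidity(code, kSecCSDefaultFlags, req);
    if (req) CFRelease(req);
    return st == errSecSuccess;
}

@interface HelperListenerDelegate : NSObject <NSXPCListenerDelegate>
@end
@implementation HelperListenerDelegate
- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    pid_t pid = newConnection.processIdentifier;
    SecCodeRef code = CopyCodeForPid(pid);
    if (code == NULL) {
        NSLog(@"pid %d: no code object found, rejecting connection", pid);
        return NO;
    }
    NSString *ident = SigningIdentifierForCode(code);
    // Placeholder requirement: substitute the real client's designated requirement.
    BOOL ok = (ident != nil) &&
        CodeSatisfiesRequirement(code, @"identifier \"com.example.client\" and anchor apple generic");
    CFRelease(code);
    if (!ok) {
        NSLog(@"pid %d (%@) does not satisfy the code requirement, rejecting connection",
              pid, ident ?: @"unsigned");
        return NO;
    }
    newConnection.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    newConnection.exportedObject = [HelperService new];
    [newConnection resume];
    return YES;
}
@end

int main(void) {
    @autoreleasepool {
        HelperListenerDelegate *delegate = [HelperListenerDelegate new];
        // Placeholder Mach service name; it must match the launchd plist's MachServices key.
        NSXPCListener *listener =
            [[NSXPCListener alloc] initWithMachServiceName:@"com.example.helper"];
        listener.delegate = delegate;
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
    return 0;
}
```

One caveat worth knowing: resolving the peer by PID is racy in principle (a PID can be recycled between the lookup and the check), which is why a check keyed on the connection's audit token is preferable where the API in use exposes one; SecCodeCopyGuestWithAttributes accepts kSecGuestAttributeAudit for that purpose. The log line in this example is modelled on the "does not have a bundle ID, rejecting connection" message above, but the decision rests on the signature, not on the self-declared identifier.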

Re: System XPC services

PostPosted: Sun Nov 20, 2016 1:07 am
by morpheus
The Bundle ID one is easy to get around - but the main restrictions are via sandbox. You can use sbtool on a PID with the "mach" argument, and it will tell you which services are and/or aren't accessible to a given PID.

Re: System XPC services

PostPosted: Mon Nov 21, 2016 8:03 pm
by scknight
I don't think nsurlsessiond is sandboxed in any way. At least sbtool doesn't find anything, and nothing I've seen so far indicates that it is. On macOS there are two processes running: one is an instance of nsurlsessiond launched with --privileged and the other is launched as the logged-in user. When connecting over XPC with NSXPCConnection you can pass an option of Privileged. I'm not that familiar with that process, but it determines whether it tries to connect to the one created on login or the system one. The logged-in user one works and the system one fails. The system one ends up making a call to

https://developer.apple.com/reference/s ... attributes

and I think that's what's preventing my normal process from connecting to the system process.