System XPC services

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Post by scknight » Fri Nov 18, 2016 6:07 pm

Are there restrictions on who can connect to "com.apple." system XPC services? If so, what is it that enforces that? Something in the XPC library, or something kernel-level related to the Mach messages that are being sent underneath?
scknight
 
Posts: 27
Joined: Thu Nov 10, 2016 1:01 pm

Re: System XPC services

Post by scknight » Fri Nov 18, 2016 6:22 pm

Just noticed this in the system logs, which I didn't see before posting:

Nov 18 13:14:34 nsurlsessiond[225]: Process with pid 25966 does not have a bundle ID, rejecting connection

I was trying to go directly to "com.apple.nsurlsessiond". I'm not exactly sure why the error is happening, but I can clearly tell it's happening in the daemon itself, in the XPC listener:shouldAcceptNewConnection: method.
scknight
 
Posts: 27
Joined: Thu Nov 10, 2016 1:01 pm

Re: System XPC services

Post by morpheus » Sun Nov 20, 2016 1:07 am

The Bundle ID one is easy to get around, but the main restrictions are via sandbox. You can use sbtool on a PID with the "mach" argument, and it will tell you which services are and/or aren't accessible to a given PID.
morpheus
Site Admin
 
Posts: 531
Joined: Thu Apr 11, 2013 6:24 pm

Re: System XPC services

Post by scknight » Mon Nov 21, 2016 8:03 pm

I don't think nsurlsessiond is sandboxed in any way. At least sbtool doesn't find anything, and nothing I've seen so far indicates that it is. On macOS there are two processes running: one is an instance of nsurlsessiond launched with --privileged and the other is launched as the logged-in user. When connecting over XPC with NSXPCConnection you can pass an option of Privileged. I'm not that familiar with that process, but it determines whether it tries to connect to the one created on login or the system one. The logged-in user one works and the system one fails. The system one ends up making a call to

https://developer.apple.com/reference/s ... attributes

and I think that's what's preventing my normal process from connecting to the system process.
scknight
 
Posts: 27
Joined: Thu Nov 10, 2016 1:01 pm
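
For readers following the thread: an added example (not part of any post above, and not nsurlsessiond's code) of how a daemon can vet a client inside listener:shouldAcceptNewConnection:, here by checking the peer's code signature against a requirement. The protocol ExampleService, the names com.example.service and com.example.client, and the requirement string are all hypothetical; the listener assumes a launchd job that registers the Mach service name. macOS only.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical service protocol and client requirement, invented for this example.
@protocol ExampleService
- (void)ping:(void (^)(NSString *reply))reply;
@end
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.client\"";

@interface ExampleListener : NSObject <NSXPCListenerDelegate, ExampleService>
@end

@implementation ExampleListener
// Resolve the peer to a SecCode object and validate it against the requirement.
// The pid is only a lookup key and pids can be reused; a service that can get
// the peer's audit token should key the lookup on that instead.
- (BOOL)peerIsTrusted:(NSXPCConnection *)peer {
    NSDictionary *attrs = @{ (__bridge NSString *)kSecGuestAttributePid : @(peer.processIdentifier) };
    SecCodeRef code = NULL;
    SecRequirementRef req = NULL;
    BOOL ok = NO;
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &code) == errSecSuccess &&
        SecRequirementCreateWithString((__bridge CFStringRef)kClientRequirement,
                                       kSecCSDefaultFlags, &req) == errSecSuccess) {
        ok = SecCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess;
    }
    if (code) CFRelease(code);
    if (req) CFRelease(req);
    return ok;
}
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)peer {
    if (![self peerIsTrusted:peer]) {
        NSLog(@"pid %d failed the client check, rejecting connection", peer.processIdentifier);
        return NO;  // the new connection is invalidated; the client sees an error
    }
    peer.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(ExampleService)];
    peer.exportedObject = self;
    [peer resume];
    return YES;
}
- (void)ping:(void (^)(NSString *))reply { reply(@"pong"); }
@end

int main(void) {
    ExampleListener *delegate = [ExampleListener new];
    NSXPCListener *listener = [[NSXPCListener alloc] initWithMachServiceName:@"com.example.service"];
    listener.delegate = delegate;
    [listener resume];
    [[NSRunLoop currentRunLoop] run];  // serve connections until the process exits
}
```

Build with ARC enabled and link the Foundation and Security frameworks.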
