Validation fails for sandboxed Mach service

[andreasley]

I'm trying to communicate with a bundled Mach service that is installed using SMAppService. Both the main .app and the Mach service are sandboxed.

Here's how I configure the XPCServer in the Mach service:

try XPCServer.forMachService(withCriteria: .forDaemon(withClientRequirement: .sameTeamIdentifier))

Unfortunately, this fails. The function validateThisProcessIsAnSMAppServiceDaemon() returns a .failure because the Sandbox prevents it from reading Library/LaunchDaemons/ in the main app's bundle.

Logged messages:

Sandbox: Some Daemon(58726) deny(1) file-read-data /Users/someuser/Library/Developer/Xcode/DerivedData/Some_App-liughliuhliuagsiudfasdfj/Build/Products/Debug/Some App.app/Contents/Library/LaunchDaemons

SecureXPC.XPCError.misconfiguredServer(description: "An SMAppService daemon must have a property list within its parent bundle\'s Contents/Library/LaunchDaemons /\ndirectory.\nParent bundle: file:///Users/someuser/Library/Developer/Xcode/DerivedData/Some_App-liughliuhliuagsiudfasdfj/Build/Products/Debug/Some%20App.app/")

I'd like keep the service sandboxed (XPC worked fine when using Apple's XPCSession).

Failed attempts:

I've tried to find a Sandbox exception entitlement that allows reading a bundle-relative path. There doesn't seem to be one.

Is there perhaps another solution or did I miss anything?

[andreasley]

I've realized that simply creating a named Mach service is possible, so I'm doing just that:

try XPCServer.forMachService(withCriteria: .init(machServiceName: "com.somecompany.someapp.someservice", clientRequirement: .sameTeamIdentifier))

Thanks for this great library!