XPC Service responsible PID

We'd like to retrieve the responsible PID and path for XPC Service processes programmatically. This information can be printed with launchctl procinfo. I know there's the private responsibility API that is used by Activity Monitor.

Is there any public API available?

Also, EndpointSecurity provides NOTIFY and AUTH event types for UIPC, i.e. sockets, but there does not seem to exist an equivalent for XPC.

Is there no way to track this kind of process relationship with officially supported API?
Up vote post of vlbenfed Down vote post of vlbenfed
907 views
Posted by
vlbenfed
Reply
Add a Comment

Replies

I just filed enhancement requests FB8447047 (officially supported API) and FB8447115 (EndpointSecurity XPC connection events) and ask everyone else interested in resolving this issue to do the same in order to increase visibility at Apple.
Posted by
vlbenfed
Post not yet marked as solved Up vote reply of vlbenfed Down vote reply of vlbenfed
Add a Comment
I have some good news on this front. The macOS SDK in Xcode 12.2 beta adds a new field to the es_process_t type, responsible_audit_token. Check it out!

Note I believe the runtime support is present in 11.0b6 and later but, regardless, the canonical way to check for the presence of responsible_audit_token is look for a message version of 4 or greater.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Post not yet marked as solved Up vote reply of eskimo Down vote reply of eskimo
Add a Comment