Unable to access shared memory in a sandboxed XPC service

Hi,

I'm trying to upgrade my app ready for the Mac App Store.

After a lot of battles with fitting command line tools into the code signing frameworks required (inside out code signing, etc.) I finally found a way forward. It has literally taken me two years.

Now I'm trying to get the app to run in the sandbox.

I'm having trouble accessing shared memory.

The architecture is this: a Mac app, with a bundled XPC service (the "build engine") and that has bundled (signed) command line tools it runs.

The tools are in <XPC bundle>/Contents/MacOS as they should be and are code signed manually by a script I wrote with the hardened runtime option and with entitlements like this:

<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>DELETED FOR PRIVACY</string>
    </array>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.device.serial</key>
    <true/>
    <key>com.apple.security.device.usb</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
</dict>
</plist>

The same entitlements for both the XPC and its bundled command line tools.


The XPC service passes data to the command line tools using shared memory. This should be possible in a sandboxed app with the use of application groups?

The error in the log is like this...



Replies

The error in the log is like this...

Like what?

In all honesty, it probably doesn't matter what the error in the log file is like. Have you confirmed that it is even possible to access shared memory in a sandboxed XPC service? Personally, I don't know.

It sounds like you are trying to do something really tricky, over and above shared memory in a sandboxed XPC service. What does this app do anyway? Have you confirmed that it is something that will obviously pass app review even if you can get it working?

And why are you asking about the hardened runtime? I'm sure Apple wants all developers to adopt the hardened runtime and I wouldn't dispute that it is a good idea. But it should be an afterthought that you wouldn't even see the point of mentioning. The fact that you did mention it suggests you are trying to do something clever to get around Mac App Store sandbox limitations. If that is true, it is dead in the water.
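
Added example, not part of the thread and not the poster's code: on the shared-memory question in the original post, Apple's App Sandbox documentation requires a POSIX shared memory name to begin with the application group identifier followed by a slash, and macOS caps the whole name at 31 bytes. The sketch below reads a target's entitlements, derives a legal name, and flags `com.apple.security.inherit` combined with other App Sandbox entitlements, which Apple's inheritance guidance does not allow for a child process. The group ID `TEAMID1234.grp`, the sample plist and all function names are assumptions.

```python
import plistlib

PSHMNAMLEN = 31  # macOS cap on a POSIX shm name (sys/posix_shm.h)
PREFIX = "com.apple.security."
SANDBOX, INHERIT = PREFIX + "app-sandbox", PREFIX + "inherit"
GROUPS = PREFIX + "application-groups"
# Key families that are App Sandbox entitlements (not an exhaustive list).
SANDBOX_FAMILIES = tuple(PREFIX + f for f in ("device.", "files.", "network."))

# Constructed sample: keys taken from the post, placeholder group ID.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.application-groups</key>
    <array><string>TEAMID1234.grp</string></array>
    <key>com.apple.security.device.usb</key><true/>
    <key>com.apple.security.inherit</key><true/>
</dict>
</plist>"""


def shm_name(group_id, suffix):
    """Return '<group id>/<suffix>', the form the sandbox accepts for shm_open."""
    if not suffix or "/" in suffix:
        raise ValueError("suffix must be non-empty and contain no '/'")
    name = f"{group_id}/{suffix}"
    if len(name.encode()) > PSHMNAMLEN:
        raise ValueError(f"{name!r} is longer than {PSHMNAMLEN} bytes")
    return name


def shm_names(entitlements_xml, suffix):
    """One legal shm name per application group the target is entitled to."""
    groups = plistlib.loads(entitlements_xml).get(GROUPS, [])
    return [shm_name(g, suffix) for g in groups]


def lint(entitlements_xml):
    """Return findings for one target's entitlements (empty list = clean)."""
    ent = plistlib.loads(entitlements_xml)
    findings = []
    if not ent.get(SANDBOX):
        findings.append("app-sandbox is not enabled")
    if not ent.get(GROUPS):
        findings.append("no application group, so no legal shm name prefix")
    if ent.get(INHERIT):
        # An inheriting child carries only app-sandbox and inherit.
        extra = sorted(k for k in ent if k.startswith(SANDBOX_FAMILIES))
        if extra:
            findings.append("inherit combined with: " + ", ".join(extra))
    return findings
```

Both sides of the shared memory segment have to pass the same derived name to `shm_open`, and a long team-prefixed group ID leaves very few bytes for the suffix.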