XPC: Missing functionality in XPCListener and IncomingSessionRequest

Originator: rsfinn
Number: rdar://FB13715123
Date Originated: 2024-04-08
Status: Open
Resolved:
Product: macOS
Product Version: 14.4
Classification: Suggestion
Reproducible:
 
The low-level Swift API for XPC (XPCSession and XPCListener) provides no way for the listener to validate an incoming connection or message request (as is best practice for Mach services such as launch daemons). By comparison, the NSXPCConnection class provides the -setCodeSigningRequirement: method, and the low-level C API provides xpc_connection_set_peer_code_signing_requirement(), but the Swift API does not expose the underlying connection to permit the equivalent operation. Furthermore, Apple added the low-level C API xpc_listener_set_peer_code_signing_requirement() in macOS 14.4, but no equivalent was provided for XPCListener.

As a specific example, Xcode's XPC Service template includes this code:

let listener = try XPCListener(service: serviceName) { request in
    request.accept { message in
        performCalculation(with: message)
    }
}

but there is no way for the incomingSessionHandler closure to inspect the IncomingMessageRequest and make an informed decision on whether to accept or reject the message.

For the specific use case of validating the connection, I would expect to see one of the following:
* a property on XPCListener to set a peer code signing requirement, or an optional parameter in its initializer;
* a method on the XPCListener.IncomingMessageRequest that evaluates a peer code signing requirement for the underlying connection, which would allow the incomingSessionHandler to reject a message;
* as a fallback, the equivalent of SecCodeCreateWithXPCMessage or direct access to the sending process' audit token, although Apple seems to be moving away from these in favor of providing higher-level solutions.
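
For comparison, the peer validation that the report says is available through the low-level C API, called from Swift. This is an added example, not part of the original report or of Apple's template; the Mach service name, the requirement string (including the team identifier) and the reply key are placeholder assumptions.

```swift
import Foundation
import XPC

// Placeholder values (assumptions for this example, not from the report).
let machServiceName = "com.example.helper"
let clientRequirement =
    "identifier \"com.example.client\" and anchor apple generic " +
    "and certificate leaf[subject.OU] = \"TEAMID0000\""

// Listener for a launchd-managed Mach service, created with the C API.
let listener = xpc_connection_create_mach_service(
    machServiceName, nil, UInt64(XPC_CONNECTION_MACH_SERVICE_LISTENER))

xpc_connection_set_event_handler(listener) { peer in
    // The listener's handler receives each new peer connection (or an error object).
    guard xpc_get_type(peer) == XPC_TYPE_CONNECTION else { return }

    // Attach the requirement before the peer is activated (macOS 12 or later),
    // so every message on this connection is checked against it.
    // A non-zero result means the requirement could not be applied: fail closed.
    guard xpc_connection_set_peer_code_signing_requirement(peer, clientRequirement) == 0 else {
        xpc_connection_cancel(peer)
        return
    }

    xpc_connection_set_event_handler(peer) { event in
        // Only dictionary messages are handled; error objects are ignored here.
        guard xpc_get_type(event) == XPC_TYPE_DICTIONARY,
              let reply = xpc_dictionary_create_reply(event) else { return }
        xpc_dictionary_set_string(reply, "status", "ok")
        xpc_connection_send_message(peer, reply)
    }
    xpc_connection_activate(peer)
}

xpc_connection_activate(listener)
dispatchMain()
```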
