[AltDaemon] Replaces local socket communication with XPC

Allows AltDaemon to be launched on demand + reject any connections not made from AltStore.

AltDaemon/AltDaemon-Bridging-Header.h

@@ -10,6 +10,23 @@
 #import "NSError+ALTServerError.h"
 #import "CFNotificationName+AltStore.h"
 
+// libproc
+int proc_pidpath(int pid, void * buffer, uint32_t buffersize);
+
+// Security.framework
+CF_ENUM(uint32_t) {
+    kSecCSInternalInformation = 1 << 0,
+    kSecCSSigningInformation = 1 << 1,
+    kSecCSRequirementInformation = 1 << 2,
+    kSecCSDynamicInformation = 1 << 3,
+    kSecCSContentInformation = 1 << 4,
+    kSecCSSkipResourceDirectory = 1 << 5,
+    kSecCSCalculateCMSDigest = 1 << 6,
+};
+
+OSStatus SecStaticCodeCreateWithPath(CFURLRef path, uint32_t flags, void ** __nonnull CF_RETURNS_RETAINED staticCode);
+OSStatus SecCodeCopySigningInformation(void *code, uint32_t flags, CFDictionaryRef * __nonnull CF_RETURNS_RETAINED information);
+
 NS_ASSUME_NONNULL_BEGIN
 
 @interface AKDevice : NSObject

AltDaemon/AppManager.swift

@@ -75,7 +75,8 @@ struct AppManager
                 // Remove all inactive profiles (if active profiles are provided), and the previous profiles.
                 for fileURL in profileURLs
                 {
-                    guard let profile = ALTProvisioningProfile(url: fileURL) else { continue }
+                    // Use memory mapping to reduce peak memory usage and stay within limit.
+                    guard let profile = try? ALTProvisioningProfile(url: fileURL, options: [.mappedIfSafe]) else { continue }
                     
                     if installingBundleIDs.contains(profile.bundleIdentifier) || (activeProfiles?.contains(profile.bundleIdentifier) == false && profile.isFreeProvisioningProfile)
                     {

AltDaemon/DaemonRequestHandler.swift

@@ -1,6 +1,6 @@
 //
-//  ConnectionManager.swift
-//  AltServer
+//  DaemonRequestHandler.swift
+//  AltDaemon
 //
 //  Created by Riley Testut on 6/1/20.
 //  Copyright © 2019 Riley Testut. All rights reserved.
@@ -11,7 +11,7 @@ import Foundation
 typealias DaemonConnectionManager = ConnectionManager<DaemonRequestHandler>
 
 private let connectionManager = ConnectionManager(requestHandler: DaemonRequestHandler(),
-                                                  connectionHandlers: [LocalConnectionHandler()])
+                                                  connectionHandlers: [XPCConnectionHandler()])
 
 extension DaemonConnectionManager
 {

AltDaemon/LocalConnectionHandler.swift

@@ -1,108 +0,0 @@
-//
-//  LocalConnectionHandler.swift
-//  AltDaemon
-//
-//  Created by Riley Testut on 6/2/20.
-//  Copyright © 2020 Riley Testut. All rights reserved.
-//
-
-import Foundation
-import Network
-
-private let ReceivedLocalServerConnectionRequest: @convention(c) (CFNotificationCenter?, UnsafeMutableRawPointer?, CFNotificationName?, UnsafeRawPointer?, CFDictionary?) -> Void =
-{ (center, observer, name, object, userInfo) in
-    guard let name = name, let observer = observer else { return }
-    
-    let connection = unsafeBitCast(observer, to: LocalConnectionHandler.self)
-    connection.handle(name)
-}
-
-class LocalConnectionHandler: ConnectionHandler
-{
-    var connectionHandler: ((Connection) -> Void)?
-    var disconnectionHandler: ((Connection) -> Void)?
-    
-    private let dispatchQueue = DispatchQueue(label: "io.altstore.LocalConnectionListener", qos: .utility)
-    
-    deinit
-    {
-        self.stopListening()
-    }
-        
-    func startListening()
-    {
-        let notificationCenter = CFNotificationCenterGetDarwinNotifyCenter()
-        let observer = Unmanaged.passUnretained(self).toOpaque()
-        
-        CFNotificationCenterAddObserver(notificationCenter, observer, ReceivedLocalServerConnectionRequest, CFNotificationName.localServerConnectionAvailableRequest.rawValue, nil, .deliverImmediately)
-        CFNotificationCenterAddObserver(notificationCenter, observer, ReceivedLocalServerConnectionRequest, CFNotificationName.localServerConnectionStartRequest.rawValue, nil, .deliverImmediately)
-    }
-    
-    func stopListening()
-    {
-        let notificationCenter = CFNotificationCenterGetDarwinNotifyCenter()
-        let observer = Unmanaged.passUnretained(self).toOpaque()
-        
-        CFNotificationCenterRemoveObserver(notificationCenter, observer, .localServerConnectionAvailableRequest, nil)
-        CFNotificationCenterRemoveObserver(notificationCenter, observer, .localServerConnectionStartRequest, nil)
-    }
-    
-    fileprivate func handle(_ notification: CFNotificationName)
-    {
-        switch notification
-        {
-        case .localServerConnectionAvailableRequest:
-            let notificationCenter = CFNotificationCenterGetDarwinNotifyCenter()
-            CFNotificationCenterPostNotification(notificationCenter, .localServerConnectionAvailableResponse, nil, nil, true)
-
-        case .localServerConnectionStartRequest:
-            let connection = NWConnection(host: "localhost", port: NWEndpoint.Port(rawValue: ALTDeviceListeningSocket)!, using: .tcp)
-            self.start(connection)
-
-        default: break
-        }
-    }
-}
-
-private extension LocalConnectionHandler
-{
-    func start(_ nwConnection: NWConnection)
-    {
-        print("Starting connection to:", nwConnection)
-        
-        // Use same instance for all callbacks.
-        let connection = NetworkConnection(nwConnection)
-        
-        nwConnection.stateUpdateHandler = { [weak self] (state) in
-            switch state
-            {
-            case .setup, .preparing: break
-                
-            case .ready:
-                print("Connected to client:", nwConnection.endpoint)
-                self?.connectionHandler?(connection)
-                
-            case .waiting:
-                print("Waiting for connection...")
-                
-            case .failed(let error):
-                print("Failed to connect to service \(nwConnection.endpoint).", error)
-                self?.disconnect(connection)
-                
-            case .cancelled:
-                self?.disconnect(connection)
-                
-            @unknown default: break
-            }
-        }
-        
-        nwConnection.start(queue: self.dispatchQueue)
-    }
-    
-    func disconnect(_ connection: Connection)
-    {
-        connection.disconnect()
-        
-        self.disconnectionHandler?(connection)
-    }
-}

AltDaemon/XPCConnectionHandler.swift

@@ -0,0 +1,90 @@
+//
+//  XPCConnectionHandler.swift
+//  AltDaemon
+//
+//  Created by Riley Testut on 9/14/20.
+//  Copyright © 2020 Riley Testut. All rights reserved.
+//
+
+import Foundation
+import Security
+
+class XPCConnectionHandler: NSObject, ConnectionHandler
+{
+    var connectionHandler: ((Connection) -> Void)?
+    var disconnectionHandler: ((Connection) -> Void)?
+    
+    private let dispatchQueue = DispatchQueue(label: "io.altstore.XPCConnectionListener", qos: .utility)
+    private let listener = NSXPCListener.makeListener(machServiceName: XPCConnection.machServiceName)
+    
+    deinit
+    {
+        self.stopListening()
+    }
+        
+    func startListening()
+    {
+        self.listener.delegate = self
+        self.listener.resume()
+    }
+    
+    func stopListening()
+    {
+        self.listener.suspend()
+    }
+}
+
+private extension XPCConnectionHandler
+{
+    func disconnect(_ connection: Connection)
+    {
+        connection.disconnect()
+        
+        self.disconnectionHandler?(connection)
+    }
+}
+
+extension XPCConnectionHandler: NSXPCListenerDelegate
+{
+    func listener(_ listener: NSXPCListener, shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool
+    {
+        let maximumPathLength = 4 * UInt32(MAXPATHLEN)
+        
+        let pathBuffer = UnsafeMutablePointer<CChar>.allocate(capacity: Int(maximumPathLength))
+        defer { pathBuffer.deallocate() }
+        
+        proc_pidpath(newConnection.processIdentifier, pathBuffer, maximumPathLength)
+        
+        let path = String(cString: pathBuffer)
+        let fileURL = URL(fileURLWithPath: path)
+                
+        var code: UnsafeMutableRawPointer?
+        defer { code.map { Unmanaged<AnyObject>.fromOpaque($0).release() } }
+        
+        var status = SecStaticCodeCreateWithPath(fileURL as CFURL, 0, &code)
+        guard status == 0 else { return false }
+        
+        var signingInfo: CFDictionary?
+        defer { signingInfo.map { Unmanaged<AnyObject>.passUnretained($0).release() } }
+        
+        status = SecCodeCopySigningInformation(code, kSecCSInternalInformation | kSecCSSigningInformation, &signingInfo)
+        guard status == 0 else { return false }
+        
+        // Only accept connections from AltStore.
+        guard
+            let codeSigningInfo = signingInfo as? [String: Any],
+            let bundleIdentifier = codeSigningInfo["identifier"] as? String,
+            bundleIdentifier.contains("com.rileytestut.AltStore")
+        else { return false }
+        
+        let connection = XPCConnection(newConnection)
+        newConnection.invalidationHandler = { [weak self, weak connection] in
+            guard let self = self, let connection = connection else { return }
+            self.disconnect(connection)
+        }
+
+        self.connectionHandler?(connection)
+        
+        return true
+    }
+}

AltDaemon/package/Library/LaunchDaemons/com.rileytestut.altdaemon.plist

@@ -14,8 +14,13 @@
 	<key>UserName</key>
 	<string>mobile</string>
 	<key>KeepAlive</key>
-    <true/>
+	<false/>
 	<key>RunAtLoad</key>
-    <true/>
+	<false/>
+	<key>MachServices</key>
+	<dict>
+		<key>cy:io.altstore.altdaemon</key>
+		<true/>
+	</dict>
 </dict>
 </plist>