HardenedRuntime

apple_bundle::entitlements::security

Struct HardenedRuntime 

Source 
pub struct HardenedRuntime {
Show 13 fields
    pub allow_execution_of_jit_compiled_code: Option<bool>,
    pub allow_unsigned_executable_memory: Option<bool>,
    pub allow_dyld_environment_variables: Option<bool>,
    pub disable_library_validation: Option<bool>,
    pub disable_executable_memory_protection: Option<bool>,
    pub debugging_tool: Option<bool>,
    pub audioinput: Option<bool>,
    pub camera: Option<bool>,
    pub location: Option<bool>,
    pub address_book: Option<bool>,
    pub calendars: Option<bool>,
    pub photos_library: Option<bool>,
    pub apple_events: Option<bool>,

}
Expand description

Hardened Runtime

Fields§

§allow_execution_of_jit_compiled_code: Option<bool>

A Boolean value that indicates whether the app may create writable and executable memory using the MAP_JIT flag.

You can create memory that’s both writable and executable by passing the MAP_JIT flag to the mmap() system function. The Hardened Runtime disallows this by default, because it creates a security risk. However, some apps and system frameworks rely on this functionality, typically for performance reasons. Examples include:

  • The fast-path of the JavaScriptCore framework
  • Certain Python frameworks
  • Perl-compatible regular expressions (PCRE)
  • An app that creates a dynamically-compiled, proprietary macro language

Without the Allow Execution of JIT-compiled Code Entitlement, frameworks that rely on just-in-time (JIT) compilation may fall back to an interpreter. Other code using JIT compilation may crash or behave in unexpected ways.

Digital rights management (DRM) solutions that currently use unsigned executable memory should instead change to using the MAP_JIT flag and the entitlement.

To add the entitlement to your app, first enable the Hardened Runtime capability in Xcode, and then under Runtime Exceptions, select Allow Execution of JIT-compiled Code.

§Availability

  • macOS 10.7+

§Framework

  • Security
§allow_unsigned_executable_memory: Option<bool>

A Boolean value that indicates whether the app may create writable and executable memory without the restrictions imposed by using the MAP_JIT flag.

In rare cases, an app might need to override or patch C code, use the long-deprecated NSCreateObjectFileImageFromMemory (which is fundamentally insecure), or use the DVDPlayback framework. Add the Allow Unsigned Executable Memory Entitlement to enable these use cases. Otherwise, the app might crash or behave in unexpected ways.

§Important

Including this entitlement exposes your app to common vulnerabilities in memory-unsafe code languages. Carefully consider whether your app needs this exception.

To add the entitlement to your app, first enable the Hardened Runtime capability in Xcode, and then under Runtime Exceptions, select Allow Unsigned Executable Memory.

§Availability

  • macOS 10.7+

§Framework

  • Security
§allow_dyld_environment_variables: Option<bool>

A Boolean value that indicates whether the app may be affected by dynamic linker environment variables, which you can use to inject code into your app’s process.

If your app relies on dynamic linker variables to modify its behavior at runtime, add the Allow DYLD Environment Variables Entitlement to your app. This causes the macOS dynamic linker (dyld) to read from environment variables that begin with DLYD_. See the dyld man page for a list of these variables.

Injecting libraries or changing search paths with this feature may still require another entitlement. For example, you also need the Disable Library Validation Entitlement if an injected library isn’t signed with the expected team ID.

To add the entitlement to your app, first enable the Hardened Runtime capability in Xcode, and then under Runtime Exceptions, select Allow DYLD Environment Variables.

§Availability

  • macOS 10.7+

§Framework

  • Security
§disable_library_validation: Option<bool>

A Boolean value that indicates whether the app loads arbitrary plug-ins or frameworks, without requiring code signing.

The Hardened Runtime enables library validation by default. This security-hardening feature prevents a program from loading frameworks, plug-ins, or libraries unless they’re either signed by Apple or signed with the same Team ID as the main executable. The macOS dynamic linker (dyld) provides a detailed error message when the system prevents code from loading due to library validation. Use the Disable Library Validation Entitlement if your program loads plug-ins that are signed by other third-party developers.

To add this entitlement to your app, first enable the Hardened Runtime capability in Xcode, and then under Runtime Exceptions, select Disable Library Validation.

§Important

Because library validation is such an important security-hardening feature, Gatekeeper runs extra security checks on programs that have it disabled. If your program is blocked by Gatekeeper, check whether you’ve unnecessarily disabled library validation.

§Availability

  • macOS 10.7+

§Framework

  • Security
§disable_executable_memory_protection: Option<bool>

A Boolean value that indicates whether to disable all code signing protections while launching an app, and during its execution.

The system causes an app that attempts to directly modify sections of its own executable files on disk to forcefully exit. Use the Disable Executable Memory Protection Entitlement to enable this kind of unsafe software update. Even with this entitlement, however, updates that modify some files but not others may cause unexpected app state. Ensure that you perform updates atomically, with the final app bundle swapped out after app exit.

The entitlement effectively encompasses the behavior provided by the Allow Unsigned Executable Memory Entitlement, but not the Disable Library Validation Entitlement.

§Warning

The Disable Executable Memory Protection Entitlement is an extreme entitlement that removes a fundamental security protection from your app, making it possible for an attacker to rewrite your app’s executable code without detection. Prefer narrower entitlements if possible.

To add this entitlement to your app, first enable the Hardened Runtime capability in Xcode, and then under Runtime Exceptions, select Disable Executable Memory Protection.

§Availability

  • macOS 10.7+

§Framework

  • Security
§debugging_tool: Option<bool>

A Boolean value that indicates whether the app is a debugger and may attach to other processes or get task ports.

Apps with the Debugging Tool Entitlement can call task_for_pid() to retrieve a valid task port for unsigned and third-party apps with the Get Task Allow entitlement set to true. However, even with the debugging tool entitlement, a debugger can’t get the task ports of processes that don’t have the Get Task Allow entitlement, and that are therefore protected by System Integrity Protection. See the man page for taskgated(8) for more information about getting task ports.

Xcode automatically adds the Get Task Allow entitlement to apps that you build for debugging, while removing the entitlement before App Store submission. This enables Xcode itself to attach to and debug your app during development.

When a non-root user runs an app with the debugging tool entitlement, the system presents an authorization dialog asking for a system administrator’s credentials. If authorization succeeds, the debugger receives a 10-hour session before authorization expires.

To add this entitlement to your app, first enable the Hardened Runtime capability in Xcode, and then under Runtime Exceptions, select Debugging Tool.

§Availability

  • macOS 10.7+

§Framework

  • Security
§audioinput: Option<bool>

A Boolean value that indicates whether the app may record audio using the built-in microphone and access audio input using Core Audio.

To add this entitlement to your app, first enable the Hardened Runtime capability in Xcode, and then under Resource Access, select Audio Input.

§Availability

  • macOS 10.7+

§Framework

  • Security
§camera: Option<bool>

A Boolean value that indicates whether the app may capture movies and still images using the built-in camera.

To add this entitlement to your app, first enable the App Sandbox or Hardened Runtime capability in Xcode, and then select Camera.

§Availability

  • macOS 10.7+

§Framework

  • Security
§location: Option<bool>

A Boolean value that indicates whether the app may access location information from Location Services.

To add this entitlement to your app, first enable the App Sandbox or Hardened Runtime capability in Xcode, and then select Location.

§Availability

  • macOS 10.7+

§Framework

  • Security
§address_book: Option<bool>

A Boolean value that indicates whether the app may have read-write access to contacts in the user’s address book.

To add this entitlement to your app, enable the App Sandbox capability in Xcode and then select Contacts, or enable the Hardened Runtime capability and then select Address Book.

§Availability

  • macOS 10.7+

§Framework

  • Security
§calendars: Option<bool>

A Boolean value that indicates whether the app may have read-write access to the user’s calendar.

To add this entitlement to your app, first enable the App Sandbox or Hardened Runtime capability in Xcode, and then select Calendar.

§Availability

  • macOS 10.7+

§Framework

  • Security
§photos_library: Option<bool>

A Boolean value that indicates whether the app has read-write access to the user’s Photos library.

To add this entitlement to your app, first enable the Hardened Runtime capability in Xcode. Then, under Resource Access, select Photos Library.

§Availability

  • macOS 10.7+

§Framework

  • Security
§apple_events: Option<bool>

A Boolean value that indicates whether the app may prompt the user for permission to send Apple events to other apps.

Your app doesn’t need the Apple Events Entitlement if it only sends Apple events to itself or to other processes signed with the same team ID.

To add this entitlement to your app, first enable the Hardened Runtime capability in Xcode, and then under Resource Access, select Apple Events.

§Availability

  • macOS 10.7+

§Framework

  • Security

Trait Implementations§

Source§

impl Clone for HardenedRuntime

Source§

fn clone(&self) -> HardenedRuntime

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for HardenedRuntime

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Default for HardenedRuntime

Source§

fn default() -> HardenedRuntime

Returns the “default value” for a type. Read more
Source§

impl<'de> Deserialize<'de> for HardenedRuntime

Source§

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer. Read more
Source§

impl PartialEq for HardenedRuntime

Source§

fn eq(&self, other: &HardenedRuntime) -> bool

Tests for self and other values to be equal, and is used by ==.
1.0.0 · Source§

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
Source§

impl Serialize for HardenedRuntime

Source§

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>
where __S: Serializer,

Serialize this value into the given Serde serializer. Read more
Source§

impl Eq for HardenedRuntime

Source§

impl StructuralPartialEq for HardenedRuntime

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<Q, K> Equivalent<K> for Q
where Q: Eq + ?Sized, K: Borrow<Q> + ?Sized,

Source§

fn equivalent(&self, key: &K) -> bool

Checks if this value is equivalent to the given key. Read more
Source§

impl<Q, K> Equivalent<K> for Q
where Q: Eq + ?Sized, K: Borrow<Q> + ?Sized,

Source§

fn equivalent(&self, key: &K) -> bool

Compare self to key and return true if they are equal.
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<T> DeserializeOwned for T
where T: for<'de> Deserialize<'de>,