Security

Struct Security 

pub struct Security {
    pub app_sandbox: Option<AppSandbox>,
    pub hardened_runtime: Option<HardenedRuntime>,
    pub app_groups: Option<Vec<String>>,
    pub keychain_access_groups: Option<Vec<String>>,
    pub data_protection: Option<DataProtection>,
    pub devicecheck_appattest: Option<DeviceCheckAppAttest>,
    pub security_smartcard: Option<bool>,
}

Security

Fields§

§app_sandbox: Option<AppSandbox>

Restrict access to system resources and user data in macOS apps to contain damage if an app becomes compromised.

App Sandbox provides protection to system resources and user data by limiting your app’s access to resources requested through entitlements.

§Important

To distribute a macOS app through the Mac App Store, you must enable the App Sandbox capability.

§Framework

  • Security

§hardened_runtime: Option<HardenedRuntime>

Manage security protections and resource access for your macOS apps.

The Hardened Runtime, along with System Integrity Protection (SIP), protects the runtime integrity of your software by preventing certain classes of exploits, like code injection, dynamically linked library (DLL) hijacking, and process memory space tampering. To enable the Hardened Runtime for your app, navigate in Xcode to your target’s Signing & Capabilities information and click the + button. In the window that appears, choose Hardened Runtime.

The Hardened Runtime doesn’t affect the operation of most apps, but it does disallow certain less common capabilities, like just-in-time (JIT) compilation. If your app relies on a capability that the Hardened Runtime restricts, add an entitlement to disable an individual protection. You add an entitlement by enabling one of the runtime exceptions or access permissions listed in Xcode. Make sure to use only the entitlements that are absolutely necessary for your app’s functionality.

You add entitlements only to executables. Shared libraries, frameworks, and in-process plug-ins inherit the entitlements of their host executable.

§Important

To upload a macOS app to be notarized, you must enable the Hardened Runtime capability. For more information about notarization, see Notarizing macOS Software Before Distribution.

§Framework

  • Security

§app_groups: Option<Vec<String>>

A list of identifiers specifying the groups your app belongs to.

App groups allow multiple apps produced by a single development team to access shared containers and communicate using interprocess communication (IPC). Apps may belong to one or more app groups.

For iOS, format the identifier as follows:

group.<group name>

For macOS:

<team identifier>.<group name>

Apps within an app group share access to a group container. For more information about container creation, location, and deletion, see containerURL(forSecurityApplicationGroupIdentifier:).

Apps within a group can communicate with other members in the group using IPC mechanisms including Mach IPC, POSIX semaphores and shared memory, and UNIX domain sockets. In macOS, use app groups to enable IPC communication between two sandboxed apps, or between a sandboxed app and a non-sandboxed app.

App groups also act as keychain access groups. For more information about the relationship between app groups and keychain access groups, see Sharing Access to Keychain Items Among a Collection of Apps.

To add this entitlement to your app, enable the App Groups capability in Xcode, and add the groups your app belongs to.

§Availability

  • iOS 3.0+
  • macOS 10.7+
  • tvOS 9.0+
  • watchOS 2.0+

§Framework

  • Foundation

§keychain_access_groups: Option<Vec<String>>

The identifiers for the keychain groups that the app may share items with.

To add this entitlement to your app, enable the Keychain Sharing capability in Xcode.

§Availability

  • iOS 3.0+
  • macOS 10.7+
  • tvOS 9.0+
  • watchOS 2.0+

§Framework

  • Security

§data_protection: Option<DataProtection>

The level of data protection for sensitive user data when an app accesses it on a device.

To add this entitlement to your app, enable the Data Protection capability in Xcode.

§Availability

  • iOS 3.0+
  • tvOS 9.0+
  • watchOS 2.0+

§Framework

  • Foundation

§devicecheck_appattest: Option<DeviceCheckAppAttest>

The environment for an app that uses the App Attest service to validate itself.

To add this entitlement to your app, add the key to your app’s entitlements file manually, choose the String type, and set the associated value to either development or production. If you omit the entitlement during development, your app uses the App Attest sandbox servers by default. You can test your app during development against the App Attest production servers by setting the entitlement to production.

After distributing your app through TestFlight, the App Store, or the Apple Developer Enterprise Program, your app ignores the entitlement you set and uses the production environment.

§Availability

  • iOS 14.0+

§Framework

  • DeviceCheck

§security_smartcard: Option<bool>

A Boolean that indicates whether your app has access to smart card slots and smart cards.

Add this entitlement to your app with a value of true if you want to use the TKSmartCardSlotManager class. For an app without the entitlement, the slot manager’s default value is nil. The system also requires this entitlement for sandboxed applications that access smart cards using legacy PCSC framework APIs.

§Availability

  • macOS 10.10+

§Framework

  • CryptoTokenKit
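
A pre-build lint for the app group identifier formats and the two App Attest environment values described above, as an added example that is not part of this crate. `Platform`, `check_app_group`, `check_app_attest_env` and `lint` are hypothetical names, and the 10-character team identifier shape is an assumption not stated on this page.

```rust
// Added example; `Platform` and the function names are hypothetical, not the crate's API.
#[derive(Clone, Copy)]
pub enum Platform { Ios, Macos }

// Assumption (not stated on the page): a team identifier is 10 uppercase alphanumerics.
fn is_team_id(s: &str) -> bool {
    s.len() == 10 && s.chars().all(|c| c.is_ascii_uppercase() || c.is_ascii_digit())
}

/// iOS: `group.<group name>`; macOS: `<team identifier>.<group name>`.
pub fn check_app_group(platform: Platform, id: &str) -> Result<(), String> {
    let (prefix, name) =
        id.split_once('.').ok_or_else(|| format!("{id}: missing '.' separator"))?;
    if name.is_empty() {
        return Err(format!("{id}: empty group name"));
    }
    match platform {
        Platform::Ios if prefix != "group" => {
            Err(format!("{id}: iOS app groups must start with 'group.'"))
        }
        Platform::Macos if !is_team_id(prefix) => {
            Err(format!("{id}: macOS app groups must start with '<team identifier>.'"))
        }
        _ => Ok(()),
    }
}

/// The App Attest environment value is either `development` or `production`.
pub fn check_app_attest_env(value: &str) -> Result<(), String> {
    match value {
        "development" | "production" => Ok(()),
        other => Err(format!("App Attest environment '{other}' is not valid")),
    }
}

/// Lint a configuration; returns every problem found (empty means clean).
pub fn lint(platform: Platform, groups: &[&str], app_attest: Option<&str>) -> Vec<String> {
    let mut findings: Vec<String> =
        groups.iter().filter_map(|g| check_app_group(platform, g).err()).collect();
    if let Some(env) = app_attest {
        findings.extend(check_app_attest_env(env).err());
    }
    findings
}

fn main() {
    // Constructed sample input.
    let groups = ["group.com.example.shared", "A1B2C3D4E5.com.example.shared", "shared"];
    for f in lint(Platform::Ios, &groups, Some("prod")) { println!("finding: {f}"); }
}
```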

Trait Implementations§

impl Clone for Security

fn clone(&self) -> Security

Returns a duplicate of the value.

1.0.0

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Security

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for Security

fn default() -> Security

Returns the “default value” for a type.

impl<'de> Deserialize<'de> for Security

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl PartialEq for Security

fn eq(&self, other: &Security) -> bool

Tests for self and other values to be equal, and is used by ==.

1.0.0

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for Security

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>
where __S: Serializer,

Serialize this value into the given Serde serializer.

impl Eq for Security

impl StructuralPartialEq for Security

Auto Trait Implementations§

Blanket Implementations§

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> CloneToUninit for T
where T: Clone,

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest.

impl<Q, K> Equivalent<K> for Q
where Q: Eq + ?Sized, K: Borrow<Q> + ?Sized,

fn equivalent(&self, key: &K) -> bool

Checks if this value is equivalent to the given key.

impl<Q, K> Equivalent<K> for Q
where Q: Eq + ?Sized, K: Borrow<Q> + ?Sized,

fn equivalent(&self, key: &K) -> bool

Compare self to key and return true if they are equal.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning.

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<T> DeserializeOwned for T
where T: for<'de> Deserialize<'de>,