apple_bundle/entitlements/security.rs
1use serde::{Deserialize, Serialize};
2
3/// Security
4#[derive(Serialize, Deserialize, Clone, Default, Debug, PartialEq, Eq)]
5pub struct Security {
6 /// Restrict access to system resources and user data in macOS apps to contain damage
7 /// if an app becomes compromised.
8 ///
9 /// App Sandbox provides protection to system resources and user data by limiting your
10 /// app’s access to resources requested through entitlements.
11 ///
12 /// ### Important
13 /// To distribute a macOS app through the Mac App Store, you must enable the App
14 /// Sandbox capability.
15 ///
16 /// ## Framework
17 /// * Security
18 #[serde(
19 rename = "AppSandbox",
20 serialize_with = "crate::serialize_option",
21 skip_serializing_if = "Option::is_none"
22 )]
23 pub app_sandbox: Option<AppSandbox>,
24 /// Manage security protections and resource access for your macOS apps.
25 ///
26 /// The Hardened Runtime, along with System Integrity Protection (SIP), protects the
27 /// runtime integrity of your software by preventing certain classes of exploits, like
28 /// code injection, dynamically linked library (DLL) hijacking, and process memory
29 /// space tampering. To enable the Hardened Runtime for your app, navigate in
30 /// Xcode to your target’s Signing & Capabilities information and click the + button.
31 /// In the window that appears, choose Hardened Runtime.
32 ///
33 /// The Hardened Runtime doesn’t affect the operation of most apps, but it does
34 /// disallow certain less common capabilities, like just-in-time (JIT) compilation.
35 /// If your app relies on a capability that the Hardened Runtime restricts, add an
36 /// entitlement to disable an individual protection. You add an entitlement by
37 /// enabling one of the runtime exceptions or access permissions listed in Xcode.
38 /// Make sure to use only the entitlements that are absolutely necessary for your
39 /// app’s functionality.
40 ///
41 /// You add entitlements only to executables.
42 /// Shared libraries, frameworks, and in-process plug-ins inherit the entitlements of
43 /// their host executable.
44 ///
45 /// ### Important
46 /// To upload a macOS app to be notarized, you must enable the Hardened Runtime
47 /// capability. For more information about notarization, see Notarizing macOS
48 /// Software Before Distribution.
49 ///
50 /// ## Framework
51 /// * Security
52 #[serde(
53 rename = "HardenedRuntime",
54 serialize_with = "crate::serialize_option",
55 skip_serializing_if = "Option::is_none"
56 )]
57 pub hardened_runtime: Option<HardenedRuntime>,
58 /// A list of identifiers specifying the groups your app belongs to.
59 ///
60 /// App groups allow multiple apps produced by a single development team to access
61 /// shared containers and communicate using interprocess communication (IPC). Apps
62 /// may belong to one or more app groups.
63 ///
64 /// For iOS, format the identifier as follows:
65 /// ```swift
66 /// group.<group name>
67 /// ```
68 ///
69 /// For macOS:
70 /// ```swift
71 /// <team identifier>.<group name>
72 /// ```
73 ///
74 /// Apps within an app group share access to a group container. For more information
75 /// about container creation, location, and deletion, see
76 /// containerURL(forSecurityApplicationGroupIdentifier:).
77 ///
78 /// Apps within a group can communicate with other members in the group using IPC
79 /// mechanisms including Mach IPC, POSIX semaphores and shared memory, and UNIX domain
80 /// sockets. In macOS, use app groups to enable IPC communication between two
81 /// sandboxed apps, or between a sandboxed app and a non-sandboxed app.
82 ///
83 /// App groups also act as keychain access groups.
84 /// For more information about the relationship between app groups and keychain access
85 /// groups, see Sharing Access to Keychain Items Among a Collection of Apps.
86 ///
87 /// To add this entitlement to your app, enable the App Groups capability in Xcode,
88 /// and add the groups your app belongs to.
89 ///
90 /// ## Availability
91 /// * iOS 3.0+
92 /// * macOS 10.7+
93 /// * tvOS 9.0+
94 /// * watchOS 2.0+
95 ///
96 /// ## Framework
97 /// * Foundation
98 #[serde(
99 rename = "com.apple.security.application-groups",
100 serialize_with = "crate::serialize_option",
101 skip_serializing_if = "Option::is_none"
102 )]
103 pub app_groups: Option<Vec<String>>,
104 /// The identifiers for the keychain groups that the app may share items with.
105 ///
106 /// To add this entitlement to your app, enable the Keychain Sharing capability in
107 /// Xcode.
108 ///
109 /// ## Availability
110 /// * iOS 3.0+
111 /// * macOS 10.7+
112 /// * tvOS 9.0+
113 /// * watchOS 2.0+
114 ///
115 /// ## Framework
116 /// * Security
117 #[serde(
118 rename = "keychain-access-groups",
119 serialize_with = "crate::serialize_option",
120 skip_serializing_if = "Option::is_none"
121 )]
122 pub keychain_access_groups: Option<Vec<String>>,
123 /// The level of data protection for sensitive user data when an app accesses it on a
124 /// device.
125 ///
126 /// To add this entitlement to your app, enable the Data Protection capability in
127 /// Xcode.
128 ///
129 /// ## Availability
130 /// * iOS 3.0+
131 /// * tvOS 9.0+
132 /// * watchOS 2.0+
133 ///
134 /// ## Framework
135 /// * Foundation
136 #[serde(
137 rename = "com.apple.developer.default-data-protection",
138 skip_serializing_if = "Option::is_none",
139 serialize_with = "crate::serialize_enum_option"
140 )]
141 pub data_protection: Option<DataProtection>,
142 /// The environment for an app that uses the App Attest service to validate itself
143 ///
144 /// To add this entitlement to your app, add the key to your app’s entitlements file
145 /// manually, choose the String type, and set the associated value to either
146 /// development or production. If you omit the entitlement during development,
147 /// your app uses the App Attest sandbox servers by default. You can test your app
148 /// during development against the App Attest production servers by setting the
149 /// entitlement to production.
150 ///
151 /// After distributing your app through TestFlight, the App Store, or the Apple
152 /// Developer Enterprise Program, your app ignores the entitlement you set and uses
153 /// the production environment.
154 ///
155 /// ## Availability
156 /// * iOS 14.0+
157 ///
158 /// ## Framework
159 /// * DeviceCheck
160 #[serde(
161 rename = "com.apple.developer.devicecheck.appattest-environment",
162 skip_serializing_if = "Option::is_none",
163 serialize_with = "crate::serialize_enum_option"
164 )]
165 pub devicecheck_appattest: Option<DeviceCheckAppAttest>,
166 /// A Boolean that indicates whether your app has access to smart card slots and smart
167 /// cards.
168 ///
169 /// Add this entitlement to your app with a value of true if you want to use the
170 /// TKSmartCardSlotManager class. For an app without the entitlement, the slot
171 /// manager’s default value is nil. The system also requires this entitlement for
172 /// sandboxed applications that access smart cards using legacy PCSC framework APIs.
173 ///
174 /// ## Availability
175 /// * macOS 10.10+
176 ///
177 /// ## Framework
178 /// * CryptoTokenKit
179 #[serde(
180 rename = "com.apple.security.smartcard",
181 serialize_with = "crate::serialize_option",
182 skip_serializing_if = "Option::is_none"
183 )]
184 pub security_smartcard: Option<bool>,
185}
186
187/// App Sandbox
188#[derive(Serialize, Deserialize, Clone, Default, Debug, PartialEq, Eq)]
189pub struct AppSandbox {
190 /// A Boolean value that indicates whether the app may use access control technology
191 /// to contain damage to the system and user data if an app is compromised.
192 ///
193 /// To add this entitlement to your app, enable the App Sandbox capability in Xcode.
194 ///
195 /// ## Availability
196 /// * macOS 10.7+
197 ///
198 /// ## Framework
199 /// * Security
200 #[serde(
201 rename = "com.apple.security.app-sandbox",
202 serialize_with = "crate::serialize_option",
203 skip_serializing_if = "Option::is_none"
204 )]
205 pub app_sandbox: Option<bool>,
206 /// A Boolean value indicating whether your app may listen for incoming network
207 /// connections.
208 ///
209 /// Use this key to allow other computers to initiate network connections to your
210 /// sandboxed app.
211 ///
212 /// ### Note
213 /// For TCP sockets, the com.apple.security.network.server and
214 /// com.apple.security.network.client entitlements restrict only the initiation of a
215 /// network connection, not the flow of data. Outgoing and incoming connections
216 /// can both send and receive data.
217 ///
218 /// For UDP sockets, the network entitlements restrict both initiation and data flow.
219 /// For example, an app with only the server entitlement enabled can receive, but not
220 /// send, data. Apps using UDP usually require both entitlements.
221 ///
222 /// To add this entitlement to your app, enable the App Sandbox capability in Xcode,
223 /// and under Network, select Incoming Connections (Server).
224 ///
225 /// ## Availability
226 /// * macOS 10.7+
227 ///
228 /// ## Framework
229 /// * Security
230 #[serde(
231 rename = "com.apple.security.network.server",
232 serialize_with = "crate::serialize_option",
233 skip_serializing_if = "Option::is_none"
234 )]
235 pub security_network_server: Option<bool>,
236 /// A Boolean value indicating whether your app may open outgoing network connections.
237 ///
238 /// Use this key to allow your sandboxed app to connect to a server process running on
239 /// another machine, or on the same machine.
240 ///
241 /// ### Note
242 /// For TCP sockets, the com.apple.security.network.client and
243 /// com.apple.security.network.server entitlements restrict only the initiation of a
244 /// network connection, not the flow of data. Outgoing and incoming connections
245 /// can both send and receive data.
246 ///
247 /// For UDP sockets, the network entitlements restrict both initiation and data flow.
248 /// For example, an app with only the client entitlement enabled can send, but not
249 /// receive, data. Apps using UDP usually require both entitlements.
250 ///
251 /// To add this entitlement to your app, enable the App Sandbox capability in Xcode,
252 /// and under Network, select Outgoing Connections (Client).
253 ///
254 /// ## Availability
255 /// * macOS 10.7+
256 ///
257 /// ## Framework
258 /// * Security
259 #[serde(
260 rename = "com.apple.security.network.client",
261 serialize_with = "crate::serialize_option",
262 skip_serializing_if = "Option::is_none"
263 )]
264 pub security_network_client: Option<bool>,
265 /// A Boolean value that indicates whether the app may capture movies and still images
266 /// using the built-in camera.
267 ///
268 /// To add this entitlement to your app, first enable the App Sandbox or Hardened
269 /// Runtime capability in Xcode, and then select Camera.
270 ///
271 /// In macOS 10.14 and later, the user must explicitly grant permission for each app
272 /// to access cameras. See Requesting Authorization for Media Capture on macOS.
273 ///
274 /// ## Availability
275 /// * macOS 10.7+
276 ///
277 /// ## Framework
278 /// * Security
279 #[serde(
280 rename = "com.apple.security.device.camera",
281 serialize_with = "crate::serialize_option",
282 skip_serializing_if = "Option::is_none"
283 )]
284 pub camera: Option<bool>,
285 /// A Boolean value that indicates whether the app may use the microphone.
286 ///
287 /// To add this entitlement to your app, enable the App Sandbox capability in Xcode
288 /// and under Hardware select Audio Input.
289 ///
290 /// ## Availability
291 /// * macOS 10.7+
292 ///
293 /// ## Framework
294 /// * Security
295 #[serde(
296 rename = "com.apple.security.device.microphone",
297 serialize_with = "crate::serialize_option",
298 skip_serializing_if = "Option::is_none"
299 )]
300 pub device_microphone: Option<bool>,
301 /// A Boolean value indicating whether your app may interact with USB devices.
302 ///
303 /// Use this key to allow your sandboxed app to interact with USB devices through USB
304 /// device access APIs.
305 ///
306 /// To add this entitlement to your app, enable the App Sandbox capability in Xcode,
307 /// and under Hardware, select USB.
308 ///
309 /// ## Availability
310 /// * macOS 10.7+
311 ///
312 /// ## Framework
313 /// * Security
314 #[serde(
315 rename = "com.apple.security.device.usb",
316 serialize_with = "crate::serialize_option",
317 skip_serializing_if = "Option::is_none"
318 )]
319 pub device_usb: Option<bool>,
320 /// A Boolean value indicating whether your app may print a document.
321 ///
322 /// To add this entitlement to your app, enable the App Sandbox capability in Xcode,
323 /// and under Hardware, select Printing.
324 ///
325 /// ## Availability
326 /// * macOS 10.7+
327 ///
328 /// ## Framework
329 /// * Security
330 #[serde(
331 rename = "com.apple.security.print",
332 serialize_with = "crate::serialize_option",
333 skip_serializing_if = "Option::is_none"
334 )]
335 pub print: Option<bool>,
336 /// A Boolean value indicating whether your app may interact with Bluetooth devices.
337 ///
338 /// To add this entitlement to your app, enable the App Sandbox capability in Xcode,
339 /// and under Hardware, select Bluetooth.
340 ///
341 /// ## Availability
342 /// * macOS 10.7+
343 ///
344 /// ## Framework
345 /// * Security
346 #[serde(
347 rename = "com.apple.security.device.bluetooth",
348 serialize_with = "crate::serialize_option",
349 skip_serializing_if = "Option::is_none"
350 )]
351 pub bluetooth: Option<bool>,
352 /// A Boolean value that indicates whether the app may have read-write access to
353 /// contacts in the user's address book.
354 ///
355 /// To add this entitlement to your app, enable the App Sandbox capability in Xcode
356 /// and then select Contacts, or enable the Hardened Runtime capability and then
357 /// select Address Book.
358 ///
359 /// ## Availability
360 /// * macOS 10.7+
361 ///
362 /// ## Framework
363 /// * Security
364 #[serde(
365 rename = "com.apple.security.personal-information.addressbook",
366 serialize_with = "crate::serialize_option",
367 skip_serializing_if = "Option::is_none"
368 )]
369 pub address_book: Option<bool>,
370 /// A Boolean value that indicates whether the app may access location information
371 /// from Location Services.
372 ///
373 /// To add this entitlement to your app, first enable the App Sandbox or Hardened
374 /// Runtime capability in Xcode, and then select Location.
375 ///
376 /// ## Availability
377 /// * macOS 10.7+
378 ///
379 /// ## Framework
380 /// * Security
381 #[serde(
382 rename = "com.apple.security.personal-information.location",
383 serialize_with = "crate::serialize_option",
384 skip_serializing_if = "Option::is_none"
385 )]
386 pub location: Option<bool>,
387 /// A Boolean value that indicates whether the app may have read-write access to the
388 /// user's calendar.
389 ///
390 /// To add this entitlement to your app, first enable the App Sandbox or Hardened
391 /// Runtime capability in Xcode, and then select Calendar.
392 ///
393 /// ## Availability
394 /// * macOS 10.7+
395 ///
396 /// ## Framework
397 /// * Security
398 #[serde(
399 rename = "com.apple.security.personal-information.calendars",
400 serialize_with = "crate::serialize_option",
401 skip_serializing_if = "Option::is_none"
402 )]
403 pub calendars: Option<bool>,
404 /// A Boolean value that indicates whether the app may have read-only access to files
405 /// the user has selected using an Open or Save dialog.
406 ///
407 /// To add this entitlement to your app, enable the App Sandbox capability in Xcode
408 /// and set User Selected File to Read Only.
409 ///
410 /// ## Availability
411 /// * macOS 10.7+
412 ///
413 /// ## Framework
414 /// * Security
415 #[serde(
416 rename = "com.apple.security.files.user-selected.read-only",
417 serialize_with = "crate::serialize_option",
418 skip_serializing_if = "Option::is_none"
419 )]
420 pub files_user_selected_read_only: Option<bool>,
421 /// A Boolean value that indicates whether the app may have read-write access to files
422 /// the user has selected using an Open or Save dialog.
423 ///
424 /// To add this entitlement to your app, enable the App Sandbox capability in Xcode
425 /// and set User Selected File to Read/Write.
426 ///
427 /// ## Availability
428 /// * macOS 10.7+
429 ///
430 /// ## Framework
431 /// * Security
432 #[serde(
433 rename = "com.apple.security.files.user-selected.read-write",
434 serialize_with = "crate::serialize_option",
435 skip_serializing_if = "Option::is_none"
436 )]
437 pub files_user_selected_read_write: Option<bool>,
438 /// A Boolean value that indicates whether the app may have read-only access to the
439 /// Downloads folder.
440 ///
441 /// To add this entitlement to your app, enable the App Sandbox capability in Xcode
442 /// and set Downloads Folder to Read Only.
443 ///
444 /// ## Availability
445 /// * macOS 10.7+
446 ///
447 /// ## Framework
448 /// * Security
449 #[serde(
450 rename = "com.apple.security.files.downloads.read-only",
451 serialize_with = "crate::serialize_option",
452 skip_serializing_if = "Option::is_none"
453 )]
454 pub files_downloads_read_only: Option<bool>,
455 /// A Boolean value that indicates whether the app may have read-write access to the
456 /// Downloads folder.
457 ///
458 /// To add this entitlement to your app, enable the App Sandbox capability in Xcode
459 /// and set Downloads Folder to Read/Write.
460 ///
461 /// ## Availability
462 /// * macOS 10.7+
463 ///
464 /// ## Framework
465 /// * Security
466 #[serde(
467 rename = "com.apple.security.files.downloads.read-write",
468 serialize_with = "crate::serialize_option",
469 skip_serializing_if = "Option::is_none"
470 )]
471 pub files_downloads_read_write: Option<bool>,
472 /// A Boolean value that indicates whether the app may have read-only access to the
473 /// Pictures folder.
474 ///
475 /// To add this entitlement to your app, enable the App Sandbox capability in Xcode
476 /// and set Pictures Folder to Read Only.
477 ///
478 /// ## Availability
479 /// * macOS 10.7+
480 ///
481 /// ## Framework
482 /// * Security
483 #[serde(
484 rename = "com.apple.security.assets.pictures.read-only",
485 serialize_with = "crate::serialize_option",
486 skip_serializing_if = "Option::is_none"
487 )]
488 pub assets_pictures_read_only: Option<bool>,
489 /// A Boolean value that indicates whether the app may have read-write access to the
490 /// Pictures folder.
491 ///
492 /// To add this entitlement to your app, enable the App Sandbox capability in Xcode
493 /// and set Pictures Folder to Read/Write.
494 ///
495 /// ## Availability
496 /// * macOS 10.7+
497 ///
498 /// ## Framework
499 /// * Security
500 #[serde(
501 rename = "com.apple.security.assets.pictures.read-write",
502 serialize_with = "crate::serialize_option",
503 skip_serializing_if = "Option::is_none"
504 )]
505 pub assets_pictures_read_write: Option<bool>,
506 /// A Boolean value that indicates whether the app may have read-only access to the
507 /// Music folder.
508 ///
509 /// To add this entitlement to your app, enable the App Sandbox capability in Xcode
510 /// and set Music Folder to Read Only.
511 ///
512 /// ## Availability
513 /// * macOS 10.7+
514 ///
515 /// ## Framework
516 /// * Security
517 #[serde(
518 rename = "com.apple.security.assets.music.read-only",
519 serialize_with = "crate::serialize_option",
520 skip_serializing_if = "Option::is_none"
521 )]
522 pub assets_music_read_only: Option<bool>,
523 /// A Boolean value that indicates whether the app may have read-write access to the
524 /// Music folder.
525 ///
526 /// To add this entitlement to your app, enable the App Sandbox capability in Xcode
527 /// and set Music Folder to Read/Write.
528 ///
529 /// ## Availability
530 /// * macOS 10.7+
531 ///
532 /// ## Framework
533 /// * Security
534 #[serde(
535 rename = "com.apple.security.assets.music.read-write",
536 serialize_with = "crate::serialize_option",
537 skip_serializing_if = "Option::is_none"
538 )]
539 pub assets_music_read_write: Option<bool>,
540 /// A Boolean value that indicates whether the app may have read-only access to the
541 /// Movies folder.
542 ///
543 /// To add this entitlement to your app, enable the App Sandbox capability in Xcode
544 /// and set Movies Folder to Read Only.
545 ///
546 /// ## Availability
547 /// * macOS 10.7+
548 ///
549 /// ## Framework
550 /// * Security
551 #[serde(
552 rename = "com.apple.security.assets.movies.read-only",
553 serialize_with = "crate::serialize_option",
554 skip_serializing_if = "Option::is_none"
555 )]
556 pub assets_movies_read_only: Option<bool>,
557 /// A Boolean value that indicates whether the app may have read-write access to the
558 /// Movies folder.
559 ///
560 /// To add this entitlement to your app, enable the App Sandbox capability in Xcode
561 /// and set Movies Folder to Read/Write.
562 ///
563 /// ## Availability
564 /// * macOS 10.7+
565 ///
566 /// ## Framework
567 /// * Security
568 #[serde(
569 rename = "com.apple.security.assets.movies.read-write",
570 serialize_with = "crate::serialize_option",
571 skip_serializing_if = "Option::is_none"
572 )]
573 pub assets_movies_read_write: Option<bool>,
574 /// A Boolean value that indicates whether the app may have access to all files.
575 ///
576 /// ## Availability
577 /// * macOS 10.7–10.11
578 ///
579 /// ## Framework
580 /// * Security
581 #[deprecated(since = "macOS 10.7-10.11")]
582 #[serde(
583 rename = "com.apple.security.files.all",
584 serialize_with = "crate::serialize_option",
585 skip_serializing_if = "Option::is_none"
586 )]
587 pub all_files: Option<bool>,
588}
589
590/// Hardened Runtime
591#[derive(Serialize, Deserialize, Clone, Default, Debug, PartialEq, Eq)]
592pub struct HardenedRuntime {
593 /// A Boolean value that indicates whether the app may create writable and executable
594 /// memory using the MAP_JIT flag.
595 ///
596 /// You can create memory that’s both writable and executable by passing the MAP_JIT
597 /// flag to the mmap() system function. The Hardened Runtime disallows this by
598 /// default, because it creates a security risk. However, some apps and system
599 /// frameworks rely on this functionality, typically for performance reasons.
600 /// Examples include:
601 ///
602 /// * The fast-path of the JavaScriptCore framework
603 /// * Certain Python frameworks
604 /// * Perl-compatible regular expressions (PCRE)
605 /// * An app that creates a dynamically-compiled, proprietary macro language
606 ///
607 /// Without the Allow Execution of JIT-compiled Code Entitlement, frameworks that rely
608 /// on just-in-time (JIT) compilation may fall back to an interpreter. Other code
609 /// using JIT compilation may crash or behave in unexpected ways.
610 ///
611 /// Digital rights management (DRM) solutions that currently use unsigned executable
612 /// memory should instead change to using the MAP_JIT flag and the entitlement.
613 ///
614 /// To add the entitlement to your app, first enable the Hardened Runtime capability
615 /// in Xcode, and then under Runtime Exceptions, select Allow Execution of
616 /// JIT-compiled Code.
617 ///
618 /// ## Availability
619 /// * macOS 10.7+
620 ///
621 /// ## Framework
622 /// * Security
623 #[serde(
624 rename = "com.apple.security.cs.allow-jit",
625 serialize_with = "crate::serialize_option",
626 skip_serializing_if = "Option::is_none"
627 )]
628 pub allow_execution_of_jit_compiled_code: Option<bool>,
629 /// A Boolean value that indicates whether the app may create writable and executable
630 /// memory without the restrictions imposed by using the MAP_JIT flag.
631 ///
632 /// In rare cases, an app might need to override or patch C code, use the
633 /// long-deprecated NSCreateObjectFileImageFromMemory (which is fundamentally
634 /// insecure), or use the DVDPlayback framework. Add the Allow Unsigned Executable
635 /// Memory Entitlement to enable these use cases. Otherwise, the app might crash or
636 /// behave in unexpected ways.
637 ///
638 /// ### Important
639 /// Including this entitlement exposes your app to common vulnerabilities in
640 /// memory-unsafe code languages. Carefully consider whether your app needs this
641 /// exception.
642 ///
643 /// To add the entitlement to your app, first enable the Hardened Runtime capability
644 /// in Xcode, and then under Runtime Exceptions, select Allow Unsigned Executable
645 /// Memory.
646 ///
647 /// ## Availability
648 /// * macOS 10.7+
649 ///
650 /// ## Framework
651 /// * Security
652 #[serde(
653 rename = "com.apple.security.cs.allow-unsigned-executable-memory",
654 serialize_with = "crate::serialize_option",
655 skip_serializing_if = "Option::is_none"
656 )]
657 pub allow_unsigned_executable_memory: Option<bool>,
658 /// A Boolean value that indicates whether the app may be affected by dynamic linker
659 /// environment variables, which you can use to inject code into your app’s process.
660 ///
661 /// If your app relies on dynamic linker variables to modify its behavior at runtime,
662 /// add the Allow DYLD Environment Variables Entitlement to your app. This causes
663 /// the macOS dynamic linker (dyld) to read from environment variables that begin with
664 /// DLYD_. See the dyld man page for a list of these variables.
665 ///
666 /// Injecting libraries or changing search paths with this feature may still require
667 /// another entitlement. For example, you also need the Disable Library Validation
668 /// Entitlement if an injected library isn’t signed with the expected team ID.
669 ///
670 /// To add the entitlement to your app, first enable the Hardened Runtime capability
671 /// in Xcode, and then under Runtime Exceptions, select Allow DYLD Environment
672 /// Variables.
673 ///
674 /// ## Availability
675 /// * macOS 10.7+
676 ///
677 /// ## Framework
678 /// * Security
679 #[serde(
680 rename = "com.apple.security.cs.allow-dyld-environment-variables",
681 serialize_with = "crate::serialize_option",
682 skip_serializing_if = "Option::is_none"
683 )]
684 pub allow_dyld_environment_variables: Option<bool>,
685 /// A Boolean value that indicates whether the app loads arbitrary plug-ins or
686 /// frameworks, without requiring code signing.
687 ///
688 /// The Hardened Runtime enables library validation by default.
689 /// This security-hardening feature prevents a program from loading frameworks,
690 /// plug-ins, or libraries unless they’re either signed by Apple or signed with the
691 /// same Team ID as the main executable. The macOS dynamic linker (dyld) provides
692 /// a detailed error message when the system prevents code from loading due to library
693 /// validation. Use the Disable Library Validation Entitlement if your program
694 /// loads plug-ins that are signed by other third-party developers.
695 ///
696 /// To add this entitlement to your app, first enable the Hardened Runtime capability
697 /// in Xcode, and then under Runtime Exceptions, select Disable Library Validation.
698 ///
699 /// ### Important
700 /// Because library validation is such an important security-hardening feature,
701 /// Gatekeeper runs extra security checks on programs that have it disabled.
702 /// If your program is blocked by Gatekeeper, check whether you’ve unnecessarily
703 /// disabled library validation.
704 ///
705 /// ## Availability
706 /// * macOS 10.7+
707 ///
708 /// ## Framework
709 /// * Security
710 #[serde(
711 rename = "com.apple.security.cs.disable-library-validation",
712 serialize_with = "crate::serialize_option",
713 skip_serializing_if = "Option::is_none"
714 )]
715 pub disable_library_validation: Option<bool>,
716 /// A Boolean value that indicates whether to disable all code signing protections
717 /// while launching an app, and during its execution.
718 ///
719 /// The system causes an app that attempts to directly modify sections of its own
720 /// executable files on disk to forcefully exit. Use the Disable Executable Memory
721 /// Protection Entitlement to enable this kind of unsafe software update.
722 /// Even with this entitlement, however, updates that modify some files but not others
723 /// may cause unexpected app state. Ensure that you perform updates atomically,
724 /// with the final app bundle swapped out after app exit.
725 ///
726 /// The entitlement effectively encompasses the behavior provided by the Allow
727 /// Unsigned Executable Memory Entitlement, but not the Disable Library Validation
728 /// Entitlement.
729 ///
730 /// ### Warning
731 /// The Disable Executable Memory Protection Entitlement is an extreme entitlement
732 /// that removes a fundamental security protection from your app, making it possible
733 /// for an attacker to rewrite your app’s executable code without detection.
734 /// Prefer narrower entitlements if possible.
735 ///
736 /// To add this entitlement to your app, first enable the Hardened Runtime capability
737 /// in Xcode, and then under Runtime Exceptions, select Disable Executable Memory
738 /// Protection.
739 ///
740 /// ## Availability
741 /// * macOS 10.7+
742 ///
743 /// ## Framework
744 /// * Security
745 #[serde(
746 rename = "com.apple.security.cs.disable-executable-page-protection",
747 serialize_with = "crate::serialize_option",
748 skip_serializing_if = "Option::is_none"
749 )]
750 pub disable_executable_memory_protection: Option<bool>,
751 /// A Boolean value that indicates whether the app is a debugger and may attach to
752 /// other processes or get task ports.
753 ///
754 /// Apps with the Debugging Tool Entitlement can call task_for_pid() to retrieve a
755 /// valid task port for unsigned and third-party apps with the Get Task Allow
756 /// entitlement set to true. However, even with the debugging tool entitlement, a
757 /// debugger can’t get the task ports of processes that don’t have the Get Task Allow
758 /// entitlement, and that are therefore protected by System Integrity Protection.
759 /// See the man page for taskgated(8) for more information about getting task ports.
760 ///
761 /// Xcode automatically adds the Get Task Allow entitlement to apps that you build for
762 /// debugging, while removing the entitlement before App Store submission.
763 /// This enables Xcode itself to attach to and debug your app during development.
764 ///
765 /// When a non-root user runs an app with the debugging tool entitlement, the system
766 /// presents an authorization dialog asking for a system administrator’s credentials.
767 /// If authorization succeeds, the debugger receives a 10-hour session before
768 /// authorization expires.
769 ///
770 /// To add this entitlement to your app, first enable the Hardened Runtime capability
771 /// in Xcode, and then under Runtime Exceptions, select Debugging Tool.
772 ///
773 /// ## Availability
774 /// * macOS 10.7+
775 ///
776 /// ## Framework
777 /// * Security
778 #[serde(
779 rename = "com.apple.security.cs.debugger",
780 serialize_with = "crate::serialize_option",
781 skip_serializing_if = "Option::is_none"
782 )]
783 pub debugging_tool: Option<bool>,
784 /// A Boolean value that indicates whether the app may record audio using the built-in
785 /// microphone and access audio input using Core Audio.
786 ///
787 /// To add this entitlement to your app, first enable the Hardened Runtime capability
788 /// in Xcode, and then under Resource Access, select Audio Input.
789 ///
790 /// ## Availability
791 /// * macOS 10.7+
792 ///
793 /// ## Framework
794 /// * Security
795 #[serde(
796 rename = "com.apple.security.device.audio-input",
797 serialize_with = "crate::serialize_option",
798 skip_serializing_if = "Option::is_none"
799 )]
800 pub audioinput: Option<bool>,
801 /// A Boolean value that indicates whether the app may capture movies and still images
802 /// using the built-in camera.
803 ///
804 /// To add this entitlement to your app, first enable the App Sandbox or Hardened
805 /// Runtime capability in Xcode, and then select Camera.
806 ///
807 /// ## Availability
808 /// * macOS 10.7+
809 ///
810 /// ## Framework
811 /// * Security
812 #[serde(
813 rename = "com.apple.security.device.camera",
814 serialize_with = "crate::serialize_option",
815 skip_serializing_if = "Option::is_none"
816 )]
817 pub camera: Option<bool>,
818 /// A Boolean value that indicates whether the app may access location information
819 /// from Location Services.
820 ///
821 /// To add this entitlement to your app, first enable the App Sandbox or Hardened
822 /// Runtime capability in Xcode, and then select Location.
823 ///
824 /// ## Availability
825 /// * macOS 10.7+
826 ///
827 /// ## Framework
828 /// * Security
829 #[serde(
830 rename = "com.apple.security.personal-information.location",
831 serialize_with = "crate::serialize_option",
832 skip_serializing_if = "Option::is_none"
833 )]
834 pub location: Option<bool>,
835 /// A Boolean value that indicates whether the app may have read-write access to
836 /// contacts in the user's address book.
837 ///
838 /// To add this entitlement to your app, enable the App Sandbox capability in Xcode
839 /// and then select Contacts, or enable the Hardened Runtime capability and then
840 /// select Address Book.
841 ///
842 /// ## Availability
843 /// * macOS 10.7+
844 ///
845 /// ## Framework
846 /// * Security
847 #[serde(
848 rename = "com.apple.security.personal-information.addressbook",
849 serialize_with = "crate::serialize_option",
850 skip_serializing_if = "Option::is_none"
851 )]
852 pub address_book: Option<bool>,
853 /// A Boolean value that indicates whether the app may have read-write access to the
854 /// user's calendar.
855 ///
856 /// To add this entitlement to your app, first enable the App Sandbox or Hardened
857 /// Runtime capability in Xcode, and then select Calendar.
858 ///
859 /// ## Availability
860 /// * macOS 10.7+
861 ///
862 /// ## Framework
863 /// * Security
864 #[serde(
865 rename = "com.apple.security.personal-information.calendars",
866 serialize_with = "crate::serialize_option",
867 skip_serializing_if = "Option::is_none"
868 )]
869 pub calendars: Option<bool>,
870 /// A Boolean value that indicates whether the app has read-write access to the user's
871 /// Photos library.
872 ///
873 /// To add this entitlement to your app, first enable the Hardened Runtime capability
874 /// in Xcode. Then, under Resource Access, select Photos Library.
875 ///
876 /// ## Availability
877 /// * macOS 10.7+
878 ///
879 /// ## Framework
880 /// * Security
881 #[serde(
882 rename = "com.apple.security.personal-information.photos-library",
883 serialize_with = "crate::serialize_option",
884 skip_serializing_if = "Option::is_none"
885 )]
886 pub photos_library: Option<bool>,
887 /// A Boolean value that indicates whether the app may prompt the user for permission
888 /// to send Apple events to other apps.
889 ///
890 /// Your app doesn’t need the Apple Events Entitlement if it only sends Apple events
891 /// to itself or to other processes signed with the same team ID.
892 ///
893 /// To add this entitlement to your app, first enable the Hardened Runtime capability
894 /// in Xcode, and then under Resource Access, select Apple Events.
895 ///
896 /// ## Availability
897 /// * macOS 10.7+
898 ///
899 /// ## Framework
900 /// * Security
901 #[serde(
902 rename = "com.apple.security.automation.apple-events",
903 serialize_with = "crate::serialize_option",
904 skip_serializing_if = "Option::is_none"
905 )]
906 pub apple_events: Option<bool>,
907}
908
909/// Data Protection
910#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, Eq)]
911pub enum DataProtection {
912 #[serde(rename = "NSFileProtectionCompleteUnlessOpen")]
913 FileProtectionCompleteUnlessOpen,
914 #[serde(rename = "NSFileProtectionCompleteUntilFirstUserAuthentication")]
915 FileProtectionCompleteUntilFirstUserAuthentication,
916 #[serde(rename = "NSFileProtectionNone")]
917 NSFileProtectionNone,
918 #[serde(rename = "NSFileProtectionComplete")]
919 NSFileProtectionComplete,
920}
921
922/// Device Check App Attest
923#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, Eq)]
924pub enum DeviceCheckAppAttest {
925 /// The App Attest sandbox environment that you use to test a device without affecting
926 /// its risk metrics. Keys you create in the sandbox environment don’t work in the
927 /// production environment.
928 #[serde(rename = "development")]
929 Development,
930 /// The App Attest production environment. Keys you create in the production
931 /// environment don’t work in the sandbox environment.
932 #[serde(rename = "production")]
933 Production,
934}