Dunfey · Hotel WWDC as data, est. 1983
Front desk everything
Years
Topics

WWDC23 · 17 min · Privacy & Security

Protect your Mac app with environment constraints

Learn how to improve the security of your Mac app by adopting environment constraints. We’ll show you how to set limits on how processes are launched, make sure your Launch Agents and Launch Daemons aren’t tampered with, and prevent unwanted code from running in your address space.

Watch at developer.apple.com ↗

Transcript all transcripts

Chapters

Code shown on screen · 5 snippets

Example constraint xml · at 9:35 ↗ 
// Example constraint

<dict>
    <key>$or-array</key>
    <array>
        <array>
            <string>$and</string>
            <dict>
                <key>team-identifier</key>
                <string>M2657GZ2M9</string>
            </dict>
        </array>
        <array>
            <string>$and</string>
            <dict>
                <key>signing-identifier</key>
                <string>com.smith.libraryB</string>
                <key>team-identifier</key>
                <string>P9Z4AN7VHQ</string>
            </dict>
        </array>
        <array>
            <string>$and</string>
            <dict>
                <key>signing-identifier</key>
                <string>com.friday.libraryC</string>
                <key>team-identifier</key>
                <string>TA1570ZFMZ</string>
            </dict>
        </array>
    </array>
</dict>
Example parent launch constraint xml · at 11:02 ↗ 
<dict>
    <key>team-identifier</key>
    <string>M2657GZ2M9</string>
    <key>signing-identifier</key>
    <string>com.demo.MyDemo</string>
</dict>
Example process launch constraint xml · at 14:06 ↗ 
<dict>
    <key>team-identifier</key>
    <string>M2657GZ2M9</string>
    <key>signing-identifier</key>
    <dict>
        <key>$in</key>
        <array>
            <string>com.demo.MyDemo</string>
            <string>com.demo.DemoMenuBar</string>
            <string>demohelper</string>
        </array>
    </dict>
</dict>
Example launchd plist constraint xml · at 14:52 ↗ 
// Example launchd plist constraint

<dict>
    <key>Label</key>
    <string>com.demo.DemoMenuBar.agent</string>
    <key>BundleProgram</key>
    <string>Contents/Library/LaunchAgents/DemoMenuBar.app/Contents/MacOS/DemoMenuBar</string>
    <key>KeepAlive</key>
    <dict>
        <key>SuccessfulExit</key>
        <true/>
    </dict>
    <key>RunAtLoad</key>
    <true/>
    <key>SpawnConstraint</key>
    <dict>
        <key>team-identifier</key>
        <string>M2657GZ2M9</string>
        <key>signing-identifier</key>
        <string>com.demo.DemoMenuBar</string>
    </dict>
</dict>
Example library load constraint xml · at 15:29 ↗ 
// Example library load constraint

<dict>
    <key>team-identifier</key>
    <dict>
        <key>$in</key>
        <array>
            <string>M2657GZ2M9</string>
            <string>P9Z4AN7VHQ</string>
        </array>
    </dict>
</dict>

Resources