Collection of scripts for determining which Entitlements macOS (Mach-O) binaries have.
Inspired by:
For lists and descriptions of entitlements, see:
- Apple Developer Documentation
- Notarization: the hardened runtime by Howard Oakley
- The ‘hardened runtime’ explained by Howard Oakley
- Hardened Runtime by Apple
- Your Apps and the Future of macOS Security (WWDC2018 Session 702) (22:00 mark) by Apple
- Formerly `com.apple.security.cs.disable-library-validation`
- Can load arbitrary unsigned plugins/frameworks
- About com.apple.private.security.clear-library-validation by Csaba Fitzl
- Allow DYLD Environment Variables Entitlement
- Allows injecting dynamic libraries (dylibs) via the `DYLD_INSERT_LIBRARIES` environment variable
  - DYLD_INSERT_LIBRARIES DYLIB injection in macOS / OSX by Csaba Fitzl
- Allows other processes to attach via a debugger
- Allow Unsigned Executable Memory Entitlement
- Allows overriding or patching C code
- Via `NSCreateObjectFileImageFromMemory` (which is fundamentally insecure)
- Or use the DVDPlayback framework
- Via `com.apple.security.files.downloads.read-only`
- May have access to files the user has selected in an open or save dialog
- May have access to files the user has selected in an open or save dialog
- May have TCC access to some protected portions of the OS
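As an added example (not one of this repository's scripts), the following Python audit parses a `codesign` entitlements dump and flags the entitlements listed above that relax the hardened runtime, permit debugger attachment, or widen file access. The `codesign -d --entitlements - --xml` invocation is assumed to be the macOS 12+ syntax, the 8-byte blob header handling is for older `codesign` builds, and the sample dump is constructed, not taken from a real binary; the entitlement identifiers themselves are Apple's documented ones.

```python
"""Audit a macOS binary's entitlements for hardened-runtime weakeners.

Added example, not one of the repository's scripts. Parsing and flagging run
offline on any platform; only `audit_binary` needs macOS and codesign.
"""
import plistlib
import subprocess
from typing import Dict, List

# Apple's documented entitlement identifiers that relax the hardened runtime,
# allow debugger attachment, or widen file access. Descriptions paraphrase
# Apple's developer documentation.
WATCHLIST: Dict[str, str] = {
    "com.apple.security.cs.disable-library-validation":
        "may load plugins/frameworks that are unsigned or signed by another team",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "honours DYLD_* variables such as DYLD_INSERT_LIBRARIES",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "may map unsigned executable memory",
    "com.apple.security.cs.allow-jit":
        "may create writable and executable JIT memory",
    "com.apple.security.cs.disable-executable-page-protection":
        "may overwrite its own executable pages",
    "com.apple.security.cs.debugger":
        "may attach to other processes as a debugger",
    "com.apple.security.get-task-allow":
        "other processes may attach to it with a debugger",
    "com.apple.security.files.downloads.read-only":
        "may read the user's Downloads folder",
    "com.apple.security.files.user-selected.read-write":
        "may read and write files the user picked in an open/save dialog",
}


def extract_plist(blob: bytes) -> bytes:
    """Return the XML plist inside a codesign dump.

    Older codesign builds prefix the XML with an 8-byte blob header
    (magic + length); locate the XML declaration and drop anything before it.
    """
    start = blob.find(b"<?xml")
    return blob[start:] if start >= 0 else blob


def parse_entitlements(blob: bytes) -> Dict[str, object]:
    """Parse a codesign entitlements dump; an empty dump means no entitlements."""
    data = extract_plist(blob)
    if not data.strip():
        return {}
    parsed = plistlib.loads(data)
    return parsed if isinstance(parsed, dict) else {}


def flag_entitlements(entitlements: Dict[str, object]) -> List[str]:
    """Return watch-listed keys that are present and not explicitly <false/>."""
    return sorted(
        key for key, value in entitlements.items()
        if key in WATCHLIST and value is not False
    )


def audit_blob(blob: bytes) -> List[str]:
    """Parse a dump and flag its entitlements in one step."""
    return flag_entitlements(parse_entitlements(blob))


def audit_binary(path: str) -> List[str]:
    """Dump a real binary's entitlements with codesign (macOS only) and flag them.

    Assumes macOS 12+ codesign; on older releases use `--entitlements :-`
    and drop `--xml`.
    """
    result = subprocess.run(
        ["codesign", "-d", "--entitlements", "-", "--xml", path],
        capture_output=True, check=True,
    )
    return audit_blob(result.stdout)


# Constructed sample dump: a fake 8-byte blob header followed by an XML plist.
# Not taken from any real binary; the application identifier is a placeholder.
SAMPLE_DUMP = b"\xfa\xde\x71\x71\x00\x00\x01\x2c" + b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>TEAMID.com.example.app</string>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <false/>
    <key>com.apple.security.files.downloads.read-only</key>
    <true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    import sys
    # With a path argument, audit that binary; otherwise audit the sample dump.
    flags = audit_binary(sys.argv[1]) if len(sys.argv) > 1 else audit_blob(SAMPLE_DUMP)
    for key in flags:
        print(f"{key}: {WATCHLIST[key]}")
```

Run with a binary path on macOS (`python3 audit.py /Applications/Example.app/Contents/MacOS/Example`) to audit a real target; without arguments it audits the constructed sample and reports the three watch-listed entitlements that are set to true, skipping `get-task-allow` because it is explicitly false. A binary with no entitlements produces an empty dump, which the parser treats as an empty dictionary rather than an error.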