---
title: Defining launch environment and library constraints
framework: security
role: article
role_heading: Article
path: security/defining-launch-environment-and-library-constraints
---

# Defining launch environment and library constraints

Restrict your app’s components to their expected contexts.

## Overview

You define launch environment and library constraints in constraint dictionaries that you either save in `launchd` property list files, or in separate property list files that you use in code signing. The constraint dictionaries you create contain facts and operations. Facts are assertions that properties of the executable the operating system is launching, or the library your process is loading, match conditions you specify. Operations allow for rich combinations of facts. The top level of a constraint dictionary is implicitly an `$and` operation that includes all of the facts and operations in the dictionary.

When one process tries to launch another process — by calling `execve(_:_:_:)` or `posix_spawn(_:_:_:_:_:_:)` — the operating system checks that the executable file satisfies its own self constraint. It also checks that the parent process’s executable satisfies the executable’s parent constraint, and that the responsible process’s executable satisfies the executable’s responsible process constraint. If any of these launch constraints aren’t satisfied, the operating system doesn’t run the program.

Your process can load a dynamic library if all of the facts and operations at the top level of the library constraint dictionary are true for the file that contains the library. If any part of the library constraint isn’t true, your process doesn’t load the library.

`launchd` tests constraints that you specify in `launchd` property list files when it needs to start your launch daemon or agent. If the executable specified in the `launchd` property list doesn’t satisfy the constraint in the property list, then `launchd` doesn’t start the process.

### Constrain the executable’s launch environment

Construct the launch constraint by adding keys and values that represent constraint facts, and operators that combine facts using logical operations. Use facts from the list below in your launch constraint.
A single executable file can contain multiple code directory hashes, for different CPU architectures and hash algorithms. Identify an executable’s code directory hash using a collection of valid hashes and the `$in` operation.

Team identifiers are present in executables signed by code signing identities for development, TestFlight, App Store, or Developer ID.

Use values from the table below with the `validation-category` fact.

This example of a launch constraint uses a `team-identifier` fact to require that an executable’s signed with the Team ID 8XCUU22SN2.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>team-identifier</key>
  <string>8XCUU22SN2</string>
</dict>
</plist>
```

### Build complex checks with operators

Constraint dictionaries can include any of the following operators, to build complex checks. An operator can take the place of a value in a fact, in which case each of the values in the operator expression applies to the fact that contains the operator. An operator can also take the place of the fact key itself, in which case the values of the operator expression are themselves key-value pairs that name facts. As dictionaries only contain one instance of any particular key, use operators to compose multiple tests that use the same fact.

The launch constraint in the example below uses the `$or` operator to require that an executable’s either signed with the Team ID 8XCUU22SN2, or is an operating system executable.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>$or</key>
  <dict>
    <key>team-identifier</key>
    <string>8XCUU22SN2</string>
    <key>validation-category</key>
    <integer>1</integer>
  </dict>
</dict>
</plist>
```

### Construct an entitlements query

An entitlements query is an array of query operations. Each operation is an array with two entries: an integer operation code, and a parameter that can be an integer, a string, or a Boolean value. The operations either select specific information about the entitlements, or match the currently-selected information against a value specified in the parameter.

The kernel executes your query in a virtual machine (VM) that has a context that includes an entitlements state and a validity flag. The initial value of the state is the executable’s entitlements dictionary, and the query execution is valid. The VM processes each operation in the query in sequence. A select operation updates the state by fetching specific information from the current state, or marks the execution as invalid if it can’t find the requested information. A match operation marks the execution as valid if the current state’s value matches the operation’s parameter, and invalid otherwise. If the execution remains valid until the VM executes all of the operations in the query, then the executable satisfies the query.
Use the following operation codes in entitlements queries:

When you write an entitlements `$query` using the match type operation (Operation code 11 in the table above), use one of the values in this table as the parameter:

The launch constraint in the example below uses an `entitlements` fact and the `$query` operator to require that an executable has the Camera entitlement (`com.apple.security.device.camera`) with the Boolean value true.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>entitlements</key>
  <dict>
    <key>$query</key>
    <array>
      <array>
        <integer>1</integer>
        <string>com.apple.security.device.camera</string>
      </array>
      <array>
        <integer>5</integer>
        <true/>
      </array>
    </array>
  </dict>
</dict>
</plist>
```
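
The operator rules and the query VM described above, modelled in Python as an added example (not Apple's code and not the kernel's implementation). It treats the top level of the dictionary as an implicit `$and` and models only operation codes 1 and 5, the two used in the page's camera example; the function names, the `props` dictionaries and the combined constraint are constructed for illustration.

```python
import plistlib

# Constructed input: the page's $or constraint combined with its camera query.
CONSTRAINT = plistlib.loads(b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>$or</key><dict>
    <key>team-identifier</key><string>8XCUU22SN2</string>
    <key>validation-category</key><integer>1</integer>
  </dict>
  <key>entitlements</key><dict><key>$query</key><array>
    <array><integer>1</integer><string>com.apple.security.device.camera</string></array>
    <array><integer>5</integer><true/></array>
  </array></dict>
</dict></plist>""")

def run_query(entitlements, query):
    """Model of the query VM: operations run in order; False means 'invalid'."""
    state = entitlements
    for code, param in query:
        if code == 1:    # select: fetch a key from the current dictionary state
            if not isinstance(state, dict) or param not in state:
                return False          # requested information is missing
            state = state[param]
        elif code == 5:  # match: the current state must be this Boolean value
            if not (isinstance(state, bool) and state is param):
                return False
        else:            # other codes are not shown on the page, so not modelled
            raise ValueError(f"operation code {code} is not modelled")
    return True

def check(key, value, props):
    """Evaluate one entry: an operator key, or a fact whose value may be an operator."""
    if key == "$and":
        return satisfies(value, props)
    if key == "$or":
        return any(check(k, v, props) for k, v in value.items())
    if isinstance(value, dict):  # operator in place of the fact's value
        (op, arg), = value.items()
        if op == "$in":
            return props.get(key) in arg
        if op == "$query":
            return run_query(props.get(key, {}), arg)
        raise ValueError(f"operator {op} is not modelled")
    return props.get(key) == value

def satisfies(constraint, props):
    """All entries at one level must hold: the implicit top-level $and."""
    return all(check(k, v, props) for k, v in constraint.items())

CAMERA = {"com.apple.security.device.camera": True}  # constructed entitlements
print(satisfies(CONSTRAINT, {"team-identifier": "8XCUU22SN2", "entitlements": CAMERA}))
```

Because both the `$or` entry and the `entitlements` entry sit at the top level, an executable with the right Team ID still fails the constraint when the camera entitlement is absent or false.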
