---
title: SecHostCreateGuest
framework: security
role: symbol
role_heading: Function
path: security/sechostcreateguest
---

# SecHostCreateGuest

Creates a new guest and describes its initial properties.

## Declaration

```occ
OSStatus SecHostCreateGuest(SecGuestRef host, uint32_t status, CFURLRef path, CFDictionaryRef attributes, SecCSFlags flags, SecGuestRef *newGuest);
```

## Parameters

- `host`: A guest code object identifying the code that is to be the direct host of the new guest. Pass doc://com.apple.security/documentation/Security/kSecNoGuest if the process calling this function is to be the host. To create a guest of another guest (extending the hosting chain), pass the guest code object of the guest that is to act as the new guest’s host. If the specified host already has a dedicated guest, then that dedicated guest becomes the actual host of the new guest (unless the dedicated guest also has a dedicated guest, in which case the same algorithm is replied recursively). See doc://com.apple.security/documentation/Security/kSecCSDedicatedHost for a discussion of dedicated hosts.
- `status`: Code status flags for the new guest (see doc://com.apple.security/documentation/Security/SecCodeStatus). Note that certain code status flags can be set only once, by the caller of the doc://com.apple.security/documentation/Security/SecHostCreateGuest function when it creates the guest. In particular, if you do not set the doc://com.apple.security/documentation/Security/SecCodeStatus/valid flag during creation of the guest, then the new guest is created dynamically invalid and can never become dynamically valid.
- `path`: The canonical path to the guest’s code on disk. This is the path you would pass to the doc://com.apple.security/documentation/Security/SecStaticCodeCreateWithPath(_:_:_:) function to make a static code object reference. You must use an absolute path.
- `attributes`: A key-value dictionary of attributes that can be used to identify this particular guest among all of the caller’s guests. The doc://com.apple.security/documentation/Security/kSecGuestAttributeCanonical attribute—containing the guest’s code object (that is, the doc://com.apple.security/documentation/Security/SecGuestRef object returned in the newGuest parameter) is automatically added to the guest’s attributes. Pass NULL for this parameter if you do not want to establish any other attributes for this guest. Although you can specify any key-value pairs in this attributes dictionary, the keys in doc://com.apple.security/documentation/Security/guest-attribute-dictionary-keys are conventionally used for this purpose.
- `flags`: Optional flags; see doc://com.apple.security/documentation/Security/SecCSFlags and doc://com.apple.security/documentation/Security/guest-creation-flags for possible values. Pass doc://com.apple.security/documentation/Security/SecCSFlags/kSecCSDefaultFlags for standard behavior. Pass doc://com.apple.security/documentation/Security/kSecCSDedicatedHost to make the code specified in the host parameter the dedicated host for the new guest.
- `newGuest`: On return, the guest code object that identifies the new guest.

## Mentioned in

Hosting Guest Code

## Return Value

Return Value A result code. See Code Signing Services Result Codes.

## Discussion

Discussion Code that calls this function becomes a code host operating in proxy hosting mode. Subsequently, Code Signing Services caches information about guest code provided by the host when it calls the SecHostCreateGuest, SecHostSetGuestStatus, and SecHostRemoveGuest functions. Code Signing Services uses this information to report hosting status to callers directly without consulting the host. A code host running in proxy hosting mode cannot switch to dynamic hosting mode.

## See Also

### Related Documentation

- [SecHostSelectGuest](security/sechostselectguest.md)
- [SecHostSetHostingPort](security/sechostsethostingport.md)
- [SecHostRemoveGuest](security/sechostremoveguest.md)