Configuring the hardened runtime
Protect the runtime integrity of your macOS app by restricting access to sensitive resources and preventing common exploits.
Overview
The Hardened Runtime is a collection of system-enforced restrictions that disable a set of functional capabilities, such as loading third-party frameworks, and prohibit access to restricted resources, such as the device’s built-in camera, to prevent certain classes of exploits from compromising the runtime integrity of your macOS app. If your app relies on something the Hardened Runtime restricts, you remove that specific protection by adding an entitlement to your app’s entitlements file. Xcode’s Hardened Runtime capability provides an easy way to manage those entitlements.
Before you select the runtime exceptions and the restricted-resource access that your app requires, follow the steps in the Add a capability section of Adding capabilities to your app to add the Hardened Runtime capability to the target of your macOS app. If you create a new macOS app using a template, Xcode automatically adds the Hardened Runtime capability to your app.
Specify your app’s runtime exceptions
Before your app can perform functionality that depends upon one or more runtime exceptions, you must add the entitlements for those exceptions by performing the following:
1. Select your project in Xcode’s Project navigator.
2. Select the app’s target in the Targets list.
3. Click the Signing & Capabilities tab in the project editor.
4. Locate the Runtime Exceptions section of the Hardened Runtime capability.
5. Select one or more runtime exceptions by checking the corresponding checkboxes.
Xcode automatically updates your app’s entitlements file to include the entitlements that correspond to the selected runtime exceptions, and sets the value of those entitlements to true.
The following table describes the runtime exceptions the Hardened Runtime supports:
| Name | Functionality |
|---|---|
| Allow Execution of JIT-compiled Code | Create writable and executable memory using the |
| Allow Unsigned Executable Memory | Create writable and executable memory without the imposed restrictions of the |
| Allow DYLD Environment Variables | Modify your app’s behavior at runtime using dynamic link variables. For more information, see com.apple.security.cs.allow-dyld-environment-variables. |
| Disable Library Validation | Load frameworks and plug-ins that are written by third-party developers. For more information, see com.apple.security.cs.disable-library-validation. |
| Disable Executable Memory Protection | Disable the protections that code-signing provides. For more information, see com.apple.security.cs.disable-executable-page-protection. |
| Debugging Tool | Attach to other processes or get task ports by indicating to the system that your app is a debugger. For more information, see com.apple.security.cs.debugger. |
Specify the resource access your app requires
If your app accesses restricted or sensitive resources, such as the user’s photo library or address book, you must include the entitlements that provide access to those resources by following these steps:
1. Select your project in Xcode’s Project navigator.
2. Select the app’s target in the Targets list.
3. Click the Signing & Capabilities tab in the project editor.
4. Locate the Resource Access section of the Hardened Runtime capability.
5. Select access to one or more resources by checking the corresponding checkboxes.
After you select the required resource access, Xcode updates the entitlements file of your app to include the corresponding entitlements and sets the value of those entitlements to true.
The following table describes the resource access entitlements the Hardened Runtime supports:
| Name | Functionality |
|---|---|
| Audio Input | Record audio using the built-in microphone and access audio input using the Core Audio APIs. For more information, see com.apple.security.device.audio-input. |
| Camera | Capture images and movies with the built-in and external cameras. For more information, see com.apple.security.device.camera. |
| Location | Determine the user’s location using Location Services. For more information, see com.apple.security.personal-information.location. |
| Contacts | Enable read-write access to the user’s Contacts database. For more information, see com.apple.security.personal-information.addressbook. |
| Calendar | Enable read-write access to the user’s calendar. For more information, see com.apple.security.personal-information.calendars. |
| Photos Library | Enable read-write access to the user’s photo library. For more information, see com.apple.security.personal-information.photos-library. |
| Apple Events | Post Apple Events to other apps and processes. For more information, see com.apple.security.automation.apple-events. |
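Because each checkbox in the two sections above ends up as a boolean true in the app's entitlements file, a review step is to read that file back and list which Hardened Runtime protections it switches off. The following is an added example, not Xcode's or Apple's code: it parses an entitlements plist with Python's standard plistlib and groups the keys by the two tables above. The key strings are Apple's documented entitlement identifiers; the short descriptions and the sample plist are constructed for this example.

```python
import plistlib

# Entitlement keys from the Runtime Exceptions table (Apple's documented
# identifiers) and the protection each one removes.
RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.allow-jit": "JIT-compiled code (writable + executable memory)",
    "com.apple.security.cs.allow-unsigned-executable-memory": "unsigned executable memory",
    "com.apple.security.cs.allow-dyld-environment-variables": "DYLD environment variables",
    "com.apple.security.cs.disable-library-validation": "third-party frameworks and plug-ins",
    "com.apple.security.cs.disable-executable-page-protection": "executable page protection off",
    "com.apple.security.cs.debugger": "attach to other processes as a debugger",
}

# Entitlement keys from the Resource Access table.
RESOURCE_ACCESS = {
    "com.apple.security.device.audio-input": "microphone / audio input",
    "com.apple.security.device.camera": "camera",
    "com.apple.security.personal-information.location": "location",
    "com.apple.security.personal-information.addressbook": "contacts",
    "com.apple.security.personal-information.calendars": "calendar",
    "com.apple.security.personal-information.photos-library": "photo library",
    "com.apple.security.automation.apple-events": "Apple Events to other apps",
}


def audit_entitlements(plist_bytes: bytes) -> dict:
    """Group the keys of an entitlements plist by the Hardened Runtime tables.

    Xcode writes each selected exception as boolean true. A key whose value is
    anything else is not an opt-out and is listed under 'ignored'; keys outside
    both tables (e.g. the App Sandbox key) go under 'other'.
    """
    entitlements = plistlib.loads(plist_bytes)
    report = {"runtime_exceptions": [], "resource_access": [], "ignored": [], "other": []}
    for key, value in entitlements.items():
        if value is not True:
            report["ignored"].append(key)
        elif key in RUNTIME_EXCEPTIONS:
            report["runtime_exceptions"].append(key)
        elif key in RESOURCE_ACCESS:
            report["resource_access"].append(key)
        else:
            report["other"].append(key)
    return report


# Constructed sample: what Xcode writes when "Disable Library Validation" and
# "Camera" are ticked, plus one key explicitly set to false.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.cs.disable-library-validation</key><true/>
<key>com.apple.security.device.camera</key><true/>
<key>com.apple.security.cs.allow-jit</key><false/>
</dict></plist>"""

if __name__ == "__main__":
    result = audit_entitlements(SAMPLE_ENTITLEMENTS)
    for key in result["runtime_exceptions"]:
        print(f"runtime exception: {key} -> {RUNTIME_EXCEPTIONS[key]}")
    for key in result["resource_access"]:
        print(f"resource access:   {key} -> {RESOURCE_ACCESS[key]}")
```

On a signed app the same check can be run against the entitlements embedded in the binary by feeding the output of codesign -d --entitlements to audit_entitlements.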