Makes the calling thread the proxy for a specified guest.


OSStatus SecHostSelectGuest(SecGuestRef guestRef, SecCSFlags flags);



guestRef

A guest code object identifying the code on whose behalf the calling thread is to act. To indicate that the calling thread will act on its own behalf, rather than for any guest, pass kSecNoGuest.


flags

Optional flags; see SecCSFlags for possible values. Pass kSecCSDefaultFlags for standard behavior.

Return Value


The specified guest must be dynamically valid. This function works both for hosts acting in proxy mode and those acting in dynamic mode. The selected guest setting remains in effect until it is changed or the thread terminates.

This function tells the system that your application is acting on behalf of the selected guest (or on its own behalf if you specify kSecNoGuest for the guestRef parameter). This function acts on a per-thread basis; that is, each of your application’s threads can call this function to select a guest for that thread. Thereafter, the system assumes that any action taken by your application on that thread is on behalf of the selected guest. For example, if your application attempts to access the keychain, the system assumes that the selected guest is the application that is attempting to access the keychain and acts accordingly. You can call this function as often as necessary to act on behalf of as many guests as you wish.

Note that if you are using blocks to implement concurrency, you can’t tell which thread your code will be running on. Therefore, you must make this function call at the beginning of each block to be sure that the guest selection is set correctly for the thread.
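The per-block selection described above, as an added example (not Apple sample code): a hypothetical helper, run_for_guest, selects the guest at the start of each dispatched block, refuses to run the work if selection fails, and resets the thread to kSecNoGuest afterwards so a later block on the same pooled thread does not inherit the selection. It assumes the guest handle was obtained elsewhere by the host and that the code is built on macOS against the Security framework.

```objective-c
// Added example: run_for_guest is a hypothetical helper, not part of the API.
#include <Security/Security.h>
#include <Security/SecCodeHost.h>
#include <dispatch/dispatch.h>
#include <stdio.h>

// Runs `work` on `queue` while the executing thread is the proxy for `guest`.
// The selection is made inside the block because the thread that will run
// the block is not known when the block is submitted.
static void run_for_guest(dispatch_queue_t queue, SecGuestRef guest,
                          void (^work)(void))
{
    dispatch_async(queue, ^{
        // Select the guest first. The setting is per-thread and stays in
        // effect until changed, so whatever an earlier block left on this
        // worker thread is still active at this point.
        OSStatus status = SecHostSelectGuest(guest, kSecCSDefaultFlags);
        if (status != errSecSuccess) {
            // Fail closed: running `work` now would attribute its actions
            // (for example keychain access) to the wrong identity.
            fprintf(stderr, "SecHostSelectGuest(guest) failed: %d\n",
                    (int)status);
            return;
        }

        work();

        // Return the thread to acting on the host's own behalf so the next
        // block scheduled on this thread does not act for `guest`.
        status = SecHostSelectGuest(kSecNoGuest, kSecCSDefaultFlags);
        if (status != errSecSuccess) {
            fprintf(stderr, "SecHostSelectGuest(kSecNoGuest) failed: %d\n",
                    (int)status);
        }
    });
}
```

Blocks that are submitted without such a wrapper should still call SecHostSelectGuest themselves before touching any guest-attributed resource, since they may land on a thread with a stale selection.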

See Also

Guest Management


Retrieves the code object for the host of the specified guest code.


Removes a guest from a host.


Retrieves the handle for the guest currently selected for the calling thread.


Tells code signing services that the calling code will directly respond to hosting inquiries over the given port.


Asks the kernel to accept the signing information currently attached to a code object and uses it to validate memory page-ins.