Hardened Runtime Entitlements

Manage security protections and resource access for your macOS apps.

Overview

The Hardened Runtime, along with System Integrity Protection (SIP), protects the runtime integrity of your software by preventing certain classes of exploits, like code injection, dynamically linked library (DLL) hijacking, and process memory space tampering. To enable the Hardened Runtime for your app, navigate in Xcode to your target’s Signing & Capabilities information and click the + button. In the window that appears, choose Hardened Runtime.

Screenshot highlighting where to click to add a new capability in Xcode’s Signing & Capabilities tab.

The Hardened Runtime doesn’t affect the operation of most apps, but it does disallow certain less common capabilities, like just-in-time (JIT) compilation. If your app relies on a capability that the Hardened Runtime restricts, add an entitlement to disable an individual protection. You add an entitlement by enabling one of the runtime exceptions or access permissions listed in Xcode. Make sure to use only the entitlements that are absolutely necessary for your app’s functionality.

Screenshot of Xcode showing some of the entitlements used for exceptions to the Hardened Runtime.

You add entitlements only to executables. Shared libraries, frameworks, and in-process plug-ins inherit the entitlements of their host executable.

Topics

Runtime Exceptions

Allow Execution of JIT-compiled Code Entitlement

A Boolean value that indicates whether the app may create writable and executable memory using the MAP_JIT flag.

Key: com.apple.security.cs.allow-jit

Allow Unsigned Executable Memory Entitlement

A Boolean value that indicates whether the app may create writable and executable memory without the restrictions imposed by using the MAP_JIT flag.

Key: com.apple.security.cs.allow-unsigned-executable-memory

Allow DYLD Environment Variables Entitlement

A Boolean value that indicates whether the app may be affected by dynamic linker environment variables, which you can use to inject code into your app’s process.

Key: com.apple.security.cs.allow-dyld-environment-variables

Disable Library Validation Entitlement

A Boolean value that indicates whether the app may load arbitrary plug-ins or frameworks, without requiring code signing.

Key: com.apple.security.cs.disable-library-validation

Disable Executable Memory Protection Entitlement

A Boolean value that indicates whether to disable all code signing protections while launching an app, and during its execution.

Key: com.apple.security.cs.disable-executable-page-protection

Debugging Tool Entitlement

A Boolean value that indicates whether the app is a debugger and may attach to other processes or get task ports.

Key: com.apple.security.cs.debugger

Resource Access

Audio Input Entitlement

A Boolean value that indicates whether the app may record audio using the built-in microphone and access audio input using Core Audio.

Key: com.apple.security.device.audio-input

Camera Entitlement

A Boolean value that indicates whether the app may capture movies and still images using the built-in camera.

Key: com.apple.security.device.camera

Location Entitlement

A Boolean value that indicates whether the app may access location information from Location Services.

Key: com.apple.security.personal-information.location

Address Book Entitlement

A Boolean value that indicates whether the app may have read-write access to contacts in the user's address book.

Key: com.apple.security.personal-information.addressbook

Calendars Entitlement

A Boolean value that indicates whether the app may have read-write access to the user's calendar.

Key: com.apple.security.personal-information.calendars

Photos Library Entitlement

A Boolean value that indicates whether the app may have read-write access to the user's Photos library.

Key: com.apple.security.personal-information.photos-library

Apple Events Entitlement

A Boolean value that indicates whether the app may prompt the user for permission to send Apple Events to other apps.

Key: com.apple.security.automation.apple-events
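The two lists above enumerate every runtime exception and resource-access key this page documents. The following POSIX shell script is an added example, not part of Apple's documentation or tooling: it reads the entitlements plist that `codesign -d --entitlements :- <path>` prints for a signed executable, reports each key set to `<true/>` as a runtime exception, a resource-access grant or something else, and separately checks for the `flags=...(runtime)` marker in `codesign -dvvv` output to confirm the Hardened Runtime is actually enabled. The sample plist and the sample `codesign` output line are constructed for this example; the `codesign` invocations and the `com.apple.security.app-sandbox` key are real but are assumptions not taken from this page, and the parser assumes the flat dictionary layout codesign prints (value element on the line after its key).

```shell
#!/bin/sh
# Added example (not Apple's code): audit the entitlements embedded in a signed
# macOS executable and flag every Hardened Runtime exception or resource-access
# entitlement that is enabled. Parsing uses only POSIX awk/grep, so the
# classification also runs on a saved plist off-device.

# Runtime exception keys from this page. Each one switches off a protection,
# so any of them present with <true/> should have a written justification.
RUNTIME_EXCEPTIONS='com.apple.security.cs.allow-jit
com.apple.security.cs.allow-unsigned-executable-memory
com.apple.security.cs.allow-dyld-environment-variables
com.apple.security.cs.disable-library-validation
com.apple.security.cs.disable-executable-page-protection
com.apple.security.cs.debugger'

# Resource access keys from this page (user-consent-gated resources).
RESOURCE_ACCESS='com.apple.security.device.audio-input
com.apple.security.device.camera
com.apple.security.personal-information.location
com.apple.security.personal-information.addressbook
com.apple.security.personal-information.calendars
com.apple.security.personal-information.photos-library
com.apple.security.automation.apple-events'

# Read an entitlements plist (XML) on stdin and print each key whose value is
# <true/>. Assumes the layout codesign prints: a flat <dict> where the value
# element follows its <key> on the next non-blank line. Other values are ignored.
enabled_keys() {
    awk '
        /^[ \t]*$/ { next }
        /<key>/ {
            k = $0
            sub(/^[ \t]*<key>/, "", k)
            sub(/<\/key>.*$/, "", k)
            next
        }
        { if (k != "" && $0 ~ /<true\/>/) print k; k = "" }
    '
}

# Classify each enabled key as RUNTIME-EXCEPTION, RESOURCE-ACCESS or OTHER.
audit_entitlements() {
    enabled_keys | while IFS= read -r key; do
        if printf '%s\n' "$RUNTIME_EXCEPTIONS" | grep -qxF "$key"; then
            printf 'RUNTIME-EXCEPTION %s\n' "$key"
        elif printf '%s\n' "$RESOURCE_ACCESS" | grep -qxF "$key"; then
            printf 'RESOURCE-ACCESS %s\n' "$key"
        else
            printf 'OTHER %s\n' "$key"
        fi
    done
}

# Given `codesign -dvvv <path>` output on stdin, succeed only if the
# CodeDirectory flags include "runtime", i.e. the Hardened Runtime is on.
runtime_flag_set() {
    grep -q 'flags=0x[0-9a-f]*(.*runtime'
}

# On a Mac, run both checks against a real executable (codesign writes its
# -dvvv report to stderr, hence the redirect). Not executed in this example.
audit_binary() {
    path=$1
    if codesign -dvvv "$path" 2>&1 | runtime_flag_set; then
        echo "hardened runtime: on"
    else
        echo "hardened runtime: OFF"
    fi
    codesign -d --entitlements :- "$path" 2>/dev/null | audit_entitlements
}

# Constructed sample shaped like `codesign -d --entitlements :-` output, with
# two runtime exceptions and one resource-access entitlement enabled and one
# resource-access key explicitly set to <false/>.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <false/>
    <key>com.apple.security.device.audio-input</key>
    <true/>
</dict>
</plist>'

printf '%s\n' "$SAMPLE_PLIST" | audit_entitlements
```

Against a real bundle the call is `audit_binary /Applications/Example.app/Contents/MacOS/Example` (hypothetical path). Every RUNTIME-EXCEPTION line is one of the protections this page describes being switched off; the review question for each is whether the app genuinely needs it, and the entitlement should be removed if it does not.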

See Also

Secure Code

Code Signing Services

Examine and validate signed code running on the system.

Notarizing macOS Software Before Distribution

Give users even more confidence in your macOS software by submitting it to Apple for notarization.

Preparing Your App to Work with Pointer Authentication

Test your app against the arm64e architecture to ensure that it works seamlessly with enhanced security features.

App Sandbox Entitlements

Manage access to system resources and user data in macOS apps to contain damage if an app becomes compromised.