Function

SMJobBless(_:_:_:_:)

Submits the executable for the given label as a launchd job.

Declaration

func SMJobBless(_ domain: CFString!, _ executableLabel: CFString, _ auth: AuthorizationRef!, _ outError: UnsafeMutablePointer<Unmanaged<CFError>?>!) -> Bool

Parameters

domain

The job's domain. Only kSMDomainSystemLaunchd is supported.

executableLabel

The label of the privileged executable to install. This label must be one of the keys found in the SMPrivilegedExecutables dictionary in the application's Info.plist.

auth

An authorization reference containing the kSMRightBlessPrivilegedHelper right.

outError

An output reference to a CFErrorRef describing the specific error encountered while submitting the executable tool, or NULL if successful. It is the responsibility of the application to release the error reference. This argument may be NULL.

Return Value

True if the job was successfully submitted, otherwise false.

Discussion

SMJobBless submits the executable for the given label as a launchd job. This function obviates the need for a setuid helper invoked via AuthorizationExecuteWithPrivileges() in order to install a launchd plist.

If the job is already installed, success is returned.

In order to use this function the following requirements must be met:

  1. The calling application and target executable tool must both be signed.

  2. The calling application's Info.plist must include a "SMPrivilegedExecutables" dictionary of strings. Each string is a textual representation of a code signing requirement used to determine whether the application owns the privileged tool once installed (i.e. in order for subsequent versions to update the installed version).

     Each key of SMPrivilegedExecutables is a reverse-DNS label for the helper tool (must be globally unique).

  3. The helper tool must have an embedded Info.plist containing an "SMAuthorizedClients" array of strings. Each string is a textual representation of a code signing requirement describing a client which is allowed to add and remove the tool.

  4. The helper tool must have an embedded launchd plist. The only required key in this plist is the Label key. When the launchd plist is extracted and written to disk, the key for ProgramArguments will be set to an array of 1 element pointing to a standard location. You cannot specify your own program arguments, so do not rely on custom command line arguments being passed to your tool. Pass any parameters via IPC.

  5. The helper tool must reside in the Contents/Library/LaunchServices directory inside the application bundle, and its name must be its launchd job label. So if your launchd job label is "com.apple.Mail.helper", this must be the name of the tool in your application bundle.
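
The following pre-release check is an added example, not Apple's code: it audits an application bundle for the app-side requirements above, namely the SMPrivilegedExecutables dictionary of strings and the rule that each helper sits in Contents/Library/LaunchServices under its label. The function names, the sample bundle and the requirement string are constructed for illustration, and the script does not verify signatures or the plists embedded in the helper.

```python
import plistlib
import tempfile
from pathlib import Path

HELPER_DIR = Path("Contents/Library/LaunchServices")

def audit_bundle(app: Path) -> list:
    """Return findings; an empty list means the app-side layout is consistent."""
    info_path = app / "Contents" / "Info.plist"
    try:
        with info_path.open("rb") as fh:
            info = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException) as exc:
        return [f"cannot read {info_path}: {exc}"]
    execs = info.get("SMPrivilegedExecutables")
    if not isinstance(execs, dict) or not execs:
        return ["Info.plist has no SMPrivilegedExecutables dictionary"]
    findings = []
    for label, requirement in execs.items():
        # Each value must be the text of a code signing requirement.
        if not isinstance(requirement, str) or not requirement.strip():
            findings.append(f"{label}: requirement is not a non-empty string")
        # The tool's file name must be exactly its launchd job label.
        if not (app / HELPER_DIR / label).is_file():
            findings.append(f"{label}: no tool at {HELPER_DIR / label}")
    helper_dir = app / HELPER_DIR
    if helper_dir.is_dir():
        for tool in sorted(helper_dir.iterdir()):
            # A tool whose name is not a dictionary key cannot be blessed.
            if tool.name not in execs:
                findings.append(f"{tool.name}: name matches no SMPrivilegedExecutables key")
    return findings

def build_sample(root: Path, label: str, tool_name: str) -> Path:
    """Write a constructed sample bundle (not a real app) for the demo."""
    app = root / "Sample.app"
    (app / HELPER_DIR).mkdir(parents=True)
    (app / HELPER_DIR / tool_name).write_bytes(b"")
    plist = {"SMPrivilegedExecutables": {label: 'identifier "com.example.helper"'}}
    with (app / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump(plist, fh)
    return app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Tool is named "helper" instead of its label, so two findings print.
        for finding in audit_bundle(build_sample(Path(tmp), "com.example.helper", "helper")):
            print(finding)
```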