Entitlement values for the Enhanced Security and the Additional Runtime Platform Restrictions

So, for testing, I created a short Swift program that intentionally triggers a protection behind the platform restrictions entitlement:

import Foundation
import MachO

var port: mach_port_t = UInt32(MACH_PORT_NULL)
mach_port_allocate(mach_task_self_, MACH_PORT_RIGHT_RECEIVE, &port)
mach_port_insert_right(mach_task_self_, port, port, mach_msg_type_name_t(MACH_MSG_TYPE_MAKE_SEND))
mach_port_move_member(mach_task_self_, port, 1000)

In my testing, this crashes (as expected) with the EXC_GUARD exception type when com.apple.security.hardened-process.platform-restrictions is an integer set to 2 (just as the documentation and Xcode says). It does not crash when it is a boolean set to true.

That suggests to me that App Review is mistaken. I'd try replying to them and link them the documentation pages, asking them to double check.

If you haven't already, please file bugs on this and then post the bug number back here.

Answering your question here "officially":

So, my question is, which settings are actually correct to enable the Enhanced Security and the Additional Runtime Platform Restrictions?

Xcode is using the correct values:

<key>com.apple.security.hardened-process.enhanced-security-version</key>
<integer>1</integer>
...
<key>com.apple.security.hardened-process.platform-restrictions</key>
<integer>2</integer>

For obvious reason, App Review uses an automated system to validate that entitlements have the correct value and format, and that's what's causing the rejection. They're working to sort that out now.

I'd try replying to them and link them the documentation pages, asking them to double check.

Unfortunately, it doesn't help that the documentation has issues (r.162641480) as well and claims that one of those values should be a string.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware