  1  /*
  2   * Copyright (c) 2008-2010,2012,2014 Apple Inc. All Rights Reserved.
  3   *
  4   * @APPLE_LICENSE_HEADER_START@
  5   *
  6   * This file contains Original Code and/or Modifications of Original Code
  7   * as defined in and that are subject to the Apple Public Source License
  8   * Version 2.0 (the 'License'). You may not use this file except in
  9   * compliance with the License. Please obtain a copy of the License at
 10   * http://www.opensource.apple.com/apsl/ and read it before using this
 11   * file.
 12   *
 13   * The Original Code and all software distributed under the License are
 14   * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 15   * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 16   * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 17   * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 18   * Please see the License for the specific language governing rights and
 19   * limitations under the License.
 20   *
 21   * @APPLE_LICENSE_HEADER_END@
 22   */
 23  
 24  
 25  /* This file contains the names of all known entitlements currently
 26     in use on the system. */
 27  
 28  #ifndef _SECURITY_SECENTITLEMENTS_H_
 29  #define _SECURITY_SECENTITLEMENTS_H_
 30  
 31  #include <CoreFoundation/CFString.h>
 32  
 33  __BEGIN_DECLS
 34  
 35  /* Allow other tasks to get this task's name port. This is needed so the app
 36     can be debugged. */
 37  #define kSecEntitlementGetTaskAllow CFSTR("get-task-allow")
 38  
 39  /* The identifier of this application, typically the same as the
 40   CFBundleIdentifier. On iOS, the identifier is prefixed with the team-id and
 41   for some uses, the same applies to macOS.
 42  
 43   This is used as the default access group for any keychain items this
 44   application creates and accesses unless there is a
 45   keychain-access-group-entitlement.
 46  
 47   Note that iOS and macOS uses different value for the same constant.
 48   */
 49  
 50  #define kSecEntitlementAppleApplicationIdentifier CFSTR("com.apple.application-identifier")
 51  #define kSecEntitlementBasicApplicationIdentifier CFSTR("application-identifier")
 52  #if TARGET_OS_IPHONE
 53  #define kSecEntitlementApplicationIdentifier kSecEntitlementBasicApplicationIdentifier
 54  #else
 55  #define kSecEntitlementApplicationIdentifier kSecEntitlementAppleApplicationIdentifier
 56  #endif
 57  
 58  /* Marzipan apps distributed through the App Store cannot share an application
 59     identifier with their iOS versions, so they have an associated application
 60     identifier which matches the iOS identifier. It will be preferred, when
 61     present, over the 'regular' application identifier. This avoids developers
 62     having to jump through hoops to port iOS apps to the Mac. */
 63  #define kSecEntitlementAssociatedApplicationIdentifier CFSTR("com.apple.developer.associated-application-identifier")
 64  
 65  /* The value should be an array of strings.  Each string is the name of an
 66     access group that the application has access to.  The
 67     application-identifier is implicitly added to this list.   When creating
 68     a new keychain item use the kSecAttrAccessGroup attribute (defined in
 69     <Security/SecItem.h>) to specify its access group.  If omitted, the
 70     access group defaults to the first access group in this list or the
 71     application-identifier if there is no keychain-access-groups entitlement. */
 72  #define kSecEntitlementKeychainAccessGroups CFSTR("keychain-access-groups")
 73  
 74  /* The value should be an array of strings.  Each string is the name of an
 75     access group that the application has access to.  The first of
 76     kSecEntitlementKeychainAccessGroups,
 77     kSecEntitlementApplicationIdentifier or
 78     kSecEntitlementAppleSecurityApplicationGroups to have a value becomes the default
 79     application group for keychain clients that don't specify an explicit one. */
 80  #define kSecEntitlementAppleSecurityApplicationGroups CFSTR("com.apple.security.application-groups")
 81  
 82  #define kSecEntitlementNetworkExtensionAccessGroups CFSTR("com.apple.networkextension.keychain")
 83  
 84  /* Boolean entitlement, if present the application with the entitlement is
 85     allowed to modify the which certificates are trusted as anchors using
 86     the SecTrustStoreSetTrustSettings() and SecTrustStoreRemoveCertificate()
 87     SPIs. */
 88  #define kSecEntitlementModifyAnchorCertificates CFSTR("modify-anchor-certificates")
 89  
 90  #define kSecEntitlementDebugApplications CFSTR("com.apple.springboard.debugapplications")
 91  
 92  #define kSecEntitlementOpenSensitiveURL CFSTR("com.apple.springboard.opensensitiveurl")
 93  
 94  /* Boolean entitlement, if present allows the application to wipe the keychain
 95     and truststore. */
 96  #define kSecEntitlementWipeDevice CFSTR("com.apple.springboard.wipedevice")
 97  
 98  #define kSecEntitlementRemoteNotificationConfigure CFSTR("com.apple.remotenotification.configure")
 99  
100  #define kSecEntitlementMigrateKeychain CFSTR("migrate-keychain")
101  
102  #define kSecEntitlementRestoreKeychain CFSTR("restore-keychain")
103  
104  /* Entitlement needed to call SecKeychainSyncUpdate SPI. */
105  #define kSecEntitlementKeychainSyncUpdates CFSTR("keychain-sync-updates")
106  
107  /* Boolean entitlement, if present you get access to the SPIs for keychain sync circle manipulation */
108  #define kSecEntitlementKeychainCloudCircle CFSTR("keychain-cloud-circle")
109  
110  /* Boolean entitlement, if present you get access to the SPIs for keychain initial sync */
111  #define kSecEntitlementKeychainInitialSync CFSTR("com.apple.private.security.initial-sync")
112  
113  /* Associated Domains entitlement (contains array of fully-qualified domain names) */
114  #define kSecEntitlementAssociatedDomains CFSTR("com.apple.developer.associated-domains")
115  
116  /* Entitlement needed to call swcd and swcagent processes. */
117  #define kSecEntitlementPrivateAssociatedDomains CFSTR("com.apple.private.associated-domains")
118  
119  /* Entitlement to control usage of system keychain */
120  #define kSecEntitlementPrivateSystemKeychain CFSTR("com.apple.private.system-keychain")
121  
122  /* Entitlement to control usage of syncbubble keychain migration */
123  #define kSecEntitlementPrivateKeychainSyncBubble CFSTR("com.apple.private.syncbubble-keychain")
124  
125  /* Entitlement to control usage of system keychain migration */
126  #define kSecEntitlementPrivateKeychainMigrateSystemKeychain CFSTR("com.apple.private.migrate-musr-system-keychain")
127  
128  /* Entitlement to control usage of system keychain migration */
129  #define kSecEntitlementPrivateNetworkExtension CFSTR("com.apple.developer.networking.networkextension")
130  
131  /* Entitlement to control usage of deletion of keychain items on app uninstallation */
132  #define kSecEntitlementPrivateUninstallDeletion CFSTR("com.apple.private.uninstall.deletion")
133  
134  /* Entitlement to control usage of deletion of keychain items wholesale */
135  #define kSecEntitlementPrivateDeleteAll CFSTR("com.apple.private.security.delete.all")
136  
137  /* Entitlement to allow access to circle joining APIs in SOSCC */
138  #define kSecEntitlementCircleJoin CFSTR("com.apple.private.keychain.circle.join")
139  
140  /* Entitlement to deny use of keychain APIs, only effective on iOS keychain */
141  #define kSecEntitlementKeychainDeny CFSTR("com.apple.private.keychain.deny")
142  
143  /* Entitlement to control use of keychain certificate fetching functions */
144  #define kSecEntitlementPrivateCertificateAllAccess CFSTR("com.apple.private.keychain.certificates")
145  
146  /* Entitlement to control use of CKKS */
147  #define kSecEntitlementPrivateCKKS CFSTR("com.apple.private.ckks")
148  
149  /* Entitlement to allow manipulation of backup keybags in keychain table */
150  #define kSecEntitlementBackupTableOperations CFSTR("com.apple.private.keychain.backuptableops")
151  
152  /* Entitlement to allow use of CKKS plaintext fields */
153  #define kSecEntitlementPrivateCKKSPlaintextFields CFSTR("com.apple.private.ckks.plaintextfields")
154  
155  /* Entitlement to allow use of inet expansion fields */
156  #define kSecEntitlementPrivateInetExpansionFields CFSTR("com.apple.private.keychain.inet_expansion_fields")
157  
158  /* Entitlement to allow use of CKKS 'current item' changing SPI */
159  #define kSecEntitlementPrivateCKKSWriteCurrentItemPointers CFSTR("com.apple.private.ckks.currentitempointers_write")
160  
161  /* Entitlement to allow use of CKKS 'current item' reading SPI */
162  #define kSecEntitlementPrivateCKKSReadCurrentItemPointers CFSTR("com.apple.private.ckks.currentitempointers_read")
163  
164  /* Entitlement to allow use of sysbound field */
165  #define kSecEntitlementPrivateSysBound CFSTR("com.apple.private.keychain.sysbound")
166  
167  #define kSecEntitlementBackupTableOperationsDeleteAll CFSTR("com.apple.private.keychain.backuptableops.deleteall")
168  
169  /* Entitlement to allow executing keychain control actions */
170  #define kSecEntitlementKeychainControl CFSTR("com.apple.private.keychain.keychaincontrol")
171  
172  /* Entitlement to allow deletion of app clip keychain items */
173  #define kSecEntitlementPrivateAppClipDeletion CFSTR("com.apple.private.keychain.appclipdeletion")
174  
175  /* Entitlement to allow use of performance-impacting API */
176  #define kSecEntitlementPrivatePerformanceImpactingAPI CFSTR("com.apple.private.keychain.performance_impacting_api")
177  
178  /* Entitlements to allow executing SecItemUpdateTokenItemsForAccessGroups SPI */
179  #define kSecEntitlementUpdateTokenItems CFSTR("com.apple.private.keychain.allow-update-tokens")
180  
181  /* Entitlement to control access to login keychain master key stashing (loginwindow) */
182  #define kSecEntitlementPrivateStash CFSTR("com.apple.private.securityd.stash")
183  
184  #if __OBJC__
185  /* Entitlement to control use of OT */
186  #define kSecEntitlementPrivateOctagon @"com.apple.private.octagon"
187  
188  /* Entitlement to control use of Escrow Update */
189  #define kSecEntitlementPrivateEscrowRequest @"com.apple.private.escrow-update"
190  
191  /* Entitlement for macOS securityd to connect to stash agent */
192  #define kSecEntitlementPrivateStashService @"com.apple.private.securityd.stash-agent-client"
193  #endif
194  
195  __END_DECLS
196  
197  #endif /* !_SECURITY_SECENTITLEMENTS_H_ */