Glossary

Entitlement

A signed key-value pair inside a binary's code signature that grants a specific kernel- or daemon-checked privilege.

An entitlement is a key-value pair embedded in a Mach-O binary's code signature. The kernel and various daemons read entitlements to grant capabilities a process otherwise wouldn't have.

Examples:

  • com.apple.security.network.client — may open outbound network connections.
  • com.apple.security.files.user-selected.read-write — may read/write files the user picked in an open or save panel.
  • com.apple.security.cs.allow-jit — may map pages as read+write+execute (for a JavaScript engine).
  • com.apple.developer.kernel.extended-virtual-addressing — may use 52-bit virtual addresses on Apple Silicon.
  • com.apple.private.* — Apple-internal entitlements, refused to third-party signers.

The defining property is that entitlements are signed in. Adding or modifying an entitlement invalidates the binary's signature, so malware can't grant itself privileges — it would need Apple's (or your Developer ID's) signing key.

You can dump a binary's entitlements with:

codesign -d --entitlements - /path/to/binary
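An added example (not part of this glossary page): a small Python review helper that takes the output of the command above, strips the 8-byte blob header that older codesign versions prepend (magic 0xfade7171 plus length), parses the XML plist, and flags the entitlements a reviewer would look at first. The NOTABLE table and the com.apple.private.* placeholder key in the sample are constructed for this example.

```python
import plistlib
import struct

# CSMAGIC_EMBEDDED_ENTITLEMENTS: magic of an embedded entitlements blob.
ENTITLEMENTS_BLOB_MAGIC = 0xFADE7171

# Entitlements worth a second look in review (assumed list for this example).
NOTABLE = {
    "com.apple.security.cs.allow-jit": "may map read+write+execute pages",
    "com.apple.security.network.client": "may open outbound network connections",
    "com.apple.security.files.user-selected.read-write": "may read/write user-picked files",
}


def strip_blob_header(raw: bytes) -> bytes:
    """Drop the 8-byte header (big-endian magic, length) if codesign emitted one."""
    if len(raw) >= 8:
        magic, length = struct.unpack(">II", raw[:8])
        if magic == ENTITLEMENTS_BLOB_MAGIC:
            return raw[8:length]
    return raw


def parse_entitlements(raw: bytes) -> dict:
    """Return the entitlement dictionary; an unentitled binary yields {}."""
    data = strip_blob_header(raw)
    return plistlib.loads(data) if data.strip() else {}


def review(entitlements: dict) -> list:
    """One finding per entitlement that is Apple-private or in NOTABLE and enabled."""
    findings = []
    for key, value in sorted(entitlements.items()):
        if key.startswith("com.apple.private."):
            findings.append(f"{key}: Apple-private entitlement, refused to third-party signers")
        elif key in NOTABLE and value is True:
            findings.append(f"{key}: {NOTABLE[key]}")
    return findings


# Constructed sample of what `codesign -d --entitlements - <binary>` prints.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.app-sandbox</key><true/>
<key>com.apple.security.network.client</key><true/>
<key>com.apple.security.cs.allow-jit</key><true/>
<key>com.apple.private.example-only</key><true/>
</dict></plist>
"""
# Same sample with the blob header older codesign versions prepend (constructed).
SAMPLE_RAW = struct.pack(">II", ENTITLEMENTS_BLOB_MAGIC, 8 + len(SAMPLE_PLIST)) + SAMPLE_PLIST

if __name__ == "__main__":
    for finding in review(parse_entitlements(SAMPLE_RAW)):
        print(finding)
```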

See also: code signing, AMFI, sandbox.