---
name: macos-entitlements-generator
description: Generate entitlements.plist with appropriate sandbox capabilities for macOS applications
allowed-tools: Read, Write, Edit, Bash, Glob, Grep
tags: [macos, entitlements, sandbox, security, apple]
---

# macos-entitlements-generator

Generate entitlements.plist with appropriate sandbox capabilities for macOS applications. This skill configures the App Sandbox, hardened runtime, and the specific entitlements required for app functionality.

## Capabilities

- Generate entitlements.plist configuration
- Configure App Sandbox entitlements
- Set up hardened runtime entitlements
- Configure file access permissions
- Enable network access
- Configure hardware access (camera, microphone)
- Set up inter-app communication
- Generate both development and distribution entitlements

## Input Schema

```json
{
  "type": "object",
  "properties": {
    "projectPath": {
      "type": "string",
      "description": "Path to the Xcode project"
    },
    "appFeatures": {
      "type": "array",
      "items": {
        "enum": [
          "network-client", "network-server",
          "file-read", "file-write",
          "downloads-read", "downloads-write",
          "pictures-read", "pictures-write",
          "music-read", "music-write",
          "movies-read", "movies-write",
          "user-selected-files",
          "camera", "microphone", "usb", "bluetooth", "print",
          "calendar", "contacts", "location",
          "apple-events",
          "jit", "unsigned-memory"
        ]
      }
    },
    "appGroups": {
      "type": "array",
      "items": { "type": "string" },
      "description": "App group identifiers"
    },
    "keychainGroups": {
      "type": "array",
      "items": { "type": "string" },
      "description": "Keychain access groups"
    },
    "disableSandbox": {
      "type": "boolean",
      "default": false,
      "description": "Disable sandbox (not recommended)"
    },
    "isMASApp": {
      "type": "boolean",
      "default": false,
      "description": "Target Mac App Store"
    }
  },
  "required": ["projectPath", "appFeatures"]
}
```

## Output Schema

```json
{
  "type": "object",
  "properties": {
    "success": { "type": "boolean" },
    "files": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "path": { "type": "string" },
          "type": { "enum": ["entitlements", "info-plist-additions"] }
        }
      }
    },
    "warnings": {
      "type": "array",
      "items": { "type": "string" }
    }
  },
  "required": ["success"]
}
```

## Entitlements.plist Examples

Every example below is a complete property list: the entitlement keys live in the top-level `<dict>`, boolean entitlements are `<true/>`, and list-valued entitlements (app groups, keychain groups) are `<array>` of `<string>`.

### Basic App with Network Access

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
</dict>
</plist>
```

### Media App with Camera/Microphone

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.device.microphone</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.files.movies.read-write</key>
    <true/>
</dict>
</plist>
```

### Developer Tool with JIT

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>
```

`cs.allow-jit` only lets the process map pages with `MAP_JIT`; the code it writes there must still be generated by the app itself. `cs.disable-library-validation` is needed only if the tool loads third-party plug-ins signed by other Team IDs, and it should be dropped if that is not the case.

### App with Hardened Runtime (Direct Distribution)

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.automation.apple-events</key>
    <true/>
    <key>com.apple.security.device.audio-input</key>
    <true/>
</dict>
</plist>
```

Notarization requires the hardened runtime, and each `cs.*` key above opts out of one of its protections: `allow-unsigned-executable-memory` permits writable-and-executable pages that carry no signature, and `disable-library-validation` lets a dylib or plug-in signed by any Team ID (not only yours or Apple's) load into the process, which is the classic dylib-injection path. Keep only the keys the app has a documented need for, and prefer `allow-jit` with `MAP_JIT` over unsigned executable memory. Note that the hardened runtime uses `device.audio-input` for the microphone, whereas the App Sandbox uses `device.microphone`; a sandboxed, notarized app needs both.

### App Groups and Keychain

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>$(TeamIdentifierPrefix)com.mycompany.myapp</string>
    </array>
    <key>keychain-access-groups</key>
    <array>
        <string>$(AppIdentifierPrefix)com.mycompany.myapp</string>
    </array>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>
```

Xcode substitutes `$(TeamIdentifierPrefix)` and `$(AppIdentifierPrefix)` with your Team ID at build time; both groups are therefore scoped to code signed by your team.

## Common Entitlement Keys

Keys in the tables below are shown without their `com.apple.security.` prefix; the full key is, for example, `com.apple.security.network.client`.

### File System

| Key | Description |
|-----|-------------|
| `files.user-selected.read-only` | Read user-selected files |
| `files.user-selected.read-write` | Read/write user-selected files |
| `files.downloads.read-only` | Read Downloads folder |
| `files.downloads.read-write` | Read/write Downloads folder |
| `files.pictures.read-only` | Read Pictures folder |
| `files.pictures.read-write` | Read/write Pictures folder |
| `files.music.read-only` | Read Music folder |
| `files.music.read-write` | Read/write Music folder |
| `files.movies.read-only` | Read Movies folder |
| `files.movies.read-write` | Read/write Movies folder |

### Network

| Key | Description |
|-----|-------------|
| `network.client` | Outgoing connections |
| `network.server` | Incoming connections |

### Hardware

| Key | Description |
|-----|-------------|
| `device.camera` | Camera access |
| `device.microphone` | Microphone access (App Sandbox) |
| `device.audio-input` | Microphone access (hardened runtime) |
| `device.usb` | USB device access |
| `device.bluetooth` | Bluetooth access |
| `print` | Printing |

### Personal Information and Automation

| Key | Description |
|-----|-------------|
| `personal-information.addressbook` | Contacts access |
| `personal-information.calendars` | Calendar access |
| `personal-information.location` | Location access |
| `automation.apple-events` | Send Apple events to other apps |

### Hardened Runtime

| Key | Description |
|-----|-------------|
| `cs.allow-jit` | Allow JIT compilation (pages mapped with `MAP_JIT`) |
| `cs.allow-unsigned-executable-memory` | Allow unsigned writable-and-executable memory |
| `cs.disable-library-validation` | Load plug-ins or dylibs signed by other Team IDs |
| `cs.disable-executable-page-protection` | Disable code-signing protection of executable memory (extreme; avoid) |

## Privacy Keys (Info.plist)

Entitlements grant the capability; the user still has to consent through TCC. For the entitlements below, add the matching usage description to Info.plist, otherwise macOS (10.14 and later) terminates the app the first time it touches the resource:

```xml
<key>NSCameraUsageDescription</key>
<string>This app needs camera access for video calls.</string>
<key>NSMicrophoneUsageDescription</key>
<string>This app needs microphone access for audio recording.</string>
<key>NSAppleEventsUsageDescription</key>
<string>This app needs to control other applications for automation.</string>
<key>NSLocationUsageDescription</key>
<string>This app needs your location for local weather.</string>
```

## Best Practices

1. **Request minimum permissions**: Only what the app needs; every entitlement is a capability an attacker inherits on compromise of the process
2. **Use user-selected files**: Prefer over broad folder access
3. **Document entitlement usage**: Explain to Apple reviewers
4. **Test in sandbox**: Always test sandboxed behavior
5. **Separate dev/prod entitlements**: Different needs for each (for example, `cs.disable-library-validation` for debugging only)
6. **Check MAS restrictions**: Mac App Store submissions must enable App Sandbox, and some entitlements are prohibited
7. **Verify the signed product**: Inspect the entitlements actually embedded in the signed binary with `codesign -d --entitlements`, since a build setting or provisioning mismatch can silently change them

## Related Skills

- `macos-notarization-workflow` - Code signing and notarization
- `macos-codesign-workflow` - Code signing
- `security-hardening` - Security audit

## Related Agents

- `swiftui-macos-expert` - macOS development
- `desktop-security-auditor` - Security review
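## Worked Example

The following is an added example, not code shipped with this skill, that implements the generator the input and output schemas above describe: it maps `appFeatures` names to entitlement keys, prefixes app groups and keychain groups, emits the XML plist with `plistlib`, and collects the warnings a reviewer would want (sandbox disabled, Mac App Store without sandbox, hardened-runtime weakening keys, and the Info.plist privacy strings the chosen features require). The mapping of `file-read` and `file-write` to user-selected file access, the output file name `App.entitlements`, and the warning texts are assumptions of this example.

```python
"""Entitlements generator for the macos-entitlements-generator input schema (added example)."""
import plistlib
from pathlib import Path
from typing import Dict, List, Tuple

P = "com.apple.security."

# Feature name (input schema) -> entitlement key(s).
# Assumption: file-read / file-write mean user-selected file access.
FEATURE_KEYS: Dict[str, Tuple[str, ...]] = {
    "network-client": (P + "network.client",),
    "network-server": (P + "network.server",),
    "file-read": (P + "files.user-selected.read-only",),
    "file-write": (P + "files.user-selected.read-write",),
    "user-selected-files": (P + "files.user-selected.read-write",),
    "downloads-read": (P + "files.downloads.read-only",),
    "downloads-write": (P + "files.downloads.read-write",),
    "pictures-read": (P + "files.pictures.read-only",),
    "pictures-write": (P + "files.pictures.read-write",),
    "music-read": (P + "files.music.read-only",),
    "music-write": (P + "files.music.read-write",),
    "movies-read": (P + "files.movies.read-only",),
    "movies-write": (P + "files.movies.read-write",),
    "camera": (P + "device.camera",),
    # Sandbox key plus the hardened-runtime key, so one file serves notarized sandboxed builds.
    "microphone": (P + "device.microphone", P + "device.audio-input"),
    "usb": (P + "device.usb",),
    "bluetooth": (P + "device.bluetooth",),
    "print": (P + "print",),
    "calendar": (P + "personal-information.calendars",),
    "contacts": (P + "personal-information.addressbook",),
    "location": (P + "personal-information.location",),
    "apple-events": (P + "automation.apple-events",),
    "jit": (P + "cs.allow-jit",),
    "unsigned-memory": (P + "cs.allow-unsigned-executable-memory",),
}

# Features whose entitlement needs a usage-description string in Info.plist.
PRIVACY_KEYS = {
    "camera": "NSCameraUsageDescription",
    "microphone": "NSMicrophoneUsageDescription",
    "apple-events": "NSAppleEventsUsageDescription",
    "location": "NSLocationUsageDescription",
    "calendar": "NSCalendarsUsageDescription",
    "contacts": "NSContactsUsageDescription",
}

# Keys that opt out of a hardened-runtime protection; each widens the code-injection surface.
WEAKENING = {
    P + "cs.allow-unsigned-executable-memory": "allows writable+executable pages with no signature",
    P + "cs.disable-library-validation": "lets dylibs signed by any Team ID load into the process",
}


def build_entitlements(features, app_groups=(), keychain_groups=(),
                       disable_sandbox=False, is_mas_app=False):
    """Return (entitlements dict, warnings) for the schema inputs; raise on unknown features."""
    unknown = [f for f in features if f not in FEATURE_KEYS]
    if unknown:
        raise ValueError(f"unknown appFeatures: {unknown}")
    ent: Dict[str, object] = {}
    warnings: List[str] = []
    if disable_sandbox and is_mas_app:
        warnings.append("Mac App Store submissions must enable App Sandbox; disableSandbox ignored")
        disable_sandbox = False
    if disable_sandbox:
        warnings.append("App Sandbox disabled: the app runs with the full privileges of the user")
    else:
        ent[P + "app-sandbox"] = True
    for f in features:
        for key in FEATURE_KEYS[f]:
            ent[key] = True
    # Xcode substitutes these prefixes with the Team ID, scoping the groups to your own code.
    if app_groups:
        ent[P + "application-groups"] = [
            g if g.startswith("$(") else "$(TeamIdentifierPrefix)" + g for g in app_groups]
    if keychain_groups:
        ent["keychain-access-groups"] = [
            g if g.startswith("$(") else "$(AppIdentifierPrefix)" + g for g in keychain_groups]
    for key, why in WEAKENING.items():
        if ent.get(key):
            warnings.append(f"{key} weakens the hardened runtime: {why}")
    if ent.get(P + "cs.allow-unsigned-executable-memory") and not ent.get(P + "cs.allow-jit"):
        warnings.append("prefer cs.allow-jit with MAP_JIT over unsigned executable memory")
    return ent, warnings


def required_privacy_keys(features):
    """Info.plist keys that must accompany the chosen features, sorted for stable output."""
    return sorted({PRIVACY_KEYS[f] for f in features if f in PRIVACY_KEYS})


def to_plist_xml(ent):
    """Serialize the entitlements dict as an XML property list (bytes)."""
    return plistlib.dumps(ent, fmt=plistlib.FMT_XML, sort_keys=True)


def generate(project_path, features, **kw):
    """Write <project>/App.entitlements (file name assumed) and return the output-schema dict."""
    ent, warnings = build_entitlements(features, **kw)
    path = Path(project_path) / "App.entitlements"
    path.write_bytes(to_plist_xml(ent))
    privacy = required_privacy_keys(features)
    if privacy:
        warnings.append("add to Info.plist: " + ", ".join(privacy))
    return {"success": True,
            "files": [{"path": str(path), "type": "entitlements"}],
            "warnings": warnings}


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed throwaway project directory
        result = generate(tmp, ["network-client", "camera", "microphone", "jit"],
                          app_groups=["com.mycompany.myapp"])
        print(Path(result["files"][0]["path"]).read_text())
        for w in result["warnings"]:
            print("warning:", w)
```

The warnings are returned, not printed, so the caller can surface them in the `warnings` array of the output schema. Run the file directly to see the generated plist for a sandboxed camera/microphone app with JIT; after signing, compare it against `codesign -d --entitlements` output for the built product.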