---
name: macos-entitlements-generator
description: Generate entitlements.plist files with the appropriate sandbox capabilities for macOS applications
allowed-tools: Read, Write, Edit, Bash, Glob, Grep
tags: [macos, entitlements, sandbox, security, apple]
---
# macos-entitlements-generator

Generates entitlements.plist files with the appropriate sandbox capabilities for macOS applications. This skill configures App Sandbox, the Hardened Runtime, and the specific entitlements that an application's features require.
## Capabilities

- Generate entitlements.plist configurations
- Configure App Sandbox entitlements
- Set Hardened Runtime entitlements
- Configure file access entitlements
- Enable network access
- Configure hardware access (camera, microphone)
- Set up inter-application communication
- Generate separate development and distribution entitlements
## Input Schema

```json
{
  "type": "object",
  "properties": {
    "projectPath": {
      "type": "string",
      "description": "Path to the Xcode project"
    },
    "appFeatures": {
      "type": "array",
      "items": {
        "enum": [
          "network-client", "network-server",
          "file-read", "file-write",
          "downloads-read", "downloads-write",
          "pictures-read", "pictures-write",
          "music-read", "music-write",
          "movies-read", "movies-write",
          "user-selected-files",
          "camera", "microphone",
          "usb", "bluetooth",
          "print", "calendar", "contacts",
          "location", "apple-events",
          "jit", "unsigned-memory"
        ]
      }
    },
    "appGroups": {
      "type": "array",
      "items": { "type": "string" },
      "description": "App Group identifiers"
    },
    "keychainGroups": {
      "type": "array",
      "items": { "type": "string" },
      "description": "Keychain access groups"
    },
    "disableSandbox": {
      "type": "boolean",
      "default": false,
      "description": "Disable App Sandbox (not recommended)"
    },
    "isMASApp": {
      "type": "boolean",
      "default": false,
      "description": "Targets the Mac App Store"
    }
  },
  "required": ["projectPath", "appFeatures"]
}
```
## Output Schema

```json
{
  "type": "object",
  "properties": {
    "success": { "type": "boolean" },
    "files": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "path": { "type": "string" },
          "type": { "enum": ["entitlements", "info-plist-additions"] }
        }
      }
    },
    "warnings": {
      "type": "array",
      "items": { "type": "string" }
    }
  },
  "required": ["success"]
}
```
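As an added example (not the skill's own implementation), the Python below turns the input schema into the entitlements dictionary and the `warnings` list of the output schema, then serialises it with `plistlib`. The feature-to-key mapping follows the key tables and plist examples on this page; the `personal-information.*` keys used for `calendar`, `contacts` and `location` are Apple's App Sandbox entitlement names and are an assumption here, and `file-read`/`file-write` are deliberately left unmapped so the generator warns instead of granting a broad path exception. Function and constant names are hypothetical.

```python
"""Hypothetical entitlements generator (example code, not the skill's own)."""
import plistlib

PREFIX = "com.apple.security."

# appFeatures value -> entitlement key(s). Taken from this page's key tables;
# the personal-information.* rows are assumptions based on Apple's key names.
FEATURE_KEYS = {
    "network-client": [PREFIX + "network.client"],
    "network-server": [PREFIX + "network.server"],
    "user-selected-files": [PREFIX + "files.user-selected.read-write"],
    "downloads-read": [PREFIX + "files.downloads.read-only"],
    "downloads-write": [PREFIX + "files.downloads.read-write"],
    "pictures-read": [PREFIX + "files.pictures.read-only"],
    "pictures-write": [PREFIX + "files.pictures.read-write"],
    "music-read": [PREFIX + "files.music.read-only"],
    "music-write": [PREFIX + "files.music.read-write"],
    "movies-read": [PREFIX + "files.movies.read-only"],
    "movies-write": [PREFIX + "files.movies.read-write"],
    "camera": [PREFIX + "device.camera"],
    "microphone": [PREFIX + "device.microphone"],
    "usb": [PREFIX + "device.usb"],
    "bluetooth": [PREFIX + "device.bluetooth"],
    "print": [PREFIX + "print"],
    "apple-events": [PREFIX + "automation.apple-events"],
    "calendar": [PREFIX + "personal-information.calendars"],
    "contacts": [PREFIX + "personal-information.addressbook"],
    "location": [PREFIX + "personal-information.location"],
    "jit": [PREFIX + "cs.allow-jit"],
    "unsigned-memory": [PREFIX + "cs.allow-unsigned-executable-memory"],
    # "file-read" / "file-write" intentionally absent: no sandbox-safe key,
    # so the caller gets a warning and is steered to user-selected files.
}


def generate_entitlements(app_features, app_groups=(), keychain_groups=(),
                          disable_sandbox=False, is_mas_app=False):
    """Return (entitlements_dict, warnings) for the given schema inputs."""
    ents = {}
    warnings = []

    if disable_sandbox:
        warnings.append("disableSandbox: App Sandbox is off (not recommended)")
        if is_mas_app:
            warnings.append("Mac App Store apps must enable App Sandbox")
    else:
        ents[PREFIX + "app-sandbox"] = True

    for feature in app_features:
        keys = FEATURE_KEYS.get(feature)
        if keys is None:
            warnings.append(f"no entitlement mapping for feature '{feature}'; "
                            "prefer user-selected-files")
            continue
        for key in keys:
            ents[key] = True

    # Least privilege tidy-up: a read-only key is redundant when the
    # read-write key for the same location is already granted.
    for key in list(ents):
        if key.endswith(".read-only"):
            if key[: -len(".read-only")] + ".read-write" in ents:
                del ents[key]

    # The page notes that JIT is not allowed for Mac App Store apps.
    if is_mas_app and PREFIX + "cs.allow-jit" in ents:
        warnings.append("JIT entitlement is not allowed for Mac App Store apps")

    if app_groups:
        ents[PREFIX + "application-groups"] = list(app_groups)
    if keychain_groups:
        ents["keychain-access-groups"] = list(keychain_groups)
    return ents, warnings


def to_plist_xml(entitlements):
    """Serialise the dictionary as an XML property list string."""
    return plistlib.dumps(entitlements, sort_keys=True).decode()


def parse_entitlements(xml_text):
    """Round-trip helper: parse an XML plist string back into a dict."""
    return plistlib.loads(xml_text.encode())


if __name__ == "__main__":
    ents, warns = generate_entitlements(
        ["network-client", "camera", "pictures-read", "pictures-write", "jit"],
        app_groups=["$(TeamIdentifierPrefix)com.mycompany.myapp"],
        is_mas_app=True,
    )
    print(to_plist_xml(ents))
    print("\n".join(warns))
```

Running the block prints a sandboxed entitlements plist with camera, outgoing network, read-write Pictures access and the App Group, plus one warning that the JIT entitlement is not allowed for the Mac App Store.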
## Entitlements.plist Examples

### Basic application with network access

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- App Sandbox -->
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <!-- Network access -->
    <key>com.apple.security.network.client</key>
    <true/>
    <!-- User-selected files (via the Open/Save panels) -->
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
</dict>
</plist>
```
### Media application with camera/microphone

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <!-- Camera access -->
    <key>com.apple.security.device.camera</key>
    <true/>
    <!-- Microphone access -->
    <key>com.apple.security.device.microphone</key>
    <true/>
    <!-- Network for streaming -->
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <!-- Saving recordings -->
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.files.movies.read-write</key>
    <true/>
</dict>
</plist>
```
### Developer tool with JIT

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <!-- JIT compilation (not allowed in the Mac App Store) -->
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <!-- Disable library validation for plugins -->
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <!-- File access -->
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>
```
### Application with Hardened Runtime (direct distribution)

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Hardened Runtime (required for notarization) -->
    <key>com.apple.security.cs.allow-jit</key>
    <false/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <false/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <false/>
    <!-- Application-specific requirements -->
    <key>com.apple.security.automation.apple-events</key>
    <true/>
    <key>com.apple.security.device.audio-input</key>
    <true/>
</dict>
</plist>
```
### App Groups and Keychain

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <!-- App Group for sharing data with extensions -->
    <key>com.apple.security.application-groups</key>
    <array>
        <string>$(TeamIdentifierPrefix)com.mycompany.myapp</string>
    </array>
    <!-- Keychain access groups -->
    <key>keychain-access-groups</key>
    <array>
        <string>$(AppIdentifierPrefix)com.mycompany.myapp</string>
    </array>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>
```
## Common Entitlement Keys

Keys are listed without their `com.apple.security.` prefix; the full key is used in the plist examples above.

### File system

| Key | Description |
|-----|-------------|
| files.user-selected.read-only | Read files the user selected |
| files.user-selected.read-write | Read and write files the user selected |
| files.downloads.read-only | Read the Downloads folder |
| files.downloads.read-write | Read and write the Downloads folder |
| files.pictures.read-only | Read the Pictures folder |
| files.music.read-only | Read the Music folder |
| files.movies.read-only | Read the Movies folder |

### Network

| Key | Description |
|-----|-------------|
| network.client | Outgoing connections |
| network.server | Incoming connections |

### Hardware

| Key | Description |
|-----|-------------|
| device.camera | Camera access |
| device.microphone | Microphone access |
| device.usb | USB device access |
| device.bluetooth | Bluetooth access |
| print | Printing |

### Hardened Runtime

| Key | Description |
|-----|-------------|
| cs.allow-jit | Allow JIT compilation |
| cs.allow-unsigned-executable-memory | Allow unsigned executable memory |
| cs.disable-library-validation | Load arbitrary plugins |
| cs.disable-executable-page-protection | Disable W^X |
## Privacy Keys (Info.plist)

When certain entitlements are used, add the corresponding privacy usage descriptions:

```xml
<!-- Info.plist additions -->
<key>NSCameraUsageDescription</key>
<string>This app needs camera access for video calls.</string>
<key>NSMicrophoneUsageDescription</key>
<string>This app needs microphone access for audio recording.</string>
<key>NSAppleEventsUsageDescription</key>
<string>This app needs to control other applications for automation.</string>
<key>NSLocationUsageDescription</key>
<string>This app needs your location to provide local weather.</string>
```
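An added example (not the skill's own code) of the check a reviewer would run before signing: parse a generated entitlements.plist and the Info.plist, report every entitlement from the privacy section above that lacks its usage-description string, and list any Hardened Runtime exceptions from the key table that are switched on. The `device.audio-input` and `personal-information.location` rows in the mapping are assumptions based on Apple's entitlement names; the sample plists are constructed for the example, and `audit` is a hypothetical function name.

```python
"""Hypothetical entitlements/Info.plist consistency audit (example code)."""
import plistlib

# Entitlement -> Info.plist usage-description key. Camera, microphone,
# Apple Events and location come from this page's privacy section; the
# audio-input and personal-information.location rows are assumptions.
USAGE_KEYS = {
    "com.apple.security.device.camera": "NSCameraUsageDescription",
    "com.apple.security.device.microphone": "NSMicrophoneUsageDescription",
    "com.apple.security.device.audio-input": "NSMicrophoneUsageDescription",
    "com.apple.security.automation.apple-events": "NSAppleEventsUsageDescription",
    "com.apple.security.personal-information.location": "NSLocationUsageDescription",
}

# Hardened Runtime exceptions from the key table; each weakens code-integrity
# protections and should be justified per the best practices section.
RISKY_EXCEPTIONS = {
    "com.apple.security.cs.allow-jit": "allows JIT compilation",
    "com.apple.security.cs.allow-unsigned-executable-memory": "allows unsigned executable memory",
    "com.apple.security.cs.disable-library-validation": "loads unvalidated plugins",
    "com.apple.security.cs.disable-executable-page-protection": "disables W^X",
}


def audit(entitlements_xml, info_plist_xml):
    """Cross-check an entitlements plist against its Info.plist.

    Both arguments are XML plist bytes. Returns a dict with the sandbox
    state, missing usage-description keys, and enabled risky exceptions.
    """
    ents = plistlib.loads(entitlements_xml)
    info = plistlib.loads(info_plist_xml)
    report = {
        "sandbox_enabled": bool(ents.get("com.apple.security.app-sandbox")),
        "missing_usage_descriptions": [],
        "risky_exceptions": [],
    }
    for ent_key, usage_key in USAGE_KEYS.items():
        # An empty string is as bad as a missing key: the prompt would be blank.
        if ents.get(ent_key) and not str(info.get(usage_key, "")).strip():
            if usage_key not in report["missing_usage_descriptions"]:
                report["missing_usage_descriptions"].append(usage_key)
    for ent_key, why in RISKY_EXCEPTIONS.items():
        if ents.get(ent_key):
            report["risky_exceptions"].append(f"{ent_key}: {why}")
    return report


# Constructed sample: sandboxed app with camera, microphone and JIT, whose
# Info.plist only declares the camera usage description.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.device.camera</key><true/>
    <key>com.apple.security.device.microphone</key><true/>
    <key>com.apple.security.cs.allow-jit</key><true/>
    <key>com.apple.security.network.client</key><true/>
</dict>
</plist>
"""

SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key><string>com.mycompany.myapp</string>
    <key>NSCameraUsageDescription</key>
    <string>This app needs camera access for video calls.</string>
</dict>
</plist>
"""

if __name__ == "__main__":
    result = audit(SAMPLE_ENTITLEMENTS, SAMPLE_INFO_PLIST)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed sample the audit reports that the sandbox is enabled, that `NSMicrophoneUsageDescription` is missing, and that `com.apple.security.cs.allow-jit` is enabled; the same function can be pointed at the real `.entitlements` and `Info.plist` files of a project by reading them as bytes.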
## Best Practices

- Request the minimum entitlements: only what the application needs
- Use user-selected files: prefer them over broad folder access
- Document entitlement usage: explain it to Apple's reviewers
- Test in the sandbox: always test sandboxed behaviour
- Separate development and production entitlements: each has different requirements
- Check Mac App Store restrictions: some entitlements are prohibited
## Related Skills

- macos-notarization-workflow - Code signing and notarization
- macos-codesign-workflow - Code signing
- security-hardening process - Security audit

## Related Agents

- swiftui-macos-expert - macOS development
- desktop-security-auditor - Security review