Commit 2be9b2f

Remove allow-dyld-env entitlement; doc clarifications
1 parent f63f8bd commit 2be9b2f

4 files changed

+3
-5
lines changed

PolicyWitness.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -186,7 +186,7 @@ Ports (v1):
186186
- `dylib_load`: load a dylib and optionally call a symbol (uses `com.apple.security.cs.disable-library-validation`).
187187
- `debug_wait`: sleep before sandbox apply for debugger attach (uses `com.apple.security.get-task-allow`).
188188
- `execmem_probe`: attempt a JIT mapping (`MAP_JIT`, `PROT_READ|PROT_WRITE`) and report success/failure (requires `com.apple.security.cs.allow-jit`; falls back to legacy RWX if available).
189-
- `dyld_env`: report expected `DYLD_*` env vars (uses `com.apple.security.cs.allow-dyld-environment-variables`).
189+
- `dyld_env`: report expected `DYLD_*` env vars (observation only; for actual `DYLD_*` injection use an external runner installed with `--env DYLD_*`).
190190

191191
Convenience flag (injects instrumentation into the request JSON at runtime):
192192

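Review bot: `--env DYLD_*` on the new `dyld_env` line reads like a literal option value but is a pattern; README.md's version of the same bullet says `--env KEY=VALUE` and runner/README.md says launchd `EnvironmentVariables`, so the three docs now describe one mechanism three different ways. Suggest a single wording everywhere, for example `policy-witness runner install --env KEY=VALUE` (the full command the old README line used), plus one clause on why the port is observation-only: the hardened runtime ignores `DYLD_*` variables unless `com.apple.security.cs.allow-dyld-environment-variables` is granted, and that entitlement is removed from the runner in this commit, so the variables can only take effect in whatever the external runner launches with them.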
README.md

Lines changed: 1 addition & 1 deletion
@@ -31,7 +31,7 @@ PolicyWitness treats entitlements as a first-class input alongside SBPL. Registe
3131

3232
Instrumentation ports are part of the debuggable runner, allowing closer inspection.
3333

34-
- `dyld_env`: report expected `DYLD_*` env vars (`com.apple.security.cs.allow-dyld-environment-variables`); set via an external runner with `policy-witness runner install --env KEY=VALUE`.
34+
- `dyld_env`: report expected `DYLD_*` env vars (observation only); to set them, use an external runner installed with `--env KEY=VALUE`.
3535
- `dylib_load`: load a dylib and optionally call a symbol (`com.apple.security.cs.disable-library-validation`)
3636
- `debug_wait`: pause before sandbox apply for debugger attach (`com.apple.security.get-task-allow`)
3737
- `execmem_probe`: attempt JIT `mmap` (MAP_JIT, PROT_READ|PROT_WRITE) and report success/failure (`com.apple.security.cs.allow-jit`; falls back to legacy RWX if available)
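Review bot: the `dyld_env` bullet is now the only one of the four without a parenthesised entitlement, and the absent entitlement is the point of the commit; suggest saying so explicitly, e.g. "observation only; `com.apple.security.cs.allow-dyld-environment-variables` is not granted to the runner", so a reader comparing this list against Entitlements.plist is not left guessing. Also, the removed line named the full command `policy-witness runner install --env KEY=VALUE` while the new one says only "installed with `--env KEY=VALUE`"; keep the command name so the flag stays discoverable.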

runner/README.md

Lines changed: 1 addition & 1 deletion
@@ -95,7 +95,7 @@ Supported ports (v1):
9595
- `debug_wait`: sleep for `sleep_ms` before sandbox apply to allow debugger
9696
attach (uses `com.apple.security.get-task-allow`).
9797
- `execmem_probe`: attempt a JIT mapping (`MAP_JIT`, `PROT_READ|PROT_WRITE`) and report success/failure (uses
98-
`com.apple.security.cs.allow-unsigned-executable-memory`).
98+
`com.apple.security.cs.allow-jit`).
9999
- `dyld_env`: report whether expected `DYLD_*` env vars are present; the runner
100100
cannot set these at runtime, so use an external runner with launchd
101101
`EnvironmentVariables`.
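Review bot: swapping `allow-unsigned-executable-memory` for `allow-jit` matches the `<key>com.apple.security.cs.allow-jit</key>` entry visible in Entitlements.plist, but this bullet drops the "falls back to legacy RWX if available" clause that PolicyWitness.md and README.md keep for the same port. Since `allow-jit` only covers `MAP_JIT` mappings and a plain RWX mapping under the hardened runtime is what `com.apple.security.cs.allow-unsigned-executable-memory` governs, suggest either restoring the fallback clause together with the entitlement it depends on, or stating that the fallback is expected to fail on a runner without that entitlement, so a "success" from the probe is interpretable.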

runner/services/PWRunner/Entitlements.plist

Lines changed: 0 additions & 2 deletions
@@ -3,8 +3,6 @@
33
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
44
<plist version="1.0">
55
<dict>
6-
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
7-
<true/>
86
<key>com.apple.security.cs.allow-jit</key>
97
<true/>
108
<key>com.apple.security.cs.disable-library-validation</key>
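Review bot: good removal; with `com.apple.security.cs.allow-dyld-environment-variables` present, dyld honours `DYLD_*` variables for the hardened-runtime runner, and combined with `com.apple.security.cs.disable-library-validation` (still granted two lines below) that lets the runner's own environment decide which code gets loaded into it. Two follow-ups: the three doc hunks in this commit should state that the entitlement is gone rather than only "observation only", and the signing step that produces the shipped runner should check that the embedded entitlements match this file, e.g. `codesign -d --entitlements - <path to PWRunner>` after signing, since a signing configuration that is not regenerated from this plist can quietly keep the entitlement.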
