To enrich the future with more information, the above mentioned solution idea: You may be able to make some headway using a NE transparent proxy system extension and then looking at each flow’s metadata did manifest in the Open-Source Implementation of Private Internet Access for macOS. If you follow that code line's implementation, ultimately it ends up using the sourceAppSigningIdentifier property of the metadata to route or block or ignore the flow.

I have re-generated my Provisioning Profiles after your message @kthchew - just to make sure I got the updates on the website side - but on Tahoe 26.0 this is still not working. Apps with the PP do not start as before, manually trying to install the Provisioning Profile says the "Provisioning profile does not allow this device" on the VM. I can't speak for Tahoe 26.1 beta myself, but this is definitely not fixed.

Thanks Quinn, that's very good to hear. What about the notarization part? Are my expectations to notarize a closed-source 3rd party xcframework irrealistic? I think if it were notarized, it wouldn't remain quarantined, because GateKeeper would check its notarization ticket, see it's valid and would remove it automatically from quarantine. "Trusting" a 3rd-party developer is ultimately trusting their security practices as well - which I would prefer to never do, irrespective of how much I trust the individuals, as that sets me up for external risk exposure, one I wouldn't be able to fix before it hits my machine given that I don't see the framework source code. E.g. me running the code on my machine happens earlier than my final product notarized or checked by Apple, depending on Developer ID or App Store Distribution - so I would get infected before I would realize what's going on, given that it's closed source.

Thank you for your answer! When Process runs the executable, the kernel opens the file, runs the requirement check against the file, and then launches the file. This is completely new to me, I admit, I was unaware of these being separate operations. Now I looked into this more, and I see there are separate functions on Darwin-level for opening a file open() and launching a file exec..(). [I guess?] However I'm not seeing a function for launching an opened file (as you said above) in Darwin - my Internet search results do bring up fexecve but that appears to be unsupported in Darwin. Am I poking at the right place or should I just stop going further? I'm interested in this topic because I wonder if I can implement Process/launchRequirement in some secure way before macOS 14.4.

I really recommend going back to reading my original post. I asked a yes or no question, does Apple's clipboard history in Tahoe support the NSPasteboard.org protocols, because my code seems to be confirming that. (Not to mention their own Passwords app's items don't show up on the clipboard either.) You are adding your own agenda about security and bugs. I've never implied either of those things, and was not talking about them either.

But there's definitely no kind of data security going on or anything. You put something on the pasteboard, it's there for all apps to see. I've never said this wasn't the case. I said it doesn't show up in macOS Tahoe's clipboard history, just like it doesn't show up in the clipboard history of 3rd-party apps supporting NSPasteboard.org's protocols.

I'm having a similar problem, however it only happens when my screen is being shared or recorded in any way.

Those are really good questions Quinn! I believe this issue not to be Security Theatre because of the following: I am using SMJobSubmit to deploy a helper tool into the user or the system domain for a one-time use, as needed. The executable is planned to be distributed inside the main app bundle because of this. I am unable to copy it to a protected location without SMJobSubmit anyways - if my memory serves me right, as that is again a privileged operation. I think this setup allows for a very easy way to replace the executable, allowing execution of arbitrary code as root. (Someone downloads the app, it's in the ~/Downloads folder and then that's not a protected location. Only App Bundle Protection would prevent someone from doing this, but regardless, replacing the executable this way is not a privileged operation still.) Specifically, the attack I'm trying to protect the app against is running the app, getting the SMJobSubmit popup, and then accidentally allowing a replaced executable to run with elevated privileges. I understand based on the first point you provided (TOC/TOU) that my check might be timed wrong - and somewhat impossible to time right. To be honest, my trust in spawn constraints has shaken too now - its implementation is private, so I don't even know if that times the checks right. Do you have any insight on that? And also, if you don't think this defense idea makes sense is there then some other way to protect against the issue? The only alternative I can think of is SMJobBless, because that has requirements to embed a code requirement in the app and the helper tool (probably for this exact reason) both. However I don't need ongoing privileges, and the daemon then have to clean up itself seemed like unnecessary hassle.

I made it work by switching from using the Security Foundation framework to Authorization Services Framework: private func obtainSystemDaemonModificationRights_authServices() -> AuthorizationRef! { var authRef: AuthorizationRef? let createStatus = AuthorizationCreate(nil, nil, [], &authRef) guard createStatus == errAuthorizationSuccess, authRef != nil else { Logger.app.error("Failed to create authorization object! [\(createStatus)]") fatalError() } kSMRightModifySystemDaemons.withCString { rightCStringPtr in var rightItem = AuthorizationItem(name: rightCStringPtr, valueLength: 0, value: nil, flags: 0) withUnsafeMutablePointer(to: &rightItem) { rightItemPtr in var rights = AuthorizationRights(count: 1, items: rightItemPtr) var flags: AuthorizationFlags = [.extendRights, .interactionAllowed] var environment = AuthorizationEnvironment(count: 0, items: nil) let copyStatus = AuthorizationCopyRights(authRef!, &rights, &environment, flags, nil) guard copyStatus == errAuthorizationSuccess else { Logger.app.error("Failed to copy authorization right! [\(copyStatus)]") fatalError() } } } return authRef! } I don't know upfront what the difference is, but I'm probably making a programming error while using SFAuthorization. Furthermore, swapping only the most necessary code parts to SFAuthorization version doesn't work either, and this change immediately makes the above function fail with error code 2 again: withUnsafeMutablePointer(to: &rightItem) { rightItemPtr in var rights = AuthorizationRights(count: 1, items: rightItemPtr) var flags: AuthorizationFlags = [.extendRights, .interactionAllowed] var environment = AuthorizationEnvironment(count: 0, items: nil) // let copyStatus = AuthorizationCopyRights(authRef!, // &rights, // &environment, // flags, // nil) // guard copyStatus == errAuthorizationSuccess else { // Logger.app.error("Failed to copy authorization right! [\(copyStatus)]") // fatalError() // } let authorization = SFAuthorization() try! authorization!.obtain(withRights: &rights, flags: flags, environment: &environment, authorizedRights: nil) authRef = authorization!.authorizationRef() } As some (maybe coincidental) info, I noticed that SMJobSubmit was deprecated in macOS 10.10, and SFAuthorization.obtain was introduced in that same version.

I have created a very minimal reproducer app, using Xcode 16.2. Created a SwiftUI macOS app from the Xcode template. Removed the App Sandbox entitlement. Modified ContentView.swift to contain this code: import SwiftUI import ServiceManagement import SecurityFoundation import os extension Logger { static let app = Logger(subsystem: "smplayground", category: "any") } struct ContentView: View { var body: some View { VStack { Button(action: { self.submitJob() }) { Text("Submit Job") } } .padding() } func submitJob() { let plist = [ "Label": "com.example.exampled", "ProgramArguments": ["echo", "hahaha"] ] as [String: Any] let authRef = obtainSystemDaemonModificationRights() var submissionError: Unmanaged<CFError>? let submissionResult = SMJobSubmit(kSMDomainSystemLaunchd, plist as CFDictionary, authRef, &submissionError) if submissionResult { Logger.app.info("System successfully submitted the job.") } else { if let error = submissionError?.takeRetainedValue() { Logger.app.error("Failed to submit job! [\(error, privacy: .public)]") } } } private func obtainSystemDaemonModificationRights() -> AuthorizationRef! { let authorization = SFAuthorization() var authRef: AuthorizationRef? do { try authorization?.obtain(withRight: kSMRightModifySystemDaemons, flags: [.extendRights, .interactionAllowed]) authRef = authorization?.authorizationRef() } catch let error { Logger.app.error("Failed to obtain necessary right to submit job! [\(error, privacy: .public)]") fatalError() } return authRef! } } The error is the exact same, and I'm using a built-in application, echo. When swapping the submitJob() function to this implementation (so not obtaining admin rights and submitting in user domain): func submitJob() { let plist = [ "Label": "com.example.exampled", "ProgramArguments": ["echo", "hahaha"] ] as [String: Any] var submissionError: Unmanaged<CFError>? let submissionResult = SMJobSubmit(kSMDomainUserLaunchd, plist as CFDictionary, nil, &submissionError) if submissionResult { Logger.app.info("System successfully submitted the job.") } else { if let error = submissionError?.takeRetainedValue() { Logger.app.error("Failed to submit job! [\(error, privacy: .public)]") } } } the submission is successful. Let me know if I should open a DTS incident, I am happy to, however I do want to have the solution publicly documented, so I am posting my progress here.

Here are the logs with the profile installed, it indeed revealed a single extra line related to Service Management before both my SMJobRemove and SMJobSubmit calls: authd default com.apple.Authorization 2024-12-20 00:40:35.015306 -0800 authd Succeeded authorizing right 'com.apple.ServiceManagement.daemons.modify' by client ‘redacted/path/tp/RedactedAppName.app' [874] for authorization created by ‘redacted/path/to/RedactedAppName.app' [874] (3,0) (engine 31) error com.apple.os_debug_log 2024-12-20 00:40:35.018568 -0800 RedactedAppName assertion failed: 23G93: ServiceManagement + 24216 [A64F7B28-7DFF-3137-A74B-BEB900AE33A2]: 0xffffffffffff159e app error com.redacted.redactedAppName 2024-12-20 00:40:35.018699 -0800 RedactedAppName Failed to remove job! [Error Domain=CFErrorDomainLaunchd Code=2 "(null)"] app debug com.redacted.redactedAppName 2024-12-20 00:40:35.018888 -0800 RedactedAppName Job's property list is [["ProgramArguments": <__NSArrayI 0x6000002a5880>( /redacted/path/to/RedactedAppName.app/Contents/MacOS/redactedDaemonName, —redactedFlagPassedToExecutable ) , "KeepAlive": 0, "Label": com.redacted.redactedAppName.redactedDaemonName, "RunAtLoad": 1]]. app default com.redacted.redactedAppName 2024-12-20 00:40:35.018913 -0800 RedactedAppName Will not re-request authorization right, already got it. error com.apple.os_debug_log 2024-12-20 00:40:35.019021 -0800 RedactedAppName assertion failed: 23G93: ServiceManagement + 24216 [A64F7B28-7DFF-3137-A74B-BEB900AE33A2]: 0xffffffffffff159e app error com.redacted.redactedAppName 2024-12-20 00:40:35.019047 -0800 RedactedAppName Failed to submit job! [Error Domain=CFErrorDomainLaunchd Code=2 "(null)"] logging info com.apple.libspindump 2024-12-20 00:40:35.019144 -0800 RedactedAppName Reporting HID response delay 4657124658-4743569411 connection default com.apple.xpc 2024-12-20 00:40:35.019155 -0800 RedactedAppName [0x600003dc1c20] activating connection: mach=true listener=false peer=false name=com.apple.spindump logging info com.apple.spindump 2024-12-20 00:40:35.019840 -0800 spindump RedactedAppName [874]: slow hid response: start, <private> 4657124658-4743569411: 3.6s (threshold 0.5s) logging default com.apple.spindump 2024-12-20 00:40:35.021972 -0800 spindump RedactedAppName [874]: slow hid response: not sampling due to conditions 0x8002 logging info com.apple.spindump 2024-12-20 00:40:35.025126 -0800 spindump RedactedAppName [874]: spin stop logging info com.apple.spindump 2024-12-20 00:40:35.025181 -0800 spindump RedactedAppName [874]: Didn't receive spin start notification when we want to see spins, turning spin notifications on cas info com.apple.launchservices 2024-12-20 00:40:35.026494 -0800 launchservicesd Moving App:"RedactedAppName" asn:0x0-41041 pid:874 refs=9 @ 0x12c7605d0 to front of visible list. cas info com.apple.launchservices 2024-12-20 00:40:35.026702 -0800 launchservicesd SetFrontReservationExists(), newValue=NO, app=App:"RedactedAppName" asn:0x0-41041 pid:874 refs=9 @ 0x12c7605d0 ( was YES) particularly these two lines: assertion failed: 23G93: ServiceManagement + 24216 [A64F7B28-7DFF-3137-A74B-BEB900AE33A2]: 0xffffffffffff159e and assertion failed: 23G93: ServiceManagement + 24216 [A64F7B28-7DFF-3137-A74B-BEB900AE33A2]: 0xffffffffffff159e seem to be interesting, however they provide no immediate extra information to me (other than 23G93 is the macOS version I'm running, 14.6.1). I'm hoping it might make more sense to you.

Thank you Kevin for your detailed answer, however there are a few points I don't fully understand so I would appreciate some more clarity around them. Stop using SMJobSubmit. That API was deprecated in 10.10 (seven years ago) and I believe we'd been recommending against it for several years. To my knowledge SMJobSubmit is the only way other than AuthorizationExecuteWithPrivileges (an even older API) that allows one to get one-time throwaway root permissions to run a single executable. I'm saying this based on your colleague's answer here, and his very extensive and educational post here. Your recommended replacement, SMAppService, is vastly different from SMJobSubmit: It's not possible to gain one-time privileges, other than a very awkward solution of registering a daemon and having the daemon clean up itself in some way. Registering a daemon is a very unfriendly user experience: the user sees an extremely small notification in the top right corner (if they even see it), where they must hover to even reveal the in-notification button to approve the daemon or have to directly go to system settings and approve the daemon. I trust we can agree how much better of an API SMJobSubmit is from user experience sense. Sadly, the first point above is also true for SMJobBless - it's a long shot for such a simple thing as running an executable once. Not to mention, to this day, this is the documentation header for SMJobSubmit, copied from the macOS 15.2 SDK: @discussion This routine is deprecated and will be removed in a future release. A replacement will be provided by libxpc. Said replacement hasn't been provided yet to my knowledge, I checked the XPC framework's functions and objects. I hope you understand my reasons behind having SMJobSubmit as the ideal and easiest solution here. About SMJobSubmit is "hard coding" the executable path, which means the user renaming your app (or any other manipulation) will both break your job and create an "opening" which could allow an attacker to "insert" their executable in place of your job. I'm aware this can be a problem, but after all, SMJobSubmit is a launchd interface (its job CFDictionary is a launchd.plist AFAIK), and for launchd.plist-s Spawn Constraints have been introduced in macOS 14.0. My idea has been to include a Spawn Constraints key in the job plist according to Apple Documentation however I haven't gotten that far yet. Also, it doesn't really matter whether the user renames the app I'm creating, since the executable to submit is inside the app bundle and I'm submitting a path computed by Bundle.path and co. I don't think it's possible for that to break, unless the user tampers with the bundle itself, which is protected in macOS by default with the App Management privacy feature, as far as I understood its purposes based on this WWDC video. When I attempt to modify another app's bundle from Terminal for example, I get operation not permitted, unless Terminal was given App Management rights. These above put confidence in me that SMJobSubmit can be used in a secure way. I wouldn't have started this project with SMJobSubmit if I hadn't been convinced that it's compatible with the security hardening interfaces macOS provides by its latest SDKs (environment/launch/spawn constraints, XPC connection validation, etc.) I'll now go ahead and try your suggested debugging methods, thanks for the Profile especially, I wasn't aware this profile existed.

Thank you, Quinn. SMJobSubmit, even if deprecated, seems to be a routine aimed at this exact solution. Also, Sparkle's solution as hinted by you also provides some nice ideas on how to get a more trustable authorization experience: https://github.com/sparkle-project/Sparkle/blob/2.x/InstallerLauncher/SUInstallerLauncher.m#L158. Plus, even obtaining the right in it's most basic form (security authorize -u com.apple.ServiceManagement.daemons.modify) presents a more specialized dialog, "is trying to add a new helper tool" rather than "wants to make changes".

I'm also seeing sandboxed daemons behaving weirdly. When calling do { try SMAppService.daemon(plistName: "com.example.daemon").register() } catch let error { [...] } the dialog in the right top corner saying Background Items Added and "Example App" added items that can run in the background for all users Do you want to allow this? appears. Despite that, the register() method throws the SMAppServiceDomain Code=1 error, which is operation not permitted. Right after in the catch block, querying the .status of the daemon, I receive a value of 2, which corresponds to .requiresApproval. I think this is a bug here, as the daemon's registration is successful, but the method still throws.