1 files changed, 43 insertions, 0 deletions

diff --git a/desktop/package/Entitlements.plist b/desktop/package/Entitlements.plist
new file mode 100644
index 00000000..8c5c4268
--- /dev/null
+++ b/desktop/package/Entitlements.plist
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<!-- Disable app sandbox :( -->
+	<key>com.apple.security.app-sandbox</key>
+	<false/>
+
+	<!-- Required for running PyInstaller python code with hardened runtime -->
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+
+	<!-- Both OnionShare and Tor need network server and client -->
+	<key>com.apple.security.network.server</key>
+	<true/>
+	<key>com.apple.security.network.client</key>
+	<true/>
+
+	<!-- In share mode, users need to be able to select files, and in receive mode,
+       users need to be able to choose a folder to save files to -->
+	<key>com.apple.security.files.user-selected.read-write</key>
+	<true/>
+
+	<!-- Flask needs to read this mime.types file when starting an HTTP server -->
+	<key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
+	<array>
+		<string>/private/etc/apache2/mime.types</string>
+	</array>
+
+	<!-- For OnionShare to be able to connect to Tor Browser's tor control port,
+	     it needs to read it's control_auth_cookie file -->
+	<key>com.apple.security.temporary-exception.files.home-relative-path.read-only</key>
+	<array>
+		<string>/Library/Application Support/TorBrowser-Data/Tor/control_auth_cookie</string>
+	</array>
+
+	<!-- In receive mode, OnionShare needs to be able to write to ~/OnionShare -->
+	<key>com.apple.security.temporary-exception.files.home-relative-path.read-write</key>
+	<array>
+		<string>/OnionShare/</string>
+	</array>
+</dict>
+</plist>