From 5d779a24cceb894fb21fcb462cef7070d023e48d Mon Sep 17 00:00:00 2001 From: Alex Pyrgiotis Date: Wed, 6 Dec 2023 16:01:04 +0200 Subject: [PATCH] macos: Update our macOS entitlements Our entitlements were last updated when Dangerzone was considering using HyperKit to spawn VMs (9158d02, on 2021-06-30). Now that we use Docker Desktop, we can make them stricter. Fixes #638 --- CHANGELOG.md | 4 ++++ install/macos/entitlements.plist | 10 +++------- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c132d89f2..03381e687 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -128,6 +128,10 @@ since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.or officially communicated on the advisory date and is only included here since this is the first release since it was announced. +### Changed + +- Make our macOS entitlements stricter, by enabling App Sandbox ([issue #638](https://github.com/freedomofpress/dangerzone/issues/638)) + ## Dangerzone 0.5.0 ### Added diff --git a/install/macos/entitlements.plist b/install/macos/entitlements.plist index 03da557f5..6be6c92ea 100644 --- a/install/macos/entitlements.plist +++ b/install/macos/entitlements.plist @@ -2,8 +2,8 @@ - + com.apple.security.app-sandbox + com.apple.security.inherit com.apple.security.files.user-selected.read-write @@ -12,9 +12,5 @@ com.apple.security.network.server - com.apple.security.hypervisor - - com.apple.security.cs.allow-unsigned-executable-memory - - \ No newline at end of file +
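Review bot: The new entry under `### Changed` in CHANGELOG.md names only the App Sandbox change, and leaves out that the same commit removes `com.apple.security.hypervisor` and `com.apple.security.cs.allow-unsigned-executable-memory`. Someone auditing the macOS build from the changelog would want to see those two removals, so consider extending the entry, for example: "by enabling App Sandbox and dropping the hypervisor and unsigned-executable-memory entitlements".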
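Review bot: Combining `com.apple.security.inherit` with the retained `com.apple.security.files.user-selected.read-write` and `com.apple.security.network.server` in install/macos/entitlements.plist looks questionable. Apple documents `inherit` as the entitlement for a child process that takes on its parent's sandbox, to be paired with `com.apple.security.app-sandbox` and no other App Sandbox entitlement. Please state which binaries are signed with this file, and if it covers both the app and its helpers, split it into one plist for the app (without `inherit`) and one for the helpers (only `app-sandbox` and `inherit`). Since the commit message ties the old set to HyperKit, it is also worth confirming that `network.server` is still needed with Docker Desktop, and noting in the commit message how the sandboxed build was tested against Docker Desktop.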