Bug 1562756 Comment 16 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

I've done some testing with using separate entitlements for the parent process and plugin-container process. Setting com.apple.security.cs.allow-dyld-environment-variables=false for the parent process works as expected and DYLD_INSERT_LIBRARIES can not be used to inject a dylib. This only works if com.apple.security.get-task-allow=false which is what we use for production.

Landing this depends on bug 1593072 to update the build automation to support separate entitlement files.

I've done some testing with using separate entitlements for the parent process and plugin-container process. Setting `com.apple.security.cs.allow-dyld-environment-variables=false` for the parent process works as expected and `DYLD_INSERT_LIBRARIES` can not be used to inject a dylib. This only works if `com.apple.security.get-task-allow=false` which is what we use for production. get-task-allow is intended to be used for debugging.

Landing this depends on bug 1593072 to update the build automation to support separate entitlement files.
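
A check of this kind for per-process entitlement files, as an added example that is not part of the original comment or of Mozilla's build automation: it parses entitlement plists and reports the settings under which, per the comment above, `DYLD_INSERT_LIBRARIES` injection would not be blocked. The sample plists and their names are constructed, and treating an absent key as false is an assumption.

```python
import plistlib

DYLD_KEY = "com.apple.security.cs.allow-dyld-environment-variables"
TASK_KEY = "com.apple.security.get-task-allow"

# Constructed sample entitlement files (not Firefox's real ones),
# serialized to the XML plist format that entitlement files use.
SAMPLES = {
    "parent-production": plistlib.dumps({DYLD_KEY: False, TASK_KEY: False}),
    # Debug-style signing: get-task-allow left on.
    "parent-debug": plistlib.dumps({DYLD_KEY: False, TASK_KEY: True}),
    # A separate file for the child process can carry different values.
    "plugin-container": plistlib.dumps({DYLD_KEY: True, TASK_KEY: False}),
    # Common authoring mistake: <string>false</string> instead of <false/>.
    "parent-string-typo": plistlib.dumps({DYLD_KEY: "false", TASK_KEY: False}),
}


def audit(plist_bytes):
    """Return findings for one entitlement file.

    An empty list means both conditions from the comment hold:
    allow-dyld-environment-variables is false and get-task-allow is false.
    """
    entitlements = plistlib.loads(plist_bytes)
    findings = []
    for key in (DYLD_KEY, TASK_KEY):
        # Assumption: a key that is absent is treated the same as false.
        value = entitlements.get(key, False)
        if not isinstance(value, bool):
            # Do not guess how a non-boolean value is interpreted; flag it.
            findings.append(f"{key}: expected boolean, got {type(value).__name__}")
        elif value:
            findings.append(f"{key} is true")
    return findings


def audit_all(samples):
    """Audit every named entitlement file and return {name: findings}."""
    return {name: audit(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```
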
