Tags: objective-c, macos, security, launchd

How to make sure the binary submitted by SMJobSubmit is genuine?
I have an application on Mac which requires elevated privileges to perform certain tasks. To accomplish this, I carry a binary executable inside my App bundle and whenever the elevation is required I submit this executable to launchd using SMJobSubmit(). Along with this executable file, I also submit a plist file with certain arguments to the executable to tell it what all it needs to do.

My concern is how I can make sure that the executable run is the one that I intend to run. What if someone replaces the executable with a malicious one which, if granted root privileges, could play havoc? Does launchd or SMJobSubmit provide any immunity, or do I have to validate signatures and checksums at my end? Curiously, I could not find a single discussion online regarding this problem; maybe I am missing something trivial here.

This blog gives a nice example of using SMJobSubmit. I have implemented it along the same lines.


Solution

  • Judging by the information in the link you provided, all SMJobSubmit does is install a temporary launchd daemon, which relies on the user to authenticate the install as legitimate. I'm not sure how you envision your executable being replaced, but if you want to protect against tampering you can generate a checksum of the file and compare it against an embedded checksum generated against the true binary file beforehand.

    Then again, if an attacker has access to your entire source they can just replace the source code checksum and the binary checksum to match, or skip the check altogether...
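As an added example (not code from the question, the answer, or the linked blog), here is one way to tie the pre-submission check to the helper's code signature rather than a hand-rolled checksum, using the Security framework's static code API and a designated requirement pinned to a signing Team ID; the Team ID, job label and program arguments are placeholders you would substitute with your own.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <ServiceManagement/ServiceManagement.h>

// Requirement language string (assumed values): the helper must be signed with an
// Apple-issued certificate whose leaf belongs to team TEAMID_PLACEHOLDER.
static NSString *const kHelperRequirement =
    @"anchor apple generic and certificate leaf[subject.OU] = \"TEAMID_PLACEHOLDER\"";

// Returns YES only if the file at helperURL carries an intact code signature
// (every architecture slice checked) that satisfies kHelperRequirement.
static BOOL HelperSatisfiesRequirement(NSURL *helperURL, NSError **error) {
    SecStaticCodeRef code = NULL;
    SecRequirementRef req = NULL;
    CFErrorRef cfErr = NULL;
    BOOL ok = NO;

    OSStatus st = SecStaticCodeCreateWithPath((__bridge CFURLRef)helperURL,
                                              kSecCSDefaultFlags, &code);
    if (st != errSecSuccess) goto done;
    st = SecRequirementCreateWithString((__bridge CFStringRef)kHelperRequirement,
                                        kSecCSDefaultFlags, &req);
    if (st != errSecSuccess) goto done;
    // Fails if any page, resource or the identity differs from what was signed.
    st = SecStaticCodeCheckValidityWithErrors(
             code, kSecCSDefaultFlags | kSecCSCheckAllArchitectures, req, &cfErr);
    ok = (st == errSecSuccess);
done:
    if (!ok && error) {
        *error = cfErr ? CFBridgingRelease(cfErr)
                       : [NSError errorWithDomain:NSOSStatusErrorDomain code:st userInfo:nil];
    } else if (cfErr) {
        CFRelease(cfErr);
    }
    if (req) CFRelease(req);
    if (code) CFRelease(code);
    return ok;
}

// Submit the helper to launchd only after the signature check passes.
// Label and arguments are placeholders; "auth" is an AuthorizationRef the
// caller already obtained for the system domain.
static BOOL SubmitVerifiedHelper(NSURL *helperURL, AuthorizationRef auth, NSError **error) {
    if (!HelperSatisfiesRequirement(helperURL, error)) return NO;
    NSDictionary *job = @{ @"Label": @"com.example.helper",
                           @"ProgramArguments": @[ helperURL.path, @"--task", @"example" ],
                           @"RunAtLoad": @YES };
    CFErrorRef cfErr = NULL;
    Boolean submitted = SMJobSubmit(kSMDomainSystemLaunchd,
                                    (__bridge CFDictionaryRef)job, auth, &cfErr);
    if (!submitted && error && cfErr) *error = CFBridgingRelease(cfErr);
    return (BOOL)submitted;
}
```

Unlike an embedded checksum, the requirement is anchored in the certificate chain, so replacing the helper also requires the signing key; the check still runs before launchd reads the file, so keep the helper at a path the unprivileged user cannot write to.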