Use a less extreme entitlement for our run-time machine code generation

See https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_cs_disable-executable-page-protection and https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_cs_allow-jit Change-Id: I192038efa9cff4fb723bf4bdc8644f0b09f0fcda Reviewed-on: https://gerrit.libreoffice.org/c/core/+/93181 Tested-by: Jenkins Reviewed-by: Tor Lillqvist <tml@collabora.com>
2020-04-29 20:12:21 +03:00 · 2020-04-29 20:12:21 +03:00 · 2c366aae92
commit 2c366aae92
parent 639eab5d0b
2 changed files with 7 additions and 1 deletions
--- a/bridges/source/cpp_uno/shared/vtablefactory.cxx
+++ b/bridges/source/cpp_uno/shared/vtablefactory.cxx
@ -77,6 +77,11 @@ extern "C" void * allocExec(
    std::size_t n = (*size + (pagesize - 1)) & ~(pagesize - 1);
    void * p;
 #if defined SAL_UNX
+#if defined MACOSX
+    p = mmap(
+        nullptr, n, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANON | MAP_JIT, -1,
+        0);
+#else
    p = mmap(
        nullptr, n, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1,
        0);
@ -88,6 +93,7 @@ extern "C" void * allocExec(
        munmap (p, n);
        p = nullptr;
    }
+#endif
 #elif defined _WIN32
    p = VirtualAlloc(nullptr, n, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
 #endif
--- a/hardened_runtime.xcent.in
+++ b/hardened_runtime.xcent.in
@ -6,7 +6,7 @@
        <key>com.apple.security.automation.apple-events</key>
        <true/>
        <!-- Needed for our runtime machine code generation -->
-        <key>com.apple.security.cs.disable-executable-page-protection</key>
+        <key>com.apple.security.cs.allow-jit</key>
        <true/>
        <!-- allow use of third-party plugins/frameworks (aka Java) -->
        <key>com.apple.security.cs.disable-library-validation</key>