From a6b85de6b7db0b034cb14c6324ddf5d27dcda1f5 Mon Sep 17 00:00:00 2001 From: Stephan Bergmann Date: Tue, 8 Dec 2020 13:20:53 +0100 Subject: [PATCH] Explicitly require com.apple.security.cs.allow-jit ...in addition to com.apple.security.cs.disable-executable-page-protection, even if the latter should already encompass the former: Ideally, and going forward, we should only need allow-jit, see 2c366aae9263dc4115b054fe74b90cabea61fa0b "Use a less extreme entitlement for our run-time machine code generation". However, that change revealed two reasons why we still need disable-executable-page- protection for the time being: For one, we apparently need it for old macOS versions that reject the mmap MAP_JIT from the above change, see 6cab5c9170dc167838f1aebafc47153cd84713b4 "tdf#134754: Gracefully handle EINVAL from mmap MAP_JIT on old macOS". And for another, we apparently need it for an in-process JVM, at least with certain Java versions, see 247a5304475b9a045a08cbb5e74aec4b99127511 "tdf#135479: Seems we need the more broad entitlement for Java's sake". So explicitly list both allow-jit (with the intention of keeping it going forward) and disable-executable-page-protection (with the intention of eventually being able to drop it). Change-Id: I417e95ee20a8a47b55d2a04fa7f564977a0b675e Reviewed-on: https://gerrit.libreoffice.org/c/core/+/107410 Reviewed-by: Tor Lillqvist Reviewed-by: Stephan Bergmann Tested-by: Jenkins --- hardened_runtime.xcent.in | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/hardened_runtime.xcent.in b/hardened_runtime.xcent.in index d270c93ec694..148134a32c77 100644 --- a/hardened_runtime.xcent.in +++ b/hardened_runtime.xcent.in @@ -5,7 +5,11 @@ com.apple.security.automation.apple-events - + + com.apple.security.cs.allow-jit + + com.apple.security.cs.disable-executable-page-protection