diff options
author | Stephan Bergmann <sbergman@redhat.com> | 2020-12-08 13:20:53 +0100 |
---|---|---|
committer | Stephan Bergmann <sbergman@redhat.com> | 2020-12-08 15:35:29 +0100 |
commit | a6b85de6b7db0b034cb14c6324ddf5d27dcda1f5 (patch) | |
tree | ab1f4e8d376d93e1226ed8e7d2ae6037677707f7 /hardened_runtime.xcent.in | |
parent | b43f7ac3636bee8611da5954e28d55a05a52c06e (diff) |
Explicitly require com.apple.security.cs.allow-jit
...in addition to com.apple.security.cs.disable-executable-page-protection, even
if the latter should already encompass the former: Ideally, and going forward,
we should only need allow-jit, see 2c366aae9263dc4115b054fe74b90cabea61fa0b "Use
a less extreme entitlement for our run-time machine code generation". However,
that change revealed two reasons why we still need disable-executable-page-
protection for the time being:
For one, we apparently need it for old macOS versions that reject the mmap
MAP_JIT from the above change, see 6cab5c9170dc167838f1aebafc47153cd84713b4
"tdf#134754: Gracefully handle EINVAL from mmap MAP_JIT on old macOS". And for
another, we apparently need it for an in-process JVM, at least with certain Java
versions, see 247a5304475b9a045a08cbb5e74aec4b99127511 "tdf#135479: Seems we
need the more broad entitlement for Java's sake".
So explicitly list both allow-jit (with the intention of keeping it going
forward) and disable-executable-page-protection (with the intention of
eventually being able to drop it).
Change-Id: I417e95ee20a8a47b55d2a04fa7f564977a0b675e
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/107410
Reviewed-by: Tor Lillqvist <tml@collabora.com>
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
Tested-by: Jenkins
Diffstat (limited to 'hardened_runtime.xcent.in')
-rw-r--r-- | hardened_runtime.xcent.in | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/hardened_runtime.xcent.in b/hardened_runtime.xcent.in index d270c93ec694..148134a32c77 100644 --- a/hardened_runtime.xcent.in +++ b/hardened_runtime.xcent.in @@ -5,7 +5,11 @@ <!-- AppleScript support --> <key>com.apple.security.automation.apple-events</key> <true/> - <!-- Needed for our runtime machine code generation --> + <!-- Needed for our C++/binary UNO bridge runtime machine code generation: --> + <key>com.apple.security.cs.allow-jit</key> + <true/> + <!-- Needed for our C++/binary UNO bridge runtime machine code generation on old macOS that + reject mmap MAP_JIT (macOS <= 10.13?); and for in-process JVM: --> <key>com.apple.security.cs.disable-executable-page-protection</key> <true/> <!-- allow use of third-party plugins/frameworks (aka Java) --> |