[Libreoffice-commits] core.git: hardened_runtime.xcent.in

Stephan Bergmann (via logerrit) logerrit at kemper.freedesktop.org
Tue Dec 8 14:36:13 UTC 2020


 hardened_runtime.xcent.in |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

New commits:
commit a6b85de6b7db0b034cb14c6324ddf5d27dcda1f5
Author:     Stephan Bergmann <sbergman at redhat.com>
AuthorDate: Tue Dec 8 13:20:53 2020 +0100
Commit:     Stephan Bergmann <sbergman at redhat.com>
CommitDate: Tue Dec 8 15:35:29 2020 +0100

    Explicitly require com.apple.security.cs.allow-jit
    
    ...in addition to com.apple.security.cs.disable-executable-page-protection, even
    if the latter should already encompass the former:  Ideally, and going forward,
    we should only need allow-jit, see 2c366aae9263dc4115b054fe74b90cabea61fa0b "Use
    a less extreme entitlement for our run-time machine code generation".  However,
    that change revealed two reasons why we still need disable-executable-page-
    protection for the time being:
    
    For one, we apparently need it for old macOS versions that reject the mmap
    MAP_JIT from the above change, see 6cab5c9170dc167838f1aebafc47153cd84713b4
    "tdf#134754: Gracefully handle EINVAL from mmap MAP_JIT on old macOS".  And for
    another, we apparently need it for an in-process JVM, at least with certain Java
    versions, see 247a5304475b9a045a08cbb5e74aec4b99127511 "tdf#135479: Seems we
    need the more broad entitlement for Java's sake".
    
    So explicitly list both allow-jit (with the intention of keeping it going
    forward) and disable-executable-page-protection (with the intention of
    eventually being able to drop it).
    
    Change-Id: I417e95ee20a8a47b55d2a04fa7f564977a0b675e
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/107410
    Reviewed-by: Tor Lillqvist <tml at collabora.com>
    Reviewed-by: Stephan Bergmann <sbergman at redhat.com>
    Tested-by: Jenkins

diff --git a/hardened_runtime.xcent.in b/hardened_runtime.xcent.in
index d270c93ec694..148134a32c77 100644
--- a/hardened_runtime.xcent.in
+++ b/hardened_runtime.xcent.in
@@ -5,7 +5,11 @@
         <!-- AppleScript support -->
         <key>com.apple.security.automation.apple-events</key>
         <true/>
-        <!-- Needed for our runtime machine code generation -->
+        <!-- Needed for our C++/binary UNO bridge runtime machine code generation: -->
+        <key>com.apple.security.cs.allow-jit</key>
+        <true/>
+        <!-- Needed for our C++/binary UNO bridge runtime machine code generation on old macOS that
+             reject mmap MAP_JIT (macOS <= 10.13?); and for in-process JVM: -->
         <key>com.apple.security.cs.disable-executable-page-protection</key>
         <true/>
         <!-- allow use of third-party plugins/frameworks (aka Java) -->
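Review bot: The new comment above com.apple.security.cs.disable-executable-page-protection leaves the version bound as a guess ("macOS <= 10.13?") and does not name the two issues that block removing the key. Since the commit message states the intent to drop this broader entitlement eventually, consider citing tdf#134754 (EINVAL from mmap MAP_JIT on old macOS) and tdf#135479 (in-process JVM) in the comment, so a later reader can tell when both conditions no longer hold. Until then, per the commit message, the broader entitlement already encompasses allow-jit, so listing allow-jit does not by itself tighten the hardened runtime; saying that in the comment would keep anyone from reading the file as already narrowed. Minor wording: "old macOS that reject" should read "old macOS versions that reject".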

