strepsirrhini/office-gobmx
9
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
office-gobmx/hardened_runtime.xcent.in
Stephan Bergmann a6b85de6b7 Explicitly require com.apple.security.cs.allow-jit 
...in addition to com.apple.security.cs.disable-executable-page-protection, even
if the latter should already encompass the former:  Ideally, and going forward,
we should only need allow-jit, see 2c366aae92 "Use
a less extreme entitlement for our run-time machine code generation".  However,
that change revealed two reasons why we still need disable-executable-page-
protection for the time being:

For one, we apparently need it for old macOS versions that reject the mmap
MAP_JIT from the above change, see 6cab5c9170
"tdf#134754: Gracefully handle EINVAL from mmap MAP_JIT on old macOS".  And for
another, we apparently need it for an in-process JVM, at least with certain Java
versions, see 247a530447 "tdf#135479: Seems we
need the more broad entitlement for Java's sake".

So explicitly list both allow-jit (with the intention of keeping it going
forward) and disable-executable-page-protection (with the intention of
eventually being able to drop it).

Change-Id: I417e95ee20a8a47b55d2a04fa7f564977a0b675e
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/107410
Reviewed-by: Tor Lillqvist <tml@collabora.com>
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
Tested-by: Jenkins
2020-12-08 15:35:29 +01:00

20 lines
930 B
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<!-- AppleScript support -->
<key>com.apple.security.automation.apple-events</key>
<true/>
<!-- Needed for our C++/binary UNO bridge runtime machine code generation: -->
<key>com.apple.security.cs.allow-jit</key>
<true/>
<!-- Needed for our C++/binary UNO bridge runtime machine code generation on old macOS that
reject mmap MAP_JIT (macOS <= 10.13?); and for in-process JVM: -->
<key>com.apple.security.cs.disable-executable-page-protection</key>
<true/>
<!-- allow use of third-party plugins/frameworks (aka Java) -->
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
@GET_TASK_ALLOW_ENTITLEMENT@
</dict>
</plist>
Reference in a new issue View git blame Copy permalink