path: root/hardened_runtime.xcent.in
Age | Commit message | Author

2020-12-08 | Explicitly require com.apple.security.cs.allow-jit | Stephan Bergmann

...in addition to com.apple.security.cs.disable-executable-page-protection, even if the latter should already encompass the former:

Ideally, and going forward, we should only need allow-jit, see 2c366aae9263dc4115b054fe74b90cabea61fa0b "Use a less extreme entitlement for our run-time machine code generation". However, that change revealed two reasons why we still need disable-executable-page-protection for the time being: For one, we apparently need it for old macOS versions that reject the mmap MAP_JIT from the above change, see 6cab5c9170dc167838f1aebafc47153cd84713b4 "tdf#134754: Gracefully handle EINVAL from mmap MAP_JIT on old macOS". And for another, we apparently need it for an in-process JVM, at least with certain Java versions, see 247a5304475b9a045a08cbb5e74aec4b99127511 "tdf#135479: Seems we need the more broad entitlement for Java's sake".

So explicitly list both allow-jit (with the intention of keeping it going forward) and disable-executable-page-protection (with the intention of eventually being able to drop it).

Change-Id: I417e95ee20a8a47b55d2a04fa7f564977a0b675e
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/107410
Reviewed-by: Tor Lillqvist <tml@collabora.com>
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
Tested-by: Jenkins

2020-09-23 | tdf#135479: Seems we need the more broad entitlement for Java's sake | Tor Lillqvist

Sad, but OK. This reverts part of 2c366aae9263dc4115b054fe74b90cabea61fa0b.

Change-Id: I6b74c871e3ec2408f833a5e2b652fd19cb7a2c0e
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103230
Tested-by: Tor Lillqvist <tml@collabora.com>
Reviewed-by: Tor Lillqvist <tml@collabora.com>

2020-04-30 | Use a less extreme entitlement for our run-time machine code generation | Tor Lillqvist

See https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_cs_disable-executable-page-protection
and https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_cs_allow-jit

Change-Id: I192038efa9cff4fb723bf4bdc8644f0b09f0fcda
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/93181
Tested-by: Jenkins
Reviewed-by: Tor Lillqvist <tml@collabora.com>

2020-04-29 | Enable debugging of a hardened process on macOS | Tor Lillqvist

Add the com.apple.security.get-task-allow entitlement when not building for release.

Change-Id: I1b05d8c48f0f2d587325d7dfc800bb4880a7fcaf
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/93159
Tested-by: Tor Lillqvist <tml@collabora.com>
Reviewed-by: Tor Lillqvist <tml@collabora.com>