Allow execution of JIT-compiled code entitlement

A Boolean value that indicates whether the app may create writable and executable memory using the MAP_JIT flag.

Discussion

You can create memory that’s both writable and executable by passing the MAP_JIT flag to the mmap() system function. The Hardened Runtime disallows this by default, because it creates a security risk. However, some apps and system frameworks rely on this functionality, typically for performance reasons. Examples include:

  • The fast-path of the JavaScriptCore framework

  • Certain Python frameworks

  • Perl-compatible regular expressions (PCRE)

  • An app that creates a dynamically-compiled, proprietary macro language

Without the Allow execution of JIT-compiled code entitlement, frameworks that rely on just-in-time (JIT) compilation may fall back to an interpreter. Other code using JIT compilation may crash or behave in unexpected ways.

Digital rights management (DRM) solutions that currently use unsigned executable memory should instead change to using the MAP_JIT flag and the entitlement.

To add the entitlement to your app, first enable the Hardened Runtime capability in Xcode, and then under Runtime Exceptions, select Allow Execution of JIT-compiled Code.
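To check which exception a signed build actually carries, the entitlements plist extracted from it (for example with codesign) can be audited. The script below is an added example, not Apple's code; the two entitlement key strings are Apple's identifiers but are not quoted on this page, and the sample apps are constructed. It flags builds that still rely on unsigned executable memory, which the guidance above says should move to MAP_JIT and this entitlement.

```python
import plistlib

# Hardened Runtime exception keys; these identifiers are Apple's, not quoted on this page.
ALLOW_JIT = "com.apple.security.cs.allow-jit"
UNSIGNED_EXEC = "com.apple.security.cs.allow-unsigned-executable-memory"


def audit_entitlements(plist_bytes):
    """Return (level, message) findings for one entitlements plist (XML or binary)."""
    ent = plistlib.loads(plist_bytes)
    if not isinstance(ent, dict):
        raise ValueError("entitlements plist must have a dictionary at its root")
    # Only a Boolean true grants the exception; a false or absent key does not.
    jit = ent.get(ALLOW_JIT) is True
    unsigned = ent.get(UNSIGNED_EXEC) is True
    findings = []
    if unsigned:
        findings.append(("warn", "unsigned executable memory is allowed; "
                         "move the code to MAP_JIT mappings and the allow-jit entitlement"))
    if jit:
        findings.append(("info", "MAP_JIT mappings are allowed; confirm the app really ships a JIT"))
    if not jit and not unsigned:
        findings.append(("info", "no JIT exception; MAP_JIT is disallowed and "
                         "JIT-based frameworks may fall back to an interpreter"))
    return findings


# Constructed sample inputs (hypothetical apps), serialized the way a real plist would be.
SAMPLES = {
    "legacy-drm": plistlib.dumps({UNSIGNED_EXEC: True}),
    "jit-only": plistlib.dumps({ALLOW_JIT: True}),
    "mid-migration": plistlib.dumps({ALLOW_JIT: True, UNSIGNED_EXEC: True}),
    "default": plistlib.dumps({ALLOW_JIT: False}),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        for level, message in audit_entitlements(blob):
            print(f"{name}: [{level}] {message}")
```

A build that reports both findings is mid-migration: the broader unsigned-memory exception is still granted even though the narrower one is present.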

See Also

Hardened runtime