Property List Key

Allow Execution of JIT-compiled Code Entitlement

A Boolean value that indicates whether the app may create writable and executable memory using the MAP_JIT flag.

Details

Key: com.apple.security.cs.allow-jit
Type: boolean

Discussion

You can create memory that’s both writable and executable by passing the MAP_JIT flag to the mmap() system function. The Hardened Runtime disallows this by default, because it creates a security risk. However, some apps and system frameworks rely on this functionality, typically for performance reasons. Examples include:

  • The fast-path of the JavaScriptCore framework

  • Certain Python frameworks

  • Perl-compatible regular expressions (PCRE)

  • An app that creates a dynamically-compiled, proprietary macro language

Without the Allow Execution of JIT-compiled Code Entitlement, frameworks that rely on just-in-time (JIT) compilation may fall back to an interpreter. Other code using JIT compilation may crash or behave in unexpected ways.

Digital rights management (DRM) solutions that currently use unsigned executable memory should instead change to using the MAP_JIT flag and the entitlement.

To add the entitlement to your app, first enable the Hardened Runtime capability in Xcode, and then under Runtime Exceptions, select Allow Execution of JIT-compiled Code.
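As a review aid for the guidance above, the following added example (not Apple's code) parses an entitlements property list and reports which executable-memory exceptions are set to true, so an app that enables more than com.apple.security.cs.allow-jit stands out. The function name, the advice strings and the sample plist are constructed for illustration; the keys and their descriptions are the ones listed on this page.

```python
import plistlib

# Hardened Runtime exception keys named on this page, with the page's own
# description of what each one permits. Ordered from narrowest to broadest.
EXECUTABLE_MEMORY_KEYS = [
    ("com.apple.security.cs.allow-jit",
     "writable and executable memory via the MAP_JIT flag"),
    ("com.apple.security.cs.allow-unsigned-executable-memory",
     "writable and executable memory without the MAP_JIT restrictions"),
    ("com.apple.security.cs.disable-executable-page-protection",
     "all code signing protections disabled at launch and during execution"),
]
ALLOW_JIT = EXECUTABLE_MEMORY_KEYS[0][0]


def audit_entitlements(plist_bytes):
    """Return (key, description, advice) for each exception set to true."""
    entitlements = plistlib.loads(plist_bytes)
    findings = []
    for key, description in EXECUTABLE_MEMORY_KEYS:
        # Only a Boolean true grants the exception; absent or false is ignored.
        if entitlements.get(key) is not True:
            continue
        if key == ALLOW_JIT:
            advice = "confirm the app embeds a JIT; otherwise remove the key"
        else:
            advice = ("broader than allow-jit; check whether MAP_JIT with "
                      + ALLOW_JIT + " is sufficient")
        findings.append((key, description, advice))
    return findings


# Constructed sample: an app that requests both the JIT entitlement and the
# broader unsigned-executable-memory exception.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key><true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
    <key>com.apple.security.cs.disable-library-validation</key><false/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for key, description, advice in audit_entitlements(SAMPLE):
        print(f"{key}\n  permits: {description}\n  action:  {advice}")
```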

See Also

Hardened Runtime

Apple Events Entitlement

A Boolean value that indicates whether the app may prompt the user for permission to send Apple Events to other apps.

Key: com.apple.security.automation.apple-events

Allow DYLD Environment Variables Entitlement

A Boolean value that indicates whether the app may be affected by dynamic linker environment variables, which you can use to inject code into your app’s process.

Key: com.apple.security.cs.allow-dyld-environment-variables

Allow Unsigned Executable Memory Entitlement

A Boolean value that indicates whether the app may create writable and executable memory without the restrictions imposed by using the MAP_JIT flag.

Key: com.apple.security.cs.allow-unsigned-executable-memory

Debugging Tool Entitlement

A Boolean value that indicates whether the app is a debugger and may attach to other processes or get task ports.

Key: com.apple.security.cs.debugger

Disable Executable Memory Protection Entitlement

A Boolean value that indicates whether to disable all code signing protections while launching an app, and during its execution.

Key: com.apple.security.cs.disable-executable-page-protection

Disable Library Validation Entitlement

A Boolean value that indicates whether the app may load arbitrary plug-ins or frameworks, without requiring code signing.

Key: com.apple.security.cs.disable-library-validation

Audio Input Entitlement

A Boolean value that indicates whether the app may record audio using the built-in microphone and access audio input using Core Audio.

Key: com.apple.security.device.audio-input

Photos Library Entitlement

A Boolean value that indicates whether the app may have read-write access to the user's Photos library.

Key: com.apple.security.personal-information.photos-library