From b732715f737595884dd54d1f7860982652b2482f Mon Sep 17 00:00:00 2001 From: Doug Nazar Date: Fri, 9 Apr 2021 04:59:53 -0400 Subject: orc: Add support for MacOS Hardened runtime. --- meson.build | 1 + orc/orccodemem.c | 12 +++++++++++- orc/orccompiler.c | 15 +++++++++++++++ 3 files changed, 27 insertions(+), 1 deletion(-) diff --git a/meson.build b/meson.build index c089a2a..d175b53 100644 --- a/meson.build +++ b/meson.build @@ -121,6 +121,7 @@ cdata.set('HAVE_MONOTONIC_CLOCK', cc.compiles(monotonic_test)) cdata.set('HAVE_GETTIMEOFDAY', cc.has_function('gettimeofday')) cdata.set('HAVE_POSIX_MEMALIGN', cc.has_function('posix_memalign', prefix : '#include ')) cdata.set('HAVE_MMAP', cc.has_function('mmap')) +cdata.set('HAVE_PTHREAD_JIT', cc.has_function('pthread_jit_write_protect_np')) cdata.set('HAVE_SYS_TIME_H', cc.has_header('sys/time.h')) cdata.set('HAVE_UNISTD_H', cc.has_header('unistd.h')) diff --git a/orc/orccodemem.c b/orc/orccodemem.c index a996e76..728f347 100644 --- a/orc/orccodemem.c +++ b/orc/orccodemem.c @@ -264,11 +264,15 @@ orc_code_region_allocate_codemem_dual_map (OrcCodeRegion *region, #define MAP_ANONYMOUS MAP_ANON #endif +#ifndef MAP_JIT +#define MAP_JIT 0 +#endif + static int orc_code_region_allocate_codemem_anon_map (OrcCodeRegion *region) { region->exec_ptr = mmap (NULL, SIZE, PROT_READ|PROT_WRITE|PROT_EXEC, - MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); + MAP_PRIVATE|MAP_ANONYMOUS|MAP_JIT, -1, 0); if (region->exec_ptr == MAP_FAILED) { ORC_WARNING("failed to create write/exec map. err=%i", errno); return FALSE; 
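Review bot: The added `cc.has_function('pthread_jit_write_protect_np')` check only shows that the symbol links against the build SDK, not that it exists on the oldest macOS release the library is deployed to. The calls this commit adds in orc/orccompiler.c are unconditional, so with an older deployment target the symbol would presumably be weak-linked and the call would fault at run time. Unlike the `posix_memalign` check two lines above, it also passes no `prefix`, so an availability annotation on the header's declaration is never seen by the check. Consider `cc.has_function('pthread_jit_write_protect_np', prefix : '#include <pthread.h>', args : ['-Wl,-no_weak_imports'])`, or a runtime availability guard at the call sites.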
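Review bot: The `#define MAP_JIT 0` fallback and the `MAP_JIT` flag added to the `mmap` call are undocumented, while the mapping is still requested as `PROT_READ|PROT_WRITE|PROT_EXEC`. Nothing in this file tells a reader that write/execute separation for this region depends on the `pthread_jit_write_protect_np` toggling added in orc/orccompiler.c. Where that toggling is unsupported, or where `MAP_JIT` is defined away to 0, the region stays writable and executable at the same time for its whole lifetime. I would add above the fallback: `/* MAP_JIT lets the Hardened Runtime permit this RWX map (needs the allow-jit entitlement); it is 0 elsewhere, where the map stays plain RWX. */`. The body of orc_code_region_allocate_codemem_anon_map continues outside the hunk.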
@@ -300,9 +304,15 @@ orc_code_region_allocate_codemem (OrcCodeRegion *region) if (orc_code_region_allocate_codemem_anon_map (region)) return; +#ifdef __APPLE__ + ORC_ERROR("Failed to create write and exec mmap regions. This " + "is probably because the Hardened Runtime is enabled without " + "the com.apple.security.cs.allow-jit entitlement."); +#else ORC_ERROR("Failed to create write and exec mmap regions. This " "is probably because SELinux execmem check is enabled (good) " "and $TMPDIR and $HOME are mounted noexec (bad)."); +#endif } #endif diff --git a/orc/orccompiler.c b/orc/orccompiler.c index 7f7b4d4..a391e86 100644 --- a/orc/orccompiler.c +++ b/orc/orccompiler.c @@ -6,6 +6,10 @@ #include #include +#if defined(HAVE_PTHREAD_JIT) + #include +#endif + #if defined(HAVE_CODEMEM_VIRTUALALLOC) #include #ifdef ORC_WINAPI_ONLY_APP @@ -122,6 +126,11 @@ _orc_compiler_init (void) } } #endif + +#if defined(HAVE_PTHREAD_JIT) + ORC_INFO("pthread_jit_write_protect_supported_np() = %i", + pthread_jit_write_protect_supported_np()); +#endif } int @@ -447,6 +456,9 @@ orc_program_compile_full (OrcProgram *program, OrcTarget *target, program->orccode->code_size = compiler->codeptr - compiler->code; orc_code_allocate_codemem (program->orccode, program->orccode->code_size); +#if defined(HAVE_PTHREAD_JIT) + pthread_jit_write_protect_np(0); +#endif #if defined(HAVE_CODEMEM_VIRTUALALLOC) /* Ensure that code region is writable before memcpy */ _set_virtual_protect (program->orccode->code, program->orccode->code_size, @@ -463,6 +475,9 @@ orc_program_compile_full (OrcProgram *program, OrcTarget *target, compiler->target->flush_cache (program->orccode); } +#if defined(HAVE_PTHREAD_JIT) + pthread_jit_write_protect_np(1); +#endif #if defined(HAVE_CODEMEM_VIRTUALALLOC) /* Code region is now ready for execution */ if (!_set_virtual_protect (program->orccode->exec, program->orccode->code_size, -- cgit v1.2.3
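Review bot: In orc_program_compile_full, `pthread_jit_write_protect_np(0)` is issued before the copy and the matching `pthread_jit_write_protect_np(1)` only after the cache flush in the last hunk, so any exit between the two would leave the calling thread with its JIT pages writable. The lines between the two hunks are not shown, so I cannot confirm that no such exit exists. The toggle also appears to run when the region came from the dual-map path rather than the MAP_JIT anonymous map, and the value of `pthread_jit_write_protect_supported_np()` is only logged in `_orc_compiler_init`, never consulted. I would add at the first call `/* Per-thread: make MAP_JIT pages writable for the copy; every path below must re-protect before returning. */` and keep the window limited to the memcpy and the flush. The function begins and ends outside both hunks.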