On Tuesday 10 January 2012 13:32:26 Christian Apeltauer wrote:
>
> Hello hardened-list,
> I would like to point out that I am still able to run icecat-9.0.1
> without any pax feature disabled by patching the ebuild as shown by the
> attached patch. Basically I applied the patch from Bug #396275 and
> disabled both methodjit and tracejit. And now icecat (including
> addons like noscript) runs without being pax-marked.
> I am well aware of the warnings that the Javascript engine runs slower
> without methodjit (by the way, why was that USE flag dropped?). I use
> Javascript only when absolutely necessary, so I might not be the best
> judge, but I don't see any noticeable impact on performance. Neither do
> I use flash plugin or something like that, so neither can I say whether
> flash will work without pax-marking.
> My solution may not be workable for everybody. But I don't see a
> reason why not to give it a try for ones like me who want a browser with
> reasonable JS management (as provided by the noscript addon) but do not
> need all the flashy extras. It should be up to the user to decide which
> features to enable.
> Best regards
> Christian Apeltauer

Hi,

I can confirm that it does work indeed, with either firefox-9.0 or icecat-9.0.1
from portage tree - thanks for sharing! :)

Plugins are an issue, disabling mprotect on the 'plugin-container' binary
lets java & flash run (I've only done a simple test though). Due to easy
JS and content-policy management in firefox I also use it as a 'secure' browser
so don't care much about the plugins which run fine for instance in chrome
which needs to be paxmarked anyway...

Wouldn't it make sense to disable jit on pax_kernels and let users decide if
they want to further pax-mark the plugin-container binary, via ebuild message
for example?

I've removed all the paxmarking from ebuild and added sth like:

    if use pax_kernel; then
        mozconfig_annotate '' --disable-methodjit
        mozconfig_annotate '' --disable-tracejit
    fi

...and now I'm a happy firefox user :)

Cheers,
Radek
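
Added example (not part of either post, and not code from the ebuild): a shell check that a browser built without the JITs really is running with MPROTECT enforced, and that only a deliberately marked plugin-container has it off. It assumes a PaX/grsecurity kernel that reports per-process flags on a "PaX:" line in /proc/<pid>/status (upper-case M = MPROTECT enforced, lower-case m = disabled); the function names are hypothetical and the sample status text is constructed.

```shell
#!/bin/sh
# Added example: report the PaX MPROTECT state of running processes.

# pax_flags FILE -> prints the flag string (e.g. "PeMRs"), empty if absent
pax_flags() {
    awk '$1 == "PaX:" { print $2; exit }' "$1"
}

# mprotect_state FILE -> enforced | disabled | no-pax-info | unknown
mprotect_state() {
    flags=$(pax_flags "$1" 2>/dev/null) || flags=""
    case "$flags" in
        "")  echo "no-pax-info" ;;   # non-PaX kernel or unreadable file
        *M*) echo "enforced" ;;      # W^X transitions are refused
        *m*) echo "disabled" ;;      # binary was pax-marked (paxctl -m)
        *)   echo "unknown" ;;
    esac
}

# report NAME... -> one line per running process with exactly that name
report() {
    for name in "$@"; do
        for pid in $(pgrep -x "$name"); do
            printf '%s pid=%s mprotect=%s\n' "$name" "$pid" \
                "$(mprotect_state "/proc/$pid/status")"
        done
    done
}

# demo -> runs the parser over constructed status text (not real output)
demo() {
    tmp=$(mktemp)
    for sample in "firefox PeMRs" "plugin-container PemRs"; do
        set -- $sample
        printf 'Name:\t%s\nState:\tS (sleeping)\nPaX:\t%s\n' "$1" "$2" > "$tmp"
        printf '%s (constructed) mprotect=%s\n' "$1" "$(mprotect_state "$tmp")"
    done
    rm -f "$tmp"
}

# With arguments, inspect live processes; without, show the constructed demo.
if [ "$#" -gt 0 ]; then report "$@"; else demo; fi
```

Run it as `sh check.sh firefox plugin-container` on the hardened box; a firefox line reporting anything other than `enforced` means the binary is still pax-marked or the kernel is not applying MPROTECT.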