Re: [gentoo-hardened] hardened-sources & tp_smapi, firefox-9.0 install stucks - gentoo-hardened

From:	Radek Madej <radegand@××.pl>
To:	gentoo-hardened@l.g.o
Subject:	Re: [gentoo-hardened] hardened-sources & tp_smapi, firefox-9.0 install stucks
Date:	Mon, 23 Jan 2012 22:20:49
Message-Id:	`1491638.9hoDyJUfdL@quad`
In Reply to:	Re: [gentoo-hardened] hardened-sources & tp_smapi, firefox-9.0 install stucks by Christian Apeltauer

1

On Tuesday 10 January 2012 13:32:26 Christian Apeltauer wrote:

2

>

3

> Hello hardened-list,

4

>  I would like to point out that I am still able to run icecat-9.0.1

5

> without any pax feature disabled by patching the ebuild as shown by the

6

> attached patch. Basically I applied the patch from Bug #396275 and

7

> disabled both methodjit and tracejit. And now icecat (including

8

> addons like noscript) runs without being pax-marked.

9

>  I am well aware of the warnings that the Javascript engine runs slower

10

> without methodjit (by the way, why was that USE flag dropped?). I use

11

> Javascript only when absolutely necessary, so I might not be the best

12

> judge, but I don't see any noticeable impact on performance. Neither do

13

> I use flash plugin or something like that, so neither can I say whether

14

> flash will work without pax-marking.

15

>  May solution may not be workable for everybody. But I don't see a

16

> reason why not to give it a try for ones like me who want a browser with

17

> reasonable JS management (as provided by the noscript addon) but do not

18

> need all the flashy extras. It should be up to the user to decide which

19

> features to enable.

20

>  Best regards

21

> 	Christian Apeltauer

22

23

Hi,

24

25

I can confirm that it does work indeed, with either firefox-9.0 or icecat-9.0.1 

26

from portage tree - thanks for sharing! :)

27

28

Plugins are an issue, disabling mprotect on the 'plugin-container' binary 

29

let's java & flash run (I've only done some a simple test though). Due to easy 

30

JS and content-policy management in firefox I also use it as a 'secure' browser 

31

so don't care much about the plugins which run fine for instance in chrome 

32

which needs to be paxmarked anyway...

33

34

Wouldn't it make sense to disable jit on pax_kernels and let users decide if 

35

they want to further pax-mark the plugin-container binary, via ebuild message 

36

for example?

37

38

I've removed all the paxmarking from ebuild and added sth like:

39

40

if use pax_kernel; then                                                                                                                                                     

41

    mozconfig_annotate '' --disable-methodjit                                                                                                                               

42

    mozconfig_annotate '' --disable-tracejit                                                                                                                                

43

fi

44

45

...and now I'm a happy firefox user :)

46

47

Cheers,

48

Radek

Gentoo Archives: gentoo-hardened

Replies

1	On Tuesday 10 January 2012 13:32:26 Christian Apeltauer wrote:
2	>
3	> Hello hardened-list,
4	> I would like to point out that I am still able to run icecat-9.0.1
5	> without any pax feature disabled by patching the ebuild as shown by the
6	> attached patch. Basically I applied the patch from Bug #396275 and
7	> disabled both methodjit and tracejit. And now icecat (including
8	> addons like noscript) runs without being pax-marked.
9	> I am well aware of the warnings that the Javascript engine runs slower
10	> without methodjit (by the way, why was that USE flag dropped?). I use
11	> Javascript only when absolutely necessary, so I might not be the best
12	> judge, but I don't see any noticeable impact on performance. Neither do
13	> I use flash plugin or something like that, so neither can I say whether
14	> flash will work without pax-marking.
15	> May solution may not be workable for everybody. But I don't see a
16	> reason why not to give it a try for ones like me who want a browser with
17	> reasonable JS management (as provided by the noscript addon) but do not
18	> need all the flashy extras. It should be up to the user to decide which
19	> features to enable.
20	> Best regards
21	> Christian Apeltauer
22
23	Hi,
24
25	I can confirm that it does work indeed, with either firefox-9.0 or icecat-9.0.1
26	from portage tree - thanks for sharing! :)
27
28	Plugins are an issue, disabling mprotect on the 'plugin-container' binary
29	let's java & flash run (I've only done some a simple test though). Due to easy
30	JS and content-policy management in firefox I also use it as a 'secure' browser
31	so don't care much about the plugins which run fine for instance in chrome
32	which needs to be paxmarked anyway...
33
34	Wouldn't it make sense to disable jit on pax_kernels and let users decide if
35	they want to further pax-mark the plugin-container binary, via ebuild message
36	for example?
37
38	I've removed all the paxmarking from ebuild and added sth like:
39
40	if use pax_kernel; then
41	mozconfig_annotate '' --disable-methodjit
42	mozconfig_annotate '' --disable-tracejit
43	fi
44
45	...and now I'm a happy firefox user :)
46
47	Cheers,
48	Radek