Hi,

On Wednesday 16 May 2012 17:29:44 Anthony G. Basile wrote:
> On 05/16/2012 12:12 PM, PaX Team wrote:
> > On 16 May 2012 at 16:39, Hinnerk van Bruinehsen wrote:
> >
> >> at the moment the thunderbird-ebuild in the tree does a "pax mark m"
> >> on the binary.
> >> At least for me thunderbird works fine if I just disable jit.
> >
> > there're a few packages that define a local 'jit' USE flag, i'd say
> > thunderbird/firefox/etc should use it as well to disable JIT related
> > options and avoid the pax-mark (not sure why pax-kernel came to mean
> > this, that's for kernel modules, not userland, and this JIT stuff is
> > useful for more kernels than just PaX based ones).
> >
>
> This flag was introduced to distinguish the above from USE="hardened"
> which only refers to the toolchain, and the goodies it brings along.
>
> Having said that, it's clearly better to disable JIT and not pax mark
> than vice versa. We have jit disabled by default in the hardened profiles.
>

...so in the above example it's better to define the 'jit' flag in the ebuild
for thunderbird rather than using 'pax_kernel'? Or should '-jit' and
'pax_kernel' result in disabling JIT in the ebuilds?

I do exactly the same stuff (if 'pax_kernel': disable_jit() :) ) for firefox on my
local overlay which allows me to run latest Firefox with mprotect on and no
paxmarkings (I don't care about plugins on FF). Judging by what you've said,
it'd be better to simply use 'jit' flag for it as it's disabled on the hardened
profiles anyway...

In theory we could then have the jit flag on both, Thunderbird and Firefox,
which would allow the hardened users to benefit from mprotect, however any use
of flash/java on FF would result in a crash anyway...but it's nice to have the
choice methinks... :)

Cheers,
Radek