It’s been a while and Firefox has moved from version 5 to version 10.0.1, now that’s a pace! 😉 But the important bits are… enforcing MPROTECT has never been easier… well, almost. 😉
Thanks to this attachment in this bug, the latest version of Firefox compiles fine on hardened profiles (or simply on grsec kernels).
In order to enable MPROTECT restrictions, edit the ebuild and, at the top, add the pax_kernel flag to IUSE so it reads like this:
IUSE="bindist +crashreporter +ipc +minimal pgo selinux system-sqlite +webm pax_kernel"
also, add the following snippet to src_configure(), before the # Finalize and report settings line:
if use pax_kernel; then
mozconfig_annotate '' --disable-methodjit
mozconfig_annotate '' --disable-tracejit
fi
…and get rid of the following lines in src_install():
# Pax mark xpcshell for hardened support, only used for startupcache creation.
pax-mark m "${S}/${obj_dir}"/dist/bin/xpcshell
and this:
# Required in order to use plugins and even run firefox on hardened.
pax-mark m "${ED}"${MOZILLA_FIVE_HOME}/{firefox,firefox-bin,plugin-container}
NOTE: You won’t be able to run Java or Flash, as they require RWX mappings, which will not be allowed when MPROTECT is enforced. If you need to use them, you can use a different browser for that, for instance Chromium.
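The three ebuild edits above, as an added example that is not part of the original post: a POSIX shell script that applies them to a copy of the ebuild with awk and then checks that each edit took. It runs here against a constructed, cut-down ebuild rather than the real firefox-10.0.1.ebuild; the function names (make_sample_ebuild, patch_ebuild, verify_ebuild) are mine, and the script assumes the ebuild has a single IUSE="..." line, the # Finalize and report settings marker inside src_configure(), and the two pax-mark lines each preceded by the comment quoted above.

```shell
#!/bin/sh
# Added example, not the original post's or Gentoo's code: apply the three
# pax_kernel edits to an ebuild and verify them. Assumes one IUSE="..." line,
# a "# Finalize and report settings" marker and the two commented pax-mark lines.

# make_sample_ebuild FILE: write a constructed, trimmed-down ebuild to FILE
make_sample_ebuild() {
cat > "$1" <<'EOF'
IUSE="bindist +crashreporter +ipc +minimal pgo selinux system-sqlite +webm"
src_configure() {
    mozconfig_init
    # Finalize and report settings
    mozconfig_final
}
src_install() {
    # Pax mark xpcshell for hardened support, only used for startupcache creation.
    pax-mark m "${S}/${obj_dir}"/dist/bin/xpcshell
    # Required in order to use plugins and even run firefox on hardened.
    pax-mark m "${ED}"${MOZILLA_FIVE_HOME}/{firefox,firefox-bin,plugin-container}
    dodir /foo
}
EOF
}

# patch_ebuild IN OUT: write IN to OUT with the three edits applied (idempotent)
patch_ebuild() {
    awk -v q="'" '
        # 1. append pax_kernel to IUSE unless it is already there
        /^IUSE="/ && $0 !~ /pax_kernel/ { sub(/"$/, " pax_kernel\""); print; next }
        # remember whether the configure snippet is already present
        /mozconfig_annotate .* --disable-methodjit/ { seen = 1 }
        # 2. insert the snippet right before the finalize marker
        /^[ \t]*# Finalize and report settings/ && !seen {
            print "\tif use pax_kernel; then"
            print "\t\tmozconfig_annotate " q q " --disable-methodjit"
            print "\t\tmozconfig_annotate " q q " --disable-tracejit"
            print "\tfi"
        }
        # 3. drop both pax-mark lines and the comment line above each of them
        /^[ \t]*# (Pax mark xpcshell|Required in order to use plugins)/ { next }
        /^[ \t]*pax-mark m / { next }
        { print }
    ' "$1" > "$2"
}

# verify_ebuild FILE: succeed only if all three edits are present in FILE
verify_ebuild() {
    grep -q '^IUSE=.*pax_kernel' "$1" || { echo "IUSE lacks pax_kernel"; return 1; }
    grep -q -- '--disable-methodjit' "$1" || { echo "methodjit snippet missing"; return 1; }
    grep -q -- '--disable-tracejit' "$1" || { echo "tracejit snippet missing"; return 1; }
    if grep -q '^[ 	]*pax-mark ' "$1"; then echo "pax-mark lines still present"; return 1; fi
    return 0
}

# Demo on the constructed sample; on a real box point patch_ebuild at
# /usr/local/portage/www-client/firefox/firefox-10.0.1.ebuild instead.
src=${TMPDIR:-/tmp}/firefox-sample.$$.ebuild
dst=${TMPDIR:-/tmp}/firefox-sample.$$.patched.ebuild
make_sample_ebuild "$src"
patch_ebuild "$src" "$dst"
verify_ebuild "$dst" && echo "all three edits applied and verified in $dst"
rm -f "$src" "$dst"
```

Because the snippet is only inserted when no --disable-methodjit line precedes the marker, running patch_ebuild over an already patched ebuild (after a version bump, say) leaves it unchanged.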
Now digest your local ebuild:
# ebuild /usr/local/portage/www-client/firefox/firefox-10.0.1.ebuild digest
>>> Creating Manifest for /usr/local/portage/www-client/firefox
…and you’re ready to emerge! ;] Once done, start Firefox. If you’re starting it from the command line, you’ll see the following (expected) error:
LLVM ERROR: Allocation failed when allocating new memory in the JIT
Can't allocate RWX Memory: Operation not permitted
which is exactly what we wanted 🙂 …and to verify that it works as expected:
$ for pid in $(ps -ef | grep [f]irefox | awk '{print $2}'); do cat /proc/$pid/status | grep PaX; done
PaX: PeMRs
Note the capital ‘M’ – you’re mprotected! ;]
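The same check, as an added example that is not from the original post: a small POSIX shell script that pulls the PaX line out of /proc/<pid>/status and fails if the M is missing or lowercase, so it can go into a post-upgrade sanity script instead of eyeballing the output. The function names are mine and the status excerpt used in the demo is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the original post: read the PaX flags the kernel
# reports in /proc/<pid>/status and tell whether MPROTECT is enforced.
# PaX prints one letter per feature, uppercase when enabled and lowercase when
# disabled: P/p PAGEEXEC, E/e EMUTRAMP, M/m MPROTECT, R/r RANDMMAP, S/s SEGMEXEC.
# So "PeMRs" means MPROTECT is on, "PemRs" means it is off for that process.

# pax_flags_of STATUS_TEXT: print the flag string from the "PaX:" line (empty if none)
pax_flags_of() {
    printf '%s\n' "$1" | sed -n 's/^PaX:[[:space:]]*\([A-Za-z]*\).*/\1/p' | head -n 1
}

# mprotect_enforced FLAGS: succeed only if MPROTECT is enabled (capital M present)
mprotect_enforced() {
    case "$1" in
        *M*) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_pid PID: report one process; exit 0 enforced, 1 not enforced, 2 unreadable/no PaX
check_pid() {
    pid=$1
    status=$(cat "/proc/$pid/status" 2>/dev/null) || { echo "$pid: cannot read /proc/$pid/status"; return 2; }
    flags=$(pax_flags_of "$status")
    if [ -z "$flags" ]; then
        echo "$pid: no PaX line in status (not running on a PaX kernel?)"
        return 2
    fi
    if mprotect_enforced "$flags"; then
        echo "$pid: PaX: $flags (MPROTECT enforced)"
        return 0
    fi
    echo "$pid: PaX: $flags (MPROTECT NOT enforced)"
    return 1
}

# check_firefox: check every firefox, firefox-bin and plugin-container process
# (comm is truncated to 15 chars, hence the short match); fail if any lacks M
check_firefox() {
    rc=0
    for pid in $(ps -eo pid,comm | awk '$2 ~ /^(firefox|plugin-contain)/ { print $1 }'); do
        check_pid "$pid" || rc=1
    done
    return $rc
}

# Demo on a constructed status excerpt (not captured from a real machine);
# on a hardened box run check_firefox instead.
demo_status=$(printf 'Name:\tfirefox\nPid:\t4242\nPaX:\tPeMRs\nState:\tS (sleeping)\n')
demo_flags=$(pax_flags_of "$demo_status")
if mprotect_enforced "$demo_flags"; then
    echo "demo: PaX: $demo_flags -> MPROTECT enforced"
else
    echo "demo: PaX: $demo_flags -> MPROTECT NOT enforced"
fi
```

A lowercase m in the flags is what the removed pax-mark m lines would have produced for the firefox, firefox-bin and plugin-container binaries, so this check also catches an ebuild where those lines crept back in.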