Firefox 10.0.1 – MPROTECT strikes again!

LMAX Exchange

It’s been a while and Firefox has moved from version 5 to version
10.0.1, now that’s a pace! 😉 But the important bits are…enforcing
MPROTECT has never been easier…well, almost. 😉

Thanks to this attachment in this bug, the latest version of Firefox compiles fine on hardened profiles (or simply on grsec kernels).

In order to enable MPROTECT restrictions, edit the ebuild and at the top add pax_kernel flag to IUSE so it reads like this:

IUSE="bindist +crashreporter +ipc +minimal pgo selinux system-sqlite +webm pax_kernel"

also, add the following snippet in src_configure() before the # Finalize and report settings line:

if use pax_kernel; then
   mozconfig_annotate '' --disable-methodjit
   mozconfig_annotate '' --disable-tracejit

…and get rid of the following lines in src_install():

# Pax mark xpcshell for hardened support, only used for startupcache creation.
pax-mark m "${S}/${obj_dir}"/dist/bin/xpcshell

and this:

# Required in order to use plugins and even run firefox on hardened.
pax-mark m "${ED}"${MOZILLA_FIVE_HOME}/{firefox,firefox-bin,plugin-container}

wan’t be able to run Java or Flash as they require RWX mappings which
will be not allowed when MPROTECT is enforced. If you need to use them,
you can use different browser for it, for instance Chromium.

Now digest your local ebuild:

# ebuild /usr/local/portage/www-client/firefox/firefox-10.0.1.ebuild digest
>>> Creating Manifest for /usr/local/portage/www-client/firefox

you’re ready to emerge! ;] Once done, start Firefox. If you’re starting
it from the command line, you’ll see the following (expected) error:

LLVM ERROR: Allocation failed when allocating new memory in the JIT
Can't allocate RWX Memory: Operation not permitted

which is exactly what we wanted 🙂 …and to verify that it works as expected:

$ for pid in $(ps -ef | grep [f]irefox | awk '{print $2}'); do cat /proc/$pid/status | grep PaX; done
PaX: PeMRs

Note the capital ‘M‘ – you’re mprotected! ;]

Any opinions, news, research, analyses, prices or other information ("information") contained on this Blog, constitutes marketing communication and it has not been prepared in accordance with legal requirements designed to promote the independence of investment research. Further, the information contained within this Blog does not contain (and should not be construed as containing) investment advice or an investment recommendation, or an offer of, or solicitation for, a transaction in any financial instrument. LMAX Group has not verified the accuracy or basis-in-fact of any claim or statement made by any third parties as comments for every Blog entry.

LMAX Group will not accept liability for any loss or damage, including without limitation to, any loss of profit, which may arise directly or indirectly from use of or reliance on such information. No representation or warranty is given as to the accuracy or completeness of the above information. While the produced information was obtained from sources deemed to be reliable, LMAX Group does not provide any guarantees about the reliability of such sources. Consequently any person acting on it does so entirely at his or her own risk. It is not a place to slander, use unacceptable language or to promote LMAX Group or any other FX and CFD provider and any such postings, excessive or unjust comments and attacks will not be allowed and will be removed from the site immediately.