Default MPROTECT restriction for Firefox and Thunderbird on Gentoo Hardened

LMAX Exchange

Good news! The Firefox and Thunderbird ebuilds in the portage tree
disable JIT by default, using the two configuration options I’ve posted
about before. Instead of using the pax_kernel USE flag, they incorporate the jit
flag, which is by default disabled on the hardened profile. So, to
make the long story short – if you have selected the hardened profile,
your Firefox and Thunderbird will work without use of RWX memory pages
and with correctly enforced mprotect() restrictions…by default! Happy
days 🙂

From the firefox-13.0.ebuild:

# Both methodjit and tracejit conflict with PaX
mozconfig_use_enable jit methodjit
mozconfig_use_enable jit tracejit

You can quickly check that you are using hardened profile by running:

# eselect profile list
Available profile symlink targets:
[1] default/linux/amd64/10.0
[2] default/linux/amd64/10.0/selinux
[3] default/linux/amd64/10.0/desktop
[4] default/linux/amd64/10.0/desktop/gnome
[5] default/linux/amd64/10.0/desktop/kde
[6] default/linux/amd64/10.0/developer
[7] default/linux/amd64/10.0/no-multilib
[8] default/linux/amd64/10.0/server
[9] hardened/linux/amd64
[10] hardened/linux/amd64/selinux
[11] hardened/linux/amd64/no-multilib *
[12] hardened/linux/amd64/no-multilib/selinux

Bear
in mind, that using video plugins, flash or java, will very likely
crash your browser. An answer to that could be to use Flash/Java in a
different web browser, such as Chromium, which requires RWX pages
anyway. Alternatively, one could use a browser that cannot benefit from
other hardening options during compilation, simply because its source
code is not available, for instance – Opera.

If you experience
random Firefox or Thunderbird crashes, make sure that you have all of
the aforementioned plugins disabled first, and then try again.

LMAX Exchange Staff Blogs Radek Madej   Foreign Exchange   LMAX Exchange  

Any opinions, news, research, analyses, prices or other information ("information") contained on this Blog, constitutes marketing communication and it has not been prepared in accordance with legal requirements designed to promote the independence of investment research. Further, the information contained within this Blog does not contain (and should not be construed as containing) investment advice or an investment recommendation, or an offer of, or solicitation for, a transaction in any financial instrument. LMAX Group has not verified the accuracy or basis-in-fact of any claim or statement made by any third parties as comments for every Blog entry.

LMAX Group will not accept liability for any loss or damage, including without limitation to, any loss of profit, which may arise directly or indirectly from use of or reliance on such information. No representation or warranty is given as to the accuracy or completeness of the above information. While the produced information was obtained from sources deemed to be reliable, LMAX Group does not provide any guarantees about the reliability of such sources. Consequently any person acting on it does so entirely at his or her own risk. It is not a place to slander, use unacceptable language or to promote LMAX Group or any other FX and CFD provider and any such postings, excessive or unjust comments and attacks will not be allowed and will be removed from the site immediately.