Good news! The Firefox and Thunderbird ebuilds in the portage tree
disable JIT by default, using the two configuration options I’ve posted
about before. Instead of using the pax_kernel USE flag, they use the jit
USE flag, which is disabled by default on the hardened profile. So, to
make a long story short – if you have selected the hardened profile,
your Firefox and Thunderbird will work without use of RWX memory pages
and with correctly enforced mprotect() restrictions… by default! Happy
days 🙂

From the firefox-13.0.ebuild:

    # Both methodjit and tracejit conflict with PaX
    mozconfig_use_enable jit methodjit
    mozconfig_use_enable jit tracejit

You can quickly check that you are using the hardened profile by running:

    # eselect profile list
    Available profile symlink targets:
    [1] default/linux/amd64/10.0
    [2] default/linux/amd64/10.0/selinux
    [3] default/linux/amd64/10.0/desktop
    [4] default/linux/amd64/10.0/desktop/gnome
    [5] default/linux/amd64/10.0/desktop/kde
    [6] default/linux/amd64/10.0/developer
    [7] default/linux/amd64/10.0/no-multilib
    [8] default/linux/amd64/10.0/server
    [9] hardened/linux/amd64
    [10] hardened/linux/amd64/selinux
    [11] hardened/linux/amd64/no-multilib *
    [12] hardened/linux/amd64/no-multilib/selinux

Bear in mind that using video plugins, Flash or Java will very likely
crash your browser. An answer to that could be to use Flash/Java in a
different web browser, such as Chromium, which requires RWX pages
anyway. Alternatively, one could use a browser that cannot benefit from
other hardening options during compilation, simply because its source
code is not available, for instance Opera.

If you experience random Firefox or Thunderbird crashes, make sure that
you have all of the aforementioned plugins disabled first, and then try
again.
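
To confirm on a running process that it really has no RWX memory pages, you can scan its /proc/<pid>/maps for mappings that are both writable and executable. The script below is an added example, not part of the original post or the ebuild; the function names and the sample maps are constructed for illustration.

```shell
#!/bin/sh
# Added example: find writable+executable mappings in /proc/<pid>/maps data.

# Reads maps-format lines on stdin and prints "range perms backing" for
# every mapping whose permission field contains both 'w' and 'x'.
# Only the first word of a backing path is kept (paths with spaces are cut).
rwx_mappings() {
    awk '$2 ~ /w/ && $2 ~ /x/ {
        backing = ($6 == "") ? "[anon]" : $6
        print $1, $2, backing
    }'
}

# Returns 0 if the process has no W+X mappings, 1 if it has some (and
# prints them), 2 if its maps file cannot be opened (process gone, or
# no permission to inspect it).
check_pid() {
    found=$(rwx_mappings 2>/dev/null < "/proc/$1/maps") || return 2
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample in /proc/<pid>/maps format, not captured from a real
# system. The third line is the kind of anonymous RWX region a JIT needs.
sample_maps() {
    cat <<'EOF'
00400000-0041c000 r-xp 00000000 08:03 131 /usr/lib64/firefox/firefox
0061b000-0061c000 rw-p 0001b000 08:03 131 /usr/lib64/firefox/firefox
7f3a10000000-7f3a10021000 rwxp 00000000 00:00 0
7f3a2c5d1000-7f3a2c5d3000 rw-p 00000000 00:00 0 [heap]
7ffd4a1e0000-7ffd4a201000 rw-p 00000000 00:00 0 [stack]
EOF
}

# Usage after sourcing this file, as the user that owns the process:
#   check_pid "$(pgrep -o firefox)" && echo "no RWX mappings"
```

An empty result for Firefox or Thunderbird on the hardened profile matches what the post describes; any line printed is a mapping that is writable and executable at the same time.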