Recently, I got myself a VStarCam IP camera, model H6837WI, relatively cheap for what you get - a H264 capable, wireless/wired IP camera with two way audio, SD card recording and few other nice features. The software provided with the camera is Windows only, which is a system I don’t use very often at home ;) …so I started with exploring the camera’s web interface, by default run on port 81. It turned out that the quicktime plugin didn’t seem to work in any browser and other than getting the direct H264 stream, this was the only way to get live video feed without the proprietary software.

While I was waiting for my Raspberry Pi to arrive, I decided to put my Nokia N900 for a better use and create a Gentoo chroot on the SD card to give the hardened ARM toolchain a go. For the record, I found these two links to be particularly useful when working on the chroot. N900 is not the fastest arm board out there, but it was the only ARM board I had at hand…Anyway, creating Gentoo chroot on N900 is quite simple actually.

I have finally got my hands on the awesome Raspberry Pi board with a vicious plan of running a hardened Gentoo on it of course ;] But before that could happen, I had to get a decent SD card for it, which turned out to be not that obvious. There’s a wiki page with a list of SD cards that should and shouldn’t work with your Raspberry. There’s also a discussion thread on the Raspberry Pi forum about performance of various cards, which is vital to the overall performance of the system.

Good news! The Firefox and Thunderbird ebuilds in the portage tree disable JIT by default, using the two configuration options I’ve posted about before. Instead of using the pax_kernel USE flag, they incorporate the jit flag, which is by default disabled on the hardened profile. So, to make the long story short - if you have selected the hardened profile, your Firefox and Thunderbird will work without use of RWX memory pages and with correctly enforced mprotect() restrictions…by default!

It’s been a while and Firefox has moved from version 5 to version 10.0.1, now that’s a pace! ;) But the important bits are…enforcing MPROTECT has never been easier…well, almost. ;) Thanks to this attachment in this bug, the latest version of Firefox compiles fine on hardened profiles (or simply on grsec kernels). In order to enable MPROTECT restrictions, edit the ebuild and at the top add pax_kernel flag to IUSE so it reads like this: