Good news! The Firefox and Thunderbird ebuilds in the portage tree disable JIT by default, using the two configuration options I’ve posted about before. Instead of using the pax_kernel USE flag, they rely on the jit USE flag, which is disabled by default on the hardened profile. So, to make a long story short: if you have selected the hardened profile, your Firefox and Thunderbird will run without RWX memory pages and with correctly enforced mprotect() restrictions…by default! Happy days :)
From the firefox-13.0.ebuild:

    # Both methodjit and tracejit conflict with PaX
    mozconfig_use_enable jit methodjit
    mozconfig_use_enable jit tracejit
You can quickly check that you are using the hardened profile by running:

    # eselect profile list
    Available profile symlink targets:
      [1]   default/linux/amd64/10.0
      [2]   default/linux/amd64/10.0/selinux
      [3]   default/linux/amd64/10.0/desktop
      [4]   default/linux/amd64/10.0/desktop/gnome
      [5]   default/linux/amd64/10.0/desktop/kde
      [6]   default/linux/amd64/10.0/developer
      [7]   default/linux/amd64/10.0/no-multilib
      [8]   default/linux/amd64/10.0/server
      [9]   hardened/linux/amd64
      [10]  hardened/linux/amd64/selinux
      [11]  hardened/linux/amd64/no-multilib *
      [12]  hardened/linux/amd64/no-multilib/selinux
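Beyond looking at the profile, it is worth verifying the end result: that the jit USE flag is really off and that the running browser holds no RWX mappings. The script below is an added example, not part of the original post or the Gentoo ebuilds. It defines small checks (the function names selected_profile, is_hardened, jit_enabled and count_rwx_maps are my own) and runs them over constructed sample output standing in for `eselect profile list`, `emerge -pv` and `/proc/<pid>/maps`; the live commands in the comments assume a Gentoo box with Firefox running under the process name firefox.

```shell
#!/bin/sh
# Added example: verify a hardened Gentoo desktop actually runs Firefox without JIT / RWX pages.
# All sample inputs below are constructed for illustration; replace them with live output.

# Print the active profile from `eselect profile list` output (the entry marked with '*').
selected_profile() {
    awk '/\*/ { for (i = 1; i <= NF; i++) if ($i ~ /\//) { print $i; exit } }'
}

# Return 0 if the profile path belongs to the hardened tree, 1 otherwise.
is_hardened() {
    case "$1" in
        hardened/*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Read `emerge -pv` output on stdin; return 0 if the jit USE flag is enabled ("jit"),
# 1 if it is disabled ("-jit") or absent.
jit_enabled() {
    sed -n 's/.*USE="\([^"]*\)".*/\1/p' | tr ' ' '\n' | grep -qx 'jit'
}

# Count mappings whose permissions start with rwx in /proc/<pid>/maps-style input.
# With PaX MPROTECT enforced and JIT disabled, a running Firefox should report 0.
count_rwx_maps() {
    awk '$2 ~ /^rwx/ { n++ } END { print n + 0 }'
}

# Constructed sample: a shortened `eselect profile list` with entry [11] selected.
SAMPLE_ESELECT='Available profile symlink targets:
  [9]   hardened/linux/amd64
  [10]  hardened/linux/amd64/selinux
  [11]  hardened/linux/amd64/no-multilib *
  [12]  hardened/linux/amd64/no-multilib/selinux'

# Constructed sample: an `emerge -pv` line with the jit flag disabled.
SAMPLE_EMERGE='[ebuild   R   ] www-client/firefox-13.0  USE="dbus ipc -jit -pgo" 0 kB'

# Constructed sample maps: one anonymous rwx mapping, as a JIT would need.
SAMPLE_MAPS_JIT='7f0000000000-7f0000021000 r-xp 00000000 08:01 1234 /usr/lib/firefox/firefox
7f0000021000-7f0000022000 r--p 00020000 08:01 1234 /usr/lib/firefox/firefox
7f0000100000-7f0000200000 rwxp 00000000 00:00 0
7f0000200000-7f0000300000 rw-p 00000000 00:00 0 [heap]'

# Constructed sample maps: what a hardened, JIT-less browser should look like (no rwx).
SAMPLE_MAPS_HARDENED='7f0000000000-7f0000021000 r-xp 00000000 08:01 1234 /usr/lib/firefox/firefox
7f0000100000-7f0000200000 rw-p 00000000 00:00 0
7f0000200000-7f0000300000 rw-p 00000000 00:00 0 [heap]'

# Demo on the constructed samples.
profile=$(printf '%s\n' "$SAMPLE_ESELECT" | selected_profile)
if is_hardened "$profile"; then
    echo "profile $profile: hardened"
else
    echo "profile $profile: NOT hardened"
fi
if printf '%s\n' "$SAMPLE_EMERGE" | jit_enabled; then
    echo "jit USE flag: enabled (RWX pages will be needed)"
else
    echo "jit USE flag: disabled"
fi
echo "rwx mappings, JIT sample:      $(printf '%s\n' "$SAMPLE_MAPS_JIT" | count_rwx_maps)"
echo "rwx mappings, hardened sample: $(printf '%s\n' "$SAMPLE_MAPS_HARDENED" | count_rwx_maps)"

# Live usage on a Gentoo box (assumes Firefox's process is named "firefox"):
#   eselect profile list | selected_profile
#   emerge -pv www-client/firefox | jit_enabled && echo "jit ON" || echo "jit OFF"
#   cat /proc/"$(pgrep -x firefox | head -n 1)"/maps | count_rwx_maps
```

The maps check is the one that settles the question: a profile name and a USE flag say what was intended at build time, while an rwx entry in /proc/<pid>/maps shows whether the process really obtained writable-and-executable memory, which is exactly what PaX MPROTECT is meant to refuse.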
Bear in mind that using video plugins, Flash or Java, will very likely crash your browser. One answer is to use Flash/Java in a different web browser, such as Chromium, which requires RWX pages anyway. Alternatively, one could use a browser that cannot benefit from the other compile-time hardening options in the first place, simply because its source code is not available, for instance Opera.
If you experience random Firefox or Thunderbird crashes, make sure that you have all of the aforementioned plugins disabled first, and then try again.