Default MPROTECT restriction for Firefox and Thunderbird on Gentoo Hardened

2012-06-05
2 min read

Good news! The Firefox and Thunderbird ebuilds in the portage tree now disable the JIT by default, using the two configuration options I've posted about before. Instead of relying on the pax_kernel USE flag, they key both options off the jit USE flag, which is disabled by default on the hardened profile. Long story short: if you have selected a hardened profile, Firefox and Thunderbird will run without RWX memory pages and with mprotect() restrictions correctly enforced, by default. Happy days :)

From firefox-13.0.ebuild:

```bash
# Both methodjit and tracejit conflict with PaX
mozconfig_use_enable jit methodjit
mozconfig_use_enable jit tracejit
```

You can quickly check that you are using a hardened profile by running eselect; the asterisk marks the active profile:

```
# eselect profile list
Available profile symlink targets:
  [1]   default/linux/amd64/10.0
  [2]   default/linux/amd64/10.0/selinux
  [3]   default/linux/amd64/10.0/desktop
  [4]   default/linux/amd64/10.0/desktop/gnome
  [5]   default/linux/amd64/10.0/desktop/kde
  [6]   default/linux/amd64/10.0/developer
  [7]   default/linux/amd64/10.0/no-multilib
  [8]   default/linux/amd64/10.0/server
  [9]   hardened/linux/amd64
  [10]  hardened/linux/amd64/selinux
  [11]  hardened/linux/amd64/no-multilib *
  [12]  hardened/linux/amd64/no-multilib/selinux
```
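Knowing the profile tells you what the ebuild was built with; it does not tell you what the running browser actually does. The script below, an added example that is not part of the original post, checks the second half of the claim above: it scans /proc/&lt;pid&gt;/maps for mappings that are writable and executable at the same time, which is exactly what a JIT-enabled build would create and what a PaX MPROTECT kernel would have to deny. The process name, the constructed sample maps listings and the library path in them are assumptions for illustration; the `--live` switch runs the check against real processes.

```shell
#!/bin/sh
# Added example (not from the original post): report writable+executable
# (rwx) mappings of a running Firefox or Thunderbird.  A JIT-free build under
# a PaX MPROTECT kernel should show none.

# Count mappings whose permission field starts with "rwx" in a
# /proc/<pid>/maps listing read from stdin (second column is e.g. "rw-p").
count_rwx_maps() {
    awk '$2 ~ /^rwx/ { n++ } END { print n + 0 }'
}

# Print each rwx mapping: address range, permissions, backing file or [anon].
list_rwx_maps() {
    awk '$2 ~ /^rwx/ { print $1, $2, ($6 == "" ? "[anon]" : $6) }'
}

# Inspect every live process whose command name matches $1 (default: firefox).
# Returns 0 when no rwx mapping exists, 1 otherwise.  Reading another user's
# /proc/<pid>/maps needs matching ownership or root.
check_live() {
    name=${1:-firefox}
    status=0
    for pid in $(pgrep -x "$name" 2>/dev/null); do
        n=$(count_rwx_maps < "/proc/$pid/maps")
        if [ "$n" -gt 0 ]; then
            echo "PID $pid ($name): $n rwx mapping(s):"
            list_rwx_maps < "/proc/$pid/maps"
            status=1
        else
            echo "PID $pid ($name): no rwx mappings"
        fi
    done
    return $status
}

# Constructed sample listings (not captured from a real process) so the
# functions can be exercised without a PaX kernel or a running browser.
# The install path /usr/lib64/firefox/firefox is an assumption.
SAMPLE_CLEAN='7f2a00000000-7f2a00001000 r-xp 00000000 08:01 131072 /usr/lib64/firefox/firefox
7f2a00201000-7f2a00202000 rw-p 00001000 08:01 131072 /usr/lib64/firefox/firefox
7f2a00400000-7f2a00500000 rw-p 00000000 00:00 0 [heap]'

# What a JIT-enabled build looks like: anonymous rwx pages for emitted code.
SAMPLE_JIT='7f2a00000000-7f2a00001000 r-xp 00000000 08:01 131072 /usr/lib64/firefox/firefox
7f2a00600000-7f2a00700000 rwxp 00000000 00:00 0
7f2a00800000-7f2a00801000 rwxp 00000000 00:00 0'

count_sample_clean() { printf '%s\n' "$SAMPLE_CLEAN" | count_rwx_maps; }
count_sample_jit()   { printf '%s\n' "$SAMPLE_JIT"   | count_rwx_maps; }

# Run against live processes only when asked, e.g.:
#   sh check_rwx.sh --live thunderbird
if [ "${1:-}" = "--live" ]; then
    check_live "${2:-firefox}"
fi
```

On the constructed samples the clean listing yields 0 and the JIT listing yields 2. A complementary build-time check is `emerge -pv www-client/firefox`, whose USE column should show `-jit` on a hardened profile.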

Bear in mind that plugins such as Flash or Java (and the video plugins built on them) will very likely crash a browser running under these restrictions, since their own JITs need RWX pages. One answer is to use Flash/Java in a different browser, such as Chromium, which requires RWX pages anyway. Alternatively, use a browser that cannot benefit from compile-time hardening in the first place because its source code is not available, Opera for instance.

If you experience random Firefox or Thunderbird crashes, make sure all of the plugins mentioned above are disabled first, and then try again.