It’s been a while and Firefox has moved from version 5 to version 10.0.1, now that’s a pace! ;) But the important bits are…enforcing MPROTECT has never been easier…well, almost. ;)
Thanks to this attachment in this bug, the latest version of Firefox compiles fine on hardened profiles (or simply on grsec kernels).
In order to enable MPROTECT restrictions, edit the ebuild and at the top add the pax_kernel flag to IUSE so it reads like this:

    IUSE="bindist +crashreporter +ipc +minimal pgo selinux system-sqlite +webm pax_kernel"

Also, add the following snippet in src_configure() before the "# Finalize and report settings" line:

    if use pax_kernel; then
        mozconfig_annotate '' --disable-methodjit
        mozconfig_annotate '' --disable-tracejit
    fi

…and get rid of the following lines in src_install():

    # Pax mark xpcshell for hardened support, only used for startupcache creation.
    pax-mark m "${S}/${obj_dir}"/dist/bin/xpcshell

and this:

    # Required in order to use plugins and even run firefox on hardened.
    pax-mark m "${ED}"${MOZILLA_FIVE_HOME}/{firefox,firefox-bin,plugin-container}
NOTE: You won’t be able to run Java or Flash, as they require RWX mappings, which are not allowed when MPROTECT is enforced. If you need to use them, you can use a different browser for that, for instance Chromium.
Now digest your local ebuild:

    # ebuild /usr/local/portage/www-client/firefox/firefox-10.0.1.ebuild digest
    >>> Creating Manifest for /usr/local/portage/www-client/firefox
…and you’re ready to emerge! ;] Once done, start Firefox. If you’re starting it from the command line, you’ll see the following (expected) error:

    LLVM ERROR: Allocation failed when allocating new memory in the JIT
    Can't allocate RWX Memory: Operation not permitted
which is exactly what we wanted :) …and to verify that it works as expected:

    $ for pid in $(ps -ef | grep [f]irefox | awk '{print $2}'); do cat /proc/$pid/status | grep PaX; done
    PaX: PeMRs
Note the capital ‘M’ - you’re mprotected! ;]
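As an added example (not from the original post), here is a small POSIX shell script that turns the one-liner above into a reusable check: it parses the PaX: line of /proc/<pid>/status, names each flag's state, and reports any running firefox process whose MPROTECT is not enforced. The sample status text and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Each letter on the "PaX:" line is
# upper-case when the feature is enforced and lower-case when disabled; the
# kernel prints them as P (PAGEEXEC), E (EMUTRAMP), M (MPROTECT), R (RANDMMAP),
# S (SEGMEXEC), so "PeMRs" means MPROTECT is on, EMUTRAMP/SEGMEXEC are off.
# Print the flag string (e.g. PeMRs) from the full text of a status file.
pax_flags_from_status() {
    printf '%s\n' "$1" | awk '/^PaX:/ { print $2; exit }'
}
# Exit 0 when the flag string carries an upper-case M (MPROTECT enforced).
mprotect_enforced() {
    case "$1" in
        *M*) return 0 ;;
        *)   return 1 ;;
    esac
}
# Print one "NAME: state" line per PaX feature for a flag string.
describe_flags() {
    for letter in P E M R S; do
        case "$letter" in
            P) name=PAGEEXEC ;; E) name=EMUTRAMP ;; M) name=MPROTECT ;;
            R) name=RANDMMAP ;; S) name=SEGMEXEC ;;
        esac
        lower=$(printf '%s' "$letter" | tr 'A-Z' 'a-z')
        case "$1" in
            *"$letter"*) echo "$name: enforced" ;;
            *"$lower"*)  echo "$name: disabled" ;;
            *)           echo "$name: not reported" ;;
        esac
    done
}
# Walk live firefox processes (same ps/grep idea as above); return 1 if any
# of them runs without MPROTECT enforced.
check_running_firefox() {
    rc=0
    for pid in $(ps -ef | grep '[f]irefox' | awk '{print $2}'); do
        [ -r "/proc/$pid/status" ] || continue
        flags=$(pax_flags_from_status "$(cat "/proc/$pid/status")")
        if mprotect_enforced "$flags"; then
            echo "pid $pid: PaX $flags (MPROTECT enforced)"
        else
            echo "pid $pid: PaX $flags (MPROTECT NOT enforced)"; rc=1
        fi
    done
    return $rc
}
# Constructed sample of the relevant lines of /proc/<pid>/status.
SAMPLE_STATUS="$(printf 'Name:\tfirefox\nState:\tS (sleeping)\nPaX:\tPeMRs\nPid:\t1234\n')"
```

Run check_running_firefox after starting Firefox; a lower-case m in its output means the binary was PaX-marked or the kernel is not enforcing MPROTECT for it.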