Grant 02-14-2012 07:39 PM

Firefox won't compile on hardened profile
 
Firefox won't compile on my system due to the issue described here:

http://www.gossamer-threads.com/lists/gentoo/hardened/245060

They seem to be able to make it compile by enabling softmode. That
doesn't work for me, I have the same issue in softmode. I think this
is because of my hardened profile. Is there any way to fix this or
should I look for a different browser?

- Grant

Alex Efros 02-14-2012 07:44 PM

Hi!

On Tue, Feb 14, 2012 at 12:39:04PM -0800, Grant wrote:
> Is there any way to fix this or should I look for a different browser?

Use firefox-bin. Or you have to compile it yourself?

--
WBR, Alex.

Grant 02-14-2012 07:49 PM

>> Is there any way to fix this or should I look for a different browser?
>
> Use firefox-bin. Or you have to compile it yourself?

You're right, I should have said:

Is there any way to fix this or should I use firefox-bin?

:)

- Grant

Ewald Tienkamp 02-14-2012 08:18 PM

The following was received from Grant, on 02/14/12 21:39:
> Firefox won't compile on my system due to the issue described here:
>
> http://www.gossamer-threads.com/lists/gentoo/hardened/245060

FWIW: I had no trouble compiling Firefox 9.0 on my amd64 system using
the current stable 3.2.2-r1 kernel, gcc 4.5.3, grsec/pax enabled.

--
Ewald Tienkamp
ewald@tienkamp.nl

Grant 02-14-2012 08:59 PM

>> Firefox won't compile on my system due to the issue described here:
>>
>> http://www.gossamer-threads.com/lists/gentoo/hardened/245060
>
> FWIW: I had no trouble compiling Firefox 9.0 on my amd64 system using
> the current stable 3.2.2-r1 kernel, gcc 4.5.3, grsec/pax enabled.

To confirm, you aren't on a hardened profile?

- Grant

Ewald Tienkamp 02-14-2012 10:26 PM

The following was received from Grant, on 02/14/12 22:59:
>>> Firefox won't compile on my system due to the issue described
>>> here:
>>>
>>> http://www.gossamer-threads.com/lists/gentoo/hardened/245060
>>
>> FWIW: I had no trouble compiling Firefox 9.0 on my amd64 system
>> using the current stable 3.2.2-r1 kernel, gcc 4.5.3, grsec/pax
>> enabled.
>
> To confirm, you aren't on a hardened profile?

I am on a hardened profile, currently using
hardened/linux/amd64/no-multilib/selinux profile, only running stable
software.

--
Ewald Tienkamp

Grant 02-15-2012 03:39 PM

>>>> Firefox won't compile on my system due to the issue described
>>>> here:
>>>>
>>>> http://www.gossamer-threads.com/lists/gentoo/hardened/245060
>>>
>>> FWIW: I had no trouble compiling Firefox 9.0 on my amd64 system
>>> using the current stable 3.2.2-r1 kernel, gcc 4.5.3, grsec/pax
>>> enabled.
>>
>> To confirm, you aren't on a hardened profile?
>
> I am on a hardened profile, currently using
> hardened/linux/amd64/no-multilib/selinux profile, only running stable
> software.

I don't get it then. Does anyone know why I can't compile Firefox as
described in the link above? This sums it up:

"firefox-9.0 ebuild stalls at the install phase while xpcshell command
tops CPU usage for hours."

Although xpcshell doesn't use any CPU for me. It just sits there and
the install phase doesn't proceed.

- Grant

Hinnerk van Bruinehsen 02-15-2012 04:10 PM

On 15.02.2012 17:39, Grant wrote:
>>>>> Firefox won't compile on my system due to the issue
>>>>> described here:
>>>>>
>>>>> http://www.gossamer-threads.com/lists/gentoo/hardened/245060
>>>>
>>>> FWIW: I had no trouble compiling Firefox 9.0 on my amd64 system
>>>> using the current stable 3.2.2-r1 kernel, gcc 4.5.3,
>>>> grsec/pax enabled.
>>>
>>> To confirm, you aren't on a hardened profile?
>>
>> I am on a hardened profile, currently using
>> hardened/linux/amd64/no-multilib/selinux profile, only running
>> stable software.
>
> I don't get it then. Does anyone know why I can't compile Firefox
> as described in the link above? This sums it up:
>
> "firefox-9.0 ebuild stalls at the install phase while xpcshell
> command tops CPU usage for hours."
>
> Although xpcshell doesn't use any CPU for me. It just sits there
> and the install phase doesn't proceed.
>
> - Grant
>

I can compile Icecat with a customized ebuild. Since it's basically
the same as Firefox, maybe that helps. Basically it disables jit.


# Copyright 1999-2012 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/www-client/icecat/icecat-10.0-r1.ebuild,v 1.1 2012/02/13 17:25:09 polynomial-c Exp $

EAPI="3"
VIRTUALX_REQUIRED="pgo"
WANT_AUTOCONF="2.1"

# This list can be updated with scripts/get_langs.sh from the mozilla overlay
MOZ_LANGS=(af ak ar as ast be bg bn-BD bn-IN br bs ca cs csb cy da de el en
en-GB en-US en-ZA eo es-AR es-CL es-ES es-MX et eu fa fi fr fy-NL ga-IE gd gl
gu-IN he hi-IN hr hu hy-AM id is it ja kk kn ko ku lg lt lv mai mk ml mr nb-NO
nl nn-NO nso or pa-IN pl pt-BR pt-PT rm ro ru si sk sl son sq sr sv-SE ta ta-LK
te th tr uk vi zh-CN zh-TW zu)

# Convert the ebuild version to the upstream mozilla version, used by mozlinguas
MOZ_PV="${PV/_alpha/a}" # Handle alpha for SRC_URI
MOZ_PV="${MOZ_PV/_beta/b}" # Handle beta for SRC_URI
MOZ_PV="${MOZ_PV/_rc/rc}" # Handle rc for SRC_URI

# Patch version
PATCH="firefox-10.0-patches-0.5"
# Upstream ftp release URI that's used by mozlinguas.eclass
# We don't use the http mirror because it deletes old tarballs.
MOZ_FTP_URI="ftp://ftp.mozilla.org/pub/firefox/releases"

inherit check-reqs flag-o-matic toolchain-funcs eutils gnome2-utils mozconfig-3 multilib pax-utils fdo-mime autotools python virtualx nsplugins mozlinguas

DESCRIPTION="GNU project's edition of Mozilla Firefox"
HOMEPAGE="http://www.gnu.org/software/gnuzilla/"

KEYWORDS="~amd64 ~ppc ~ppc64 ~x86"
SLOT="0"
LICENSE="|| ( MPL-1.1 GPL-2 LGPL-2.1 )"
IUSE="+crashreporter +ipc pgo methodjit tracejit pax_kernel selinux
system-sqlite +webm"

# More URIs appended below...
SRC_URI="${SRC_URI}
mirror://gnu/gnuzilla/${MOZ_PV}/${PN}-${MOZ_PV}.tar.xz
http://dev.gentoo.org/~anarchy/mozilla/patchsets/${PATCH}.tar.xz
http://dev.gentoo.org/~polynomial-c/mozilla/ff1001.diff"

ASM_DEPEND=">=dev-lang/yasm-1.1"

# Mesa 7.10 needed for WebGL + bugfixes
RDEPEND="
>=sys-devel/binutils-2.16.1
>=dev-libs/nss-3.13.1
>=dev-libs/nspr-4.8.8
>=dev-libs/glib-2.26:2
>=media-libs/mesa-7.10
media-libs/libpng[apng]
virtual/libffi
system-sqlite? ( >=dev-db/sqlite-3.7.7.1[fts3,secure-delete,threadsafe,unlock-notify,debug=] )
webm? ( >=media-libs/libvpx-0.9.7
media-libs/alsa-lib )
crashreporter? ( net-misc/curl )
selinux? ( sec-policy/selinux-mozilla )"
# We don't use PYTHON_DEPEND/PYTHON_USE_WITH for some silly reason
DEPEND="${RDEPEND}
dev-util/pkgconfig
pgo? (
=dev-lang/python-2*[sqlite]
>=sys-devel/gcc-4.5 )
webm? ( x86? ( ${ASM_DEPEND} )
amd64? ( ${ASM_DEPEND} ) )"

QA_PRESTRIPPED="usr/$(get_libdir)/${PN}/${PN}"

pkg_setup() {
moz_pkgsetup

# Avoid PGO profiling problems due to environment leakage
# These should *always* be cleaned up anyway
unset DBUS_SESSION_BUS_ADDRESS \
    DISPLAY \
    ORBIT_SOCKETDIR \
    SESSION_MANAGER \
    XDG_SESSION_COOKIE \
    XAUTHORITY

if use pgo ; then
einfo
ewarn "You will do a double build for profile guided optimization."
ewarn "This will result in your build taking at least twice as long as before."
fi

# Ensure we have enough disk space to compile
if use pgo || use debug || use test ; then
CHECKREQS_DISK_BUILD="8G"
else
CHECKREQS_DISK_BUILD="4G"
fi
check-reqs_pkg_setup
}

src_unpack() {
unpack ${A}

# Unpack language packs
mozlinguas_src_unpack
}

src_prepare() {
# Make this a 10.0.1 release
epatch "${DISTDIR}"/ff1001.diff

# Fix preferences location
sed -i 's|defaults/pref/|defaults/preferences/|' browser/installer/packages-static || die "sed failed"
# Apply our patches
EPATCH_EXCLUDE="2000-firefox_gentoo_install_dirs.patch"
EPATCH_SUFFIX="patch"
EPATCH_FORCE="yes"
epatch "${WORKDIR}/firefox"

epatch "${FILESDIR}"/2000-icecat-6_gentoo_install_dirs.patch

# Allow user to apply any additional patches without modifying ebuild
epatch_user

# Fix rebranding
sed -i 's|$(DIST)/bin/firefox|$(DIST)/bin/icecat|' browser/app/Makefile.in

# Enable gnomebreakpad
if use debug ; then
sed -i -e "s:GNOME_DISABLE_CRASH_DIALOG=1:GNOME_DISABLE_CRASH_DIALOG=0:g" \
    "${S}"/build/unix/run-mozilla.sh || die "sed failed!"
fi

# Disable gnomevfs extension
sed -i -e "s:gnomevfs::" "${S}/"browser/confvars.sh \
    -e "s:gnomevfs::" "${S}/"xulrunner/confvars.sh \
    || die "Failed to remove gnomevfs extension"

# Ensure that our plugins dir is enabled as default
sed -i -e "s:/usr/lib/mozilla/plugins:/usr/$(get_libdir)/nsbrowser/plugins:" \
    "${S}"/xpcom/io/nsAppFileLocationProvider.cpp || die "sed failed to replace plugin path!"

# Fix sandbox violations during make clean, bug 372817
sed -e "s:\(/no-such-file\):${T}\1:g" \
    -i "${S}"/config/rules.mk \
    -i "${S}"/js/src/config/rules.mk \
    -i "${S}"/nsprpub/configure{.in,} \
    || die

# Fix compilation with curl-7.21.7 bug 376027
sed -e '/#include <curl\/types.h>/d' \
    -i "${S}"/toolkit/crashreporter/google-breakpad/src/common/linux/http_upload.cc \
    -i "${S}"/toolkit/crashreporter/google-breakpad/src/common/linux/libcurl_wrapper.cc \
    -i "${S}"/config/system-headers \
    -i "${S}"/js/src/config/system-headers || die "Sed failed"

eautoreconf
}

src_configure() {
# We will build our own .mozconfig
rm "${S}"/.mozconfig

MOZILLA_FIVE_HOME="/usr/$(get_libdir)/${PN}"
MEXTENSIONS="default"

####################################
#
# mozconfig, CFLAGS and CXXFLAGS setup
#
####################################

mozconfig_init
mozconfig_config

# It doesn't compile on alpha without this LDFLAGS
use alpha && append-ldflags "-Wl,--no-relax"

# Specific settings for icecat
echo "export MOZ_PHOENIX=1" >> "${S}"/.mozconfig
echo "mk_add_options MOZ_PHOENIX=1" >> "${S}"/.mozconfig
mozconfig_annotate '' --with-branding=browser/branding/unofficial
mozconfig_annotate '' --disable-official-branding
mozconfig_annotate '' --with-user-appdir=.icecat

mozconfig_annotate '' --prefix="${EPREFIX}"/usr
mozconfig_annotate '' --libdir="${EPREFIX}"/usr/$(get_libdir)
mozconfig_annotate '' --enable-extensions="${MEXTENSIONS}"
mozconfig_annotate '' --disable-gconf
mozconfig_annotate '' --disable-mailnews
mozconfig_annotate '' --enable-canvas
mozconfig_annotate '' --enable-safe-browsing
mozconfig_annotate '' --with-system-png
mozconfig_annotate '' --enable-system-ffi

# Other browser-specific settings
mozconfig_annotate '' --with-default-mozilla-five-home=${MOZILLA_FIVE_HOME}
mozconfig_annotate '' --target="${CTARGET:-${CHOST}}"

mozconfig_use_enable system-sqlite

# Allow for a proper pgo build
if use pgo ; then
echo "mk_add_options PROFILE_GEN_SCRIPT='\$(PYTHON) \$(OBJDIR)/_profile/pgo/profileserver.py'" >> "${S}"/.mozconfig
fi

# With JIT disabled, the browser no longer needs writable+executable memory
if use pax_kernel; then
mozconfig_annotate '' --disable-methodjit
mozconfig_annotate '' --disable-tracejit
fi


# Finalize and report settings
mozconfig_final

if [[ $(gcc-major-version) -lt 4 ]]; then
append-cxxflags -fno-stack-protector
elif [[ $(gcc-major-version) -gt 4 || $(gcc-minor-version) -gt 3 ]]; then
if use amd64 || use x86; then
append-flags -mno-avx
fi
fi
}

src_compile() {
if use pgo; then
addpredict /root
addpredict /etc/gconf
# Reset and cleanup environment variables used by GNOME/XDG
gnome2_environment_reset

# icecat tries to use dri stuff when it's run, see bug 380283
shopt -s nullglob
cards=$(echo -n /dev/dri/card* | sed 's/ /:/g')
if test -n "${cards}"; then
# FOSS drivers are fine
addpredict "${cards}"
else
cards=$(echo -n /dev/ati/card* /dev/nvidiactl* | sed 's/ /:/g')
if test -n "${cards}"; then
# Binary drivers seem to cause access violations anyway, so
# let's use indirect rendering so that the device files aren't
# touched at all. See bug 394715.
export LIBGL_ALWAYS_INDIRECT=1
fi
fi
shopt -u nullglob

CC="$(tc-getCC)" CXX="$(tc-getCXX)" LD="$(tc-getLD)" \
    MOZ_MAKE_FLAGS="${MAKEOPTS}" \
    Xemake -f client.mk profiledbuild || die "Xemake failed"
else
CC="$(tc-getCC)" CXX="$(tc-getCXX)" LD="$(tc-getLD)" \
    MOZ_MAKE_FLAGS="${MAKEOPTS}" \
    emake -f client.mk || die "emake failed"
fi

}

src_install() {
MOZILLA_FIVE_HOME="/usr/$(get_libdir)/${PN}"

# MOZ_BUILD_ROOT, and hence OBJ_DIR change depending on arch, compiler, pgo, etc.
local obj_dir="$(echo */config.log)"
obj_dir="${obj_dir%/*}"
cd "${S}/${obj_dir}"

# Pax mark xpcshell for hardened support, only used for startupcache creation.
pax-mark m "${S}/${obj_dir}"/dist/bin/xpcshell

# Add our default prefs for firefox + xulrunner
cp "${FILESDIR}"/gentoo-default-prefs.js-1 \
    "${S}/${obj_dir}/dist/bin/defaults/pref/all-gentoo.js" || die

MOZ_MAKE_FLAGS="${MAKEOPTS}" \
    emake DESTDIR="${D}" install || die "emake install failed"

# Install language packs
mozlinguas_src_install

local size sizes icon_path icon name

sizes="16 32 48"
icon_path="${S}/browser/branding/unofficial"

# Install icons and .desktop for menu entry
for size in ${sizes}; do
insinto "/usr/share/icons/hicolor/${size}x${size}/apps"
newins "${icon_path}/default${size}.png" "${PN}.png" || die
done
# The 128x128 icon has a different name
insinto "/usr/share/icons/hicolor/128x128/apps"
newins "${icon_path}/mozicon128.png" "${PN}.png" || die
# Install a 48x48 icon into /usr/share/pixmaps for legacy DEs
newicon "${icon_path}/content/icon48.png" "${PN}.png" || die
newmenu "${FILESDIR}/icon/${PN}.desktop" "${PN}.desktop" || die
sed -e "/^Icon/s:${PN}-icon:${PN}:" -i \
    "${ED}/usr/share/applications/${PN}.desktop" || die

# Add StartupNotify=true bug 237317
if use startup-notification ; then
echo "StartupNotify=true" >> "${ED}/usr/share/applications/${PN}.desktop"
fi

# Required in order to use plugins and even run firefox on hardened.
pax-mark m "${ED}"${MOZILLA_FIVE_HOME}/{${PN}{,-bin},plugin-container}

# Plugins dir
share_plugins_dir
}

pkg_preinst() {
gnome2_icon_savelist
}

pkg_postinst() {
# Update mimedb for the new .desktop file
fdo-mime_desktop_database_update
gnome2_icon_cache_update
}

pkg_postrm() {
gnome2_icon_cache_update
}

Radek Madej 02-15-2012 07:38 PM

Hi,

On Wednesday 15 February 2012 18:10:51 Hinnerk van Bruinehsen wrote:
> On 15.02.2012 17:39, Grant wrote:
> >
> > I don't get it then. Does anyone know why I can't compile Firefox
> > as described in the link above? This sums it up:
> >
> > "firefox-9.0 ebuild stalls at the install phase while xpcshell
> > command tops CPU usage for hours."
> >
> > Although xpcshell doesn't use any CPU for me. It just sits there
> > and the install phase doesn't proceed.
> >
> > - Grant
>
> I can compile Icecat with a customized ebuild. Since it's basically
> the same as Firefox, maybe that helps. Basically it disables jit.
>

You can't compile it on a grsec kernel because of this bug: :)
https://bugs.gentoo.org/show_bug.cgi?id=396275

It's odd that it hangs at xpcshell for you as it's already paxmarked in the
ebuild...

Anyway, I'd suggest:

1) keyword firefox so you can get the latest one, which currently is the
10.0.1. I'm not sure if the security patches between 9.0.1 and 10.0.1 have
been backported. AFAIK, Firefox-10.0.1 from the ebuild in portage tree will
compile just fine on hardened.

2) As suggested, disabling JIT will do the trick and it seems like recent
versions of Firefox can actually have it disabled properly. So the ebuild for
icecat/firefox will work for you, you just need this in src_configure() :

if use pax_kernel; then
mozconfig_annotate '' --disable-methodjit
mozconfig_annotate '' --disable-tracejit
fi

3) the other benefit of disabling jit completely is that you can now disable
the paxmarking turning MPROTECT off and benefit from properly enforced W^X pages
:) Unless you want to use FF for flash or java that is... ;)

Cheers,
Radek

Radek Madej 02-15-2012 09:15 PM

On Wednesday 15 February 2012 20:38:21 Radek Madej wrote:
>
> 2) As suggested, disabling JIT will do the trick and it seems like recent
> versions of Firefox can actually have it disabled properly. So the ebuild
> for icecat/firefox will work for you, you just need this in src_configure()
> :
>
> if use pax_kernel; then
> mozconfig_annotate '' --disable-methodjit
> mozconfig_annotate '' --disable-tracejit
> fi
>

I forgot to add that you also need to add the pax_kernel flag to IUSE in the
ebuild (see the previously attached ebuild for icecat)

Cheers,
Radek
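
The three conditions from Radek's two posts above (pax_kernel declared in IUSE, both JIT engines disabled under it in src_configure(), and whether a "pax-mark m" still switches MPROTECT off) can be checked mechanically. The script below is an added example, not part of the thread or of any Gentoo tool; its function names and result labels are hypothetical, and the sample ebuild is a constructed reduction of the one attached earlier.

```bash
# Added example, not code from the thread; function names and labels are hypothetical.

# Print the body of function $2 in ebuild $1 (closing brace assumed at column 0).
func_body() {
    awk -v fn="$2" '
        $0 ~ "^" fn "\\(\\)" { on = 1; next }
        on && /^}/           { exit }
        on' "$1"
}

# Succeed if USE flag $2 is declared in the (possibly multi-line) IUSE of ebuild $1.
iuse_has() {
    awk '/^IUSE="/ { on = 1 }
         on { q += gsub(/"/, ""); print; if (q >= 2) exit }' "$1" |
        sed 's/^IUSE=//' | tr -s '[:space:]' '\n' | sed 's/^[+-]//' | grep -qx -- "$2"
}

# Classify ebuild $1 and print one of:
#   no-flag         pax_kernel is not declared in IUSE
#   jit-enabled     src_configure does not disable both JITs under "use pax_kernel"
#   jit-off-marked  JITs are disabled, but a "pax-mark m" still turns MPROTECT off
#   jit-off-wx      JITs are disabled and nothing is marked: W^X stays enforced
audit_ebuild() {
    iuse_has "$1" pax_kernel || { echo no-flag; return 0; }
    guarded=$(func_body "$1" src_configure | awk '
        /^[ \t]*if use pax_kernel/ { on = 1; next }
        on && /^[ \t]*fi/          { on = 0 }
        on')
    for opt in --disable-methodjit --disable-tracejit; do
        printf '%s\n' "$guarded" | grep -q -- "$opt" || { echo jit-enabled; return 0; }
    done
    grep -Eq '^[[:space:]]*pax-mark[[:space:]]+-?[A-Za-z]*m' "$1" && { echo jit-off-marked; return 0; }
    echo jit-off-wx
}

# Constructed sample: the relevant lines of the ebuild posted above, reduced.
sample_ebuild() {
    cat <<'EOF'
IUSE="+crashreporter +ipc pgo methodjit tracejit pax_kernel selinux
system-sqlite +webm"
src_configure() {
    if use pax_kernel; then
        mozconfig_annotate '' --disable-methodjit
        mozconfig_annotate '' --disable-tracejit
    fi
}
src_install() {
    pax-mark m "${ED}"${MOZILLA_FIVE_HOME}/{${PN}{,-bin},plugin-container}
}
EOF
}

tmp=$(mktemp); sample_ebuild > "$tmp"; audit_ebuild "$tmp"; rm -f "$tmp"
```

Call it as audit_ebuild path/to/file.ebuild. The attached ebuild classifies as jit-off-marked; jit-off-wx is the state described in point 3 of Radek's first post.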

