On 17.05.2012 20:25, Radek Madej wrote:
> Hi,
>
> On Wednesday 16 May 2012 17:29:44 Anthony G. Basile wrote:
>> On 05/16/2012 12:12 PM, PaX Team wrote:
>>> On 16 May 2012 at 16:39, Hinnerk van Bruinehsen wrote:
>>>
>>>> at the moment the thunderbird-ebuild in the tree does a "pax mark m"
>>>> on the binary.
>>>> At least for me thunderbird works fine if I just disable jit.
>>>
>>> there're a few packages that define a local 'jit' USE flag, i'd say
>>> thunderbird/firefox/etc should use it as well to disable JIT related
>>> options and avoid the pax-mark (not sure why pax-kernel came to mean
>>> this, that's for kernel modules, not userland, and this JIT stuff is
>>> useful for more kernels than just PaX based ones).
>>>
>>
>> This flag was introduced to distinguish the above from USE="hardened"
>> which only refers to the toolchain, and the goodies it brings along.
>>
>> Having said that, it's clearly better to disable JIT and not pax mark
>> than vice versa. We have jit disabled by default in the hardened profiles.
>>
>
> ...so in the above example it's better to define the 'jit' flag in the ebuild
> for thunderbird rather than using 'pax_kernel'? Or should '-jit' and
> 'pax_kernel' result in disabling JIT in the ebuilds?
>
> I do exactly same stuff (if 'pax_kernel': disable_jit()) for firefox on my
> local overlay which allows me to run latest Firefox with mprotect on and no
> paxmarkings (I don't care about plugins on FF). Judging by what you've said,
> it'd be better to simply use 'jit' flag for it as it's disabled on the hardened
> profiles anyway...
>
> In theory we could then have the jit flag on both, Thunderbird and Firefox,
> which would allow the hardened users to benefit from mprotect, however any use
> of flash/java on FF would result in a crash anyway...but it's nice to have the
> choice me thinks...
>
> Cheers,
> Radek
>
>
If I understand it correctly, it should be the following way:
use pax_kernel to disable jit as the default and use jit to override
pax_kernel so people who would like to use for example flash could
enable it, if they want.
This way hardened would be default which would be the behaviour I would
expect for a hardened profile.
The most important question for me is: should I file a bug for that?
With kind regards,
Hinnerk