05-16-2012, 02:39 PM
Hinnerk van Bruinehsen

Paxmarkings on mail-client/thunderbird

Hi,

at the moment the thunderbird-ebuild in the tree does a "pax mark m"
on the binary.
At least for me thunderbird works fine if I just disable jit.

What would be the workflow for reporting that. Should I file a bugreport?

With kind regards

Hinnerk

PS: It follows a "proof of concept"-ebuild (just the diff) that works
for me:


- --- /usr/portage/mail-client/thunderbird/thunderbird-12.0.1.ebuild
2012-05-08 11:31:16.000000000 +0200
+++ thunderbird-12.0.1.ebuild 2012-05-16 16:34:26.111099366 +0200
@@ -33,7 +33,8 @@
KEYWORDS="~alpha ~amd64 ~arm ~ppc ~ppc64 ~x86 ~x86-fbsd ~amd64-linux
~x86-linux"
SLOT="0"
LICENSE="|| ( MPL-1.1 GPL-2 LGPL-2.1 )"
- -IUSE="bindist gconf +crashreporter +crypt +ipc +lightning +minimal
mozdom +webm"
+IUSE="bindist gconf +crashreporter +crypt +ipc +lightning +minimal mozdom
+pax_kernel +webm"

PATCH="thunderbird-10.0-patches-0.1"
PATCHFF="firefox-12.0-patches-0.1"
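Review bot: the "pax_kernel" entry added to IUSE names a kernel property, but the only thing this patch uses it for is switching off the JIT configure options in src_configure, so a flag named for what it toggles (for example a local "jit" flag) would be easier for users to read, and whichever name is kept should have its meaning documented with the ebuild. The added IUSE line has also been wrapped in transit, so "+pax_kernel +webm" reads as a second added line; resending the diff as an attachment would let it apply cleanly.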
@@ -174,6 +175,12 @@
mozconfig_use_enable lightning calendar
mozconfig_use_enable gconf

+ if use pax_kernel; then
+ mozconfig_annotate ' --disable-methodjit
+ mozconfig_annotate ' --disable-tracejit
+ fi
+
+
# Bug #72667
if use mozdom; then
MEXTENSIONS="${MEXTENSIONS},inspector"
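Review bot: both added mozconfig_annotate lines open a single quote that is never closed (' --disable-methodjit and ' --disable-tracejit), so as written the shell reads everything up to the next quote as one string and the ebuild will not source. mozconfig_annotate takes a reason string as its first argument followed by the options, so something like mozconfig_annotate 'pax_kernel' --disable-methodjit (and the same for --disable-tracejit) is what is needed here. The second blank line added before "# Bug #72667" can be dropped.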
@@ -281,7 +288,6 @@
-i "${ED}"/usr/share/applications/${PN}.desktop
fi

- - pax-mark m "${ED}"/${MOZILLA_FIVE_HOME}/thunderbird-bin

share_plugins_dir
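Review bot: the removal of "pax-mark m" in this hunk is unconditional, while the JIT options are only disabled inside "if use pax_kernel" earlier in the patch. With the flag unset the binary is built with JIT and without the mark, which is the combination the mark was there to cover. Either keep the pax-mark in the branch where JIT stays enabled, or disable JIT unconditionally.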
 
05-16-2012, 04:12 PM
"PaX Team"

Paxmarkings on mail-client/thunderbird

On 16 May 2012 at 16:39, Hinnerk van Bruinehsen wrote:

> at the moment the thunderbird-ebuild in the tree does a "pax mark m"
> on the binary.
> At least for me thunderbird works fine if I just disable jit.

there're a few packages that define a local 'jit' USE flag, i'd say
thunderbird/firefox/etc should use it as well to disable JIT related
options and avoid the pax-mark (not sure why pax-kernel came to mean
this, that's for kernel modules, not userland, and this JIT stuff is
useful for more kernels than just PaX based ones).

> What would be the workflow for reporting that. Should I file a bugreport?

this i don't know, but probably bugzilla
 
05-16-2012, 09:29 PM
"Anthony G. Basile"

Paxmarkings on mail-client/thunderbird

On 05/16/2012 12:12 PM, PaX Team wrote:
> On 16 May 2012 at 16:39, Hinnerk van Bruinehsen wrote:
>
>> at the moment the thunderbird-ebuild in the tree does a "pax mark m"
>> on the binary.
>> At least for me thunderbird works fine if I just disable jit.
>
> there're a few packages that define a local 'jit' USE flag, i'd say
> thunderbird/firefox/etc should use it as well to disable JIT related
> options and avoid the pax-mark (not sure why pax-kernel came to mean
> this, that's for kernel modules, not userland, and this JIT stuff is
> useful for more kernels than just PaX based ones).
>
>> What would be the workflow for reporting that. Should I file a bugreport?
>
> this i don't know, but probably bugzilla



USE="pax_kernel" is supposed to mean "we are compiling this binary
because it may be run under a pax enabled kernel". I say "may" here
because people can have several kernels on their box, some may have pax
and some may not. So, if you expect the binary might break without pax
markings when running on a pax kernel, then set this flag. Since PT_PAX
markings are ignored by a vanilla kernel, no harm done.


This flag was introduced to distinguish the above from USE="hardened"
which only refers to the toolchain, and the goodies it brings along.


Having said that, it's clearly better to disable JIT and not pax mark
than vice versa. We have jit disabled by default in the hardened profiles.


--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
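
Added example, not part of the thread and not Gentoo or PaX project code: a check for whether a built binary still carries the "m" (MPROTECT disabled) marking discussed above, by reading the PT_PAX_FLAGS program header. The constant values are assumed from paxctl's ELF definitions, the function names are hypothetical, and the sample ELF image is constructed for the demonstration.

```python
import struct

# Assumed from paxctl's ELF definitions (not stated in the thread).
PT_PAX_FLAGS = 0x65041580                     # program header type used for PaX marks
PF_MPROTECT, PF_NOMPROTECT = 1 << 8, 1 << 9   # 'M' (enforce) and 'm' (disable) bits

def pax_mprotect_state(elf: bytes) -> str:
    """Return 'enforced', 'disabled', 'default' or 'no PT_PAX_FLAGS header'."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                        # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"         # EI_DATA: 1 = little endian
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        e_phoff, = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + "I", elf, off)
        if p_type != PT_PAX_FLAGS:
            continue
        # p_flags is at offset 4 in Elf64_Phdr but at offset 24 in Elf32_Phdr
        p_flags, = struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))
        if p_flags & PF_NOMPROTECT:
            return "disabled"                 # what "pax-mark m" leaves behind
        return "enforced" if p_flags & PF_MPROTECT else "default"
    return "no PT_PAX_FLAGS header"

def sample_elf64(p_flags: int) -> bytes:
    """Constructed input: bare ELF64 header plus one PT_PAX_FLAGS program header."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, p_flags, 0, 0, 0, 0, 0, 8)
    return ehdr + phdr

if __name__ == "__main__":
    for label, flags in (("marked m", PF_NOMPROTECT), ("marked M", PF_MPROTECT), ("unmarked", 0)):
        print(label, "->", pax_mprotect_state(sample_elf64(flags)))
```

Run against the bytes of an installed binary, a result of "disabled" means the MPROTECT exemption is still in place and the JIT-disabled build has not taken effect for that file.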
 
05-17-2012, 06:25 PM
Radek Madej

Paxmarkings on mail-client/thunderbird

Hi,

On Wednesday 16 May 2012 17:29:44 Anthony G. Basile wrote:
> On 05/16/2012 12:12 PM, PaX Team wrote:
> > On 16 May 2012 at 16:39, Hinnerk van Bruinehsen wrote:
> >
> >> at the moment the thunderbird-ebuild in the tree does a "pax mark m"
> >> on the binary.
> >> At least for me thunderbird works fine if I just disable jit.
> >
> > there're a few packages that define a local 'jit' USE flag, i'd say
> > thunderbird/firefox/etc should use it as well to disable JIT related
> > options and avoid the pax-mark (not sure why pax-kernel came to mean
> > this, that's for kernel modules, not userland, and this JIT stuff is
> > useful for more kernels than just PaX based ones).
> >
>
> This flag was introduced to distinguish the above from USE="hardened"
> which only refers to the toolchain, and the goodies it brings along.
>
> Having said that, it's clearly better to disable JIT and not pax mark
> than vice versa. We have jit disabled by default in the hardened profiles.
>

...so in the above example it's better to define the 'jit' flag in the ebuild
for thunderbird rather than using 'pax_kernel'? Or should '-jit' and
'pax_kernel' result in disabling JIT in the ebuilds?

I do exactly same stuff (if 'pax_kernel': disable_jit() ) for firefox on my
local overlay which allows me to run latest Firefox with mprotect on and no
paxmarkings (I don't care about plugins on FF). Judging by what you've said,
it'd be better to simply use 'jit' flag for it as it's disabled on the hardened
profiles anyway...

In theory we could then have the jit flag on both, Thunderbird and Firefox,
which would allow the hardened users to benefit from mprotect, however any use
of flash/java on FF would result in a crash anyway...but it's nice to have the
choice me thinks...

Cheers,
Radek
 
05-17-2012, 08:47 PM
Hinnerk van Bruinehsen

Paxmarkings on mail-client/thunderbird

On 17.05.2012 20:25, Radek Madej wrote:
> Hi,
>
> On Wednesday 16 May 2012 17:29:44 Anthony G. Basile wrote:
>> On 05/16/2012 12:12 PM, PaX Team wrote:
>>> On 16 May 2012 at 16:39, Hinnerk van Bruinehsen wrote:
>>>
>>>> at the moment the thunderbird-ebuild in the tree does a "pax mark m"
>>>> on the binary.
>>>> At least for me thunderbird works fine if I just disable jit.
>>>
>>> there're a few packages that define a local 'jit' USE flag, i'd say
>>> thunderbird/firefox/etc should use it as well to disable JIT related
>>> options and avoid the pax-mark (not sure why pax-kernel came to mean
>>> this, that's for kernel modules, not userland, and this JIT stuff is
>>> useful for more kernels than just PaX based ones).
>>>
>>
>> This flag was introduced to distinguish the above from USE="hardened"
>> which only refers to the toolchain, and the goodies it brings along.
>>
>> Having said that, it's clearly better to disable JIT and not pax mark
>> than vice versa. We have jit disabled by default in the hardened profiles.
>>
>
> ...so in the above example it's better to define the 'jit' flag in the ebuild
> for thunderbird rather than using 'pax_kernel'? Or should '-jit' and
> 'pax_kernel' result in disabling JIT in the ebuilds?
>
> I do exactly same stuff (if 'pax_kernel': disable_jit() ) for firefox on my
> local overlay which allows me to run latest Firefox with mprotect on and no
> paxmarkings (I don't care about plugins on FF). Judging by what you've said,
> it'd be better to simply use 'jit' flag for it as it's disabled on the hardened
> profiles anyway...
>
> In theory we could then have the jit flag on both, Thunderbird and Firefox,
> which would allow the hardened users to benefit from mprotect, however any use
> of flash/java on FF would result in a crash anyway...but it's nice to have the
> choice me thinks...
>
> Cheers,
> Radek
>
>

If I understand it correctly, it should be the following way:

use pax_kernel to disable jit as the default and use jit to override
pax_kernel so people who would like to use for example flash could
enable it, if they want.

This way hardened would be default which would be the behaviour I would
expect for a hardened profile.

The most important question for me is: should I file a bug for that?

With kind regards,

Hinnerk
 
