Midori doesn't work on hardened profile with pax enabled ago@E2160 ~ $ midori error: line 5: bad flagvector error: line 7: bad flagvector error: line 9: bad flagvector error: line 11: bad flagvector error: line 13: bad flagvector error: line 18: bad flagvector error: line 23: bad flagvector error: line 28: bad flagvector Killed Later: E2160 ago # paxctl -m /usr/bin/midori And midori works! Reproducible: Always
Created attachment 248516 [details] emerge --info
1. Try midori-9999, because we are about to bump midori into 0.2.8 and 9999 is closest to that right now. If the problem is still reproducible we move to 2. 2. hardened team: Should we "inherit pax-utils" and do pax-mark "${D}"/usr/bin/midori in src_install() of midori?
err... pax-mark -m "${D}"/usr/bin/midori
Created attachment 248536 [details] strace midori
(In reply to comment #2) > 1. Try midori-9999, because we are about to bump midori into 0.2.8 and 9999 is > closest to that right now. If the problem is still reproducible we move to 2. > I try with midori-9999, but the result at open is same.
+*midori-0.2.8 (29 Sep 2010) + + 29 Sep 2010; Samuli Suominen <ssuominen@gentoo.org> +midori-0.2.8.ebuild, + midori-9999.ebuild: + Version bump with missing dev-lang/vala depend wrt #336643 by Agostino + Sarubbo and pax-mark -m for hardened wrt #338561 by René Neumann.
for midori-9999 see bug 339078
Disabling executable memory protection in a browser is a pretty big deal, since it is usually the piece of software that is most exposed to external attacks. I didn't find mmap calls in midori source, so it's probably a problem in webkit. I wonder is this is similar to this bug: https://bugzilla.redhat.com/show_bug.cgi?id=516057 incidentally, /usr/bin/jsc also segfaults on hardened Gentoo, so it could be that Midori tries to unconditionally initialize javascript support. I will file a separate bug about jsc failure.