Similar to #338245, could we please have the 'jit' flag for xulrunner, for the same reasons as in the original bug? Disabling JIT on xulrunner allows Firefox to run with MPROTECT enabled on grsecurity kernels, which greatly increases the security of the browser itself :) While the drawback is slower JS, it'd be nice for end users to decide on the security versus performance tradeoff.

Please note that in order for MPROTECT to work, the user has to disable all remaining JIT options using the about:config Firefox functionality.

To disable JIT in xulrunner, a small patch (attached) and two additional 'configure' options are required:

    mozconfig_annotate '' --disable-jit
    mozconfig_annotate '' --disable-methodjit

Thanks to zakalwe on #grsecurity for help and patch :)

Thanks,
radegand

Reproducible: Always
Created attachment 273103: proposed patch
Created attachment 273105: Ebuild that builds xulrunner without JIT
...Assuming that the patch above is in /etc/portage/patches/net-libs/xulrunner :)
We need to stay as close to upstream as possible. If we disable jit we will break more addons, this will leave many issues reported that would otherwise not be seen.
(In reply to comment #3)
> We need to stay as close to upstream as possible.
who's 'we'? this change is of interest to all hardened users.
> If we disable jit we will break more addons,
what addons *require* JIT compilation to be used (vs. the interpreter)?
> this will leave many issues reported that would otherwise not be seen.
what issues? and what's wrong with reporting issues? what's wrong with fixing them?
Please don't make hardened users have to jump through hoops to have a working system by default with things we can simply control on a per profile basis. Perhaps the patch should work its way upstream first and then we add a simple USE= flag for the people who don't want this yarr jit by default.
(In reply to comment #5)
> Please don't make hardened users have to jump through hoops to have a working system by
> default with things we can simply control on a per profile basis.
>
> Perhaps the patch should work its way upstream first and then we add a simple
> USE= flag for the people who don't want this yarr jit by default.
Makes sense... I was about to send the patch upstream, but Firefox 5 came out in the meantime, and it turns out that on FF5 you can disable jit simply at configure and no patch is actually needed :) So I think the point remains valid somehow... ;) Please see bug 373029 for details - enabling jit on hardened-sources kernel prevents Firefox 5 from compiling.
Cheers,
radegand
I've removed the "hardened" USE-flag, and added a "+methodjit" USE-flag instead. firefox-bin and plugin-container are also 'pax-mark m' unconditionally again. Hint for those who want to disable methodjit: build with USE=pgo, it'll take 2x the time, but will lead to less slowdown. Closing as FIXED.
Can the same fix please be applied to www-client/icecat which still seems to suffer from this bug?
(In reply to comment #8)
> Can the same fix please be applied to www-client/icecat which still seems to
> suffer from this bug?
Done with icecat-5.0-r1