On a hardened Gentoo system with PaX enabled, /usr/lib64/xulrunner-1.9.2/plugin-container needs paxctl -m. Otherwise, the plugin-container will be killed immediately by PaX when loading the adobe flash plugin or Java. However, as plugins now run in plugin-container and no longer directly in firefox, it should be possible (and highly recommended for security reasons) to compile firefox itself in a way which doesn't need paxctl -m any longer, and to install the firefox executable without paxctl -m. (see discussion in bug 278698, #34 and following, especially #37)
(In reply to comment #0) > On a hardened Gentoo system with PaX enabled, > /usr/lib64/xulrunner-1.9.2/plugin-container needs paxctl -m. Otherwise, the > plugin-container will be killed immediately by PaX when loading the adobe flash > plugin or Java. > > However, as plugins now run in plugin-container and no longer directly in > firefox, it should be possible (and highly recommended for security reasons) to > compile firefox itself in a way which doesn't need paxctl -m any longer, and to > install the firefox executable without paxctl -m. > (see discussion in bug 278698, #34 and following, especially #37) > I am happy to accomidate you with plugin-container, but changing firefox is not gonna happen. It is needed for most javascript as it is nothing but xulrunner renamed and copied into applications folder.
Fixed in xulrunner-1.9.2.8-r1. Leaving open in case hardened team still wants/needs.
(In reply to comment #1) > I am happy to accomidate you with plugin-container, but changing firefox is not > gonna happen. It is needed for most javascript as it is nothing but xulrunner > renamed and copied into applications folder. well, javascript.options.jit.{chrome,content} let one disable the JIT compiler engine, would that enable running FF with MPROTECT on?
I'll try if nobody else does, but it will take some time (I'm just moving my home from Austria to Germany, there are more urgent things to do now...)
Works for me. Just tried a dozen pages with both jit options set to false and MPROTECT enabled, didn't have any problems. However, you *first* have to set the options to false (with MPROTECT disabled) and then reenable MPROTECT: With MPROTECT enabled and jit still true, firefox doesn't even come up, so you can't edit about:config.
(In reply to comment #5) > Works for me. Just tried a dozen pages with both jit options set to false > and MPROTECT enabled, didn't have any problems. any benchmark results perhaps so users know what the tradeoff is? ;)
Could you send me some Javasoft benchmark URL's? I'm on a fast machine, I didn't notice any differences for pages using just a little bit of JavaScript...
(In reply to comment #7) > Could you send me some Javasoft benchmark URL's? > > I'm on a fast machine, I didn't notice any differences for pages using > just a little bit of JavaScript... this one was recently released: http://krakenbenchmark.mozilla.com/index.html
Tried it. About a factor 6 in speed: 73249.8 ms compared to 12591.4 ms, both +- 3 %. Individual tests ranging from same speed to a factor of 15. I'm more worried about the difference in memory: Without jit, firefox grew to just below 8 GB vsize, with jit, max. vsize was just above 2 GB.
(In reply to comment #5) > Works for me. Just tried a dozen pages with both jit options set to false > and MPROTECT enabled, didn't have any problems. > > However, you *first* have to set the options to false > (with MPROTECT disabled) and then reenable MPROTECT: > With MPROTECT enabled and jit still true, > firefox doesn't even come up, so you can't edit about:config. Add the lines to /usr/lib/firefox/defaults/preferences/firefox-nojit.js pref("javascript.options.jit.content", false); pref("javascript.options.jit.chrome", false); as opposed to user_pref; Now you won't have to cycle MPROTECT every time you add a new profile to firefox or use the useradd command. (In reply to comment #1) > (In reply to comment #0) > > On a hardened Gentoo system with PaX enabled, > > /usr/lib64/xulrunner-1.9.2/plugin-container needs paxctl -m. Otherwise, the > > plugin-container will be killed immediately by PaX when loading the adobe flash > > plugin or Java. > > > > However, as plugins now run in plugin-container and no longer directly in > > firefox, it should be possible (and highly recommended for security reasons) to > > compile firefox itself in a way which doesn't need paxctl -m any longer, and to > > install the firefox executable without paxctl -m. > > (see discussion in bug 278698, #34 and following, especially #37) > > > I am happy to accomidate you with plugin-container, but changing firefox is not > gonna happen. It is needed for most javascript as it is nothing but xulrunner > renamed and copied into applications folder. > I don't see why this couldn't be done with a USE flag though it might be considered as improper due to how your are simply flipping a preference option.
If mozilla team is needed later please re-add us, we will be more then happy to take a patch.
Current versions are fine.
