This is a stable amd64 hardened desktop. firefox 34.0.5-r1 started fine, 35.0 gives :

Jan 13 18:01:35 t44 kernel: [75298.492027] PAX: execution attempt in: <anonymous mapping>, 27031167000-27031168000 27031167000
Jan 13 18:01:35 t44 kernel: [75298.492034] PAX: terminating task: /usr/lib64/firefox/firefox(firefox):10216, uid/euid: 1000/1000, PC: 0000027031167240, SP: 000003a68ec818e8
Jan 13 18:01:35 t44 kernel: [75298.492038] PAX: bytes at PC: 49 bb 6e ba 47 29 70 02 00 00 49 ba 40 72 16 31 70 02 00 00
Jan 13 18:01:35 t44 kernel: [75298.492065] PAX: bytes at SP-8: 000003a68ec81a80 0000027025653653 0000000100000001 000003a68ec81a18 00000270194b0a00 410132611ad24500 0000027019442088 0000000000000008 000002701201e150 000002702fd49300 0000027000000000
Jan 13 18:01:35 t44 kernel: [75298.492426] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib64/firefox/firefox[firefox:10216] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/kdeinit4[kdeinit4:2865] uid/euid:1000/1000 gid/egid:1000/1000
Jan 13 18:01:52 t44 smartd[3391]: Device: /dev/sda [SAT], SMART Usage Attribute: 190 Airflow_Temperature_Cel changed from 39 to 40
Jan 13 18:01:52 t44 smartd[3391]: Device: /dev/sda [SAT], SMART Usage Attribute: 194 Temperature_Celsius changed from 39 to 40
Jan 13 18:02:04 t44 kernel: [75327.631660] PAX: execution attempt in: <anonymous mapping>, 2ac418e0000-2ac418e1000 2ac418e0000
Jan 13 18:02:04 t44 kernel: [75327.631666] PAX: terminating task: /usr/lib64/firefox/firefox(firefox):10293, uid/euid: 1000/1000, PC: 000002ac418e0240, SP: 000003cd95b38f28
Jan 13 18:02:04 t44 kernel: [75327.631668] PAX: bytes at PC: 49 bb 6e ba b7 39 ac 02 00 00 49 ba 40 02 8e 41 ac 02 00 00
Jan 13 18:02:04 t44 kernel: [75327.631682] PAX: bytes at SP-8: 000003cd95b390c0 000002ac35d53653 0000000000000001 000002ac2e4324a0 000003cd95b38f60 000002ac20749d08 000002ac00000001 000002ac2b4d23a0 000002ac22342260 000002ac40449300 0000000000000000
Jan 13 18:02:04 t44 kernel: [75327.631904] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib64/firefox/firefox[firefox:10293] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:10286] uid/euid:1000/1000 gid/egid:1000/1000

tfoerste@t44 ~ $ emerge --info firefox
Portage 2.2.14 (python 3.3.5-final-0, hardened/linux/amd64, gcc-4.8.3, glibc-2.19-r1, 3.17.7-hardened-r1 x86_64)
=================================================================
System Settings
=================================================================
System uname: Linux-3.17.7-hardened-r1-x86_64-Intel-R-_Core-TM-_i5-4300U_CPU_@_1.90GHz-with-gentoo-2.2
KiB Mem: 12033700 total, 3625248 free
KiB Swap: 16777212 total, 16757856 free
Timestamp of tree: Tue, 13 Jan 2015 16:15:01 +0000
ld GNU ld (Gentoo 2.24 p1.4) 2.24
app-shells/bash: 4.2_p53
dev-java/java-config: 2.2.0
dev-lang/perl: 5.18.2-r2
dev-lang/python: 2.7.9-r1, 3.3.5-r1
dev-util/cmake: 2.8.12.2-r1
dev-util/pkgconfig: 0.28-r1
sys-apps/baselayout: 2.2
sys-apps/openrc: 0.13.6
sys-apps/sandbox: 2.6-r1
sys-devel/autoconf: 2.13, 2.69
sys-devel/automake: 1.13.4
sys-devel/binutils: 2.24-r3
sys-devel/gcc: 4.8.3
sys-devel/gcc-config: 1.7.3
sys-devel/libtool: 2.4.2-r1
sys-devel/make: 4.0-r1
sys-kernel/linux-headers: 3.16 (virtual/os-headers)
sys-libs/glibc: 2.19-r1
Repositories: gentoo toralf
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=native"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.5/ext-active/ /etc/php/cgi-php5.5/ext-active/ /etc/php/cli-php5.5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=native"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--keep-going=y --nospinner --tree --quiet-build --deep --autounmask --autounmask-unrestricted-atoms --autounmask-write"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://mirror.netcologne.de/gentoo/ http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://gentoo.mirror.dkm.cz/pub/gentoo/ http://ftp-stud.hs-esslingen.de/pub/Mirrors/gentoo/"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="X acl aes-ni alsa amd64 apache2 avx avx2 berkdb bzip2 cli corefonts cracklib crypt cups cxx dbus dnssec dri drmkms dvd ecc ffmpeg fontconfig fortran fpm gdbm git gtk gudev gui hardened iconv isag jpeg justify libvirtd logrotate macvtap mbox minizip mmx modules multilib mysql ncurses nls nptl ogg opengl openmp pam pax_kernel pcre plasma png policykit qemu qt3support qt4 readline session spice sse sse2 sse4 sse4_1 sse4_2 ssh-askpass ssl ssse3 tcpd theora thinkpad threads tk tls truetype uml unicode urandom usb usbredir uxa v4l v4l2 vaapi video vorbis xa xattr xmp xscreensaver xtpax xvfb xvmc zenmap zlib"
ABI_X86="64"
ALSA_CARDS="hda-intel"
APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author"
CAMERAS="ptp2"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx"
INPUT_DEVICES="evdev synaptics"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
LINGUAS="en en_GB"
OFFICE_IMPLEMENTATION="libreoffice"
PHP_TARGETS="php5-5"
PYTHON_SINGLE_TARGET="python2_7"
PYTHON_TARGETS="python2_7 python3_3"
QEMU_SOFTMMU_TARGETS="x86_64 i386"
QEMU_USER_TARGETS="x86_64 i386"
RUBY_TARGETS="ruby19 ruby20"
USERLAND="GNU"
VIDEO_CARDS="intel i965"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

=================================================================
Package Settings
=================================================================

www-client/firefox-35.0 was built with the following:
USE="dbus hardened minimal -bindist -custom-cflags -custom-optimization -debug (-gmp-autoupdate) -gstreamer -jit (-pgo) -pulseaudio (-selinux) -startup-notification -system-cairo -system-icu -system-jpeg -system-libvpx -system-sqlite -test -wifi"
ABI_X86="64"
LINGUAS="en_GB -af -ar -as -ast -be -bg -bn_BD -bn_IN -br -bs -ca -cs -cy -da -de -el -en_ZA -eo -es_AR -es_CL -es_ES -es_MX -et -eu -fa -fi -fr -fy_NL -ga_IE -gd -gl -gu_IN -he -hi_IN -hr -hu -hy_AM -id -is -it -ja -kk -km -kn -ko -lt -lv -mai -mk -ml -mr -nb_NO -nl -nn_NO -or -pa_IN -pl -pt_BR -pt_PT -rm -ro -ru -si -sk -sl -son -sq -sr -sv_SE -ta -te -th -tr -uk -vi -xh -zh_CN -zh_TW"
CFLAGS="-pipe -march=native -mno-avx"
CXXFLAGS="-pipe -march=native -mno-avx"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,-z,relro,-z,now"
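
Added example (not part of the bug thread): a Python triage helper that groups the three PaX lines of one kill from the report above into a single event and decodes the bytes at PC. Reading two leading movabs loads, one of which is the faulting PC itself, as a runtime-written closure trampoline of the kind libffi emits is this example's assumption, not a finding stated in the thread; the function names are hypothetical.

```python
import re

# Sample input: three kernel lines copied from the report above (PID 10216).
SAMPLE = """\
Jan 13 18:01:35 t44 kernel: [75298.492027] PAX: execution attempt in: <anonymous mapping>, 27031167000-27031168000 27031167000
Jan 13 18:01:35 t44 kernel: [75298.492034] PAX: terminating task: /usr/lib64/firefox/firefox(firefox):10216, uid/euid: 1000/1000, PC: 0000027031167240, SP: 000003a68ec818e8
Jan 13 18:01:35 t44 kernel: [75298.492038] PAX: bytes at PC: 49 bb 6e ba 47 29 70 02 00 00 49 ba 40 72 16 31 70 02 00 00
"""

ATTEMPT = re.compile(r"PAX: execution attempt in: (.+?), ([0-9a-f]+)-([0-9a-f]+)")
TASK = re.compile(r"PAX: terminating task: (\S+?)\(([^)]*)\):(\d+), uid/euid: (\d+)/(\d+), PC: ([0-9a-f]+)")
BYTES = re.compile(r"PAX: bytes at PC: ((?:[0-9a-f]{2} ?)+)")

def decode_movabs(code):
    """Return [(reg, imm64)] for leading 'movabs r8..r15, imm64' (bytes 49 B8+r)."""
    out, i = [], 0
    while i + 10 <= len(code) and code[i] == 0x49 and 0xB8 <= code[i + 1] <= 0xBF:
        out.append(("r%d" % (8 + code[i + 1] - 0xB8), int.from_bytes(code[i + 2:i + 10], "little")))
        i += 10
    return out

def parse_events(text):
    """Group the PaX lines of each terminated task into one event dict."""
    events, cur = [], None
    for line in text.splitlines():
        if m := ATTEMPT.search(line):
            cur = {"mapping": m[1], "start": int(m[2], 16), "end": int(m[3], 16)}
            events.append(cur)
        elif cur is not None and (m := TASK.search(line)):
            cur.update(path=m[1], comm=m[2], pid=int(m[3]), uid=int(m[4]), pc=int(m[6], 16))
            cur["pc_in_map"] = cur["start"] <= cur["pc"] < cur["end"]
        elif cur is not None and (m := BYTES.search(line)):
            cur["loads"] = decode_movabs(bytes.fromhex(m[1]))
            # Assumption: code that loads its own address was written at run
            # time (closure trampoline), so look at FFI users before plugins.
            cur["self_ref"] = any(imm == cur.get("pc") for _, imm in cur["loads"])
    return events

if __name__ == "__main__":
    for e in parse_events(SAMPLE):
        print(e["path"], e["pid"], hex(e["pc"]), e["loads"], e["self_ref"])
```
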
ah, should mention:

$> sudo paxctl-ng -pemrs `which firefox`

helps
(In reply to Toralf Förster from comment #1)
> ah, should mention:
>
> $> sudo paxctl-ng -pemrs `which firefox`
>
> helps

This is not a solution. We need to figure out why you are the only one that is hitting this at the moment. Do you have any plugins or extensions installed? If so please list.

Kernel config: /proc/config.gz

Vanilla Kernel ASLR: Full
GCC stack protector support: Enabled
Strict user copy checks: Enabled
Restrict /dev/mem access: Enabled
Restrict /dev/kmem access: Enabled

* Selinux: Disabled

SELinux infomation available here:
http://selinuxproject.org/

* grsecurity / PaX: Custom GRKERNSEC

Non-executable kernel pages: Disabled
Non-executable pages: Enabled
Paging Based Non-executable pages: Enabled
Restrict MPROTECT: Enabled
Address Space Layout Randomization: Enabled
Randomize Kernel Stack: Enabled
Randomize User Stack: Enabled
Randomize MMAP Stack: Enabled
Sanitize freed memory: Enabled
Sanitize Kernel Stack: Enabled
Prevent userspace pointer deref: Enabled
Prevent kobject refcount overflow: Enabled
Bounds check heap object copies: Enabled
JIT Hardening: No BPF JIT
Thread Stack Random Gaps: Enabled
Disable writing to kmem/mem/port: Enabled
Disable privileged I/O: Enabled
Harden module auto-loading: Enabled
Chroot Protection: Enabled
Deter ptrace process snooping: Enabled
Larger Entropy Pools: Disabled
TCP/UDP Blackhole: Enabled
Deter Exploit Bruteforcing: Enabled
Hide kernel symbols: Enabled

firefox 32062 Full RELRO Canary found PaX enabled PIE enabled Yes

bull Downloads # paxctl-ng -v `which firefox`
/usr/bin/firefox:
open(O_RDWR) failed: cannot change PT_PAX flags
PT_PAX : -e---
XATTR_PAX : not found
Created attachment 394524
kernel .config

plugins are :

OpenH264 Video Codec 1.1
Shockwave Flash 11.2 r202
adblock edge 1.2.7
firetray 0.5.4
flashblock 1.5.18
https everywhere 4.0.2
noscript 2.6.9.11
just for 36.0.1:

t44 ~ # paxctl-ng -v -perms /usr/lib64/firefox/firefox
/usr/lib64/firefox/firefox:
open(O_RDWR) failed: cannot change PT_PAX flags
PT_PAX : pemrs
(In reply to Toralf Förster from comment #4)
> just for 36.0.1:
>
> t44 ~ # paxctl-ng -v -perms /usr/lib64/firefox/firefox
> /usr/lib64/firefox/firefox:
> open(O_RDWR) failed: cannot change PT_PAX flags
> PT_PAX : pemrs

This is most likely one of the extensions causing an issue. Can you restore the default permissions and test firefox --safe-mode please
(In reply to Jory A. Pratt from comment #5)
> This is most likely one of the extensions causing an issue. Can you restore
> the default permissions and test firefox --safe-mode please

You're right - firetray-0.5.4 was the culprit
(In reply to Toralf Förster from comment #6)
> (In reply to Jory A. Pratt from comment #5)
> > This is most likely one of the extensions causing an issue. Can you restore
> > the default permissions and test firefox --safe-mode please
>
> You're right - firetray-0.5.4 was the culprit

I highly doubt it is firetray. I use firetray in thunderbird without an issue. The most likely is adobe software.
(In reply to Jory A. Pratt from comment #7)
> I highly doubt it is firetray. I use firetray in thunderbird without an
> issue. The most likely is adobe software.

I tested it 2 times in a row - it is FireTray 0.5.4 here.

BTW I have a similar PAX issue with thunderbird - when I upgrade it next time, I'll test, if it is the same issue there too.
with the latest changes to firefox-37.0.1 :

06 Apr 2015; Ian Stakenvicius (_AxS_) <axs@gentoo.org> firefox-37.0.1.ebuild,
+files/firefox-37.0-jemalloc_configure_unbashify.patch:
firefox-37 works now that jit is forced-on, removing mask

now firefox starts w/o any need of

$> paxctl-ng -v -perms /usr/lib64/firefox/firefox

any longer