Bug 279036 - www-client/mozilla-firefox-3.5.1 fails to start on hardened environment
Status: RESOLVED DUPLICATE of bug 278698
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High normal
Assignee: Mozilla Gentoo Team
Reported: 2009-07-25 12:07 UTC by Thomas Sachau
Modified: 2009-07-25 12:33 UTC
Description Thomas Sachau gentoo-dev 2009-07-25 12:07:13 UTC
Firefox refuses to start. With strace, there are many lines like this:

mmap2(0xe8d00000, 2097152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xffffffffe8d14000
munmap(0xe8d14000, 2097152)             = 0
mmap2(NULL, 3145728, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xffffffffe8c14000
munmap(0xe8c14000, 3145728)             = 0
mmap2(0xe8d00000, 2097152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xffffffffe8d14000
munmap(0xe8d14000, 2097152)             = 0
mmap2(NULL, 3145728, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xffffffffe8c14000
munmap(0xe8c14000, 3145728)             = 0
mmap2(0xe8d00000, 2097152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xffffffffe8d14000
munmap(0xe8d14000, 2097152)             = 0
mmap2(NULL, 3145728, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xffffffffe8c14000
munmap(0xe8c14000, 3145728)             = 0
mmap2(0xe8d00000, 2097152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xffffffffe8d14000
munmap(0xe8d14000, 2097152)             = 0
mmap2(NULL, 3145728, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xffffffffe8c14000
munmap(0xe8c14000, 3145728)             = 0
mmap2(0xe8d00000, 2097152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xffffffffe8d14000
munmap(0xe8d14000, 2097152)             = 0
mmap2(NULL, 3145728, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xffffffffe8c14000
munmap(0xe8c14000, 3145728)

Setting paxctl -r (disabling RANDMMAP) on the binary does allow Firefox to start and run. Here are some lines from #gentoo-hardened:

<ncopa> i saw you have issues with firefox 3.5
<ncopa> like i have with webkit and midori
<ncopa> its the jit feature i think
<ncopa> that generates executable code on the fly
<ncopa> which pax by design does not allow
<ncopa> so looks like we have to choose between disable pax (reduce security) or disable jit (slow)
<Tommy[D]> ncopa: paxctl -r /usr/lib/mozilla-firefox/firefox is another possible workaround
<Tommy[D]> at least firefox does work with it
<ncopa> thats turning off pax features
<ncopa>  = reduces security
<ncopa> for the entire firefox binary
<ncopa> i was thinking that it would be nice to have the jit part running as a separate process
<ncopa> separate executable
<ncopa> that way we could paxctl -r /path/to/jit-executable
<ncopa> and most of the browser code would still run with randmmap
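
An added triage sketch, not part of the bug report or of any Gentoo or Mozilla code: it parses strace lines of the form quoted in the description and reports mmap2 address hints that were not honoured, and whether the same map/unmap cycle keeps repeating with nothing retained. The sample input is constructed from the quoted pattern; the `analyze` function, its parameters and the repeat threshold are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: the four-line pattern quoted in the description, repeated.
SAMPLE = (
    "mmap2(0xe8d00000, 2097152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xffffffffe8d14000\n"
    "munmap(0xe8d14000, 2097152)             = 0\n"
    "mmap2(NULL, 3145728, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xffffffffe8c14000\n"
    "munmap(0xe8c14000, 3145728)             = 0\n"
) * 5

MMAP_RE = re.compile(r"^mmap2?\((NULL|0x[0-9a-f]+), (\d+), [^)]*\)\s*=\s*(0x[0-9a-f]+)")
MUNMAP_RE = re.compile(r"^munmap\((0x[0-9a-f]+), (\d+)\)")

def analyze(trace, word_bits=32, min_repeats=3):
    """Summarise anonymous-mapping churn in strace output (hypothetical helper)."""
    mask = (1 << word_bits) - 1      # strace shows 32-bit results sign-extended
    seen = Counter()                 # (hint, length, result) -> occurrences
    ignored = Counter()              # (hint, result) where the hint was not honoured
    live = {}                        # address -> length of mappings still held
    for line in trace.splitlines():
        m = MMAP_RE.match(line)
        if m:
            hint, length, addr = m.group(1), int(m.group(2)), int(m.group(3), 16) & mask
            seen[(hint, length, addr)] += 1
            live[addr] = length
            if hint != "NULL" and int(hint, 16) != addr:
                ignored[(int(hint, 16), addr)] += 1
            continue
        m = MUNMAP_RE.match(line)
        if m and live.get(int(m.group(1), 16)) == int(m.group(2)):
            del live[int(m.group(1), 16)]
    return {
        "ignored_hints": dict(ignored),
        "retained_mappings": len(live),
        # Same request returning the same result again and again, nothing kept.
        "looping": bool(seen) and not live and min(seen.values()) >= min_repeats,
    }

if __name__ == "__main__":
    result = analyze(SAMPLE)
    for (hint, addr), n in result["ignored_hints"].items():
        print(f"hint {hint:#x} not honoured {n}x, kernel returned {addr:#x}")
    print("mappings retained:", result["retained_mappings"])
    print("identical map/unmap cycle:", result["looping"])
```

Failed calls (a `-1` return) are skipped by the patterns, so the summary covers only mappings the kernel actually granted.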
Comment 1 Nirbheek Chauhan (RETIRED) gentoo-dev 2009-07-25 12:33:29 UTC

*** This bug has been marked as a duplicate of bug 278698 ***