Hi, Firefox 5 doesn't compile on grsec enabled kernels due to the jit optimization which creates RWX memory mapping not liked by PaX :) To compile it under a hardened kernel, one need to disable jit during source configuration, please see the attached ebuild. Once jit is disabled, firefox compiles and runs fine. I've added jit flag to the ebuild which is automatically disabled on hardened profiles. The additional positive outcome of that is that firefox runs fine with mprotect enabled, however Java or Flash plugins will crash it. I realize that from user experience point of view, it's better to have mprotect disabled, but maybe at least it's worth giving the end user information that it would be possible if they're not going to use java or flash? Thanks, radegand Reproducible: Always Steps to Reproduce: Emerge firefox 5 on a hardened system running Gentoo hardened-sources. Actual Results: Emerge is killed with the following error from PaX: grsec: denied RWX mmap of <anonymous mapping> by /var/tmp/portage/www-client/firefox-5.0/work/mozilla-release/obj-x86_64-unknown-linux-gnu/dist/bin/xpcshell[xpcshell:10891] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:10882] uid/euid:0/0 gid/egid:0/0 xpcshell[10891]: segfault at 41ea0ddc ip 00006b9475051ed4 sp 000078b37e81b6f0 error 4 in libxul.so[6b9474031000+1823000] grsec: Segmentation fault occurred at 0000000041ea0ddc in /var/tmp/portage/www-client/firefox-5.0/work/mozilla-release/obj-x86_64-unknown-linux-gnu/dist/bin/xpcshell[xpcshell:10891] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:10882] uid/euid:0/0 gid/egid:0/0 grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /var/tmp/portage/www-client/firefox-5.0/work/mozilla-release/obj-x86_64-unknown-linux-gnu/dist/bin/xpcshell[xpcshell:10891] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:10882] uid/euid:0/0 gid/egid:0/0 Expected Results: Successful compilation of Firefox :)
Created attachment 278123 [details] proposed ebuild
Created attachment 278125 [details] original build log
Created attachment 278127 [details] emerge --info
(In reply to comment #0) > I've added jit flag to the ebuild which is automatically disabled on hardened > profiles. The additional positive outcome of that is that firefox runs fine > with mprotect enabled, however Java or Flash plugins will crash it. hmm, where are they crashing exactly? not allowing runtime codegen should be gracefully handled by both java and flash these days, so something's still not right somewhere if you see the whole app crash...
*** This bug has been marked as a duplicate of bug 372947 ***