firefox 5.0 ebuild has three fatal problems on systems with execute protection (PaX):

1. Emerge stops with an error because during install, work/mozilla-release/obj-x86_64-unknown-linux-gnu/dist/bin/xpcshell violates the execute protection and gets killed. Applying paxctl -m to it and restarting the emerge helps.

2. At the end of the emerge, there is a warning that paxctl -m firefox failed and firefox will probably not work. I checked: /usr/lib64/firefox/firefox-bin indeed doesn't have paxctl -m set and fails. Setting it cures the problem. Interestingly, the error message says "firefox", but paxctl should be applied to "firefox-bin"?!

3. The ebuild forgets to set paxctl -m on /usr/lib64/firefox/plugin-container. This causes flash or java plugins to be killed by the kernel. Again, applying paxctl manually helps.
I can confirm that part 1 is indeed needed to complete the emerge. Part 2 is about applying paxctl to a shell wrapper instead of the binary; this needs to be fixed as well - alternatively ship a preferences file to disable jit maybe. Part 3 is correct, too.
Created attachment 278177
Patch based on the information provided by the bug submitter
see also bugs: https://bugs.gentoo.org/show_bug.cgi?id=373029 https://bugs.gentoo.org/show_bug.cgi?id=373071
With attached patch firefox builds ok, but it doesn't start.
*** This bug has been marked as a duplicate of bug 372947 ***
Please un-duplicate and reopen (and I think it should be assigned to firefox, not to hardened gentoo).

* Item 3 of this bug is not contained at all in 372947, and is a fatal issue, so this report is a superset of 372947.

* The solution in 372947 doesn't apply to this report at all: 372947's proposed solution depends on the "hardened" USE flag and doesn't change anything on non-hardened systems. However, not all PaX systems are "hardened": "hardened" means "hardened toolchain" and "pie executables", but I have PaX with normal toolchain and standard (non-pie) executables, and hence don't have "hardened" set!

* 372947 is quite unclear (looks like a space problem at first glance) and doesn't mention PaX, neither in the header nor in the text, although the problem is all about paxctl.

* 372947 tries to solve the problem in a completely different way: As far as I can tell, 372947 tries to compile firefox without JIT, hoping to make it work without setting paxctl -m for it. This report is about adding the necessary paxctl's to the ebuild to make firefox with JIT work (I could live with the other no-JIT no-paxctl solution, too, but my item 3 needs paxctl for flash and java anyway, hence there is no gain in compiling firefox without JIT).
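All three items in the report come down to whether paxctl -m reached the right ELF file. The following is an added example, not code from the ebuild or the attached patch: it reads the PT_PAX_FLAGS program header directly and reports the MPROTECT state, which also shows why marking a shell wrapper cannot succeed. It assumes ELF64 little-endian binaries marked through PT_PAX_FLAGS; `make_elf` is a hypothetical helper that builds constructed sample images.

```python
import struct
import sys

PT_PAX_FLAGS = 0x65041580   # PT_LOOS + 0x5041580, the program header paxctl edits
PF_MPROTECT = 1 << 8        # MPROTECT explicitly enforced
PF_NOMPROTECT = 1 << 9      # MPROTECT disabled: the bit "paxctl -m" sets

def pax_mprotect_state(data):
    """Return 'not-elf', 'no-pax-header', 'disabled', 'enforced' or 'default'."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        return "not-elf"                      # e.g. a shell wrapper script
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 8 > len(data):
            break                             # truncated program header table
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_PAX_FLAGS:
            if p_flags & PF_NOMPROTECT:
                return "disabled"             # JIT and plugin code may run
            return "enforced" if p_flags & PF_MPROTECT else "default"
    return "no-pax-header"

def make_elf(phdrs):
    """Constructed sample: ELF64 header plus (p_type, p_flags) program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH",
                              2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return hdr + b"".join(struct.pack("<II", t, f) + bytes(48) for t, f in phdrs)

def check_paths(paths):
    """Map each path to its MPROTECT state or to an error string."""
    result = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                result[path] = pax_mprotect_state(fh.read())
        except (OSError, ValueError) as exc:
            result[path] = "error: %s" % exc
    return result

if __name__ == "__main__":
    # e.g. /usr/lib64/firefox/firefox-bin /usr/lib64/firefox/plugin-container
    for path, state in check_paths(sys.argv[1:]).items():
        print("%-12s %s" % (state, path))
```

On the system described in the report, firefox-bin and plugin-container should both show "disabled" after a correct install; anything else means the mark was not applied to that file.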