The compile process for Firefox with hardened USE flags on the hardened profile ends up relying on a file provided by upstream for the toolchain flags, and this file contains -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2:

firefox-102.13.0/build/moz.configure/toolchain.configure

This works great, there are no warnings, but I have to report that it overrides a recent feature from Gentoo hardened, where gcc (or clang) is able to use _FORTIFY_SOURCE=3 from the fortify.h feature headers. I've found that when a program supports 2, it's very likely that it supports 3 as well, so I have made a patch to change a couple of 2's to 3's, and recompiled.

There were three other files for third-party vendored deps that needed a fix. I'm not sure they are even activated; I think the WebRTC one is, and the libevent one was not, since it was behind the system-libevent USE flag.

firefox-102.13.0/third_party/libwebrtc/build/config/compiler/BUILD.gn
firefox-102.13.0/ipc/chromium/src/third_party/libevent/configure.ac
firefox-102.13.0/ipc/chromium/src/third_party/libevent/CMakeLists.txt

This test was successful. Consider me a _FORTIFY_SOURCE=3 Firefox beta tester. All the changes can be accomplished by sed'ing a 2 to a 3, but I made the patches manually for now. I can make them available here if need be, but it's trivial. Reporting this here on a bug report so we have something to think about. Thanks.

Reproducible: Always
Does everything work fine at runtime?
Yep, I tested it. I'm running it on my main machine that I use for browsing a lot. Everything seems totally fine, and I even attempted to test WebRTC, but I don't think my network can cooperate with that for unrelated reasons. The WebRTC API is detected at least. No crashes. No weird messages. Things seem normal. I know it's early, but all signs point to this being viable.
Before I forget:

[19:58:38] <+sam_> tbh I think a sed might be easiest
[19:58:58] <+sam_> just for build/moz.configure/toolchain.configure, if hardened, /-D_FORTIFY_SOURCE=/s:2:3:

Not tested it yet.
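The sed rewrite described in the first comment and in sam_'s IRC line, as an added shell example (not the patch attached to this bug, nor code from the ebuild or from Firefox): it runs the 2-to-3 substitution on a constructed stand-in for the toolchain.configure lines, anchors on the whole -D_FORTIFY_SOURCE=2 token so that no other digit on the line is touched, and checks that the -U_FORTIFY_SOURCE undef is left in place. The sample file contents and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example; not code from the bug report, the attached patch or the ebuild.
set -e

# Constructed stand-in for the relevant lines of build/moz.configure/toolchain.configure
# (not the real file contents). The "2.0" on the comment line must survive untouched.
make_sample() {
    cat > "$1" <<'EOF'
# fortify block, revision 2.0 (constructed comment line)
if hardened:
    flags.append("-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2")
    cflags.append("-D_FORTIFY_SOURCE=2")
EOF
}

# Print the level on the first -D_FORTIFY_SOURCE= line of $1 (empty if none).
fortify_level() {
    sed -n 's/.*-D_FORTIFY_SOURCE=\([0-9]*\).*/\1/p' "$1" | head -n 1
}

# Rewrite -D_FORTIFY_SOURCE=2 to =3 in $1. The pattern anchors on the full macro
# and requires a non-digit (or end of line) after the 2, so "2.0", "=20" or any
# other 2 on the line is left alone. Output goes to a temp file and is moved
# back, which works with both GNU and BSD sed (their -i options differ).
bump_fortify() {
    sed -e 's/-D_FORTIFY_SOURCE=2\([^0-9]\)/-D_FORTIFY_SOURCE=3\1/g' \
        -e 's/-D_FORTIFY_SOURCE=2$/-D_FORTIFY_SOURCE=3/' "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
}

# Count lines still carrying the old level; 0 means the bump is complete.
remaining_level2() {
    grep -c -- '-D_FORTIFY_SOURCE=2' "$1" || true
}

# Stand-alone run: create the sample, bump it, show the result.
demo() {
    f=$(mktemp)
    make_sample "$f"
    bump_fortify "$f"
    cat "$f"
    rm -f "$f"
}

demo
```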
Created attachment 872557: firefox-fortify-source-3.patch (patch to ebuild)
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=673ff5ed9ae5da6c5fd58bf9c0b2fe2c138742a8

commit 673ff5ed9ae5da6c5fd58bf9c0b2fe2c138742a8
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2023-10-12 10:38:36 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2023-10-12 10:39:58 +0000

    www-client/firefox: add 118.0.2

    - llvm-17 and rust-1.73 compatibility,
    - make 'hardened' use _FORTIFY_SOURCE=3.

    Closes: https://bugs.gentoo.org/910071
    Closes: https://bugs.gentoo.org/915306
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-client/firefox/Manifest               |  101 ++
 www-client/firefox/firefox-118.0.2.ebuild | 1440 +++++++++++++++++++++++++++++
 2 files changed, 1541 insertions(+)
Will sync to ESR naturally with a version bump.