Wednesday, 15 February 2012

Firefox 10.0.1 - MPROTECT strikes again!

It's been a while and Firefox has moved from version 5 to version 10.0.1, now that's a pace! ;) But the important bits are...enforcing MPROTECT has never been easier...well, almost. ;)

Thanks to this attachment in this bug, the latest version of Firefox compiles fine on hardened profiles (or simply on grsec kernels).

In order to enable MPROTECT restrictions, edit the ebuild and at the top add pax_kernel flag to IUSE so it reads like this:

IUSE="bindist +crashreporter +ipc +minimal pgo selinux system-sqlite +webm pax_kernel"

also, add the following snippet in src_configure() before the # Finalize and report settings line:

if use pax_kernel; then
   mozconfig_annotate '' --disable-methodjit
   mozconfig_annotate '' --disable-tracejit
fi

...and get rid of the following lines in src_install():

# Pax mark xpcshell for hardened support, only used for startupcache creation.
pax-mark m "${S}/${obj_dir}"/dist/bin/xpcshell

and this:

# Required in order to use plugins and even run firefox on hardened.
pax-mark m "${ED}"${MOZILLA_FIVE_HOME}/{firefox,firefox-bin,plugin-container}

NOTE: You won't be able to run Java or Flash, as they require RWX mappings, which are not allowed when MPROTECT is enforced. If you need to use them, you can use a different browser for that, for instance Chromium.

Now digest your local ebuild:

# ebuild /usr/local/portage/www-client/firefox/firefox-10.0.1.ebuild digest
>>> Creating Manifest for /usr/local/portage/www-client/firefox

...and you're ready to emerge! ;] Once done, start Firefox. If you're starting it from the command line, you'll see the following (expected) error:

LLVM ERROR: Allocation failed when allocating new memory in the JIT
Can't allocate RWX Memory: Operation not permitted

which is exactly what we wanted :) ...and to verify that it works as expected:

$ for pid in $(ps -ef | grep [f]irefox | awk '{print $2}'); do cat /proc/$pid/status | grep PaX; done
PaX: PeMRs

Note the capital 'M' - you're mprotected! ;]
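To make that check reusable (and to tell you which process is missing the flag rather than just dumping status lines), here is a small POSIX sh script. It is an added example, not part of the original post. It parses the "PaX:" line the way the one-liner above does and reports whether the "M" is uppercase (MPROTECT enforced) or lowercase (disabled); the function and variable names are my own, and the sample status lines at the bottom are constructed so the script can be exercised on a box that is not running a PaX kernel.

```shell
#!/bin/sh
# Added example (not from the original post): report MPROTECT state for
# running Firefox processes by reading the "PaX:" line in /proc/<pid>/status.
# PaX prints one letter per feature; an uppercase letter means enforced,
# lowercase means disabled. "M"/"m" is MPROTECT, so "PaX: PeMRs" is enforced
# and "PaX: PemRs" is not.

# pax_mprotect_state "STATUS LINE" -> prints enforced | disabled | unknown
pax_mprotect_state() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^PaX:[[:space:]]*//p')
    case "$flags" in
        *M*) echo enforced ;;
        *m*) echo disabled ;;
        *)   echo unknown ;;   # no PaX line at all (not a PaX kernel?)
    esac
}

# check_pid PID -> prints "<pid> <state>" from the live /proc entry
check_pid() {
    line=$(grep '^PaX:' "/proc/$1/status" 2>/dev/null)
    echo "$1 $(pax_mprotect_state "$line")"
}

# firefox_pids -> pids of running firefox processes, same trick as the post
firefox_pids() {
    ps -ef | grep '[f]irefox' | awk '{print $2}'
}

# Walk every firefox pid and flag any that is not enforced.
found=0
for pid in $(firefox_pids); do
    found=1
    check_pid "$pid"
done
[ "$found" -eq 1 ] || echo "no firefox process running"

# Constructed sample lines (not captured from a real system) to show the parser:
echo "sample enforced: $(pax_mprotect_state 'PaX: PeMRs')"
echo "sample disabled: $(pax_mprotect_state 'PaX: PemRs')"
```

Run it after emerging and starting Firefox; every line should end in "enforced". A "disabled" line means something re-marked the binary (for instance a leftover pax-mark call in src_install()), and "unknown" means the kernel is not exposing PaX flags at all.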