Hi Kevin, in a current FF 9 release I see the following prefs:

javascript.options.jitprofiling.chrome;true
javascript.options.jitprofiling.content;true
javascript.options.methodjit.chrome;true
javascript.options.methodjit.content;true
javascript.options.methodjit_always;false
javascript.options.tracejit.chrome;true
javascript.options.tracejit.content;true

Does setting these options to false let Firefox run under PaX with RWX disabled? (Also please note that there is no more tracejit in Firefox 10 and later.)

Thanks!
ian

----- Original Message -----
From: "Kevin Chadwick" <ma1l1i...@yahoo.co.uk>
To: dev-security@lists.mozilla.org
Sent: Tuesday, January 24, 2012 2:53:24 PM
Subject: Please bring back JIT options in about:config for PAX/Grsecurity compatibility (Hardened Linux)

Currently the only web browser I've found that runs with grsecurity/PaX with all security features such as PaX MPROTECT and RANDMMAP is Opera.

"http://pax.grsecurity.net/docs/mprotect.txt"
"http://en.wikibooks.org/wiki/Grsecurity/Appendix/PaX_Flags"

I care more about security than JavaScript speed, but I don't wish to spend the time or energy fixing and compiling Firefox to work with a secure Linux kernel that avoids so many 0-day exploits. I run Firefox in a sandbox for the occasional time Flash is required, and I am being pushed towards the closed-source Opera for general use by my businesses when I'd prefer to stick with Firefox outside the sandbox, which I have been using since Firebird.

A bug has been opened in the past but was mistaken for Firefox's own mprotect and incorrectly closed. The problem is Just-In-Time execution, which requires write and execute at the same time; this should be optional and not explicitly compiled in. Users should at least be able to allow RWX via paxctl, load up Firefox, set methodjit and tracejit off in about:config and re-enable the security (disable RWX).

It used to be possible:
"http://hardenedgentoo.blogspot.com/2010/07/grsecurity-firefox-mprotect-and-you.html"

Then it got harder for Firefox 4:
"http://hardenedgentoo.blogspot.com/2011/06/enabling-mprotect-on-firefox-4.html"

Then a little easier for Firefox 5, but still required a compile:
"http://hardenedgentoo.blogspot.com/2011/06/firefox-5-with-mprotect-onof-course.html"

The attached patch works with Firefox 9 and was sent across the Gentoo Hardened mailing list as a remedy; it sets the compilation flags for disabling methodjit and tracejit, fixing the problem for those willing to compile. Here's a link to that mail:
"http://archives.gentoo.org/gentoo-hardened/msg_5e24471b3e46343505cba250e922a2fd.xml"

______________________________________________________________________________________
Can config options disabling tracejit and methodjit be provided to fix this for default binary users?
______________________________________________________________________________________

It would also give a boost to Firefox in security circles, making a box running Firefox and grsecurity less likely to be root-owned than one running Google Chrome, which has JIT hardening but would have a real hard time making their sandbox compatible with PaX.
"http://archives.gentoo.org/gentoo-hardened/msg_6433316b9968b19a09f80e29951e8347.xml"

--
Kc

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
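An added check, not code from either message in the thread, for verifying the thing Ian asks about: once the JIT prefs are off, a process's /proc/<pid>/maps should contain no writable-and-executable ("rwx") regions, which are the mappings PaX MPROTECT refuses and the reason the paxctl workaround is needed. The maps sample is constructed, and `check_pid` is my own helper name.

```shell
#!/bin/sh
# Added example (not from the thread): list rwx mappings, i.e. the W|X
# memory a JIT code cache needs and PaX MPROTECT denies.
# Reads /proc/<pid>/maps-format lines on stdin.

rwx_mappings() {
    # Field 2 is the permission string (e.g. "rwxp"); field 6 is the backing
    # path, empty for anonymous memory such as a JIT code cache.
    awk '$2 ~ /^rwx/ { print $1, $2, ($6 == "" ? "[anon]" : $6) }'
}

count_rwx() {
    rwx_mappings | wc -l | tr -d ' '
}

# Verdict for a live process (Linux only): 0 = no rwx pages,
# 1 = rwx pages present, 2 = maps file unreadable.
check_pid() {
    pid=$1
    n=$(count_rwx < "/proc/$pid/maps") || return 2
    if [ "$n" -eq 0 ]; then
        echo "pid $pid: no rwx mappings; MPROTECT can stay enabled"
        return 0
    fi
    echo "pid $pid: $n rwx mapping(s); these need MPROTECT disabled via paxctl:"
    rwx_mappings < "/proc/$pid/maps"
    return 1
}

# Constructed sample resembling a JIT-enabled browser: two anonymous rwx
# regions among ordinary r-x / rw- segments.
SAMPLE_MAPS='00400000-00401000 r-xp 00000000 08:01 123456 /usr/lib/firefox/firefox
00601000-00602000 rw-p 00001000 08:01 123456 /usr/lib/firefox/firefox
7f3a00000000-7f3a00100000 rwxp 00000000 00:00 0
7f3a10000000-7f3a10021000 rw-p 00000000 00:00 0 [heap]
7f3a20000000-7f3a20010000 rwxp 00000000 00:00 0
7ffd8a000000-7ffd8a021000 rw-p 00000000 00:00 0 [stack]'

printf '%s\n' "$SAMPLE_MAPS" | rwx_mappings
# On a real system: check_pid "$(pgrep -o firefox)"
```

Run it against a Firefox started with the prefs above set to false and against one with them at their defaults; the difference in the rwx count shows whether the prefs alone are enough to keep MPROTECT enabled.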