Hi,

On Wednesday 16 May 2012 17:29:44 Anthony G. Basile wrote:
> On 05/16/2012 12:12 PM, PaX Team wrote:
> > On 16 May 2012 at 16:39, Hinnerk van Bruinehsen wrote:
> >
> >> at the moment the thunderbird-ebuild in the tree does a "pax mark m"
> >> on the binary.
> >> At least for me thunderbird works fine if I just disable jit.
> >
> > there're a few packages that define a local 'jit' USE flag, i'd say
> > thunderbird/firefox/etc should use it as well to disable JIT related
> > options and avoid the pax-mark (not sure why pax-kernel came to mean
> > this, that's for kernel modules, not userland, and this JIT stuff is
> > useful for more kernels than just PaX based ones).
> >
>
> This flag was introduced to distinguish the above from USE="hardened"
> which only refers to the toolchain, and the goodies it brings along.
>
> Having said that, it's clearly better to disable JIT and not pax mark
> than vice versa. We have jit disabled by default in the hardened profiles.
>
...so in the above example it's better to define the 'jit' flag in the ebuild for thunderbird rather than using 'pax_kernel'? Or should '-jit' and 'pax_kernel' result in disabling JIT in the ebuilds?

I do exactly the same stuff (if 'pax_kernel': disable_jit() :) ) for firefox on my local overlay, which allows me to run the latest Firefox with mprotect on and no paxmarkings (I don't care about plugins on FF).

Judging by what you've said, it'd be better to simply use the 'jit' flag for it, as it's disabled on the hardened profiles anyway...

In theory we could then have the jit flag on both Thunderbird and Firefox, which would allow the hardened users to benefit from mprotect; however, any use of flash/java on FF would result in a crash anyway... but it's nice to have the choice, methinks... :)

Cheers,
Radek
