On 17.05.2012 20:25, Radek Madej wrote:
> Hi,
>
> On Wednesday 16 May 2012 17:29:44 Anthony G. Basile wrote:
>> On 05/16/2012 12:12 PM, PaX Team wrote:
>>> On 16 May 2012 at 16:39, Hinnerk van Bruinehsen wrote:
>>>
>>>> at the moment the thunderbird-ebuild in the tree does a "pax mark m"
>>>> on the binary.
>>>> At least for me thunderbird works fine if I just disable jit.
>>>
>>> there're a few packages that define a local 'jit' USE flag, i'd say
>>> thunderbird/firefox/etc should use it as well to disable JIT related
>>> options and avoid the pax-mark (not sure why pax-kernel came to mean
>>> this, that's for kernel modules, not userland, and this JIT stuff is
>>> useful for more kernels than just PaX based ones).
>>>
>>
>> This flag was introduced to distinguish the above from USE="hardened"
>> which only refers to the toolchain, and the goodies it brings along.
>>
>> Having said that, it's clearly better to disable JIT and not pax mark
>> than vice versa. We have jit disabled by default in the hardened profiles.
>>
>
> ...so in the above example it's better to define the 'jit' flag in the ebuild
> for thunderbird rather than using 'pax_kernel'? Or should '-jit' and
> 'pax_kernel' result in disabling JIT in the ebuilds?
>
> I do exactly the same stuff (if 'pax_kernel': disable_jit() :) ) for firefox on
> my local overlay which allows me to run latest Firefox with mprotect on and no
> paxmarkings (I don't care about plugins on FF). Judging by what you've said,
> it'd be better to simply use 'jit' flag for it as it's disabled on the
> hardened profiles anyway...
>
> In theory we could then have the jit flag on both, Thunderbird and Firefox,
> which would allow the hardened users to benefit from mprotect, however any
> use of flash/java on FF would result in a crash anyway...but it's nice to have
> the choice me thinks... :)
>
> Cheers,
> Radek
If I understand it correctly, it should be the following way: use pax_kernel to disable jit as the default and use jit to override pax_kernel, so people who would like to use for example flash could enable it if they want. This way hardened would be the default, which would be the behaviour I would expect for a hardened profile.

The most important question for me is: should I file a bug for that?

With kind regards,
Hinnerk
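The flag interaction proposed in this thread (USE=jit wins, otherwise USE=pax_kernel turns the JIT off, otherwise the upstream default applies), written out as an added example that is not an actual ebuild from the tree. The `use` helper below is a hypothetical stand-in for Portage's own, reading enabled flags from a `$USE` string, so the script runs outside an ebuild environment:

```shell
#!/bin/sh
# Hypothetical stand-in for Portage's `use` helper: a flag is enabled
# when its name appears in the space-separated $USE string.
use() {
    case " ${USE:-} " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Decide whether the JIT gets built, following the proposal in the thread:
# an explicit USE=jit wins; otherwise USE=pax_kernel disables the JIT;
# otherwise the upstream default (JIT on) applies.
jit_enabled() {
    if use jit; then
        return 0
    elif use pax_kernel; then
        return 1
    else
        return 0
    fi
}

# The binary only needs a pax-mark (the 'm' flag, relaxing MPROTECT) when a
# JIT is built for a PaX kernel; with the JIT off, MPROTECT stays enforced.
needs_paxmark() {
    use pax_kernel && jit_enabled
}

# Print the outcome for one constructed USE string.
decide() {
    USE="$1"
    if jit_enabled; then jit=on; else jit=off; fi
    if needs_paxmark; then mark="pax-mark m"; else mark="no paxmark"; fi
    printf '%-24s jit=%s  %s\n' "USE=\"$1\"" "$jit" "$mark"
}

decide ""
decide "pax_kernel"
decide "pax_kernel jit"
decide "jit"
```

Only the `pax_kernel jit` combination ends up needing the relaxed MPROTECT marking; a plain hardened profile (pax_kernel set, jit unset) keeps MPROTECT enforced on the binary.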
