Mailing List Archive: Gentoo: Hardened

Firefox won't compile on hardened profile

 

 



emailgrant at gmail

Feb 14, 2012, 12:39 PM

Post #1 of 20 (1740 views)
Firefox won't compile on hardened profile

Firefox won't compile on my system due to the issue described here:

http://www.gossamer-threads.com/lists/gentoo/hardened/245060

They seem to be able to make it compile by enabling softmode. That
doesn't work for me, I have the same issue in softmode. I think this
is because of my hardened profile. Is there any way to fix this or
should I look for a different browser?

- Grant


powerman at powerman

Feb 14, 2012, 12:44 PM

Post #2 of 20 (1695 views)
Re: Firefox won't compile on hardened profile

Hi!

On Tue, Feb 14, 2012 at 12:39:04PM -0800, Grant wrote:
> Is there any way to fix this or should I look for a different browser?

Use firefox-bin. Or do you have to compile it yourself?

--
WBR, Alex.


emailgrant at gmail

Feb 14, 2012, 12:49 PM

Post #3 of 20 (1699 views)
Re: Firefox won't compile on hardened profile

>> Is there any way to fix this or should I look for a different browser?
>
> Use firefox-bin. Or you have to compile it yourself?

You're right, I should have said:

Is there any way to fix this or should I use firefox-bin?

:)

- Grant


ewald at tienkamp

Feb 14, 2012, 1:18 PM

Post #4 of 20 (1695 views)
Re: Firefox won't compile on hardened profile

The following was received from Grant, on 02/14/12 21:39:
> Firefox won't compile on my system due to the issue described here:
>
> http://www.gossamer-threads.com/lists/gentoo/hardened/245060

FWIW: I had no trouble compiling Firefox 9.0 on my amd64 system using
the current stable 3.2.2-r1 kernel, gcc 4.5.3, grsec/pax enabled.

--
Ewald Tienkamp
ewald [at] tienkamp


emailgrant at gmail

Feb 14, 2012, 1:59 PM

Post #5 of 20 (1700 views)
Re: Firefox won't compile on hardened profile

>> Firefox won't compile on my system due to the issue described here:
>>
>> http://www.gossamer-threads.com/lists/gentoo/hardened/245060
>
> FWIW: I had no trouble compiling Firefox 9.0 on my amd64 system using
> the current stable 3.2.2-r1 kernel, gcc 4.5.3, grsec/pax enabled.

To confirm, you aren't on a hardened profile?

- Grant


ewald at tienkamp

Feb 14, 2012, 3:26 PM

Post #6 of 20 (1688 views)
Re: Firefox won't compile on hardened profile

The following was received from Grant, on 02/14/12 22:59:
>>> Firefox won't compile on my system due to the issue described
>>> here:
>>>
>>> http://www.gossamer-threads.com/lists/gentoo/hardened/245060
>>
>> FWIW: I had no trouble compiling Firefox 9.0 on my amd64 system
>> using the current stable 3.2.2-r1 kernel, gcc 4.5.3, grsec/pax
>> enabled.
>
> To confirm, you aren't on a hardened profile?

I am on a hardened profile, currently using
hardened/linux/amd64/no-multilib/selinux profile, only running stable
software.

--
Ewald Tienkamp


emailgrant at gmail

Feb 15, 2012, 8:39 AM

Post #7 of 20 (1689 views)
Re: Firefox won't compile on hardened profile

>>>> Firefox won't compile on my system due to the issue described
>>>> here:
>>>>
>>>> http://www.gossamer-threads.com/lists/gentoo/hardened/245060
>>>
>>> FWIW: I had no trouble compiling Firefox 9.0 on my amd64 system
>>> using the current stable 3.2.2-r1 kernel, gcc 4.5.3, grsec/pax
>>> enabled.
>>
>> To confirm, you aren't on a hardened profile?
>
> I am on a hardened profile, currently using
> hardened/linux/amd64/no-multilib/selinux profile, only running stable
> software.

I don't get it then. Does anyone know why I can't compile Firefox as
described in the link above? This sums it up:

"firefox-9.0 ebuild stalls at the install phase while xpcshell command
tops CPU usage for hours."

Although xpcshell doesn't use any CPU for me. It just sits there and
the install phase doesn't proceed.

- Grant


h.v.bruinehsen at fu-berlin

Feb 15, 2012, 9:10 AM

Post #8 of 20 (1684 views)
Re: Firefox won't compile on hardened profile

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 15.02.2012 17:39, Grant wrote:
>>>>> Firefox won't compile on my system due to the issue
>>>>> described here:
>>>>>
>>>>> http://www.gossamer-threads.com/lists/gentoo/hardened/245060
>>>>
>>>> FWIW: I had no trouble compiling Firefox 9.0 on my amd64 system
>>>> using the current stable 3.2.2-r1 kernel, gcc 4.5.3,
>>>> grsec/pax enabled.
>>>
>>> To confirm, you aren't on a hardened profile?
>>
>> I am on a hardened profile, currently using
>> hardened/linux/amd64/no-multilib/selinux profile, only running
>> stable software.
>
> I don't get it then. Does anyone know why I can't compile Firefox
> as described in the link above? This sums it up:
>
> "firefox-9.0 ebuild stalls at the install phase while xpcshell
> command tops CPU usage for hours."
>
> Although xpcshell doesn't use any CPU for me. It just sits there
> and the install phase doesn't proceed.
>
> - Grant
>

I can compile Icecat with a customized ebuild. Since it's basically
the same as Firefox, maybe that helps. Basically it disables JIT.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPO+caAAoJEJwwOFaNFkYcuugH/jTv4dy6tQ6PnC6ZqHioUOiK
U6xdXra8jxS1Wi9y6iVr1mRmycXZZv8GD5ZLjs4BJl3UofyfoqLmjTt0R+myn5R9
1ovZD9y1tTYIRRnA+HI7d7ZuNLwTULLcCmmXL7/TIg/1spi7K5JCKmbTGLPvcAJ+
MyrLSeiyCTK6iI384legi13Mw7B7k4G6Y0ZS1izZah/zno0uiPawLjcIE6LJPsMP
UhOMiW4YY5Xn+jdNqaHWN/87E3+Y+OUWCLqrP+8itK2afQoj5l4zs9b8JUcdEHPs
Y5JgI5dtGrWndkJMklerzSXQ20/8EKg1lJCxmHS7Ii85Icd3RxF3xwE2PjAVI1U=
=zfn0
-----END PGP SIGNATURE-----
Attachments: icecat-10.0-r1.ebuild (9.73 KB)
  icecat-10.0-r1.ebuild.sig (0.28 KB)


radegand at o2

Feb 15, 2012, 12:38 PM

Post #9 of 20 (1696 views)
Re: Firefox won't compile on hardened profile

Hi,

On Wednesday 15 February 2012 18:10:51 Hinnerk van Bruinehsen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 15.02.2012 17:39, Grant wrote:
> >
> > I don't get it then. Does anyone know why I can't compile Firefox
> > as described in the link above? This sums it up:
> >
> > "firefox-9.0 ebuild stalls at the install phase while xpcshell
> > command tops CPU usage for hours."
> >
> > Although xpcshell doesn't use any CPU for me. It just sits there
> > and the install phase doesn't proceed.
> >
> > - Grant
>
> I can compile Icecat with a customized ebuild. since it's basically
> the same as Firefox, maybe that helps. Basically it disables jit.
>

You can't compile it on a grsec kernel because of this bug: :)
https://bugs.gentoo.org/show_bug.cgi?id=396275

It's odd that it hangs at xpcshell for you as it's already paxmarked in the
ebuild...

Anyway, I'd suggest:

1) keyword firefox so you can get the latest one, which currently is the
10.0.1. I'm not sure if the security patches between 9.0.1 and 10.0.1 have
been backported. AFAIK, Firefox-10.0.1 from the ebuild in portage tree will
compile just fine on hardened.

2) As suggested, disabling JIT will do the trick, and it seems like recent
versions of Firefox can actually have it disabled properly. So the ebuild for
icecat/firefox will work for you; you just need this in src_configure():

if use pax_kernel; then
    mozconfig_annotate '' --disable-methodjit
    mozconfig_annotate '' --disable-tracejit
fi

3) The other benefit of disabling JIT completely is that you can now disable
the paxmarking that turns MPROTECT off and benefit from properly enforced W^X pages
:) Unless you want to use FF for flash or java, that is... ;)

Cheers,
Radek


radegand at o2

Feb 15, 2012, 2:15 PM

Post #10 of 20 (1690 views)
Re: Firefox won't compile on hardened profile

On Wednesday 15 February 2012 20:38:21 Radek Madej wrote:
>
> 2) As suggested, disabling JIT will do the trick and it seems like recent
> versions of Firefox can actually have it disabled properly. So the ebuild
> for icecat/firefox will work for you, you just need this in src_configure()
> :
>
> if use pax_kernel; then
> mozconfig_annotate '' --disable-methodjit
> mozconfig_annotate '' --disable-tracejit
> fi
>

I forgot to add that you also need to add the pax_kernel flag to IUSE in the
ebuild (see the previously attached ebuild for icecat)

Cheers,
Radek


p.labushev at gmail

Feb 15, 2012, 11:42 PM

Post #11 of 20 (1692 views)
Re: Firefox won't compile on hardened profile

16.02.2012 04:38, Radek Madej wrote:

> 2) As suggested, disabling JIT will do the trick and it seems like recent
> versions of Firefox can actually have it disabled properly. So the ebuild for
> icecat/firefox will work for you, you just need this in src_configure() :
>
> if use pax_kernel; then
> mozconfig_annotate '' --disable-methodjit
> mozconfig_annotate '' --disable-tracejit
> fi

Here's the hack I use so that I don't have to modify the ebuilds:

# cat /etc/portage/bashrc
LC_ALL="C"

# Only act when running inside an ebuild phase.
if [ X"$EBUILD_PHASE" != "X" ]; then
    # Per-package hook for every phase; the most specific name wins (PF, then P, then PN).
    if [ -f "/etc/portage/bashrc.d/${CATEGORY}/${PF}" ]; then
        source "/etc/portage/bashrc.d/${CATEGORY}/${PF}"
    elif [ -f "/etc/portage/bashrc.d/${CATEGORY}/${P}" ]; then
        source "/etc/portage/bashrc.d/${CATEGORY}/${P}"
    elif [ -f "/etc/portage/bashrc.d/${CATEGORY}/${PN}" ]; then
        source "/etc/portage/bashrc.d/${CATEGORY}/${PN}"
    fi

    # Per-package, per-phase hook, same precedence.
    if [ -f "/etc/portage/bashrc.d/${CATEGORY}/${PF}.${EBUILD_PHASE}" ]; then
        source "/etc/portage/bashrc.d/${CATEGORY}/${PF}.${EBUILD_PHASE}"
    elif [ -f "/etc/portage/bashrc.d/${CATEGORY}/${P}.${EBUILD_PHASE}" ]; then
        source "/etc/portage/bashrc.d/${CATEGORY}/${P}.${EBUILD_PHASE}"
    elif [ -f "/etc/portage/bashrc.d/${CATEGORY}/${PN}.${EBUILD_PHASE}" ]; then
        source "/etc/portage/bashrc.d/${CATEGORY}/${PN}.${EBUILD_PHASE}"
    fi
fi

# cat /etc/portage/bashrc.d/www-client/firefox.compile
disable_unsafe_options() {
    [ -f "$S"/.mozconfig ] || die
    # Blank the ebuild's --enable-*jit / --enable-jemalloc lines ...
    sed -i 's/ac_add_options.*--enable-.*jit.*//' "$S"/.mozconfig
    sed -i 's/ac_add_options.*--enable-jemalloc.*//' "$S"/.mozconfig
    echo >> "$S"/.mozconfig
    # ... and append the explicit --disable options.
    local OPTIONS
    OPTIONS="$OPTIONS --disable-jemalloc"
    OPTIONS="$OPTIONS --disable-ctypes"
    OPTIONS="$OPTIONS --disable-tracejit"
    OPTIONS="$OPTIONS --disable-methodjit"
    OPTIONS="$OPTIONS --disable-jit"
    local O
    for O in $OPTIONS ; do
        echo "ac_add_options $O # fortify" >> "$S"/.mozconfig
    done
}

disable_unsafe_options
Attachments: signature.asc (0.82 KB)
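The two mechanisms discussed in posts #9 and #11, as an added example that is not part of the thread and not Radek's or Pavel's code: a stand-alone POSIX shell script that simulates, outside portage, the /etc/portage/bashrc per-package hook lookup (PF first, then P, then PN, with or without a phase suffix) and the .mozconfig rewrite that blanks the --enable-*jit and --enable-jemalloc lines and appends the --disable options, followed by a check that the rewrite actually took. The hook tree, the package names and the sample .mozconfig are constructed in a temporary directory. The function names resolve_hook, mozconfig_is_hardened and make_fixture are mine, and this disable_unsafe_options takes the file path as an argument rather than reading portage's $S. CATEGORY, PF, P, PN, S and EBUILD_PHASE are the real portage variables the posted hook reads; the script passes their values explicitly so it runs without portage.

```shell
#!/bin/sh
# Added example, not code from the thread. Simulates the /etc/portage/bashrc
# per-package hook lookup (post #11) and the .mozconfig rewrite that disables
# JIT and jemalloc (posts #9 and #11) outside portage. The hook tree, package
# names and .mozconfig contents below are constructed for the demo.

# Which hook file would /etc/portage/bashrc source for this package and phase?
# Same precedence as the posted bashrc: ${PF}, then ${P}, then ${PN}, with a
# ".${EBUILD_PHASE}" suffix when a phase is given. Prints the path and returns
# 0, or returns 1 when no hook matches.
resolve_hook() {
    root=$1 category=$2 pf=$3 p=$4 pn=$5 phase=$6
    for name in "$pf" "$p" "$pn"; do
        f="$root/$category/$name${phase:+.$phase}"
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Rewrite a .mozconfig the way the posted firefox.compile hook does: blank every
# ac_add_options line that enables a JIT or jemalloc, then append the explicit
# --disable options. Takes the file path as an argument instead of using $S.
disable_unsafe_options() {
    cfg=$1
    [ -f "$cfg" ] || return 1
    sed -i 's/ac_add_options.*--enable-.*jit.*//' "$cfg"
    sed -i 's/ac_add_options.*--enable-jemalloc.*//' "$cfg"
    echo >> "$cfg"
    for o in --disable-jemalloc --disable-ctypes --disable-tracejit \
             --disable-methodjit --disable-jit; do
        echo "ac_add_options $o # fortify" >> "$cfg"
    done
}

# Verification the posted hook does not do: no --enable-*jit or --enable-jemalloc
# line may survive, and every --disable option must be present.
mozconfig_is_hardened() {
    cfg=$1
    grep -Eq -- '--enable-[a-z]*jit|--enable-jemalloc' "$cfg" && return 1
    for o in --disable-jemalloc --disable-ctypes --disable-tracejit \
             --disable-methodjit --disable-jit; do
        grep -q -- "ac_add_options $o" "$cfg" || return 1
    done
    return 0
}

# Constructed fixture: a bashrc.d tree with a PN-level compile hook for all
# firefox versions, a more specific (empty) PF-level hook for one revision, and
# a .mozconfig that still enables both JITs and jemalloc.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bashrc.d/www-client" "$dir/work"
    printf 'disable_unsafe_options "$S"/.mozconfig\n' \
        > "$dir/bashrc.d/www-client/firefox.compile"
    : > "$dir/bashrc.d/www-client/firefox-10.0.1-r1.compile"
    cat > "$dir/work/.mozconfig" <<'EOF'
ac_add_options --enable-application=browser
ac_add_options --enable-methodjit
ac_add_options --enable-tracejit
ac_add_options --enable-jemalloc
ac_add_options --disable-tests
EOF
    printf '%s\n' "$dir"
}

# Demo: what the bashrc would do in the compile phase of www-client/firefox-10.0.1
# (CATEGORY=www-client, PF=P=firefox-10.0.1, PN=firefox).
D=$(make_fixture)
S="$D/work"
hook=$(resolve_hook "$D/bashrc.d" www-client firefox-10.0.1 firefox-10.0.1 firefox compile)
echo "bashrc would source: $hook"
. "$hook"
if mozconfig_is_hardened "$S/.mozconfig"; then
    echo "mozconfig: JIT and jemalloc disabled"
else
    echo "mozconfig: unsafe options still present" >&2
fi
```

The check at the end is the part worth keeping around: the sed patterns only blank lines they match on a single line, so an ac_add_options entry written in a form they do not match (for instance continued with a backslash onto the next line) would survive the rewrite, and without a check the build would silently keep the JIT the hardening was meant to remove.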


emailgrant at gmail

Feb 16, 2012, 8:51 AM

Post #12 of 20 (1682 views)
Re: Firefox won't compile on hardened profile

>> > I don't get it then. Does anyone know why I can't compile Firefox
>> > as described in the link above? This sums it up:
>> >
>> > "firefox-9.0 ebuild stalls at the install phase while xpcshell
>> > command tops CPU usage for hours."
>> >
>> > Although xpcshell doesn't use any CPU for me. It just sits there
>> > and the install phase doesn't proceed.
>> >
>> > - Grant
>>
>> I can compile Icecat with a customized ebuild. since it's basically
>> the same as Firefox, maybe that helps. Basically it disables jit.
>>
>
> You can't compile it on a grsec kernel because of this bug: :)
> https://bugs.gentoo.org/show_bug.cgi?id=396275
>
> It's odd that it hangs at xpcshell for you as it's already paxmarked in the
> ebuild...
>
> Anyway, I'd suggest:
>
> 1) keyword firefox so you can get the latest one, which currently is the
> 10.0.1. I'm not sure if the security patches between 9.0.1 and 10.0.1 have
> been backported. AFAIK, Firefox-10.0.1 from the ebuild in portage tree will
> compile just fine on hardened.

9.0.1 and 10.0 have both failed to emerge on my system, but I haven't
tried 10.0.1. I'll do that right away.

> 2) As suggested, disabling JIT will do the trick and it seems like recent
> versions of Firefox can actually have it disabled properly. So the ebuild for
> icecat/firefox will work for you, you just need this in src_configure() :
>
> if use pax_kernel; then
> mozconfig_annotate '' --disable-methodjit
> mozconfig_annotate '' --disable-tracejit
> fi
>
> 3) the other benefit of disabling jit completely is that you can now disable
> the paxmarking turning MPROTECT off and benefit from properfly enforced W^X pages
> :) Unless you want to use FF for flash or java that is... ;)

So I need to use paxctl -m if I want to use flash or java?

- Grant


emailgrant at gmail

Feb 17, 2012, 6:53 AM

Post #13 of 20 (1684 views)
Re: Firefox won't compile on hardened profile

>> > I don't get it then. Does anyone know why I can't compile Firefox
>> > as described in the link above? This sums it up:
>> >
>> > "firefox-9.0 ebuild stalls at the install phase while xpcshell
>> > command tops CPU usage for hours."
>> >
>> > Although xpcshell doesn't use any CPU for me. It just sits there
>> > and the install phase doesn't proceed.
>> >
>> > - Grant
>>
>> I can compile Icecat with a customized ebuild. since it's basically
>> the same as Firefox, maybe that helps. Basically it disables jit.
>>
>
> You can't compile it on a grsec kernel because of this bug: :)
> https://bugs.gentoo.org/show_bug.cgi?id=396275
>
> It's odd that it hangs at xpcshell for you as it's already paxmarked in the
> ebuild...
>
> Anyway, I'd suggest:
>
> 1) keyword firefox so you can get the latest one, which currently is the
> 10.0.1. I'm not sure if the security patches between 9.0.1 and 10.0.1 have
> been backported. AFAIK, Firefox-10.0.1 from the ebuild in portage tree will
> compile just fine on hardened.

10.0.1 fails the same way unfortunately.

- Grant


> 2) As suggested, disabling JIT will do the trick and it seems like recent
> versions of Firefox can actually have it disabled properly. So the ebuild for
> icecat/firefox will work for you, you just need this in src_configure() :
>
> if use pax_kernel; then
> mozconfig_annotate '' --disable-methodjit
> mozconfig_annotate '' --disable-tracejit
> fi
>
> 3) the other benefit of disabling jit completely is that you can now disable
> the paxmarking turning MPROTECT off and benefit from properfly enforced W^X pages
> :) Unless you want to use FF for flash or java that is... ;)


atoth at atoth

Feb 19, 2012, 10:01 AM

Post #14 of 20 (1654 views)
Re: Firefox won't compile on hardened profile

There's a snippet in your ebuild:
"append-flags -mno-avx"

What is the problem with AVX? Is it an option that works against security?

Regards:
Dw.
--
Dr. Tóth Attila, Radiologist, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 15 February 2012 (Wed) at 18:10, Hinnerk van Bruinehsen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 15.02.2012 17:39, Grant wrote:
>>>>>> Firefox won't compile on my system due to the issue
>>>>>> described here:
>>>>>>
>>>>>> http://www.gossamer-threads.com/lists/gentoo/hardened/245060
>>>>>
>>>>> FWIW: I had no trouble compiling Firefox 9.0 on my amd64 system
>>>>> using the current stable 3.2.2-r1 kernel, gcc 4.5.3,
>>>>> grsec/pax enabled.
>>>>
>>>> To confirm, you aren't on a hardened profile?
>>>
>>> I am on a hardened profile, currently using
>>> hardened/linux/amd64/no-multilib/selinux profile, only running
>>> stable software.
>>
>> I don't get it then. Does anyone know why I can't compile Firefox
>> as described in the link above? This sums it up:
>>
>> "firefox-9.0 ebuild stalls at the install phase while xpcshell
>> command tops CPU usage for hours."
>>
>> Although xpcshell doesn't use any CPU for me. It just sits there
>> and the install phase doesn't proceed.
>>
>> - Grant
>>
>
> I can compile Icecat with a customized ebuild. since it's basically
> the same as Firefox, maybe that helps. Basically it disables jit.
>
>


emailgrant at gmail

Feb 19, 2012, 10:32 AM

Post #15 of 20 (1668 views)
Re: Firefox won't compile on hardened profile

> There's a snippet in your ebuild:
> "append-flags -mno-avx"
>
> What is the problem with avx? Is it an option counteracting with security?

I'm sorry but I'm not sure what you mean. I should change the firefox ebuild?

- Grant


>>>>>>> Firefox won't compile on my system due to the issue
>>>>>>> described here:
>>>>>>>
>>>>>>> http://www.gossamer-threads.com/lists/gentoo/hardened/245060
>>>>>>
>>>>>> FWIW: I had no trouble compiling Firefox 9.0 on my amd64 system
>>>>>> using the current stable 3.2.2-r1 kernel, gcc 4.5.3,
>>>>>> grsec/pax enabled.
>>>>>
>>>>> To confirm, you aren't on a hardened profile?
>>>>
>>>> I am on a hardened profile, currently using
>>>> hardened/linux/amd64/no-multilib/selinux profile, only running
>>>> stable software.
>>>
>>> I don't get it then. Does anyone know why I can't compile Firefox
>>> as described in the link above? This sums it up:
>>>
>>> "firefox-9.0 ebuild stalls at the install phase while xpcshell
>>> command tops CPU usage for hours."
>>>
>>> Although xpcshell doesn't use any CPU for me. It just sits there
>>> and the install phase doesn't proceed.
>>>
>>> - Grant
>>>
>>
>> I can compile Icecat with a customized ebuild. since it's basically
>> the same as Firefox, maybe that helps. Basically it disables jit.


atoth at atoth

Feb 19, 2012, 11:06 AM

Post #16 of 20 (1670 views)
Re: Firefox won't compile on hardened profile

The email I replied to was originally posted by "Hinnerk van Bruinehsen".

Let's look at my question in detail; that might clarify it. Here is the part
of the ebuild I'm asking about:

"
if [[ $(gcc-major-version) -lt 4 ]]; then
    append-cxxflags -fno-stack-protector
elif [[ $(gcc-major-version) -gt 4 || $(gcc-minor-version) -gt 3 ]]; then
    if use amd64 || use x86; then
        append-flags -mno-avx
    fi
fi
"

Break it down:

"
if [[ $(gcc-major-version) -lt 4 ]]; then
    append-cxxflags -fno-stack-protector
"
The first part is a historical remnant from times before Zorry. We used
gcc-3.4.6 for a long time. It used a different implementation for SSP.

"
elif [[ $(gcc-major-version) -gt 4 || $(gcc-minor-version) -gt 3 ]]; then
    if use amd64 || use x86; then
        append-flags -mno-avx
    fi
fi
"

The second part disables AVX optimisations if the gcc version is newer
than 4.3. However, AVX support hasn't been around for long and it's not mature.
AVX is an instruction set extension that has been getting some attention
lately. I'm lucky to have a system with a capable processor. The block
disabling the optimisations resides right beside the stack-protector
statement. That's why I thought some hardened folks put it there, and I'm
curious about the reason.

Of course it might simply be there because enabling AVX optimizations can
actually decrease performance, as you can see here:
http://www.phoronix.com/scan.php?page=article&item=intel_avx_gcc&num=1

Security is more important for me compared to speed. That's why I'm
interested in any security effect of a compiler option (like creating
textrels or so). If it's a security problem, I won't use corei7-avx, but
rather go for simple corei7.

Regards:
Dw.
--
Dr. Tóth Attila, Radiologist, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 19 February 2012 (Sun) at 19:32, Grant wrote:
>> There's a snippet in your ebuild:
>> "append-flags -mno-avx"
>>
>> What is the problem with avx? Is it an option counteracting with
>> security?
>
> I'm sorry but I'm not sure what you mean. I should change the firefox
> ebuild?
>
> - Grant
>
>
>>>>>>>> Firefox won't compile on my system due to the issue
>>>>>>>> described here:
>>>>>>>>
>>>>>>>> http://www.gossamer-threads.com/lists/gentoo/hardened/245060
>>>>>>>
>>>>>>> FWIW: I had no trouble compiling Firefox 9.0 on my amd64 system
>>>>>>> using the current stable 3.2.2-r1 kernel, gcc 4.5.3,
>>>>>>> grsec/pax enabled.
>>>>>>
>>>>>> To confirm, you aren't on a hardened profile?
>>>>>
>>>>> I am on a hardened profile, currently using
>>>>> hardened/linux/amd64/no-multilib/selinux profile, only running
>>>>> stable software.
>>>>
>>>> I don't get it then.  Does anyone know why I can't compile Firefox
>>>> as described in the link above?  This sums it up:
>>>>
>>>> "firefox-9.0 ebuild stalls at the install phase while xpcshell
>>>> command tops CPU usage for hours."
>>>>
>>>> Although xpcshell doesn't use any CPU for me.  It just sits there
>>>> and the install phase doesn't proceed.
>>>>
>>>> - Grant
>>>>
>>>
>>> I can compile Icecat with a customized ebuild. since it's basically
>>> the same as Firefox, maybe that helps. Basically it disables jit.
>
>


emailgrant at gmail

Feb 19, 2012, 11:19 AM

Post #17 of 20 (1668 views)
Re: Firefox won't compile on hardened profile

> The email I replied to was originally posted by "Hinnerk van Bruinehsen".

Crazy, gmail is acting like it was in response to my message about
compiling firefox. Sorry about that.

- Grant


> Let's see my question in details, that might clarify it. Here is the part
> of the ebuild I'm asking questions about:
>
> "
>        if [[ $(gcc-major-version) -lt 4 ]]; then
>                append-cxxflags -fno-stack-protector
>        elif [[ $(gcc-major-version) -gt 4 || $(gcc-minor-version) -gt 3
> ]]; then
>                if use amd64 || use x86; then
>                        append-flags -mno-avx
>                fi
>        fi
> "
>
> Break it down:
>
> "
>        if [[ $(gcc-major-version) -lt 4 ]]; then
>                append-cxxflags -fno-stack-protector
> "
> The first part is a historical remnant from times before Zorry. We used
> gcc-3.4.6 for a long time. It used a different implementation for SSP.
>
> "
>        elif [[ $(gcc-major-version) -gt 4 || $(gcc-minor-version) -gt 3
> ]]; then
>                if use amd64 || use x86; then
>                        append-flags -mno-avx
>                fi
>        fi
> "
>
> The second part disables avx optimisations if the gcc version is newer
> than 4.3. However avx support isn't around so long and it's not mature.
> Avx is an instruction set extension, that is getting some attention
> lately. I'm lucky to have a system, with a capable processor. The block
> disabling the optimisations resides right besides the stack-protector
> statement. That's why I thought some hardened floks put it there. And I'm
> curious about the reason.
>
> Of course it might be simply there, because enabling avx optimizations can
> actually decrease performance. Like you can see it here:
> http://www.phoronix.com/scan.php?page=article&item=intel_avx_gcc&num=1
>
> Security is more important for me compared to speed. That's why I'm
> interested in any security effect of a compiler option (like creating
> textrels or so). If it's a security problem, I won't use corei7-avx, but
> rather go for simple corei7.
>
> Regards:
> Dw.
> --
> Dr. Tóth Attila, Radiologist, 06-20-825-8057
> Attila Toth MD, Radiologist, +36-20-825-8057
>
> On 19 February 2012 (Sun) at 19:32, Grant wrote:
>>> There's a snippet in your ebuild:
>>> "append-flags -mno-avx"
>>>
>>> What is the problem with avx? Is it an option counteracting with
>>> security?
>>
>> I'm sorry but I'm not sure what you mean.  I should change the firefox
>> ebuild?
>>
>> - Grant
>>
>>
>>>>>>>>> Firefox won't compile on my system due to the issue
>>>>>>>>> described here:
>>>>>>>>>
>>>>>>>>> http://www.gossamer-threads.com/lists/gentoo/hardened/245060
>>>>>>>>
>>>>>>>> FWIW: I had no trouble compiling Firefox 9.0 on my amd64 system
>>>>>>>> using the current stable 3.2.2-r1 kernel, gcc 4.5.3,
>>>>>>>> grsec/pax enabled.
>>>>>>>
>>>>>>> To confirm, you aren't on a hardened profile?
>>>>>>
>>>>>> I am on a hardened profile, currently using
>>>>>> hardened/linux/amd64/no-multilib/selinux profile, only running
>>>>>> stable software.
>>>>>
>>>>> I don't get it then.  Does anyone know why I can't compile Firefox
>>>>> as described in the link above?  This sums it up:
>>>>>
>>>>> "firefox-9.0 ebuild stalls at the install phase while xpcshell
>>>>> command tops CPU usage for hours."
>>>>>
>>>>> Although xpcshell doesn't use any CPU for me.  It just sits there
>>>>> and the install phase doesn't proceed.
>>>>>
>>>>> - Grant
>>>>>
>>>>
>>>> I can compile Icecat with a customized ebuild. since it's basically
>>>> the same as Firefox, maybe that helps. Basically it disables jit.


h.v.bruinehsen at fu-berlin

Feb 19, 2012, 1:22 PM

Post #18 of 20 (1657 views)
Re: Firefox won't compile on hardened profile

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 19.02.2012 20:06, "Tóth Attila" wrote:
> The email I replied to was originally posted by "Hinnerk van
> Bruinehsen".
>
> Let's see my question in details, that might clarify it. Here is
> the part of the ebuild I'm asking questions about:
>
> " if [[ $(gcc-major-version) -lt 4 ]]; then append-cxxflags
> -fno-stack-protector elif [[ $(gcc-major-version) -gt 4 ||
> $(gcc-minor-version) -gt 3 ]]; then if use amd64 || use x86; then
> append-flags -mno-avx fi fi "
>
> Break it down:
>
> " if [[ $(gcc-major-version) -lt 4 ]]; then append-cxxflags
> -fno-stack-protector " The first part is a historical remnant from
> times before Zorry. We used gcc-3.4.6 for a long time. It used a
> different implementation for SSP.
>
> " elif [[ $(gcc-major-version) -gt 4 || $(gcc-minor-version) -gt 3
> ]]; then if use amd64 || use x86; then append-flags -mno-avx fi fi
> "
>
> The second part disables avx optimisations if the gcc version is
> newer than 4.3. However avx support isn't around so long and it's
> not mature. Avx is an instruction set extension, that is getting
> some attention lately. I'm lucky to have a system, with a capable
> processor. The block disabling the optimisations resides right
> besides the stack-protector statement. That's why I thought some
> hardened floks put it there. And I'm curious about the reason.
>
> Of course it might be simply there, because enabling avx
> optimizations can actually decrease performance. Like you can see
> it here:
> http://www.phoronix.com/scan.php?page=article&item=intel_avx_gcc&num=1
>
> Security is more important for me compared to speed. That's why
> I'm interested in any security effect of a compiler option (like
> creating textrels or so). If it's a security problem, I won't use
> corei7-avx, but rather go for simple corei7.
>
> Regards: Dw.

Hi,

That part is in the normal icecat ebuild in the tree. It's also in
the firefox ebuild.
I don't know if it's needed, but the mozilla herd, as maintainers, may be
the right people to ask.

Regards,

Hinnerk

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPQWgMAAoJEJwwOFaNFkYc1UMH/3kAIY4TaptxnzmgcPMKswJS
GxkLqsLxYcO3WJpSpW6+U/fCfVdZko6Tz/qG5P6kiLNSdFTwz6gesH/DJnnNcBq5
wSh4k6MSyPw26ifdTBlp4Inhi2Gmn/ZhtpUQVKXjX3z7zHXXgj4TwBpGvojGbglO
pbSUxGhYy+qEDdufvqR50Ti67Gaxgcf7VYitfhUgDyMWMuGZIxRYeqQFpMI0jO9L
vIoD4fey0ZIEdTdiJpW6ONXvE76d3CJ86TFAqTUMyxqqUNBoPstH2Zh+btp5c03C
Pn6XGscSOxcpKLxbeBxRZHv9EfUqoCs9pc7gn/T6+r1s2t74hcHF+K5c/13Df+k=
=+Ef/
-----END PGP SIGNATURE-----


h.v.bruinehsen at fu-berlin

Feb 19, 2012, 2:01 PM

Post #19 of 20 (1658 views)
Re: Firefox won't compile on hardened profile

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 19.02.2012 20:06, "Tóth Attila" wrote:
> The email I replied to was originally posted by "Hinnerk van
> Bruinehsen".
>
> Let's see my question in details, that might clarify it. Here is
> the part of the ebuild I'm asking questions about:
>
> " if [[ $(gcc-major-version) -lt 4 ]]; then append-cxxflags
> -fno-stack-protector elif [[ $(gcc-major-version) -gt 4 ||
> $(gcc-minor-version) -gt 3 ]]; then if use amd64 || use x86; then
> append-flags -mno-avx fi fi "
>
> Break it down:
>
> " if [[ $(gcc-major-version) -lt 4 ]]; then append-cxxflags
> -fno-stack-protector " The first part is a historical remnant from
> times before Zorry. We used gcc-3.4.6 for a long time. It used a
> different implementation for SSP.
>
> " elif [[ $(gcc-major-version) -gt 4 || $(gcc-minor-version) -gt 3
> ]]; then if use amd64 || use x86; then append-flags -mno-avx fi fi
> "
>
> The second part disables avx optimisations if the gcc version is
> newer than 4.3. However avx support isn't around so long and it's
> not mature. Avx is an instruction set extension, that is getting
> some attention lately. I'm lucky to have a system, with a capable
> processor. The block disabling the optimisations resides right
> besides the stack-protector statement. That's why I thought some
> hardened floks put it there. And I'm curious about the reason.
>
> Of course it might be simply there, because enabling avx
> optimizations can actually decrease performance. Like you can see
> it here:
> http://www.phoronix.com/scan.php?page=article&item=intel_avx_gcc&num=1
>
> Security is more important for me compared to speed. That's why
> I'm interested in any security effect of a compiler option (like
> creating textrels or so). If it's a security problem, I won't use
> corei7-avx, but rather go for simple corei7.
>
> Regards: Dw.

Update: according to [1] it's not security related, but a bug between
Mozilla and the AVX extensions. They simply don't work together. Since
I have no Sandy Bridge CPU I'm not able to test anything else...




[1] http://forums.gentoo.org/viewtopic-t-893300-start-0.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPQXFVAAoJEJwwOFaNFkYclboIAI4QIEs8IM8jQ8VU7b625qE8
q+G8kMyJR20V/0Etywv2uM54/gUuwNR/mP0YgEW9Bj7yuvAbpXKQPp1R7kXjFzyq
xNWRYNm6vMlByuakFoYzoB6w7CqqTFVG3dbnujdiVZJVG/+fDM0y/y0MWXIwl6VM
Ng5R5kfzTll/yyp4nYPuAoUinLEAgZy20UOgQJqU33y+AoDdoG4YwqFIrO9FkBFe
ewRLfrwuKpr/+KCm6hvEqavfv32bg5NJMPSAusYIfFSlftNzqoxoxSvVnzanp509
pde3CaSrMjUux5u6kR/IjJlnKP0lgwVr5kntkErSG3edV8YFXRRfFVrIF6chlvM=
=o5MX
-----END PGP SIGNATURE-----


atoth at atoth

Feb 19, 2012, 3:24 PM

Post #20 of 20 (1661 views)
Re: Firefox won't compile on hardened profile

Thanks for the link! It's clear now. You need a recent CPU and a recent
gcc to trigger this.
--
Dr. Tóth Attila, Radiologist, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 19 February 2012 (Sun) at 23:01, Hinnerk van Bruinehsen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 19.02.2012 20:06, "Tóth Attila" wrote:
>> The email I replied to was originally posted by "Hinnerk van
>> Bruinehsen".
>>
>> Let's see my question in details, that might clarify it. Here is
>> the part of the ebuild I'm asking questions about:
>>
>> " if [[ $(gcc-major-version) -lt 4 ]]; then append-cxxflags
>> -fno-stack-protector elif [[ $(gcc-major-version) -gt 4 ||
>> $(gcc-minor-version) -gt 3 ]]; then if use amd64 || use x86; then
>> append-flags -mno-avx fi fi "
>>
>> Break it down:
>>
>> " if [[ $(gcc-major-version) -lt 4 ]]; then append-cxxflags
>> -fno-stack-protector " The first part is a historical remnant from
>> times before Zorry. We used gcc-3.4.6 for a long time. It used a
>> different implementation for SSP.
>>
>> " elif [[ $(gcc-major-version) -gt 4 || $(gcc-minor-version) -gt 3
>> ]]; then if use amd64 || use x86; then append-flags -mno-avx fi fi
>> "
>>
>> The second part disables avx optimisations if the gcc version is
>> newer than 4.3. However avx support isn't around so long and it's
>> not mature. Avx is an instruction set extension, that is getting
>> some attention lately. I'm lucky to have a system, with a capable
>> processor. The block disabling the optimisations resides right
>> besides the stack-protector statement. That's why I thought some
>> hardened floks put it there. And I'm curious about the reason.
>>
>> Of course it might be simply there, because enabling avx
>> optimizations can actually decrease performance. Like you can see
>> it here:
>> http://www.phoronix.com/scan.php?page=article&item=intel_avx_gcc&num=1
>>
>> Security is more important for me compared to speed. That's why
>> I'm interested in any security effect of a compiler option (like
>> creating textrels or so). If it's a security problem, I won't use
>> corei7-avx, but rather go for simple corei7.
>>
>> Regards: Dw.
>
> Update: according to [1] it's not security related, but a bug with
> mozilla and the avx-extensions. It simply doesn't work together. Since
> I have no Sandy Bridge CPU I'm not able to test anythin else...
>
>
>
>
> [1] http://forums.gentoo.org/viewtopic-t-893300-start-0.html
>
