commit ff38c2a7695e27bf164569a1b34387449a78f285 Author: Yawning Angel <yawning@schwanenlied.me> Date: Tue Dec 20 08:24:53 2016 +0000 Keep the PaX attributes around, regardless of browser version. This won't work even with ESR52, and will probably require a JIT rewrite because of the way the JIT expects to be able to modify mapping permissions. --- ChangeLog | 5 ++--- src/cmd/sandboxed-tor-browser/internal/sandbox/application.go | 6 ++---- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9128892..1d9cb6f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,9 +13,8 @@ Changes in version 0.0.3 - UNRELEASED: * Include the git revision as a static asset, and display it as part of the `--version` output. * Fix a nil pointer deref on SIGINT received durring bootstrap. - * Per the browser developers, the initial 7.0 alpha builds will not be ESR52 - based, with a switch mid-alpha series, so keep the Grsec PaX override - around till 7.0.0 release. + * Don't remove the PaX overrides ever, because until the JIT gets rewritten + Firefox won't play nice with MPROTECT. Changes in version 0.0.2 - 2016-12-10: * Bug #20780: Shuffle and persist the ordering of internal bridges. diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go index 9df10e6..4cff1c7 100644 --- a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go +++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go @@ -337,10 +337,8 @@ func applyPaXAttributes(manif *config.Manifest, f string) error { sz, _ := syscall.Getxattr(f, paxAttr, nil) - // Strip off the attribute if this is a non-grsec kernel, or the bundle is - // sufficiently recent to the point where the required W^X fixes are present - // in the JIT. - if !IsGrsecKernel() || manif.BundleVersionAtLeast("7.0.0") { + // Strip off the attribute if this is a non-grsec kernel. + if !IsGrsecKernel() { if sz > 0 { log.Printf("sandbox: Removing Tor Browser PaX attributes.") syscall.Removexattr(f, paxAttr)