commit ff38c2a7695e27bf164569a1b34387449a78f285 Author: Yawning Angel yawning@schwanenlied.me Date: Tue Dec 20 08:24:53 2016 +0000
Keep the PaX attributes around, regardless of browser version.
This won't work even with ESR52, and will probably require a JIT rewrite because of the way the JIT expects to be able to modify mapping permissions.
---
 ChangeLog | 5 ++---
 src/cmd/sandboxed-tor-browser/internal/sandbox/application.go | 6 ++----
 2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 9128892..1d9cb6f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -13,9 +13,8 @@ Changes in version 0.0.3 - UNRELEASED:
 * Include the git revision as a static asset, and display it as part of the `--version` output.
 * Fix a nil pointer deref on SIGINT received durring bootstrap.
- * Per the browser developers, the initial 7.0 alpha builds will not be ESR52
- based, with a switch mid-alpha series, so keep the Grsec PaX override
- around till 7.0.0 release.
+ * Don't remove the PaX overrides ever, because until the JIT gets rewritten
+ Firefox won't play nice with MPROTECT.
Changes in version 0.0.2 - 2016-12-10:
 * Bug #20780: Shuffle and persist the ordering of internal bridges.
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
index 9df10e6..4cff1c7 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
@@ -337,10 +337,8 @@ func applyPaXAttributes(manif *config.Manifest, f string) error {
sz, _ := syscall.Getxattr(f, paxAttr, nil)
- // Strip off the attribute if this is a non-grsec kernel, or the bundle is
- // sufficiently recent to the point where the required W^X fixes are present
- // in the JIT.
- if !IsGrsecKernel() || manif.BundleVersionAtLeast("7.0.0") {
+ // Strip off the attribute if this is a non-grsec kernel.
+ if !IsGrsecKernel() {
 if sz > 0 {
 log.Printf("sandbox: Removing Tor Browser PaX attributes.")
 syscall.Removexattr(f, paxAttr)
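Review bot: The rewritten comment above `if !IsGrsecKernel()` no longer says why the attribute is kept on grsec kernels for every bundle version, so a later reader has no hint that re-adding a version gate would break the browser. I would extend it to something like `// Strip off the attribute if this is a non-grsec kernel. On grsec it is always kept: the Firefox JIT changes mapping permissions and does not work under MPROTECT.` With the `BundleVersionAtLeast` call gone, `manif` is not referenced in any visible line; the body of applyPaXAttributes continues outside the hunk, so confirm whether the parameter is still needed. The result of `syscall.Removexattr(f, paxAttr)` is also discarded right after the log line, so a failed removal would go unreported.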