
Compiling Firefox



I want to compile Firefox 3.6 on Debian Squeeze and place everything
in the /opt directory. I want the compiled browser to have some
security modifications. The first thing I have added to mozconfig is
the following three lines:

export CFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-all"
export CXXFLAGS="${CFLAGS}"
export CPPFLAGS="${CFLAGS}"

This makes hardening-check on firefox-bin output the following:

Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes
Read-only relocations: no, not found!
Immediate binding: no, not found!

I don't know what flags should be passed to gcc for activating
"Position Independent Executable", "Read-only relocations" and
"Immediate binding" or if it is a good idea at all? Is it enough to
activate the options I have to make the browser more secure?

I have to choose between using the system libraries for nspr, nss,
jpeg, zlib, bz2 and png like this:

ac_add_options --with-system-nspr
ac_add_options --with-system-nss
ac_add_options --with-system-jpeg
ac_add_options --with-system-zlib
ac_add_options --with-system-bz2
ac_add_options --with-system-png

or using the code shipped with Firefox for the same functionality. So
far I have not been able to build Firefox without using system nspr
and nss, the Mozilla version of these will not compile on Debian. What
is most secure, using the system libraries or the Mozilla libraries?

I do not enable flash, java or javascript in the browser, but I am still
thinking about configuring TOMOYO Linux for Firefox as an extra layer
of security. Anyone with experience in TOMOYO that can tell pros and
cons?

