Firefox can run with add-ons disabled and what not, but if you run Firefox under Gentoo Linux, using the hardened profile, you can use a simple trick to have two different instances of Firefox available, with different enforcement of memory permissions and the usual PaX features:
With PaX features disabled via PT_PAX_FLAGS, most plugins will run without issues (although acroread, for example, will require specific permissions on its own binary to run):
    paxctl -pemrxs /usr/lib/mozilla-firefox/firefox-bin
Recommended settings (these might slow down Firefox on some systems, with noticeable overhead under heavy use of JavaScript or AJAX functionality):
    paxctl -PEmRXs /usr/lib/mozilla-firefox/firefox-bin
For Acrobat Reader (only Address Space Layout Randomization, ASLR, can be enabled without affecting functionality; blame the poorly compiled binary):
    paxctl -pemRXs /opt/Acrobat7/Reader/intellinux/bin/acroread
You should try to use a different PDF application anyway, if you really trust any of them :)
Description of the PT_PAX_FLAGS flags:
PaX control v0.4
Copyright 2004,2005,2006 PaX Team
usage: paxctl
options:
    -p: disable PAGEEXEC            -P: enable PAGEEXEC
    -e: disable EMUTRAMP            -E: enable EMUTRAMP
    -m: disable MPROTECT            -M: enable MPROTECT
    -r: disable RANDMMAP            -R: enable RANDMMAP
    -x: disable RANDEXEC            -X: enable RANDEXEC
    -s: disable SEGMEXEC            -S: enable SEGMEXEC
    -v: view flags                  -z: restore default flags
    -q: suppress error messages     -Q: report flags in short format
    -c: convert PT_GNU_STACK into PT_PAX_FLAGS (see manpage!)
    -C: create PT_PAX_FLAGS (see manpage!)
Simply copy the firefox-bin binary to firefox-secure and apply the different flags as necessary.
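To confirm which flags each copy actually carries after paxctl has been run, the following sketch reads the PT_PAX_FLAGS program header straight from the ELF file and renders it with the same option letters used above. It is an added example, not part of the original post or of paxctl; the bit positions are those from the PaX patch's elf.h, and `sample_elf32` is a hypothetical helper that builds a constructed input rather than a real firefox-bin.

```python
import struct

PT_PAX_FLAGS = 0x65041580  # PT_LOOS + 0x5041580: the program header paxctl edits
# EI_CLASS -> (e_phoff format, e_phoff offset, e_phentsize offset, p_flags offset, header size)
LAYOUT = {1: ("I", 28, 42, 24, 52), 2: ("Q", 32, 54, 4, 64)}
# (option letter, enable bit, disable bit) in p_flags, as defined by the PaX patch's elf.h
PAX_BITS = [("P", 1 << 4, 1 << 5),    # PAGEEXEC
            ("E", 1 << 12, 1 << 13),  # EMUTRAMP
            ("M", 1 << 8, 1 << 9),    # MPROTECT
            ("R", 1 << 14, 1 << 15),  # RANDMMAP
            ("X", 1 << 10, 1 << 11),  # RANDEXEC
            ("S", 1 << 6, 1 << 7)]    # SEGMEXEC

def pax_flags(elf):
    """Return the raw p_flags of the PT_PAX_FLAGS header, or None if the file has none."""
    if len(elf) < 6 or elf[:4] != b"\x7fELF" or elf[4] not in LAYOUT or elf[5] not in (1, 2):
        raise ValueError("not an ELF file")
    code, phoff_at, phent_at, flags_at, ehsize = LAYOUT[elf[4]]
    if len(elf) < ehsize:
        raise ValueError("truncated ELF header")
    end = "<" if elf[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    phoff, = struct.unpack_from(end + code, elf, phoff_at)
    phentsize, phnum = struct.unpack_from(end + "HH", elf, phent_at)
    for i in range(phnum):
        base = phoff + i * phentsize
        if base + flags_at + 4 > len(elf):
            raise ValueError("program header table runs past end of file")
        if struct.unpack_from(end + "I", elf, base)[0] == PT_PAX_FLAGS:
            return struct.unpack_from(end + "I", elf, base + flags_at)[0]
    return None

def describe(flags):
    """Upper-case letter = enabled, lower-case = disabled, '-' = left at the default."""
    if flags is None:
        return "no PT_PAX_FLAGS"
    return "".join(l if flags & on else l.lower() if flags & off else "-"
                   for l, on, off in PAX_BITS)

def sample_elf32(p_flags):
    """Constructed input: bare 32-bit little-endian ELF header plus one PT_PAX_FLAGS entry."""
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01",
                       2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_PAX_FLAGS, 0, 0, 0, 0, 0, p_flags, 4)
    return ehdr + phdr

if __name__ == "__main__":
    # 0x5690 is the bit pattern corresponding to the recommended "-PEmRXs" setting
    print(describe(pax_flags(sample_elf32(0x5690))))
```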