# Deploy paxctl-ng XATTR markings on Dillo browser

## miroR

The inner workings of the Dillo browser (which I really need in my environment: sea-calm secure in comparison with the big harvesting browsers), some of those inner workings of Dillo are provided by these:

```
# ls -lR /usr/lib64/dillo/dpi/
/usr/lib64/dillo/dpi/:
total 36
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 bookmarks
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 cookies
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 datauri
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 downloads
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 file
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 ftp
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 hello
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 https
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 vsource

/usr/lib64/dillo/dpi/bookmarks:
total 52
-rwxr-xr-x 1 root root 51064 2015-07-05 07:33 bookmarks.dpi

/usr/lib64/dillo/dpi/cookies:
total 48
-rwxr-xr-x 1 root root 47240 2015-07-05 07:33 cookies.dpi

/usr/lib64/dillo/dpi/datauri:
total 36
-rwxr-xr-x 1 root root 34680 2015-07-05 07:33 datauri.filter.dpi

/usr/lib64/dillo/dpi/downloads:
total 52
-rwxr-xr-x 1 root root 51064 2015-07-05 07:33 downloads.dpi

/usr/lib64/dillo/dpi/file:
total 44
-rwxr-xr-x 1 root root 42872 2015-07-05 07:33 file.dpi

/usr/lib64/dillo/dpi/ftp:
total 36
-rwxr-xr-x 1 root root 34680 2015-07-05 07:33 ftp.filter.dpi

/usr/lib64/dillo/dpi/hello:
total 32
-rwxr-xr-x 1 root root 30584 2015-07-05 07:33 hello.filter.dpi

/usr/lib64/dillo/dpi/https:
total 40
-rwxr-xr-x 1 root root 38776 2015-07-05 07:33 https.filter.dpi

/usr/lib64/dillo/dpi/vsource:
total 36
-rwxr-xr-x 1 root root 34688 2015-07-05 07:33 vsource.filter.dpi
#
```

I had to do this on those:

```
# Walk every DPI subdirectory and each binary in it
for i in /usr/lib64/dillo/dpi/*/ ; do
   ls -l "$i" ;
   for j in "$i"* ; do
      paxctl-ng -v "$j" ;      # show current PT_PAX / XATTR_PAX flags
      ask ;                    # y/n confirmation (the ask function)
      if [ "$?" -eq 0 ] ; then
         paxctl-ng -F "$j" ;   # copy PT_PAX to XATTR_PAX
         read FAKE             # pause until Enter
         paxctl-ng -v "$j" ;   # show the flags again to verify
         read FAKE
      fi
   done
done
```

(I placed this function in my ~root/.bashrc (it's from Mendel Cooper's Advanced Bash Scripting Guide):

```
function ask()
{
    echo -n "$@" '[y/n] ' ; read ans
    case "$ans" in
        y*|Y*) return 0 ;;
        *) return 1 ;;
    esac
}
```

)

Why? Because they all looked like this:

```
-rwxr-xr-x 1 root root 51064 2015-07-05 07:33 bookmarks.dpi
/usr/lib64/dillo/dpi/bookmarks/bookmarks.dpi:
   PT_PAX    : -e---
   XATTR_PAX : not found
```

id est, set only with the old paxctl-managed PT_PAX flags, not with the new, recommended XATTR_PAX flags managed by paxctl-ng.

They now do (see `paxctl-ng -h`, for the -F flag). I think I should file a bug, as the transition should have been under way long since (I noticed that in some other packages, can't remember for sure, was it clamav?). But waiting first for other opinions to possibly weigh in. (Maybe I'm not abreast of the development, or I missed something somewhere.)

I've been trying to report how Dillo behaves on the Dillo mailing list, see, exampli gratia:

Github et alia login/cookies issue 

http://lists.dillo.org/pipermail/dillo-dev/2015-July/010582.html

with references in the Grsecurity Forums:

Deploy RBAC on Dillo browser

https://forums.grsecurity.net/viewtopic.php?f=5&t=4228&p=15351

(and if you're coming from anywhere there, this text I prepared at least a day ago, and all the Dillo binaries in the:

```

/usr/lib64/dillo/dpi/*/ 

```

have been dealt with '-F', copy PT_PAX to XATTR_PAX, and with '-m', disable MPROTECT, before those reports.)

If a kind visitor reads there in either the Dillo mailing list or the Grsecurity Forums, good news: all works well now on Gentoo Forums... ;-) None of those ugly cookies.dpi lines ...

Miles to go before some rest, but we're getting there...

----------
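Added example, not part of the original post: a non-interactive audit of `paxctl-ng -v` output in the format shown in the post, flagging binaries whose XATTR_PAX marking is missing or differs from PT_PAX. The function names `pax_audit` and `sample_output` and the sample data are constructed for illustration; the `-em--` flag string is an assumed rendering of the flags after `-m`.

```sh
#!/bin/sh
# Classify each file in `paxctl-ng -v` output (read on stdin):
#   MISSING  XATTR_PAX is "not found" (only the legacy PT_PAX marking exists)
#   DIFFERS  both markings exist but carry different flags
#   OK       both markings exist and agree
pax_audit() {
    awk '
        # An unindented line ending in ":" is the file path header.
        /^[^ \t].*:$/             { flush(); path = substr($0, 1, length($0) - 1); next }
        /^[ \t]*PT_PAX[ \t]*:/    { pt = value($0); next }
        /^[ \t]*XATTR_PAX[ \t]*:/ { xa = value($0); next }
        END                       { flush() }
        # Return the text after the first ":" with surrounding blanks removed.
        function value(line) {
            sub(/^[^:]*:[ \t]*/, "", line); sub(/[ \t]+$/, "", line)
            return line
        }
        # Emit the verdict for the file collected so far, then reset state.
        function flush() {
            if (path == "") return
            if (xa == "not found" || xa == "") print "MISSING", path, pt
            else if (xa != pt)                 print "DIFFERS", path, pt, xa
            else                               print "OK", path, pt
            path = pt = xa = ""
        }
    '
}

# Constructed sample input in the format shown in the post (not real output).
sample_output() {
    cat <<'EOF'
/usr/lib64/dillo/dpi/bookmarks/bookmarks.dpi:
   PT_PAX    : -e---
   XATTR_PAX : not found

/usr/lib64/dillo/dpi/cookies/cookies.dpi:
   PT_PAX    : -e---
   XATTR_PAX : -e---

/usr/lib64/dillo/dpi/https/https.filter.dpi:
   PT_PAX    : -e---
   XATTR_PAX : -em--
EOF
}

sample_output | pax_audit
# On a live system:
#   for f in /usr/lib64/dillo/dpi/*/*.dpi; do paxctl-ng -v "$f"; done | pax_audit
```

Lines from `ls -l` mixed into the input, as in the post's own listing, are ignored because they match none of the three patterns.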

