Merged update from upstream sources
This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/java-11-openjdk.git#3ad7305a74c731e98ecb906804db60a45cffddd1
This commit is contained in:
parent
be78a65a84
commit
433bf3fadd
@ -259,7 +259,7 @@
|
|||||||
%global top_level_dir_name %{origin}
|
%global top_level_dir_name %{origin}
|
||||||
%global minorver 0
|
%global minorver 0
|
||||||
%global buildver 11
|
%global buildver 11
|
||||||
%global rpmrelease 4
|
%global rpmrelease 5
|
||||||
#%%global tagsuffix ""
|
#%%global tagsuffix ""
|
||||||
# priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit
|
# priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit
|
||||||
%if %is_system_jdk
|
%if %is_system_jdk
|
||||||
@ -1102,6 +1102,8 @@ Source15: TestSecurityProperties.java
|
|||||||
# NSS via SunPKCS11 Provider (disabled comment
|
# NSS via SunPKCS11 Provider (disabled comment
|
||||||
# due to memory leak).
|
# due to memory leak).
|
||||||
Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
|
Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
|
||||||
|
# enable build of spectre/meltdown hardened alt-java
|
||||||
|
Patch600: rh1750419-redhat_alt_java.patch
|
||||||
|
|
||||||
# Ignore AWTError when assistive technologies are loaded
|
# Ignore AWTError when assistive technologies are loaded
|
||||||
Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
|
Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
|
||||||
@ -1125,8 +1127,6 @@ Patch2: rh1648644-java_access_bridge_privileged_security.patch
|
|||||||
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
|
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
|
||||||
# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy
|
# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy
|
||||||
Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
|
Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
|
||||||
# RH1566890: CVE-2018-3639
|
|
||||||
Patch6: rh1566890-CVE_2018_3639-speculative_store_bypass.patch
|
|
||||||
# PR3695: Allow use of system crypto policy to be disabled by the user
|
# PR3695: Allow use of system crypto policy to be disabled by the user
|
||||||
Patch7: pr3695-toggle_system_crypto_policy.patch
|
Patch7: pr3695-toggle_system_crypto_policy.patch
|
||||||
|
|
||||||
@ -1393,7 +1393,6 @@ pushd %{top_level_dir_name}
|
|||||||
%patch2 -p1
|
%patch2 -p1
|
||||||
%patch3 -p1
|
%patch3 -p1
|
||||||
%patch4 -p1
|
%patch4 -p1
|
||||||
%patch6 -p1
|
|
||||||
%patch7 -p1
|
%patch7 -p1
|
||||||
%patch8 -p1
|
%patch8 -p1
|
||||||
%patch9 -p1
|
%patch9 -p1
|
||||||
@ -1401,6 +1400,7 @@ pushd %{top_level_dir_name}
|
|||||||
popd # openjdk
|
popd # openjdk
|
||||||
|
|
||||||
%patch1000
|
%patch1000
|
||||||
|
%patch600
|
||||||
|
|
||||||
# Extract systemtap tapsets
|
# Extract systemtap tapsets
|
||||||
%if %{with_systemtap}
|
%if %{with_systemtap}
|
||||||
@ -1566,7 +1566,6 @@ ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat
|
|||||||
|
|
||||||
# Create fake alt-java as a placeholder for future alt-java
|
# Create fake alt-java as a placeholder for future alt-java
|
||||||
pushd ${JAVA_HOME}
|
pushd ${JAVA_HOME}
|
||||||
cp -a bin/java bin/%{alt_java_name}
|
|
||||||
# add alt-java man page
|
# add alt-java man page
|
||||||
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
|
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
|
||||||
cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
|
cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
|
||||||
@ -1975,6 +1974,11 @@ require "copy_jdk_configs.lua"
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Dec 01 2020 Jiri Vanek <jvanek@redhat.com> - 1:11.0.9.11-5
|
||||||
|
- removed patch6, rh1566890-CVE_2018_3639-speculative_store_bypass.patch, surpassed by new patch
|
||||||
|
- added patch600, rh1750419-redhat_alt_java.patch, suprassing removed patch
|
||||||
|
- no longer copying of java->alt-java as it is created by patch600
|
||||||
|
|
||||||
* Mon Nov 23 2020 Jiri Vanek <jvanek@redhat.com> - 1:11.0.9.11-4
|
* Mon Nov 23 2020 Jiri Vanek <jvanek@redhat.com> - 1:11.0.9.11-4
|
||||||
- Create a copy of java as alt-java with alternatives and man pages
|
- Create a copy of java as alt-java with alternatives and man pages
|
||||||
- java-11-openjdk doesn't have a JRE tree, so don't try and copy alt-java there...
|
- java-11-openjdk doesn't have a JRE tree, so don't try and copy alt-java there...
|
||||||
|
@ -1,61 +0,0 @@
|
|||||||
diff --git openjdk/src/hotspot/os/linux/os_linux.cpp openjdk/src/hotspot/os/linux/os_linux.cpp
|
|
||||||
--- openjdk/src/hotspot/os/linux/os_linux.cpp
|
|
||||||
+++ openjdk/src/hotspot/os/linux/os_linux.cpp
|
|
||||||
@@ -107,6 +107,8 @@
|
|
||||||
# include <inttypes.h>
|
|
||||||
# include <sys/ioctl.h>
|
|
||||||
|
|
||||||
+#include <sys/prctl.h>
|
|
||||||
+
|
|
||||||
#ifndef _GNU_SOURCE
|
|
||||||
#define _GNU_SOURCE
|
|
||||||
#include <sched.h>
|
|
||||||
@@ -4984,6 +4986,48 @@
|
|
||||||
extern void report_error(char* file_name, int line_no, char* title,
|
|
||||||
char* format, ...);
|
|
||||||
|
|
||||||
+/* Per task speculation control */
|
|
||||||
+#ifndef PR_GET_SPECULATION_CTRL
|
|
||||||
+# define PR_GET_SPECULATION_CTRL 52
|
|
||||||
+#endif
|
|
||||||
+#ifndef PR_SET_SPECULATION_CTRL
|
|
||||||
+# define PR_SET_SPECULATION_CTRL 53
|
|
||||||
+#endif
|
|
||||||
+/* Speculation control variants */
|
|
||||||
+#ifndef PR_SPEC_STORE_BYPASS
|
|
||||||
+# define PR_SPEC_STORE_BYPASS 0
|
|
||||||
+#endif
|
|
||||||
+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
|
|
||||||
+
|
|
||||||
+#ifndef PR_SPEC_NOT_AFFECTED
|
|
||||||
+# define PR_SPEC_NOT_AFFECTED 0
|
|
||||||
+#endif
|
|
||||||
+#ifndef PR_SPEC_PRCTL
|
|
||||||
+# define PR_SPEC_PRCTL (1UL << 0)
|
|
||||||
+#endif
|
|
||||||
+#ifndef PR_SPEC_ENABLE
|
|
||||||
+# define PR_SPEC_ENABLE (1UL << 1)
|
|
||||||
+#endif
|
|
||||||
+#ifndef PR_SPEC_DISABLE
|
|
||||||
+# define PR_SPEC_DISABLE (1UL << 2)
|
|
||||||
+#endif
|
|
||||||
+#ifndef PR_SPEC_FORCE_DISABLE
|
|
||||||
+# define PR_SPEC_FORCE_DISABLE (1UL << 3)
|
|
||||||
+#endif
|
|
||||||
+#ifndef PR_SPEC_DISABLE_NOEXEC
|
|
||||||
+# define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+static void set_speculation() __attribute__((constructor));
|
|
||||||
+static void set_speculation() {
|
|
||||||
+ if ( prctl(PR_SET_SPECULATION_CTRL,
|
|
||||||
+ PR_SPEC_STORE_BYPASS,
|
|
||||||
+ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
// this is called _before_ most of the global arguments have been parsed
|
|
||||||
void os::init(void) {
|
|
||||||
char dummy; // used to get a guess on initial stack address
|
|
111
rh1750419-redhat_alt_java.patch
Normal file
111
rh1750419-redhat_alt_java.patch
Normal file
@ -0,0 +1,111 @@
|
|||||||
|
diff -r 1356affa5e44 make/launcher/Launcher-java.base.gmk
|
||||||
|
--- openjdk/make/launcher/Launcher-java.base.gmk Wed Nov 25 08:27:15 2020 +0100
|
||||||
|
+++ openjdk/make/launcher/Launcher-java.base.gmk Tue Dec 01 12:29:30 2020 +0100
|
||||||
|
@@ -41,6 +41,15 @@
|
||||||
|
OPTIMIZATION := HIGH, \
|
||||||
|
))
|
||||||
|
|
||||||
|
+$(eval $(call SetupBuildLauncher, alt-java, \
|
||||||
|
+ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA, \
|
||||||
|
+ LDFLAGS_solaris := -R$(OPENWIN_HOME)/lib$(OPENJDK_TARGET_CPU_ISADIR), \
|
||||||
|
+ LIBS_windows := user32.lib comctl32.lib, \
|
||||||
|
+ EXTRA_RC_FLAGS := $(JAVA_RC_FLAGS), \
|
||||||
|
+ VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \
|
||||||
|
+ OPTIMIZATION := HIGH, \
|
||||||
|
+))
|
||||||
|
+
|
||||||
|
ifeq ($(OPENJDK_TARGET_OS), windows)
|
||||||
|
$(eval $(call SetupBuildLauncher, javaw, \
|
||||||
|
CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \
|
||||||
|
|
||||||
|
diff -r 25e94aa812b2 src/share/bin/alt_main.h
|
||||||
|
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
|
||||||
|
+++ openjdk/src/java.base/share/native/launcher/alt_main.h Tue Jun 02 17:15:28 2020 +0100
|
||||||
|
@@ -0,0 +1,73 @@
|
||||||
|
+/*
|
||||||
|
+ * Copyright (c) 2019, Red Hat, Inc. All rights reserved.
|
||||||
|
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
|
+ *
|
||||||
|
+ * This code is free software; you can redistribute it and/or modify it
|
||||||
|
+ * under the terms of the GNU General Public License version 2 only, as
|
||||||
|
+ * published by the Free Software Foundation. Oracle designates this
|
||||||
|
+ * particular file as subject to the "Classpath" exception as provided
|
||||||
|
+ * by Oracle in the LICENSE file that accompanied this code.
|
||||||
|
+ *
|
||||||
|
+ * This code is distributed in the hope that it will be useful, but WITHOUT
|
||||||
|
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||||
|
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||||
|
+ * version 2 for more details (a copy is included in the LICENSE file that
|
||||||
|
+ * accompanied this code).
|
||||||
|
+ *
|
||||||
|
+ * You should have received a copy of the GNU General Public License version
|
||||||
|
+ * 2 along with this work; if not, write to the Free Software Foundation,
|
||||||
|
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
|
+ *
|
||||||
|
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
||||||
|
+ * or visit www.oracle.com if you need additional information or have any
|
||||||
|
+ * questions.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#ifdef REDHAT_ALT_JAVA
|
||||||
|
+
|
||||||
|
+#include <sys/prctl.h>
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+/* Per task speculation control */
|
||||||
|
+#ifndef PR_GET_SPECULATION_CTRL
|
||||||
|
+# define PR_GET_SPECULATION_CTRL 52
|
||||||
|
+#endif
|
||||||
|
+#ifndef PR_SET_SPECULATION_CTRL
|
||||||
|
+# define PR_SET_SPECULATION_CTRL 53
|
||||||
|
+#endif
|
||||||
|
+/* Speculation control variants */
|
||||||
|
+#ifndef PR_SPEC_STORE_BYPASS
|
||||||
|
+# define PR_SPEC_STORE_BYPASS 0
|
||||||
|
+#endif
|
||||||
|
+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
|
||||||
|
+
|
||||||
|
+#ifndef PR_SPEC_NOT_AFFECTED
|
||||||
|
+# define PR_SPEC_NOT_AFFECTED 0
|
||||||
|
+#endif
|
||||||
|
+#ifndef PR_SPEC_PRCTL
|
||||||
|
+# define PR_SPEC_PRCTL (1UL << 0)
|
||||||
|
+#endif
|
||||||
|
+#ifndef PR_SPEC_ENABLE
|
||||||
|
+# define PR_SPEC_ENABLE (1UL << 1)
|
||||||
|
+#endif
|
||||||
|
+#ifndef PR_SPEC_DISABLE
|
||||||
|
+# define PR_SPEC_DISABLE (1UL << 2)
|
||||||
|
+#endif
|
||||||
|
+#ifndef PR_SPEC_FORCE_DISABLE
|
||||||
|
+# define PR_SPEC_FORCE_DISABLE (1UL << 3)
|
||||||
|
+#endif
|
||||||
|
+#ifndef PR_SPEC_DISABLE_NOEXEC
|
||||||
|
+# define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+static void set_speculation() __attribute__((constructor));
|
||||||
|
+static void set_speculation() {
|
||||||
|
+ if ( prctl(PR_SET_SPECULATION_CTRL,
|
||||||
|
+ PR_SPEC_STORE_BYPASS,
|
||||||
|
+ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#endif // REDHAT_ALT_JAVA
|
||||||
|
diff -r 25e94aa812b2 src/share/bin/main.c
|
||||||
|
--- openjdk/src/java.base/share/native/launcher/main.c Wed Feb 05 12:20:36 2020 -0300
|
||||||
|
+++ openjdk/src/java.base/share/native/launcher/main.c Tue Jun 02 17:15:28 2020 +0100
|
||||||
|
@@ -34,6 +34,10 @@
|
||||||
|
#include "jli_util.h"
|
||||||
|
#include "jni.h"
|
||||||
|
|
||||||
|
+#if defined(linux) && defined(__x86_64)
|
||||||
|
+#include "alt_main.h"
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
#ifdef _MSC_VER
|
||||||
|
#if _MSC_VER > 1400 && _MSC_VER < 1600
|
||||||
|
|
Loading…
Reference in New Issue
Block a user