From faca292328384ee1150ce33ddd345148f872f6c3 Mon Sep 17 00:00:00 2001 From: Jiri Date: Mon, 7 Dec 2020 19:37:12 +0100 Subject: [PATCH] Replaced alt-java palceholder by real pathced alt-java - added patch600, rh1750419-redhat_alt_java.patch, suprassing removed patch - no longer copying of java->alt-java as it is created by patch600 --- java-latest-openjdk.spec | 10 ++- rh1750419-redhat_alt_java.patch | 109 ++++++++++++++++++++++++++++++++ 2 files changed, 117 insertions(+), 2 deletions(-) create mode 100644 rh1750419-redhat_alt_java.patch diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec index c3902b6..0df8765 100644 --- a/java-latest-openjdk.spec +++ b/java-latest-openjdk.spec @@ -245,7 +245,7 @@ %global top_level_dir_name %{origin} %global minorver 0 %global buildver 9 -%global rpmrelease 2 +%global rpmrelease 3 # priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk %global priority %( printf '%02d%02d%02d%02d' %{majorver} %{minorver} %{securityver} %{buildver} ) @@ -1078,6 +1078,8 @@ Source14: TestECDSA.java # NSS via SunPKCS11 Provider (disabled comment # due to memory leak). Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch +# enable build of spectre/meltdown hardened alt-java +Patch600: rh1750419-redhat_alt_java.patch # Ignore AWTError when assistive technologies are loaded Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch @@ -1438,6 +1440,7 @@ pushd %{top_level_dir_name} popd # openjdk %patch1000 +%patch600 # Extract systemtap tapsets %if %{with_systemtap} @@ -1601,7 +1604,6 @@ ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat # Create fake alt-java as a placeholder for future alt-java pushd ${JAVA_HOME} -cp -a bin/java bin/%{alt_java_name} # add alt-java man page echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 @@ -2055,6 +2057,10 @@ require "copy_jdk_configs.lua" %endif %changelog +* Tue Dec 01 2020 Jiri Vanek - 1:15.0.1.9-3.rolling +- added patch600, rh1750419-redhat_alt_java.patch, suprassing removed patch +- no longer copying of java->alt-java as it is created by patch600 + * Mon Nov 23 2020 Jiri Vanek - 1:15.0.1.9-2.rolling - Create a copy of java as alt-java with alternatives and man pages - java-11-openjdk doesn't have a JRE tree, so don't try and copy alt-java there... diff --git a/rh1750419-redhat_alt_java.patch b/rh1750419-redhat_alt_java.patch new file mode 100644 index 0000000..45c4ad3 --- /dev/null +++ b/rh1750419-redhat_alt_java.patch @@ -0,0 +1,109 @@ +diff -r 1356affa5e44 make/modules/java.base/Launcher.gmk +--- openjdk/make/modules/java.base/Launcher.gmk ++++ openjdk/make/modules/java.base/Launcher.gmk +@@ -37,6 +37,13 @@ + + $(eval $(call SetupBuildLauncher, java, \ + CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \ ++ EXTRA_RC_FLAGS := $(JAVA_RC_FLAGS), \ ++ VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \ ++ OPTIMIZATION := HIGH, \ ++)) ++ ++$(eval $(call SetupBuildLauncher, alt-java, \ ++ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA, \ + EXTRA_RC_FLAGS := $(JAVA_RC_FLAGS), \ + VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \ + OPTIMIZATION := HIGH, \ + +diff -r 25e94aa812b2 src/share/bin/alt_main.h +--- /dev/null Thu Jan 01 00:00:00 1970 +0000 ++++ openjdk/src/java.base/share/native/launcher/alt_main.h Tue Jun 02 17:15:28 2020 +0100 +@@ -0,0 +1,73 @@ ++/* ++ * Copyright (c) 2019, Red Hat, Inc. All rights reserved. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++#ifdef REDHAT_ALT_JAVA ++ ++#include ++ ++ ++/* Per task speculation control */ ++#ifndef PR_GET_SPECULATION_CTRL ++# define PR_GET_SPECULATION_CTRL 52 ++#endif ++#ifndef PR_SET_SPECULATION_CTRL ++# define PR_SET_SPECULATION_CTRL 53 ++#endif ++/* Speculation control variants */ ++#ifndef PR_SPEC_STORE_BYPASS ++# define PR_SPEC_STORE_BYPASS 0 ++#endif ++/* Return and control values for PR_SET/GET_SPECULATION_CTRL */ ++ ++#ifndef PR_SPEC_NOT_AFFECTED ++# define PR_SPEC_NOT_AFFECTED 0 ++#endif ++#ifndef PR_SPEC_PRCTL ++# define PR_SPEC_PRCTL (1UL << 0) ++#endif ++#ifndef PR_SPEC_ENABLE ++# define PR_SPEC_ENABLE (1UL << 1) ++#endif ++#ifndef PR_SPEC_DISABLE ++# define PR_SPEC_DISABLE (1UL << 2) ++#endif ++#ifndef PR_SPEC_FORCE_DISABLE ++# define PR_SPEC_FORCE_DISABLE (1UL << 3) ++#endif ++#ifndef PR_SPEC_DISABLE_NOEXEC ++# define PR_SPEC_DISABLE_NOEXEC (1UL << 4) ++#endif ++ ++static void set_speculation() __attribute__((constructor)); ++static void set_speculation() { ++ if ( prctl(PR_SET_SPECULATION_CTRL, ++ PR_SPEC_STORE_BYPASS, ++ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) { ++ return; ++ } ++ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0); ++} ++ ++#endif // REDHAT_ALT_JAVA +diff -r 25e94aa812b2 src/share/bin/main.c +--- openjdk/src/java.base/share/native/launcher/main.c Wed Feb 05 12:20:36 2020 -0300 ++++ openjdk/src/java.base/share/native/launcher/main.c Tue Jun 02 17:15:28 2020 +0100 +@@ -34,6 +34,10 @@ + #include "jli_util.h" + #include "jni.h" + ++#if defined(linux) && defined(__x86_64) ++#include "alt_main.h" ++#endif ++ + #ifdef _MSC_VER + #if _MSC_VER > 1400 && _MSC_VER < 1600 +