| author | netblue30 <netblue30@yahoo.com> | 2018-03-24 15:13:01 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2018-03-24 15:13:01 -0400 |
| commit | f44c1cecff6e3f1e7ae989a08057019fa3ffb1ce (patch) | |
| tree | 9a355be5eb185f77766a0b97831fabbc7aefc781 | |
| parent | Merge branch 'master' of http://github.com/netblue30/firejail (diff) | |
| download | firejail-f44c1cecff6e3f1e7ae989a08057019fa3ffb1ce.tar.gz firejail-f44c1cecff6e3f1e7ae989a08057019fa3ffb1ce.tar.zst firejail-f44c1cecff6e3f1e7ae989a08057019fa3ffb1ce.zip | |
spectre
| -rw-r--r-- | README.md | 46 |
|---|---|---|
| -rw-r--r-- | RELNOTES | 1 |

2 files changed, 47 insertions, 0 deletions
@@ -98,6 +98,52 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir | |||
98 | ````` | 98 | ````` |
99 | # Current development version: 0.9.53 | 99 | # Current development version: 0.9.53 |
100 | 100 | ||
101 | ## Spectre mitigation | ||
102 | |||
103 | If your gcc compiler version supports it, -mindirect-branch=thunk is inserted into EXTRA_CFLAGS during software configuration. | ||
104 | The patch was introduced in gcc version 8, and it was backported to gcc 7. You'll also find it | ||
105 | on older versions, for example on Debian stable running on gcc 6.3.0. This is how you check it: | ||
106 | ````` | ||
107 | $ ./configure --prefix=/usr | ||
108 | checking for gcc... gcc | ||
109 | checking whether the C compiler works... yes | ||
110 | checking for C compiler default output file name... a.out | ||
111 | checking for suffix of executables... | ||
112 | checking whether we are cross compiling... no | ||
113 | checking for suffix of object files... o | ||
114 | checking whether we are using the GNU C compiler... yes | ||
115 | checking whether gcc accepts -g... yes | ||
116 | checking for gcc option to accept ISO C89... none needed | ||
117 | checking for a BSD-compatible install... /usr/bin/install -c | ||
118 | checking for ranlib... ranlib | ||
119 | checking for Spectre mitigation support in gcc compiler... yes | ||
120 | [...] | ||
121 | Configuration options: | ||
122 | prefix: /usr | ||
123 | sysconfdir: /etc | ||
124 | seccomp: -DHAVE_SECCOMP | ||
125 | <linux/seccomp.h>: -DHAVE_SECCOMP_H | ||
126 | apparmor: | ||
127 | global config: -DHAVE_GLOBALCFG | ||
128 | chroot: -DHAVE_CHROOT | ||
129 | bind: -DHAVE_BIND | ||
130 | network: -DHAVE_NETWORK | ||
131 | user namespace: -DHAVE_USERNS | ||
132 | X11 sandboxing support: -DHAVE_X11 | ||
133 | whitelisting: -DHAVE_WHITELIST | ||
134 | private home support: -DHAVE_PRIVATE_HOME | ||
135 | file transfer support: -DHAVE_FILE_TRANSFER | ||
136 | overlayfs support: -DHAVE_OVERLAYFS | ||
137 | git install support: | ||
138 | busybox workaround: no | ||
139 | Spectre compiler patch: yes | ||
140 | EXTRA_LDFLAGS: | ||
141 | EXTRA_CFLAGS: -mindirect-branch=thunk | ||
142 | fatal warnings: | ||
143 | Gcov instrumentation: | ||
144 | Install contrib scripts: yes | ||
145 | ````` | ||
146 | |||
101 | ## AppImage development | 147 | ## AppImage development |
102 | 148 | ||
103 | Support for private-bin, private-lib and shell none has been disabled while running AppImage archives. | 149 | Support for private-bin, private-lib and shell none has been disabled while running AppImage archives. |
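Review bot: the new "Spectre mitigation" section (README lines 101-105 of the hunk) should state which Spectre variant the flag addresses and what it covers: `-mindirect-branch=thunk` is gcc's retpoline option, which rewrites indirect calls and jumps in firejail's own binaries to mitigate variant 2 (branch target injection); it does nothing for variant 1 (bounds-check bypass), and it does not harden the programs that run inside the sandbox. Suggested wording after the first sentence: "This is gcc's retpoline mitigation for Spectre variant 2; it applies to the firejail binaries only, not to sandboxed applications." Two smaller documentation points: the sentence about gcc 6.3.0 on Debian stable describes a distribution backport rather than upstream gcc, so it is worth saying that availability depends on the distro's toolchain, which is exactly why configure probes for the option instead of comparing version numbers; and the sample `./configure` output could be cut down to the two relevant lines (`checking for Spectre mitigation support in gcc compiler... yes` and `EXTRA_CFLAGS: -mindirect-branch=thunk`), since the seccomp, apparmor and overlayfs lines in between are unrelated to this feature and will go stale as those options change.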
@@ -9,6 +9,7 @@ firejail (0.9.53) baseline; urgency=low | |||
9 | All users of Firefox-based browsers who use addons and plugins | 9 | All users of Firefox-based browsers who use addons and plugins |
10 | that read/write from ${HOME} will need to uncomment the includes for | 10 | that read/write from ${HOME} will need to uncomment the includes for |
11 | firefox-common-addons.inc in firefox-common.profile. | 11 | firefox-common-addons.inc in firefox-common.profile. |
12 | * Spectre mitigation patch for gcc compiler | ||
12 | * AppArmor support for overlayfs and chroot sandboxes | 13 | * AppArmor support for overlayfs and chroot sandboxes |
13 | * AppArmor support for AppImages | 14 | * AppArmor support for AppImages |
14 | * Enable AppArmor by default for Firefox, Chromium, Transmission | 15 | * Enable AppArmor by default for Firefox, Chromium, Transmission |
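Review bot: the new RELNOTES entry "* Spectre mitigation patch for gcc compiler" (line 12 of the hunk) reads as if firejail ships a patch to gcc, whereas the README change in the same commit describes enabling an existing gcc option during configure. Suggest "* Build with gcc's Spectre v2 (retpoline) mitigation flag, -mindirect-branch=thunk, when the compiler supports it" so that packagers know this is a build-time flag they can verify in their own configure output rather than a toolchain dependency.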