spectre

author: netblue30 <netblue30@yahoo.com> 2018-03-24 15:13:01 -0400
committer: netblue30 <netblue30@yahoo.com> 2018-03-24 15:13:01 -0400
commit: f44c1cecff6e3f1e7ae989a08057019fa3ffb1ce (patch)
tree: 9a355be5eb185f77766a0b97831fabbc7aefc781
parent: Merge branch 'master' of http://github.com/netblue30/firejail (diff)
download: firejail-f44c1cecff6e3f1e7ae989a08057019fa3ffb1ce.tar.gz
firejail-f44c1cecff6e3f1e7ae989a08057019fa3ffb1ce.tar.zst
firejail-f44c1cecff6e3f1e7ae989a08057019fa3ffb1ce.zip
2 files changed, 47 insertions, 0 deletions
diff --git a/README.md b/README.md
index f0c6d04e8..d3f5db872 100644
--- a/README.md
+++ b/README.md
@@ -98,6 +98,52 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 `````
 # Current development version: 0.9.53
+## Spectre mitigation
+If your gcc compiler version supports it, -mindirect-branch=thunk is inserted into EXTRA_CFLAGS during software configuration.
+The patch was introduced in gcc version 8, and it was backported to gcc 7. You'll also find it
+on older versions, for example on Debian stable running on gcc 6.3.0.  This is how you check it:
+`````
+$ ./configure --prefix=/usr
+checking for gcc... gcc
+checking whether the C compiler works... yes
+checking for C compiler default output file name... a.out
+checking for suffix of executables...
+checking whether we are cross compiling... no
+checking for suffix of object files... o
+checking whether we are using the GNU C compiler... yes
+checking whether gcc accepts -g... yes
+checking for gcc option to accept ISO C89... none needed
+checking for a BSD-compatible install... /usr/bin/install -c
+checking for ranlib... ranlib
+checking for Spectre mitigation support in gcc compiler... yes
+[...]
+Configuration options:
+   prefix: /usr
+   sysconfdir: /etc
+   seccomp: -DHAVE_SECCOMP
+   <linux/seccomp.h>: -DHAVE_SECCOMP_H
+   apparmor:
+   global config: -DHAVE_GLOBALCFG
+   chroot: -DHAVE_CHROOT
+   bind: -DHAVE_BIND
+   network: -DHAVE_NETWORK
+   user namespace: -DHAVE_USERNS
+   X11 sandboxing support: -DHAVE_X11
+   whitelisting: -DHAVE_WHITELIST
+   private home support: -DHAVE_PRIVATE_HOME
+   file transfer support: -DHAVE_FILE_TRANSFER
+   overlayfs support: -DHAVE_OVERLAYFS
+   git install support:
+   busybox workaround: no
+   Spectre compiler patch: yes
+   EXTRA_LDFLAGS:
+   EXTRA_CFLAGS:  -mindirect-branch=thunk
+   fatal warnings:
+   Gcov instrumentation:
+   Install contrib scripts: yes
+`````
 ## AppImage development
 Support for private-bin, private-lib and shell none has been disabled while running AppImage archives.
diff --git a/RELNOTES b/RELNOTES
index 94614b19d..681e2a865 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -9,6 +9,7 @@ firejail (0.9.53) baseline; urgency=low
     All users of Firefox-based browsers who use addons and plugins
     that read/write from ${HOME} will need to uncomment the includes for
     firefox-common-addons.inc in firefox-common.profile.
+  * Spectre mitigation patch for gcc compiler
  * AppArmor support for overlayfs and chroot sandboxes
  * AppArmor support for AppImages
  * Enable AppArmor by default for Firefox, Chromium, Transmission
author	netblue30 <netblue30@yahoo.com>	2018-03-24 15:13:01 -0400
committer	netblue30 <netblue30@yahoo.com>	2018-03-24 15:13:01 -0400
commit	f44c1cecff6e3f1e7ae989a08057019fa3ffb1ce (patch)
tree	9a355be5eb185f77766a0b97831fabbc7aefc781
parent	Merge branch 'master' of http://github.com/netblue30/firejail (diff)
download	firejail-f44c1cecff6e3f1e7ae989a08057019fa3ffb1ce.tar.gz firejail-f44c1cecff6e3f1e7ae989a08057019fa3ffb1ce.tar.zst firejail-f44c1cecff6e3f1e7ae989a08057019fa3ffb1ce.zip

diff --git a/README.md b/README.md index f0c6d04e8..d3f5db872 100644 --- a/README.md +++ b/README.md
@@ -98,6 +98,52 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
98	`````	98	`````
99	# Current development version: 0.9.53	99	# Current development version: 0.9.53
100		100
		101	## Spectre mitigation
		102
		103	If your gcc compiler version supports it, -mindirect-branch=thunk is inserted into EXTRA_CFLAGS during software configuration.
		104	The patch was introduced in gcc version 8, and it was backported to gcc 7. You'll also find it
		105	on older versions, for example on Debian stable running on gcc 6.3.0. This is how you check it:
		106	`````
		107	$ ./configure --prefix=/usr
		108	checking for gcc... gcc
		109	checking whether the C compiler works... yes
		110	checking for C compiler default output file name... a.out
		111	checking for suffix of executables...
		112	checking whether we are cross compiling... no
		113	checking for suffix of object files... o
		114	checking whether we are using the GNU C compiler... yes
		115	checking whether gcc accepts -g... yes
		116	checking for gcc option to accept ISO C89... none needed
		117	checking for a BSD-compatible install... /usr/bin/install -c
		118	checking for ranlib... ranlib
		119	checking for Spectre mitigation support in gcc compiler... yes
		120	[...]
		121	Configuration options:
		122	prefix: /usr
		123	sysconfdir: /etc
		124	seccomp: -DHAVE_SECCOMP
		125	<linux/seccomp.h>: -DHAVE_SECCOMP_H
		126	apparmor:
		127	global config: -DHAVE_GLOBALCFG
		128	chroot: -DHAVE_CHROOT
		129	bind: -DHAVE_BIND
		130	network: -DHAVE_NETWORK
		131	user namespace: -DHAVE_USERNS
		132	X11 sandboxing support: -DHAVE_X11
		133	whitelisting: -DHAVE_WHITELIST
		134	private home support: -DHAVE_PRIVATE_HOME
		135	file transfer support: -DHAVE_FILE_TRANSFER
		136	overlayfs support: -DHAVE_OVERLAYFS
		137	git install support:
		138	busybox workaround: no
		139	Spectre compiler patch: yes
		140	EXTRA_LDFLAGS:
		141	EXTRA_CFLAGS: -mindirect-branch=thunk
		142	fatal warnings:
		143	Gcov instrumentation:
		144	Install contrib scripts: yes
		145	`````
		146
101	## AppImage development	147	## AppImage development
102		148
103	Support for private-bin, private-lib and shell none has been disabled while running AppImage archives.	149	Support for private-bin, private-lib and shell none has been disabled while running AppImage archives.


diff --git a/RELNOTES b/RELNOTES index 94614b19d..681e2a865 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -9,6 +9,7 @@ firejail (0.9.53) baseline; urgency=low
9	All users of Firefox-based browsers who use addons and plugins	9	All users of Firefox-based browsers who use addons and plugins
10	that read/write from ${HOME} will need to uncomment the includes for	10	that read/write from ${HOME} will need to uncomment the includes for
11	firefox-common-addons.inc in firefox-common.profile.	11	firefox-common-addons.inc in firefox-common.profile.
		12	* Spectre mitigation patch for gcc compiler
12	* AppArmor support for overlayfs and chroot sandboxes	13	* AppArmor support for overlayfs and chroot sandboxes
13	* AppArmor support for AppImages	14	* AppArmor support for AppImages
14	* Enable AppArmor by default for Firefox, Chromium, Transmission	15	* Enable AppArmor by default for Firefox, Chromium, Transmission