hardened jdk

Robert Connolly robert at linuxfromscratch.org
Thu May 17 05:20:42 PDT 2007

Sun's Java can build with any/all hardening options, but creates non-pic 
shared objects during the build, so it has to be built on a non-pax kernel. 
No extra patches or Sed commands needed, it was straightforward.

There are binary packages here:

$ cat jdk-1.5.0_11-linux-i586-hardened.tar.md5
ede68cb1bccf7e8ad6ff17782eaa36db  jdk-1.5.0_11-linux-i586-hardened.tar
$ cat jdk-1.5.0_11-linux-i586-hardened.tar.sha1
17c3fbbfd0a41cbd3185d6b76f5aee3928a7feb7  jdk-1.5.0_11-linux-i586-hardened.tar

$ cat jdk-1.5.0_11-linux-i586-hardened/README.1st
May 17th, 2007

Review the license terms and conditions at:

I do not know if this package is in conformance with Sun's licenses because
there are about 20 different licenses, and I don't know which ones apply here.
However, I do believe this package is in the spirit of Sun's intentions,
because it is provided for Non-Commercial Educational Java Development
Research use. I built and distributed this package so that PaX users would
have a JDK version with PT_PAX program headers, so legacy marking support
would not be needed.

This package was essentially built with:
 'gcc -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2'
 'ld -z relro -z now -z combreloc -pie'

All the programs are position independent executable shared objects.

The 'i486-pc-linux-gnu-gcc-4.1.2.specs' file is the GCC specs used to build
this package.

This package was built with the following:
                Binutils-2.17 with PT_PAX patch
                Glibc-2.5 with PT_PAX patch
                        Glibc configured with --enable-kernel=
                Xorg-7.1, with a couple newer package versions, installed
                        to /usr

Note: The JDK build system uses '-march=i586 -O3'.

I used the Beyond Linux From Scratch svn-20071505 JDK-1.5.0_11 instructions.

I make no claims regarding the stability or security of this package. I made
no source code modifications except what are in the Beyond Linux From Scratch

These files contain the filenames and checksums of the sources and patches I

You will almost certainly need to use the 'paxctl' program, not 'chpax', which
is available at the PaX web site.
