treewide: remove paxutils from stdenv
More than one year ago we removed grsecurity kernels from nixpkgs: https://github.com/NixOS/nixpkgs/pull/25277 This now also removes paxutils from stdenv.
This commit is contained in:
parent
0a2efa121d
commit
1b146a8c6f
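--- a/[path not shown]
+++ b/[path not shown]
@@ -2433,30 +2433,6 @@ addEnvHooks "$hostOffset" myBashFunction
 </para>
 </listitem>
 </varlistentry>
-<varlistentry>
-<term>
-paxctl
-</term>
-<listitem>
-<para>
-Defines the <varname>paxmark</varname> helper for setting per-executable
-PaX flags on Linux (where it is available by default; on all other
-platforms, <varname>paxmark</varname> is a no-op). For example, to
-disable secure memory protections on the executable
-<replaceable>foo</replaceable>
-<programlisting>
-postFixup = ''
-paxmark m $out/bin/<replaceable>foo</replaceable>
-'';
-</programlisting>
-The <literal>m</literal> flag is the most common flag and is typically
-required for applications that employ JIT compilation or otherwise need
-to execute code generated at run-time. Disabling PaX protections should
-be considered a last resort: if possible, problematic features should be
-disabled or patched to work with PaX.
-</para>
-</listitem>
-</varlistentry>
 <varlistentry>
 <term>
 autoPatchelfHook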
@ -34,8 +34,6 @@ in stdenv.mkDerivation rec {
|
|||||||
|
|
||||||
find $out/share/parity-ui -name "*.node" -exec patchelf --set-rpath "${uiEnv.libPath}:$out/share/parity-ui" {} \;
|
find $out/share/parity-ui -name "*.node" -exec patchelf --set-rpath "${uiEnv.libPath}:$out/share/parity-ui" {} \;
|
||||||
|
|
||||||
paxmark m $out/share/parity-ui/parity-ui
|
|
||||||
|
|
||||||
mkdir -p $out/bin
|
mkdir -p $out/bin
|
||||||
ln -s $out/share/parity-ui/parity-ui $out/bin/parity-ui
|
ln -s $out/share/parity-ui/parity-ui $out/bin/parity-ui
|
||||||
'';
|
'';
|
||||||
|
@ -70,9 +70,6 @@ let
|
|||||||
ln -s ${pkgs.git}/bin/git $dugite/git/libexec/git-core/git
|
ln -s ${pkgs.git}/bin/git $dugite/git/libexec/git-core/git
|
||||||
|
|
||||||
find $share -name "*.node" -exec patchelf --set-rpath "${atomEnv.libPath}:$share" {} \;
|
find $share -name "*.node" -exec patchelf --set-rpath "${atomEnv.libPath}:$share" {} \;
|
||||||
|
|
||||||
paxmark m $share/atom
|
|
||||||
paxmark m $share/resources/app/apm/bin/node
|
|
||||||
'';
|
'';
|
||||||
|
|
||||||
meta = with stdenv.lib; {
|
meta = with stdenv.lib; {
|
||||||
|
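--- a/[path not shown]
+++ b/[path not shown]
@@ -282,8 +282,6 @@ let
 MENUNAME="Chromium"
 process_template chrome/app/resources/manpage.1.in "${buildPath}/chrome.1"
 )
-'' + optionalString (target == "mksnapshot" || target == "chrome") ''
-paxmark m "${buildPath}/${target}"
 '';
 targets = extraAttrs.buildTargets or [];
 commands = map buildCommand targets;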
@ -263,20 +263,12 @@ stdenv.mkDerivation rec {
|
|||||||
enableParallelBuilding = true;
|
enableParallelBuilding = true;
|
||||||
doCheck = false; # "--disable-tests" above
|
doCheck = false; # "--disable-tests" above
|
||||||
|
|
||||||
preInstall = ''
|
|
||||||
# The following is needed for startup cache creation on grsecurity kernels.
|
|
||||||
paxmark m dist/bin/xpcshell
|
|
||||||
'';
|
|
||||||
|
|
||||||
installPhase = if stdenv.isDarwin then ''
|
installPhase = if stdenv.isDarwin then ''
|
||||||
mkdir -p $out/Applications
|
mkdir -p $out/Applications
|
||||||
cp -LR dist/Firefox.app $out/Applications
|
cp -LR dist/Firefox.app $out/Applications
|
||||||
'' else null;
|
'' else null;
|
||||||
|
|
||||||
postInstall = lib.optionalString stdenv.isLinux ''
|
postInstall = lib.optionalString stdenv.isLinux ''
|
||||||
# For grsecurity kernels
|
|
||||||
paxmark m $out/lib/firefox*/{firefox,firefox-bin,plugin-container}
|
|
||||||
|
|
||||||
# Remove SDK cruft. FIXME: move to a separate output?
|
# Remove SDK cruft. FIXME: move to a separate output?
|
||||||
rm -rf $out/share/idl $out/include $out/lib/firefox-devel-*
|
rm -rf $out/share/idl $out/include $out/lib/firefox-devel-*
|
||||||
|
|
||||||
|
@ -32,8 +32,6 @@ stdenv.mkDerivation rec {
|
|||||||
patchelf --set-interpreter ${stdenv.cc.bintools.dynamicLinker} \
|
patchelf --set-interpreter ${stdenv.cc.bintools.dynamicLinker} \
|
||||||
$out/opt/discord/Discord
|
$out/opt/discord/Discord
|
||||||
|
|
||||||
paxmark m $out/opt/discord/Discord
|
|
||||||
|
|
||||||
wrapProgram $out/opt/discord/Discord --prefix LD_LIBRARY_PATH : ${libPath}
|
wrapProgram $out/opt/discord/Discord --prefix LD_LIBRARY_PATH : ${libPath}
|
||||||
|
|
||||||
ln -s $out/opt/discord/Discord $out/bin/
|
ln -s $out/opt/discord/Discord $out/bin/
|
||||||
|
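--- a/[path not shown]
+++ b/[path not shown]
@@ -54,7 +54,6 @@ in stdenv.mkDerivation rec {
 '';
 
 postFixup = ''
-paxmark m $out/opt/franz/Franz
 wrapProgram $out/opt/franz/Franz --prefix PATH : ${xdg_utils}/bin
 '';
 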
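--- a/[path not shown]
+++ b/[path not shown]
@@ -52,7 +52,6 @@ in stdenv.mkDerivation rec {
 '';
 
 postFixup = ''
-paxmark m $out/opt/wavebox/Wavebox
 makeWrapper $out/opt/wavebox/Wavebox $out/bin/wavebox \
 --prefix PATH : ${xdg_utils}/bin
 '';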
@ -100,7 +100,7 @@ in stdenv.mkDerivation rec {
|
|||||||
''
|
''
|
||||||
cxxLib=$( echo -n ${gcc}/include/c++/* )
|
cxxLib=$( echo -n ${gcc}/include/c++/* )
|
||||||
archLib=$cxxLib/$( ${gcc}/bin/gcc -dumpmachine )
|
archLib=$cxxLib/$( ${gcc}/bin/gcc -dumpmachine )
|
||||||
|
|
||||||
test -f layout/style/ServoBindings.toml && sed -i -e '/"-DRUST_BINDGEN"/ a , "-cxx-isystem", "'$cxxLib'", "-isystem", "'$archLib'"' layout/style/ServoBindings.toml
|
test -f layout/style/ServoBindings.toml && sed -i -e '/"-DRUST_BINDGEN"/ a , "-cxx-isystem", "'$cxxLib'", "-isystem", "'$archLib'"' layout/style/ServoBindings.toml
|
||||||
|
|
||||||
configureScript="$(realpath ./configure)"
|
configureScript="$(realpath ./configure)"
|
||||||
@ -108,18 +108,9 @@ in stdenv.mkDerivation rec {
|
|||||||
cd ../objdir
|
cd ../objdir
|
||||||
'';
|
'';
|
||||||
|
|
||||||
preInstall =
|
|
||||||
''
|
|
||||||
# The following is needed for startup cache creation on grsecurity kernels.
|
|
||||||
paxmark m ../objdir/dist/bin/xpcshell
|
|
||||||
'';
|
|
||||||
|
|
||||||
dontWrapGApps = true; # we do it ourselves
|
dontWrapGApps = true; # we do it ourselves
|
||||||
postInstall =
|
postInstall =
|
||||||
''
|
''
|
||||||
# For grsecurity kernels
|
|
||||||
paxmark m $out/lib/thunderbird/thunderbird
|
|
||||||
|
|
||||||
# TODO: Move to a dev output?
|
# TODO: Move to a dev output?
|
||||||
rm -rf $out/include $out/lib/thunderbird-devel-* $out/share/idl
|
rm -rf $out/include $out/lib/thunderbird-devel-* $out/share/idl
|
||||||
|
|
||||||
|
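--- a/[path not shown]
+++ b/[path not shown]
@@ -112,7 +112,6 @@ stdenv.mkDerivation {
 patchelf --set-interpreter $interpreter \
 --set-rpath ${stdenv.lib.makeLibraryPath deps}:$out/lib \
 $out/bin/mendeleydesktop
-paxmark m $out/bin/mendeleydesktop
 
 wrapProgram $out/bin/mendeleydesktop \
 --add-flags "--unix-distro-build" \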
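--- a/[path not shown]
+++ b/[path not shown]
@@ -125,9 +125,6 @@ stdenv.mkDerivation rec {
 
 postFixup =
 ''
-for exe in $out/bin/qemu-system-* ; do
-paxmark m $exe
-done
 # copy qemu-ga (guest agent) to separate output
 mkdir -p $ga/bin
 cp $out/bin/qemu-ga $ga/bin/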
@ -61,14 +61,6 @@ let result = stdenv.mkDerivation rec {
|
|||||||
installPhase = ''
|
installPhase = ''
|
||||||
cd ..
|
cd ..
|
||||||
|
|
||||||
# Set PaX markings
|
|
||||||
exes=$(file $sourceRoot/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
|
|
||||||
for file in $exes; do
|
|
||||||
paxmark m "$file"
|
|
||||||
# On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
|
|
||||||
${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''}
|
|
||||||
done
|
|
||||||
|
|
||||||
mv $sourceRoot $out
|
mv $sourceRoot $out
|
||||||
|
|
||||||
rm -rf $out/demo
|
rm -rf $out/demo
|
||||||
|
@ -282,11 +282,6 @@ postInstall() {
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
# Disable RANDMMAP on grsec, which causes segfaults when using
|
|
||||||
# precompiled headers.
|
|
||||||
# See https://bugs.gentoo.org/show_bug.cgi?id=301299#c31
|
|
||||||
paxmark r $out/libexec/gcc/*/*/{cc1,cc1plus}
|
|
||||||
|
|
||||||
# Two identical man pages are shipped (moving and compressing is done later)
|
# Two identical man pages are shipped (moving and compressing is done later)
|
||||||
ln -sf gcc.1 "$out"/share/man/man1/g++.1
|
ln -sf gcc.1 "$out"/share/man/man1/g++.1
|
||||||
}
|
}
|
||||||
|
@ -105,8 +105,6 @@ stdenv.mkDerivation rec {
|
|||||||
--replace-needed libtinfo.so libtinfo.so.5 \
|
--replace-needed libtinfo.so libtinfo.so.5 \
|
||||||
--interpreter ${glibcDynLinker} {} \;
|
--interpreter ${glibcDynLinker} {} \;
|
||||||
|
|
||||||
paxmark m ./ghc-${version}/ghc/stage2/build/tmp/ghc-stage2
|
|
||||||
|
|
||||||
sed -i "s|/usr/bin/perl|perl\x00 |" ghc-${version}/ghc/stage2/build/tmp/ghc-stage2
|
sed -i "s|/usr/bin/perl|perl\x00 |" ghc-${version}/ghc/stage2/build/tmp/ghc-stage2
|
||||||
sed -i "s|/usr/bin/gcc|gcc\x00 |" ghc-${version}/ghc/stage2/build/tmp/ghc-stage2
|
sed -i "s|/usr/bin/gcc|gcc\x00 |" ghc-${version}/ghc/stage2/build/tmp/ghc-stage2
|
||||||
'';
|
'';
|
||||||
|
@ -238,11 +238,6 @@ stdenv.mkDerivation (rec {
|
|||||||
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
|
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
|
||||||
|
|
||||||
postInstall = ''
|
postInstall = ''
|
||||||
for bin in "$out"/lib/${name}/bin/*; do
|
|
||||||
isELF "$bin" || continue
|
|
||||||
paxmark m "$bin"
|
|
||||||
done
|
|
||||||
|
|
||||||
# Install the bash completion file.
|
# Install the bash completion file.
|
||||||
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
|
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
|
||||||
|
|
||||||
|
@ -214,11 +214,6 @@ stdenv.mkDerivation (rec {
|
|||||||
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
|
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
|
||||||
|
|
||||||
postInstall = ''
|
postInstall = ''
|
||||||
for bin in "$out"/lib/${name}/bin/*; do
|
|
||||||
isELF "$bin" || continue
|
|
||||||
paxmark m "$bin"
|
|
||||||
done
|
|
||||||
|
|
||||||
# Install the bash completion file.
|
# Install the bash completion file.
|
||||||
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
|
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
|
||||||
|
|
||||||
|
@ -195,11 +195,6 @@ stdenv.mkDerivation (rec {
|
|||||||
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
|
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
|
||||||
|
|
||||||
postInstall = ''
|
postInstall = ''
|
||||||
for bin in "$out"/lib/${name}/bin/*; do
|
|
||||||
isELF "$bin" || continue
|
|
||||||
paxmark m "$bin"
|
|
||||||
done
|
|
||||||
|
|
||||||
# Install the bash completion file.
|
# Install the bash completion file.
|
||||||
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
|
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
|
||||||
|
|
||||||
|
@ -195,11 +195,6 @@ stdenv.mkDerivation (rec {
|
|||||||
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
|
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
|
||||||
|
|
||||||
postInstall = ''
|
postInstall = ''
|
||||||
for bin in "$out"/lib/${name}/bin/*; do
|
|
||||||
isELF "$bin" || continue
|
|
||||||
paxmark m "$bin"
|
|
||||||
done
|
|
||||||
|
|
||||||
# Install the bash completion file.
|
# Install the bash completion file.
|
||||||
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
|
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
|
||||||
|
|
||||||
|
@ -192,11 +192,6 @@ stdenv.mkDerivation (rec {
|
|||||||
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
|
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
|
||||||
|
|
||||||
postInstall = ''
|
postInstall = ''
|
||||||
for bin in "$out"/lib/${name}/bin/*; do
|
|
||||||
isELF "$bin" || continue
|
|
||||||
paxmark m "$bin"
|
|
||||||
done
|
|
||||||
|
|
||||||
# Install the bash completion file.
|
# Install the bash completion file.
|
||||||
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
|
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
|
||||||
|
|
||||||
|
@ -177,11 +177,6 @@ stdenv.mkDerivation (rec {
|
|||||||
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
|
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
|
||||||
|
|
||||||
postInstall = ''
|
postInstall = ''
|
||||||
for bin in "$out"/lib/${name}/bin/*; do
|
|
||||||
isELF "$bin" || continue
|
|
||||||
paxmark m "$bin"
|
|
||||||
done
|
|
||||||
|
|
||||||
# Install the bash completion file.
|
# Install the bash completion file.
|
||||||
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
|
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
|
||||||
|
|
||||||
|
@ -25,11 +25,6 @@ let drv = stdenv.mkDerivation rec {
|
|||||||
installPhase = ''
|
installPhase = ''
|
||||||
cd ..
|
cd ..
|
||||||
|
|
||||||
exes=$(file $sourceRoot/bin/* $sourceRoot/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
|
|
||||||
for file in $exes; do
|
|
||||||
paxmark m "$file"
|
|
||||||
done
|
|
||||||
|
|
||||||
mv $sourceRoot $out
|
mv $sourceRoot $out
|
||||||
jrePath=$out/jre
|
jrePath=$out/jre
|
||||||
'';
|
'';
|
||||||
|
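--- a/[path not shown]
+++ b/[path not shown]
@@ -1,25 +0,0 @@
-From eddb251a00ace6e63e32e7dcb9e1ec632cac14e0 Mon Sep 17 00:00:00 2001
-From: Will Dietz <w@wdtz.org>
-Date: Wed, 1 Feb 2017 06:09:49 -0600
-Subject: [PATCH] Set pax flags on julia binaries to disable memory protection.
-
----
-Makefile | 2 ++
-1 file changed, 2 insertions(+)
-
-diff --git a/Makefile b/Makefile
-index 0e28cc87b..aab8cfa8d 100644
---- a/Makefile
-+++ b/Makefile
-@@ -91,6 +91,8 @@ julia-src-release julia-src-debug : julia-src-% : julia-deps julia_flisp.boot.in
-
-julia-ui-release julia-ui-debug : julia-ui-% : julia-src-%
-@$(MAKE) $(QUIET_MAKE) -C $(BUILDROOT)/ui julia-$*
-+ @echo "setting PaX flags on $(JULIA_EXECUTABLE_$*)"
-+ @paxctl -czexm $(JULIA_EXECUTABLE_$*)
-
-julia-inference : julia-base julia-ui-$(JULIA_BUILD_MODE) $(build_prefix)/.examples
-@$(MAKE) $(QUIET_MAKE) -C $(BUILDROOT) $(build_private_libdir)/inference.ji JULIA_BUILD_MODE=$(JULIA_BUILD_MODE)
---
-2.11.0
-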
@ -1,6 +1,6 @@
|
|||||||
{ stdenv, fetchurl, fetchzip
|
{ stdenv, fetchurl, fetchzip
|
||||||
# build tools
|
# build tools
|
||||||
, gfortran, m4, makeWrapper, patchelf, perl, which, python2, paxctl
|
, gfortran, m4, makeWrapper, patchelf, perl, which, python2
|
||||||
# libjulia dependencies
|
# libjulia dependencies
|
||||||
, libunwind, readline, utf8proc, zlib
|
, libunwind, readline, utf8proc, zlib
|
||||||
, llvm
|
, llvm
|
||||||
@ -75,7 +75,7 @@ stdenv.mkDerivation rec {
|
|||||||
patches = [
|
patches = [
|
||||||
./0001.1-use-system-utf8proc.patch
|
./0001.1-use-system-utf8proc.patch
|
||||||
./0002-use-system-suitesparse.patch
|
./0002-use-system-suitesparse.patch
|
||||||
] ++ stdenv.lib.optional stdenv.needsPax ./0004-hardened.patch;
|
];
|
||||||
|
|
||||||
postPatch = ''
|
postPatch = ''
|
||||||
patchShebangs . contrib
|
patchShebangs . contrib
|
||||||
@ -96,8 +96,7 @@ stdenv.mkDerivation rec {
|
|||||||
++ stdenv.lib.optionals stdenv.isDarwin [CoreServices ApplicationServices]
|
++ stdenv.lib.optionals stdenv.isDarwin [CoreServices ApplicationServices]
|
||||||
;
|
;
|
||||||
|
|
||||||
nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ]
|
nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ];
|
||||||
++ stdenv.lib.optional stdenv.needsPax paxctl;
|
|
||||||
|
|
||||||
makeFlags =
|
makeFlags =
|
||||||
let
|
let
|
||||||
|
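Review bot: `stdenv.needsPax` loses its consumers in the `nativeBuildInputs` and `patches` edits here and in the sibling julia and swift hunks, yet nothing in this commit shows the attribute itself being dropped from stdenv; if it is still defined there it becomes a dead flag that keeps implying PaX support the tree no longer provides. Worth confirming in the same series and either removing it or marking it with a comment such as `# needsPax: unused since paxutils was removed from stdenv`. The new `nativeBuildInputs` line itself is fine. The enclosing `mkDerivation` attribute set starts and ends outside this hunk.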
@ -5,7 +5,7 @@
|
|||||||
}:
|
}:
|
||||||
{ stdenv, fetchurl, fetchzip
|
{ stdenv, fetchurl, fetchzip
|
||||||
# build tools
|
# build tools
|
||||||
, gfortran, m4, makeWrapper, patchelf, perl, which, python2, paxctl
|
, gfortran, m4, makeWrapper, patchelf, perl, which, python2
|
||||||
, llvm, cmake
|
, llvm, cmake
|
||||||
# libjulia dependencies
|
# libjulia dependencies
|
||||||
, libunwind, readline, utf8proc, zlib
|
, libunwind, readline, utf8proc, zlib
|
||||||
@ -95,7 +95,7 @@ stdenv.mkDerivation rec {
|
|||||||
|
|
||||||
patches = [
|
patches = [
|
||||||
./0001.1-use-system-utf8proc.patch
|
./0001.1-use-system-utf8proc.patch
|
||||||
] ++ stdenv.lib.optional stdenv.needsPax ./0004-hardened.patch;
|
];
|
||||||
|
|
||||||
postPatch = ''
|
postPatch = ''
|
||||||
patchShebangs . contrib
|
patchShebangs . contrib
|
||||||
@ -117,8 +117,7 @@ stdenv.mkDerivation rec {
|
|||||||
++ stdenv.lib.optionals stdenv.isDarwin [CoreServices ApplicationServices]
|
++ stdenv.lib.optionals stdenv.isDarwin [CoreServices ApplicationServices]
|
||||||
;
|
;
|
||||||
|
|
||||||
nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ]
|
nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ];
|
||||||
++ stdenv.lib.optional stdenv.needsPax paxctl;
|
|
||||||
|
|
||||||
makeFlags =
|
makeFlags =
|
||||||
let
|
let
|
||||||
|
@ -81,12 +81,6 @@ in stdenv.mkDerivation rec {
|
|||||||
|
|
||||||
postBuild = ''
|
postBuild = ''
|
||||||
rm -fR $out
|
rm -fR $out
|
||||||
|
|
||||||
paxmark m bin/{lli,llvm-rtdyld}
|
|
||||||
|
|
||||||
paxmark m unittests/ExecutionEngine/JIT/JITTests
|
|
||||||
paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
|
|
||||||
paxmark m unittests/Support/SupportTests
|
|
||||||
'';
|
'';
|
||||||
|
|
||||||
enableParallelBuilding = true;
|
enableParallelBuilding = true;
|
||||||
|
@ -89,8 +89,6 @@ in stdenv.mkDerivation rec {
|
|||||||
|
|
||||||
postBuild = ''
|
postBuild = ''
|
||||||
rm -fR $out
|
rm -fR $out
|
||||||
|
|
||||||
paxmark m bin/{lli,llvm-rtdyld}
|
|
||||||
'';
|
'';
|
||||||
|
|
||||||
enableParallelBuilding = true;
|
enableParallelBuilding = true;
|
||||||
|
@ -97,8 +97,6 @@ in stdenv.mkDerivation rec {
|
|||||||
|
|
||||||
postBuild = ''
|
postBuild = ''
|
||||||
rm -fR $out
|
rm -fR $out
|
||||||
|
|
||||||
paxmark m bin/{lli,llvm-rtdyld}
|
|
||||||
'';
|
'';
|
||||||
|
|
||||||
postInstall = stdenv.lib.optionalString (stdenv.isDarwin && enableSharedLibraries) ''
|
postInstall = stdenv.lib.optionalString (stdenv.isDarwin && enableSharedLibraries) ''
|
||||||
|
@ -141,8 +141,6 @@ in stdenv.mkDerivation rec {
|
|||||||
|
|
||||||
postBuild = ''
|
postBuild = ''
|
||||||
rm -fR $out
|
rm -fR $out
|
||||||
|
|
||||||
paxmark m bin/{lli,llvm-rtdyld}
|
|
||||||
'';
|
'';
|
||||||
|
|
||||||
postInstall = ""
|
postInstall = ""
|
||||||
|
@ -121,12 +121,6 @@ in stdenv.mkDerivation (rec {
|
|||||||
|
|
||||||
postBuild = ''
|
postBuild = ''
|
||||||
rm -fR $out
|
rm -fR $out
|
||||||
|
|
||||||
paxmark m bin/{lli,llvm-rtdyld}
|
|
||||||
paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
|
|
||||||
paxmark m unittests/ExecutionEngine/Orc/OrcJITTests
|
|
||||||
paxmark m unittests/Support/SupportTests
|
|
||||||
paxmark m bin/lli-child-target
|
|
||||||
'';
|
'';
|
||||||
|
|
||||||
preCheck = ''
|
preCheck = ''
|
||||||
|
@ -98,12 +98,6 @@ in stdenv.mkDerivation (rec {
|
|||||||
|
|
||||||
postBuild = ''
|
postBuild = ''
|
||||||
rm -fR $out
|
rm -fR $out
|
||||||
|
|
||||||
paxmark m bin/{lli,llvm-rtdyld}
|
|
||||||
paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
|
|
||||||
paxmark m unittests/ExecutionEngine/Orc/OrcJITTests
|
|
||||||
paxmark m unittests/Support/SupportTests
|
|
||||||
paxmark m bin/lli-child-target
|
|
||||||
'';
|
'';
|
||||||
|
|
||||||
preCheck = ''
|
preCheck = ''
|
||||||
|
@ -115,12 +115,6 @@ in stdenv.mkDerivation (rec {
|
|||||||
|
|
||||||
postBuild = ''
|
postBuild = ''
|
||||||
rm -fR $out
|
rm -fR $out
|
||||||
|
|
||||||
paxmark m bin/{lli,llvm-rtdyld}
|
|
||||||
paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
|
|
||||||
paxmark m unittests/ExecutionEngine/Orc/OrcJITTests
|
|
||||||
paxmark m unittests/Support/SupportTests
|
|
||||||
paxmark m bin/lli-child-target
|
|
||||||
'';
|
'';
|
||||||
|
|
||||||
preCheck = ''
|
preCheck = ''
|
||||||
|
@ -110,12 +110,6 @@ in stdenv.mkDerivation (rec {
|
|||||||
|
|
||||||
postBuild = ''
|
postBuild = ''
|
||||||
rm -fR $out
|
rm -fR $out
|
||||||
|
|
||||||
paxmark m bin/{lli,llvm-rtdyld}
|
|
||||||
paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
|
|
||||||
paxmark m unittests/ExecutionEngine/Orc/OrcJITTests
|
|
||||||
paxmark m unittests/Support/SupportTests
|
|
||||||
paxmark m bin/lli-child-target
|
|
||||||
'';
|
'';
|
||||||
|
|
||||||
preCheck = ''
|
preCheck = ''
|
||||||
|
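--- a/[path not shown]
+++ b/[path not shown]
@@ -21,7 +21,6 @@ let
 update = ".0.1";
 build = "13";
 repover = "jdk-${major}${update}+${build}";
-paxflags = if stdenv.isi686 then "msp" else "m";
 
 openjdk = stdenv.mkDerivation {
 name = "openjdk-${major}${update}-b${build}";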
@ -106,14 +105,6 @@ let
|
|||||||
rm $out/lib/openjdk/lib/{libjsound,libfontmanager}.so
|
rm $out/lib/openjdk/lib/{libjsound,libfontmanager}.so
|
||||||
''}
|
''}
|
||||||
|
|
||||||
# Set PaX markings
|
|
||||||
exes=$(file $out/lib/openjdk/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
|
|
||||||
echo "to mark: *$exes*"
|
|
||||||
for file in $exes; do
|
|
||||||
echo "marking *$file*"
|
|
||||||
paxmark ${paxflags} "$file"
|
|
||||||
done
|
|
||||||
|
|
||||||
ln -s $out/lib/openjdk/bin $out/bin
|
ln -s $out/lib/openjdk/bin $out/bin
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
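--- a/[path not shown]
+++ b/[path not shown]
@@ -25,7 +25,6 @@ let
 build = "26";
 baseurl = "http://hg.openjdk.java.net/jdk8u/jdk8u";
 repover = "jdk8u${update}-b${build}";
-paxflags = if stdenv.isi686 then "msp" else "m";
 jdk8 = fetchurl {
 url = "${baseurl}/archive/${repover}.tar.gz";
 sha256 = "1hx5sfsglc101aqs9n7cz7rh447d6rxfxkbw03crvzbvy9n6ag2d";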
@ -176,14 +175,6 @@ let
|
|||||||
rm -rf $out/lib/openjdk/jre/lib/cmm
|
rm -rf $out/lib/openjdk/jre/lib/cmm
|
||||||
ln -s {$jre,$out}/lib/openjdk/jre/lib/cmm
|
ln -s {$jre,$out}/lib/openjdk/jre/lib/cmm
|
||||||
|
|
||||||
# Set PaX markings
|
|
||||||
exes=$(file $out/lib/openjdk/bin/* $jre/lib/openjdk/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
|
|
||||||
echo "to mark: *$exes*"
|
|
||||||
for file in $exes; do
|
|
||||||
echo "marking *$file*"
|
|
||||||
paxmark ${paxflags} "$file"
|
|
||||||
done
|
|
||||||
|
|
||||||
# Remove duplicate binaries.
|
# Remove duplicate binaries.
|
||||||
for i in $(cd $out/lib/openjdk/bin && echo *); do
|
for i in $(cd $out/lib/openjdk/bin && echo *); do
|
||||||
if [ "$i" = java ]; then continue; fi
|
if [ "$i" = java ]; then continue; fi
|
||||||
|
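--- a/[path not shown]
+++ b/[path not shown]
@@ -36,13 +36,5 @@ let
 patchelf --set-interpreter $(cat "${stdenv.cc}/nix-support/dynamic-linker") "$elf" || true
 patchelf --set-rpath "${stdenv.cc.libc}/lib:${stdenv.cc.cc.lib}/lib:${zlib}/lib:$LIBDIRS" "$elf" || true
 done
-
-# Temporarily, while NixOS's OpenJDK bootstrap tarball doesn't have PaX markings:
-find "$out/bin" -type f -print0 | while IFS= read -r -d "" elf; do
-isELF "$elf" || continue
-paxmark m "$elf"
-# On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
-${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$elf"''}
-done
 '';
 in bootstrap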
@ -93,14 +93,6 @@ let result = stdenv.mkDerivation rec {
|
|||||||
installPhase = ''
|
installPhase = ''
|
||||||
cd ..
|
cd ..
|
||||||
|
|
||||||
# Set PaX markings
|
|
||||||
exes=$(file $sourceRoot/bin/* $sourceRoot/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
|
|
||||||
for file in $exes; do
|
|
||||||
paxmark m "$file" || true
|
|
||||||
# On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
|
|
||||||
${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''}
|
|
||||||
done
|
|
||||||
|
|
||||||
if test -z "$installjdk"; then
|
if test -z "$installjdk"; then
|
||||||
mv $sourceRoot/jre $out
|
mv $sourceRoot/jre $out
|
||||||
else
|
else
|
||||||
|
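--- a/[path not shown]
+++ b/[path not shown]
@@ -27,7 +27,6 @@
 , git
 , libgit2
 , fetchFromGitHub
-, paxctl
 , findutils
 , makeWrapper
 , gnumake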
@ -150,7 +149,7 @@ stdenv.mkDerivation rec {
|
|||||||
findutils
|
findutils
|
||||||
makeWrapper
|
makeWrapper
|
||||||
gnumake
|
gnumake
|
||||||
] ++ stdenv.lib.optional stdenv.needsPax paxctl;
|
];
|
||||||
|
|
||||||
# TODO: Revisit what's propagated and how
|
# TODO: Revisit what's propagated and how
|
||||||
propagatedBuildInputs = [
|
propagatedBuildInputs = [
|
||||||
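--- a/[path not shown]
+++ b/[path not shown]
@@ -218,9 +217,6 @@ stdenv.mkDerivation rec {
 substituteInPlace swift/utils/build-script-impl \
 --replace '/usr/include/c++' "${clang.cc.gcc}/include/c++"
 patch -p1 -d swift -i ${./patches/glibc-arch-headers.patch}
-'' + stdenv.lib.optionalString stdenv.needsPax ''
-patch -p1 -d swift -i ${./patches/build-script-pax.patch}
-'' + ''
 patch -p1 -d swift -i ${./patches/0001-build-presets-linux-don-t-require-using-Ninja.patch}
 patch -p1 -d swift -i ${./patches/0002-build-presets-linux-allow-custom-install-prefix.patch}
 patch -p1 -d swift -i ${./patches/0004-build-presets-linux-plumb-extra-cmake-options.patch}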
@ -266,9 +262,6 @@ stdenv.mkDerivation rec {
|
|||||||
tar xf $INSTALLABLE_PACKAGE -C $out --strip-components=3 $PREFIX
|
tar xf $INSTALLABLE_PACKAGE -C $out --strip-components=3 $PREFIX
|
||||||
find $out -type d -empty -delete
|
find $out -type d -empty -delete
|
||||||
|
|
||||||
paxmark pmr $out/bin/swift
|
|
||||||
paxmark pmr $out/bin/*
|
|
||||||
|
|
||||||
# TODO: Use wrappers to get these on the PATH for swift tools, instead
|
# TODO: Use wrappers to get these on the PATH for swift tools, instead
|
||||||
ln -s ${clang}/bin/* $out/bin/
|
ln -s ${clang}/bin/* $out/bin/
|
||||||
ln -s ${targetPackages.stdenv.cc.bintools.bintools_bin}/bin/ar $out/bin/ar
|
ln -s ${targetPackages.stdenv.cc.bintools.bintools_bin}/bin/ar $out/bin/ar
|
||||||
|
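--- a/[path not shown]
+++ b/[path not shown]
@@ -1,33 +0,0 @@
---- swift/utils/build-script-impl 2017-01-23 12:47:20.401326309 -0600
-+++ swift-pax/utils/build-script-impl 2017-01-23 13:24:10.339366996 -0600
-@@ -1837,6 +1837,17 @@ function set_lldb_xcodebuild_options() {
-fi
-}
-
-+## XXX: Taken from nixpkgs /pkgs/stdenv/generic/setup.sh
-+isELF() {
-+ local fn="$1"
-+ local fd
-+ local magic
-+ exec {fd}< "$fn"
-+ read -n 4 -u $fd magic
-+ exec {fd}<&-
-+ if [[ "$magic" =~ ELF ]]; then return 0; else return 1; fi
-+}
-+
-#
-# Configure and build each product
-#
-@@ -2735,6 +2746,12 @@ for host in "${ALL_HOSTS[@]}"; do
-fi
-
-call "${CMAKE_BUILD[@]}" "${build_dir}" $(cmake_config_opt ${product}) -- "${BUILD_ARGS[@]}" ${build_targets[@]}
-+
-+ while IFS= read -r -d $'\0' i; do
-+ if ! isELF "$i"; then continue; fi
-+ echo "setting pax flags on $i"
-+ paxctl -czexm "$i" || true
-+ done < <(find "${build_dir}" -executable -type f -wholename "*/bin/*" -print0)
-fi
-done
-done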
@ -51,10 +51,6 @@ stdenv.mkDerivation rec {
|
|||||||
''
|
''
|
||||||
;
|
;
|
||||||
|
|
||||||
postFixup = ''
|
|
||||||
paxmark m $bin/bin/terra
|
|
||||||
'';
|
|
||||||
|
|
||||||
buildInputs = with llvmPackages; [ lua llvm clang-unwrapped ncurses ];
|
buildInputs = with llvmPackages; [ lua llvm clang-unwrapped ncurses ];
|
||||||
|
|
||||||
meta = with stdenv.lib; {
|
meta = with stdenv.lib; {
|
||||||
|
@ -33,10 +33,6 @@ stdenv.mkDerivation rec {
|
|||||||
doCheck = true;
|
doCheck = true;
|
||||||
checkTarget = "test";
|
checkTarget = "test";
|
||||||
|
|
||||||
postFixup = ''
|
|
||||||
paxmark m $out/bin/tcc
|
|
||||||
'';
|
|
||||||
|
|
||||||
meta = {
|
meta = {
|
||||||
description = "Small, fast, and embeddable C compiler and interpreter";
|
description = "Small, fast, and embeddable C compiler and interpreter";
|
||||||
|
|
||||||
|
@ -77,8 +77,6 @@ stdenv.mkDerivation rec {
|
|||||||
''
|
''
|
||||||
ln -s $out/share/man/man1/{python2.7.1.gz,python.1.gz}
|
ln -s $out/share/man/man1/{python2.7.1.gz,python.1.gz}
|
||||||
|
|
||||||
paxmark E $out/bin/python2.7
|
|
||||||
|
|
||||||
rm "$out"/lib/python*/plat-*/regen # refers to glibc.dev
|
rm "$out"/lib/python*/plat-*/regen # refers to glibc.dev
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
@ -229,8 +229,6 @@ in stdenv.mkDerivation ({
|
|||||||
ln -s $out/lib/python${majorVersion}/pdb.py $out/bin/pdb${majorVersion}
|
ln -s $out/lib/python${majorVersion}/pdb.py $out/bin/pdb${majorVersion}
|
||||||
ln -s $out/share/man/man1/{python2.7.1.gz,python.1.gz}
|
ln -s $out/share/man/man1/{python2.7.1.gz,python.1.gz}
|
||||||
|
|
||||||
paxmark E $out/bin/python${majorVersion}
|
|
||||||
|
|
||||||
# Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
|
# Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
|
||||||
echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py
|
echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py
|
||||||
|
|
||||||
|
@ -143,7 +143,6 @@ in stdenv.mkDerivation {
|
|||||||
touch $out/lib/python${majorVersion}/test/__init__.py
|
touch $out/lib/python${majorVersion}/test/__init__.py
|
||||||
|
|
||||||
ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}"
|
ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}"
|
||||||
paxmark E $out/bin/python${majorVersion}
|
|
||||||
|
|
||||||
# Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
|
# Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
|
||||||
echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py
|
echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py
|
||||||
|
@ -164,7 +164,6 @@ in stdenv.mkDerivation {
|
|||||||
touch $out/lib/python${majorVersion}/test/__init__.py
|
touch $out/lib/python${majorVersion}/test/__init__.py
|
||||||
|
|
||||||
ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}"
|
ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}"
|
||||||
paxmark E $out/bin/python${majorVersion}
|
|
||||||
|
|
||||||
# Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
|
# Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
|
||||||
echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py
|
echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py
|
||||||
|
@ -154,7 +154,6 @@ in stdenv.mkDerivation {
|
|||||||
touch $out/lib/python${majorVersion}/test/__init__.py
|
touch $out/lib/python${majorVersion}/test/__init__.py
|
||||||
|
|
||||||
ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}"
|
ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}"
|
||||||
paxmark E $out/bin/python${majorVersion}
|
|
||||||
|
|
||||||
# Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
|
# Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
|
||||||
echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py
|
echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py
|
||||||
|
@ -44,7 +44,7 @@ stdenv.mkDerivation rec {
|
|||||||
# so the failure of that test does not matter much.
|
# so the failure of that test does not matter much.
|
||||||
configureFlags = [ "--enable-threadsafe" "--with-system-nspr" ] ++
|
configureFlags = [ "--enable-threadsafe" "--with-system-nspr" ] ++
|
||||||
stdenv.lib.optionals (stdenv.hostPlatform.system == "armv5tel-linux") [
|
stdenv.lib.optionals (stdenv.hostPlatform.system == "armv5tel-linux") [
|
||||||
"--with-cpu-arch=armv5t"
|
"--with-cpu-arch=armv5t"
|
||||||
"--disable-tracejit" ];
|
"--disable-tracejit" ];
|
||||||
|
|
||||||
# hack around a make problem, see https://github.com/NixOS/nixpkgs/issues/1279#issuecomment-29547393
|
# hack around a make problem, see https://github.com/NixOS/nixpkgs/issues/1279#issuecomment-29547393
|
||||||
@ -59,9 +59,6 @@ stdenv.mkDerivation rec {
|
|||||||
|
|
||||||
preCheck = ''
|
preCheck = ''
|
||||||
rm jit-test/tests/sunspider/check-date-format-tofte.js # https://bugzil.la/600522
|
rm jit-test/tests/sunspider/check-date-format-tofte.js # https://bugzil.la/600522
|
||||||
|
|
||||||
paxmark mr shell/js
|
|
||||||
paxmark mr jsapi-tests/jsapi-tests
|
|
||||||
'';
|
'';
|
||||||
|
|
||||||
meta = with stdenv.lib; {
|
meta = with stdenv.lib; {
|
||||||
|
@ -36,8 +36,6 @@ stdenv.mkDerivation rec {
|
|||||||
postInstall = ''
|
postInstall = ''
|
||||||
# Hm, apparently --disable-gtk-doc is ignored...
|
# Hm, apparently --disable-gtk-doc is ignored...
|
||||||
rm -rf $out/share/gtk-doc
|
rm -rf $out/share/gtk-doc
|
||||||
|
|
||||||
paxmark m $out/bin/gst-launch* $out/libexec/gstreamer-*/gst-plugin-scanner
|
|
||||||
'';
|
'';
|
||||||
|
|
||||||
setupHook = ./setup-hook.sh;
|
setupHook = ./setup-hook.sh;
|
||||||
|
@ -72,13 +72,6 @@ stdenv.mkDerivation rec {
|
|||||||
|
|
||||||
makeFlags = "INTROSPECTION_GIRDIR=$(out)/share/gir-1.0 INTROSPECTION_TYPELIBDIR=$(out)/lib/girepository-1.0";
|
makeFlags = "INTROSPECTION_GIRDIR=$(out)/share/gir-1.0 INTROSPECTION_TYPELIBDIR=$(out)/lib/girepository-1.0";
|
||||||
|
|
||||||
# The following is required on grsecurity/PaX due to spidermonkey's JIT
|
|
||||||
postBuild = stdenv.lib.optionalString stdenv.isLinux ''
|
|
||||||
paxmark mr src/polkitbackend/.libs/polkitd
|
|
||||||
'' + stdenv.lib.optionalString (stdenv.isLinux && doCheck) ''
|
|
||||||
paxmark mr test/polkitbackend/.libs/polkitbackendjsauthoritytest
|
|
||||||
'';
|
|
||||||
|
|
||||||
installFlags=["datadir=$(out)/share" "sysconfdir=$(out)/etc"];
|
installFlags=["datadir=$(out)/share" "sysconfdir=$(out)/etc"];
|
||||||
|
|
||||||
inherit doCheck;
|
inherit doCheck;
|
||||||
|
@ -61,7 +61,6 @@ let
|
|||||||
qtscript = [ ./qtscript.patch ];
|
qtscript = [ ./qtscript.patch ];
|
||||||
qtserialport = [ ./qtserialport.patch ];
|
qtserialport = [ ./qtserialport.patch ];
|
||||||
qttools = [ ./qttools.patch ];
|
qttools = [ ./qttools.patch ];
|
||||||
qtwebengine = optional stdenv.needsPax ./qtwebengine-paxmark-mksnapshot.patch;
|
|
||||||
qtwebkit = [ ./qtwebkit.patch ];
|
qtwebkit = [ ./qtwebkit.patch ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -1,48 +0,0 @@
|
|||||||
diff --git a/src/3rdparty/chromium/v8/src/v8.gyp b/chromium/v8/src/v8.gyp
|
|
||||||
index e7e19f5059..934448c7d8 100644
|
|
||||||
--- a/src/3rdparty/chromium/v8/src/v8.gyp
|
|
||||||
+++ b/src/3rdparty/chromium/v8/src/v8.gyp
|
|
||||||
@@ -35,6 +35,7 @@
|
|
||||||
'v8_extra_library_files%': [],
|
|
||||||
'v8_experimental_extra_library_files%': [],
|
|
||||||
'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)',
|
|
||||||
+ 'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)',
|
|
||||||
'v8_os_page_size%': 0,
|
|
||||||
},
|
|
||||||
'includes': ['../gypfiles/toolchain.gypi', '../gypfiles/features.gypi', 'inspector/inspector.gypi'],
|
|
||||||
@@ -2576,7 +2577,7 @@
|
|
||||||
]
|
|
||||||
},
|
|
||||||
{
|
|
||||||
- 'target_name': 'mksnapshot',
|
|
||||||
+ 'target_name': 'mksnapshot_u',
|
|
||||||
'type': 'executable',
|
|
||||||
'dependencies': [
|
|
||||||
'v8_base',
|
|
||||||
@@ -2606,5 +2607,26 @@
|
|
||||||
}],
|
|
||||||
],
|
|
||||||
},
|
|
||||||
+ {
|
|
||||||
+ 'target_name': 'mksnapshot',
|
|
||||||
+ 'type': 'executable',
|
|
||||||
+ 'dependencies': ['mksnapshot_u'],
|
|
||||||
+ 'actions': [
|
|
||||||
+ {
|
|
||||||
+ 'action_name': 'paxmark_m_mksnapshot',
|
|
||||||
+ 'inputs': [
|
|
||||||
+ '<(mksnapshot_u_exec)',
|
|
||||||
+ ],
|
|
||||||
+ 'outputs': [
|
|
||||||
+ '<(mksnapshot_exec)',
|
|
||||||
+ ],
|
|
||||||
+ 'action': [
|
|
||||||
+ 'sh',
|
|
||||||
+ '-c',
|
|
||||||
+ 'cp <(mksnapshot_u_exec) <(mksnapshot_exec) && paxctl -czexm <(mksnapshot_exec)',
|
|
||||||
+ ],
|
|
||||||
+ },
|
|
||||||
+ ],
|
|
||||||
+ },
|
|
||||||
],
|
|
||||||
}
|
|
@ -51,8 +51,7 @@ let
|
|||||||
qtscript = [ ./qtscript.patch ];
|
qtscript = [ ./qtscript.patch ];
|
||||||
qtserialport = [ ./qtserialport.patch ];
|
qtserialport = [ ./qtserialport.patch ];
|
||||||
qttools = [ ./qttools.patch ];
|
qttools = [ ./qttools.patch ];
|
||||||
qtwebengine = [ ./qtwebengine-seccomp.patch ]
|
qtwebengine = [ ./qtwebengine-seccomp.patch ];
|
||||||
++ optional stdenv.needsPax ./qtwebengine-paxmark-mksnapshot.patch;
|
|
||||||
qtwebkit = [ ./qtwebkit.patch ];
|
qtwebkit = [ ./qtwebkit.patch ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -1,46 +0,0 @@
|
|||||||
--- qtwebengine-opensource-src-5.6.0-orig/src/3rdparty/chromium/v8/tools/gyp/v8.gyp 2016-03-04 01:48:36.000000000 +1100
|
|
||||||
+++ qtwebengine-opensource-src-5.6.0/src/3rdparty/chromium/v8/tools/gyp/v8.gyp 2016-05-01 19:15:44.052770543 +1000
|
|
||||||
@@ -33,6 +33,7 @@
|
|
||||||
'embed_script%': "",
|
|
||||||
'v8_extra_library_files%': [],
|
|
||||||
'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)',
|
|
||||||
+ 'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)',
|
|
||||||
'remove_v8base_debug_symbols%': 0,
|
|
||||||
},
|
|
||||||
'includes': ['../../build/toolchain.gypi', '../../build/features.gypi'],
|
|
||||||
@@ -1913,7 +1914,7 @@
|
|
||||||
]
|
|
||||||
},
|
|
||||||
{
|
|
||||||
- 'target_name': 'mksnapshot',
|
|
||||||
+ 'target_name': 'mksnapshot_u',
|
|
||||||
'type': 'executable',
|
|
||||||
'dependencies': ['v8_base', 'v8_nosnapshot', 'v8_libplatform'],
|
|
||||||
'include_dirs+': [
|
|
||||||
@@ -1936,5 +1937,26 @@
|
|
||||||
}],
|
|
||||||
],
|
|
||||||
},
|
|
||||||
+ {
|
|
||||||
+ 'target_name': 'mksnapshot',
|
|
||||||
+ 'type': 'executable',
|
|
||||||
+ 'dependencies': ['mksnapshot_u'],
|
|
||||||
+ 'actions': [
|
|
||||||
+ {
|
|
||||||
+ 'action_name': 'paxmark_m_mksnapshot',
|
|
||||||
+ 'inputs': [
|
|
||||||
+ '<(mksnapshot_u_exec)',
|
|
||||||
+ ],
|
|
||||||
+ 'outputs': [
|
|
||||||
+ '<(mksnapshot_exec)',
|
|
||||||
+ ],
|
|
||||||
+ 'action': [
|
|
||||||
+ 'sh',
|
|
||||||
+ '-c',
|
|
||||||
+ 'cp <(mksnapshot_u_exec) <(mksnapshot_exec) && paxctl -czexm <(mksnapshot_exec)',
|
|
||||||
+ ],
|
|
||||||
+ },
|
|
||||||
+ ],
|
|
||||||
+ },
|
|
||||||
],
|
|
||||||
}
|
|
@ -43,7 +43,6 @@ let
|
|||||||
qtscript = [ ./qtscript.patch ];
|
qtscript = [ ./qtscript.patch ];
|
||||||
qtserialport = [ ./qtserialport.patch ];
|
qtserialport = [ ./qtserialport.patch ];
|
||||||
qttools = [ ./qttools.patch ];
|
qttools = [ ./qttools.patch ];
|
||||||
qtwebengine = optional stdenv.needsPax ./qtwebengine-paxmark-mksnapshot.patch;
|
|
||||||
qtwebkit = [ ./qtwebkit.patch ];
|
qtwebkit = [ ./qtwebkit.patch ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -1,48 +0,0 @@
|
|||||||
Index: qtwebengine-opensource-src-5.9.0/src/3rdparty/chromium/v8/src/v8.gyp
|
|
||||||
===================================================================
|
|
||||||
--- qtwebengine-opensource-src-5.9.0.orig/src/3rdparty/chromium/v8/src/v8.gyp
|
|
||||||
+++ qtwebengine-opensource-src-5.9.0/src/3rdparty/chromium/v8/src/v8.gyp
|
|
||||||
@@ -36,6 +36,7 @@
|
|
||||||
'v8_experimental_extra_library_files%': [],
|
|
||||||
'v8_enable_inspector%': 0,
|
|
||||||
'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)',
|
|
||||||
+ 'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)',
|
|
||||||
'mkpeephole_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mkpeephole<(EXECUTABLE_SUFFIX)',
|
|
||||||
'v8_os_page_size%': 0,
|
|
||||||
},
|
|
||||||
@@ -2432,7 +2433,7 @@
|
|
||||||
]
|
|
||||||
},
|
|
||||||
{
|
|
||||||
- 'target_name': 'mksnapshot',
|
|
||||||
+ 'target_name': 'mksnapshot_u',
|
|
||||||
'type': 'executable',
|
|
||||||
'dependencies': [
|
|
||||||
'v8_base',
|
|
||||||
@@ -2485,5 +2486,26 @@
|
|
||||||
}],
|
|
||||||
],
|
|
||||||
},
|
|
||||||
+ {
|
|
||||||
+ 'target_name': 'mksnapshot',
|
|
||||||
+ 'type': 'executable',
|
|
||||||
+ 'dependencies': ['mksnapshot_u'],
|
|
||||||
+ 'actions': [
|
|
||||||
+ {
|
|
||||||
+ 'action_name': 'paxmark_m_mksnapshot',
|
|
||||||
+ 'inputs': [
|
|
||||||
+ '<(mksnapshot_u_exec)',
|
|
||||||
+ ],
|
|
||||||
+ 'outputs': [
|
|
||||||
+ '<(mksnapshot_exec)',
|
|
||||||
+ ],
|
|
||||||
+ 'action': [
|
|
||||||
+ 'sh',
|
|
||||||
+ '-c',
|
|
||||||
+ 'cp <(mksnapshot_u_exec) <(mksnapshot_exec) && paxctl -czexm <(mksnapshot_exec)',
|
|
||||||
+ ],
|
|
||||||
+ },
|
|
||||||
+ ],
|
|
||||||
+ },
|
|
||||||
],
|
|
||||||
}
|
|
@ -14,7 +14,7 @@
|
|||||||
, enableProprietaryCodecs ? true
|
, enableProprietaryCodecs ? true
|
||||||
, gn, darwin, openbsm
|
, gn, darwin, openbsm
|
||||||
, ffmpeg ? null
|
, ffmpeg ? null
|
||||||
, lib, stdenv # lib.optional, needsPax
|
, lib, stdenv
|
||||||
}:
|
}:
|
||||||
|
|
||||||
with stdenv.lib;
|
with stdenv.lib;
|
||||||
@ -181,7 +181,6 @@ EOF
|
|||||||
[Paths]
|
[Paths]
|
||||||
Prefix = ..
|
Prefix = ..
|
||||||
EOF
|
EOF
|
||||||
paxmark m $out/libexec/QtWebEngineProcess
|
|
||||||
'';
|
'';
|
||||||
|
|
||||||
meta = with lib; {
|
meta = with lib; {
|
||||||
|
@ -73,8 +73,6 @@ stdenv.mkDerivation rec {
|
|||||||
--replace 'obj:/usr/X11R6/lib' 'obj:*/lib' \
|
--replace 'obj:/usr/X11R6/lib' 'obj:*/lib' \
|
||||||
--replace 'obj:/usr/lib' 'obj:*/lib'
|
--replace 'obj:/usr/lib' 'obj:*/lib'
|
||||||
done
|
done
|
||||||
|
|
||||||
paxmark m $out/lib/valgrind/*-*-linux
|
|
||||||
'';
|
'';
|
||||||
|
|
||||||
meta = {
|
meta = {
|
||||||
|
@ -33,11 +33,6 @@ stdenv.mkDerivation rec {
|
|||||||
# Make binutils output deterministic by default.
|
# Make binutils output deterministic by default.
|
||||||
./deterministic.patch
|
./deterministic.patch
|
||||||
|
|
||||||
# Always add PaX flags section to ELF files.
|
|
||||||
# This is needed, for instance, so that running "ldd" on a binary that is
|
|
||||||
# PaX-marked to disable mprotect doesn't fail with permission denied.
|
|
||||||
./pt-pax-flags.patch
|
|
||||||
|
|
||||||
# Bfd looks in BINDIR/../lib for some plugins that don't
|
# Bfd looks in BINDIR/../lib for some plugins that don't
|
||||||
# exist. This is pointless (since users can't install plugins
|
# exist. This is pointless (since users can't install plugins
|
||||||
# there) and causes a cycle between the lib and bin outputs, so
|
# there) and causes a cycle between the lib and bin outputs, so
|
||||||
|
@ -1,233 +0,0 @@
|
|||||||
--- binutils-2.15.94.0.2.2.orig/bfd/elf-bfd.h 2005-02-07 20:42:44.000000000 +0100
|
|
||||||
+++ binutils-2.15.94.0.2.2/bfd/elf-bfd.h 2005-02-20 13:13:17.362558200 +0100
|
|
||||||
@@ -1266,6 +1266,9 @@
|
|
||||||
/* Should the PT_GNU_RELRO segment be emitted? */
|
|
||||||
bfd_boolean relro;
|
|
||||||
|
|
||||||
+ /* Segment flags for the PT_PAX_FLAGS segment. */
|
|
||||||
+ unsigned int pax_flags;
|
|
||||||
+
|
|
||||||
/* Symbol version definitions in external objects. */
|
|
||||||
Elf_Internal_Verdef *verdef;
|
|
||||||
|
|
||||||
--- binutils-2.17.50.0.18/bfd/elf.c.orig 2007-08-01 11:12:02.000000000 -0400
|
|
||||||
+++ binutils-2.17.50.0.18/bfd/elf.c 2007-08-01 14:27:36.086986774 -0400
|
|
||||||
@@ -1085,6 +1085,7 @@
|
|
||||||
case PT_GNU_EH_FRAME: pt = "EH_FRAME"; break;
|
|
||||||
case PT_GNU_STACK: pt = "STACK"; break;
|
|
||||||
case PT_GNU_RELRO: pt = "RELRO"; break;
|
|
||||||
+ case PT_PAX_FLAGS: pt = "PAX_FLAGS"; break;
|
|
||||||
default: pt = NULL; break;
|
|
||||||
}
|
|
||||||
return pt;
|
|
||||||
@@ -2346,6 +2347,9 @@
|
|
||||||
case PT_GNU_RELRO:
|
|
||||||
return _bfd_elf_make_section_from_phdr (abfd, hdr, hdr_index, "relro");
|
|
||||||
|
|
||||||
+ case PT_PAX_FLAGS:
|
|
||||||
+ return _bfd_elf_make_section_from_phdr (abfd, hdr, hdr_index, "pax_flags");
|
|
||||||
+
|
|
||||||
default:
|
|
||||||
/* Check for any processor-specific program segment types. */
|
|
||||||
bed = get_elf_backend_data (abfd);
|
|
||||||
@@ -3326,6 +3330,11 @@
|
|
||||||
++segs;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ {
|
|
||||||
+ /* We need a PT_PAX_FLAGS segment. */
|
|
||||||
+ ++segs;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
for (s = abfd->sections; s != NULL; s = s->next)
|
|
||||||
{
|
|
||||||
if ((s->flags & SEC_LOAD) != 0
|
|
||||||
@@ -3945,6 +3954,20 @@
|
|
||||||
pm = &m->next;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ {
|
|
||||||
+ amt = sizeof (struct elf_segment_map);
|
|
||||||
+ m = bfd_zalloc (abfd, amt);
|
|
||||||
+ if (m == NULL)
|
|
||||||
+ goto error_return;
|
|
||||||
+ m->next = NULL;
|
|
||||||
+ m->p_type = PT_PAX_FLAGS;
|
|
||||||
+ m->p_flags = elf_tdata (abfd)->pax_flags;
|
|
||||||
+ m->p_flags_valid = 1;
|
|
||||||
+
|
|
||||||
+ *pm = m;
|
|
||||||
+ pm = &m->next;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
free (sections);
|
|
||||||
elf_tdata (abfd)->segment_map = mfirst;
|
|
||||||
}
|
|
||||||
@@ -5129,7 +5152,8 @@
|
|
||||||
5. PT_GNU_STACK segments do not include any sections.
|
|
||||||
6. PT_TLS segment includes only SHF_TLS sections.
|
|
||||||
7. SHF_TLS sections are only in PT_TLS or PT_LOAD segments.
|
|
||||||
- 8. PT_DYNAMIC should not contain empty sections at the beginning
|
|
||||||
+ 8. PT_PAX_FLAGS segments do not include any sections.
|
|
||||||
+ 9. PT_DYNAMIC should not contain empty sections at the beginning
|
|
||||||
(with the possible exception of .dynamic). */
|
|
||||||
#define IS_SECTION_IN_INPUT_SEGMENT(section, segment, bed) \
|
|
||||||
((((segment->p_paddr \
|
|
||||||
@@ -5138,6 +5162,7 @@
|
|
||||||
&& (section->flags & SEC_ALLOC) != 0) \
|
|
||||||
|| IS_COREFILE_NOTE (segment, section)) \
|
|
||||||
&& segment->p_type != PT_GNU_STACK \
|
|
||||||
+ && segment->p_type != PT_PAX_FLAGS \
|
|
||||||
&& (segment->p_type != PT_TLS \
|
|
||||||
|| (section->flags & SEC_THREAD_LOCAL)) \
|
|
||||||
&& (segment->p_type == PT_LOAD \
|
|
||||||
--- binutils-2.23.52.0.1/bfd/elflink.c.orig 2013-02-27 21:28:03.000000000 +0100
|
|
||||||
+++ binutils-2.23.52.0.1/bfd/elflink.c 2013-03-01 17:32:44.922717879 +0100
|
|
||||||
@@ -5764,18 +5764,32 @@
|
|
||||||
&& ! (*bed->elf_backend_always_size_sections) (output_bfd, info))
|
|
||||||
return FALSE;
|
|
||||||
|
|
||||||
+ elf_tdata (output_bfd)->pax_flags = PF_NORANDEXEC;
|
|
||||||
+
|
|
||||||
+ if (info->execheap)
|
|
||||||
+ elf_tdata (output_bfd)->pax_flags |= PF_NOMPROTECT;
|
|
||||||
+ else if (info->noexecheap)
|
|
||||||
+ elf_tdata (output_bfd)->pax_flags |= PF_MPROTECT;
|
|
||||||
+
|
|
||||||
/* Determine any GNU_STACK segment requirements, after the backend
|
|
||||||
has had a chance to set a default segment size. */
|
|
||||||
if (info->execstack)
|
|
||||||
+ {
|
|
||||||
elf_stack_flags (output_bfd) = PF_R | PF_W | PF_X;
|
|
||||||
+ elf_tdata (output_bfd)->pax_flags |= PF_EMUTRAMP;
|
|
||||||
+ }
|
|
||||||
else if (info->noexecstack)
|
|
||||||
+ {
|
|
||||||
elf_stack_flags (output_bfd) = PF_R | PF_W;
|
|
||||||
+ elf_tdata (output_bfd)->pax_flags |= PF_NOEMUTRAMP;
|
|
||||||
+ }
|
|
||||||
else
|
|
||||||
{
|
|
||||||
bfd *inputobj;
|
|
||||||
asection *notesec = NULL;
|
|
||||||
int exec = 0;
|
|
||||||
|
|
||||||
+ elf_tdata (output_bfd)->pax_flags |= PF_NOEMUTRAMP;
|
|
||||||
for (inputobj = info->input_bfds;
|
|
||||||
inputobj;
|
|
||||||
inputobj = inputobj->link_next)
|
|
||||||
@@ -5789,7 +5803,11 @@
|
|
||||||
if (s)
|
|
||||||
{
|
|
||||||
if (s->flags & SEC_CODE)
|
|
||||||
- exec = PF_X;
|
|
||||||
+ {
|
|
||||||
+ elf_tdata (output_bfd)->pax_flags &= ~PF_NOEMUTRAMP;
|
|
||||||
+ elf_tdata (output_bfd)->pax_flags |= PF_EMUTRAMP;
|
|
||||||
+ exec = PF_X;
|
|
||||||
+ }
|
|
||||||
notesec = s;
|
|
||||||
}
|
|
||||||
else if (bed->default_execstack)
|
|
||||||
--- binutils-2.15.94.0.2.2.orig/binutils/readelf.c 2005-02-18 07:14:30.000000000 +0100
|
|
||||||
+++ binutils-2.15.94.0.2.2/binutils/readelf.c 2005-02-20 13:13:17.470541784 +0100
|
|
||||||
@@ -2293,6 +2293,7 @@
|
|
||||||
return "GNU_EH_FRAME";
|
|
||||||
case PT_GNU_STACK: return "GNU_STACK";
|
|
||||||
case PT_GNU_RELRO: return "GNU_RELRO";
|
|
||||||
+ case PT_PAX_FLAGS: return "PAX_FLAGS";
|
|
||||||
|
|
||||||
default:
|
|
||||||
if ((p_type >= PT_LOPROC) && (p_type <= PT_HIPROC))
|
|
||||||
--- binutils-2.15.94.0.2.2.orig/include/bfdlink.h 2004-11-22 21:33:32.000000000 +0100
|
|
||||||
+++ binutils-2.15.94.0.2.2/include/bfdlink.h 2005-02-20 13:13:17.476540872 +0100
|
|
||||||
@@ -313,6 +313,14 @@
|
|
||||||
flags. */
|
|
||||||
unsigned int noexecstack: 1;
|
|
||||||
|
|
||||||
+ /* TRUE if PT_PAX_FLAGS segment should be created with PF_NOMPROTECT
|
|
||||||
+ flags. */
|
|
||||||
+ unsigned int execheap: 1;
|
|
||||||
+
|
|
||||||
+ /* TRUE if PT_PAX_FLAGS segment should be created with PF_MPROTECT
|
|
||||||
+ flags. */
|
|
||||||
+ unsigned int noexecheap: 1;
|
|
||||||
+
|
|
||||||
/* TRUE if PT_GNU_RELRO segment should be created. */
|
|
||||||
unsigned int relro: 1;
|
|
||||||
|
|
||||||
--- binutils-2.15.94.0.2.2.orig/include/elf/common.h 2004-11-22 21:33:32.000000000 +0100
|
|
||||||
+++ binutils-2.15.94.0.2.2/include/elf/common.h 2005-02-20 13:13:17.482539960 +0100
|
|
||||||
@@ -423,6 +423,7 @@
|
|
||||||
#define PT_SUNW_EH_FRAME PT_GNU_EH_FRAME /* Solaris uses the same value */
|
|
||||||
#define PT_GNU_STACK (PT_LOOS + 0x474e551) /* Stack flags */
|
|
||||||
#define PT_GNU_RELRO (PT_LOOS + 0x474e552) /* Read-only after relocation */
|
|
||||||
+#define PT_PAX_FLAGS (PT_LOOS + 0x5041580) /* PaX flags */
|
|
||||||
|
|
||||||
/* Program segment permissions, in program header p_flags field. */
|
|
||||||
|
|
||||||
@@ -433,6 +434,19 @@
|
|
||||||
#define PF_MASKOS 0x0FF00000 /* New value, Oct 4, 1999 Draft */
|
|
||||||
#define PF_MASKPROC 0xF0000000 /* Processor-specific reserved bits */
|
|
||||||
|
|
||||||
+#define PF_PAGEEXEC (1 << 4) /* Enable PAGEEXEC */
|
|
||||||
+#define PF_NOPAGEEXEC (1 << 5) /* Disable PAGEEXEC */
|
|
||||||
+#define PF_SEGMEXEC (1 << 6) /* Enable SEGMEXEC */
|
|
||||||
+#define PF_NOSEGMEXEC (1 << 7) /* Disable SEGMEXEC */
|
|
||||||
+#define PF_MPROTECT (1 << 8) /* Enable MPROTECT */
|
|
||||||
+#define PF_NOMPROTECT (1 << 9) /* Disable MPROTECT */
|
|
||||||
+#define PF_RANDEXEC (1 << 10) /* Enable RANDEXEC */
|
|
||||||
+#define PF_NORANDEXEC (1 << 11) /* Disable RANDEXEC */
|
|
||||||
+#define PF_EMUTRAMP (1 << 12) /* Enable EMUTRAMP */
|
|
||||||
+#define PF_NOEMUTRAMP (1 << 13) /* Disable EMUTRAMP */
|
|
||||||
+#define PF_RANDMMAP (1 << 14) /* Enable RANDMMAP */
|
|
||||||
+#define PF_NORANDMMAP (1 << 15) /* Disable RANDMMAP */
|
|
||||||
+
|
|
||||||
/* Values for section header, sh_type field. */
|
|
||||||
|
|
||||||
#define SHT_NULL 0 /* Section header table entry unused */
|
|
||||||
--- binutils-2.18.50.0.1/ld/emultempl/elf32.em.orig 2007-09-08 19:34:12.000000000 +0200
|
|
||||||
+++ binutils-2.18.50.0.1/ld/emultempl/elf32.em 2007-09-15 21:41:35.688212063 +0200
|
|
||||||
@@ -2139,6 +2139,16 @@
|
|
||||||
link_info.noexecstack = TRUE;
|
|
||||||
link_info.execstack = FALSE;
|
|
||||||
}
|
|
||||||
+ else if (strcmp (optarg, "execheap") == 0)
|
|
||||||
+ {
|
|
||||||
+ link_info.execheap = TRUE;
|
|
||||||
+ link_info.noexecheap = FALSE;
|
|
||||||
+ }
|
|
||||||
+ else if (strcmp (optarg, "noexecheap") == 0)
|
|
||||||
+ {
|
|
||||||
+ link_info.noexecheap = TRUE;
|
|
||||||
+ link_info.execheap = FALSE;
|
|
||||||
+ }
|
|
||||||
EOF
|
|
||||||
|
|
||||||
if test -n "$COMMONPAGESIZE"; then
|
|
||||||
--- binutils-2.15.94.0.2.2.orig/ld/ldgram.y 2004-11-22 21:33:32.000000000 +0100
|
|
||||||
+++ binutils-2.15.94.0.2.2/ld/ldgram.y 2005-02-20 13:13:17.499537376 +0100
|
|
||||||
@@ -1073,6 +1073,8 @@
|
|
||||||
$$ = exp_intop (0x6474e550);
|
|
||||||
else if (strcmp (s, "PT_GNU_STACK") == 0)
|
|
||||||
$$ = exp_intop (0x6474e551);
|
|
||||||
+ else if (strcmp (s, "PT_PAX_FLAGS") == 0)
|
|
||||||
+ $$ = exp_intop (0x65041580);
|
|
||||||
else
|
|
||||||
{
|
|
||||||
einfo (_("\
|
|
||||||
--- binutils-2.26/ld/lexsup.c.orig 2015-11-13 09:27:42.000000000 +0100
|
|
||||||
+++ binutils-2.26/ld/lexsup.c 2016-01-26 21:08:41.787138458 +0100
|
|
||||||
@@ -1793,8 +1793,12 @@
|
|
||||||
fprintf (file, _("\
|
|
||||||
-z muldefs Allow multiple definitions\n"));
|
|
||||||
fprintf (file, _("\
|
|
||||||
+ -z execheap Mark executable as requiring executable heap\n"));
|
|
||||||
+ fprintf (file, _("\
|
|
||||||
-z execstack Mark executable as requiring executable stack\n"));
|
|
||||||
fprintf (file, _("\
|
|
||||||
+ -z noexecheap Mark executable as not requiring executable heap\n"));
|
|
||||||
+ fprintf (file, _("\
|
|
||||||
-z noexecstack Mark executable as not requiring executable stack\n"));
|
|
||||||
}
|
|
||||||
|
|
@ -88,7 +88,6 @@ in
|
|||||||
doCheck = false; # fails 4 out of 1453 tests
|
doCheck = false; # fails 4 out of 1453 tests
|
||||||
|
|
||||||
postInstall = ''
|
postInstall = ''
|
||||||
paxmark m $out/bin/node
|
|
||||||
PATH=$out/bin:$PATH patchShebangs $out
|
PATH=$out/bin:$PATH patchShebangs $out
|
||||||
|
|
||||||
${optionalString enableNpm ''
|
${optionalString enableNpm ''
|
||||||
|
@ -59,7 +59,7 @@ in lib.init bootStages ++ [
|
|||||||
extraNativeBuildInputs = old.extraNativeBuildInputs
|
extraNativeBuildInputs = old.extraNativeBuildInputs
|
||||||
++ lib.optionals
|
++ lib.optionals
|
||||||
(hostPlatform.isLinux && !buildPlatform.isLinux)
|
(hostPlatform.isLinux && !buildPlatform.isLinux)
|
||||||
[ buildPackages.patchelf buildPackages.paxctl ]
|
[ buildPackages.patchelf ]
|
||||||
++ lib.optional
|
++ lib.optional
|
||||||
(let f = p: !p.isx86 || p.libc == "musl"; in f hostPlatform && !(f buildPlatform))
|
(let f = p: !p.isx86 || p.libc == "musl"; in f hostPlatform && !(f buildPlatform))
|
||||||
buildPackages.updateAutotoolsGnuConfigScriptsHook
|
buildPackages.updateAutotoolsGnuConfigScriptsHook
|
||||||
|
@ -130,9 +130,6 @@ let
|
|||||||
# The derivation's `system` is `buildPlatform.system`.
|
# The derivation's `system` is `buildPlatform.system`.
|
||||||
inherit (buildPlatform) system;
|
inherit (buildPlatform) system;
|
||||||
|
|
||||||
# Whether we should run paxctl to pax-mark binaries.
|
|
||||||
needsPax = isLinux;
|
|
||||||
|
|
||||||
inherit (import ./make-derivation.nix {
|
inherit (import ./make-derivation.nix {
|
||||||
inherit lib config stdenv;
|
inherit lib config stdenv;
|
||||||
}) mkDerivation;
|
}) mkDerivation;
|
||||||
|
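Review bot: Dropping `needsPax = isLinux;` here and the `paxmark() { true; }` stub in the setup.sh hunk below (`@ -280,10 +280,6 @@`) turns both into hard failures for any remaining caller: `stdenv.needsPax` becomes a missing-attribute evaluation error and a `paxmark` call in a build phase becomes `command not found` instead of a no-op. That is a defensible way to surface stale callers, but it should be stated in the commit message, and if out-of-tree overlays need a grace period a transitional `needsPax = false; # deprecated, PaX marking was removed` together with a stub like `paxmark() { echo "paxmark is deprecated and does nothing" >&2; }` would give them one release to adapt. The in-tree callers visible in this commit are updated, but whether every `paxmark` or `needsPax` reference in the tree is covered cannot be seen from the diff itself. The enclosing `let` block starts and ends outside the hunk.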
@ -280,10 +280,6 @@ if [ -z "${SHELL:-}" ]; then echo "SHELL not set"; exit 1; fi
|
|||||||
BASH="$SHELL"
|
BASH="$SHELL"
|
||||||
export CONFIG_SHELL="$SHELL"
|
export CONFIG_SHELL="$SHELL"
|
||||||
|
|
||||||
# Dummy implementation of the paxmark function. On Linux, this is
|
|
||||||
# overwritten by paxctl's setup hook.
|
|
||||||
paxmark() { true; }
|
|
||||||
|
|
||||||
|
|
||||||
# Execute the pre-hook.
|
# Execute the pre-hook.
|
||||||
if [ -z "${shell:-}" ]; then export shell="$SHELL"; fi
|
if [ -z "${shell:-}" ]; then export shell="$SHELL"; fi
|
||||||
|
@ -216,7 +216,7 @@ in
|
|||||||
inherit (prevStage)
|
inherit (prevStage)
|
||||||
ccWrapperStdenv
|
ccWrapperStdenv
|
||||||
gcc-unwrapped coreutils gnugrep
|
gcc-unwrapped coreutils gnugrep
|
||||||
perl paxctl gnum4 bison;
|
perl gnum4 bison;
|
||||||
# This also contains the full, dynamically linked, final Glibc.
|
# This also contains the full, dynamically linked, final Glibc.
|
||||||
binutils = prevStage.binutils.override {
|
binutils = prevStage.binutils.override {
|
||||||
# Rewrap the binutils with the new glibc, so both the next
|
# Rewrap the binutils with the new glibc, so both the next
|
||||||
@ -250,7 +250,7 @@ in
|
|||||||
isl = isl_0_17;
|
isl = isl_0_17;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
extraNativeBuildInputs = [ prevStage.patchelf prevStage.paxctl ] ++
|
extraNativeBuildInputs = [ prevStage.patchelf ] ++
|
||||||
# Many tarballs come with obsolete config.sub/config.guess that don't recognize aarch64.
|
# Many tarballs come with obsolete config.sub/config.guess that don't recognize aarch64.
|
||||||
lib.optional (!localSystem.isx86 || localSystem.libc == "musl")
|
lib.optional (!localSystem.isx86 || localSystem.libc == "musl")
|
||||||
prevStage.updateAutotoolsGnuConfigScriptsHook;
|
prevStage.updateAutotoolsGnuConfigScriptsHook;
|
||||||
@ -325,7 +325,7 @@ in
|
|||||||
initialPath =
|
initialPath =
|
||||||
((import ../common-path.nix) {pkgs = prevStage;});
|
((import ../common-path.nix) {pkgs = prevStage;});
|
||||||
|
|
||||||
extraNativeBuildInputs = [ prevStage.patchelf prevStage.paxctl ] ++
|
extraNativeBuildInputs = [ prevStage.patchelf ] ++
|
||||||
# Many tarballs come with obsolete config.sub/config.guess that don't recognize aarch64.
|
# Many tarballs come with obsolete config.sub/config.guess that don't recognize aarch64.
|
||||||
lib.optional (!localSystem.isx86 || localSystem.libc == "musl")
|
lib.optional (!localSystem.isx86 || localSystem.libc == "musl")
|
||||||
prevStage.updateAutotoolsGnuConfigScriptsHook;
|
prevStage.updateAutotoolsGnuConfigScriptsHook;
|
||||||
@ -349,7 +349,7 @@ in
|
|||||||
# Simple executable tools
|
# Simple executable tools
|
||||||
concatMap (p: [ (getBin p) (getLib p) ]) [
|
concatMap (p: [ (getBin p) (getLib p) ]) [
|
||||||
gzip bzip2 xz bash binutils.bintools coreutils diffutils findutils
|
gzip bzip2 xz bash binutils.bintools coreutils diffutils findutils
|
||||||
gawk gnumake gnused gnutar gnugrep gnupatch patchelf ed paxctl
|
gawk gnumake gnused gnutar gnugrep gnupatch patchelf ed
|
||||||
]
|
]
|
||||||
# Library dependencies
|
# Library dependencies
|
||||||
++ map getLib (
|
++ map getLib (
|
||||||
@ -368,7 +368,7 @@ in
|
|||||||
inherit (prevStage)
|
inherit (prevStage)
|
||||||
gzip bzip2 xz bash coreutils diffutils findutils gawk
|
gzip bzip2 xz bash coreutils diffutils findutils gawk
|
||||||
gnumake gnused gnutar gnugrep gnupatch patchelf
|
gnumake gnused gnutar gnugrep gnupatch patchelf
|
||||||
attr acl paxctl zlib pcre;
|
attr acl zlib pcre;
|
||||||
${localSystem.libc} = getLibc prevStage;
|
${localSystem.libc} = getLibc prevStage;
|
||||||
} // lib.optionalAttrs (super.stdenv.targetPlatform == localSystem) {
|
} // lib.optionalAttrs (super.stdenv.targetPlatform == localSystem) {
|
||||||
# Need to get rid of these when cross-compiling.
|
# Need to get rid of these when cross-compiling.
|
||||||
|
@ -109,8 +109,6 @@ stdenv.mkDerivation rec {
|
|||||||
enableParallelBuilding = true;
|
enableParallelBuilding = true;
|
||||||
|
|
||||||
postInstall = ''
|
postInstall = ''
|
||||||
paxmark pms $out/sbin/grub-{probe,bios-setup}
|
|
||||||
|
|
||||||
# Avoid a runtime reference to gcc
|
# Avoid a runtime reference to gcc
|
||||||
sed -i $out/lib/grub/*/modinfo.sh -e "/grub_target_cppflags=/ s|'.*'|' '|"
|
sed -i $out/lib/grub/*/modinfo.sh -e "/grub_target_cppflags=/ s|'.*'|' '|"
|
||||||
'';
|
'';
|
||||||
|
@ -90,10 +90,6 @@ stdenv.mkDerivation rec {
|
|||||||
doCheck = false;
|
doCheck = false;
|
||||||
enableParallelBuilding = true;
|
enableParallelBuilding = true;
|
||||||
|
|
||||||
postInstall = ''
|
|
||||||
paxmark pms $out/sbin/grub-{probe,bios-setup}
|
|
||||||
'';
|
|
||||||
|
|
||||||
meta = with stdenv.lib; {
|
meta = with stdenv.lib; {
|
||||||
description = "GRUB 2.0 extended with TCG (TPM) support for integrity measured boot process (trusted boot)";
|
description = "GRUB 2.0 extended with TCG (TPM) support for integrity measured boot process (trusted boot)";
|
||||||
homepage = https://github.com/Sirrix-AG/TrustedGRUB2;
|
homepage = https://github.com/Sirrix-AG/TrustedGRUB2;
|
||||||
|