JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

treewide: remove paxutils from stdenv

Browse Source 
More then one year ago we removed grsecurity kernels from nixpkgs:
https://github.com/NixOS/nixpkgs/pull/25277

This removes now also paxutils from stdenv.
This commit is contained in:
Jörg Thalheim 2018-12-22 12:49:41 +01:00
parent 0a2efa121d
commit 1b146a8c6f
No known key found for this signature in database
GPG Key ID: CA4106B8D7CC79FA
65 changed files with 17 additions and 687 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
doc/stdenv.xml
View File

@ -2433,30 +2433,6 @@ addEnvHooks "$hostOffset" myBashFunction
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
paxctl
</term>
<listitem>
<para>
Defines the <varname>paxmark</varname> helper for setting per-executable
PaX flags on Linux (where it is available by default; on all other
platforms, <varname>paxmark</varname> is a no-op). For example, to
disable secure memory protections on the executable
<replaceable>foo</replaceable>
<programlisting>
postFixup = ''
paxmark m $out/bin/<replaceable>foo</replaceable>
'';
</programlisting>
The <literal>m</literal> flag is the most common flag and is typically
required for applications that employ JIT compilation or otherwise need
to execute code generated at run-time. Disabling PaX protections should
be considered a last resort: if possible, problematic features should be
disabled or patched to work with PaX.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
autoPatchelfHook

2
pkgs/applications/altcoins/parity-ui/default.nix
View File

@ -34,8 +34,6 @@ in stdenv.mkDerivation rec {
find $out/share/parity-ui -name "*.node" -exec patchelf --set-rpath "${uiEnv.libPath}:$out/share/parity-ui" {} \;
paxmark m $out/share/parity-ui/parity-ui
mkdir -p $out/bin
ln -s $out/share/parity-ui/parity-ui $out/bin/parity-ui
'';

3
pkgs/applications/editors/atom/default.nix
View File

@ -70,9 +70,6 @@ let
ln -s ${pkgs.git}/bin/git $dugite/git/libexec/git-core/git
find $share -name "*.node" -exec patchelf --set-rpath "${atomEnv.libPath}:$share" {} \;
paxmark m $share/atom
paxmark m $share/resources/app/apm/bin/node
'';
meta = with stdenv.lib; {

2
pkgs/applications/networking/browsers/chromium/common.nix
View File

@ -282,8 +282,6 @@ let
MENUNAME="Chromium"
process_template chrome/app/resources/manpage.1.in "${buildPath}/chrome.1"
)
'' + optionalString (target == "mksnapshot" || target == "chrome") ''
paxmark m "${buildPath}/${target}"
'';
targets = extraAttrs.buildTargets or [];
commands = map buildCommand targets;

8
pkgs/applications/networking/browsers/firefox/common.nix
View File

@ -263,20 +263,12 @@ stdenv.mkDerivation rec {
enableParallelBuilding = true;
doCheck = false; # "--disable-tests" above
preInstall = ''
# The following is needed for startup cache creation on grsecurity kernels.
paxmark m dist/bin/xpcshell
'';
installPhase = if stdenv.isDarwin then ''
mkdir -p $out/Applications
cp -LR dist/Firefox.app $out/Applications
'' else null;
postInstall = lib.optionalString stdenv.isLinux ''
# For grsecurity kernels
paxmark m $out/lib/firefox*/{firefox,firefox-bin,plugin-container}
# Remove SDK cruft. FIXME: move to a separate output?
rm -rf $out/share/idl $out/include $out/lib/firefox-devel-*

2
pkgs/applications/networking/instant-messengers/discord/default.nix
View File

@ -32,8 +32,6 @@ stdenv.mkDerivation rec {
patchelf --set-interpreter ${stdenv.cc.bintools.dynamicLinker} \
$out/opt/discord/Discord
paxmark m $out/opt/discord/Discord
wrapProgram $out/opt/discord/Discord --prefix LD_LIBRARY_PATH : ${libPath}
ln -s $out/opt/discord/Discord $out/bin/

1
pkgs/applications/networking/instant-messengers/franz/default.nix
View File

@ -54,7 +54,6 @@ in stdenv.mkDerivation rec {
'';
postFixup = ''
paxmark m $out/opt/franz/Franz
wrapProgram $out/opt/franz/Franz --prefix PATH : ${xdg_utils}/bin
'';

1
pkgs/applications/networking/instant-messengers/wavebox/default.nix
View File

@ -52,7 +52,6 @@ in stdenv.mkDerivation rec {
'';
postFixup = ''
paxmark m $out/opt/wavebox/Wavebox
makeWrapper $out/opt/wavebox/Wavebox $out/bin/wavebox \
--prefix PATH : ${xdg_utils}/bin
'';

9
pkgs/applications/networking/mailreaders/thunderbird/default.nix
View File

@ -108,18 +108,9 @@ in stdenv.mkDerivation rec {
cd ../objdir
'';
preInstall =
''
# The following is needed for startup cache creation on grsecurity kernels.
paxmark m ../objdir/dist/bin/xpcshell
'';
dontWrapGApps = true; # we do it ourselves
postInstall =
''
# For grsecurity kernels
paxmark m $out/lib/thunderbird/thunderbird
# TODO: Move to a dev output?
rm -rf $out/include $out/lib/thunderbird-devel-* $out/share/idl

1
pkgs/applications/office/mendeley/default.nix
View File

@ -112,7 +112,6 @@ stdenv.mkDerivation {
patchelf --set-interpreter $interpreter \
--set-rpath ${stdenv.lib.makeLibraryPath deps}:$out/lib \
$out/bin/mendeleydesktop
paxmark m $out/bin/mendeleydesktop
wrapProgram $out/bin/mendeleydesktop \
--add-flags "--unix-distro-build" \

3
pkgs/applications/virtualization/qemu/default.nix
View File

@ -125,9 +125,6 @@ stdenv.mkDerivation rec {
postFixup =
''
for exe in $out/bin/qemu-system-* ; do
paxmark m $exe
done
# copy qemu-ga (guest agent) to separate output
mkdir -p $ga/bin
cp $out/bin/qemu-ga $ga/bin/

8
pkgs/development/compilers/adoptopenjdk-bin/jdk-linux-base.nix
View File

@ -61,14 +61,6 @@ let result = stdenv.mkDerivation rec {
installPhase = ''
cd ..
# Set PaX markings
exes=$(file $sourceRoot/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
for file in $exes; do
paxmark m "$file"
# On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''}
done
mv $sourceRoot $out
rm -rf $out/demo

5
pkgs/development/compilers/gcc/builder.sh
View File

@ -282,11 +282,6 @@ postInstall() {
fi
done
# Disable RANDMMAP on grsec, which causes segfaults when using
# precompiled headers.
# See https://bugs.gentoo.org/show_bug.cgi?id=301299#c31
paxmark r $out/libexec/gcc/*/*/{cc1,cc1plus}
# Two identical man pages are shipped (moving and compressing is done later)
ln -sf gcc.1 "$out"/share/man/man1/g++.1
}

2
pkgs/development/compilers/ghc/8.2.2-binary.nix
View File

@ -105,8 +105,6 @@ stdenv.mkDerivation rec {
--replace-needed libtinfo.so libtinfo.so.5 \
--interpreter ${glibcDynLinker} {} \;
paxmark m ./ghc-${version}/ghc/stage2/build/tmp/ghc-stage2
sed -i "s|/usr/bin/perl|perl\x00 |" ghc-${version}/ghc/stage2/build/tmp/ghc-stage2
sed -i "s|/usr/bin/gcc|gcc\x00 |" ghc-${version}/ghc/stage2/build/tmp/ghc-stage2
'';

5
pkgs/development/compilers/ghc/8.2.2.nix
View File

@ -238,11 +238,6 @@ stdenv.mkDerivation (rec {
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
postInstall = ''
for bin in "$out"/lib/${name}/bin/*; do
isELF "$bin" || continue
paxmark m "$bin"
done
# Install the bash completion file.
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc

5
pkgs/development/compilers/ghc/8.4.4.nix
View File

@ -214,11 +214,6 @@ stdenv.mkDerivation (rec {
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
postInstall = ''
for bin in "$out"/lib/${name}/bin/*; do
isELF "$bin" || continue
paxmark m "$bin"
done
# Install the bash completion file.
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc

5
pkgs/development/compilers/ghc/8.6.1.nix
View File

@ -195,11 +195,6 @@ stdenv.mkDerivation (rec {
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
postInstall = ''
for bin in "$out"/lib/${name}/bin/*; do
isELF "$bin" || continue
paxmark m "$bin"
done
# Install the bash completion file.
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc

5
pkgs/development/compilers/ghc/8.6.2.nix
View File

@ -195,11 +195,6 @@ stdenv.mkDerivation (rec {
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
postInstall = ''
for bin in "$out"/lib/${name}/bin/*; do
isELF "$bin" || continue
paxmark m "$bin"
done
# Install the bash completion file.
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc

5
pkgs/development/compilers/ghc/8.6.3.nix
View File

@ -192,11 +192,6 @@ stdenv.mkDerivation (rec {
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
postInstall = ''
for bin in "$out"/lib/${name}/bin/*; do
isELF "$bin" || continue
paxmark m "$bin"
done
# Install the bash completion file.
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc

5
pkgs/development/compilers/ghc/head.nix
View File

@ -177,11 +177,6 @@ stdenv.mkDerivation (rec {
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
postInstall = ''
for bin in "$out"/lib/${name}/bin/*; do
isELF "$bin" || continue
paxmark m "$bin"
done
# Install the bash completion file.
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc

5
pkgs/development/compilers/jetbrains-jdk/default.nix
View File

@ -25,11 +25,6 @@ let drv = stdenv.mkDerivation rec {
installPhase = ''
cd ..
exes=$(file $sourceRoot/bin/* $sourceRoot/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
for file in $exes; do
paxmark m "$file"
done
mv $sourceRoot $out
jrePath=$out/jre
'';

25
pkgs/development/compilers/julia/0004-hardened.patch
View File

@ -1,25 +0,0 @@
From eddb251a00ace6e63e32e7dcb9e1ec632cac14e0 Mon Sep 17 00:00:00 2001
From: Will Dietz <w@wdtz.org>
Date: Wed, 1 Feb 2017 06:09:49 -0600
Subject: [PATCH] Set pax flags on julia binaries to disable memory protection.
---
Makefile | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Makefile b/Makefile
index 0e28cc87b..aab8cfa8d 100644
--- a/Makefile
+++ b/Makefile
@@ -91,6 +91,8 @@ julia-src-release julia-src-debug : julia-src-% : julia-deps julia_flisp.boot.in
julia-ui-release julia-ui-debug : julia-ui-% : julia-src-%
@$(MAKE) $(QUIET_MAKE) -C $(BUILDROOT)/ui julia-$*
+ @echo "setting PaX flags on $(JULIA_EXECUTABLE_$*)"
+ @paxctl -czexm $(JULIA_EXECUTABLE_$*)
julia-inference : julia-base julia-ui-$(JULIA_BUILD_MODE) $(build_prefix)/.examples
@$(MAKE) $(QUIET_MAKE) -C $(BUILDROOT) $(build_private_libdir)/inference.ji JULIA_BUILD_MODE=$(JULIA_BUILD_MODE)
--
2.11.0

7
pkgs/development/compilers/julia/default.nix
View File

@ -1,6 +1,6 @@
{ stdenv, fetchurl, fetchzip
# build tools
, gfortran, m4, makeWrapper, patchelf, perl, which, python2, paxctl
, gfortran, m4, makeWrapper, patchelf, perl, which, python2
# libjulia dependencies
, libunwind, readline, utf8proc, zlib
, llvm
@ -75,7 +75,7 @@ stdenv.mkDerivation rec {
patches = [
./0001.1-use-system-utf8proc.patch
./0002-use-system-suitesparse.patch
] ++ stdenv.lib.optional stdenv.needsPax ./0004-hardened.patch;
];
postPatch = ''
patchShebangs . contrib
@ -96,8 +96,7 @@ stdenv.mkDerivation rec {
++ stdenv.lib.optionals stdenv.isDarwin [CoreServices ApplicationServices]
;
nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ]
++ stdenv.lib.optional stdenv.needsPax paxctl;
nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ];
makeFlags =
let

7
pkgs/development/compilers/julia/shared.nix
View File

@ -5,7 +5,7 @@
}:
{ stdenv, fetchurl, fetchzip
# build tools
, gfortran, m4, makeWrapper, patchelf, perl, which, python2, paxctl
, gfortran, m4, makeWrapper, patchelf, perl, which, python2
, llvm, cmake
# libjulia dependencies
, libunwind, readline, utf8proc, zlib
@ -95,7 +95,7 @@ stdenv.mkDerivation rec {
patches = [
./0001.1-use-system-utf8proc.patch
] ++ stdenv.lib.optional stdenv.needsPax ./0004-hardened.patch;
];
postPatch = ''
patchShebangs . contrib
@ -117,8 +117,7 @@ stdenv.mkDerivation rec {
++ stdenv.lib.optionals stdenv.isDarwin [CoreServices ApplicationServices]
;
nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ]
++ stdenv.lib.optional stdenv.needsPax paxctl;
nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ];
makeFlags =
let

6
pkgs/development/compilers/llvm/3.5/llvm.nix
View File

@ -81,12 +81,6 @@ in stdenv.mkDerivation rec {
postBuild = ''
rm -fR $out
paxmark m bin/{lli,llvm-rtdyld}
paxmark m unittests/ExecutionEngine/JIT/JITTests
paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
paxmark m unittests/Support/SupportTests
'';
enableParallelBuilding = true;

2
pkgs/development/compilers/llvm/3.7/llvm.nix
View File

@ -89,8 +89,6 @@ in stdenv.mkDerivation rec {
postBuild = ''
rm -fR $out
paxmark m bin/{lli,llvm-rtdyld}
'';
enableParallelBuilding = true;

2
pkgs/development/compilers/llvm/3.8/llvm.nix
View File

@ -97,8 +97,6 @@ in stdenv.mkDerivation rec {
postBuild = ''
rm -fR $out
paxmark m bin/{lli,llvm-rtdyld}
'';
postInstall = stdenv.lib.optionalString (stdenv.isDarwin && enableSharedLibraries) ''

2
pkgs/development/compilers/llvm/3.9/llvm.nix
View File

@ -141,8 +141,6 @@ in stdenv.mkDerivation rec {
postBuild = ''
rm -fR $out
paxmark m bin/{lli,llvm-rtdyld}
'';
postInstall = ""

6
pkgs/development/compilers/llvm/4/llvm.nix
View File

@ -121,12 +121,6 @@ in stdenv.mkDerivation (rec {
postBuild = ''
rm -fR $out
paxmark m bin/{lli,llvm-rtdyld}
paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
paxmark m unittests/ExecutionEngine/Orc/OrcJITTests
paxmark m unittests/Support/SupportTests
paxmark m bin/lli-child-target
'';
preCheck = ''

6
pkgs/development/compilers/llvm/5/llvm.nix
View File

@ -98,12 +98,6 @@ in stdenv.mkDerivation (rec {
postBuild = ''
rm -fR $out
paxmark m bin/{lli,llvm-rtdyld}
paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
paxmark m unittests/ExecutionEngine/Orc/OrcJITTests
paxmark m unittests/Support/SupportTests
paxmark m bin/lli-child-target
'';
preCheck = ''

6
pkgs/development/compilers/llvm/6/llvm.nix
View File

@ -115,12 +115,6 @@ in stdenv.mkDerivation (rec {
postBuild = ''
rm -fR $out
paxmark m bin/{lli,llvm-rtdyld}
paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
paxmark m unittests/ExecutionEngine/Orc/OrcJITTests
paxmark m unittests/Support/SupportTests
paxmark m bin/lli-child-target
'';
preCheck = ''

6
pkgs/development/compilers/llvm/7/llvm.nix
View File

@ -110,12 +110,6 @@ in stdenv.mkDerivation (rec {
postBuild = ''
rm -fR $out
paxmark m bin/{lli,llvm-rtdyld}
paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
paxmark m unittests/ExecutionEngine/Orc/OrcJITTests
paxmark m unittests/Support/SupportTests
paxmark m bin/lli-child-target
'';
preCheck = ''

9
pkgs/development/compilers/openjdk/11.nix
View File

@ -21,7 +21,6 @@ let
update = ".0.1";
build = "13";
repover = "jdk-${major}${update}+${build}";
paxflags = if stdenv.isi686 then "msp" else "m";
openjdk = stdenv.mkDerivation {
name = "openjdk-${major}${update}-b${build}";
@ -106,14 +105,6 @@ let
rm $out/lib/openjdk/lib/{libjsound,libfontmanager}.so
''}
# Set PaX markings
exes=$(file $out/lib/openjdk/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
echo "to mark: *$exes*"
for file in $exes; do
echo "marking *$file*"
paxmark ${paxflags} "$file"
done
ln -s $out/lib/openjdk/bin $out/bin
'';

9
pkgs/development/compilers/openjdk/8.nix
View File

@ -25,7 +25,6 @@ let
build = "26";
baseurl = "http://hg.openjdk.java.net/jdk8u/jdk8u";
repover = "jdk8u${update}-b${build}";
paxflags = if stdenv.isi686 then "msp" else "m";
jdk8 = fetchurl {
url = "${baseurl}/archive/${repover}.tar.gz";
sha256 = "1hx5sfsglc101aqs9n7cz7rh447d6rxfxkbw03crvzbvy9n6ag2d";
@ -176,14 +175,6 @@ let
rm -rf $out/lib/openjdk/jre/lib/cmm
ln -s {$jre,$out}/lib/openjdk/jre/lib/cmm
# Set PaX markings
exes=$(file $out/lib/openjdk/bin/* $jre/lib/openjdk/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
echo "to mark: *$exes*"
for file in $exes; do
echo "marking *$file*"
paxmark ${paxflags} "$file"
done
# Remove duplicate binaries.
for i in $(cd $out/lib/openjdk/bin && echo *); do
if [ "$i" = java ]; then continue; fi

8
pkgs/development/compilers/openjdk/bootstrap.nix
View File

@ -36,13 +36,5 @@ let
patchelf --set-interpreter $(cat "${stdenv.cc}/nix-support/dynamic-linker") "$elf" || true
patchelf --set-rpath "${stdenv.cc.libc}/lib:${stdenv.cc.cc.lib}/lib:${zlib}/lib:$LIBDIRS" "$elf" || true
done
# Temporarily, while NixOS's OpenJDK bootstrap tarball doesn't have PaX markings:
find "$out/bin" -type f -print0 | while IFS= read -r -d "" elf; do
isELF "$elf" || continue
paxmark m "$elf"
# On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$elf"''}
done
'';
in bootstrap

8
pkgs/development/compilers/oraclejdk/jdk-linux-base.nix
View File

@ -93,14 +93,6 @@ let result = stdenv.mkDerivation rec {
installPhase = ''
cd ..
# Set PaX markings
exes=$(file $sourceRoot/bin/* $sourceRoot/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
for file in $exes; do
paxmark m "$file" || true
# On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''}
done
if test -z "$installjdk"; then
mv $sourceRoot/jre $out
else

9
pkgs/development/compilers/swift/default.nix
View File

@ -27,7 +27,6 @@
, git
, libgit2
, fetchFromGitHub
, paxctl
, findutils
, makeWrapper
, gnumake
@ -150,7 +149,7 @@ stdenv.mkDerivation rec {
findutils
makeWrapper
gnumake
] ++ stdenv.lib.optional stdenv.needsPax paxctl;
];
# TODO: Revisit what's propagated and how
propagatedBuildInputs = [
@ -218,9 +217,6 @@ stdenv.mkDerivation rec {
substituteInPlace swift/utils/build-script-impl \
--replace '/usr/include/c++' "${clang.cc.gcc}/include/c++"
patch -p1 -d swift -i ${./patches/glibc-arch-headers.patch}
'' + stdenv.lib.optionalString stdenv.needsPax ''
patch -p1 -d swift -i ${./patches/build-script-pax.patch}
'' + ''
patch -p1 -d swift -i ${./patches/0001-build-presets-linux-don-t-require-using-Ninja.patch}
patch -p1 -d swift -i ${./patches/0002-build-presets-linux-allow-custom-install-prefix.patch}
patch -p1 -d swift -i ${./patches/0004-build-presets-linux-plumb-extra-cmake-options.patch}
@ -266,9 +262,6 @@ stdenv.mkDerivation rec {
tar xf $INSTALLABLE_PACKAGE -C $out --strip-components=3 $PREFIX
find $out -type d -empty -delete
paxmark pmr $out/bin/swift
paxmark pmr $out/bin/*
# TODO: Use wrappers to get these on the PATH for swift tools, instead
ln -s ${clang}/bin/* $out/bin/
ln -s ${targetPackages.stdenv.cc.bintools.bintools_bin}/bin/ar $out/bin/ar

33
pkgs/development/compilers/swift/patches/build-script-pax.patch
View File

@ -1,33 +0,0 @@
--- swift/utils/build-script-impl 2017-01-23 12:47:20.401326309 -0600
+++ swift-pax/utils/build-script-impl 2017-01-23 13:24:10.339366996 -0600
@@ -1837,6 +1837,17 @@ function set_lldb_xcodebuild_options() {
fi
}
+## XXX: Taken from nixpkgs /pkgs/stdenv/generic/setup.sh
+isELF() {
+ local fn="$1"
+ local fd
+ local magic
+ exec {fd}< "$fn"
+ read -n 4 -u $fd magic
+ exec {fd}<&-
+ if [[ "$magic" =~ ELF ]]; then return 0; else return 1; fi
+}
+
#
# Configure and build each product
#
@@ -2735,6 +2746,12 @@ for host in "${ALL_HOSTS[@]}"; do
fi
call "${CMAKE_BUILD[@]}" "${build_dir}" $(cmake_config_opt ${product}) -- "${BUILD_ARGS[@]}" ${build_targets[@]}
+
+ while IFS= read -r -d $'\0' i; do
+ if ! isELF "$i"; then continue; fi
+ echo "setting pax flags on $i"
+ paxctl -czexm "$i" || true
+ done < <(find "${build_dir}" -executable -type f -wholename "*/bin/*" -print0)
fi
done
done

4
pkgs/development/compilers/terra/default.nix
View File

@ -51,10 +51,6 @@ stdenv.mkDerivation rec {
''
;
postFixup = ''
paxmark m $bin/bin/terra
'';
buildInputs = with llvmPackages; [ lua llvm clang-unwrapped ncurses ];
meta = with stdenv.lib; {

4
pkgs/development/compilers/tinycc/default.nix
View File

@ -33,10 +33,6 @@ stdenv.mkDerivation rec {
doCheck = true;
checkTarget = "test";
postFixup = ''
paxmark m $out/bin/tcc
'';
meta = {
description = "Small, fast, and embeddable C compiler and interpreter";

2
pkgs/development/interpreters/python/cpython/2.7/boot.nix
View File

@ -77,8 +77,6 @@ stdenv.mkDerivation rec {
''
ln -s $out/share/man/man1/{python2.7.1.gz,python.1.gz}
paxmark E $out/bin/python2.7
rm "$out"/lib/python*/plat-*/regen # refers to glibc.dev
'';

2
pkgs/development/interpreters/python/cpython/2.7/default.nix
View File

@ -229,8 +229,6 @@ in stdenv.mkDerivation ({
ln -s $out/lib/python${majorVersion}/pdb.py $out/bin/pdb${majorVersion}
ln -s $out/share/man/man1/{python2.7.1.gz,python.1.gz}
paxmark E $out/bin/python${majorVersion}
# Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py

1
pkgs/development/interpreters/python/cpython/3.5/default.nix
View File

@ -143,7 +143,6 @@ in stdenv.mkDerivation {
touch $out/lib/python${majorVersion}/test/__init__.py
ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}"
paxmark E $out/bin/python${majorVersion}
# Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py

1
pkgs/development/interpreters/python/cpython/3.6/default.nix
View File

@ -164,7 +164,6 @@ in stdenv.mkDerivation {
touch $out/lib/python${majorVersion}/test/__init__.py
ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}"
paxmark E $out/bin/python${majorVersion}
# Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py

1
pkgs/development/interpreters/python/cpython/3.7/default.nix
View File

@ -154,7 +154,6 @@ in stdenv.mkDerivation {
touch $out/lib/python${majorVersion}/test/__init__.py
ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}"
paxmark E $out/bin/python${majorVersion}
# Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py

3
pkgs/development/interpreters/spidermonkey/1.8.5.nix
View File

@ -59,9 +59,6 @@ stdenv.mkDerivation rec {
preCheck = ''
rm jit-test/tests/sunspider/check-date-format-tofte.js # https://bugzil.la/600522
paxmark mr shell/js
paxmark mr jsapi-tests/jsapi-tests
'';
meta = with stdenv.lib; {

2
pkgs/development/libraries/gstreamer/legacy/gstreamer/default.nix
View File

@ -36,8 +36,6 @@ stdenv.mkDerivation rec {
postInstall = ''
# Hm, apparently --disable-gtk-doc is ignored...
rm -rf $out/share/gtk-doc
paxmark m $out/bin/gst-launch* $out/libexec/gstreamer-*/gst-plugin-scanner
'';
setupHook = ./setup-hook.sh;

7
pkgs/development/libraries/polkit/default.nix
View File

@ -72,13 +72,6 @@ stdenv.mkDerivation rec {
makeFlags = "INTROSPECTION_GIRDIR=$(out)/share/gir-1.0 INTROSPECTION_TYPELIBDIR=$(out)/lib/girepository-1.0";
# The following is required on grsecurity/PaX due to spidermonkey's JIT
postBuild = stdenv.lib.optionalString stdenv.isLinux ''
paxmark mr src/polkitbackend/.libs/polkitd
'' + stdenv.lib.optionalString (stdenv.isLinux && doCheck) ''
paxmark mr test/polkitbackend/.libs/polkitbackendjsauthoritytest
'';
installFlags=["datadir=$(out)/share" "sysconfdir=$(out)/etc"];
inherit doCheck;

1
pkgs/development/libraries/qt-5/5.11/default.nix
View File

@ -61,7 +61,6 @@ let
qtscript = [ ./qtscript.patch ];
qtserialport = [ ./qtserialport.patch ];
qttools = [ ./qttools.patch ];
qtwebengine = optional stdenv.needsPax ./qtwebengine-paxmark-mksnapshot.patch;
qtwebkit = [ ./qtwebkit.patch ];
};

48
pkgs/development/libraries/qt-5/5.11/qtwebengine-paxmark-mksnapshot.patch
View File

@ -1,48 +0,0 @@
diff --git a/src/3rdparty/chromium/v8/src/v8.gyp b/chromium/v8/src/v8.gyp
index e7e19f5059..934448c7d8 100644
--- a/src/3rdparty/chromium/v8/src/v8.gyp
+++ b/src/3rdparty/chromium/v8/src/v8.gyp
@@ -35,6 +35,7 @@
'v8_extra_library_files%': [],
'v8_experimental_extra_library_files%': [],
'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)',
+ 'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)',
'v8_os_page_size%': 0,
},
'includes': ['../gypfiles/toolchain.gypi', '../gypfiles/features.gypi', 'inspector/inspector.gypi'],
@@ -2576,7 +2577,7 @@
]
},
{
- 'target_name': 'mksnapshot',
+ 'target_name': 'mksnapshot_u',
'type': 'executable',
'dependencies': [
'v8_base',
@@ -2606,5 +2607,26 @@
}],
],
},
+ {
+ 'target_name': 'mksnapshot',
+ 'type': 'executable',
+ 'dependencies': ['mksnapshot_u'],
+ 'actions': [
+ {
+ 'action_name': 'paxmark_m_mksnapshot',
+ 'inputs': [
+ '<(mksnapshot_u_exec)',
+ ],
+ 'outputs': [
+ '<(mksnapshot_exec)',
+ ],
+ 'action': [
+ 'sh',
+ '-c',
+ 'cp <(mksnapshot_u_exec) <(mksnapshot_exec) && paxctl -czexm <(mksnapshot_exec)',
+ ],
+ },
+ ],
+ },
],
}

3
pkgs/development/libraries/qt-5/5.6/default.nix
View File

@ -51,8 +51,7 @@ let
qtscript = [ ./qtscript.patch ];
qtserialport = [ ./qtserialport.patch ];
qttools = [ ./qttools.patch ];
qtwebengine = [ ./qtwebengine-seccomp.patch ]
++ optional stdenv.needsPax ./qtwebengine-paxmark-mksnapshot.patch;
qtwebengine = [ ./qtwebengine-seccomp.patch ];
qtwebkit = [ ./qtwebkit.patch ];
};

46
pkgs/development/libraries/qt-5/5.6/qtwebengine-paxmark-mksnapshot.patch
View File

@ -1,46 +0,0 @@
--- qtwebengine-opensource-src-5.6.0-orig/src/3rdparty/chromium/v8/tools/gyp/v8.gyp 2016-03-04 01:48:36.000000000 +1100
+++ qtwebengine-opensource-src-5.6.0/src/3rdparty/chromium/v8/tools/gyp/v8.gyp 2016-05-01 19:15:44.052770543 +1000
@@ -33,6 +33,7 @@
'embed_script%': "",
'v8_extra_library_files%': [],
'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)',
+ 'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)',
'remove_v8base_debug_symbols%': 0,
},
'includes': ['../../build/toolchain.gypi', '../../build/features.gypi'],
@@ -1913,7 +1914,7 @@
]
},
{
- 'target_name': 'mksnapshot',
+ 'target_name': 'mksnapshot_u',
'type': 'executable',
'dependencies': ['v8_base', 'v8_nosnapshot', 'v8_libplatform'],
'include_dirs+': [
@@ -1936,5 +1937,26 @@
}],
],
},
+ {
+ 'target_name': 'mksnapshot',
+ 'type': 'executable',
+ 'dependencies': ['mksnapshot_u'],
+ 'actions': [
+ {
+ 'action_name': 'paxmark_m_mksnapshot',
+ 'inputs': [
+ '<(mksnapshot_u_exec)',
+ ],
+ 'outputs': [
+ '<(mksnapshot_exec)',
+ ],
+ 'action': [
+ 'sh',
+ '-c',
+ 'cp <(mksnapshot_u_exec) <(mksnapshot_exec) && paxctl -czexm <(mksnapshot_exec)',
+ ],
+ },
+ ],
+ },
],
}

1
pkgs/development/libraries/qt-5/5.9/default.nix
View File

@ -43,7 +43,6 @@ let
qtscript = [ ./qtscript.patch ];
qtserialport = [ ./qtserialport.patch ];
qttools = [ ./qttools.patch ];
qtwebengine = optional stdenv.needsPax ./qtwebengine-paxmark-mksnapshot.patch;
qtwebkit = [ ./qtwebkit.patch ];
};

48
pkgs/development/libraries/qt-5/5.9/qtwebengine-paxmark-mksnapshot.patch
View File

@ -1,48 +0,0 @@
Index: qtwebengine-opensource-src-5.9.0/src/3rdparty/chromium/v8/src/v8.gyp
===================================================================
--- qtwebengine-opensource-src-5.9.0.orig/src/3rdparty/chromium/v8/src/v8.gyp
+++ qtwebengine-opensource-src-5.9.0/src/3rdparty/chromium/v8/src/v8.gyp
@@ -36,6 +36,7 @@
'v8_experimental_extra_library_files%': [],
'v8_enable_inspector%': 0,
'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)',
+ 'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)',
'mkpeephole_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mkpeephole<(EXECUTABLE_SUFFIX)',
'v8_os_page_size%': 0,
},
@@ -2432,7 +2433,7 @@
]
},
{
- 'target_name': 'mksnapshot',
+ 'target_name': 'mksnapshot_u',
'type': 'executable',
'dependencies': [
'v8_base',
@@ -2485,5 +2486,26 @@
}],
],
},
+ {
+ 'target_name': 'mksnapshot',
+ 'type': 'executable',
+ 'dependencies': ['mksnapshot_u'],
+ 'actions': [
+ {
+ 'action_name': 'paxmark_m_mksnapshot',
+ 'inputs': [
+ '<(mksnapshot_u_exec)',
+ ],
+ 'outputs': [
+ '<(mksnapshot_exec)',
+ ],
+ 'action': [
+ 'sh',
+ '-c',
+ 'cp <(mksnapshot_u_exec) <(mksnapshot_exec) && paxctl -czexm <(mksnapshot_exec)',
+ ],
+ },
+ ],
+ },
],
}

3
pkgs/development/libraries/qt-5/modules/qtwebengine.nix
View File

@ -14,7 +14,7 @@
, enableProprietaryCodecs ? true
, gn, darwin, openbsm
, ffmpeg ? null
, lib, stdenv # lib.optional, needsPax
, lib, stdenv
}:
with stdenv.lib;
@ -181,7 +181,6 @@ EOF
[Paths]
Prefix = ..
EOF
paxmark m $out/libexec/QtWebEngineProcess
'';
meta = with lib; {

2
pkgs/development/tools/analysis/valgrind/default.nix
View File

@ -73,8 +73,6 @@ stdenv.mkDerivation rec {
--replace 'obj:/usr/X11R6/lib' 'obj:*/lib' \
--replace 'obj:/usr/lib' 'obj:*/lib'
done
paxmark m $out/lib/valgrind/*-*-linux
'';
meta = {

5
pkgs/development/tools/misc/binutils/default.nix
View File

@ -33,11 +33,6 @@ stdenv.mkDerivation rec {
# Make binutils output deterministic by default.
./deterministic.patch
# Always add PaX flags section to ELF files.
# This is needed, for instance, so that running "ldd" on a binary that is
# PaX-marked to disable mprotect doesn't fail with permission denied.
./pt-pax-flags.patch
# Bfd looks in BINDIR/../lib for some plugins that don't
# exist. This is pointless (since users can't install plugins
# there) and causes a cycle between the lib and bin outputs, so

233
pkgs/development/tools/misc/binutils/pt-pax-flags.patch
View File

@ -1,233 +0,0 @@
--- binutils-2.15.94.0.2.2.orig/bfd/elf-bfd.h 2005-02-07 20:42:44.000000000 +0100
+++ binutils-2.15.94.0.2.2/bfd/elf-bfd.h 2005-02-20 13:13:17.362558200 +0100
@@ -1266,6 +1266,9 @@
/* Should the PT_GNU_RELRO segment be emitted? */
bfd_boolean relro;
+ /* Segment flags for the PT_PAX_FLAGS segment. */
+ unsigned int pax_flags;
+
/* Symbol version definitions in external objects. */
Elf_Internal_Verdef *verdef;
--- binutils-2.17.50.0.18/bfd/elf.c.orig 2007-08-01 11:12:02.000000000 -0400
+++ binutils-2.17.50.0.18/bfd/elf.c 2007-08-01 14:27:36.086986774 -0400
@@ -1085,6 +1085,7 @@
case PT_GNU_EH_FRAME: pt = "EH_FRAME"; break;
case PT_GNU_STACK: pt = "STACK"; break;
case PT_GNU_RELRO: pt = "RELRO"; break;
+ case PT_PAX_FLAGS: pt = "PAX_FLAGS"; break;
default: pt = NULL; break;
}
return pt;
@@ -2346,6 +2347,9 @@
case PT_GNU_RELRO:
return _bfd_elf_make_section_from_phdr (abfd, hdr, hdr_index, "relro");
+ case PT_PAX_FLAGS:
+ return _bfd_elf_make_section_from_phdr (abfd, hdr, hdr_index, "pax_flags");
+
default:
/* Check for any processor-specific program segment types. */
bed = get_elf_backend_data (abfd);
@@ -3326,6 +3330,11 @@
++segs;
}
+ {
+ /* We need a PT_PAX_FLAGS segment. */
+ ++segs;
+ }
+
for (s = abfd->sections; s != NULL; s = s->next)
{
if ((s->flags & SEC_LOAD) != 0
@@ -3945,6 +3954,20 @@
pm = &m->next;
}
+ {
+ amt = sizeof (struct elf_segment_map);
+ m = bfd_zalloc (abfd, amt);
+ if (m == NULL)
+ goto error_return;
+ m->next = NULL;
+ m->p_type = PT_PAX_FLAGS;
+ m->p_flags = elf_tdata (abfd)->pax_flags;
+ m->p_flags_valid = 1;
+
+ *pm = m;
+ pm = &m->next;
+ }
+
free (sections);
elf_tdata (abfd)->segment_map = mfirst;
}
@@ -5129,7 +5152,8 @@
5. PT_GNU_STACK segments do not include any sections.
6. PT_TLS segment includes only SHF_TLS sections.
7. SHF_TLS sections are only in PT_TLS or PT_LOAD segments.
- 8. PT_DYNAMIC should not contain empty sections at the beginning
+ 8. PT_PAX_FLAGS segments do not include any sections.
+ 9. PT_DYNAMIC should not contain empty sections at the beginning
(with the possible exception of .dynamic). */
#define IS_SECTION_IN_INPUT_SEGMENT(section, segment, bed) \
((((segment->p_paddr \
@@ -5138,6 +5162,7 @@
&& (section->flags & SEC_ALLOC) != 0) \
|| IS_COREFILE_NOTE (segment, section)) \
&& segment->p_type != PT_GNU_STACK \
+ && segment->p_type != PT_PAX_FLAGS \
&& (segment->p_type != PT_TLS \
|| (section->flags & SEC_THREAD_LOCAL)) \
&& (segment->p_type == PT_LOAD \
--- binutils-2.23.52.0.1/bfd/elflink.c.orig 2013-02-27 21:28:03.000000000 +0100
+++ binutils-2.23.52.0.1/bfd/elflink.c 2013-03-01 17:32:44.922717879 +0100
@@ -5764,18 +5764,32 @@
&& ! (*bed->elf_backend_always_size_sections) (output_bfd, info))
return FALSE;
+ elf_tdata (output_bfd)->pax_flags = PF_NORANDEXEC;
+
+ if (info->execheap)
+ elf_tdata (output_bfd)->pax_flags |= PF_NOMPROTECT;
+ else if (info->noexecheap)
+ elf_tdata (output_bfd)->pax_flags |= PF_MPROTECT;
+
/* Determine any GNU_STACK segment requirements, after the backend
has had a chance to set a default segment size. */
if (info->execstack)
+ {
elf_stack_flags (output_bfd) = PF_R | PF_W | PF_X;
+ elf_tdata (output_bfd)->pax_flags |= PF_EMUTRAMP;
+ }
else if (info->noexecstack)
+ {
elf_stack_flags (output_bfd) = PF_R | PF_W;
+ elf_tdata (output_bfd)->pax_flags |= PF_NOEMUTRAMP;
+ }
else
{
bfd *inputobj;
asection *notesec = NULL;
int exec = 0;
+ elf_tdata (output_bfd)->pax_flags |= PF_NOEMUTRAMP;
for (inputobj = info->input_bfds;
inputobj;
inputobj = inputobj->link_next)
@@ -5789,7 +5803,11 @@
if (s)
{
if (s->flags & SEC_CODE)
- exec = PF_X;
+ {
+ elf_tdata (output_bfd)->pax_flags &= ~PF_NOEMUTRAMP;
+ elf_tdata (output_bfd)->pax_flags |= PF_EMUTRAMP;
+ exec = PF_X;
+ }
notesec = s;
}
else if (bed->default_execstack)
--- binutils-2.15.94.0.2.2.orig/binutils/readelf.c 2005-02-18 07:14:30.000000000 +0100
+++ binutils-2.15.94.0.2.2/binutils/readelf.c 2005-02-20 13:13:17.470541784 +0100
@@ -2293,6 +2293,7 @@
return "GNU_EH_FRAME";
case PT_GNU_STACK: return "GNU_STACK";
case PT_GNU_RELRO: return "GNU_RELRO";
+ case PT_PAX_FLAGS: return "PAX_FLAGS";
default:
if ((p_type >= PT_LOPROC) && (p_type <= PT_HIPROC))
--- binutils-2.15.94.0.2.2.orig/include/bfdlink.h 2004-11-22 21:33:32.000000000 +0100
+++ binutils-2.15.94.0.2.2/include/bfdlink.h 2005-02-20 13:13:17.476540872 +0100
@@ -313,6 +313,14 @@
flags. */
unsigned int noexecstack: 1;
+ /* TRUE if PT_PAX_FLAGS segment should be created with PF_NOMPROTECT
+ flags. */
+ unsigned int execheap: 1;
+
+ /* TRUE if PT_PAX_FLAGS segment should be created with PF_MPROTECT
+ flags. */
+ unsigned int noexecheap: 1;
+
/* TRUE if PT_GNU_RELRO segment should be created. */
unsigned int relro: 1;
--- binutils-2.15.94.0.2.2.orig/include/elf/common.h 2004-11-22 21:33:32.000000000 +0100
+++ binutils-2.15.94.0.2.2/include/elf/common.h 2005-02-20 13:13:17.482539960 +0100
@@ -423,6 +423,7 @@
#define PT_SUNW_EH_FRAME PT_GNU_EH_FRAME /* Solaris uses the same value */
#define PT_GNU_STACK (PT_LOOS + 0x474e551) /* Stack flags */
#define PT_GNU_RELRO (PT_LOOS + 0x474e552) /* Read-only after relocation */
+#define PT_PAX_FLAGS (PT_LOOS + 0x5041580) /* PaX flags */
/* Program segment permissions, in program header p_flags field. */
@@ -433,6 +434,19 @@
#define PF_MASKOS 0x0FF00000 /* New value, Oct 4, 1999 Draft */
#define PF_MASKPROC 0xF0000000 /* Processor-specific reserved bits */
+#define PF_PAGEEXEC (1 << 4) /* Enable PAGEEXEC */
+#define PF_NOPAGEEXEC (1 << 5) /* Disable PAGEEXEC */
+#define PF_SEGMEXEC (1 << 6) /* Enable SEGMEXEC */
+#define PF_NOSEGMEXEC (1 << 7) /* Disable SEGMEXEC */
+#define PF_MPROTECT (1 << 8) /* Enable MPROTECT */
+#define PF_NOMPROTECT (1 << 9) /* Disable MPROTECT */
+#define PF_RANDEXEC (1 << 10) /* Enable RANDEXEC */
+#define PF_NORANDEXEC (1 << 11) /* Disable RANDEXEC */
+#define PF_EMUTRAMP (1 << 12) /* Enable EMUTRAMP */
+#define PF_NOEMUTRAMP (1 << 13) /* Disable EMUTRAMP */
+#define PF_RANDMMAP (1 << 14) /* Enable RANDMMAP */
+#define PF_NORANDMMAP (1 << 15) /* Disable RANDMMAP */
+
/* Values for section header, sh_type field. */
#define SHT_NULL 0 /* Section header table entry unused */
--- binutils-2.18.50.0.1/ld/emultempl/elf32.em.orig 2007-09-08 19:34:12.000000000 +0200
+++ binutils-2.18.50.0.1/ld/emultempl/elf32.em 2007-09-15 21:41:35.688212063 +0200
@@ -2139,6 +2139,16 @@
link_info.noexecstack = TRUE;
link_info.execstack = FALSE;
}
+ else if (strcmp (optarg, "execheap") == 0)
+ {
+ link_info.execheap = TRUE;
+ link_info.noexecheap = FALSE;
+ }
+ else if (strcmp (optarg, "noexecheap") == 0)
+ {
+ link_info.noexecheap = TRUE;
+ link_info.execheap = FALSE;
+ }
EOF
if test -n "$COMMONPAGESIZE"; then
--- binutils-2.15.94.0.2.2.orig/ld/ldgram.y 2004-11-22 21:33:32.000000000 +0100
+++ binutils-2.15.94.0.2.2/ld/ldgram.y 2005-02-20 13:13:17.499537376 +0100
@@ -1073,6 +1073,8 @@
$$ = exp_intop (0x6474e550);
else if (strcmp (s, "PT_GNU_STACK") == 0)
$$ = exp_intop (0x6474e551);
+ else if (strcmp (s, "PT_PAX_FLAGS") == 0)
+ $$ = exp_intop (0x65041580);
else
{
einfo (_("\
--- binutils-2.26/ld/lexsup.c.orig 2015-11-13 09:27:42.000000000 +0100
+++ binutils-2.26/ld/lexsup.c 2016-01-26 21:08:41.787138458 +0100
@@ -1793,8 +1793,12 @@
fprintf (file, _("\
-z muldefs Allow multiple definitions\n"));
fprintf (file, _("\
+ -z execheap Mark executable as requiring executable heap\n"));
+ fprintf (file, _("\
-z execstack Mark executable as requiring executable stack\n"));
fprintf (file, _("\
+ -z noexecheap Mark executable as not requiring executable heap\n"));
+ fprintf (file, _("\
-z noexecstack Mark executable as not requiring executable stack\n"));
}

1
pkgs/development/web/nodejs/nodejs.nix
View File

@ -88,7 +88,6 @@ in
doCheck = false; # fails 4 out of 1453 tests
postInstall = ''
paxmark m $out/bin/node
PATH=$out/bin:$PATH patchShebangs $out
${optionalString enableNpm ''

2
pkgs/stdenv/cross/default.nix
View File

@ -59,7 +59,7 @@ in lib.init bootStages ++ [
extraNativeBuildInputs = old.extraNativeBuildInputs
++ lib.optionals
(hostPlatform.isLinux && !buildPlatform.isLinux)
[ buildPackages.patchelf buildPackages.paxctl ]
[ buildPackages.patchelf ]
++ lib.optional
(let f = p: !p.isx86 || p.libc == "musl"; in f hostPlatform && !(f buildPlatform))
buildPackages.updateAutotoolsGnuConfigScriptsHook

3
pkgs/stdenv/generic/default.nix
View File

@ -130,9 +130,6 @@ let
# The derivation's `system` is `buildPlatform.system`.
inherit (buildPlatform) system;
# Whether we should run paxctl to pax-mark binaries.
needsPax = isLinux;
inherit (import ./make-derivation.nix {
inherit lib config stdenv;
}) mkDerivation;

4
pkgs/stdenv/generic/setup.sh
View File

@ -280,10 +280,6 @@ if [ -z "${SHELL:-}" ]; then echo "SHELL not set"; exit 1; fi
BASH="$SHELL"
export CONFIG_SHELL="$SHELL"
# Dummy implementation of the paxmark function. On Linux, this is
# overwritten by paxctl's setup hook.
paxmark() { true; }
# Execute the pre-hook.
if [ -z "${shell:-}" ]; then export shell="$SHELL"; fi

10
pkgs/stdenv/linux/default.nix
View File

@ -216,7 +216,7 @@ in
inherit (prevStage)
ccWrapperStdenv
gcc-unwrapped coreutils gnugrep
perl paxctl gnum4 bison;
perl gnum4 bison;
# This also contains the full, dynamically linked, final Glibc.
binutils = prevStage.binutils.override {
# Rewrap the binutils with the new glibc, so both the next
@ -250,7 +250,7 @@ in
isl = isl_0_17;
};
};
extraNativeBuildInputs = [ prevStage.patchelf prevStage.paxctl ] ++
extraNativeBuildInputs = [ prevStage.patchelf ] ++
# Many tarballs come with obsolete config.sub/config.guess that don't recognize aarch64.
lib.optional (!localSystem.isx86 || localSystem.libc == "musl")
prevStage.updateAutotoolsGnuConfigScriptsHook;
@ -325,7 +325,7 @@ in
initialPath =
((import ../common-path.nix) {pkgs = prevStage;});
extraNativeBuildInputs = [ prevStage.patchelf prevStage.paxctl ] ++
extraNativeBuildInputs = [ prevStage.patchelf ] ++
# Many tarballs come with obsolete config.sub/config.guess that don't recognize aarch64.
lib.optional (!localSystem.isx86 || localSystem.libc == "musl")
prevStage.updateAutotoolsGnuConfigScriptsHook;
@ -349,7 +349,7 @@ in
# Simple executable tools
concatMap (p: [ (getBin p) (getLib p) ]) [
gzip bzip2 xz bash binutils.bintools coreutils diffutils findutils
gawk gnumake gnused gnutar gnugrep gnupatch patchelf ed paxctl
gawk gnumake gnused gnutar gnugrep gnupatch patchelf ed
]
# Library dependencies
++ map getLib (
@ -368,7 +368,7 @@ in
inherit (prevStage)
gzip bzip2 xz bash coreutils diffutils findutils gawk
gnumake gnused gnutar gnugrep gnupatch patchelf
attr acl paxctl zlib pcre;
attr acl zlib pcre;
${localSystem.libc} = getLibc prevStage;
} // lib.optionalAttrs (super.stdenv.targetPlatform == localSystem) {
# Need to get rid of these when cross-compiling.

2
pkgs/tools/misc/grub/2.0x.nix
View File

@ -109,8 +109,6 @@ stdenv.mkDerivation rec {
enableParallelBuilding = true;
postInstall = ''
paxmark pms $out/sbin/grub-{probe,bios-setup}
# Avoid a runtime reference to gcc
sed -i $out/lib/grub/*/modinfo.sh -e "/grub_target_cppflags=/ s|'.*'|' '|"
'';

4
pkgs/tools/misc/grub/trusted.nix
View File

@ -90,10 +90,6 @@ stdenv.mkDerivation rec {
doCheck = false;
enableParallelBuilding = true;
postInstall = ''
paxmark pms $out/sbin/grub-{probe,bios-setup}
'';
meta = with stdenv.lib; {
description = "GRUB 2.0 extended with TCG (TPM) support for integrity measured boot process (trusted boot)";
homepage = https://github.com/Sirrix-AG/TrustedGRUB2;