qt5.6/5.7: PaX compat qtwebengine

* paxmark QtWebEngineProcess so it executes on PaX kernels
* when building on host w/PaX apply patch to fix mksnapshot

Patch taken from Gentoo[1], slightly modified to use paxctl directly.

[1] https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-qt/qtwebengine/files/qtwebengine-paxmark-mksnapshot.patch
This commit is contained in:
Will Dietz 2016-12-07 13:12:47 -06:00
parent 1c50bdd928
commit 7c29e476a7
5 changed files with 102 additions and 2 deletions

View File

@ -11,6 +11,7 @@
, coreutils
, pkgconfig, python2
, stdenv # lib.optional, needsPax
}:
qtSubmodule {
@ -60,11 +61,14 @@ qtSubmodule {
];
patches = [
./chromium-clang-update-py.patch
];
] ++ stdenv.lib.optional stdenv.needsPax ./qtwebengine-paxmark-mksnapshot.patch;
postInstall = ''
cat > $out/libexec/qt.conf <<EOF
[Paths]
Prefix = ..
EOF
paxmark m $out/libexec/QtWebEngineProcess
'';
}

View File

@ -0,0 +1,46 @@
--- qtwebengine-opensource-src-5.6.0-orig/src/3rdparty/chromium/v8/tools/gyp/v8.gyp 2016-03-04 01:48:36.000000000 +1100
+++ qtwebengine-opensource-src-5.6.0/src/3rdparty/chromium/v8/tools/gyp/v8.gyp 2016-05-01 19:15:44.052770543 +1000
@@ -33,6 +33,7 @@
'embed_script%': "",
'v8_extra_library_files%': [],
'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)',
+ 'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)',
'remove_v8base_debug_symbols%': 0,
},
'includes': ['../../build/toolchain.gypi', '../../build/features.gypi'],
@@ -1913,7 +1914,7 @@
]
},
{
- 'target_name': 'mksnapshot',
+ 'target_name': 'mksnapshot_u',
'type': 'executable',
'dependencies': ['v8_base', 'v8_nosnapshot', 'v8_libplatform'],
'include_dirs+': [
@@ -1936,5 +1937,26 @@
}],
],
},
+ {
+ 'target_name': 'mksnapshot',
+ 'type': 'executable',
+ 'dependencies': ['mksnapshot_u'],
+ 'actions': [
+ {
+ 'action_name': 'paxmark_m_mksnapshot',
+ 'inputs': [
+ '<(mksnapshot_u_exec)',
+ ],
+ 'outputs': [
+ '<(mksnapshot_exec)',
+ ],
+ 'action': [
+ 'sh',
+ '-c',
+ 'cp <(mksnapshot_u_exec) <(mksnapshot_exec) && paxctl -czexm <(mksnapshot_exec)',
+ ],
+ },
+ ],
+ },
],
}

View File

@ -90,7 +90,7 @@ let
qttranslations = callPackage ./qttranslations.nix {};
qtwayland = callPackage ./qtwayland.nix {};
qtwebchannel = callPackage ./qtwebchannel.nix {};
qtwebengine = callPackage ./qtwebengine.nix {};
qtwebengine = callPackage ./qtwebengine {};
qtwebkit = callPackage ./qtwebkit {};
qtwebsockets = callPackage ./qtwebsockets.nix {};
qtx11extras = callPackage ./qtx11extras.nix {};

View File

@ -11,6 +11,7 @@
, coreutils
, pkgconfig, python2
, stdenv # lib.optional, needsPax
}:
qtSubmodule {
@ -53,10 +54,13 @@ qtSubmodule {
libcap
pciutils
];
patches = stdenv.lib.optional stdenv.needsPax ./qtwebengine-paxmark-mksnapshot.patch;
postInstall = ''
cat > $out/libexec/qt.conf <<EOF
[Paths]
Prefix = ..
EOF
paxmark m $out/libexec/QtWebEngineProcess
'';
}

View File

@ -0,0 +1,46 @@
--- qtwebengine-opensource-src-5.6.0-orig/src/3rdparty/chromium/v8/tools/gyp/v8.gyp 2016-03-04 01:48:36.000000000 +1100
+++ qtwebengine-opensource-src-5.6.0/src/3rdparty/chromium/v8/tools/gyp/v8.gyp 2016-05-01 19:15:44.052770543 +1000
@@ -33,6 +33,7 @@
'embed_script%': "",
'v8_extra_library_files%': [],
'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)',
+ 'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)',
'remove_v8base_debug_symbols%': 0,
},
'includes': ['../../build/toolchain.gypi', '../../build/features.gypi'],
@@ -1913,7 +1914,7 @@
]
},
{
- 'target_name': 'mksnapshot',
+ 'target_name': 'mksnapshot_u',
'type': 'executable',
'dependencies': ['v8_base', 'v8_nosnapshot', 'v8_libplatform'],
'include_dirs+': [
@@ -1936,5 +1937,26 @@
}],
],
},
+ {
+ 'target_name': 'mksnapshot',
+ 'type': 'executable',
+ 'dependencies': ['mksnapshot_u'],
+ 'actions': [
+ {
+ 'action_name': 'paxmark_m_mksnapshot',
+ 'inputs': [
+ '<(mksnapshot_u_exec)',
+ ],
+ 'outputs': [
+ '<(mksnapshot_exec)',
+ ],
+ 'action': [
+ 'sh',
+ '-c',
+ 'cp <(mksnapshot_u_exec) <(mksnapshot_exec) && paxctl -czexm <(mksnapshot_exec)',
+ ],
+ },
+ ],
+ },
],
}