author | Joachim Fasting <joachifm@fastmail.fm> | 2016-07-23 16:09:48 +0200 |
---|---|---|
committer | Joachim Fasting <joachifm@fastmail.fm> | 2016-07-23 19:09:48 +0200 |
commit | c6ccc96397e8df77aff2c73d3457c1ecb99d3f8e (patch) | |
tree | e2590740f5bade2b7bc16fbf9e432fa33d4d9688 /doc | |
parent | edbaba6d3cf84ca86a6fb939ec6099f20c691ed6 (diff) |
nixpkgs manual: document the paxctl setup-hook
Diffstat (limited to 'doc')
-rw-r--r-- | doc/stdenv.xml | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/doc/stdenv.xml b/doc/stdenv.xml index b075e0219a545..ee01dcf01df7e 100644 --- a/doc/stdenv.xml +++ b/doc/stdenv.xml @@ -1319,6 +1319,25 @@ someVar=$(stripHash $name; echo $strippedName) <envar>GST_PLUGIN_SYSTEM_PATH</envar> environment variable.</para></listitem> </varlistentry> + <varlistentry> + <term>paxctl</term> + <listitem><para>Defines the <varname>paxmark</varname> helper for + setting per-executable PaX flags on Linux (where it is available by + default; on all other platforms, <varname>paxmark</varname> is a no-op). + For example, to disable secure memory protections on the executable + <replaceable>foo</replaceable>: + <programlisting> + postFixup = '' + paxmark m $out/bin/<replaceable>foo</replaceable> + ''; + </programlisting> + The <literal>m</literal> flag is the most common flag and is typically + required for applications that employ JIT compilation or otherwise need to + execute code generated at run-time. Disabling PaX protections should be + considered a last resort: if possible, problematic features should be + disabled or patched to work with PaX.</para></listitem> + </varlistentry> + </variablelist> </para> |
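Review bot: In the added paxctl entry, "disable secure memory protections" does not say which PaX restriction the `m` flag lifts, and "the most common flag" implies other flags that are never listed. Name the specific protection that `m` turns off and either list the other flags `paxmark` accepts or point to where they are documented, so that packagers can choose the narrowest exemption instead of copying `m` by default. The parenthetical "(where it is available by default; ...)" is also ambiguous about whether "it" means the helper or PaX itself; rewording it would help. Finally, the `<programlisting>` body is indented along with the surrounding XML and begins on a new line, so the leading newline and whitespace will render verbatim; start the content directly after the opening tag.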