grsecurity: Add paxctl, paxmark and stdenv.needsPax to stdenv

author: Ricardo M. Correia <rcorreia@wizy.org> 2014-02-17 19:29:43 +0100
committer: Ricardo M. Correia <rcorreia@wizy.org> 2014-05-15 13:25:46 +0200
commit: 8d5ce245a29751db6c30f48cd102630d8922c3f2 (patch)
tree: 79474866c47fef755b2afddf2f1ffbfe24c4db24 /pkgs/stdenv
parent: 4be7e939a055f835d441b0891313e071d94e2e71 (diff)
3 files changed, 21 insertions, 2 deletions
diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix
index 14da127b9e052..1e2d76bb9810f 100644
--- a/pkgs/stdenv/generic/default.nix
+++ b/pkgs/stdenv/generic/default.nix
@@ -10,6 +10,8 @@ let lib = import ../../../lib; in lib.makeOverridable (
 , setupScript ? ./setup.sh
 
 , extraBuildInputs ? []
+
+, skipPaxMarking ? false
 }:
 
 let
@@ -157,6 +159,9 @@ let
            || system == "armv6l-linux"
            || system == "armv7l-linux";
 
+      # Whether we should run paxctl to pax-mark binaries
+      needsPax = isLinux && !skipPaxMarking;
+
       # For convenience, bring in the library functions in lib/ so
       # packages don't have to do that themselves.
       inherit lib;
diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh
index 1d79a45678c21..ce83b1f696109 100644
--- a/pkgs/stdenv/generic/setup.sh
+++ b/pkgs/stdenv/generic/setup.sh
@@ -93,6 +93,7 @@ PATH=
 for i in $NIX_GCC @initialPath@; do
     if [ "$i" = / ]; then i=; fi
     addToSearchPath PATH $i/bin
+    addToSearchPath PATH $i/sbin
 done
 
 if [ "$NIX_DEBUG" = 1 ]; then
@@ -293,6 +294,18 @@ stripDirs() {
     fi
 }
 
+# PaX-mark binaries
+paxmark() {
+    local flags="$1"
+    shift
+
+    if [ -z "@needsPax@" ]; then
+        return
+    fi
+
+    paxctl -c "$@"
+    paxctl -zex -${flags} "$@"
+}
 
 ######################################################################
 # Textual substitution functions.
diff --git a/pkgs/stdenv/linux/default.nix b/pkgs/stdenv/linux/default.nix
index 1c6a93b222d2e..23cccf223f4f5 100644
--- a/pkgs/stdenv/linux/default.nix
+++ b/pkgs/stdenv/linux/default.nix
@@ -210,6 +210,7 @@ rec {
     extraAttrs = {
       glibc = stdenvLinuxGlibc;   # Required by gcc47 build
     };
+    extraPath = [ stdenvLinuxBoot1Pkgs.paxctl ];
     inherit fetchurl;
   };
 
@@ -268,7 +269,7 @@ rec {
 
     initialPath =
       ((import ../common-path.nix) {pkgs = stdenvLinuxBoot4Pkgs;})
-      ++ [stdenvLinuxBoot4Pkgs.patchelf];
+      ++ [stdenvLinuxBoot4Pkgs.patchelf stdenvLinuxBoot4Pkgs.paxctl ];
 
     gcc = wrapGCC rec {
       inherit (stdenvLinuxBoot4Pkgs) binutils coreutils;
@@ -295,7 +296,7 @@ rec {
       inherit (stdenvLinuxBoot4Pkgs)
         gzip bzip2 xz bash coreutils diffutils findutils gawk
         gnumake gnused gnutar gnugrep gnupatch patchelf
-        attr acl;
+        attr acl paxctl;
     };
   };
author	Ricardo M. Correia <rcorreia@wizy.org>	2014-02-17 19:29:43 +0100
committer	Ricardo M. Correia <rcorreia@wizy.org>	2014-05-15 13:25:46 +0200
commit	8d5ce245a29751db6c30f48cd102630d8922c3f2 (patch)
tree	79474866c47fef755b2afddf2f1ffbfe24c4db24 /pkgs/stdenv
parent	4be7e939a055f835d441b0891313e071d94e2e71 (diff)