Diffstat (limited to 'pkgs/development')
48 files changed, 10 insertions, 611 deletions
diff --git a/pkgs/development/compilers/adoptopenjdk-bin/jdk-linux-base.nix b/pkgs/development/compilers/adoptopenjdk-bin/jdk-linux-base.nix index eb614b0784f99..531cf3a80517f 100644 --- a/pkgs/development/compilers/adoptopenjdk-bin/jdk-linux-base.nix +++ b/pkgs/development/compilers/adoptopenjdk-bin/jdk-linux-base.nix @@ -61,14 +61,6 @@ let result = stdenv.mkDerivation rec { installPhase = '' cd .. - # Set PaX markings - exes=$(file $sourceRoot/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//') - for file in $exes; do - paxmark m "$file" - # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well. - ${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''} - done - mv $sourceRoot $out rm -rf $out/demo diff --git a/pkgs/development/compilers/gcc/builder.sh b/pkgs/development/compilers/gcc/builder.sh index 75e70006d749f..07a003691d6b2 100644 --- a/pkgs/development/compilers/gcc/builder.sh +++ b/pkgs/development/compilers/gcc/builder.sh @@ -282,11 +282,6 @@ postInstall() { fi done - # Disable RANDMMAP on grsec, which causes segfaults when using - # precompiled headers. - # See https://bugs.gentoo.org/show_bug.cgi?id=301299#c31 - paxmark r $out/libexec/gcc/*/*/{cc1,cc1plus} - # Two identical man pages are shipped (moving and compressing is done later) ln -sf gcc.1 "$out"/share/man/man1/g++.1 } diff --git a/pkgs/development/compilers/ghc/8.2.2-binary.nix b/pkgs/development/compilers/ghc/8.2.2-binary.nix index 039eea744f36a..f52d8fd4a11f6 100644 --- a/pkgs/development/compilers/ghc/8.2.2-binary.nix +++ b/pkgs/development/compilers/ghc/8.2.2-binary.nix @@ -105,8 +105,6 @@ stdenv.mkDerivation rec { --replace-needed libtinfo.so libtinfo.so.5 \ --interpreter ${glibcDynLinker} {} \; - paxmark m ./ghc-${version}/ghc/stage2/build/tmp/ghc-stage2 - sed -i "s|/usr/bin/perl|perl\x00 |" ghc-${version}/ghc/stage2/build/tmp/ghc-stage2 sed -i "s|/usr/bin/gcc|gcc\x00 |" ghc-${version}/ghc/stage2/build/tmp/ghc-stage2 ''; 
diff --git a/pkgs/development/compilers/ghc/8.2.2.nix b/pkgs/development/compilers/ghc/8.2.2.nix index 3b9fecd55e107..3e355dc302d6f 100644 --- a/pkgs/development/compilers/ghc/8.2.2.nix +++ b/pkgs/development/compilers/ghc/8.2.2.nix @@ -238,11 +238,6 @@ stdenv.mkDerivation (rec { hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie"; postInstall = '' - for bin in "$out"/lib/${name}/bin/*; do - isELF "$bin" || continue - paxmark m "$bin" - done - # Install the bash completion file. install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc diff --git a/pkgs/development/compilers/ghc/8.4.4.nix b/pkgs/development/compilers/ghc/8.4.4.nix index 4db5c07b4601d..c5fe3c925f00a 100644 --- a/pkgs/development/compilers/ghc/8.4.4.nix +++ b/pkgs/development/compilers/ghc/8.4.4.nix @@ -214,11 +214,6 @@ stdenv.mkDerivation (rec { hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie"; postInstall = '' - for bin in "$out"/lib/${name}/bin/*; do - isELF "$bin" || continue - paxmark m "$bin" - done - # Install the bash completion file. install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc diff --git a/pkgs/development/compilers/ghc/8.6.1.nix b/pkgs/development/compilers/ghc/8.6.1.nix index 5710c60338a8f..b54164ccc696d 100644 --- a/pkgs/development/compilers/ghc/8.6.1.nix +++ b/pkgs/development/compilers/ghc/8.6.1.nix @@ -195,11 +195,6 @@ stdenv.mkDerivation (rec { hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie"; postInstall = '' - for bin in "$out"/lib/${name}/bin/*; do - isELF "$bin" || continue - paxmark m "$bin" - done - # Install the bash completion file. install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc 
diff --git a/pkgs/development/compilers/ghc/8.6.2.nix b/pkgs/development/compilers/ghc/8.6.2.nix index 914d6ae08facb..07d4420804ddf 100644 --- a/pkgs/development/compilers/ghc/8.6.2.nix +++ b/pkgs/development/compilers/ghc/8.6.2.nix @@ -195,11 +195,6 @@ stdenv.mkDerivation (rec { hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie"; postInstall = '' - for bin in "$out"/lib/${name}/bin/*; do - isELF "$bin" || continue - paxmark m "$bin" - done - # Install the bash completion file. install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc diff --git a/pkgs/development/compilers/ghc/8.6.3.nix b/pkgs/development/compilers/ghc/8.6.3.nix index b29b7facd1f47..4e1f0dd9fc723 100644 --- a/pkgs/development/compilers/ghc/8.6.3.nix +++ b/pkgs/development/compilers/ghc/8.6.3.nix @@ -192,11 +192,6 @@ stdenv.mkDerivation (rec { hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie"; postInstall = '' - for bin in "$out"/lib/${name}/bin/*; do - isELF "$bin" || continue - paxmark m "$bin" - done - # Install the bash completion file. install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc diff --git a/pkgs/development/compilers/ghc/head.nix b/pkgs/development/compilers/ghc/head.nix index 42119682892dc..65a4a0c4ecdb7 100644 --- a/pkgs/development/compilers/ghc/head.nix +++ b/pkgs/development/compilers/ghc/head.nix @@ -177,11 +177,6 @@ stdenv.mkDerivation (rec { hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie"; postInstall = '' - for bin in "$out"/lib/${name}/bin/*; do - isELF "$bin" || continue - paxmark m "$bin" - done - # Install the bash completion file. install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc 
diff --git a/pkgs/development/compilers/jetbrains-jdk/default.nix b/pkgs/development/compilers/jetbrains-jdk/default.nix index 39fab8b25d8f6..876e474bed973 100644 --- a/pkgs/development/compilers/jetbrains-jdk/default.nix +++ b/pkgs/development/compilers/jetbrains-jdk/default.nix @@ -25,11 +25,6 @@ let drv = stdenv.mkDerivation rec { installPhase = '' cd .. - exes=$(file $sourceRoot/bin/* $sourceRoot/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//') - for file in $exes; do - paxmark m "$file" - done - mv $sourceRoot $out jrePath=$out/jre ''; diff --git a/pkgs/development/compilers/julia/0004-hardened.patch b/pkgs/development/compilers/julia/0004-hardened.patch deleted file mode 100644 index 901f967c9d554..0000000000000 --- a/pkgs/development/compilers/julia/0004-hardened.patch +++ /dev/null @@ -1,25 +0,0 @@ -From eddb251a00ace6e63e32e7dcb9e1ec632cac14e0 Mon Sep 17 00:00:00 2001 -From: Will Dietz <w@wdtz.org> -Date: Wed, 1 Feb 2017 06:09:49 -0600 -Subject: [PATCH] Set pax flags on julia binaries to disable memory protection. - ---- - Makefile | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/Makefile b/Makefile -index 0e28cc87b..aab8cfa8d 100644 ---- a/Makefile -+++ b/Makefile -@@ -91,6 +91,8 @@ julia-src-release julia-src-debug : julia-src-% : julia-deps julia_flisp.boot.in - - julia-ui-release julia-ui-debug : julia-ui-% : julia-src-% - @$(MAKE) $(QUIET_MAKE) -C $(BUILDROOT)/ui julia-$* -+ @echo "setting PaX flags on $(JULIA_EXECUTABLE_$*)" -+ @paxctl -czexm $(JULIA_EXECUTABLE_$*) - - julia-inference : julia-base julia-ui-$(JULIA_BUILD_MODE) $(build_prefix)/.examples - @$(MAKE) $(QUIET_MAKE) -C $(BUILDROOT) $(build_private_libdir)/inference.ji JULIA_BUILD_MODE=$(JULIA_BUILD_MODE) --- -2.11.0 - diff --git a/pkgs/development/compilers/julia/default.nix b/pkgs/development/compilers/julia/default.nix index 086570f5ce20a..4c0b1359bd8d2 100644 --- a/pkgs/development/compilers/julia/default.nix 
+++ b/pkgs/development/compilers/julia/default.nix @@ -1,6 +1,6 @@ { stdenv, fetchurl, fetchzip # build tools -, gfortran, m4, makeWrapper, patchelf, perl, which, python2, paxctl +, gfortran, m4, makeWrapper, patchelf, perl, which, python2 # libjulia dependencies , libunwind, readline, utf8proc, zlib , llvm @@ -75,7 +75,7 @@ stdenv.mkDerivation rec { patches = [ ./0001.1-use-system-utf8proc.patch ./0002-use-system-suitesparse.patch - ] ++ stdenv.lib.optional stdenv.needsPax ./0004-hardened.patch; + ]; postPatch = '' patchShebangs . contrib @@ -96,8 +96,7 @@ stdenv.mkDerivation rec { ++ stdenv.lib.optionals stdenv.isDarwin [CoreServices ApplicationServices] ; - nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ] - ++ stdenv.lib.optional stdenv.needsPax paxctl; + nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ]; makeFlags = let diff --git a/pkgs/development/compilers/julia/shared.nix b/pkgs/development/compilers/julia/shared.nix index 70ff40cd7ec5a..95b45adcc6fc7 100644 --- a/pkgs/development/compilers/julia/shared.nix +++ b/pkgs/development/compilers/julia/shared.nix @@ -5,7 +5,7 @@ }: { stdenv, fetchurl, fetchzip # build tools -, gfortran, m4, makeWrapper, patchelf, perl, which, python2, paxctl +, gfortran, m4, makeWrapper, patchelf, perl, which, python2 , llvm, cmake # libjulia dependencies , libunwind, readline, utf8proc, zlib @@ -95,7 +95,7 @@ stdenv.mkDerivation rec { patches = [ ./0001.1-use-system-utf8proc.patch - ] ++ stdenv.lib.optional stdenv.needsPax ./0004-hardened.patch; + ]; postPatch = '' patchShebangs . contrib @@ -117,8 +117,7 @@ stdenv.mkDerivation rec { ++ stdenv.lib.optionals stdenv.isDarwin [CoreServices ApplicationServices] ; - nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ] - ++ stdenv.lib.optional stdenv.needsPax paxctl; + nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ]; makeFlags = let 
diff --git a/pkgs/development/compilers/llvm/3.5/llvm.nix b/pkgs/development/compilers/llvm/3.5/llvm.nix index 388da007d33d5..2645469767ad1 100644 --- a/pkgs/development/compilers/llvm/3.5/llvm.nix +++ b/pkgs/development/compilers/llvm/3.5/llvm.nix @@ -81,12 +81,6 @@ in stdenv.mkDerivation rec { postBuild = '' rm -fR $out - - paxmark m bin/{lli,llvm-rtdyld} - - paxmark m unittests/ExecutionEngine/JIT/JITTests - paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests - paxmark m unittests/Support/SupportTests ''; enableParallelBuilding = true; diff --git a/pkgs/development/compilers/llvm/3.7/llvm.nix b/pkgs/development/compilers/llvm/3.7/llvm.nix index e540469c6278f..a6fd18f94d68b 100644 --- a/pkgs/development/compilers/llvm/3.7/llvm.nix +++ b/pkgs/development/compilers/llvm/3.7/llvm.nix @@ -89,8 +89,6 @@ in stdenv.mkDerivation rec { postBuild = '' rm -fR $out - - paxmark m bin/{lli,llvm-rtdyld} ''; enableParallelBuilding = true; diff --git a/pkgs/development/compilers/llvm/3.8/llvm.nix b/pkgs/development/compilers/llvm/3.8/llvm.nix index c246bfe496ed3..fcb4214a1de8e 100644 --- a/pkgs/development/compilers/llvm/3.8/llvm.nix +++ b/pkgs/development/compilers/llvm/3.8/llvm.nix @@ -97,8 +97,6 @@ in stdenv.mkDerivation rec { postBuild = '' rm -fR $out - - paxmark m bin/{lli,llvm-rtdyld} ''; postInstall = stdenv.lib.optionalString (stdenv.isDarwin && enableSharedLibraries) '' diff --git a/pkgs/development/compilers/llvm/3.9/llvm.nix b/pkgs/development/compilers/llvm/3.9/llvm.nix index 3cc1a4d6ccec5..00c56e49e374e 100644 --- a/pkgs/development/compilers/llvm/3.9/llvm.nix +++ b/pkgs/development/compilers/llvm/3.9/llvm.nix @@ -141,8 +141,6 @@ in stdenv.mkDerivation rec { postBuild = '' rm -fR $out - - paxmark m bin/{lli,llvm-rtdyld} ''; postInstall = "" diff --git a/pkgs/development/compilers/llvm/4/llvm.nix b/pkgs/development/compilers/llvm/4/llvm.nix index 7d93fec6a125e..aac9c4275ad46 100644 --- a/pkgs/development/compilers/llvm/4/llvm.nix 
+++ b/pkgs/development/compilers/llvm/4/llvm.nix @@ -121,12 +121,6 @@ in stdenv.mkDerivation (rec { postBuild = '' rm -fR $out - - paxmark m bin/{lli,llvm-rtdyld} - paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests - paxmark m unittests/ExecutionEngine/Orc/OrcJITTests - paxmark m unittests/Support/SupportTests - paxmark m bin/lli-child-target ''; preCheck = '' diff --git a/pkgs/development/compilers/llvm/5/llvm.nix b/pkgs/development/compilers/llvm/5/llvm.nix index 5277205f8803c..9e181a1202bae 100644 --- a/pkgs/development/compilers/llvm/5/llvm.nix +++ b/pkgs/development/compilers/llvm/5/llvm.nix @@ -98,12 +98,6 @@ in stdenv.mkDerivation (rec { postBuild = '' rm -fR $out - - paxmark m bin/{lli,llvm-rtdyld} - paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests - paxmark m unittests/ExecutionEngine/Orc/OrcJITTests - paxmark m unittests/Support/SupportTests - paxmark m bin/lli-child-target ''; preCheck = '' diff --git a/pkgs/development/compilers/llvm/6/llvm.nix b/pkgs/development/compilers/llvm/6/llvm.nix index 192439b019bcf..328f95f11b34a 100644 --- a/pkgs/development/compilers/llvm/6/llvm.nix +++ b/pkgs/development/compilers/llvm/6/llvm.nix @@ -115,12 +115,6 @@ in stdenv.mkDerivation (rec { postBuild = '' rm -fR $out - - paxmark m bin/{lli,llvm-rtdyld} - paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests - paxmark m unittests/ExecutionEngine/Orc/OrcJITTests - paxmark m unittests/Support/SupportTests - paxmark m bin/lli-child-target ''; preCheck = '' diff --git a/pkgs/development/compilers/llvm/7/llvm.nix b/pkgs/development/compilers/llvm/7/llvm.nix index d085f3af0eaba..2ef6b147214c9 100644 --- a/pkgs/development/compilers/llvm/7/llvm.nix +++ b/pkgs/development/compilers/llvm/7/llvm.nix 
@@ -110,12 +110,6 @@ in stdenv.mkDerivation (rec { postBuild = '' rm -fR $out - - paxmark m bin/{lli,llvm-rtdyld} - paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests - paxmark m unittests/ExecutionEngine/Orc/OrcJITTests - paxmark m unittests/Support/SupportTests - paxmark m bin/lli-child-target ''; preCheck = '' diff --git a/pkgs/development/compilers/openjdk/11.nix b/pkgs/development/compilers/openjdk/11.nix index 42208ecf8d950..a389f0f5ca1a2 100644 --- a/pkgs/development/compilers/openjdk/11.nix +++ b/pkgs/development/compilers/openjdk/11.nix @@ -21,7 +21,6 @@ let update = ".0.1"; build = "13"; repover = "jdk-${major}${update}+${build}"; - paxflags = if stdenv.isi686 then "msp" else "m"; openjdk = stdenv.mkDerivation { name = "openjdk-${major}${update}-b${build}"; @@ -106,14 +105,6 @@ let rm $out/lib/openjdk/lib/{libjsound,libfontmanager}.so ''} - # Set PaX markings - exes=$(file $out/lib/openjdk/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//') - echo "to mark: *$exes*" - for file in $exes; do - echo "marking *$file*" - paxmark ${paxflags} "$file" - done - ln -s $out/lib/openjdk/bin $out/bin ''; diff --git a/pkgs/development/compilers/openjdk/8.nix b/pkgs/development/compilers/openjdk/8.nix index d26627ff5b9c3..19b16921e3293 100644 --- a/pkgs/development/compilers/openjdk/8.nix +++ b/pkgs/development/compilers/openjdk/8.nix @@ -25,7 +25,6 @@ let build = "26"; baseurl = "http://hg.openjdk.java.net/jdk8u/jdk8u"; repover = "jdk8u${update}-b${build}"; - paxflags = if stdenv.isi686 then "msp" else "m"; jdk8 = fetchurl { url = "${baseurl}/archive/${repover}.tar.gz"; sha256 = "1hx5sfsglc101aqs9n7cz7rh447d6rxfxkbw03crvzbvy9n6ag2d"; 
@@ -176,14 +175,6 @@ let rm -rf $out/lib/openjdk/jre/lib/cmm ln -s {$jre,$out}/lib/openjdk/jre/lib/cmm - # Set PaX markings - exes=$(file $out/lib/openjdk/bin/* $jre/lib/openjdk/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//') - echo "to mark: *$exes*" - for file in $exes; do - echo "marking *$file*" - paxmark ${paxflags} "$file" - done - # Remove duplicate binaries. for i in $(cd $out/lib/openjdk/bin && echo *); do if [ "$i" = java ]; then continue; fi diff --git a/pkgs/development/compilers/openjdk/bootstrap.nix b/pkgs/development/compilers/openjdk/bootstrap.nix index 1b20ca6cc6060..e58888cc9ed85 100644 --- a/pkgs/development/compilers/openjdk/bootstrap.nix +++ b/pkgs/development/compilers/openjdk/bootstrap.nix @@ -36,13 +36,5 @@ let patchelf --set-interpreter $(cat "${stdenv.cc}/nix-support/dynamic-linker") "$elf" || true patchelf --set-rpath "${stdenv.cc.libc}/lib:${stdenv.cc.cc.lib}/lib:${zlib}/lib:$LIBDIRS" "$elf" || true done - - # Temporarily, while NixOS's OpenJDK bootstrap tarball doesn't have PaX markings: - find "$out/bin" -type f -print0 | while IFS= read -r -d "" elf; do - isELF "$elf" || continue - paxmark m "$elf" - # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well. - ${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$elf"''} - done ''; in bootstrap diff --git a/pkgs/development/compilers/oraclejdk/jdk-linux-base.nix b/pkgs/development/compilers/oraclejdk/jdk-linux-base.nix index 5d55e0554e555..8e04b776ed8ac 100644 --- a/pkgs/development/compilers/oraclejdk/jdk-linux-base.nix +++ b/pkgs/development/compilers/oraclejdk/jdk-linux-base.nix 
@@ -93,14 +93,6 @@ let result = stdenv.mkDerivation rec { installPhase = '' cd .. - # Set PaX markings - exes=$(file $sourceRoot/bin/* $sourceRoot/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//') - for file in $exes; do - paxmark m "$file" || true - # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well. - ${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''} - done - if test -z "$installjdk"; then mv $sourceRoot/jre $out else diff --git a/pkgs/development/compilers/swift/default.nix b/pkgs/development/compilers/swift/default.nix index bbfa1be8f921e..02b100fe61305 100644 --- a/pkgs/development/compilers/swift/default.nix +++ b/pkgs/development/compilers/swift/default.nix @@ -27,7 +27,6 @@ , git , libgit2 , fetchFromGitHub -, paxctl , findutils , makeWrapper , gnumake @@ -150,7 +149,7 @@ stdenv.mkDerivation rec { findutils makeWrapper gnumake - ] ++ stdenv.lib.optional stdenv.needsPax paxctl; + ]; # TODO: Revisit what's propagated and how propagatedBuildInputs = [ @@ -218,9 +217,6 @@ stdenv.mkDerivation rec { substituteInPlace swift/utils/build-script-impl \ --replace '/usr/include/c++' "${clang.cc.gcc}/include/c++" patch -p1 -d swift -i ${./patches/glibc-arch-headers.patch} - '' + stdenv.lib.optionalString stdenv.needsPax '' - patch -p1 -d swift -i ${./patches/build-script-pax.patch} - '' + '' patch -p1 -d swift -i ${./patches/0001-build-presets-linux-don-t-require-using-Ninja.patch} patch -p1 -d swift -i ${./patches/0002-build-presets-linux-allow-custom-install-prefix.patch} patch -p1 -d swift -i ${./patches/0004-build-presets-linux-plumb-extra-cmake-options.patch} 
@@ -266,9 +262,6 @@ stdenv.mkDerivation rec { tar xf $INSTALLABLE_PACKAGE -C $out --strip-components=3 $PREFIX find $out -type d -empty -delete - paxmark pmr $out/bin/swift - paxmark pmr $out/bin/* - # TODO: Use wrappers to get these on the PATH for swift tools, instead ln -s ${clang}/bin/* $out/bin/ ln -s ${targetPackages.stdenv.cc.bintools.bintools_bin}/bin/ar $out/bin/ar diff --git a/pkgs/development/compilers/swift/patches/build-script-pax.patch b/pkgs/development/compilers/swift/patches/build-script-pax.patch deleted file mode 100644 index 1f47bf8ee0452..0000000000000 --- a/pkgs/development/compilers/swift/patches/build-script-pax.patch +++ /dev/null @@ -1,33 +0,0 @@ ---- swift/utils/build-script-impl 2017-01-23 12:47:20.401326309 -0600 -+++ swift-pax/utils/build-script-impl 2017-01-23 13:24:10.339366996 -0600 -@@ -1837,6 +1837,17 @@ function set_lldb_xcodebuild_options() { - fi - } - -+## XXX: Taken from nixpkgs /pkgs/stdenv/generic/setup.sh -+isELF() { -+ local fn="$1" -+ local fd -+ local magic -+ exec {fd}< "$fn" -+ read -n 4 -u $fd magic -+ exec {fd}<&- -+ if [[ "$magic" =~ ELF ]]; then return 0; else return 1; fi -+} -+ - # - # Configure and build each product - # -@@ -2735,6 +2746,12 @@ for host in "${ALL_HOSTS[@]}"; do - fi - - call "${CMAKE_BUILD[@]}" "${build_dir}" $(cmake_config_opt ${product}) -- "${BUILD_ARGS[@]}" ${build_targets[@]} -+ -+ while IFS= read -r -d $'\0' i; do -+ if ! isELF "$i"; then continue; fi -+ echo "setting pax flags on $i" -+ paxctl -czexm "$i" || true -+ done < <(find "${build_dir}" -executable -type f -wholename "*/bin/*" -print0) - fi - done - done diff --git a/pkgs/development/compilers/terra/default.nix b/pkgs/development/compilers/terra/default.nix index 98795f96ffa5c..80d04080aac3c 100644 --- a/pkgs/development/compilers/terra/default.nix +++ b/pkgs/development/compilers/terra/default.nix 
@@ -51,10 +51,6 @@ stdenv.mkDerivation rec { '' ; - postFixup = '' - paxmark m $bin/bin/terra - ''; - buildInputs = with llvmPackages; [ lua llvm clang-unwrapped ncurses ]; meta = with stdenv.lib; { diff --git a/pkgs/development/compilers/tinycc/default.nix b/pkgs/development/compilers/tinycc/default.nix index da706d502e6ff..a5c3db65857f6 100644 --- a/pkgs/development/compilers/tinycc/default.nix +++ b/pkgs/development/compilers/tinycc/default.nix @@ -33,10 +33,6 @@ stdenv.mkDerivation rec { doCheck = true; checkTarget = "test"; - postFixup = '' - paxmark m $out/bin/tcc - ''; - meta = { description = "Small, fast, and embeddable C compiler and interpreter"; diff --git a/pkgs/development/interpreters/python/cpython/2.7/boot.nix b/pkgs/development/interpreters/python/cpython/2.7/boot.nix index 976d30819dbe3..ccb366903c5c3 100644 --- a/pkgs/development/interpreters/python/cpython/2.7/boot.nix +++ b/pkgs/development/interpreters/python/cpython/2.7/boot.nix @@ -77,8 +77,6 @@ stdenv.mkDerivation rec { '' ln -s $out/share/man/man1/{python2.7.1.gz,python.1.gz} - paxmark E $out/bin/python2.7 - rm "$out"/lib/python*/plat-*/regen # refers to glibc.dev ''; diff --git a/pkgs/development/interpreters/python/cpython/2.7/default.nix b/pkgs/development/interpreters/python/cpython/2.7/default.nix index 63dad3bf42fff..ff1497a24e46a 100644 --- a/pkgs/development/interpreters/python/cpython/2.7/default.nix +++ b/pkgs/development/interpreters/python/cpython/2.7/default.nix @@ -229,8 +229,6 @@ in stdenv.mkDerivation ({ ln -s $out/lib/python${majorVersion}/pdb.py $out/bin/pdb${majorVersion} ln -s $out/share/man/man1/{python2.7.1.gz,python.1.gz} - paxmark E $out/bin/python${majorVersion} - # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484 echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py 
diff --git a/pkgs/development/interpreters/python/cpython/3.5/default.nix b/pkgs/development/interpreters/python/cpython/3.5/default.nix index 92c277aacd4fd..19e9f3169c7a1 100644 --- a/pkgs/development/interpreters/python/cpython/3.5/default.nix +++ b/pkgs/development/interpreters/python/cpython/3.5/default.nix @@ -143,7 +143,6 @@ in stdenv.mkDerivation { touch $out/lib/python${majorVersion}/test/__init__.py ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}" - paxmark E $out/bin/python${majorVersion} # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484 echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py diff --git a/pkgs/development/interpreters/python/cpython/3.6/default.nix b/pkgs/development/interpreters/python/cpython/3.6/default.nix index 4c9d0c2a89621..692f5c263a3ef 100644 --- a/pkgs/development/interpreters/python/cpython/3.6/default.nix +++ b/pkgs/development/interpreters/python/cpython/3.6/default.nix @@ -164,7 +164,6 @@ in stdenv.mkDerivation { touch $out/lib/python${majorVersion}/test/__init__.py ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}" - paxmark E $out/bin/python${majorVersion} # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484 echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py diff --git a/pkgs/development/interpreters/python/cpython/3.7/default.nix b/pkgs/development/interpreters/python/cpython/3.7/default.nix index d1403ba95e4e1..80d519b109e35 100644 --- a/pkgs/development/interpreters/python/cpython/3.7/default.nix +++ b/pkgs/development/interpreters/python/cpython/3.7/default.nix 
@@ -154,7 +154,6 @@ in stdenv.mkDerivation { touch $out/lib/python${majorVersion}/test/__init__.py ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}" - paxmark E $out/bin/python${majorVersion} # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484 echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py diff --git a/pkgs/development/interpreters/spidermonkey/1.8.5.nix b/pkgs/development/interpreters/spidermonkey/1.8.5.nix index 4663719558681..9c81b230ada2f 100644 --- a/pkgs/development/interpreters/spidermonkey/1.8.5.nix +++ b/pkgs/development/interpreters/spidermonkey/1.8.5.nix @@ -44,7 +44,7 @@ stdenv.mkDerivation rec { # so the failure of that test does not matter much. configureFlags = [ "--enable-threadsafe" "--with-system-nspr" ] ++ stdenv.lib.optionals (stdenv.hostPlatform.system == "armv5tel-linux") [ - "--with-cpu-arch=armv5t" + "--with-cpu-arch=armv5t" "--disable-tracejit" ]; # hack around a make problem, see https://github.com/NixOS/nixpkgs/issues/1279#issuecomment-29547393 @@ -59,9 +59,6 @@ stdenv.mkDerivation rec { preCheck = '' rm jit-test/tests/sunspider/check-date-format-tofte.js # https://bugzil.la/600522 - - paxmark mr shell/js - paxmark mr jsapi-tests/jsapi-tests ''; meta = with stdenv.lib; { diff --git a/pkgs/development/libraries/gstreamer/legacy/gstreamer/default.nix b/pkgs/development/libraries/gstreamer/legacy/gstreamer/default.nix index d4d4082509e4b..96c9d8e0c8e13 100644 --- a/pkgs/development/libraries/gstreamer/legacy/gstreamer/default.nix +++ b/pkgs/development/libraries/gstreamer/legacy/gstreamer/default.nix @@ -36,8 +36,6 @@ stdenv.mkDerivation rec { postInstall = '' # Hm, apparently --disable-gtk-doc is ignored... rm -rf $out/share/gtk-doc - - paxmark m $out/bin/gst-launch* $out/libexec/gstreamer-*/gst-plugin-scanner ''; setupHook = ./setup-hook.sh; 
diff --git a/pkgs/development/libraries/polkit/default.nix b/pkgs/development/libraries/polkit/default.nix index 8093aec6bcc6a..83f19e442c605 100644 --- a/pkgs/development/libraries/polkit/default.nix +++ b/pkgs/development/libraries/polkit/default.nix @@ -72,13 +72,6 @@ stdenv.mkDerivation rec { makeFlags = "INTROSPECTION_GIRDIR=$(out)/share/gir-1.0 INTROSPECTION_TYPELIBDIR=$(out)/lib/girepository-1.0"; - # The following is required on grsecurity/PaX due to spidermonkey's JIT - postBuild = stdenv.lib.optionalString stdenv.isLinux '' - paxmark mr src/polkitbackend/.libs/polkitd - '' + stdenv.lib.optionalString (stdenv.isLinux && doCheck) '' - paxmark mr test/polkitbackend/.libs/polkitbackendjsauthoritytest - ''; - installFlags=["datadir=$(out)/share" "sysconfdir=$(out)/etc"]; inherit doCheck; diff --git a/pkgs/development/libraries/qt-5/5.11/default.nix b/pkgs/development/libraries/qt-5/5.11/default.nix index 6f90f1cea7f02..5fbab32acda80 100644 --- a/pkgs/development/libraries/qt-5/5.11/default.nix +++ b/pkgs/development/libraries/qt-5/5.11/default.nix @@ -61,7 +61,6 @@ let qtscript = [ ./qtscript.patch ]; qtserialport = [ ./qtserialport.patch ]; qttools = [ ./qttools.patch ]; - qtwebengine = optional stdenv.needsPax ./qtwebengine-paxmark-mksnapshot.patch; qtwebkit = [ ./qtwebkit.patch ]; }; diff --git a/pkgs/development/libraries/qt-5/5.11/qtwebengine-paxmark-mksnapshot.patch b/pkgs/development/libraries/qt-5/5.11/qtwebengine-paxmark-mksnapshot.patch deleted file mode 100644 index e1621b005c618..0000000000000 --- a/pkgs/development/libraries/qt-5/5.11/qtwebengine-paxmark-mksnapshot.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -diff --git a/src/3rdparty/chromium/v8/src/v8.gyp b/chromium/v8/src/v8.gyp -index e7e19f5059..934448c7d8 100644 ---- a/src/3rdparty/chromium/v8/src/v8.gyp -+++ b/src/3rdparty/chromium/v8/src/v8.gyp -@@ -35,6 +35,7 @@ - 'v8_extra_library_files%': [], - 'v8_experimental_extra_library_files%': [], - 'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)', -+ 'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)', - 'v8_os_page_size%': 0, - }, - 'includes': ['../gypfiles/toolchain.gypi', '../gypfiles/features.gypi', 'inspector/inspector.gypi'], -@@ -2576,7 +2577,7 @@ - ] - }, - { -- 'target_name': 'mksnapshot', -+ 'target_name': 'mksnapshot_u', - 'type': 'executable', - 'dependencies': [ - 'v8_base', -@@ -2606,5 +2607,26 @@ - }], - ], - }, -+ { -+ 'target_name': 'mksnapshot', -+ 'type': 'executable', -+ 'dependencies': ['mksnapshot_u'], -+ 'actions': [ -+ { -+ 'action_name': 'paxmark_m_mksnapshot', -+ 'inputs': [ -+ '<(mksnapshot_u_exec)', -+ ], -+ 'outputs': [ -+ '<(mksnapshot_exec)', -+ ], -+ 'action': [ -+ 'sh', -+ '-c', -+ 'cp <(mksnapshot_u_exec) <(mksnapshot_exec) && paxctl -czexm <(mksnapshot_exec)', -+ ], -+ }, -+ ], -+ }, - ], - } diff --git a/pkgs/development/libraries/qt-5/5.6/default.nix b/pkgs/development/libraries/qt-5/5.6/default.nix index e815cc8f70f21..9391999f1e902 100644 --- a/pkgs/development/libraries/qt-5/5.6/default.nix +++ b/pkgs/development/libraries/qt-5/5.6/default.nix @@ -51,8 +51,7 @@ let qtscript = [ ./qtscript.patch ]; qtserialport = [ ./qtserialport.patch ]; qttools = [ ./qttools.patch ]; - qtwebengine = [ ./qtwebengine-seccomp.patch ] - ++ optional stdenv.needsPax ./qtwebengine-paxmark-mksnapshot.patch; + qtwebengine = [ ./qtwebengine-seccomp.patch ]; qtwebkit = [ ./qtwebkit.patch ]; }; 
diff --git a/pkgs/development/libraries/qt-5/5.6/qtwebengine-paxmark-mksnapshot.patch b/pkgs/development/libraries/qt-5/5.6/qtwebengine-paxmark-mksnapshot.patch deleted file mode 100644 index b3316188f7d9f..0000000000000 --- a/pkgs/development/libraries/qt-5/5.6/qtwebengine-paxmark-mksnapshot.patch +++ /dev/null @@ -1,46 +0,0 @@ ---- qtwebengine-opensource-src-5.6.0-orig/src/3rdparty/chromium/v8/tools/gyp/v8.gyp 2016-03-04 01:48:36.000000000 +1100 -+++ qtwebengine-opensource-src-5.6.0/src/3rdparty/chromium/v8/tools/gyp/v8.gyp 2016-05-01 19:15:44.052770543 +1000 -@@ -33,6 +33,7 @@ - 'embed_script%': "", - 'v8_extra_library_files%': [], - 'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)', -+ 'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)', - 'remove_v8base_debug_symbols%': 0, - }, - 'includes': ['../../build/toolchain.gypi', '../../build/features.gypi'], -@@ -1913,7 +1914,7 @@ - ] - }, - { -- 'target_name': 'mksnapshot', -+ 'target_name': 'mksnapshot_u', - 'type': 'executable', - 'dependencies': ['v8_base', 'v8_nosnapshot', 'v8_libplatform'], - 'include_dirs+': [ -@@ -1936,5 +1937,26 @@ - }], - ], - }, -+ { -+ 'target_name': 'mksnapshot', -+ 'type': 'executable', -+ 'dependencies': ['mksnapshot_u'], -+ 'actions': [ -+ { -+ 'action_name': 'paxmark_m_mksnapshot', -+ 'inputs': [ -+ '<(mksnapshot_u_exec)', -+ ], -+ 'outputs': [ -+ '<(mksnapshot_exec)', -+ ], -+ 'action': [ -+ 'sh', -+ '-c', -+ 'cp <(mksnapshot_u_exec) <(mksnapshot_exec) && paxctl -czexm <(mksnapshot_exec)', -+ ], -+ }, -+ ], -+ }, - ], - } diff --git a/pkgs/development/libraries/qt-5/5.9/default.nix b/pkgs/development/libraries/qt-5/5.9/default.nix index 6fcb7a0dc5eb4..4acc6a6393f19 100644 --- a/pkgs/development/libraries/qt-5/5.9/default.nix +++ b/pkgs/development/libraries/qt-5/5.9/default.nix 
@@ -43,7 +43,6 @@ let qtscript = [ ./qtscript.patch ]; qtserialport = [ ./qtserialport.patch ]; qttools = [ ./qttools.patch ]; - qtwebengine = optional stdenv.needsPax ./qtwebengine-paxmark-mksnapshot.patch; qtwebkit = [ ./qtwebkit.patch ]; }; diff --git a/pkgs/development/libraries/qt-5/5.9/qtwebengine-paxmark-mksnapshot.patch b/pkgs/development/libraries/qt-5/5.9/qtwebengine-paxmark-mksnapshot.patch deleted file mode 100644 index 5e170567ce5db..0000000000000 --- a/pkgs/development/libraries/qt-5/5.9/qtwebengine-paxmark-mksnapshot.patch +++ /dev/null @@ -1,48 +0,0 @@ -Index: qtwebengine-opensource-src-5.9.0/src/3rdparty/chromium/v8/src/v8.gyp -=================================================================== ---- qtwebengine-opensource-src-5.9.0.orig/src/3rdparty/chromium/v8/src/v8.gyp -+++ qtwebengine-opensource-src-5.9.0/src/3rdparty/chromium/v8/src/v8.gyp -@@ -36,6 +36,7 @@ - 'v8_experimental_extra_library_files%': [], - 'v8_enable_inspector%': 0, - 'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)', -+ 'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)', - 'mkpeephole_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mkpeephole<(EXECUTABLE_SUFFIX)', - 'v8_os_page_size%': 0, - }, -@@ -2432,7 +2433,7 @@ - ] - }, - { -- 'target_name': 'mksnapshot', -+ 'target_name': 'mksnapshot_u', - 'type': 'executable', - 'dependencies': [ - 'v8_base', -@@ -2485,5 +2486,26 @@ - }], - ], - }, -+ { -+ 'target_name': 'mksnapshot', -+ 'type': 'executable', -+ 'dependencies': ['mksnapshot_u'], -+ 'actions': [ -+ { -+ 'action_name': 'paxmark_m_mksnapshot', -+ 'inputs': [ -+ '<(mksnapshot_u_exec)', -+ ], -+ 'outputs': [ -+ '<(mksnapshot_exec)', -+ ], -+ 'action': [ -+ 'sh', -+ '-c', -+ 'cp <(mksnapshot_u_exec) <(mksnapshot_exec) && paxctl -czexm <(mksnapshot_exec)', -+ ], -+ }, -+ ], -+ }, - ], - } 
diff --git a/pkgs/development/libraries/qt-5/modules/qtwebengine.nix b/pkgs/development/libraries/qt-5/modules/qtwebengine.nix index 71ecde66a1f36..a80488bad5e16 100644 --- a/pkgs/development/libraries/qt-5/modules/qtwebengine.nix +++ b/pkgs/development/libraries/qt-5/modules/qtwebengine.nix @@ -14,7 +14,7 @@ , enableProprietaryCodecs ? true , gn, darwin, openbsm , ffmpeg ? null -, lib, stdenv # lib.optional, needsPax +, lib, stdenv }: with stdenv.lib; @@ -181,7 +181,6 @@ EOF [Paths] Prefix = .. EOF - paxmark m $out/libexec/QtWebEngineProcess ''; meta = with lib; { diff --git a/pkgs/development/tools/analysis/valgrind/default.nix b/pkgs/development/tools/analysis/valgrind/default.nix index 2e04cac6c4934..78f40913eb5fa 100644 --- a/pkgs/development/tools/analysis/valgrind/default.nix +++ b/pkgs/development/tools/analysis/valgrind/default.nix @@ -73,8 +73,6 @@ stdenv.mkDerivation rec { --replace 'obj:/usr/X11R6/lib' 'obj:*/lib' \ --replace 'obj:/usr/lib' 'obj:*/lib' done - - paxmark m $out/lib/valgrind/*-*-linux ''; meta = { diff --git a/pkgs/development/tools/misc/binutils/default.nix b/pkgs/development/tools/misc/binutils/default.nix index 5d60903ee86fb..787a5dbc646e3 100644 --- a/pkgs/development/tools/misc/binutils/default.nix +++ b/pkgs/development/tools/misc/binutils/default.nix @@ -33,11 +33,6 @@ stdenv.mkDerivation rec { # Make binutils output deterministic by default. ./deterministic.patch - # Always add PaX flags section to ELF files. - # This is needed, for instance, so that running "ldd" on a binary that is - # PaX-marked to disable mprotect doesn't fail with permission denied. - ./pt-pax-flags.patch - # Bfd looks in BINDIR/../lib for some plugins that don't # exist. This is pointless (since users can't install plugins # there) and causes a cycle between the lib and bin outputs, so 
diff --git a/pkgs/development/tools/misc/binutils/pt-pax-flags.patch b/pkgs/development/tools/misc/binutils/pt-pax-flags.patch
deleted file mode 100644
index 3c060012ad0ed..0000000000000
--- a/pkgs/development/tools/misc/binutils/pt-pax-flags.patch
+++ /dev/null
@@ -1,233 +0,0 @@ ---- binutils-2.15.94.0.2.2.orig/bfd/elf-bfd.h 2005-02-07 20:42:44.000000000 +0100 -+++ binutils-2.15.94.0.2.2/bfd/elf-bfd.h 2005-02-20 13:13:17.362558200 +0100 -@@ -1266,6 +1266,9 @@ - /* Should the PT_GNU_RELRO segment be emitted? */ - bfd_boolean relro; - -+ /* Segment flags for the PT_PAX_FLAGS segment. */ -+ unsigned int pax_flags; -+ - /* Symbol version definitions in external objects. */ - Elf_Internal_Verdef *verdef; - ---- binutils-2.17.50.0.18/bfd/elf.c.orig 2007-08-01 11:12:02.000000000 -0400 -+++ binutils-2.17.50.0.18/bfd/elf.c 2007-08-01 14:27:36.086986774 -0400 -@@ -1085,6 +1085,7 @@ - case PT_GNU_EH_FRAME: pt = "EH_FRAME"; break; - case PT_GNU_STACK: pt = "STACK"; break; - case PT_GNU_RELRO: pt = "RELRO"; break; -+ case PT_PAX_FLAGS: pt = "PAX_FLAGS"; break; - default: pt = NULL; break; - } - return pt; -@@ -2346,6 +2347,9 @@ - case PT_GNU_RELRO: - return _bfd_elf_make_section_from_phdr (abfd, hdr, hdr_index, "relro"); - -+ case PT_PAX_FLAGS: -+ return _bfd_elf_make_section_from_phdr (abfd, hdr, hdr_index, "pax_flags"); -+ - default: - /* Check for any processor-specific program segment types. */ - bed = get_elf_backend_data (abfd); -@@ -3326,6 +3330,11 @@ - ++segs; - } - -+ { -+ /* We need a PT_PAX_FLAGS segment. */ -+ ++segs; -+ } -+ - for (s = abfd->sections; s != NULL; s = s->next) - { - if ((s->flags & SEC_LOAD) != 0 -@@ -3945,6 +3954,20 @@ - pm = &m->next; - } - -+ { -+ amt = sizeof (struct elf_segment_map); -+ m = bfd_zalloc (abfd, amt); -+ if (m == NULL) -+ goto error_return; -+ m->next = NULL; -+ m->p_type = PT_PAX_FLAGS; -+ m->p_flags = elf_tdata (abfd)->pax_flags; -+ m->p_flags_valid = 1; -+ -+ *pm = m; -+ pm = &m->next; -+ } -+ - free (sections); - elf_tdata (abfd)->segment_map = mfirst; - } -@@ -5129,7 +5152,8 @@ - 5. PT_GNU_STACK segments do not include any sections. - 6. PT_TLS segment includes only SHF_TLS sections. - 7. SHF_TLS sections are only in PT_TLS or PT_LOAD segments. -- 8. 
PT_DYNAMIC should not contain empty sections at the beginning -+ 8. PT_PAX_FLAGS segments do not include any sections. -+ 9. PT_DYNAMIC should not contain empty sections at the beginning - (with the possible exception of .dynamic). */ - #define IS_SECTION_IN_INPUT_SEGMENT(section, segment, bed) \ - ((((segment->p_paddr \ -@@ -5138,6 +5162,7 @@ - && (section->flags & SEC_ALLOC) != 0) \ - || IS_COREFILE_NOTE (segment, section)) \ - && segment->p_type != PT_GNU_STACK \ -+ && segment->p_type != PT_PAX_FLAGS \ - && (segment->p_type != PT_TLS \ - || (section->flags & SEC_THREAD_LOCAL)) \ - && (segment->p_type == PT_LOAD \ ---- binutils-2.23.52.0.1/bfd/elflink.c.orig 2013-02-27 21:28:03.000000000 +0100 -+++ binutils-2.23.52.0.1/bfd/elflink.c 2013-03-01 17:32:44.922717879 +0100 -@@ -5764,18 +5764,32 @@ - && ! (*bed->elf_backend_always_size_sections) (output_bfd, info)) - return FALSE; - -+ elf_tdata (output_bfd)->pax_flags = PF_NORANDEXEC; -+ -+ if (info->execheap) -+ elf_tdata (output_bfd)->pax_flags |= PF_NOMPROTECT; -+ else if (info->noexecheap) -+ elf_tdata (output_bfd)->pax_flags |= PF_MPROTECT; -+ - /* Determine any GNU_STACK segment requirements, after the backend - has had a chance to set a default segment size. 
*/ - if (info->execstack) -+ { - elf_stack_flags (output_bfd) = PF_R | PF_W | PF_X; -+ elf_tdata (output_bfd)->pax_flags |= PF_EMUTRAMP; -+ } - else if (info->noexecstack) -+ { - elf_stack_flags (output_bfd) = PF_R | PF_W; -+ elf_tdata (output_bfd)->pax_flags |= PF_NOEMUTRAMP; -+ } - else - { - bfd *inputobj; - asection *notesec = NULL; - int exec = 0; - -+ elf_tdata (output_bfd)->pax_flags |= PF_NOEMUTRAMP; - for (inputobj = info->input_bfds; - inputobj; - inputobj = inputobj->link_next) -@@ -5789,7 +5803,11 @@ - if (s) - { - if (s->flags & SEC_CODE) -- exec = PF_X; -+ { -+ elf_tdata (output_bfd)->pax_flags &= ~PF_NOEMUTRAMP; -+ elf_tdata (output_bfd)->pax_flags |= PF_EMUTRAMP; -+ exec = PF_X; -+ } - notesec = s; - } - else if (bed->default_execstack) ---- binutils-2.15.94.0.2.2.orig/binutils/readelf.c 2005-02-18 07:14:30.000000000 +0100 -+++ binutils-2.15.94.0.2.2/binutils/readelf.c 2005-02-20 13:13:17.470541784 +0100 -@@ -2293,6 +2293,7 @@ - return "GNU_EH_FRAME"; - case PT_GNU_STACK: return "GNU_STACK"; - case PT_GNU_RELRO: return "GNU_RELRO"; -+ case PT_PAX_FLAGS: return "PAX_FLAGS"; - - default: - if ((p_type >= PT_LOPROC) && (p_type <= PT_HIPROC)) ---- binutils-2.15.94.0.2.2.orig/include/bfdlink.h 2004-11-22 21:33:32.000000000 +0100 -+++ binutils-2.15.94.0.2.2/include/bfdlink.h 2005-02-20 13:13:17.476540872 +0100 -@@ -313,6 +313,14 @@ - flags. */ - unsigned int noexecstack: 1; - -+ /* TRUE if PT_PAX_FLAGS segment should be created with PF_NOMPROTECT -+ flags. */ -+ unsigned int execheap: 1; -+ -+ /* TRUE if PT_PAX_FLAGS segment should be created with PF_MPROTECT -+ flags. */ -+ unsigned int noexecheap: 1; -+ - /* TRUE if PT_GNU_RELRO segment should be created. 
*/ - unsigned int relro: 1; - ---- binutils-2.15.94.0.2.2.orig/include/elf/common.h 2004-11-22 21:33:32.000000000 +0100 -+++ binutils-2.15.94.0.2.2/include/elf/common.h 2005-02-20 13:13:17.482539960 +0100 -@@ -423,6 +423,7 @@ - #define PT_SUNW_EH_FRAME PT_GNU_EH_FRAME /* Solaris uses the same value */ - #define PT_GNU_STACK (PT_LOOS + 0x474e551) /* Stack flags */ - #define PT_GNU_RELRO (PT_LOOS + 0x474e552) /* Read-only after relocation */ -+#define PT_PAX_FLAGS (PT_LOOS + 0x5041580) /* PaX flags */ - - /* Program segment permissions, in program header p_flags field. */ - -@@ -433,6 +434,19 @@ - #define PF_MASKOS 0x0FF00000 /* New value, Oct 4, 1999 Draft */ - #define PF_MASKPROC 0xF0000000 /* Processor-specific reserved bits */ - -+#define PF_PAGEEXEC (1 << 4) /* Enable PAGEEXEC */ -+#define PF_NOPAGEEXEC (1 << 5) /* Disable PAGEEXEC */ -+#define PF_SEGMEXEC (1 << 6) /* Enable SEGMEXEC */ -+#define PF_NOSEGMEXEC (1 << 7) /* Disable SEGMEXEC */ -+#define PF_MPROTECT (1 << 8) /* Enable MPROTECT */ -+#define PF_NOMPROTECT (1 << 9) /* Disable MPROTECT */ -+#define PF_RANDEXEC (1 << 10) /* Enable RANDEXEC */ -+#define PF_NORANDEXEC (1 << 11) /* Disable RANDEXEC */ -+#define PF_EMUTRAMP (1 << 12) /* Enable EMUTRAMP */ -+#define PF_NOEMUTRAMP (1 << 13) /* Disable EMUTRAMP */ -+#define PF_RANDMMAP (1 << 14) /* Enable RANDMMAP */ -+#define PF_NORANDMMAP (1 << 15) /* Disable RANDMMAP */ -+ - /* Values for section header, sh_type field. 
*/ - - #define SHT_NULL 0 /* Section header table entry unused */ ---- binutils-2.18.50.0.1/ld/emultempl/elf32.em.orig 2007-09-08 19:34:12.000000000 +0200 -+++ binutils-2.18.50.0.1/ld/emultempl/elf32.em 2007-09-15 21:41:35.688212063 +0200 -@@ -2139,6 +2139,16 @@ - link_info.noexecstack = TRUE; - link_info.execstack = FALSE; - } -+ else if (strcmp (optarg, "execheap") == 0) -+ { -+ link_info.execheap = TRUE; -+ link_info.noexecheap = FALSE; -+ } -+ else if (strcmp (optarg, "noexecheap") == 0) -+ { -+ link_info.noexecheap = TRUE; -+ link_info.execheap = FALSE; -+ } - EOF - - if test -n "$COMMONPAGESIZE"; then ---- binutils-2.15.94.0.2.2.orig/ld/ldgram.y 2004-11-22 21:33:32.000000000 +0100 -+++ binutils-2.15.94.0.2.2/ld/ldgram.y 2005-02-20 13:13:17.499537376 +0100 -@@ -1073,6 +1073,8 @@ - $$ = exp_intop (0x6474e550); - else if (strcmp (s, "PT_GNU_STACK") == 0) - $$ = exp_intop (0x6474e551); -+ else if (strcmp (s, "PT_PAX_FLAGS") == 0) -+ $$ = exp_intop (0x65041580); - else - { - einfo (_("\ ---- binutils-2.26/ld/lexsup.c.orig 2015-11-13 09:27:42.000000000 +0100 -+++ binutils-2.26/ld/lexsup.c 2016-01-26 21:08:41.787138458 +0100 -@@ -1793,8 +1793,12 @@ - fprintf (file, _("\ - -z muldefs Allow multiple definitions\n")); - fprintf (file, _("\ -+ -z execheap Mark executable as requiring executable heap\n")); -+ fprintf (file, _("\ - -z execstack Mark executable as requiring executable stack\n")); - fprintf (file, _("\ -+ -z noexecheap Mark executable as not requiring executable heap\n")); -+ fprintf (file, _("\ - -z noexecstack Mark executable as not requiring executable stack\n")); - } - diff --git a/pkgs/development/web/nodejs/nodejs.nix b/pkgs/development/web/nodejs/nodejs.nix index a9c08e1c5b732..e5c52f620ac5e 100644 --- a/pkgs/development/web/nodejs/nodejs.nix +++ b/pkgs/development/web/nodejs/nodejs.nix 
@@ -88,7 +88,6 @@ in doCheck = false; # fails 4 out of 1453 tests postInstall = '' - paxmark m $out/bin/node PATH=$out/bin:$PATH patchShebangs $out ${optionalString enableNpm '' |