author | Vladimír Čunát <vcunat@gmail.com> | 2014-06-16 10:23:36 +0200 |
---|---|---|
committer | Vladimír Čunát <vcunat@gmail.com> | 2014-06-16 10:23:36 +0200 |
commit | 1b78ca58bccd564350b52d00471399305e4eab23 (patch) | |
tree | f6b4ad22cce7f0dc87a9fe5d55a6baf661753221 /pkgs/development/compilers | |
parent | 5e16c9428b3acda3614a14b6c2c28488162ec62a (diff) | |
parent | 9757785295b95aa67d0c824dae73721fe47e7d5b (diff) | |
Merge #2798: stdenv and a few other big updates
Stdenv-changing things: - gcc 4.8.2 -> 4.8.3 - long-running grsecurity branch Others: - pkgconfig update - CVE for libtasn1, dbus Conflicts (simple): pkgs/development/compilers/ghc/7.6.3.nix
Diffstat (limited to 'pkgs/development/compilers')
18 files changed, 154 insertions, 96 deletions
diff --git a/pkgs/development/compilers/gcc/4.6/builder.sh b/pkgs/development/compilers/gcc/4.6/builder.sh index bdf15be5a99..de4566c12dd 100644 --- a/pkgs/development/compilers/gcc/4.6/builder.sh +++ b/pkgs/development/compilers/gcc/4.6/builder.sh @@ -33,7 +33,7 @@ if test "$noSysDirs" = "1"; then # The path to the Glibc binaries such as `crti.o'. glibc_libdir="$(cat $NIX_GCC/nix-support/orig-libc)/lib" - + else # Hack: support impure environments. extraFlags="-isystem /usr/include" @@ -214,7 +214,7 @@ postInstall() { # previous gcc. rm -rf $out/libexec/gcc/*/*/install-tools rm -rf $out/lib/gcc/*/*/install-tools - + # More dependencies with the previous gcc or some libs (gccbug stores the build command line) rm -rf $out/bin/gccbug # Take out the bootstrap-tools from the rpath, as it's not needed at all having $out @@ -240,6 +240,11 @@ postInstall() { fi done + # Disable RANDMMAP on grsec, which causes segfaults when using + # precompiled headers. + # See https://bugs.gentoo.org/show_bug.cgi?id=301299#c31 + paxmark r $out/libexec/gcc/*/*/{cc1,cc1plus} + eval "$postInstallGhdl" } diff --git a/pkgs/development/compilers/gcc/4.6/default.nix b/pkgs/development/compilers/gcc/4.6/default.nix index af111322698..ef75cf71f58 100644 --- a/pkgs/development/compilers/gcc/4.6/default.nix +++ b/pkgs/development/compilers/gcc/4.6/default.nix @@ -99,7 +99,7 @@ let version = "4.6.3"; withAbi = if gccAbi != null then " --with-abi=${gccAbi}" else ""; withFpu = if gccFpu != null then " --with-fpu=${gccFpu}" else ""; withFloat = if gccFloat != null then " --with-float=${gccFloat}" else ""; - in + in (withArch + withCpu + withAbi + diff --git a/pkgs/development/compilers/gcc/4.8/bug-58800.patch b/pkgs/development/compilers/gcc/4.8/bug-58800.patch deleted file mode 100644 index c8e8666761a..00000000000 --- a/pkgs/development/compilers/gcc/4.8/bug-58800.patch +++ /dev/null 
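Review bot: The `paxmark r $out/libexec/gcc/*/*/{cc1,cc1plus}` line added to postInstall in gcc/4.6/builder.sh names `cc1plus` unconditionally, and brace expansion produces that path even when no such file was built. Whether that fails the build or is silently skipped depends on how `paxmark` treats a missing argument, which the hunk does not show; a guarded loop such as `for f in "$out"/libexec/gcc/*/*/cc1 "$out"/libexec/gcc/*/*/cc1plus; do [ -e "$f" ] && paxmark r "$f"; done` makes the behaviour explicit. Since `r` turns off mmap randomization for the compiler proper, the comment should also say that no other gcc binary is meant to be marked. The same lines are added to gcc/4.8/builder.sh further down, and postInstall starts outside the hunk.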
@@ -1,79 +0,0 @@ -Index: gcc-4_8-branch/libstdc++-v3/include/bits/stl_algo.h -=================================================================== ---- gcc-4_8-branch/libstdc++-v3/include/bits/stl_algo.h (revision 203872) -+++ gcc-4_8-branch/libstdc++-v3/include/bits/stl_algo.h (revision 203873) -@@ -2279,7 +2279,7 @@ - _RandomAccessIterator __last) - { - _RandomAccessIterator __mid = __first + (__last - __first) / 2; -- std::__move_median_to_first(__first, __first + 1, __mid, (__last - 2)); -+ std::__move_median_to_first(__first, __first + 1, __mid, __last - 1); - return std::__unguarded_partition(__first + 1, __last, *__first); - } - -@@ -2291,7 +2291,7 @@ - _RandomAccessIterator __last, _Compare __comp) - { - _RandomAccessIterator __mid = __first + (__last - __first) / 2; -- std::__move_median_to_first(__first, __first + 1, __mid, (__last - 2), -+ std::__move_median_to_first(__first, __first + 1, __mid, __last - 1, - __comp); - return std::__unguarded_partition(__first + 1, __last, *__first, __comp); - } -Index: gcc-4_8-branch/libstdc++-v3/testsuite/25_algorithms/nth_element/58800.cc -=================================================================== ---- gcc-4_8-branch/libstdc++-v3/testsuite/25_algorithms/nth_element/58800.cc (revision 0) -+++ gcc-4_8-branch/libstdc++-v3/testsuite/25_algorithms/nth_element/58800.cc (revision 203873) -@@ -0,0 +1,52 @@ -+// Copyright (C) 2013 Free Software Foundation, Inc. -+// -+// This file is part of the GNU ISO C++ Library. This library is free -+// software; you can redistribute it and/or modify it under the -+// terms of the GNU General Public License as published by the -+// Free Software Foundation; either version 3, or (at your option) -+// any later version. -+ -+// This library is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. 
-+ -+// You should have received a copy of the GNU General Public License along -+// with this library; see the file COPYING3. If not see -+// <http://www.gnu.org/licenses/>. -+ -+// 25.3.2 [lib.alg.nth.element] -+ -+// { dg-options "-std=gnu++11" } -+ -+#include <algorithm> -+#include <testsuite_hooks.h> -+#include <testsuite_iterators.h> -+ -+using __gnu_test::test_container; -+using __gnu_test::random_access_iterator_wrapper; -+ -+typedef test_container<int, random_access_iterator_wrapper> Container; -+ -+void test01() -+{ -+ std::vector<int> v = { -+ 207089, -+ 202585, -+ 180067, -+ 157549, -+ 211592, -+ 216096, -+ 207089 -+ }; -+ -+ Container con(v.data(), v.data() + 7); -+ -+ std::nth_element(con.begin(), con.begin() + 3, con.end()); -+} -+ -+int main() -+{ -+ test01(); -+ return 0; -+} diff --git a/pkgs/development/compilers/gcc/4.8/builder.sh b/pkgs/development/compilers/gcc/4.8/builder.sh index b781fa6c7ef..7c9b9420dda 100644 --- a/pkgs/development/compilers/gcc/4.8/builder.sh +++ b/pkgs/development/compilers/gcc/4.8/builder.sh @@ -239,6 +239,11 @@ postInstall() { fi done + # Disable RANDMMAP on grsec, which causes segfaults when using + # precompiled headers. + # See https://bugs.gentoo.org/show_bug.cgi?id=301299#c31 + paxmark r $out/libexec/gcc/*/*/{cc1,cc1plus} + eval "$postInstallGhdl" } diff --git a/pkgs/development/compilers/gcc/4.8/default.nix b/pkgs/development/compilers/gcc/4.8/default.nix index 902cba392f8..58732f1a0be 100644 --- a/pkgs/development/compilers/gcc/4.8/default.nix +++ b/pkgs/development/compilers/gcc/4.8/default.nix @@ -54,7 +54,7 @@ assert langGo -> langCC; with stdenv.lib; with builtins; -let version = "4.8.2"; +let version = "4.8.3"; # Whether building a cross-compiler for GNU/Hurd. crossGNU = cross != null && cross.config == "i586-pc-gnu"; 
@@ -64,7 +64,7 @@ let version = "4.8.2"; */ enableParallelBuilding = !profiledCompiler; - patches = [ ./bug-58800.patch ] # http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58800 + patches = [] ++ optional enableParallelBuilding ./parallel-bconfig.patch ++ optional (cross != null) ./libstdc++-target.patch # ++ optional noSysDirs ./no-sys-dirs.patch @@ -212,7 +212,7 @@ stdenv.mkDerivation ({ src = fetchurl { url = "mirror://gnu/gcc/gcc-${version}/gcc-${version}.tar.bz2"; - sha256 = "1j6dwgby4g3p3lz7zkss32ghr45zpdidrg8xvazvn91lqxv25p09"; + sha256 = "07hg10zs7gnqz58my10ch0zygizqh0z0bz6pv4pgxx45n48lz3ka"; }; inherit patches; diff --git a/pkgs/development/compilers/ghc/6.10.4.nix b/pkgs/development/compilers/ghc/6.10.4.nix index 92afc0f4b88..5d02088c44c 100644 --- a/pkgs/development/compilers/ghc/6.10.4.nix +++ b/pkgs/development/compilers/ghc/6.10.4.nix @@ -20,6 +20,8 @@ stdenv.mkDerivation rec { "--with-gcc=${stdenv.gcc}/bin/gcc" ]; + NIX_CFLAGS_COMPILE = "-fomit-frame-pointer"; + meta = { inherit homepage; description = "The Glasgow Haskell Compiler"; diff --git a/pkgs/development/compilers/ghc/6.12.3.nix b/pkgs/development/compilers/ghc/6.12.3.nix index 05ceba030b9..08c9c1739ed 100644 --- a/pkgs/development/compilers/ghc/6.12.3.nix +++ b/pkgs/development/compilers/ghc/6.12.3.nix @@ -25,6 +25,8 @@ stdenv.mkDerivation rec { "--with-gcc=${stdenv.gcc}/bin/gcc" ]; + NIX_CFLAGS_COMPILE = "-fomit-frame-pointer"; + # required, because otherwise all symbols from HSffi.o are stripped, and # that in turn causes GHCi to abort stripDebugFlags=["-S" "--keep-file-symbols"]; diff --git a/pkgs/development/compilers/ghc/7.0.4.nix b/pkgs/development/compilers/ghc/7.0.4.nix index 1cafdd51bee..ab69df12aa8 100644 --- a/pkgs/development/compilers/ghc/7.0.4.nix +++ b/pkgs/development/compilers/ghc/7.0.4.nix 
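Review bot: `NIX_CFLAGS_COMPILE = "-fomit-frame-pointer";` is added to ghc/6.10.4.nix with no comment saying why, and the same bare line is added to 6.12.3.nix, 7.0.4.nix and 7.2.2.nix. Going by the merge description it presumably relates to the gcc 4.8.3 or grsecurity stdenv change, but the hunk does not say which, so a later cleanup cannot tell whether the flag is still needed. A one-line comment above it would do, e.g. `# <reason / issue link>: build fails without -fomit-frame-pointer`. The derivation body continues outside the hunk.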
@@ -25,6 +25,8 @@ stdenv.mkDerivation rec { "--with-gcc=${stdenv.gcc}/bin/gcc" ]; + NIX_CFLAGS_COMPILE = "-fomit-frame-pointer"; + # required, because otherwise all symbols from HSffi.o are stripped, and # that in turn causes GHCi to abort stripDebugFlags=["-S" "--keep-file-symbols"]; diff --git a/pkgs/development/compilers/ghc/7.2.2.nix b/pkgs/development/compilers/ghc/7.2.2.nix index c6ec0cb75c4..7e714ae3b78 100644 --- a/pkgs/development/compilers/ghc/7.2.2.nix +++ b/pkgs/development/compilers/ghc/7.2.2.nix @@ -25,6 +25,8 @@ stdenv.mkDerivation rec { "--with-gcc=${stdenv.gcc}/bin/gcc" ]; + NIX_CFLAGS_COMPILE = "-fomit-frame-pointer"; + # required, because otherwise all symbols from HSffi.o are stripped, and # that in turn causes GHCi to abort stripDebugFlags=["-S" "--keep-file-symbols"]; diff --git a/pkgs/development/compilers/ghc/7.6.3.nix b/pkgs/development/compilers/ghc/7.6.3.nix index 1839c982e99..dc84446a276 100644 --- a/pkgs/development/compilers/ghc/7.6.3.nix +++ b/pkgs/development/compilers/ghc/7.6.3.nix @@ -1,6 +1,13 @@ -{ stdenv, fetchurl, ghc, perl, gmp, ncurses }: +{ stdenv, fetchurl, ghc, perl, gmp, ncurses, binutils }: -stdenv.mkDerivation rec { +let + # The "-Wa,--noexecstack" options might be needed only with GNU ld (as opposed + # to the gold linker). It prevents binaries' stacks from being marked as + # executable, which fails to run on a grsecurity/PaX kernel. + ghcFlags = "-optc-Wa,--noexecstack -opta-Wa,--noexecstack"; + cFlags = "-Wa,--noexecstack"; + +in stdenv.mkDerivation rec { version = "7.6.3"; name = "ghc-${version}"; 
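Review bot: `binutils` is added to the argument list of ghc/7.6.3.nix, but neither this hunk nor the following one references it, and `buildInputs` stays `[ ghc perl gmp ncurses ]`. If a tool from it is needed at build time it should appear in `buildInputs`; otherwise the argument can be dropped. The comment on `ghcFlags` is itself hedged ("might be needed only with GNU ld"); because these flags are what keep built binaries from requesting an executable stack, it would help to record how that was checked, e.g. `# verify with: readelf -lW <binary> | grep GNU_STACK`.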
@@ -12,21 +19,40 @@ stdenv.mkDerivation rec { buildInputs = [ ghc perl gmp ncurses ]; - buildMK = '' libraries/integer-gmp_CONFIGURE_OPTS += --configure-option=--with-gmp-libraries="${gmp}/lib" libraries/integer-gmp_CONFIGURE_OPTS += --configure-option=--with-gmp-includes="${gmp}/include" + + '' + stdenv.lib.optionalString stdenv.isLinux '' + # Set ghcFlags for building ghc itself + SRC_HC_OPTS += ${ghcFlags} + SRC_CC_OPTS += ${cFlags} ''; preConfigure = '' echo "${buildMK}" > mk/build.mk sed -i -e 's|-isysroot /Developer/SDKs/MacOSX10.5.sdk||' configure + + '' + stdenv.lib.optionalString stdenv.isLinux '' + # Set ghcFlags for binaries that ghc builds + sed -i -e 's|"\$topdir"|"\$topdir" ${ghcFlags}|' ghc/ghc.wrapper + '' + stdenv.lib.optionalString (!stdenv.isDarwin) '' export NIX_LDFLAGS="$NIX_LDFLAGS -rpath $out/lib/ghc-${version}" ''; configureFlags = "--with-gcc=${stdenv.gcc}/bin/gcc"; + postInstall = '' + # ghci uses mmap with rwx protection at it implements dynamic + # linking on its own. See: + # - https://bugs.gentoo.org/show_bug.cgi?id=299709 + # - https://ghc.haskell.org/trac/ghc/ticket/4244 + # Therefore, we have to pax-mark the resulting binary. + # Haddock also seems to run with ghci, so mark it as well. + paxmark m $out/lib/${name}/{ghc,haddock} + ''; + # required, because otherwise all symbols from HSffi.o are stripped, and # that in turn causes GHCi to abort stripDebugFlags=["-S" "--keep-file-symbols"]; diff --git a/pkgs/development/compilers/icedtea/default.nix b/pkgs/development/compilers/icedtea/default.nix index a8f9617a634..56c9e69c9a4 100644 --- a/pkgs/development/compilers/icedtea/default.nix +++ b/pkgs/development/compilers/icedtea/default.nix @@ -59,7 +59,7 @@ with srcInfo; stdenv.mkDerivation { "--disable-downloading" "--without-rhino" - # Uncomment this when paxctl lands in stdenv: "--with-pax=paxctl" + "--with-pax=paxctl" "--with-jdk-home=${jdkPath}" ]; 
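Review bot: The `sed -i -e 's|"\$topdir"|"\$topdir" ${ghcFlags}|' ghc/ghc.wrapper` line in preConfigure succeeds even when the pattern matches nothing, so if the wrapper template changes, binaries built by the installed ghc silently lose `--noexecstack` and the problem only shows up later on a grsecurity/PaX kernel. A guard right after it turns that into a build error: `grep -q -- '--noexecstack' ghc/ghc.wrapper || { echo "ghc.wrapper not patched" >&2; exit 1; }`. In postInstall, `paxmark m` is applied to `ghc` and `haddock`, which the comment justifies; its "at it implements" should read "as it implements". The derivation continues outside the hunk.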
diff --git a/pkgs/development/compilers/jdk/jdk7-linux.nix b/pkgs/development/compilers/jdk/jdk7-linux.nix index f8b65166ea6..7683ad81e59 100644 --- a/pkgs/development/compilers/jdk/jdk7-linux.nix +++ b/pkgs/development/compilers/jdk/jdk7-linux.nix @@ -2,6 +2,7 @@ , stdenv , requireFile , unzip +, file , xlibs ? null , installjdk ? true , pluginSupport ? true @@ -71,10 +72,20 @@ stdenv.mkDerivation rec { else abort "jdk requires i686-linux or x86_64 linux"; - buildInputs = if installjce then [ unzip ] else []; + nativeBuildInputs = [ file ] + ++ stdenv.lib.optional installjce unzip; installPhase = '' cd .. + + # Set PaX markings + exes=$(file $sourceRoot/bin/* $sourceRoot/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//') + for file in $exes; do + paxmark m "$file" + # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well. + ${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''} + done + if test -z "$installjdk"; then mv $sourceRoot/jre $out else diff --git a/pkgs/development/compilers/llvm/3.3/llvm.nix b/pkgs/development/compilers/llvm/3.3/llvm.nix index e40014a960c..d0f8fcb3bf8 100644 --- a/pkgs/development/compilers/llvm/3.3/llvm.nix +++ b/pkgs/development/compilers/llvm/3.3/llvm.nix @@ -22,11 +22,20 @@ in stdenv.mkDerivation rec { cmakeFlags = with stdenv; [ "-DCMAKE_BUILD_TYPE=Release" + "-DLLVM_BUILD_TESTS=ON" "-DLLVM_ENABLE_FFI=ON" "-DLLVM_BINUTILS_INCDIR=${binutils}/include" "-DLLVM_EXPERIMENTAL_TARGETS_TO_BUILD=R600" # for mesa ] ++ stdenv.lib.optional (!isDarwin) "-DBUILD_SHARED_LIBS=ON"; + postBuild = '' + paxmark m bin/{lli,llvm-rtdyld} + + paxmark m unittests/ExecutionEngine/JIT/JITTests + paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests + paxmark m unittests/Support/SupportTests + ''; + enableParallelBuilding = true; doCheck = true; 
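Review bot: In the new installPhase loop of jdk/jdk7-linux.nix, `2> /dev/null` on the `file` call hides any failure and `for file in $exes` iterates an unquoted, word-split list, so an empty or mis-split list leaves binaries unmarked (or marks the wrong paths) without the build noticing. On i686 each binary is also marked twice, first `paxmark m` and then `paxmark msp`; one call is enough: `paxmark ${if stdenv.isi686 then "msp" else "m"} "$file"`. Because `msp` turns off MPROTECT, SEGMEXEC and PAGEEXEC for every ELF file under both bin directories, the comment should say that this applies unconditionally, not only when a large heap is requested. The same loop is added to openjdk/bootstrap.nix and, using `${paxflags}`, to the installPhase of openjdk/default.nix. installPhase continues outside the hunk.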
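Review bot: The new postBuild in llvm/3.3/llvm.nix marks `lli`, `llvm-rtdyld` and three unit-test binaries with `paxmark m` but has no comment explaining why MPROTECT must be off for them; presumably they generate and run code at run time, as the JIT test names suggest. `lli` and `llvm-rtdyld` live in `bin/` and so presumably end up installed with the relaxed marking, while the `unittests/` marks only matter for `doCheck`. A comment should separate the two, e.g. `# JIT tools need writable+executable mappings; test binaries are marked only so the check phase passes under PaX`. The same block is added to llvm/3.4/llvm.nix.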
diff --git a/pkgs/development/compilers/llvm/3.4/dragonegg.nix b/pkgs/development/compilers/llvm/3.4/dragonegg.nix index f8ea44793de..577533c2e52 100644 --- a/pkgs/development/compilers/llvm/3.4/dragonegg.nix +++ b/pkgs/development/compilers/llvm/3.4/dragonegg.nix @@ -1,10 +1,18 @@ -{stdenv, fetch, llvm, gmp, mpfr, mpc, ncurses, zlib, version}: +{stdenv, fetch, fetchpatch, llvm, gmp, mpfr, mpc, ncurses, zlib, version}: stdenv.mkDerivation rec { name = "dragonegg-${version}"; src = fetch "dragonegg" "1733czbvby1ww3xkwcwmm0km0bpwhfyxvf56wb0zv5gksp3kbgrl"; + patches = [(fetchpatch { + url = "https://llvm.org/viewvc/llvm-project/dragonegg/trunk/src/x86/ABIHack.inc" + + "?r1=208730&r2=208729&view=patch"; + sha256 = "1al82gqz90hzjx24p0wls029lw2bgnlgd209kgvxsp82p4z1v1c1"; + name = "bug-18548.patch"; + })]; + patchFlags = "-p2"; + # The gcc the plugin will be built for (the same used building dragonegg) GCC = "gcc"; diff --git a/pkgs/development/compilers/llvm/3.4/llvm.nix b/pkgs/development/compilers/llvm/3.4/llvm.nix index 3aea2a12a11..52617acad43 100644 --- a/pkgs/development/compilers/llvm/3.4/llvm.nix +++ b/pkgs/development/compilers/llvm/3.4/llvm.nix @@ -36,15 +36,25 @@ in stdenv.mkDerivation rec { mkdir -p $out/ ln -sv $PWD/lib $out ''; - postBuild = "rm -fR $out"; cmakeFlags = with stdenv; [ "-DCMAKE_BUILD_TYPE=Release" + "-DLLVM_BUILD_TESTS=ON" "-DLLVM_ENABLE_FFI=ON" "-DLLVM_BINUTILS_INCDIR=${binutils}/include" "-DCMAKE_CXX_FLAGS=-std=c++11" ] ++ stdenv.lib.optional (!isDarwin) "-DBUILD_SHARED_LIBS=ON"; + postBuild = '' + rm -fR $out + + paxmark m bin/{lli,llvm-rtdyld} + + paxmark m unittests/ExecutionEngine/JIT/JITTests + paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests + paxmark m unittests/Support/SupportTests + ''; + enableParallelBuilding = true; passthru.src = src; diff --git a/pkgs/development/compilers/openjdk/bootstrap.nix b/pkgs/development/compilers/openjdk/bootstrap.nix index 01ed43069b6..222ab010c26 100644 
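Review bot: The fetchpatch URL in llvm/3.4/dragonegg.nix requests `r1=208730&r2=208729`, with the newer revision first, which looks like it yields the reverse of r208730 rather than a forward fix, and nothing in the hunk says so. If that reading is right, a comment above `patches` such as `# Applies the reverse of upstream r208730 (bug 18548)` would make the intent and the `-p2` strip level reviewable. The `sha256` pins the fetched content, so a change in how the server renders the patch makes the build fail rather than apply something different. The derivation continues outside the hunk.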
--- a/pkgs/development/compilers/openjdk/bootstrap.nix +++ b/pkgs/development/compilers/openjdk/bootstrap.nix @@ -1,4 +1,4 @@ -{ runCommand, glibc, fetchurl }: +{ stdenv, runCommand, glibc, fetchurl, file }: let # !!! These should be on nixos.org @@ -18,4 +18,12 @@ in runCommand "openjdk-bootstrap" {} '' xz -dc ${src} | sed "s/e*-glibc-[^/]*/$(basename ${glibc})/g" | tar xv mv openjdk-bootstrap $out + + # Temporarily, while NixOS's OpenJDK bootstrap tarball doesn't have PaX markings: + exes=$(${file}/bin/file $out/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//') + for file in $exes; do + paxmark m "$file" + # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well. + ${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''} + done '' diff --git a/pkgs/development/compilers/openjdk/default.nix b/pkgs/development/compilers/openjdk/default.nix index 50f01f41372..fbbae495666 100644 --- a/pkgs/development/compilers/openjdk/default.nix +++ b/pkgs/development/compilers/openjdk/default.nix @@ -1,5 +1,5 @@ { stdenv, fetchurl, unzip, zip, procps, coreutils, alsaLib, ant, freetype, cups -, which, jdk, nettools, xorg +, which, jdk, nettools, xorg, file , fontconfig, cpio, cacert, perl, setJavaClassPath }: let @@ -19,6 +19,9 @@ let build = "43"; + # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well. + paxflags = if stdenv.isi686 then "msp" else "m"; + in stdenv.mkDerivation rec { @@ -35,7 +38,7 @@ stdenv.mkDerivation rec { [ unzip procps ant which zip cpio nettools alsaLib xorg.libX11 xorg.libXt xorg.libXext xorg.libXrender xorg.libXtst xorg.libXi xorg.libXinerama xorg.libXcursor xorg.lndir - fontconfig perl + fontconfig perl file ]; NIX_LDFLAGS = "-lfontconfig -lXcursor -lXinerama"; 
@@ -49,7 +52,7 @@ stdenv.mkDerivation rec { openjdk/{jdk,corba}/make/common/shared/Defs-utils.gmk ''; - patches = [ ./cppflags-include-fix.patch ./fix-java-home.patch ]; + patches = [ ./cppflags-include-fix.patch ./fix-java-home.patch ./paxctl.patch ]; NIX_NO_SELF_RPATH = true; @@ -72,6 +75,14 @@ stdenv.mkDerivation rec { configurePhase = "true"; + preBuild = '' + # We also need to PaX-mark in the middle of the build + substituteInPlace hotspot/make/linux/makefiles/launcher.make \ + --replace XXX_PAXFLAGS_XXX ${paxflags} + substituteInPlace jdk/make/common/Program.gmk \ + --replace XXX_PAXFLAGS_XXX ${paxflags} + ''; + installPhase = '' mkdir -p $out/lib/openjdk $out/share $jre/lib/openjdk @@ -98,6 +109,14 @@ stdenv.mkDerivation rec { rm -rf $out/lib/openjdk/jre/bin ln -s $out/lib/openjdk/bin $out/lib/openjdk/jre/bin + # Set PaX markings + exes=$(file $out/lib/openjdk/bin/* $jre/lib/openjdk/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//') + echo "to mark: *$exes*" + for file in $exes; do + echo "marking *$file*" + paxmark ${paxflags} "$file" + done + # Remove duplicate binaries. for i in $(cd $out/lib/openjdk/bin && echo *); do if [ "$i" = java ]; then continue; fi diff --git a/pkgs/development/compilers/openjdk/paxctl.patch b/pkgs/development/compilers/openjdk/paxctl.patch new file mode 100644 index 00000000000..12528a601cc --- /dev/null +++ b/pkgs/development/compilers/openjdk/paxctl.patch 
@@ -0,0 +1,28 @@ +diff --git a/hotspot/make/linux/makefiles/launcher.make b/hotspot/make/linux/makefiles/launcher.make +index 34bbcd6..41b9332 100644 +--- a/hotspot/make/linux/makefiles/launcher.make ++++ b/hotspot/make/linux/makefiles/launcher.make +@@ -83,6 +83,8 @@ $(LAUNCHER): $(OBJS) $(LIBJVM) $(LAUNCHER_MAPFILE) + $(QUIETLY) echo Linking launcher... + $(QUIETLY) $(LINK_LAUNCHER/PRE_HOOK) + $(QUIETLY) $(LINK_LAUNCHER) $(LFLAGS_LAUNCHER) -o $@ $(OBJS) $(LIBS_LAUNCHER) ++ paxctl -c $(LAUNCHER) ++ paxctl -zex -XXX_PAXFLAGS_XXX $(LAUNCHER) + $(QUIETLY) $(LINK_LAUNCHER/POST_HOOK) + + $(LAUNCHER): $(LAUNCHER_SCRIPT) +diff --git a/jdk/make/common/Program.gmk b/jdk/make/common/Program.gmk +index 091800d..1de8cb4 100644 +--- a/jdk/make/common/Program.gmk ++++ b/jdk/make/common/Program.gmk +@@ -60,6 +60,10 @@ ACTUAL_PROGRAM = $(ACTUAL_PROGRAM_DIR)/$(ACTUAL_PROGRAM_NAME) + program_default_rule: all + + program: $(ACTUAL_PROGRAM) ++ if [[ "$(PROGRAM)" = "java" ]]; then \ ++ paxctl -c $(ACTUAL_PROGRAM); \ ++ paxctl -zex -XXX_PAXFLAGS_XXX $(ACTUAL_PROGRAM); \ ++ fi + + # Work-around for missing processor specific mapfiles + ifndef CROSS_COMPILE_ARCH |
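Review bot: Both recipes added by openjdk/paxctl.patch run `paxctl -c` on the freshly linked launcher, which converts the binary's PT_GNU_STACK program header into PT_PAX_FLAGS. paxctl's usage text marks that option with "see manpage", and after the conversion the binary no longer carries PT_GNU_STACK, so on a kernel without PaX its stack permissions fall back to the platform default. That trade-off should be stated in a comment next to the recipe lines. The Program.gmk recipe also uses `[[ ... ]]`, which works only when make runs recipes with bash; `if [ "$(PROGRAM)" = "java" ]; then \` is portable. Neither `paxctl` line carries the `$(QUIETLY)` prefix used by the surrounding recipe lines.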