diff options
65 files changed, 17 insertions, 687 deletions
diff --git a/doc/stdenv.xml b/doc/stdenv.xml index 1c18fab8669..564471bbbbc 100644 --- a/doc/stdenv.xml +++ b/doc/stdenv.xml @@ -2435,30 +2435,6 @@ addEnvHooks "$hostOffset" myBashFunction </varlistentry> <varlistentry> <term> - paxctl - </term> - <listitem> - <para> - Defines the <varname>paxmark</varname> helper for setting per-executable - PaX flags on Linux (where it is available by default; on all other - platforms, <varname>paxmark</varname> is a no-op). For example, to - disable secure memory protections on the executable - <replaceable>foo</replaceable> -<programlisting> - postFixup = '' - paxmark m $out/bin/<replaceable>foo</replaceable> - ''; - </programlisting> - The <literal>m</literal> flag is the most common flag and is typically - required for applications that employ JIT compilation or otherwise need - to execute code generated at run-time. Disabling PaX protections should - be considered a last resort: if possible, problematic features should be - disabled or patched to work with PaX. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> autoPatchelfHook </term> <listitem> diff --git a/pkgs/applications/altcoins/parity-ui/default.nix b/pkgs/applications/altcoins/parity-ui/default.nix index ec2e571e3f0..c59b2ccb8ac 100644 --- a/pkgs/applications/altcoins/parity-ui/default.nix +++ b/pkgs/applications/altcoins/parity-ui/default.nix @@ -34,8 +34,6 @@ in stdenv.mkDerivation rec { find $out/share/parity-ui -name "*.node" -exec patchelf --set-rpath "${uiEnv.libPath}:$out/share/parity-ui" {} \; - paxmark m $out/share/parity-ui/parity-ui - mkdir -p $out/bin ln -s $out/share/parity-ui/parity-ui $out/bin/parity-ui ''; diff --git a/pkgs/applications/editors/atom/default.nix b/pkgs/applications/editors/atom/default.nix index 710c3ca335a..13dc9e1285b 100644 --- a/pkgs/applications/editors/atom/default.nix +++ b/pkgs/applications/editors/atom/default.nix @@ -70,9 +70,6 @@ let ln -s ${pkgs.git}/bin/git $dugite/git/libexec/git-core/git find $share -name "*.node" -exec patchelf --set-rpath "${atomEnv.libPath}:$share" {} \; - - paxmark m $share/atom - paxmark m $share/resources/app/apm/bin/node ''; meta = with stdenv.lib; { diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix index bcf6df7417f..0c199dab6bc 100644 --- a/pkgs/applications/networking/browsers/chromium/common.nix +++ b/pkgs/applications/networking/browsers/chromium/common.nix @@ -282,8 +282,6 @@ let MENUNAME="Chromium" process_template chrome/app/resources/manpage.1.in "${buildPath}/chrome.1" ) - '' + optionalString (target == "mksnapshot" || target == "chrome") '' - paxmark m "${buildPath}/${target}" ''; targets = extraAttrs.buildTargets or []; commands = map buildCommand targets; diff --git a/pkgs/applications/networking/browsers/firefox/common.nix b/pkgs/applications/networking/browsers/firefox/common.nix index 2a2f71d419f..8f135614f4d 100644 --- a/pkgs/applications/networking/browsers/firefox/common.nix +++ b/pkgs/applications/networking/browsers/firefox/common.nix @@ -263,20 +263,12 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; doCheck = false; # "--disable-tests" above - preInstall = '' - # The following is needed for startup cache creation on grsecurity kernels. - paxmark m dist/bin/xpcshell - ''; - installPhase = if stdenv.isDarwin then '' mkdir -p $out/Applications cp -LR dist/Firefox.app $out/Applications '' else null; postInstall = lib.optionalString stdenv.isLinux '' - # For grsecurity kernels - paxmark m $out/lib/firefox*/{firefox,firefox-bin,plugin-container} - # Remove SDK cruft. FIXME: move to a separate output? rm -rf $out/share/idl $out/include $out/lib/firefox-devel-* diff --git a/pkgs/applications/networking/instant-messengers/discord/default.nix b/pkgs/applications/networking/instant-messengers/discord/default.nix index 09ead9b3de6..4b1af80d624 100644 --- a/pkgs/applications/networking/instant-messengers/discord/default.nix +++ b/pkgs/applications/networking/instant-messengers/discord/default.nix @@ -32,8 +32,6 @@ stdenv.mkDerivation rec { patchelf --set-interpreter ${stdenv.cc.bintools.dynamicLinker} \ $out/opt/discord/Discord - paxmark m $out/opt/discord/Discord - wrapProgram $out/opt/discord/Discord --prefix LD_LIBRARY_PATH : ${libPath} ln -s $out/opt/discord/Discord $out/bin/ diff --git a/pkgs/applications/networking/instant-messengers/franz/default.nix b/pkgs/applications/networking/instant-messengers/franz/default.nix index 2f3870d7899..4b8670f23d4 100644 --- a/pkgs/applications/networking/instant-messengers/franz/default.nix +++ b/pkgs/applications/networking/instant-messengers/franz/default.nix @@ -54,7 +54,6 @@ in stdenv.mkDerivation rec { ''; postFixup = '' - paxmark m $out/opt/franz/Franz wrapProgram $out/opt/franz/Franz --prefix PATH : ${xdg_utils}/bin ''; diff --git a/pkgs/applications/networking/instant-messengers/wavebox/default.nix b/pkgs/applications/networking/instant-messengers/wavebox/default.nix index b85e9d3d4cb..d7d882564e7 100644 --- a/pkgs/applications/networking/instant-messengers/wavebox/default.nix +++ b/pkgs/applications/networking/instant-messengers/wavebox/default.nix @@ -52,7 +52,6 @@ in stdenv.mkDerivation rec { ''; postFixup = '' - paxmark m $out/opt/wavebox/Wavebox makeWrapper $out/opt/wavebox/Wavebox $out/bin/wavebox \ --prefix PATH : ${xdg_utils}/bin ''; diff --git a/pkgs/applications/networking/mailreaders/thunderbird/default.nix b/pkgs/applications/networking/mailreaders/thunderbird/default.nix index c048c2938a9..b53c7b910f6 100644 --- a/pkgs/applications/networking/mailreaders/thunderbird/default.nix +++ b/pkgs/applications/networking/mailreaders/thunderbird/default.nix @@ -100,7 +100,7 @@ in stdenv.mkDerivation rec { '' cxxLib=$( echo -n ${gcc}/include/c++/* ) archLib=$cxxLib/$( ${gcc}/bin/gcc -dumpmachine ) - + test -f layout/style/ServoBindings.toml && sed -i -e '/"-DRUST_BINDGEN"/ a , "-cxx-isystem", "'$cxxLib'", "-isystem", "'$archLib'"' layout/style/ServoBindings.toml configureScript="$(realpath ./configure)" @@ -108,18 +108,9 @@ in stdenv.mkDerivation rec { cd ../objdir ''; - preInstall = - '' - # The following is needed for startup cache creation on grsecurity kernels. - paxmark m ../objdir/dist/bin/xpcshell - ''; - dontWrapGApps = true; # we do it ourselves postInstall = '' - # For grsecurity kernels - paxmark m $out/lib/thunderbird/thunderbird - # TODO: Move to a dev output? rm -rf $out/include $out/lib/thunderbird-devel-* $out/share/idl diff --git a/pkgs/applications/office/mendeley/default.nix b/pkgs/applications/office/mendeley/default.nix index aa9317d2ffd..9c4c22dabe9 100644 --- a/pkgs/applications/office/mendeley/default.nix +++ b/pkgs/applications/office/mendeley/default.nix @@ -112,7 +112,6 @@ stdenv.mkDerivation { patchelf --set-interpreter $interpreter \ --set-rpath ${stdenv.lib.makeLibraryPath deps}:$out/lib \ $out/bin/mendeleydesktop - paxmark m $out/bin/mendeleydesktop wrapProgram $out/bin/mendeleydesktop \ --add-flags "--unix-distro-build" \ diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix index 1cd85cead12..49ddab1d6d2 100644 --- a/pkgs/applications/virtualization/qemu/default.nix +++ b/pkgs/applications/virtualization/qemu/default.nix @@ -125,9 +125,6 @@ stdenv.mkDerivation rec { postFixup = '' - for exe in $out/bin/qemu-system-* ; do - paxmark m $exe - done # copy qemu-ga (guest agent) to separate output mkdir -p $ga/bin cp $out/bin/qemu-ga $ga/bin/ diff --git a/pkgs/development/compilers/adoptopenjdk-bin/jdk-linux-base.nix b/pkgs/development/compilers/adoptopenjdk-bin/jdk-linux-base.nix index eb614b0784f..531cf3a8051 100644 --- a/pkgs/development/compilers/adoptopenjdk-bin/jdk-linux-base.nix +++ b/pkgs/development/compilers/adoptopenjdk-bin/jdk-linux-base.nix @@ -61,14 +61,6 @@ let result = stdenv.mkDerivation rec { installPhase = '' cd .. - # Set PaX markings - exes=$(file $sourceRoot/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//') - for file in $exes; do - paxmark m "$file" - # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well. - ${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''} - done - mv $sourceRoot $out rm -rf $out/demo diff --git a/pkgs/development/compilers/gcc/builder.sh b/pkgs/development/compilers/gcc/builder.sh index 75e70006d74..07a003691d6 100644 --- a/pkgs/development/compilers/gcc/builder.sh +++ b/pkgs/development/compilers/gcc/builder.sh @@ -282,11 +282,6 @@ postInstall() { fi done - # Disable RANDMMAP on grsec, which causes segfaults when using - # precompiled headers. - # See https://bugs.gentoo.org/show_bug.cgi?id=301299#c31 - paxmark r $out/libexec/gcc/*/*/{cc1,cc1plus} - # Two identical man pages are shipped (moving and compressing is done later) ln -sf gcc.1 "$out"/share/man/man1/g++.1 } diff --git a/pkgs/development/compilers/ghc/8.2.2-binary.nix b/pkgs/development/compilers/ghc/8.2.2-binary.nix index 039eea744f3..f52d8fd4a11 100644 --- a/pkgs/development/compilers/ghc/8.2.2-binary.nix +++ b/pkgs/development/compilers/ghc/8.2.2-binary.nix @@ -105,8 +105,6 @@ stdenv.mkDerivation rec { --replace-needed libtinfo.so libtinfo.so.5 \ --interpreter ${glibcDynLinker} {} \; - paxmark m ./ghc-${version}/ghc/stage2/build/tmp/ghc-stage2 - sed -i "s|/usr/bin/perl|perl\x00 |" ghc-${version}/ghc/stage2/build/tmp/ghc-stage2 sed -i "s|/usr/bin/gcc|gcc\x00 |" ghc-${version}/ghc/stage2/build/tmp/ghc-stage2 ''; diff --git a/pkgs/development/compilers/ghc/8.2.2.nix b/pkgs/development/compilers/ghc/8.2.2.nix index 3b9fecd55e1..3e355dc302d 100644 --- a/pkgs/development/compilers/ghc/8.2.2.nix +++ b/pkgs/development/compilers/ghc/8.2.2.nix @@ -238,11 +238,6 @@ stdenv.mkDerivation (rec { hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie"; postInstall = '' - for bin in "$out"/lib/${name}/bin/*; do - isELF "$bin" || continue - paxmark m "$bin" - done - # Install the bash completion file. install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc diff --git a/pkgs/development/compilers/ghc/8.4.4.nix b/pkgs/development/compilers/ghc/8.4.4.nix index 4db5c07b460..c5fe3c925f0 100644 --- a/pkgs/development/compilers/ghc/8.4.4.nix +++ b/pkgs/development/compilers/ghc/8.4.4.nix @@ -214,11 +214,6 @@ stdenv.mkDerivation (rec { hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie"; postInstall = '' - for bin in "$out"/lib/${name}/bin/*; do - isELF "$bin" || continue - paxmark m "$bin" - done - # Install the bash completion file. install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc diff --git a/pkgs/development/compilers/ghc/8.6.1.nix b/pkgs/development/compilers/ghc/8.6.1.nix index 5710c60338a..b54164ccc69 100644 --- a/pkgs/development/compilers/ghc/8.6.1.nix +++ b/pkgs/development/compilers/ghc/8.6.1.nix @@ -195,11 +195,6 @@ stdenv.mkDerivation (rec { hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie"; postInstall = '' - for bin in "$out"/lib/${name}/bin/*; do - isELF "$bin" || continue - paxmark m "$bin" - done - # Install the bash completion file. install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc diff --git a/pkgs/development/compilers/ghc/8.6.2.nix b/pkgs/development/compilers/ghc/8.6.2.nix index 914d6ae08fa..07d4420804d 100644 --- a/pkgs/development/compilers/ghc/8.6.2.nix +++ b/pkgs/development/compilers/ghc/8.6.2.nix @@ -195,11 +195,6 @@ stdenv.mkDerivation (rec { hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie"; postInstall = '' - for bin in "$out"/lib/${name}/bin/*; do - isELF "$bin" || continue - paxmark m "$bin" - done - # Install the bash completion file. install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc diff --git a/pkgs/development/compilers/ghc/8.6.3.nix b/pkgs/development/compilers/ghc/8.6.3.nix index b29b7facd1f..4e1f0dd9fc7 100644 --- a/pkgs/development/compilers/ghc/8.6.3.nix +++ b/pkgs/development/compilers/ghc/8.6.3.nix @@ -192,11 +192,6 @@ stdenv.mkDerivation (rec { hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie"; postInstall = '' - for bin in "$out"/lib/${name}/bin/*; do - isELF "$bin" || continue - paxmark m "$bin" - done - # Install the bash completion file. install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc diff --git a/pkgs/development/compilers/ghc/head.nix b/pkgs/development/compilers/ghc/head.nix index 42119682892..65a4a0c4ecd 100644 --- a/pkgs/development/compilers/ghc/head.nix +++ b/pkgs/development/compilers/ghc/head.nix @@ -177,11 +177,6 @@ stdenv.mkDerivation (rec { hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie"; postInstall = '' - for bin in "$out"/lib/${name}/bin/*; do - isELF "$bin" || continue - paxmark m "$bin" - done - # Install the bash completion file. install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc diff --git a/pkgs/development/compilers/jetbrains-jdk/default.nix b/pkgs/development/compilers/jetbrains-jdk/default.nix index 39fab8b25d8..876e474bed9 100644 --- a/pkgs/development/compilers/jetbrains-jdk/default.nix +++ b/pkgs/development/compilers/jetbrains-jdk/default.nix @@ -25,11 +25,6 @@ let drv = stdenv.mkDerivation rec { installPhase = '' cd .. - exes=$(file $sourceRoot/bin/* $sourceRoot/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//') - for file in $exes; do - paxmark m "$file" - done - mv $sourceRoot $out jrePath=$out/jre ''; diff --git a/pkgs/development/compilers/julia/0004-hardened.patch b/pkgs/development/compilers/julia/0004-hardened.patch deleted file mode 100644 index 901f967c9d5..00000000000 --- a/pkgs/development/compilers/julia/0004-hardened.patch +++ /dev/null @@ -1,25 +0,0 @@ -From eddb251a00ace6e63e32e7dcb9e1ec632cac14e0 Mon Sep 17 00:00:00 2001 -From: Will Dietz <w@wdtz.org> -Date: Wed, 1 Feb 2017 06:09:49 -0600 -Subject: [PATCH] Set pax flags on julia binaries to disable memory protection. - ---- - Makefile | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/Makefile b/Makefile -index 0e28cc87b..aab8cfa8d 100644 ---- a/Makefile -+++ b/Makefile -@@ -91,6 +91,8 @@ julia-src-release julia-src-debug : julia-src-% : julia-deps julia_flisp.boot.in - - julia-ui-release julia-ui-debug : julia-ui-% : julia-src-% - @$(MAKE) $(QUIET_MAKE) -C $(BUILDROOT)/ui julia-$* -+ @echo "setting PaX flags on $(JULIA_EXECUTABLE_$*)" -+ @paxctl -czexm $(JULIA_EXECUTABLE_$*) - - julia-inference : julia-base julia-ui-$(JULIA_BUILD_MODE) $(build_prefix)/.examples - @$(MAKE) $(QUIET_MAKE) -C $(BUILDROOT) $(build_private_libdir)/inference.ji JULIA_BUILD_MODE=$(JULIA_BUILD_MODE) --- -2.11.0 - diff --git a/pkgs/development/compilers/julia/default.nix b/pkgs/development/compilers/julia/default.nix index 086570f5ce2..4c0b1359bd8 100644 --- a/pkgs/development/compilers/julia/default.nix +++ b/pkgs/development/compilers/julia/default.nix @@ -1,6 +1,6 @@ { stdenv, fetchurl, fetchzip # build tools -, gfortran, m4, makeWrapper, patchelf, perl, which, python2, paxctl +, gfortran, m4, makeWrapper, patchelf, perl, which, python2 # libjulia dependencies , libunwind, readline, utf8proc, zlib , llvm @@ -75,7 +75,7 @@ stdenv.mkDerivation rec { patches = [ ./0001.1-use-system-utf8proc.patch ./0002-use-system-suitesparse.patch - ] ++ stdenv.lib.optional stdenv.needsPax ./0004-hardened.patch; + ]; postPatch = '' patchShebangs . contrib @@ -96,8 +96,7 @@ stdenv.mkDerivation rec { ++ stdenv.lib.optionals stdenv.isDarwin [CoreServices ApplicationServices] ; - nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ] - ++ stdenv.lib.optional stdenv.needsPax paxctl; + nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ]; makeFlags = let diff --git a/pkgs/development/compilers/julia/shared.nix b/pkgs/development/compilers/julia/shared.nix index 70ff40cd7ec..95b45adcc6f 100644 --- a/pkgs/development/compilers/julia/shared.nix +++ b/pkgs/development/compilers/julia/shared.nix @@ -5,7 +5,7 @@ }: { stdenv, fetchurl, fetchzip # build tools -, gfortran, m4, makeWrapper, patchelf, perl, which, python2, paxctl +, gfortran, m4, makeWrapper, patchelf, perl, which, python2 , llvm, cmake # libjulia dependencies , libunwind, readline, utf8proc, zlib @@ -95,7 +95,7 @@ stdenv.mkDerivation rec { patches = [ ./0001.1-use-system-utf8proc.patch - ] ++ stdenv.lib.optional stdenv.needsPax ./0004-hardened.patch; + ]; postPatch = '' patchShebangs . contrib @@ -117,8 +117,7 @@ stdenv.mkDerivation rec { ++ stdenv.lib.optionals stdenv.isDarwin [CoreServices ApplicationServices] ; - nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ] - ++ stdenv.lib.optional stdenv.needsPax paxctl; + nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ]; makeFlags = let diff --git a/pkgs/development/compilers/llvm/3.5/llvm.nix b/pkgs/development/compilers/llvm/3.5/llvm.nix index 388da007d33..2645469767a 100644 --- a/pkgs/development/compilers/llvm/3.5/llvm.nix +++ b/pkgs/development/compilers/llvm/3.5/llvm.nix @@ -81,12 +81,6 @@ in stdenv.mkDerivation rec { postBuild = '' rm -fR $out - - paxmark m bin/{lli,llvm-rtdyld} - - paxmark m unittests/ExecutionEngine/JIT/JITTests - paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests - paxmark m unittests/Support/SupportTests ''; enableParallelBuilding = true; diff --git a/pkgs/development/compilers/llvm/3.7/llvm.nix b/pkgs/development/compilers/llvm/3.7/llvm.nix index e540469c627..a6fd18f94d6 100644 --- a/pkgs/development/compilers/llvm/3.7/llvm.nix +++ b/pkgs/development/compilers/llvm/3.7/llvm.nix @@ -89,8 +89,6 @@ in stdenv.mkDerivation rec { postBuild = '' rm -fR $out - - paxmark m bin/{lli,llvm-rtdyld} ''; enableParallelBuilding = true; diff --git a/pkgs/development/compilers/llvm/3.8/llvm.nix b/pkgs/development/compilers/llvm/3.8/llvm.nix index c246bfe496e..fcb4214a1de 100644 --- a/pkgs/development/compilers/llvm/3.8/llvm.nix +++ b/pkgs/development/compilers/llvm/3.8/llvm.nix @@ -97,8 +97,6 @@ in stdenv.mkDerivation rec { postBuild = '' rm -fR $out - - paxmark m bin/{lli,llvm-rtdyld} ''; postInstall = stdenv.lib.optionalString (stdenv.isDarwin && enableSharedLibraries) '' diff --git a/pkgs/development/compilers/llvm/3.9/llvm.nix b/pkgs/development/compilers/llvm/3.9/llvm.nix index 3cc1a4d6cce..00c56e49e37 100644 --- a/pkgs/development/compilers/llvm/3.9/llvm.nix +++ b/pkgs/development/compilers/llvm/3.9/llvm.nix @@ -141,8 +141,6 @@ in stdenv.mkDerivation rec { postBuild = '' rm -fR $out - - paxmark m bin/{lli,llvm-rtdyld} ''; postInstall = "" diff --git a/pkgs/development/compilers/llvm/4/llvm.nix b/pkgs/development/compilers/llvm/4/llvm.nix index 7d93fec6a12..aac9c4275ad 100644 --- a/pkgs/development/compilers/llvm/4/llvm.nix +++ b/pkgs/development/compilers/llvm/4/llvm.nix @@ -121,12 +121,6 @@ in stdenv.mkDerivation (rec { postBuild = '' rm -fR $out - - paxmark m bin/{lli,llvm-rtdyld} - paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests - paxmark m unittests/ExecutionEngine/Orc/OrcJITTests - paxmark m unittests/Support/SupportTests - paxmark m bin/lli-child-target ''; preCheck = '' diff --git a/pkgs/development/compilers/llvm/5/llvm.nix b/pkgs/development/compilers/llvm/5/llvm.nix index 5277205f880..9e181a1202b 100644 --- a/pkgs/development/compilers/llvm/5/llvm.nix +++ b/pkgs/development/compilers/llvm/5/llvm.nix @@ -98,12 +98,6 @@ in stdenv.mkDerivation (rec { postBuild = '' rm -fR $out - - paxmark m bin/{lli,llvm-rtdyld} - paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests - paxmark m unittests/ExecutionEngine/Orc/OrcJITTests - paxmark m unittests/Support/SupportTests - paxmark m bin/lli-child-target ''; preCheck = '' diff --git a/pkgs/development/compilers/llvm/6/llvm.nix b/pkgs/development/compilers/llvm/6/llvm.nix index 192439b019b..328f95f11b3 100644 --- a/pkgs/development/compilers/llvm/6/llvm.nix +++ b/pkgs/development/compilers/llvm/6/llvm.nix @@ -115,12 +115,6 @@ in stdenv.mkDerivation (rec { postBuild = '' rm -fR $out - - paxmark m bin/{lli,llvm-rtdyld} - paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests - paxmark m unittests/ExecutionEngine/Orc/OrcJITTests - paxmark m unittests/Support/SupportTests - paxmark m bin/lli-child-target ''; preCheck = '' diff --git a/pkgs/development/compilers/llvm/7/llvm.nix b/pkgs/development/compilers/llvm/7/llvm.nix index d085f3af0ea..2ef6b147214 100644 --- a/pkgs/development/compilers/llvm/7/llvm.nix +++ b/pkgs/development/compilers/llvm/7/llvm.nix @@ -110,12 +110,6 @@ in stdenv.mkDerivation (rec { postBuild = '' rm -fR $out - - paxmark m bin/{lli,llvm-rtdyld} - paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests - paxmark m unittests/ExecutionEngine/Orc/OrcJITTests - paxmark m unittests/Support/SupportTests - paxmark m bin/lli-child-target ''; preCheck = '' diff --git a/pkgs/development/compilers/openjdk/11.nix b/pkgs/development/compilers/openjdk/11.nix index 42208ecf8d9..a389f0f5ca1 100644 --- a/pkgs/development/compilers/openjdk/11.nix +++ b/pkgs/development/compilers/openjdk/11.nix @@ -21,7 +21,6 @@ let update = ".0.1"; build = "13"; repover = "jdk-${major}${update}+${build}"; - paxflags = if stdenv.isi686 then "msp" else "m"; openjdk = stdenv.mkDerivation { name = "openjdk-${major}${update}-b${build}"; @@ -106,14 +105,6 @@ let rm $out/lib/openjdk/lib/{libjsound,libfontmanager}.so ''} - # Set PaX markings - exes=$(file $out/lib/openjdk/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//') - echo "to mark: *$exes*" - for file in $exes; do - echo "marking *$file*" - paxmark ${paxflags} "$file" - done - ln -s $out/lib/openjdk/bin $out/bin ''; diff --git a/pkgs/development/compilers/openjdk/8.nix b/pkgs/development/compilers/openjdk/8.nix index d26627ff5b9..19b16921e32 100644 --- a/pkgs/development/compilers/openjdk/8.nix +++ b/pkgs/development/compilers/openjdk/8.nix @@ -25,7 +25,6 @@ let build = "26"; baseurl = "http://hg.openjdk.java.net/jdk8u/jdk8u"; repover = "jdk8u${update}-b${build}"; - paxflags = if stdenv.isi686 then "msp" else "m"; jdk8 = fetchurl { url = "${baseurl}/archive/${repover}.tar.gz"; sha256 = "1hx5sfsglc101aqs9n7cz7rh447d6rxfxkbw03crvzbvy9n6ag2d"; @@ -176,14 +175,6 @@ let rm -rf $out/lib/openjdk/jre/lib/cmm ln -s {$jre,$out}/lib/openjdk/jre/lib/cmm - # Set PaX markings - exes=$(file $out/lib/openjdk/bin/* $jre/lib/openjdk/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//') - echo "to mark: *$exes*" - for file in $exes; do - echo "marking *$file*" - paxmark ${paxflags} "$file" - done - # Remove duplicate binaries. for i in $(cd $out/lib/openjdk/bin && echo *); do if [ "$i" = java ]; then continue; fi diff --git a/pkgs/development/compilers/openjdk/bootstrap.nix b/pkgs/development/compilers/openjdk/bootstrap.nix index 1b20ca6cc60..e58888cc9ed 100644 --- a/pkgs/development/compilers/openjdk/bootstrap.nix +++ b/pkgs/development/compilers/openjdk/bootstrap.nix @@ -36,13 +36,5 @@ let patchelf --set-interpreter $(cat "${stdenv.cc}/nix-support/dynamic-linker") "$elf" || true patchelf --set-rpath "${stdenv.cc.libc}/lib:${stdenv.cc.cc.lib}/lib:${zlib}/lib:$LIBDIRS" "$elf" || true done - - # Temporarily, while NixOS's OpenJDK bootstrap tarball doesn't have PaX markings: - find "$out/bin" -type f -print0 | while IFS= read -r -d "" elf; do - isELF "$elf" || continue - paxmark m "$elf" - # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well. - ${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$elf"''} - done ''; in bootstrap diff --git a/pkgs/development/compilers/oraclejdk/jdk-linux-base.nix b/pkgs/development/compilers/oraclejdk/jdk-linux-base.nix index 5d55e0554e5..8e04b776ed8 100644 --- a/pkgs/development/compilers/oraclejdk/jdk-linux-base.nix +++ b/pkgs/development/compilers/oraclejdk/jdk-linux-base.nix @@ -93,14 +93,6 @@ let result = stdenv.mkDerivation rec { installPhase = '' cd .. - # Set PaX markings - exes=$(file $sourceRoot/bin/* $sourceRoot/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//') - for file in $exes; do - paxmark m "$file" || true - # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well. - ${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''} - done - if test -z "$installjdk"; then mv $sourceRoot/jre $out else diff --git a/pkgs/development/compilers/swift/default.nix b/pkgs/development/compilers/swift/default.nix index bbfa1be8f92..02b100fe613 100644 --- a/pkgs/development/compilers/swift/default.nix +++ b/pkgs/development/compilers/swift/default.nix @@ -27,7 +27,6 @@ , git , libgit2 , fetchFromGitHub -, paxctl , findutils , makeWrapper , gnumake @@ -150,7 +149,7 @@ stdenv.mkDerivation rec { findutils makeWrapper gnumake - ] ++ stdenv.lib.optional stdenv.needsPax paxctl; + ]; # TODO: Revisit what's propagated and how propagatedBuildInputs = [ @@ -218,9 +217,6 @@ stdenv.mkDerivation rec { substituteInPlace swift/utils/build-script-impl \ --replace '/usr/include/c++' "${clang.cc.gcc}/include/c++" patch -p1 -d swift -i ${./patches/glibc-arch-headers.patch} - '' + stdenv.lib.optionalString stdenv.needsPax '' - patch -p1 -d swift -i ${./patches/build-script-pax.patch} - '' + '' patch -p1 -d swift -i ${./patches/0001-build-presets-linux-don-t-require-using-Ninja.patch} patch -p1 -d swift -i ${./patches/0002-build-presets-linux-allow-custom-install-prefix.patch} patch -p1 -d swift -i ${./patches/0004-build-presets-linux-plumb-extra-cmake-options.patch} @@ -266,9 +262,6 @@ stdenv.mkDerivation rec { tar xf $INSTALLABLE_PACKAGE -C $out --strip-components=3 $PREFIX find $out -type d -empty -delete - paxmark pmr $out/bin/swift - paxmark pmr $out/bin/* - # TODO: Use wrappers to get these on the PATH for swift tools, instead ln -s ${clang}/bin/* $out/bin/ ln -s ${targetPackages.stdenv.cc.bintools.bintools_bin}/bin/ar $out/bin/ar diff --git a/pkgs/development/compilers/swift/patches/build-script-pax.patch b/pkgs/development/compilers/swift/patches/build-script-pax.patch deleted file mode 100644 index 1f47bf8ee04..00000000000 --- a/pkgs/development/compilers/swift/patches/build-script-pax.patch +++ /dev/null @@ -1,33 +0,0 @@ ---- swift/utils/build-script-impl 2017-01-23 12:47:20.401326309 -0600 -+++ swift-pax/utils/build-script-impl 2017-01-23 13:24:10.339366996 -0600 -@@ -1837,6 +1837,17 @@ function set_lldb_xcodebuild_options() { - fi - } - -+## XXX: Taken from nixpkgs /pkgs/stdenv/generic/setup.sh -+isELF() { -+ local fn="$1" -+ local fd -+ local magic -+ exec {fd}< "$fn" -+ read -n 4 -u $fd magic -+ exec {fd}<&- -+ if [[ "$magic" =~ ELF ]]; then return 0; else return 1; fi -+} -+ - # - # Configure and build each product - # -@@ -2735,6 +2746,12 @@ for host in "${ALL_HOSTS[@]}"; do - fi - - call "${CMAKE_BUILD[@]}" "${build_dir}" $(cmake_config_opt ${product}) -- "${BUILD_ARGS[@]}" ${build_targets[@]} -+ -+ while IFS= read -r -d $'\0' i; do -+ if ! isELF "$i"; then continue; fi -+ echo "setting pax flags on $i" -+ paxctl -czexm "$i" || true -+ done < <(find "${build_dir}" -executable -type f -wholename "*/bin/*" -print0) - fi - done - done diff --git a/pkgs/development/compilers/terra/default.nix b/pkgs/development/compilers/terra/default.nix index 98795f96ffa..80d04080aac 100644 --- a/pkgs/development/compilers/terra/default.nix +++ b/pkgs/development/compilers/terra/default.nix @@ -51,10 +51,6 @@ stdenv.mkDerivation rec { '' ; - postFixup = '' - paxmark m $bin/bin/terra - ''; - buildInputs = with llvmPackages; [ lua llvm clang-unwrapped ncurses ]; meta = with stdenv.lib; { diff --git a/pkgs/development/compilers/tinycc/default.nix b/pkgs/development/compilers/tinycc/default.nix index da706d502e6..a5c3db65857 100644 --- a/pkgs/development/compilers/tinycc/default.nix +++ b/pkgs/development/compilers/tinycc/default.nix @@ -33,10 +33,6 @@ stdenv.mkDerivation rec { doCheck = true; checkTarget = "test"; - postFixup = '' - paxmark m $out/bin/tcc - ''; - meta = { description = "Small, fast, and embeddable C compiler and interpreter"; diff --git a/pkgs/development/interpreters/python/cpython/2.7/boot.nix b/pkgs/development/interpreters/python/cpython/2.7/boot.nix index 976d30819db..ccb366903c5 100644 --- a/pkgs/development/interpreters/python/cpython/2.7/boot.nix +++ b/pkgs/development/interpreters/python/cpython/2.7/boot.nix @@ -77,8 +77,6 @@ stdenv.mkDerivation rec { '' ln -s $out/share/man/man1/{python2.7.1.gz,python.1.gz} - paxmark E $out/bin/python2.7 - rm "$out"/lib/python*/plat-*/regen # refers to glibc.dev ''; diff --git a/pkgs/development/interpreters/python/cpython/2.7/default.nix b/pkgs/development/interpreters/python/cpython/2.7/default.nix index 63dad3bf42f..ff1497a24e4 100644 --- a/pkgs/development/interpreters/python/cpython/2.7/default.nix +++ b/pkgs/development/interpreters/python/cpython/2.7/default.nix @@ -229,8 +229,6 @@ in stdenv.mkDerivation ({ ln -s $out/lib/python${majorVersion}/pdb.py $out/bin/pdb${majorVersion} ln -s $out/share/man/man1/{python2.7.1.gz,python.1.gz} - paxmark E $out/bin/python${majorVersion} - # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484 echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py diff --git a/pkgs/development/interpreters/python/cpython/3.5/default.nix b/pkgs/development/interpreters/python/cpython/3.5/default.nix index 92c277aacd4..19e9f3169c7 100644 --- a/pkgs/development/interpreters/python/cpython/3.5/default.nix +++ b/pkgs/development/interpreters/python/cpython/3.5/default.nix @@ -143,7 +143,6 @@ in stdenv.mkDerivation { touch $out/lib/python${majorVersion}/test/__init__.py ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}" - paxmark E $out/bin/python${majorVersion} # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484 echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py diff --git a/pkgs/development/interpreters/python/cpython/3.6/default.nix b/pkgs/development/interpreters/python/cpython/3.6/default.nix index 4c9d0c2a896..692f5c263a3 100644 --- a/pkgs/development/interpreters/python/cpython/3.6/default.nix +++ b/pkgs/development/interpreters/python/cpython/3.6/default.nix @@ -164,7 +164,6 @@ in stdenv.mkDerivation { touch $out/lib/python${majorVersion}/test/__init__.py ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}" - paxmark E $out/bin/python${majorVersion} # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484 echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py diff --git a/pkgs/development/interpreters/python/cpython/3.7/default.nix b/pkgs/development/interpreters/python/cpython/3.7/default.nix index d1403ba95e4..80d519b109e 100644 --- a/pkgs/development/interpreters/python/cpython/3.7/default.nix +++ b/pkgs/development/interpreters/python/cpython/3.7/default.nix @@ -154,7 +154,6 @@ in stdenv.mkDerivation { touch $out/lib/python${majorVersion}/test/__init__.py ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}" - paxmark E $out/bin/python${majorVersion} # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484 echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py diff --git a/pkgs/development/interpreters/spidermonkey/1.8.5.nix b/pkgs/development/interpreters/spidermonkey/1.8.5.nix index 46637195586..9c81b230ada 100644 --- a/pkgs/development/interpreters/spidermonkey/1.8.5.nix +++ b/pkgs/development/interpreters/spidermonkey/1.8.5.nix @@ -44,7 +44,7 @@ stdenv.mkDerivation rec { # so the failure of that test does not matter much. configureFlags = [ "--enable-threadsafe" "--with-system-nspr" ] ++ stdenv.lib.optionals (stdenv.hostPlatform.system == "armv5tel-linux") [ - "--with-cpu-arch=armv5t" + "--with-cpu-arch=armv5t" "--disable-tracejit" ]; # hack around a make problem, see https://github.com/NixOS/nixpkgs/issues/1279#issuecomment-29547393 @@ -59,9 +59,6 @@ stdenv.mkDerivation rec { preCheck = '' rm jit-test/tests/sunspider/check-date-format-tofte.js # https://bugzil.la/600522 - - paxmark mr shell/js - paxmark mr jsapi-tests/jsapi-tests ''; meta = with stdenv.lib; { diff --git a/pkgs/development/libraries/gstreamer/legacy/gstreamer/default.nix b/pkgs/development/libraries/gstreamer/legacy/gstreamer/default.nix index d4d4082509e..96c9d8e0c8e 100644 --- a/pkgs/development/libraries/gstreamer/legacy/gstreamer/default.nix +++ b/pkgs/development/libraries/gstreamer/legacy/gstreamer/default.nix @@ -36,8 +36,6 @@ stdenv.mkDerivation rec { postInstall = '' # Hm, apparently --disable-gtk-doc is ignored... rm -rf $out/share/gtk-doc - - paxmark m $out/bin/gst-launch* $out/libexec/gstreamer-*/gst-plugin-scanner ''; setupHook = ./setup-hook.sh; diff --git a/pkgs/development/libraries/polkit/default.nix b/pkgs/development/libraries/polkit/default.nix index 8093aec6bcc..83f19e442c6 100644 --- a/pkgs/development/libraries/polkit/default.nix +++ b/pkgs/development/libraries/polkit/default.nix @@ -72,13 +72,6 @@ stdenv.mkDerivation rec { makeFlags = "INTROSPECTION_GIRDIR=$(out)/share/gir-1.0 INTROSPECTION_TYPELIBDIR=$(out)/lib/girepository-1.0"; - # The following is required on grsecurity/PaX due to spidermonkey's JIT - postBuild = stdenv.lib.optionalString stdenv.isLinux '' - paxmark mr src/polkitbackend/.libs/polkitd - '' + stdenv.lib.optionalString (stdenv.isLinux && doCheck) '' - paxmark mr test/polkitbackend/.libs/polkitbackendjsauthoritytest - ''; - installFlags=["datadir=$(out)/share" "sysconfdir=$(out)/etc"]; inherit doCheck; diff --git a/pkgs/development/libraries/qt-5/5.11/default.nix b/pkgs/development/libraries/qt-5/5.11/default.nix index 6f90f1cea7f..5fbab32acda 100644 --- a/pkgs/development/libraries/qt-5/5.11/default.nix +++ b/pkgs/development/libraries/qt-5/5.11/default.nix @@ -61,7 +61,6 @@ let qtscript = [ ./qtscript.patch ]; qtserialport = [ ./qtserialport.patch ]; qttools = [ ./qttools.patch ]; - qtwebengine = optional stdenv.needsPax ./qtwebengine-paxmark-mksnapshot.patch; qtwebkit = [ ./qtwebkit.patch ]; }; diff --git a/pkgs/development/libraries/qt-5/5.11/qtwebengine-paxmark-mksnapshot.patch b/pkgs/development/libraries/qt-5/5.11/qtwebengine-paxmark-mksnapshot.patch deleted file mode 100644 index e1621b005c6..00000000000 --- a/pkgs/development/libraries/qt-5/5.11/qtwebengine-paxmark-mksnapshot.patch +++ /dev/null @@ -1,48 +0,0 @@ -diff --git a/src/3rdparty/chromium/v8/src/v8.gyp b/chromium/v8/src/v8.gyp -index e7e19f5059..934448c7d8 100644 ---- a/src/3rdparty/chromium/v8/src/v8.gyp -+++ b/src/3rdparty/chromium/v8/src/v8.gyp -@@ -35,6 +35,7 @@ - 'v8_extra_library_files%': [], - 'v8_experimental_extra_library_files%': [], - 'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)', -+ 'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)', - 'v8_os_page_size%': 0, - }, - 'includes': ['../gypfiles/toolchain.gypi', '../gypfiles/features.gypi', 'inspector/inspector.gypi'], -@@ -2576,7 +2577,7 @@ - ] - }, - { -- 'target_name': 'mksnapshot', -+ 'target_name': 'mksnapshot_u', - 'type': 'executable', - 'dependencies': [ - 'v8_base', -@@ -2606,5 +2607,26 @@ - }], - ], - }, -+ { -+ 'target_name': 'mksnapshot', -+ 'type': 'executable', -+ 'dependencies': ['mksnapshot_u'], -+ 'actions': [ -+ { -+ 'action_name': 'paxmark_m_mksnapshot', -+ 'inputs': [ -+ '<(mksnapshot_u_exec)', -+ ], -+ 'outputs': [ -+ '<(mksnapshot_exec)', -+ ], -+ 'action': [ -+ 'sh', -+ '-c', -+ 'cp <(mksnapshot_u_exec) <(mksnapshot_exec) && paxctl -czexm <(mksnapshot_exec)', -+ ], -+ }, -+ ], -+ }, - ], - } diff --git a/pkgs/development/libraries/qt-5/5.6/default.nix b/pkgs/development/libraries/qt-5/5.6/default.nix index e815cc8f70f..9391999f1e9 100644 --- a/pkgs/development/libraries/qt-5/5.6/default.nix +++ b/pkgs/development/libraries/qt-5/5.6/default.nix @@ -51,8 +51,7 @@ let qtscript = [ ./qtscript.patch ]; qtserialport = [ ./qtserialport.patch ]; qttools = [ ./qttools.patch ]; - qtwebengine = [ ./qtwebengine-seccomp.patch ] - ++ optional stdenv.needsPax ./qtwebengine-paxmark-mksnapshot.patch; + qtwebengine = [ ./qtwebengine-seccomp.patch ]; qtwebkit = [ ./qtwebkit.patch ]; }; diff --git a/pkgs/development/libraries/qt-5/5.6/qtwebengine-paxmark-mksnapshot.patch b/pkgs/development/libraries/qt-5/5.6/qtwebengine-paxmark-mksnapshot.patch deleted file mode 100644 index b3316188f7d..00000000000 --- a/pkgs/development/libraries/qt-5/5.6/qtwebengine-paxmark-mksnapshot.patch +++ /dev/null @@ -1,46 +0,0 @@ ---- qtwebengine-opensource-src-5.6.0-orig/src/3rdparty/chromium/v8/tools/gyp/v8.gyp 2016-03-04 01:48:36.000000000 +1100 -+++ qtwebengine-opensource-src-5.6.0/src/3rdparty/chromium/v8/tools/gyp/v8.gyp 2016-05-01 19:15:44.052770543 +1000 -@@ -33,6 +33,7 @@ - 'embed_script%': "", - 'v8_extra_library_files%': [], - 'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)', -+ 'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)', - 'remove_v8base_debug_symbols%': 0, - }, - 'includes': ['../../build/toolchain.gypi', '../../build/features.gypi'], -@@ -1913,7 +1914,7 @@ - ] - }, - { -- 'target_name': 'mksnapshot', -+ 'target_name': 'mksnapshot_u', - 'type': 'executable', - 'dependencies': ['v8_base', 'v8_nosnapshot', 'v8_libplatform'], - 'include_dirs+': [ -@@ -1936,5 +1937,26 @@ - }], - ], - }, -+ { -+ 'target_name': 'mksnapshot', -+ 'type': 'executable', -+ 'dependencies': ['mksnapshot_u'], -+ 'actions': [ -+ { -+ 'action_name': 'paxmark_m_mksnapshot', -+ 'inputs': [ -+ '<(mksnapshot_u_exec)', -+ ], -+ 'outputs': [ -+ '<(mksnapshot_exec)', -+ ], -+ 'action': [ -+ 'sh', -+ '-c', -+ 'cp <(mksnapshot_u_exec) <(mksnapshot_exec) && paxctl -czexm <(mksnapshot_exec)', -+ ], -+ }, -+ ], -+ }, - ], - } diff --git a/pkgs/development/libraries/qt-5/5.9/default.nix b/pkgs/development/libraries/qt-5/5.9/default.nix index 6fcb7a0dc5e..4acc6a6393f 100644 --- a/pkgs/development/libraries/qt-5/5.9/default.nix +++ b/pkgs/development/libraries/qt-5/5.9/default.nix @@ -43,7 +43,6 @@ let qtscript = [ ./qtscript.patch ]; qtserialport = [ ./qtserialport.patch ]; qttools = [ ./qttools.patch ]; - qtwebengine = optional stdenv.needsPax ./qtwebengine-paxmark-mksnapshot.patch; qtwebkit = [ ./qtwebkit.patch ]; }; diff --git a/pkgs/development/libraries/qt-5/5.9/qtwebengine-paxmark-mksnapshot.patch b/pkgs/development/libraries/qt-5/5.9/qtwebengine-paxmark-mksnapshot.patch deleted file mode 100644 index 5e170567ce5..00000000000 --- a/pkgs/development/libraries/qt-5/5.9/qtwebengine-paxmark-mksnapshot.patch +++ /dev/null @@ -1,48 +0,0 @@ -Index: qtwebengine-opensource-src-5.9.0/src/3rdparty/chromium/v8/src/v8.gyp -=================================================================== ---- qtwebengine-opensource-src-5.9.0.orig/src/3rdparty/chromium/v8/src/v8.gyp -+++ qtwebengine-opensource-src-5.9.0/src/3rdparty/chromium/v8/src/v8.gyp -@@ -36,6 +36,7 @@ - 'v8_experimental_extra_library_files%': [], - 'v8_enable_inspector%': 0, - 'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)', -+ 'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)', - 'mkpeephole_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mkpeephole<(EXECUTABLE_SUFFIX)', - 'v8_os_page_size%': 0, - }, -@@ -2432,7 +2433,7 @@ - ] - }, - { -- 'target_name': 'mksnapshot', -+ 'target_name': 'mksnapshot_u', - 'type': 'executable', - 'dependencies': [ - 'v8_base', -@@ -2485,5 +2486,26 @@ - }], - ], - }, -+ { -+ 'target_name': 'mksnapshot', -+ 'type': 'executable', -+ 'dependencies': ['mksnapshot_u'], -+ 'actions': [ -+ { -+ 'action_name': 'paxmark_m_mksnapshot', -+ 'inputs': [ -+ '<(mksnapshot_u_exec)', -+ ], -+ 'outputs': [ -+ '<(mksnapshot_exec)', -+ ], -+ 'action': [ -+ 'sh', -+ '-c', -+ 'cp <(mksnapshot_u_exec) <(mksnapshot_exec) && paxctl -czexm <(mksnapshot_exec)', -+ ], -+ }, -+ ], -+ }, - ], - } diff --git a/pkgs/development/libraries/qt-5/modules/qtwebengine.nix b/pkgs/development/libraries/qt-5/modules/qtwebengine.nix index 71ecde66a1f..a80488bad5e 100644 --- a/pkgs/development/libraries/qt-5/modules/qtwebengine.nix +++ b/pkgs/development/libraries/qt-5/modules/qtwebengine.nix @@ -14,7 +14,7 @@ , enableProprietaryCodecs ? true , gn, darwin, openbsm , ffmpeg ? null -, lib, stdenv # lib.optional, needsPax +, lib, stdenv }: with stdenv.lib; @@ -181,7 +181,6 @@ EOF [Paths] Prefix = .. EOF - paxmark m $out/libexec/QtWebEngineProcess ''; meta = with lib; { diff --git a/pkgs/development/tools/analysis/valgrind/default.nix b/pkgs/development/tools/analysis/valgrind/default.nix index 2e04cac6c49..78f40913eb5 100644 --- a/pkgs/development/tools/analysis/valgrind/default.nix +++ b/pkgs/development/tools/analysis/valgrind/default.nix @@ -73,8 +73,6 @@ stdenv.mkDerivation rec { --replace 'obj:/usr/X11R6/lib' 'obj:*/lib' \ --replace 'obj:/usr/lib' 'obj:*/lib' done - - paxmark m $out/lib/valgrind/*-*-linux ''; meta = { diff --git a/pkgs/development/tools/misc/binutils/default.nix b/pkgs/development/tools/misc/binutils/default.nix index 5d60903ee86..787a5dbc646 100644 --- a/pkgs/development/tools/misc/binutils/default.nix +++ b/pkgs/development/tools/misc/binutils/default.nix @@ -33,11 +33,6 @@ stdenv.mkDerivation rec { # Make binutils output deterministic by default. ./deterministic.patch - # Always add PaX flags section to ELF files. - # This is needed, for instance, so that running "ldd" on a binary that is - # PaX-marked to disable mprotect doesn't fail with permission denied. - ./pt-pax-flags.patch - # Bfd looks in BINDIR/../lib for some plugins that don't # exist. This is pointless (since users can't install plugins # there) and causes a cycle between the lib and bin outputs, so diff --git a/pkgs/development/tools/misc/binutils/pt-pax-flags.patch b/pkgs/development/tools/misc/binutils/pt-pax-flags.patch deleted file mode 100644 index 3c060012ad0..00000000000 --- a/pkgs/development/tools/misc/binutils/pt-pax-flags.patch +++ /dev/null @@ -1,233 +0,0 @@ ---- binutils-2.15.94.0.2.2.orig/bfd/elf-bfd.h 2005-02-07 20:42:44.000000000 +0100 -+++ binutils-2.15.94.0.2.2/bfd/elf-bfd.h 2005-02-20 13:13:17.362558200 +0100 -@@ -1266,6 +1266,9 @@ - /* Should the PT_GNU_RELRO segment be emitted? */ - bfd_boolean relro; - -+ /* Segment flags for the PT_PAX_FLAGS segment. */ -+ unsigned int pax_flags; -+ - /* Symbol version definitions in external objects. */ - Elf_Internal_Verdef *verdef; - ---- binutils-2.17.50.0.18/bfd/elf.c.orig 2007-08-01 11:12:02.000000000 -0400 -+++ binutils-2.17.50.0.18/bfd/elf.c 2007-08-01 14:27:36.086986774 -0400 -@@ -1085,6 +1085,7 @@ - case PT_GNU_EH_FRAME: pt = "EH_FRAME"; break; - case PT_GNU_STACK: pt = "STACK"; break; - case PT_GNU_RELRO: pt = "RELRO"; break; -+ case PT_PAX_FLAGS: pt = "PAX_FLAGS"; break; - default: pt = NULL; break; - } - return pt; -@@ -2346,6 +2347,9 @@ - case PT_GNU_RELRO: - return _bfd_elf_make_section_from_phdr (abfd, hdr, hdr_index, "relro"); - -+ case PT_PAX_FLAGS: -+ return _bfd_elf_make_section_from_phdr (abfd, hdr, hdr_index, "pax_flags"); -+ - default: - /* Check for any processor-specific program segment types. */ - bed = get_elf_backend_data (abfd); -@@ -3326,6 +3330,11 @@ - ++segs; - } - -+ { -+ /* We need a PT_PAX_FLAGS segment. */ -+ ++segs; -+ } -+ - for (s = abfd->sections; s != NULL; s = s->next) - { - if ((s->flags & SEC_LOAD) != 0 -@@ -3945,6 +3954,20 @@ - pm = &m->next; - } - -+ { -+ amt = sizeof (struct elf_segment_map); -+ m = bfd_zalloc (abfd, amt); -+ if (m == NULL) -+ goto error_return; -+ m->next = NULL; -+ m->p_type = PT_PAX_FLAGS; -+ m->p_flags = elf_tdata (abfd)->pax_flags; -+ m->p_flags_valid = 1; -+ -+ *pm = m; -+ pm = &m->next; -+ } -+ - free (sections); - elf_tdata (abfd)->segment_map = mfirst; - } -@@ -5129,7 +5152,8 @@ - 5. PT_GNU_STACK segments do not include any sections. - 6. PT_TLS segment includes only SHF_TLS sections. - 7. SHF_TLS sections are only in PT_TLS or PT_LOAD segments. -- 8. PT_DYNAMIC should not contain empty sections at the beginning -+ 8. PT_PAX_FLAGS segments do not include any sections. -+ 9. PT_DYNAMIC should not contain empty sections at the beginning - (with the possible exception of .dynamic). */ - #define IS_SECTION_IN_INPUT_SEGMENT(section, segment, bed) \ - ((((segment->p_paddr \ -@@ -5138,6 +5162,7 @@ - && (section->flags & SEC_ALLOC) != 0) \ - || IS_COREFILE_NOTE (segment, section)) \ - && segment->p_type != PT_GNU_STACK \ -+ && segment->p_type != PT_PAX_FLAGS \ - && (segment->p_type != PT_TLS \ - || (section->flags & SEC_THREAD_LOCAL)) \ - && (segment->p_type == PT_LOAD \ ---- binutils-2.23.52.0.1/bfd/elflink.c.orig 2013-02-27 21:28:03.000000000 +0100 -+++ binutils-2.23.52.0.1/bfd/elflink.c 2013-03-01 17:32:44.922717879 +0100 -@@ -5764,18 +5764,32 @@ - && ! (*bed->elf_backend_always_size_sections) (output_bfd, info)) - return FALSE; - -+ elf_tdata (output_bfd)->pax_flags = PF_NORANDEXEC; -+ -+ if (info->execheap) -+ elf_tdata (output_bfd)->pax_flags |= PF_NOMPROTECT; -+ else if (info->noexecheap) -+ elf_tdata (output_bfd)->pax_flags |= PF_MPROTECT; -+ - /* Determine any GNU_STACK segment requirements, after the backend - has had a chance to set a default segment size. */ - if (info->execstack) -+ { - elf_stack_flags (output_bfd) = PF_R | PF_W | PF_X; -+ elf_tdata (output_bfd)->pax_flags |= PF_EMUTRAMP; -+ } - else if (info->noexecstack) -+ { - elf_stack_flags (output_bfd) = PF_R | PF_W; -+ elf_tdata (output_bfd)->pax_flags |= PF_NOEMUTRAMP; -+ } - else - { - bfd *inputobj; - asection *notesec = NULL; - int exec = 0; - -+ elf_tdata (output_bfd)->pax_flags |= PF_NOEMUTRAMP; - for (inputobj = info->input_bfds; - inputobj; - inputobj = inputobj->link_next) -@@ -5789,7 +5803,11 @@ - if (s) - { - if (s->flags & SEC_CODE) -- exec = PF_X; -+ { -+ elf_tdata (output_bfd)->pax_flags &= ~PF_NOEMUTRAMP; -+ elf_tdata (output_bfd)->pax_flags |= PF_EMUTRAMP; -+ exec = PF_X; -+ } - notesec = s; - } - else if (bed->default_execstack) ---- binutils-2.15.94.0.2.2.orig/binutils/readelf.c 2005-02-18 07:14:30.000000000 +0100 -+++ binutils-2.15.94.0.2.2/binutils/readelf.c 2005-02-20 13:13:17.470541784 +0100 -@@ -2293,6 +2293,7 @@ - return "GNU_EH_FRAME"; - case PT_GNU_STACK: return "GNU_STACK"; - case PT_GNU_RELRO: return "GNU_RELRO"; -+ case PT_PAX_FLAGS: return "PAX_FLAGS"; - - default: - if ((p_type >= PT_LOPROC) && (p_type <= PT_HIPROC)) ---- binutils-2.15.94.0.2.2.orig/include/bfdlink.h 2004-11-22 21:33:32.000000000 +0100 -+++ binutils-2.15.94.0.2.2/include/bfdlink.h 2005-02-20 13:13:17.476540872 +0100 -@@ -313,6 +313,14 @@ - flags. */ - unsigned int noexecstack: 1; - -+ /* TRUE if PT_PAX_FLAGS segment should be created with PF_NOMPROTECT -+ flags. */ -+ unsigned int execheap: 1; -+ -+ /* TRUE if PT_PAX_FLAGS segment should be created with PF_MPROTECT -+ flags. */ -+ unsigned int noexecheap: 1; -+ - /* TRUE if PT_GNU_RELRO segment should be created. */ - unsigned int relro: 1; - ---- binutils-2.15.94.0.2.2.orig/include/elf/common.h 2004-11-22 21:33:32.000000000 +0100 -+++ binutils-2.15.94.0.2.2/include/elf/common.h 2005-02-20 13:13:17.482539960 +0100 -@@ -423,6 +423,7 @@ - #define PT_SUNW_EH_FRAME PT_GNU_EH_FRAME /* Solaris uses the same value */ - #define PT_GNU_STACK (PT_LOOS + 0x474e551) /* Stack flags */ - #define PT_GNU_RELRO (PT_LOOS + 0x474e552) /* Read-only after relocation */ -+#define PT_PAX_FLAGS (PT_LOOS + 0x5041580) /* PaX flags */ - - /* Program segment permissions, in program header p_flags field. */ - -@@ -433,6 +434,19 @@ - #define PF_MASKOS 0x0FF00000 /* New value, Oct 4, 1999 Draft */ - #define PF_MASKPROC 0xF0000000 /* Processor-specific reserved bits */ - -+#define PF_PAGEEXEC (1 << 4) /* Enable PAGEEXEC */ -+#define PF_NOPAGEEXEC (1 << 5) /* Disable PAGEEXEC */ -+#define PF_SEGMEXEC (1 << 6) /* Enable SEGMEXEC */ -+#define PF_NOSEGMEXEC (1 << 7) /* Disable SEGMEXEC */ -+#define PF_MPROTECT (1 << 8) /* Enable MPROTECT */ -+#define PF_NOMPROTECT (1 << 9) /* Disable MPROTECT */ -+#define PF_RANDEXEC (1 << 10) /* Enable RANDEXEC */ -+#define PF_NORANDEXEC (1 << 11) /* Disable RANDEXEC */ -+#define PF_EMUTRAMP (1 << 12) /* Enable EMUTRAMP */ -+#define PF_NOEMUTRAMP (1 << 13) /* Disable EMUTRAMP */ -+#define PF_RANDMMAP (1 << 14) /* Enable RANDMMAP */ -+#define PF_NORANDMMAP (1 << 15) /* Disable RANDMMAP */ -+ - /* Values for section header, sh_type field. */ - - #define SHT_NULL 0 /* Section header table entry unused */ ---- binutils-2.18.50.0.1/ld/emultempl/elf32.em.orig 2007-09-08 19:34:12.000000000 +0200 -+++ binutils-2.18.50.0.1/ld/emultempl/elf32.em 2007-09-15 21:41:35.688212063 +0200 -@@ -2139,6 +2139,16 @@ - link_info.noexecstack = TRUE; - link_info.execstack = FALSE; - } -+ else if (strcmp (optarg, "execheap") == 0) -+ { -+ link_info.execheap = TRUE; -+ link_info.noexecheap = FALSE; -+ } -+ else if (strcmp (optarg, "noexecheap") == 0) -+ { -+ link_info.noexecheap = TRUE; -+ link_info.execheap = FALSE; -+ } - EOF - - if test -n "$COMMONPAGESIZE"; then ---- binutils-2.15.94.0.2.2.orig/ld/ldgram.y 2004-11-22 21:33:32.000000000 +0100 -+++ binutils-2.15.94.0.2.2/ld/ldgram.y 2005-02-20 13:13:17.499537376 +0100 -@@ -1073,6 +1073,8 @@ - $$ = exp_intop (0x6474e550); - else if (strcmp (s, "PT_GNU_STACK") == 0) - $$ = exp_intop (0x6474e551); -+ else if (strcmp (s, "PT_PAX_FLAGS") == 0) -+ $$ = exp_intop (0x65041580); - else - { - einfo (_("\ ---- binutils-2.26/ld/lexsup.c.orig 2015-11-13 09:27:42.000000000 +0100 -+++ binutils-2.26/ld/lexsup.c 2016-01-26 21:08:41.787138458 +0100 -@@ -1793,8 +1793,12 @@ - fprintf (file, _("\ - -z muldefs Allow multiple definitions\n")); - fprintf (file, _("\ -+ -z execheap Mark executable as requiring executable heap\n")); -+ fprintf (file, _("\ - -z execstack Mark executable as requiring executable stack\n")); - fprintf (file, _("\ -+ -z noexecheap Mark executable as not requiring executable heap\n")); -+ fprintf (file, _("\ - -z noexecstack Mark executable as not requiring executable stack\n")); - } - diff --git a/pkgs/development/web/nodejs/nodejs.nix b/pkgs/development/web/nodejs/nodejs.nix index a9c08e1c5b7..e5c52f620ac 100644 --- a/pkgs/development/web/nodejs/nodejs.nix +++ b/pkgs/development/web/nodejs/nodejs.nix @@ -88,7 +88,6 @@ in doCheck = false; # fails 4 out of 1453 tests postInstall = '' - paxmark m $out/bin/node PATH=$out/bin:$PATH patchShebangs $out ${optionalString enableNpm '' diff --git a/pkgs/stdenv/cross/default.nix b/pkgs/stdenv/cross/default.nix index 4790145e01f..7d98e5cf488 100644 --- a/pkgs/stdenv/cross/default.nix +++ b/pkgs/stdenv/cross/default.nix @@ -59,7 +59,7 @@ in lib.init bootStages ++ [ extraNativeBuildInputs = old.extraNativeBuildInputs ++ lib.optionals (hostPlatform.isLinux && !buildPlatform.isLinux) - [ buildPackages.patchelf buildPackages.paxctl ] + [ buildPackages.patchelf ] ++ lib.optional (let f = p: !p.isx86 || p.libc == "musl"; in f hostPlatform && !(f buildPlatform)) buildPackages.updateAutotoolsGnuConfigScriptsHook diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix index be9d38f9780..f77f43aea88 100644 --- a/pkgs/stdenv/generic/default.nix +++ b/pkgs/stdenv/generic/default.nix @@ -130,9 +130,6 @@ let # The derivation's `system` is `buildPlatform.system`. inherit (buildPlatform) system; - # Whether we should run paxctl to pax-mark binaries. - needsPax = isLinux; - inherit (import ./make-derivation.nix { inherit lib config stdenv; }) mkDerivation; diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh index be96d018612..03fa589138d 100644 --- a/pkgs/stdenv/generic/setup.sh +++ b/pkgs/stdenv/generic/setup.sh @@ -280,10 +280,6 @@ if [ -z "${SHELL:-}" ]; then echo "SHELL not set"; exit 1; fi BASH="$SHELL" export CONFIG_SHELL="$SHELL" -# Dummy implementation of the paxmark function. On Linux, this is -# overwritten by paxctl's setup hook. -paxmark() { true; } - # Execute the pre-hook. if [ -z "${shell:-}" ]; then export shell="$SHELL"; fi diff --git a/pkgs/stdenv/linux/default.nix b/pkgs/stdenv/linux/default.nix index 28c3b9f3fb4..12bf781de70 100644 --- a/pkgs/stdenv/linux/default.nix +++ b/pkgs/stdenv/linux/default.nix @@ -216,7 +216,7 @@ in inherit (prevStage) ccWrapperStdenv gcc-unwrapped coreutils gnugrep - perl paxctl gnum4 bison; + perl gnum4 bison; # This also contains the full, dynamically linked, final Glibc. binutils = prevStage.binutils.override { # Rewrap the binutils with the new glibc, so both the next @@ -250,7 +250,7 @@ in isl = isl_0_17; }; }; - extraNativeBuildInputs = [ prevStage.patchelf prevStage.paxctl ] ++ + extraNativeBuildInputs = [ prevStage.patchelf ] ++ # Many tarballs come with obsolete config.sub/config.guess that don't recognize aarch64. lib.optional (!localSystem.isx86 || localSystem.libc == "musl") prevStage.updateAutotoolsGnuConfigScriptsHook; @@ -325,7 +325,7 @@ in initialPath = ((import ../common-path.nix) {pkgs = prevStage;}); - extraNativeBuildInputs = [ prevStage.patchelf prevStage.paxctl ] ++ + extraNativeBuildInputs = [ prevStage.patchelf ] ++ # Many tarballs come with obsolete config.sub/config.guess that don't recognize aarch64. lib.optional (!localSystem.isx86 || localSystem.libc == "musl") prevStage.updateAutotoolsGnuConfigScriptsHook; @@ -349,7 +349,7 @@ in # Simple executable tools concatMap (p: [ (getBin p) (getLib p) ]) [ gzip bzip2 xz bash binutils.bintools coreutils diffutils findutils - gawk gnumake gnused gnutar gnugrep gnupatch patchelf ed paxctl + gawk gnumake gnused gnutar gnugrep gnupatch patchelf ed ] # Library dependencies ++ map getLib ( @@ -368,7 +368,7 @@ in inherit (prevStage) gzip bzip2 xz bash coreutils diffutils findutils gawk gnumake gnused gnutar gnugrep gnupatch patchelf - attr acl paxctl zlib pcre; + attr acl zlib pcre; ${localSystem.libc} = getLibc prevStage; } // lib.optionalAttrs (super.stdenv.targetPlatform == localSystem) { # Need to get rid of these when cross-compiling. diff --git a/pkgs/tools/misc/grub/2.0x.nix b/pkgs/tools/misc/grub/2.0x.nix index 86287779792..d5079750859 100644 --- a/pkgs/tools/misc/grub/2.0x.nix +++ b/pkgs/tools/misc/grub/2.0x.nix @@ -109,8 +109,6 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; postInstall = '' - paxmark pms $out/sbin/grub-{probe,bios-setup} - # Avoid a runtime reference to gcc sed -i $out/lib/grub/*/modinfo.sh -e "/grub_target_cppflags=/ s|'.*'|' '|" ''; diff --git a/pkgs/tools/misc/grub/trusted.nix b/pkgs/tools/misc/grub/trusted.nix index d4d79c6e59f..94beff8dfe3 100644 --- a/pkgs/tools/misc/grub/trusted.nix +++ b/pkgs/tools/misc/grub/trusted.nix @@ -90,10 +90,6 @@ stdenv.mkDerivation rec { doCheck = false; enableParallelBuilding = true; - postInstall = '' - paxmark pms $out/sbin/grub-{probe,bios-setup} - ''; - meta = with stdenv.lib; { description = "GRUB 2.0 extended with TCG (TPM) support for integrity measured boot process (trusted boot)"; homepage = https://github.com/Sirrix-AG/TrustedGRUB2; |