From c6ccc96397e8df77aff2c73d3457c1ecb99d3f8e Mon Sep 17 00:00:00 2001 From: Joachim Fasting Date: Sat, 23 Jul 2016 16:09:48 +0200 Subject: nixpkgs manual: document the paxctl setup-hook --- doc/stdenv.xml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'doc') diff --git a/doc/stdenv.xml b/doc/stdenv.xml index b075e0219a5..ee01dcf01df 100644 --- a/doc/stdenv.xml +++ b/doc/stdenv.xml @@ -1319,6 +1319,25 @@ someVar=$(stripHash $name; echo $strippedName) GST_PLUGIN_SYSTEM_PATH environment variable. + + paxctl + Defines the paxmark helper for + setting per-executable PaX flags on Linux (where it is available by + default; on all other platforms, paxmark is a no-op). + For example, to disable secure memory protections on the executable + foo: + + postFixup = '' + paxmark m $out/bin/foo + ''; + + The m flag is the most common flag and is typically + required for applications that employ JIT compilation or otherwise need to + execute code generated at run-time. Disabling PaX protections should be + considered a last resort: if possible, problematic features should be + disabled or patched to work with PaX. + + -- cgit 1.4.1
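Review bot: The new paxctl entry says the example will "disable secure memory protections" on foo, but neither that sentence nor the following one about the m flag states which protection m actually turns off, so a reader cannot judge what is lost when they copy the `paxmark m $out/bin/foo` line. Name the specific restriction that m relaxes in the sentence introducing the example. Since the text calls m "the most common flag", either list the other flags paxmark accepts or point to where they are documented. The parenthetical "where it is available by default" is also ambiguous: it does not say whether "it" is the paxmark helper or PaX itself, nor what happens on a Linux system whose kernel has no PaX support. The closing "last resort" advice is good. It would be more useful if it also told packagers to apply the mark only to the one executable that needs it, as the example does, rather than to everything under $out/bin.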