diff --git a/doc/stdenv.xml b/doc/stdenv.xml
index 1c18fab8669..564471bbbbc 100644
--- a/doc/stdenv.xml
+++ b/doc/stdenv.xml
@@ -2433,30 +2433,6 @@ addEnvHooks "$hostOffset" myBashFunction
-
-
- paxctl
-
-
-
- Defines the paxmark helper for setting per-executable
- PaX flags on Linux (where it is available by default; on all other
- platforms, paxmark is a no-op). For example, to
- disable secure memory protections on the executable
- foo
-
- postFixup = ''
- paxmark m $out/bin/foo
- '';
-
- The m flag is the most common flag and is typically
- required for applications that employ JIT compilation or otherwise need
- to execute code generated at run-time. Disabling PaX protections should
- be considered a last resort: if possible, problematic features should be
- disabled or patched to work with PaX.
-
-
-
autoPatchelfHook
diff --git a/pkgs/applications/altcoins/parity-ui/default.nix b/pkgs/applications/altcoins/parity-ui/default.nix
index ec2e571e3f0..c59b2ccb8ac 100644
--- a/pkgs/applications/altcoins/parity-ui/default.nix
+++ b/pkgs/applications/altcoins/parity-ui/default.nix
@@ -34,8 +34,6 @@ in stdenv.mkDerivation rec {
find $out/share/parity-ui -name "*.node" -exec patchelf --set-rpath "${uiEnv.libPath}:$out/share/parity-ui" {} \;
- paxmark m $out/share/parity-ui/parity-ui
-
mkdir -p $out/bin
ln -s $out/share/parity-ui/parity-ui $out/bin/parity-ui
'';
diff --git a/pkgs/applications/editors/atom/default.nix b/pkgs/applications/editors/atom/default.nix
index 710c3ca335a..13dc9e1285b 100644
--- a/pkgs/applications/editors/atom/default.nix
+++ b/pkgs/applications/editors/atom/default.nix
@@ -70,9 +70,6 @@ let
ln -s ${pkgs.git}/bin/git $dugite/git/libexec/git-core/git
find $share -name "*.node" -exec patchelf --set-rpath "${atomEnv.libPath}:$share" {} \;
-
- paxmark m $share/atom
- paxmark m $share/resources/app/apm/bin/node
'';
meta = with stdenv.lib; {
diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix
index bcf6df7417f..0c199dab6bc 100644
--- a/pkgs/applications/networking/browsers/chromium/common.nix
+++ b/pkgs/applications/networking/browsers/chromium/common.nix
@@ -282,8 +282,6 @@ let
MENUNAME="Chromium"
process_template chrome/app/resources/manpage.1.in "${buildPath}/chrome.1"
)
- '' + optionalString (target == "mksnapshot" || target == "chrome") ''
- paxmark m "${buildPath}/${target}"
'';
targets = extraAttrs.buildTargets or [];
commands = map buildCommand targets;
diff --git a/pkgs/applications/networking/browsers/firefox/common.nix b/pkgs/applications/networking/browsers/firefox/common.nix
index 2a2f71d419f..8f135614f4d 100644
--- a/pkgs/applications/networking/browsers/firefox/common.nix
+++ b/pkgs/applications/networking/browsers/firefox/common.nix
@@ -263,20 +263,12 @@ stdenv.mkDerivation rec {
enableParallelBuilding = true;
doCheck = false; # "--disable-tests" above
- preInstall = ''
- # The following is needed for startup cache creation on grsecurity kernels.
- paxmark m dist/bin/xpcshell
- '';
-
installPhase = if stdenv.isDarwin then ''
mkdir -p $out/Applications
cp -LR dist/Firefox.app $out/Applications
'' else null;
postInstall = lib.optionalString stdenv.isLinux ''
- # For grsecurity kernels
- paxmark m $out/lib/firefox*/{firefox,firefox-bin,plugin-container}
-
# Remove SDK cruft. FIXME: move to a separate output?
rm -rf $out/share/idl $out/include $out/lib/firefox-devel-*
diff --git a/pkgs/applications/networking/instant-messengers/discord/default.nix b/pkgs/applications/networking/instant-messengers/discord/default.nix
index 09ead9b3de6..4b1af80d624 100644
--- a/pkgs/applications/networking/instant-messengers/discord/default.nix
+++ b/pkgs/applications/networking/instant-messengers/discord/default.nix
@@ -32,8 +32,6 @@ stdenv.mkDerivation rec {
patchelf --set-interpreter ${stdenv.cc.bintools.dynamicLinker} \
$out/opt/discord/Discord
- paxmark m $out/opt/discord/Discord
-
wrapProgram $out/opt/discord/Discord --prefix LD_LIBRARY_PATH : ${libPath}
ln -s $out/opt/discord/Discord $out/bin/
diff --git a/pkgs/applications/networking/instant-messengers/franz/default.nix b/pkgs/applications/networking/instant-messengers/franz/default.nix
index 2f3870d7899..4b8670f23d4 100644
--- a/pkgs/applications/networking/instant-messengers/franz/default.nix
+++ b/pkgs/applications/networking/instant-messengers/franz/default.nix
@@ -54,7 +54,6 @@ in stdenv.mkDerivation rec {
'';
postFixup = ''
- paxmark m $out/opt/franz/Franz
wrapProgram $out/opt/franz/Franz --prefix PATH : ${xdg_utils}/bin
'';
diff --git a/pkgs/applications/networking/instant-messengers/wavebox/default.nix b/pkgs/applications/networking/instant-messengers/wavebox/default.nix
index b85e9d3d4cb..d7d882564e7 100644
--- a/pkgs/applications/networking/instant-messengers/wavebox/default.nix
+++ b/pkgs/applications/networking/instant-messengers/wavebox/default.nix
@@ -52,7 +52,6 @@ in stdenv.mkDerivation rec {
'';
postFixup = ''
- paxmark m $out/opt/wavebox/Wavebox
makeWrapper $out/opt/wavebox/Wavebox $out/bin/wavebox \
--prefix PATH : ${xdg_utils}/bin
'';
diff --git a/pkgs/applications/networking/mailreaders/thunderbird/default.nix b/pkgs/applications/networking/mailreaders/thunderbird/default.nix
index c048c2938a9..b53c7b910f6 100644
--- a/pkgs/applications/networking/mailreaders/thunderbird/default.nix
+++ b/pkgs/applications/networking/mailreaders/thunderbird/default.nix
@@ -100,7 +100,7 @@ in stdenv.mkDerivation rec {
''
cxxLib=$( echo -n ${gcc}/include/c++/* )
archLib=$cxxLib/$( ${gcc}/bin/gcc -dumpmachine )
-
+
test -f layout/style/ServoBindings.toml && sed -i -e '/"-DRUST_BINDGEN"/ a , "-cxx-isystem", "'$cxxLib'", "-isystem", "'$archLib'"' layout/style/ServoBindings.toml
configureScript="$(realpath ./configure)"
@@ -108,18 +108,9 @@ in stdenv.mkDerivation rec {
cd ../objdir
'';
- preInstall =
- ''
- # The following is needed for startup cache creation on grsecurity kernels.
- paxmark m ../objdir/dist/bin/xpcshell
- '';
-
dontWrapGApps = true; # we do it ourselves
postInstall =
''
- # For grsecurity kernels
- paxmark m $out/lib/thunderbird/thunderbird
-
# TODO: Move to a dev output?
rm -rf $out/include $out/lib/thunderbird-devel-* $out/share/idl
diff --git a/pkgs/applications/office/mendeley/default.nix b/pkgs/applications/office/mendeley/default.nix
index aa9317d2ffd..9c4c22dabe9 100644
--- a/pkgs/applications/office/mendeley/default.nix
+++ b/pkgs/applications/office/mendeley/default.nix
@@ -112,7 +112,6 @@ stdenv.mkDerivation {
patchelf --set-interpreter $interpreter \
--set-rpath ${stdenv.lib.makeLibraryPath deps}:$out/lib \
$out/bin/mendeleydesktop
- paxmark m $out/bin/mendeleydesktop
wrapProgram $out/bin/mendeleydesktop \
--add-flags "--unix-distro-build" \
diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix
index 1cd85cead12..49ddab1d6d2 100644
--- a/pkgs/applications/virtualization/qemu/default.nix
+++ b/pkgs/applications/virtualization/qemu/default.nix
@@ -125,9 +125,6 @@ stdenv.mkDerivation rec {
postFixup =
''
- for exe in $out/bin/qemu-system-* ; do
- paxmark m $exe
- done
# copy qemu-ga (guest agent) to separate output
mkdir -p $ga/bin
cp $out/bin/qemu-ga $ga/bin/
diff --git a/pkgs/development/compilers/adoptopenjdk-bin/jdk-linux-base.nix b/pkgs/development/compilers/adoptopenjdk-bin/jdk-linux-base.nix
index eb614b0784f..531cf3a8051 100644
--- a/pkgs/development/compilers/adoptopenjdk-bin/jdk-linux-base.nix
+++ b/pkgs/development/compilers/adoptopenjdk-bin/jdk-linux-base.nix
@@ -61,14 +61,6 @@ let result = stdenv.mkDerivation rec {
installPhase = ''
cd ..
- # Set PaX markings
- exes=$(file $sourceRoot/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
- for file in $exes; do
- paxmark m "$file"
- # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
- ${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''}
- done
-
mv $sourceRoot $out
rm -rf $out/demo
diff --git a/pkgs/development/compilers/gcc/builder.sh b/pkgs/development/compilers/gcc/builder.sh
index 75e70006d74..07a003691d6 100644
--- a/pkgs/development/compilers/gcc/builder.sh
+++ b/pkgs/development/compilers/gcc/builder.sh
@@ -282,11 +282,6 @@ postInstall() {
fi
done
- # Disable RANDMMAP on grsec, which causes segfaults when using
- # precompiled headers.
- # See https://bugs.gentoo.org/show_bug.cgi?id=301299#c31
- paxmark r $out/libexec/gcc/*/*/{cc1,cc1plus}
-
# Two identical man pages are shipped (moving and compressing is done later)
ln -sf gcc.1 "$out"/share/man/man1/g++.1
}
diff --git a/pkgs/development/compilers/ghc/8.2.2-binary.nix b/pkgs/development/compilers/ghc/8.2.2-binary.nix
index 039eea744f3..f52d8fd4a11 100644
--- a/pkgs/development/compilers/ghc/8.2.2-binary.nix
+++ b/pkgs/development/compilers/ghc/8.2.2-binary.nix
@@ -105,8 +105,6 @@ stdenv.mkDerivation rec {
--replace-needed libtinfo.so libtinfo.so.5 \
--interpreter ${glibcDynLinker} {} \;
- paxmark m ./ghc-${version}/ghc/stage2/build/tmp/ghc-stage2
-
sed -i "s|/usr/bin/perl|perl\x00 |" ghc-${version}/ghc/stage2/build/tmp/ghc-stage2
sed -i "s|/usr/bin/gcc|gcc\x00 |" ghc-${version}/ghc/stage2/build/tmp/ghc-stage2
'';
diff --git a/pkgs/development/compilers/ghc/8.2.2.nix b/pkgs/development/compilers/ghc/8.2.2.nix
index 3b9fecd55e1..3e355dc302d 100644
--- a/pkgs/development/compilers/ghc/8.2.2.nix
+++ b/pkgs/development/compilers/ghc/8.2.2.nix
@@ -238,11 +238,6 @@ stdenv.mkDerivation (rec {
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
postInstall = ''
- for bin in "$out"/lib/${name}/bin/*; do
- isELF "$bin" || continue
- paxmark m "$bin"
- done
-
# Install the bash completion file.
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
diff --git a/pkgs/development/compilers/ghc/8.4.4.nix b/pkgs/development/compilers/ghc/8.4.4.nix
index 4db5c07b460..c5fe3c925f0 100644
--- a/pkgs/development/compilers/ghc/8.4.4.nix
+++ b/pkgs/development/compilers/ghc/8.4.4.nix
@@ -214,11 +214,6 @@ stdenv.mkDerivation (rec {
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
postInstall = ''
- for bin in "$out"/lib/${name}/bin/*; do
- isELF "$bin" || continue
- paxmark m "$bin"
- done
-
# Install the bash completion file.
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
diff --git a/pkgs/development/compilers/ghc/8.6.1.nix b/pkgs/development/compilers/ghc/8.6.1.nix
index 5710c60338a..b54164ccc69 100644
--- a/pkgs/development/compilers/ghc/8.6.1.nix
+++ b/pkgs/development/compilers/ghc/8.6.1.nix
@@ -195,11 +195,6 @@ stdenv.mkDerivation (rec {
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
postInstall = ''
- for bin in "$out"/lib/${name}/bin/*; do
- isELF "$bin" || continue
- paxmark m "$bin"
- done
-
# Install the bash completion file.
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
diff --git a/pkgs/development/compilers/ghc/8.6.2.nix b/pkgs/development/compilers/ghc/8.6.2.nix
index 914d6ae08fa..07d4420804d 100644
--- a/pkgs/development/compilers/ghc/8.6.2.nix
+++ b/pkgs/development/compilers/ghc/8.6.2.nix
@@ -195,11 +195,6 @@ stdenv.mkDerivation (rec {
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
postInstall = ''
- for bin in "$out"/lib/${name}/bin/*; do
- isELF "$bin" || continue
- paxmark m "$bin"
- done
-
# Install the bash completion file.
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
diff --git a/pkgs/development/compilers/ghc/8.6.3.nix b/pkgs/development/compilers/ghc/8.6.3.nix
index b29b7facd1f..4e1f0dd9fc7 100644
--- a/pkgs/development/compilers/ghc/8.6.3.nix
+++ b/pkgs/development/compilers/ghc/8.6.3.nix
@@ -192,11 +192,6 @@ stdenv.mkDerivation (rec {
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
postInstall = ''
- for bin in "$out"/lib/${name}/bin/*; do
- isELF "$bin" || continue
- paxmark m "$bin"
- done
-
# Install the bash completion file.
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
diff --git a/pkgs/development/compilers/ghc/head.nix b/pkgs/development/compilers/ghc/head.nix
index 42119682892..65a4a0c4ecd 100644
--- a/pkgs/development/compilers/ghc/head.nix
+++ b/pkgs/development/compilers/ghc/head.nix
@@ -177,11 +177,6 @@ stdenv.mkDerivation (rec {
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
postInstall = ''
- for bin in "$out"/lib/${name}/bin/*; do
- isELF "$bin" || continue
- paxmark m "$bin"
- done
-
# Install the bash completion file.
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
diff --git a/pkgs/development/compilers/jetbrains-jdk/default.nix b/pkgs/development/compilers/jetbrains-jdk/default.nix
index 39fab8b25d8..876e474bed9 100644
--- a/pkgs/development/compilers/jetbrains-jdk/default.nix
+++ b/pkgs/development/compilers/jetbrains-jdk/default.nix
@@ -25,11 +25,6 @@ let drv = stdenv.mkDerivation rec {
installPhase = ''
cd ..
- exes=$(file $sourceRoot/bin/* $sourceRoot/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
- for file in $exes; do
- paxmark m "$file"
- done
-
mv $sourceRoot $out
jrePath=$out/jre
'';
diff --git a/pkgs/development/compilers/julia/0004-hardened.patch b/pkgs/development/compilers/julia/0004-hardened.patch
deleted file mode 100644
index 901f967c9d5..00000000000
--- a/pkgs/development/compilers/julia/0004-hardened.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From eddb251a00ace6e63e32e7dcb9e1ec632cac14e0 Mon Sep 17 00:00:00 2001
-From: Will Dietz
-Date: Wed, 1 Feb 2017 06:09:49 -0600
-Subject: [PATCH] Set pax flags on julia binaries to disable memory protection.
-
----
- Makefile | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/Makefile b/Makefile
-index 0e28cc87b..aab8cfa8d 100644
---- a/Makefile
-+++ b/Makefile
-@@ -91,6 +91,8 @@ julia-src-release julia-src-debug : julia-src-% : julia-deps julia_flisp.boot.in
-
- julia-ui-release julia-ui-debug : julia-ui-% : julia-src-%
- @$(MAKE) $(QUIET_MAKE) -C $(BUILDROOT)/ui julia-$*
-+ @echo "setting PaX flags on $(JULIA_EXECUTABLE_$*)"
-+ @paxctl -czexm $(JULIA_EXECUTABLE_$*)
-
- julia-inference : julia-base julia-ui-$(JULIA_BUILD_MODE) $(build_prefix)/.examples
- @$(MAKE) $(QUIET_MAKE) -C $(BUILDROOT) $(build_private_libdir)/inference.ji JULIA_BUILD_MODE=$(JULIA_BUILD_MODE)
---
-2.11.0
-
diff --git a/pkgs/development/compilers/julia/default.nix b/pkgs/development/compilers/julia/default.nix
index 086570f5ce2..4c0b1359bd8 100644
--- a/pkgs/development/compilers/julia/default.nix
+++ b/pkgs/development/compilers/julia/default.nix
@@ -1,6 +1,6 @@
{ stdenv, fetchurl, fetchzip
# build tools
-, gfortran, m4, makeWrapper, patchelf, perl, which, python2, paxctl
+, gfortran, m4, makeWrapper, patchelf, perl, which, python2
# libjulia dependencies
, libunwind, readline, utf8proc, zlib
, llvm
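Review bot: Dropping `paxctl` from the argument set on the `gfortran, m4, makeWrapper, …` line changes this derivation's override interface. If the set does not end in `...` (its closing brace is outside this hunk, so this is unconfirmed), an out-of-tree `julia.override { paxctl = …; }` will now fail at evaluation with an unexpected-argument error rather than being silently ignored. The same applies to the identical edit in `julia/shared.nix` and to the `, paxctl` removal in `swift/default.nix`. Rather than keeping a dead argument, I would add a release-notes line such as `The paxctl argument of julia and swift has been removed; drop it from any overrides.` so downstream users can identify the cause.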
@@ -75,7 +75,7 @@ stdenv.mkDerivation rec {
patches = [
./0001.1-use-system-utf8proc.patch
./0002-use-system-suitesparse.patch
- ] ++ stdenv.lib.optional stdenv.needsPax ./0004-hardened.patch;
+ ];
postPatch = ''
patchShebangs . contrib
@@ -96,8 +96,7 @@ stdenv.mkDerivation rec {
++ stdenv.lib.optionals stdenv.isDarwin [CoreServices ApplicationServices]
;
- nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ]
- ++ stdenv.lib.optional stdenv.needsPax paxctl;
+ nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ];
makeFlags =
let
diff --git a/pkgs/development/compilers/julia/shared.nix b/pkgs/development/compilers/julia/shared.nix
index 70ff40cd7ec..95b45adcc6f 100644
--- a/pkgs/development/compilers/julia/shared.nix
+++ b/pkgs/development/compilers/julia/shared.nix
@@ -5,7 +5,7 @@
}:
{ stdenv, fetchurl, fetchzip
# build tools
-, gfortran, m4, makeWrapper, patchelf, perl, which, python2, paxctl
+, gfortran, m4, makeWrapper, patchelf, perl, which, python2
, llvm, cmake
# libjulia dependencies
, libunwind, readline, utf8proc, zlib
@@ -95,7 +95,7 @@ stdenv.mkDerivation rec {
patches = [
./0001.1-use-system-utf8proc.patch
- ] ++ stdenv.lib.optional stdenv.needsPax ./0004-hardened.patch;
+ ];
postPatch = ''
patchShebangs . contrib
@@ -117,8 +117,7 @@ stdenv.mkDerivation rec {
++ stdenv.lib.optionals stdenv.isDarwin [CoreServices ApplicationServices]
;
- nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ]
- ++ stdenv.lib.optional stdenv.needsPax paxctl;
+ nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ];
makeFlags =
let
diff --git a/pkgs/development/compilers/llvm/3.5/llvm.nix b/pkgs/development/compilers/llvm/3.5/llvm.nix
index 388da007d33..2645469767a 100644
--- a/pkgs/development/compilers/llvm/3.5/llvm.nix
+++ b/pkgs/development/compilers/llvm/3.5/llvm.nix
@@ -81,12 +81,6 @@ in stdenv.mkDerivation rec {
postBuild = ''
rm -fR $out
-
- paxmark m bin/{lli,llvm-rtdyld}
-
- paxmark m unittests/ExecutionEngine/JIT/JITTests
- paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
- paxmark m unittests/Support/SupportTests
'';
enableParallelBuilding = true;
diff --git a/pkgs/development/compilers/llvm/3.7/llvm.nix b/pkgs/development/compilers/llvm/3.7/llvm.nix
index e540469c627..a6fd18f94d6 100644
--- a/pkgs/development/compilers/llvm/3.7/llvm.nix
+++ b/pkgs/development/compilers/llvm/3.7/llvm.nix
@@ -89,8 +89,6 @@ in stdenv.mkDerivation rec {
postBuild = ''
rm -fR $out
-
- paxmark m bin/{lli,llvm-rtdyld}
'';
enableParallelBuilding = true;
diff --git a/pkgs/development/compilers/llvm/3.8/llvm.nix b/pkgs/development/compilers/llvm/3.8/llvm.nix
index c246bfe496e..fcb4214a1de 100644
--- a/pkgs/development/compilers/llvm/3.8/llvm.nix
+++ b/pkgs/development/compilers/llvm/3.8/llvm.nix
@@ -97,8 +97,6 @@ in stdenv.mkDerivation rec {
postBuild = ''
rm -fR $out
-
- paxmark m bin/{lli,llvm-rtdyld}
'';
postInstall = stdenv.lib.optionalString (stdenv.isDarwin && enableSharedLibraries) ''
diff --git a/pkgs/development/compilers/llvm/3.9/llvm.nix b/pkgs/development/compilers/llvm/3.9/llvm.nix
index 3cc1a4d6cce..00c56e49e37 100644
--- a/pkgs/development/compilers/llvm/3.9/llvm.nix
+++ b/pkgs/development/compilers/llvm/3.9/llvm.nix
@@ -141,8 +141,6 @@ in stdenv.mkDerivation rec {
postBuild = ''
rm -fR $out
-
- paxmark m bin/{lli,llvm-rtdyld}
'';
postInstall = ""
diff --git a/pkgs/development/compilers/llvm/4/llvm.nix b/pkgs/development/compilers/llvm/4/llvm.nix
index 7d93fec6a12..aac9c4275ad 100644
--- a/pkgs/development/compilers/llvm/4/llvm.nix
+++ b/pkgs/development/compilers/llvm/4/llvm.nix
@@ -121,12 +121,6 @@ in stdenv.mkDerivation (rec {
postBuild = ''
rm -fR $out
-
- paxmark m bin/{lli,llvm-rtdyld}
- paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
- paxmark m unittests/ExecutionEngine/Orc/OrcJITTests
- paxmark m unittests/Support/SupportTests
- paxmark m bin/lli-child-target
'';
preCheck = ''
diff --git a/pkgs/development/compilers/llvm/5/llvm.nix b/pkgs/development/compilers/llvm/5/llvm.nix
index 5277205f880..9e181a1202b 100644
--- a/pkgs/development/compilers/llvm/5/llvm.nix
+++ b/pkgs/development/compilers/llvm/5/llvm.nix
@@ -98,12 +98,6 @@ in stdenv.mkDerivation (rec {
postBuild = ''
rm -fR $out
-
- paxmark m bin/{lli,llvm-rtdyld}
- paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
- paxmark m unittests/ExecutionEngine/Orc/OrcJITTests
- paxmark m unittests/Support/SupportTests
- paxmark m bin/lli-child-target
'';
preCheck = ''
diff --git a/pkgs/development/compilers/llvm/6/llvm.nix b/pkgs/development/compilers/llvm/6/llvm.nix
index 192439b019b..328f95f11b3 100644
--- a/pkgs/development/compilers/llvm/6/llvm.nix
+++ b/pkgs/development/compilers/llvm/6/llvm.nix
@@ -115,12 +115,6 @@ in stdenv.mkDerivation (rec {
postBuild = ''
rm -fR $out
-
- paxmark m bin/{lli,llvm-rtdyld}
- paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
- paxmark m unittests/ExecutionEngine/Orc/OrcJITTests
- paxmark m unittests/Support/SupportTests
- paxmark m bin/lli-child-target
'';
preCheck = ''
diff --git a/pkgs/development/compilers/llvm/7/llvm.nix b/pkgs/development/compilers/llvm/7/llvm.nix
index d085f3af0ea..2ef6b147214 100644
--- a/pkgs/development/compilers/llvm/7/llvm.nix
+++ b/pkgs/development/compilers/llvm/7/llvm.nix
@@ -110,12 +110,6 @@ in stdenv.mkDerivation (rec {
postBuild = ''
rm -fR $out
-
- paxmark m bin/{lli,llvm-rtdyld}
- paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
- paxmark m unittests/ExecutionEngine/Orc/OrcJITTests
- paxmark m unittests/Support/SupportTests
- paxmark m bin/lli-child-target
'';
preCheck = ''
diff --git a/pkgs/development/compilers/openjdk/11.nix b/pkgs/development/compilers/openjdk/11.nix
index 42208ecf8d9..a389f0f5ca1 100644
--- a/pkgs/development/compilers/openjdk/11.nix
+++ b/pkgs/development/compilers/openjdk/11.nix
@@ -21,7 +21,6 @@ let
update = ".0.1";
build = "13";
repover = "jdk-${major}${update}+${build}";
- paxflags = if stdenv.isi686 then "msp" else "m";
openjdk = stdenv.mkDerivation {
name = "openjdk-${major}${update}-b${build}";
@@ -106,14 +105,6 @@ let
rm $out/lib/openjdk/lib/{libjsound,libfontmanager}.so
''}
- # Set PaX markings
- exes=$(file $out/lib/openjdk/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
- echo "to mark: *$exes*"
- for file in $exes; do
- echo "marking *$file*"
- paxmark ${paxflags} "$file"
- done
-
ln -s $out/lib/openjdk/bin $out/bin
'';
diff --git a/pkgs/development/compilers/openjdk/8.nix b/pkgs/development/compilers/openjdk/8.nix
index d26627ff5b9..19b16921e32 100644
--- a/pkgs/development/compilers/openjdk/8.nix
+++ b/pkgs/development/compilers/openjdk/8.nix
@@ -25,7 +25,6 @@ let
build = "26";
baseurl = "http://hg.openjdk.java.net/jdk8u/jdk8u";
repover = "jdk8u${update}-b${build}";
- paxflags = if stdenv.isi686 then "msp" else "m";
jdk8 = fetchurl {
url = "${baseurl}/archive/${repover}.tar.gz";
sha256 = "1hx5sfsglc101aqs9n7cz7rh447d6rxfxkbw03crvzbvy9n6ag2d";
@@ -176,14 +175,6 @@ let
rm -rf $out/lib/openjdk/jre/lib/cmm
ln -s {$jre,$out}/lib/openjdk/jre/lib/cmm
- # Set PaX markings
- exes=$(file $out/lib/openjdk/bin/* $jre/lib/openjdk/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
- echo "to mark: *$exes*"
- for file in $exes; do
- echo "marking *$file*"
- paxmark ${paxflags} "$file"
- done
-
# Remove duplicate binaries.
for i in $(cd $out/lib/openjdk/bin && echo *); do
if [ "$i" = java ]; then continue; fi
diff --git a/pkgs/development/compilers/openjdk/bootstrap.nix b/pkgs/development/compilers/openjdk/bootstrap.nix
index 1b20ca6cc60..e58888cc9ed 100644
--- a/pkgs/development/compilers/openjdk/bootstrap.nix
+++ b/pkgs/development/compilers/openjdk/bootstrap.nix
@@ -36,13 +36,5 @@ let
patchelf --set-interpreter $(cat "${stdenv.cc}/nix-support/dynamic-linker") "$elf" || true
patchelf --set-rpath "${stdenv.cc.libc}/lib:${stdenv.cc.cc.lib}/lib:${zlib}/lib:$LIBDIRS" "$elf" || true
done
-
- # Temporarily, while NixOS's OpenJDK bootstrap tarball doesn't have PaX markings:
- find "$out/bin" -type f -print0 | while IFS= read -r -d "" elf; do
- isELF "$elf" || continue
- paxmark m "$elf"
- # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
- ${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$elf"''}
- done
'';
in bootstrap
diff --git a/pkgs/development/compilers/oraclejdk/jdk-linux-base.nix b/pkgs/development/compilers/oraclejdk/jdk-linux-base.nix
index 5d55e0554e5..8e04b776ed8 100644
--- a/pkgs/development/compilers/oraclejdk/jdk-linux-base.nix
+++ b/pkgs/development/compilers/oraclejdk/jdk-linux-base.nix
@@ -93,14 +93,6 @@ let result = stdenv.mkDerivation rec {
installPhase = ''
cd ..
- # Set PaX markings
- exes=$(file $sourceRoot/bin/* $sourceRoot/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
- for file in $exes; do
- paxmark m "$file" || true
- # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
- ${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''}
- done
-
if test -z "$installjdk"; then
mv $sourceRoot/jre $out
else
diff --git a/pkgs/development/compilers/swift/default.nix b/pkgs/development/compilers/swift/default.nix
index bbfa1be8f92..02b100fe613 100644
--- a/pkgs/development/compilers/swift/default.nix
+++ b/pkgs/development/compilers/swift/default.nix
@@ -27,7 +27,6 @@
, git
, libgit2
, fetchFromGitHub
-, paxctl
, findutils
, makeWrapper
, gnumake
@@ -150,7 +149,7 @@ stdenv.mkDerivation rec {
findutils
makeWrapper
gnumake
- ] ++ stdenv.lib.optional stdenv.needsPax paxctl;
+ ];
# TODO: Revisit what's propagated and how
propagatedBuildInputs = [
@@ -218,9 +217,6 @@ stdenv.mkDerivation rec {
substituteInPlace swift/utils/build-script-impl \
--replace '/usr/include/c++' "${clang.cc.gcc}/include/c++"
patch -p1 -d swift -i ${./patches/glibc-arch-headers.patch}
- '' + stdenv.lib.optionalString stdenv.needsPax ''
- patch -p1 -d swift -i ${./patches/build-script-pax.patch}
- '' + ''
patch -p1 -d swift -i ${./patches/0001-build-presets-linux-don-t-require-using-Ninja.patch}
patch -p1 -d swift -i ${./patches/0002-build-presets-linux-allow-custom-install-prefix.patch}
patch -p1 -d swift -i ${./patches/0004-build-presets-linux-plumb-extra-cmake-options.patch}
@@ -266,9 +262,6 @@ stdenv.mkDerivation rec {
tar xf $INSTALLABLE_PACKAGE -C $out --strip-components=3 $PREFIX
find $out -type d -empty -delete
- paxmark pmr $out/bin/swift
- paxmark pmr $out/bin/*
-
# TODO: Use wrappers to get these on the PATH for swift tools, instead
ln -s ${clang}/bin/* $out/bin/
ln -s ${targetPackages.stdenv.cc.bintools.bintools_bin}/bin/ar $out/bin/ar
diff --git a/pkgs/development/compilers/swift/patches/build-script-pax.patch b/pkgs/development/compilers/swift/patches/build-script-pax.patch
deleted file mode 100644
index 1f47bf8ee04..00000000000
--- a/pkgs/development/compilers/swift/patches/build-script-pax.patch
+++ /dev/null
@@ -1,33 +0,0 @@
---- swift/utils/build-script-impl 2017-01-23 12:47:20.401326309 -0600
-+++ swift-pax/utils/build-script-impl 2017-01-23 13:24:10.339366996 -0600
-@@ -1837,6 +1837,17 @@ function set_lldb_xcodebuild_options() {
- fi
- }
-
-+## XXX: Taken from nixpkgs /pkgs/stdenv/generic/setup.sh
-+isELF() {
-+ local fn="$1"
-+ local fd
-+ local magic
-+ exec {fd}< "$fn"
-+ read -n 4 -u $fd magic
-+ exec {fd}<&-
-+ if [[ "$magic" =~ ELF ]]; then return 0; else return 1; fi
-+}
-+
- #
- # Configure and build each product
- #
-@@ -2735,6 +2746,12 @@ for host in "${ALL_HOSTS[@]}"; do
- fi
-
- call "${CMAKE_BUILD[@]}" "${build_dir}" $(cmake_config_opt ${product}) -- "${BUILD_ARGS[@]}" ${build_targets[@]}
-+
-+ while IFS= read -r -d $'\0' i; do
-+ if ! isELF "$i"; then continue; fi
-+ echo "setting pax flags on $i"
-+ paxctl -czexm "$i" || true
-+ done < <(find "${build_dir}" -executable -type f -wholename "*/bin/*" -print0)
- fi
- done
- done
diff --git a/pkgs/development/compilers/terra/default.nix b/pkgs/development/compilers/terra/default.nix
index 98795f96ffa..80d04080aac 100644
--- a/pkgs/development/compilers/terra/default.nix
+++ b/pkgs/development/compilers/terra/default.nix
@@ -51,10 +51,6 @@ stdenv.mkDerivation rec {
''
;
- postFixup = ''
- paxmark m $bin/bin/terra
- '';
-
buildInputs = with llvmPackages; [ lua llvm clang-unwrapped ncurses ];
meta = with stdenv.lib; {
diff --git a/pkgs/development/compilers/tinycc/default.nix b/pkgs/development/compilers/tinycc/default.nix
index da706d502e6..a5c3db65857 100644
--- a/pkgs/development/compilers/tinycc/default.nix
+++ b/pkgs/development/compilers/tinycc/default.nix
@@ -33,10 +33,6 @@ stdenv.mkDerivation rec {
doCheck = true;
checkTarget = "test";
- postFixup = ''
- paxmark m $out/bin/tcc
- '';
-
meta = {
description = "Small, fast, and embeddable C compiler and interpreter";
diff --git a/pkgs/development/interpreters/python/cpython/2.7/boot.nix b/pkgs/development/interpreters/python/cpython/2.7/boot.nix
index 976d30819db..ccb366903c5 100644
--- a/pkgs/development/interpreters/python/cpython/2.7/boot.nix
+++ b/pkgs/development/interpreters/python/cpython/2.7/boot.nix
@@ -77,8 +77,6 @@ stdenv.mkDerivation rec {
''
ln -s $out/share/man/man1/{python2.7.1.gz,python.1.gz}
- paxmark E $out/bin/python2.7
-
rm "$out"/lib/python*/plat-*/regen # refers to glibc.dev
'';
diff --git a/pkgs/development/interpreters/python/cpython/2.7/default.nix b/pkgs/development/interpreters/python/cpython/2.7/default.nix
index 63dad3bf42f..ff1497a24e4 100644
--- a/pkgs/development/interpreters/python/cpython/2.7/default.nix
+++ b/pkgs/development/interpreters/python/cpython/2.7/default.nix
@@ -229,8 +229,6 @@ in stdenv.mkDerivation ({
ln -s $out/lib/python${majorVersion}/pdb.py $out/bin/pdb${majorVersion}
ln -s $out/share/man/man1/{python2.7.1.gz,python.1.gz}
- paxmark E $out/bin/python${majorVersion}
-
# Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py
diff --git a/pkgs/development/interpreters/python/cpython/3.5/default.nix b/pkgs/development/interpreters/python/cpython/3.5/default.nix
index 92c277aacd4..19e9f3169c7 100644
--- a/pkgs/development/interpreters/python/cpython/3.5/default.nix
+++ b/pkgs/development/interpreters/python/cpython/3.5/default.nix
@@ -143,7 +143,6 @@ in stdenv.mkDerivation {
touch $out/lib/python${majorVersion}/test/__init__.py
ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}"
- paxmark E $out/bin/python${majorVersion}
# Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py
diff --git a/pkgs/development/interpreters/python/cpython/3.6/default.nix b/pkgs/development/interpreters/python/cpython/3.6/default.nix
index 4c9d0c2a896..692f5c263a3 100644
--- a/pkgs/development/interpreters/python/cpython/3.6/default.nix
+++ b/pkgs/development/interpreters/python/cpython/3.6/default.nix
@@ -164,7 +164,6 @@ in stdenv.mkDerivation {
touch $out/lib/python${majorVersion}/test/__init__.py
ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}"
- paxmark E $out/bin/python${majorVersion}
# Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py
diff --git a/pkgs/development/interpreters/python/cpython/3.7/default.nix b/pkgs/development/interpreters/python/cpython/3.7/default.nix
index d1403ba95e4..80d519b109e 100644
--- a/pkgs/development/interpreters/python/cpython/3.7/default.nix
+++ b/pkgs/development/interpreters/python/cpython/3.7/default.nix
@@ -154,7 +154,6 @@ in stdenv.mkDerivation {
touch $out/lib/python${majorVersion}/test/__init__.py
ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}"
- paxmark E $out/bin/python${majorVersion}
# Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py
diff --git a/pkgs/development/interpreters/spidermonkey/1.8.5.nix b/pkgs/development/interpreters/spidermonkey/1.8.5.nix
index 46637195586..9c81b230ada 100644
--- a/pkgs/development/interpreters/spidermonkey/1.8.5.nix
+++ b/pkgs/development/interpreters/spidermonkey/1.8.5.nix
@@ -44,7 +44,7 @@ stdenv.mkDerivation rec {
# so the failure of that test does not matter much.
configureFlags = [ "--enable-threadsafe" "--with-system-nspr" ] ++
stdenv.lib.optionals (stdenv.hostPlatform.system == "armv5tel-linux") [
- "--with-cpu-arch=armv5t"
+ "--with-cpu-arch=armv5t"
"--disable-tracejit" ];
# hack around a make problem, see https://github.com/NixOS/nixpkgs/issues/1279#issuecomment-29547393
@@ -59,9 +59,6 @@ stdenv.mkDerivation rec {
preCheck = ''
rm jit-test/tests/sunspider/check-date-format-tofte.js # https://bugzil.la/600522
-
- paxmark mr shell/js
- paxmark mr jsapi-tests/jsapi-tests
'';
meta = with stdenv.lib; {
diff --git a/pkgs/development/libraries/gstreamer/legacy/gstreamer/default.nix b/pkgs/development/libraries/gstreamer/legacy/gstreamer/default.nix
index d4d4082509e..96c9d8e0c8e 100644
--- a/pkgs/development/libraries/gstreamer/legacy/gstreamer/default.nix
+++ b/pkgs/development/libraries/gstreamer/legacy/gstreamer/default.nix
@@ -36,8 +36,6 @@ stdenv.mkDerivation rec {
postInstall = ''
# Hm, apparently --disable-gtk-doc is ignored...
rm -rf $out/share/gtk-doc
-
- paxmark m $out/bin/gst-launch* $out/libexec/gstreamer-*/gst-plugin-scanner
'';
setupHook = ./setup-hook.sh;
diff --git a/pkgs/development/libraries/polkit/default.nix b/pkgs/development/libraries/polkit/default.nix
index 8093aec6bcc..83f19e442c6 100644
--- a/pkgs/development/libraries/polkit/default.nix
+++ b/pkgs/development/libraries/polkit/default.nix
@@ -72,13 +72,6 @@ stdenv.mkDerivation rec {
makeFlags = "INTROSPECTION_GIRDIR=$(out)/share/gir-1.0 INTROSPECTION_TYPELIBDIR=$(out)/lib/girepository-1.0";
- # The following is required on grsecurity/PaX due to spidermonkey's JIT
- postBuild = stdenv.lib.optionalString stdenv.isLinux ''
- paxmark mr src/polkitbackend/.libs/polkitd
- '' + stdenv.lib.optionalString (stdenv.isLinux && doCheck) ''
- paxmark mr test/polkitbackend/.libs/polkitbackendjsauthoritytest
- '';
-
installFlags=["datadir=$(out)/share" "sysconfdir=$(out)/etc"];
inherit doCheck;
diff --git a/pkgs/development/libraries/qt-5/5.11/default.nix b/pkgs/development/libraries/qt-5/5.11/default.nix
index 6f90f1cea7f..5fbab32acda 100644
--- a/pkgs/development/libraries/qt-5/5.11/default.nix
+++ b/pkgs/development/libraries/qt-5/5.11/default.nix
@@ -61,7 +61,6 @@ let
qtscript = [ ./qtscript.patch ];
qtserialport = [ ./qtserialport.patch ];
qttools = [ ./qttools.patch ];
- qtwebengine = optional stdenv.needsPax ./qtwebengine-paxmark-mksnapshot.patch;
qtwebkit = [ ./qtwebkit.patch ];
};
diff --git a/pkgs/development/libraries/qt-5/5.11/qtwebengine-paxmark-mksnapshot.patch b/pkgs/development/libraries/qt-5/5.11/qtwebengine-paxmark-mksnapshot.patch
deleted file mode 100644
index e1621b005c6..00000000000
--- a/pkgs/development/libraries/qt-5/5.11/qtwebengine-paxmark-mksnapshot.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-diff --git a/src/3rdparty/chromium/v8/src/v8.gyp b/chromium/v8/src/v8.gyp
-index e7e19f5059..934448c7d8 100644
---- a/src/3rdparty/chromium/v8/src/v8.gyp
-+++ b/src/3rdparty/chromium/v8/src/v8.gyp
-@@ -35,6 +35,7 @@
- 'v8_extra_library_files%': [],
- 'v8_experimental_extra_library_files%': [],
- 'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)',
-+ 'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)',
- 'v8_os_page_size%': 0,
- },
- 'includes': ['../gypfiles/toolchain.gypi', '../gypfiles/features.gypi', 'inspector/inspector.gypi'],
-@@ -2576,7 +2577,7 @@
- ]
- },
- {
-- 'target_name': 'mksnapshot',
-+ 'target_name': 'mksnapshot_u',
- 'type': 'executable',
- 'dependencies': [
- 'v8_base',
-@@ -2606,5 +2607,26 @@
- }],
- ],
- },
-+ {
-+ 'target_name': 'mksnapshot',
-+ 'type': 'executable',
-+ 'dependencies': ['mksnapshot_u'],
-+ 'actions': [
-+ {
-+ 'action_name': 'paxmark_m_mksnapshot',
-+ 'inputs': [
-+ '<(mksnapshot_u_exec)',
-+ ],
-+ 'outputs': [
-+ '<(mksnapshot_exec)',
-+ ],
-+ 'action': [
-+ 'sh',
-+ '-c',
-+ 'cp <(mksnapshot_u_exec) <(mksnapshot_exec) && paxctl -czexm <(mksnapshot_exec)',
-+ ],
-+ },
-+ ],
-+ },
- ],
- }
diff --git a/pkgs/development/libraries/qt-5/5.6/default.nix b/pkgs/development/libraries/qt-5/5.6/default.nix
index e815cc8f70f..9391999f1e9 100644
--- a/pkgs/development/libraries/qt-5/5.6/default.nix
+++ b/pkgs/development/libraries/qt-5/5.6/default.nix
@@ -51,8 +51,7 @@ let
qtscript = [ ./qtscript.patch ];
qtserialport = [ ./qtserialport.patch ];
qttools = [ ./qttools.patch ];
- qtwebengine = [ ./qtwebengine-seccomp.patch ]
- ++ optional stdenv.needsPax ./qtwebengine-paxmark-mksnapshot.patch;
+ qtwebengine = [ ./qtwebengine-seccomp.patch ];
qtwebkit = [ ./qtwebkit.patch ];
};
diff --git a/pkgs/development/libraries/qt-5/5.6/qtwebengine-paxmark-mksnapshot.patch b/pkgs/development/libraries/qt-5/5.6/qtwebengine-paxmark-mksnapshot.patch
deleted file mode 100644
index b3316188f7d..00000000000
--- a/pkgs/development/libraries/qt-5/5.6/qtwebengine-paxmark-mksnapshot.patch
+++ /dev/null
@@ -1,46 +0,0 @@
---- qtwebengine-opensource-src-5.6.0-orig/src/3rdparty/chromium/v8/tools/gyp/v8.gyp 2016-03-04 01:48:36.000000000 +1100
-+++ qtwebengine-opensource-src-5.6.0/src/3rdparty/chromium/v8/tools/gyp/v8.gyp 2016-05-01 19:15:44.052770543 +1000
-@@ -33,6 +33,7 @@
- 'embed_script%': "",
- 'v8_extra_library_files%': [],
- 'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)',
-+ 'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)',
- 'remove_v8base_debug_symbols%': 0,
- },
- 'includes': ['../../build/toolchain.gypi', '../../build/features.gypi'],
-@@ -1913,7 +1914,7 @@
- ]
- },
- {
-- 'target_name': 'mksnapshot',
-+ 'target_name': 'mksnapshot_u',
- 'type': 'executable',
- 'dependencies': ['v8_base', 'v8_nosnapshot', 'v8_libplatform'],
- 'include_dirs+': [
-@@ -1936,5 +1937,26 @@
- }],
- ],
- },
-+ {
-+ 'target_name': 'mksnapshot',
-+ 'type': 'executable',
-+ 'dependencies': ['mksnapshot_u'],
-+ 'actions': [
-+ {
-+ 'action_name': 'paxmark_m_mksnapshot',
-+ 'inputs': [
-+ '<(mksnapshot_u_exec)',
-+ ],
-+ 'outputs': [
-+ '<(mksnapshot_exec)',
-+ ],
-+ 'action': [
-+ 'sh',
-+ '-c',
-+ 'cp <(mksnapshot_u_exec) <(mksnapshot_exec) && paxctl -czexm <(mksnapshot_exec)',
-+ ],
-+ },
-+ ],
-+ },
- ],
- }
diff --git a/pkgs/development/libraries/qt-5/5.9/default.nix b/pkgs/development/libraries/qt-5/5.9/default.nix
index 6fcb7a0dc5e..4acc6a6393f 100644
--- a/pkgs/development/libraries/qt-5/5.9/default.nix
+++ b/pkgs/development/libraries/qt-5/5.9/default.nix
@@ -43,7 +43,6 @@ let
qtscript = [ ./qtscript.patch ];
qtserialport = [ ./qtserialport.patch ];
qttools = [ ./qttools.patch ];
- qtwebengine = optional stdenv.needsPax ./qtwebengine-paxmark-mksnapshot.patch;
qtwebkit = [ ./qtwebkit.patch ];
};
diff --git a/pkgs/development/libraries/qt-5/5.9/qtwebengine-paxmark-mksnapshot.patch b/pkgs/development/libraries/qt-5/5.9/qtwebengine-paxmark-mksnapshot.patch
deleted file mode 100644
index 5e170567ce5..00000000000
--- a/pkgs/development/libraries/qt-5/5.9/qtwebengine-paxmark-mksnapshot.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-Index: qtwebengine-opensource-src-5.9.0/src/3rdparty/chromium/v8/src/v8.gyp
-===================================================================
---- qtwebengine-opensource-src-5.9.0.orig/src/3rdparty/chromium/v8/src/v8.gyp
-+++ qtwebengine-opensource-src-5.9.0/src/3rdparty/chromium/v8/src/v8.gyp
-@@ -36,6 +36,7 @@
- 'v8_experimental_extra_library_files%': [],
- 'v8_enable_inspector%': 0,
- 'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)',
-+ 'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)',
- 'mkpeephole_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mkpeephole<(EXECUTABLE_SUFFIX)',
- 'v8_os_page_size%': 0,
- },
-@@ -2432,7 +2433,7 @@
- ]
- },
- {
-- 'target_name': 'mksnapshot',
-+ 'target_name': 'mksnapshot_u',
- 'type': 'executable',
- 'dependencies': [
- 'v8_base',
-@@ -2485,5 +2486,26 @@
- }],
- ],
- },
-+ {
-+ 'target_name': 'mksnapshot',
-+ 'type': 'executable',
-+ 'dependencies': ['mksnapshot_u'],
-+ 'actions': [
-+ {
-+ 'action_name': 'paxmark_m_mksnapshot',
-+ 'inputs': [
-+ '<(mksnapshot_u_exec)',
-+ ],
-+ 'outputs': [
-+ '<(mksnapshot_exec)',
-+ ],
-+ 'action': [
-+ 'sh',
-+ '-c',
-+ 'cp <(mksnapshot_u_exec) <(mksnapshot_exec) && paxctl -czexm <(mksnapshot_exec)',
-+ ],
-+ },
-+ ],
-+ },
- ],
- }
diff --git a/pkgs/development/libraries/qt-5/modules/qtwebengine.nix b/pkgs/development/libraries/qt-5/modules/qtwebengine.nix
index 71ecde66a1f..a80488bad5e 100644
--- a/pkgs/development/libraries/qt-5/modules/qtwebengine.nix
+++ b/pkgs/development/libraries/qt-5/modules/qtwebengine.nix
@@ -14,7 +14,7 @@
, enableProprietaryCodecs ? true
, gn, darwin, openbsm
, ffmpeg ? null
-, lib, stdenv # lib.optional, needsPax
+, lib, stdenv
}:
with stdenv.lib;
@@ -181,7 +181,6 @@ EOF
[Paths]
Prefix = ..
EOF
- paxmark m $out/libexec/QtWebEngineProcess
'';
meta = with lib; {
diff --git a/pkgs/development/tools/analysis/valgrind/default.nix b/pkgs/development/tools/analysis/valgrind/default.nix
index 2e04cac6c49..78f40913eb5 100644
--- a/pkgs/development/tools/analysis/valgrind/default.nix
+++ b/pkgs/development/tools/analysis/valgrind/default.nix
@@ -73,8 +73,6 @@ stdenv.mkDerivation rec {
--replace 'obj:/usr/X11R6/lib' 'obj:*/lib' \
--replace 'obj:/usr/lib' 'obj:*/lib'
done
-
- paxmark m $out/lib/valgrind/*-*-linux
'';
meta = {
diff --git a/pkgs/development/tools/misc/binutils/default.nix b/pkgs/development/tools/misc/binutils/default.nix
index 5d60903ee86..787a5dbc646 100644
--- a/pkgs/development/tools/misc/binutils/default.nix
+++ b/pkgs/development/tools/misc/binutils/default.nix
@@ -33,11 +33,6 @@ stdenv.mkDerivation rec {
# Make binutils output deterministic by default.
./deterministic.patch
- # Always add PaX flags section to ELF files.
- # This is needed, for instance, so that running "ldd" on a binary that is
- # PaX-marked to disable mprotect doesn't fail with permission denied.
- ./pt-pax-flags.patch
-
# Bfd looks in BINDIR/../lib for some plugins that don't
# exist. This is pointless (since users can't install plugins
# there) and causes a cycle between the lib and bin outputs, so
diff --git a/pkgs/development/tools/misc/binutils/pt-pax-flags.patch b/pkgs/development/tools/misc/binutils/pt-pax-flags.patch
deleted file mode 100644
index 3c060012ad0..00000000000
--- a/pkgs/development/tools/misc/binutils/pt-pax-flags.patch
+++ /dev/null
@@ -1,233 +0,0 @@
---- binutils-2.15.94.0.2.2.orig/bfd/elf-bfd.h 2005-02-07 20:42:44.000000000 +0100
-+++ binutils-2.15.94.0.2.2/bfd/elf-bfd.h 2005-02-20 13:13:17.362558200 +0100
-@@ -1266,6 +1266,9 @@
- /* Should the PT_GNU_RELRO segment be emitted? */
- bfd_boolean relro;
-
-+ /* Segment flags for the PT_PAX_FLAGS segment. */
-+ unsigned int pax_flags;
-+
- /* Symbol version definitions in external objects. */
- Elf_Internal_Verdef *verdef;
-
---- binutils-2.17.50.0.18/bfd/elf.c.orig 2007-08-01 11:12:02.000000000 -0400
-+++ binutils-2.17.50.0.18/bfd/elf.c 2007-08-01 14:27:36.086986774 -0400
-@@ -1085,6 +1085,7 @@
- case PT_GNU_EH_FRAME: pt = "EH_FRAME"; break;
- case PT_GNU_STACK: pt = "STACK"; break;
- case PT_GNU_RELRO: pt = "RELRO"; break;
-+ case PT_PAX_FLAGS: pt = "PAX_FLAGS"; break;
- default: pt = NULL; break;
- }
- return pt;
-@@ -2346,6 +2347,9 @@
- case PT_GNU_RELRO:
- return _bfd_elf_make_section_from_phdr (abfd, hdr, hdr_index, "relro");
-
-+ case PT_PAX_FLAGS:
-+ return _bfd_elf_make_section_from_phdr (abfd, hdr, hdr_index, "pax_flags");
-+
- default:
- /* Check for any processor-specific program segment types. */
- bed = get_elf_backend_data (abfd);
-@@ -3326,6 +3330,11 @@
- ++segs;
- }
-
-+ {
-+ /* We need a PT_PAX_FLAGS segment. */
-+ ++segs;
-+ }
-+
- for (s = abfd->sections; s != NULL; s = s->next)
- {
- if ((s->flags & SEC_LOAD) != 0
-@@ -3945,6 +3954,20 @@
- pm = &m->next;
- }
-
-+ {
-+ amt = sizeof (struct elf_segment_map);
-+ m = bfd_zalloc (abfd, amt);
-+ if (m == NULL)
-+ goto error_return;
-+ m->next = NULL;
-+ m->p_type = PT_PAX_FLAGS;
-+ m->p_flags = elf_tdata (abfd)->pax_flags;
-+ m->p_flags_valid = 1;
-+
-+ *pm = m;
-+ pm = &m->next;
-+ }
-+
- free (sections);
- elf_tdata (abfd)->segment_map = mfirst;
- }
-@@ -5129,7 +5152,8 @@
- 5. PT_GNU_STACK segments do not include any sections.
- 6. PT_TLS segment includes only SHF_TLS sections.
- 7. SHF_TLS sections are only in PT_TLS or PT_LOAD segments.
-- 8. PT_DYNAMIC should not contain empty sections at the beginning
-+ 8. PT_PAX_FLAGS segments do not include any sections.
-+ 9. PT_DYNAMIC should not contain empty sections at the beginning
- (with the possible exception of .dynamic). */
- #define IS_SECTION_IN_INPUT_SEGMENT(section, segment, bed) \
- ((((segment->p_paddr \
-@@ -5138,6 +5162,7 @@
- && (section->flags & SEC_ALLOC) != 0) \
- || IS_COREFILE_NOTE (segment, section)) \
- && segment->p_type != PT_GNU_STACK \
-+ && segment->p_type != PT_PAX_FLAGS \
- && (segment->p_type != PT_TLS \
- || (section->flags & SEC_THREAD_LOCAL)) \
- && (segment->p_type == PT_LOAD \
---- binutils-2.23.52.0.1/bfd/elflink.c.orig 2013-02-27 21:28:03.000000000 +0100
-+++ binutils-2.23.52.0.1/bfd/elflink.c 2013-03-01 17:32:44.922717879 +0100
-@@ -5764,18 +5764,32 @@
- && ! (*bed->elf_backend_always_size_sections) (output_bfd, info))
- return FALSE;
-
-+ elf_tdata (output_bfd)->pax_flags = PF_NORANDEXEC;
-+
-+ if (info->execheap)
-+ elf_tdata (output_bfd)->pax_flags |= PF_NOMPROTECT;
-+ else if (info->noexecheap)
-+ elf_tdata (output_bfd)->pax_flags |= PF_MPROTECT;
-+
- /* Determine any GNU_STACK segment requirements, after the backend
- has had a chance to set a default segment size. */
- if (info->execstack)
-+ {
- elf_stack_flags (output_bfd) = PF_R | PF_W | PF_X;
-+ elf_tdata (output_bfd)->pax_flags |= PF_EMUTRAMP;
-+ }
- else if (info->noexecstack)
-+ {
- elf_stack_flags (output_bfd) = PF_R | PF_W;
-+ elf_tdata (output_bfd)->pax_flags |= PF_NOEMUTRAMP;
-+ }
- else
- {
- bfd *inputobj;
- asection *notesec = NULL;
- int exec = 0;
-
-+ elf_tdata (output_bfd)->pax_flags |= PF_NOEMUTRAMP;
- for (inputobj = info->input_bfds;
- inputobj;
- inputobj = inputobj->link_next)
-@@ -5789,7 +5803,11 @@
- if (s)
- {
- if (s->flags & SEC_CODE)
-- exec = PF_X;
-+ {
-+ elf_tdata (output_bfd)->pax_flags &= ~PF_NOEMUTRAMP;
-+ elf_tdata (output_bfd)->pax_flags |= PF_EMUTRAMP;
-+ exec = PF_X;
-+ }
- notesec = s;
- }
- else if (bed->default_execstack)
---- binutils-2.15.94.0.2.2.orig/binutils/readelf.c 2005-02-18 07:14:30.000000000 +0100
-+++ binutils-2.15.94.0.2.2/binutils/readelf.c 2005-02-20 13:13:17.470541784 +0100
-@@ -2293,6 +2293,7 @@
- return "GNU_EH_FRAME";
- case PT_GNU_STACK: return "GNU_STACK";
- case PT_GNU_RELRO: return "GNU_RELRO";
-+ case PT_PAX_FLAGS: return "PAX_FLAGS";
-
- default:
- if ((p_type >= PT_LOPROC) && (p_type <= PT_HIPROC))
---- binutils-2.15.94.0.2.2.orig/include/bfdlink.h 2004-11-22 21:33:32.000000000 +0100
-+++ binutils-2.15.94.0.2.2/include/bfdlink.h 2005-02-20 13:13:17.476540872 +0100
-@@ -313,6 +313,14 @@
- flags. */
- unsigned int noexecstack: 1;
-
-+ /* TRUE if PT_PAX_FLAGS segment should be created with PF_NOMPROTECT
-+ flags. */
-+ unsigned int execheap: 1;
-+
-+ /* TRUE if PT_PAX_FLAGS segment should be created with PF_MPROTECT
-+ flags. */
-+ unsigned int noexecheap: 1;
-+
- /* TRUE if PT_GNU_RELRO segment should be created. */
- unsigned int relro: 1;
-
---- binutils-2.15.94.0.2.2.orig/include/elf/common.h 2004-11-22 21:33:32.000000000 +0100
-+++ binutils-2.15.94.0.2.2/include/elf/common.h 2005-02-20 13:13:17.482539960 +0100
-@@ -423,6 +423,7 @@
- #define PT_SUNW_EH_FRAME PT_GNU_EH_FRAME /* Solaris uses the same value */
- #define PT_GNU_STACK (PT_LOOS + 0x474e551) /* Stack flags */
- #define PT_GNU_RELRO (PT_LOOS + 0x474e552) /* Read-only after relocation */
-+#define PT_PAX_FLAGS (PT_LOOS + 0x5041580) /* PaX flags */
-
- /* Program segment permissions, in program header p_flags field. */
-
-@@ -433,6 +434,19 @@
- #define PF_MASKOS 0x0FF00000 /* New value, Oct 4, 1999 Draft */
- #define PF_MASKPROC 0xF0000000 /* Processor-specific reserved bits */
-
-+#define PF_PAGEEXEC (1 << 4) /* Enable PAGEEXEC */
-+#define PF_NOPAGEEXEC (1 << 5) /* Disable PAGEEXEC */
-+#define PF_SEGMEXEC (1 << 6) /* Enable SEGMEXEC */
-+#define PF_NOSEGMEXEC (1 << 7) /* Disable SEGMEXEC */
-+#define PF_MPROTECT (1 << 8) /* Enable MPROTECT */
-+#define PF_NOMPROTECT (1 << 9) /* Disable MPROTECT */
-+#define PF_RANDEXEC (1 << 10) /* Enable RANDEXEC */
-+#define PF_NORANDEXEC (1 << 11) /* Disable RANDEXEC */
-+#define PF_EMUTRAMP (1 << 12) /* Enable EMUTRAMP */
-+#define PF_NOEMUTRAMP (1 << 13) /* Disable EMUTRAMP */
-+#define PF_RANDMMAP (1 << 14) /* Enable RANDMMAP */
-+#define PF_NORANDMMAP (1 << 15) /* Disable RANDMMAP */
-+
- /* Values for section header, sh_type field. */
-
- #define SHT_NULL 0 /* Section header table entry unused */
---- binutils-2.18.50.0.1/ld/emultempl/elf32.em.orig 2007-09-08 19:34:12.000000000 +0200
-+++ binutils-2.18.50.0.1/ld/emultempl/elf32.em 2007-09-15 21:41:35.688212063 +0200
-@@ -2139,6 +2139,16 @@
- link_info.noexecstack = TRUE;
- link_info.execstack = FALSE;
- }
-+ else if (strcmp (optarg, "execheap") == 0)
-+ {
-+ link_info.execheap = TRUE;
-+ link_info.noexecheap = FALSE;
-+ }
-+ else if (strcmp (optarg, "noexecheap") == 0)
-+ {
-+ link_info.noexecheap = TRUE;
-+ link_info.execheap = FALSE;
-+ }
- EOF
-
- if test -n "$COMMONPAGESIZE"; then
---- binutils-2.15.94.0.2.2.orig/ld/ldgram.y 2004-11-22 21:33:32.000000000 +0100
-+++ binutils-2.15.94.0.2.2/ld/ldgram.y 2005-02-20 13:13:17.499537376 +0100
-@@ -1073,6 +1073,8 @@
- $$ = exp_intop (0x6474e550);
- else if (strcmp (s, "PT_GNU_STACK") == 0)
- $$ = exp_intop (0x6474e551);
-+ else if (strcmp (s, "PT_PAX_FLAGS") == 0)
-+ $$ = exp_intop (0x65041580);
- else
- {
- einfo (_("\
---- binutils-2.26/ld/lexsup.c.orig 2015-11-13 09:27:42.000000000 +0100
-+++ binutils-2.26/ld/lexsup.c 2016-01-26 21:08:41.787138458 +0100
-@@ -1793,8 +1793,12 @@
- fprintf (file, _("\
- -z muldefs Allow multiple definitions\n"));
- fprintf (file, _("\
-+ -z execheap Mark executable as requiring executable heap\n"));
-+ fprintf (file, _("\
- -z execstack Mark executable as requiring executable stack\n"));
- fprintf (file, _("\
-+ -z noexecheap Mark executable as not requiring executable heap\n"));
-+ fprintf (file, _("\
- -z noexecstack Mark executable as not requiring executable stack\n"));
- }
-
diff --git a/pkgs/development/web/nodejs/nodejs.nix b/pkgs/development/web/nodejs/nodejs.nix
index a9c08e1c5b7..e5c52f620ac 100644
--- a/pkgs/development/web/nodejs/nodejs.nix
+++ b/pkgs/development/web/nodejs/nodejs.nix
@@ -88,7 +88,6 @@ in
doCheck = false; # fails 4 out of 1453 tests
postInstall = ''
- paxmark m $out/bin/node
PATH=$out/bin:$PATH patchShebangs $out
${optionalString enableNpm ''
diff --git a/pkgs/stdenv/cross/default.nix b/pkgs/stdenv/cross/default.nix
index 4790145e01f..7d98e5cf488 100644
--- a/pkgs/stdenv/cross/default.nix
+++ b/pkgs/stdenv/cross/default.nix
@@ -59,7 +59,7 @@ in lib.init bootStages ++ [
extraNativeBuildInputs = old.extraNativeBuildInputs
++ lib.optionals
(hostPlatform.isLinux && !buildPlatform.isLinux)
- [ buildPackages.patchelf buildPackages.paxctl ]
+ [ buildPackages.patchelf ]
++ lib.optional
(let f = p: !p.isx86 || p.libc == "musl"; in f hostPlatform && !(f buildPlatform))
buildPackages.updateAutotoolsGnuConfigScriptsHook
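Review bot: Dropping `buildPackages.paxctl` from `extraNativeBuildInputs` here (and `prevStage.paxctl` in the `pkgs/stdenv/linux/default.nix` hunks) removes the setup hook that supplied the real `paxmark`. The `pkgs/stdenv/generic/setup.sh` hunk deletes the no-op fallback in the same commit, so a builder that still calls `paxmark` would presumably fail with "command not found". The in-tree callers are cleaned up in this diff, but out-of-tree derivations and overlays are not visible from here, and the same holds for expressions reading `stdenv.needsPax`, which the `pkgs/stdenv/generic/default.nix` hunk removes. Consider keeping a deprecated shim in setup.sh for one release, e.g. `paxmark() { true; }  # deprecated no-op, scheduled for removal`, plus a release-notes entry, unless a part of the commit not shown here already covers that.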
diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix
index be9d38f9780..f77f43aea88 100644
--- a/pkgs/stdenv/generic/default.nix
+++ b/pkgs/stdenv/generic/default.nix
@@ -130,9 +130,6 @@ let
# The derivation's `system` is `buildPlatform.system`.
inherit (buildPlatform) system;
- # Whether we should run paxctl to pax-mark binaries.
- needsPax = isLinux;
-
inherit (import ./make-derivation.nix {
inherit lib config stdenv;
}) mkDerivation;
diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh
index be96d018612..03fa589138d 100644
--- a/pkgs/stdenv/generic/setup.sh
+++ b/pkgs/stdenv/generic/setup.sh
@@ -280,10 +280,6 @@ if [ -z "${SHELL:-}" ]; then echo "SHELL not set"; exit 1; fi
BASH="$SHELL"
export CONFIG_SHELL="$SHELL"
-# Dummy implementation of the paxmark function. On Linux, this is
-# overwritten by paxctl's setup hook.
-paxmark() { true; }
-
# Execute the pre-hook.
if [ -z "${shell:-}" ]; then export shell="$SHELL"; fi
diff --git a/pkgs/stdenv/linux/default.nix b/pkgs/stdenv/linux/default.nix
index 28c3b9f3fb4..12bf781de70 100644
--- a/pkgs/stdenv/linux/default.nix
+++ b/pkgs/stdenv/linux/default.nix
@@ -216,7 +216,7 @@ in
inherit (prevStage)
ccWrapperStdenv
gcc-unwrapped coreutils gnugrep
- perl paxctl gnum4 bison;
+ perl gnum4 bison;
# This also contains the full, dynamically linked, final Glibc.
binutils = prevStage.binutils.override {
# Rewrap the binutils with the new glibc, so both the next
@@ -250,7 +250,7 @@ in
isl = isl_0_17;
};
};
- extraNativeBuildInputs = [ prevStage.patchelf prevStage.paxctl ] ++
+ extraNativeBuildInputs = [ prevStage.patchelf ] ++
# Many tarballs come with obsolete config.sub/config.guess that don't recognize aarch64.
lib.optional (!localSystem.isx86 || localSystem.libc == "musl")
prevStage.updateAutotoolsGnuConfigScriptsHook;
@@ -325,7 +325,7 @@ in
initialPath =
((import ../common-path.nix) {pkgs = prevStage;});
- extraNativeBuildInputs = [ prevStage.patchelf prevStage.paxctl ] ++
+ extraNativeBuildInputs = [ prevStage.patchelf ] ++
# Many tarballs come with obsolete config.sub/config.guess that don't recognize aarch64.
lib.optional (!localSystem.isx86 || localSystem.libc == "musl")
prevStage.updateAutotoolsGnuConfigScriptsHook;
@@ -349,7 +349,7 @@ in
# Simple executable tools
concatMap (p: [ (getBin p) (getLib p) ]) [
gzip bzip2 xz bash binutils.bintools coreutils diffutils findutils
- gawk gnumake gnused gnutar gnugrep gnupatch patchelf ed paxctl
+ gawk gnumake gnused gnutar gnugrep gnupatch patchelf ed
]
# Library dependencies
++ map getLib (
@@ -368,7 +368,7 @@ in
inherit (prevStage)
gzip bzip2 xz bash coreutils diffutils findutils gawk
gnumake gnused gnutar gnugrep gnupatch patchelf
- attr acl paxctl zlib pcre;
+ attr acl zlib pcre;
${localSystem.libc} = getLibc prevStage;
} // lib.optionalAttrs (super.stdenv.targetPlatform == localSystem) {
# Need to get rid of these when cross-compiling.
diff --git a/pkgs/tools/misc/grub/2.0x.nix b/pkgs/tools/misc/grub/2.0x.nix
index 86287779792..d5079750859 100644
--- a/pkgs/tools/misc/grub/2.0x.nix
+++ b/pkgs/tools/misc/grub/2.0x.nix
@@ -109,8 +109,6 @@ stdenv.mkDerivation rec {
enableParallelBuilding = true;
postInstall = ''
- paxmark pms $out/sbin/grub-{probe,bios-setup}
-
# Avoid a runtime reference to gcc
sed -i $out/lib/grub/*/modinfo.sh -e "/grub_target_cppflags=/ s|'.*'|' '|"
'';
diff --git a/pkgs/tools/misc/grub/trusted.nix b/pkgs/tools/misc/grub/trusted.nix
index d4d79c6e59f..94beff8dfe3 100644
--- a/pkgs/tools/misc/grub/trusted.nix
+++ b/pkgs/tools/misc/grub/trusted.nix
@@ -90,10 +90,6 @@ stdenv.mkDerivation rec {
doCheck = false;
enableParallelBuilding = true;
- postInstall = ''
- paxmark pms $out/sbin/grub-{probe,bios-setup}
- '';
-
meta = with stdenv.lib; {
description = "GRUB 2.0 extended with TCG (TPM) support for integrity measured boot process (trusted boot)";
homepage = https://github.com/Sirrix-AG/TrustedGRUB2;