treewide: remove paxutils from stdenv

More than one year ago we removed grsecurity kernels from nixpkgs:
https://github.com/NixOS/nixpkgs/pull/25277

This now also removes paxutils from stdenv.
This commit is contained in:
Jörg Thalheim 2018-12-22 12:49:41 +01:00
parent 0a2efa121d
commit 1b146a8c6f
No known key found for this signature in database
GPG Key ID: CA4106B8D7CC79FA
65 changed files with 17 additions and 687 deletions


@ -2433,30 +2433,6 @@ addEnvHooks "$hostOffset" myBashFunction
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>
paxctl
</term>
<listitem>
<para>
Defines the <varname>paxmark</varname> helper for setting per-executable
PaX flags on Linux (where it is available by default; on all other
platforms, <varname>paxmark</varname> is a no-op). For example, to
disable secure memory protections on the executable
<replaceable>foo</replaceable>
<programlisting>
postFixup = ''
paxmark m $out/bin/<replaceable>foo</replaceable>
'';
</programlisting>
The <literal>m</literal> flag is the most common flag and is typically
required for applications that employ JIT compilation or otherwise need
to execute code generated at run-time. Disabling PaX protections should
be considered a last resort: if possible, problematic features should be
disabled or patched to work with PaX.
</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term> <term>
autoPatchelfHook autoPatchelfHook


@ -34,8 +34,6 @@ in stdenv.mkDerivation rec {
find $out/share/parity-ui -name "*.node" -exec patchelf --set-rpath "${uiEnv.libPath}:$out/share/parity-ui" {} \; find $out/share/parity-ui -name "*.node" -exec patchelf --set-rpath "${uiEnv.libPath}:$out/share/parity-ui" {} \;
paxmark m $out/share/parity-ui/parity-ui
mkdir -p $out/bin mkdir -p $out/bin
ln -s $out/share/parity-ui/parity-ui $out/bin/parity-ui ln -s $out/share/parity-ui/parity-ui $out/bin/parity-ui
''; '';


@ -70,9 +70,6 @@ let
ln -s ${pkgs.git}/bin/git $dugite/git/libexec/git-core/git ln -s ${pkgs.git}/bin/git $dugite/git/libexec/git-core/git
find $share -name "*.node" -exec patchelf --set-rpath "${atomEnv.libPath}:$share" {} \; find $share -name "*.node" -exec patchelf --set-rpath "${atomEnv.libPath}:$share" {} \;
paxmark m $share/atom
paxmark m $share/resources/app/apm/bin/node
''; '';
meta = with stdenv.lib; { meta = with stdenv.lib; {


@ -282,8 +282,6 @@ let
MENUNAME="Chromium" MENUNAME="Chromium"
process_template chrome/app/resources/manpage.1.in "${buildPath}/chrome.1" process_template chrome/app/resources/manpage.1.in "${buildPath}/chrome.1"
) )
'' + optionalString (target == "mksnapshot" || target == "chrome") ''
paxmark m "${buildPath}/${target}"
''; '';
targets = extraAttrs.buildTargets or []; targets = extraAttrs.buildTargets or [];
commands = map buildCommand targets; commands = map buildCommand targets;


@ -263,20 +263,12 @@ stdenv.mkDerivation rec {
enableParallelBuilding = true; enableParallelBuilding = true;
doCheck = false; # "--disable-tests" above doCheck = false; # "--disable-tests" above
preInstall = ''
# The following is needed for startup cache creation on grsecurity kernels.
paxmark m dist/bin/xpcshell
'';
installPhase = if stdenv.isDarwin then '' installPhase = if stdenv.isDarwin then ''
mkdir -p $out/Applications mkdir -p $out/Applications
cp -LR dist/Firefox.app $out/Applications cp -LR dist/Firefox.app $out/Applications
'' else null; '' else null;
postInstall = lib.optionalString stdenv.isLinux '' postInstall = lib.optionalString stdenv.isLinux ''
# For grsecurity kernels
paxmark m $out/lib/firefox*/{firefox,firefox-bin,plugin-container}
# Remove SDK cruft. FIXME: move to a separate output? # Remove SDK cruft. FIXME: move to a separate output?
rm -rf $out/share/idl $out/include $out/lib/firefox-devel-* rm -rf $out/share/idl $out/include $out/lib/firefox-devel-*


@ -32,8 +32,6 @@ stdenv.mkDerivation rec {
patchelf --set-interpreter ${stdenv.cc.bintools.dynamicLinker} \ patchelf --set-interpreter ${stdenv.cc.bintools.dynamicLinker} \
$out/opt/discord/Discord $out/opt/discord/Discord
paxmark m $out/opt/discord/Discord
wrapProgram $out/opt/discord/Discord --prefix LD_LIBRARY_PATH : ${libPath} wrapProgram $out/opt/discord/Discord --prefix LD_LIBRARY_PATH : ${libPath}
ln -s $out/opt/discord/Discord $out/bin/ ln -s $out/opt/discord/Discord $out/bin/


@ -54,7 +54,6 @@ in stdenv.mkDerivation rec {
''; '';
postFixup = '' postFixup = ''
paxmark m $out/opt/franz/Franz
wrapProgram $out/opt/franz/Franz --prefix PATH : ${xdg_utils}/bin wrapProgram $out/opt/franz/Franz --prefix PATH : ${xdg_utils}/bin
''; '';


@ -52,7 +52,6 @@ in stdenv.mkDerivation rec {
''; '';
postFixup = '' postFixup = ''
paxmark m $out/opt/wavebox/Wavebox
makeWrapper $out/opt/wavebox/Wavebox $out/bin/wavebox \ makeWrapper $out/opt/wavebox/Wavebox $out/bin/wavebox \
--prefix PATH : ${xdg_utils}/bin --prefix PATH : ${xdg_utils}/bin
''; '';


@ -108,18 +108,9 @@ in stdenv.mkDerivation rec {
cd ../objdir cd ../objdir
''; '';
preInstall =
''
# The following is needed for startup cache creation on grsecurity kernels.
paxmark m ../objdir/dist/bin/xpcshell
'';
dontWrapGApps = true; # we do it ourselves dontWrapGApps = true; # we do it ourselves
postInstall = postInstall =
'' ''
# For grsecurity kernels
paxmark m $out/lib/thunderbird/thunderbird
# TODO: Move to a dev output? # TODO: Move to a dev output?
rm -rf $out/include $out/lib/thunderbird-devel-* $out/share/idl rm -rf $out/include $out/lib/thunderbird-devel-* $out/share/idl


@ -112,7 +112,6 @@ stdenv.mkDerivation {
patchelf --set-interpreter $interpreter \ patchelf --set-interpreter $interpreter \
--set-rpath ${stdenv.lib.makeLibraryPath deps}:$out/lib \ --set-rpath ${stdenv.lib.makeLibraryPath deps}:$out/lib \
$out/bin/mendeleydesktop $out/bin/mendeleydesktop
paxmark m $out/bin/mendeleydesktop
wrapProgram $out/bin/mendeleydesktop \ wrapProgram $out/bin/mendeleydesktop \
--add-flags "--unix-distro-build" \ --add-flags "--unix-distro-build" \


@ -125,9 +125,6 @@ stdenv.mkDerivation rec {
postFixup = postFixup =
'' ''
for exe in $out/bin/qemu-system-* ; do
paxmark m $exe
done
# copy qemu-ga (guest agent) to separate output # copy qemu-ga (guest agent) to separate output
mkdir -p $ga/bin mkdir -p $ga/bin
cp $out/bin/qemu-ga $ga/bin/ cp $out/bin/qemu-ga $ga/bin/


@ -61,14 +61,6 @@ let result = stdenv.mkDerivation rec {
installPhase = '' installPhase = ''
cd .. cd ..
# Set PaX markings
exes=$(file $sourceRoot/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
for file in $exes; do
paxmark m "$file"
# On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''}
done
mv $sourceRoot $out mv $sourceRoot $out
rm -rf $out/demo rm -rf $out/demo


@ -282,11 +282,6 @@ postInstall() {
fi fi
done done
# Disable RANDMMAP on grsec, which causes segfaults when using
# precompiled headers.
# See https://bugs.gentoo.org/show_bug.cgi?id=301299#c31
paxmark r $out/libexec/gcc/*/*/{cc1,cc1plus}
# Two identical man pages are shipped (moving and compressing is done later) # Two identical man pages are shipped (moving and compressing is done later)
ln -sf gcc.1 "$out"/share/man/man1/g++.1 ln -sf gcc.1 "$out"/share/man/man1/g++.1
} }


@ -105,8 +105,6 @@ stdenv.mkDerivation rec {
--replace-needed libtinfo.so libtinfo.so.5 \ --replace-needed libtinfo.so libtinfo.so.5 \
--interpreter ${glibcDynLinker} {} \; --interpreter ${glibcDynLinker} {} \;
paxmark m ./ghc-${version}/ghc/stage2/build/tmp/ghc-stage2
sed -i "s|/usr/bin/perl|perl\x00 |" ghc-${version}/ghc/stage2/build/tmp/ghc-stage2 sed -i "s|/usr/bin/perl|perl\x00 |" ghc-${version}/ghc/stage2/build/tmp/ghc-stage2
sed -i "s|/usr/bin/gcc|gcc\x00 |" ghc-${version}/ghc/stage2/build/tmp/ghc-stage2 sed -i "s|/usr/bin/gcc|gcc\x00 |" ghc-${version}/ghc/stage2/build/tmp/ghc-stage2
''; '';


@ -238,11 +238,6 @@ stdenv.mkDerivation (rec {
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie"; hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
postInstall = '' postInstall = ''
for bin in "$out"/lib/${name}/bin/*; do
isELF "$bin" || continue
paxmark m "$bin"
done
# Install the bash completion file. # Install the bash completion file.
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc


@ -214,11 +214,6 @@ stdenv.mkDerivation (rec {
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie"; hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
postInstall = '' postInstall = ''
for bin in "$out"/lib/${name}/bin/*; do
isELF "$bin" || continue
paxmark m "$bin"
done
# Install the bash completion file. # Install the bash completion file.
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc


@ -195,11 +195,6 @@ stdenv.mkDerivation (rec {
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie"; hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
postInstall = '' postInstall = ''
for bin in "$out"/lib/${name}/bin/*; do
isELF "$bin" || continue
paxmark m "$bin"
done
# Install the bash completion file. # Install the bash completion file.
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc


@ -195,11 +195,6 @@ stdenv.mkDerivation (rec {
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie"; hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
postInstall = '' postInstall = ''
for bin in "$out"/lib/${name}/bin/*; do
isELF "$bin" || continue
paxmark m "$bin"
done
# Install the bash completion file. # Install the bash completion file.
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc


@ -192,11 +192,6 @@ stdenv.mkDerivation (rec {
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie"; hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
postInstall = '' postInstall = ''
for bin in "$out"/lib/${name}/bin/*; do
isELF "$bin" || continue
paxmark m "$bin"
done
# Install the bash completion file. # Install the bash completion file.
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc


@ -177,11 +177,6 @@ stdenv.mkDerivation (rec {
hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie"; hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
postInstall = '' postInstall = ''
for bin in "$out"/lib/${name}/bin/*; do
isELF "$bin" || continue
paxmark m "$bin"
done
# Install the bash completion file. # Install the bash completion file.
install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc


@ -25,11 +25,6 @@ let drv = stdenv.mkDerivation rec {
installPhase = '' installPhase = ''
cd .. cd ..
exes=$(file $sourceRoot/bin/* $sourceRoot/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
for file in $exes; do
paxmark m "$file"
done
mv $sourceRoot $out mv $sourceRoot $out
jrePath=$out/jre jrePath=$out/jre
''; '';


@ -1,25 +0,0 @@
From eddb251a00ace6e63e32e7dcb9e1ec632cac14e0 Mon Sep 17 00:00:00 2001
From: Will Dietz <w@wdtz.org>
Date: Wed, 1 Feb 2017 06:09:49 -0600
Subject: [PATCH] Set pax flags on julia binaries to disable memory protection.
---
Makefile | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Makefile b/Makefile
index 0e28cc87b..aab8cfa8d 100644
--- a/Makefile
+++ b/Makefile
@@ -91,6 +91,8 @@ julia-src-release julia-src-debug : julia-src-% : julia-deps julia_flisp.boot.in
julia-ui-release julia-ui-debug : julia-ui-% : julia-src-%
@$(MAKE) $(QUIET_MAKE) -C $(BUILDROOT)/ui julia-$*
+ @echo "setting PaX flags on $(JULIA_EXECUTABLE_$*)"
+ @paxctl -czexm $(JULIA_EXECUTABLE_$*)
julia-inference : julia-base julia-ui-$(JULIA_BUILD_MODE) $(build_prefix)/.examples
@$(MAKE) $(QUIET_MAKE) -C $(BUILDROOT) $(build_private_libdir)/inference.ji JULIA_BUILD_MODE=$(JULIA_BUILD_MODE)
--
2.11.0


@ -1,6 +1,6 @@
{ stdenv, fetchurl, fetchzip { stdenv, fetchurl, fetchzip
# build tools # build tools
, gfortran, m4, makeWrapper, patchelf, perl, which, python2, paxctl , gfortran, m4, makeWrapper, patchelf, perl, which, python2
# libjulia dependencies # libjulia dependencies
, libunwind, readline, utf8proc, zlib , libunwind, readline, utf8proc, zlib
, llvm , llvm
@ -75,7 +75,7 @@ stdenv.mkDerivation rec {
patches = [ patches = [
./0001.1-use-system-utf8proc.patch ./0001.1-use-system-utf8proc.patch
./0002-use-system-suitesparse.patch ./0002-use-system-suitesparse.patch
] ++ stdenv.lib.optional stdenv.needsPax ./0004-hardened.patch; ];
postPatch = '' postPatch = ''
patchShebangs . contrib patchShebangs . contrib
@ -96,8 +96,7 @@ stdenv.mkDerivation rec {
++ stdenv.lib.optionals stdenv.isDarwin [CoreServices ApplicationServices] ++ stdenv.lib.optionals stdenv.isDarwin [CoreServices ApplicationServices]
; ;
nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ] nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ];
++ stdenv.lib.optional stdenv.needsPax paxctl;
makeFlags = makeFlags =
let let
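Review bot: The `stdenv.needsPax` guards dropped in this section's `patches` hunk (`@ -75,7 +75,7 @@`) and `nativeBuildInputs` hunk (`@ -96,8 +96,7 @@`) are conditionals on a stdenv attribute, and the commit title says the PaX tooling leaves stdenv; if `needsPax` itself is removed from stdenv in the same commit, any reference the commit misses elsewhere in the tree turns from a silent `false` into an evaluation failure (`attribute 'needsPax' missing`) rather than a harmless no-op. A tree-wide search for `needsPax`, `paxmark` and `paxctl` before merge would confirm nothing is left behind; the same point applies to the second julia section (`@ -95,7 +95,7 @@` / `@ -117,8 +117,7 @@`) and the swift section (`@ -150,7 +149,7 @@` / `@ -218,9 +217,6 @@`). If stdenv instead keeps `needsPax = false` as a compatibility shim, the ordering concern goes away, but that is not visible from these hunks. The enclosing `mkDerivation` attribute set starts and ends outside the hunks.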


@ -5,7 +5,7 @@
}: }:
{ stdenv, fetchurl, fetchzip { stdenv, fetchurl, fetchzip
# build tools # build tools
, gfortran, m4, makeWrapper, patchelf, perl, which, python2, paxctl , gfortran, m4, makeWrapper, patchelf, perl, which, python2
, llvm, cmake , llvm, cmake
# libjulia dependencies # libjulia dependencies
, libunwind, readline, utf8proc, zlib , libunwind, readline, utf8proc, zlib
@ -95,7 +95,7 @@ stdenv.mkDerivation rec {
patches = [ patches = [
./0001.1-use-system-utf8proc.patch ./0001.1-use-system-utf8proc.patch
] ++ stdenv.lib.optional stdenv.needsPax ./0004-hardened.patch; ];
postPatch = '' postPatch = ''
patchShebangs . contrib patchShebangs . contrib
@ -117,8 +117,7 @@ stdenv.mkDerivation rec {
++ stdenv.lib.optionals stdenv.isDarwin [CoreServices ApplicationServices] ++ stdenv.lib.optionals stdenv.isDarwin [CoreServices ApplicationServices]
; ;
nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ] nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ];
++ stdenv.lib.optional stdenv.needsPax paxctl;
makeFlags = makeFlags =
let let


@ -81,12 +81,6 @@ in stdenv.mkDerivation rec {
postBuild = '' postBuild = ''
rm -fR $out rm -fR $out
paxmark m bin/{lli,llvm-rtdyld}
paxmark m unittests/ExecutionEngine/JIT/JITTests
paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
paxmark m unittests/Support/SupportTests
''; '';
enableParallelBuilding = true; enableParallelBuilding = true;


@ -89,8 +89,6 @@ in stdenv.mkDerivation rec {
postBuild = '' postBuild = ''
rm -fR $out rm -fR $out
paxmark m bin/{lli,llvm-rtdyld}
''; '';
enableParallelBuilding = true; enableParallelBuilding = true;


@ -97,8 +97,6 @@ in stdenv.mkDerivation rec {
postBuild = '' postBuild = ''
rm -fR $out rm -fR $out
paxmark m bin/{lli,llvm-rtdyld}
''; '';
postInstall = stdenv.lib.optionalString (stdenv.isDarwin && enableSharedLibraries) '' postInstall = stdenv.lib.optionalString (stdenv.isDarwin && enableSharedLibraries) ''


@ -141,8 +141,6 @@ in stdenv.mkDerivation rec {
postBuild = '' postBuild = ''
rm -fR $out rm -fR $out
paxmark m bin/{lli,llvm-rtdyld}
''; '';
postInstall = "" postInstall = ""


@ -121,12 +121,6 @@ in stdenv.mkDerivation (rec {
postBuild = '' postBuild = ''
rm -fR $out rm -fR $out
paxmark m bin/{lli,llvm-rtdyld}
paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
paxmark m unittests/ExecutionEngine/Orc/OrcJITTests
paxmark m unittests/Support/SupportTests
paxmark m bin/lli-child-target
''; '';
preCheck = '' preCheck = ''


@ -98,12 +98,6 @@ in stdenv.mkDerivation (rec {
postBuild = '' postBuild = ''
rm -fR $out rm -fR $out
paxmark m bin/{lli,llvm-rtdyld}
paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
paxmark m unittests/ExecutionEngine/Orc/OrcJITTests
paxmark m unittests/Support/SupportTests
paxmark m bin/lli-child-target
''; '';
preCheck = '' preCheck = ''


@ -115,12 +115,6 @@ in stdenv.mkDerivation (rec {
postBuild = '' postBuild = ''
rm -fR $out rm -fR $out
paxmark m bin/{lli,llvm-rtdyld}
paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
paxmark m unittests/ExecutionEngine/Orc/OrcJITTests
paxmark m unittests/Support/SupportTests
paxmark m bin/lli-child-target
''; '';
preCheck = '' preCheck = ''


@ -110,12 +110,6 @@ in stdenv.mkDerivation (rec {
postBuild = '' postBuild = ''
rm -fR $out rm -fR $out
paxmark m bin/{lli,llvm-rtdyld}
paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
paxmark m unittests/ExecutionEngine/Orc/OrcJITTests
paxmark m unittests/Support/SupportTests
paxmark m bin/lli-child-target
''; '';
preCheck = '' preCheck = ''


@ -21,7 +21,6 @@ let
update = ".0.1"; update = ".0.1";
build = "13"; build = "13";
repover = "jdk-${major}${update}+${build}"; repover = "jdk-${major}${update}+${build}";
paxflags = if stdenv.isi686 then "msp" else "m";
openjdk = stdenv.mkDerivation { openjdk = stdenv.mkDerivation {
name = "openjdk-${major}${update}-b${build}"; name = "openjdk-${major}${update}-b${build}";
@ -106,14 +105,6 @@ let
rm $out/lib/openjdk/lib/{libjsound,libfontmanager}.so rm $out/lib/openjdk/lib/{libjsound,libfontmanager}.so
''} ''}
# Set PaX markings
exes=$(file $out/lib/openjdk/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
echo "to mark: *$exes*"
for file in $exes; do
echo "marking *$file*"
paxmark ${paxflags} "$file"
done
ln -s $out/lib/openjdk/bin $out/bin ln -s $out/lib/openjdk/bin $out/bin
''; '';


@ -25,7 +25,6 @@ let
build = "26"; build = "26";
baseurl = "http://hg.openjdk.java.net/jdk8u/jdk8u"; baseurl = "http://hg.openjdk.java.net/jdk8u/jdk8u";
repover = "jdk8u${update}-b${build}"; repover = "jdk8u${update}-b${build}";
paxflags = if stdenv.isi686 then "msp" else "m";
jdk8 = fetchurl { jdk8 = fetchurl {
url = "${baseurl}/archive/${repover}.tar.gz"; url = "${baseurl}/archive/${repover}.tar.gz";
sha256 = "1hx5sfsglc101aqs9n7cz7rh447d6rxfxkbw03crvzbvy9n6ag2d"; sha256 = "1hx5sfsglc101aqs9n7cz7rh447d6rxfxkbw03crvzbvy9n6ag2d";
@ -176,14 +175,6 @@ let
rm -rf $out/lib/openjdk/jre/lib/cmm rm -rf $out/lib/openjdk/jre/lib/cmm
ln -s {$jre,$out}/lib/openjdk/jre/lib/cmm ln -s {$jre,$out}/lib/openjdk/jre/lib/cmm
# Set PaX markings
exes=$(file $out/lib/openjdk/bin/* $jre/lib/openjdk/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
echo "to mark: *$exes*"
for file in $exes; do
echo "marking *$file*"
paxmark ${paxflags} "$file"
done
# Remove duplicate binaries. # Remove duplicate binaries.
for i in $(cd $out/lib/openjdk/bin && echo *); do for i in $(cd $out/lib/openjdk/bin && echo *); do
if [ "$i" = java ]; then continue; fi if [ "$i" = java ]; then continue; fi


@ -36,13 +36,5 @@ let
patchelf --set-interpreter $(cat "${stdenv.cc}/nix-support/dynamic-linker") "$elf" || true patchelf --set-interpreter $(cat "${stdenv.cc}/nix-support/dynamic-linker") "$elf" || true
patchelf --set-rpath "${stdenv.cc.libc}/lib:${stdenv.cc.cc.lib}/lib:${zlib}/lib:$LIBDIRS" "$elf" || true patchelf --set-rpath "${stdenv.cc.libc}/lib:${stdenv.cc.cc.lib}/lib:${zlib}/lib:$LIBDIRS" "$elf" || true
done done
# Temporarily, while NixOS's OpenJDK bootstrap tarball doesn't have PaX markings:
find "$out/bin" -type f -print0 | while IFS= read -r -d "" elf; do
isELF "$elf" || continue
paxmark m "$elf"
# On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$elf"''}
done
''; '';
in bootstrap in bootstrap


@ -93,14 +93,6 @@ let result = stdenv.mkDerivation rec {
installPhase = '' installPhase = ''
cd .. cd ..
# Set PaX markings
exes=$(file $sourceRoot/bin/* $sourceRoot/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
for file in $exes; do
paxmark m "$file" || true
# On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''}
done
if test -z "$installjdk"; then if test -z "$installjdk"; then
mv $sourceRoot/jre $out mv $sourceRoot/jre $out
else else


@ -27,7 +27,6 @@
, git , git
, libgit2 , libgit2
, fetchFromGitHub , fetchFromGitHub
, paxctl
, findutils , findutils
, makeWrapper , makeWrapper
, gnumake , gnumake
@ -150,7 +149,7 @@ stdenv.mkDerivation rec {
findutils findutils
makeWrapper makeWrapper
gnumake gnumake
] ++ stdenv.lib.optional stdenv.needsPax paxctl; ];
# TODO: Revisit what's propagated and how # TODO: Revisit what's propagated and how
propagatedBuildInputs = [ propagatedBuildInputs = [
@ -218,9 +217,6 @@ stdenv.mkDerivation rec {
substituteInPlace swift/utils/build-script-impl \ substituteInPlace swift/utils/build-script-impl \
--replace '/usr/include/c++' "${clang.cc.gcc}/include/c++" --replace '/usr/include/c++' "${clang.cc.gcc}/include/c++"
patch -p1 -d swift -i ${./patches/glibc-arch-headers.patch} patch -p1 -d swift -i ${./patches/glibc-arch-headers.patch}
'' + stdenv.lib.optionalString stdenv.needsPax ''
patch -p1 -d swift -i ${./patches/build-script-pax.patch}
'' + ''
patch -p1 -d swift -i ${./patches/0001-build-presets-linux-don-t-require-using-Ninja.patch} patch -p1 -d swift -i ${./patches/0001-build-presets-linux-don-t-require-using-Ninja.patch}
patch -p1 -d swift -i ${./patches/0002-build-presets-linux-allow-custom-install-prefix.patch} patch -p1 -d swift -i ${./patches/0002-build-presets-linux-allow-custom-install-prefix.patch}
patch -p1 -d swift -i ${./patches/0004-build-presets-linux-plumb-extra-cmake-options.patch} patch -p1 -d swift -i ${./patches/0004-build-presets-linux-plumb-extra-cmake-options.patch}
@ -266,9 +262,6 @@ stdenv.mkDerivation rec {
tar xf $INSTALLABLE_PACKAGE -C $out --strip-components=3 $PREFIX tar xf $INSTALLABLE_PACKAGE -C $out --strip-components=3 $PREFIX
find $out -type d -empty -delete find $out -type d -empty -delete
paxmark pmr $out/bin/swift
paxmark pmr $out/bin/*
# TODO: Use wrappers to get these on the PATH for swift tools, instead # TODO: Use wrappers to get these on the PATH for swift tools, instead
ln -s ${clang}/bin/* $out/bin/ ln -s ${clang}/bin/* $out/bin/
ln -s ${targetPackages.stdenv.cc.bintools.bintools_bin}/bin/ar $out/bin/ar ln -s ${targetPackages.stdenv.cc.bintools.bintools_bin}/bin/ar $out/bin/ar


@ -1,33 +0,0 @@
--- swift/utils/build-script-impl 2017-01-23 12:47:20.401326309 -0600
+++ swift-pax/utils/build-script-impl 2017-01-23 13:24:10.339366996 -0600
@@ -1837,6 +1837,17 @@ function set_lldb_xcodebuild_options() {
fi
}
+## XXX: Taken from nixpkgs /pkgs/stdenv/generic/setup.sh
+isELF() {
+ local fn="$1"
+ local fd
+ local magic
+ exec {fd}< "$fn"
+ read -n 4 -u $fd magic
+ exec {fd}<&-
+ if [[ "$magic" =~ ELF ]]; then return 0; else return 1; fi
+}
+
#
# Configure and build each product
#
@@ -2735,6 +2746,12 @@ for host in "${ALL_HOSTS[@]}"; do
fi
call "${CMAKE_BUILD[@]}" "${build_dir}" $(cmake_config_opt ${product}) -- "${BUILD_ARGS[@]}" ${build_targets[@]}
+
+ while IFS= read -r -d $'\0' i; do
+ if ! isELF "$i"; then continue; fi
+ echo "setting pax flags on $i"
+ paxctl -czexm "$i" || true
+ done < <(find "${build_dir}" -executable -type f -wholename "*/bin/*" -print0)
fi
done
done


@ -51,10 +51,6 @@ stdenv.mkDerivation rec {
'' ''
; ;
postFixup = ''
paxmark m $bin/bin/terra
'';
buildInputs = with llvmPackages; [ lua llvm clang-unwrapped ncurses ]; buildInputs = with llvmPackages; [ lua llvm clang-unwrapped ncurses ];
meta = with stdenv.lib; { meta = with stdenv.lib; {


@ -33,10 +33,6 @@ stdenv.mkDerivation rec {
doCheck = true; doCheck = true;
checkTarget = "test"; checkTarget = "test";
postFixup = ''
paxmark m $out/bin/tcc
'';
meta = { meta = {
description = "Small, fast, and embeddable C compiler and interpreter"; description = "Small, fast, and embeddable C compiler and interpreter";


@ -77,8 +77,6 @@ stdenv.mkDerivation rec {
'' ''
ln -s $out/share/man/man1/{python2.7.1.gz,python.1.gz} ln -s $out/share/man/man1/{python2.7.1.gz,python.1.gz}
paxmark E $out/bin/python2.7
rm "$out"/lib/python*/plat-*/regen # refers to glibc.dev rm "$out"/lib/python*/plat-*/regen # refers to glibc.dev
''; '';


@ -229,8 +229,6 @@ in stdenv.mkDerivation ({
ln -s $out/lib/python${majorVersion}/pdb.py $out/bin/pdb${majorVersion} ln -s $out/lib/python${majorVersion}/pdb.py $out/bin/pdb${majorVersion}
ln -s $out/share/man/man1/{python2.7.1.gz,python.1.gz} ln -s $out/share/man/man1/{python2.7.1.gz,python.1.gz}
paxmark E $out/bin/python${majorVersion}
# Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484 # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py


@ -143,7 +143,6 @@ in stdenv.mkDerivation {
touch $out/lib/python${majorVersion}/test/__init__.py touch $out/lib/python${majorVersion}/test/__init__.py
ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}" ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}"
paxmark E $out/bin/python${majorVersion}
# Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484 # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py


@ -164,7 +164,6 @@ in stdenv.mkDerivation {
touch $out/lib/python${majorVersion}/test/__init__.py touch $out/lib/python${majorVersion}/test/__init__.py
ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}" ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}"
paxmark E $out/bin/python${majorVersion}
# Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484 # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py


@ -154,7 +154,6 @@ in stdenv.mkDerivation {
touch $out/lib/python${majorVersion}/test/__init__.py touch $out/lib/python${majorVersion}/test/__init__.py
ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}" ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}"
paxmark E $out/bin/python${majorVersion}
# Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484 # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py


@ -59,9 +59,6 @@ stdenv.mkDerivation rec {
preCheck = '' preCheck = ''
rm jit-test/tests/sunspider/check-date-format-tofte.js # https://bugzil.la/600522 rm jit-test/tests/sunspider/check-date-format-tofte.js # https://bugzil.la/600522
paxmark mr shell/js
paxmark mr jsapi-tests/jsapi-tests
''; '';
meta = with stdenv.lib; { meta = with stdenv.lib; {


@ -36,8 +36,6 @@ stdenv.mkDerivation rec {
postInstall = '' postInstall = ''
# Hm, apparently --disable-gtk-doc is ignored... # Hm, apparently --disable-gtk-doc is ignored...
rm -rf $out/share/gtk-doc rm -rf $out/share/gtk-doc
paxmark m $out/bin/gst-launch* $out/libexec/gstreamer-*/gst-plugin-scanner
''; '';
setupHook = ./setup-hook.sh; setupHook = ./setup-hook.sh;


@ -72,13 +72,6 @@ stdenv.mkDerivation rec {
makeFlags = "INTROSPECTION_GIRDIR=$(out)/share/gir-1.0 INTROSPECTION_TYPELIBDIR=$(out)/lib/girepository-1.0"; makeFlags = "INTROSPECTION_GIRDIR=$(out)/share/gir-1.0 INTROSPECTION_TYPELIBDIR=$(out)/lib/girepository-1.0";
# The following is required on grsecurity/PaX due to spidermonkey's JIT
postBuild = stdenv.lib.optionalString stdenv.isLinux ''
paxmark mr src/polkitbackend/.libs/polkitd
'' + stdenv.lib.optionalString (stdenv.isLinux && doCheck) ''
paxmark mr test/polkitbackend/.libs/polkitbackendjsauthoritytest
'';
installFlags=["datadir=$(out)/share" "sysconfdir=$(out)/etc"]; installFlags=["datadir=$(out)/share" "sysconfdir=$(out)/etc"];
inherit doCheck; inherit doCheck;


@ -61,7 +61,6 @@ let
qtscript = [ ./qtscript.patch ]; qtscript = [ ./qtscript.patch ];
qtserialport = [ ./qtserialport.patch ]; qtserialport = [ ./qtserialport.patch ];
qttools = [ ./qttools.patch ]; qttools = [ ./qttools.patch ];
qtwebengine = optional stdenv.needsPax ./qtwebengine-paxmark-mksnapshot.patch;
qtwebkit = [ ./qtwebkit.patch ]; qtwebkit = [ ./qtwebkit.patch ];
}; };


@ -1,48 +0,0 @@
diff --git a/src/3rdparty/chromium/v8/src/v8.gyp b/chromium/v8/src/v8.gyp
index e7e19f5059..934448c7d8 100644
--- a/src/3rdparty/chromium/v8/src/v8.gyp
+++ b/src/3rdparty/chromium/v8/src/v8.gyp
@@ -35,6 +35,7 @@
'v8_extra_library_files%': [],
'v8_experimental_extra_library_files%': [],
'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)',
+ 'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)',
'v8_os_page_size%': 0,
},
'includes': ['../gypfiles/toolchain.gypi', '../gypfiles/features.gypi', 'inspector/inspector.gypi'],
@@ -2576,7 +2577,7 @@
]
},
{
- 'target_name': 'mksnapshot',
+ 'target_name': 'mksnapshot_u',
'type': 'executable',
'dependencies': [
'v8_base',
@@ -2606,5 +2607,26 @@
}],
],
},
+ {
+ 'target_name': 'mksnapshot',
+ 'type': 'executable',
+ 'dependencies': ['mksnapshot_u'],
+ 'actions': [
+ {
+ 'action_name': 'paxmark_m_mksnapshot',
+ 'inputs': [
+ '<(mksnapshot_u_exec)',
+ ],
+ 'outputs': [
+ '<(mksnapshot_exec)',
+ ],
+ 'action': [
+ 'sh',
+ '-c',
+ 'cp <(mksnapshot_u_exec) <(mksnapshot_exec) && paxctl -czexm <(mksnapshot_exec)',
+ ],
+ },
+ ],
+ },
],
}


@ -51,8 +51,7 @@ let
qtscript = [ ./qtscript.patch ]; qtscript = [ ./qtscript.patch ];
qtserialport = [ ./qtserialport.patch ]; qtserialport = [ ./qtserialport.patch ];
qttools = [ ./qttools.patch ]; qttools = [ ./qttools.patch ];
qtwebengine = [ ./qtwebengine-seccomp.patch ] qtwebengine = [ ./qtwebengine-seccomp.patch ];
++ optional stdenv.needsPax ./qtwebengine-paxmark-mksnapshot.patch;
qtwebkit = [ ./qtwebkit.patch ]; qtwebkit = [ ./qtwebkit.patch ];
}; };
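Review bot: The `qtwebengine` key survives here as `qtwebengine = [ ./qtwebengine-seccomp.patch ];`, but the two sibling Qt patch-set sections (`@ -61,7 +61,6 @@` and `@ -43,7 +43,6 @@`) delete their `qtwebengine` line outright, so the three patch attrsets no longer have the same shape. Whether a missing key is safe depends on the consumer, which is outside these hunks: a lookup like `patches.qtwebengine` fails at evaluation time when the attribute is absent, while `patches.qtwebengine or []` does not. If the consumer does not already default the lookup, `qtwebengine = [ ];` in the two sibling files would keep the shape uniform without reintroducing the removed patch. The enclosing `let` binding starts outside the hunk.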


@ -1,46 +0,0 @@
--- qtwebengine-opensource-src-5.6.0-orig/src/3rdparty/chromium/v8/tools/gyp/v8.gyp 2016-03-04 01:48:36.000000000 +1100
+++ qtwebengine-opensource-src-5.6.0/src/3rdparty/chromium/v8/tools/gyp/v8.gyp 2016-05-01 19:15:44.052770543 +1000
@@ -33,6 +33,7 @@
'embed_script%': "",
'v8_extra_library_files%': [],
'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)',
+ 'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)',
'remove_v8base_debug_symbols%': 0,
},
'includes': ['../../build/toolchain.gypi', '../../build/features.gypi'],
@@ -1913,7 +1914,7 @@
]
},
{
- 'target_name': 'mksnapshot',
+ 'target_name': 'mksnapshot_u',
'type': 'executable',
'dependencies': ['v8_base', 'v8_nosnapshot', 'v8_libplatform'],
'include_dirs+': [
@@ -1936,5 +1937,26 @@
}],
],
},
+ {
+ 'target_name': 'mksnapshot',
+ 'type': 'executable',
+ 'dependencies': ['mksnapshot_u'],
+ 'actions': [
+ {
+ 'action_name': 'paxmark_m_mksnapshot',
+ 'inputs': [
+ '<(mksnapshot_u_exec)',
+ ],
+ 'outputs': [
+ '<(mksnapshot_exec)',
+ ],
+ 'action': [
+ 'sh',
+ '-c',
+ 'cp <(mksnapshot_u_exec) <(mksnapshot_exec) && paxctl -czexm <(mksnapshot_exec)',
+ ],
+ },
+ ],
+ },
],
}


@ -43,7 +43,6 @@ let
qtscript = [ ./qtscript.patch ]; qtscript = [ ./qtscript.patch ];
qtserialport = [ ./qtserialport.patch ]; qtserialport = [ ./qtserialport.patch ];
qttools = [ ./qttools.patch ]; qttools = [ ./qttools.patch ];
qtwebengine = optional stdenv.needsPax ./qtwebengine-paxmark-mksnapshot.patch;
qtwebkit = [ ./qtwebkit.patch ]; qtwebkit = [ ./qtwebkit.patch ];
}; };


@ -1,48 +0,0 @@
Index: qtwebengine-opensource-src-5.9.0/src/3rdparty/chromium/v8/src/v8.gyp
===================================================================
--- qtwebengine-opensource-src-5.9.0.orig/src/3rdparty/chromium/v8/src/v8.gyp
+++ qtwebengine-opensource-src-5.9.0/src/3rdparty/chromium/v8/src/v8.gyp
@@ -36,6 +36,7 @@
'v8_experimental_extra_library_files%': [],
'v8_enable_inspector%': 0,
'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)',
+ 'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)',
'mkpeephole_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mkpeephole<(EXECUTABLE_SUFFIX)',
'v8_os_page_size%': 0,
},
@@ -2432,7 +2433,7 @@
]
},
{
- 'target_name': 'mksnapshot',
+ 'target_name': 'mksnapshot_u',
'type': 'executable',
'dependencies': [
'v8_base',
@@ -2485,5 +2486,26 @@
}],
],
},
+ {
+ 'target_name': 'mksnapshot',
+ 'type': 'executable',
+ 'dependencies': ['mksnapshot_u'],
+ 'actions': [
+ {
+ 'action_name': 'paxmark_m_mksnapshot',
+ 'inputs': [
+ '<(mksnapshot_u_exec)',
+ ],
+ 'outputs': [
+ '<(mksnapshot_exec)',
+ ],
+ 'action': [
+ 'sh',
+ '-c',
+ 'cp <(mksnapshot_u_exec) <(mksnapshot_exec) && paxctl -czexm <(mksnapshot_exec)',
+ ],
+ },
+ ],
+ },
],
}


@ -14,7 +14,7 @@
, enableProprietaryCodecs ? true , enableProprietaryCodecs ? true
, gn, darwin, openbsm , gn, darwin, openbsm
, ffmpeg ? null , ffmpeg ? null
, lib, stdenv # lib.optional, needsPax , lib, stdenv
}: }:
with stdenv.lib; with stdenv.lib;
@ -181,7 +181,6 @@ EOF
[Paths] [Paths]
Prefix = .. Prefix = ..
EOF EOF
paxmark m $out/libexec/QtWebEngineProcess
''; '';
meta = with lib; { meta = with lib; {


@ -73,8 +73,6 @@ stdenv.mkDerivation rec {
--replace 'obj:/usr/X11R6/lib' 'obj:*/lib' \ --replace 'obj:/usr/X11R6/lib' 'obj:*/lib' \
--replace 'obj:/usr/lib' 'obj:*/lib' --replace 'obj:/usr/lib' 'obj:*/lib'
done done
paxmark m $out/lib/valgrind/*-*-linux
''; '';
meta = { meta = {


@ -33,11 +33,6 @@ stdenv.mkDerivation rec {
# Make binutils output deterministic by default. # Make binutils output deterministic by default.
./deterministic.patch ./deterministic.patch
# Always add PaX flags section to ELF files.
# This is needed, for instance, so that running "ldd" on a binary that is
# PaX-marked to disable mprotect doesn't fail with permission denied.
./pt-pax-flags.patch
# Bfd looks in BINDIR/../lib for some plugins that don't # Bfd looks in BINDIR/../lib for some plugins that don't
# exist. This is pointless (since users can't install plugins # exist. This is pointless (since users can't install plugins
# there) and causes a cycle between the lib and bin outputs, so # there) and causes a cycle between the lib and bin outputs, so


@ -1,233 +0,0 @@
--- binutils-2.15.94.0.2.2.orig/bfd/elf-bfd.h 2005-02-07 20:42:44.000000000 +0100
+++ binutils-2.15.94.0.2.2/bfd/elf-bfd.h 2005-02-20 13:13:17.362558200 +0100
@@ -1266,6 +1266,9 @@
/* Should the PT_GNU_RELRO segment be emitted? */
bfd_boolean relro;
+ /* Segment flags for the PT_PAX_FLAGS segment. */
+ unsigned int pax_flags;
+
/* Symbol version definitions in external objects. */
Elf_Internal_Verdef *verdef;
--- binutils-2.17.50.0.18/bfd/elf.c.orig 2007-08-01 11:12:02.000000000 -0400
+++ binutils-2.17.50.0.18/bfd/elf.c 2007-08-01 14:27:36.086986774 -0400
@@ -1085,6 +1085,7 @@
case PT_GNU_EH_FRAME: pt = "EH_FRAME"; break;
case PT_GNU_STACK: pt = "STACK"; break;
case PT_GNU_RELRO: pt = "RELRO"; break;
+ case PT_PAX_FLAGS: pt = "PAX_FLAGS"; break;
default: pt = NULL; break;
}
return pt;
@@ -2346,6 +2347,9 @@
case PT_GNU_RELRO:
return _bfd_elf_make_section_from_phdr (abfd, hdr, hdr_index, "relro");
+ case PT_PAX_FLAGS:
+ return _bfd_elf_make_section_from_phdr (abfd, hdr, hdr_index, "pax_flags");
+
default:
/* Check for any processor-specific program segment types. */
bed = get_elf_backend_data (abfd);
@@ -3326,6 +3330,11 @@
++segs;
}
+ {
+ /* We need a PT_PAX_FLAGS segment. */
+ ++segs;
+ }
+
for (s = abfd->sections; s != NULL; s = s->next)
{
if ((s->flags & SEC_LOAD) != 0
@@ -3945,6 +3954,20 @@
pm = &m->next;
}
+ {
+ amt = sizeof (struct elf_segment_map);
+ m = bfd_zalloc (abfd, amt);
+ if (m == NULL)
+ goto error_return;
+ m->next = NULL;
+ m->p_type = PT_PAX_FLAGS;
+ m->p_flags = elf_tdata (abfd)->pax_flags;
+ m->p_flags_valid = 1;
+
+ *pm = m;
+ pm = &m->next;
+ }
+
free (sections);
elf_tdata (abfd)->segment_map = mfirst;
}
@@ -5129,7 +5152,8 @@
5. PT_GNU_STACK segments do not include any sections.
6. PT_TLS segment includes only SHF_TLS sections.
7. SHF_TLS sections are only in PT_TLS or PT_LOAD segments.
- 8. PT_DYNAMIC should not contain empty sections at the beginning
+ 8. PT_PAX_FLAGS segments do not include any sections.
+ 9. PT_DYNAMIC should not contain empty sections at the beginning
(with the possible exception of .dynamic). */
#define IS_SECTION_IN_INPUT_SEGMENT(section, segment, bed) \
((((segment->p_paddr \
@@ -5138,6 +5162,7 @@
&& (section->flags & SEC_ALLOC) != 0) \
|| IS_COREFILE_NOTE (segment, section)) \
&& segment->p_type != PT_GNU_STACK \
+ && segment->p_type != PT_PAX_FLAGS \
&& (segment->p_type != PT_TLS \
|| (section->flags & SEC_THREAD_LOCAL)) \
&& (segment->p_type == PT_LOAD \
--- binutils-2.23.52.0.1/bfd/elflink.c.orig 2013-02-27 21:28:03.000000000 +0100
+++ binutils-2.23.52.0.1/bfd/elflink.c 2013-03-01 17:32:44.922717879 +0100
@@ -5764,18 +5764,32 @@
&& ! (*bed->elf_backend_always_size_sections) (output_bfd, info))
return FALSE;
+ elf_tdata (output_bfd)->pax_flags = PF_NORANDEXEC;
+
+ if (info->execheap)
+ elf_tdata (output_bfd)->pax_flags |= PF_NOMPROTECT;
+ else if (info->noexecheap)
+ elf_tdata (output_bfd)->pax_flags |= PF_MPROTECT;
+
/* Determine any GNU_STACK segment requirements, after the backend
has had a chance to set a default segment size. */
if (info->execstack)
+ {
elf_stack_flags (output_bfd) = PF_R | PF_W | PF_X;
+ elf_tdata (output_bfd)->pax_flags |= PF_EMUTRAMP;
+ }
else if (info->noexecstack)
+ {
elf_stack_flags (output_bfd) = PF_R | PF_W;
+ elf_tdata (output_bfd)->pax_flags |= PF_NOEMUTRAMP;
+ }
else
{
bfd *inputobj;
asection *notesec = NULL;
int exec = 0;
+ elf_tdata (output_bfd)->pax_flags |= PF_NOEMUTRAMP;
for (inputobj = info->input_bfds;
inputobj;
inputobj = inputobj->link_next)
@@ -5789,7 +5803,11 @@
if (s)
{
if (s->flags & SEC_CODE)
- exec = PF_X;
+ {
+ elf_tdata (output_bfd)->pax_flags &= ~PF_NOEMUTRAMP;
+ elf_tdata (output_bfd)->pax_flags |= PF_EMUTRAMP;
+ exec = PF_X;
+ }
notesec = s;
}
else if (bed->default_execstack)
--- binutils-2.15.94.0.2.2.orig/binutils/readelf.c 2005-02-18 07:14:30.000000000 +0100
+++ binutils-2.15.94.0.2.2/binutils/readelf.c 2005-02-20 13:13:17.470541784 +0100
@@ -2293,6 +2293,7 @@
return "GNU_EH_FRAME";
case PT_GNU_STACK: return "GNU_STACK";
case PT_GNU_RELRO: return "GNU_RELRO";
+ case PT_PAX_FLAGS: return "PAX_FLAGS";
default:
if ((p_type >= PT_LOPROC) && (p_type <= PT_HIPROC))
--- binutils-2.15.94.0.2.2.orig/include/bfdlink.h 2004-11-22 21:33:32.000000000 +0100
+++ binutils-2.15.94.0.2.2/include/bfdlink.h 2005-02-20 13:13:17.476540872 +0100
@@ -313,6 +313,14 @@
flags. */
unsigned int noexecstack: 1;
+ /* TRUE if PT_PAX_FLAGS segment should be created with PF_NOMPROTECT
+ flags. */
+ unsigned int execheap: 1;
+
+ /* TRUE if PT_PAX_FLAGS segment should be created with PF_MPROTECT
+ flags. */
+ unsigned int noexecheap: 1;
+
/* TRUE if PT_GNU_RELRO segment should be created. */
unsigned int relro: 1;
--- binutils-2.15.94.0.2.2.orig/include/elf/common.h 2004-11-22 21:33:32.000000000 +0100
+++ binutils-2.15.94.0.2.2/include/elf/common.h 2005-02-20 13:13:17.482539960 +0100
@@ -423,6 +423,7 @@
#define PT_SUNW_EH_FRAME PT_GNU_EH_FRAME /* Solaris uses the same value */
#define PT_GNU_STACK (PT_LOOS + 0x474e551) /* Stack flags */
#define PT_GNU_RELRO (PT_LOOS + 0x474e552) /* Read-only after relocation */
+#define PT_PAX_FLAGS (PT_LOOS + 0x5041580) /* PaX flags */
/* Program segment permissions, in program header p_flags field. */
@@ -433,6 +434,19 @@
#define PF_MASKOS 0x0FF00000 /* New value, Oct 4, 1999 Draft */
#define PF_MASKPROC 0xF0000000 /* Processor-specific reserved bits */
+#define PF_PAGEEXEC (1 << 4) /* Enable PAGEEXEC */
+#define PF_NOPAGEEXEC (1 << 5) /* Disable PAGEEXEC */
+#define PF_SEGMEXEC (1 << 6) /* Enable SEGMEXEC */
+#define PF_NOSEGMEXEC (1 << 7) /* Disable SEGMEXEC */
+#define PF_MPROTECT (1 << 8) /* Enable MPROTECT */
+#define PF_NOMPROTECT (1 << 9) /* Disable MPROTECT */
+#define PF_RANDEXEC (1 << 10) /* Enable RANDEXEC */
+#define PF_NORANDEXEC (1 << 11) /* Disable RANDEXEC */
+#define PF_EMUTRAMP (1 << 12) /* Enable EMUTRAMP */
+#define PF_NOEMUTRAMP (1 << 13) /* Disable EMUTRAMP */
+#define PF_RANDMMAP (1 << 14) /* Enable RANDMMAP */
+#define PF_NORANDMMAP (1 << 15) /* Disable RANDMMAP */
+
/* Values for section header, sh_type field. */
#define SHT_NULL 0 /* Section header table entry unused */
--- binutils-2.18.50.0.1/ld/emultempl/elf32.em.orig 2007-09-08 19:34:12.000000000 +0200
+++ binutils-2.18.50.0.1/ld/emultempl/elf32.em 2007-09-15 21:41:35.688212063 +0200
@@ -2139,6 +2139,16 @@
link_info.noexecstack = TRUE;
link_info.execstack = FALSE;
}
+ else if (strcmp (optarg, "execheap") == 0)
+ {
+ link_info.execheap = TRUE;
+ link_info.noexecheap = FALSE;
+ }
+ else if (strcmp (optarg, "noexecheap") == 0)
+ {
+ link_info.noexecheap = TRUE;
+ link_info.execheap = FALSE;
+ }
EOF
if test -n "$COMMONPAGESIZE"; then
--- binutils-2.15.94.0.2.2.orig/ld/ldgram.y 2004-11-22 21:33:32.000000000 +0100
+++ binutils-2.15.94.0.2.2/ld/ldgram.y 2005-02-20 13:13:17.499537376 +0100
@@ -1073,6 +1073,8 @@
$$ = exp_intop (0x6474e550);
else if (strcmp (s, "PT_GNU_STACK") == 0)
$$ = exp_intop (0x6474e551);
+ else if (strcmp (s, "PT_PAX_FLAGS") == 0)
+ $$ = exp_intop (0x65041580);
else
{
einfo (_("\
--- binutils-2.26/ld/lexsup.c.orig 2015-11-13 09:27:42.000000000 +0100
+++ binutils-2.26/ld/lexsup.c 2016-01-26 21:08:41.787138458 +0100
@@ -1793,8 +1793,12 @@
fprintf (file, _("\
-z muldefs Allow multiple definitions\n"));
fprintf (file, _("\
+ -z execheap Mark executable as requiring executable heap\n"));
+ fprintf (file, _("\
-z execstack Mark executable as requiring executable stack\n"));
fprintf (file, _("\
+ -z noexecheap Mark executable as not requiring executable heap\n"));
+ fprintf (file, _("\
-z noexecstack Mark executable as not requiring executable stack\n"));
}


@ -88,7 +88,6 @@ in
doCheck = false; # fails 4 out of 1453 tests doCheck = false; # fails 4 out of 1453 tests
postInstall = '' postInstall = ''
paxmark m $out/bin/node
PATH=$out/bin:$PATH patchShebangs $out PATH=$out/bin:$PATH patchShebangs $out
${optionalString enableNpm '' ${optionalString enableNpm ''


@ -59,7 +59,7 @@ in lib.init bootStages ++ [
extraNativeBuildInputs = old.extraNativeBuildInputs extraNativeBuildInputs = old.extraNativeBuildInputs
++ lib.optionals ++ lib.optionals
(hostPlatform.isLinux && !buildPlatform.isLinux) (hostPlatform.isLinux && !buildPlatform.isLinux)
[ buildPackages.patchelf buildPackages.paxctl ] [ buildPackages.patchelf ]
++ lib.optional ++ lib.optional
(let f = p: !p.isx86 || p.libc == "musl"; in f hostPlatform && !(f buildPlatform)) (let f = p: !p.isx86 || p.libc == "musl"; in f hostPlatform && !(f buildPlatform))
buildPackages.updateAutotoolsGnuConfigScriptsHook buildPackages.updateAutotoolsGnuConfigScriptsHook


@ -130,9 +130,6 @@ let
# The derivation's `system` is `buildPlatform.system`. # The derivation's `system` is `buildPlatform.system`.
inherit (buildPlatform) system; inherit (buildPlatform) system;
# Whether we should run paxctl to pax-mark binaries.
needsPax = isLinux;
inherit (import ./make-derivation.nix { inherit (import ./make-derivation.nix {
inherit lib config stdenv; inherit lib config stdenv;
}) mkDerivation; }) mkDerivation;
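Review bot: Dropping `needsPax` from the stdenv attribute set leaves no deprecation path: any expression that still reads `stdenv.needsPax` (an out-of-tree overlay, or an in-tree use this treewide pass missed) now fails evaluation with a missing-attribute error instead of a warning. Consider keeping a shim for one release, e.g. `needsPax = lib.warn "stdenv.needsPax is deprecated: PaX marking has been removed from stdenv" false;`, so stale readers get the documented no-op value plus a visible warning. The `paxmark() { true; }` stub removed from setup.sh in the next file section has the same property: a stale `paxmark` call in a build phase now aborts with command-not-found, which is at least loud; if a shim is kept there as well, it should emit a warning on stderr rather than silently succeed, so the stale call is noticed and removed. The enclosing attribute set continues outside this hunk.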


@ -280,10 +280,6 @@ if [ -z "${SHELL:-}" ]; then echo "SHELL not set"; exit 1; fi
BASH="$SHELL" BASH="$SHELL"
export CONFIG_SHELL="$SHELL" export CONFIG_SHELL="$SHELL"
# Dummy implementation of the paxmark function. On Linux, this is
# overwritten by paxctl's setup hook.
paxmark() { true; }
# Execute the pre-hook. # Execute the pre-hook.
if [ -z "${shell:-}" ]; then export shell="$SHELL"; fi if [ -z "${shell:-}" ]; then export shell="$SHELL"; fi


@ -216,7 +216,7 @@ in
inherit (prevStage) inherit (prevStage)
ccWrapperStdenv ccWrapperStdenv
gcc-unwrapped coreutils gnugrep gcc-unwrapped coreutils gnugrep
perl paxctl gnum4 bison; perl gnum4 bison;
# This also contains the full, dynamically linked, final Glibc. # This also contains the full, dynamically linked, final Glibc.
binutils = prevStage.binutils.override { binutils = prevStage.binutils.override {
# Rewrap the binutils with the new glibc, so both the next # Rewrap the binutils with the new glibc, so both the next
@ -250,7 +250,7 @@ in
isl = isl_0_17; isl = isl_0_17;
}; };
}; };
extraNativeBuildInputs = [ prevStage.patchelf prevStage.paxctl ] ++ extraNativeBuildInputs = [ prevStage.patchelf ] ++
# Many tarballs come with obsolete config.sub/config.guess that don't recognize aarch64. # Many tarballs come with obsolete config.sub/config.guess that don't recognize aarch64.
lib.optional (!localSystem.isx86 || localSystem.libc == "musl") lib.optional (!localSystem.isx86 || localSystem.libc == "musl")
prevStage.updateAutotoolsGnuConfigScriptsHook; prevStage.updateAutotoolsGnuConfigScriptsHook;
@ -325,7 +325,7 @@ in
initialPath = initialPath =
((import ../common-path.nix) {pkgs = prevStage;}); ((import ../common-path.nix) {pkgs = prevStage;});
extraNativeBuildInputs = [ prevStage.patchelf prevStage.paxctl ] ++ extraNativeBuildInputs = [ prevStage.patchelf ] ++
# Many tarballs come with obsolete config.sub/config.guess that don't recognize aarch64. # Many tarballs come with obsolete config.sub/config.guess that don't recognize aarch64.
lib.optional (!localSystem.isx86 || localSystem.libc == "musl") lib.optional (!localSystem.isx86 || localSystem.libc == "musl")
prevStage.updateAutotoolsGnuConfigScriptsHook; prevStage.updateAutotoolsGnuConfigScriptsHook;
@ -349,7 +349,7 @@ in
# Simple executable tools # Simple executable tools
concatMap (p: [ (getBin p) (getLib p) ]) [ concatMap (p: [ (getBin p) (getLib p) ]) [
gzip bzip2 xz bash binutils.bintools coreutils diffutils findutils gzip bzip2 xz bash binutils.bintools coreutils diffutils findutils
gawk gnumake gnused gnutar gnugrep gnupatch patchelf ed paxctl gawk gnumake gnused gnutar gnugrep gnupatch patchelf ed
] ]
# Library dependencies # Library dependencies
++ map getLib ( ++ map getLib (
@ -368,7 +368,7 @@ in
inherit (prevStage) inherit (prevStage)
gzip bzip2 xz bash coreutils diffutils findutils gawk gzip bzip2 xz bash coreutils diffutils findutils gawk
gnumake gnused gnutar gnugrep gnupatch patchelf gnumake gnused gnutar gnugrep gnupatch patchelf
attr acl paxctl zlib pcre; attr acl zlib pcre;
${localSystem.libc} = getLibc prevStage; ${localSystem.libc} = getLibc prevStage;
} // lib.optionalAttrs (super.stdenv.targetPlatform == localSystem) { } // lib.optionalAttrs (super.stdenv.targetPlatform == localSystem) {
# Need to get rid of these when cross-compiling. # Need to get rid of these when cross-compiling.


@ -109,8 +109,6 @@ stdenv.mkDerivation rec {
enableParallelBuilding = true; enableParallelBuilding = true;
postInstall = '' postInstall = ''
paxmark pms $out/sbin/grub-{probe,bios-setup}
# Avoid a runtime reference to gcc # Avoid a runtime reference to gcc
sed -i $out/lib/grub/*/modinfo.sh -e "/grub_target_cppflags=/ s|'.*'|' '|" sed -i $out/lib/grub/*/modinfo.sh -e "/grub_target_cppflags=/ s|'.*'|' '|"
''; '';


@ -90,10 +90,6 @@ stdenv.mkDerivation rec {
doCheck = false; doCheck = false;
enableParallelBuilding = true; enableParallelBuilding = true;
postInstall = ''
paxmark pms $out/sbin/grub-{probe,bios-setup}
'';
meta = with stdenv.lib; { meta = with stdenv.lib; {
description = "GRUB 2.0 extended with TCG (TPM) support for integrity measured boot process (trusted boot)"; description = "GRUB 2.0 extended with TCG (TPM) support for integrity measured boot process (trusted boot)";
homepage = https://github.com/Sirrix-AG/TrustedGRUB2; homepage = https://github.com/Sirrix-AG/TrustedGRUB2;