From 8d5ce245a29751db6c30f48cd102630d8922c3f2 Mon Sep 17 00:00:00 2001
From: "Ricardo M. Correia"
Date: Mon, 17 Feb 2014 19:29:43 +0100
Subject: [PATCH] grsecurity: Add paxctl, paxmark and stdenv.needsPax to stdenv
---
 pkgs/stdenv/generic/default.nix | 5 +++++
 pkgs/stdenv/generic/setup.sh | 13 +++++++++++++
 pkgs/stdenv/linux/default.nix | 5 +++--
 3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix
index 14da127b9e0..1e2d76bb981 100644
--- a/pkgs/stdenv/generic/default.nix
+++ b/pkgs/stdenv/generic/default.nix
@@ -10,6 +10,8 @@ let lib = import ../../../lib; in lib.makeOverridable (
 , setupScript ? ./setup.sh
 , extraBuildInputs ? []
+
+, skipPaxMarking ? false
 }:
 let
@@ -157,6 +159,9 @@ let
 || system == "armv6l-linux"
 || system == "armv7l-linux";
+ # Whether we should run paxctl to pax-mark binaries
+ needsPax = isLinux && !skipPaxMarking;
+
 # For convenience, bring in the library functions in lib/ so
 # packages don't have to do that themselves.
 inherit lib;
diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh
index 1d79a45678c..ce83b1f6961 100644
--- a/pkgs/stdenv/generic/setup.sh
+++ b/pkgs/stdenv/generic/setup.sh
@@ -93,6 +93,7 @@ PATH=
 for i in $NIX_GCC @initialPath@; do
 if [ "$i" = / ]; then i=; fi
 addToSearchPath PATH $i/bin
+ addToSearchPath PATH $i/sbin
 done
 if [ "$NIX_DEBUG" = 1 ]; then
@@ -293,6 +294,18 @@ stripDirs() {
 fi
 }
+# PaX-mark binaries
+paxmark() {
+ local flags="$1"
+ shift
+
+ if [ -z "@needsPax@" ]; then
+ return
+ fi
+
+ paxctl -c "$@"
+ paxctl -zex -${flags} "$@"
+}
 ######################################################################
 # Textual substitution functions.
diff --git a/pkgs/stdenv/linux/default.nix b/pkgs/stdenv/linux/default.nix
index 1c6a93b222d..23cccf223f4 100644
--- a/pkgs/stdenv/linux/default.nix
+++ b/pkgs/stdenv/linux/default.nix
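Review bot: `addToSearchPath PATH $i/sbin` widens the build-time PATH of every derivation that uses this stdenv, not just the ones that call paxmark, and nothing in the hunk says why; presumably it is because paxctl installs into sbin, but that is inferred, not shown. A one-line comment above the new line would keep the next reader from treating it as a stray, e.g. `# also search sbin: paxctl (used by paxmark) is installed there`. The enclosing for-loop starts before the hunk's first context line and its surrounding script continues past it.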
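Review bot: The `[ -z "@needsPax@" ]` guard in paxmark only works if something substitutes `@needsPax@` when the setup script is installed, and the diffstat lists no change to whatever performs the other `@...@` substitutions (such as `@initialPath@` two hunks up), so unless that wiring exists elsewhere the literal placeholder is non-empty and paxctl runs unconditionally, including when skipPaxMarking was set. Separately, `-zex` clears existing marks and disables EMUTRAMP and RANDEXEC on every binary before the caller's flags are applied, which is a policy decision that should be stated rather than left implicit, e.g. `# -z: reset to kernel defaults, -e/-x: disable EMUTRAMP and RANDEXEC, then apply the caller's flags`. `-${flags}` is also unquoted; `paxctl -zex "-${flags}" "$@"` is the safer spelling. Whether a failing `paxctl -c` (e.g. on a file that is not an ELF) aborts the build depends on set -e being active in setup.sh, which is outside this hunk and should be checked.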
@@ -210,6 +210,7 @@ rec {
 extraAttrs = {
 glibc = stdenvLinuxGlibc; # Required by gcc47 build
 };
+ extraPath = [ stdenvLinuxBoot1Pkgs.paxctl ];
 inherit fetchurl;
 };
@@ -268,7 +269,7 @@ rec {
 initialPath = ((import ../common-path.nix) {pkgs = stdenvLinuxBoot4Pkgs;})
- ++ [stdenvLinuxBoot4Pkgs.patchelf];
+ ++ [stdenvLinuxBoot4Pkgs.patchelf stdenvLinuxBoot4Pkgs.paxctl ];
 gcc = wrapGCC rec {
 inherit (stdenvLinuxBoot4Pkgs) binutils coreutils;
@@ -295,7 +296,7 @@ rec {
 inherit (stdenvLinuxBoot4Pkgs)
 gzip bzip2 xz bash coreutils diffutils findutils gawk gnumake
 gnused gnutar gnugrep gnupatch patchelf
- attr acl;
+ attr acl paxctl;
 };
 };
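Review bot: paxctl is added to initialPath unconditionally here, so the skipPaxMarking option introduced in the generic stdenv hunk only stops paxmark from invoking paxctl while paxctl itself stays in the closure and on the PATH of every build using this stdenv; if that is intended, a short comment next to the new entry would save the next reader from wondering, e.g. `# paxctl is always present; stdenv.needsPax decides whether paxmark uses it`. Style point on the same line: `[stdenvLinuxBoot4Pkgs.patchelf stdenvLinuxBoot4Pkgs.paxctl ]` has a space before `]` but none after `[`, so `++ [ stdenvLinuxBoot4Pkgs.patchelf stdenvLinuxBoot4Pkgs.paxctl ]` would match the spacing used in the extraPath hunk above. The enclosing attribute set continues past the end of the hunk.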