diff --git a/pkgs/os-specific/linux/paxctl/default.nix b/pkgs/os-specific/linux/paxctl/default.nix index 8e70ddd8434..795ffa38ac4 100644 --- a/pkgs/os-specific/linux/paxctl/default.nix +++ b/pkgs/os-specific/linux/paxctl/default.nix @@ -18,6 +18,8 @@ stdenv.mkDerivation rec { "MANDIR=share/man/man1" ]; + setupHook = ./setup-hook.sh; + meta = with stdenv.lib; { description = "A tool for controlling PaX flags on a per binary basis"; homepage = "https://pax.grsecurity.net"; diff --git a/pkgs/os-specific/linux/paxctl/setup-hook.sh b/pkgs/os-specific/linux/paxctl/setup-hook.sh new file mode 100644 index 00000000000..11a6bb9910f --- /dev/null +++ b/pkgs/os-specific/linux/paxctl/setup-hook.sh @@ -0,0 +1,8 @@ +# PaX-mark binaries. +paxmark() { + local flags="$1" + shift + + paxctl -c "$@" + paxctl -zex -${flags} "$@" +} diff --git a/pkgs/stdenv/generic/builder.sh b/pkgs/stdenv/generic/builder.sh index 60360e7b825..fd4c17ca251 100644 --- a/pkgs/stdenv/generic/builder.sh +++ b/pkgs/stdenv/generic/builder.sh @@ -12,7 +12,6 @@ cat "$setup" >> $out/setup sed -e "s^@initialPath@^$initialPath^g" \ -e "s^@gcc@^$gcc^g" \ -e "s^@shell@^$shell^g" \ - -e "s^@needsPax@^$needsPax^g" \ < $out/setup > $out/setup.tmp mv $out/setup.tmp $out/setup diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix index f370aec88cf..28a3c1e9f3b 100644 --- a/pkgs/stdenv/generic/default.nix +++ b/pkgs/stdenv/generic/default.nix @@ -10,8 +10,6 @@ let lib = import ../../../lib; in lib.makeOverridable ( , setupScript ? ./setup.sh , extraBuildInputs ? [] - -, skipPaxMarking ? false }: let @@ -56,9 +54,6 @@ let inherit preHook initialPath gcc shell; - # Whether we should run paxctl to pax-mark binaries - needsPax = result.isLinux && !skipPaxMarking; - propagatedUserEnvPkgs = [gcc] ++ lib.filter lib.isDerivation initialPath; } 
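Review bot: In the new setup-hook.sh, `paxctl -zex -${flags} "$@"` splices the first argument in unquoted, so an empty or whitespace-containing `flags` becomes a bare `-` or extra words that paxctl parses as separate options or file names, and nothing checks the value before the binaries are rewritten in place. Quoting it as `paxctl -zex "-$flags" "$@"` and rejecting an empty value first, `[ -n "$flags" ] || { echo "paxmark: no flags given" >&2; return 1; }`, keeps a call-site mistake from leaving files with the wrong PaX marking. The `@needsPax@` guard that the old setup.sh copy carried is gone here; that is presumably intended because the hook is only sourced when paxctl is a build input, but the header comment could say so, e.g. `# PaX-mark binaries. Replaces stdenv's no-op paxmark when paxctl is a build input.`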
@@ -181,6 +176,9 @@ let || system == "armv6l-linux" || system == "armv7l-linux"; + # Whether we should run paxctl to pax-mark binaries. + needsPax = isLinux; + # For convenience, bring in the library functions in lib/ so # packages don't have to do that themselves. inherit lib; diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh index e5fdbdf2d53..72db7dc6004 100644 --- a/pkgs/stdenv/generic/setup.sh +++ b/pkgs/stdenv/generic/setup.sh @@ -337,22 +337,9 @@ fi export NIX_BUILD_CORES -###################################################################### -# Misc. helper functions. - - -# PaX-mark binaries -paxmark() { - local flags="$1" - shift - - if [ -z "@needsPax@" ]; then - return - fi - - paxctl -c "$@" - paxctl -zex -${flags} "$@" -} +# Dummy implementation of the paxmark function. On Linux, this is +# overwritten by paxctl's setup hook. +paxmark() { true; } ######################################################################
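Review bot: `needsPax = isLinux;` drops the opt-out that the removed `result.isLinux && !skipPaxMarking` provided, and since the function's parameter pattern (first hunk of this file, ending in `}:` with no `...`) no longer lists `skipPaxMarking`, any `stdenv.override { skipPaxMarking = true; }` elsewhere in the tree now fails with an unexpected-argument error rather than quietly losing its effect; worth grepping for remaining callers. Within this diff nothing reads `needsPax` any more, as both the `@needsPax@` substitution in builder.sh and the guard in setup.sh are removed, so its consumer must be outside this change, presumably where paxctl is added to the stdenv's build inputs. The comment should say what the attribute now drives, e.g. `# Whether paxctl belongs in the stdenv so its setup hook supplies a real paxmark.`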