65 files changed, 17 insertions, 687 deletions
diff --git a/doc/stdenv.xml b/doc/stdenv.xml
index 1c18fab86696..564471bbbbc6 100644
--- a/doc/stdenv.xml
+++ b/doc/stdenv.xml
@@ -2435,30 +2435,6 @@ addEnvHooks "$hostOffset" myBashFunction </varlistentry> <varlistentry> <term> - paxctl - </term> - <listitem> - <para> - Defines the <varname>paxmark</varname> helper for setting per-executable - PaX flags on Linux (where it is available by default; on all other - platforms, <varname>paxmark</varname> is a no-op). For example, to - disable secure memory protections on the executable - <replaceable>foo</replaceable> -<programlisting> - postFixup = '' - paxmark m $out/bin/<replaceable>foo</replaceable> - ''; - </programlisting> - The <literal>m</literal> flag is the most common flag and is typically - required for applications that employ JIT compilation or otherwise need - to execute code generated at run-time. Disabling PaX protections should - be considered a last resort: if possible, problematic features should be - disabled or patched to work with PaX. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> autoPatchelfHook </term> <listitem>
diff --git a/pkgs/applications/altcoins/parity-ui/default.nix b/pkgs/applications/altcoins/parity-ui/default.nix
index ec2e571e3f0b..c59b2ccb8ac3 100644
--- a/pkgs/applications/altcoins/parity-ui/default.nix
+++ b/pkgs/applications/altcoins/parity-ui/default.nix
@@ -34,8 +34,6 @@ in stdenv.mkDerivation rec { find $out/share/parity-ui -name "*.node" -exec patchelf --set-rpath "${uiEnv.libPath}:$out/share/parity-ui" {} \; - paxmark m $out/share/parity-ui/parity-ui - mkdir -p $out/bin ln -s $out/share/parity-ui/parity-ui $out/bin/parity-ui '';
diff --git a/pkgs/applications/editors/atom/default.nix b/pkgs/applications/editors/atom/default.nix
index 710c3ca335a6..13dc9e1285b1 100644
--- a/pkgs/applications/editors/atom/default.nix
+++ b/pkgs/applications/editors/atom/default.nix
@@ -70,9 +70,6 @@ let ln -s ${pkgs.git}/bin/git $dugite/git/libexec/git-core/git find $share -name "*.node" -exec patchelf --set-rpath "${atomEnv.libPath}:$share" {} \; - - paxmark m $share/atom - paxmark m $share/resources/app/apm/bin/node ''; meta = with stdenv.lib; {
diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix
index bcf6df7417f7..0c199dab6bc8 100644
--- a/pkgs/applications/networking/browsers/chromium/common.nix
+++ b/pkgs/applications/networking/browsers/chromium/common.nix
@@ -282,8 +282,6 @@ let MENUNAME="Chromium" process_template chrome/app/resources/manpage.1.in "${buildPath}/chrome.1" ) - '' + optionalString (target == "mksnapshot" || target == "chrome") '' - paxmark m "${buildPath}/${target}" ''; targets = extraAttrs.buildTargets or []; commands = map buildCommand targets;
diff --git a/pkgs/applications/networking/browsers/firefox/common.nix b/pkgs/applications/networking/browsers/firefox/common.nix
index 2a2f71d419fd..8f135614f4d2 100644
--- a/pkgs/applications/networking/browsers/firefox/common.nix
+++ b/pkgs/applications/networking/browsers/firefox/common.nix
@@ -263,20 +263,12 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; doCheck = false; # "--disable-tests" above - preInstall = '' - # The following is needed for startup cache creation on grsecurity kernels. - paxmark m dist/bin/xpcshell - ''; - installPhase = if stdenv.isDarwin then '' mkdir -p $out/Applications cp -LR dist/Firefox.app $out/Applications '' else null; postInstall = lib.optionalString stdenv.isLinux '' - # For grsecurity kernels - paxmark m $out/lib/firefox*/{firefox,firefox-bin,plugin-container} - # Remove SDK cruft. FIXME: move to a separate output? rm -rf $out/share/idl $out/include $out/lib/firefox-devel-*
diff --git a/pkgs/applications/networking/instant-messengers/discord/default.nix b/pkgs/applications/networking/instant-messengers/discord/default.nix
index 09ead9b3de65..4b1af80d6243 100644
--- a/pkgs/applications/networking/instant-messengers/discord/default.nix
+++ b/pkgs/applications/networking/instant-messengers/discord/default.nix
@@ -32,8 +32,6 @@ stdenv.mkDerivation rec { patchelf --set-interpreter ${stdenv.cc.bintools.dynamicLinker} \ $out/opt/discord/Discord - paxmark m $out/opt/discord/Discord - wrapProgram $out/opt/discord/Discord --prefix LD_LIBRARY_PATH : ${libPath} ln -s $out/opt/discord/Discord $out/bin/
diff --git a/pkgs/applications/networking/instant-messengers/franz/default.nix b/pkgs/applications/networking/instant-messengers/franz/default.nix
index 2f3870d78994..4b8670f23d43 100644
--- a/pkgs/applications/networking/instant-messengers/franz/default.nix
+++ b/pkgs/applications/networking/instant-messengers/franz/default.nix
@@ -54,7 +54,6 @@ in stdenv.mkDerivation rec { ''; postFixup = '' - paxmark m $out/opt/franz/Franz wrapProgram $out/opt/franz/Franz --prefix PATH : ${xdg_utils}/bin '';
diff --git a/pkgs/applications/networking/instant-messengers/wavebox/default.nix b/pkgs/applications/networking/instant-messengers/wavebox/default.nix
index b85e9d3d4cb8..d7d882564e7f 100644
--- a/pkgs/applications/networking/instant-messengers/wavebox/default.nix
+++ b/pkgs/applications/networking/instant-messengers/wavebox/default.nix
@@ -52,7 +52,6 @@ in stdenv.mkDerivation rec { ''; postFixup = '' - paxmark m $out/opt/wavebox/Wavebox makeWrapper $out/opt/wavebox/Wavebox $out/bin/wavebox \ --prefix PATH : ${xdg_utils}/bin '';
diff --git a/pkgs/applications/networking/mailreaders/thunderbird/default.nix b/pkgs/applications/networking/mailreaders/thunderbird/default.nix
index c048c2938a92..b53c7b910f6a 100644
--- a/pkgs/applications/networking/mailreaders/thunderbird/default.nix
+++ b/pkgs/applications/networking/mailreaders/thunderbird/default.nix
@@ -100,7 +100,7 @@ in stdenv.mkDerivation rec { '' cxxLib=$( echo -n ${gcc}/include/c++/* ) archLib=$cxxLib/$( ${gcc}/bin/gcc -dumpmachine ) - + test -f layout/style/ServoBindings.toml && sed -i -e '/"-DRUST_BINDGEN"/ a , "-cxx-isystem", "'$cxxLib'", "-isystem", "'$archLib'"' layout/style/ServoBindings.toml configureScript="$(realpath ./configure)"
@@ -108,18 +108,9 @@ in stdenv.mkDerivation rec { cd ../objdir ''; - preInstall = - '' - # The following is needed for startup cache creation on grsecurity kernels. - paxmark m ../objdir/dist/bin/xpcshell - ''; - dontWrapGApps = true; # we do it ourselves postInstall = '' - # For grsecurity kernels - paxmark m $out/lib/thunderbird/thunderbird - # TODO: Move to a dev output? rm -rf $out/include $out/lib/thunderbird-devel-* $out/share/idl
diff --git a/pkgs/applications/office/mendeley/default.nix b/pkgs/applications/office/mendeley/default.nix
index aa9317d2ffd6..9c4c22dabe97 100644
--- a/pkgs/applications/office/mendeley/default.nix
+++ b/pkgs/applications/office/mendeley/default.nix
@@ -112,7 +112,6 @@ stdenv.mkDerivation { patchelf --set-interpreter $interpreter \ --set-rpath ${stdenv.lib.makeLibraryPath deps}:$out/lib \ $out/bin/mendeleydesktop - paxmark m $out/bin/mendeleydesktop wrapProgram $out/bin/mendeleydesktop \ --add-flags "--unix-distro-build" \
diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix
index 1cd85cead125..49ddab1d6d23 100644
--- a/pkgs/applications/virtualization/qemu/default.nix
+++ b/pkgs/applications/virtualization/qemu/default.nix
@@ -125,9 +125,6 @@ stdenv.mkDerivation rec { postFixup = '' - for exe in $out/bin/qemu-system-* ; do - paxmark m $exe - done # copy qemu-ga (guest agent) to separate output mkdir -p $ga/bin cp $out/bin/qemu-ga $ga/bin/
diff --git a/pkgs/development/compilers/adoptopenjdk-bin/jdk-linux-base.nix b/pkgs/development/compilers/adoptopenjdk-bin/jdk-linux-base.nix
index eb614b0784f9..531cf3a80517 100644
--- a/pkgs/development/compilers/adoptopenjdk-bin/jdk-linux-base.nix
+++ b/pkgs/development/compilers/adoptopenjdk-bin/jdk-linux-base.nix
@@ -61,14 +61,6 @@ let result = stdenv.mkDerivation rec { installPhase = '' cd .. - # Set PaX markings - exes=$(file $sourceRoot/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//') - for file in $exes; do - paxmark m "$file" - # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well. - ${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''} - done - mv $sourceRoot $out rm -rf $out/demo
diff --git a/pkgs/development/compilers/gcc/builder.sh b/pkgs/development/compilers/gcc/builder.sh
index 75e70006d749..07a003691d6b 100644
--- a/pkgs/development/compilers/gcc/builder.sh
+++ b/pkgs/development/compilers/gcc/builder.sh
@@ -282,11 +282,6 @@ postInstall() { fi done - # Disable RANDMMAP on grsec, which causes segfaults when using - # precompiled headers. - # See https://bugs.gentoo.org/show_bug.cgi?id=301299#c31 - paxmark r $out/libexec/gcc/*/*/{cc1,cc1plus} - # Two identical man pages are shipped (moving and compressing is done later) ln -sf gcc.1 "$out"/share/man/man1/g++.1 }
diff --git a/pkgs/development/compilers/ghc/8.2.2-binary.nix b/pkgs/development/compilers/ghc/8.2.2-binary.nix
index 039eea744f36..f52d8fd4a11f 100644
--- a/pkgs/development/compilers/ghc/8.2.2-binary.nix
+++ b/pkgs/development/compilers/ghc/8.2.2-binary.nix
@@ -105,8 +105,6 @@ stdenv.mkDerivation rec { --replace-needed libtinfo.so libtinfo.so.5 \ --interpreter ${glibcDynLinker} {} \; - paxmark m ./ghc-${version}/ghc/stage2/build/tmp/ghc-stage2 - sed -i "s|/usr/bin/perl|perl\x00 |" ghc-${version}/ghc/stage2/build/tmp/ghc-stage2 sed -i "s|/usr/bin/gcc|gcc\x00 |" ghc-${version}/ghc/stage2/build/tmp/ghc-stage2 '';
diff --git a/pkgs/development/compilers/ghc/8.2.2.nix b/pkgs/development/compilers/ghc/8.2.2.nix
index 3b9fecd55e10..3e355dc302d6 100644
--- a/pkgs/development/compilers/ghc/8.2.2.nix
+++ b/pkgs/development/compilers/ghc/8.2.2.nix
@@ -238,11 +238,6 @@ stdenv.mkDerivation (rec { hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie"; postInstall = '' - for bin in "$out"/lib/${name}/bin/*; do - isELF "$bin" || continue - paxmark m "$bin" - done - # Install the bash completion file. install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
diff --git a/pkgs/development/compilers/ghc/8.4.4.nix b/pkgs/development/compilers/ghc/8.4.4.nix
index 4db5c07b4601..c5fe3c925f00 100644
--- a/pkgs/development/compilers/ghc/8.4.4.nix
+++ b/pkgs/development/compilers/ghc/8.4.4.nix
@@ -214,11 +214,6 @@ stdenv.mkDerivation (rec { hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie"; postInstall = '' - for bin in "$out"/lib/${name}/bin/*; do - isELF "$bin" || continue - paxmark m "$bin" - done - # Install the bash completion file. install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
diff --git a/pkgs/development/compilers/ghc/8.6.1.nix b/pkgs/development/compilers/ghc/8.6.1.nix
index 5710c60338a8..b54164ccc696 100644
--- a/pkgs/development/compilers/ghc/8.6.1.nix
+++ b/pkgs/development/compilers/ghc/8.6.1.nix
@@ -195,11 +195,6 @@ stdenv.mkDerivation (rec { hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie"; postInstall = '' - for bin in "$out"/lib/${name}/bin/*; do - isELF "$bin" || continue - paxmark m "$bin" - done - # Install the bash completion file. install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
diff --git a/pkgs/development/compilers/ghc/8.6.2.nix b/pkgs/development/compilers/ghc/8.6.2.nix
index 914d6ae08fac..07d4420804dd 100644
--- a/pkgs/development/compilers/ghc/8.6.2.nix
+++ b/pkgs/development/compilers/ghc/8.6.2.nix
@@ -195,11 +195,6 @@ stdenv.mkDerivation (rec { hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie"; postInstall = '' - for bin in "$out"/lib/${name}/bin/*; do - isELF "$bin" || continue - paxmark m "$bin" - done - # Install the bash completion file. install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
diff --git a/pkgs/development/compilers/ghc/8.6.3.nix b/pkgs/development/compilers/ghc/8.6.3.nix
index b29b7facd1f4..4e1f0dd9fc72 100644
--- a/pkgs/development/compilers/ghc/8.6.3.nix
+++ b/pkgs/development/compilers/ghc/8.6.3.nix
@@ -192,11 +192,6 @@ stdenv.mkDerivation (rec { hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie"; postInstall = '' - for bin in "$out"/lib/${name}/bin/*; do - isELF "$bin" || continue - paxmark m "$bin" - done - # Install the bash completion file. install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
diff --git a/pkgs/development/compilers/ghc/head.nix b/pkgs/development/compilers/ghc/head.nix
index 42119682892d..65a4a0c4ecdb 100644
--- a/pkgs/development/compilers/ghc/head.nix
+++ b/pkgs/development/compilers/ghc/head.nix
@@ -177,11 +177,6 @@ stdenv.mkDerivation (rec { hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie"; postInstall = '' - for bin in "$out"/lib/${name}/bin/*; do - isELF "$bin" || continue - paxmark m "$bin" - done - # Install the bash comple |