Merge #1187 into p/stdenv

Tested building firefox, kdelibs, evince on x86_64-linux.

pkgs/applications/networking/browsers/chromium/browser.nix

@@ -1,11 +1,11 @@
-{ stdenv, mkChromiumDerivation }:
+{ stdenv, mkChromiumDerivation, arch }:
 
 with stdenv.lib;
 
 mkChromiumDerivation (base: rec {
   name = "chromium-browser";
   packageName = "chromium";
-  buildTargets = [ "chrome" ];
+  buildTargets = [ "mksnapshot.${arch}" "chrome" ];
 
   installPhase = ''
     ensureDir "$libExecPath"

pkgs/applications/networking/browsers/chromium/common.nix

@@ -30,6 +30,7 @@
 
 , source
 , plugins
+, archInfo
 }:
 
 buildFun:
@@ -172,13 +173,7 @@ let
       # enable support for the H.264 codec
       proprietary_codecs = true;
       ffmpeg_branding = "Chrome";
-    } // optionalAttrs (stdenv.system == "x86_64-linux") {
-      target_arch = "x64";
-      python_arch = "x86-64";
-    } // optionalAttrs (stdenv.system == "i686-linux") {
-      target_arch = "ia32";
-      python_arch = "ia32";
-    } // (extraAttrs.gypFlags or {}));
+    } // archInfo // (extraAttrs.gypFlags or {}));
 
     configurePhase = ''
       # This is to ensure expansion of $out.
@@ -190,14 +185,21 @@ let
     buildPhase = let
       CC = "${gcc}/bin/gcc";
       CXX = "${gcc}/bin/g++";
-    in ''
-      CC="${CC}" CC_host="${CC}"     \
-      CXX="${CXX}" CXX_host="${CXX}" \
-      LINK_host="${CXX}"             \
-        "${ninja}/bin/ninja" -C "${buildPath}"  \
-          -j$NIX_BUILD_CORES -l$NIX_BUILD_CORES \
-          ${concatStringsSep " " (extraAttrs.buildTargets or [])}
-    '';
+      buildCommand = target: ''
+        CC="${CC}" CC_host="${CC}"     \
+        CXX="${CXX}" CXX_host="${CXX}" \
+        LINK_host="${CXX}"             \
+          "${ninja}/bin/ninja" -C "${buildPath}"  \
+            -j$NIX_BUILD_CORES -l$NIX_BUILD_CORES \
+            ${target}
+
+        if [[ "${target}" == mksnapshot.* || "${target}" == "chrome" ]]; then
+          paxmark m "${buildPath}/${target}"
+        fi
+      '';
+      targets = extraAttrs.buildTargets or [];
+      commands = map buildCommand targets;
+    in concatStringsSep "\n" commands;
   };
 
 # Remove some extraAttrs we supplied to the base attributes already.

pkgs/applications/networking/browsers/chromium/default.nix

@@ -15,6 +15,14 @@
 }:
 
 let
+  archInfo = with stdenv.lib; optionalAttrs (stdenv.system == "i686-linux") {
+    target_arch = "ia32";
+    python_arch = "ia32";
+  } // optionalAttrs (stdenv.system == "x86_64-linux") {
+    target_arch = "x64";
+    python_arch = "x86-64";
+  };
+
   callPackage = newScope chromium;
 
   chromium = {
@@ -27,10 +35,13 @@ let
     mkChromiumDerivation = callPackage ./common.nix {
       inherit enableSELinux enableNaCl useOpenSSL gnomeSupport
               gnomeKeyringSupport proprietaryCodecs cupsSupport
-              pulseSupport;
+              pulseSupport archInfo;
+    };
+
+    browser = callPackage ./browser.nix {
+      arch = archInfo.target_arch;
     };
 
-    browser = callPackage ./browser.nix { };
     sandbox = callPackage ./sandbox.nix { };
 
     plugins = callPackage ./plugins.nix {

pkgs/applications/networking/browsers/firefox/default.nix

@@ -91,6 +91,11 @@ rec {
 
     #installFlags = "SKIP_GRE_REGISTRATION=1";
 
+    preInstall = ''
+      # The following is needed for startup cache creation on grsecurity kernels
+      paxmark m ../objdir/dist/bin/xpcshell
+    '';
+
     postInstall = ''
       # Fix run-mozilla.sh search
       libDir=$(cd $out/lib && ls -d xulrunner-[0-9]*)
@@ -109,6 +114,10 @@ rec {
       for i in $out/lib/$libDir/*.so; do
           patchelf --set-rpath "$(patchelf --print-rpath "$i"):$out/lib/$libDir" $i || true
       done
+
+      # For grsecurity kernels
+      paxmark m $out/lib/$libDir/{plugin-container,xulrunner}
+
       for i in $out/lib/$libDir/{plugin-container,xulrunner,xulrunner-stub}; do
           wrapProgram $i --prefix LD_LIBRARY_PATH ':' "$out/lib/$libDir"
       done

pkgs/development/compilers/gcc/4.6/builder.sh

@@ -33,7 +33,7 @@ if test "$noSysDirs" = "1"; then
 
         # The path to the Glibc binaries such as `crti.o'.
         glibc_libdir="$(cat $NIX_GCC/nix-support/orig-libc)/lib"
-        
+
     else
         # Hack: support impure environments.
         extraFlags="-isystem /usr/include"
@@ -214,7 +214,7 @@ postInstall() {
     # previous gcc.
     rm -rf $out/libexec/gcc/*/*/install-tools
     rm -rf $out/lib/gcc/*/*/install-tools
-    
+
     # More dependencies with the previous gcc or some libs (gccbug stores the build command line)
     rm -rf $out/bin/gccbug
     # Take out the bootstrap-tools from the rpath, as it's not needed at all having $out
@@ -240,6 +240,11 @@ postInstall() {
         fi
     done
 
+    # Disable RANDMMAP on grsec, which causes segfaults when using
+    # precompiled headers.
+    # See https://bugs.gentoo.org/show_bug.cgi?id=301299#c31
+    paxmark r $out/libexec/gcc/*/*/{cc1,cc1plus}
+
     eval "$postInstallGhdl"
 }
 

pkgs/development/compilers/gcc/4.6/default.nix

@@ -99,7 +99,7 @@ let version = "4.6.3";
         withAbi = if gccAbi != null then " --with-abi=${gccAbi}" else "";
         withFpu = if gccFpu != null then " --with-fpu=${gccFpu}" else "";
         withFloat = if gccFloat != null then " --with-float=${gccFloat}" else "";
-      in 
+      in
         (withArch +
         withCpu +
         withAbi +

pkgs/development/compilers/gcc/4.8/builder.sh

@@ -239,6 +239,11 @@ postInstall() {
         fi
     done
 
+    # Disable RANDMMAP on grsec, which causes segfaults when using
+    # precompiled headers.
+    # See https://bugs.gentoo.org/show_bug.cgi?id=301299#c31
+    paxmark r $out/libexec/gcc/*/*/{cc1,cc1plus}
+
     eval "$postInstallGhdl"
 }
 

pkgs/development/compilers/ghc/7.6.3.nix

@@ -1,6 +1,13 @@
 { stdenv, fetchurl, ghc, perl, gmp, ncurses }:
 
-stdenv.mkDerivation rec {
+let
+  # The "-Wa,--noexecstack" options might be needed only with GNU ld (as opposed
+  # to the gold linker). It prevents binaries' stacks from being marked as
+  # executable, which fails to run on a grsecurity/PaX kernel.
+  ghcFlags = "-optc-Wa,--noexecstack -opta-Wa,--noexecstack";
+  cFlags = "-Wa,--noexecstack";
+
+in stdenv.mkDerivation rec {
   version = "7.6.3";
 
   name = "ghc-${version}";
@@ -12,21 +19,38 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ ghc perl gmp ncurses ];
 
-
   buildMK = ''
     libraries/integer-gmp_CONFIGURE_OPTS += --configure-option=--with-gmp-libraries="${gmp}/lib"
     libraries/integer-gmp_CONFIGURE_OPTS += --configure-option=--with-gmp-includes="${gmp}/include"
+
+    # Set ghcFlags for building ghc itself
+    SRC_HC_OPTS += ${ghcFlags}
+    SRC_CC_OPTS += ${cFlags}
   '';
 
   preConfigure = ''
     echo "${buildMK}" > mk/build.mk
     sed -i -e 's|-isysroot /Developer/SDKs/MacOSX10.5.sdk||' configure
+
+    # Set ghcFlags for binaries that ghc builds
+    sed -i -e 's|"\$topdir"|"\$topdir" ${ghcFlags}|' ghc/ghc.wrapper
+
   '' + stdenv.lib.optionalString (!stdenv.isDarwin) ''
     export NIX_LDFLAGS="$NIX_LDFLAGS -rpath $out/lib/ghc-${version}"
   '';
 
   configureFlags = "--with-gcc=${stdenv.gcc}/bin/gcc";
 
+  postInstall = ''
+    # ghci uses mmap with rwx protection at it implements dynamic
+    # linking on its own. See:
+    # - https://bugs.gentoo.org/show_bug.cgi?id=299709
+    # - https://ghc.haskell.org/trac/ghc/ticket/4244
+    # Therefore, we have to pax-mark the resulting binary.
+    # Haddock also seems to run with ghci, so mark it as well.
+    paxmark m $out/lib/${name}/{ghc,haddock}
+  '';
+
   # required, because otherwise all symbols from HSffi.o are stripped, and
   # that in turn causes GHCi to abort
   stripDebugFlags=["-S" "--keep-file-symbols"];

pkgs/development/compilers/icedtea/default.nix

@@ -59,7 +59,7 @@ with srcInfo; stdenv.mkDerivation {
     "--disable-downloading"
 
     "--without-rhino"
-    # Uncomment this when paxctl lands in stdenv: "--with-pax=paxctl"
+    "--with-pax=paxctl"
     "--with-jdk-home=${jdkPath}"
   ];
 

pkgs/development/compilers/jdk/jdk7-linux.nix

@@ -2,6 +2,7 @@
 , stdenv
 , requireFile
 , unzip
+, file
 , xlibs ? null
 , installjdk ? true
 , pluginSupport ? true
@@ -71,10 +72,20 @@ stdenv.mkDerivation rec {
     else
       abort "jdk requires i686-linux or x86_64 linux";
 
-  buildInputs = if installjce then [ unzip ] else [];
+  nativeBuildInputs = [ file ]
+    ++ stdenv.lib.optional installjce unzip;
 
   installPhase = ''
     cd ..
+
+    # Set PaX markings
+    exes=$(file $sourceRoot/bin/* $sourceRoot/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
+    for file in $exes; do
+      paxmark m "$file"
+      # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
+      ${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''}
+    done
+
     if test -z "$installjdk"; then
       mv $sourceRoot/jre $out
     else

pkgs/development/compilers/llvm/3.3/llvm.nix

@@ -22,11 +22,20 @@ in stdenv.mkDerivation rec {
 
   cmakeFlags = with stdenv; [
     "-DCMAKE_BUILD_TYPE=Release"
+    "-DLLVM_BUILD_TESTS=ON"
     "-DLLVM_ENABLE_FFI=ON"
     "-DLLVM_BINUTILS_INCDIR=${binutils}/include"
     "-DLLVM_EXPERIMENTAL_TARGETS_TO_BUILD=R600" # for mesa
   ] ++ stdenv.lib.optional (!isDarwin) "-DBUILD_SHARED_LIBS=ON";
 
+  postBuild = ''
+    paxmark m bin/{lli,llvm-rtdyld}
+
+    paxmark m unittests/ExecutionEngine/JIT/JITTests
+    paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
+    paxmark m unittests/Support/SupportTests
+  '';
+
   enableParallelBuilding = true;
 
   doCheck = true;

pkgs/development/compilers/llvm/3.4/llvm.nix

@@ -36,15 +36,25 @@ in stdenv.mkDerivation rec {
     mkdir -p $out/
     ln -sv $PWD/lib $out
   '';
-  postBuild = "rm -fR $out";
 
   cmakeFlags = with stdenv; [
     "-DCMAKE_BUILD_TYPE=Release"
+    "-DLLVM_BUILD_TESTS=ON"
     "-DLLVM_ENABLE_FFI=ON"
     "-DLLVM_BINUTILS_INCDIR=${binutils}/include"
     "-DCMAKE_CXX_FLAGS=-std=c++11"
   ] ++ stdenv.lib.optional (!isDarwin) "-DBUILD_SHARED_LIBS=ON";
 
+  postBuild = ''
+    rm -fR $out
+
+    paxmark m bin/{lli,llvm-rtdyld}
+
+    paxmark m unittests/ExecutionEngine/JIT/JITTests
+    paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
+    paxmark m unittests/Support/SupportTests
+  '';
+
   enableParallelBuilding = true;
 
   passthru.src = src;

pkgs/development/compilers/openjdk/bootstrap.nix

@@ -1,4 +1,4 @@
-{ runCommand, glibc, fetchurl }:
+{ stdenv, runCommand, glibc, fetchurl, file }:
 
 let
   # !!! These should be on nixos.org
@@ -18,4 +18,12 @@ in
 runCommand "openjdk-bootstrap" {} ''
   xz -dc ${src} | sed "s/e*-glibc-[^/]*/$(basename ${glibc})/g" | tar xv
   mv openjdk-bootstrap $out
+
+  # Temporarily, while NixOS's OpenJDK bootstrap tarball doesn't have PaX markings:
+  exes=$(${file}/bin/file $out/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
+  for file in $exes; do
+    paxmark m "$file"
+    # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
+    ${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''}
+  done
 ''

pkgs/development/compilers/openjdk/default.nix

@@ -1,5 +1,5 @@
 { stdenv, fetchurl, unzip, zip, procps, coreutils, alsaLib, ant, freetype, cups
-, which, jdk, nettools, xorg
+, which, jdk, nettools, xorg, file
 , fontconfig, cpio, cacert, perl, setJavaClassPath }:
 
 let
@@ -19,6 +19,9 @@ let
 
   build = "43";
 
+  # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
+  paxflags = if stdenv.isi686 then "msp" else "m";
+
 in
 
 stdenv.mkDerivation rec {
@@ -35,7 +38,7 @@ stdenv.mkDerivation rec {
     [ unzip procps ant which zip cpio nettools alsaLib
       xorg.libX11 xorg.libXt xorg.libXext xorg.libXrender xorg.libXtst
       xorg.libXi xorg.libXinerama xorg.libXcursor xorg.lndir
-      fontconfig perl
+      fontconfig perl file
     ];
 
   NIX_LDFLAGS = "-lfontconfig -lXcursor -lXinerama";
@@ -49,7 +52,7 @@ stdenv.mkDerivation rec {
       openjdk/{jdk,corba}/make/common/shared/Defs-utils.gmk
   '';
 
-  patches = [ ./cppflags-include-fix.patch ./fix-java-home.patch ];
+  patches = [ ./cppflags-include-fix.patch ./fix-java-home.patch ./paxctl.patch ];
 
   NIX_NO_SELF_RPATH = true;
 
@@ -72,6 +75,14 @@ stdenv.mkDerivation rec {
 
   configurePhase = "true";
 
+  preBuild = ''
+    # We also need to PaX-mark in the middle of the build
+    substituteInPlace hotspot/make/linux/makefiles/launcher.make \
+       --replace XXX_PAXFLAGS_XXX ${paxflags}
+    substituteInPlace jdk/make/common/Program.gmk  \
+       --replace XXX_PAXFLAGS_XXX ${paxflags}
+  '';
+
   installPhase = ''
     mkdir -p $out/lib/openjdk $out/share $jre/lib/openjdk
 
@@ -98,6 +109,14 @@ stdenv.mkDerivation rec {
     rm -rf $out/lib/openjdk/jre/bin
     ln -s $out/lib/openjdk/bin $out/lib/openjdk/jre/bin
 
+    # Set PaX markings
+    exes=$(file $out/lib/openjdk/bin/* $jre/lib/openjdk/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
+    echo "to mark: *$exes*"
+    for file in $exes; do
+      echo "marking *$file*"
+      paxmark ${paxflags} "$file"
+    done
+
     # Remove duplicate binaries.
     for i in $(cd $out/lib/openjdk/bin && echo *); do
       if [ "$i" = java ]; then continue; fi

pkgs/development/compilers/openjdk/paxctl.patch

@@ -0,0 +1,28 @@
+diff --git a/hotspot/make/linux/makefiles/launcher.make b/hotspot/make/linux/makefiles/launcher.make
+index 34bbcd6..41b9332 100644
+--- a/hotspot/make/linux/makefiles/launcher.make
++++ b/hotspot/make/linux/makefiles/launcher.make
+@@ -83,6 +83,8 @@ $(LAUNCHER): $(OBJS) $(LIBJVM) $(LAUNCHER_MAPFILE)
+ 	$(QUIETLY) echo Linking launcher...
+ 	$(QUIETLY) $(LINK_LAUNCHER/PRE_HOOK)
+ 	$(QUIETLY) $(LINK_LAUNCHER) $(LFLAGS_LAUNCHER) -o $@ $(OBJS) $(LIBS_LAUNCHER)
++	paxctl -c $(LAUNCHER)
++	paxctl -zex -XXX_PAXFLAGS_XXX $(LAUNCHER)
+ 	$(QUIETLY) $(LINK_LAUNCHER/POST_HOOK)
+ 
+ $(LAUNCHER): $(LAUNCHER_SCRIPT)
+diff --git a/jdk/make/common/Program.gmk b/jdk/make/common/Program.gmk
+index 091800d..1de8cb4 100644
+--- a/jdk/make/common/Program.gmk
++++ b/jdk/make/common/Program.gmk
+@@ -60,6 +60,10 @@ ACTUAL_PROGRAM      = $(ACTUAL_PROGRAM_DIR)/$(ACTUAL_PROGRAM_NAME)
+ program_default_rule: all
+ 
+ program: $(ACTUAL_PROGRAM)
++	if [[ "$(PROGRAM)" = "java" ]]; then \
++		paxctl -c $(ACTUAL_PROGRAM); \
++		paxctl -zex -XXX_PAXFLAGS_XXX $(ACTUAL_PROGRAM); \
++	fi
+ 
+ # Work-around for missing processor specific mapfiles
+ ifndef CROSS_COMPILE_ARCH

pkgs/development/interpreters/python/2.7/default.nix

@@ -84,6 +84,8 @@ let
         ln -s $out/lib/python${majorVersion}/pdb.py $out/bin/pdb
         ln -s $out/lib/python${majorVersion}/pdb.py $out/bin/pdb${majorVersion}
         ln -s $out/share/man/man1/{python2.7.1.gz,python.1.gz}
+
+        paxmark E $out/bin/python${majorVersion}
       '';
 
     passthru = {

pkgs/development/interpreters/python/3.3/default.nix

@@ -53,6 +53,8 @@ stdenv.mkDerivation {
   postInstall = ''
     rm -rf "$out/lib/python${majorVersion}/test"
     ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}"
+
+    paxmark E $out/bin/python${majorVersion}
   '';
 
   passthru = {

pkgs/development/interpreters/python/3.4/default.nix

@@ -54,6 +54,8 @@ stdenv.mkDerivation {
   postInstall = ''
     rm -rf "$out/lib/python${majorVersion}/test"
     ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}"
+
+    paxmark E $out/bin/python${majorVersion}
   '';
 
   passthru = {

pkgs/development/interpreters/spidermonkey/17.0.nix

@@ -28,7 +28,12 @@ stdenv.mkDerivation rec {
   enableParallelBuilding = true;
 
   doCheck = true;
-  preCheck = "rm jit-test/tests/sunspider/check-date-format-tofte.js"; # https://bugzil.la/600522
+  preCheck = ''
+    rm jit-test/tests/sunspider/check-date-format-tofte.js    # https://bugzil.la/600522
+
+    paxmark m shell/js17
+    paxmark mr jsapi-tests/jsapi-tests
+  '';
 
   meta = with stdenv.lib; {
     description = "Mozilla's JavaScript engine written in C/C++";

pkgs/development/interpreters/spidermonkey/185-1.0.0.nix

@@ -28,7 +28,13 @@ stdenv.mkDerivation rec {
   enableParallelBuilding = true;
 
   doCheck = true;
-  preCheck = "rm jit-test/tests/sunspider/check-date-format-tofte.js"; # https://bugzil.la/600522
+
+  preCheck = ''
+    rm jit-test/tests/sunspider/check-date-format-tofte.js    # https://bugzil.la/600522
+
+    paxmark mr shell/js
+    paxmark mr jsapi-tests/jsapi-tests
+  '';
 
   meta = with stdenv.lib; {
     description = "Mozilla's JavaScript engine written in C/C++";

pkgs/development/libraries/gstreamer/legacy/gstreamer/default.nix

@@ -22,8 +22,12 @@ stdenv.mkDerivation rec {
     --disable-examples --enable-failing-tests --localstatedir=/var --disable-gtk-doc --disable-docbook
   '';
 
-  # Hm, apparently --disable-gtk-doc is ignored...
-  postInstall = "rm -rf $out/share/gtk-doc";
+  postInstall = ''
+    # Hm, apparently --disable-gtk-doc is ignored...
+    rm -rf $out/share/gtk-doc
+
+    paxmark m $out/bin/gst-launch* $out/libexec/gstreamer-*/gst-plugin-scanner
+  '';
 
   setupHook = ./setup-hook.sh;
 

pkgs/development/libraries/libffi/default.nix

@@ -8,9 +8,13 @@ stdenv.mkDerivation rec {
     sha256 = "077ibkf84bvcd6rw1m6jb107br63i2pp301rkmsbgg6300adxp8x";
   };
 
+  patches = stdenv.lib.optional (stdenv.needsPax) ./libffi-3.0.13-emutramp_pax_proc.patch;
+
   buildInputs = stdenv.lib.optional doCheck dejagnu;
 
-  configureFlags = [ "--with-gcc-arch=generic" ]; # no detection of -march= or -mtune=
+  configureFlags = [
+    "--with-gcc-arch=generic" # no detection of -march= or -mtune=
+  ] ++ stdenv.lib.optional (stdenv.needsPax) "--enable-pax_emutramp";
 
   doCheck = stdenv.isLinux; # until we solve dejagnu problems on darwin and expect on BSD
 

pkgs/development/libraries/libffi/libffi-3.0.13-emutramp_pax_proc.patch

@@ -0,0 +1,37 @@
+2013-05-22  Magnus Granberg  <zorry@gentoo.org>
+
+	#457194
+	* src/closuer.c (emutramp_enabled_check): Check with /proc.
+
+--- a/src/closures.c	2013-03-17 23:27:11.000000000 +0100
++++ b/src/closures.c	2013-04-29 23:26:02.279022022 +0200
+@@ -181,10 +181,26 @@ static int emutramp_enabled = -1;
+ static int
+ emutramp_enabled_check (void)
+ {
+-  if (getenv ("FFI_DISABLE_EMUTRAMP") == NULL)
+-    return 1;
+-  else
++  char *buf = NULL;
++  size_t len = 0;
++  FILE *f;
++  int ret;
++  f = fopen ("/proc/self/status", "r");
++  if (f == NULL)
+     return 0;
++  ret = 0;
++
++  while (getline (&buf, &len, f) != -1)
++    if (!strncmp (buf, "PaX:", 4))
++      {
++        char emutramp;
++        if (sscanf (buf, "%*s %*c%c", &emutramp) == 1)
++          ret = (emutramp == 'E');
++        break;
++      }
++  free (buf);
++  fclose (f);
++  return ret;
+ }
+ 
+ #define is_emutramp_enabled() (emutramp_enabled >= 0 ? emutramp_enabled \

pkgs/development/libraries/mesa/default.nix

@@ -2,6 +2,7 @@
 , python, libxml2Python, file, expat, makedepend
 , libdrm, xorg, wayland, udev, llvm, libffi
 , libvdpau, libelf
+, grsecEnabled
 , enableTextureFloats ? false # Texture floats are patented, see docs/patents.txt
 , enableExtraFeatures ? false # not maintained
 }:
@@ -41,6 +42,7 @@ stdenv.mkDerivation {
 
   patches = [
     ./static-gallium.patch
+    ./glx_ro_text_segm.patch # fix for grsecurity/PaX
    # TODO: revive ./dricore-gallium.patch when it gets ported (from Ubuntu),
    #  as it saved ~35 MB in $drivers; watch https://launchpad.net/ubuntu/+source/mesa/+changelog
   ];
@@ -79,7 +81,8 @@ stdenv.mkDerivation {
       "--enable-openvg" "--enable-gallium-egl" # not needed for EGL in Gallium, but OpenVG might be useful
       #"--enable-xvmc" # tests segfault with 9.1.{1,2,3}
       #"--enable-opencl" # ToDo: opencl seems to need libclc for clover
-    ];
+    ]
+    ++ optional grsecEnabled "--enable-glx-rts"; # slight performance degradation, enable only for grsec
 
   nativeBuildInputs = [ pkgconfig python makedepend file flex bison ];
 

pkgs/development/libraries/mesa/glx_ro_text_segm.patch

@@ -0,0 +1,25 @@
+diff --git a/configure.ac b/configure.ac
+index 5068913..3d4271e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -429,6 +429,20 @@ AC_SUBST([GLESv2_LIB_GLOB])
+ AC_SUBST([VG_LIB_GLOB])
+ AC_SUBST([GLAPI_LIB_GLOB])
+ 
++
++dnl readonly text segment on x86 hardened platforms
++AC_ARG_ENABLE([glx_rts],
++    [AS_HELP_STRING([--enable-glx-rts],
++        [on x86, use a readonly text segment for libGL @<:@default=disabled@:>@])],
++    [enable_glx_rts="$enableval"],
++    [enable_glx_rts=no])
++if test "x$enable_glx_rts" = xyes; then
++    DEFINES="$DEFINES -DGLX_X86_READONLY_TEXT"
++else
++    enable_glx_rts=no
++fi
++
++
+ dnl
+ dnl Arch/platform-specific settings
+ dnl

pkgs/development/libraries/polkit/default.nix

@@ -58,6 +58,12 @@ stdenv.mkDerivation rec {
 
   makeFlags = "INTROSPECTION_GIRDIR=$(out)/share/gir-1.0 INTROSPECTION_TYPELIBDIR=$(out)/lib/girepository-1.0";
 
+  # The following is required on grsecurity/PaX due to spidermonkey's JIT
+  postBuild = ''
+    paxmark mr src/polkitbackend/.libs/polkitd
+    paxmark mr test/polkitbackend/.libs/polkitbackendjsauthoritytest
+  '';
+
   #doCheck = true; # some /bin/bash problem that isn't auto-solved by patchShebangs
 
   meta = with stdenv.lib; {

pkgs/development/libraries/qimageblitz/default.nix

@@ -7,14 +7,16 @@ in
 
 stdenv.mkDerivation {
   name = "${pn}-${v}";
-  
+
   src = fetchurl {
     url = "mirror://sourceforge/${pn}/${pn}-${v}.tar.bz2";
     sha256 = "0pnaf3qi7rgkxzs2mssmslb3f9ya4cyx09wzwlis3ppyvf72j0p9";
   };
-  
+
   buildInputs = [ cmake qt4 ];
 
+  patches = [ ./qimageblitz-9999-exec-stack.patch ];
+
   meta = {
     description = "Graphical effect and filter library for KDE4";
     license = "BSD";

pkgs/development/libraries/qimageblitz/qimageblitz-9999-exec-stack.patch

@@ -0,0 +1,11 @@
+diff -uar qimageblitz/blitz/asm_scale.S qimageblitz~/blitz/asm_scale.S
+--- qimageblitz-orig/blitz/asm_scale.S	2007-10-17 01:17:57.000000000 +0200
++++ qimageblitz/blitz/asm_scale.S	2007-10-17 01:19:12.000000000 +0200
+@@ -814,3 +814,7 @@
+ SIZE(qimageScale_mmx_AARGBA)
+ 
+ #endif
++#if defined(__linux__) && defined(__ELF__)
++.section .note.GNU-stack,"",%progbits
++#endif
++

pkgs/development/tools/misc/binutils/default.nix

@@ -27,6 +27,11 @@ stdenv.mkDerivation rec {
 
     # Make binutils output deterministic by default.
     ./deterministic.patch
+
+    # Always add PaX flags section to ELF files.
+    # This is needed, for instance, so that running "ldd" on a binary that is
+    # PaX-marked to disable mprotect doesn't fail with permission denied.
+    ./pt-pax-flags-20121023.patch
   ];
 
   buildInputs =

pkgs/misc/emulators/wine/stable.nix

@@ -62,6 +62,9 @@ in stdenv.mkDerivation rec {
     install -D ${gecko} $out/share/wine/gecko/${gecko64.name}
   '' + ''
     install -D ${mono} $out/share/wine/mono/${mono.name}
+
+    paxmark psmr $out/bin/wine{,-preloader}
+
     wrapProgram $out/bin/wine --prefix LD_LIBRARY_PATH : ${stdenv.gcc.gcc}/lib
   '';
 

pkgs/os-specific/linux/spl/const.patch

@@ -0,0 +1,13 @@
+diff --git a/module/spl/spl-proc.c b/module/spl/spl-proc.c
+index f25239a..b731123 100644
+--- a/module/spl/spl-proc.c
++++ b/module/spl/spl-proc.c
+@@ -38,7 +38,7 @@
+ 
+ #define SS_DEBUG_SUBSYS SS_PROC
+ 
+-#if defined(CONSTIFY_PLUGIN) && LINUX_VERSION_CODE >= KERNEL_VERSION(3,8,0)
++#if defined(CONSTIFY_PLUGIN)
+ typedef struct ctl_table __no_const spl_ctl_table;
+ #else
+ typedef struct ctl_table spl_ctl_table;

pkgs/os-specific/linux/spl/default.nix

@@ -7,7 +7,7 @@ stdenv.mkDerivation {
     sha256 = "196scl8q0bkkak6m0p1l1fz254cgsizqm73bf9wk3iynamq7qmrw";
   };
 
-  patches = [ ./install_prefix.patch ./3_12-compat.patch ./3_13-compat-1.patch ./3_13-compat-2.patch ];
+  patches = [ ./install_prefix.patch ./3_12-compat.patch ./3_13-compat-1.patch ./3_13-compat-2.patch ./const.patch ];
 
   buildInputs = [ perl autoconf automake libtool ];
 
@@ -34,7 +34,7 @@ stdenv.mkDerivation {
 
     longDescription = ''
       This kernel module is a porting layer for ZFS to work inside the linux
-      kernel. 
+      kernel.
     '';
 
     homepage = http://zfsonlinux.org/;

pkgs/stdenv/generic/builder.sh

@@ -12,6 +12,7 @@ cat "$setup" >> $out/setup
 sed -e "s^@initialPath@^$initialPath^g" \
     -e "s^@gcc@^$gcc^g" \
     -e "s^@shell@^$shell^g" \
+    -e "s^@needsPax@^$needsPax^g" \
     < $out/setup > $out/setup.tmp
 mv $out/setup.tmp $out/setup
 

pkgs/stdenv/generic/default.nix

@@ -10,6 +10,8 @@ let lib = import ../../../lib; in lib.makeOverridable (
 , setupScript ? ./setup.sh
 
 , extraBuildInputs ? []
+
+, skipPaxMarking ? false
 }:
 
 let
@@ -29,11 +31,19 @@ let
       builder = shell;
 
       args = ["-e" ./builder.sh];
+      /* TODO: special-cased @var@ substitutions are ugly.
+          However, using substituteAll* from setup.sh seems difficult,
+          as setup.sh can't be directly sourced.
+          Suggestion: split similar utility functions into a separate script.
+      */
 
       setup = setupScript;
 
       inherit preHook initialPath gcc shell;
 
+      # Whether we should run paxctl to pax-mark binaries
+      needsPax = result.isLinux && !skipPaxMarking;
+
       propagatedUserEnvPkgs = [gcc] ++
         lib.filter lib.isDerivation initialPath;
 

pkgs/stdenv/generic/setup.sh

@@ -93,6 +93,7 @@ PATH=
 for i in $NIX_GCC @initialPath@; do
     if [ "$i" = / ]; then i=; fi
     addToSearchPath PATH $i/bin
+    addToSearchPath PATH $i/sbin
 done
 
 if [ "$NIX_DEBUG" = 1 ]; then
@@ -293,6 +294,18 @@ stripDirs() {
     fi
 }
 
+# PaX-mark binaries
+paxmark() {
+    local flags="$1"
+    shift
+
+    if [ -z "@needsPax@" ]; then
+        return
+    fi
+
+    paxctl -c "$@"
+    paxctl -zex -${flags} "$@"
+}
 
 ######################################################################
 # Textual substitution functions.

pkgs/stdenv/linux/default.nix

@@ -210,6 +210,7 @@ rec {
     extraAttrs = {
       glibc = stdenvLinuxGlibc;   # Required by gcc47 build
     };
+    extraPath = [ stdenvLinuxBoot1Pkgs.paxctl ];
     inherit fetchurl;
   };
 
@@ -268,7 +269,7 @@ rec {
 
     initialPath =
       ((import ../common-path.nix) {pkgs = stdenvLinuxBoot4Pkgs;})
-      ++ [stdenvLinuxBoot4Pkgs.patchelf];
+      ++ [stdenvLinuxBoot4Pkgs.patchelf stdenvLinuxBoot4Pkgs.paxctl ];
 
     gcc = wrapGCC rec {
       inherit (stdenvLinuxBoot4Pkgs) binutils coreutils;
@@ -295,7 +296,7 @@ rec {
       inherit (stdenvLinuxBoot4Pkgs)
         gzip bzip2 xz bash coreutils diffutils findutils gawk
         gnumake gnused gnutar gnugrep gnupatch patchelf
-        attr acl;
+        attr acl paxctl;
     };
   };
 

pkgs/tools/misc/grub/2.0x.nix

@@ -68,6 +68,10 @@ stdenv.mkDerivation rec {
   doCheck = false;
   enableParallelBuilding = true;
 
+  postInstall = ''
+    paxmark pms $out/sbin/grub-{probe,bios-setup}
+  '';
+
   meta = {
     description = "GNU GRUB, the Grand Unified Boot Loader (2.x beta)";
 

pkgs/top-level/all-packages.nix

@@ -5510,11 +5510,18 @@ let
 
   mesaSupported = lib.elem system lib.platforms.mesaPlatforms;
 
-  mesa_original = callPackage ../development/libraries/mesa { };
+  mesa_original = callPackage ../development/libraries/mesa {
+    # makes it slower, but during runtime we link against just mesa_drivers
+    # through /run/opengl-driver*, which is overriden according to config.grsecurity
+    grsecEnabled = true;
+  };
+
   mesa_noglu = if stdenv.isDarwin
     then darwinX11AndOpenGL // { driverLink = mesa_noglu; }
     else mesa_original;
-  mesa_drivers = mesa_original.drivers;
+  mesa_drivers = let
+      mo = mesa_original.override { grsecEnabled = config.grsecurity or false; };
+    in mo.drivers;
   mesa_glu = callPackage ../development/libraries/mesa-glu { };
   mesa = if stdenv.isDarwin then darwinX11AndOpenGL
     else buildEnv {