Merge branch 'master' into grsec-stdenv

This is needed for grsecurity kernels to be able to build stuff (e.g. pango).
With grsec the libGL is slower, but we don't care much at build time,
so we can share binaries among grsec and nogrsec.

This adds 2-3 MB to nogrsec closures that use mesa drivers (libGL is doubled).

pkgs/applications/networking/browsers/chromium/browser.nix

@@ -1,11 +1,11 @@
-{ stdenv, mkChromiumDerivation }:
+{ stdenv, mkChromiumDerivation, arch }:
 
 with stdenv.lib;
 
 mkChromiumDerivation (base: rec {
   name = "chromium-browser";
   packageName = "chromium";
-  buildTargets = [ "chrome" ];
+  buildTargets = [ "mksnapshot.${arch}" "chrome" ];
 
   installPhase = ''
     ensureDir "$libExecPath"

pkgs/applications/networking/browsers/chromium/common.nix

@@ -30,6 +30,7 @@
 
 , source
 , plugins
+, archInfo
 }:
 
 buildFun:
@@ -172,13 +173,7 @@ let
       # enable support for the H.264 codec
       proprietary_codecs = true;
       ffmpeg_branding = "Chrome";
-    } // optionalAttrs (stdenv.system == "x86_64-linux") {
-      target_arch = "x64";
-      python_arch = "x86-64";
-    } // optionalAttrs (stdenv.system == "i686-linux") {
-      target_arch = "ia32";
-      python_arch = "ia32";
-    } // (extraAttrs.gypFlags or {}));
+    } // archInfo // (extraAttrs.gypFlags or {}));
 
     configurePhase = ''
       # This is to ensure expansion of $out.
@@ -190,14 +185,21 @@ let
     buildPhase = let
       CC = "${gcc}/bin/gcc";
       CXX = "${gcc}/bin/g++";
-    in ''
-      CC="${CC}" CC_host="${CC}"     \
-      CXX="${CXX}" CXX_host="${CXX}" \
-      LINK_host="${CXX}"             \
-        "${ninja}/bin/ninja" -C "${buildPath}"  \
-          -j$NIX_BUILD_CORES -l$NIX_BUILD_CORES \
-          ${concatStringsSep " " (extraAttrs.buildTargets or [])}
-    '';
+      buildCommand = target: ''
+        CC="${CC}" CC_host="${CC}"     \
+        CXX="${CXX}" CXX_host="${CXX}" \
+        LINK_host="${CXX}"             \
+          "${ninja}/bin/ninja" -C "${buildPath}"  \
+            -j$NIX_BUILD_CORES -l$NIX_BUILD_CORES \
+            ${target}
+
+        if [[ "${target}" == mksnapshot.* || "${target}" == "chrome" ]]; then
+          paxmark m "${buildPath}/${target}"
+        fi
+      '';
+      targets = extraAttrs.buildTargets or [];
+      commands = map buildCommand targets;
+    in concatStringsSep "\n" commands;
   };
 
 # Remove some extraAttrs we supplied to the base attributes already.

pkgs/applications/networking/browsers/chromium/default.nix

@@ -15,6 +15,14 @@
 }:
 
 let
+  archInfo = with stdenv.lib; optionalAttrs (stdenv.system == "i686-linux") {
+    target_arch = "ia32";
+    python_arch = "ia32";
+  } // optionalAttrs (stdenv.system == "x86_64-linux") {
+    target_arch = "x64";
+    python_arch = "x86-64";
+  };
+
   callPackage = newScope chromium;
 
   chromium = {
@@ -27,10 +35,13 @@ let
     mkChromiumDerivation = callPackage ./common.nix {
       inherit enableSELinux enableNaCl useOpenSSL gnomeSupport
               gnomeKeyringSupport proprietaryCodecs cupsSupport
-              pulseSupport;
+              pulseSupport archInfo;
+    };
+
+    browser = callPackage ./browser.nix {
+      arch = archInfo.target_arch;
     };
 
-    browser = callPackage ./browser.nix { };
     sandbox = callPackage ./sandbox.nix { };
 
     plugins = callPackage ./plugins.nix {

pkgs/applications/networking/browsers/firefox/default.nix

@@ -91,6 +91,11 @@ rec {
 
     #installFlags = "SKIP_GRE_REGISTRATION=1";
 
+    preInstall = ''
+      # The following is needed for startup cache creation on grsecurity kernels
+      paxmark m ../objdir/dist/bin/xpcshell
+    '';
+
     postInstall = ''
       # Fix run-mozilla.sh search
       libDir=$(cd $out/lib && ls -d xulrunner-[0-9]*)
@@ -109,6 +114,10 @@ rec {
       for i in $out/lib/$libDir/*.so; do
           patchelf --set-rpath "$(patchelf --print-rpath "$i"):$out/lib/$libDir" $i || true
       done
+
+      # For grsecurity kernels
+      paxmark m $out/lib/$libDir/{plugin-container,xulrunner}
+
       for i in $out/lib/$libDir/{plugin-container,xulrunner,xulrunner-stub}; do
           wrapProgram $i --prefix LD_LIBRARY_PATH ':' "$out/lib/$libDir"
       done

pkgs/development/compilers/gcc/4.6/builder.sh

@@ -33,7 +33,7 @@ if test "$noSysDirs" = "1"; then
 
         # The path to the Glibc binaries such as `crti.o'.
         glibc_libdir="$(cat $NIX_GCC/nix-support/orig-libc)/lib"
-        
+
     else
         # Hack: support impure environments.
         extraFlags="-isystem /usr/include"
@@ -214,7 +214,7 @@ postInstall() {
     # previous gcc.
     rm -rf $out/libexec/gcc/*/*/install-tools
     rm -rf $out/lib/gcc/*/*/install-tools
-    
+
     # More dependencies with the previous gcc or some libs (gccbug stores the build command line)
     rm -rf $out/bin/gccbug
     # Take out the bootstrap-tools from the rpath, as it's not needed at all having $out
@@ -240,6 +240,11 @@ postInstall() {
         fi
     done
 
+    # Disable RANDMMAP on grsec, which causes segfaults when using
+    # precompiled headers.
+    # See https://bugs.gentoo.org/show_bug.cgi?id=301299#c31
+    paxmark r $out/libexec/gcc/*/*/{cc1,cc1plus}
+
     eval "$postInstallGhdl"
 }
 

pkgs/development/compilers/gcc/4.6/default.nix

@@ -99,7 +99,7 @@ let version = "4.6.3";
         withAbi = if gccAbi != null then " --with-abi=${gccAbi}" else "";
         withFpu = if gccFpu != null then " --with-fpu=${gccFpu}" else "";
         withFloat = if gccFloat != null then " --with-float=${gccFloat}" else "";
-      in 
+      in
         (withArch +
         withCpu +
         withAbi +

pkgs/development/compilers/gcc/4.8/builder.sh

@@ -239,6 +239,11 @@ postInstall() {
         fi
     done
 
+    # Disable RANDMMAP on grsec, which causes segfaults when using
+    # precompiled headers.
+    # See https://bugs.gentoo.org/show_bug.cgi?id=301299#c31
+    paxmark r $out/libexec/gcc/*/*/{cc1,cc1plus}
+
     eval "$postInstallGhdl"
 }
 

pkgs/development/compilers/ghc/7.6.3.nix

@@ -1,6 +1,13 @@
 { stdenv, fetchurl, ghc, perl, gmp, ncurses }:
 
-stdenv.mkDerivation rec {
+let
+  # The "-Wa,--noexecstack" options might be needed only with GNU ld (as opposed
+  # to the gold linker). It prevents binaries' stacks from being marked as
+  # executable, which fails to run on a grsecurity/PaX kernel.
+  ghcFlags = "-optc-Wa,--noexecstack -opta-Wa,--noexecstack";
+  cFlags = "-Wa,--noexecstack";
+
+in stdenv.mkDerivation rec {
   version = "7.6.3";
 
   name = "ghc-${version}";
@@ -12,21 +19,38 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ ghc perl gmp ncurses ];
 
-
   buildMK = ''
     libraries/integer-gmp_CONFIGURE_OPTS += --configure-option=--with-gmp-libraries="${gmp}/lib"
     libraries/integer-gmp_CONFIGURE_OPTS += --configure-option=--with-gmp-includes="${gmp}/include"
+
+    # Set ghcFlags for building ghc itself
+    SRC_HC_OPTS += ${ghcFlags}
+    SRC_CC_OPTS += ${cFlags}
   '';
 
   preConfigure = ''
     echo "${buildMK}" > mk/build.mk
     sed -i -e 's|-isysroot /Developer/SDKs/MacOSX10.5.sdk||' configure
+
+    # Set ghcFlags for binaries that ghc builds
+    sed -i -e 's|"\$topdir"|"\$topdir" ${ghcFlags}|' ghc/ghc.wrapper
+
   '' + stdenv.lib.optionalString (!stdenv.isDarwin) ''
     export NIX_LDFLAGS="$NIX_LDFLAGS -rpath $out/lib/ghc-${version}"
   '';
 
   configureFlags = "--with-gcc=${stdenv.gcc}/bin/gcc";
 
+  postInstall = ''
+    # ghci uses mmap with rwx protection at it implements dynamic
+    # linking on its own. See:
+    # - https://bugs.gentoo.org/show_bug.cgi?id=299709
+    # - https://ghc.haskell.org/trac/ghc/ticket/4244
+    # Therefore, we have to pax-mark the resulting binary.
+    # Haddock also seems to run with ghci, so mark it as well.
+    paxmark m $out/lib/${name}/{ghc,haddock}
+  '';
+
   # required, because otherwise all symbols from HSffi.o are stripped, and
   # that in turn causes GHCi to abort
   stripDebugFlags=["-S" "--keep-file-symbols"];

pkgs/development/compilers/icedtea/default.nix

@@ -59,7 +59,7 @@ with srcInfo; stdenv.mkDerivation {
     "--disable-downloading"
 
     "--without-rhino"
-    # Uncomment this when paxctl lands in stdenv: "--with-pax=paxctl"
+    "--with-pax=paxctl"
     "--with-jdk-home=${jdkPath}"
   ];
 

pkgs/development/compilers/jdk/jdk7-linux.nix

@@ -2,6 +2,7 @@
 , stdenv
 , requireFile
 , unzip
+, file
 , xlibs ? null
 , installjdk ? true
 , pluginSupport ? true
@@ -71,10 +72,20 @@ stdenv.mkDerivation rec {
     else
       abort "jdk requires i686-linux or x86_64 linux";
 
-  buildInputs = if installjce then [ unzip ] else [];
+  nativeBuildInputs = [ file ]
+    ++ stdenv.lib.optional installjce unzip;
 
   installPhase = ''
     cd ..
+
+    # Set PaX markings
+    exes=$(file $sourceRoot/bin/* $sourceRoot/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
+    for file in $exes; do
+      paxmark m "$file"
+      # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
+      ${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''}
+    done
+
     if test -z "$installjdk"; then
       mv $sourceRoot/jre $out
     else

pkgs/development/compilers/llvm/3.3/llvm.nix

@@ -22,11 +22,20 @@ in stdenv.mkDerivation rec {
 
   cmakeFlags = with stdenv; [
     "-DCMAKE_BUILD_TYPE=Release"
+    "-DLLVM_BUILD_TESTS=ON"
     "-DLLVM_ENABLE_FFI=ON"
     "-DLLVM_BINUTILS_INCDIR=${binutils}/include"
     "-DLLVM_EXPERIMENTAL_TARGETS_TO_BUILD=R600" # for mesa
   ] ++ stdenv.lib.optional (!isDarwin) "-DBUILD_SHARED_LIBS=ON";
 
+  postBuild = ''
+    paxmark m bin/{lli,llvm-rtdyld}
+
+    paxmark m unittests/ExecutionEngine/JIT/JITTests
+    paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
+    paxmark m unittests/Support/SupportTests
+  '';
+
   enableParallelBuilding = true;
 
   doCheck = true;

pkgs/development/compilers/llvm/3.4/llvm.nix

@@ -36,15 +36,25 @@ in stdenv.mkDerivation rec {
     mkdir -p $out/
     ln -sv $PWD/lib $out
   '';
-  postBuild = "rm -fR $out";
 
   cmakeFlags = with stdenv; [
     "-DCMAKE_BUILD_TYPE=Release"
+    "-DLLVM_BUILD_TESTS=ON"
     "-DLLVM_ENABLE_FFI=ON"
     "-DLLVM_BINUTILS_INCDIR=${binutils}/include"
     "-DCMAKE_CXX_FLAGS=-std=c++11"
   ] ++ stdenv.lib.optional (!isDarwin) "-DBUILD_SHARED_LIBS=ON";
 
+  postBuild = ''
+    rm -fR $out
+
+    paxmark m bin/{lli,llvm-rtdyld}
+
+    paxmark m unittests/ExecutionEngine/JIT/JITTests
+    paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
+    paxmark m unittests/Support/SupportTests
+  '';
+
   enableParallelBuilding = true;
 
   passthru.src = src;

pkgs/development/compilers/openjdk/bootstrap.nix

@@ -1,4 +1,4 @@
-{ runCommand, glibc, fetchurl }:
+{ stdenv, runCommand, glibc, fetchurl, file }:
 
 let
   # !!! These should be on nixos.org
@@ -18,4 +18,12 @@ in
 runCommand "openjdk-bootstrap" {} ''
   xz -dc ${src} | sed "s/e*-glibc-[^/]*/$(basename ${glibc})/g" | tar xv
   mv openjdk-bootstrap $out
+
+  # Temporarily, while NixOS's OpenJDK bootstrap tarball doesn't have PaX markings:
+  exes=$(${file}/bin/file $out/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
+  for file in $exes; do
+    paxmark m "$file"
+    # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
+    ${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''}
+  done
 ''

pkgs/development/compilers/openjdk/default.nix

@@ -1,5 +1,5 @@
 { stdenv, fetchurl, unzip, zip, procps, coreutils, alsaLib, ant, freetype, cups
-, which, jdk, nettools, xorg
+, which, jdk, nettools, xorg, file
 , fontconfig, cpio, cacert, perl, setJavaClassPath }:
 
 let
@@ -19,6 +19,9 @@ let
 
   build = "43";
 
+  # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
+  paxflags = if stdenv.isi686 then "msp" else "m";
+
 in
 
 stdenv.mkDerivation rec {
@@ -35,7 +38,7 @@ stdenv.mkDerivation rec {
     [ unzip procps ant which zip cpio nettools alsaLib
       xorg.libX11 xorg.libXt xorg.libXext xorg.libXrender xorg.libXtst
       xorg.libXi xorg.libXinerama xorg.libXcursor xorg.lndir
-      fontconfig perl
+      fontconfig perl file
     ];
 
   NIX_LDFLAGS = "-lfontconfig -lXcursor -lXinerama";
@@ -49,7 +52,7 @@ stdenv.mkDerivation rec {
       openjdk/{jdk,corba}/make/common/shared/Defs-utils.gmk
   '';
 
-  patches = [ ./cppflags-include-fix.patch ./fix-java-home.patch ];
+  patches = [ ./cppflags-include-fix.patch ./fix-java-home.patch ./paxctl.patch ];
 
   NIX_NO_SELF_RPATH = true;
 
@@ -72,6 +75,14 @@ stdenv.mkDerivation rec {
 
   configurePhase = "true";
 
+  preBuild = ''
+    # We also need to PaX-mark in the middle of the build
+    substituteInPlace hotspot/make/linux/makefiles/launcher.make \
+       --replace XXX_PAXFLAGS_XXX ${paxflags}
+    substituteInPlace jdk/make/common/Program.gmk  \
+       --replace XXX_PAXFLAGS_XXX ${paxflags}
+  '';
+
   installPhase = ''
     mkdir -p $out/lib/openjdk $out/share $jre/lib/openjdk
 
@@ -98,6 +109,14 @@ stdenv.mkDerivation rec {
     rm -rf $out/lib/openjdk/jre/bin
     ln -s $out/lib/openjdk/bin $out/lib/openjdk/jre/bin
 
+    # Set PaX markings
+    exes=$(file $out/lib/openjdk/bin/* $jre/lib/openjdk/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
+    echo "to mark: *$exes*"
+    for file in $exes; do
+      echo "marking *$file*"
+      paxmark ${paxflags} "$file"
+    done
+
     # Remove duplicate binaries.
     for i in $(cd $out/lib/openjdk/bin && echo *); do
       if [ "$i" = java ]; then continue; fi

pkgs/development/compilers/openjdk/paxctl.patch

@@ -0,0 +1,28 @@
+diff --git a/hotspot/make/linux/makefiles/launcher.make b/hotspot/make/linux/makefiles/launcher.make
+index 34bbcd6..41b9332 100644
+--- a/hotspot/make/linux/makefiles/launcher.make
++++ b/hotspot/make/linux/makefiles/launcher.make
+@@ -83,6 +83,8 @@ $(LAUNCHER): $(OBJS) $(LIBJVM) $(LAUNCHER_MAPFILE)
+ 	$(QUIETLY) echo Linking launcher...
+ 	$(QUIETLY) $(LINK_LAUNCHER/PRE_HOOK)
+ 	$(QUIETLY) $(LINK_LAUNCHER) $(LFLAGS_LAUNCHER) -o $@ $(OBJS) $(LIBS_LAUNCHER)
++	paxctl -c $(LAUNCHER)
++	paxctl -zex -XXX_PAXFLAGS_XXX $(LAUNCHER)
+ 	$(QUIETLY) $(LINK_LAUNCHER/POST_HOOK)
+ 
+ $(LAUNCHER): $(LAUNCHER_SCRIPT)
+diff --git a/jdk/make/common/Program.gmk b/jdk/make/common/Program.gmk
+index 091800d..1de8cb4 100644
+--- a/jdk/make/common/Program.gmk
++++ b/jdk/make/common/Program.gmk
+@@ -60,6 +60,10 @@ ACTUAL_PROGRAM      = $(ACTUAL_PROGRAM_DIR)/$(ACTUAL_PROGRAM_NAME)
+ program_default_rule: all
+ 
+ program: $(ACTUAL_PROGRAM)
++	if [[ "$(PROGRAM)" = "java" ]]; then \
++		paxctl -c $(ACTUAL_PROGRAM); \
++		paxctl -zex -XXX_PAXFLAGS_XXX $(ACTUAL_PROGRAM); \
++	fi
+ 
+ # Work-around for missing processor specific mapfiles
+ ifndef CROSS_COMPILE_ARCH

pkgs/development/interpreters/python/2.7/default.nix

@@ -84,6 +84,8 @@ let
         ln -s $out/lib/python${majorVersion}/pdb.py $out/bin/pdb
         ln -s $out/lib/python${majorVersion}/pdb.py $out/bin/pdb${majorVersion}
         ln -s $out/share/man/man1/{python2.7.1.gz,python.1.gz}
+
+        paxmark E $out/bin/python${majorVersion}
       '';
 
     passthru = {

pkgs/development/interpreters/python/3.3/default.nix

@@ -53,6 +53,8 @@ stdenv.mkDerivation {
   postInstall = ''
     rm -rf "$out/lib/python${majorVersion}/test"
     ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}"
+
+    paxmark E $out/bin/python${majorVersion}
   '';
 
   passthru = {

pkgs/development/interpreters/python/3.4/default.nix

@@ -54,6 +54,8 @@ stdenv.mkDerivation {
   postInstall = ''
     rm -rf "$out/lib/python${majorVersion}/test"
     ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}"
+
+    paxmark E $out/bin/python${majorVersion}
   '';
 
   passthru = {

pkgs/development/interpreters/spidermonkey/17.0.nix

@@ -28,7 +28,12 @@ stdenv.mkDerivation rec {
   enableParallelBuilding = true;
 
   doCheck = true;
-  preCheck = "rm jit-test/tests/sunspider/check-date-format-tofte.js"; # https://bugzil.la/600522
+  preCheck = ''
+    rm jit-test/tests/sunspider/check-date-format-tofte.js    # https://bugzil.la/600522
+
+    paxmark m shell/js17
+    paxmark mr jsapi-tests/jsapi-tests
+  '';
 
   meta = with stdenv.lib; {
     description = "Mozilla's JavaScript engine written in C/C++";

pkgs/development/interpreters/spidermonkey/185-1.0.0.nix

@@ -28,7 +28,13 @@ stdenv.mkDerivation rec {
   enableParallelBuilding = true;
 
   doCheck = true;
-  preCheck = "rm jit-test/tests/sunspider/check-date-format-tofte.js"; # https://bugzil.la/600522
+
+  preCheck = ''
+    rm jit-test/tests/sunspider/check-date-format-tofte.js    # https://bugzil.la/600522
+
+    paxmark mr shell/js
+    paxmark mr jsapi-tests/jsapi-tests
+  '';
 
   meta = with stdenv.lib; {
     description = "Mozilla's JavaScript engine written in C/C++";

pkgs/development/libraries/gstreamer/legacy/gstreamer/default.nix

@@ -22,8 +22,12 @@ stdenv.mkDerivation rec {
     --disable-examples --enable-failing-tests --localstatedir=/var --disable-gtk-doc --disable-docbook
   '';
 
-  # Hm, apparently --disable-gtk-doc is ignored...
-  postInstall = "rm -rf $out/share/gtk-doc";
+  postInstall = ''
+    # Hm, apparently --disable-gtk-doc is ignored...
+    rm -rf $out/share/gtk-doc
+
+    paxmark m $out/bin/gst-launch* $out/libexec/gstreamer-*/gst-plugin-scanner
+  '';
 
   setupHook = ./setup-hook.sh;
 

pkgs/development/libraries/libffi/default.nix

@@ -8,9 +8,13 @@ stdenv.mkDerivation rec {
     sha256 = "077ibkf84bvcd6rw1m6jb107br63i2pp301rkmsbgg6300adxp8x";
   };
 
+  patches = stdenv.lib.optional (stdenv.needsPax) ./libffi-3.0.13-emutramp_pax_proc.patch;
+
   buildInputs = stdenv.lib.optional doCheck dejagnu;
 
-  configureFlags = [ "--with-gcc-arch=generic" ]; # no detection of -march= or -mtune=
+  configureFlags = [
+    "--with-gcc-arch=generic" # no detection of -march= or -mtune=
+  ] ++ stdenv.lib.optional (stdenv.needsPax) "--enable-pax_emutramp";
 
   doCheck = stdenv.isLinux; # until we solve dejagnu problems on darwin and expect on BSD
 

pkgs/development/libraries/libffi/libffi-3.0.13-emutramp_pax_proc.patch

@@ -0,0 +1,37 @@
+2013-05-22  Magnus Granberg  <zorry@gentoo.org>
+
+	#457194
+	* src/closuer.c (emutramp_enabled_check): Check with /proc.
+
+--- a/src/closures.c	2013-03-17 23:27:11.000000000 +0100
++++ b/src/closures.c	2013-04-29 23:26:02.279022022 +0200
+@@ -181,10 +181,26 @@ static int emutramp_enabled = -1;
+ static int
+ emutramp_enabled_check (void)
+ {
+-  if (getenv ("FFI_DISABLE_EMUTRAMP") == NULL)
+-    return 1;
+-  else
++  char *buf = NULL;
++  size_t len = 0;
++  FILE *f;
++  int ret;
++  f = fopen ("/proc/self/status", "r");
++  if (f == NULL)
+     return 0;
++  ret = 0;
++
++  while (getline (&buf, &len, f) != -1)
++    if (!strncmp (buf, "PaX:", 4))
++      {
++        char emutramp;
++        if (sscanf (buf, "%*s %*c%c", &emutramp) == 1)
++          ret = (emutramp == 'E');
++        break;
++      }
++  free (buf);
++  fclose (f);
++  return ret;
+ }
+ 
+ #define is_emutramp_enabled() (emutramp_enabled >= 0 ? emutramp_enabled \

pkgs/development/libraries/mesa/default.nix

@@ -2,6 +2,7 @@
 , python, libxml2Python, file, expat, makedepend
 , libdrm, xorg, wayland, udev, llvm, libffi
 , libvdpau, libelf
+, grsecEnabled
 , enableTextureFloats ? false # Texture floats are patented, see docs/patents.txt
 , enableExtraFeatures ? false # not maintained
 }:
@@ -41,6 +42,7 @@ stdenv.mkDerivation {
 
   patches = [
     ./static-gallium.patch
+    ./glx_ro_text_segm.patch # fix for grsecurity/PaX
    # TODO: revive ./dricore-gallium.patch when it gets ported (from Ubuntu),
    #  as it saved ~35 MB in $drivers; watch https://launchpad.net/ubuntu/+source/mesa/+changelog
   ];
@@ -79,7 +81,8 @@ stdenv.mkDerivation {
       "--enable-openvg" "--enable-gallium-egl" # not needed for EGL in Gallium, but OpenVG might be useful
       #"--enable-xvmc" # tests segfault with 9.1.{1,2,3}
       #"--enable-opencl" # ToDo: opencl seems to need libclc for clover
-    ];
+    ]
+    ++ optional grsecEnabled "--enable-glx-rts"; # slight performance degradation, enable only for grsec
 
   nativeBuildInputs = [ pkgconfig python makedepend file flex bison ];
 

pkgs/development/libraries/mesa/glx_ro_text_segm.patch

@@ -0,0 +1,25 @@
+diff --git a/configure.ac b/configure.ac
+index 5068913..3d4271e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -429,6 +429,20 @@ AC_SUBST([GLESv2_LIB_GLOB])
+ AC_SUBST([VG_LIB_GLOB])
+ AC_SUBST([GLAPI_LIB_GLOB])
+ 
++
++dnl readonly text segment on x86 hardened platforms
++AC_ARG_ENABLE([glx_rts],
++    [AS_HELP_STRING([--enable-glx-rts],
++        [on x86, use a readonly text segment for libGL @<:@default=disabled@:>@])],
++    [enable_glx_rts="$enableval"],
++    [enable_glx_rts=no])
++if test "x$enable_glx_rts" = xyes; then
++    DEFINES="$DEFINES -DGLX_X86_READONLY_TEXT"
++else
++    enable_glx_rts=no
++fi
++
++
+ dnl
+ dnl Arch/platform-specific settings
+ dnl

pkgs/development/libraries/polkit/default.nix

@@ -58,6 +58,12 @@ stdenv.mkDerivation rec {
 
   makeFlags = "INTROSPECTION_GIRDIR=$(out)/share/gir-1.0 INTROSPECTION_TYPELIBDIR=$(out)/lib/girepository-1.0";
 
+  # The following is required on grsecurity/PaX due to spidermonkey's JIT
+  postBuild = ''
+    paxmark mr src/polkitbackend/.libs/polkitd
+    paxmark mr test/polkitbackend/.libs/polkitbackendjsauthoritytest
+  '';
+
   #doCheck = true; # some /bin/bash problem that isn't auto-solved by patchShebangs
 
   meta = with stdenv.lib; {

pkgs/development/libraries/qimageblitz/default.nix

@@ -7,14 +7,16 @@ in
 
 stdenv.mkDerivation {
   name = "${pn}-${v}";
-  
+
   src = fetchurl {
     url = "mirror://sourceforge/${pn}/${pn}-${v}.tar.bz2";
     sha256 = "0pnaf3qi7rgkxzs2mssmslb3f9ya4cyx09wzwlis3ppyvf72j0p9";
   };
-  
+
   buildInputs = [ cmake qt4 ];
 
+  patches = [ ./qimageblitz-9999-exec-stack.patch ];
+
   meta = {
     description = "Graphical effect and filter library for KDE4";
     license = "BSD";

pkgs/development/libraries/qimageblitz/qimageblitz-9999-exec-stack.patch

@@ -0,0 +1,11 @@
+diff -uar qimageblitz/blitz/asm_scale.S qimageblitz~/blitz/asm_scale.S
+--- qimageblitz-orig/blitz/asm_scale.S	2007-10-17 01:17:57.000000000 +0200
++++ qimageblitz/blitz/asm_scale.S	2007-10-17 01:19:12.000000000 +0200
+@@ -814,3 +814,7 @@
+ SIZE(qimageScale_mmx_AARGBA)
+ 
+ #endif
++#if defined(__linux__) && defined(__ELF__)
++.section .note.GNU-stack,"",%progbits
++#endif
++

pkgs/development/tools/misc/binutils/default.nix

@@ -27,6 +27,11 @@ stdenv.mkDerivation rec {
 
     # Make binutils output deterministic by default.
     ./deterministic.patch
+
+    # Always add PaX flags section to ELF files.
+    # This is needed, for instance, so that running "ldd" on a binary that is
+    # PaX-marked to disable mprotect doesn't fail with permission denied.
+    ./pt-pax-flags-20121023.patch
   ];
 
   buildInputs =

pkgs/misc/emulators/wine/stable.nix

@@ -62,6 +62,9 @@ in stdenv.mkDerivation rec {
     install -D ${gecko} $out/share/wine/gecko/${gecko64.name}
   '' + ''
     install -D ${mono} $out/share/wine/mono/${mono.name}
+
+    paxmark psmr $out/bin/wine{,-preloader}
+
     wrapProgram $out/bin/wine --prefix LD_LIBRARY_PATH : ${stdenv.gcc.gcc}/lib
   '';
 

pkgs/os-specific/linux/spl/const.patch

@@ -0,0 +1,13 @@
+diff --git a/module/spl/spl-proc.c b/module/spl/spl-proc.c
+index f25239a..b731123 100644
+--- a/module/spl/spl-proc.c
++++ b/module/spl/spl-proc.c
+@@ -38,7 +38,7 @@
+ 
+ #define SS_DEBUG_SUBSYS SS_PROC
+ 
+-#if defined(CONSTIFY_PLUGIN) && LINUX_VERSION_CODE >= KERNEL_VERSION(3,8,0)
++#if defined(CONSTIFY_PLUGIN)
+ typedef struct ctl_table __no_const spl_ctl_table;
+ #else
+ typedef struct ctl_table spl_ctl_table;

pkgs/os-specific/linux/spl/default.nix

@@ -7,7 +7,7 @@ stdenv.mkDerivation {
     sha256 = "196scl8q0bkkak6m0p1l1fz254cgsizqm73bf9wk3iynamq7qmrw";
   };
 
-  patches = [ ./install_prefix.patch ./3_12-compat.patch ./3_13-compat-1.patch ./3_13-compat-2.patch ];
+  patches = [ ./install_prefix.patch ./3_12-compat.patch ./3_13-compat-1.patch ./3_13-compat-2.patch ./const.patch ];
 
   buildInputs = [ perl autoconf automake libtool ];
 
@@ -34,7 +34,7 @@ stdenv.mkDerivation {
 
     longDescription = ''
       This kernel module is a porting layer for ZFS to work inside the linux
-      kernel. 
+      kernel.
     '';
 
     homepage = http://zfsonlinux.org/;

pkgs/stdenv/generic/builder.sh

@@ -12,6 +12,7 @@ cat "$setup" >> $out/setup
 sed -e "s^@initialPath@^$initialPath^g" \
     -e "s^@gcc@^$gcc^g" \
     -e "s^@shell@^$shell^g" \
+    -e "s^@needsPax@^$needsPax^g" \
     < $out/setup > $out/setup.tmp
 mv $out/setup.tmp $out/setup
 

pkgs/stdenv/generic/default.nix

@@ -10,6 +10,8 @@ let lib = import ../../../lib; in lib.makeOverridable (
 , setupScript ? ./setup.sh
 
 , extraBuildInputs ? []
+
+, skipPaxMarking ? false
 }:
 
 let
@@ -29,11 +31,19 @@ let
       builder = shell;
 
       args = ["-e" ./builder.sh];
+      /* TODO: special-cased @var@ substitutions are ugly.
+          However, using substituteAll* from setup.sh seems difficult,
+          as setup.sh can't be directly sourced.
+          Suggestion: split similar utility functions into a separate script.
+      */
 
       setup = setupScript;
 
       inherit preHook initialPath gcc shell;
 
+      # Whether we should run paxctl to pax-mark binaries
+      needsPax = result.isLinux && !skipPaxMarking;
+
       propagatedUserEnvPkgs = [gcc] ++
         lib.filter lib.isDerivation initialPath;
 

pkgs/stdenv/generic/setup.sh

@@ -93,6 +93,7 @@ PATH=
 for i in $NIX_GCC @initialPath@; do
     if [ "$i" = / ]; then i=; fi
     addToSearchPath PATH $i/bin
+    addToSearchPath PATH $i/sbin
 done
 
 if [ "$NIX_DEBUG" = 1 ]; then
@@ -293,6 +294,18 @@ stripDirs() {
     fi
 }
 
+# PaX-mark binaries
+paxmark() {
+    local flags="$1"
+    shift
+
+    if [ -z "@needsPax@" ]; then
+        return
+    fi
+
+    paxctl -c "$@"
+    paxctl -zex -${flags} "$@"
+}
 
 ######################################################################
 # Textual substitution functions.

pkgs/stdenv/linux/default.nix

@@ -210,6 +210,7 @@ rec {
     extraAttrs = {
       glibc = stdenvLinuxGlibc;   # Required by gcc47 build
     };
+    extraPath = [ stdenvLinuxBoot1Pkgs.paxctl ];
     inherit fetchurl;
   };
 
@@ -268,7 +269,7 @@ rec {
 
     initialPath =
       ((import ../common-path.nix) {pkgs = stdenvLinuxBoot4Pkgs;})
-      ++ [stdenvLinuxBoot4Pkgs.patchelf];
+      ++ [stdenvLinuxBoot4Pkgs.patchelf stdenvLinuxBoot4Pkgs.paxctl ];
 
     gcc = wrapGCC rec {
       inherit (stdenvLinuxBoot4Pkgs) binutils coreutils;
@@ -295,7 +296,7 @@ rec {
       inherit (stdenvLinuxBoot4Pkgs)
         gzip bzip2 xz bash coreutils diffutils findutils gawk
         gnumake gnused gnutar gnugrep gnupatch patchelf
-        attr acl;
+        attr acl paxctl;
     };
   };
 

pkgs/tools/misc/grub/2.0x.nix

@@ -68,6 +68,10 @@ stdenv.mkDerivation rec {
   doCheck = false;
   enableParallelBuilding = true;
 
+  postInstall = ''
+    paxmark pms $out/sbin/grub-{probe,bios-setup}
+  '';
+
   meta = {
     description = "GNU GRUB, the Grand Unified Boot Loader (2.x beta)";
 

pkgs/top-level/all-packages.nix

@@ -5504,11 +5504,18 @@ let
 
   mesaSupported = lib.elem system lib.platforms.mesaPlatforms;
 
-  mesa_original = callPackage ../development/libraries/mesa { };
+  mesa_original = callPackage ../development/libraries/mesa {
+    # makes it slower, but during runtime we link against just mesa_drivers
+    # through /run/opengl-driver*, which is overriden according to config.grsecurity
+    grsecEnabled = true;
+  };
+
   mesa_noglu = if stdenv.isDarwin
     then darwinX11AndOpenGL // { driverLink = mesa_noglu; }
     else mesa_original;
-  mesa_drivers = mesa_original.drivers;
+  mesa_drivers = let
+      mo = mesa_original.override { grsecEnabled = config.grsecurity or false; };
+    in mo.drivers;
   mesa_glu = callPackage ../development/libraries/mesa-glu { };
   mesa = if stdenv.isDarwin then darwinX11AndOpenGL
     else buildEnv {