treewide: remove paxutils from stdenv

More then one year ago we removed grsecurity kernels from nixpkgs:
https://github.com/NixOS/nixpkgs/pull/25277

This removes now also paxutils from stdenv.

doc/stdenv.xml

@@ -2433,30 +2433,6 @@ addEnvHooks "$hostOffset" myBashFunction
       </para>
      </listitem>
     </varlistentry>
-    <varlistentry>
-     <term>
-      paxctl
-     </term>
-     <listitem>
-      <para>
-       Defines the <varname>paxmark</varname> helper for setting per-executable
-       PaX flags on Linux (where it is available by default; on all other
-       platforms, <varname>paxmark</varname> is a no-op). For example, to
-       disable secure memory protections on the executable
-       <replaceable>foo</replaceable>
-<programlisting>
-      postFixup = ''
-        paxmark m $out/bin/<replaceable>foo</replaceable>
-      '';
-    </programlisting>
-       The <literal>m</literal> flag is the most common flag and is typically
-       required for applications that employ JIT compilation or otherwise need
-       to execute code generated at run-time. Disabling PaX protections should
-       be considered a last resort: if possible, problematic features should be
-       disabled or patched to work with PaX.
-      </para>
-     </listitem>
-    </varlistentry>
     <varlistentry>
      <term>
       autoPatchelfHook

pkgs/applications/altcoins/parity-ui/default.nix

@@ -34,8 +34,6 @@ in stdenv.mkDerivation rec {
 
     find $out/share/parity-ui -name "*.node" -exec patchelf --set-rpath "${uiEnv.libPath}:$out/share/parity-ui" {} \;
 
-    paxmark m $out/share/parity-ui/parity-ui
-
     mkdir -p $out/bin
     ln -s $out/share/parity-ui/parity-ui $out/bin/parity-ui
   '';

pkgs/applications/editors/atom/default.nix

@@ -70,9 +70,6 @@ let
       ln -s ${pkgs.git}/bin/git $dugite/git/libexec/git-core/git
 
       find $share -name "*.node" -exec patchelf --set-rpath "${atomEnv.libPath}:$share" {} \;
-
-      paxmark m $share/atom
-      paxmark m $share/resources/app/apm/bin/node
     '';
 
     meta = with stdenv.lib; {

pkgs/applications/networking/browsers/chromium/common.nix

@@ -282,8 +282,6 @@ let
           MENUNAME="Chromium"
           process_template chrome/app/resources/manpage.1.in "${buildPath}/chrome.1"
         )
-      '' + optionalString (target == "mksnapshot" || target == "chrome") ''
-        paxmark m "${buildPath}/${target}"
       '';
       targets = extraAttrs.buildTargets or [];
       commands = map buildCommand targets;

pkgs/applications/networking/browsers/firefox/common.nix

@@ -263,20 +263,12 @@ stdenv.mkDerivation rec {
   enableParallelBuilding = true;
   doCheck = false; # "--disable-tests" above
 
-  preInstall = ''
-    # The following is needed for startup cache creation on grsecurity kernels.
-    paxmark m dist/bin/xpcshell
-  '';
-
   installPhase = if stdenv.isDarwin then ''
     mkdir -p $out/Applications
     cp -LR dist/Firefox.app $out/Applications
   '' else null;
 
   postInstall = lib.optionalString stdenv.isLinux ''
-    # For grsecurity kernels
-    paxmark m $out/lib/firefox*/{firefox,firefox-bin,plugin-container}
-
     # Remove SDK cruft. FIXME: move to a separate output?
     rm -rf $out/share/idl $out/include $out/lib/firefox-devel-*
 

pkgs/applications/networking/instant-messengers/discord/default.nix

@@ -32,8 +32,6 @@ stdenv.mkDerivation rec {
         patchelf --set-interpreter ${stdenv.cc.bintools.dynamicLinker} \
                  $out/opt/discord/Discord
 
-        paxmark m $out/opt/discord/Discord
-
         wrapProgram $out/opt/discord/Discord --prefix LD_LIBRARY_PATH : ${libPath}
 
         ln -s $out/opt/discord/Discord $out/bin/

pkgs/applications/networking/instant-messengers/franz/default.nix

@@ -54,7 +54,6 @@ in stdenv.mkDerivation rec {
   '';
 
   postFixup = ''
-    paxmark m $out/opt/franz/Franz
     wrapProgram $out/opt/franz/Franz --prefix PATH : ${xdg_utils}/bin
   '';
 

pkgs/applications/networking/instant-messengers/wavebox/default.nix

@@ -52,7 +52,6 @@ in stdenv.mkDerivation rec {
   '';
 
   postFixup = ''
-    paxmark m $out/opt/wavebox/Wavebox
     makeWrapper $out/opt/wavebox/Wavebox $out/bin/wavebox \
       --prefix PATH : ${xdg_utils}/bin
   '';

pkgs/applications/networking/mailreaders/thunderbird/default.nix

@@ -100,7 +100,7 @@ in stdenv.mkDerivation rec {
     ''
       cxxLib=$( echo -n ${gcc}/include/c++/* )
       archLib=$cxxLib/$( ${gcc}/bin/gcc -dumpmachine )
-  
+
       test -f layout/style/ServoBindings.toml && sed -i -e '/"-DRUST_BINDGEN"/ a , "-cxx-isystem", "'$cxxLib'", "-isystem", "'$archLib'"' layout/style/ServoBindings.toml
 
       configureScript="$(realpath ./configure)"
@@ -108,18 +108,9 @@ in stdenv.mkDerivation rec {
       cd ../objdir
     '';
 
-  preInstall =
-    ''
-      # The following is needed for startup cache creation on grsecurity kernels.
-      paxmark m ../objdir/dist/bin/xpcshell
-    '';
-
   dontWrapGApps = true; # we do it ourselves
   postInstall =
     ''
-      # For grsecurity kernels
-      paxmark m $out/lib/thunderbird/thunderbird
-
       # TODO: Move to a dev output?
       rm -rf $out/include $out/lib/thunderbird-devel-* $out/share/idl
 

pkgs/applications/office/mendeley/default.nix

@@ -112,7 +112,6 @@ stdenv.mkDerivation {
     patchelf --set-interpreter $interpreter \
              --set-rpath ${stdenv.lib.makeLibraryPath deps}:$out/lib \
              $out/bin/mendeleydesktop
-    paxmark m $out/bin/mendeleydesktop
 
     wrapProgram $out/bin/mendeleydesktop \
       --add-flags "--unix-distro-build" \

pkgs/applications/virtualization/qemu/default.nix

@@ -125,9 +125,6 @@ stdenv.mkDerivation rec {
 
   postFixup =
     ''
-      for exe in $out/bin/qemu-system-* ; do
-        paxmark m $exe
-      done
       # copy qemu-ga (guest agent) to separate output
       mkdir -p $ga/bin
       cp $out/bin/qemu-ga $ga/bin/

pkgs/development/compilers/adoptopenjdk-bin/jdk-linux-base.nix

@@ -61,14 +61,6 @@ let result = stdenv.mkDerivation rec {
   installPhase = ''
     cd ..
 
-    # Set PaX markings
-    exes=$(file $sourceRoot/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
-    for file in $exes; do
-      paxmark m "$file"
-      # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
-      ${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''}
-    done
-
     mv $sourceRoot $out
 
     rm -rf $out/demo

pkgs/development/compilers/gcc/builder.sh

@@ -282,11 +282,6 @@ postInstall() {
         fi
     done
 
-    # Disable RANDMMAP on grsec, which causes segfaults when using
-    # precompiled headers.
-    # See https://bugs.gentoo.org/show_bug.cgi?id=301299#c31
-    paxmark r $out/libexec/gcc/*/*/{cc1,cc1plus}
-
     # Two identical man pages are shipped (moving and compressing is done later)
     ln -sf gcc.1 "$out"/share/man/man1/g++.1
 }

pkgs/development/compilers/ghc/8.2.2-binary.nix

@@ -105,8 +105,6 @@ stdenv.mkDerivation rec {
           --replace-needed libtinfo.so libtinfo.so.5 \
           --interpreter ${glibcDynLinker} {} \;
 
-      paxmark m ./ghc-${version}/ghc/stage2/build/tmp/ghc-stage2
-
       sed -i "s|/usr/bin/perl|perl\x00        |" ghc-${version}/ghc/stage2/build/tmp/ghc-stage2
       sed -i "s|/usr/bin/gcc|gcc\x00        |" ghc-${version}/ghc/stage2/build/tmp/ghc-stage2
     '';

pkgs/development/compilers/ghc/8.2.2.nix

@@ -238,11 +238,6 @@ stdenv.mkDerivation (rec {
   hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
 
   postInstall = ''
-    for bin in "$out"/lib/${name}/bin/*; do
-      isELF "$bin" || continue
-      paxmark m "$bin"
-    done
-
     # Install the bash completion file.
     install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
 

pkgs/development/compilers/ghc/8.4.4.nix

@@ -214,11 +214,6 @@ stdenv.mkDerivation (rec {
   hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
 
   postInstall = ''
-    for bin in "$out"/lib/${name}/bin/*; do
-      isELF "$bin" || continue
-      paxmark m "$bin"
-    done
-
     # Install the bash completion file.
     install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
 

pkgs/development/compilers/ghc/8.6.1.nix

@@ -195,11 +195,6 @@ stdenv.mkDerivation (rec {
   hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
 
   postInstall = ''
-    for bin in "$out"/lib/${name}/bin/*; do
-      isELF "$bin" || continue
-      paxmark m "$bin"
-    done
-
     # Install the bash completion file.
     install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
 

pkgs/development/compilers/ghc/8.6.2.nix

@@ -195,11 +195,6 @@ stdenv.mkDerivation (rec {
   hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
 
   postInstall = ''
-    for bin in "$out"/lib/${name}/bin/*; do
-      isELF "$bin" || continue
-      paxmark m "$bin"
-    done
-
     # Install the bash completion file.
     install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
 

pkgs/development/compilers/ghc/8.6.3.nix

@@ -192,11 +192,6 @@ stdenv.mkDerivation (rec {
   hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
 
   postInstall = ''
-    for bin in "$out"/lib/${name}/bin/*; do
-      isELF "$bin" || continue
-      paxmark m "$bin"
-    done
-
     # Install the bash completion file.
     install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
 

pkgs/development/compilers/ghc/head.nix

@@ -177,11 +177,6 @@ stdenv.mkDerivation (rec {
   hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
 
   postInstall = ''
-    for bin in "$out"/lib/${name}/bin/*; do
-      isELF "$bin" || continue
-      paxmark m "$bin"
-    done
-
     # Install the bash completion file.
     install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
 

pkgs/development/compilers/jetbrains-jdk/default.nix

@@ -25,11 +25,6 @@ let drv = stdenv.mkDerivation rec {
   installPhase = ''
     cd ..
 
-    exes=$(file $sourceRoot/bin/* $sourceRoot/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
-    for file in $exes; do
-      paxmark m "$file"
-    done
-
     mv $sourceRoot $out
     jrePath=$out/jre
   '';

pkgs/development/compilers/julia/0004-hardened.patch

@@ -1,25 +0,0 @@
-From eddb251a00ace6e63e32e7dcb9e1ec632cac14e0 Mon Sep 17 00:00:00 2001
-From: Will Dietz <w@wdtz.org>
-Date: Wed, 1 Feb 2017 06:09:49 -0600
-Subject: [PATCH] Set pax flags on julia binaries to disable memory protection.
-
----
- Makefile | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/Makefile b/Makefile
-index 0e28cc87b..aab8cfa8d 100644
---- a/Makefile
-+++ b/Makefile
-@@ -91,6 +91,8 @@ julia-src-release julia-src-debug : julia-src-% : julia-deps julia_flisp.boot.in
- 
- julia-ui-release julia-ui-debug : julia-ui-% : julia-src-%
- 	@$(MAKE) $(QUIET_MAKE) -C $(BUILDROOT)/ui julia-$*
-+	@echo "setting PaX flags on $(JULIA_EXECUTABLE_$*)"
-+	@paxctl -czexm $(JULIA_EXECUTABLE_$*)
- 
- julia-inference : julia-base julia-ui-$(JULIA_BUILD_MODE) $(build_prefix)/.examples
- 	@$(MAKE) $(QUIET_MAKE) -C $(BUILDROOT) $(build_private_libdir)/inference.ji JULIA_BUILD_MODE=$(JULIA_BUILD_MODE)
--- 
-2.11.0
-

pkgs/development/compilers/julia/default.nix

@@ -1,6 +1,6 @@
 { stdenv, fetchurl, fetchzip
 # build tools
-, gfortran, m4, makeWrapper, patchelf, perl, which, python2, paxctl
+, gfortran, m4, makeWrapper, patchelf, perl, which, python2
 # libjulia dependencies
 , libunwind, readline, utf8proc, zlib
 , llvm
@@ -75,7 +75,7 @@ stdenv.mkDerivation rec {
   patches = [
     ./0001.1-use-system-utf8proc.patch
     ./0002-use-system-suitesparse.patch
-  ] ++ stdenv.lib.optional stdenv.needsPax ./0004-hardened.patch;
+  ];
 
   postPatch = ''
     patchShebangs . contrib
@@ -96,8 +96,7 @@ stdenv.mkDerivation rec {
   ++ stdenv.lib.optionals stdenv.isDarwin [CoreServices ApplicationServices]
   ;
 
-  nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ]
-    ++ stdenv.lib.optional stdenv.needsPax paxctl;
+  nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ];
 
   makeFlags =
     let

pkgs/development/compilers/julia/shared.nix

@@ -5,7 +5,7 @@
 }:
 { stdenv, fetchurl, fetchzip
 # build tools
-, gfortran, m4, makeWrapper, patchelf, perl, which, python2, paxctl
+, gfortran, m4, makeWrapper, patchelf, perl, which, python2
 , llvm, cmake
 # libjulia dependencies
 , libunwind, readline, utf8proc, zlib
@@ -95,7 +95,7 @@ stdenv.mkDerivation rec {
 
   patches = [
     ./0001.1-use-system-utf8proc.patch
-  ] ++ stdenv.lib.optional stdenv.needsPax ./0004-hardened.patch;
+  ];
 
   postPatch = ''
     patchShebangs . contrib
@@ -117,8 +117,7 @@ stdenv.mkDerivation rec {
   ++ stdenv.lib.optionals stdenv.isDarwin [CoreServices ApplicationServices]
   ;
 
-  nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ]
-    ++ stdenv.lib.optional stdenv.needsPax paxctl;
+  nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ];
 
   makeFlags =
     let

pkgs/development/compilers/llvm/3.5/llvm.nix

@@ -81,12 +81,6 @@ in stdenv.mkDerivation rec {
 
   postBuild = ''
     rm -fR $out
-
-    paxmark m bin/{lli,llvm-rtdyld}
-
-    paxmark m unittests/ExecutionEngine/JIT/JITTests
-    paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
-    paxmark m unittests/Support/SupportTests
   '';
 
   enableParallelBuilding = true;

pkgs/development/compilers/llvm/3.7/llvm.nix

@@ -89,8 +89,6 @@ in stdenv.mkDerivation rec {
 
   postBuild = ''
     rm -fR $out
-
-    paxmark m bin/{lli,llvm-rtdyld}
   '';
 
   enableParallelBuilding = true;

pkgs/development/compilers/llvm/3.8/llvm.nix

@@ -97,8 +97,6 @@ in stdenv.mkDerivation rec {
 
   postBuild = ''
     rm -fR $out
-
-    paxmark m bin/{lli,llvm-rtdyld}
   '';
 
   postInstall = stdenv.lib.optionalString (stdenv.isDarwin && enableSharedLibraries) ''

pkgs/development/compilers/llvm/3.9/llvm.nix

@@ -141,8 +141,6 @@ in stdenv.mkDerivation rec {
 
   postBuild = ''
     rm -fR $out
-
-    paxmark m bin/{lli,llvm-rtdyld}
   '';
 
   postInstall = ""

pkgs/development/compilers/llvm/4/llvm.nix

@@ -121,12 +121,6 @@ in stdenv.mkDerivation (rec {
 
   postBuild = ''
     rm -fR $out
-
-    paxmark m bin/{lli,llvm-rtdyld}
-    paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
-    paxmark m unittests/ExecutionEngine/Orc/OrcJITTests
-    paxmark m unittests/Support/SupportTests
-    paxmark m bin/lli-child-target
   '';
 
   preCheck = ''

pkgs/development/compilers/llvm/5/llvm.nix

@@ -98,12 +98,6 @@ in stdenv.mkDerivation (rec {
 
   postBuild = ''
     rm -fR $out
-
-    paxmark m bin/{lli,llvm-rtdyld}
-    paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
-    paxmark m unittests/ExecutionEngine/Orc/OrcJITTests
-    paxmark m unittests/Support/SupportTests
-    paxmark m bin/lli-child-target
   '';
 
   preCheck = ''

pkgs/development/compilers/llvm/6/llvm.nix

@@ -115,12 +115,6 @@ in stdenv.mkDerivation (rec {
 
   postBuild = ''
     rm -fR $out
-
-    paxmark m bin/{lli,llvm-rtdyld}
-    paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
-    paxmark m unittests/ExecutionEngine/Orc/OrcJITTests
-    paxmark m unittests/Support/SupportTests
-    paxmark m bin/lli-child-target
   '';
 
   preCheck = ''

pkgs/development/compilers/llvm/7/llvm.nix

@@ -110,12 +110,6 @@ in stdenv.mkDerivation (rec {
 
   postBuild = ''
     rm -fR $out
-
-    paxmark m bin/{lli,llvm-rtdyld}
-    paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
-    paxmark m unittests/ExecutionEngine/Orc/OrcJITTests
-    paxmark m unittests/Support/SupportTests
-    paxmark m bin/lli-child-target
   '';
 
   preCheck = ''

pkgs/development/compilers/openjdk/11.nix

@@ -21,7 +21,6 @@ let
   update = ".0.1";
   build = "13";
   repover = "jdk-${major}${update}+${build}";
-  paxflags = if stdenv.isi686 then "msp" else "m";
 
   openjdk = stdenv.mkDerivation {
     name = "openjdk-${major}${update}-b${build}";
@@ -106,14 +105,6 @@ let
         rm $out/lib/openjdk/lib/{libjsound,libfontmanager}.so
       ''}
 
-      # Set PaX markings
-      exes=$(file $out/lib/openjdk/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
-      echo "to mark: *$exes*"
-      for file in $exes; do
-        echo "marking *$file*"
-        paxmark ${paxflags} "$file"
-      done
-
       ln -s $out/lib/openjdk/bin $out/bin
     '';
 

pkgs/development/compilers/openjdk/8.nix

@@ -25,7 +25,6 @@ let
   build = "26";
   baseurl = "http://hg.openjdk.java.net/jdk8u/jdk8u";
   repover = "jdk8u${update}-b${build}";
-  paxflags = if stdenv.isi686 then "msp" else "m";
   jdk8 = fetchurl {
              url = "${baseurl}/archive/${repover}.tar.gz";
              sha256 = "1hx5sfsglc101aqs9n7cz7rh447d6rxfxkbw03crvzbvy9n6ag2d";
@@ -176,14 +175,6 @@ let
       rm -rf $out/lib/openjdk/jre/lib/cmm
       ln -s {$jre,$out}/lib/openjdk/jre/lib/cmm
 
-      # Set PaX markings
-      exes=$(file $out/lib/openjdk/bin/* $jre/lib/openjdk/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
-      echo "to mark: *$exes*"
-      for file in $exes; do
-        echo "marking *$file*"
-        paxmark ${paxflags} "$file"
-      done
-
       # Remove duplicate binaries.
       for i in $(cd $out/lib/openjdk/bin && echo *); do
         if [ "$i" = java ]; then continue; fi

pkgs/development/compilers/openjdk/bootstrap.nix

@@ -36,13 +36,5 @@ let
       patchelf --set-interpreter $(cat "${stdenv.cc}/nix-support/dynamic-linker") "$elf" || true
       patchelf --set-rpath "${stdenv.cc.libc}/lib:${stdenv.cc.cc.lib}/lib:${zlib}/lib:$LIBDIRS" "$elf" || true
     done
-
-    # Temporarily, while NixOS's OpenJDK bootstrap tarball doesn't have PaX markings:
-    find "$out/bin" -type f -print0 | while IFS= read -r -d "" elf; do
-      isELF "$elf" || continue
-      paxmark m "$elf"
-      # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
-      ${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$elf"''}
-    done
   '';
 in bootstrap

pkgs/development/compilers/oraclejdk/jdk-linux-base.nix

@@ -93,14 +93,6 @@ let result = stdenv.mkDerivation rec {
   installPhase = ''
     cd ..
 
-    # Set PaX markings
-    exes=$(file $sourceRoot/bin/* $sourceRoot/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
-    for file in $exes; do
-      paxmark m "$file" || true
-      # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
-      ${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''}
-    done
-
     if test -z "$installjdk"; then
       mv $sourceRoot/jre $out
     else

pkgs/development/compilers/swift/default.nix

@@ -27,7 +27,6 @@
 , git
 , libgit2
 , fetchFromGitHub
-, paxctl
 , findutils
 , makeWrapper
 , gnumake
@@ -150,7 +149,7 @@ stdenv.mkDerivation rec {
     findutils
     makeWrapper
     gnumake
-  ] ++ stdenv.lib.optional stdenv.needsPax paxctl;
+  ];
 
   # TODO: Revisit what's propagated and how
   propagatedBuildInputs = [
@@ -218,9 +217,6 @@ stdenv.mkDerivation rec {
     substituteInPlace swift/utils/build-script-impl \
       --replace '/usr/include/c++' "${clang.cc.gcc}/include/c++"
     patch -p1 -d swift -i ${./patches/glibc-arch-headers.patch}
-  '' + stdenv.lib.optionalString stdenv.needsPax ''
-    patch -p1 -d swift -i ${./patches/build-script-pax.patch}
-  '' + ''
     patch -p1 -d swift -i ${./patches/0001-build-presets-linux-don-t-require-using-Ninja.patch}
     patch -p1 -d swift -i ${./patches/0002-build-presets-linux-allow-custom-install-prefix.patch}
     patch -p1 -d swift -i ${./patches/0004-build-presets-linux-plumb-extra-cmake-options.patch}
@@ -266,9 +262,6 @@ stdenv.mkDerivation rec {
     tar xf $INSTALLABLE_PACKAGE -C $out --strip-components=3 $PREFIX
     find $out -type d -empty -delete
 
-    paxmark pmr $out/bin/swift
-    paxmark pmr $out/bin/*
-
     # TODO: Use wrappers to get these on the PATH for swift tools, instead
     ln -s ${clang}/bin/* $out/bin/
     ln -s ${targetPackages.stdenv.cc.bintools.bintools_bin}/bin/ar $out/bin/ar

pkgs/development/compilers/swift/patches/build-script-pax.patch

@@ -1,33 +0,0 @@
---- swift/utils/build-script-impl	2017-01-23 12:47:20.401326309 -0600
-+++ swift-pax/utils/build-script-impl	2017-01-23 13:24:10.339366996 -0600
-@@ -1837,6 +1837,17 @@ function set_lldb_xcodebuild_options() {
-     fi
- }
- 
-+## XXX: Taken from nixpkgs /pkgs/stdenv/generic/setup.sh
-+isELF() {
-+    local fn="$1"
-+    local fd
-+    local magic
-+    exec {fd}< "$fn"
-+    read -n 4 -u $fd magic
-+    exec {fd}<&-
-+    if [[ "$magic" =~ ELF ]]; then return 0; else return 1; fi
-+}
-+
- #
- # Configure and build each product
- #
-@@ -2735,6 +2746,12 @@ for host in "${ALL_HOSTS[@]}"; do
-             fi
- 
-             call "${CMAKE_BUILD[@]}" "${build_dir}" $(cmake_config_opt ${product}) -- "${BUILD_ARGS[@]}" ${build_targets[@]}
-+            
-+						while IFS= read -r -d $'\0' i; do
-+								if ! isELF "$i"; then continue; fi
-+								echo "setting pax flags on $i"
-+								paxctl -czexm "$i" || true
-+						done < <(find "${build_dir}" -executable -type f -wholename "*/bin/*" -print0)
-         fi
-     done
- done

pkgs/development/compilers/terra/default.nix

@@ -51,10 +51,6 @@ stdenv.mkDerivation rec {
   ''
   ;
 
-  postFixup = ''
-    paxmark m $bin/bin/terra
-  '';
-
   buildInputs = with llvmPackages; [ lua llvm clang-unwrapped ncurses ];
 
   meta = with stdenv.lib; {

pkgs/development/compilers/tinycc/default.nix

@@ -33,10 +33,6 @@ stdenv.mkDerivation rec {
   doCheck = true;
   checkTarget = "test";
 
-  postFixup = ''
-    paxmark m $out/bin/tcc
-  '';
-
   meta = {
     description = "Small, fast, and embeddable C compiler and interpreter";
 

pkgs/development/interpreters/python/cpython/2.7/boot.nix

@@ -77,8 +77,6 @@ stdenv.mkDerivation rec {
     ''
       ln -s $out/share/man/man1/{python2.7.1.gz,python.1.gz}
 
-      paxmark E $out/bin/python2.7
-
       rm "$out"/lib/python*/plat-*/regen # refers to glibc.dev
     '';
 

pkgs/development/interpreters/python/cpython/2.7/default.nix

@@ -229,8 +229,6 @@ in stdenv.mkDerivation ({
         ln -s $out/lib/python${majorVersion}/pdb.py $out/bin/pdb${majorVersion}
         ln -s $out/share/man/man1/{python2.7.1.gz,python.1.gz}
 
-        paxmark E $out/bin/python${majorVersion}
-
         # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
         echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py
 

pkgs/development/interpreters/python/cpython/3.5/default.nix

@@ -143,7 +143,6 @@ in stdenv.mkDerivation {
     touch $out/lib/python${majorVersion}/test/__init__.py
 
     ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}"
-    paxmark E $out/bin/python${majorVersion}
 
     # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
     echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py

pkgs/development/interpreters/python/cpython/3.6/default.nix

@@ -164,7 +164,6 @@ in stdenv.mkDerivation {
     touch $out/lib/python${majorVersion}/test/__init__.py
 
     ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}"
-    paxmark E $out/bin/python${majorVersion}
 
     # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
     echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py

pkgs/development/interpreters/python/cpython/3.7/default.nix

@@ -154,7 +154,6 @@ in stdenv.mkDerivation {
     touch $out/lib/python${majorVersion}/test/__init__.py
 
     ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}"
-    paxmark E $out/bin/python${majorVersion}
 
     # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
     echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py

pkgs/development/interpreters/spidermonkey/1.8.5.nix

@@ -44,7 +44,7 @@ stdenv.mkDerivation rec {
   # so the failure of that test does not matter much.
   configureFlags = [ "--enable-threadsafe" "--with-system-nspr" ] ++
     stdenv.lib.optionals (stdenv.hostPlatform.system == "armv5tel-linux") [
-        "--with-cpu-arch=armv5t" 
+        "--with-cpu-arch=armv5t"
         "--disable-tracejit" ];
 
   # hack around a make problem, see https://github.com/NixOS/nixpkgs/issues/1279#issuecomment-29547393
@@ -59,9 +59,6 @@ stdenv.mkDerivation rec {
 
   preCheck = ''
     rm jit-test/tests/sunspider/check-date-format-tofte.js    # https://bugzil.la/600522
-
-    paxmark mr shell/js
-    paxmark mr jsapi-tests/jsapi-tests
   '';
 
   meta = with stdenv.lib; {

pkgs/development/libraries/gstreamer/legacy/gstreamer/default.nix

@@ -36,8 +36,6 @@ stdenv.mkDerivation rec {
   postInstall = ''
     # Hm, apparently --disable-gtk-doc is ignored...
     rm -rf $out/share/gtk-doc
-
-    paxmark m $out/bin/gst-launch* $out/libexec/gstreamer-*/gst-plugin-scanner
   '';
 
   setupHook = ./setup-hook.sh;

pkgs/development/libraries/polkit/default.nix

@@ -72,13 +72,6 @@ stdenv.mkDerivation rec {
 
   makeFlags = "INTROSPECTION_GIRDIR=$(out)/share/gir-1.0 INTROSPECTION_TYPELIBDIR=$(out)/lib/girepository-1.0";
 
-  # The following is required on grsecurity/PaX due to spidermonkey's JIT
-  postBuild = stdenv.lib.optionalString stdenv.isLinux ''
-    paxmark mr src/polkitbackend/.libs/polkitd
-  '' + stdenv.lib.optionalString (stdenv.isLinux && doCheck) ''
-    paxmark mr test/polkitbackend/.libs/polkitbackendjsauthoritytest
-  '';
-
   installFlags=["datadir=$(out)/share" "sysconfdir=$(out)/etc"];
 
   inherit doCheck;

pkgs/development/libraries/qt-5/5.11/default.nix

@@ -61,7 +61,6 @@ let
     qtscript = [ ./qtscript.patch ];
     qtserialport = [ ./qtserialport.patch ];
     qttools = [ ./qttools.patch ];
-    qtwebengine = optional stdenv.needsPax ./qtwebengine-paxmark-mksnapshot.patch;
     qtwebkit = [ ./qtwebkit.patch ];
   };
 

pkgs/development/libraries/qt-5/5.11/qtwebengine-paxmark-mksnapshot.patch

@@ -1,48 +0,0 @@
-diff --git a/src/3rdparty/chromium/v8/src/v8.gyp b/chromium/v8/src/v8.gyp
-index e7e19f5059..934448c7d8 100644
---- a/src/3rdparty/chromium/v8/src/v8.gyp
-+++ b/src/3rdparty/chromium/v8/src/v8.gyp
-@@ -35,6 +35,7 @@
-     'v8_extra_library_files%': [],
-     'v8_experimental_extra_library_files%': [],
-     'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)',
-+    'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)',
-     'v8_os_page_size%': 0,
-   },
-   'includes': ['../gypfiles/toolchain.gypi', '../gypfiles/features.gypi', 'inspector/inspector.gypi'],
-@@ -2576,7 +2577,7 @@
-         ]
-     },
-     {
--      'target_name': 'mksnapshot',
-+      'target_name': 'mksnapshot_u',
-       'type': 'executable',
-       'dependencies': [
-         'v8_base',
-@@ -2606,5 +2607,26 @@
-         }],
-       ],
-     },
-+    {
-+      'target_name': 'mksnapshot',
-+      'type': 'executable',
-+      'dependencies': ['mksnapshot_u'],
-+      'actions': [
-+        {
-+          'action_name': 'paxmark_m_mksnapshot',
-+          'inputs': [
-+            '<(mksnapshot_u_exec)',
-+          ],
-+          'outputs': [
-+            '<(mksnapshot_exec)',
-+          ],
-+          'action': [
-+            'sh',
-+            '-c',
-+            'cp <(mksnapshot_u_exec) <(mksnapshot_exec) && paxctl -czexm <(mksnapshot_exec)',
-+          ],
-+        },
-+      ],
-+    },
-   ],
- }

pkgs/development/libraries/qt-5/5.6/default.nix

@@ -51,8 +51,7 @@ let
     qtscript = [ ./qtscript.patch ];
     qtserialport = [ ./qtserialport.patch ];
     qttools = [ ./qttools.patch ];
-    qtwebengine = [ ./qtwebengine-seccomp.patch ]
-      ++ optional stdenv.needsPax ./qtwebengine-paxmark-mksnapshot.patch;
+    qtwebengine = [ ./qtwebengine-seccomp.patch ];
     qtwebkit = [ ./qtwebkit.patch ];
   };
 

pkgs/development/libraries/qt-5/5.6/qtwebengine-paxmark-mksnapshot.patch

@@ -1,46 +0,0 @@
---- qtwebengine-opensource-src-5.6.0-orig/src/3rdparty/chromium/v8/tools/gyp/v8.gyp	2016-03-04 01:48:36.000000000 +1100
-+++ qtwebengine-opensource-src-5.6.0/src/3rdparty/chromium/v8/tools/gyp/v8.gyp	2016-05-01 19:15:44.052770543 +1000
-@@ -33,6 +33,7 @@
-     'embed_script%': "",
-     'v8_extra_library_files%': [],
-     'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)',
-+    'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)',
-     'remove_v8base_debug_symbols%': 0,
-   },
-   'includes': ['../../build/toolchain.gypi', '../../build/features.gypi'],
-@@ -1913,7 +1914,7 @@
-         ]
-     },
-     {
--      'target_name': 'mksnapshot',
-+      'target_name': 'mksnapshot_u',
-       'type': 'executable',
-       'dependencies': ['v8_base', 'v8_nosnapshot', 'v8_libplatform'],
-       'include_dirs+': [
-@@ -1936,5 +1937,26 @@
-         }],
-       ],
-     },
-+    {
-+      'target_name': 'mksnapshot',
-+      'type': 'executable',
-+      'dependencies': ['mksnapshot_u'],
-+      'actions': [
-+        {
-+          'action_name': 'paxmark_m_mksnapshot',
-+          'inputs': [
-+            '<(mksnapshot_u_exec)',
-+          ],
-+          'outputs': [
-+            '<(mksnapshot_exec)',
-+          ],
-+          'action': [
-+            'sh',
-+            '-c',
-+            'cp <(mksnapshot_u_exec) <(mksnapshot_exec) && paxctl -czexm <(mksnapshot_exec)',
-+          ],
-+        },
-+      ],
-+    },
-   ],
- }

pkgs/development/libraries/qt-5/5.9/default.nix

@@ -43,7 +43,6 @@ let
     qtscript = [ ./qtscript.patch ];
     qtserialport = [ ./qtserialport.patch ];
     qttools = [ ./qttools.patch ];
-    qtwebengine = optional stdenv.needsPax ./qtwebengine-paxmark-mksnapshot.patch;
     qtwebkit = [ ./qtwebkit.patch ];
   };
 

pkgs/development/libraries/qt-5/5.9/qtwebengine-paxmark-mksnapshot.patch

@@ -1,48 +0,0 @@
-Index: qtwebengine-opensource-src-5.9.0/src/3rdparty/chromium/v8/src/v8.gyp
-===================================================================
---- qtwebengine-opensource-src-5.9.0.orig/src/3rdparty/chromium/v8/src/v8.gyp
-+++ qtwebengine-opensource-src-5.9.0/src/3rdparty/chromium/v8/src/v8.gyp
-@@ -36,6 +36,7 @@
-     'v8_experimental_extra_library_files%': [],
-     'v8_enable_inspector%': 0,
-     'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)',
-+    'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)',
-     'mkpeephole_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mkpeephole<(EXECUTABLE_SUFFIX)',
-     'v8_os_page_size%': 0,
-   },
-@@ -2432,7 +2433,7 @@
-         ]
-     },
-     {
--      'target_name': 'mksnapshot',
-+      'target_name': 'mksnapshot_u',
-       'type': 'executable',
-       'dependencies': [
-         'v8_base',
-@@ -2485,5 +2486,26 @@
-         }],
-       ],
-     },
-+    {
-+      'target_name': 'mksnapshot',
-+      'type': 'executable',
-+      'dependencies': ['mksnapshot_u'],
-+      'actions': [
-+        {
-+          'action_name': 'paxmark_m_mksnapshot',
-+          'inputs': [
-+            '<(mksnapshot_u_exec)',
-+          ],
-+          'outputs': [
-+            '<(mksnapshot_exec)',
-+          ],
-+          'action': [
-+            'sh',
-+            '-c',
-+            'cp <(mksnapshot_u_exec) <(mksnapshot_exec) && paxctl -czexm <(mksnapshot_exec)',
-+          ],
-+        },
-+      ],
-+    },
-   ],
- }

pkgs/development/libraries/qt-5/modules/qtwebengine.nix

@@ -14,7 +14,7 @@
 , enableProprietaryCodecs ? true
 , gn, darwin, openbsm
 , ffmpeg ? null
-, lib, stdenv # lib.optional, needsPax
+, lib, stdenv
 }:
 
 with stdenv.lib;
@@ -181,7 +181,6 @@ EOF
     [Paths]
     Prefix = ..
     EOF
-    paxmark m $out/libexec/QtWebEngineProcess
   '';
 
   meta = with lib; {

pkgs/development/tools/analysis/valgrind/default.nix

@@ -73,8 +73,6 @@ stdenv.mkDerivation rec {
         --replace 'obj:/usr/X11R6/lib' 'obj:*/lib' \
         --replace 'obj:/usr/lib' 'obj:*/lib'
     done
-
-    paxmark m $out/lib/valgrind/*-*-linux
   '';
 
   meta = {

pkgs/development/tools/misc/binutils/default.nix

@@ -33,11 +33,6 @@ stdenv.mkDerivation rec {
     # Make binutils output deterministic by default.
     ./deterministic.patch
 
-    # Always add PaX flags section to ELF files.
-    # This is needed, for instance, so that running "ldd" on a binary that is
-    # PaX-marked to disable mprotect doesn't fail with permission denied.
-    ./pt-pax-flags.patch
-
     # Bfd looks in BINDIR/../lib for some plugins that don't
     # exist. This is pointless (since users can't install plugins
     # there) and causes a cycle between the lib and bin outputs, so

pkgs/development/tools/misc/binutils/pt-pax-flags.patch

@@ -1,233 +0,0 @@
---- binutils-2.15.94.0.2.2.orig/bfd/elf-bfd.h	2005-02-07 20:42:44.000000000 +0100
-+++ binutils-2.15.94.0.2.2/bfd/elf-bfd.h	2005-02-20 13:13:17.362558200 +0100
-@@ -1266,6 +1266,9 @@
-   /* Should the PT_GNU_RELRO segment be emitted?  */
-   bfd_boolean relro;
- 
-+  /* Segment flags for the PT_PAX_FLAGS segment.  */
-+  unsigned int pax_flags;
-+
-   /* Symbol version definitions in external objects.  */
-   Elf_Internal_Verdef *verdef;
- 
---- binutils-2.17.50.0.18/bfd/elf.c.orig	2007-08-01 11:12:02.000000000 -0400
-+++ binutils-2.17.50.0.18/bfd/elf.c	2007-08-01 14:27:36.086986774 -0400
-@@ -1085,6 +1085,7 @@
-     case PT_GNU_EH_FRAME: pt = "EH_FRAME"; break;
-     case PT_GNU_STACK: pt = "STACK"; break;
-     case PT_GNU_RELRO: pt = "RELRO"; break;
-+    case PT_PAX_FLAGS: pt = "PAX_FLAGS"; break;
-     default: pt = NULL; break;
-     }
-   return pt;
-@@ -2346,6 +2347,9 @@
-     case PT_GNU_RELRO:
-       return _bfd_elf_make_section_from_phdr (abfd, hdr, hdr_index, "relro");
- 
-+    case PT_PAX_FLAGS:
-+      return _bfd_elf_make_section_from_phdr (abfd, hdr, hdr_index, "pax_flags");
-+
-     default:
-       /* Check for any processor-specific program segment types.  */
-       bed = get_elf_backend_data (abfd);
-@@ -3326,6 +3330,11 @@
-       ++segs;
-     }
- 
-+    {
-+      /* We need a PT_PAX_FLAGS segment.  */
-+      ++segs;
-+    }
-+
-   for (s = abfd->sections; s != NULL; s = s->next)
-     {
-       if ((s->flags & SEC_LOAD) != 0
-@@ -3945,6 +3954,20 @@
- 	  pm = &m->next;
- 	}
- 
-+      {
-+        amt = sizeof (struct elf_segment_map);
-+        m = bfd_zalloc (abfd, amt);
-+        if (m == NULL)
-+  	goto error_return;
-+        m->next = NULL;
-+        m->p_type = PT_PAX_FLAGS;
-+        m->p_flags = elf_tdata (abfd)->pax_flags;
-+        m->p_flags_valid = 1;
-+  
-+        *pm = m;
-+        pm = &m->next;
-+      }
-+
-       free (sections);
-       elf_tdata (abfd)->segment_map = mfirst;
-     }
-@@ -5129,7 +5152,8 @@
-        5. PT_GNU_STACK segments do not include any sections.
-        6. PT_TLS segment includes only SHF_TLS sections.
-        7. SHF_TLS sections are only in PT_TLS or PT_LOAD segments.
--       8. PT_DYNAMIC should not contain empty sections at the beginning
-+       8. PT_PAX_FLAGS segments do not include any sections.
-+       9. PT_DYNAMIC should not contain empty sections at the beginning
- 	  (with the possible exception of .dynamic).  */
- #define IS_SECTION_IN_INPUT_SEGMENT(section, segment, bed)		\
-   ((((segment->p_paddr							\
-@@ -5138,6 +5162,7 @@
-      && (section->flags & SEC_ALLOC) != 0)				\
-     || IS_COREFILE_NOTE (segment, section))				\
-    && segment->p_type != PT_GNU_STACK					\
-+   && segment->p_type != PT_PAX_FLAGS					\
-    && (segment->p_type != PT_TLS					\
-        || (section->flags & SEC_THREAD_LOCAL))				\
-    && (segment->p_type == PT_LOAD					\
---- binutils-2.23.52.0.1/bfd/elflink.c.orig	2013-02-27 21:28:03.000000000 +0100
-+++ binutils-2.23.52.0.1/bfd/elflink.c	2013-03-01 17:32:44.922717879 +0100
-@@ -5764,18 +5764,32 @@
-       && ! (*bed->elf_backend_always_size_sections) (output_bfd, info))
-     return FALSE;
- 
-+  elf_tdata (output_bfd)->pax_flags = PF_NORANDEXEC;
-+
-+  if (info->execheap)
-+    elf_tdata (output_bfd)->pax_flags |= PF_NOMPROTECT;
-+  else if (info->noexecheap)
-+    elf_tdata (output_bfd)->pax_flags |= PF_MPROTECT;
-+
-   /* Determine any GNU_STACK segment requirements, after the backend
-      has had a chance to set a default segment size.  */
-   if (info->execstack)
-+  {
-     elf_stack_flags (output_bfd) = PF_R | PF_W | PF_X;
-+    elf_tdata (output_bfd)->pax_flags |= PF_EMUTRAMP;
-+  }
-   else if (info->noexecstack)
-+  {
-     elf_stack_flags (output_bfd) = PF_R | PF_W;
-+    elf_tdata (output_bfd)->pax_flags |= PF_NOEMUTRAMP;
-+  }
-   else
-     {
-       bfd *inputobj;
-       asection *notesec = NULL;
-       int exec = 0;
- 
-+      elf_tdata (output_bfd)->pax_flags |= PF_NOEMUTRAMP;
-       for (inputobj = info->input_bfds;
- 	   inputobj;
- 	   inputobj = inputobj->link_next)
-@@ -5789,7 +5803,11 @@
- 	  if (s)
- 	    {
- 	      if (s->flags & SEC_CODE)
--		exec = PF_X;
-+		{
-+		  elf_tdata (output_bfd)->pax_flags &= ~PF_NOEMUTRAMP;
-+		  elf_tdata (output_bfd)->pax_flags |= PF_EMUTRAMP;
-+		  exec = PF_X;
-+		}
- 	      notesec = s;
- 	    }
- 	  else if (bed->default_execstack)
---- binutils-2.15.94.0.2.2.orig/binutils/readelf.c	2005-02-18 07:14:30.000000000 +0100
-+++ binutils-2.15.94.0.2.2/binutils/readelf.c	2005-02-20 13:13:17.470541784 +0100
-@@ -2293,6 +2293,7 @@
- 			return "GNU_EH_FRAME";
-     case PT_GNU_STACK:	return "GNU_STACK";
-     case PT_GNU_RELRO:  return "GNU_RELRO";
-+    case PT_PAX_FLAGS:	return "PAX_FLAGS";
- 
-     default:
-       if ((p_type >= PT_LOPROC) && (p_type <= PT_HIPROC))
---- binutils-2.15.94.0.2.2.orig/include/bfdlink.h	2004-11-22 21:33:32.000000000 +0100
-+++ binutils-2.15.94.0.2.2/include/bfdlink.h	2005-02-20 13:13:17.476540872 +0100
-@@ -313,6 +313,14 @@
-      flags.  */
-   unsigned int noexecstack: 1;
- 
-+  /* TRUE if PT_PAX_FLAGS segment should be created with PF_NOMPROTECT
-+     flags.  */
-+  unsigned int execheap: 1;
-+
-+  /* TRUE if PT_PAX_FLAGS segment should be created with PF_MPROTECT
-+     flags.  */
-+  unsigned int noexecheap: 1;
-+
-   /* TRUE if PT_GNU_RELRO segment should be created.  */
-   unsigned int relro: 1;
- 
---- binutils-2.15.94.0.2.2.orig/include/elf/common.h	2004-11-22 21:33:32.000000000 +0100
-+++ binutils-2.15.94.0.2.2/include/elf/common.h	2005-02-20 13:13:17.482539960 +0100
-@@ -423,6 +423,7 @@
- #define PT_SUNW_EH_FRAME PT_GNU_EH_FRAME      /* Solaris uses the same value */
- #define PT_GNU_STACK	(PT_LOOS + 0x474e551) /* Stack flags */
- #define PT_GNU_RELRO	(PT_LOOS + 0x474e552) /* Read-only after relocation */
-+#define PT_PAX_FLAGS   (PT_LOOS + 0x5041580) /* PaX flags */
- 
- /* Program segment permissions, in program header p_flags field.  */
- 
-@@ -433,6 +434,19 @@
- #define PF_MASKOS	0x0FF00000	/* New value, Oct 4, 1999 Draft */
- #define PF_MASKPROC	0xF0000000	/* Processor-specific reserved bits */
- 
-+#define PF_PAGEEXEC        (1 << 4)    /* Enable  PAGEEXEC */
-+#define PF_NOPAGEEXEC  (1 << 5)    /* Disable PAGEEXEC */
-+#define PF_SEGMEXEC        (1 << 6)    /* Enable  SEGMEXEC */
-+#define PF_NOSEGMEXEC  (1 << 7)    /* Disable SEGMEXEC */
-+#define PF_MPROTECT        (1 << 8)    /* Enable  MPROTECT */
-+#define PF_NOMPROTECT  (1 << 9)    /* Disable MPROTECT */
-+#define PF_RANDEXEC        (1 << 10)   /* Enable  RANDEXEC */
-+#define PF_NORANDEXEC  (1 << 11)   /* Disable RANDEXEC */
-+#define PF_EMUTRAMP        (1 << 12)   /* Enable  EMUTRAMP */
-+#define PF_NOEMUTRAMP  (1 << 13)   /* Disable EMUTRAMP */
-+#define PF_RANDMMAP        (1 << 14)   /* Enable  RANDMMAP */
-+#define PF_NORANDMMAP  (1 << 15)   /* Disable RANDMMAP */
-+
- /* Values for section header, sh_type field.  */
- 
- #define SHT_NULL	0		/* Section header table entry unused */
---- binutils-2.18.50.0.1/ld/emultempl/elf32.em.orig	2007-09-08 19:34:12.000000000 +0200
-+++ binutils-2.18.50.0.1/ld/emultempl/elf32.em	2007-09-15 21:41:35.688212063 +0200
-@@ -2139,6 +2139,16 @@
- 	  link_info.noexecstack = TRUE;
- 	  link_info.execstack = FALSE;
- 	}
-+      else if (strcmp (optarg, "execheap") == 0)
-+	{
-+	  link_info.execheap = TRUE;
-+	  link_info.noexecheap = FALSE;
-+	}
-+      else if (strcmp (optarg, "noexecheap") == 0)
-+	{
-+	  link_info.noexecheap = TRUE;
-+	  link_info.execheap = FALSE;
-+	}
- EOF
- 
-   if test -n "$COMMONPAGESIZE"; then
---- binutils-2.15.94.0.2.2.orig/ld/ldgram.y	2004-11-22 21:33:32.000000000 +0100
-+++ binutils-2.15.94.0.2.2/ld/ldgram.y	2005-02-20 13:13:17.499537376 +0100
-@@ -1073,6 +1073,8 @@
- 			    $$ = exp_intop (0x6474e550);
- 			  else if (strcmp (s, "PT_GNU_STACK") == 0)
- 			    $$ = exp_intop (0x6474e551);
-+			  else if (strcmp (s, "PT_PAX_FLAGS") == 0)
-+			    $$ = exp_intop (0x65041580);
- 			  else
- 			    {
- 			      einfo (_("\
---- binutils-2.26/ld/lexsup.c.orig	2015-11-13 09:27:42.000000000 +0100
-+++ binutils-2.26/ld/lexsup.c	2016-01-26 21:08:41.787138458 +0100
-@@ -1793,8 +1793,12 @@
-   fprintf (file, _("\
-   -z muldefs                  Allow multiple definitions\n"));
-   fprintf (file, _("\
-+  -z execheap                 Mark executable as requiring executable heap\n"));
-+  fprintf (file, _("\
-   -z execstack                Mark executable as requiring executable stack\n"));
-   fprintf (file, _("\
-+  -z noexecheap               Mark executable as not requiring executable heap\n"));
-+  fprintf (file, _("\
-   -z noexecstack              Mark executable as not requiring executable stack\n"));
- }
- 

pkgs/development/web/nodejs/nodejs.nix

@@ -88,7 +88,6 @@ in
     doCheck = false; # fails 4 out of 1453 tests
 
     postInstall = ''
-      paxmark m $out/bin/node
       PATH=$out/bin:$PATH patchShebangs $out
 
       ${optionalString enableNpm ''

pkgs/stdenv/cross/default.nix

@@ -59,7 +59,7 @@ in lib.init bootStages ++ [
       extraNativeBuildInputs = old.extraNativeBuildInputs
         ++ lib.optionals
              (hostPlatform.isLinux && !buildPlatform.isLinux)
-             [ buildPackages.patchelf buildPackages.paxctl ]
+             [ buildPackages.patchelf ]
         ++ lib.optional
              (let f = p: !p.isx86 || p.libc == "musl"; in f hostPlatform && !(f buildPlatform))
              buildPackages.updateAutotoolsGnuConfigScriptsHook

pkgs/stdenv/generic/default.nix

@@ -130,9 +130,6 @@ let
       # The derivation's `system` is `buildPlatform.system`.
       inherit (buildPlatform) system;
 
-      # Whether we should run paxctl to pax-mark binaries.
-      needsPax = isLinux;
-
       inherit (import ./make-derivation.nix {
         inherit lib config stdenv;
       }) mkDerivation;

pkgs/stdenv/generic/setup.sh

@@ -280,10 +280,6 @@ if [ -z "${SHELL:-}" ]; then echo "SHELL not set"; exit 1; fi
 BASH="$SHELL"
 export CONFIG_SHELL="$SHELL"
 
-# Dummy implementation of the paxmark function. On Linux, this is
-# overwritten by paxctl's setup hook.
-paxmark() { true; }
-
 
 # Execute the pre-hook.
 if [ -z "${shell:-}" ]; then export shell="$SHELL"; fi

pkgs/stdenv/linux/default.nix

@@ -216,7 +216,7 @@ in
       inherit (prevStage)
         ccWrapperStdenv
         gcc-unwrapped coreutils gnugrep
-        perl paxctl gnum4 bison;
+        perl gnum4 bison;
       # This also contains the full, dynamically linked, final Glibc.
       binutils = prevStage.binutils.override {
         # Rewrap the binutils with the new glibc, so both the next
@@ -250,7 +250,7 @@ in
         isl = isl_0_17;
       };
     };
-    extraNativeBuildInputs = [ prevStage.patchelf prevStage.paxctl ] ++
+    extraNativeBuildInputs = [ prevStage.patchelf ] ++
       # Many tarballs come with obsolete config.sub/config.guess that don't recognize aarch64.
       lib.optional (!localSystem.isx86 || localSystem.libc == "musl")
                    prevStage.updateAutotoolsGnuConfigScriptsHook;
@@ -325,7 +325,7 @@ in
       initialPath =
         ((import ../common-path.nix) {pkgs = prevStage;});
 
-      extraNativeBuildInputs = [ prevStage.patchelf prevStage.paxctl ] ++
+      extraNativeBuildInputs = [ prevStage.patchelf ] ++
         # Many tarballs come with obsolete config.sub/config.guess that don't recognize aarch64.
         lib.optional (!localSystem.isx86 || localSystem.libc == "musl")
         prevStage.updateAutotoolsGnuConfigScriptsHook;
@@ -349,7 +349,7 @@ in
         # Simple executable tools
         concatMap (p: [ (getBin p) (getLib p) ]) [
             gzip bzip2 xz bash binutils.bintools coreutils diffutils findutils
-            gawk gnumake gnused gnutar gnugrep gnupatch patchelf ed paxctl
+            gawk gnumake gnused gnutar gnugrep gnupatch patchelf ed
           ]
         # Library dependencies
         ++ map getLib (
@@ -368,7 +368,7 @@ in
         inherit (prevStage)
           gzip bzip2 xz bash coreutils diffutils findutils gawk
           gnumake gnused gnutar gnugrep gnupatch patchelf
-          attr acl paxctl zlib pcre;
+          attr acl zlib pcre;
         ${localSystem.libc} = getLibc prevStage;
       } // lib.optionalAttrs (super.stdenv.targetPlatform == localSystem) {
         # Need to get rid of these when cross-compiling.

pkgs/tools/misc/grub/2.0x.nix

@@ -109,8 +109,6 @@ stdenv.mkDerivation rec {
   enableParallelBuilding = true;
 
   postInstall = ''
-    paxmark pms $out/sbin/grub-{probe,bios-setup}
-
     # Avoid a runtime reference to gcc
     sed -i $out/lib/grub/*/modinfo.sh -e "/grub_target_cppflags=/ s|'.*'|' '|"
   '';

pkgs/tools/misc/grub/trusted.nix

@@ -90,10 +90,6 @@ stdenv.mkDerivation rec {
   doCheck = false;
   enableParallelBuilding = true;
 
-  postInstall = ''
-    paxmark pms $out/sbin/grub-{probe,bios-setup}
-  '';
-
   meta = with stdenv.lib; {
     description = "GRUB 2.0 extended with TCG (TPM) support for integrity measured boot process (trusted boot)";
     homepage = https://github.com/Sirrix-AG/TrustedGRUB2;