More than one year ago we removed grsecurity kernels from nixpkgs: https://github.com/NixOS/nixpkgs/pull/25277 This now also removes paxutils from stdenv.
wip/yesman
parent
0a2efa121d
commit
1b146a8c6f
@ -1,25 +0,0 @@ |
||||
From eddb251a00ace6e63e32e7dcb9e1ec632cac14e0 Mon Sep 17 00:00:00 2001
|
||||
From: Will Dietz <w@wdtz.org>
|
||||
Date: Wed, 1 Feb 2017 06:09:49 -0600
|
||||
Subject: [PATCH] Set pax flags on julia binaries to disable memory protection.
|
||||
|
||||
---
|
||||
Makefile | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/Makefile b/Makefile
|
||||
index 0e28cc87b..aab8cfa8d 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -91,6 +91,8 @@ julia-src-release julia-src-debug : julia-src-% : julia-deps julia_flisp.boot.in
|
||||
|
||||
julia-ui-release julia-ui-debug : julia-ui-% : julia-src-%
|
||||
@$(MAKE) $(QUIET_MAKE) -C $(BUILDROOT)/ui julia-$*
|
||||
+ @echo "setting PaX flags on $(JULIA_EXECUTABLE_$*)"
|
||||
+ @paxctl -czexm $(JULIA_EXECUTABLE_$*)
|
||||
|
||||
julia-inference : julia-base julia-ui-$(JULIA_BUILD_MODE) $(build_prefix)/.examples
|
||||
@$(MAKE) $(QUIET_MAKE) -C $(BUILDROOT) $(build_private_libdir)/inference.ji JULIA_BUILD_MODE=$(JULIA_BUILD_MODE)
|
||||
--
|
||||
2.11.0
|
||||
|
@ -1,33 +0,0 @@ |
||||
--- swift/utils/build-script-impl 2017-01-23 12:47:20.401326309 -0600
|
||||
+++ swift-pax/utils/build-script-impl 2017-01-23 13:24:10.339366996 -0600
|
||||
@@ -1837,6 +1837,17 @@ function set_lldb_xcodebuild_options() {
|
||||
fi
|
||||
}
|
||||
|
||||
+## XXX: Taken from nixpkgs /pkgs/stdenv/generic/setup.sh
|
||||
+isELF() {
|
||||
+ local fn="$1"
|
||||
+ local fd
|
||||
+ local magic
|
||||
+ exec {fd}< "$fn"
|
||||
+ read -n 4 -u $fd magic
|
||||
+ exec {fd}<&-
|
||||
+ if [[ "$magic" =~ ELF ]]; then return 0; else return 1; fi
|
||||
+}
|
||||
+
|
||||
#
|
||||
# Configure and build each product
|
||||
#
|
||||
@@ -2735,6 +2746,12 @@ for host in "${ALL_HOSTS[@]}"; do
|
||||
fi
|
||||
|
||||
call "${CMAKE_BUILD[@]}" "${build_dir}" $(cmake_config_opt ${product}) -- "${BUILD_ARGS[@]}" ${build_targets[@]}
|
||||
+
|
||||
+ while IFS= read -r -d $'\0' i; do
|
||||
+ if ! isELF "$i"; then continue; fi
|
||||
+ echo "setting pax flags on $i"
|
||||
+ paxctl -czexm "$i" || true
|
||||
+ done < <(find "${build_dir}" -executable -type f -wholename "*/bin/*" -print0)
|
||||
fi
|
||||
done
|
||||
done
|
@ -1,48 +0,0 @@ |
||||
diff --git a/src/3rdparty/chromium/v8/src/v8.gyp b/chromium/v8/src/v8.gyp
|
||||
index e7e19f5059..934448c7d8 100644
|
||||
--- a/src/3rdparty/chromium/v8/src/v8.gyp
|
||||
+++ b/src/3rdparty/chromium/v8/src/v8.gyp
|
||||
@@ -35,6 +35,7 @@
|
||||
'v8_extra_library_files%': [],
|
||||
'v8_experimental_extra_library_files%': [],
|
||||
'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)',
|
||||
+ 'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)',
|
||||
'v8_os_page_size%': 0,
|
||||
},
|
||||
'includes': ['../gypfiles/toolchain.gypi', '../gypfiles/features.gypi', 'inspector/inspector.gypi'],
|
||||
@@ -2576,7 +2577,7 @@
|
||||
]
|
||||
},
|
||||
{
|
||||
- 'target_name': 'mksnapshot',
|
||||
+ 'target_name': 'mksnapshot_u',
|
||||
'type': 'executable',
|
||||
'dependencies': [
|
||||
'v8_base',
|
||||
@@ -2606,5 +2607,26 @@
|
||||
}],
|
||||
],
|
||||
},
|
||||
+ {
|
||||
+ 'target_name': 'mksnapshot',
|
||||
+ 'type': 'executable',
|
||||
+ 'dependencies': ['mksnapshot_u'],
|
||||
+ 'actions': [
|
||||
+ {
|
||||
+ 'action_name': 'paxmark_m_mksnapshot',
|
||||
+ 'inputs': [
|
||||
+ '<(mksnapshot_u_exec)',
|
||||
+ ],
|
||||
+ 'outputs': [
|
||||
+ '<(mksnapshot_exec)',
|
||||
+ ],
|
||||
+ 'action': [
|
||||
+ 'sh',
|
||||
+ '-c',
|
||||
+ 'cp <(mksnapshot_u_exec) <(mksnapshot_exec) && paxctl -czexm <(mksnapshot_exec)',
|
||||
+ ],
|
||||
+ },
|
||||
+ ],
|
||||
+ },
|
||||
],
|
||||
}
|
@ -1,46 +0,0 @@ |
||||
--- qtwebengine-opensource-src-5.6.0-orig/src/3rdparty/chromium/v8/tools/gyp/v8.gyp 2016-03-04 01:48:36.000000000 +1100
|
||||
+++ qtwebengine-opensource-src-5.6.0/src/3rdparty/chromium/v8/tools/gyp/v8.gyp 2016-05-01 19:15:44.052770543 +1000
|
||||
@@ -33,6 +33,7 @@
|
||||
'embed_script%': "",
|
||||
'v8_extra_library_files%': [],
|
||||
'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)',
|
||||
+ 'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)',
|
||||
'remove_v8base_debug_symbols%': 0,
|
||||
},
|
||||
'includes': ['../../build/toolchain.gypi', '../../build/features.gypi'],
|
||||
@@ -1913,7 +1914,7 @@
|
||||
]
|
||||
},
|
||||
{
|
||||
- 'target_name': 'mksnapshot',
|
||||
+ 'target_name': 'mksnapshot_u',
|
||||
'type': 'executable',
|
||||
'dependencies': ['v8_base', 'v8_nosnapshot', 'v8_libplatform'],
|
||||
'include_dirs+': [
|
||||
@@ -1936,5 +1937,26 @@
|
||||
}],
|
||||
],
|
||||
},
|
||||
+ {
|
||||
+ 'target_name': 'mksnapshot',
|
||||
+ 'type': 'executable',
|
||||
+ 'dependencies': ['mksnapshot_u'],
|
||||
+ 'actions': [
|
||||
+ {
|
||||
+ 'action_name': 'paxmark_m_mksnapshot',
|
||||
+ 'inputs': [
|
||||
+ '<(mksnapshot_u_exec)',
|
||||
+ ],
|
||||
+ 'outputs': [
|
||||
+ '<(mksnapshot_exec)',
|
||||
+ ],
|
||||
+ 'action': [
|
||||
+ 'sh',
|
||||
+ '-c',
|
||||
+ 'cp <(mksnapshot_u_exec) <(mksnapshot_exec) && paxctl -czexm <(mksnapshot_exec)',
|
||||
+ ],
|
||||
+ },
|
||||
+ ],
|
||||
+ },
|
||||
],
|
||||
}
|
@ -1,48 +0,0 @@ |
||||
Index: qtwebengine-opensource-src-5.9.0/src/3rdparty/chromium/v8/src/v8.gyp
|
||||
===================================================================
|
||||
--- qtwebengine-opensource-src-5.9.0.orig/src/3rdparty/chromium/v8/src/v8.gyp
|
||||
+++ qtwebengine-opensource-src-5.9.0/src/3rdparty/chromium/v8/src/v8.gyp
|
||||
@@ -36,6 +36,7 @@
|
||||
'v8_experimental_extra_library_files%': [],
|
||||
'v8_enable_inspector%': 0,
|
||||
'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)',
|
||||
+ 'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)',
|
||||
'mkpeephole_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mkpeephole<(EXECUTABLE_SUFFIX)',
|
||||
'v8_os_page_size%': 0,
|
||||
},
|
||||
@@ -2432,7 +2433,7 @@
|
||||
]
|
||||
},
|
||||
{
|
||||
- 'target_name': 'mksnapshot',
|
||||
+ 'target_name': 'mksnapshot_u',
|
||||
'type': 'executable',
|
||||
'dependencies': [
|
||||
'v8_base',
|
||||
@@ -2485,5 +2486,26 @@
|
||||
}],
|
||||
],
|
||||
},
|
||||
+ {
|
||||
+ 'target_name': 'mksnapshot',
|
||||
+ 'type': 'executable',
|
||||
+ 'dependencies': ['mksnapshot_u'],
|
||||
+ 'actions': [
|
||||
+ {
|
||||
+ 'action_name': 'paxmark_m_mksnapshot',
|
||||
+ 'inputs': [
|
||||
+ '<(mksnapshot_u_exec)',
|
||||
+ ],
|
||||
+ 'outputs': [
|
||||
+ '<(mksnapshot_exec)',
|
||||
+ ],
|
||||
+ 'action': [
|
||||
+ 'sh',
|
||||
+ '-c',
|
||||
+ 'cp <(mksnapshot_u_exec) <(mksnapshot_exec) && paxctl -czexm <(mksnapshot_exec)',
|
||||
+ ],
|
||||
+ },
|
||||
+ ],
|
||||
+ },
|
||||
],
|
||||
}
|
@ -1,233 +0,0 @@ |
||||
--- binutils-2.15.94.0.2.2.orig/bfd/elf-bfd.h 2005-02-07 20:42:44.000000000 +0100
|
||||
+++ binutils-2.15.94.0.2.2/bfd/elf-bfd.h 2005-02-20 13:13:17.362558200 +0100
|
||||
@@ -1266,6 +1266,9 @@
|
||||
/* Should the PT_GNU_RELRO segment be emitted? */
|
||||
bfd_boolean relro;
|
||||
|
||||
+ /* Segment flags for the PT_PAX_FLAGS segment. */
|
||||
+ unsigned int pax_flags;
|
||||
+
|
||||
/* Symbol version definitions in external objects. */
|
||||
Elf_Internal_Verdef *verdef;
|
||||
|
||||
--- binutils-2.17.50.0.18/bfd/elf.c.orig 2007-08-01 11:12:02.000000000 -0400
|
||||
+++ binutils-2.17.50.0.18/bfd/elf.c 2007-08-01 14:27:36.086986774 -0400
|
||||
@@ -1085,6 +1085,7 @@
|
||||
case PT_GNU_EH_FRAME: pt = "EH_FRAME"; break;
|
||||
case PT_GNU_STACK: pt = "STACK"; break;
|
||||
case PT_GNU_RELRO: pt = "RELRO"; break;
|
||||
+ case PT_PAX_FLAGS: pt = "PAX_FLAGS"; break;
|
||||
default: pt = NULL; break;
|
||||
}
|
||||
return pt;
|
||||
@@ -2346,6 +2347,9 @@
|
||||
case PT_GNU_RELRO:
|
||||
return _bfd_elf_make_section_from_phdr (abfd, hdr, hdr_index, "relro");
|
||||
|
||||
+ case PT_PAX_FLAGS:
|
||||
+ return _bfd_elf_make_section_from_phdr (abfd, hdr, hdr_index, "pax_flags");
|
||||
+
|
||||
default:
|
||||
/* Check for any processor-specific program segment types. */
|
||||
bed = get_elf_backend_data (abfd);
|
||||
@@ -3326,6 +3330,11 @@
|
||||
++segs;
|
||||
}
|
||||
|
||||
+ {
|
||||
+ /* We need a PT_PAX_FLAGS segment. */
|
||||
+ ++segs;
|
||||
+ }
|
||||
+
|
||||
for (s = abfd->sections; s != NULL; s = s->next)
|
||||
{
|
||||
if ((s->flags & SEC_LOAD) != 0
|
||||
@@ -3945,6 +3954,20 @@
|
||||
pm = &m->next;
|
||||
}
|
||||
|
||||
+ {
|
||||
+ amt = sizeof (struct elf_segment_map);
|
||||
+ m = bfd_zalloc (abfd, amt);
|
||||
+ if (m == NULL)
|
||||
+ goto error_return;
|
||||
+ m->next = NULL;
|
||||
+ m->p_type = PT_PAX_FLAGS;
|
||||
+ m->p_flags = elf_tdata (abfd)->pax_flags;
|
||||
+ m->p_flags_valid = 1;
|
||||
+
|
||||
+ *pm = m;
|
||||
+ pm = &m->next;
|
||||
+ }
|
||||
+
|
||||
free (sections);
|
||||
elf_tdata (abfd)->segment_map = mfirst;
|
||||
}
|
||||
@@ -5129,7 +5152,8 @@
|
||||
5. PT_GNU_STACK segments do not include any sections.
|
||||
6. PT_TLS segment includes only SHF_TLS sections.
|
||||
7. SHF_TLS sections are only in PT_TLS or PT_LOAD segments.
|
||||
- 8. PT_DYNAMIC should not contain empty sections at the beginning
|
||||
+ 8. PT_PAX_FLAGS segments do not include any sections.
|
||||
+ 9. PT_DYNAMIC should not contain empty sections at the beginning
|
||||
(with the possible exception of .dynamic). */
|
||||
#define IS_SECTION_IN_INPUT_SEGMENT(section, segment, bed) \
|
||||
((((segment->p_paddr \
|
||||
@@ -5138,6 +5162,7 @@
|
||||
&& (section->flags & SEC_ALLOC) != 0) \
|
||||
|| IS_COREFILE_NOTE (segment, section)) \
|
||||
&& segment->p_type != PT_GNU_STACK \
|
||||
+ && segment->p_type != PT_PAX_FLAGS \
|
||||
&& (segment->p_type != PT_TLS \
|
||||
|| (section->flags & SEC_THREAD_LOCAL)) \
|
||||
&& (segment->p_type == PT_LOAD \
|
||||
--- binutils-2.23.52.0.1/bfd/elflink.c.orig 2013-02-27 21:28:03.000000000 +0100
|
||||
+++ binutils-2.23.52.0.1/bfd/elflink.c 2013-03-01 17:32:44.922717879 +0100
|
||||
@@ -5764,18 +5764,32 @@
|
||||
&& ! (*bed->elf_backend_always_size_sections) (output_bfd, info))
|
||||
return FALSE;
|
||||
|
||||
+ elf_tdata (output_bfd)->pax_flags = PF_NORANDEXEC;
|
||||
+
|
||||
+ if (info->execheap)
|
||||
+ elf_tdata (output_bfd)->pax_flags |= PF_NOMPROTECT;
|
||||
+ else if (info->noexecheap)
|
||||
+ elf_tdata (output_bfd)->pax_flags |= PF_MPROTECT;
|
||||
+
|
||||
/* Determine any GNU_STACK segment requirements, after the backend
|
||||
has had a chance to set a default segment size. */
|
||||
if (info->execstack)
|
||||
+ {
|
||||
elf_stack_flags (output_bfd) = PF_R | PF_W | PF_X;
|
||||
+ elf_tdata (output_bfd)->pax_flags |= PF_EMUTRAMP;
|
||||
+ }
|
||||
else if (info->noexecstack)
|
||||
+ {
|
||||
elf_stack_flags (output_bfd) = PF_R | PF_W;
|
||||
+ elf_tdata (output_bfd)->pax_flags |= PF_NOEMUTRAMP;
|
||||
+ }
|
||||
else
|
||||
{
|
||||
bfd *inputobj;
|
||||
asection *notesec = NULL;
|
||||
int exec = 0;
|
||||
|
||||
+ elf_tdata (output_bfd)->pax_flags |= PF_NOEMUTRAMP;
|
||||
for (inputobj = info->input_bfds;
|
||||
inputobj;
|
||||
inputobj = inputobj->link_next)
|
||||
@@ -5789,7 +5803,11 @@
|
||||
if (s)
|
||||
{
|
||||
if (s->flags & SEC_CODE)
|
||||
- exec = PF_X;
|
||||
+ {
|
||||
+ elf_tdata (output_bfd)->pax_flags &= ~PF_NOEMUTRAMP;
|
||||
+ elf_tdata (output_bfd)->pax_flags |= PF_EMUTRAMP;
|
||||
+ exec = PF_X;
|
||||
+ }
|
||||
notesec = s;
|
||||
}
|
||||
else if (bed->default_execstack)
|
||||
--- binutils-2.15.94.0.2.2.orig/binutils/readelf.c 2005-02-18 07:14:30.000000000 +0100
|
||||
+++ binutils-2.15.94.0.2.2/binutils/readelf.c 2005-02-20 13:13:17.470541784 +0100
|
||||
@@ -2293,6 +2293,7 @@
|
||||
return "GNU_EH_FRAME";
|
||||
case PT_GNU_STACK: return "GNU_STACK";
|
||||
case PT_GNU_RELRO: return "GNU_RELRO";
|
||||
+ case PT_PAX_FLAGS: return "PAX_FLAGS";
|
||||
|
||||
default:
|
||||
if ((p_type >= PT_LOPROC) && (p_type <= PT_HIPROC))
|
||||
--- binutils-2.15.94.0.2.2.orig/include/bfdlink.h 2004-11-22 21:33:32.000000000 +0100
|
||||
+++ binutils-2.15.94.0.2.2/include/bfdlink.h 2005-02-20 13:13:17.476540872 +0100
|
||||
@@ -313,6 +313,14 @@
|
||||
flags. */
|
||||
unsigned int noexecstack: 1;
|
||||
|
||||
+ /* TRUE if PT_PAX_FLAGS segment should be created with PF_NOMPROTECT
|
||||
+ flags. */
|
||||
+ unsigned int execheap: 1;
|
||||
+
|
||||
+ /* TRUE if PT_PAX_FLAGS segment should be created with PF_MPROTECT
|
||||
+ flags. */
|
||||
+ unsigned int noexecheap: 1;
|
||||
+
|
||||
/* TRUE if PT_GNU_RELRO segment should be created. */
|
||||
unsigned int relro: 1;
|
||||
|
||||
--- binutils-2.15.94.0.2.2.orig/include/elf/common.h 2004-11-22 21:33:32.000000000 +0100
|
||||
+++ binutils-2.15.94.0.2.2/include/elf/common.h 2005-02-20 13:13:17.482539960 +0100
|
||||
@@ -423,6 +423,7 @@
|
||||
#define PT_SUNW_EH_FRAME PT_GNU_EH_FRAME /* Solaris uses the same value */
|
||||
#define PT_GNU_STACK (PT_LOOS + 0x474e551) /* Stack flags */
|
||||
#define PT_GNU_RELRO (PT_LOOS + 0x474e552) /* Read-only after relocation */
|
||||
+#define PT_PAX_FLAGS (PT_LOOS + 0x5041580) /* PaX flags */
|
||||
|
||||
/* Program segment permissions, in program header p_flags field. */
|
||||
|
||||
@@ -433,6 +434,19 @@
|
||||
#define PF_MASKOS 0x0FF00000 /* New value, Oct 4, 1999 Draft */
|
||||
#define PF_MASKPROC 0xF0000000 /* Processor-specific reserved bits */
|
||||
|
||||
+#define PF_PAGEEXEC (1 << 4) /* Enable PAGEEXEC */
|
||||
+#define PF_NOPAGEEXEC (1 << 5) /* Disable PAGEEXEC */
|
||||
+#define PF_SEGMEXEC (1 << 6) /* Enable SEGMEXEC */
|
||||
+#define PF_NOSEGMEXEC (1 << 7) /* Disable SEGMEXEC */
|
||||
+#define PF_MPROTECT (1 << 8) /* Enable MPROTECT */
|
||||
+#define PF_NOMPROTECT (1 << 9) /* Disable MPROTECT */
|
||||
+#define PF_RANDEXEC (1 << 10) /* Enable RANDEXEC */
|
||||
+#define PF_NORANDEXEC (1 << 11) /* Disable RANDEXEC */
|
||||
+#define PF_EMUTRAMP (1 << 12) /* Enable EMUTRAMP */
|
||||
+#define PF_NOEMUTRAMP (1 << 13) /* Disable EMUTRAMP */
|
||||
+#define PF_RANDMMAP (1 << 14) /* Enable RANDMMAP */
|
||||
+#define PF_NORANDMMAP (1 << 15) /* Disable RANDMMAP */
|
||||
+
|
||||
/* Values for section header, sh_type field. */
|
||||
|
||||
#define SHT_NULL 0 /* Section header table entry unused */
|
||||
--- binutils-2.18.50.0.1/ld/emultempl/elf32.em.orig 2007-09-08 19:34:12.000000000 +0200
|
||||
+++ binutils-2.18.50.0.1/ld/emultempl/elf32.em 2007-09-15 21:41:35.688212063 +0200
|
||||
@@ -2139,6 +2139,16 @@
|
||||
link_info.noexecstack = TRUE;
|
||||
link_info.execstack = FALSE;
|
||||
}
|
||||
+ else if (strcmp (optarg, "execheap") == 0)
|
||||
+ {
|
||||
+ link_info.execheap = TRUE;
|
||||
+ link_info.noexecheap = FALSE;
|
||||
+ }
|
||||
+ else if (strcmp (optarg, "noexecheap") == 0)
|
||||
+ {
|
||||
+ link_info.noexecheap = TRUE;
|
||||
+ link_info.execheap = FALSE;
|
||||
+ }
|
||||
EOF
|
||||
|
||||
if test -n "$COMMONPAGESIZE"; then
|
||||
--- binutils-2.15.94.0.2.2.orig/ld/ldgram.y 2004-11-22 21:33:32.000000000 +0100
|
||||
+++ binutils-2.15.94.0.2.2/ld/ldgram.y 2005-02-20 13:13:17.499537376 +0100
|
||||
@@ -1073,6 +1073,8 @@
|
||||
$$ = exp_intop (0x6474e550);
|
||||
else if (strcmp (s, "PT_GNU_STACK") == 0)
|
||||
$$ = exp_intop (0x6474e551);
|
||||
+ else if (strcmp (s, "PT_PAX_FLAGS") == 0)
|
||||
+ $$ = exp_intop (0x65041580);
|
||||
else
|
||||
{
|
||||
einfo (_("\
|
||||
--- binutils-2.26/ld/lexsup.c.orig 2015-11-13 09:27:42.000000000 +0100
|
||||
+++ binutils-2.26/ld/lexsup.c 2016-01-26 21:08:41.787138458 +0100
|
||||
@@ -1793,8 +1793,12 @@
|
||||
fprintf (file, _("\
|
||||
-z muldefs Allow multiple definitions\n"));
|
||||
fprintf (file, _("\
|
||||
+ -z execheap Mark executable as requiring executable heap\n"));
|
||||
+ fprintf (file, _("\
|
||||
-z execstack Mark executable as requiring executable stack\n"));
|
||||
fprintf (file, _("\
|
||||
+ -z noexecheap Mark executable as not requiring executable heap\n"));
|
||||
+ fprintf (file, _("\
|
||||
-z noexecstack Mark executable as not requiring executable stack\n"));
|
||||
}
|
||||
|