forked from mirrors/nixpkgs
ghc: Add support for grsecurity
In this case, we also need to specify compilation flags to mark stacks as non-executable, otherwise PaX will not allow ghc or binaries built by ghc to run. This is what gentoo-hardened does as well.
This commit is contained in:
parent
92cc5b8c0c
commit
2204eb9f18
|
@ -1,6 +1,13 @@
|
|||
{ stdenv, fetchurl, ghc, perl, gmp, ncurses }:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
let
|
||||
# The "-Wa,--noexecstack" options might be needed only with GNU ld (as opposed
|
||||
# to the gold linker). It prevents binaries' stacks from being marked as
|
||||
# executable, which fails to run on a grsecurity/PaX kernel.
|
||||
ghcFlags = "-optc-Wa,--noexecstack -opta-Wa,--noexecstack";
|
||||
cFlags = "-Wa,--noexecstack";
|
||||
|
||||
in stdenv.mkDerivation rec {
|
||||
version = "7.6.3";
|
||||
|
||||
name = "ghc-${version}";
|
||||
|
@ -12,21 +19,38 @@ stdenv.mkDerivation rec {
|
|||
|
||||
buildInputs = [ ghc perl gmp ncurses ];
|
||||
|
||||
|
||||
buildMK = ''
|
||||
libraries/integer-gmp_CONFIGURE_OPTS += --configure-option=--with-gmp-libraries="${gmp}/lib"
|
||||
libraries/integer-gmp_CONFIGURE_OPTS += --configure-option=--with-gmp-includes="${gmp}/include"
|
||||
|
||||
# Set ghcFlags for building ghc itself
|
||||
SRC_HC_OPTS += ${ghcFlags}
|
||||
SRC_CC_OPTS += ${cFlags}
|
||||
'';
|
||||
|
||||
preConfigure = ''
|
||||
echo "${buildMK}" > mk/build.mk
|
||||
sed -i -e 's|-isysroot /Developer/SDKs/MacOSX10.5.sdk||' configure
|
||||
|
||||
# Set ghcFlags for binaries that ghc builds
|
||||
sed -i -e 's|"\$topdir"|"\$topdir" ${ghcFlags}|' ghc/ghc.wrapper
|
||||
|
||||
'' + stdenv.lib.optionalString (!stdenv.isDarwin) ''
|
||||
export NIX_LDFLAGS="$NIX_LDFLAGS -rpath $out/lib/ghc-${version}"
|
||||
'';
|
||||
|
||||
configureFlags = "--with-gcc=${stdenv.gcc}/bin/gcc";
|
||||
|
||||
postInstall = ''
|
||||
# ghci uses mmap with rwx protection at it implements dynamic
|
||||
# linking on its own. See:
|
||||
# - https://bugs.gentoo.org/show_bug.cgi?id=299709
|
||||
# - https://ghc.haskell.org/trac/ghc/ticket/4244
|
||||
# Therefore, we have to pax-mark the resulting binary.
|
||||
# Haddock also seems to run with ghci, so mark it as well.
|
||||
paxmark m $out/lib/${name}/{ghc,haddock}
|
||||
'';
|
||||
|
||||
# required, because otherwise all symbols from HSffi.o are stripped, and
|
||||
# that in turn causes GHCi to abort
|
||||
stripDebugFlags=["-S" "--keep-file-symbols"];
|
||||
|
|
Loading…
Reference in a new issue