Merge #2798: stdenv and a few other big updates

Stdenv-changing things:
    - gcc 4.8.2 -> 4.8.3
    - long-running grsecurity branch
Others:
    - pkgconfig update
    - CVE for libtasn1, dbus

Conflicts (simple):
    pkgs/development/compilers/ghc/7.6.3.nix

pkgs/applications/networking/browsers/chromium/browser.nix

@@ -1,11 +1,11 @@
-{ stdenv, mkChromiumDerivation }:
+{ stdenv, mkChromiumDerivation, arch }:
 
 with stdenv.lib;
 
 mkChromiumDerivation (base: rec {
   name = "chromium-browser";
   packageName = "chromium";
-  buildTargets = [ "chrome" ];
+  buildTargets = [ "mksnapshot.${arch}" "chrome" ];
 
   installPhase = ''
     ensureDir "$libExecPath"

pkgs/applications/networking/browsers/chromium/common.nix

@@ -30,6 +30,7 @@
 
 , source
 , plugins
+, archInfo
 }:
 
 buildFun:
@@ -172,13 +173,7 @@ let
       # enable support for the H.264 codec
       proprietary_codecs = true;
       ffmpeg_branding = "Chrome";
-    } // optionalAttrs (stdenv.system == "x86_64-linux") {
-      target_arch = "x64";
-      python_arch = "x86-64";
-    } // optionalAttrs (stdenv.system == "i686-linux") {
-      target_arch = "ia32";
-      python_arch = "ia32";
-    } // (extraAttrs.gypFlags or {}));
+    } // archInfo // (extraAttrs.gypFlags or {}));
 
     configurePhase = ''
       # This is to ensure expansion of $out.
@@ -190,14 +185,21 @@ let
     buildPhase = let
       CC = "${gcc}/bin/gcc";
       CXX = "${gcc}/bin/g++";
-    in ''
-      CC="${CC}" CC_host="${CC}"     \
-      CXX="${CXX}" CXX_host="${CXX}" \
-      LINK_host="${CXX}"             \
-        "${ninja}/bin/ninja" -C "${buildPath}"  \
-          -j$NIX_BUILD_CORES -l$NIX_BUILD_CORES \
-          ${concatStringsSep " " (extraAttrs.buildTargets or [])}
-    '';
+      buildCommand = target: ''
+        CC="${CC}" CC_host="${CC}"     \
+        CXX="${CXX}" CXX_host="${CXX}" \
+        LINK_host="${CXX}"             \
+          "${ninja}/bin/ninja" -C "${buildPath}"  \
+            -j$NIX_BUILD_CORES -l$NIX_BUILD_CORES \
+            ${target}
+
+        if [[ "${target}" == mksnapshot.* || "${target}" == "chrome" ]]; then
+          paxmark m "${buildPath}/${target}"
+        fi
+      '';
+      targets = extraAttrs.buildTargets or [];
+      commands = map buildCommand targets;
+    in concatStringsSep "\n" commands;
   };
 
 # Remove some extraAttrs we supplied to the base attributes already.

pkgs/applications/networking/browsers/chromium/default.nix

@@ -15,6 +15,14 @@
 }:
 
 let
+  archInfo = with stdenv.lib; optionalAttrs (stdenv.system == "i686-linux") {
+    target_arch = "ia32";
+    python_arch = "ia32";
+  } // optionalAttrs (stdenv.system == "x86_64-linux") {
+    target_arch = "x64";
+    python_arch = "x86-64";
+  };
+
   callPackage = newScope chromium;
 
   chromium = {
@@ -27,10 +35,13 @@ let
     mkChromiumDerivation = callPackage ./common.nix {
       inherit enableSELinux enableNaCl useOpenSSL gnomeSupport
               gnomeKeyringSupport proprietaryCodecs cupsSupport
-              pulseSupport;
+              pulseSupport archInfo;
+    };
+
+    browser = callPackage ./browser.nix {
+      arch = archInfo.target_arch;
     };
 
-    browser = callPackage ./browser.nix { };
     sandbox = callPackage ./sandbox.nix { };
 
     plugins = callPackage ./plugins.nix {

pkgs/applications/networking/browsers/firefox/default.nix

@@ -91,6 +91,11 @@ rec {
 
     #installFlags = "SKIP_GRE_REGISTRATION=1";
 
+    preInstall = ''
+      # The following is needed for startup cache creation on grsecurity kernels
+      paxmark m ../objdir/dist/bin/xpcshell
+    '';
+
     postInstall = ''
       # Fix run-mozilla.sh search
       libDir=$(cd $out/lib && ls -d xulrunner-[0-9]*)
@@ -109,6 +114,10 @@ rec {
       for i in $out/lib/$libDir/*.so; do
           patchelf --set-rpath "$(patchelf --print-rpath "$i"):$out/lib/$libDir" $i || true
       done
+
+      # For grsecurity kernels
+      paxmark m $out/lib/$libDir/{plugin-container,xulrunner}
+
       for i in $out/lib/$libDir/{plugin-container,xulrunner,xulrunner-stub}; do
           wrapProgram $i --prefix LD_LIBRARY_PATH ':' "$out/lib/$libDir"
       done

pkgs/development/compilers/gcc/4.6/builder.sh

@@ -33,7 +33,7 @@ if test "$noSysDirs" = "1"; then
 
         # The path to the Glibc binaries such as `crti.o'.
         glibc_libdir="$(cat $NIX_GCC/nix-support/orig-libc)/lib"
-        
+
     else
         # Hack: support impure environments.
         extraFlags="-isystem /usr/include"
@@ -214,7 +214,7 @@ postInstall() {
     # previous gcc.
     rm -rf $out/libexec/gcc/*/*/install-tools
     rm -rf $out/lib/gcc/*/*/install-tools
-    
+
     # More dependencies with the previous gcc or some libs (gccbug stores the build command line)
     rm -rf $out/bin/gccbug
     # Take out the bootstrap-tools from the rpath, as it's not needed at all having $out
@@ -240,6 +240,11 @@ postInstall() {
         fi
     done
 
+    # Disable RANDMMAP on grsec, which causes segfaults when using
+    # precompiled headers.
+    # See https://bugs.gentoo.org/show_bug.cgi?id=301299#c31
+    paxmark r $out/libexec/gcc/*/*/{cc1,cc1plus}
+
     eval "$postInstallGhdl"
 }
 

pkgs/development/compilers/gcc/4.6/default.nix

@@ -99,7 +99,7 @@ let version = "4.6.3";
         withAbi = if gccAbi != null then " --with-abi=${gccAbi}" else "";
         withFpu = if gccFpu != null then " --with-fpu=${gccFpu}" else "";
         withFloat = if gccFloat != null then " --with-float=${gccFloat}" else "";
-      in 
+      in
         (withArch +
         withCpu +
         withAbi +

pkgs/development/compilers/gcc/4.8/bug-58800.patch

@@ -1,79 +0,0 @@
-Index: gcc-4_8-branch/libstdc++-v3/include/bits/stl_algo.h
-===================================================================
---- gcc-4_8-branch/libstdc++-v3/include/bits/stl_algo.h	(revision 203872)
-+++ gcc-4_8-branch/libstdc++-v3/include/bits/stl_algo.h	(revision 203873)
-@@ -2279,7 +2279,7 @@
- 				_RandomAccessIterator __last)
-     {
-       _RandomAccessIterator __mid = __first + (__last - __first) / 2;
--      std::__move_median_to_first(__first, __first + 1, __mid, (__last - 2));
-+      std::__move_median_to_first(__first, __first + 1, __mid, __last - 1);
-       return std::__unguarded_partition(__first + 1, __last, *__first);
-     }
- 
-@@ -2291,7 +2291,7 @@
- 				_RandomAccessIterator __last, _Compare __comp)
-     {
-       _RandomAccessIterator __mid = __first + (__last - __first) / 2;
--      std::__move_median_to_first(__first, __first + 1, __mid, (__last - 2),
-+      std::__move_median_to_first(__first, __first + 1, __mid, __last - 1,
- 				  __comp);
-       return std::__unguarded_partition(__first + 1, __last, *__first, __comp);
-     }
-Index: gcc-4_8-branch/libstdc++-v3/testsuite/25_algorithms/nth_element/58800.cc
-===================================================================
---- gcc-4_8-branch/libstdc++-v3/testsuite/25_algorithms/nth_element/58800.cc	(revision 0)
-+++ gcc-4_8-branch/libstdc++-v3/testsuite/25_algorithms/nth_element/58800.cc	(revision 203873)
-@@ -0,0 +1,52 @@
-+// Copyright (C) 2013 Free Software Foundation, Inc.
-+//
-+// This file is part of the GNU ISO C++ Library.  This library is free
-+// software; you can redistribute it and/or modify it under the
-+// terms of the GNU General Public License as published by the
-+// Free Software Foundation; either version 3, or (at your option)
-+// any later version.
-+
-+// This library is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+// GNU General Public License for more details.
-+
-+// You should have received a copy of the GNU General Public License along
-+// with this library; see the file COPYING3.  If not see
-+// <http://www.gnu.org/licenses/>.
-+
-+// 25.3.2 [lib.alg.nth.element]
-+
-+// { dg-options "-std=gnu++11" }
-+
-+#include <algorithm>
-+#include <testsuite_hooks.h>
-+#include <testsuite_iterators.h>
-+
-+using __gnu_test::test_container;
-+using __gnu_test::random_access_iterator_wrapper;
-+
-+typedef test_container<int, random_access_iterator_wrapper> Container;
-+
-+void test01()
-+{
-+  std::vector<int> v = {
-+    207089,
-+    202585,
-+    180067,
-+    157549,
-+    211592,
-+    216096,
-+    207089
-+  };
-+
-+  Container con(v.data(), v.data() + 7);
-+
-+  std::nth_element(con.begin(), con.begin() + 3, con.end());
-+}
-+
-+int main()
-+{
-+  test01();
-+  return 0;
-+}

pkgs/development/compilers/gcc/4.8/builder.sh

@@ -239,6 +239,11 @@ postInstall() {
         fi
     done
 
+    # Disable RANDMMAP on grsec, which causes segfaults when using
+    # precompiled headers.
+    # See https://bugs.gentoo.org/show_bug.cgi?id=301299#c31
+    paxmark r $out/libexec/gcc/*/*/{cc1,cc1plus}
+
     eval "$postInstallGhdl"
 }
 

pkgs/development/compilers/gcc/4.8/default.nix

@@ -54,7 +54,7 @@ assert langGo -> langCC;
 with stdenv.lib;
 with builtins;
 
-let version = "4.8.2";
+let version = "4.8.3";
 
     # Whether building a cross-compiler for GNU/Hurd.
     crossGNU = cross != null && cross.config == "i586-pc-gnu";
@@ -64,7 +64,7 @@ let version = "4.8.2";
   */
     enableParallelBuilding = !profiledCompiler;
 
-    patches = [ ./bug-58800.patch ] # http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58800
+    patches = []
       ++ optional enableParallelBuilding ./parallel-bconfig.patch
       ++ optional (cross != null) ./libstdc++-target.patch
       # ++ optional noSysDirs ./no-sys-dirs.patch
@@ -212,7 +212,7 @@ stdenv.mkDerivation ({
 
   src = fetchurl {
     url = "mirror://gnu/gcc/gcc-${version}/gcc-${version}.tar.bz2";
-    sha256 = "1j6dwgby4g3p3lz7zkss32ghr45zpdidrg8xvazvn91lqxv25p09";
+    sha256 = "07hg10zs7gnqz58my10ch0zygizqh0z0bz6pv4pgxx45n48lz3ka";
   };
 
   inherit patches;

pkgs/development/compilers/ghc/6.10.4.nix

@@ -20,6 +20,8 @@ stdenv.mkDerivation rec {
     "--with-gcc=${stdenv.gcc}/bin/gcc"
   ];
 
+  NIX_CFLAGS_COMPILE = "-fomit-frame-pointer";
+
   meta = {
     inherit homepage;
     description = "The Glasgow Haskell Compiler";

pkgs/development/compilers/ghc/6.12.3.nix

@@ -25,6 +25,8 @@ stdenv.mkDerivation rec {
     "--with-gcc=${stdenv.gcc}/bin/gcc"
   ];
 
+  NIX_CFLAGS_COMPILE = "-fomit-frame-pointer";
+
   # required, because otherwise all symbols from HSffi.o are stripped, and
   # that in turn causes GHCi to abort
   stripDebugFlags=["-S" "--keep-file-symbols"];

pkgs/development/compilers/ghc/7.0.4.nix

@@ -25,6 +25,8 @@ stdenv.mkDerivation rec {
     "--with-gcc=${stdenv.gcc}/bin/gcc"
   ];
 
+  NIX_CFLAGS_COMPILE = "-fomit-frame-pointer";
+
   # required, because otherwise all symbols from HSffi.o are stripped, and
   # that in turn causes GHCi to abort
   stripDebugFlags=["-S" "--keep-file-symbols"];

pkgs/development/compilers/ghc/7.2.2.nix

@@ -25,6 +25,8 @@ stdenv.mkDerivation rec {
     "--with-gcc=${stdenv.gcc}/bin/gcc"
   ];
 
+  NIX_CFLAGS_COMPILE = "-fomit-frame-pointer";
+
   # required, because otherwise all symbols from HSffi.o are stripped, and
   # that in turn causes GHCi to abort
   stripDebugFlags=["-S" "--keep-file-symbols"];

pkgs/development/compilers/ghc/7.6.3.nix

@@ -1,6 +1,13 @@
-{ stdenv, fetchurl, ghc, perl, gmp, ncurses }:
+{ stdenv, fetchurl, ghc, perl, gmp, ncurses, binutils }:
 
-stdenv.mkDerivation rec {
+let
+  # The "-Wa,--noexecstack" options might be needed only with GNU ld (as opposed
+  # to the gold linker). It prevents binaries' stacks from being marked as
+  # executable, which fails to run on a grsecurity/PaX kernel.
+  ghcFlags = "-optc-Wa,--noexecstack -opta-Wa,--noexecstack";
+  cFlags = "-Wa,--noexecstack";
+
+in stdenv.mkDerivation rec {
   version = "7.6.3";
 
   name = "ghc-${version}";
@@ -12,21 +19,40 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ ghc perl gmp ncurses ];
 
-
   buildMK = ''
     libraries/integer-gmp_CONFIGURE_OPTS += --configure-option=--with-gmp-libraries="${gmp}/lib"
     libraries/integer-gmp_CONFIGURE_OPTS += --configure-option=--with-gmp-includes="${gmp}/include"
+
+  '' + stdenv.lib.optionalString stdenv.isLinux ''
+    # Set ghcFlags for building ghc itself
+    SRC_HC_OPTS += ${ghcFlags}
+    SRC_CC_OPTS += ${cFlags}
   '';
 
   preConfigure = ''
     echo "${buildMK}" > mk/build.mk
     sed -i -e 's|-isysroot /Developer/SDKs/MacOSX10.5.sdk||' configure
+
+  '' + stdenv.lib.optionalString stdenv.isLinux ''
+    # Set ghcFlags for binaries that ghc builds
+    sed -i -e 's|"\$topdir"|"\$topdir" ${ghcFlags}|' ghc/ghc.wrapper
+
   '' + stdenv.lib.optionalString (!stdenv.isDarwin) ''
     export NIX_LDFLAGS="$NIX_LDFLAGS -rpath $out/lib/ghc-${version}"
   '';
 
   configureFlags = "--with-gcc=${stdenv.gcc}/bin/gcc";
 
+  postInstall = ''
+    # ghci uses mmap with rwx protection at it implements dynamic
+    # linking on its own. See:
+    # - https://bugs.gentoo.org/show_bug.cgi?id=299709
+    # - https://ghc.haskell.org/trac/ghc/ticket/4244
+    # Therefore, we have to pax-mark the resulting binary.
+    # Haddock also seems to run with ghci, so mark it as well.
+    paxmark m $out/lib/${name}/{ghc,haddock}
+  '';
+
   # required, because otherwise all symbols from HSffi.o are stripped, and
   # that in turn causes GHCi to abort
   stripDebugFlags=["-S" "--keep-file-symbols"];

pkgs/development/compilers/icedtea/default.nix

@@ -59,7 +59,7 @@ with srcInfo; stdenv.mkDerivation {
     "--disable-downloading"
 
     "--without-rhino"
-    # Uncomment this when paxctl lands in stdenv: "--with-pax=paxctl"
+    "--with-pax=paxctl"
     "--with-jdk-home=${jdkPath}"
   ];
 

pkgs/development/compilers/jdk/jdk7-linux.nix

@@ -2,6 +2,7 @@
 , stdenv
 , requireFile
 , unzip
+, file
 , xlibs ? null
 , installjdk ? true
 , pluginSupport ? true
@@ -71,10 +72,20 @@ stdenv.mkDerivation rec {
     else
       abort "jdk requires i686-linux or x86_64 linux";
 
-  buildInputs = if installjce then [ unzip ] else [];
+  nativeBuildInputs = [ file ]
+    ++ stdenv.lib.optional installjce unzip;
 
   installPhase = ''
     cd ..
+
+    # Set PaX markings
+    exes=$(file $sourceRoot/bin/* $sourceRoot/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
+    for file in $exes; do
+      paxmark m "$file"
+      # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
+      ${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''}
+    done
+
     if test -z "$installjdk"; then
       mv $sourceRoot/jre $out
     else

pkgs/development/compilers/llvm/3.3/llvm.nix

@@ -22,11 +22,20 @@ in stdenv.mkDerivation rec {
 
   cmakeFlags = with stdenv; [
     "-DCMAKE_BUILD_TYPE=Release"
+    "-DLLVM_BUILD_TESTS=ON"
     "-DLLVM_ENABLE_FFI=ON"
     "-DLLVM_BINUTILS_INCDIR=${binutils}/include"
     "-DLLVM_EXPERIMENTAL_TARGETS_TO_BUILD=R600" # for mesa
   ] ++ stdenv.lib.optional (!isDarwin) "-DBUILD_SHARED_LIBS=ON";
 
+  postBuild = ''
+    paxmark m bin/{lli,llvm-rtdyld}
+
+    paxmark m unittests/ExecutionEngine/JIT/JITTests
+    paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
+    paxmark m unittests/Support/SupportTests
+  '';
+
   enableParallelBuilding = true;
 
   doCheck = true;

pkgs/development/compilers/llvm/3.4/dragonegg.nix

@@ -1,10 +1,18 @@
-{stdenv, fetch, llvm, gmp, mpfr, mpc, ncurses, zlib, version}:
+{stdenv, fetch, fetchpatch, llvm, gmp, mpfr, mpc, ncurses, zlib, version}:
 
 stdenv.mkDerivation rec {
   name = "dragonegg-${version}";
 
   src = fetch "dragonegg" "1733czbvby1ww3xkwcwmm0km0bpwhfyxvf56wb0zv5gksp3kbgrl";
 
+  patches = [(fetchpatch {
+    url = "https://llvm.org/viewvc/llvm-project/dragonegg/trunk/src/x86/ABIHack.inc"
+      + "?r1=208730&r2=208729&view=patch";
+    sha256 = "1al82gqz90hzjx24p0wls029lw2bgnlgd209kgvxsp82p4z1v1c1";
+    name = "bug-18548.patch";
+  })];
+  patchFlags = "-p2";
+
   # The gcc the plugin will be built for (the same used building dragonegg)
   GCC = "gcc";
 

pkgs/development/compilers/llvm/3.4/llvm.nix

@@ -36,15 +36,25 @@ in stdenv.mkDerivation rec {
     mkdir -p $out/
     ln -sv $PWD/lib $out
   '';
-  postBuild = "rm -fR $out";
 
   cmakeFlags = with stdenv; [
     "-DCMAKE_BUILD_TYPE=Release"
+    "-DLLVM_BUILD_TESTS=ON"
     "-DLLVM_ENABLE_FFI=ON"
     "-DLLVM_BINUTILS_INCDIR=${binutils}/include"
     "-DCMAKE_CXX_FLAGS=-std=c++11"
   ] ++ stdenv.lib.optional (!isDarwin) "-DBUILD_SHARED_LIBS=ON";
 
+  postBuild = ''
+    rm -fR $out
+
+    paxmark m bin/{lli,llvm-rtdyld}
+
+    paxmark m unittests/ExecutionEngine/JIT/JITTests
+    paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
+    paxmark m unittests/Support/SupportTests
+  '';
+
   enableParallelBuilding = true;
 
   passthru.src = src;

pkgs/development/compilers/openjdk/bootstrap.nix

@@ -1,4 +1,4 @@
-{ runCommand, glibc, fetchurl }:
+{ stdenv, runCommand, glibc, fetchurl, file }:
 
 let
   # !!! These should be on nixos.org
@@ -18,4 +18,12 @@ in
 runCommand "openjdk-bootstrap" {} ''
   xz -dc ${src} | sed "s/e*-glibc-[^/]*/$(basename ${glibc})/g" | tar xv
   mv openjdk-bootstrap $out
+
+  # Temporarily, while NixOS's OpenJDK bootstrap tarball doesn't have PaX markings:
+  exes=$(${file}/bin/file $out/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
+  for file in $exes; do
+    paxmark m "$file"
+    # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
+    ${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''}
+  done
 ''

pkgs/development/compilers/openjdk/default.nix

@@ -1,5 +1,5 @@
 { stdenv, fetchurl, unzip, zip, procps, coreutils, alsaLib, ant, freetype, cups
-, which, jdk, nettools, xorg
+, which, jdk, nettools, xorg, file
 , fontconfig, cpio, cacert, perl, setJavaClassPath }:
 
 let
@@ -19,6 +19,9 @@ let
 
   build = "43";
 
+  # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
+  paxflags = if stdenv.isi686 then "msp" else "m";
+
 in
 
 stdenv.mkDerivation rec {
@@ -35,7 +38,7 @@ stdenv.mkDerivation rec {
     [ unzip procps ant which zip cpio nettools alsaLib
       xorg.libX11 xorg.libXt xorg.libXext xorg.libXrender xorg.libXtst
       xorg.libXi xorg.libXinerama xorg.libXcursor xorg.lndir
-      fontconfig perl
+      fontconfig perl file
     ];
 
   NIX_LDFLAGS = "-lfontconfig -lXcursor -lXinerama";
@@ -49,7 +52,7 @@ stdenv.mkDerivation rec {
       openjdk/{jdk,corba}/make/common/shared/Defs-utils.gmk
   '';
 
-  patches = [ ./cppflags-include-fix.patch ./fix-java-home.patch ];
+  patches = [ ./cppflags-include-fix.patch ./fix-java-home.patch ./paxctl.patch ];
 
   NIX_NO_SELF_RPATH = true;
 
@@ -72,6 +75,14 @@ stdenv.mkDerivation rec {
 
   configurePhase = "true";
 
+  preBuild = ''
+    # We also need to PaX-mark in the middle of the build
+    substituteInPlace hotspot/make/linux/makefiles/launcher.make \
+       --replace XXX_PAXFLAGS_XXX ${paxflags}
+    substituteInPlace jdk/make/common/Program.gmk  \
+       --replace XXX_PAXFLAGS_XXX ${paxflags}
+  '';
+
   installPhase = ''
     mkdir -p $out/lib/openjdk $out/share $jre/lib/openjdk
 
@@ -98,6 +109,14 @@ stdenv.mkDerivation rec {
     rm -rf $out/lib/openjdk/jre/bin
     ln -s $out/lib/openjdk/bin $out/lib/openjdk/jre/bin
 
+    # Set PaX markings
+    exes=$(file $out/lib/openjdk/bin/* $jre/lib/openjdk/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
+    echo "to mark: *$exes*"
+    for file in $exes; do
+      echo "marking *$file*"
+      paxmark ${paxflags} "$file"
+    done
+
     # Remove duplicate binaries.
     for i in $(cd $out/lib/openjdk/bin && echo *); do
       if [ "$i" = java ]; then continue; fi

pkgs/development/compilers/openjdk/paxctl.patch

@@ -0,0 +1,28 @@
+diff --git a/hotspot/make/linux/makefiles/launcher.make b/hotspot/make/linux/makefiles/launcher.make
+index 34bbcd6..41b9332 100644
+--- a/hotspot/make/linux/makefiles/launcher.make
++++ b/hotspot/make/linux/makefiles/launcher.make
+@@ -83,6 +83,8 @@ $(LAUNCHER): $(OBJS) $(LIBJVM) $(LAUNCHER_MAPFILE)
+ 	$(QUIETLY) echo Linking launcher...
+ 	$(QUIETLY) $(LINK_LAUNCHER/PRE_HOOK)
+ 	$(QUIETLY) $(LINK_LAUNCHER) $(LFLAGS_LAUNCHER) -o $@ $(OBJS) $(LIBS_LAUNCHER)
++	paxctl -c $(LAUNCHER)
++	paxctl -zex -XXX_PAXFLAGS_XXX $(LAUNCHER)
+ 	$(QUIETLY) $(LINK_LAUNCHER/POST_HOOK)
+ 
+ $(LAUNCHER): $(LAUNCHER_SCRIPT)
+diff --git a/jdk/make/common/Program.gmk b/jdk/make/common/Program.gmk
+index 091800d..1de8cb4 100644
+--- a/jdk/make/common/Program.gmk
++++ b/jdk/make/common/Program.gmk
+@@ -60,6 +60,10 @@ ACTUAL_PROGRAM      = $(ACTUAL_PROGRAM_DIR)/$(ACTUAL_PROGRAM_NAME)
+ program_default_rule: all
+ 
+ program: $(ACTUAL_PROGRAM)
++	if [[ "$(PROGRAM)" = "java" ]]; then \
++		paxctl -c $(ACTUAL_PROGRAM); \
++		paxctl -zex -XXX_PAXFLAGS_XXX $(ACTUAL_PROGRAM); \
++	fi
+ 
+ # Work-around for missing processor specific mapfiles
+ ifndef CROSS_COMPILE_ARCH

pkgs/development/interpreters/python/2.7/default.nix

@@ -80,6 +80,8 @@ let
         ln -s $out/lib/python${majorVersion}/pdb.py $out/bin/pdb
         ln -s $out/lib/python${majorVersion}/pdb.py $out/bin/pdb${majorVersion}
         ln -s $out/share/man/man1/{python2.7.1.gz,python.1.gz}
+
+        paxmark E $out/bin/python${majorVersion}
       '';
 
     passthru = {

pkgs/development/interpreters/python/3.3/default.nix

@@ -53,6 +53,8 @@ stdenv.mkDerivation {
   postInstall = ''
     rm -rf "$out/lib/python${majorVersion}/test"
     ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}"
+
+    paxmark E $out/bin/python${majorVersion}
   '';
 
   passthru = {

pkgs/development/interpreters/python/3.4/default.nix

@@ -54,6 +54,8 @@ stdenv.mkDerivation {
   postInstall = ''
     rm -rf "$out/lib/python${majorVersion}/test"
     ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}"
+
+    paxmark E $out/bin/python${majorVersion}
   '';
 
   passthru = {

pkgs/development/interpreters/spidermonkey/17.0.nix

@@ -28,7 +28,12 @@ stdenv.mkDerivation rec {
   enableParallelBuilding = true;
 
   doCheck = true;
-  preCheck = "rm jit-test/tests/sunspider/check-date-format-tofte.js"; # https://bugzil.la/600522
+  preCheck = ''
+    rm jit-test/tests/sunspider/check-date-format-tofte.js    # https://bugzil.la/600522
+
+    paxmark m shell/js17
+    paxmark mr jsapi-tests/jsapi-tests
+  '';
 
   meta = with stdenv.lib; {
     description = "Mozilla's JavaScript engine written in C/C++";

pkgs/development/interpreters/spidermonkey/185-1.0.0.nix

@@ -28,7 +28,13 @@ stdenv.mkDerivation rec {
   enableParallelBuilding = true;
 
   doCheck = true;
-  preCheck = "rm jit-test/tests/sunspider/check-date-format-tofte.js"; # https://bugzil.la/600522
+
+  preCheck = ''
+    rm jit-test/tests/sunspider/check-date-format-tofte.js    # https://bugzil.la/600522
+
+    paxmark mr shell/js
+    paxmark mr jsapi-tests/jsapi-tests
+  '';
 
   meta = with stdenv.lib; {
     description = "Mozilla's JavaScript engine written in C/C++";

pkgs/development/libraries/dbus/default.nix

@@ -3,8 +3,8 @@
 , libX11, libICE, libSM, useX11 ? (stdenv.isLinux || stdenv.isDarwin) }:
 
 let
-  version = "1.8.2";
-  sha256 = "025f7dnhr4gy5vcqsvn78x2bk382ldvf4x3ryd9wkbb5250zg2an";
+  version = "1.8.4";
+  sha256 = "1y0zcmd4jsf2gq5yymz9gcnwxijh0vxbmxz73q3l440is343vxiy";
 
   inherit (stdenv) lib;
 

pkgs/development/libraries/gstreamer/legacy/gstreamer/default.nix

@@ -22,8 +22,12 @@ stdenv.mkDerivation rec {
     --disable-examples --enable-failing-tests --localstatedir=/var --disable-gtk-doc --disable-docbook
   '';
 
-  # Hm, apparently --disable-gtk-doc is ignored...
-  postInstall = "rm -rf $out/share/gtk-doc";
+  postInstall = ''
+    # Hm, apparently --disable-gtk-doc is ignored...
+    rm -rf $out/share/gtk-doc
+
+    paxmark m $out/bin/gst-launch* $out/libexec/gstreamer-*/gst-plugin-scanner
+  '';
 
   setupHook = ./setup-hook.sh;
 

pkgs/development/libraries/libffi/default.nix

@@ -8,9 +8,13 @@ stdenv.mkDerivation rec {
     sha256 = "077ibkf84bvcd6rw1m6jb107br63i2pp301rkmsbgg6300adxp8x";
   };
 
+  patches = stdenv.lib.optional (stdenv.needsPax) ./libffi-3.0.13-emutramp_pax_proc.patch;
+
   buildInputs = stdenv.lib.optional doCheck dejagnu;
 
-  configureFlags = [ "--with-gcc-arch=generic" ]; # no detection of -march= or -mtune=
+  configureFlags = [
+    "--with-gcc-arch=generic" # no detection of -march= or -mtune=
+  ] ++ stdenv.lib.optional (stdenv.needsPax) "--enable-pax_emutramp";
 
   doCheck = stdenv.isLinux; # until we solve dejagnu problems on darwin and expect on BSD
 

pkgs/development/libraries/libffi/libffi-3.0.13-emutramp_pax_proc.patch

@@ -0,0 +1,37 @@
+2013-05-22  Magnus Granberg  <zorry@gentoo.org>
+
+	#457194
+	* src/closuer.c (emutramp_enabled_check): Check with /proc.
+
+--- a/src/closures.c	2013-03-17 23:27:11.000000000 +0100
++++ b/src/closures.c	2013-04-29 23:26:02.279022022 +0200
+@@ -181,10 +181,26 @@ static int emutramp_enabled = -1;
+ static int
+ emutramp_enabled_check (void)
+ {
+-  if (getenv ("FFI_DISABLE_EMUTRAMP") == NULL)
+-    return 1;
+-  else
++  char *buf = NULL;
++  size_t len = 0;
++  FILE *f;
++  int ret;
++  f = fopen ("/proc/self/status", "r");
++  if (f == NULL)
+     return 0;
++  ret = 0;
++
++  while (getline (&buf, &len, f) != -1)
++    if (!strncmp (buf, "PaX:", 4))
++      {
++        char emutramp;
++        if (sscanf (buf, "%*s %*c%c", &emutramp) == 1)
++          ret = (emutramp == 'E');
++        break;
++      }
++  free (buf);
++  fclose (f);
++  return ret;
+ }
+ 
+ #define is_emutramp_enabled() (emutramp_enabled >= 0 ? emutramp_enabled \

pkgs/development/libraries/libshout/default.nix

@@ -1,17 +1,18 @@
-{stdenv, fetchurl, pkgconfig 
-, libvorbis, libtheora, speex}:
+{ stdenv, fetchurl, pkgconfig
+, libvorbis, libtheora, speex }:
 
 # need pkgconfig so that libshout installs ${out}/lib/pkgconfig/shout.pc
 
 stdenv.mkDerivation rec {
-	name = "libshout-2.3.1";
+  name = "libshout-2.3.1";
 
-	src = fetchurl {
-		url = "http://downloads.xiph.org/releases/libshout/${name}.tar.gz";
-		sha256 = "cf3c5f6b4a5e3fcfbe09fb7024aa88ad4099a9945f7cb037ec06bcee7a23926e";
-	};
+  src = fetchurl {
+    url = "http://downloads.xiph.org/releases/libshout/${name}.tar.gz";
+    sha256 = "cf3c5f6b4a5e3fcfbe09fb7024aa88ad4099a9945f7cb037ec06bcee7a23926e";
+  };
 
-  buildInputs = [ libvorbis libtheora speex pkgconfig ];
+  nativeBuildInputs = [ pkgconfig ];
+  propagatedBuildInputs = [ libvorbis libtheora speex ];
 
   meta = {
     description = "icecast 'c' language bindings";

pkgs/development/libraries/libtasn1/default.nix

@@ -1,11 +1,11 @@
 { stdenv, fetchurl, perl, texinfo }:
 
 stdenv.mkDerivation rec {
-  name = "libtasn1-3.4";
+  name = "libtasn1-3.6";
 
   src = fetchurl {
     url = "mirror://gnu/libtasn1/${name}.tar.gz";
-    sha256 = "1j5cwsjk9wai700ljsr5qyzywijrr5ba05hhg4mkgqlg8mx50lzk";
+    sha256 = "0c547qa1vfk1x2jzgjhf65izf4sfi86c6g46q7779g4aldk4gqqr";
   };
 
   buildInputs = [ perl texinfo ];

pkgs/development/libraries/mesa/default.nix

@@ -1,7 +1,8 @@
-{ stdenv, fetchurl, pkgconfig, intltool, flex, bison, autoreconfHook
+{ stdenv, fetchurl, pkgconfig, intltool, flex, bison, autoreconfHook, substituteAll
 , python, libxml2Python, file, expat, makedepend
 , libdrm, xorg, wayland, udev, llvm, libffi
 , libvdpau, libelf
+, grsecEnabled
 , enableTextureFloats ? false # Texture floats are patented, see docs/patents.txt
 , enableExtraFeatures ? false # not maintained
 }:
@@ -23,7 +24,7 @@ else
 */
 
 let
-  version = "10.1.4";
+  version = "10.1.5";
   # this is the default search path for DRI drivers
   driverLink = "/run/opengl-driver" + stdenv.lib.optionalString stdenv.isi686 "-32";
 in
@@ -34,16 +35,21 @@ stdenv.mkDerivation {
 
   src =  fetchurl {
     url = "ftp://ftp.freedesktop.org/pub/mesa/${version}/MesaLib-${version}.tar.bz2";
-    sha256 = "0g2j2zz7yq3i8k8dkji8h7iqfbcm8afb5lrb4dxrcyjl1bh6gibg";
+    sha256 = "1g2vy7zaamzs00xasiwg0d6cb5sclfd9v8jms14ll9bghg3mwv5w";
   };
 
   prePatch = "patchShebangs .";
 
   patches = [
     ./static-gallium.patch
+    ./glx_ro_text_segm.patch # fix for grsecurity/PaX
    # TODO: revive ./dricore-gallium.patch when it gets ported (from Ubuntu),
    #  as it saved ~35 MB in $drivers; watch https://launchpad.net/ubuntu/+source/mesa/+changelog
-  ];
+  ] ++ optional stdenv.isLinux
+      (substituteAll {
+        src = ./dlopen-absolute-paths.diff;
+        inherit udev;
+      });
 
   # Change the search path for EGL drivers from $drivers/* to driverLink
   postPatch = ''
@@ -79,7 +85,8 @@ stdenv.mkDerivation {
       "--enable-openvg" "--enable-gallium-egl" # not needed for EGL in Gallium, but OpenVG might be useful
       #"--enable-xvmc" # tests segfault with 9.1.{1,2,3}
       #"--enable-opencl" # ToDo: opencl seems to need libclc for clover
-    ];
+    ]
+    ++ optional grsecEnabled "--enable-glx-rts"; # slight performance degradation, enable only for grsec
 
   nativeBuildInputs = [ pkgconfig python makedepend file flex bison ];
 

pkgs/development/libraries/mesa/dlopen-absolute-paths.diff

@@ -0,0 +1,13 @@
+diff --git a/src/loader/loader.c b/src/loader/loader.c
+index 666d015..4d7a9be 100644
+--- a/src/loader/loader.c
++++ b/src/loader/loader.c
+@@ -101,7 +101,7 @@ static void *
+ udev_dlopen_handle(void)
+ {
+    if (!udev_handle) {
+-      udev_handle = dlopen("libudev.so.1", RTLD_LOCAL | RTLD_LAZY);
++      udev_handle = dlopen("@udev@/lib/libudev.so.1", RTLD_LOCAL | RTLD_LAZY);
+ 
+       if (!udev_handle) {
+          /* libudev.so.1 changed the return types of the two unref functions

pkgs/development/libraries/mesa/glx_ro_text_segm.patch

@@ -0,0 +1,25 @@
+diff --git a/configure.ac b/configure.ac
+index 5068913..3d4271e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -429,6 +429,20 @@ AC_SUBST([GLESv2_LIB_GLOB])
+ AC_SUBST([VG_LIB_GLOB])
+ AC_SUBST([GLAPI_LIB_GLOB])
+ 
++
++dnl readonly text segment on x86 hardened platforms
++AC_ARG_ENABLE([glx_rts],
++    [AS_HELP_STRING([--enable-glx-rts],
++        [on x86, use a readonly text segment for libGL @<:@default=disabled@:>@])],
++    [enable_glx_rts="$enableval"],
++    [enable_glx_rts=no])
++if test "x$enable_glx_rts" = xyes; then
++    DEFINES="$DEFINES -DGLX_X86_READONLY_TEXT"
++else
++    enable_glx_rts=no
++fi
++
++
+ dnl
+ dnl Arch/platform-specific settings
+ dnl

pkgs/development/libraries/polkit/default.nix

@@ -58,6 +58,12 @@ stdenv.mkDerivation rec {
 
   makeFlags = "INTROSPECTION_GIRDIR=$(out)/share/gir-1.0 INTROSPECTION_TYPELIBDIR=$(out)/lib/girepository-1.0";
 
+  # The following is required on grsecurity/PaX due to spidermonkey's JIT
+  postBuild = ''
+    paxmark mr src/polkitbackend/.libs/polkitd
+    paxmark mr test/polkitbackend/.libs/polkitbackendjsauthoritytest
+  '';
+
   #doCheck = true; # some /bin/bash problem that isn't auto-solved by patchShebangs
 
   meta = with stdenv.lib; {

pkgs/development/libraries/qimageblitz/default.nix

@@ -7,14 +7,16 @@ in
 
 stdenv.mkDerivation {
   name = "${pn}-${v}";
-  
+
   src = fetchurl {
     url = "mirror://sourceforge/${pn}/${pn}-${v}.tar.bz2";
     sha256 = "0pnaf3qi7rgkxzs2mssmslb3f9ya4cyx09wzwlis3ppyvf72j0p9";
   };
-  
+
   buildInputs = [ cmake qt4 ];
 
+  patches = [ ./qimageblitz-9999-exec-stack.patch ];
+
   meta = {
     description = "Graphical effect and filter library for KDE4";
     license = "BSD";

pkgs/development/libraries/qimageblitz/qimageblitz-9999-exec-stack.patch

@@ -0,0 +1,11 @@
+diff -uar qimageblitz/blitz/asm_scale.S qimageblitz~/blitz/asm_scale.S
+--- qimageblitz-orig/blitz/asm_scale.S	2007-10-17 01:17:57.000000000 +0200
++++ qimageblitz/blitz/asm_scale.S	2007-10-17 01:19:12.000000000 +0200
+@@ -814,3 +814,7 @@
+ SIZE(qimageScale_mmx_AARGBA)
+ 
+ #endif
++#if defined(__linux__) && defined(__ELF__)
++.section .note.GNU-stack,"",%progbits
++#endif
++

pkgs/development/tools/misc/binutils/default.nix

@@ -27,6 +27,11 @@ stdenv.mkDerivation rec {
 
     # Make binutils output deterministic by default.
     ./deterministic.patch
+
+    # Always add PaX flags section to ELF files.
+    # This is needed, for instance, so that running "ldd" on a binary that is
+    # PaX-marked to disable mprotect doesn't fail with permission denied.
+    ./pt-pax-flags-20121023.patch
   ];
 
   buildInputs =

pkgs/development/tools/misc/pkgconfig/default.nix

@@ -1,15 +1,17 @@
 {stdenv, fetchurl, automake, vanilla ? false}:
 
 stdenv.mkDerivation (rec {
-  name = "pkg-config-0.23";
+  name = "pkg-config-0.28";
   
   setupHook = ./setup-hook.sh;
   
   src = fetchurl {
     url = "http://pkgconfig.freedesktop.org/releases/${name}.tar.gz";
-    sha256 = "0lrvk17724mc2nzpaa0vwybarrl50r7qdnr4h6jijm50srrf1808";
+    sha256 = "0igqq5m204w71m11y0nipbdf5apx87hwfll6axs12hn4dqfb6vkb";
   };
 
+  configureFlags = [ "--with-internal-glib" ];
+
   patches = if vanilla then [] else [
     # Process Requires.private properly, see
     # http://bugs.freedesktop.org/show_bug.cgi?id=4738.

pkgs/development/tools/misc/pkgconfig/requires-private.patch

@@ -1,221 +1,17 @@
-diff -rc pkg-config-0.23-orig/main.c pkg-config-0.23/main.c
-*** pkg-config-0.23-orig/main.c	2008-01-16 23:06:48.000000000 +0100
---- pkg-config-0.23/main.c	2008-10-14 13:04:04.000000000 +0200
-***************
-*** 431,436 ****
---- 431,454 ----
-    else
-      disable_private_libs();
-  
-+   /* Only process Requires field if cflags or libs wanted */
-+   if (want_libs ||
-+       want_cflags ||
-+       want_l_libs ||
-+       want_L_libs ||
-+       want_other_libs ||
-+       want_I_cflags ||
-+       want_other_cflags)
-+     enable_requires();
-+   else
-+     disable_requires();
-+ 
-+   /* Only process Requires.private if static libs wanted */
-+   if (want_static_lib_list)
-+     enable_requires_private();
-+   else
-+     disable_requires_private();
-+ 
-    if (want_my_version)
-      {
-        printf ("%s\n", VERSION);
-diff -rc pkg-config-0.23-orig/parse.c pkg-config-0.23/parse.c
-*** pkg-config-0.23-orig/parse.c	2008-01-16 21:42:49.000000000 +0100
---- pkg-config-0.23/parse.c	2008-10-13 14:41:42.000000000 +0200
-***************
-*** 913,919 ****
-  #endif
-  
-  static void
-! parse_line (Package *pkg, const char *untrimmed, const char *path, gboolean ignore_requires, gboolean ignore_private_libs)
-  {
-    char *str;
-    char *p;
---- 913,921 ----
-  #endif
-  
-  static void
-! parse_line (Package *pkg, const char *untrimmed, const char *path,
-!             gboolean ignore_requires, gboolean ignore_requires_private,
-!             gboolean ignore_private_libs)
-  {
-    char *str;
-    char *p;
-***************
-*** 956,970 ****
-          parse_description (pkg, p, path);
-        else if (strcmp (tag, "Version") == 0)
-          parse_version (pkg, p, path);
-!       else if (strcmp (tag, "Requires.private") == 0)
-! 	parse_requires_private (pkg, p, path);
-!       else if (strcmp (tag, "Requires") == 0)
-! 	{
-!           if (ignore_requires == FALSE)
-! 	    parse_requires (pkg, p, path);
-!           else
-! 	    goto cleanup;
-!         }
-        else if ((strcmp (tag, "Libs.private") == 0) && 
-                 ignore_private_libs == FALSE)
-          parse_libs_private (pkg, p, path);
---- 958,969 ----
-          parse_description (pkg, p, path);
-        else if (strcmp (tag, "Version") == 0)
-          parse_version (pkg, p, path);
-!       else if ((strcmp (tag, "Requires.private") == 0) &&
-!                ignore_requires_private == FALSE)
-!         parse_requires_private (pkg, p, path);
-!       else if ((strcmp (tag, "Requires") == 0) &&
-!                ignore_requires == FALSE)
-!         parse_requires (pkg, p, path);
-        else if ((strcmp (tag, "Libs.private") == 0) && 
-                 ignore_private_libs == FALSE)
-          parse_libs_private (pkg, p, path);
-***************
-*** 1067,1073 ****
-  }
-  
-  Package*
-! parse_package_file (const char *path, gboolean ignore_requires, gboolean ignore_private_libs)
-  {
-    FILE *f;
-    Package *pkg;
---- 1066,1074 ----
-  }
-  
-  Package*
-! parse_package_file (const char *path, gboolean ignore_requires,
-!                     gboolean ignore_requires_private,
-!                     gboolean ignore_private_libs)
-  {
-    FILE *f;
-    Package *pkg;
-***************
-*** 1104,1110 ****
-      {
-        one_line = TRUE;
-        
-!       parse_line (pkg, str->str, path, ignore_requires, ignore_private_libs);
-  
-        g_string_truncate (str, 0);
-      }
---- 1105,1112 ----
-      {
-        one_line = TRUE;
-        
-!       parse_line (pkg, str->str, path, ignore_requires,
-!                   ignore_requires_private, ignore_private_libs);
-  
-        g_string_truncate (str, 0);
-      }
-diff -rc pkg-config-0.23-orig/parse.h pkg-config-0.23/parse.h
-*** pkg-config-0.23-orig/parse.h	2008-01-16 21:42:49.000000000 +0100
---- pkg-config-0.23/parse.h	2008-10-13 14:41:42.000000000 +0200
-***************
-*** 23,28 ****
---- 23,29 ----
-  #include "pkg.h"
-  
-  Package *parse_package_file (const char *path, gboolean ignore_requires,
-+                              gboolean ignore_requires_private,
-                               gboolean ignore_private_libs);
-  
-  Package *get_compat_package (const char *name);
-diff -rc pkg-config-0.23-orig/pkg.c pkg-config-0.23/pkg.c
-*** pkg-config-0.23-orig/pkg.c	2008-01-16 22:59:49.000000000 +0100
---- pkg-config-0.23/pkg.c	2008-10-13 14:41:42.000000000 +0200
-***************
-*** 55,60 ****
---- 55,61 ----
-  
-  gboolean disable_uninstalled = FALSE;
-  gboolean ignore_requires = FALSE;
-+ gboolean ignore_requires_private = FALSE;
-  gboolean ignore_private_libs = TRUE;
-  
-  void
-***************
-*** 337,343 ****
-      }
-  
-    debug_spew ("Reading '%s' from file '%s'\n", name, location);
-!   pkg = parse_package_file (location, ignore_requires, ignore_private_libs);
-    
-    if (pkg == NULL)
-      {
---- 338,345 ----
-      }
-  
-    debug_spew ("Reading '%s' from file '%s'\n", name, location);
-!   pkg = parse_package_file (location, ignore_requires, ignore_requires_private,
-!                             ignore_private_libs);
-    
-    if (pkg == NULL)
-      {
-***************
-*** 1506,1511 ****
---- 1508,1514 ----
-    int mlen = 0;
-    
-    ignore_requires = TRUE;
-+   ignore_requires_private = TRUE;
-  
-    g_hash_table_foreach (locations, max_len_foreach, &mlen);
-    g_hash_table_foreach (locations, packages_foreach, GINT_TO_POINTER (mlen + 1));
-***************
-*** 1522,1524 ****
---- 1525,1551 ----
-  {
-    ignore_private_libs = TRUE;
-  }
-+ 
-+ void
-+ enable_requires(void)
-+ {
-+   ignore_requires = FALSE;
-+ }
-+ 
-+ void
-+ disable_requires(void)
-+ {
-+   ignore_requires = TRUE;
-+ }
-+ 
-+ void
-+ enable_requires_private(void)
-+ {
-+   ignore_requires_private = FALSE;
-+ }
-+ 
-+ void
-+ disable_requires_private(void)
-+ {
-+   ignore_requires_private = TRUE;
-+ }
-diff -rc pkg-config-0.23-orig/pkg.h pkg-config-0.23/pkg.h
-*** pkg-config-0.23-orig/pkg.h	2008-01-16 22:27:19.000000000 +0100
---- pkg-config-0.23/pkg.h	2008-10-13 14:41:42.000000000 +0200
-***************
-*** 120,125 ****
---- 120,131 ----
-  void enable_private_libs(void);
-  void disable_private_libs(void);
-  
-+ void enable_requires(void);
-+ void disable_requires(void);
-+ 
-+ void enable_requires_private(void);
-+ void disable_requires_private(void);
-+ 
-  /* If TRUE, do not automatically prefer uninstalled versions */
-  extern gboolean disable_uninstalled;
-  
+diff --git a/main.c b/main.c
+index b61ca34..5a420c2 100644
+--- a/main.c
++++ b/main.c
+@@ -602,10 +602,10 @@ main (int argc, char **argv)
+   else
+     disable_private_libs();
+ 
+-  /* honor Requires.private if any Cflags are requested or any static
++  /* honor Requires.private if any any static
+    * libs are requested */
+ 
+-  if (pkg_flags & CFLAGS_ANY || want_requires_private || want_exists ||
++  if (want_requires_private ||
+       (want_static_lib_list && (pkg_flags & LIBS_ANY)))
+     enable_requires_private();
+ 

pkgs/misc/emulators/wine/stable.nix

@@ -62,6 +62,9 @@ in stdenv.mkDerivation rec {
     install -D ${gecko} $out/share/wine/gecko/${gecko64.name}
   '' + ''
     install -D ${mono} $out/share/wine/mono/${mono.name}
+
+    paxmark psmr $out/bin/wine{,-preloader}
+
     wrapProgram $out/bin/wine --prefix LD_LIBRARY_PATH : ${stdenv.gcc.gcc}/lib
   '';
 

pkgs/os-specific/linux/spl/const.patch

@@ -0,0 +1,13 @@
+diff --git a/module/spl/spl-proc.c b/module/spl/spl-proc.c
+index f25239a..b731123 100644
+--- a/module/spl/spl-proc.c
++++ b/module/spl/spl-proc.c
+@@ -38,7 +38,7 @@
+ 
+ #define SS_DEBUG_SUBSYS SS_PROC
+ 
+-#if defined(CONSTIFY_PLUGIN) && LINUX_VERSION_CODE >= KERNEL_VERSION(3,8,0)
++#if defined(CONSTIFY_PLUGIN)
+ typedef struct ctl_table __no_const spl_ctl_table;
+ #else
+ typedef struct ctl_table spl_ctl_table;

pkgs/os-specific/linux/spl/default.nix

@@ -7,7 +7,7 @@ stdenv.mkDerivation {
     sha256 = "196scl8q0bkkak6m0p1l1fz254cgsizqm73bf9wk3iynamq7qmrw";
   };
 
-  patches = [ ./install_prefix.patch ./3_12-compat.patch ./3_13-compat-1.patch ./3_13-compat-2.patch ];
+  patches = [ ./install_prefix.patch ./3_12-compat.patch ./3_13-compat-1.patch ./3_13-compat-2.patch ./const.patch ];
 
   buildInputs = [ perl autoconf automake libtool ];
 
@@ -34,7 +34,7 @@ stdenv.mkDerivation {
 
     longDescription = ''
       This kernel module is a porting layer for ZFS to work inside the linux
-      kernel. 
+      kernel.
     '';
 
     homepage = http://zfsonlinux.org/;

pkgs/stdenv/generic/builder.sh

@@ -12,6 +12,7 @@ cat "$setup" >> $out/setup
 sed -e "s^@initialPath@^$initialPath^g" \
     -e "s^@gcc@^$gcc^g" \
     -e "s^@shell@^$shell^g" \
+    -e "s^@needsPax@^$needsPax^g" \
     < $out/setup > $out/setup.tmp
 mv $out/setup.tmp $out/setup
 

pkgs/stdenv/generic/default.nix

@@ -10,6 +10,8 @@ let lib = import ../../../lib; in lib.makeOverridable (
 , setupScript ? ./setup.sh
 
 , extraBuildInputs ? []
+
+, skipPaxMarking ? false
 }:
 
 let
@@ -38,11 +40,19 @@ let
       builder = shell;
 
       args = ["-e" ./builder.sh];
+      /* TODO: special-cased @var@ substitutions are ugly.
+          However, using substituteAll* from setup.sh seems difficult,
+          as setup.sh can't be directly sourced.
+          Suggestion: split similar utility functions into a separate script.
+      */
 
       setup = setupScript;
 
       inherit preHook initialPath gcc shell;
 
+      # Whether we should run paxctl to pax-mark binaries
+      needsPax = result.isLinux && !skipPaxMarking;
+
       propagatedUserEnvPkgs = [gcc] ++
         lib.filter lib.isDerivation initialPath;
 

pkgs/stdenv/generic/setup.sh

@@ -93,6 +93,7 @@ PATH=
 for i in $NIX_GCC @initialPath@; do
     if [ "$i" = / ]; then i=; fi
     addToSearchPath PATH $i/bin
+    addToSearchPath PATH $i/sbin
 done
 
 if [ "$NIX_DEBUG" = 1 ]; then
@@ -293,6 +294,18 @@ stripDirs() {
     fi
 }
 
+# PaX-mark binaries
+paxmark() {
+    local flags="$1"
+    shift
+
+    if [ -z "@needsPax@" ]; then
+        return
+    fi
+
+    paxctl -c "$@"
+    paxctl -zex -${flags} "$@"
+}
 
 ######################################################################
 # Textual substitution functions.

pkgs/stdenv/linux/default.nix

@@ -210,6 +210,7 @@ rec {
     extraAttrs = {
       glibc = stdenvLinuxGlibc;   # Required by gcc47 build
     };
+    extraPath = [ stdenvLinuxBoot1Pkgs.paxctl ];
     inherit fetchurl;
   };
 
@@ -268,7 +269,7 @@ rec {
 
     initialPath =
       ((import ../common-path.nix) {pkgs = stdenvLinuxBoot4Pkgs;})
-      ++ [stdenvLinuxBoot4Pkgs.patchelf];
+      ++ [stdenvLinuxBoot4Pkgs.patchelf stdenvLinuxBoot4Pkgs.paxctl ];
 
     gcc = wrapGCC rec {
       inherit (stdenvLinuxBoot4Pkgs) binutils coreutils;
@@ -295,7 +296,7 @@ rec {
       inherit (stdenvLinuxBoot4Pkgs)
         gzip bzip2 xz bash coreutils diffutils findutils gawk
         gnumake gnused gnutar gnugrep gnupatch patchelf
-        attr acl;
+        attr acl paxctl;
     };
   };
 

pkgs/tools/misc/grub/2.0x.nix

@@ -68,6 +68,10 @@ stdenv.mkDerivation rec {
   doCheck = false;
   enableParallelBuilding = true;
 
+  postInstall = ''
+    paxmark pms $out/sbin/grub-{probe,bios-setup}
+  '';
+
   meta = {
     description = "GNU GRUB, the Grand Unified Boot Loader (2.x beta)";
 

pkgs/top-level/all-packages.nix

@@ -5559,11 +5559,18 @@ let
 
   mesaSupported = lib.elem system lib.platforms.mesaPlatforms;
 
-  mesa_original = callPackage ../development/libraries/mesa { };
+  mesa_original = callPackage ../development/libraries/mesa {
+    # makes it slower, but during runtime we link against just mesa_drivers
+    # through /run/opengl-driver*, which is overriden according to config.grsecurity
+    grsecEnabled = true;
+  };
+
   mesa_noglu = if stdenv.isDarwin
     then darwinX11AndOpenGL // { driverLink = mesa_noglu; }
     else mesa_original;
-  mesa_drivers = mesa_original.drivers;
+  mesa_drivers = let
+      mo = mesa_original.override { grsecEnabled = config.grsecurity or false; };
+    in mo.drivers;
   mesa_glu = callPackage ../development/libraries/mesa-glu { };
   mesa = if stdenv.isDarwin then darwinX11AndOpenGL
     else buildEnv {