fix paxmark on non-linux (a bug in grsecurity PR #1187)

2 files changed, 9 insertions, 3 deletions

diff --git a/pkgs/stdenv/generic/builder.sh b/pkgs/stdenv/generic/builder.sh
index fd4c17ca2519..60360e7b8256 100644
--- a/pkgs/stdenv/generic/builder.sh
+++ b/pkgs/stdenv/generic/builder.sh
@@ -12,6 +12,7 @@ cat "$setup" >> $out/setup
 sed -e "s^@initialPath@^$initialPath^g" \
     -e "s^@gcc@^$gcc^g" \
     -e "s^@shell@^$shell^g" \
+    -e "s^@needsPax@^$needsPax^g" \
     < $out/setup > $out/setup.tmp
 mv $out/setup.tmp $out/setup
 
diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix
index 1e2d76bb9810..cba456313f39 100644
--- a/pkgs/stdenv/generic/default.nix
+++ b/pkgs/stdenv/generic/default.nix
@@ -31,11 +31,19 @@ let
       builder = shell;
 
       args = ["-e" ./builder.sh];
+      /* TODO: special-cased @var@ substitutions are ugly.
+          However, using substituteAll* from setup.sh seems difficult,
+          as setup.sh can't be directly sourced.
+          Suggestion: split similar utility functions into a separate script.
+      */
 
       setup = setupScript;
 
       inherit preHook initialPath gcc shell;
 
+      # Whether we should run paxctl to pax-mark binaries
+      needsPax = result.isLinux && !skipPaxMarking;
+
       propagatedUserEnvPkgs = [gcc] ++
         lib.filter lib.isDerivation initialPath;
 
@@ -159,9 +167,6 @@ let
            || system == "armv6l-linux"
            || system == "armv7l-linux";
 
-      # Whether we should run paxctl to pax-mark binaries
-      needsPax = isLinux && !skipPaxMarking;
-
       # For convenience, bring in the library functions in lib/ so
       # packages don't have to do that themselves.
       inherit lib;